Veeam Backup & Recovery 6 Fails with SBS 2011

I’ve just completed a migration from SBS 2003 to SBS 2011 for a customer and the final phase of this project was backup.

The new SBS 2011 was deployed using the free edition of VMware vSphere 5 Hypervisor (ESXi) so I was keen to try out the latest version of Veeam Backup and Recovery v6 with this.
I download Veeam Backup & Recovery v6 and set it up using my trial Key.

The product itself is a breeze to get installed and setup but I immediately ran into issues when trying to run my first backup.
The backup job would hang for around 15 – 20mins before throwing the following error

Failed to prepare guest for hot backup. Error: VSSControl: Failed to prepare guest for freeze, wait timeout 900 sec
Error: VSSControl: Failed to prepare guest for freeze, wait timeout 900 se

After a bit of digging I stumbled across an SBS post relating to SharePoint Foundation 2010 SP1 and the need to manually complete the SP1 process.
Failure to complete the process can prevent all backups from working which is what happened in my case.

See the following article for full details on how to resolve the issue.

http://blogs.technet.com/b/sbs/archive/2011/07/06/potential-issues-after-installing-sharepoint-foundation-2010-sp1.aspx

Technorati Tags: SBS 2011,Veeam,Backup

Creating OpenSSL Certificates for vSphere & vCenter

I have been meaning to write this blog post for a while but never quite managed to find the time until now.

As part of a project that I have been working on, I had a need to replace the default certificates that get installed during the installation of vCenter and vSphere 4.1 with OpenSSL certificates.

This guide is based on vSphere & vCenter 4.1 although it should also work for vSphere 5

The process will be broken into a number of steps

1. Installation of OpenSSL & creating the working directory structure
2. Creating a Root CA
3. Creating the CSRs (Certificate Signing Requests) for vSphere and vCenter
4. Signing the CSRs using the Root CA
5. Assign certificates to vCenter & vSphere
6. Deploying the OpenSSL RootCA via GPO

I want to make this process as easy as possible and as such I’ll be using the default values that are already predefined in the openssl.cfg file

So lets get started with replacing vSphere certificates.

Installing OpenSSL & creating the directory structure

Download OpenSSL for Windows x64 from
http://www.slproweb.com/products/Win32OpenSSL.html

Accept the license agreement and use the defaults when installing.

OpenSSL has now been installed to C:\OpenSSL

The next thing that needs to be done is to create the working directory structure. The directory structure will be used when signing the certificates using the RootCA.

Use the following commands

mkdir C:\openssl\bin\demoCA\newcerts
mkdir C:\OpenSSL\bin\demoCA\private
Copy C:\OpenSSL\bin\PEM\demoCA\serial C:\OpenSSL\bin\demoCA\
copy con C:\OpenSSL\bin\index.txt
(after issuing the above command use CTRL-Z then enter to finish the command. This will create a blank document called index.txt)

Creating the Root CA

We are now ready to create the RootCA.
Open a command prompt at C:\OpenSSL\bin and issue the below command

openssl req -new -x509 -extensions v3_ca -keyout rootca.key -out rootca.crt -days 3650 -config openssl.cfg

The first thing that you will be asked for is a “Enter PEM pass phrase:”

This is a pass phrase of your own choosing (Should be a strong pass phrase) and will be used again when signing the certificates for vSphere & vCenter

Complete the remainder of the fields that you are asked information about.
The relevant fields have been highlighted in the below graphic.

Once the command has complete you will find 2 new files named rootca.crt and rootca.key within C:\OpenSSL\bin

Creating the CSR’s

Next we need to create the CSRs for the vsphere and vcenter certificates

Again open a command prompt from C:\OpenSSL\bin and issue the following commands

openssl req -new -nodes -out vsphere.csr -keyout vsphere.key -config openssl.cfg

openssl req -new -nodes -out vcenter.csr -keyout vcenter.key -config openssl.cfg

The above commands will create the CSRs, each CSR will consist of 2 files, the csr file and the key file.

At the end of the request you will be prompted to enter ‘extra attributes’. Leave these 2 options blank.

The yellow highlight below are the options that you need to fill in, the green are the optional setting that are to be left blank.

We now have the private key and the CSR for both vsphere and vcenter within C:\OpenSSL\bin.

Signing CSR

The next step is issue certificates based on the the CSRs using the RootCA.

Remember back to that start when we created the directory structure? Well this is where it comes into use.

Issue the below commands at a command prompt from C:\OpenSSL\bin.
The first thing that you will be asked for is the pass phrase from the rootca we entered when creating the initial rootca files

openssl ca -cert rootca.crt -keyfile rootca.key -out vsphere.crt -config openssl.cfg -infiles vsphere.csr

openssl ca -cert rootca.crt -keyfile rootca.key -out vcenter.crt -config openssl.cfg -infiles vcenter.csr

Going back to C:\OpenSSL\bin we see 2 new files, vsphere.crt & vcenter.crt.
Double clicking these files will show that they have been signed by the Root CA.

 

Creating PFX

A PFX file is required for vcenter, a PFX file is the amalgamation of the certificate and its associated private key

The following command will create the PFX for vcenter

openssl pkcs12 –export -in vcenter.crt -inkey vcenter.key -name vcenter  -passout pass:testpassword -out vcenter.pfx

Again looking in C:\OpenSSL\bin you will see the newly created PFX file.

Replacing Certificates on vCenter

We now need to replace the default certificate that are installed on vcenter with are newly created certs.
The SSL certificates for vCenter are located at

C:\Users\All Users\VMware\VMware VirtualCenter\SSL

Opening this folder you will find 3 files

• rui.crt
• rui.key
• rui.pfx

Copy these certificates to a safe location as you will need to replace these if anything has gone wrong with the newly created certificates.

Copy across the vcenter.crt, vcenter,key and vcenter.pfx files created earlier and rename these to reflect the original rui files

On the vCenter Server, restart the service VMware VirtualCenter Management Webservices

Installing Root CA on Windows

Now that we have out certificate signed by our Root CA we need to ensure that the Root CA is trusted by servers and clients that will be connecting to both vsphere & vcenter.

The easiest way to do is this is via a GPO

Create a new GPO and give it a meaning full name

Navigate to
Computer Configuration – Policies – Windows Settings – Security Settings – Public Key Policies – Trusted Root Certificate Authority
and choose Import

Import the rootCA.crt certificate

You can now close Group Policy.

Uploading Certificates to vSphere

The part went really smoothly for me due to a PowerShell script by Martijn Baecke that’s available on the VMware communities website.

See the post at http://communities.vmware.com/docs/DOC-14655 for full instructions on uploading the certs to vSphere.

Testing certificates from Clients

Finally we have everything in place and we are now ready to test the certificates for trust from out clients.

First thing to do is to issue a group policy update from the client. This will install the Root CA into the clients Trusted Root Certificate Authorities container

Once the update has been issues we can check that the certificate has been installed.

1. Click Start, click Run, type mmc, and then click OK.
2. In the File menu, click Add/Remove Snap-in.
3. In the Add/Remove Snap-in box, click Add.
4. In the Available Standalone Snap-ins list, click Certificates, and then click Add.
5. Click Computer Account, and then click Next.
6. Click the Local computer (the computer this console is running on) option, and then click Finish.
7. Click Close, and then click OK.

Expand Certificates – Trusted Root Certificate Authorities – Certificates and you should now see the RootCA installed

Finally open Internet Explorer and point the browser to your vCenter URL. If all has gone correctly the page will display without the certifcate security warning.

My next post will cover using a Windows CA to sign the CSR

ESXi Shell for the host has been enabled warning

So I have just spun up a new vSphere 5 install on my home lab.

One of the first things I wanted to do was fix the certificate error by replacing the default certificate with a one from my internal PKI.

The only way I can see to do this is via the shell. Shell access is disabled by default so the first thing to do was enable Shell access.

To enable shell access I went to the Configuration tab on the host and drilled down to Software – Security Profiles and enabled the ESXi Shell to Start and stop with host

I now have shell access enabled but I now also have a warning message on the host complaining about configuration issues and that ESXi Shell access has been enabled.

To disable the warning its simply a matter of going back to the Configuration tab on the host then – Software – Advanced Settings – uservars and changing the UserVars.SupressShellWarning to 1

List all installed updates on ESX

To get a list of all installed updates, execute this command in the ESX Server console:

esxupdate query

Terminating a stuck VM on ESX

One of the VM’s had got itself hung and wouldn’t power off correctly.

Getting the PID (Process ID) of the stuck VM and terminating it from the CLI worked for me.

Try the following command to resolve the issue

ps auxfww | grep <vmname>

The first number to appear in the output is your PID. The PID can be used to terminate the process by issuing kill -9 PID.

ESX 3.5 msg.hbacommon.corruptredo

One of my virtual machines was stuck in a powered on state after a reboot with the error

“msg.hbacommon.corruptredo: The RedoLog of SERVERNAME-0000001.vmdk has been detected to be corrupt. If the problem still persists, you may need to discard the redolog.”

Following this KB resolved the issue.