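# VMhost Advanced Options -- see OneNote for documentation
# used to customize the first host of each model per datacenter (host profile will be extracted from this), run the entire code
# also used for customizations that made host profiles angry
# add to distributed switches first
# pre create the syslog folder for each host
# set the logdir datastore/path value using code below
# if this is not the first host per datacenter, stop after logdir value, host profile SHOULD do the rest
#
# Sections, in order: advanced settings (shell/DCUI timeouts, MOB off, ESX Admins auto-add off, syslog),
# syslog logDir/logHost, Pub 1075 password/lockout settings, vmkernel adapters, network coredump, NTP,
# static backup route, SSH firewall allow-list, then lockdown mode. Every section reads $VMHostName and
# branches on $VMHostDatacenter.Name; a datacenter name that matches no case leaves that section's
# per-site variables unset, so check the switch blocks when adding a new datacenter.

$VMHostName = 'itdvmmdntel08.nd.gov'
$VMHost = Get-VMHost -Name $VMHostName
$VMHostCluster = $VMHost | Get-Cluster
$VMHostDatacenter = $VMHost | Get-Datacenter
$EsxCli = Get-EsxCli -VMHost $VMHostName -V2

# set advanced settings
# shell/DCUI idle timeouts (seconds); MOB disabled; ESX Admins AD group auto-add disabled and the group name blanked
Get-VMHost -Name $VMHostName | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 300 -Confirm:$false
Get-VMHost -Name $VMHostName | Get-AdvancedSetting -Name UserVars.ESXiShellTimeOut | Set-AdvancedSetting -Value 900 -Confirm:$false
Get-VMHost -Name $VMHostName | Get-AdvancedSetting -Name UserVars.DcuiTimeOut | Set-AdvancedSetting -Value 600 -Confirm:$false
Get-VMHost -Name $VMHostName | Get-AdvancedSetting -Name Config.HostAgent.plugins.solo.enableMob | Set-AdvancedSetting -Value false -Confirm:$false
Get-VMHost -Name $VMHostName | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd | Set-AdvancedSetting -Value false -Confirm:$false
Get-VMHost -Name $VMHostName | Get-AdvancedSetting -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value "" -Confirm:$false
Get-VMHost -Name $VMHostName | Get-AdvancedSetting -Name Config.HostAgent.plugins.vimsvc.authValidateInterval | Set-AdvancedSetting -Value 90 -Confirm:$false
# strictX509Compliance only applies to ssl:// syslog targets; the logHost below is tcp://, so it has no effect on that transport
Get-VMHost -Name $VMHostName | Get-AdvancedSetting -Name Syslog.global.certificate.strictX509Compliance | Set-AdvancedSetting -Value true -Confirm:$false
Get-VMHost -Name $VMHostName | Get-AdvancedSetting -Name Syslog.global.logLevel | Set-AdvancedSetting -Value info -Confirm:$false

# scratch and syslog
# $ScratchPath is kept for the commented-out ScratchConfig line; only $LogDirDatastore is used by the 2024 syslog values
switch ($VMHostDatacenter.Name) {
    'Primary Datacenter' {
        $ScratchPath = '/vmfs/volumes/5ef4c13d-6318953e-620e-6cc217314910/scratch'
        $LogDirDatastore = 'VMALL1_006_FS92_SCRATCH'
    }
    'Secondary Datacenter' {
        $ScratchPath = '/vmfs/volumes/5ef4be61-1084f19b-ca0a-6cc217314690/scratch'
        $LogDirDatastore = 'VMALL2_007_FS92_SCRATCH'
    }
    'DCN Datacenter' {
        $ScratchPath = '/vmfs/volumes/6463c3f5-1ffe01b3-3837-e0071befea78/scratch'
        $LogDirDatastore = 'VMDCN1_40_V5K'
    }
    'Grand Forks Vantis' {
        $ScratchPath = '[VMVNTS_040_V5K] syslog/itdvmgfvnts02'
        $LogDirDatastore = 'VMVNTS_040_V5K'
    }
    'Test Primary Datacenter' {
        $ScratchPath = '/vmfs/volumes/5f36e52c-93f96f5c-3c43-6cc2172ed4d0/scratch'
        $LogDirDatastore = 'VMTEST_001_FS92_SCRATCH'
    }
    'Test Secondary Datacenter' {
        $ScratchPath = '/vmfs/volumes/5f36e52c-93f96f5c-3c43-6cc2172ed4d0/scratch'
        $LogDirDatastore = 'VMTEST_001_FS92_SCRATCH'
    }
}
#Get-VMHost -Name $VMHostname | Get-AdvancedSetting -Name ScratchConfig.ConfiguredScratchLocation | Set-AdvancedSetting -Value ($ScratchPath + $VMhostName.split('.')[0]) -Confirm:$false
#Get-VMHost -Name $VMHostName | Get-AdvancedSetting -Name Syslog.global.logDir | Set-AdvancedSetting -Value "$LogDirDatastore] syslog" -Confirm:$false
#Get-VMHost -Name $VMHostName | Get-AdvancedSetting -Name Syslog.global.logDirUnique | Set-AdvancedSetting -Value true -Confirm:$false

# 2024 syslog values
# logDir already carries the short hostname, which is why logDirUnique is false (it would otherwise nest another hostname folder)
$VMHostNameShort = $VMHostName.split('.')[0]
Get-VMHost -Name $VMHostName | Get-AdvancedSetting -Name Syslog.global.logDir | Set-AdvancedSetting -Value ("[$LogDirDatastore] syslog/$VMHostNameShort") -Confirm:$false
Get-VMHost -Name $VMHostName | Get-AdvancedSetting -Name Syslog.global.logDirUnique | Set-AdvancedSetting -Value false -Confirm:$false
# tcp:// is plain-text syslog forwarding; switch to ssl:// if the collector supports it to get the strictX509Compliance check above
Get-VMHost -Name $VMHostName | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "tcp://itdvmlogging1.nd.gov:514" -Confirm:$false

# Pub 1075 requirements, no longer included in host profile
# password policy: 3 retries, single-class passwords disabled, 14-character minimum for four-class; lock after 3 failures; remember 24
Get-VMHost -Name $VMHostName | Get-AdvancedSetting -Name "Security.PasswordQualityControl" | Set-AdvancedSetting -Value "retry=3 min=disabled,disabled,disabled,disabled,14" -Confirm:$false
Get-VMHost -Name $VMHostName | Get-AdvancedSetting -Name "Security.AccountLockFailures" | Set-AdvancedSetting -Value "3" -Confirm:$false
Get-VMHost -Name $VMHostName | Get-AdvancedSetting -Name "Security.PasswordHistory" | Set-AdvancedSetting -Value "24" -Confirm:$false

# vmkernel adapters (vMotion + backup) -- only Production-General datacenters get vmk1/vmk2 created here
switch ($VMHostDatacenter.Name) {
    'Primary Datacenter'        { $Environment = 'Production-General' }
    'Secondary Datacenter'      { $Environment = 'Production-General' }
    'DCN Datacenter'            { $Environment = 'Production-DCN' }
    'Grand Forks Vantis'        { $Environment = $null }
    'Test Primary Datacenter'   { $Environment = 'Sandbox' }
    'Test Secondary Datacenter' { $Environment = 'Sandbox' }
}
switch ($Environment) {
    'Production-General' {
        # vmk1/vmk2 reuse the last octet of the management (vmk0) address.
        # Take the A record only: a mixed A/AAAA answer makes .IPAddress an array and .split() would fail.
        $vmk0IP = (Resolve-DnsName -Name $VMHostName -Type A | Select-Object -First 1).IPAddress
        $vmk1IP = '10.8.142.' + $vmk0IP.split('.')[3]
        $vmk2IP = '10.2.170.' + $vmk0IP.split('.')[3]
    }
}
switch ($VMHostDatacenter.Name) {
    'Primary Datacenter' {
        Get-VMHost -Name $VMHostname | New-VMHostNetworkAdapter -VirtualSwitch 'dvSwitch-PDC-VMotion' -PortGroup 'dvPG_PDC_VMotion' -IP $vmk1IP -SubnetMask 255.255.254.0 -VMotionEnabled $true
        Get-VMHost -Name $VMHostname | New-VMHostNetworkAdapter -VirtualSwitch 'dvSwitch-PDC-Backup' -PortGroup 'dvPG_3534_10.2.170.0_24' -IP $vmk2IP -SubnetMask 255.255.255.0
    }
    'Secondary Datacenter' {
        Get-VMHost -Name $VMHostname | New-VMHostNetworkAdapter -VirtualSwitch 'dvSwitch-SDC-VMotion' -PortGroup 'dvPG_SDC_VMotion' -IP $vmk1IP -SubnetMask 255.255.254.0 -VMotionEnabled $true
        Get-VMHost -Name $VMHostname | New-VMHostNetworkAdapter -VirtualSwitch 'dvSwitch-SDC-Backup' -PortGroup 'dvPG_3534_10.2.170.0_24' -IP $vmk2IP -SubnetMask 255.255.255.0
    }
    'DCN Datacenter' { }
    'Grand Forks Vantis' { }
}

# set vmkernel capabilities
# NOTE(review): vmk1/vmk2 are assumed to already exist on the DCN/Vantis/Test hosts -- confirm before running there
Get-VMHostNetworkAdapter -VMHost $VMHostName -Name vmk0 | Set-VMHostNetworkAdapter -VSphereReplicationEnabled $true -VSphereReplicationNfcEnabled $true -Confirm:$false
Get-VMHostNetworkAdapter -VMHost $VMHostName -Name vmk1 | Set-VMHostNetworkAdapter -VMotionEnabled $true -Confirm:$false
Get-VMHostNetworkAdapter -VMHost $VMHostName -Name vmk2 | Set-VMHostNetworkAdapter -VSphereBackupNfcEnabled $true -Confirm:$false

# core dump - disable coredump file, enable network coredump
$CoreDumpArgs = $EsxCli.system.coredump.file.set.CreateArgs()
$CoreDumpArgs.enable = $false
$EsxCli.system.coredump.file.set.invoke($CoreDumpArgs)

# network coredump target: collector per site, sent from vmk0 on port 6500
$CoreDumpArgs = $EsxCli.system.coredump.network.set.CreateArgs()
$CoreDumpArgs.serverport = 6500
$CoreDumpArgs.interfacename = 'vmk0'
switch ($VMHostDatacenter.Name) {
    'Primary Datacenter'   { $CoreDumpArgs.serveripv4 = '10.8.145.25' }
    'Secondary Datacenter' { $CoreDumpArgs.serveripv4 = '10.8.145.26' }
    'DCN Datacenter'       { $CoreDumpArgs.serveripv4 = '10.8.145.25' }
    'Grand Forks Vantis'   { $CoreDumpArgs.serveripv4 = '10.8.145.25' }
}
#$CoreDumpArgs.serveripv4 = '10.8.145.25'
$EsxCli.system.coredump.network.set.invoke($CoreDumpArgs)
# enable is a separate call: the set command does not accept enable together with the server arguments
$CoreDumpArgs = $EsxCli.system.coredump.network.set.CreateArgs()
$CoreDumpArgs.enable = $true
$EsxCli.system.coredump.network.set.invoke($CoreDumpArgs)
$EsxCli.system.coredump.network.get.invoke()

# ntp - set NTP server and set service to start/stop with host
Get-VMHost -Name $VMHostName | Add-VMHostNtpServer -NtpServer 10.2.7.40, 10.10.10.10
Get-VMHost -Name $VMHostName | Get-VMHostService | Where-Object { $_.Key -eq "ntpd" } | Set-VMHostService -Policy On

# static route for backups: 10.2.169.0/24 via the site's backup gateway on vmk2
$ParamsToAdd = @{ network = '10.2.169.0/24' }
switch ($VMHostDatacenter.Name) {
    'Primary Datacenter'   { $ParamsToAdd.gateway = '10.2.170.1' }
    'Secondary Datacenter' { $ParamsToAdd.gateway = '10.2.170.1' }
    # the DCN/Vantis cases used to assign $CoreDumpArgs.serveripv4 here (copy/paste from the coredump block),
    # leaving the route with no gateway; DCN uses the 10.2.118.241 gateway recorded in the note below
    'DCN Datacenter'       { $ParamsToAdd.gateway = '10.2.118.241' }
    # no backup vmkernel adapter is created for Grand Forks Vantis above, so no gateway and no route
    'Grand Forks Vantis'   { }
}
if ($ParamsToAdd.ContainsKey('gateway')) {
    $EsxCli.network.ip.route.ipv4.add.Invoke($ParamsToAdd)
}
else {
    # a route add without a gateway fails; make the skip visible instead of producing an esxcli error
    Write-Warning "No backup gateway defined for datacenter '$($VMHostDatacenter.Name)'; static route not added."
}
<#
$params = @{
    network = '10.2.169.0/24' ## check subnet mask, should be /24 after collapsing the Cohesity subnets
    gateway = '10.2.170.1' ## General 10.2.170.1, VDI 10.2.15.1, TEST 10.2.168.241 # DCN 10.2.118.241
}
#>
#$x = $esxcli.network.ip.route.ipv4.list.Invoke() | Where-Object {$_.Interface -eq 'vmk2' -and $_.Network -eq '10.2.169.128'}
#$x | Add-Member -Name "Name" -MemberType NoteProperty -Value $VMHost.Name
#$null = $result.Add($x)
<## to remove static route
$paramsToRemove = @{
    network = '10.2.169.0/24'
    gateway = '10.2.170.1'
}
$EsxCli.network.ip.route.ipv4.remove.Invoke($paramsToRemove)
##>

# sshServer firewall ### 10.8.145.46 itdvmutilp3, 10.29.40.0/23 adminvpn
# SSH stays enabled but restricted to the utility host and admin VPN range (allowedall = false)
Get-VMHost -Name $VMHostName | Get-VMHostFirewallException -Name 'SSH Server' | Set-VMHostFirewallException -Enabled $true
$sshArgs = $EsxCli.network.firewall.ruleset.set.CreateArgs()
$sshArgs.enabled = $true
$sshArgs.allowedall = $false
$sshArgs.rulesetid = 'sshServer'
$EsxCli.network.firewall.ruleset.set.invoke($sshArgs)
$AllowedIpArgs = $EsxCli.network.firewall.ruleset.allowedip.add.CreateArgs()
$AllowedIpArgs.ipaddress = "10.8.145.46"
$AllowedIpArgs.rulesetid = 'sshServer'
$EsxCli.network.firewall.ruleset.allowedip.add.invoke($AllowedIpArgs)
$AllowedIpArgs = $EsxCli.network.firewall.ruleset.allowedip.add.CreateArgs()
$AllowedIpArgs.ipaddress = "10.29.40.0/23"
$AllowedIpArgs.rulesetid = 'sshServer'
$EsxCli.network.firewall.ruleset.allowedip.add.invoke($AllowedIpArgs)

# lockdown mode last: once entered, direct host access is limited to vCenter and the exception users
(Get-VMHost -Name $VMHostName | Get-View).EnterLockdownMode()

<#ForEach($VMHostName in $VMHostNames){
    write-warning $VMHostName
    $EsxCli = Get-EsxCli -VMHost $VMHostName -V2
    $esxcli.network.ip.route.ipv4.list.Invoke() | Where-Object {$_.Interface -eq 'vmk2' -and $_.Network -eq '10.2.169.128'}
}#>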