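# VMhost Advanced Options -- see OneNote for documentation
# used to customize the first host of each model per datacenter (host profile will be extracted from this), run the entire code
# also used for customizations that made host profiles angry
# add to distributed switches first
# pre create the syslog folder for each host
# set the logdir datastore/path value using code below
# if this is not the first host per datacenter, stop after logdir value, host profile SHOULD do the rest
$VMHostName = 'itdvmmdntel08.nd.gov'
# -ErrorAction Stop: a mistyped host name must abort here instead of letting every
# following pipeline run against $null and "succeed" without changing anything.
$VMHost = Get-VMHost -Name $VMHostName -ErrorAction Stop
$VMHostCluster = $VMHost | Get-Cluster
$VMHostDatacenter = $VMHost | Get-Datacenter
$EsxCli = Get-EsxCli -VMHost $VMHostName -V2
# set advanced settings
# Setting name => value. The host object already in $VMHost is reused instead of
# re-querying vCenter once per setting. Values are the same literals the runbook
# has always passed (bare true/false are strings to PowerShell, numbers are ints).
$AdvancedSettings = [ordered]@{
    'UserVars.ESXiShellInteractiveTimeOut'                   = 300     # idle timeout for interactive shell/SSH sessions (seconds)
    'UserVars.ESXiShellTimeOut'                              = 900     # shell/SSH services auto-stop after this many seconds
    'UserVars.DcuiTimeOut'                                   = 600     # DCUI idle timeout (seconds)
    'Config.HostAgent.plugins.solo.enableMob'                = 'false' # Managed Object Browser off
    'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd' = 'false' # no automatic admin role for the AD "ESX Admins" group
    'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'        = ''      # and no group name to auto-add
    'Config.HostAgent.plugins.vimsvc.authValidateInterval'   = 90
    'Syslog.global.certificate.strictX509Compliance'         = 'true'
    'Syslog.global.logLevel'                                 = 'info'
}
foreach ($Setting in $AdvancedSettings.GetEnumerator()) {
    $VMHost | Get-AdvancedSetting -Name $Setting.Key | Set-AdvancedSetting -Value $Setting.Value -Confirm:$false
}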
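# scratch and syslog
# Per-datacenter scratch location and the datastore that holds the per-host syslog
# folders. The "syslog/<shortname>" folder must already exist on $LogDirDatastore (see header).
switch ($VMHostDatacenter.Name) {
    'Primary Datacenter' {
        $ScratchPath = '/vmfs/volumes/5ef4c13d-6318953e-620e-6cc217314910/scratch'
        $LogDirDatastore = 'VMALL1_006_FS92_SCRATCH'
    }
    'Secondary Datacenter' {
        $ScratchPath = '/vmfs/volumes/5ef4be61-1084f19b-ca0a-6cc217314690/scratch'
        $LogDirDatastore = 'VMALL2_007_FS92_SCRATCH'
    }
    'DCN Datacenter' {
        $ScratchPath = '/vmfs/volumes/6463c3f5-1ffe01b3-3837-e0071befea78/scratch'
        $LogDirDatastore = 'VMDCN1_40_V5K'
    }
    'Grand Forks Vantis' {
        $ScratchPath = '[VMVNTS_040_V5K] syslog/itdvmgfvnts02'
        $LogDirDatastore = 'VMVNTS_040_V5K'
    }
    'Test Primary Datacenter' {
        $ScratchPath = '/vmfs/volumes/5f36e52c-93f96f5c-3c43-6cc2172ed4d0/scratch'
        $LogDirDatastore = 'VMTEST_001_FS92_SCRATCH'
    }
    'Test Secondary Datacenter' {
        $ScratchPath = '/vmfs/volumes/5f36e52c-93f96f5c-3c43-6cc2172ed4d0/scratch'
        $LogDirDatastore = 'VMTEST_001_FS92_SCRATCH'
    }
    default {
        # Without this guard an unknown datacenter name would leave $LogDirDatastore empty
        # and the logDir below would be written as "[] syslog/<host>".
        throw "No scratch/syslog mapping defined for datacenter '$($VMHostDatacenter.Name)'"
    }
}
# legacy scratch / logDir handling, kept for reference only
#Get-VMHost -Name $VMHostname | Get-AdvancedSetting -Name ScratchConfig.ConfiguredScratchLocation | Set-AdvancedSetting -Value ($ScratchPath + $VMhostName.split('.')[0]) -Confirm:$false
#Get-VMHost -Name $VMHostName | Get-AdvancedSetting -Name Syslog.global.logDir | Set-AdvancedSetting -Value "$LogDirDatastore] syslog" -Confirm:$false
#Get-VMHost -Name $VMHostName | Get-AdvancedSetting -Name Syslog.global.logDirUnique | Set-AdvancedSetting -Value true -Confirm:$false
# 2024 syslog values
$VMHostNameShort = $VMHostName.Split('.')[0]
# NOTE(review): logHost uses plain tcp://, so log traffic is unencrypted in transit and the
# strictX509Compliance setting above has nothing to check; ssl:// would be the protected option — confirm with the logging team.
$SyslogSettings = [ordered]@{
    'Syslog.global.logDir'       = "[$LogDirDatastore] syslog/$VMHostNameShort"
    'Syslog.global.logDirUnique' = 'false'   # the per-host folder is already part of logDir
    'Syslog.global.logHost'      = 'tcp://itdvmlogging1.nd.gov:514'
}
foreach ($Setting in $SyslogSettings.GetEnumerator()) {
    Get-VMHost -Name $VMHostName | Get-AdvancedSetting -Name $Setting.Key | Set-AdvancedSetting -Value $Setting.Value -Confirm:$false
}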
# Pub 1075 requirements, no longer included in host profile
# Setting name => value, applied in order. Values stay strings, exactly as the runbook passed them.
$PasswordPolicy = [ordered]@{
    # passwdqc "min=" classes N0..N4: only four-class passwords are accepted, at 14+ characters
    'Security.PasswordQualityControl' = 'retry=3 min=disabled,disabled,disabled,disabled,14'
    'Security.AccountLockFailures'    = '3'
    'Security.PasswordHistory'        = '24'
}
foreach ($Policy in $PasswordPolicy.GetEnumerator()) {
    Get-VMHost -Name $VMHostName | Get-AdvancedSetting -Name $Policy.Key | Set-AdvancedSetting -Value $Policy.Value -Confirm:$false
}
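# vmkernel adapters for vMotion and backups (the backup static route itself is added further down)
# $Environment selects the vmk1/vmk2 addressing scheme; only Production-General hosts get derived addresses.
switch ($VMHostDatacenter.Name) {
    'Primary Datacenter'        { $Environment = 'Production-General' }
    'Secondary Datacenter'      { $Environment = 'Production-General' }
    'DCN Datacenter'            { $Environment = 'Production-DCN' }
    'Grand Forks Vantis'        { $Environment = $null }
    'Test Primary Datacenter'   { $Environment = 'Sandbox' }
    'Test Secondary Datacenter' { $Environment = 'Sandbox' }
    default { throw "No environment mapping defined for datacenter '$($VMHostDatacenter.Name)'" }
}
switch ($Environment) {
    'Production-General' {
        # vmk1/vmk2 reuse the last octet of the management (vmk0) address. Read it from the
        # host's own vmk0 instead of DNS: Resolve-DnsName can return several records
        # (CNAME + A), in which case .IPAddress is an array and .split() fails.
        $vmk0IP = (Get-VMHostNetworkAdapter -VMHost $VMHostName -Name vmk0).IP
        $LastOctet = $vmk0IP.Split('.')[3]
        $vmk1IP = "10.8.142.$LastOctet"
        $vmk2IP = "10.2.170.$LastOctet"
    }
}
switch ($VMHostDatacenter.Name) {
    'Primary Datacenter' {
        Get-VMHost -Name $VMHostName | New-VMHostNetworkAdapter -VirtualSwitch 'dvSwitch-PDC-VMotion' -PortGroup 'dvPG_PDC_VMotion' -IP $vmk1IP -SubnetMask 255.255.254.0 -VMotionEnabled $true
        Get-VMHost -Name $VMHostName | New-VMHostNetworkAdapter -VirtualSwitch 'dvSwitch-PDC-Backup' -PortGroup 'dvPG_3534_10.2.170.0_24' -IP $vmk2IP -SubnetMask 255.255.255.0
    }
    'Secondary Datacenter' {
        Get-VMHost -Name $VMHostName | New-VMHostNetworkAdapter -VirtualSwitch 'dvSwitch-SDC-VMotion' -PortGroup 'dvPG_SDC_VMotion' -IP $vmk1IP -SubnetMask 255.255.254.0 -VMotionEnabled $true
        Get-VMHost -Name $VMHostName | New-VMHostNetworkAdapter -VirtualSwitch 'dvSwitch-SDC-Backup' -PortGroup 'dvPG_3534_10.2.170.0_24' -IP $vmk2IP -SubnetMask 255.255.255.0
    }
    'DCN Datacenter' {
        # no vmk1/vmk2 created by this runbook
    }
    'Grand Forks Vantis' {
        # no vmk1/vmk2 created by this runbook
    }
}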
# set vmkernel capabilities
# vmk0: replication + replication NFC, vmk1: vMotion, vmk2: backup NFC.
# NOTE(review): vmk1/vmk2 are only created above for the Primary/Secondary datacenters;
# on other hosts the lookup for those adapters is expected to report an error — confirm.
$VmkCapabilities = @{
    vmk0 = @{ VSphereReplicationEnabled = $true; VSphereReplicationNfcEnabled = $true }
    vmk1 = @{ VMotionEnabled = $true }
    vmk2 = @{ VSphereBackupNfcEnabled = $true }
}
foreach ($VmkName in 'vmk0', 'vmk1', 'vmk2') {
    $Capabilities = $VmkCapabilities[$VmkName]
    Get-VMHostNetworkAdapter -VMHost $VMHostName -Name $VmkName | Set-VMHostNetworkAdapter @Capabilities -Confirm:$false
}
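# core dump - disable coredump file, enable network coredump
# The local coredump file is switched off first; dumps go to the per-datacenter
# collector on port 6500 via the management interface (vmk0).
$CoreDumpArgs = $EsxCli.system.coredump.file.set.CreateArgs()
$CoreDumpArgs.enable = $false
$EsxCli.system.coredump.file.set.invoke($CoreDumpArgs)
$CoreDumpArgs = $EsxCli.system.coredump.network.set.CreateArgs()
$CoreDumpArgs.serverport = 6500
$CoreDumpArgs.interfacename = 'vmk0'
switch ($VMHostDatacenter.Name) {
    'Primary Datacenter'   { $CoreDumpArgs.serveripv4 = '10.8.145.25' }
    'Secondary Datacenter' { $CoreDumpArgs.serveripv4 = '10.8.145.26' }
    'DCN Datacenter'       { $CoreDumpArgs.serveripv4 = '10.8.145.25' }
    'Grand Forks Vantis'   { $CoreDumpArgs.serveripv4 = '10.8.145.25' }
    default {
        # The Test datacenters have no collector entry; without this guard the set call
        # below would run with serveripv4 still unset, after the file dump was already disabled.
        throw "No network coredump collector defined for datacenter '$($VMHostDatacenter.Name)'"
    }
}
#$CoreDumpArgs.serveripv4 = '10.8.145.25'
$EsxCli.system.coredump.network.set.invoke($CoreDumpArgs)
# enabling is done as a second, separate set call once the collector settings are in place
$CoreDumpArgs = $EsxCli.system.coredump.network.set.CreateArgs()
$CoreDumpArgs.enable = $true
$EsxCli.system.coredump.network.set.invoke($CoreDumpArgs)
# echo the resulting configuration for the run log
$EsxCli.system.coredump.network.get.invoke()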
# ntp - set NTP server and set service to start/stop with host
$NtpServers = @('10.2.7.40', '10.10.10.10')
Get-VMHost -Name $VMHostName | Add-VMHostNtpServer -NtpServer $NtpServers
# ntpd policy "On": the service starts and stops together with the host
Get-VMHost -Name $VMHostName | Get-VMHostService | Where-Object Key -eq 'ntpd' | Set-VMHostService -Policy On
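# static route for backups
# Routes the backup (Cohesity) subnet via the backup-network gateway of this datacenter.
$ParamsToAdd = @{
    network = '10.2.169.0/24'
}
switch ($VMHostDatacenter.Name) {
    'Primary Datacenter'        { $ParamsToAdd.gateway = '10.2.170.1' }
    'Secondary Datacenter'      { $ParamsToAdd.gateway = '10.2.170.1' }
    'DCN Datacenter'            { $ParamsToAdd.gateway = '10.2.118.241' }
    'Grand Forks Vantis'        { $ParamsToAdd.gateway = '' }   # no backup route at this site
    'Test Primary Datacenter'   { $ParamsToAdd.gateway = '10.2.168.241' }
    'Test Secondary Datacenter' { $ParamsToAdd.gateway = '10.2.168.241' }
    default { throw "No backup route gateway defined for datacenter '$($VMHostDatacenter.Name)'" }
}
if ([string]::IsNullOrEmpty($ParamsToAdd.gateway)) {
    # Grand Forks Vantis: an empty gateway is not a valid route, so skip the add instead of
    # handing esxcli an argument it will reject.
    Write-Warning "No backup static route configured for '$($VMHostDatacenter.Name)'"
} else {
    $EsxCli.network.ip.route.ipv4.add.Invoke($ParamsToAdd)
}
# reference values, kept for the next person editing the table above
<#$params = @{
network = '10.2.169.0/24' ## check subnet mask, should be /24 after collapsing the Cohesity subnets
gateway = '10.2.170.1' ## General 10.2.170.1, VDI 10.2.15.1, TEST 10.2.168.241 # DCN 10.2.118.241
} #>
#$x = $esxcli.network.ip.route.ipv4.list.Invoke() | Where-Object {$_.Interface -eq 'vmk2' -and $_.Network -eq '10.2.169.0'}
#$x | Add-Member -Name "Name" -MemberType NoteProperty -Value $VMHost.Name
#$null = $result.Add($x)
<## to remove static route
$paramsToRemove = @{
network = '10.2.169.0/24'
gateway = '10.2.170.1'
}
$EsxCli.network.ip.route.ipv4.remove.Invoke($paramsToRemove)
##>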
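# sshServer firewall
### 10.8.145.46 itdvmutilp3, 10.29.40.0/23 adminvpn
# Order matters: the ruleset is restricted to an explicit source list and that list is
# populated BEFORE the ruleset is enabled. Enabling first (the previous order) left SSH
# reachable from any address until allowedall was switched off a few calls later.
$SshAllowedSources = @(
    '10.8.145.46'    # itdvmutilp3
    '10.29.40.0/23'  # adminvpn
)
# 1. restrict to the allowed-IP list only (no change to the enabled state here)
$sshArgs = $EsxCli.network.firewall.ruleset.set.CreateArgs()
$sshArgs.rulesetid = 'sshServer'
$sshArgs.allowedall = $false
$EsxCli.network.firewall.ruleset.set.invoke($sshArgs)
# 2. populate the allowed-IP list
foreach ($Source in $SshAllowedSources) {
    $AllowedIpArgs = $EsxCli.network.firewall.ruleset.allowedip.add.CreateArgs()
    $AllowedIpArgs.rulesetid = 'sshServer'
    $AllowedIpArgs.ipaddress = $Source
    $EsxCli.network.firewall.ruleset.allowedip.add.invoke($AllowedIpArgs)
}
# 3. only now open the SSH Server rule
Get-VMHost -Name $VMHostName | Get-VMHostFirewallException -Name 'SSH Server' | Set-VMHostFirewallException -Enabled $true
# lockdown last, after every direct-access setting above is in place
(Get-VMHost -Name $VMHostName | Get-View).EnterLockdownMode()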
<#ForEach($VMHostName in $VMHostNames){
write-warning $VMHostName
$EsxCli = Get-EsxCli -VMHost $VMHostName -V2
$esxcli.network.ip.route.ipv4.list.Invoke() | Where-Object {$_.Interface -eq 'vmk2' -and $_.Network -eq '10.2.169.128'}
}#>