Overview
The VMware-tools connection type is commonly used to reach a target Windows VM, either a Microsoft endpoint such as a jump box used to manage Microsoft AD/DNS/IPAM, or a newly provisioned Windows VM on which agent installs or custom scripts are run. It relies on the guest operations provided by the VMware Tools package installed on a vSphere VM: a script is written into the guest, executed to perform the action, and then removed.
This how-to guide focuses on the Jump Server scenario where you have a Windows server with Remote Server Administration Tools (RSAT) installed and configured that you use for managing Microsoft AD/DNS/IPAM through the SovLabs Microsoft plugins. This guide can be used to troubleshoot step by step to determine the root cause of failures during the Remoter phase of the SovLabs Microsoft plugins.
Considerations
This guide assumes you have a Windows VM on the network with the same connectivity to your vSphere environment as your vRO (vRealize Orchestrator) appliance, so that what you test from PowerShell reflects what the plugin does from vRO.
Specifically, connections are established from the client running PowerShell to vCenter (TCP port 443) and to the ESXi host running the jump server VM (TCP port 902). If either port is blocked, Copy-VMGuestFile and Invoke-VMScript fail even though the vCenter login succeeds.
Procedure
Install Module
If required, install the PowerCLI module on your Windows VM:
Install-Module -Name VMware.PowerCLI -Scope CurrentUser -Force
Setup Variables
Modify these to suit your environment.
$vcenter = "vcenter.domain"
$jumpserverfolder = "C:\SovLabs"
$jumpvm = "jumphost.domain"
$dnsserver = "domaincontroller.domain"
Get Credentials and Connect to vCenter
This example shows a small test script that lists the DNS zones available to the jump server user. It is a read-only process and changes nothing in DNS.
This step prompts for your vCenter credentials and then for the Windows credentials used on the jump server; these may or may not be the same account. The jump server credentials are passed to the guest through VMware Tools and are never stored on disk by this procedure.
$vcentercreds = (Get-Credential -Message "vCenter Credentials, user@domain.net")
$jumpcreds = (Get-Credential -Message "Jump Credentials DOMAIN\user")
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Credential $vcentercreds -Server $vcenter
$scriptfile = [System.IO.Path]::GetTempFileName()
$remotefile = [System.IO.Path]::Combine($jumpserverfolder,[System.IO.Path]::GetFileNameWithoutExtension($scriptfile)+".ps1")
Set-Content -Path $scriptfile -Value "Import-Module DnsServer`r`nGet-DnsServerZone -ComputerName $dnsserver"
Create Script and Run it
Using -Force on Copy-VMGuestFile creates the jump server folder if it is not present and overwrites an existing file of the same name.
Copy-VMGuestFile -Destination $remotefile -VM $jumpvm -LocalToGuest -GuestCredential $jumpcreds -Source $scriptfile -Force
Invoke-VMScript -ScriptText "powershell $remotefile" -VM $jumpvm -GuestCredential $jumpcreds
The expected output is a list of the DNS zones/domains the jump server user can read. The script writes nothing to DNS, but it is a good starting point for your own further testing. If Copy-VMGuestFile fails, check that VMware Tools is running on the jump server and that TCP 902 to its ESXi host is open; if the script runs but reports that the DnsServer module cannot be found, RSAT is not installed on the jump server (see Additional information below).
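The following script is an added example that ties the steps above into one runnable test; it is not part of the original article or the SovLabs plugin code. It adds the checks a troubleshooter wants before blaming the plugin: it verifies VMware Tools is running in the guest, makes the in-guest script report a distinct exit code when the RSAT DnsServer module is missing, runs the script with -File so that exit code propagates back through Invoke-VMScript, and removes the script from the guest afterwards as the connection type does. The host names, folder and DNS server are assumptions taken from the variables above and must be changed for your environment.

```powershell
# Added example (not from the original article): end-to-end test of the VMware Tools
# write/execute/remove path used by the SovLabs Remoter phase. Defaults are assumptions.
param(
    [string]$VCenter          = "vcenter.domain",
    [string]$JumpVM           = "jumphost.domain",
    [string]$JumpServerFolder = "C:\SovLabs",
    [string]$DnsServer        = "domaincontroller.domain"
)

Import-Module VMware.VimAutomation.Core -ErrorAction Stop

$vcenterCreds = Get-Credential -Message "vCenter credentials, user@domain.net"
$jumpCreds    = Get-Credential -Message "Jump server credentials, DOMAIN\user"

# Connect once (TCP 443 to vCenter); the session is reused by the guest operations below.
$vi = Connect-VIServer -Server $VCenter -Credential $vcenterCreds -ErrorAction Stop

# Check 1: guest operations need VMware Tools running inside the jump server.
$vm = Get-VM -Name $JumpVM -Server $vi -ErrorAction Stop
$toolsStatus = $vm.ExtensionData.Guest.ToolsRunningStatus
if ($toolsStatus -ne 'guestToolsRunning') {
    throw "VMware Tools is not running on $JumpVM (status: $toolsStatus)"
}

# Build the read-only test script locally. Exit code 2 means RSAT DnsServer is missing,
# which separates a jump server build problem from a connectivity or credential problem.
$localScript  = [System.IO.Path]::GetTempFileName()
$remoteScript = [System.IO.Path]::Combine(
    $JumpServerFolder,
    [System.IO.Path]::GetFileNameWithoutExtension($localScript) + ".ps1")

$body = @"
if (-not (Get-Module -ListAvailable -Name DnsServer)) {
    Write-Error 'RSAT DnsServer module is not installed on this jump server'
    exit 2
}
Import-Module DnsServer
Get-DnsServerZone -ComputerName '$DnsServer' |
    Select-Object ZoneName, ZoneType, IsDsIntegrated | Format-Table -AutoSize
"@
Set-Content -Path $localScript -Value $body -Encoding ASCII

try {
    # Copy into the guest (TCP 902 to the ESXi host); -Force creates the folder if needed.
    Copy-VMGuestFile -Source $localScript -Destination $remoteScript -VM $vm `
        -LocalToGuest -GuestCredential $jumpCreds -Force

    # Run with -File so the script's exit code propagates; -ExecutionPolicy Bypass is
    # scoped to this one process and changes no machine or user policy.
    $result = Invoke-VMScript -VM $vm -GuestCredential $jumpCreds -ScriptType PowerShell `
        -ScriptText "powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$remoteScript`"; exit `$LASTEXITCODE"

    $result.ScriptOutput
    if ($result.ExitCode -ne 0) {
        throw "Remote test script failed on $JumpVM with exit code $($result.ExitCode)"
    }
}
finally {
    # Remove the script from the guest, as the connection type does, so no copy of the
    # command is left in the jump server folder; then clean up locally and disconnect.
    Invoke-VMScript -VM $vm -GuestCredential $jumpCreds -ScriptType PowerShell `
        -ScriptText "Remove-Item -LiteralPath '$remoteScript' -Force -ErrorAction SilentlyContinue" | Out-Null
    Remove-Item -LiteralPath $localScript -Force -ErrorAction SilentlyContinue
    Disconnect-VIServer -Server $vi -Confirm:$false
}
```

Run it from the same Windows VM described under Considerations so the 443 and 902 paths match what vRO uses. A failure at Copy-VMGuestFile points at Tools or port 902, an exit code of 2 points at the RSAT installation on the jump server, and any other non-zero exit code is an error from Get-DnsServerZone itself (typically the jump server account lacking read access to the DNS server).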
Additional information
Configuring Remote Server Administration Tools on your Jumpbox