Home Lab Virtualization

vCenter with Embedded Platform Services Controller Install

With the core infrastructure of my lab set up, it’s now time to install vCenter to make management of my servers much easier.


Before you begin, add your desired vCenter name to your DNS before you try to install the appliance. If you forget to do this, the appliance will fail to install and you will need to start over.
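The DNS prerequisite above is the one that bites people, so here is a preflight check for it. This is an added example, not part of the original post: it creates the A record (and its PTR) on a Windows DNS server and then verifies forward and reverse resolution and that the address is not already in use before you launch the installer. The zone, hostname, IP and DNS server names are placeholders.

```powershell
# Added example (not from the original post): register the vCenter name in a Windows
# DNS zone and verify it resolves both ways before running the VCSA installer.
# All names and addresses below are placeholders; replace them with your own.
# Record creation needs the DnsServer module (DNS Server role or RSAT).

$Zone      = 'am.local'        # placeholder: your AD-integrated forward zone
$Hostname  = 'vcenter'         # placeholder: short name of the appliance
$Fqdn      = "$Hostname.$Zone"
$Ip        = '10.0.0.20'       # placeholder: the static IP you will give the appliance
$DnsServer = 'dc01.am.local'   # placeholder: the DNS server that hosts the zone

# Create the A record and its PTR in one call (the reverse zone must already exist).
Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $Zone -Name $Hostname `
    -IPv4Address $Ip -CreatePtr

function Test-VcsaDnsPrereq {
    param([string]$Fqdn, [string]$Ip, [string]$Server)
    $ok = $true

    # Forward lookup must return exactly the address the installer will be given.
    $a = Resolve-DnsName -Name $Fqdn -Type A -Server $Server -ErrorAction SilentlyContinue
    if (-not $a -or $a.IPAddress -notcontains $Ip) {
        Write-Warning "Forward lookup for $Fqdn did not return $Ip"
        $ok = $false
    }

    # Reverse lookup must map the address back to the same FQDN; the appliance
    # expects both directions to resolve.
    $ptr = Resolve-DnsName -Name $Ip -Type PTR -Server $Server -ErrorAction SilentlyContinue
    if (-not $ptr -or (($ptr.NameHost -replace '\.$', '') -ne $Fqdn)) {
        Write-Warning "Reverse lookup for $Ip did not return $Fqdn"
        $ok = $false
    }

    # The address must not already be answering on the network (duplicate IP).
    if (Test-Connection -ComputerName $Ip -Count 1 -Quiet) {
        Write-Warning "$Ip already responds to ping; pick a free address"
        $ok = $false
    }
    return $ok
}

if (Test-VcsaDnsPrereq -Fqdn $Fqdn -Ip $Ip -Server $DnsServer) {
    Write-Host "DNS prerequisites for $Fqdn are in place; safe to run the VCSA installer."
}
```

Run it from a machine on the management VLAN so the ping test sees the same network the appliance will live on; if any of the three checks warns, fix that before starting the installer rather than after it fails.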

Installing the vCenter Appliance

For this guide I am going to mount the .ISO for vCenter on a workstation that has access to my management VLAN. Once the image is mounted I am going to navigate to \vcsa-ui-installer\Win32 and run installer.exe.

You’re given options to Install, Upgrade, Migrate, or Restore.

  • Click Install
  • Click Next to get past the Introduction
  • Accept the EULA
  • Select the option for Embedded Platform Service Controller

If you’re new to vCenter and want to know the difference between an Embedded and an External Platform Services Controller, just know that VMware is deprecating the external Platform Services Controller in future appliances, so it is a moot point.

At this point the installer will want to talk to one of the ESXi hosts so that it can install vCenter. You can use either the IP address or FQDN of the host followed by the username and password that you use to access vSphere’s management web interface and then click Next.

You will get a Certificate Warning screen which you can accept and continue past.

Next up you will want to give your vCenter a VM name and a unique root password. Best practice here is to name your VM the same as what you expect the host name to be.

Next the installer wants to know how big and powerful to make your vCenter.

  1. Take a look at the deployment size table to figure out where you fit.
  2. Most labs and small businesses can probably use Tiny.
  3. Click Next

Select your desired datastore and click next.

You now need to configure your Network Settings.

  1. Select which Network (or port group) you want vCenter to use. 
  2. Select a static IP assignment
  3. Enter the FQDN you added to your DNS as the prerequisite mentioned at the start of this post
  4. Type the IP address you selected for vCenter to use
  5. Enter your subnet
  6. Enter your Default gateway
  7. Enter the IP addresses of your DNS servers
  8. Click Next

Verify your settings and click Finish to begin the install.

Once the install is complete you should get a message that states that vCenter has been successfully installed.

Setting up the vCenter Appliance

If everything goes well the installer should automatically move you to the vCenter setup wizard; if there are any issues you can always get there via your web browser by typing https://FQDN:5480 into your browser, replacing FQDN with the fully qualified domain name of your vCenter server.

  1. Select which NTP servers you’d like vCenter to use to keep its time synchronized.
  2. Enable SSH access
  3. Click Next

You may be prompted with an IP Address change warning. If you do, you can safely click OK.

On the SSO configuration screen:

  • Type vsphere.local for your Single Sign-On domain name
  • Type a password for your Administrator account
  • Click Next

To be clear, you can name your SSO domain whatever you want; however, once we set up AD integration with vSphere you should never really use this account (like your root account).

Home Lab Servers

Windows Server 2019 KMS Setup

In my last post I discussed how to set up a KMS server on Windows Server 2016; however, if you’re currently looking for a setup guide, I am guessing you’re probably licensed for Server 2019 with downgrade rights to 2016. If this is true then even if you’re not ready to upgrade your infrastructure to Windows Server 2019, it does make sense to at least have your KMS server installed at the highest available level for future growth.

Install the Volume Activation Service Role via Server Manager

To install the role, start Server Manager:

  1. Click Manage
  2. Click Add Roles and Features

Click Role-based or feature-based installation and click Next, followed by clicking Next again on the Server Selection page.

On the Server Roles selection page select Volume Activation Services and click Next.

You will get a popup informing you of what features will be needed for the Server Role to function properly. Go ahead and click Add Features.

Continue to push Next throughout following screens:

  • Volume Activation Services information screen
  • Results screen, once the roles & features are fully installed.

Activate the KMS Server via the Server Manager

Navigate back to Server Manager and click the flag to get to Volume Activation Tools.

You should now be prompted to select your Volume Activation Method. For this process we will choose Key Management Service (KMS) and click Next.

Now type your KMS host key and click Commit.

Once your key is installed you will need to activate your product. As long as you have internet access you can power through a series of screens to complete this task without issue.

The final steps will have the Server Manager modify your firewall and update your DNS records for you. Make sure to check the appropriate boxes for KMS firewall exceptions before you click Commit.

Home Lab Servers

Windows Server 2016 KMS Setup

Note: There is an issue with using the Roles and Features Wizard that will result in the wizard crashing before completion, which is why I recommend activating the KMS server via the command prompt.

Install the Volume Activation Service Role via PowerShell

From PowerShell run the following command on the server you want to promote to a KMS Server:
Install-WindowsFeature -Name VolumeActivation -IncludeAllSubFeature

Activate the KMS Server via Command Prompt

Open an elevated command prompt and paste the following and then press Enter:
cscript.exe %windir%\system32\slmgr.vbs /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
Make sure to replace the series of X’s with the KMS host key you acquired from the Microsoft Volume Licensing Portal.
After pressing Enter you should see a message that the product key was installed successfully.

As long as you have internet on your KMS server you can activate your product by typing the following into the open command prompt window:
cscript.exe %windir%\system32\slmgr.vbs /ato

KMS Firewall Configuration via Command Prompt

Generally I am going to turn off the firewall on the Windows server hosting the KMS server; however, if you want to keep your firewall on, these are the commands to get KMS inbound/outbound traffic through the Windows Firewall:

  1. With an elevated command prompt type the following and press Enter:
    netsh advfirewall firewall add rule name="KMS Traffic" dir=in protocol=tcp action=allow localport=1688 remoteip=localsubnet profile=DOMAIN
  2. Now type the following and press Enter:
    netsh advfirewall set allprofiles state on
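The Server 2019 and Server 2016 KMS posts above describe the same four steps (role install, host key, activation, firewall rule). Here they are as one PowerShell script with a verification step at the end. This is an added example and not the original posts’ code; the product key is a placeholder, and the firewall rule is the PowerShell equivalent of the netsh command above, scoped to the local subnet on the Domain profile rather than disabling the firewall.

```powershell
# Added example (not from the original posts): KMS host setup as one script.
# Run from an elevated PowerShell session on the server that will be the KMS host.
# The key below is a placeholder; paste your KMS host key from the Volume Licensing portal.

$KmsHostKey = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'   # placeholder: your KMS host key
$Slmgr      = Join-Path $env:windir 'System32\slmgr.vbs'

# 1. Install the Volume Activation Services role (what the Server Manager wizard does).
Install-WindowsFeature -Name VolumeActivation -IncludeAllSubFeature -IncludeManagementTools

# 2. Install the KMS host key and activate the host against Microsoft (needs internet).
cscript.exe //Nologo $Slmgr /ipk $KmsHostKey
cscript.exe //Nologo $Slmgr /ato

# 3. Firewall: allow KMS clients (TCP 1688) from the local subnet on the Domain profile.
#    Widen -RemoteAddress if your clients sit on other VLANs, otherwise they will not
#    be able to reach the host to activate.
if (-not (Get-NetFirewallRule -DisplayName 'KMS Traffic' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'KMS Traffic' -Direction Inbound -Protocol TCP `
        -LocalPort 1688 -RemoteAddress LocalSubnet -Profile Domain -Action Allow | Out-Null
}
Set-NetFirewallProfile -All -Enabled True

# 4. Verify: the host reports itself as licensed, and the _vlmcs._tcp SRV record that
#    KMS clients use to find the host exists in DNS (the host registers it itself when
#    dynamic DNS updates are allowed).
function Test-KmsHost {
    param([string]$DnsDomain = $env:USERDNSDOMAIN)

    $licenseInfo = cscript.exe //Nologo $Slmgr /dlv
    $licensed    = (($licenseInfo -join "`n") -match 'License Status:\s+Licensed')

    $srv   = Resolve-DnsName -Name "_vlmcs._tcp.$DnsDomain" -Type SRV -ErrorAction SilentlyContinue
    $srvOk = [bool]$srv

    [pscustomobject]@{
        HostLicensed   = $licensed
        SrvRecordFound = $srvOk
        SrvTarget      = if ($srvOk) { $srv.NameTarget } else { $null }
    }
}

Test-KmsHost
```

If HostLicensed comes back false, the /ato step did not reach Microsoft; if SrvRecordFound is false, clients will not auto-discover the host and you will need to either allow dynamic updates for the host or create the SRV record by hand.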

Home Lab Servers

Primary Domain Controller Setup

Note: Before you begin adding your domain controller roles make sure your target server has a static IP address.

Add PDC Roles and Features

To create a primary Domain controller start Server Manager:

  1. Click Manage
  2. Click Add Roles and Features

Click Role-based or feature-based installation and click Next, followed by clicking Next again on the Server Selection page.

On the Server Roles selection page select:

  1. Active Directory Domain Services
  2. DHCP Server
  3. DNS Server

As each role is selected you will get a popup informing you of what features will be needed for the Server Role to function properly. Click Add Features on each pop-up and then click Next.

Continue to push Next throughout following screens:

  • Additional Features Installation
  • AD info and best practices screen
  • DHCP info and best practices screen
  • DNS info and best practices screen

When you get to the confirmation screen make sure to review your settings and click Install.

Once the installation is complete you can begin configuring the server roles by clicking directly on the link on the installation progress page.

Configuring the Active Directory Role

If you closed out the roles and features installation wizard before configuring any newly installed features you can use the Server Manager. Click on the flag icon and then click Promote this server to a domain controller.

Select Add a new forest and give your root domain a name. My personal preference here is to give the root domain an easy, short name. For example, AdminMonkeysLLC might be better off as just AM.local or AM.internal. As you sysadmin your way through the infrastructure, the simplicity and fewer keystrokes will be a blessing.

Select your forest and domain functional level, leave the domain controller capabilities at their default settings, give your DSRM a password and click Next.

Continue to push your way through wizard by:

  • Ignoring the DNS delegation error
  • Verifying the NetBIOS name
  • Verifying the AD Database location
  • Reviewing your Configuration
  • Completing the prerequisite check and clicking Next.

Once the install is complete you will be forced to sign out and log back in using your newly created domain.

Creating Active Directory OUs and Users

With the Active Directory role installed the first thing I am going to do is create my OU structure followed by creating a new admin user.

Create the user account and the password policy that works best for you. In this scenario my user will be a backup admin service account with a very complex password. Because of this I have chosen not to have the password expire however if you have an active admin account on your network I’d recommend having the password changed regularly.

Next I will add this user to the Domain Admins, Enterprise Admins, Schema Admins, and Group Policy Creator Owners groups.

Note: Not all of these groups are necessarily needed; however, this will be the account I use for forest upgrades (hence Schema Admins), and this will be the account I use for installing my SQL Server, which requires me to be an Enterprise Admin.

Finally I am going to log out of the default administrator account, login with the newly created domain admin account and disable the built in administrator account for security reasons.
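The same forest promotion, OU structure, admin service account, group membership and built-in Administrator disablement described in the last few sections can be done from PowerShell. This is an added example, not the original post’s code: the domain name and the four groups follow the post’s examples, while the OU names, the service-account name and the paths are placeholders. It also adds one guard the wizard does not: it refuses to disable the built-in Administrator until the replacement account is confirmed to be in Domain Admins, so you cannot lock yourself out.

```powershell
# Added example (not from the original post): PDC promotion and first admin account.
# Part 1 runs as the local Administrator and reboots the server; run Part 2 after
# logging back in with the new domain credentials. Names marked placeholder are mine.

# ---- Part 1: roles and forest promotion ----
Install-WindowsFeature -Name AD-Domain-Services, DHCP, DNS -IncludeManagementTools

$dsrmPassword = Read-Host -Prompt 'DSRM password' -AsSecureString
$forestParams = @{
    DomainName                    = 'am.local'       # the post's example root domain
    DomainNetbiosName             = 'AM'
    ForestMode                    = 'WinThreshold'   # 2016 functional level; 2019 adds no new level
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true
    CreateDnsDelegation           = $false           # the delegation error the post ignores is expected on a new forest
    SafeModeAdministratorPassword = $dsrmPassword
    Force                         = $true
}
Install-ADDSForest @forestParams      # reboots when finished

# ---- Part 2: OU structure, admin service account, group membership ----
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName          # e.g. DC=am,DC=local

foreach ($ou in 'Servers', 'Workstations', 'Service Accounts', 'Admins') {   # placeholder OU names
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDn -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDn -ProtectedFromAccidentalDeletion $true
    }
}

$svcName     = 'svc-backup'                            # placeholder: backup admin service account
$svcPassword = Read-Host -Prompt "Password for $svcName" -AsSecureString
New-ADUser -Name $svcName -SamAccountName $svcName -UserPrincipalName "$svcName@am.local" `
    -Path "OU=Service Accounts,$domainDn" -AccountPassword $svcPassword `
    -Enabled $true -PasswordNeverExpires $true          # the post's choice for this one account

# The four groups from the post. Schema Admins and Enterprise Admins are only needed for
# the forest upgrades and SQL install the post mentions; drop them for an everyday admin.
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Group Policy Creator Owners') {
    Add-ADGroupMember -Identity $group -Members $svcName
}

# Disable the built-in Administrator, but only after confirming the replacement account
# really is in Domain Admins. RID 500 is always the built-in Administrator, whatever it
# has been renamed to, so look it up by SID rather than by name.
function Disable-BuiltInAdministrator {
    param([string]$ReplacementAccount)
    $members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object -ExpandProperty SamAccountName
    if ($members -notcontains $ReplacementAccount) {
        throw "$ReplacementAccount is not in Domain Admins; refusing to disable the built-in Administrator"
    }
    $domainSid = (Get-ADDomain).DomainSID.Value
    $builtIn   = Get-ADUser -Identity "$domainSid-500"
    Disable-ADAccount -Identity $builtIn
    return $builtIn.SamAccountName
}
Disable-BuiltInAdministrator -ReplacementAccount $svcName
```

Keep the DSRM password somewhere safe and separate from the domain admin credentials; it is the only way back into the directory if the domain itself is broken.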

Configuring the DHCP Server

Using Server Manager, click on the flag icon and then click Complete DHCP configuration.

This will create two new security groups:

  • DHCP Administrators
  • DHCP Users

You don’t have to do anything besides clicking Next however it is good to take note of the above changes.

If you’re still using the domain admin account we created previously, you can click the Commit button to authorize this DHCP server in your AD.

Once the security groups have been created and the DHCP server has been authorized you can close out of the wizard.

The next step will be to open the DHCP application and then:

  1. Right click on IPv4
  2. Select New Scope…

I am going to start by creating a small scope for newly created servers. First I am going to give it a name:

Followed by an IP range. As mentioned this will be a small scope of 20 IPs between the range of 150 and 170 on a /24 subnet.

Click Next on the Exclusions and Delay screen. (You should rarely ever need to use an exclusion.)

Select your DHCP lease duration. For workstations and IoT devices the default of 8 days should be fine. For my server scope I am going to change it to 1 day, as I am likely going to be giving any servers on my network a static IP.

Configure your DHCP options now which will include identifying your default gateway:

Followed by listing your DNS servers. Since this is the first server on my network I will only have the one however when I add a backup I will need to edit these settings.

When finished with your first scope you will want to repeat these steps for all the VLANs you have planned out for your network.

Create a Reverse DNS Lookup Zone

Open your DNS Manager and right click on the Reverse Lookup Zones and then click New Zone…

When the New Zone Wizard begins select the following options:

  • Primary Zone
  • To all DNS servers running on domain controllers in the domain
  • IPv4 Reverse Lookup Zone

For the Network ID you’re going to want to put in the first three octets of the IP range you’re creating a reverse lookup for. When you’re done, go ahead and repeat these steps for each IP scope you have on your network.
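The DHCP scope from the previous section and the reverse lookup zone from this one cover the same subnet, so here they are built together in PowerShell on the new domain controller. This is an added example, not the original post’s code: the 150 to 170 range and the 1-day lease are the post’s values, while the subnet, gateway, DC address and DC name are placeholders. The reverse zone name is derived from the subnet so the two stay consistent, and the function at the end returns what was configured so you can check it.

```powershell
# Added example (not from the original post): authorize DHCP, create the server scope
# with its options, and create the matching AD-integrated reverse lookup zone.
# Run on the DC with the domain admin account created earlier. Placeholders are marked.

$Subnet    = '10.0.0.0'          # placeholder: the /24 the server scope lives on
$Router    = '10.0.0.1'          # placeholder: default gateway for that subnet
$DcAddress = '10.0.0.5'          # placeholder: this DC's static IP (also the DNS server)
$DcFqdn    = 'dc01.am.local'     # placeholder: this DC's FQDN
$DnsDomain = 'am.local'          # the post's example domain

# --- DHCP: authorize the server in AD (the wizard's Commit step) and build the scope ---
if (-not (Get-DhcpServerInDC | Where-Object IPAddress -eq $DcAddress)) {
    Add-DhcpServerInDC -DnsName $DcFqdn -IPAddress $DcAddress
}

Add-DhcpServerv4Scope -Name 'Servers' -StartRange '10.0.0.150' -EndRange '10.0.0.170' `
    -SubnetMask '255.255.255.0' -LeaseDuration (New-TimeSpan -Days 1) -State Active

# Scope options: default gateway (option 3), DNS server (6) and DNS domain (15).
# Add the backup DC to -DnsServer once it exists, as the post notes.
Set-DhcpServerv4OptionValue -ScopeId $Subnet -Router $Router -DnsServer $DcAddress -DnsDomain $DnsDomain

# --- DNS: reverse lookup zone for the same /24, replicated to all DCs in the domain ---
$NetworkId       = "$Subnet/24"
$ReverseZoneName = (($Subnet -split '\.')[2..0] -join '.') + '.in-addr.arpa'   # 10.0.0.0 -> 0.0.10.in-addr.arpa
if (-not (Get-DnsServerZone -Name $ReverseZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $NetworkId -ReplicationScope Domain -DynamicUpdate Secure
}

# Return a summary of the scope and zone so the values can be checked against the plan.
function Test-ScopeAndReverseZone {
    param([string]$ScopeId, [string]$ZoneName)
    $scope = Get-DhcpServerv4Scope -ScopeId $ScopeId
    $opts  = Get-DhcpServerv4OptionValue -ScopeId $ScopeId
    $zone  = Get-DnsServerZone -Name $ZoneName
    [pscustomobject]@{
        ScopeState         = $scope.State
        LeaseDays          = $scope.LeaseDuration.TotalDays
        Router             = ($opts | Where-Object OptionId -eq 3).Value
        DnsServers         = ($opts | Where-Object OptionId -eq 6).Value
        ReverseZone        = $zone.ZoneName
        ZoneIsDsIntegrated = $zone.IsDsIntegrated
    }
}
Test-ScopeAndReverseZone -ScopeId $Subnet -ZoneName $ReverseZoneName
```

Repeat the scope and zone part once per VLAN by changing the four placeholder addresses; -DynamicUpdate Secure on the reverse zone means only domain-joined machines can register their own PTR records, which is what you want on an AD-integrated zone.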

Your domain controller is now set up and configured to manage the 3 most vital roles in your infrastructure. Coming up next I will quickly cover setting up a backup domain controller. Stay tuned…


Creating a Virtual Machine in vSphere

To create a virtual machine login to vSphere and:

  1. Click on Virtual Machines
  2. Select Create/Register VM

This will initiate the virtual machine creation wizard. Click Create a new virtual machine and click Next.

The next page allows you to configure the following:

  1. Name: Give your VM a name. Best practice is to give it the same name as the intended hostname
  2. Compatibility: Generally you will want to make your VM compatible with the latest version of vSphere.
  3. Guest OS Family: Select between Windows, Linux, or Other
  4. Guest OS Version: Based off the guest OS family you will now be able to select the version. In my example I am creating a VM for Windows Server 2019 which is a newer OS than vSphere supports so I selected Server 2016.

Pick where you want to store your VM and click Next

The next page in the wizard allows you to customize your VM. It will have the recommended resource settings based off the Guest OS, but you still need to:

  1. Configure disk provisioning. Thin for VMs that won’t see a lot of write usage and Thick Eager Zeroed if the VM will see high write usage.
  2. Configure the adapter type: Click the drop-down and select VMXNET 3 if using a Windows VM. Leave it at E1000 for Linux VMs.
  3. Select which VLAN the VM will run on (if using multiple VLANs)
  4. Change the drop-down to Datastore ISO file and point it to the ISO in your datastore.
  5. Make sure the Connected box is checked after adding your ISO
  6. Verify and click Finish

Once the VM is created and provisioned in vSphere, you can power it on and install your OS like you normally would.
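The same VM build can be scripted with VMware PowerCLI, which is useful once you are creating more than one or two. This is an added example, not the post’s own code: the guest OS, thin disk and VMXNET 3 choices follow the post, while the host address, datastore, port group, ISO path and VM sizing are placeholders. The summary function at the end returns the settings the wizard shows on its Verify page.

```powershell
# Added example (not from the original post): create the Windows Server VM from this
# post with VMware PowerCLI. Requires the VMware.PowerCLI module
# (Install-Module VMware.PowerCLI). Placeholders are marked.

Import-Module VMware.PowerCLI
$esxi = Connect-VIServer -Server 'esxi01.am.local' -Credential (Get-Credential -Message 'ESXi root')   # placeholder host

$vmParams = @{
    Name              = 'DC01'                        # placeholder; same as the intended hostname, as the post advises
    VMHost            = (Get-VMHost -Server $esxi | Select-Object -First 1)
    Datastore         = 'datastore1'                  # placeholder datastore
    GuestId           = 'windows9Server64Guest'       # Windows Server 2016 guest ID, the post's choice for a 2019 guest
    NumCpu            = 2                             # placeholder sizing
    MemoryGB          = 4
    DiskGB            = 60
    DiskStorageFormat = 'Thin'                        # post: Thin for low-write VMs, EagerZeroedThick for high-write
    NetworkName       = 'VM Traffic'                  # placeholder port group
    CD                = $true                         # add a CD/DVD drive so the ISO can be attached
}
$vm = New-VM @vmParams

# The post switches Windows VMs to VMXNET 3; New-VM creates the adapter with the
# default type, so change it here.
Get-NetworkAdapter -VM $vm | Set-NetworkAdapter -Type Vmxnet3 -Confirm:$false | Out-Null

# Attach the installer ISO from the datastore and connect it at power on.
Get-CDDrive -VM $vm |
    Set-CDDrive -IsoPath '[datastore1] ISO/WindowsServer2019.iso' -StartConnected:$true -Confirm:$false |   # placeholder path
    Out-Null

# Return the settings a reviewer would check before first power-on.
function Get-VmBuildSummary {
    param($Vm)
    [pscustomobject]@{
        Name        = $Vm.Name
        GuestId     = $Vm.ExtensionData.Config.GuestId
        NicType     = (Get-NetworkAdapter -VM $Vm).Type
        DiskFormat  = (Get-HardDisk -VM $Vm).StorageFormat
        IsoAttached = (Get-CDDrive -VM $Vm).IsoPath
    }
}
Get-VmBuildSummary -Vm $vm
Start-VM -VM $vm | Out-Null
```

Check NicType reads Vmxnet3 and DiskFormat reads Thin in the summary before starting the OS install; both are much easier to change before the guest is installed than after.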


Basic FortiGate Setup

This guide covers the very basics on how to get a brand new FortiGate setup. By basic I mean “How to get internet flowing in and out of your local area network.”

Creating a Direct Connection

When setting up a FortiGate for the first time a connection between a PC and the FortiGate’s management interface needs to be made. Higher end FortiGates will have a dedicated management port as seen below:

While lower end FortiGates will have one of the Ports pre-configured for management access.

Connect a laptop to the management port, which should have a DHCP server ready to hand out an IP address. Once your computer has acquired an IP, navigate to in your browser and log in with the username admin, leaving the password field blank. You should be prompted to change your password:

Setup the WAN Interface

Once you have logged into your FortiGate, the first thing we will want to do is set up your WAN interface.

  1. Click the Network Tab
  2. Click Interfaces
  3. Click the physical interface you will use for internet and click Edit

Note: Not all FortiGates will have a port dedicated for a WAN. You may need to pick a port that makes the most logical sense.

On the Edit Interface screen make sure to address the following:

  1. Alias is solely to make tracking rules easier. I recommend naming it after your ISP
  2. Addressing mode should be set to Manual (unless you’re using a dynamic IP from your ISP)
  3. Enter the IP/Network Mask your ISP assigned you
  4. Check the box next to HTTPS
  5. Check the box next to Ping
  6. Click OK

Note: Checking HTTPS and PING makes the firewall’s admin interface reachable, and the WAN address pingable, from the internet, which is handy for remote troubleshooting. If you do not want external access to the firewall, leave those options unchecked.

Setup LAN Interface

There are a few different ways to set up a LAN. Some people will take a whole group of ports and link them together to create a physical or virtual switch. Personally, I do all of my switching on a dedicated core switch, so in this tutorial I will be configuring only one port for my local area network.

  1. Click the Network Tab
  2. Click Interfaces
  3. Click the physical interface you will use for your local area network
  4. Click Edit

On the Edit Interface screen make sure to address the following:

  1. Make sure to set the role of the interface to LAN
  2. As mentioned before, give this port an Alias
  3. Set the addressing mode to Manual
  4. Enter what you would like your Firewall’s internal IP to be
  5. Check the box next to HTTPS
  6. Check the box next to SSH
  7. Check the box next to Ping
  8. Make sure DHCP Server is off
  9. Click OK

Note: If you’re setting up a very small environment that is not using an AD server, you could use the DHCP Server option here to hand out IPs.

Configuring Default Route

After your interfaces are configured navigate to:

  1. Network
  2. Click Static Routes and click Create New
  3. From the Interface drop-down menu select your WAN interface
  4. Destination should be set for a default route
  5. Enter the Gateway Address provided by the ISP
  6. Click OK

At this point the FortiGate should now be communicating with the outside world. As you can see in the image below, I am getting a notification from FortiGate to register my product.

Allowing Outbound Traffic (Quickly)

  1. Click on Policies & Objects
  2. Click on IPv4 Policy and click Create New

On the New Policy screen make sure to address the following:

  1. Give your policy an easy to understand name (without spaces)
  2. Incoming Interface should be the port connected to your local area network
  3. Outgoing Interface should be your WAN
  4. Source should be all
  5. Destination should be all
  6. Schedule should be always
  7. Service should be ALL
  8. Enable NAT
  9. And click OK

At this point you should now have a functioning network. All devices on your LAN will be allowed to access the internet while all inbound traffic will be blocked.

If your site is hosting servers that require outside access, such as web servers, surveillance systems, or an on-premises VoIP system, you’ll need to create some objects and more rules, but I’ll cover that in a later post.

On one final note, if there is one place I frequently see a firewall setup get butchered, it is Policies & Objects. Recently I was given the task of cleaning up a firewall that had over 120 rules in place. After a few days of sorting through the madness, I was able to get the firewall rules down to just fifteen. While that might be the most extreme case of excessive firewall rules I have ever come across, it is not uncommon to see around 30 to 45 unneeded rules that are just causing headaches. With that being said, you can expect a post that covers firewall rules in greater depth coming very soon.


Configuring vSphere Networking (Basic Setup)

Continuing from my previous post on configuring vSphere’s web management, I am now going to log in to my newly accessible admin page and configure my networking. Please note that because this is my lab and I am limited on available NICs, this setup is not best practice. I’d also note that I have seen numerous small businesses operate on a very similar configuration until they either grew or needed high availability, which resulted in me needing to update their configuration to a best-practice scenario.

By default VMware puts all VM traffic on the same NIC as the management network. Assuming you have at least two NICs on your host, the first thing we want to do is dedicate one NIC to management and the other to VM traffic. To begin:

  1. Click on Networking
  2. Then Right Click on VM Network
  3. Select Remove

Next we will create a new vSwitch and assign your unused NIC as the uplink. To do this you will want to:

  1. Click on Virtual Switches
  2. Click on Add Standard Virtual Switch
  3. Give your vSwitch a name (Generally I like to name each switch in numerical order however you could name it something like vSwitch-VMTraffic)
  4. Assign the physical NIC you want to use as the uplink. (FYI this should be the NIC that is connected to a trunk port on your switch, or at the very least connected to your main network.)
  5. Click Add

The final step is to recreate your VM Traffic port group and assign it your newly created vSwitch. To do that we want to:

  1. Click on Port groups
  2. Click on Add port group
  3. Give your port group a name
  4. Assign the port group to your newly created vSwitch
  5. Click Add

In a later post I will dive a little deeper into creating a more complex network with VLANs, high availability, and optimal performance for features like vMotion, but for now my very basic virtual network is complete and I am almost ready to start creating virtual machines.
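The three steps in this post (remove the default VM Network, create a second vSwitch on the spare NIC, recreate the VM port group) can also be done with VMware PowerCLI. This is an added example, not the post’s own code; the host name, NIC name, vSwitch and port group names are placeholders. It adds a guard the web UI does not: before using the spare NIC it checks that the NIC is not an uplink of the vSwitch carrying the management vmkernel port, since assigning that NIC elsewhere would cut you off from the host.

```powershell
# Added example (not from the original post): split VM traffic onto its own vSwitch
# with VMware PowerCLI. Requires the VMware.PowerCLI module. Placeholders are marked.

Import-Module VMware.PowerCLI
$esxi     = Connect-VIServer -Server 'esxi01.am.local' -Credential (Get-Credential -Message 'ESXi root')   # placeholder host
$vmhost   = Get-VMHost -Server $esxi | Select-Object -First 1
$spareNic = 'vmnic1'        # placeholder: the NIC that is NOT the management uplink

# Guard: find the uplinks of every vSwitch that carries a management-enabled vmkernel
# port, and refuse to reuse one of them.
function Get-ManagementUplinks {
    param($VMHost)
    $mgmtSwitches = Get-VMHostNetworkAdapter -VMHost $VMHost -VMKernel |
        Where-Object ManagementTrafficEnabled |
        ForEach-Object { Get-VirtualPortGroup -VMHost $VMHost -Name $_.PortGroupName } |
        ForEach-Object { $_.VirtualSwitch }
    return ($mgmtSwitches | ForEach-Object { $_.Nic } | Select-Object -Unique)
}
if ((Get-ManagementUplinks -VMHost $vmhost) -contains $spareNic) {
    throw "$spareNic is an uplink of the management vSwitch; pick a different NIC"
}

# 1. Remove the default "VM Network" port group that shares the management NIC.
Get-VirtualPortGroup -VMHost $vmhost -Name 'VM Network' -ErrorAction SilentlyContinue |
    Remove-VirtualPortGroup -Confirm:$false

# 2. New standard vSwitch with the spare NIC as its only uplink.
$vs = New-VirtualSwitch -VMHost $vmhost -Name 'vSwitch1' -Nic $spareNic   # placeholder name

# 3. Recreate the VM traffic port group on the new vSwitch.
New-VirtualPortGroup -VirtualSwitch $vs -Name 'VM Traffic' | Out-Null         # placeholder name

# Show the resulting layout: each vSwitch with its uplinks and port groups.
function Get-VSwitchLayout {
    param($VMHost)
    Get-VirtualSwitch -VMHost $VMHost | ForEach-Object {
        [pscustomobject]@{
            vSwitch    = $_.Name
            Uplinks    = ($_.Nic -join ',')
            PortGroups = ((Get-VirtualPortGroup -VirtualSwitch $_).Name -join ',')
        }
    }
}
Get-VSwitchLayout -VMHost $vmhost
```

After it runs, the layout should show vSwitch0 with only the management uplink and port groups, and the new vSwitch with the spare NIC and the VM traffic port group. Add -VLanId to New-VirtualPortGroup when the uplink is on a trunk port and you want tagged VM traffic.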

Home Lab Virtualization

Configuring vSphere Web Management

After a fresh install of vSphere on a host it can only be accessed via a directly connected keyboard and monitor. To configure vSphere so you can access its management over the network, press the F2 key at the following screen.

At the authentication screen you will want to use root for the login name and whatever password was entered during the initial installation.

Once you have logged in to vSphere you’ll want to use the arrow keys to navigate to Configure Management Network and press Enter.

First select Network Adapters and verify the NIC selected is the one you intend to use for vSphere management.

Next navigate to IPv4 Configuration and:

  1. Press the spacebar on Set static IPv4 address and network configuration
  2. Enter your desired host IPv4 Address, subnet, and default gateway
  3. Press Enter to save your changes.

Navigate to IPv6 Configuration and press the space bar on Disable IPv6 and then press Enter

Optionally you can now set up your DNS Configuration and (if you’re using one) the VLAN for your management network.

Once you are all done exit the Configure Management Network menu and you will be prompted to reboot by pressing “Y“.

Once the host reboots you should be able to use any computer that has access to the management network and navigate to the vSphere web management interface by typing the IP address into your web browser, which should give you a certificate error.

Ignore the certificate warning and you will be able to access the vSphere Web Management portal.

Home Lab Virtualization

Installing vSphere

Installing vSphere is a pretty straightforward process. Once you boot off the media that contains the vSphere installation files you will be greeted by the VMware welcome screen.

Press F11 to accept the EULA and continue

Next VMware will want to know where to install vSphere. This is probably the only part of the installation process where careful consideration is needed.

I’d recommend installing vSphere on its own drive and NOT on the same datastore where you intend to put your VMs.

Newer hosts will have an internal spot for an SD card; these Lenovo servers have an M.2 slot with an advertised maximum capacity of 32GB (which I think they intended to be used for this purpose), but in my case I will be using a flash drive to install and run vSphere on.

Once you have made the decision on where to install vSphere, the rest is pretty straight forward. The next screen will have you select a keyboard language layout.

Followed by selecting your root password. (Obviously important and the password you will be using to gain access to vSphere once it is installed.)

Finally you will get a last warning that you’re about to erase everything on the drive you selected for the vSphere installation; press F11 to continue and start the installation process.

Within a few minutes you should get a message stating that the installation was completed successfully.

It is now safe to remove the installation media. Once removed, press Enter to reboot the host.

If you haven’t done so yet, make sure that your host is set to boot off the drive you selected during the installation process.

Once the host boots you should see a screen that looks like the following:

vSphere is now installed and ready to be configured!

Home Lab Virtualization

Creating a Bootable VMware ESXi USB Drive

The vSphere installer comes in ISO format; however, VMware doesn’t have any official tool to convert that image to a bootable USB drive. The third-party tool Rufus is the quickest and easiest way to convert that image so you can load vSphere on hosts that don’t have a CD-ROM drive.

The steps are pretty simple:

  1. From the drop down select your USB drive
  2. Navigate to your downloaded ISO
  3. Optionally name your USB drive
  4. Click the Start button

Now get a cup of coffee and when you return your USB key will be ready to go. Don’t forget to safely eject the drive when done!