Bulk changing port group settings for virtual machines in vSphere 5 with vSphere PowerCLI

Changing a virtual machine’s port group via the vSphere Client GUI is simple enough as it’s just 6 clicks but what if you had to change this for 70 virtual machines?  Working out the math equates to a total of 420 clicks!  This was the situation I was faced with when the master image that was used to deploy XenDesktop 5.5 virtual desktops was assigned the incorrect port group and since there were 70 desktops, I wasn’t too excited about using the GUI to make the change.  Enter vSphere 5’s vSphere PowerCLI where all of the repetitive actions we need to perform can be automated with the power of scripting.  The following may not be the most elegant solution as I’m in no way an expert with PowerCLI commands since I don’t regularly use it but I hope this will help others like myself who need a quick way to change port group settings for a large amount of virtual machines.

The first thing you’ll need to do is organize the virtual machines you need to make this change into a folder so you can reference this folder when executing the PowerCLI command:

Note too appealing is it?

Open up the vSphere PowerCLI window and begin by typing in the following command:

Connect-VIServer yourVcenterFQDN

From here, we’ll first try listing out the virtual machines that we’ll be changing the port group for via the Get-VM command.  More information about this command can be found @ the following link: http://www.vmware.com/support/developer/windowstoolkit/wintk40u1/html/Get-VM.html

Get-VM -Location “XenDesktop VDI Master Images”

This step is important because you should review what is actually being listed to ensure you don’t accidentally change the port group of a virtual machine you don’t want to.

So the change we want to make is to change the port group from a regular vSwitch’s VM Network:

… to a port group on a dvSwitch named:

dvPortGroup_130

Note that the name of the port group does not include the (dvSwitch_Production)

The next 2 commands we’ll be using are:

1. Set-VM
2. Get-NetworkAdapter

More information about these 2 commands can be found here:

Set-VM: http://www.vmware.com/support/developer/windowstoolkit/wintk40u1/html/Set-VM.html

Get-NetworkAdapter: http://www.vmware.com/support/developer/windowstoolkit/wintk40u1/html/Get-NetworkAdapter.html

As yet another sanity and validation check, execute the following command to confirm that the virtual machines our Get-VM is returning is set to the port group that we want to change:

Get-VM -Location “XenDesktop VDI Master Images” | Get-NetworkAdapter

Note how some of the line items have the dvPortGroup listed as the NetworkName.  This is because some of the virtual machines from our Get-VM command already has the correct port group set.

The next command we’ll be using is the Set-NetworkAdapter (more information about this command can be found here: http://www.vmware.com/support/developer/windowstoolkit/wintk40u1/html/Set-NetworkAdapter.html) which will allows us to set the port group by piping in the information we’ve retrieved in the previous commands.

Get-VM -Location “XenDesktop VDI Master Images” | Get-NetworkAdapter | Where {$_.NetworkName -eq “VM Network”} | Set-NetworkAdapter -NetworkName “dvPortGroup_VDI130” -Confirm:$false

Notice how I included the additional:

Where {$_.NetworkName -eq “VM Network”}

… which his used so that we only change the port groups for the virtual machines that are set to VM Network.

The additional switch at the end:

-Confirm:$false

… is used so that you will not be asked whether you *really* want to change the port group settings for each virtual machine.

Once you execute the command, you’ll see the status being displayed:

Upon completion, you’ll see the list of virtual machines’ adapters with the new port groups set:

If you had your vSphere client up during the change, you should see the Recent Tasks window list the changes:

As a sanity check because it’s always scary when you perform bulk updates like this is to have a look at the task history to ensure you did not inadvertently change the port group for virtual machines you didn’t want:

Now in the case of my virtual desktops, since they were assigned to an incorrect port group that had a DHCP server handing out IP addresses, all of them still retained the old IP address.  The quick and easy way to correct this is to either reboot the virtual machines via the vSphere Client or Desktop Studio GUI:

… or disconnect and reconnect their NICs.  I choose the later as I had some users on the virtual machines and did not want to create a boot storm either.  The following shows a way to disconnect and reconnect the NICs with a command:

Get-VM -Location “XenDesktop VDI Master Images” | Get-NetworkAdapter | Set-NetworkAdapter -Connected $false -Confirm:$false

Note that if you had some virtual machines turned off, you will get errors and warnings that looks something like this:

There isn’t really any harm since the command will just skip the virtual machine but a more elegant way to do it is to put a Where clause as I did earlier to skip powered off virtual machines.

Once all of the NICs have been disconnected, proceed with executing the following command with the connected switch set to true:

Get-VM -Location “XenDesktop VDI Master Images” | Get-NetworkAdapter | Set-NetworkAdapter -Connected $true -Confirm:$false

Again, if you had powered off virtual machines, you’d have errors thrown:

Not much to it once you get the hang of it but I’m sure I will forget this in the future so this blog will serve as something I can reference to in the future.

Configuring Microsoft Windows NLB (Network Load Balancing) for Citrix Web Interface 5.4 on Windows Server 2008 R2

I’m aware that Citrix has the public KB:

How to Configure Windows Network Load Balancing and Web Interface
http://support.citrix.com/article/CTX108812

… available but I noticed that the KB references Windows Server 2008 R2.  Since my environment consists of Windows Server 2008 R2, I went ahead and tried to search for a KB that showed how to configure NLB with Windows Server 2008 R2 but wasn’t able to find one.  I’ve done several NLBs in the past so rather than calling Citrix to ask, I just went ahead and configured it.  The following demonstrates what the process looks like.

Start by logging onto both of your Citrix Web Interface servers, open up the Server Manager navigate to the Features node and click on Add Features:

Continue and check the Network Load Balancing feature to install NLB:

Once the Network Load Balancing feature is installed, open up the Network Load Balancing Manager from the Administrative Tools folder:

Once you’re in the Network Load Balancing Manager console, click on the Cluster folder and select New:

Continue by adding the IP or name of your first Web Interface server:

Click the Connect button after you’ve entered the IP or name:

You should see the status Connected under the Connection status heading:

Proceed by clicking on next and you’ll be asked to assign a priority which is also a unique host identifier.  The dedicated IP address should be automatically entered for you as your server should be single homed (1 NIC):

Proceeding to the next screen will bring you to the New Cluster: Cluster IP Addresses window.  Click on the Add button:

In the Add IP Address window, proceed with entering your VIP (Virtual IP Address):

Once you’ve entered the VIP for the NLB cluster, you should see it listed in the New Cluster: Cluster IP Addresses window:

Proceeding to the next screen will allow you to select the cluster’s IP address and enter the Full Internet name which is what you’ve decided to use for your DNS name:

It’s important to note that we’ll be using Multicast mode for the cluster’s operation mode and rather than trying to explain it myself, refer to the following article if you want to know the difference between Unicast and Multicast:

http://technet.microsoft.com/en-us/library/cc782694(v=ws.10).aspx

**Note that because we’re using multicast mode for this cluster, make sure you ask your network engineer that he’ll need to create a static ARP entry on the layer 3 device with the MAC address listed below in the Network address field:

Proceeding on to the next screen will allow you to edit the port rules.  As best practice, you should lock down Web Interface servers by only allowing port 80 and 443 to limit possible surface attacks:

I won’t go into this but what you need to do is remove the port that covers 0 to 65535 and add 2 separate port rules (one for 80 and one for 443) into the windows above.

Once you’ve clicked the Finish button, the cluster will be created.  A successful cluster creation in Network Load Balancing Manager will look something like the following:

Now that we have our first web interface server added, proceed with adding the second web interface server by click on Cluster then Add Host:

Proceed with adding the IP or name of the second web interface server as you did with the first one:

Assign a priority and ensure the dedicated IP address is correct:

Configure the appropriate ports:

Complete the configuration and you’ll see the second node being added:

Upon completion of the convergence, you’ll see something similar to the following:

This completes the configuration but make sure you ask your network engineer to create a static ARP entry on the layer 3 device with the MAC address of the cluster (mapped to the VIP).  To retrieve that MAC address, right click on the cluster, click on Cluster Properties:

Within the cluster’s properties:

… click on the Cluster Parameters tab to get the MAC address of the cluster:

Note that your web interface’s NIC’s MAC address does not change:

Also note that NLB only protects you against server up down and not at the services level.

vSphere 5 virtual machine’s network adapter stuck with 2 port groups

I ran into an interesting issue today in a vSphere 5 / ESXi 5.0 environment with a few virtual machines that had 2 port groups listed in the network section of the properties:

What lead up to this was that the master image that was used to deploy XenDesktop 5.5 virtual desktops was assigned the incorrect port group and since there were 70 desktops, I went ahead and used PowerCLI to change all the NICs of the virtual desktops to the correct port group.  Shortly after that I noticed the master images and some (not all) virtual desktops which had Windows 7 or XP as the operating system were unable to obtain a DHCP lease.  Note that I know the screenshot above doesn’t show that the virtual machine has a 169.x.x.x IP address, the reason for this is because the virtual machine was shut off when I took the screenshot.

I took a few minutes to try and fiddle around with the network adapter’s port group by disconnected it, change the port group and changing it back then used PowerCLI commands to do the same and while changing the port group to a regular vSwitch network removed the dvSwitch port group, changing it back reverted it to the 2 port group being listed state.

I had little time to troubleshoot this and figured it was a bug so I got the client to give VMware a call and after spending a few minutes on the phone with the tech, he was asked to check for snapshots and if there were, delete it.  I’m not sure if this is supposed to be a surprise or not but deleting the snapshot fixed the port group issue:

This didn’t explain why I had the same issue with a few of my virtual desktops that were deployed by Citrix XenDesktop 5.5 but by the time we got an answer from VMware, I had already deleted and redeployed the problematic desktops.