
vSphere Lab Build Out – The Domain Controller Deployment

When building out a lab the first thing I do is build out a Domain Controller and DNS server. I can then use AD for credential management, and the DNS functionality is helpful as well.  I also use that server to create an iSCSI target for my hosts.

1. Virtual Environment

The first step is to have your virtualization environment ready to go.  It’s easy enough to next-next-finish your way through the VMware Workstation install, so I won’t detail out those steps.

2. Download Windows ISOs

You can download the Server 2019 ISO here: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2019

Select ISO, fill out the info required, and then hit continue.  Select your language, and then start the download.

3. Create the Lab Domain Controller VM

  1. In VMware Workstation press CTRL+N to open the New Virtual Machine Wizard, and make sure Typical is selected, then click Next
  2. Select the option for Installer Disc Image File, and browse to the location you downloaded the Server 2019 ISO to then click Next
  3. Since this will be using the evaluation license leave the product key blank, enter a name and password, and then click Next.
  4. Accept the prompt about not having a product key
  5. Enter the name and location for the VM, and click Next again
  6. Use the default hard drive size of 60GB (another drive will be added later for the iSCSI target storage), and click Next
  7. Click Customize Hardware…
  8. Set the VM hardware
    1. Set the CPU and RAM to what you’d like.  I used 2 vCPUs and 8GB RAM on my VM.
    2. Change the Network Adapter to Bridged
    3. Click Close
  9. Uncheck the box for Power on this virtual machine after creation and click Finish.
  10. Now add the hard drive for the iSCSI target and remove the floppy drive.  In the library view right-click on the VM and click Settings
    1. Find the Floppy drive and click Remove (NOTE: If you don’t remove the floppy drive the OS install will encounter an error and fail), then click Add
      1. Select Hard Drive and click Next
      2. Leave the default drive (mine happens to be NVMe) and click Next
      3. Leave the default option to create a new drive and click Next
      4. Enter the size for the drive (I used 750GB) and click Next
      5. Leave the default file name and click Finish
    2. Click OK to finish the hardware changes
  11. Power on the VM

4. Install the OS to the Lab DC

NOTE: While in the VM you will need to press Ctrl+Alt to release the cursor to get to your desktop

  1. While the VM is booting you might see a prompt to press a key to boot from CD.  If that happens click into the window and press a key.
  2. Select the language, and keyboard settings
  3. Click Install Now
  4. When prompted to select the OS choose Windows Server 2019 Datacenter Evaluation (Desktop Experience) because we like graphical interfaces, and click Next
  5. Read through all of the license terms, and if you accept the terms check the box to accept them and click Next
  6. Select the Custom install option
  7. Select Drive 0, this should be the 60GB drive, and click Next
  8. Wait for the install to complete.  This might take some time.
  9. When the install is complete it will prompt for a password.  Set that and click Finish.
  10. The last thing to do for the VM deployment is to install VMware Tools.
    1. Log into the VM using the password set previously
    2. Right click on the VM in the Library and select Install VMware Tools
    3. Navigate to the D: drive and double click it.  That should kick off the Autorun for the installer.
    4. Follow the defaults for the install.  Next > Next > Install > Finish and then click Yes when prompted for a reboot.
The DC configuration will be detailed out in another posting in this series.

VMware lab design

I am going to be building out a lab to test out some automation tools in VMware, so I decided I’d write up a few posts detailing the process.  I’m calling this part Phase 1, where the goal will be to get two ESX hosts, vCenter, and vRealize up and working.  After that, I need to decide if I’ll go SRM, NSX, Horizon, or start playing with the Tanzu stuff.  For now though, vSphere and vRealize.

I put together a high-level design of what I will be building out:

(Shameless plug for Draw.io.  It’s an awesome tool for creating diagrams!)

I am running VMware Workstation on my desktop, so I’ll be running the entire lab within Workstation.  I’ll also point out that there are free eval copies of everything except vRealize Automation.  You can also register for the VMware User Group’s VMUG Advantage program and get access to 365-day trial licenses for everything except vRealize Automation.  More info on the VMUG Advantage program can be found here: https://www.vmug.com/membership/vmug-advantage-membership

My Home Lab

I recently decided to build up a PC for my home lab environment.  I know a lot of people find old rack mount servers that they use as a lab, but I didn’t want to deal with the space, power, or noise of a bunch of old servers.  Instead, I decided to build a desktop PC that could run everything I wanted.  

Here’s a list of my build, and why I selected the parts that I did.  I will point out that pricing and part availability have changed, so your mileage may vary.

1. The CPU 

AMD Ryzen Threadripper 3960X 24-Core ($1,349.99)

I chose this CPU for a few reasons.  First, the new Threadrippers can use up to 256GB RAM, so there’s plenty of room there.  Second, 24 cores.  This thing is fast!!  And third, when comparing against the other Threadripper CPUs this one was the cheapest.  I debated going with the 3970X, but I couldn’t justify the extra cost for it.

2. Motherboard

MSI TRX40 PRO WiFi Motherboard ($389.99)

When I started this build it was near the beginning of the COVID-19 pandemic, so some parts were in short supply.  One of the primary advantages of this board was that it was in stock.  Also, it has 2x PCIe 4.0 M.2 slots, it supports up to 256GB RAM, and it has PCIe 4.0 slots.

In hindsight, I wish I’d spent the extra $50 and gone with the MSI TRX40 PRO 10G Motherboard.

That’s effectively the same board, but it drops the built-in Wifi in favor of a 10GbE NIC.  Since a Wifi6 adapter (if needed) can be picked up for under $50, and a 10GbE NIC is nearly $100, it’s cheaper to just go with the 10G board.  Granted, doing that with both Wifi6 and 10GbE would consume an extra PCI slot.

3. CPU Cooler

Corsair H115i RGB Platinum AIO Liquid CPU Cooler ($169.99)

The Threadripper requires a water cooling solution, and since I didn’t want to mess with building a water cooling rig I went with an All-in-one (AIO) cooler.  First off, it’s important to be aware that there’s an H115 Pro and an H115 Platinum.  For the sTRX4 socket you need the Platinum version.  The copper base on the Pro series is too small for the sTRX4 CPUs.

This cooler has two 140mm fans and a 280mm radiator, which is what fit best with the case I selected.  One important thing to be aware of with this cooler with the MSI motherboard is the USB power connection covers one of the RAM slots when it’s installed.  However, there’s an easy fix for this. 

I got a Cerrxian 9Inch Micro USB Cable which has a low profile 90-degree micro USB connector, and now the cooler is connected and not blocking the RAM slot.  Additionally, I used a CY 50cm 10Pin Motherboard Female Header to Dual USB 2.0 Adapter Cable to connect to the motherboard header.

I can say that this cooler is amazing!  I can run Folding@home and get the CPU up over 90°C and when I stop folding the temp is down to 50°C in seconds.

4. RAM

OLOy DDR4 RAM 128GB (4x32GB) 3000 MHz ($529.99)

The most important thing for me when looking at RAM was getting 32GB DIMMs.  That way I’d be able to get the full 256GB the CPU and motherboard would support.  I ended up with this OLOy RAM because it was cost effective.  There are options for higher clock speeds, but I’m more concerned with memory capacity than speed.

5. Storage

Seagate Firecuda 520 2TB Performance Internal Solid State Drive SSD PCIe Gen4 X4 NVMe ($397.99 for 2TB, and $252.63 for 1TB)

I ended up going with two of these.  One 2TB drive, and a 1TB drive.  I have my OS and applications on the 1TB drive, and my VMs on the 2TB drive.  These drives are PCIe Gen4 drives, so they are stupidly fast.

6. GPU

XFX Rx 5700 XT Raw II ($379.99)

The GPU market is rapidly changing, but at the time of this build this card was one of the few PCIe 4.0 cards available.  I’m not a big 3D gamer, so I didn’t need the greatest GPU on the market.  This card seemed to be a good balance between cost and performance.

7. Case

CORSAIR CARBIDE SPEC-05 Mid-Tower ($66.23)

I didn’t want to spend a huge amount on one of the fancy RGB cases.  This one has enough room for the water cooler radiator, and room for three 120mm exhaust fans (two top, and one rear).  Coming from a full ATX case I like the smaller size, but I found it a tight fit between the exhaust fans and some of the motherboard connections.

8. Power Supply

EVGA 850 GQ, 80+ GOLD 850W ($169.99)

It’s an 850 Watt modular power supply.  It has two 8-pin CPU connectors.  All in all,  it fits what I needed.

9. Exhaust Fans

When I built this I ended up using a 3-pack of Thermaltake Pure Plus 12 RGB TT Premium Edition 120mm fans.  They work well enough, but since they use the Thermaltake RGB software, and the water cooler uses the Corsair software I wish I would have gone with the Corsair ML120 PRO 120mm fans.  Then they’d all be controlled by the same software.

Accessories:

There were three additional things that I added when I completed this build.  The first was a UPS.  I went with this: APC Sine Wave UPS Battery Backup & Surge Protector (BR1500MS).  This unit can support the 850W PSU (and a few other devices), and it has a USB port to trigger a shutdown in the event of a power loss.  I’ve had issues in the past with brownouts and in some cases I’ve had components damaged due to power fluctuations, so I’m happy with this.

The second item was an external storage array.  I used to run internal RAID sets, but it was always a pain when a drive failed to find which specific drive had failed, remove it, and RMA it.  So to solve that problem I added a 4-bay NAS, and loaded it with some old drives I had from my old PC.  I selected a QNAP TS-453Be-2G-US 4-Bay Professional NAS because it had front-accessible hot-swappable drives, it was expandable, and QNAP has a number of apps that can run natively on the appliance.

One of the apps that I can run on the QNAP is Plex.  Since Windows 10 removed Media Center I needed to find a new way to get my over-the-air TV recordings (Skol Vikings!).  I decided to go with a SiliconDust HDHomeRun HDHR5-2US Connect Duo Dual Tuner, and tie that in with Plex on the QNAP.

In some upcoming posts I’ll detail out what I’m running in the lab, and how I deployed the different environments.

Starting the CCDE journey

I’ve finally decided to start the trek toward the CCDE.  With the upcoming changes to the CCNA/CCNP/CCIE programs it made the decision easier.  I wasn’t going to finish a CCIE before February, so that route wasn’t an option.

Step 1: Figure out what to study

Cisco has provided a reading list here: https://learningnetwork.cisco.com/docs/DOC-1673

There’s also a learning matrix here: https://learningnetwork.cisco.com/community/certifications/ccde/written_exam/study-material

I went through both and compiled a book list.  I already had physical copies of most of the books.  I was able to find some used copies that were under $10.  Other books were out of print, or difficult to justify spending the money on when only a chapter or two were needed.  I also found that some of the books were available through Safari’s online library.

My library

Step 2: Study

I am hoping to take the written exam in the summer, so I have a lot of reading to do.  As I go through the different books I intend to detail some of the more challenging concepts here.  Doing so helps me reinforce what I’ve learned, and it might help some future reader grasp a topic.  I’m also planning to put more detail around what material I found helpful, and what I thought wasn’t a good use of time.

TOGAF 9.2 Certified

I recently finished the TOGAF 9 Part 2 exam.  Believe it or not, this exam is the follow-up to the TOGAF 9 Part 1 exam.  Having completed the Part 1 exam and certification process already, completing this exam upgrades my certification from TOGAF 9 Foundation to TOGAF 9 Certified.

If you don’t know what TOGAF is, or are unfamiliar with the Foundation certification, see my post on the Part 1 exam.

About the Exam

There are a couple things to be aware of with Part 2.  First off, it is an upgrade to Part 1.  This means that all the concepts are the same.  The big difference is that Part 1 focuses on knowing the TOGAF Standard, and its components.  Part 2 focuses on how it is used.  It’s also worth noting that the TOGAF 9 Certified certification replaces the TOGAF 9 Foundation certification.

The exam, on paper, looks deceivingly easy.  It is all of eight questions long.  No, these aren’t 8 questions with 14 sub-parts.  Nor are they simulations or other types of questions.  Just eight questions, with four answer choices each.  To pass you need to score at least 60%.  Also, each answer is weighted with the most correct answer being worth 5 points, the second best is 3 points, the next is only 1 point, and the worst answer will get you 0 points.  If you do the math, you can pass by getting the best answer five times, and completely missing the rest.  You could also get the second best answer for all eight questions and still pass.  The test is also open book.

Sounds easy, right?  Well, here’s where that takes a bit of a turn.  The questions are scenario based, which means there’s a lot of reading during the exam.  Also, because the answers are weighted it means it can be difficult to pick which of the four choices really is the best.

How I prepared

I took the Part 2 exam a week after I did the Part 1, so all of that studying was still fresh.

I picked up the Official TOGAF® 9 Certified Study Guide.

For this exam I decided to try one of the practice tests in the back of the book first, and use that to guide my studies.  I found that with the knowledge I had after my Part 1 training, combined with some critical thinking, I was able to pass the practice test with flying colors.

I then went through the questions a second time and I ranked the answers from what I thought was best to worst.  I had about 85% accuracy with that, so I felt confident enough in my understanding that I went ahead and scheduled the test.

The Exam

As usual, this is a proctored exam from a Pearson VUE test site.  The exam experience was uneventful.  I’ve taken plenty of tests at this site, so getting in and out was a breeze.

The one thing about the exam that I will say is that critical thinking is important.  You need to be able to evaluate four different answers to a scenario, and at times it can be difficult to really decide which one is best.

TOGAF 9.2 Foundation Certification

About the Exam

I recently passed the TOGAF 9.2 Part 1 exam.  This is an Enterprise Architecture exam from The Open Group.  The Open Group is an open group (who would have guessed?) that includes a number of big names.  You can read more about them at their site: https://www.opengroup.org/

The TOGAF certification actually contains two parts, Foundation and Certified.  You can earn the Foundation certification, and then upgrade to the full Certified status by completing an additional exam.  You can also sit both exams back to back and go directly to the Certified status.  More info on the certification can be found here: https://www.opengroup.org/certifications/togaf

For me, since I’m new to the TOGAF standard, I decided to do the Foundation exam first, and once I’ve finished that then move on to the Certified upgrade.

How I Prepared

For my study materials I bought the TOGAF® 9 Foundation Study Guide – 4th Edition.

After reading through the book I think it’s a decent read.  It can be repetitive at times, but since some of the concepts are new to me I actually think it’s helpful.  There are practice tests included in the book, and they are almost identical to the separate practice tests sold by The Open Group.  If you get the book then I wouldn’t bother getting the practice tests.

I also watched a Pluralsight video series on TOGAF.  The thing I liked about the video series was the use of a fictional enterprise that was going through an Enterprise Architecture process.  In the Study Guide I had some trouble really understanding what some parts would look like in practice, so this material helped fill in some gaps.

There’s also the TOGAF library which contains a lot of useful information about the TOGAF standard.  However, for this exam that material really isn’t needed.

Taking the Exam

The TOGAF exam was similar to most other Pearson VUE exams.  The registration is done through The Open Group’s site, which redirects you to the Pearson VUE site for scheduling.  I was able to take the test at the same site I’ve used for Cisco and VMware exams, so the test environment was quite familiar.

The test itself is pretty straightforward.  It’s 40 questions, all multiple choice.  The passing score is 55% with each question equally weighted.  That means if you get at least 22 correct you’ll pass.  Since it’s not an adaptive test you are able to go back and review questions prior to completing the exam.

I really didn’t find the exam to be too terribly difficult.  There were a few questions that I had to guess on, but I was confident on about 70% of my answers.  Since the passing score is 55% I didn’t worry too much about the ones I was unsure of, and I ended up passing.

What’s next

It can take up to 6 business days for the score report to become official.  I am planning to start studying for the TOGAF Certified exam, and I hope to sit the exam in 2-3 weeks.

Update: I took the Certified exam afterward, and wrote another post about it.

Cisco ISR Project – vWAAS deployment (14 of ?)

(I just noticed that I forgot to publish this, so anyone reading my posts on IWAN deployment… Sorry this one’s a few years late…)

To get the WAAS deployment done there are a few prerequisites:

  • Virtual Central Manager (vCM) deployed (at HQ)
  • vWAAS appliance deployed (at HQ)
  • vWAAS appliance deployed (at branch)
  • WAN connectivity between branch and HQ

A couple things to be aware of right off the bat:

  • Default username is: admin
  • Default password is: default
  • Telnet is enabled by default, and SSH is disabled.
    • To enable SSH run these commands from a config prompt (make sure hostname and domain are set before running)
      • ssh-key-generate
      • sshd enable
    • Telnet can be disabled, however, it seems the management software 
  • When logging into the web interface if there is a prompt to select an SSL certificate, click Cancel.  That should bring up the login page.

After the OVA has been deployed you should be able to log into the appliance, and it should automatically start the device configuration.  If not, simply enter the ‘setup’ command.

The setup between the vCM and vWAAS is pretty similar, so I’m just going to go over the vWAAS as there are more of those.  However, the vCM does need to be configured before the vWAAS, as the vWAAS needs to connect to the vCM.

WAAS setup

The setup is text-based, and pretty straightforward.  One thing to be aware of is that if the CMS service fails to start (I set up the vWAAS without the correct vNIC settings) you can run the command ‘cms enable’ from a config prompt.  That should force the vCM to start, or force a vWAAS appliance to register with the vCM.

After completing the setup a window will pop up with a list of commands to configure WCCP on the router.

WCCP template

To make things easier, here’s a text version of the commands:

ip wccp version 2
ip wccp 61 (optional: redirect-list waas-wccp-redirect-list)
ip wccp vrf IWAN-PRIMARY/SECONDARY 62 (optional: redirect-list waas-wccp-redirect-list)
interface (Router LAN interface(s))
     ip wccp 61 redirect in
interface (Router WAN interface(s))
     ip wccp vrf IWAN-PRIMARY/SECONDARY 62 redirect in
interface (Router NM-WAE interface)
     ip wccp redirect exclude in
(optional:
  ip access-list extended waas-wccp-redirect-list
       acl1
       acl2
       ….
       aclN
)

One thing this default config doesn’t cover is that the ISR uses VRFs for the WAN interface(s).  For the WAN interface enter the correct VRF, and then the commands should work.
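As an added example (not from the post, and not a Cisco tool), here is a small Python checker that parses a rendered ISR config and verifies it against the WCCP template above, including the VRF caveat: the redirect on the WAN interface must name the VRF that interface actually sits in, and every redirect-list referenced must exist.  The sample config is constructed; the interface names and the ACL entry are made up, while the service groups, the VRF name IWAN-PRIMARY and the redirect-list name are the template's.

```python
from __future__ import annotations
import re

# Constructed sample: the post's WCCP template filled in for one branch ISR.
# Interface names and the ACL entry are made up; service groups 61/62, the
# VRF name IWAN-PRIMARY and the redirect-list name come from the template.
SAMPLE_CONFIG = """\
ip wccp version 2
ip wccp 61 redirect-list waas-wccp-redirect-list
ip wccp vrf IWAN-PRIMARY 62 redirect-list waas-wccp-redirect-list
interface GigabitEthernet0/0/0
 ip wccp 61 redirect in
!
interface Tunnel100
 vrf forwarding IWAN-PRIMARY
 ip wccp vrf IWAN-PRIMARY 62 redirect in
!
interface GigabitEthernet0/0/2
 ip wccp redirect exclude in
ip access-list extended waas-wccp-redirect-list
 permit tcp any any
"""


def parse_ios(config: str) -> tuple[list[str], dict[str, list[str]], set[str]]:
    """Split a config into global lines, per-interface sub-lines and ACL names."""
    global_lines: list[str] = []
    interfaces: dict[str, list[str]] = {}
    acls: set[str] = set()
    current = None                        # interface block being read, if any
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith(" "):          # indented sub-line of the current block
            if current is not None:
                interfaces[current].append(line.strip())
        elif m := re.match(r"interface (\S+)", line):
            current = m.group(1)
            interfaces[current] = []
        else:
            current = None                # any other top-level line ends the block
            if m := re.match(r"ip access-list (?:extended|standard) (\S+)", line):
                acls.add(m.group(1))
            elif line and not line.startswith("!"):
                global_lines.append(line)
    return global_lines, interfaces, acls


def check_wccp(config: str) -> list[str]:
    """Return findings against the post's template; an empty list means it holds."""
    findings: list[str] = []
    glob, ifaces, acls = parse_ios(config)
    if "ip wccp version 2" not in glob:
        findings.append("global: 'ip wccp version 2' missing")
    groups = set()                        # (vrf or None, group) enabled globally
    for line in glob:
        if m := re.match(r"ip wccp (?:vrf (\S+) )?(\d+)(?: redirect-list (\S+))?", line):
            groups.add((m.group(1), int(m.group(2))))
            if m.group(3) and m.group(3) not in acls:
                findings.append(f"global: redirect-list '{m.group(3)}' is not defined")
    lan = wan = exclude = False
    for name, lines in ifaces.items():
        # The post's caveat: the redirect must name the VRF the WAN interface is in.
        if_vrf = next((m.group(1) for sub in lines
                       if (m := re.match(r"(?:ip )?vrf forwarding (\S+)", sub))), None)
        for sub in lines:
            if sub == "ip wccp 61 redirect in":
                lan = True
            elif sub == "ip wccp redirect exclude in":
                exclude = True
            elif m := re.match(r"ip wccp vrf (\S+) 62 redirect in", sub):
                wan = True
                if m.group(1) != if_vrf:
                    findings.append(f"{name}: redirect names vrf {m.group(1)} but the "
                                    f"interface is in {'vrf ' + if_vrf if if_vrf else 'the global table'}")
                if (m.group(1), 62) not in groups:
                    findings.append(f"{name}: no global 'ip wccp vrf {m.group(1)} 62'")
    for ok, what in ((lan, "'ip wccp 61 redirect in' (LAN side)"),
                     (wan, "'ip wccp vrf <vrf> 62 redirect in' (WAN side)"),
                     (exclude, "'ip wccp redirect exclude in' (WAE side)")):
        if not ok:
            findings.append(f"no interface with {what}")
    return findings
```

Run `check_wccp()` over a `show running-config` capture; a non-empty list points at the line of the template that was missed.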

Links:

WAAS: http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v611/configuration/guide/cnfg/traffic.html

Prime: http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-0/user/guide/pi_ug/WAAS.html

CISSP Certification

I recently received a provisional passing score on the (ISC)² CISSP exam, and I thought I’d share what I learned.

About the exam

First off, the CISSP is a certification centered around IT security, and it touches on both the management and engineering aspects of IT security.  You can read more about what the CISSP entails here: https://www.isc2.org/Certifications/CISSP

One of the requirements of the CISSP certification is that you have at least five years of experience in at least two of the eight domains.

  • Security and Risk Management
  • Asset Security
  • Security Architecture and Engineering
  • Communication and Network Security
  • Identity and Access Management
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

You can also get a 1-year waiver if you have a 4-year degree, or an approved certification.

When I decided to go for the CISSP I already had 15 years experience, though most of it was on the network engineering side of things.  Due to the breadth of material covered in the exam I easily spent more time preparing for this test than any other certification test I’ve taken.

How I prepared

As I mentioned, I’ve had 15 years experience, so I’m familiar with most network security concepts from an engineering standpoint.  However, this exam goes into a lot more than just the technical side of cyber security.  A lot of the legal frameworks were new to me, as well as the software development side.

I started off by reading the CISSP Exam Cram (4th Edition).  That book is based on a previous CISSP exam, but the content is still relevant to the 2018 version of the test.  I read this cover-to-cover, making a number of highlights along the way.  I then went back through and went over those highlights again to really solidify what I read.

I also had the Sybex Official Study Guide and Practice Tests.  This book is much bigger, and I thought it went into more detail than the Exam Cram.  I mainly used the book as a reference for areas I found I was weak in after taking the practice tests, or for concepts I wasn’t confident in after finishing the Exam Cram.

To break up the monotony of reading I also watched the CISSP video series through Pluralsight.  I found the videos informative, but after having done so much reading it was a bit difficult to stay focused when reviewing content I was already familiar with.  I actually think the video series provides a great foundational level, and I would have been better off if I’d started with it before I did the reading. 

Lastly, I also read the Eleventh Hour CISSP Study Guide. I got the Kindle version, and I read through it a couple times in the days before the test.  This is a really condensed version of the material, but I thought it was a great refresher. 

Personally, I’m a big fan of practice tests.  I find that they often help highlight where my weaknesses are, so I can focus my studies more in those areas.  For the CISSP exam I must have done over 800 practice questions.  The exam covers a wide range of material, so I wanted to make sure I didn’t have any gaps.

The exam itself

Having taken exams for PearsonVue and Prometric in the past, this exam really wasn’t much different.  The testing center did palm scans, and they were a lot more controlled than at other exams, but nothing too significant.

Not that this is unusual for certification exams, but the CISSP exam seems to take pleasure in using some tricky questions.  Without getting into NDA space I’ll just use a very loose example:

Q: Which of these BEST describes what is needed for a sandwich

A: Peanut Butter

B: Mayo

C: Bread

D: Meat

Well, a sandwich could be made with all of them (at the same time if you’re brave enough).  The correct answer is C because a sandwich is (at least by definition) made with bread.

In the US the exam is adaptive, meaning there’s no Back button, so when you submit an answer you’d better be happy with what you selected.  Read twice, click once.  It also doesn’t tell you how many questions there are.  It just stops abruptly somewhere between 100 and 150 questions.  The screen doesn’t display a result either.  You don’t find out if you passed or not until you get the score report.  The score report should indicate if you passed or failed, and if you failed it should list the domains you were weak in.  There are also situations where a score isn’t immediately available.

After the exam

If you passed the exam you should get an email confirmation a couple days later with information on submitting an endorsement application.  The process is pretty straightforward, but it can take upwards of eight weeks for everything to be approved before the certification is official.

Right now I’m still waiting for the official approval, so any additional details will come along when that’s complete.

VMware Horizon View – Service not binding to 443 after SSL certificate renewal

Here’s a quick and easy one.  Since this has burned me twice (and caused more hours of troubleshooting than I care to admit) I’m going to put it here in hopes that I remember it next time.

The short version: When importing the certificate make sure to check the box to make the SSL certificate exportable.
