vCenter Upgrade Error 28035. Setup failed to copy LDIFDE.EXE from System folder to ‘%windir%\ADAM’ folder

During the upgrade of vCenter I faced the exact error that is documented in KB#2013675. The error was as follows:

————

Error 28035. Setup failed to copy LDIFDE.EXE from System folder to ‘%windir%\ADAM’ folder

———–

Below is an actual screenshot of the error:

vCenter upgrade error 28035 setup failed to copy LDIFDE

Further, in the vminst.log file, we found the following error:

———-

  • Unable to copy c:/Windows/ADAM/LDIFDE.EXE to C:/Windows/ADAM/LDIFDE.EXE

———

If you have read KB#2013675, then you will notice the above errors are an exact match of the errors documented in that KB. So why am I creating this post if a KB that includes the solution is already out there? Because that solution alone, which is shown below, did not resolve my issue:

——- KB#2013675  Solution Start —-

To resolve this issue, manually install the Active Directory Lightweight Services Role for the server.
To manually install the Active Directory Lightweight Services Role for the server:
  1. Open the Server Manager for the server and click Add Role.
  2. Select the Active Directory Lightweight Directory Services option.
You should be able to install vCenter Server after the Role tasks complete.

——- KB#2013675  Solution End —-

If the above solution does not work for you, as was the case in our situation, then try the solution below after you apply the solution documented in the KB.…

vCenter 5.5 Upgrade fails when installing Microsoft Visual C++ Redistributable Package prerequisite with the error: Error Code 3010

While at a customer site and trying to upgrade their vCenter 5.0 to 5.5, every time we tried to run the installer it ran for a bit and then gave us the following error:

vCenter SSO Error 1722

Then the following errors appeared in a log file that was opened automatically in Notepad.

—————–  Error start —————–

Action 12:39:49: VM_InstallVCREDIST_x64. Configuring Microsoft Visual C++ Redistributable Package (x64)…
Action start 12:39:49: VM_InstallVCREDIST_x64.
CustomAction VM_InstallVCREDIST_x64 returned actual error code 3010 (note this may not be 100% accurate if translation happened inside sandbox

MSI (c) (5C:E4) [12:40:32:470]: Note: 1: 1722 2: VM_InstallVCREDIST_x64 3: F:\ 4: D:\Single Sign-On\prerequisites\vcredist_x64.exe /s /v/qn
Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action VM_InstallVCREDIST_x64, location: F:\, command: D:\Single Sign-On\prerequisites\vcredist_x64.exe /s /v/qn

MSI (c) (5C:E4) [12:42:05:103]: Product: vCenter Single Sign-On — Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action VM_InstallVCREDIST_x64, location: F:\, command: D:\Single Sign-On\prerequisites\vcredist_x64.exe /s /v/qn

Action ended 12:42:05: VM_InstallVCREDIST_x64. Return value 3.
MSI (c) (5C:E4) [12:42:05:103]: Doing action: FatalError
Action 12:42:05: FatalError.

vCenter Server Appliance 5.5 SSO Issues

While rebuilding my home lab to use the latest version of vCloud Automation Center, I decided to rebuild it from scratch with the latest vCenter Server Appliance and ESXi. After deploying the vCenter Appliance 5.5c and going through the configuration, I wanted to join the appliance to my domain and allow users from my domain to authenticate. While I was able to join the appliance to my domain and that seemed to work just fine, as in the screenshot below, I was having a problem configuring SSO for native Active Directory. I kept getting the following error: “‘alias’ value should not be empty”

Alias Value should not be empty

The solution for this particular problem was easy; actually, it was more of an “oops”: I had forgotten to restart the vCenter Appliance after joining the appliance to my domain. It actually tells you to do so, as in the screenshot below:

You actually need to restart the appliance after configuring AD

I wanted to document this, as I am positive there will be cases where others miss this as well and try to fight this error, and I thought I would save them time. This is especially true given that I have seen other posts on forums and blogs that claim rebooting after this step is not required, although the documentation states so.…

How to fix: vCAC 6 AD Login is very slow

While working at a customer site with a pretty decent-sized Active Directory where they had implemented an empty root structure, vCAC login through Single Sign On when using Active Directory accounts was pretty slow. It took up to 10-15 minutes at a time per login attempt.

The customer had a multitiered domain in a single forest. The top domain/root domain, or if you want to call it the level 1 domain, was empty, while all the users, including the vCAC users, came from the level 2 domain. What was happening is that when a user of the level 2 domain tried to log in, he faced one of the two problems below:

1- If the user did not have any group membership outside the level 2 domain, they were allowed to log in, but it took quite a bit for the login attempt to complete (10-15 minutes).

2- If the user had any group membership or any tie outside the level 2 domain, after the logon attempt the progress bar on the logon page would stop and nothing would happen.

At first, I thought I might be short on resources on my SSO server, so I boosted them up. While it sped things up a bit, it was not too noticeable an improvement, and I knew there was a bit more work to do.…

vCenter Single Sign On 5.5 What's New

vCenter Single Sign On has a considerable number of changes in vSphere 5.5, with a few major ones. Many of these changes have gone undetected or unnoticed by Virtual Infrastructure admins. If you have deployed vSphere 5.5 and missed these changes, or are planning to install vCenter SSO 5.5 and want to learn what has changed from the vSphere 5.1 days, then this post is for you:

Below is the list of the major changes introduced in vCenter Single Sign On:

vCenter SSO Architecture Improvements:

1- Multi master: Unlike 5.1, vCenter SSO 5.5 has a built-in automatic multi-master replication architecture that ensures that all SSO instances are always kept in sync. While this sounds great, most admins are not sure what it means or how it affects the way they design SSO. To understand the value of this change, you must understand how SSO worked in 5.1 and how that changed in 5.5.

In 5.1, if you wanted to enable SSO for multiple vCenters in your environment, you needed to point all of them to the same SSO instance, which made all of those vCenters dependent on that single SSO instance. This made that single SSO instance crucial for the operation of all of your vCenters: if that SSO instance goes down, you will not be able to access any of your vCenters.…

Assign Domain Users vCenter Single Sign Administrator Privileges

If you have upgraded your Virtual Infrastructure to vSphere 5.1 or 5.5, you are already aware of the addition of Single Sign On. When installing Single Sign On, a default user, Admin@System-Domain, is created for you with the password that you assigned to it during the vCenter Single Sign On installation. The Admin@System-Domain user is initially the only user that has access to manage the Single Sign On portion of your vSphere environment.

As a good practice, and to be able to track who is responsible for a particular change in your SSO, you might want to assign your vSphere administration team's domain accounts administrator privileges on your vCenter Single Sign On. While it is an easy task to do, the way it must be done seems to confuse many admins who are new to vCenter SSO. Below are the instructions for doing so:

  1. Browse to your vSphere Web Client Portal (https://<Your vCenter Machine>:9443). (Note: SSO can only be managed using the Web Client)
  2. Browse to Administration > Access > SSO Users and Groups in the vSphere Web Client.
  3. Click on the Groups Tab
  4. Click on the desired Group (_Administrators_)
  5. Click Add Principals (The icon of a person with a plus sign next to it highlighted in the above screenshot)
  6. Select the identity source that contains the principal to add to the group (Probably your Domain)
  7. Search for the desired user
  8. Select the desired user and click Add
  9. Repeat steps 6-8 to add the rest of the desired users.

How to replace vCenter 5.1, SSO, Web Client, vCO Certificates

With the release of vSphere 5.1, certificates started to play a much more vital role: having invalid certificates in your environment is not an option anymore, as it could break the operation of your environment as well as prevent you from logging in. This change was made to increase the security of your Virtual Infrastructure management components (vCenter Service, Inventory Services, SSO, Web Client, vCO, Update Manager, and vCenter Log Browser) and to combat the possibility of man-in-the-middle attacks. This change has brought a lot of challenges to many VMware customers who had invalid and expired certificates in their environment without even noticing it. The tedious process of replacing any of these certificates has not been pleasant work for many. The good news is that VMware has just released vCenter Certificate Automation Tool 1.0 to streamline the process and relieve much of that pain.

VMware has just announced the general availability of vCenter Certificate Automation Tool 1.0. This tool provides an automated mechanism to replace certificates in the following components of the vCenter management platform:

  • vCenter Server
  • vCenter Single Sign On
  • vCenter Inventory Service
  • vSphere Web Client
  • vCenter Log Browser
  • vCenter Orchestrator (VCO)
  • vSphere Update Manager (VUM)

The tool can be downloaded for free from: https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_1#drivers_tools

vCenter Single Sign On 5.1 best practices

Since vCenter Single Sign On was introduced in vSphere 5.1, many questions have been arising around it. There seems to be a very limited amount of resources out there that document best practices related to vCenter Single Sign On, which is the reason for me to develop this post, where I will try to combine as many best practices and answers related to vCenter 5.1 Single Sign On as possible.

I have been one of the lucky consultants who have already got to design/implement vSphere 5.1 for quite a few enterprise customers, where I got to debate and drive the best practices that I used across those implementations. I am sharing them here so that others can benefit from them, as well as to allow room for others to debate them and contribute their feedback.

Where to install vCenter Single Sign On (Physical vs Virtual)?

Just as the recommendation has always been for vCenter, using virtual machine(s) is the best practice to save on cost and benefit from the availability features built into vSphere; that is no different in vSphere 5.1. You can host all vCenter 5.1 components, including SSO, on a virtual or physical machine, where a virtual machine is the recommended practice for the same reason mentioned earlier.…

vCenter 5.1 Installation(Part 2) – Single Sign On Installation

During the installation of vCenter 5.1, you will need to install 3 components in the following order: Single Sign On => Inventory Service => vCenter Service. In a new installation I would normally install the Web Service after installing the vCenter Service, though during an upgrade I would install the web service right after the Single Sign On service to be able to use it just in case I wanted to check on my Single Sign On configuration or troubleshoot. As this guide assumes a new installation, we will leave the Web Client Service to the end. In this post, I will demonstrate the installation of the Single Sign On Service.

Preparing Databases for vCenter Components

Three vCenter components require a database: Single Sign On, vCenter Service, and Update Manager. Each of those components requires its own database, and the creation of those databases has been documented in the first post in this series, found at: vCenter 5.1 Installation(Part 1) – Preparing the Databases.

Alright, now that you have your databases ready, let’s start the process of installing the vCenter components. The first component to install, as mentioned earlier, is the Single Sign On Service, which is documented in a step-by-step fashion below.…

vCenter 5.1 Installation(Part 1) – Preparing the Databases

After the introduction of vSphere 5.1, there seemed to be a lot of fuss about the installation of the new vCenter components. I believe most of the hype was caused by how the initial vSphere 5.1 release behaved differently toward expired certificates from how vSphere versions prior to 5.1 behaved. In earlier releases, vCenter only checked the expiry date of the certificate used during the initial install and fell back to a backup mechanism if the certificate failed, though the service would still come up and the user would use vCenter as if nothing had happened. To increase the security of vCenter and prevent man-in-the-middle attacks, this behavior was changed in vCenter 5.1. vCenter 5.1 checks the validity of its certificates every time the service is started, and it reports an error if it does not find a valid certificate. As many customers had expired vCenter certificates and did not know about it before upgrading to vSphere 5.1, they were caught off guard by this small behavior change. VMware quickly released a workaround for it, and a new patch was released to improve how vCenter responds to this situation.

The installation of vCenter 5.1…