How I took the “IWANT CLOUDGENIX CHALLENGE” …and won?

I was in Charlotte, NC, hanging out in the lobby at a customer I was visiting, trying not to distract too many of the folks also wearing visitor badges with some sort of random epiphany, when my iPhone rang. Glancing at the display, it wasn’t a contact or number I recognized, so I answered it, anxious to learn that I had won yet another free cruise or some sort of mortgage relief signed into law last week by President Obama himself.

“Hi, this is Matt,” automatically readying myself to go through the steps required to blacklist the number within iOS.

“Hi Matt, this is Ray from CloudGenix,” the friendly voice stated. “I wanted to know when you’d have an opportunity to schedule the CloudGenix challenge.”

Then I remembered. A couple of weeks prior, their founder had connected with me on LinkedIn, and I thought he had a cool concept. I had in fact signed up for the promotion, where you could get some free stuff just by listening to their pitch and comparing their SD-WAN solution to Cisco’s.

“Hey, thanks for calling. I’d love to, but… you know I work for Cisco, right?”

“That’s not a problem, send me over some dates.”

I’m sure there were some additional pleasantries exchanged, and specifics about the promotion, but I was getting ready to walk into a conference room, and didn’t think about this again until I got another friendly reminder via email a few weeks later. Some dates were suggested, and we finally agreed on a day in mid-September, when they would be up in my neck of the woods.

(Fast-forward a few months. As is typically the case, summer was over in the blink of an eye.)

So it was going to be a busy day, but I was still curious about what was to come from the challenge. I began to ruminate if there was going to be a way to actually win (lose?) the challenge, and how I could go about beating this thing. Delusions of a Kobayashi Maru exercise permeated my thoughts, and I was actually getting excited to go through with it. What if I was able to get the Cisco WAN gear up quicker and show them which was a better choice? What would they say about that? Had anyone even done that? And then a really strange thing happened:

They didn’t show up.

 

screen-shot-2016-12-01-at-11-45-14-pm

 

I got a cancellation notice in my Outlook inbox. No explanation was attached, no follow-up, no offer to reschedule. I can only assume that they were not interested in someone who has a pretty good understanding of WAN architecture touching their gear. I wondered if they just had a company viewing of WarGames, and actually considered that “the only winning move is not to play.”

I guess I have a few things in common with these people. We’re obsessed with all things Cisco. Many of them used to work for Cisco. We like being in New England in the summer. Did I mention that they are obsessed with Cisco?

Now, I’ve always said that there comes a point in time when you have to sell your product on its own merits. In this case, the whole thing feels like going on a date where the other person talks about their ex- the entire time. I also happen to think that spending more on marketing than you do on R&D performs a tremendous disservice to the industry. (I’m talking to you too Nutanix.)

Since then, I’ve seen all sorts of gimmicks like their rebranded version of the Pepsi Challenge on social media. (If imitation is the sincerest form of flattery, these guys LOVE Pepsi.) They were very vocal about the release of a Cisco Press iWAN book, claiming that it was tantamount to an installation manual. On the contrary, it’s a deep dive on WAN architecture and an everything-you-wanted-to-know-about-SD-WAN-but-were-afraid-to-ask compendium packed with great content.

As I’ve alluded, I spend most of my time focused on application and data center solutions, and I think it’s a great deal of fun, perhaps even exciting. I don’t expect everyone to feel that way (just ask my wife) but if I can help solve some problems along the way and convey my belief that I’m promoting the correct solutions, I like to think I bring some relevance to the table. But I can assure you, I have never sold a product/solution/architecture, unintentionally or otherwise, based on the fact that it was exciting.

So keep that in mind if you get the privilege to actually take the CloudGenix Challenge. If you decide to take the leap, I sincerely hope that your WAN adventures exceed your wildest dreams.

Oh, and bring along a six-pack of Coke. I’d be interested to know if they get it.

Fighting with Windows 2012 R2 Directory Services, NETBIOS naming, vCenter 6.0 SSO on VCSA

I’ve been playing with my new toy that is vCenter 6 for a while now, and decided it was time to actually implement single sign-on, linked to my Windows 2012 R2 Active Directory testbed.  Given my propensity to come across “weird things,” what followed certainly didn’t surprise me.

(So… this is all easy, right…?)

Screen Shot 2015-03-30 at 5.11.09 PM

 

 

This should all be fairly commonplace although it’s a little different with vCenter 6; you are able to change and register services from within the web UI, rather than the old-style [https://vcenter:5480] appliance configuration.

Here’s what happened when I tried to add vCenter to AD:

Screen Shot 2015-03-30 at 5.12.16 PMScreen Shot 2015-03-30 at 5.12.29 PM

 

 

ldm client exception: Error trying to join AD, error code [42500], user [administrator], domain [ad.fenway.matthewjwhite.com], orgUnit [cn=Computers,dc=ad, dc=fenway, dc=matthewjwhite, dc=local]

 

I suspected that like most Linux/AD integrations, VMware was using likewise-open for this function.

No problem.  When in doubt, drop to the CLI:

Screen Shot 2015-03-31 at 8.55.58 AM

The response is a big, fat, resounding “Error: Lsass Error

The OU format is invalid.”

 

I suspect that maybe DNS is wrong, as you need both A and PTR records to resolve your vCenter from AD.
Let’s take a look:

Screen Shot 2015-03-31 at 9.02.16 AMHOSTS file looks fine.

Screen Shot 2015-03-31 at 9.02.32 AM

There’s the pointer.

Screen Shot 2015-03-31 at 9.02.59 AM …and the domain controller resolving the DNS records.

Screen Shot 2015-03-31 at 9.03.47 AMLo and behold, it even created the CN object for VCENTER!

(Several reboots later, no changes.)

Well, who needs enemies when google is your friend, so I eventually come across this:

http://www.vdsyn.com/unable-add-virtual-center-server-appliance-5-5-windows-2012-r2-ad/

So let’s ask our good friend RENDOM to take a look, and just maybe we may be on our way to solving this.  You can read more about RENDOM here.

[DISCLAIMER: Performing this in production, especially with ancillary Microsoft services running (Exchange, SQL, etc..) apparently has the potential to break things, cause issues, take away your birthday, and so on, so don’t blame me for those 800 missing Facebook posts.]

On the Windows 2012 R2 domain controller, we’re going to list the DS object naming conventions with “rendom /list” and opening the Domainlist.xml file that it creates:

Screen Shot 2015-03-31 at 9.05.10 AMSure enough, the NETBIOS naming convention is in fact, all lowercase.  That REALLY can’t be it, can it?

Screen Shot 2015-03-31 at 9.06.19 AM

We make it UPPERCASE

Screen Shot 2015-03-31 at 9.08.14 AM Verifying that the file is updated, we run “rendom /upload” and “rendom /prepare”
It seems to like that.

Screen Shot 2015-03-31 at 9.08.35 AM Finally, “rendom /execute” is run to commit the changes to the DS.

Screen Shot 2015-03-31 at 9.08.49 AMAs an added bonus, the domain controller restarts without warning.  (Told you not to do this in production.)

Screen Shot 2015-03-31 at 9.18.01 AMAfter logging in after the restart, we run “rendom /clean” to keep things tidy, and create the xml files again to verify.  Like my grandmother’s emails, FENWAY is in ALL CAPS.

We are successfully able join the domain from the vCenter CLI, and Skynet is one step closer to ruling the world.

Screen Shot 2015-03-31 at 9.20.00 AM

(It works!)

Screen Shot 2015-03-31 at 9.22.18 AM REBOOT!

Screen Shot 2015-03-31 at 9.32.54 AM Screen Shot 2015-03-31 at 9.39.30 AM Screen Shot 2015-03-31 at 10.02.58 AM

Reboot the vCenter appliance to see the AD context in the WebGui and/or run domainjoin-cli query to prove that we’ve gotten this to work.  You can now happily add AD as an identity and the promise of SSO is alive and well.

So why didn’t this work to begin with?  After a few convenient snapshot restores to pre-dcpromo status, I remember that I did change the NETBIOS name for ad.fenway.matthewjwhite.com from “AD” to “fenway” when I should have made it “FENWAY”.  However, Windows should have automatically changed it to uppercase, as lowercase naming for NETBIOS has been disallowed since Server 2008.

We’ll claim comparative negligence for both likewise-open and Windows 2012 R2 AD services on this one, as I really should have just kept my CAPS LOCK ON.

Hope this helps someone, it was a frustrating hour or two.