vmware: useful powercli commands

List all LUNs that are not set to Round Robin:
Get-VMHost | Get-ScsiLun -LunType disk | Where {$_.MultipathPolicy -notlike "RoundRobin"}

Set all LUNs that are not set to Round Robin to Round Robin:
Get-VMHost | Get-ScsiLun -LunType disk | Where {$_.MultipathPolicy -notlike "RoundRobin"} | Set-Scsilun -MultiPathPolicy RoundRobin

List all VMs in a cluster:
Get-Cluster "Cluster Name" | Get-VM | Sort Name

List all services running on a host:
Get-VMHost "hostname" | Get-VMHostService | Select Key,Label

List servers with SSH server status:
Get-vmhost | Get-VMHostService | ? {($_.Key -eq "TSM-ssh")} | Select VMHost, Key,Label, Running

List servers with ESXi shell status:
Get-vmhost | Get-VMHostService | ? {($_.Key -eq "TSM")} | Select VMHost, Key,Label, Running

List servers with SSH server status in specific cluster:
Get-Cluster -Name "Non-Production-Pod-01" | get-vmhost | Get-VMHostService | ? {$_.Key -eq "TSM-ssh"} | Select VMHost, Key,Label, Running

Start ESX Shell on all hosts in vCenter:
Get-VMHost | Foreach {
Start-VMHostService -HostService ($_ | Get-VMHostService | Where { $_.Key -eq "TSM"} | Set-VMHostService -policy "on" -Confirm:$false)
}

Start ssh on all hosts in vCenter:
Get-VMHost | Foreach {
Start-VMHostService -HostService ($_ | Get-VMHostService | Where { $_.Key -eq "TSM-SSH"} | Set-VMHostService -policy "on" -Confirm:$false)
}

Suppress ssh alert on all hosts in vCenter:
Get-VMHost | Get-AdvancedSetting -Name UserVars.SuppressShellWarning | Set-AdvancedSetting -Value 1
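
To see which hosts are left with SSH or the ESXi Shell reachable after the commands above, the per-service output can be folded into one row per host. This is an added example, not from the original post: Get-ShellExposure and the example.test host names are hypothetical, and the sample rows are constructed so the function runs without a vCenter connection.

```powershell
function Get-ShellExposure {
    param(
        # Objects with VMHost, Key, Running and Policy properties,
        # the shape Get-VMHostService returns.
        [Parameter(Mandatory, ValueFromPipeline)] [object[]]$Service
    )
    begin { $rows = @() }
    process {
        # Keep only the ESXi Shell (TSM) and SSH (TSM-SSH) services; -in ignores case.
        foreach ($s in $Service) { if ($s.Key -in 'TSM', 'TSM-SSH') { $rows += $s } }
    }
    end {
        # One summary row per host.
        $rows | Group-Object { [string]$_.VMHost } | ForEach-Object {
            $ssh         = $_.Group | Where-Object Key -eq 'TSM-SSH'
            $shell       = $_.Group | Where-Object Key -eq 'TSM'
            $sshPolicy   = [string]$ssh.Policy
            $shellPolicy = [string]$shell.Policy
            [pscustomobject]@{
                VMHost       = $_.Name
                SshRunning   = [bool]$ssh.Running
                SshPolicy    = $sshPolicy
                ShellRunning = [bool]$shell.Running
                ShellPolicy  = $shellPolicy
                # Exposed: running now, or policy "on" (starts again with the host).
                Exposed      = [bool]($ssh.Running -or $shell.Running -or
                                      $sshPolicy -eq 'on' -or $shellPolicy -eq 'on')
            }
        }
    }
}

# Constructed sample input (not real hosts), shaped like Get-VMHostService output.
$sample = @(
    [pscustomobject]@{ VMHost = 'esx01.example.test'; Key = 'TSM';     Running = $false; Policy = 'off' }
    [pscustomobject]@{ VMHost = 'esx01.example.test'; Key = 'TSM-SSH'; Running = $true;  Policy = 'on'  }
    [pscustomobject]@{ VMHost = 'esx01.example.test'; Key = 'ntpd';    Running = $true;  Policy = 'on'  }
    [pscustomobject]@{ VMHost = 'esx02.example.test'; Key = 'TSM';     Running = $false; Policy = 'off' }
    [pscustomobject]@{ VMHost = 'esx02.example.test'; Key = 'TSM-SSH'; Running = $false; Policy = 'off' }
)
$sample | Get-ShellExposure | Where-Object Exposed | Format-Table -AutoSize

# Against a live vCenter session:
#   Get-VMHost | Get-VMHostService | Get-ShellExposure | Where-Object Exposed
```

With the sample rows only esx01.example.test is listed, because its SSH service is running and its policy is "on".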

Create VM from a template ($resourcepool is a host or resource pool):
New-VM -RunAsync -Name $servername -Datastore $datastore -Template $template -OSCustomizationSpec $spec -ResourcePool $resourcepool -Location $folder

misc: how to set different certificate validity period for root and subordinate certification authority (CA)

Here is the little issue that took me a good while to understand and figure out as I thought this is set during initial install through console or by .inf file as MS recommended. Nope, didn’t work that way.

My setup consists of one standalone root CA with 30 year validity which will be turned off and stored in a safe place for many many years, and two subordinate enterprise CAs in two sites which will perform all cert related tasks with 15 year certificate validity… simple enough. All three are 2012 R2 servers.

Adding the role and promoting the servers is as easy as you would expect. The trick is to get the right validity on the subordinates. Regardless of what validity term is set on the root CA, it will issue a 1-year certificate to subordinates by default. To change that, use the following commands on the root CA to change the default registry values:

certutil -setreg ca\ValidityPeriod "Years"
certutil -setreg ca\ValidityPeriodUnits "15"

Make sure to restart the certificate server service right away. To check the registry value for “Years”, use:

certutil -getreg ca\val*

If you get a “revocation server was offline” error, you can override it with this command:

certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

Then reboot and ignore the error – service will start.

To roll back and enable revocation server check:

certutil -setreg ca\CRLFlags -CRLF_REVCHECK_IGNORE_OFFLINE