Configuring VMware vSphere 6.0 VMware Certificate Authority as a subordinate Certificate Authority:

  1. Launch the vSphere 6.0 Certificate Manager using:
    Windows Platform Service Controller:
    C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
  2. Select Option 2 (Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates)
  3. vmca
  4. Provide the administrator@vsphere.local password when prompted.
  5. Provide appropriate details
  6. Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate)
  7. Your new CSR is in the folder you specified titled “vmca_signing_cert.csr” with its corresponding key file.
    1. Log in to the Windows Certificate Authority at https://<CA Name>/certsrv and sign the certificate with the certificate template
      1. Creating a new template for vSphere 6.0 to use for VMCA as a Subordinate CA
      2. Connecting to the CA server
      3. Click Start > Run, type certtmpl.msc, and click OK.
      4. In the Certificate Template Console, under Template Display Name, right-click Subordinate Certificate Authority and click Duplicate Template.
      5. In the Duplicate Template window, select Windows Server 2003 Enterprise for backward compatibility.
      6. If you have an encryption level higher than SHA1, select Windows Server 2008 Enterprise.
      7. Click the General tab.
      8. In the Template display name field, enter the name of the new template.
      9. Ensure Publish certificate in Active Directory is selected.
      10. Click the Extensions tab.
      11. Select Key Usage and click Edit.
      12. Ensure that Digital Signature, Certificate signing and CRL signing are enabled.
      13. Ensure that Make this extension critical is enabled.
      14. Click OK.
      15. Click OK to save the template.
      16. Proceed to Adding a new template to certificate templates section in the article to make the newly created certificate template available.
      17. Adding a new template to certificate templates
      18. Connecting to the CA server
      19. Click Start > Run, type certsrv.msc, and click OK.
      20. In the left pane of the Certificate Console, if collapsed, expand the node by clicking the + icon.
      21. Right-click Certificate Templates and click New > Certificate Template to Issue.
      22. Locate vSphere 6.0 or vSphere 6.0 VMCA under the Name column.
      23. Click OK.
  1. Select Base64 Encoded and download the chain.
  2. Open the .p7b certificate and export both certificates as Base64.
  3. Create a chain file called root_signing_chain.cer by running the following command to concatenate the new leaf (vmca) certificate and the root certificate.
  4. copy root_signing_cert.cer + root64.cer root_signing_chain.cer
  5. Return to the vSphere 6.0 Certificate Manager and select Option 1 (Continue to importing Custom certificate(s) and key(s) for VMCA Root Signing certificate).
  6. Provide the full path to the root_signing_chain.cer and vmca_signing_cert.key.
  7. Once the import is done, log in to the Platform Service Controller web console at https://<PSC Server>/websso and check the certificates.
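
A check that can be run on root_signing_chain.cer before handing it to Certificate Manager, as an added PowerShell example (not part of the original post or of VMware's tooling). It verifies the leaf-then-root order produced by the copy command and the CA and Key Usage settings the template steps configure; the default path is an assumption.

```powershell
# Added example, not from the original post. $ChainPath is an assumed location.
param([string]$ChainPath = 'C:\certs\root_signing_chain.cer')

function Get-PemCertificate([string]$Path) {
    # Split the Base64 (PEM) file into certificates, preserving file order.
    $pem = '(?s)-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches((Get-Content -Raw -Path $Path), $pem)) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    }
}

function Test-VmcaChain([string]$Path) {
    # Emits one string per problem found; no output means the file passed.
    $certs = @(Get-PemCertificate $Path)
    if ($certs.Count -lt 2) { "expected VMCA + root, found $($certs.Count) certificate(s)"; return }

    # Leaf first, root last: each certificate must be issued by the next one.
    for ($i = 0; $i -lt $certs.Count - 1; $i++) {
        $issuer  = [Convert]::ToBase64String($certs[$i].IssuerName.RawData)
        $subject = [Convert]::ToBase64String($certs[$i + 1].SubjectName.RawData)
        if ($issuer -ne $subject) { "certificate #$i is not issued by certificate #$($i + 1)" }
    }

    $vmca = $certs[0]
    $bc = $vmca.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }   # Basic Constraints
    if (-not $bc -or -not $bc.CertificateAuthority) { 'VMCA certificate is not a CA certificate' }

    $ku = $vmca.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }   # Key Usage
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $need = [int]($flags::DigitalSignature -bor $flags::KeyCertSign -bor $flags::CrlSign)
    if (-not $ku) { 'Key Usage extension is missing' }
    else {
        if (([int]$ku.KeyUsages -band $need) -ne $need) { "Key Usage is only: $($ku.KeyUsages)" }
        if (-not $ku.Critical) { 'Key Usage extension is not marked critical' }
    }
    if ($vmca.NotAfter -lt (Get-Date)) { "VMCA certificate expired on $($vmca.NotAfter)" }
}

$problems = @(Test-VmcaChain $ChainPath)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "$ChainPath passed; continue with the import in Certificate Manager."
```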



Out Of Office is not working for External Users – Exchange 2013

I have seen an issue where Out of Office emails are not working for external users. After checking a few things, I found that auto-reply had been set to false on my Exchange server. To check the auto-reply setting and enable auto-reply, use the commands below.

Get-RemoteDomain Default | fl AllowedOOFType, AutoReplyEnabled, AutoForwardEnabled

If AutoReplyEnabled is false, use the command below to enable it.

Set-RemoteDomain -Identity Default -AutoReplyEnabled $true

When OOF is enabled, all reply emails are sent with Return-Path: <> (empty). When your email gateway/smart host detects this, it may drop the email, so the external sender is not notified that you are out of office.

There is no resolution to this on the Exchange 2013 side of things and you must contact your smart host provider to see if they can disable this “feature”.

To check if you are running a smart host, in the Exchange 2013 EAC browse to mail flow, then select your Send Connector and then edit. You will then see the smart host option.

To work around this issue, I created an automatic reply using a template, which works without any problem. The steps below create an automatic reply in Outlook.

Please follow the steps below:

Step 1: Open Outlook – File – Info – Automatic Replies

Step 2: Select Automatic Replies, select Send automatic replies, and then select Rules at the bottom.


Step 3:  Select Rules and click Add Rules


Step 4:  Select Add Rule and tick the check box Reply with and click Template.


Step 5: Create a template with your out of office message and leave the From and To fields blank.

I found this solution working for me without any further changes on the smart host.



HowTo: troubleshoot and fix VMware ESXi boot stuck at ‘loading ipmi_si_drv’

The first post that urged me to write a new blog, because of several hours of banging my head against the wall, scratching my hair and relentlessly typing on the keyboard with random hits as if I were caught up in some shockwave.

Yes, the clueless VMware ESXi error: when you are running this bare-metal hypervisor, it gets stuck during the loading stage, where it is loading all modules; almost at the end of the process, it gets stuck with the following message:

Loading ipmi_si_drv

After much reading of docs and an agonising go-through of the ESXi manual, I finally figured out the solution.

Here is what you need to do:

Step 1: Restart your machine. It's always good to go for the ‘when-nothing-works-try-this’ solution 🙂

Step 2: Be very quick and sharp about this step, as it needs to be done in a matter of seconds.

The moment you see a black screen with progress bar saying LOADING HYPERVISOR , enter 


VDP Backup Failed with error: cancelled by Administrator


VMware ESXi 5.5 U2 / 6.0 Installation Error : Can’t have partition outside the disk


vCenter Server 5.5 fails to start after reboot

The VMware VirtualCenter Server service is unable to start after a vCenter Server reboot.

In the C:\ProgramData\VMware\VMware VirtualCenter\Logs\vpxd.log file, you see entries similar to:
[04928 info '[SSO][CreateSsoFacade]'] [CreateUserDirectory] STS URI set to: https://vCenter_Server_FQDN:7444/sts/STSService/vsphere.local
[04928 info '[SSO][CreateSsoFacade]'] [CreateUserDirectory] Admin URI set to: https://vCenter_Server_FQDN:7444/sso-adminserver/sdk/vsphere.local
[04928 info '[SSO][CreateSsoFacade]'] [CreateUserDirectory] Groupcheck URI set to: https://vCenter_Server_FQDN:7444/sso-adminserver/sdk/vsphere.local
[02396 error '[SSO][SsoFactory_CreateFacade]']
Unable to create SSO facade: Invalid response code: 404 Not Found.
[02396 error 'vpxdvpxdMain']
[Vpxd::ServerApp::Init] Init failed:
Vpx::Common::Sso::SsoFactory_CreateFacade(sslContext, ssoFacadeConstPtr)
--> Backtrace:
--> backtrace[00] rip 000000018018cd7a
--> backtrace[01] rip 0000000180106c48
--> backtrace[02] rip 000000018010803e

To work around this issue, restart the VMware Secure Token Service:
Log in as an administrator to the server that is running vCenter Server.

  1. Click Start > Run, type services.msc, and click OK. The Services window opens.
  2. Stop these services:

    VMware Secure Token Service
    VMware Identity Management Service
    VMware Certificate Service
    VMware KDC Service
    VMware Directory Service.

  3. Start these services:

    VMware Identity Management Service
    VMware Certificate Service
    VMware KDC Service
    VMware Directory Service
    VMware Secure Token Service
    VMware VirtualCenter Server

Please follow the KB 2061412 for more info.
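
The workaround above as a script, an added PowerShell example (not from the original post or the KB). It restarts the services only when the SSO facade error appears in the recent part of vpxd.log, and follows the stop and start order listed above; the 2000-line tail and the 5-minute timeout are assumptions.

```powershell
# Added example, not from the original post. Run elevated on the vCenter Server.
$log       = 'C:\ProgramData\VMware\VMware VirtualCenter\Logs\vpxd.log'
$signature = 'Unable to create SSO facade'
$timeout   = [TimeSpan]::FromMinutes(5)          # assumed per-service limit

# Display names and order exactly as listed in the workaround.
$stopOrder  = 'VMware Secure Token Service', 'VMware Identity Management Service',
              'VMware Certificate Service', 'VMware KDC Service', 'VMware Directory Service'
$startOrder = 'VMware Identity Management Service', 'VMware Certificate Service',
              'VMware KDC Service', 'VMware Directory Service',
              'VMware Secure Token Service', 'VMware VirtualCenter Server'

function Set-ServiceState([string]$DisplayName, [string]$Target) {
    # Move one service to 'Stopped' or 'Running' and wait until it gets there.
    $svc = Get-Service -DisplayName $DisplayName -ErrorAction Stop
    if ($svc.Status -ne $Target) {
        if ($Target -eq 'Stopped') { Stop-Service -InputObject $svc -ErrorAction Stop }
        else                       { Start-Service -InputObject $svc -ErrorAction Stop }
        $svc.WaitForStatus($Target, $timeout)    # throws on timeout, halting the script
    }
    Write-Output "$DisplayName -> $Target"
}

# Look only at recent entries so an old, already-resolved failure does not trigger a restart.
$hit = Get-Content -Path $log -Tail 2000 | Select-String -SimpleMatch $signature -Quiet
if (-not $hit) {
    Write-Output 'SSO facade error not found in recent vpxd.log entries; nothing restarted.'
    return
}

foreach ($name in $stopOrder)  { Set-ServiceState $name 'Stopped' }
foreach ($name in $startOrder) { Set-ServiceState $name 'Running' }
```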


Unable to connect to the requested VDP appliance

Today I came across a situation where I was unable to connect to my VDP appliance and got the error below.

There is no problem connecting to VDP configuration.

  • In the /usr/local/avamar/var/vdr/server_logs/vdr-server.log file, you see an entry similar to:

    YYYY-MM-DD HH:MM:SS,MS ERROR [$1]-server.VDRServer: VDRServer.getVCenterClient cannot obtain VCenterClient  java.lang.NullPointerException: VCenterClient list is empty

  • Also in the vdr-server.log file, you may see an entry similar to:

    YYYY-MM-DD HH:MM:SS,MS INFO [http-xxxx-exec-x] -impl.X509TrustChainKeySelector: Failed to find trusted path to signing certificate. 


This issue occurs when the date and time on the VDP appliance do not match those on the vCenter Server or ESXi host.

Check that the NTP settings are configured correctly on your VC and ESXi hosts. To resolve the issue, stop the MCS service on the VDP appliance and start it again.
# dpnctl stop mcs

Once stopped, start it again:

# dpnctl start mcs

For more information, see the KB article "Could not connect to the requested VDP appliance".