Top vCenter Server Appliance (VCSA) troubleshooting commands

During the configuration and troubleshooting of vCenter Server Appliances (VCSA) I maintain a list of commands that I frequently use. This list contains my top configuration and troubleshooting VCSA commands:

  • Enable access to the Bash shell:
shell.set --enabled true
  • Permanently configure the default Shell to BASH for Root:
chsh -s /bin/bash root
  • Log location of the VCSA:
  • VCSA service management:
Check status
service-control --status --all
List services
service-control --list
Stop all services
service-control --stop --all
Start all services
service-control --start --all
  • Join the AD domain from PSC:
/opt/likewise/bin/domainjoin-cli join domain.local aduser password

After joining the AD domain, reboot the appliance.

  • Check the AD domain join status:
/opt/likewise/bin/domainjoin-cli query
  • Leave AD domain join:
/opt/likewise/bin/domainjoin-cli leave

After leaving the AD domain, reboot the appliance.

  • Certificate Manager location:
  • Test port connectivity from the VCSA:
curl -v telnet://<target IP address>:<port>
curl -v telnet://mypsc.domain.local:443
  • Identify which PSC the VCSA is pointing to:
/usr/lib/vmware-vmafd/bin/vmafd-cli get-ls-location --server-name localhost
  • Repoint the VCSA to another PSC:
cmsso-util repoint --repoint-psc "PSC01"
  • Check the PSC replication partner:
/usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartners -h localhost -u administrator -w password
  • Check the PSC replication status:
/usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartnerstatus -h localhost -u administrator -w password


Partner: psc02
Host available: Yes
Status available: Yes
My last change number: 4274
Partner has seen my change number: 4274
Partner is 0 changes behind.
  • VDC Admin tool test LDAP and force replication
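The showpartnerstatus output shown above can be checked automatically. The following shell function is an added example, not part of the original post: it reads that output on stdin and flags partners that are unavailable or more than a chosen number of changes behind. The function names, the threshold argument and the psc03/psc04 sample entries are assumptions constructed for illustration.

```shell
# Added example: summarise `vdcrepadmin -f showpartnerstatus` output read from stdin.
# $1 = highest acceptable "changes behind" value (assumed default: 0).
# Exit status: 0 all partners healthy, 1 at least one alert, 2 nothing parsed.
check_psc_replication() {
    awk -v max="${1:-0}" '
        function report(    msg) {
            if (partner == "") return
            count++
            if (host != "Yes")             msg = "host not available"
            else if (status != "Yes")      msg = "status not available"
            else if (behind == "")         msg = "lag not reported"
            else if (behind + 0 > max + 0) msg = behind " changes behind"
            if (msg != "") { print "ALERT " partner ": " msg; bad = 1 }
            else           { print "OK " partner ": " behind " changes behind" }
            partner = host = status = behind = ""
        }
        { sub(/\r$/, "") }                      # tolerate CRLF from copied output
        /^Partner:/                         { report(); partner = $2 }
        /^Host available:/                  { host = $3 }
        /^Status available:/                { status = $3 }
        /^Partner is [0-9]+ changes behind/ { behind = $3 }
        END {
            report()
            if (count == 0) { print "ALERT: no partner blocks found"; exit 2 }
            exit bad + 0
        }
    '
}

# Constructed sample: the psc02 block from the page plus two invented partners.
sample_status() {
    cat <<'EOF'
Partner: psc02
Host available: Yes
Status available: Yes
My last change number: 4274
Partner has seen my change number: 4274
Partner is 0 changes behind.
Partner: psc03
Host available: Yes
Status available: Yes
Partner is 12 changes behind.
Partner: psc04
Host available: No
EOF
}

sample_status | check_psc_replication 5 || echo "replication needs attention (exit $?)"
```

On an appliance, pipe the real vdcrepadmin showpartnerstatus output into check_psc_replication in place of sample_status, for example from a scheduled job that alerts on a non-zero exit status.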

Proactively manage your vSphere environment with Runecast Analyzer

I’ve had the opportunity to test Runecast Analyzer. Runecast Analyzer proactively uses VMware KBs, best practices and security hardening guidelines to identify problems in your VMware environment. In this blog post you will find my experience of testing Runecast Analyzer.


The deployment of Runecast Analyzer is easy. It’s an on-premises deployment in your vSphere environment. Within a couple of minutes Runecast is up and running. First download and deploy the virtual appliance OVA in an existing vSphere 5 or higher environment. During the deployment, 3 appliance configuration sizes are available:

Deployment | vCPU | Memory (GB) | Storage (GB) | Network
After choosing the appliance size and setting the IP address, you’re ready to access the appliance using a web browser.
After the appliance is deployed, updating of the KB definitions, application and OS can be configured in the VA admin interface of the appliance. When using automatic updating you’re always up to date.
When the appliance has no internet connection, offline updates are available on the Runecast website.
Scan the vSphere environment
Add one or more vCenter Server(s) and you’re ready to fire your first scan of the VMware environment. The scan can be performed manually or scheduled.
After the scan of the environment, the issues are displayed in a dashboard. The issues are categorized as critical, major and medium.

Version 1.7 adds a new dashboard called “issues by layer”. This dashboard categorizes the issues in 5 main layers: Management, VM, Compute, Network and Storage.

The detected issues are added in the five layers. This dashboard is interactive. By selecting the layer and issue you can drill-down and find the affected component and root cause.

It is possible to integrate Runecast in the vSphere Web Client. The plugin displays all issues detected by Runecast Analyzer with the details and their root causes.

The vSphere Web Client HTML5 page looks awesome.

Meltdown and Spectre

Runecast continuously monitors the VMware KB articles and is able to detect Spectre and Meltdown issues. The great thing is that when VMware updates or adds a Spectre or Meltdown KB issue, Runecast picks that up and alerts you when the vSphere environment is affected. In the following example the Spectre/Meltdown issues are found.

You can drill down to see which hosts are affected.

Log Analytics

Runecast Analyzer includes log analytics. Runecast collects the syslogs from the ESXi hosts and analyzes them to discover possible problems described in KBs.


Runecast Analyzer uses VMware Security checks and DISA STIG 6 to check the compliance of the vSphere environment. The results are reported in a dashboard.

vSAN support

Version 1.7 adds support for VMware vSAN environments. It scans vSAN clusters and tests their configurations against VMware KB articles and best practices. When issues are found, guides on how to fix them are included.

For example, in a customer vSAN environment Runecast Analyzer found the following vSAN problem:

When drilling down, the guide tells me that this issue is fixed in ESXi 6.5 Update 1 (vSAN 6.6.1). After patching, the issue was solved without ever occurring in the vSAN environment. This is what you call “proactive management”.


With Runecast Analyzer every VMware vSphere admin can proactively identify possible (security) problems in their vSphere environment. The installation is easy and fast. As a VMware consultant I use Runecast on a frequent basis, which gives me a great overview of the state of the vSphere environment I’m working with.

Every new release adds great features, such as vSAN and vSphere Web Client HTML5 support.

In my opinion Runecast Analyzer is a must-have tool for every VMware vSphere admin to proactively monitor their environment.

Wanna try?

There is a 14-day free trial available from this link.

Firefox does not trust vCenter signed CA certificates

For a vCenter Server environment I replaced the default SSL certificates with CA signed SSL certificates. The Platform Services Controller (PSC) is configured as a VMCA subordinate CA. When opening the vSphere Web/HTML5 Client, Firefox displays the following warning: Your connection is not secure.

This is because Firefox does not trust root certificates in the Windows certificate store. Since Firefox 49, an option is included that allows Firefox to trust those root certificates. This option is not enabled by default.

The following steps illustrate how to configure Firefox to use the Windows certificate store:

  • Open Firefox
  • In the address bar type: about:config
  • Accept the warning
  • Navigate to Preference name: security.enterprise_roots.enabled 
  • Set the value to:  true

Firefox now trusts the root certificates in the Windows certificate store.