I recently completed a VMware VI 3.5 to vSphere upgrade in a small environment (5 hosts, 80 VM’s). Being a small environment, the upgrade was planned for one big overnight blitz. Unfortunately, the size of the environment did not afford a test environment to uncover potential issues before the upgrade. The upgrade to vSphere itself went swimmingly (the vCenter server had been upgraded a couple weeks earlier). However, some things in the environment started to go wonky once the upgrade was complete. Specifically, name resolution (DNS), DHCP, WINS, Group Policy, and really anything Microsoft Active Directory related just did not work.
Let me explain a bit about the environment so you can better understand what the problem was and how it was corrected. The environment was an all Microsoft shop, except for VMware of course. The company follows a virtualize-first policy and is about 90% virtualized, including the Active Directory Domain Controllers. The DC’s are Windows 2008 and serve up DHCP, DNS, and WINS in addition to their Directory Services roles.
The problems really began after I upgraded the virtual hardware version from v4 to v7 (check out page 97 of the vSphere Upgrade Guide for the upgrade procedure). When a Windows server is upgrade from VMware Hardware Version 4 to 7, the VMware Upgrade Helper Service handles the reconfiguration of network adapters on the upgraded virtual machine. The VMware Upgrade Helper Service is installed with VMware Tools and is one of the reasons, along with getting drivers installed for the new hardware, for upgrading VMware Tools before upgrading the hardware version. If you review the Event Viewer Application log on an upgraded machine you will see several entries from VMUpgradeHelper (Source) with several different Event ID’s (26, 280, 272, 108, & 105). An examination of these events will show that the VMware Upgrade Helper service 1.) Backed up the network configuration at OS shutdown, 2.) Started Automatically with the OS, 3.) Checks the device ID for the network adapter, 4.) If the device ID has changed (as a result of a hardware upgrade), the backed up configuration is restored and Event ID 269 is logged.
This behavior should be transparent for most configurations, with the exception of a slightly longer boot time following the upgrade. However, I did notice a few problems with the NIC settings being restored under certain conditions. First, on servers with a statically configured IPv4 stack, IP addresses and DNS server addresses were restored, but the WINS server addresses were not restored. I suspect this is an oversight in the VMware Upgrade Helper service, but is probably not a major issue for many servers/environments as WINS is infrequently used. However, for a WINS server itself to lose its configuration to use itself as a WINS server, bad things happen. There are several ways to correct this – scripts, DHCP Options, etc. In the end, this wasn’t really a show stopper for me in this small environment.
The second, and bigger issue for me, was that after the virtual hardware was upgraded and the VMware Upgrade Helper Service did it’s job my Active Directory and related services were not available. DNS was not functioning, DHCP was not handing out addresses, and I couldn’t connect to AD using ADUC, GPMC or LDAP. It took me a few minutes to figure out what was going on. This seems to be what happened: the virtual hardware upgrade caused a new virtual network adapter to be installed in the VM and all of the settings, including the MAC, address to be restored. The HW v4 NIC was removed from the machine, but Windows held onto the device as a ‘ghost NIC’ in Device Manager. The core AD services, including DNS and DHCP, were still attempting to bind to the ghost NIC. This behavior persisted through service restarts and reboots of the guest. It wasn’t until I examined the IP configuration on the new NIC and clicked Apply (instead of canceling out) that I was prompted with a message indicating that there was more than one network interface configured with the same IP address, queuing me into the solution.
The error message should be familiar to anyone who has performed a Physical-to-Virtual migration (P2V) and is easily corrected by removing the old device through Windows Device Manager. The device is hidden so you first have to expose it before deleting it. Check http://support.microsoft.com/kb/315539 for details or simply follow my instructions below. To expose the non-present NIC, open a command prompt and enter:
You can then open Device Manager (enter devmgmt.msc at the command prompt to save some time). In Device Manager, click View | Show Hidden Devices. Expand Network Adapters and find the grayed-out entry for the old NIC as pictured below.
Select the ghost NIC and right-click | Uninstall to remove it.
The final gotcha for me on this is that the set devmgr_show_nonpresent_devices=1 command does not work on Windows 2008 (or Vista, Windows 7, or Windows 2008 R2). To see and remove ghost NICs from Windows 2008, and environmental variable must be defined. To set the variable, open Server Manager from the Windows Start Menu. Highlight ‘Server Manager (%SERVERNAME%)’ in the left-side tree-view pane. Click ‘Change System Properties’ in the right-hand pane. Switch to the Advanced tab and click ‘Environment Variables. Create a new System variable by clicking the New button. The Variable name should be ‘devmgr_show_nonpresent_devices’ and the value should be ‘1’ as pictured below.
Click OK to close out of any open Windows. A reboot is not necessary for the variable to take effect, although you may have to close out of all open Device Manager Windows and then reopen devmgmt.msc. Click View | Show Hidden Devices and remove the ghost NIC as described above. A quick reboot after I removed the ghost NIC from the domain controllers and all Active Directory, DNS, DHCP, and WINS services immediately began operating normally. This second issue is more of a Microsoft problem in my opinion, and has been around for some time.
Before you start getting all upset and the FUD starts flying (“this is Microsoft/VMware’s latest attempt to break VMware/Microsoft?”), it wasn’t really vSphere that broke Active Directory; It was me. A little better planning and not rushing through the last wee hours of the upgrade Window could have saved some trouble. If you are planning a similar upgrade, it would be best to upgrade your domain controllers/DNS servers one at a time and remediate the issues I have described before upgrading the next. This will ensure continued availability of your Active Directory and other critical services during your upgrade.