About
You arrived at the weblog of Geert Baeke. I am a technology consultant for a company called Xylos (Belgium). I mostly work with Microsoft technologies such as Windows, Active Directory, Exchange, Sharepoint, MSCS, and more. I am also actively busy with VMware's products, focussing on VMware ESX.
Tuesday, January 31

Using the VMWare COM API from .NET
by
rastix
on Tue 31 Jan 2006 10:09 PM CET
When you start writing your own programs to interact with GSX or ESX server, you might want to do so from a .NET application. In this article, I will show you how to do just that. It is quite simple. In this example, I will build a simple application that illustrates how to perform the basic tasks. The application just retrieves a list of registered virtual machines and displays them in a listbox. When you double click the virtual machine, some details about that virtual machine are shown. The sample was developed with Visual C# 2005 Express Edition.

1. Install VMWare COM API

You need to install the VMWare COM API on your system. You can install the COM API using VMWare's installer or you can just copy the following files to a directory on your system (available when you installed the COM API on another machine, such as the GSX server itself):
- VmCOM.dll
- VMControlLib.dll
- libeay32.dll
- ssleay32.dll

Register VmCOM.dll with regsvr32 vmcom.dll.

2. Start a new project and add a reference to VmCOM.dll

In Visual C# 2005, start a new Windows Application project. In the Solution Explorer, right click your project and select Add Reference. Select the VMWare VmCOM 1.0 Type Library and click OK.

3. Use the VMWare COM API in your code

Add a using statement to your code:

```csharp
using VMCOMLib;
```

To connect to a VMWare server, first create a VMConnectParams object:

```csharp
// vmConn is kept outside the method so the DoubleClick handler can reuse it
vmConn = new VmConnectParams();
vmConn.Hostname = "server";
vmConn.Username = "user";
vmConn.Password = "password";
```

To connect to the server with these credentials:

```csharp
vmSrvCtl = new VmServerCtl();
vmSrvCtl.Connect(vmConn);
```

Now you are connected to the server, you can enumerate the registered virtual machines:

```csharp
foreach (string s in vmSrvCtl.RegisteredVmNames)
{
    VmCtl vm = new VmCtl(); // create object to control a virtual machine
    vm.Connect(vmConn, s);  // connect to virtual machine
    listBox1.Items.Add(new virtualMachine(s, vm.get_Config("DisplayName")));
}
```

In the code snippet above, I add a virtualMachine object to a listbox. The virtualMachine class is just a custom class I use to store the path to the vmx file and the displayname of the virtual machine in each listbox item. The class has an overridden ToString() method to show the displayname of the virtual machine in the listbox.

Now you can add some code to display information about the virtual machine when you double click that machine in the listbox:

```csharp
virtualMachine vmItem = (virtualMachine)listBox1.SelectedItem;
string vmx = vmItem.vmx;

VmCtl vm = new VmCtl();
vm.Connect(vmConn, vmx);

StringBuilder sb = new StringBuilder(); // requires using System.Text;
// ip seems to be the only out of the box guestinfo variable
sb.AppendFormat("Name:\t {0}\n", vm.get_Config("DisplayName"));
sb.AppendFormat("Memory:\t {0}\n", vm.get_Config("memsize"));
sb.AppendFormat("IP:\t {0}\n", vm.get_GuestInfo("ip"));
MessageBox.Show(sb.ToString(), "VM Details", MessageBoxButtons.OK, MessageBoxIcon.Information);
```

The above code is used in the DoubleClick event of the listbox. It just gets the vmx name from the currently selected item in the listbox and then connects to the virtual machine with the VmCtl object. You always connect to a registered virtual machine using the full path of the vmx file (configuration file) of that virtual machine.

Once you are connected to the virtual machine you can do things such as starting and stopping or just retrieving information. In the above example, I only retrieve information from the vm. When you use get_Config, you retrieve information from the vmx (such as displayName and memsize). When you use get_GuestInfo, you retrieve information you have set with the VMWare Tools. Apparently, ip is an available GuestInfo variable that retrieves the ip address of the virtual machine. It seems there are no other such variables.

File Attachment: GSXdotNET.zip (50 KB)
Monday, January 30

More issues with the shared folders feature in VMWare
by
rastix
on Mon 30 Jan 2006 04:44 PM CET
In an earlier post, I talked about an issue in VMWare when you try to create a trust from a Windows 2003 SP1 domain controller virtual machine. That virtual machine ran in GSX 3.1. I upgraded GSX to version 3.2 but the problem remains.

There is another issue with the Shared Folders feature when combined with terminal services. This issue is documented by VMWare in their knowledge base. The solution offered by the knowledge base is to remove hgfs (driver for the shared folders feature) from the following registry value:

HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order

A reboot is required after this change. The solution that is offered by this knowledge base article does not solve the trust issue. The trust issue is only resolved when the shared folders feature is completely removed.

Because of these issues, I advise customers not to install the Shared Folders feature in GSX and ESX environments. The feature cannot be used with ESX and GSX anyway. When you install the VMWare Tools, choose Typical instead of Complete. A typical install does not include the Shared Folders feature.
Friday, January 27

Several issues when you add Windows 2003 SP1 domain controllers to an existing domain
by
rastix
on Fri 27 Jan 2006 05:56 PM CET
When you add Windows Server 2003 SP1 domain controllers to an existing domain that has Windows 2000 domain controllers, several issues will pop up. There is an issue with the Windows Time Service and an issue with the MSDTC service. The issues all have to do with changes in the security configuration of Windows 2003 SP1. Your new domain controller gets its security settings from the Default Domain Controllers policy (Windows 2000 timeframe), and these settings do not work with Windows 2003 SP1. This post provides some details about these issues and how to resolve them.

Windows Time Service Errors

An error from source W32Time with event ID 46 with the following description:

The time service encountered an error and was forced to shut down. The error was: 0x80070700: An attempt was made to logon, but the network logon service was not started.

The reason for this error is that Windows 2003 SP1 uses the nt authority\localservice account for the time service. That account needs the right to change the windows time. You should grant that right in the Default Domain Controllers Policy or create a separate policy for Windows 2003 domain controllers with that right. In the policy, navigate to Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment and then set the user right “Change the system time” as shown below.

You will also need to change the configuration of services in the domain controller’s policy in AD. In the policy, go to Computer Configuration, Windows Settings, Security Settings, System Services. On the Net Logon and Windows Time service, set the settings as below:

Click Edit Security and set as below:

The rights for Administrators and SYSTEM are Full Control.

After you set the user right and you configured the Net Logon and Windows Time Service, reboot the server. When the server comes back up, check that the Windows Time service is started. To verify that time sync is happening, open a command prompt and type w32tm /monitor. You should see that the Windows 2003 domain controller syncs with its PDC (check the refid). If not, use w32tm /resync and then try w32tm /monitor again. Also check the system log for an event from the W32Time service with event ID 35 (The time service is now synchronizing….).

MSDTC Errors

You might see the following MSDTC errors:
- Event with source MSDTC, ID 53258: MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: %1
- Event with source MSDTC, ID 4439: Failed to verify MS DTC service account information. Internal Information : msdtc_trace : File: d:\srvrtm\com\complus\dtc\dtc\adme\uiname.cpp, Line: 9390, VerifyAccountInfo: CService::Create failed, hr=0x80070005

To get rid of the first event, do the following:
- From Administrative Tools, start Component Services.
- In the MMC snap-in, go to Component Services, Computers, My Computer.
- Open the properties of My Computer and click the MSDTC tab.
- Click the button Security Configuration.
- Do not change anything, just click OK (silly, I know).
- Click OK again and then close the MMC.

Stop and start MSDTC. The event with ID 53258 should not appear anymore.

To get rid of the 4439 event, do the same as for the Windows Time Service. In the System Services section of the server’s policy in AD, give the account SERVICE read/start/stop rights. Refresh group policy with gpupdate /force and then restart MSDTC. The error should disappear. Hope this helps…
Thursday, January 26

Problem copying large files between VMWare guest and host
by
rastix
on Thu 26 Jan 2006 06:10 PM CET
When you copy a large file between a VMWare guest and the host, you might get the following error in the guest: 
On the host, you will see the following event: 
It is very annoying and is not so easily solved. The reason why this happens is explained in the VMWare knowledge base. This web page also contains more info. In essence, it happens because of a security feature in Windows 2003. Windows 2003 thinks a denial of service attack is happening because the transfer rate is higher than possible. The solutions are discussed in the VMWare KB article.
Wednesday, January 25

Allow applications without support for NTLM proxies to work anyway
by
rastix
on Wed 25 Jan 2006 08:45 PM CET
When you are behind a proxy that uses NTLM authentication, many applications will refuse to work. What is worse, some applications don’t even support passing a name and password to the proxy.
As an example, I take BlogJet. BlogJet supports proxies and authentication. In fact, version 1.6 should support proxies that support NTLM and even Digest. But I could not get it to work with an upstream ISA server.
To get an application like that to work anyway, use NTLMAPS. NTLMAPS stands for NTLM Authorization Proxy Server. Basically, it is a proxy server that you install on your local machine. When you configure an application like BlogJet to use your local machine and the port that NTLMAPS listens on, NTLMAPS will take the (anonymous) request from the application and then pass it on to the upstream proxy servers using NTLM authentication with a name and password.
NTLMAPS comes with a configuration file (server.cfg) where you have to configure the upstream proxy name, port, user name and password. If you don’t type the password, NTLMAPS will ask for it at startup. You can also configure the user-agent string so the request looks like it is coming from Internet Explorer 6 or anything you want.
Configuration in BlogJet:

Now, whenever BlogJet needs to connect to the Internet, it will connect to NTLMAPS on 5865. In turn, NTLMAPS will connect to the upstream proxy you configured in server.cfg.
NTLMAPS itself is written in Python, so you will need to install Python on your local machine. It is a great solution to allow any application that can use a proxy to work through MS Proxy or ISA Server.
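A defender-side check for the server.cfg described above, as an added example that is not part of the original post or of NTLMAPS itself: it parses the file and flags a password stored in cleartext and a proxy that accepts requests from other hosts. The key names (LISTEN_PORT, PARENT_PROXY, ALLOW_EXTERNAL_CLIENTS, USER, PASSWORD, ...) are assumed from the sample server.cfg shipped with NTLMAPS, and all values in the sample are constructed.

```python
"""Audit an NTLMAPS-style server.cfg for settings that expose proxy credentials."""

# Constructed sample in the KEY:VALUE-under-[SECTION] layout of server.cfg.
# Key names are assumed from the NTLMAPS sample config; values are made up.
SAMPLE_CFG = """\
[GENERAL]
LISTEN_PORT:5865
PARENT_PROXY:isa.example.local
PARENT_PROXY_PORT:8080
ALLOW_EXTERNAL_CLIENTS:1

[CLIENT_HEADER]
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

[NTLM_AUTH]
NT_DOMAIN:EXAMPLE
USER:jdoe
PASSWORD:Secret123
"""


def parse_cfg(text):
    """Return {SECTION: {KEY: value}}; comment lines and blank lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].upper(), {})
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)  # split once: values may contain ':'
            current[key.strip().upper()] = value.strip()
    return sections


def audit(text):
    """Return a list of findings for a server.cfg passed in as text."""
    cfg = parse_cfg(text)
    general = cfg.get("GENERAL", {})
    auth = cfg.get("NTLM_AUTH", {})
    findings = []
    if auth.get("PASSWORD"):
        findings.append("PASSWORD is stored in cleartext; leave it empty so "
                        "the proxy asks for it at start")
    if general.get("ALLOW_EXTERNAL_CLIENTS", "0") != "0":
        findings.append("ALLOW_EXTERNAL_CLIENTS is on; other hosts can send "
                        "requests that are authenticated upstream as "
                        + (auth.get("USER") or "the configured user"))
    if not general.get("PARENT_PROXY"):
        findings.append("PARENT_PROXY is not set")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG):
        print("-", finding)
```

Because the local proxy attaches the configured account to every request it forwards, the file permissions on server.cfg and the listening scope matter as much as the password itself.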
Tuesday, January 24

Problems creating a trust in a VMWare environment
by
rastix
on Tue 24 Jan 2006 02:54 PM CET
In a test environment running in VMWare GSX 3.1 on a Windows 2003 host, we had problems creating a trust between two domains. The Windows 2003 domain controllers are SP1 running as VMs. I will tell you up front that the problem was caused by the fact that the domain controllers run as virtual machines with the VMWare Tools installed!
The following setup:
- Domain A: Windows 2000 domain controllers, native
- Domain B: Windows 2003 SP1 domain controllers, native
- DNS and WINS name resolution fully functional and verified
- You want a trust from domain B (2003 SP1) to domain A (could be any version)
When you try to create the trust with Active Directory Domains and Trusts on one of the Windows 2003 SP1 domain controllers (domain B), you will get an error about not being able to contact the domain controller in the trusted domain A. The error is shown directly after you specify the name of domain A.
You can create the trust with netdom.exe because you can specify credentials for both domains. However, verification of the trust using Active Directory Domains and Trusts will fail. The trust will work though!
Under the hood, when you create a trust using the trust wizard, the Windows 2003 domain controller will first try to connect to the trusted domain's domain controller using the credentials from the trusting domain (domainB\administrator). Logically, that will fail (because there is no trust). However, after that failure, a null session should be set up so that the Windows 2003 domain controller can talk to the LSA using RPCs. The null session is set up by connecting to \\targetdcindomainA\ipc$ using null as user and password.
In our environment, the null session was not set up at all. After the wizard tries to connect with domainB\administrator and the (obvious) error STATUS_LOGON_FAILURE as seen in a network trace, the process just stops. No null session is established, not even tried! And the trust wizard throws the error.
SOLUTION: Remove the Shared Folders feature of the VMWare Tools. That feature uses a driver, hgfs.sys, that apparently causes this behaviour. After I removed that driver, everything functioned normally. The null session was established and the trust wizard continued without issues. Verification of the trust afterwards is ok as well.
On some of my virtual machines, hgfs.sys was still loaded after removing the VMWare Tools. Manually check that the driver is not loaded.
This is not really an issue with virtualization. It is, quite simply, a driver issue. In production, I would recommend against using the shared folders feature.
NOTE: You should use VMWare GSX 3.2 with Windows Server 2003 SP1 virtual machines. I have not yet checked if GSX 3.2 solves these issues.
Monday, January 23

No null session with a one-way trust?
by
rastix
on Mon 23 Jan 2006 10:46 PM CET
When you create a one-way trust between two Windows domains, you would expect that null sessions are used to make browsing for users and groups possible. Of course, as you might have guessed, this is not the case. I never actually paid attention to this, until someone asked me why they got an authentication dialog box to verify accounts in a trusted domain. Take the following scenario:
- Domain A (Windows 2003)
- Domain B (Windows 2000)
- Domain A trusts domain B (so we can add accounts from domain B to ACLs of resources in domain A)
When you are on a Windows 2000 (or higher) system in domain A, and you want to add a user from domain B to an ACL, you will get a prompt that asks you for credentials in domain B. This is because a Windows 2000 and higher system does not use a null session to connect to a domain controller in domain B. Apparently, this cannot be changed because it is by design. It does not actually matter if domain A or B are Windows 2000 and higher domains (native, mixed, whatever). If the machine that has the resource (share, printer, ...) is Windows 2000 or higher, you will get the authentication prompt. Annoying!
Thursday, January 19

Adding some colour to a .NET script
by
rastix
on Thu 19 Jan 2006 10:50 PM CET
In this article, I blog about adding some colour to a .NET script that uses the console. The Windows Scripting Host does not allow you to use colours when you run a script with cscript.exe.
In a .NET language (console application), colour can be easily included by using Win32 API functions.
1 Attachments
Wednesday, January 18

Alintex .NET scripting engine
by
rastix
on Wed 18 Jan 2006 09:32 PM CET
In this post, I talk about the Alintex Script.NET engine. It is a FREE .Net scripting engine that allows you to write scripts using a .NET language like C#. Some sample code is added to illustrate what you can do.
1 Attachments
Tuesday, January 17

Create ad-hoc VPNs with Hamachi
by
rastix
on Tue 17 Jan 2006 03:18 PM CET
You really need to check out Hamachi. It lets you create ad-hoc VPNs with others in a plug and play manner. Once installed and configured, you will have an extra network adapter on your machine that will get an IP address in the 5.x.y.z range. The systems in the network that you create will all be in the same "virtual" LAN so you can easily connect to shares, play games, use remote desktop, whatever you want.
Check it out.
Monday, January 16

Telenet Belgium and digital TV
by
rastix
on Mon 16 Jan 2006 09:19 PM CET
In Belgium, there are only a couple of digital TV providers. One of them is Telenet. You can get digital TV from them in two ways:
- Using a digibox: a simple decoder and remote control without recording features
- Using a digicorder: a decoder but with a 160 GB hard disk and two tuners so you can record one digital program and watch another. Only a hard disk, no dvd!
The digibox has been available since the launch of digital tv in 2005. The digicorder can be ordered from January 2006 and will be delivered from February. The funny part is that you can only start recording from March 2006 because a software upgrade is needed first. The software upgrade is done automatically via the cable network.
Like any good HDD recorder, you will be able to record a program by selecting the program from the EPG (electronic program guide). But with Telenet's offering, this will only work if you pay 4,95€ a month for the Easy Recording Service. Some are even saying that timeshifting (pausing live tv) will only work with that service. Of course, like always, it is absolutely unclear because Telenet is not specifying all features clearly on their website. Even when you talk to Telenet help desk staff, they cannot clearly say how it will work. You even get different answers depending on who you talk to. Typical!
Having to pay a monthly fee for a service like that is just ridiculous. It is another reason why I think that it is not a good time to switch to digital tv unless they adopt standards like in our neighbouring countries or the UK.
I do not want to be tied to the hardware (digibox/digicorder) that Telenet provides. I want standard hardware, with smartcards, so I can use digital equipment from others that do get it right. I want an easy (or easier) upgrade path to HDTV. Maybe I want too much. Sigh...
Sunday, January 15

Namescape rDirectory: web-based AD application
by
rastix
on Sun 15 Jan 2006 08:58 PM CET
Take a look at this application from Namescape. It is a web based employee directory that allows users to search AD and to update their own information. The nice thing about it is that they have a free community edition.
The enterprise edition has more features such as exports to Excel, and the possibility to create other interfaces/applications without programming.
Thursday, January 5

Simple perl script to disconnect all floppies and cd-roms from virtual machines on GSX
by
rastix
on Thu 05 Jan 2006 09:50 PM CET
VMWare GSX comes with a VmCom and VmPerl scripting API to script actions you need to perform on GSX. You can use the scripting API to get a list of all registered VMs, get their execution state, get configuration parameters and so on.
I needed a script to disconnect all floppies and cd-roms from all virtual machines on a server. The scripting API makes this simple.
Check the attached file for a sample Perl script that does the trick. It is best to add the directory where VMWare GSX installed Perl to your path. Normally, Perl is installed in C:\Program Files\VMware\VMware VmPerl Scripting API. You should also connect the .pl extension to C:\Program Files\VMware\VMware VmPerl Scripting API\perl.exe.
To run the script (after path change and .pl extension), just type disconnect.pl from the command prompt.
Of course, you can create a similar script with VBScript or JScript but what's the fun in that?
1 Attachments
Sunday, January 1

Google Guide Quick Reference: Google Advanced Operators
by
rastix
on Sun 01 Jan 2006 08:57 PM CET
The Google Quick Reference (see link below) lists some of the more advanced operators you can use. I especially like the following:
- old units in new units: for example 100 euros in forint or 7.6 feet in meter.
- filetype:<type>: for example javascript guide filetype:pdf for javascript guides in pdf format.
- movie:<movie name>: for example movie:King Kong for movie reviews of King Kong.
- define:<term>: for example define:blog for a definition of the word blog
Check out the guide for more examples.
Google Guide Quick Reference