Deploying VMware vCenter Server Appliance 6 (VCSA)

From vmWIKI


Originating Author

Michelle Laverick

Michelle Laverick.jpg

Video Content [TBA]

Introduction to vCenter Server Appliance

Version: vSphere 6.5 Update 1

Features and Functions

VMware vCenter is the company's core management platform, and it is common for other technologies, both from VMware and from third parties, to use it as the central point for accessing ESXi hosts and clusters, as well as the VMs and other components on which they add value or further orchestration. At the time of writing VMware supports two editions of vCenter: an installable version that runs on Microsoft Windows, and a virtual appliance edition that runs on Linux (SUSE Linux Enterprise Server up to vSphere 6.0, VMware's own Photon OS from vSphere 6.5). In terms of their core APIs the two editions are functionally the same, and since vSphere 6.0 they share the same configuration maximums; earlier VCSA releases scaled to fewer hosts and VMs than the Windows edition. In production environments the Windows edition still predominates, largely for historical reasons (the first versions of vCenter were Windows-only). With that said, the VCSA is considerably easier to deploy and update/upgrade than the Windows edition, and for this reason it has become the preferred method of standing up the vCenter service.

Previously, there were features that were only available in the Windows edition and not in the VCSA. One example is "Linked Mode", which allows a single login to span many vCenters. vSphere 6.0 finally removed the functional differences between the Windows vCenter and the VCSA, so the VCSA can now sit happily alongside increasingly legacy Windows editions. In the screengrab below there are three vCenters: vcnyc and vcnj are running the Windows version of vCenter, and vcwdc is running the Linux-based VCSA.

Screen Shot 2016-02-23 at 15.55.56.png

Virtual Hardware Requirements

By default the VCSA is deployed with 2 vCPUs and 10GB of RAM (the "Tiny" size). Some regard this as quite a large amount of virtual resource, but it does include the embedded database.

Screen Shot 2018-02-15 at 12.32.42.png

The deployment size is chosen in the installer (step 10 below) and sets the appliance's CPU and memory in line with the inventory it will manage. For vSphere 6.5 the sizes are Tiny (up to 10 hosts/100 VMs, 2 vCPUs/10GB RAM), Small (100 hosts/1,000 VMs, 4 vCPUs/16GB), Medium (400 hosts/4,000 VMs, 8 vCPUs/24GB), Large (1,000 hosts/10,000 VMs, 16 vCPUs/32GB) and X-Large (2,000 hosts/35,000 VMs, 24 vCPUs/48GB).

Software Requirements

As it stands the VCSA does not require any specialist software to function, beyond a supported virtual platform to run on. In most cases this will be vSphere/VMware ESXi, although some home labs run it on PC/Mac hardware using VMware Workstation/Fusion in a "nested" ESXi configuration. The vCenter database is supported in two forms: the "embedded" PostgreSQL database built in to the appliance, or an external database, for which Oracle is currently the only supported option. Given the cost of licensing Oracle, most organisations that deploy the VCSA use the built-in database.

Simple Single Site: Deployment of the vCenter Server Appliance (VCSA)

Such a deployment may be the perfect fit for a small/medium-sized organisation that comprises a single physical site. In this scenario the customer requires each vCenter deployed to be stand-alone and independent of all others. A few customers, even in a multi-site environment, prefer this model because they want each vCenter build to be independent of the others. It is not without drawbacks, namely increased administration and duplication of tasks, as well as the orphaning of licenses at a particular location. For instance there may be spare socket licenses in New York that could be used to license a new VMware ESXi host in New Jersey. In stand-alone mode one would need to work with the company's VMware rep to get the socket allocation adjusted; in an Enhanced Linked Mode multi-site configuration this would not be necessary.

The vCenter Server Appliance is downloadable as an .ISO image. The deployment process has changed significantly since its first release: a deployment wizard on the .ISO now deploys the appliance and configures it for you. Previously the VCSA shipped as an OVF/OVA file, and a web-browser based admin tool required a significant amount of work to get the appliance up and running. The "installer" uploads the VCSA to the ESXi host or vCenter of your choosing. This approach vastly reduces the time to deploy and configure the VCSA compared to the previous method, and represents a significant step forward that should accelerate its adoption in the longer term. There is a graphical installer as well as a command-line version, and the graphical installer comes in three flavours: Windows, Apple Mac and Linux.

This installer also offers options to upgrade an existing VCSA, restore a VCSA from backup, and migrate a Windows-based vCenter to the vCenter Server Appliance.

Care must be taken over prerequisites like IP addresses and DNS. If you specify an IP/FQDN combination that DNS cannot resolve (forward and reverse), the installation will fail. For instance, in the screengrab below the FQDN vcwdc.corp.com was not resolvable because the zone records were absent.

Screen Shot 2018-01-29 at 14.56.14.png
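The forward and reverse lookups the installer relies on can be checked from the jumpbox before the wizard is even started. The PowerShell function below is an added example and is not part of the original page or of VMware's installer; it uses the DnsClient module's Resolve-DnsName (Windows 8/Server 2012 and later), and the IP address and DNS server in the usage line are placeholders, since the article only records the FQDN vcwdc.corp.com.

```powershell
# Pre-flight DNS check for a planned VCSA FQDN/IP pair, run from the Windows jumpbox.
# Uses the DnsClient module's Resolve-DnsName (Windows 8 / Server 2012 and later).
function Test-VcsaDnsPrerequisite {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [Parameter(Mandatory)][string]$IPAddress,
        [string]$DnsServer            # optional: query the same server you will give the installer
    )
    $dnsArgs = @{ ErrorAction = 'SilentlyContinue'; DnsOnly = $true }   # bypass hosts file and cache
    if ($DnsServer) { $dnsArgs['Server'] = $DnsServer }

    # Forward lookup: the installer needs the FQDN to resolve to the IP you are assigning.
    $aRecords  = Resolve-DnsName -Name $Fqdn -Type A @dnsArgs | Where-Object { $_.Type -eq 'A' }
    $forwardOk = $aRecords.IPAddress -contains $IPAddress

    # Reverse lookup: the PTR record should map the IP back to the same FQDN.
    $ptr       = Resolve-DnsName -Name $IPAddress -Type PTR @dnsArgs | Where-Object { $_.Type -eq 'PTR' }
    $reverseOk = ($ptr.NameHost -replace '\.$', '') -contains $Fqdn

    [pscustomobject]@{
        Fqdn       = $Fqdn
        IPAddress  = $IPAddress
        ForwardOk  = $forwardOk
        ResolvesTo = ($aRecords.IPAddress -join ', ')
        ReverseOk  = $reverseOk
        PtrName    = ($ptr.NameHost -join ', ')
        Ready      = ($forwardOk -and $reverseOk)
    }
}

# The FQDN is the one used in this article; the IP address and DNS server are placeholders.
$result = Test-VcsaDnsPrerequisite -Fqdn 'vcwdc.corp.com' -IPAddress '192.168.3.10' -DnsServer '192.168.3.1'
$result | Format-List
if (-not $result.Ready) {
    Write-Warning 'Fix the A and PTR records before starting the installer; it will fail at the network step otherwise.'
}
```

Run it against the DNS server you intend to give the installer, not the jumpbox's default resolver: a record that exists only in a different zone or in the local hosts file will pass on the jumpbox but still fail inside the appliance.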

Stage One: vCenter Install

1. Mount the .ISO image on a workstation or VM that has access to the same network as your destination VMware ESXi host.

2. Once mounted, browse to D:\vcsa-ui-installer\ to find your preferred installer. In our case we were using a Windows 10 jumpbox into the lab environment, so we used win32.

3. Double-click the installer.

4. Select the option to Install.

5. The install is a two-stage process: stage one deploys the appliance to the host, and stage two configures the services on it, including the Platform Services Controller (PSC) element.

Screen Shot 2018-01-29 at 14.56.27.png

6. Accept the EULA.

7. For a simple single-site deployment choose the "Embedded" model, where both vCenter and the PSC reside in the same appliance. For multi-site deployments it is better to separate the vCenter and PSC roles.

Screen Shot 2018-01-29 at 14.56.46.png

8. Next specify the VMware ESXi host on which to deploy the vCenter, together with the host's "root" account and password.

Screen Shot 2018-01-29 at 15.02.13.png

Note: You will be prompted to accept the untrusted, self-signed SSL certificate of the host, identified by its SHA1 thumbprint. Before accepting, compare the thumbprint with the one the host displays in the DCUI (View Support Information), so that you are not handing the root password to a system impersonating the host.

9. Next assign a VM name for the appliance, together with a password for its default "root" account. The name is the virtual machine name, not the FQDN of the appliance. In this case we used "vcnyc", representing the vCenter for the New York datacenter.

Screen Shot 2018-01-29 at 15.05.32.png

10. Next set the appliance size. This allocates CPU and memory commensurate with the number of hosts/virtual machines the vCenter will eventually support.

Screen Shot 2018-02-13 at 21.43.24.png

11. Next select the datastore in which the VCSA will be held. On an unconfigured VMware ESXi host it is likely that all you will see is local storage. On a fully configured VMware ESXi host you should be able to see the datastore(s) mounted to it; these can be FC, iSCSI, NFS or vSAN storage.

Screen Shot 2018-02-13 at 21.43.42.png

12. Next select the network the vCenter will reside on, together with its FQDN, IP address, subnet mask, default gateway and DNS name servers. On an unconfigured VMware ESXi host you will see just "VM Network". This should be the same network as the ESXi host's management network. If the ESXi host uses VLAN tagging to separate the management network, you will need to use the ESXi host web client to set the VLAN ID on "VM Network" for this to function. In our case we configured a VM network called "Management" on all our hosts for this purpose.

Screen Shot 2018-02-13 at 21.45.29.png

From this point onwards you will see progress bars as the VCSA is uploaded to the VMware ESXi host and configured.

Screen Shot 2018-02-13 at 22.00.49.png

Stage Two: PSC Install

Screen Shot 2018-02-13 at 22.01.06.png

13. Next configure the preferred time synchronisation method. Typically all VMs get their time from the underlying VMware ESXi host, which in turn is configured for an external NTP source. Enable SSH access if you intend to use the new vCenter Server High Availability feature, which requires it; otherwise leave it disabled, as it can be switched on later from the Appliance Management interface when needed.

Screen Shot 2018-01-29 at 15.27.50.png

14. The VCSA can establish its own SSO domain. It is possible to have more than one vCenter per site (it would not be unusual to have one vCenter managing server VMs and a dedicated vCenter managing virtual desktops, for instance). In this case we wanted a single SSO domain for authentication purposes, with each vCenter residing at its own site, both logically and physically.

Screen Shot 2018-02-13 at 22.02.12.png

15. Indicate whether you wish to join VMware's Customer Experience Improvement Program (CEIP).

16. Review your settings and click Finish.

Note: At the end of the configuration process you will be informed that the appliance has been configured successfully, and the URL for the vSphere Web Client will be displayed.

Screen Shot 2018-02-13 at 22.19.53.png

vCenter Server Appliance Management

The VCSA has two core management UIs. The primary one has been around for some time and is accessed by typing the URL of the VCSA into a web browser together with the port number 5480 (https://vcsa-fqdn:5480). This interface is based around the "VMware Studio" front end, a free tool for creating web-based management for virtual appliances. The web-based management UI is perhaps more user-friendly and offers more functions than the newer VCSA "console".

Screen Shot 2018-02-15 at 13.47.33.png

Below is a list of the common administration tasks that can be carried out:

  • Shutdown/Reboot
  • Reset root password
  • Configure Management Network
  • Restart Management Network
  • Enable SSH shell (for remote console access using SSH clients like PuTTY, and for the High Availability feature)
  • Enable BASH shell (for local command-line use on the console via Alt+F1)
  • Set Timezone
  • Perform Updates and Schedule Updates
  • Control "root" password expiry
  • Syslog Configuration
  • Monitor CPU, Memory, Database and Network Activity

In addition, vSphere 6.0 introduced a new interactive console. The default interface, or "shell", is the "Appliance Shell", which only permits the appliance's own management commands. It is possible to turn on a BASH shell, which presents a more conventional Linux environment. This is done from the Appliance Management page, which listens on TCP port 5480. We recommend keeping away from this interactive shell and limiting appliance management to the graphical UI; leaving the BASH shell enabled widens the attack surface of the management plane, so switch it off again once a task that needs it is complete.

With Appliance Shell Enabled (Default)

Screen Shot 2018-02-16 at 12.11.53.png

With "BASH" Shell Enabled:

Screen Shot 2018-02-16 at 12.10.18.png

How to Shutdown and Reboot the VCSA

Some reconfiguration requires a reboot of the VCSA. As the VCSA is just another virtual machine it can be rebooted from the VMware ESXi host on which it is currently running. Alternatively the VCSA can be shut down or rebooted from the Summary tab of the Appliance Management interface. Before shutting down the VCSA for whatever reason, make a note of the VMware ESXi host it is running on, so that you can power it back on from there (vCenter itself will be unavailable).

Screen Shot 2018-02-15 at 18.05.42.png

Updating the vCSA

One of the most compelling reasons to use the VCSA is the ease with which it can be updated and patched from one release to another. This compares favourably with running setup .exe packages to update the Windows vCenter. The VCSA allows manual updating, as well as controls over how frequently to check for updates and whether to apply them. The VCSA supports checking online for updates (referred to as Check URL) or using an .ISO image downloaded separately and attached to the VCSA as a CD-ROM (referred to as Check CD-ROM). The second method is intended for customers who prefer the vCenter to have no outbound internet access. Such customers most likely work in high-security environments where an air gap is maintained between the management network and the internet.

Manual Update:

1. Select the Updates tab

2. Click the Check Updates button and select Check Repository. After a short while the appliance will indicate whether a new version is available. In this case the system has discovered that no updates are required. The screengrabs below show the previous release, vSphere 6.0 U1, and how updates are available from vCenter build 3018521 to build 3343022. This second build is vCenter 6.0.0.10200, whereas the current build is 6.0.0.10000.

Screen Shot 2018-02-15 at 18.07.14.png

3. Click the Install Updates button and select Install All Updates to apply the new version. Before doing so, take a backup of the appliance (or a snapshot while it is powered off) so that a failed update can be rolled back. Installing should produce a EULA pop-up together with the option to install the updates. The process will take some time, but once it has completed you will be instructed to reboot the VCSA to allow the updates to take effect.

Screen Shot 2016-02-23 at 16.58.11.png

4. Reboot the appliance from the Summary tab using the Reboot button.

Once the update has completed no new updates will be available (until such time as they are released), and you should see that the build number has incremented.

Screen Shot 2016-02-24 at 14.04.51.png

Configuring Auto Updates:

By default the VCSA does not carry out automatic updates. It is possible to configure it to check automatically for updates (but not apply them), or to check for, download and apply them automatically. Once automatic updates are enabled you can configure the frequency of the check, and it is also possible to pull updates not from vmware.com but from an offline CD-ROM bundle. Enable auto updates by clicking the Settings button under the Update tab.

Screen Shot 2018-02-15 at 18.10.42.png

Disabling Password Expiry

By default passwords in the SSO domain expire after 90 days, and the appliance's own root account has a separate password expiry. Some administrators working primarily in lab environments prefer not to have these policies engaged; in production they should be left in place. The root account's expiry can be modified using the Appliance Management interface:

Screen Shot 2018-02-16 at 12.44.43.png

Setting the maximum lifetime in the SSO password policy (Administration >> Single Sign-On >> Configuration >> Policies in the Web Client) to 0 days turns off the expiration timer:

Screen Shot 2018-02-16 at 12.48.06.png

Post-Configuration of vCenter Install (Web Client)

Using the vSphere Web Client

The Legacy C# vSphere Client:

This client has been discontinued, and is no longer downloadable from the web pages of a VMware ESXi host or vCenter Server. It is still distributed as a stand-alone download in the vSphere 6.5 U1 bundle. In my tests I found it still opened directly against a VMware ESXi host; however, I found it will not work against the vCenter Server. Its days are numbered...

Screen Shot 2018-02-13 at 16.00.42.png

The VMware ESXi Web-Client:

VMware ESXi hosts now have their own web service, which is the preferred method for managing a host in the absence of VMware vCenter:

Screen Shot 2018-02-13 at 15.42.53.png

The vSphere Web Client (Flash):

Screen Shot 2016-01-19 at 11.51.02.png

The vSphere Web Client (HTML5):

VMware has been working on an HTML5 client for some time, and a version shipped with vSphere 6.5. It is close to offering all the functionality of the older clients, and is probably one major release away from being the preferred client to use:

Screen Shot 2018-02-13 at 15.49.10.png

For the Flash-based Web Client to work the web browser will need Adobe Flash installed and enabled. Whilst a wide range of web browsers work with the vSphere Web Client, many users in the community prefer Mozilla Firefox or Google Chrome, as these appear to handle the untrusted certificates generated by the installer more easily than some other browsers. Nowadays Flash is already installed in many browsers, but they increasingly default to blocking it unless you enable it specifically for a website that still requires it. So the warning message can be somewhat misleading: the software is present, but currently blocked.

Screen Shot 2016-01-19 at 12.13.13.png

Note: Here it looks as if Chrome does not have the Flash Player installed, but it does.

Screen Shot 2018-02-14 at 08.50.04.png

Note: Such browsers will notify you of the block, but may require the URL of the vCenter Web Client to be added to an exception list to function. For instance, in Chrome: Settings, Advanced, Content Settings, Flash can be used to add the URL of the vCenter Server to the allow list. Confine the exception to the vCenter URL rather than enabling Flash globally; Chrome's settings allow Flash to be permitted only on trusted websites.

If you want to run the Flash-based Web Client from Windows Server 2012 R2 and later, you will need to add the "Desktop Experience" feature under "User Interfaces and Infrastructure". This is not a recommended configuration for a server, but it can be configured if required, say in a Microsoft Remote Desktop scenario.

Screen Shot 2018-02-13 at 18.12.58.png

Integrate with Microsoft Active Directory Domains

Joining vCSA to Active Directory Domain

1. Login to the vSphere Web Client as administrator@vsphere.local

2. Navigate to Home >> Deployment >> System Configuration

3. Under System Configuration, click Nodes

4. Under Nodes, select the vCSA and click the Manage tab

5. Under Advanced, select Active Directory and click Join. Use an account that has rights to join computers to the domain; a reboot of the appliance is required for the join to take effect.

Screen Shot 2018-02-16 at 09.44.28.png

Delegating Responsibility using Active Directory Groups

With a clean installation vCenter uses its own internal directory service, called Single Sign-On (SSO), as the primary authentication domain. The default username is administrator@vsphere.local. It is possible to add the Active Directory domain to SSO as an identity source, and then use user accounts and groups from it to log on to the Web Client.

Note: If you are using the vCenter Server Appliance, it must first be joined to the domain (as above) for Integrated Windows Authentication to work.

1. Login to the vSphere Web Client as administrator@vsphere.local

2. From the home location, navigate to >> Administration >> Single Sign-On >> Configuration and select the Identity Sources tab

Screen Shot 2018-02-16 at 10.11.26.png

Note: Click the green + to add an identity source.

3. Select the radio button "Active Directory (Integrated Windows Authentication)".

Screen Shot 2018-02-13 at 16.37.30.png

Note: This type of identity source enables pass-through of your logged-on Windows domain credentials to the Web Client.

Note: In a simple installation of vCenter, SSO should pick up the single domain that vCenter is joined to.

4. After clicking OK, this should add the domain to the list

Screen Shot 2018-02-16 at 10.12.39.png

Next we can add accounts to vCenter to delegate responsibility. The best method is to create a group in Active Directory called, say, "vCenter Admins" and populate it with the user accounts of the administration team; granting rights to a group rather than to individual users keeps the permissions auditable as staff change.

5. Navigate to Home >>> Global Inventory Lists >>>vCenter Servers and select your vCenter Server

6. Select the Permissions tab

Screen Shot 2018-02-16 at 10.15.29.png

Note: Click the green + to add a permission.

7. Click Add; in the subsequent dialog box select the domain, and from the second pull-down list choose "Show Groups First". Select the group you created and click Add

Screen Shot 2018-02-13 at 16.53.09.png

8. Finally, assign the "Administrator" role and click OK

Screen Shot 2013-11-01 at 09.36.03.png

Once enabled, you should be able to log in with your Microsoft Active Directory domain credentials, based on membership of the appropriate groups. Test the AD login in a separate browser session before logging out of administrator@vsphere.local, so that a mistake in the permission does not lock you out.
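The permission assignment above (steps 5 to 8) can be scripted with PowerCLI, which also makes it easy to review who holds the Administrator role afterwards. This is an added example, not code from the original page or from VMware; it assumes Connect-VIServer has already been run against the vCenter and that the AD identity source has been added as described, and the principal CORP\vCenter Admins is a placeholder for your own domain and group.

```powershell
# Grant an AD group the Administrator role at the top of the inventory, then audit
# every Administrator-role assignment. Assumes Connect-VIServer has already been run.
$domainGroup = 'CORP\vCenter Admins'      # placeholder: DOMAIN\group as shown in the identity source

# The root folder is the top of the inventory; a propagating permission here applies to every object.
$rootFolder = Get-Folder -NoRecursion
$adminRole  = Get-VIRole -Name 'Administrator'

# Only grant if the principal does not already hold a permission on the root, so re-runs are safe.
$existing = Get-VIPermission -Entity $rootFolder | Where-Object { $_.Principal -eq $domainGroup }
if (-not $existing) {
    New-VIPermission -Entity $rootFolder -Principal $domainGroup -Role $adminRole -Propagate:$true | Out-Null
    Write-Host "Granted $($adminRole.Name) on '$($rootFolder.Name)' to $domainGroup"
}

# Least-privilege review: list every Administrator assignment in the inventory so that
# stray per-user grants (IsGroup = False) can be spotted and removed in favour of group membership.
Get-VIPermission |
    Where-Object { $_.Role -eq 'Administrator' } |
    Select-Object Principal, IsGroup, Propagate, @{ n = 'Entity'; e = { $_.Entity.Name } } |
    Sort-Object Principal |
    Format-Table -AutoSize
```

The review step is worth running periodically even if you never script the grant itself: per-user Administrator permissions added in a hurry tend to outlive the people they were created for.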

Enabling AD User/Groups to Manage VMware SSO

Even if you give a Microsoft AD user or group complete rights to vCenter from the top-level container, this does not necessarily give them rights to manage SSO itself; that is handled by a different set of permissions. Typically SysAdmins delegate this to prevent situations such as losing, forgetting or getting locked out of the VMware SSO administrator account, which would then prevent further administration. VMware SSO has its own system of password policies and lockouts.

1. Login to the vSphere Web Client as administrator@vsphere.local

2. From the home location, navigate to >> Administration >> Single Sign-On >> Users & Groups

3. Select the Groups Tab and Select the Administrators group

4. Click the Add Member icon, which resembles the figure of a person with a small green +

Screen Shot 2016-01-19 at 15.17.11.png

5. From the Domain and Users and Groups pull-down lists, select your Microsoft Active Directory domain and "Show Groups First"

6. Locate your delegated user/group from the list, and click the Add button

Screen Shot 2018-02-14 at 08.58.12.png

Creating vCenter Datacenters (Web Client)

A "Datacenter" in vCenter is a logical construct that could be compared to an object like a "domain" in Active Directory. It acts as an administrative boundary, generally separating one site from another, so it is not uncommon for datacenters to be named after locations like "New York" and "New Jersey". Whether one vCenter instance will be sufficient for an organisation with many sites depends largely on factors outside VMware's control. These include the quality of the network links from one site to another, as well as the internal politics of a given organisation. It may always have been the case that the West Coast of the USA is managed independently of the East Coast, reflecting the timezone difference between the regions. Similarly, in a European context each country within the EU may be administered separately because of language differences, and the fact that, despite the existence of European law, systems of data protection, compliance and audit still differ from one member state to another.

Screen Shot 2018-02-13 at 18.34.34.png

Note: Screen grab from the vSphere 6.5 Configuration Maximum guide.

One datacenter can contain many clusters, and clusters can contain many VMware ESXi hosts. This means vCenter scales quite well for large datacenters packed with a large number of servers to maximise economies of scale. Nonetheless vCenter, like VMware ESXi, has its own configuration maximums, which might force an organisation to adopt multiple vCenters because it is rubbing up against those maximums. It is salutary to remember that increasingly these maximums are only of theoretical interest: the numbers are now so large that most customers will run out of physical resource on the hosts before they hit them.

Creating a datacenter

1. Select the Home button

Screen Shot 2016-01-19 at 15.32.59.png

2. In the Inventory List, select Hosts and Clusters

3. Click the New Datacenter icon

4. In the New Datacenter dialog box, type in a friendly name for the datacenter - in this case "New York"

Screen Shot 2016-01-19 at 15.38.14.png

Note: You must select a vCenter Server or folder (if one exists) to create the datacenter.

Adding VMware ESX hosts

Once a datacenter object is created in vCenter you can start to add VMware ESXi hosts. This then allows further post-configuration tasks such as managing the network and storage layers, ready for creating VMs. Adding a VMware ESXi host is a relatively simple affair, but not a terrifically exciting task, so you may wish to automate the process with a PowerCLI script if you are dealing with a rollout of a large number of servers.

1. In the Datacenter view, select the datacenter

2. Click the Actions button, and from the menu select Add Host

Screen Shot 2018-02-14 at 09.14.07.png

3. In the Add Host wizard, type the FQDN of the ESXi host

Screen Shot 2018-02-14 at 09.15.19.png

Note: VMware customers can download and set up the "vCenter Host Gateway". This allows vCenter to manage other third-party hypervisors; currently this is limited to Microsoft Hyper-V. VMware has announced that this feature is to be deprecated due to lack of production use. See: https://kb.vmware.com/s/article/2150007

4. Type in the root account and password

Screen Shot 2013-11-02 at 03.12.42.png

Note: You should be prompted by a warning that the ESXi host certificate is untrusted (as it was auto-generated during installation), together with its SHA1 thumbprint. Check this thumbprint against the one shown in the host's DCUI before accepting it; otherwise the root credentials are being sent to whatever answered on that address.

Screen Shot 2013-11-02 at 03.16.46.png

Once the certificate is accepted the host information page should refresh with a table showing the FQDN, the vendor and model of the server, and the ESXi version and build number. If the host has virtual machines present these will be listed as well.

5. Assign a license to the host if licenses have been entered; alternatively, continue to use the evaluation period.

Screen Shot 2016-02-02 at 12.25.18.png

6. Enable Lockdown Mode [OPTIONAL]

Screen Shot 2016-02-02 at 12.30.57.png

This is an optional configuration. Lockdown mode does improve security, but at the expense of ease of management: it forces host access through vCenter rather than direct logins to the host. Consult the policies of your organisation, if any. vSphere 6.0 introduced a new "strict" mode in which the DCUI service is stopped, so even the root account cannot use the DCUI to disable lockdown mode. This is intended for hyper-secure locations where no potential "back doors" or loopholes are permitted, most likely where the organisation is following VMware's Hardening Guide for vSphere. Before enabling strict mode, add an emergency account with administrator privileges to the host's Exception Users list: if a host in strict lockdown loses connectivity to vCenter and no such exception user exists, the only way back in is to reinstall ESXi.

7. Select a VM location. This may be blank on a clean system, but on an existing system with a virtual machine folder hierarchy, and a host with pre-existing VMs on it, this option controls where those VMs are placed in the vCenter inventory

Screen Shot 2018-02-14 at 09.29.59.png

8. Click Next and Finish to add the host.
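Both the installer (step 8 of the install, above) and the Add Host wizard ask you to accept a self-signed certificate by its SHA1 thumbprint. Scripting the host rollout with PowerCLI, as suggested at the start of this section, makes it tempting to pass -Force and accept whatever is presented; the added example below instead reads the thumbprint the host presents on TCP/443 and adds the host only if it matches a value recorded beforehand from the host's DCUI. This is not code from the original page or from VMware; the vCenter FQDN vcnyc.corp.com, the host names and the thumbprints are placeholders.

```powershell
# Read the SHA1 thumbprint a host actually presents on TCP/443 and format it the way the
# DCUI and the Add Host wizard display it (colon-separated hex pairs).
function Get-EsxiCertThumbprint {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # This callback accepts any certificate: we are only reading it here, not trusting it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        # X509Certificate2.Thumbprint is the SHA1 of the DER certificate, uppercase, no separators.
        return ($cert.Thumbprint -replace '(..)(?!$)', '$1:')
    }
    finally { $tcp.Close() }
}

# Add a host only after its live thumbprint matches the one recorded out of band from the DCUI.
function Add-VerifiedVMHost {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ExpectedThumbprint,
        [Parameter(Mandatory)]$Location,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $actual = Get-EsxiCertThumbprint -HostName $Name
    if ($actual -ne $ExpectedThumbprint.ToUpper()) {
        throw "Thumbprint mismatch for $Name : expected $ExpectedThumbprint, got $actual. Host NOT added."
    }
    # -Force tells PowerCLI to accept the self-signed certificate, which we have now verified ourselves.
    Add-VMHost -Name $Name -Location $Location -Credential $Credential -Force
}

# Usage. The vCenter FQDN, host names and thumbprints are placeholders; the thumbprints are
# assumed to have been copied from each host's DCUI (View Support Information) during build.
Connect-VIServer -Server 'vcnyc.corp.com'
$dc   = Get-Datacenter -Name 'New York'
$cred = Get-Credential -Message 'ESXi root credentials'
$hosts = @{
    'esx01nyc.corp.com' = '00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'
    'esx02nyc.corp.com' = '11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44'
}
foreach ($h in $hosts.GetEnumerator()) {
    Add-VerifiedVMHost -Name $h.Key -ExpectedThumbprint $h.Value -Location $dc -Credential $cred
}
```

A mismatch does not necessarily mean an attacker: a host rebuilt since the thumbprint was recorded, or one that has since been given a CA-signed certificate, will also fail the check. Either way the script stops before sending root credentials, and the discrepancy is investigated rather than clicked through.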

Creating vCenter Folder Structure

vCenter supports the creation of folder structures for virtual machines and templates, as well as for datastores. Like a folder structure on a hard disk or an OU structure in Active Directory, the intention is to create a layout that allows the administration team to collect and sort objects so that they are easy to find. Additionally, these folders can carry permissions, limiting the view of a user or group to a subset of objects. The folder structure is entirely free-form, and it is up to your organisation how to lay it out. It is useful to create these folders up front so that VMs are sorted and categorised from day one; however, it is entirely possible to create and modify folder structures after the fact, and to move VMs from one folder to another at will. It is worth mentioning that some technologies from VMware (and others), such as Horizon View and vCloud Director, automatically create folders for you as they create new objects in the vCenter inventory.

Typically, the top-level folders might reflect departmental subgroups:

  • Templates
  • Sales
  • Accounts
  • Distribution

or they may reflect the servers' operational role:

  • Templates
  • Web Servers
  • Databases
  • Mail

alternatively they may reflect the relationship between the VMs:

  • Templates
  • CRM Application
  • Horizon EUC
  • Sharepoint

In a more "cloud"-like environment each top-level folder may reflect a different "tenant" within the system. For example, imagine "Corp, Inc" has four distinct subsidiaries: the Corporate Headquarters (CorpHQ); Corp Overseas Investment Group, Inc (COIG); iStocks Inc (a stocks and shares day-trading company); and Quark AlgoTrading, Inc (a company that trades on the international exchanges using the latest algorithms for the short-selling of stocks). Using this folder structure keeps the tenants separate from each other, and allows permissions to reflect the rights needed to manage each of them.

Each subsidiary might be a top-level folder:

  • Templates
  • Infrastructure
  • CorpHQ
  • COIG
  • Quark
  • iStocks

Screen Shot 2016-02-02 at 12.50.37.png

Creating these folders is as easy as creating a folder on a hard-drive.

1. Select VMs & Templates within the Web Client

2. Select the appropriate datacenter

3. Click the Actions button

4. From the menu select New Folder, then New VM and Template Folder

Screen Shot 2016-02-02 at 12.42.36.png

5. Type in a friendly label for your folder name

Screen Shot 2013-11-04 at 12.08.18.png

Note: You may notice a folder called "Discovered virtual machines". This is created by default when new hosts are added to vCenter, and is used to hold VMs found to be pre-existing on the VMware ESXi host. It is also where VMs land if an administrator bypasses vCenter and creates a VM directly on the host, so a VM appearing there unexpectedly is worth investigating. Once you have a VM folder created, selecting it lets you create subfolders.

Finally, it is possible to create folders in the Hosts & Clusters, Networking and Storage views. Depending on the size, scale and complexity of your environment you may or may not find these useful.

Licensing vCenter and ESX Hosts

Most VMware products are licensed by a text string. For vCenter-integrated technologies these licenses are stored and entered in the licensing section of vCenter Server. Other technologies store these strings within their own management front end; for example VMware Horizon View, the company's "virtual desktop" solution, stores the license string inside its dedicated management portal. Without a valid license key most VMware technologies expire at the end of their 60-day evaluation, at which point assets like VMware ESXi hosts become disconnected and unmanageable.

Currently two license policies dominate: licensing by the number of physical CPU sockets (as with vSphere) or by the number of VMs (as with VMware Site Recovery Manager). Within the vSphere product, different SKUs exist for SMB and Enterprise customers, each progressively offering more features and functionality. Somewhat confusingly, the "vCloud Suite Enterprise" edition contains the "Enterprise Plus" version of vSphere. The terminology is a little skewed by the inherited history of previous editions, flavours and licensing models.

vCenter is licensed by the number of instances of vCenter that you have running in your environment.

Pricing and packaging of VMware technologies is an endlessly evolving process; we recommend you consult VMware's online documentation for up-to-the-minute data. vSphere Enterprise Plus (the most functional version of vSphere) is available as part of the vCloud Suite, which offers not just vSphere but the other components required to build a "cloud" or "Software-Defined Datacenter".

This link offers a high level view of vCloud Suite licensing for version 6.0:

http://www.vmware.com/uk/products/vcloud-suite/compare together with a licensing whitepaper.

Adding Licenses to vCenter:

1. Navigate to >> Administration >> Licensing >> Licenses

2. Click the green + symbol to add a license

Screen Shot 2016-02-16 at 14.52.08.png

3. Type your license key into the edit box.

4. The key should then be validated, and report the product type, capacity and expiration date (if applicable). License names can be set to anything you like; in this case we set the license name to match the product name. Usually this defaults to text such as "License1".

Screen Shot 2016-02-16 at 14.55.45.png

Note: In this case the vCenter license allows two instances of vCenter to run. This will allow us, in our documentation, to have two licensed vCenters in "Linked Mode" for the New York and New Jersey sites. Here the license expires on 10 February 2017, because the key is an extended evaluation purchased as part of the VMUG "Advantage" subscription. This includes access to the EvalExperience programme, which provides VMware's core software for a 12-month period at minimal cost. VMUG Advantage includes many benefits and is well worth the investment and further investigation:

VMUG Advantage

Licenses for VMware ESXi or the vCloud Suite can be added in a similar way. VMware ESXi is licensed per populated CPU socket, so three servers with two sockets each require six CPU-socket licenses to be licensed correctly.

Screen Shot 2016-02-16 at 15.02.10.png

5. Next we can assign these license keys to the appropriate assets. In this case these are VMware ESX host licenses. Select the Assets tab and then select the Host column.

6. Select all the VMware ESX hosts, and click the Assign License Key button.

Screen Shot 2016-02-16 at 15.07.38.png

Notice here you can see the hosts are still in "evaluation" mode and when that evaluation will expire. Additionally, you can see each host is using 2 CPUs, and with there being 3 of them we will need 6 CPUs worth of licensing.

7. In the subsequent dialog box, select the license key to be assigned

Screen Shot 2016-02-16 at 15.10.27.png

Note: This same workflow can be used to enter the vCenter license and assign it to the vCenter. Once the licenses have been entered and assigned, the licensing node shows a very simple view of which licenses have been used, and how much capacity remains free. In this case all of the license allocation has been assigned in the inventory.

Screen Shot 2016-02-16 at 15.16.08.png

Enabling Network Time Protocol (NTP) Settings

In most cases, virtual machines acquire their system time from the VMware ESXi host. In this case the "VMware Tools" service synchronises time with the underlying physical host. For this reason it's imperative that the VMware ESXi host has the correct time. Additionally, other system processes such as logging will display skewed time information if the system date/time is inaccurate, further complicating the troubleshooting process. Typically, VMware ESXi hosts are configured to use an external time source running the NTP protocol. This can be local to the organization's network, or alternatively use the network of public NTP servers available on the Internet.

1. In the vSphere Web Client navigate to: >>Hosts & Clusters >>Select vCenter >>Select Datacenter >> Select ESX host

2. Select the Configure tab

3. Scroll down to locate >> System and select Time Configuration

Screen Shot 2018-02-14 at 09.59.30.png

4. Click the Edit button to modify the configuration

5. In Edit Time Configuration dialog box, select the radio button Use Network Time Protocol

6. Change the Start-up Policy to be Start and Stop with host

7. In the NTP Server field type the IP address or name of the NTP servers you wish to use. Multiple NTP servers can be specified for resiliency, each separated with a comma.

Screen Shot 2013-11-11 at 13.21.12.png

8. Click OK to confirm the configuration.

9. Finally, click the Edit button again - and click the button to Start the NTP Service.

Screen Shot 2016-02-02 at 15.11.47.png

Adding ESX host to Microsoft Active Directory Domain

By default a VMware ESXi host has a local database of user accounts in which the 'root' account is held. VMware ESXi supports creating a group in Active Directory called "ESX Admins" and populating it with either users or groups - once the VMware ESXi host is added to the domain it looks for this group and grants its members access. An Advanced Setting on the VMware ESXi host called "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" determines the name of the group used.

Screen Shot 2018-02-14 at 16.29.40.png

It is possible to reconfigure the ESXi host to be joined to the Microsoft Active Directory domain, and source users and groups from this LDAP source, rather than using local groups. This means access to the local host can be centrally controlled, without a need to disclose the "root" account on the ESXi host itself. There are two main ways to achieve this configuration - the first uses either the new ESXi Web-Client or PowerCLI to join the ESXi host to the domain. This requires credentials in Active Directory sufficient to complete the process. Alternatively, the vSphere Authentication Proxy can achieve the same result without the need for domain credentials.

Join VMware ESXi host to Domain:

1. Open the vSphere Web-Client on the ESX host, and logon using the "root" account username and password configured during installation

Screen Shot 2018-02-14 at 16.04.51.png

2. Select Manage, the Security & Users tab, and Authentication Services

Screen Shot 2018-02-14 at 16.07.21.png

3. Click the Join Domain button

4. Type in the name of the domain and domain administrator credentials, and press Join Domain

Screen Shot 2018-02-14 at 16.09.13.png

Access the vSphere Web-Client and SSH with an Active Directory Username:

Screen Shot 2018-02-14 at 17.04.50.png

Anyone who is a member of the group added should be able to log into the vSphere Client on the ESX host. This includes other protocols and utilities such as SSH/PuTTY (assuming they have been enabled) so long as the user supplies their credentials in either the useraccount@domain.local or NTDOMAIN\username format.

Screen Shot 2013-11-11 at 15.13.53.png

Post-Configuration of vCenter Install (PowerCLI)

This section essentially repeats the same configuration as carried out in the web-client, but instead uses VMware's PowerCLI extensions to Microsoft's PowerShell. It does include "bulk administration" methods which can substantially reduce the time it takes to complete repetitive tasks. If you wish to carry on to the next part of the wiki on vCenter, then you can bypass this section and look at how vCenter is installed and configured in the context of multiple vCenters and Linked Mode:

A Simple Install of vCenter - Linked Mode

Alternatively, if you are working in a single vCenter environment you may wish to move to look at installing VMware's patch management solution called "Update Manager" or consider installing some of the more ancillary services associated with vCenter.

Creating vCenter Datacenters

Screen Shot 2013-10-21 at 14.01.16.png - Creating Datacenter Example:

New-Datacenter -Location (Get-Folder -NoRecursion) -Name "New York"

Adding VMware ESX hosts

Adding ESX hosts using PowerCLI can be done in a number of ways: individually, by specifying each ESX host, or in bulk. One bulk method is to use a .CSV file to hold the names of the ESX hosts you wish to add; another uses a foreach loop to add ESX hosts from 01-08. This method assumes you have a naming convention that includes a number to differentiate one host from another such as esx01nyc, esx02nyc, esx03nyc and so on. The add-vmhost cmdlet does not support enabling the lockdown feature - if required it has to be configured as a separate PowerCLI step.

Screen Shot 2013-10-21 at 14.01.16.png - Simple Add and Lockdown Example

add-vmhost esx01nyc.corp.com -location "New York" -user root -password Password1 -force:$true
(get-vmhost esx01nyc.corp.com| get-view).EnterLockdownMode()

Screen Shot 2013-10-21 at 14.01.16.png - Bulk Add by using a unique number

In this script ESX hosts are added by their unique number. The script loops round from 1 to 9 times using a "range" in PowerShell, adding esx01nyc, esx02nyc and so on. The "{0:00}" format string handles a naming convention that contains a leading zero in the series, such as 01, 02, 03, 04, 05, 06, 07, 08, 09, 10 and so on.

Acknowledgement: This script was written with assistance from Alan Renouf. Alan's personal blog is available at http://virtu-al.net and he tweets as @AlanRenouf.

1..16 | Foreach {
    # Format the loop counter with a leading zero (1 -> "01") to match the naming convention
    $Num = "{0:00}" -f $_
    add-vmhost "esx${Num}nyc.corp.com" -location "New York" -user root -password Password1 -force
}

Screen Shot 2013-10-21 at 14.01.16.png - Bulk Add of ESX hosts by CSV File Example

Create a CSV file called vmhosts.csv formatted like so. CSV files can be populated with any number of variables that can in turn be called by your PowerCLI scripts. PowerCLI scripts are merely text files saved with the .PS1 extension, and executed from the PowerCLI prompt with a ./addhost.ps1 command.

Screen Shot 2013-11-04 at 10.29.18.png

Then create an addhosts.ps1 script file with a text editor:

Import-CSV c:\vmhosts.csv | ForEach-Object {
    # Each row of the CSV is an object; the "vmhost" column holds the host name
    $hostname = $_.vmhost
    add-vmhost $hostname -location "New York" -user root -password Password1 -force
}

Below are the results of the script using the CSV method to bulk add many ESX hosts:

Screen Shot 2013-11-04 at 11.01.48.png
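The two bulk methods above both embed the root password in the script, so it ends up in the .PS1 file and in the PowerShell history. The following is an added example (not from the original page or the scripts acknowledged above) that drives the same CSV approach but prompts once for the credential, records whether each add succeeded, puts the host into lockdown mode as the page describes, and captures the SSL thumbprint that -Force accepted so the value can be audited later. The CSV content is constructed inline, and the host names, the "location" column and the datacenter names are assumptions.

```powershell
# Added example: CSV-driven bulk add without a cleartext password, with
# lockdown mode and thumbprint capture per host. Not the page's own script.

# Constructed sample inventory; in practice replace with: Import-Csv C:\vmhosts.csv
$inventory = @"
vmhost,location
esx01nyc.corp.com,New York
esx02nyc.corp.com,New York
esx01nj.corp.com,New Jersey
"@ | ConvertFrom-Csv

# One interactive prompt for the shared root credential; nothing is written to disk
$rootCred = Get-Credential -UserName 'root' -Message 'ESXi root credential'

$results = foreach ($row in $inventory) {
    $status     = 'Added'
    $thumbprint = $null
    try {
        # -Force accepts the host's self-signed certificate; the thumbprint is
        # read back afterwards so the accepted value is at least auditable.
        $vmhost = Add-VMHost -Name $row.vmhost `
                             -Location (Get-Datacenter -Name $row.location) `
                             -Credential $rootCred -Force -ErrorAction Stop

        $view = $vmhost | Get-View
        # Lockdown mode: the host then only accepts management through vCenter
        # (Add-VMHost itself cannot enable it, as noted above).
        $view.EnterLockdownMode()
        $thumbprint = $view.Summary.Config.SslThumbprint
    } catch {
        $status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Host       = $row.vmhost
        Location   = $row.location
        Status     = $status
        Thumbprint = $thumbprint
    }
}

$results | Format-Table -AutoSize
```

Run it from a PowerCLI session already connected with Connect-VIServer. Hosts that fail to add are reported rather than aborting the whole loop, which matters when a single typo in the CSV would otherwise leave the run half complete.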

Creating vCenter Folder Structure

Creating folders for VMs and Templates can be carried out using the New-Folder cmdlet. The default location, if no location is specified, is the "Hosts & Clusters" view in vCenter. Using a combination of the Get-Datacenter and Get-Folder cmdlets we can force the folder to be created in any view that supports the creation of folders. For example the following script creates this folder structure in the "VM & Templates" view.

It uses the variable $toplevel to find the top-most location in the inventory in a datacenter called "New York", and then re-uses that variable to create the top level folder structure:

Screen Shot 2013-11-04 at 12.33.43.png

Screen Shot 2013-10-21 at 14.01.16.png - Simple VM Folder Creation Example

# The hidden "vm" folder is the root of the "VMs & Templates" view for the datacenter
$toplevel = (Get-Datacenter "New York" | Get-Folder -name vm)
New-Folder -name "CorpHQ" $toplevel
New-Folder -name "COIG" $toplevel
New-Folder -name "iStocks" $toplevel
New-Folder -name "Quark" $toplevel
Remove-Folder -Folder "Discovered Virtual Machine" -Confirm:$False

Note: Remove-Folder supports a -DeletePermanently switch which can be dangerous: the Remove-Folder cmdlet can also delete and destroy the VMs contained within the folder. Use with caution.

Licensing vCenter and ESX Hosts

Screen Shot 2013-10-21 at 14.01.16.png - Adding Licenses to vCenter

# Obtain the LicenseManager from the ServiceInstance and add a key to the inventory
$si = Get-View ServiceInstance
$LicManRef=$si.Content.LicenseManager
$LicManView=Get-View $LicManRef
$license = New-Object VMware.Vim.LicenseManagerLicenseInfo
$license.LicenseKey = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"   # replace with your real key
$license.EditionKey="esxEnterprisePlus"
$LicManView.AddLicense($license.LicenseKey,$null)

The result of this script outputs like so:

Screen Shot 2013-11-04 at 15.23.01.png


Screen Shot 2013-10-21 at 14.01.16.png - Assigning Licenses to ESX hosts

# Look the LicenseManager up once, then assign the key to every host in the inventory
$si = Get-View ServiceInstance
$LicManRef=$si.Content.LicenseManager
$LicManView=Get-View $LicManRef
$licassman = Get-View $LicManView.LicenseAssignmentManager
Foreach ($vmhost in (get-vmhost))
{
    $targethostMoRef = ($vmhost | get-view).MoRef
    # Arguments: entity id, license key, display name shown in the Licensing view
    $licassman.UpdateAssignedLicense($targethostMoRef.value,"XXXXX-XXXXX-XXXXX-XXXXX-XXXXX","VMware vCloud Suite Enterprise")
}

The result of this script outputs like so:

Screen Shot 2013-11-04 at 15.23.01.png

Screen Shot 2013-10-21 at 14.01.16.png - Retrieving License Data

Acknowledgement: This script to retrieve licensing data originally appeared on the official VMware PowerCLI blog (http://blogs.vmware.com/vipowershell/2012/05/retrieving-license-keys-from-multiple-vcenters.html) and was written by Alan Renouf. Alan's personal blog is available at http://virtu-al.net and he tweets as @AlanRenouf.

# Get the license info from each VC in turn 
$vSphereLicInfo = @() 
$ServiceInstance = Get-View ServiceInstance 
Foreach ($LicenseMan in Get-View ($ServiceInstance | Select -First 1).Content.LicenseManager) { 
    Foreach ($License in ($LicenseMan | Select -ExpandProperty Licenses)) { 
        $Details = "" |Select VC, Name, Key, Total, Used, ExpirationDate , Information 
        $Details.VC = ([Uri]$LicenseMan.Client.ServiceUrl).Host 
        $Details.Name= $License.Name 
        $Details.Key= $License.LicenseKey 
        $Details.Total= $License.Total 
        $Details.Used= $License.Used 
        $Details.Information= $License.Labels | Select -expand Value 
        $Details.ExpirationDate = $License.Properties | Where { $_.key -eq "expirationDate" } | Select -ExpandProperty Value 
        $vSphereLicInfo += $Details 
    } 
} 
$vSphereLicInfo | Format-Table -AutoSize
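The script above lists every license; what an operator usually wants to know is which of them are about to cause trouble. The following is an added example (not from the original page or the PowerCLI blog) that walks the same LicenseManager.Licenses collection and only reports licenses that are still the built-in evaluation key, have no capacity left, or expire within a threshold. The 30 day threshold is an assumed value; the evaluation key string 00000-00000-00000-00000-00000 is the key vSphere uses for its evaluation license.

```powershell
# Added example: flag evaluation, exhausted and soon-to-expire licenses.
# Assumes an existing Connect-VIServer session; $warnDays is an assumed threshold.
$warnDays = 30
$today    = Get-Date

$licenseMan = Get-View (Get-View ServiceInstance).Content.LicenseManager

$findings = foreach ($lic in $licenseMan.Licenses) {
    # expirationDate is carried as a key/value pair in Properties, as in the script above
    $expProp = $lic.Properties | Where-Object { $_.Key -eq 'expirationDate' }
    $expires = if ($expProp) { [datetime]$expProp.Value } else { $null }

    $issues = @()
    if ($lic.LicenseKey -eq '00000-00000-00000-00000-00000') { $issues += 'Evaluation key' }
    if ($lic.Total -gt 0 -and $lic.Used -ge $lic.Total)     { $issues += 'Capacity exhausted' }
    if ($expires) {
        $daysLeft = [int]($expires - $today).TotalDays
        if ($daysLeft -le $warnDays) { $issues += "Expires in $daysLeft days" }
    }

    # Only emit a row when there is something to act on
    if ($issues) {
        [pscustomobject]@{
            Name    = $lic.Name
            Key     = $lic.LicenseKey
            Used    = $lic.Used
            Total   = $lic.Total
            Expires = $expires
            Issues  = ($issues -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize
```

A perpetual license has no expirationDate property, so it only appears here if it is exhausted. Scheduling this against each vCenter gives early warning before hosts drop back to the restrictions of an expired evaluation.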

Enabling Network Time Protocol (NTP) Settings

Screen Shot 2013-10-21 at 14.01.16.png - Enabling NTP Service

The cmdlets Add-VmhostNtpServer and Get-VMHostService can be used to configure the NTP servers and the start-up policy, as well as to start the service.

Foreach ($vmhost in (get-vmhost))
{
    # Add the NTP servers, set ntpd to start and stop with the host, then start it now
    Add-VmHostNtpServer -NtpServer "0.north-america.pool.ntp.org","1.north-america.pool.ntp.org" -VMHost $vmHost | Out-Null
    Get-VMHostService -VMHost $vmHost | where{$_.Key -eq "ntpd"} | set-vmhostservice -policy "on" -Confirm:$false
    Get-VmHostService -VMHost $vmHost | Where-Object {$_.key -eq "ntpd"} | Start-VMHostService -Confirm:$false | Out-Null
}

Screen Shot 2013-10-21 at 14.01.16.png - Confirming NTP Service has started & configured correctly

Confirming the NTP service has started and viewing its configuration can be achieved with this PowerCLI "one-liner", found on Alan Renouf's website - http://www.virtu-al.net/2009/08/14/powercli-do-you-have-the-time/

Get-VMHost | Sort Name | Select Name, @{N="NTPServer";E={$_ | Get-VMHostNtpServer}}, @{N="ServiceRunning";E={(Get-VmHostService -VMHost $_ | Where-Object {$_.key -eq "ntpd"}).Running}}

Screen Shot 2013-11-11 at 13.43.04.png
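The one-liner shows whether ntpd is running, but a running daemon can still be pointed at an unreachable server and drifting. Because skewed host clocks corrupt log correlation (as the NTP section above explains) and break Kerberos-based Active Directory logons, the check worth running is the actual offset. This is an added example (not from the original page or Alan Renouf's site) that, for every host, reads the NTP servers, the ntpd policy and state, and queries the host clock through the HostDateTimeSystem managed object to compute the skew against the machine running PowerCLI. The 5 second tolerance is an assumed value; the comparison is only as good as the clock of the workstation running the script.

```powershell
# Added example: NTP configuration and clock-skew audit per host.
# Assumes a Connect-VIServer session; $maxSkewSeconds is an assumed tolerance.
$maxSkewSeconds = 5

$report = foreach ($vmhost in Get-VMHost | Sort-Object Name) {
    $ntpServers = @(Get-VMHostNtpServer -VMHost $vmhost)
    $ntpd       = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'ntpd' }

    # Ask the host for its own clock via the DateTimeSystem managed object
    $hostView = $vmhost | Get-View
    $dts      = Get-View $hostView.ConfigManager.DateTimeSystem
    $hostTime = $dts.QueryDateTime()
    $skew     = [math]::Abs(($hostTime.ToUniversalTime() - (Get-Date).ToUniversalTime()).TotalSeconds)

    [pscustomobject]@{
        Host       = $vmhost.Name
        NtpServers = ($ntpServers -join ',')
        Policy     = $ntpd.Policy
        Running    = $ntpd.Running
        SkewSec    = [math]::Round($skew, 1)
        # Compliant only when servers are set, ntpd starts with the host, is running, and the clock agrees
        Compliant  = ($ntpServers.Count -gt 0 -and $ntpd.Policy -eq 'on' -and $ntpd.Running -and $skew -le $maxSkewSeconds)
    }
}

$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Compliant }   # hosts to feed back into the configuration loop above
```

A host that shows ntpd running but a large skew typically has an NTP server name that does not resolve from the management network, which the one-liner alone would not reveal.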

Adding ESXi hosts to Microsoft Active Directory Domain

Screen Shot 2013-10-21 at 14.01.16.png - Adding ESXi Host to Active Directory & Assigning a Group Permissions

Foreach ($vmhost in (get-vmhost))
{
    # Join each host to the corp.com domain; the account supplied must be permitted to create computer objects
    Get-VMHostAuthentication -VMHost $vmhost | Set-VMHostAuthentication -Domain corp.com -User administrator -Password Password1 -JoinDomain -Confirm:$false
}
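Joining the hosts is half of the picture: the earlier section on adding an ESX host to Active Directory explains that whoever is in the group named by Config.HostAgent.plugins.hostsvc.esxAdminsGroup becomes an administrator of the host, so that setting deserves the same scrutiny as the domain membership itself. This is an added example (not from the original page) that audits both across all hosts and, for hosts that are joined but carry an unexpected group name, resets the advanced setting. The expected domain and the hardened group name 'vSphere-ESXi-Admins' are assumptions; the default group is "ESX Admins", as stated earlier on the page.

```powershell
# Added example: audit Active Directory membership and the esxAdminsGroup setting
# on every host. Assumes a Connect-VIServer session; expected values are assumptions.
$expectedDomain = 'corp.com'
$expectedGroup  = 'vSphere-ESXi-Admins'   # assumed; the default name is "ESX Admins"
$settingName    = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'

$audit = foreach ($vmhost in Get-VMHost | Sort-Object Name) {
    $auth = Get-VMHostAuthentication -VMHost $vmhost
    $grp  = Get-AdvancedSetting -Entity $vmhost -Name $settingName

    $joined = ($auth.DomainMembershipStatus -eq 'Ok')
    [pscustomobject]@{
        Host       = $vmhost.Name
        Domain     = $auth.Domain
        Joined     = $joined
        AdminGroup = $grp.Value
        # Compliant only when joined to the expected domain and using the expected group
        Compliant  = ($joined -and $auth.Domain -eq $expectedDomain -and $grp.Value -eq $expectedGroup)
    }
}

$audit | Format-Table -AutoSize

# Remediate only the group-name drift; a missing domain join still needs the
# credentialed Set-VMHostAuthentication loop shown above.
$audit | Where-Object { $_.Joined -and $_.AdminGroup -ne $expectedGroup } | ForEach-Object {
    Get-AdvancedSetting -Entity (Get-VMHost -Name $_.Host) -Name $settingName |
        Set-AdvancedSetting -Value $expectedGroup -Confirm:$false
}
```

Leaving the group at its default means anyone able to create a group called "ESX Admins" in the domain, or add members to it, gains root-equivalent access on every joined host; using a dedicated, tightly controlled group name narrows that to the people who administer it.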

Complex Multi-Site: Multiple vCenters and Enhanced Linked Mode Configuration

Note: Before you begin - make sure the FQDNs of your proposed PSC and vCenter are listed in DNS - and reserve your IP addresses accordingly.

WARNING: Please pay close, close attention to your FQDNs as during the process built-in certificates are created which if you subsequently correct/change hostname will be invalid.

Screen Shot 2018-02-16 at 14.15.02.png

In this scenario the customer requires multiple vCenters across many sites, and wishes to link them together for ease of administration and the sharing of licensing repositories. This ensures licenses can be assigned freely around the organisation and not be "locked" to a specific site location. This distributed model is not supported with the embedded deployment type, where the vCenter and PSC services reside in the same instance.

Recommendation: There are now 8 supported topologies for multiple vCenters and "Enhanced" Linked Mode - and 3 deprecated ones as well. That is far too many possible permutations for the vmWIKI to seriously consider documenting in full. We would recommend starting with https://kb.vmware.com/s/article/2147672 which gives a good round-up of all of them.

VMware's "Linked Mode" feature has a number of names - from Linked Mode to Enhanced Linked Mode, to now also being called "Hybrid Linked Mode". Most of the changes have come about as the company pivots away from vCenter's historical Microsoft Windows roots, to being purely a Linux based virtual appliance. However, in 2017 VMware announced a partnership with Amazon to extend vSphere functionality into Amazon datacenters and integration with its Amazon Web Services (AWS) environment. This development prompted VMware to modify linked-mode functionality to also include management of assets in Amazon's cloud. Hence "Hybrid" mode is now the favoured term. Hybrid mode in its full functionality is only available for those who have both vSphere on-premises and a vSphere subscription with Amazon.

Whatever its name, Linked Mode addresses a scenario where multiple vCenters persist for geographical or political reasons, and it has been decided to provide one login identity to both systems.

It's entirely possible that you may wish to install another vCenter at a different site or location. The installation of subsequent vCenters looks and feels different depending on the configuration you are building, because the installation of the PSC differs according to the topology chosen. We have chosen not to repeat the same configuration steps as shown previously. Instead we emphasise what is different about this setup. In this configuration we had a single PSC domain and a single Active Directory domain - but with two SSO sites, one called New York and the other called New Jersey.

In our case we have two different vCenters and PSCs in two different sites - however, they will be part of the same SSO domain and linked together. The KB article referenced at the beginning of this section outlines this accordingly - although for the moment there will be just one vCenter under each PSC.

RtaImage.png

Topology: 1 Single Sign-On domain, 1 Single Sign-On site, 2 or more external Platform Services Controllers

Limitations:

  • In the event of a Platform Services Controller failover the vCenter Servers will need to be manually repointed to the functioning Platform Services Controller.

  • vCenter Servers attached to a higher latency Platform Services Controller may experience performance issues.

New York: PSC - Establishing the SSO Domain

Note: Deploying the PSC comes in two stages - the 1st Stage being the primary deployment to a VMware ESXi Host, and the 2nd Stage being the post-configuration of the SSO component.

STAGE ONE: DEPLOYMENT

1. Mount the .ISO image to a workstation or VM that has access to the same network as your destination VMware ESXi host.

2. Once mounted, browse to D:\vcsa-ui-installer\ to find your preferred installer - in our case, as we were using a Windows 10 jumpbox into the lab environment, we used Win32.

3. Double-click the Installer

4. Select the option to Install

5. In a multi-site and multi-vCenter configuration the install is a two-stage process - first the installation of the Platform Services Controller (PSC) service itself, and then the installation of the vCenter element.

Screen Shot 2018-01-29 at 14.56.27.png

6. Accept the EULA

7. For a simple multi-site deployment we won't use the "Embedded Model" where both the vCenter and PSC reside in the same appliance. For multi-site deployments it is best to separate the vCenter and PSC roles.

Screen Shot 2018-02-16 at 10.32.01.png

8. Next we need to specify a VMware ESXi host to deploy the vCenter to, together with the "root" account and password

Screen Shot 2018-02-16 at 10.33.19.png

Note: You will be prompted to accept the default untrusted SSL thumbprint/certificate of the host.

9. Next assign a VM name for the PSC appliance, together with a password for the default "root" account. The name is the virtual machine name, not the FQDN of the appliance. In this case we used "pscnyc", representing the PSC for the New York datacenter.

Screen Shot 2018-02-16 at 10.34.49.png

10. Next select a datastore within which the PSC will be held. On an unconfigured VMware ESXi host it is likely all you will see is local storage. In a fully configured VMware ESXi host you should be able to see the datastore(s) that have been mounted to it - these can take the form of FC, iSCSI, NFS or VSAN capable storage.

11. Next select which network the PSC will reside on, together with its FQDN, IP address, subnet mask, default gateway and DNS name servers. On an unconfigured VMware ESXi host you will see just "VM Network". This should be the same network as the ESXi host. If the ESXi host is using VLAN tagging to separate the management network, you will need to use the ESXi Web-Client to change the VLAN tag value for "VM Network" for this to function. In our case we configured a VM network called "Management" on all our hosts for this purpose.

Screen Shot 2018-02-16 at 10.51.32.png

12. Select Finish to review your settings and upload the PSC appliance to the VMware ESXi host

STAGE TWO: POST-CONFIGURATION

In this stage we configure the time configuration and the SSO settings.

1. Next configure the preferred time synchronisation process. Typically, all VMs get their time from the underlying VMware ESXi host, which in turn is configured for an external NTP time source. Enable SSH access if you intend to use the new vCenter Server High Availability function.

Screen Shot 2018-02-16 at 11.14.53.png

2. Choose to Create a new SSO Domain. It's tempting to make the VMware SSO domain match the Microsoft Active Directory domain. We caution against this, as it can create the confusion or appearance that the two domains are the same entity. They are not. They are completely separate - as we saw earlier in this chapter, if you desire Microsoft Active Directory integration that can be handled as a discrete process.

Screen Shot 2018-02-16 at 11.16.10.png

3. Indicate if you wish to join VMware's Customer Experience Improvement Program (CEIP)

4. Review your settings and click Finish

New York: Install vCenter

Note: Deploying the vCenter comes in two stages - the 1st Stage being the primary deployment to a VMware ESXi Host, and the 2nd Stage being the post-configuration of the SSO component.

STAGE ONE: DEPLOYMENT

1. Mount the .ISO image to a workstation or VM that has access to the same network as your destination VMware ESXi host.

2. Once mounted, browse to D:\vcsa-ui-installer\ to find your preferred installer - in our case, as we were using a Windows 10 jumpbox into the lab environment, we used Win32.

3. Double-click the Installer

4. Select the option to Install

5. The install is a two-stage process - first the installation of the PSC service itself, and then the installation of the vCenter appliance.

Screen Shot 2018-01-29 at 14.56.27.png

6. Accept the EULA

7. For a simple single-site deployment the "Embedded Model", where both the vCenter and PSC reside in the same appliance, would suffice. However, for multi-site deployments it is required to separate the vCenter/PSC roles.

Screen Shot 2018-02-16 at 11.31.12.png

8. Next we need to specify a VMware ESXi host to deploy the vCenter to, together with the "root" account and password

Screen Shot 2018-02-19 at 09.50.42.png

Note: You will be prompted to accept the default untrusted SSL thumbprint/certificate of the host.

9. Next assign a VM name for the appliance, together with a password for the default "root" account. The name is the virtual machine name, not the FQDN of the appliance. In this case we used "vcnyc", representing the vCenter for the New York datacenter.

Screen Shot 2018-02-19 at 09.52.08.png

10. Next we can set the appliance size - this will allocate CPU and Memory commensurate with the number of hosts/virtual machines the vCenter will eventually support.

Screen Shot 2018-02-19 at 09.55.19.png

11. Next select a datastore within which the VCSA will be held. On an unconfigured VMware ESXi host it is likely all you will see is local storage. In a fully configured VMware ESXi host you should be able to see the datastore(s) that have been mounted to it - these can take the form of FC, iSCSI, NFS or VSAN capable storage.

Screen Shot 2018-02-19 at 09.56.18.png

12. Next select which network the vCenter will reside on, together with its FQDN, IP address, subnet mask, default gateway and DNS name servers. On an unconfigured VMware ESXi host you will see just "VM Network". This should be the same network as the ESXi host. If the ESXi host is using VLAN tagging to separate the management network, you will need to use the ESXi Web-Client to change the VLAN tag value for "VM Network" for this to function. In our case we configured a VM network called "Management" on all our hosts for this purpose.

Screen Shot 2018-02-19 at 09.57.48.png

From this point onwards what you will see are status bars as the vCSA is uploaded to the VMware ESXi host and configured.

STAGE TWO: POST-CONFIGURATION

Note: In this stage we configure the time configuration and the SSO settings.

1. Next configure the preferred time synchronisation process. Typically, all VMs get their time from the underlying VMware ESXi host, which in turn is configured for an external NTP time source. Enable SSH access if you intend to use the new vCenter Server High Availability function.

Screen Shot 2018-02-16 at 11.51.23.png

2. Next we configure the new vCenter for New York to use its respective PSC, installed and configured with its SSO settings earlier

Screen Shot 2018-02-16 at 11.55.23.png

3. Review the configuration and click Next and Finish

New York: Join PSC to Microsoft Active Directory

Joining vCSA to Active Directory Domain

1. Login to the vSphere Web Client as administrator@vsphere.local

2. Navigate to Home >> Deployment >> System Configuration

3. Under System Configuration, click Nodes

4. Under Nodes, select the PSC and click the Manage tab

5. Under Advanced, select Active Directory, and click Join

Screen Shot 2018-02-16 at 12.20.07.png

Note: The OU component here is optional, but if used the OU must be referred to using the LDAP format. vCenter does NOT need to be joined to the Active Directory domain, as its participation is controlled by the membership of the PSC with which it is configured.

Delegating Responsibility using Active Directory Groups

With a clean installation vCenter uses its own internal directory service called "Single Sign-On" (SSO) as the primary authentication domain. The default username is administrator@vsphere.local. It is possible to add the Active Directory domain to SSO, and enable user accounts and groups from it for logon to the web-client.

Note: If you are using the vCenter Server Appliance you must add it to the domain.

1. Login to the vSphere Web Client as administrator@vsphere.local

2. From the home location, navigate to >>Administration >>Single Sign-On >>Configuration and select the Identity Sources tab

Screen Shot 2018-02-16 at 10.11.26.png

Note: Click the green + to update the configuration.

3. Select the radio button "Active Directory (Integrated Windows Authentication)".

Screen Shot 2018-02-13 at 16.37.30.png

Note: This type of authentication enables the pass-through of your logged-on local credentials from the Windows domain to the web-client.

4. After clicking OK, this should add the domain to the list

Screen Shot 2018-02-16 at 10.12.39.png

Next we can add accounts to the vCenter to delegate responsibility. The best method is to create a group in Active Directory called "vCenter Admins", and populate it with user accounts from the administration team.

5. Navigate to Home >> Global Inventory Lists >> vCenter Servers and select your vCenter Server

6. Select the Permissions tab

Screen Shot 2018-02-16 at 10.15.29.png

Note: Click the green + to update the configuration.

7. Click Add; in the subsequent dialog box select the domain, and from the second pull-down list select "Show Groups First". Select the group created, and click Add

Screen Shot 2018-02-13 at 16.53.09.png

8. Finally, assign the "Administrator" role and click OK

Screen Shot 2013-11-01 at 09.36.03.png

Once enabled, you should be able to login with your Microsoft Active Directory domain credentials based on membership of the appropriate groups.

Enabling AD User/Groups to Manage VMware SSO

Even if you give a Microsoft AD user/group complete rights to vCenter from a top-level container, this doesn't necessarily give those AD users/groups rights to manage SSO itself. This is handled by a different subset of permissions and rights. Typically, SysAdmins like to do this delegation to prevent situations such as losing, forgetting or getting locked out of VMware SSO, which then prevents further administration. VMware SSO has its own system of password policies and lockouts.

1. Login to the vSphere Web Client as administrator@vsphere.local

2. From the home location, navigate to >>Administration >>Single Sign-On >>Users & Groups

3. Select the Groups Tab and Select the Administrators group

4. Click the Add Member icon, which resembles the figure of a person with a small green +

Screen Shot 2016-01-19 at 15.17.11.png

5. From the Domain and User and Group pull-down lists - select your Microsoft Active Directory Domain, and Show Groups First

6. Locate your delegated user/group from the list, and click the Add button

Screen Shot 2018-02-14 at 08.58.12.png

Repeat Above for New Jersey

The deployment of the subsequent vCenters and PSCs follows a very similar workflow to the first, which established the VMware SSO domain. There are of course some notable differences.

Most significantly:

  • The Subsequent PSC for New Jersey joins rather than creates the VMware SSO domain - providing the FQDN of the PSC that initially created the SSO domain together with the username/password to access it:

Screen Shot 2018-02-16 at 13.03.00.png

Then the administrator is asked whether they wish to join the existing site (NewYork) or create a new site, in this case called "NewJersey"

Screen Shot 2018-02-16 at 13.03.26.png

  • The Subsequent vCenter for New Jersey (vcnj.corp.local) joins its PSC relative to their site location (pscnj.corp.local)

Screen Shot 2018-02-16 at 15.23.36.png

  • The PSC for the New Jersey location will need adding to the Microsoft Active Directory Domain

Screen Shot 2018-02-16 at 14.56.56.png

Note: As both vCenters are part of the same VMware single sign-on domain and part of the same Microsoft Active Directory domain, there's no need to grant rights to the vCenter Admins group - neither does the SSO password policy need to be modified. However, the local password expiration of the "root" account still applies, and in lab environments you may wish to turn that off.

At the end of the process we will have two vCenters side-by-side in Enhanced Linked Mode:

Screen Shot 2018-02-16 at 15.54.42.png

Configuring Other vCenter Related Services (Now Built-into vSphere 6.5)

IMPORTANT: The ESXi Dump Collector in the Windows edition of vCenter is now built-in - as is the case with the vCenter Server Appliance edition.

ESXi Dump Collector

By default if a critical error happens to the VMware ESX host a "dump" will take place. This is not a dump of memory, but of configuration data. VMware ESX hosts with local storage are capable of dumping this data to local storage, but stateless systems may not have storage to carry out this process. Regardless of how VMware ESX is installed, your organization might prefer to have these centrally located. The ESXi Dump Collector allows for this type of configuration. In vSphere 6.0 the ESXi Dump Collector is pre-installed and no special installation of the collector needs to be carried out. However, post-configuration steps are required, and by default the service is disabled.

The KB article kb2002954 outlines core configuration changes that can be made to alter the way the service functions. This involves editing the vmconfig-netdump.xml file held in C:\ProgramData\VMware\vCenterServer\data\netdump\. Modifying this file allows you to relocate dumps away from the default C: drive location using the <defaultDataPath> parameter, change the default TCP/IP port number used (6500), and change the amount of disk space allocated for storage (2GB).

Screen Shot 2018-02-15 at 19.20.10.png

From the vSphere Web-Client the "Actions" button allows you to "Edit Start-up" and to start the service manually for the current uptime.

>> vCenter Web-Client >> Home >> Administration >> System Configuration >> Services

Screen Shot 2018-02-15 at 19.21.55.png


Once correctly configured and the service is started, VMware ESXi hosts can be configured to use it using the ESXCLI command at an interactive prompt like so:

esxcli system coredump network set --interface-name vmk0 --server-ipv4 10.xx.xx.xx --server-port 6500  - To set the configuration
esxcli system coredump network set --enable true - To Enable the configuration
esxcli system coredump network get - To Get the configuration

Screen Shot 2016-02-16 at 15.50.30.png

As the VMware ESX hosts will need to be manually configured for the ESXi Dump Collector, this can be a tedious administrative task using ESXCLI natively. Fortunately, this can be done using PowerCLI, which in turn calls the esxcli interface to get, set and enable the configuration on the ESXi host. The configuration only supports an IP address for specifying the ESXi Dump Collector identity.

Acknowledgement: We would like to thank Aaron Margeson of Cloudyfuture.net for this part of the vmWIKI: http://www.cloudyfuture.net/2016/02/23/configure-dump-collector-with-powercli-in-vsphere-6/

Screen Shot 2013-10-21 at 14.01.16.png - Check the ESXi Dump Collector Configuration Example:

# Show the current network core dump settings on every host in the connected vCenter
foreach ($vmhost in (Get-VMHost))
{
    $esxcli = Get-EsxCli -VMHost $vmhost
    $esxcli.system.coredump.network.get()
}

Screen Shot 2013-10-21 at 14.01.16.png - Setting the ESXi Dump Collector Example:

# IP address of the vCenter/VCSA running the ESXi Dump Collector (a hostname is not accepted)
$vcenterip = '10.20.30.129'
foreach ($vmhost in Get-VMHost)
{
    $esxcli = Get-EsxCli -VMHost $vmhost.Name
    # PowerCLI's V1 interface takes positional arguments: $null leaves a parameter unset;
    # vmk0 is the VMkernel interface, $vcenterip the IPv4 address and 6500 the collector port
    $esxcli.system.coredump.network.set($null,"vmk0",$null,$vcenterip,6500)
    # Enabling is a separate call, exactly as with esxcli on the host
    $esxcli.system.coredump.network.set($true)
    # Read the settings back to confirm they took effect
    $esxcli.system.coredump.network.get()
}
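As an added example (not from the original page or from Aaron Margeson's post), the same job using the V2 interface of Get-EsxCli, which takes named arguments instead of the positional list above and so is easier to get right, and which finishes by asking each host to contact the collector with esxcli system coredump network check, so a wrong address, a blocked UDP 6500 or a stopped service shows up now rather than during a PSOD. The collector address 10.20.30.129, the VMkernel interface vmk0, the function name Set-DumpCollector and the property names read from the get output are assumptions for the example.

```powershell
# Added example: configure and verify the ESXi Dump Collector on every host with PowerCLI (Get-EsxCli -V2).
# Assumptions: collector IP 10.20.30.129 (the vCenter/VCSA), VMkernel port vmk0, UDP port 6500,
# and an existing Connect-VIServer session.
function Set-DumpCollector {
    param(
        [Parameter(Mandatory)][string]$CollectorIp,
        [string]$VmkInterface = 'vmk0',
        [int]$Port = 6500
    )
    foreach ($vmhost in Get-VMHost) {
        $esxcli = Get-EsxCli -VMHost $vmhost -V2

        # 1. Point the host at the collector. Only an IP address is accepted, not a hostname.
        $setArgs = $esxcli.system.coredump.network.set.CreateArgs()
        $setArgs.interfacename = $VmkInterface
        $setArgs.serveripv4    = $CollectorIp
        $setArgs.serverport    = $Port
        $esxcli.system.coredump.network.set.Invoke($setArgs) | Out-Null

        # 2. Enabling is a separate call, exactly as with esxcli on the host.
        $enableArgs = $esxcli.system.coredump.network.set.CreateArgs()
        $enableArgs.enable = $true
        $esxcli.system.coredump.network.set.Invoke($enableArgs) | Out-Null

        # 3. Read the settings back (property names follow the esxcli output fields) and
        #    make the host contact the collector; a failure is reported instead of thrown.
        $cfg = $esxcli.system.coredump.network.get.Invoke()
        try   { $check = $esxcli.system.coredump.network.check.Invoke() }
        catch { $check = "CHECK FAILED: $($_.Exception.Message)" }

        [pscustomobject]@{
            Host      = $vmhost.Name
            Enabled   = $cfg.Enabled
            Interface = $cfg.HostVNic
            Collector = "$($cfg.NetworkServerIP):$($cfg.NetworkServerPort)"
            Check     = $check
        }
    }
}

# Usage: one row per host; any row whose Check column starts with CHECK FAILED needs attention
Set-DumpCollector -CollectorIp '10.20.30.129' | Format-Table -AutoSize
```

The check step is the part worth keeping: a host will happily report Enabled = true while nothing is listening at the other end, and the first time you would otherwise find out is when a dump is silently lost.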

If you wish to test this for real, a crash can be invoked at the physical console with the vsish command. This is destructive: it panics the host and reboots it, so only do it on a host in maintenance mode with no running VMs.

# vsish -e set /reliability/crashMe/Panic 1

Issuing this command at the physical console will cause the ESXi host to panic and produce a purple screen of death (PSOD). Notice how the dump process reports that it is transferring the core dump to the ESXi Dump Collector IP address.

Screen Shot 2018-02-15 at 20.02.59.png

You should find the dump file in the path specified during configuration, held in subdirectories which reflect the management IP address of the ESXi host. Generally these dump files are uploaded to VMware Support for further analysis. PSODs are in the main caused by faulty hardware, such as defective RAM or memory that was badly seated after an upgrade.

The Default Location of Dump files in the Windows vCenter is: C:\ProgramData\VMware\VMware ESXi Dump Collector\Data\

The Default Location of Dump files in the vCenter Server Appliance is: /var/core/netdumps

Screen Shot 2016-02-16 at 15.54.31.png

Syslog

By default VMware ESXi stores its core log files on a local partition. These can be accessed remotely in a number of different ways using an array of client tools. However, some administrators prefer to collect them at a central location for ease of access, for further parsing by log analysis tools, or so that a compromised host cannot quietly erase its own audit trail. Again, syslog redirection will be of specific interest to those who have adopted a stateless "Auto Deploy" model for rolling out VMware ESXi. In this scenario log files are stored temporarily on scratch storage and are lost after a reboot.

As with the ESXi Dump Collector, each VMware ESXi host has to be configured individually to forward to a syslog service, and again this can be done either with ESXCLI on the host or from PowerCLI, which calls the same esxcli interface to get, set and reload the configuration. Unlike the Dump Collector, the log host can be given as an IP address or a resolvable hostname, and the protocol prefix matters: udp:// is unauthenticated and silently drops under load, tcp:// is reliable but still clear text, and ssl:// encrypts the stream (it requires the host to trust the collector's certificate). You can use the ESXCLI command on the VMware ESXi host to get, set and test the configuration like so:

esxcli system syslog config get   - Show the current configuration
esxcli system syslog config set --loghost='tcp://10.20.30.129:514'   - For TCP syslogging
esxcli system syslog config set --loghost='udp://10.20.30.129:514'   - For UDP syslogging
esxcli system syslog reload   - Make vmsyslogd re-read the configuration
esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true   - Open the outbound syslog port in the ESXi firewall
esxcli network firewall refresh
nc -z 10.20.30.129 514   - Test that the remote syslog collector is reachable (TCP only; a UDP listener cannot be probed this way)

Screen Shot 2016-02-16 at 16.54.20.png

Configuring many hosts this way is as tedious as it was for the Dump Collector, and the same PowerCLI approach applies: Get-EsxCli gives access to the syslog namespace, and the firewall rule can be enabled with the native firewall cmdlets.

Screen Shot 2013-10-21 at 14.01.16.png - Check the ESXi Syslog Configuration Example:

If the "RemoteHost" field shows <none>, no remote syslog host has been configured for that host yet.

# Show the syslog configuration (including RemoteHost) on every host in the connected vCenter
foreach ($vmhost in (Get-VMHost))
{
    $esxcli = Get-EsxCli -VMHost $vmhost
    $esxcli.system.syslog.config.get()
}

Screen Shot 2013-10-21 at 14.01.16.png - Setting the ESXi Syslog Configuration Example:

In this case PowerCLI sets the "Remote Host" parameter, reloads the syslog configuration, and then enables the syslog firewall ruleset so the host can send on port 514.

foreach ($vmhost in (Get-VMHost))
{
    $esxcli = Get-EsxCli -VMHost $vmhost
    # V1 positional arguments: $null leaves a parameter unset; the last value is the loghost
    $esxcli.system.syslog.config.set($null, $null, $null, $null,"udp://10.20.30.129:514")
    # Make vmsyslogd re-read the configuration
    $esxcli.system.syslog.reload()
}
# Enable the outbound syslog firewall ruleset on every host
Get-VMHost | Get-VMHostFirewallException | ?{$_.Name -eq 'syslog'} | Set-VMHostFirewallException -Enabled:$true
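As an added example (not from the original page), the same configuration using the V2 interface of Get-EsxCli, but over ssl:// rather than udp://, and with an end-to-end check: after reloading, the script writes a marker line into the host's logs with esxcli system syslog mark, which the collector must receive if forwarding works. The collector name syslog.example.com, the port 1514 and the function name Set-RemoteSyslog are assumptions; the collector's CA certificate must already be trusted by the hosts or the TLS session will not be established.

```powershell
# Added example: configure remote syslog over TLS on every host with PowerCLI (Get-EsxCli -V2) and verify it.
# Assumptions: collector syslog.example.com listening for TLS syslog on 1514 (a hostname is accepted here,
# unlike the Dump Collector), an existing Connect-VIServer session, and hosts that trust the collector's CA.
function Set-RemoteSyslog {
    param(
        # Several collectors may be given comma-separated, e.g. 'ssl://a:1514,ssl://b:1514'
        [Parameter(Mandatory)][string]$LogHost,
        [string]$MarkerPrefix = 'vmwiki-syslog-test'
    )
    foreach ($vmhost in Get-VMHost) {
        $esxcli = Get-EsxCli -VMHost $vmhost -V2

        # 1. Set the log host and make vmsyslogd re-read its configuration.
        $cfgArgs = $esxcli.system.syslog.config.set.CreateArgs()
        $cfgArgs.loghost = $LogHost
        $esxcli.system.syslog.config.set.Invoke($cfgArgs) | Out-Null
        $esxcli.system.syslog.reload.Invoke() | Out-Null

        # 2. The ESXi firewall blocks outbound syslog until the ruleset is enabled.
        Get-VMHostFirewallException -VMHost $vmhost -Name 'syslog' |
            Set-VMHostFirewallException -Enabled $true | Out-Null

        # 3. Write a unique marker into every log on the host. Search for it on the collector:
        #    if it never arrives, the transport (DNS, port, certificate trust) is broken.
        $marker = "$MarkerPrefix $($vmhost.Name) $(Get-Date -Format o)"
        $markArgs = $esxcli.system.syslog.mark.CreateArgs()
        $markArgs.message = $marker
        $esxcli.system.syslog.mark.Invoke($markArgs) | Out-Null

        [pscustomobject]@{
            Host       = $vmhost.Name
            RemoteHost = ($esxcli.system.syslog.config.get.Invoke()).RemoteHost
            Marker     = $marker
        }
    }
}

# Usage: keep the Marker column and grep for each value on the collector
Set-RemoteSyslog -LogHost 'ssl://syslog.example.com:1514' | Format-Table -AutoSize
```

A host reporting the right RemoteHost is not proof that anything is being received; the marker is. Running the function again later with a new marker is a cheap periodic check that forwarding has not silently stopped.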