Site Status – All Pages Updated

I realised that it’s been a while since the last post was added to this blog so I thought I’d write this and summarise what’s actually been going on.

In in reality I’ve updated every page on this site  with instrcutions, screenshots and “gotchas” for the newer versions of the products. So, the homelab guide has been updated to work for vSphere 6.5 adn vRA is up to 7.2.

Hopefully in the near future I’ll add in some fresh content and guide extensions that make it look more up to date than it seems.  In the mean time, rest assured that I’ve sanity checked everything here so I know it works (and now someone is going to find a bug I missed… I just KNOW it.

Advertisements

vSphere / Lab For Beginners: Part 4 – Virtual Distributed Switches & Migrating Networking (VSS to vDS)

Where are We?

By this point we should be in the position of having our lab cluster up and running, configured for storage and able to authenticate against a real domain with all the control that gives us.  We haven’t yet enabled any of the advanced features like vMotion though as this would have required network configuration that we would have removed in this stage.

What’s Next?

VMware provides two different ways to configure networking Virtual Standard Switches  (VSS) and Virtual Distributed Switches (vDS).  So, what’s the difference?  Standard switches are, simple, easily configurable switches that have to be configured individually on every ESXi host you have.  They also dont need Virtual Center to work.  Additionally, for features like vMotion to work they must be configured identically across all hosts.  This a management pain and when you scale, it doesn’t!

Virtual Distributed Switches are a centeralised switch that hosts can be members of.  They are managed from vCenter and provide unified management of the estates networking and advanced features not in VSS (such as pVLAN tagging).

So, in this part of our tutorial we are going to do a few things.

  1. Create a new Virtual Distributed Switch
  2. Migrate the initial VSS configuration and virtual machine networking over to the vDS
  3. Create a vDS VMKernel Port Group and enable vMotion (because we havent set this up in VSS at this moment).

A small note.  In a real environment you would be running with network uplink redundency and would be able to do this in 2 stages.  In this example we only have 3 NICs and we will have to migrate components one at a time using the ‘spare’ physical NIC.  This means that there is a lot of repition in this part of the blog.  It’ll help to understand the process!

Why Do I Want to Do This?

Simply because in the real world you’re unlikley to encounter many enterprises using VSS configurations.  vDS setups are more flexible and more widly in use.  From a lab perspective it also means you get  to play with more advanced features once you’re familar with vSphere so you may as well enable that functionality now.

Step 1: Create a new Virtual Distributed Switch

First we have to create the actual switch within vCenter.  So, log on to the vCenter Web Client as before with administrator rights and swititch to the networking tab on the left.  Select you Data Center and then click the Actions dropdown.  Expand Distributed Switch and select New Distributed Switch.

screen-shot-2016-10-21-at-20-54-55

This brings up a familiar looking wizard.  Give your switch a friendly name (it’s good practice to denote that it’s a distributed switch in the name). Click Next.

screen-shot-2016-10-21-at-20-55-48

You can now select the version (feature level) of you vDS.  In this example we’re going for the newest to enable all features.  In the real world you may want to select an older version if you are integrating with an older VSphere suite. Select the newest version. Click Next.

screen-shot-2016-10-21-at-20-56-03

We now get to choose the number of uplinks we want to assign to the switch.  Uplinks map to physical network adapters.  The default is 4  and we are going to go with this (even though the lab in this example only has 3 Physical NICs).  You can have more uplinks than Physical NICs no problem (they just wont work or don anything).

We also get the option to Create a default Port Group (A port group is analgous to a set of network ports you’d plug wires into, grouped together for a similar task).  This first Port Group is the one you’d probably assign for connecting Virtual Machine vNIC to (to enable communication).  Give it a friendly name and click  Next.

screen-shot-2016-10-21-at-20-56-31

You now get a summery page detailing what has happened and, interestingly, what your next actions should be.  Click  Finish.

screen-shot-2016-10-21-at-20-57-25

So, we’ve now created a basic Distributed Switch, created a set of uplinks for it (as yet NOT assigned to a Physical NIC) and created a default Purt Group which we shall use for VM connectivity.

Step 2: Add Hosts to the vDS

Now the vDS is created we have to assign our ESXi hosts to the switch and create the additional port groups we are going to need (for Storage and vMotion in our case).  To do this navigate to the Networking tab in the Webclient,  select the distributed switch we created above, Select the Manage tab (configure in version 6.5), selct settings and then Topology  you’ll now need to click on the screen-shot-2016-10-22-at-16-18-09 icon.

screen-shot-2016-10-22-at-16-17-17

This will bring up the  Add and Manage Hosts configuration Wizard.  This is a Wizard we will keep returning to whenever we make a change to the vDS.

Firstly we will need to add our hosts to the vDS.  Select Add Hosts and click  Next.

screen-shot-2016-10-21-at-21-18-07

Here you’ll need to select all the hosts you have in your lab and click OK.

screen-shot-2016-10-21-at-21-18-31

You’re shown a confirmation screen. Click Next.  Continue to the end of the Wizard and  Finish (without altering any configuration). Remember, we’re just connecting the hosts at this point, taking it step by step.

screen-shot-2016-10-21-at-21-18-41

Step 3: Crete Other Port Groups

Now we’re going to create the remaining Port Groups we will need for ther lab.  These include:

  • A portgroup for iSCSI storage that we will migrate our ‘storage’ VSS to.
  • A portgroup for vMotion to enable this feature.

Each portgroup will have a dedicated uplink associated with it (and each uplink will have a dedicated physical NIC).

So, from the vSphere Web Client, navigate to the Networking tab, select the  Distributed Switch  we have created and right click on it.  Select Distributed Port Group and then  New Distributed Port Group.

screen-shot-2016-10-21-at-21-23-24

You’ll now be presented with a simple wizard:

Give the Port Group a friendly, descriptive name. Click  Next.

screen-shot-2016-10-22-at-16-41-06

Keep the default options for the switch (we can do configuration and explination in detail another time).  Click  Next.

screen-shot-2016-10-22-at-16-41-20

The Summary screen is shown.  Click  Finish.

screen-shot-2016-10-22-at-16-41-32

Repeat this Wizard three times.  I have created three Port Groups called:

  • StorageDPG (for iSCSI traffic and access to storage).
  • VMNetworkDPG (for Management and VM communication) [Renamed default Port Group from Step 2].
  • vMotionDPG (for vMotion traffic).

At the end of the process you should have something like this.

screen-shot-2016-10-21-at-22-11-41

Back in the Topology view for the vDS you should now see something like this.  IT shown the Distributed Switch with it’s uplinks (notice there’s still no physical NICs associated with them).  You can also see t he portgroups on the left (currently with no details or items assigned to them).

Now, we have to add Physical NICs to the Uplinks.

Step 4: Add Physical NICS to Uplinks

Click on the screen-shot-2016-10-22-at-16-18-09icon fromt he topology view to initiate the  Add and Manage Hosts wizard again.

screen-shot-2016-10-21-at-22-13-27

Click the Green plus symbol labelled  Attached hosts.

screen-shot-2016-10-21-at-22-13-48

Select all the hosts in the lab cluster (all of the ones shown below in this example).

screen-shot-2016-10-21-at-22-18-05

The confirmation will be shown as below. Click  Next.

screen-shot-2016-10-21-at-22-14-09

On the next wizard screen select the  Manage Host Networking  option and click  Next.

screen-shot-2016-10-21-at-22-17-51

Now ensure only  Manage Physical Adapters is selected and click  Next.   In this step we are only going to add the spare adapter.

screen-shot-2016-10-21-at-22-18-23

Select the currently not used (or extra) vNIC and click the Assign Uplink button. Assign it to Uplink 1.  Note: In the example below if we try to assign one of the vNICS from vSwitch0 or Storage we would end up disconnecting the physical link from the switches BEFORE migrating the networking over to the vDS.  This would mean that either Management+VM networking or (worse) storage to the running VMs (Including this vCSA) would die.  This causes a horrible mess and is why you should probably run dual NICS / switch in reality (so we could connect half to the new vDS and leave half where they were and do a seemles switchover).

As mentioned above this lab example doesnt have this so we have to perform a rolling migration with our currently unassigned NIC.  If you’re messing around in a lab that has multi physical NICs but no spare (but vMotion has been configured) then use the NIC assigned to the vMotion interface as the ‘spare’ as this isn’t a critical componant of keeping a VM alive.

Check everying is assigned to the correct (free) NIC.  Click Next.

screen-shot-2016-10-21-at-22-18-55

The next screen shows an impact summary and should alert you is you’re about to do anything stupid.  We’re not.  Click Next.

screen-shot-2016-10-21-at-22-19-10

Click Finish and the process should complete momentarily.  Back at the Topology screen you should notice that the Uplinks sections of the diagram now shows adapters assigned to Uplink 1.  In tis example, 2.  One for each host.

screen-shot-2016-10-21-at-22-19-24

Step 5: Migrate Networking

Again, click the screen-shot-2016-10-22-at-16-18-09 Add and Manage Hosts button from the topology view and ensure, this time, that just  Manage host Networking is selected.

screen-shot-2016-10-21-at-22-19-34

Select both hosts again.

screen-shot-2016-10-21-at-22-19-49

Now ensure Manage VMkernel adapter  and Migrate virtual machine networking options are selected.

screen-shot-2016-10-21-at-22-20-04

Now select the VMK0 adapter currently assigned to vSwitch0 (Management Network) and select the Assign Port Group button.

screen-shot-2016-10-21-at-22-20-26

Assign this to the newley created VMNetworkDPG vDS port group and ensure the same is done for the second (and any other additional) hosts in your environment.  Click  Next. Leave the storage adapter alone for the moment.

screen-shot-2016-10-21-at-22-20-36

Check that nothing will be broken in the Analyze Impact window.

screen-shot-2016-10-21-at-22-20-49

Now, on the Migrate vm Networking  window expand and ensure all the VMs currently in the lab are migrated over to the new Port Group.  In the example be low you can see the three VMs already in my lab (including this VCSA) ready to migrate from the VM Network VSS Port group to the VMNetworkDPG  vDS Portgroup.

screen-shot-2016-10-21-at-22-21-25

Review the settings to ensure everything is as it should be.  Finish the wizard.

screen-shot-2016-10-21-at-22-21-34

You should now see, in the topology view, the three VMs attached to Uplink 1 and, crucially, you should still have network connectivity to the LVCA web interface.

screen-shot-2016-10-21-at-22-22-01

Next, restart the Add and Manage Hosts wizard to move the next set of items over.

screen-shot-2016-10-21-at-22-24-24

Select all the hosts in the lab.

screen-shot-2016-10-21-at-22-24-37

Select  Manage physical adapters  and  Manage VMkernel adapters.

screen-shot-2016-10-21-at-22-24-55

Now assign the NIC in use by vSwitch0 (which we migrated the networking OFF off in the last step through the wizard) to Uplink 2.  Do this for all hosts in the environment.

screen-shot-2016-10-21-at-22-25-22

Now click the Assign Port Group button and ensure that the vmkernel  port currently used for storage in the VSS is migrated to the StorageDPG .  Notice how we are rotating the next VSS switch to the DPG to free up the final adapter in the next step.

screen-shot-2016-10-21-at-22-25-43

A final check on the Analyse Impact screen and it is showing a warning.  In this instance it is simply telling us that we are switching physical NICs in this operation.  We know this to be the case as were having to shuffle non resilliant connections.

screen-shot-2016-10-21-at-22-26-04

Check the summery screen and Finish

screen-shot-2016-10-21-at-22-26-19

Once complete we, again, should still ahve access to our VMs (the storage is still connected) and the StorageDPG  portgroup and vmk ports anre connected to Uplink 2

screen-shot-2016-10-21-at-22-27-21

For one final time.  Restart the Wiard and select Manage host networking 

screen-shot-2016-10-21-at-22-27-40

Add all the hosts from the environment.

 

screen-shot-2016-10-21-at-22-27-51

 

Ensure the Manage physical adapters  and  Manage VMkernel adapters options are selected.

screen-shot-2016-10-21-at-22-28-07

Assign the final unused NIC from the VSS to Uplink 3.  This should be the NIC assigned to the Storage switch in the old networking.

screen-shot-2016-10-21-at-22-28-27

On the Manage VMkernel adapters screen click the New adapter button.

Screen Shot 2016-10-24 at 21.09.30.png

One the Select target device  screen click  browse to select an existing network.

screen-shot-2016-10-21-at-22-28-58

Now select the vMotionDPG portgroup that was created right back at the start of this stage of the guide.  Note in the screenshot belowthe WRONG network is hilighted…

screen-shot-2016-10-21-at-22-29-08

For the Port Propeties tick vMotion traffic  under  enable services.

screen-shot-2016-10-21-at-22-29-26

Assign the new VMkernel port for vMotion an IP address and appropriate subnet.

screen-shot-2016-10-21-at-22-31-08

Now assign this new VMK port to the vMotionDPG distributed port group on all hosts. NOTE: In the picture below I got it wrong for host esxi01.  Host esxi02 is CORRECT.

screen-shot-2016-10-21-at-22-32-21

One final Analyse Impact  screen is shown.  Move on to thee Summary screen and complete the wizard.

screen-shot-2016-10-21-at-22-32-32

Like before, you should be able to see the two new VMkernel ports assigned to the vMotionDPG port group.

screen-shot-2016-10-21-at-22-33-52

That’s it.  We have migrated all the networking from VSS to vDS and created a final DPG and VMK port for vMotion capabilities.  We now have centerally managed networking from within vCenter with the ability to migrate VMs across hosts.  We also have the storage and regular network traffic controlled fromt he same area.

Step 6: Cleanup

Now everything is controlled by the vDS we just need to clean up the older VSS configuration.  To do this from the Web Client select the individual host from the  Hosts and Clusters  view, select the 1st host, the  manage  tab,  networking and then  virtual switches.  This will list the vDS and the two (obsolete) standard switches (vSwitch0 and Storage).  Select the 1st VSS and click the red ‘x’ to delete it.  Now do the same for the final VSS. NOTE:  In version 6.5 select the switch, click actions then select remove.

Remember that you will have to do this for all the hosts you have as VSS and not centerally controlled.

screen-shot-2016-10-24-at-21-37-33

What’s Next?

Next we will roll through some of the feaures in vCenter such as HA, DRS and vMotion.  this will be in part 5 of this beginners series.

vSphere / Lab For Beginners: Part3 – Domain Based Authentication

So, What Do We Currently Have?

At this point we have a functioning vCenter server containing a datacenter construct and a cluster with some ESXi servers.  These are all authenticating using the built in SSO (Single Sign On) server and all networking is done via VMware Standard Switches (VSS).  These should all be configured exactly the same for basic networking across all hosts.

We could go and start deploying VMs now and creating additional vmKernel ports to enable vMotion etc. BUT VSS configs are a pain to manage and scale out (as everything has to manually be configured identically) and dont provide anyof the advanced features or centeralised management that virtual Distributed Switches do (vDS).  Also, you’d be hard pressed to find a real world deployment using just standard switches.

What We’re Going To Do Next?

This post is going to deal with one of two things that you should do right now as it’s far, far easier to configure these features before going forward than it is to try and change later when VMs are running and using all the vSphere features.

  1. Configure vSphere (ESXi and vCenter) to use domain authentication for added, more flexible, more real world security).
  2. Configure vSphere with a custom group to allow users to be given very specific roles and permissions.

We will configure advance networking in the next part of this series.

Why Are We Doing It?

Simple, because this is one of two changes to the basic config that are typical of what you’ll find in real world deployments and enable more features and flexibility in your lab whilst being easier to manage.

Stage 0: Stop the VCSA root Password From Expiring and Configure NTP

In this blog post we are going to configure the vSphere environment to use AD Authentication vs the inbuild SSO authentication.  But what if something goes wrong and both authentication sources require remediation.  Simple, you log in as root to your appliance and you can fix stuff.  True, but….  By default the root password in VCSA will expire after a year which can leave you high and dry.  It’s simple to fix so, before going any further, lets configure it to never expire.

Navigate to your VCSA’s admin web interface.  This is a specialconfiguration interface with basic appliance settings.  it’s avaialble at https://<VCSA-Appliance&gt;:5480

screen-shot-2016-09-29-at-21-40-59

Log on to the appliance’s web configuration interface using the root user and the password defined in the setup script from Part 2 of this blog series.
screen-shot-2016-09-29-at-21-41-19

Navigate to Adminsitration and ensure that No  is selected under Password Expiry Settings > Root Password Expires. Click Submit.
screen-shot-2016-09-29-at-21-46-20

Now we can quickly configure the time service to the same values as we did for the ESXi hosts. Select Time from the menu and then the Edit button.

screen-shot-2016-09-29-at-22-06-50

Click on the dropdown for Mode and select NTP from the list of options.
Now enter uk.pool.ntp.org (Assuming this is the server you entered into the ESXi NTP configuration earlier) under the Time Servers area and click OK.screen-shot-2016-09-29-at-22-07-44

The VCSA is now configured to use NTP as it’s time source.

Stage 1: Configuring For Active Directory Authentication

What You’ll Need

In order to connect the VCSA to an Active Directory for authentication you’ll need to have an account in the Active Directory set up to allow vCenter to be joind to the lab domain.  For this example I recomend creating a service account to perform this function.

I have created and will be using the following in this example: svc_ldap@lab.local

NOTE: It does not need to be an admin user as a standard AD account can join 10 computers to a domain.  This is only going to join 1.

Join The VCSA To The Domain

Open a browser to https://<vCSA_Address>/vsphere-client/

screen-shot-2016-09-29-at-22-12-55

Log on to the appliance using the administrator@vsphere.local account and the password set up when you deployed the appliance.screen-shot-2016-09-29-at-22-17-39

From the Navigator pane select Administration to open the admin sub menu.

screen-shot-2016-09-29-at-22-37-21

Select Deployment System Configuration

screen-shot-2016-09-29-at-22-42-18

This will open System Configuration. Select Nodes then hilight the VCSA from the list (of one).  Now Select the Manage tab and click the Join button.

screen-shot-2016-09-29-at-22-42-59

This will bring up the Join Active Directory window. Enter the information required to join the domain.  In the example below:

  • Domain: lab.local [The full name of the domain you wish to join]
  • Organization Unit: <optional> [The DN path of the AD area you’d like the VCSA to be placed.
  • User Name: svc_ldap@lab.local [the service account created earlier]
  • Password: <password> [The password]

Click OK.

screen-shot-2016-09-29-at-22-43-38

Unless there is an error noting obvious will happen.  You will have to reboot the appliance to see the changes applied.  Once it has rebooted, navigate back to the same place  and notice that the domain is now listed as joined.

screen-shot-2016-09-29-at-22-56-29

Now we should configure Active Directory as an Identity Source within  vCenter.  This will allow us to use domain credentials to logon to vCenter and control access via domain group membership.  To do this navigate to Single Sign-on > Configuration  and open the Identity Sources tab.

snapcrab_noname_2016-6-8_10-26-24_no-00

Click green plus to start the process to add an identity source.

snapcrab_noname_2016-6-8_10-32-2_no-00

the simplest method to use is the one listed below.  So, in the Add identity source window, select Active Directory (Integrated Windows Authentication) option.  Ensure the domain name is correct (i.e. the same as the domain we just joined inthe steps above). and select the Use machine account option.  Clock OK. toadd the identity source.

NOTE: this will only work if the VCSA is joined to a domain already.  This is what we achieved in the previous step so it will work for us.

snapcrab_noname_2016-9-30_17-41-33_no-00

We can now use Active Directory as an authentication source but, right now, we still need to configure vCenter to give permissions to users/groups to allow this to happen.  Firstly off it makes sense to give a domain account administrative access to vCenter so we can stop using the administrator@vsphere.local account.

Navigate to Single Sign-On > Users and Groups and select the Groups tab.

screen-shot-2016-10-01-at-20-03-31

This window allows tyou to create a new group for use in vSphere or add users / groups in to an existing group.  Scroll down and select the Administrators group (this is the default group vSphere has for high level access to vSphere).  You’ll see that the only member of this at the moment is the accoiunt you’re logged in with right now.

screen-shot-2016-10-01-at-20-09-07

Click the Add Member  (under the Group Members heading).  From the Domain drop down ensure you select the Active Directory domain you want (In our example lab.local).  You can now select the user or group from the domain to add to the group.  I’ve added both (shown below).  If you’re following best practice you should probably create a group in Active Directory, add users to that group and add this group at this step.

Now, when we look at the group, we should see our new entries listed.

Screen Shot 2016-10-01 at 20.49.32.png

 

To test this worked log out of the web client and try logging back in as a domain user (as shown below.  You have to use the format <user>@<domain>.<whatever> in VMware products

Screen Shot 2016-10-01 at 20.51.18.png

If Successful you’ll be back in the main Web Client window and you should be able to see and do whatever you want.  You’ll also have your domain username shown in the top right

screen-shot-2016-10-01-at-20-54-14

Stage 2: Creating Groups With Custom Permissions

Being able to add users and groups from SSO and a Windows domain to the built in vSphere groups is great and all that but, what if you want to offer more granular permissions or restrict a user / group to a single task in Virtual Center.  This is where Roles/Global Permissions can come in handy.

What’s The Process Then?

Simply it’s this:

  1. Create a new group.
  2. Add Users and Groups to this group.
  3. Create a new role with custom permissions
  4. Assign the created group the new custom role

Create a New Group, Assign Users

As in stage 1 navigate to Users and Groups and the Groups tab.  Now Create a new group by clicking on the green plus sign.  In this example I’ve named it as below.  This gives a good explination of the purpose of this demo.

screen-shot-2016-10-01-at-21-15-52

Once the group is created add in a user from Active Directory that will eventually have the rights we’re about to define.  In this example I have pre-created a domain account called No Access.  It’s just a basic domain user account I’m going to use for this process.

screen-shot-2016-10-01-at-21-16-29

Create a New Role In vCenter

Now Navigate to the Access Controls > Roles section of vCenters Administration settings.  From here we will create a new role which simply has permissions to Create a Datacenter.

screen-shot-2016-10-01-at-21-10-36

The Roles screen is displayed.  Click the green plus to create a new role.

screen-shot-2016-10-01-at-21-10-54

Name the role and assign the permissions you want granted to users of this role.  In this example I’m Createing a role called Create Data Center and assigning only one permission, that of Create Datacenter.  Click ok to create the role.

screen-shot-2016-10-01-at-21-11-20

Assign Users This Permission

Now we need to assign this permission to users or groups.  In this example we will assign the role to the previously created vSphere group (above).  Navigate to Administration > Global Permissions.

screen-shot-2016-10-01-at-21-14-36

Select the Manage tab and click the green plus to add the new permission.  Note that this screen lists all the currently active permissions.

screen-shot-2016-10-01-at-21-14-44

Now Add the previously created group from the vSphere.local domain (notice that this vsphere.local group contains lab.local users) and click OK.

screen-shot-2016-10-01-at-21-17-20

Finally select the created Create DataCenter role from the dropdown on the right and click OK.  You have now created a permissions group, added domain users to it, created and new role and finally assigned this role to the new group.

screen-shot-2016-10-01-at-21-17-42

You can see the effect of this immediatly by simply logging out of the vSphere Web Client and logging back on again with the user assigned to the group.  So, in this example, I would log back on with the NoAccess@lab.local user and I should find that I can log on but all actions on all objects within vCenter are now greyed out except for the ability to create a datacenter.

NOTE: In vSphere permissions are additive.  So, if you add a user to the above Create DataCenter group but they are also a member of an admin group they will get all the administrative permissions as well as any specific others.  Its worth remembering this.

What’s Next?

next up we’re goingt o configure the advanced networking features of vSphere by configuring Virtual Distributed Switches and migrating our lab networking off the standatd switches.

 

 

 

 

 

 

 

vSphere / Lab For Beginners: Part 2 – Installing & Configuring Virtual Center

Where Are We and What’s Next?

At this point in our lab build we have our ESXi hosts up and connected to some storage but nothing else.  We need a tool to manage all our hosts and provide accss to all the cool features that VMware and Virtualisation is known for such as moving VMs between hosts, advanced networking, HA, load balancing etc.

Within vSphere this is Virtual Center.  Currently available in two formats.  One being an installable that can run on a Windows Server and one being a deployable appliance that is simply pushed out to a host without any other OS requirements.  For this guide we are going to be deploying the appliance version (known as the Virtual Center Server Appliance, VCSA).  This is because it’s now the recomended version to use from VMware and the Windows version is probably going to be phased out sometime in the near future.  The VCSA also doesnt require a Windows licence and the patching that goes with it either.  and finally, for a lab environment, the requirements are a little lower so it’s a better fit.

Virtual Center Server Appliance: It’s More Than One Thing!

One thing to note before we proceed is that the VCSA is actually MORE than one component. but, for the purposes of simplicity I’m refering to the suite as one entity in this beginners guide.  If your curious the VCSA is actually split in two.  The vCenter Management Server (responsible for managing the environment and the ‘thing’ you actually log on to) and the Platform Services Controller [PSC] (which deals with mutiple things like sign on, certificates, licensing etc.)  The PSC can be installed with the VCSA or split out to a seperate box for high load installs.  In this lab we’re goingt o use the embedded PSC.

Before You Start: Sort Out DNS

vSphere in general relies heavily on name resolution to work correctly. Indeed, installing the Virtual Center Server Appliance without having DNS in place first (i.e. using the IP address) can cause issues further down the line such as the inability to change the hostname without the system falling over or other such quirks.

So, before going any further we are going to create a DNS server on your first ESXi host.  In my case I have installed a Windows 2012 R2 Active Directory VM on our first ESXi host and configure a domain and DNS.  I’m not going to cover how to configure Active Directory in this post but before going any further you should ensure that a domain for you lab exists (in this example ‘lab.local’) as well as  forward and reverse DNS lookup zones with entries for your ESXi servers and Virtual Center Server Appliance.  In my case:

Reverse Lookup Zone: Three static entries for ESXi and VCSA and the autocreated entry for the AD server.

Screen Shot 2016-07-26 at 22.08.46

Forward Lookup Zone Entries: For the two ESXi servers and the Domain controller.

Screen Shot 2016-07-26 at 22.08.31

and  the entry for the VCSA about to be deployed.

Screen Shot 2016-07-27 at 22.09.07

If you are starting from scratch and need to create a new VM to install a Windows server / Active Directory to you can follow the steps below.  Otherwise skip to the ‘Deploying the VCSA’ step.

Creating A New VM From Within ESXi

Log on to your first ESXi host via the https://<esxiHost>/ui URL as root and select the Virtual Machines entry on the left.  Now Select Create / Register VM on the right.

Screen Shot 2016-07-27 at 22.11.57

This opens a New Virtual Machine Wizard.  Selct Create New Virtual Machine.  Click Next.

Screen Shot 2016-07-27 at 22.12.11

Enter a name for your VM and select the Compatibility, Guest OS Family and Guest OS Version.  For Compatibility it is best to select the version that matches you ESXi version.  It is also important to select the right Guest OS family (Windows, Linux etc.) and version as this determines the makeup of key elements of the the virtual hardware of the VM (disk controllers etc).  Selecting incorrect family and /or versions can cause performance issues or, at it’s worst, a failure of the VM to turn on.  Once specified, click Next.

Screen Shot 2016-07-27 at 22.12.49

Select your datastore where you would like to store the VM and click Next.

Screen Shot 2016-07-27 at 22.13.19

Here you can configure  the VMs resources tot he size you require. CPU, Memory and Disk can all be set here.   For compatibility reasons I would recomend leaving everything as default except for disk space and RAM.  It should be noted that with most VMs, unless they are performing an explicitly parallel workload the rule is ‘1 x vCPU every time’.  WHY is more advanced but, for now. leave it as a 1 CPU VM and click Next.

Screen Shot 2016-07-27 at 22.13.43

You’ll be given a summery of the options you specified.  Click Finish and the  wizard will close and the VM will be created.

Screen Shot 2016-07-27 at 22.13.56

Notice, back on your main screen, the recent tasks pane at the bottom of the screen will show the progress and, hopefully, success status of the VM creation.  You are now able to start the VM and install an OS to it.

Screen Shot 2016-07-27 at 22.14.13

With all of the above in mind and DNS entries set up for you ESXi and to be installed Virtual Center Server Appliance we can deploy the VCSA into our environment and get going.

Deploying The VCSA (Automated)

In vSphere 6 the VCSA can be deployed the traditional way, clicking through wizards etc.  or using a configfile and a simple command line to automate the whole process.  We’re going to be using the automated method for this guide as I firmly believe that Automation is the way forward and the principals followed here carry forward in to the more advanced areas of vSphere and are worth exploring right away.

NOTE: The following is shown using a Windows PC as the client.  This can also be done via a Mac.  It’s just the kick off command that changes.

What You’ll Need

For this section of the guide you’ll need:

  • A Windows PC on the same network as the ESXi hosts previously set up.
  • Windows Powershell
  • The VCSA ISO file (I used VMware-VCSA-all-6.0.0-3634788.iso from VMware site).
  • The ability to mount .iso images (Native to Windows 10).

Optionally, if you want to follow the command line driven configuration of datacenters and hosts you will need.

  • VMware PowerCLI (installed on your Windows PC)

Step 1: Mount the VCSA ISO and Configure Settings.

Mount your VCSA ISO.  In Windows this is done by Right-Clicking the VCSA .iso file and selecting Mount.

Navigate to <CD Drive>:\vcsa-cli-installer\templates\install and copy the embedded_vCSA_on_ESXi.json file to somewhere simple to access (such as c:\temp)

Open the .json file and edit in the values as you require for your environment.  I’ll explain the requirements for the values after this example (shown).

NOTE: The files here are slightly different between vSphere 6.0 and 6.5.  Both are shown below.

JSON Config For vCenter 6.0

{
    "__version": "1.1",
    "__comments": "Sample template to deploy a vCenter Server with an embedded Platform Services Controller to an ESXi host.",
    "target.vcsa": {
        "appliance": {
            "deployment.network": "VM Network",
            "deployment.option": "small",
            "name": "VCSA6",
            "thin.disk.mode": true
        },
        "esx": {
            "hostname": "192.168.1.10",
            "username": "root",
            "password": "aRandomPassword",
            "datastore": "Datastore1"
        },
        "network": {
            "hostname": "192.168.1.15",
            "dns.servers": [
                "192.168.1.254",
                "192.168.1.20"
            ],
            "gateway": "192.168.1.254",
            "ip": "192.168.1.15",
            "ip.family": "ipv4",
            "mode": "static",
            "prefix": "24"
        },
        "os": {
            "password": "anotherPassword",
            "ssh.enable": true
        },
        "sso": {
            "password": "evenMorePasswords",
            "domain-name": "vsphere.local",
            "site-name": "Home-Lab-SSO"
        }
    }
}

So, what are the values that need filling in?  From the top:

appliance:deployment.network - This is the name of the network created in part 1 of the guide.  If you didn't change anything it's 'VM Network'.

appliance:deployment.option - This dictates the amount of CPU, DISK and RAM allocated to the VCSA based on VMware's t-Shirt sizes.  Small is good for up to 100 hosts and 1000 VMs and is perfect for a lab.  There is a Tiny option but you can hit the VM limit in a lab quite quickly.

appliance:name - The text name that you wan to call the VCSA.

appliance:thin.disk.mode - Either true or false.  vSPhere can, simplistically, allocate all disk space requested to a VM at creation or as it is used (more efficient).  I recomend true in this instance.
esx:hostname - This field is populated with the IP address / hostname of the ESXi server you want to deploy this VCSA to.  NOTE: Use IP if DNS is not set up corretly at this stage but preferably use DNS as this can stop known issues arising later if you want to rename the appliance or do anything that relies on FQDN.

esx:username - The username you want to use to connect to the specified ESXi host.  Usually root.

esx:password - The password for the account specified in the field above. Note this is stored in plain text.

esx:datastore - Then EXACT name of the datastore on the ESXi host to deploy the VCSA on. NOTE: This is case and space sensitive.
network:hostname - This is the hostname this VCSA server. NOTE: vSphere is very, very picky about DNS.  In this example I assume you have deployed a domain controller or have DNS set up WITH an entry for this VCSA server alreaddy created. e.g. labvcas.lab.local pointing to the IP address you want to give this appliance.  If DNS resolution is not ready yet an IP address MUST be used here otherwise the install will fail.  However, this will trigger known issues if you ever want to rename your apliance or change its identity. It is HIGHLY recomended to get DNS sorted at this stage.

network:DNS.servers - This setting requires a list (can be one) of DNS servers for name resolution.  I have set these to be my default gateway (for internet name resolution) and then the IP address of the AD server i intend to build in the lab.

network:gateway - This is the default gateway to the internet in IP format.

network:ip - This is the IP address of this VCSA server you're going to be deploying. 

network:ip.family - specifies wether the above address is in IPv4 or IPv6 format.  Default is IPv4.

network:mode - Choose between static or DHCP.  Static is prefered for predictability.

network:prefix - This field is the subnet mask of the network for the VCSA in slash notation. (i.e. 24 = 255.255.255.0).

os:password - This specifies the root password for the VCSA and is needed for access to the console or SSH access. NOTE: stored in plain text.
os:ssh.enable - A true or false value specifying wether you want to enable SSH access to the VCSA.  AS this is a lab I have enabled it in the example.
sso:password - This sets the default password for the administrator SSO (the in built authentication system) account.

sso:domain-name - The domain name for the SSO component install. NOTE: This cannot be the same as an existing orsoon to be existing Windows domain.  I have used vsphere.local (so the admin account is administrator@vsphere.local). 

sso:sso-name - The name of the SSO site.  NOTE: Spaces not allowed.

Once all of the values have been filled in for your envionment you are ready to deploy the VCSA and automatically configure it with the settings in the JSON  file.

JSON Config for vCenter 6.5

Note that the value you will need to fill in stay the same but the filehas additional sections at the end that are required for the install to sucessfully complete.

{
 "__version": "2.3.0",
 "__comments": "Sample template to deploy a vCenter Server Appliance with an embedded Platform Services Controller on an ESXi host.",
 "new.vcsa": {
 "esxi": {
 "hostname": "esxi01.lab.local",
 "username": "root",
 "password": "Password1!",
 "deployment.network": "VM Network",
 "datastore": "Datastore1"
 },
 "appliance": {
 "thin.disk.mode": true,
 "deployment.option": "small",
 "name": "LABVCSA"
 },
 "network": {
 "ip.family": "ipv4",
 "mode": "static",
 "ip": "192.168.1.15",
 "dns.servers": [
 "192.168.1.20"
 ],
 "prefix": "23",
 "gateway": "192.168.1.254",
 "system.name": "labvcsa.lab.local"
 },
 "os": {
 "password": "Password1!",
 "ssh.enable": true
 },
 "sso": {
 "password": "Password1!",
 "domain-name": "vsphere.local",
 "site-name": "HomeLabSSO"
 }
 },
 "ceip": {
 "description": {
 "__comments": [
 "++++VMware Customer Experience Improvement Program (CEIP)++++",
 "VMware's Customer Experience Improvement Program (CEIP) ",
 "provides VMware with information that enables VMware to ",
 "improve its products and services, to fix problems, ",
 "and to advise you on how best to deploy and use our ",
 "products. As part of CEIP, VMware collects technical ",
 "information about your organization's use of VMware ",
 "products and services on a regular basis in association ",
 "with your organization's VMware license key(s). This ",
 "information does not personally identify any individual. ",
 "",
 "Additional information regarding the data collected ",
 "through CEIP and the purposes for which it is used by ",
 "VMware is set forth in the Trust & Assurance Center at ",
 "http://www.vmware.com/trustvmware/ceip.html . If you ",
 "prefer not to participate in VMware's CEIP for this ",
 "product, you should disable CEIP by setting ",
 "'ceip.enabled': false. You may join or leave VMware's ",
 "CEIP for this product at any time. Please confirm your ",
 "acknowledgement by passing in the parameter ",
 "--acknowledge-ceip in the command line.",
 "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
 ]
 },
 "settings": {
 "ceip.enabled": true
 }
 }
}

Step 2: Deploy the VCSA

Open a PowerShell window and run the vcsa-deploy.exe from the  VCSA ISO with the path to the JSON file appended to the end (as shown).

For vCenter 6.0

<DRIVE>:\vcsa-cli-installer\win32\vcsa-deploy.exe c:\temp\<json-file> --accept-eula

For vCenter 6.5

<Drive>:\vcsa-cli-installer\win32\vcsa-deploy.exe install C:\temp\<json-file> --accept-eula --acknowledge-ceip

1

There will be a prompt asking you to accept the SSL certificate of the ESXi host you’re deploying to.  Type yes and press Enter.

2
Accept the fingerprint

The isntaller will now deploy the VCSA image, boot the VM and configure based on your settings.  NOTE: Depending on your storage this can take a VERY long time to deploy and an equally long time to configure and boot for the first time (up to 30 mins).

3
Example output (note the DNS error near the top NOT killing the process)

Once the deployment is complete you should be able to open a browser window to the VCSA and log in using the administrator@vsphere.local account.

https://<IP-Address-VCSA>/vsphere-client/

Ignore the security certificate warning and add it to your exceptions list.

4

Enter your logon credentials as specified in the JSON file earlier. Press Logon.

5

You have now deployed and logged on to the VCSA.  The main screen (below, known as the vsphere Web Client) should now be visible.  Next up we need to add the ESXi hosts to the VCSA so it can manage and configure them.

6

Step 3: Create a Datacenter, Cluster and Add ESXi Hosts to VCSA

Going forward I will be showing the processes to set up the basics of vCenter via the GUI as, at this point, it gives a better understanding on how things fit together.  You sgould know that all these steps are possible via the command line (PowerCLI) which is quicker but requires you to know what you want to do.

Now that you are in the VCSA webclient we can start to configure it to manage our environment.  All vSphere administration and configuration is done via the VCSA.  Indeed, once a host is added to the VCSA it will warn you that nothing should be changed if you log on locally to a host.

First order of bnusiness is to create a new Datacenter.  This is a top level logical container for clusters of ESXi hosts.

Right click on the VCSA in the left hand pane and select New Datacenter from the contexrt menu.

7

Enter a friendly name for this Datacenter and Press Ok.

8

You’ll now see that the created Datacenter object appears in the left hand pane of the vSphere web client. Again, right-click and select  New Cluster from the context menu.

9

This brings up a nicly detailed set of options that can be turned on for a cluster.  Give the cluster a sensible name and make sure you turn on DRS and HA.  EVC is optional but nice.

DRS (Dynamic Resource Scheduling) is VMware’s technology for load balancing VMs across all the hosts in the cluster. It can mopve VMs between hosts to allow better usage of available resources.  It’s an awesome feature and should definitly be turned on.  You can leave the defaults for it’s actual configuration and feel safe it wont break anything.

HA (High Availability) monitors VMs to see if they are responsive.  If a host goes down (for example) and HA is turned on the VMs on the downed host will be powered up on the remaining hosts in a crash consistent state.  Not essential for a LAB environment but worth playing with none the less.

EVC (Enhanced vMotion Compatibility) is a nice little feature that allows the movement of VMs across hosts that have CPUs from different generations with different capabilities.  It does this by limiting the CPU feature set used to the lowest common denominator in teh cluster.  Especially handy in Labs if you’re building them up over a period of months an years and might have different hardware.

SnapCrab_NoName_2016-6-17_14-46-58_No-00

After Pressing OK you should now have the Datacenter and Cluster Object visible in Virtual Center.

SnapCrab_NoName_2016-6-17_17-8-13_No-00

Now we need to add a host to the cluster.  Right click on the Cluster and select Add Host.  This will bring up a wizard to add in a host.  Type the IP (if no DNS is set up) or the Hostname (if DNS is set up) of the first host you want to add and select Next.

NOTE: As always I reomend using the hostname to add your host in as vSphere is sensitive to DNS working correctly for advance functions and adding by hostname implicitly verifies that everything is working correctly10

Type the username (root) and the password for this account and click Next.11

You may get the standard certificate warning when connecting to a host for the first time.  Click Yes.

12

A Summary page is displayed. Click Next.

13

You now should assign a licence.  As this is a lab we’re going to use the trial period evaluation mode licence.  Select it and click Next.

14

You now have to chose wether to enable Lockdown mode.  Lockdown mode, as it says, prevents users from logging directly in to the host. i.e. all access has to be via vCenter.  As this is a lab and we’re going to want to play around, keep this disabled.  Click Next.

15

Continue now through the wizard to the end accepting the defaults.  This will put any VMs on the host (just vCSA really) in to the clusters default resource pool (this is fine).  When your done, repeat for the other hosts you have installed ESXi on.  You’ll end up with something like this.

SnapCrab_NoName_2016-6-17_17-25-0_No-00

Step 4 – Removing those Errors and Warnings

You’ll probably notice that now the cluster is set up there may be some warnings displayed.  Most probably it’s the ones shown below (if you dont have some or all of these, no matter, skip that part).  At this point it’s usually relating to:

SSH Enabled: We deliberatly did this so no worries there.
No CoreDump Target: We need to fix this.
Syslogs on Non persistent storage: We need to fix this also.

18

Fixing the “Syslogs on non persistent storage” is possible in one step.  Select the first host in the cluster and click:
For vSphere 6.5: Configure > System >Advanced System Settings.
For vSphere 6.0: Manage tab.  Then select the Settings sub-tab and Advanced System Settings from the left hand list.

Scroll down and select the setting labelled Syslog.global.logDir

SnapCrab_NoName_2016-6-17_17-27-36_No-00.png

Right click this setting and select Edit Option

20

Change the value to match something like that shown below.  I’ve redirected the logs to Datastore1.  NOTE: when editing this value the “[  ]” MUST be kept and the name inside them is case and space sensitive.  It must match EXACTLY the name of the Datastore. Click Save.  Repeat for the other hosts in the cluster.  I like to target each host to a different Datastore.  If you only have the one Datastore target the logs to a seperate folder to avoid confusion.

21

Now reboot the vCenter appliance and the error relating to the logging should dissappear.

Fixing the CoreDump Error via Command Line

IConfiguring the Coredump location is done via the ESXi command line.  You’ll need to log on to the ESXi Shell via SSH (use PuTTY (Windows) or iTerm (Mac)) and run the following commands to check, look and set the coredump partition.  SSH should be enabled already on your ESXi hosts sa we ensured not to turn it off in setup.

So, if ESXi is complaining that no coredump partition is set you should be able to run the following command and verify this is the case.

esxcli system coredump partition get

This wil show something similar to that shown below (showing that a partition is configured but not active in this case).  NOTE: it may also show a blank entry for both, this is fine.

22

If the configured partition is not the device you wanted or is blank you can run the following commands to show the available partitions and then set the system to use the desired one.

esxcli system coredump partition list

this will show a list of the available partitions the system can use.  make a note of the “mpx.vmhbaxx.Cx:Tz:Lx” part of the partition you’ll want to use as it is required in the next step.

We can relate this string back to something more physical by checking the storage adapters section on the host in vCenter.  In this case you can see that vmhba33 maps to the USB Storage Controller (i.e. the USB stick ESXi is instalaled on).

24

If you need to set a new partition as the target (i.e. Configured was blank).  You can now run the command:

esxcli system coredump partition set --partition="mpx.vmhbaxx.Cx.Tz.Ly"
esxcli system coredump partition set -enable true

This will configure the coredump to the partition of your choice.  You’ll need to reboot ESXi to make the change active.

If the correct partition was configured, but not active, simply set it to active by entering the command below and rebooting ESXi:

esxcli system coredump partition set -enable true

After the reboot you can check everything is correct by running:

esxcli system coredump partition get

Now you can see that the active partition is the same as the configured one and everything is ready to carry on.

23

Fixing the SSH Is Enabled Error

The final warning we see was about the ESXi Secure Shell (SSH) being active.  As mentioned before we probably want this running in a lab but, if you want to know how to remove it, the steps to disable this are shown below.

25

Simply select the host with the warning in the left pane of the vCenter webclient and then select the Manage tab.   Now select the Security Profile item in the left bar (you’ll need to scroll down), select services area and click edit button.  Select SSH and Stop the service.

Next Steps

Thats the end of the deployment and basic setup of vCenter and ESXI.  You should now have a working ESXi cluster and vCenter and be able to deploy simple VMs all on a single network and get going.  Next up we will cover the configuration of more advanced networking and authentication within vCenter (using a distributed switch over multiple standard switches, joining the lab to a domain) and how to set up vMotion and other cool features of vSphere.