VCP6 DCV Study Guide ESX Virtualization PDF
[UNOFFICIAL]
By Vladan SEGET
www.vladan.fr
Contents
VCP6-DCV Objective 1.1 – Configure and Administer Role-based Access Control
VCP6-DCV Objective 1.2 – Secure ESXi, vCenter Server, and vSphere Virtual Machines
VCP6-DCV Objective 2.1 - Configure Advanced Policies/Features and Verify Network Virtualization Implementation
VCP6-DCV Objective 3.3 - Configure vSphere Storage Multi-pathing and Failover
VCP6-DCV Objective 3.4 - Perform Advanced VMFS and NFS Configurations and Upgrades
VCP6-DCV Objective 3.5 - Setup and Configure Storage I/O Control
VCP6-DCV Objective 4.1 - Perform ESXi Host and Virtual Machine Upgrades
VCP6-DCV Objective 6.1 - Configure and Administer a vSphere Backups/Restore/Replication Solution
VCP6-DCV Objective 7.1 - Troubleshoot vCenter Server, ESXi Hosts, and Virtual Machines
VCP6-DCV Objective 7.2 - Troubleshoot vSphere Storage and Network Issues
VCP6-DCV Objective 7.4 - Troubleshoot and Monitor vSphere Performance
VCP6-DCV Objective 7.5 - Troubleshoot HA and DRS Configurations and Fault Tolerance
VCP6-DCV Objective 8.1 - Deploy ESXi Hosts Using Autodeploy
VCP6-DCV Objective 8.3 - Consolidate Physical Workloads using VMware Converter
VCP6-DCV Objective 9.2 - Configure Advanced vSphere DRS Features
VCP6-DCV Objective 10.1 - Configure Advanced vSphere Virtual Machine Settings
VCP6-DCV Objective 10.2 - Create and Manage Multi-Site Content Library
VCP6-DCV Objective 10.3 - Configure and Maintain a vCloud Air Connection
VCP6-DCV OBJECTIVE 1.1 – CONFIGURE AND ADMINISTER ROLE-BASED ACCESS CONTROL
Today's goal is to cover VCP6-DCV Objective 1.1 - Configure and Administer Role-based Access
Control. The VMware VCP exam is a gold standard of VMware certification exams. VCP is the best-known VMware
exam, even if it's not the highest technical level.
But it's the most recognized, by future employers and by the industry as a whole. We will cover the VCP6-DCV certification
exam based on the latest VMware VCP6-DCV blueprint. Check the VCP6-DCV page for all objectives.
There are roles and privileges. A role is a collection of privileges assigned to a group or a user. There are a certain number
of out-of-the-box (predefined) roles when we look at the vSphere client > Roles. You can keep them, clone them,
delete or edit them.
Four different types of permissions
There are not only vCenter Server permissions, like the ones above, but also local permissions for ESXi. The full list:
Global Permissions – Global permissions are applied to a global root object that spans solutions. Assigning
permissions via the global root propagates them to the other products relying on SSO (vCO, vROPS, vCD..)
vCenter Server Permissions – Hierarchical model. A permission gives you a certain number of privileges, similar
to Microsoft's AD. You select an object > assign a role to a group of users > to give them privileges on that object.
Group Membership in vSphere.local Groups – The vsphere.local domain includes several predefined groups.
Assign users from AD (if you're using AD) to one of those groups to be able to perform the corresponding
actions.
For some services that are not managed by vCenter Server directly, privileges are determined by membership
to one of the vCenter Single Sign-On groups. For example, a user who is a member of the Administrator group
can manage vCenter Single Sign-On. A user who is a member of the CAAdmins group can manage the VMware
Certificate Authority, and a user who is in the LicenseService.Administrators group can manage licenses.
Note: to be able to find the AD groups it's necessary to add Identity sources via:
Home > Administration > Single Sign-On > Configuration > Identity sources.
The user administrator@vsphere.local can perform tasks that are associated with services included with the Platform Services
Controller.
ESXi Local Host Permissions – If you are managing a standalone ESXi host that is not managed by a vCenter
Server system, you can assign one of the predefined roles to users.
If you deselect Propagate to children, the objects further down the hierarchy won't be accessible by that particular
user/group. (It's like when you manage NTFS permissions on Windows servers and you uncheck the inheritance check
box.) Permissions are applied directly and propagated to children by default.
If you click the "View Children" link, it'll show you all the children to which the permission will apply (if
"Propagate to children" is selected).
Inheritance of Multiple Permissions - What if a user is a member of more than one group? Then the combined privileges
within the roles apply. The example below shows a user who is a member of both groups.
Child permissions override Parent permissions - Permissions applied on a child object always override
permissions that are applied on a parent object. See examples P. 119 of vSphere Security Guide.
Ex. Role 1 can power on VMs and Role 2 can take snapshots.
Group A is granted Role 1 on VM folder and permissions propagate to child objects
Group B is granted Role 2 on VM B
User 1, who belongs to groups A and B, logs on. Because Role 2 is assigned at a lower point in the hierarchy than Role
1, it overrides Role 1 on VM B. User 1 can power on VM A, but not take snapshots. User 1 can take snapshots of VM B,
but not power it on.
User role overriding group role - if two permissions are defined on the same object.
Permissions are on the same object. One permission is granted to a group, the other to a user who at the same time
is a member of the group. Role 1 can power on VMs. Group A is granted Role 1 on VM folder and at the same time User 1 is
granted the No Access role on VM folder.
User 1, who belongs to group A, logs on. The No Access role granted to User 1 on VM Folder overrides the role assigned
to the group. User 1 has no access to VM Folder or VMs A and B.
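The three rules above (combined group privileges, child overriding parent, user overriding group) can be checked with a small model. This is an added example, not code from the original guide or from VMware; it is a simplified model of the rules as stated here, and the privilege labels power_on and snapshot are constructed stand-ins for real vSphere privileges.

```python
from dataclasses import dataclass

# Constructed roles matching the worked examples on this page.
ROLES = {
    "Role 1": {"power_on"},
    "Role 2": {"snapshot"},
    "No Access": set(),
}


@dataclass(frozen=True)
class Permission:
    principal: str        # user or group name
    role: str
    propagate: bool = True


class Inventory:
    """Object tree with permissions attached to individual objects."""

    def __init__(self):
        self.parent = {}  # object -> parent (None for the root)
        self.perms = {}   # object -> [Permission, ...]

    def add(self, obj, parent=None):
        self.parent[obj] = parent
        self.perms[obj] = []

    def grant(self, obj, principal, role, propagate=True):
        self.perms[obj].append(Permission(principal, role, propagate))

    def effective_privileges(self, user, groups, obj):
        """Walk from obj towards the root; the nearest level with a match wins."""
        node, on_object = obj, True
        while node is not None:
            # An ancestor's permission only counts if it propagates to children.
            applicable = [p for p in self.perms[node] if on_object or p.propagate]
            direct = [p for p in applicable if p.principal == user]
            by_group = [p for p in applicable if p.principal in groups]
            # A user permission beats group permissions on the same object;
            # several group permissions on the same object are combined.
            winners = direct or by_group
            if winners:
                return set().union(*(ROLES[p.role] for p in winners))
            node, on_object = self.parent[node], False
        return set()  # nothing applies: no access


def vm_folder_tree(grants):
    """VM Folder holding VM A and VM B; grants are (object, principal, role, propagate)."""
    inv = Inventory()
    inv.add("VM Folder")
    inv.add("VM A", "VM Folder")
    inv.add("VM B", "VM Folder")
    for obj, principal, role, propagate in grants:
        inv.grant(obj, principal, role, propagate)
    return inv


def resolve(inv, groups):
    return {vm: inv.effective_privileges("User 1", groups, vm) for vm in ("VM A", "VM B")}


def multiple_groups():
    inv = vm_folder_tree([("VM Folder", "Group A", "Role 1", True),
                          ("VM Folder", "Group B", "Role 2", True)])
    return resolve(inv, {"Group A", "Group B"})


def child_overrides_parent():
    inv = vm_folder_tree([("VM Folder", "Group A", "Role 1", True),
                          ("VM B", "Group B", "Role 2", True)])
    return resolve(inv, {"Group A", "Group B"})


def user_overrides_group():
    inv = vm_folder_tree([("VM Folder", "Group A", "Role 1", True),
                          ("VM Folder", "User 1", "No Access", True)])
    return resolve(inv, {"Group A"})


def not_propagated():
    inv = vm_folder_tree([("VM Folder", "Group A", "Role 1", False)])
    return resolve(inv, {"Group A"})


if __name__ == "__main__":
    for scenario in (multiple_groups, child_overrides_parent,
                     user_overrides_group, not_propagated):
        print(scenario.__name__, scenario())
```

The not_propagated case goes beyond the three examples in the text and covers the deselected "Propagate to children" box described earlier.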
You can export the selected items or all items to a CSV file, or copy them to the clipboard. You can also use CTRL+Click to copy to
the clipboard.
ADD/MODIFY/REMOVE PERMISSIONS FOR USERS AND GROUPS ON VCENTER SERVER INVENTORY OBJECTS
To modify/add permissions you must select an object > Manage > Permissions.
Then you can use the Delete, Edit or Add icons there...
Administrator
Read-Only
No Access
vSphere Security Guide (p. 121).
DETERMINE THE CORRECT ROLES/PRIVILEGES NEEDED TO INTEGRATE VCENTER SERVER WITH
OTHER VMWARE PRODUCTS
Global permissions are applied to a global root object that spans solutions, for example, both vCenter Server and
vCenter Orchestrator. Use global permissions to give a user or group privileges for all objects in all object hierarchies.
P. 122
DETERMINE THE APPROPRIATE SET OF PRIVILEGES FOR COMMON TASKS IN VCENTER SERVER
Tools:
VCP6-DCV OBJECTIVE 1.2 – SECURE ESXI, VCENTER SERVER, AND VSPHERE VIRTUAL
MACHINES
This post covers VCP6-DCV Objective 1.2 - Secure ESXi, vCenter Server, and vSphere Virtual Machines. A very
interesting chapter indeed, where we cover all the "locks" which an admin can put in place to secure his/her
environment. And you don't have to be a Linux expert, as all this is done without much difficulty!
For whole exam coverage I created a dedicated VCP6-DCV page. Or if you're not preparing to pass a VCP6-DCV, you
might just want to look at some how-to, news, videos about vSphere 6 - check out my vSphere 6 page. If you find out
that I missed something, don't hesitate to comment.
Knowledge
HOW TO ENABLE/DISABLE SERVICES IN THE ESXI FIREWALL - THE EASY WAY (VIA VSPHERE CLIENT)
Note that you can do the same by selecting the host through vSphere client > configuration > security profile >
Firewall
Services can be Started, Stopped, or Restarted. Services can be configured to Start and stop with host, Start and stop
manually, or Start and stop with port usage.
ESXi Shell and SSH are disabled (Set to Start and stop manually) by default. ESXi Shell and SSH can be enabled/disabled
in the DCUI from the Troubleshooting Mode Options menu.
ENABLE LOCKDOWN MODE
When you enable lockdown mode, you can't connect directly from the console. The host is accessible only through the
vSphere client directly or via vCenter server.
Lockdown Modes:
dcui
vSphere 6 introduced "Exception users", which are users with local accounts or Microsoft Active Directory accounts
with permissions defined locally on the host where these users have host access. You can define those exceptions
locally on the host; this is not recommended for normal user accounts, but rather for service accounts. You should
set permissions on these accounts to the strict minimum, only what’s required for the application to do its task, and
use an account that needs only read-only permissions to the ESXi host.
This is basically the same principle as local server accounts on a Windows member server, where you can create local
accounts, but as a best practice you give them only the permissions they need…
Smart Card Authentication to DCUI – There is a new function, but apparently it is for U.S. federal customers only. It
allows DCUI login access using a Common Access Card (CAC) and Personal Identity Verification (PIV). In this case
the ESXi host must be part of Microsoft AD.
vSwitch level
Portgroup level
Promiscuous mode – If set to Accept, it allows the guest OS to receive all traffic observed on the
connected vSwitch or PortGroup (the switch basically becomes a hub, with all the inconveniences: packet
collisions, performance degradation, etc.). By default it's Reject.
MAC address changes – A host is able to accept requests to change the effective MAC address to a different
address than the initial MAC address. By default it's Accept.
Forged transmits – A host does not compare source and effective MAC addresses transmitted from a virtual
machine. By default it's Accept.
If MAC address changes and Forged transmits are set to Reject, this protects against MAC address spoofing. If changing
the settings at the Portgroup level, there is an Override checkbox allowing you to set the policy on a portgroup rather
than on the vSwitch.
A special AD group named "ESX Admins" should be manually created before the host is joined to AD. Why?
Because this way all members of this group (ESX Admins) are automatically assigned the Administrator
role on the host when this host is joined to AD. If not, the permissions have to be applied manually.
vSphere web client > Hosts and clusters > Select ESXi host > Manage > Settings > Authentication services.
Host profiles are a very cool feature allowing you to homogenize configuration across ESXi hosts and automate compliance.
In some cases, host profiles can also be useful when, for example, you need to reset the ESXi root password on a host.
Check the vSphere Security guide (PDF) on p. 133, but basically this procedure applies:
3. Apply the host profile of the reference host to other hosts or clusters.
If you haven't done so yet, go to Home > Host profiles > Extract profile from host. Once you have that profile you can
apply it to a host...
Select the host profile > Click Actions > Edit Host Profile (or right click > edit settings)
Expand Security and Services
Select the Permission Rules folder > click the Plus Sign
The root password is encrypted within the host profile; however, joining hosts to AD via host profiles leaves the password
in plain text... -:(.
VMs are fragile. The same goes for the guest OS. Treat them accordingly ... -:). Seriously, you should patch to the latest release
for the OS patches, antivirus patches and/or malware patches.... That's a bare minimum to prevent system corruption.
Prevent virtual machines from taking over resources
Disable unnecessary functions inside virtual machines - usually Windows/Linux services can be stopped, to put
them on manual instead of automatic startup, etc..
Remove unnecessary hardware devices - floppy, printers, sound devices... All you don't need you can remove
to have lower overhead.
Disable unused display features
Disable unexposed features
Disable HGFS file transfers
Disable copy and paste operations between guest operating system and remote console (disabled by default
at the per-host level, but you can add advanced settings:)
isolation.tools.copy.disable = true
isolation.tools.paste.disable = true
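To check these settings across many VMs, the .vmx text can be audited offline. The following is an added example, not part of the original guide: the two copy/paste keys come from the list above, while the HGFS and floppy keys and the sample file are assumptions introduced for the list items that are named without a setting.

```python
import re

# (setting, expected value, acceptable when the key is absent)
# The two copy/paste keys are the ones given on this page. The HGFS and floppy
# keys are assumptions added here for list items the page names without a key.
BASELINE = [
    ("isolation.tools.copy.disable", "true", False),
    ("isolation.tools.paste.disable", "true", False),
    ("isolation.tools.hgfsServerSet.disable", "true", False),
    ("floppy0.present", "false", True),
]

# key = "value" (the quotes are optional); keys are compared case-insensitively
ENTRY = re.compile(r'^([^\s=#][^=]*?)\s*=\s*"?(.*?)"?$')


def parse_vmx(text):
    """Return ({lower-cased key: value}, [keys defined more than once])."""
    settings, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ENTRY.match(line)
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2)
        if key in settings and key not in duplicates:
            duplicates.append(key)
        settings[key] = value
    return settings, duplicates


def audit_vmx(text):
    """Return a list of (setting, found, expected) findings; empty means compliant."""
    settings, duplicates = parse_vmx(text)
    findings = []
    for name, expected, ok_if_absent in BASELINE:
        actual = settings.get(name.lower())
        if actual is None:
            if not ok_if_absent:
                findings.append((name, "not set", expected))
        elif actual.lower() != expected:
            findings.append((name, actual, expected))
    # Duplicates are reported rather than resolved: the file is ambiguous.
    findings += [(key, "defined more than once", "one definition") for key in duplicates]
    return findings


# Constructed sample, not taken from a real VM.
SAMPLE_VMX = """\
.encoding = "UTF-8"
displayName = "app01"
# copy is locked down, paste is not, and a floppy device is still attached
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "FALSE"
floppy0.present = "TRUE"
Isolation.Tools.Paste.Disable = "FALSE"
"""

if __name__ == "__main__":
    for setting, found, expected in audit_vmx(SAMPLE_VMX):
        print(f"{setting}: found {found!r}, expected {expected!r}")
```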
1. Click Administration and select Roles > click create role > NO Guest Access > select all privileges
2. Deselect All Privileges >Virtual machine > Guest Operations to remove the Guest Operations set of privileges >
validate OK.
To view certificates:
The VMware Certificate Authority (VMCA) provisions vCenter Server components and ESXi hosts with certificates that
use VMCA as the root certificate authority by default.
The vSphere Certificate Manager utility allows you to perform most certificate management tasks interactively from
the command line.
vSphere Certificate Manager prompts you for the task to perform, for certificate locations and other information as
needed, and then stops and starts services and replaces certificates for you.
vSphere Certificate Manager utility – certificate replacement tasks from a command line utility.
Certificate management CLIs – dir-cli, certool, and vecs-cli command line utilities.
o certool can generate and manage certificates and keys. Part of VMCA.
o dir-cli is able to create and update certificates in VMware Directory Service. Part of VMAFD.
o vecs-cli can manage the contents of VMware Certificate Store instances. Part of VMAFD.
vSphere Web Client certificate management – view certificate information in the Web Client
Tools
For whole exam coverage I created a dedicated VCP6-DCV WordPress page. If you are just looking for some how-to, news,
or videos about vSphere 6, check out my vSphere 6 page. vSphere 6 grew quite big compared to the vSphere 5.5 release,
but simplified the deployment and management. The vSphere Web client is more present and used in this release, as the
legacy C# client does not allow you to configure advanced configuration options and functions like SSO, FT, VSAN
Identify available authentication methods with VMware vCenter
Step 1: Connect to your vCenter server by entering the IP address you entered during the deployment
process, using administrator@vsphere.local as the user name and the password you used during the
deployment.
And then go to Single Sign-On > Configuration > Identity Sources > Click the "+" sign to add your AD as an identity
source. Normally it will populate your local AD automatically, so you just have to click the OK button...
You can also click the globe icon to make the AD as the default while you're there...
Go to Home > vCenter Inventory Lists > vCenter Servers > vCenter.lab.local (in my case) > Click the Manage Tab >
Permissions
There you click the "+" sign > Add button > make sure that you select the drop-down for your Microsoft AD to make
the Domain admin user appear...
Click OK to validate. You can disconnect and connect as domain admin now... Note that in case your workstation is
part of Microsoft AD, you just have to check the box and no need to enter your domain user password... -:)
Some of you might wonder why there is this Single Sign-On. The vCenter Single Sign On is an authentication service
which allows the different vSphere software components present in the vCloud suite, to communicate between each
other via a secure token exchange mechanism.
Certificate Authority (VMCA)
You can deploy it at the same time or apart, and you can deploy it as Windows based or Appliance based (VCSA). It's
important to know that PSC is completely transparent working with Windows or VCSA based vCenter!
The embedded PSC is meant to be used for standalone sites where vCenter server will be the only SSO integrated
solution. In this case a replication to another PSC is not necessary.
External PSC shall be deployed in environments where there is more than one SSO enabled solution (vCenter Server,
vRealize Automation, etc…) OR where replication to another PSC (another site) is necessary.
Here is the screenshot from the installation process (VCSA) showing the different options and changing the options
also changes the different phases of the deployment (on the left).
PSC features:
DEPLOYMENT OPTIONS:
Embedded Platform Service Controller
All services bundled with the Platform Services Controller are deployed on the same virtual machine or
physical server as vCenter Server.
External Platform Service Controller
The services bundled with the Platform Services Controller and vCenter Server are deployed on different
virtual machines or physical servers.
Recommended reads:
VMware vSphere Blog - vCenter Server 6 Deployment Topologies and High Availability.
VMware KB - Recommended topologies for vSphere 6.0.x (2108548).
When you first install vSphere, the default certificates are deployed with 10 years of life span. The VMCA generates
those self-signed certs during the installation process, and provisions each of the ESXi host with a signed certificate
by this root certificate authority. Earlier versions of vSphere with self-signed certificates are automatically replaced
by new self-signed certificates by VMCA.
Default - VMCA as cert authority where VMCA issues certs for your hosts.
Custom - you can override and issue certs manually via VMCA
Thumbprint mode - this way you keep certs from vSphere 5.5
To check this go to the View Support Information after logging to your ESXi host:
WHERE TO CHECK THE CERTIFICATES IN WEB CLIENT?
Home -> System Configuration -> Nodes -> Node -> Manage -> Certificate Authority
Note: If you're not a member of the SystemConfiguration.Administrators group, then you might want to add yourself there.
If of course you're connecting as a domain administrator....
Password Policy
Lockout Policy
Token Policy
PASSWORD POLICY
To get to this screen you must click Administration > Single Sign-On > Configuration
By clicking the Edit button you are able to change values there…
If you leave the default values and want to log in after 90 days, you might end up with messages saying that:
Those SSO policies are pretty much the same as in vSphere 5.5, but with a difference that in vSphere 5.5 we also had
an administrator password expiry on the vCenter server appliance (VCSA). The VCSA 6.0 is pretty much locked out and
the GUI we use to manage VCSA accessible via the port 5480 is no longer available.
Lockout Policy
Specifies the condition under which a vCenter SSO account is locked when the user attempts to log in with incorrect
credentials. Five login attempts and three minutes between failures are set by default. This policy also specifies the
time that must elapse before the account is automatically unlocked.
To see the lockout policy parameters, click on the Policies tab and select Lockout Policy:
Token Policy - also interesting as for example the Clock tolerance shows time difference, in milliseconds, that vCenter
Single Sign-On tolerates between a client clock and the domain controller clock. If the time difference is greater than
the specified value, vCenter Single Sign-On declares the token invalid.
Other configuration options:
Maximum token renewal count – Maximum number of times that a token can be renewed. After the
maximum number of renewal attempts, a new security token is required.
Maximum token delegation count – Holder-of-key tokens can be delegated to services in the vSphere
environment. A service that uses a delegated token performs the service on behalf of the principal that
provided the token. A token request specifies a DelegateTo identity. The DelegateTo value can either be a
solution token or a reference to a solution token. This value specifies how many times a single holder-of-key
token can be delegated.
Maximum bearer token lifetime – Bearer tokens provide authentication based only on possession of the
token. Bearer tokens are intended for short-term, single-operation use. A bearer token does not verify the
identity of the user or entity that is sending the request. This value specifies the lifetime value of a bearer
token before the token has to be reissued.
Maximum holder-of-key token lifetime – Holder-of-key tokens provide authentication based on security
artifacts that are embedded in the token. Holder-of-key tokens can be used for delegation. A client can obtain
a holder-of-key token and delegate that token to another entity. The token contains the claims to identify the
originator and the delegate. In the vSphere environment, a vCenter Server obtains delegated tokens on a
user’s behalf and uses those tokens to perform operations. This value determines the lifetime of a holder-of-
key token before the token is marked invalid.
AD integrated (preferred)
Active Directory LDAP
Open LDAP
Local OS
Yep, you can obviously use Local OS option only if you don't want to interconnect with your AD (for security reasons
or isolation purposes).
Check How-to, news, videos and tutorials at my vSphere 6 page too or check Free VMware tools page.
You can follow the VCP6-DCV study guide built through my VCP6-DCV page. When finished, there will be a PDF version
which will get its proper formatting for better reading experience. We're more than half way through right now, and
the work continues. Let's kick on with this chapter!
vSphere Knowledge
The vDS separates the data plane and the management plane. The data plane resides on the ESXi host, but
the management plane moves to vCenter server. The data plane is called the host proxy switch.
NetFlow Support - NetFlow is used for troubleshooting; it picks a configurable number of samples of network
traffic for monitoring.
PVLAN Support - PVLAN is able to get more from VLANs (which are limited in number), and you can use these
PVLANs to further segregate your traffic and increase security. (Note: Enterprise Plus licensing required! Check
my detailed post on PVLANs here.)
Ingress and egress traffic shaping - Inbound/outbound traffic shaping, which allows you throttle bandwidth
to the switch.
VM Port Blocking - can block VM ports in case of viruses or troubleshooting...
Load Based Teaming - LBT is an additional load balancing that works off the amount of traffic a queue is
sending
Central Management across cluster - vDS can create the config once and push it to all attached hosts...so you
don't have to go to each host one-by-one...
Per Port Policy Settings - It's possible to override policies at a port level, which gives you more control
Port State Monitoring - This feature allows each port to be monitored separately from other ports
LLDP - Adds support for Link Layer Discovery Protocol
Network IO Control - possibility to set priority on port groups and reserve bandwidth for VMs connected to
this port group. Check the detailed chapter on NIOC here: Objective 2.2: Configure Network I/O Control (NIOC)
LACP Support - LACP (Link aggregation control protocol) ability to aggregate links together into a single link
(your physical switch must support it!)
Backup/Restore Network config - It's possible to backup/restore network config at the vDS level (Not new!
It's here since 5.1! - save and restore network config...)
Port Mirroring - Allows monitoring and can send all traffic from one port to another
Stats stays at the VM level - statistics move with the VM even after vMotion.
Select how many uplinks, specify if you want to enable Network I/O control and rename the default port group (not
mandatory)...
ADD/REMOVE ESXI HOSTS FROM A VSPHERE DISTRIBUTED SWITCH
You can add/remove ESXi hosts from vDS to manage their networking (or not) from a central location. The good thing
is that you can analyse impact before breaking a connectivity, so you're able to see the impact. The impact can be as
follows:
No Impact
Important impact
Critical Impact
Next...
To remove a port group. Simple. Right click on the port group > delete...
ADD/REMOVE UPLINK ADAPTERS TO DVUPLINK GROUPS
Again, right click is your friend... -:)
If you want to add/remove (increase or decrease) number of uplinks you can do so by going to the properties of the
vDS.
And on the next screen you can do that... Note that at the same time you can give different names to your uplinks...
CONFIGURE VSPHERE DISTRIBUTED SWITCH GENERAL AND DVPORT GROUP SETTINGS
General properties of vDS can be reached via Right click on the vDS > Settings > Edit settings
Port binding properties (at the dvPortGroup level - Right click port group > Edit Settings)
Static binding - Assigns a port to a VM when the virtual machine is connected to the PortGroup.
Dynamic binding - it's kind of deprecated. For best performance use static binding
Ephemeral – no binding
Port allocation:
Elastic - Increases or decreases on-the-fly... 8 at the beginning (default). Increases by 8 when needed.
Fixed - There are 128 by default.
vSphere Web Client > Host and Clusters > Select Host > Manage > Networking > VMkernel adapters
vMotion traffic
Provisioning traffic
Fault Tolerance (FT) traffic
Management traffic
vSphere Replication traffic
vSphere Replication NFC traffic
VSAN traffic
Migrate VMs to vDS. Right click vDS > Migrate VM to another network
Make sure that you previously created a distributed port group with the same VLAN that the current VM is running...
(in my case the VMs run at VLAN 7)
Pick a VM...
Done!
vSphere Web Client > Networking > vDS > Manage > Settings > LACP
LAG Mode can be:
Passive - where the LAG ports respond to LACP packets they receive but do not initiate LACP negotiations.
Active - where LAG ports are in active mode and they initiate negotiations with LACP Port Channel.
Note that you must configure the LNB hashing same way on both virtual and physical switch, at the LACP port channel
level.
DESCRIBE VDS SECURITY POLICIES/SETTINGS
Promiscuous mode – Reject by default. If you set it to Accept, the guest OS will receive all traffic
observed on the connected vSwitch or PortGroup.
MAC address changes – Reject by default. If you set it to Accept, the host will accept requests to
change the effective MAC address to a different address than the initial MAC address.
Forged transmits – Reject by default. If you set it to Accept, the host does not compare source
and effective MAC addresses transmitted from a virtual machine.
Network security policies can be set on each vDS PortGroup.
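How the three settings decide what happens to a frame, for both the standard vSwitch defaults listed under Objective 1.2 and the vDS defaults listed here, is shown in the model below. It is an added example, not code from the original guide or from VMware: the MAC addresses are constructed, multicast is left out, and the drop behaviour on Reject follows the comparisons described in the two lists.

```python
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
FIELDS = ("promiscuous", "mac_changes", "forged_transmits")


@dataclass(frozen=True)
class SecurityPolicy:
    promiscuous: bool        # True = Accept, False = Reject
    mac_changes: bool
    forged_transmits: bool


# Defaults as listed on this page for a standard vSwitch and for a vDS.
VSS_DEFAULT = SecurityPolicy(promiscuous=False, mac_changes=True, forged_transmits=True)
VDS_DEFAULT = SecurityPolicy(promiscuous=False, mac_changes=False, forged_transmits=False)


@dataclass(frozen=True)
class Override:
    """Port group Override checkboxes; None means inherit from the switch."""
    promiscuous: Optional[bool] = None
    mac_changes: Optional[bool] = None
    forged_transmits: Optional[bool] = None


def effective_policy(switch, override=Override()):
    """Port group values win where the Override box is ticked."""
    values = {}
    for field in FIELDS:
        overridden = getattr(override, field)
        values[field] = getattr(switch, field) if overridden is None else overridden
    return SecurityPolicy(**values)


@dataclass(frozen=True)
class VNic:
    initial_mac: str      # MAC assigned in the VM configuration
    effective_mac: str    # MAC the guest OS has set on the adapter


def check_transmit(policy, nic, frame_src):
    """Outbound: Forged transmits = Reject compares source MAC with effective MAC."""
    if not policy.forged_transmits and frame_src.lower() != nic.effective_mac.lower():
        return "drop: forged transmit"
    return "forward"


def check_receive(policy, nic, frame_dst):
    """Inbound: MAC address changes = Reject compares effective MAC with initial MAC."""
    if not policy.mac_changes and nic.effective_mac.lower() != nic.initial_mac.lower():
        return "drop: MAC address change"
    for_me = frame_dst.lower() in (nic.effective_mac.lower(), BROADCAST)
    if not for_me and not policy.promiscuous:
        return "drop: not addressed to this adapter"
    return "deliver"


def accept_findings(name, policy):
    """List every setting left on Accept, for a hardening review."""
    return [f"{name}: {field} is Accept" for field in FIELDS if getattr(policy, field)]


if __name__ == "__main__":
    # Constructed addresses: the guest changed its MAC from ...:01 to ...:99.
    changed = VNic("00:50:56:aa:00:01", "00:50:56:aa:00:99")
    for label, policy in (("vSS default", VSS_DEFAULT), ("vDS default", VDS_DEFAULT)):
        print(label, check_receive(policy, changed, changed.effective_mac),
              check_transmit(policy, changed, "00:50:56:aa:00:42"))
    print(accept_findings("vSwitch0", VSS_DEFAULT))
```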
Port blocking can be enabled on a port group to block all ports on the port group
or you can configure the vDS or uplink to be blocked at the vDS level...
vSphere Web Client > Networking > vDS > Manage > Ports
And then select the port > edit settings > Miscellaneous > Override check box > set Block port to yes.
CONFIGURE LOAD BALANCING AND FAILOVER POLICIES
Route based on IP hash - The virtual switch selects uplinks for virtual machines based on the source and
destination IP address of each packet.
Route based on source MAC hash - The virtual switch selects an uplink for a virtual machine based on the
virtual machine MAC address. To calculate an uplink for a virtual machine, the virtual switch uses the virtual
machine MAC address and the number of uplinks in the NIC team.
Route based on originating virtual port - Each virtual machine running on an ESXi host has an associated
virtual port ID on the virtual switch. To calculate an uplink for a virtual machine, the virtual switch uses the
virtual machine port ID and the number of uplinks in the NIC team. After the virtual switch selects an uplink
for a virtual machine, it always forwards traffic through the same uplink for this virtual machine as long as the
machine runs on the same port. The virtual switch calculates uplinks for virtual machines only once, unless
uplinks are added or removed from the NIC team.
Use explicit failover order - No actual load balancing is available with this policy. The virtual switch always
uses the uplink that stands first in the list of Active adapters from the failover order and that passes failover
detection criteria. If no uplinks in the Active list are available, the virtual switch uses the uplinks from the
Standby list.
Route based on physical NIC load (Only available on vDS) - based on Route Based on Originating Virtual Port,
where the virtual switch checks the actual load of the uplinks and takes steps to reduce it on overloaded
uplinks. Available only for vSphere Distributed Switch. The distributed switch calculates uplinks for virtual
machines by taking their port ID and the number of uplinks in the NIC team. The distributed switch tests the
uplinks every 30 seconds, and if their load exceeds 75 percent of usage, the port ID of the virtual machine with
the highest I/O is moved to a different uplink.
Active uplinks
Standby uplinks
Unused uplinks
CONFIGURE VLAN/PVLAN SETTINGS
Private VLANs allow further segmentation and creation of private groups inside each VLAN. By using private
VLANs (PVLANs) you are splitting the broadcast domain into multiple isolated broadcast “subdomains”.
Private VLANs need to be configured at the physical switch level (the switch must support PVLANs) and also on the
VMware vSphere distributed switch. (Enterprise Plus is required.) It's more expensive and takes a bit more work to
set up.
Promiscuous Primary VLAN – Imagine this VLAN as a kind of a router. All packets from the secondary VLANs
go through this VLAN. Packets also go downstream, so this type of VLAN is used to forward packets
downstream to all Secondary VLANs.
SECONDARY
Isolated (Secondary) – VMs can communicate with other devices on the Promiscuous VLAN but not with other
VMs on the Isolated VLAN.
Community (Secondary) – VMs can communicate with other VMs on Promiscuous and also with those on the
same community VLAN.
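The PVLAN rules above can be turned into a check of a planned segmentation before it is configured. This is an added example, not part of the original guide; the port names, VLAN IDs and the list of pairs that must stay separated are constructed.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Port:
    name: str
    primary: int      # primary (promiscuous) VLAN ID
    kind: str         # "promiscuous", "isolated" or "community"
    secondary: int    # secondary VLAN ID (equals primary for promiscuous ports)


def can_communicate(a, b):
    """Layer 2 reachability between two ports according to the PVLAN rules."""
    if a.primary != b.primary:
        return False                      # different primary VLAN
    if "promiscuous" in (a.kind, b.kind):
        return True                       # everyone reaches the promiscuous port
    if a.kind == b.kind == "community":
        return a.secondary == b.secondary # same community only
    return False                          # isolated ports reach no other secondary port


def reachable_pairs(ports):
    return sorted((a.name, b.name) for a, b in combinations(ports, 2)
                  if can_communicate(a, b))


def segmentation_violations(ports, must_not_talk):
    """Return the pairs from must_not_talk that the design would still allow."""
    by_name = {p.name: p for p in ports}
    return [(x, y) for x, y in must_not_talk
            if can_communicate(by_name[x], by_name[y])]


# Constructed design: one gateway, a web community, a database community,
# and two backup agents that must never see each other.
PORTS = [
    Port("gw", 100, "promiscuous", 100),
    Port("web1", 100, "community", 101),
    Port("web2", 100, "community", 101),
    Port("db1", 100, "community", 102),
    Port("bk1", 100, "isolated", 103),
    Port("bk2", 100, "isolated", 103),
]

if __name__ == "__main__":
    print(reachable_pairs(PORTS))
    print(segmentation_violations(PORTS, [("web1", "db1"), ("bk1", "bk2"), ("web1", "web2")]))
```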
Traffic shaping policy is applied to each port in the port group. You can Enable or Disable the Ingress or egress traffic
Average bandwidth in kbits (Kb) per second - Establishes the number of bits per second to allow across a port,
averaged
Peak bandwidth in kbits (Kb) per second - Maximum number of bits per second to allow across a port when
it is sending or receiving a burst of traffic. This number limits the bandwidth that a port uses when it is using
its burst bonus.
Burst size in kbytes (KB) per second - Maximum number of bytes to allow in a burst. If set, a port might gain
a burst bonus if it does not use all its allocated bandwidth. When the port needs more bandwidth than
specified by the average bandwidth, it might be allowed to temporarily transmit data at a higher speed if a
burst bonus is available
Use TCP Segmentation Offload (TSO) in VMkernel network adapters and virtual machines to improve the network
performance in workloads that have severe latency requirements.
When TSO is enabled, the network adapter divides larger data chunks into TCP segments instead of the CPU. The
VMkernel and the guest operating system can use more CPU cycles to run
applications.
By default, TSO is enabled in the VMkernel of the ESXi host, and in the VMXNET 2 and VMXNET 3 virtual machine
adapters.
There are many places where you can enable jumbo frames, and you should enable them end-to-end. If not,
the performance will not increase, but rather the opposite. Jumbo frames can be enabled on a vSwitch, vDS, and
VMkernel Adapter.
Jumbo frames maximum value = 9000.
There are three main places or three different ways to tag frames in vSphere.
External Switch Tagging (EST) - VLAN ID is set to None or 0 and it is the physical switch that does the VLAN
tagging.
Virtual Switch Tagging (VST) - VLAN set between 1 and 4094 and the virtual switch does the VLAN tagging.
Virtual Guest Tagging (VGT) - the tagging happens in the guest OS. VLAN set to 4095 (vSwitch) or VLAN
trunking on vDS.
The best way to understand this is, I guess, the VMware document called Best Practices for Virtual Networking, and
from there I also "borrowed" this screenshot...
Networking is a big chapter. If I missed something, just comment or email me your suggestion. Thanks...
VDS Network Health Check
vSphere Client / vSphere Web Client
For whole exam coverage I created a dedicated VCP6-DCV page. If you are just looking for some how-tos, news, or videos about
vSphere 6, check out my vSphere 6 page. vSphere 6 grew quite big compared to the vSphere 5.5 release, but simplified
the deployment and management. "White boxing" got more complicated, as drivers for unsupported hardware do not
always work. The vSphere Web Client is more present and used in this release, as the legacy C# client does not allow you to
configure advanced configuration options and functions like SSO, FT, VSAN. Let's get started.
vSphere Knowledge
THE REQUIREMENTS :
vSphere Web Client > Networking > vDS > Manage > Resource Allocation > System traffic
Note: If you have a previous version of vSphere and you upgraded, then you might see the previous version of NIOC (version
2), and so the "system traffic" menu is not there. Make sure that you upgrade your VDS to v 6.0.
So in our case we can see the menu system traffic... The traffic types are all set to 50 shares except the VM
traffic. No reservation or limits are set by default.
Individual VMs can be configured according to bandwidth requirements through VM options at the network level...
Shares - The relative priority, from 1 to 100, of the traffic through this VM network adapter against the capacity of the
physical adapter that is carrying the VM traffic to the network.
Reservation - The minimum bandwidth, in Mbps, that the VM network adapter must receive on the physical adapter.
Limit - The maximum bandwidth on the VM network adapter for traffic to other virtual machines on the same or on
another host.
To enable bandwidth allocation for virtual machines by using Network I/O Control, configure the virtual machine
system traffic. The bandwidth reservation for virtual machine traffic is also used in admission control. When you power
on a virtual machine, admission control verifies that enough bandwidth is available.
Check the following requirements:
Network Resource Pools - You can create new network resource pools to reserve part of the aggregated bandwidth
for VM system traffic on all the physical adapters connected to the VDS.
For example, if the virtual machine system traffic has 0.5 Gbps reserved on each 10 GbE uplink on a distributed switch
that has 10 uplinks, then the total aggregated bandwidth available for VM reservation on this switch is 5 Gbps. Each
network resource pool can reserve a quota of this 5 Gbps capacity.
Create network resource pool: Distributed switch > Manage > Resource allocation > Network resource pools > Add
Once you create a network resource pool you can add a distributed port group, so you can allocate bandwidth to the VMs
that are connected to that port group.
You can check and monitor Network I/O Control through vSphere web client. Networking > vDS > Manage > Resource
Allocation
Concerning the system traffic, it's possible to have a look at these metrics and details:
Network I/O Control Status (state is Enabled/Disabled)
NIOC Version
Physical network adapters details
Available bandwidth capacity
Total bandwidth capacity
Maximum reservation allowed
Configured reservation
Minimum link speed
You can also check the vSphere 6 page where you'll find many how-to, videos, and tutorials about vSphere 6. Let's get
back to our today's objective.
vSphere Knowledge
The virtual standard switches (vSS) can have following policies and settings:
If you set VLAN policy to 4095 (All) it allows you to pass All VLANs, and the tagging is done at the Guest
OS level
Promiscuous Mode - The default setting is Reject for both (VSS and VDS). If you change it to Accept then
the guest OS can receive all traffic which passes through the vSwitch or Portgroup.
MAC address change - The default setting is Reject for VDS but Accept on VSS. If set to Accept then the host
accepts requests to change the effective MAC address to a different one than the original.
Forged transmits - The default setting is Reject for VDS but Accept on VSS. If set to Accept, the host does not compare source
and effective MAC addresses which are transmitted from a VM.
Each setting can be set to Accept or Reject and it can be done at the virtual switch level or at the port group level.
It's obviously more granular at the port group level.
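A simplified model of how the three security settings above decide whether a frame is delivered or forwarded, using the defaults stated on this page. This is an added example, not VMware code; the class and function names, the MAC addresses and the rule that a rejected MAC change leaves the switch comparing against the initial MAC are assumptions of the model.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class SecurityPolicy:
    promiscuous: bool        # True = Accept, False = Reject
    mac_changes: bool
    forged_transmits: bool


# Defaults as stated on this page.
VSS_DEFAULT = SecurityPolicy(promiscuous=False, mac_changes=True, forged_transmits=True)
VDS_DEFAULT = SecurityPolicy(promiscuous=False, mac_changes=False, forged_transmits=False)


@dataclass(frozen=True)
class VNic:
    initial_mac: str      # MAC assigned to the adapter in the VM configuration
    effective_mac: str    # MAC the guest OS currently has set on the adapter


def _norm(mac):
    return mac.lower().replace("-", ":")


def _mac_seen_by_switch(policy, nic):
    # Modelling assumption: if MAC changes are rejected, the switch never
    # adopts the guest's new address and keeps using the initial MAC.
    return _norm(nic.effective_mac if policy.mac_changes else nic.initial_mac)


def inbound_delivered(policy, nic, dst_mac):
    """Is a frame addressed to dst_mac handed to this virtual adapter?"""
    changed = _norm(nic.effective_mac) != _norm(nic.initial_mac)
    if changed and not policy.mac_changes:
        return False                       # rejected MAC change: inbound frames dropped
    if _norm(dst_mac) in (_norm(nic.effective_mac), BROADCAST):
        return True
    return policy.promiscuous              # other hosts' traffic only in promiscuous mode


def outbound_forwarded(policy, nic, src_mac):
    """Is a frame the guest sends with src_mac forwarded by the switch?"""
    if policy.forged_transmits:
        return True                        # Accept: source and effective MAC are not compared
    return _norm(src_mac) == _mac_seen_by_switch(policy, nic)


def accepted_settings(policy):
    """Names of the settings left at Accept, e.g. for a configuration review."""
    names = [("Promiscuous Mode", policy.promiscuous),
             ("MAC address change", policy.mac_changes),
             ("Forged transmits", policy.forged_transmits)]
    return [name for name, accepted in names if accepted]


if __name__ == "__main__":
    # Constructed adapters: one untouched, one whose guest changed the MAC.
    untouched = VNic("00:50:56:aa:bb:01", "00:50:56:aa:bb:01")
    changed = VNic("00:50:56:aa:bb:01", "00:50:56:aa:bb:99")
    for label, policy in (("VSS default", VSS_DEFAULT), ("VDS default", VDS_DEFAULT)):
        print(label, "left at Accept:", accepted_settings(policy))
        print("  changed MAC still receives:", inbound_delivered(policy, changed, "00:50:56:aa:bb:99"))
        print("  frame with foreign source MAC forwarded:",
              outbound_forwarded(policy, untouched, "00:50:56:aa:bb:77"))
```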
The port blocking policy is done at the portgroup level. vSphere web client > Networking > Right click a portgroup >
Edit settings.
You can also block an individual distributed switch or uplink port. It can be done by selecting the VDS > Manage > Ports
> Select Port > Edit > check the box and select Yes.
You can configure various load balancing algorithms on a virtual switch to determine how network traffic is
Route Based on Originating Virtual Port - The virtual switch selects uplinks based on the virtual machine port
IDs on the vSphere Standard Switch or vSphere Distributed Switch.
Route Based on Source MAC Hash - The virtual switch selects an uplink for a virtual machine based on the
virtual machine MAC address. To calculate an uplink for a virtual machine, the virtual switch uses the virtual
machine MAC address and the number of uplinks in the NIC team.
Route Based on IP Hash - The virtual switch selects uplinks for virtual machines based on the source and
destination IP address of each packet
Route Based on Physical NIC Load - Route Based on Physical NIC Load is based on Route Based on Originating
Virtual Port, where the virtual switch checks the actual load of the uplinks and takes steps to reduce it on
overloaded uplinks.
And for VDS there is another one called Use Explicit Failover Order.
Use Explicit Failover Order - No actual load balancing is available with this policy. The virtual switch always
uses the uplink that stands first in the list of Active adapters from the failover order and that passes failover
detection criteria. If no uplinks in the Active list are available, the virtual switch uses the uplinks from the
Standby list.
Link Status only - checks link availability: is the adapter physically up or down? Depending on the result, it can
possibly detect physical switch failures.
Beacon Probing - Sends out and listens for beacon probes on all NICs in the team. Can be used together with
link status to get better results when determining if there is a link failure. Beacon probing should not be used with
the IP hash load balancing policy or on vSwitches which have fewer than 3 uplinks. Unused NICs do not participate in
beacon probing. Active/active or active/standby only.
FAILOVER ORDER:
It can be specified at the vSwitch level or at the port group level, where you basically override the vSwitch level policy
(VSS). If there is a failover, the standby NICs become active in the order in which they're specified/listed. You must define whether
during failback the physical adapter is returned to active state (and if it is!).
3 types of VLAN:
None - no tags. Physical switch ports are configured as access ports, or the VLAN is configured as the native VLAN
on the trunk port.
VLAN - in this case, the VLAN ID Tag is done on the virtual switch level.
VLAN Trunking - VLANs are tagged at the guest OS level.
PVLAN - private VLANs
Note: Same for vSphere web client. You’ll be doing it at the vDS level, so select and right click the vDS > Edit Settings
> Private VLAN tab. Once there you can add some PVLANs. Notice the Secondary Promiscuous was created
automatically when you created the Primary private VLAN.
So in my example above I created Primary Private VLAN 500 which automatically created secondary PVLAN 500. Then
I only could create an Isolated Secondary VLAN 501 and Community VLAN 502.
Now we have those PVLANs created and this gives us the possibility to use them for new or existing port
groups. In the example below I’m creating a new port group with some name, and after selecting the PVLAN, a new drop-down
menu appears which gives the option to choose an entry between Isolated or Community.
Promiscuous Primary VLAN – Imagine this VLAN as a kind of router. All packets from the secondary VLANs
go through this VLAN. Packets also go downstream, so this type of VLAN is used to forward packets
downstream to all secondary VLANs.
SECONDARY
Isolated (Secondary) – VMs can communicate with other devices on the Promiscuous VLAN but not with other
VMs on the Isolated VLAN.
Community (Secondary) – VMs can communicate with other VMs on the Promiscuous VLAN and also with those on the
same community VLAN.
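The PVLAN rules above turned into a layer 2 reachability check, as an added example that is not from the original guide. It uses the IDs from the example (primary 500, isolated 501, community 502); the second community 503, the port names and the function names are constructed for illustration.

```python
from itertools import combinations

# PVLAN ID -> (type, primary VLAN). 500/501/502 come from the example above;
# community 503 is constructed to show that communities are isolated from each other.
PVLANS = {
    500: ("promiscuous", 500),
    501: ("isolated", 500),
    502: ("community", 500),
    503: ("community", 500),
}


def can_communicate(pvlan_a, pvlan_b, pvlans=PVLANS):
    """Return True if ports in these two PVLANs can exchange frames at layer 2."""
    type_a, primary_a = pvlans[pvlan_a]
    type_b, primary_b = pvlans[pvlan_b]
    if primary_a != primary_b:
        return False                  # different primary VLAN, different broadcast domain
    if "promiscuous" in (type_a, type_b):
        return True                   # promiscuous ports reach every secondary VLAN
    if type_a == type_b == "community":
        return pvlan_a == pvlan_b     # only inside the same community
    return False                      # isolated<->isolated and isolated<->community


def audit_placement(port_pvlans, must_be_isolated, pvlans=PVLANS):
    """Return the pairs that are required to be isolated but can still talk."""
    return [(a, b) for a, b in must_be_isolated
            if can_communicate(port_pvlans[a], port_pvlans[b], pvlans)]


# Constructed inventory: port (VM or device) name -> PVLAN ID of its port group.
PORTS = {
    "gateway": 500,
    "tenant-a-web": 501,
    "tenant-b-web": 501,
    "app-1": 502,
    "app-2": 502,
    "backup-1": 503,
}

if __name__ == "__main__":
    for a, b in combinations(PORTS, 2):
        verdict = "can talk" if can_communicate(PORTS[a], PORTS[b]) else "blocked"
        print(f"{a:13} <-> {b:13} {verdict}")
    # app-1 and app-2 share community 502, so an isolation requirement between them fails.
    print(audit_placement(PORTS, [("tenant-a-web", "tenant-b-web"), ("app-1", "app-2")]))
```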
CONFIGURE TRAFFIC SHAPING POLICIES
Average bandwidth in kbits (Kb) per second - Bits per second to allow across a port, averaged over time.
Peak bandwidth in kbits (Kb) per second - Maximum number of bits per second to allow across a port when it
is sending or receiving a burst of traffic.
Burst size in kbytes (KB) per second - Maximum number of bytes to allow in a burst.
At the port group level (both Web client or vSphere client). Home > Networking > right click the port group > traffic
shaping.
Only on enhanced vmxnet adapters. If you are using just vmxnet you must replace the adapter with an enhanced vmxnet
adapter.
To use TSO, enable it in three places: the VMkernel, the virtual machine, and the guest operating system.
1. TSO is enabled for the VMkernel by default. If it is disabled on your system, you can enable it in the VMware
Management Interface Advanced Settings page. Access this page by clicking the Options tab.
2. Enable TSO for the virtual machine by powering off the virtual machine and adding the following line to the
configuration file (.vmx): ethernetn.features = "0x2"
Via CLI - Run this command
lab output:
Tools
VCP6-DCV OBJECTIVE 3.1 - MANAGE VSPHERE STORAGE VIRTUALIZATION
VMware VCP certification exam for vSphere 6 is now available and you can register for the exam. We'll start to cover
VCP6-DCV sections to help out folks learning towards the VCP6-DCV VMware certification exam. Today’s topic is
VCP6-DCV Objective 3.1 - Manage vSphere Storage Virtualization. It's quite a large chapter, but it's broken into several
sections, always with screenshots. We will use vSphere Web Client only (I know, not everyone's favorite, but new
features aren't exposed to the old C# client anymore...).
Due to VMware re-certification policy the VCP exam now has an expiration date. You can renew by passing a delta exam
while still holding a current VCP, or by passing a VCAP. For whole exam coverage I created a dedicated VCP6-DCV page. Or if
you’re not preparing to pass a VCP6-DCV, you might just want to look at some how-tos, news, or videos about vSphere 6
– check out my vSphere 6 page.
vSphere Knowledge
VMware vSphere 6 supports different classes of adapters: SCSI, iSCSI, RAID, Fibre Channel, Fibre Channel over
Ethernet (FCoE), and Ethernet. ESXi accesses adapters directly through device drivers in the VMkernel.
Note that you must enable certain adapters (like the software iSCSI), but this isn't new as it's been the case already in
previous release.
Web Client > Hosts and clusters > host > manage > storage > storage adapters
You can also check storage devices there which shows basically all storage attached to the host...
SCSI INQUIRY identifiers - the host uses the SCSI INQUIRY command to query a storage device. The resulting data are
used to generate a unique identifier in different formats (naa.number or t10.number OR eui.number).
This is because of the T10 standards.
Path-based identifiers - e.g. mpx.vmhba1:C0:T1:L3, where vmhbaAdapter is the name of the
storage adapter, followed by Channel - Target - LUN. The MPX path is generated in case the device does not provide a device
identifier itself. Note that the generated identifiers are not persistent across reboots and can change.
Legacy identifiers - In addition to the SCSI INQUIRY or mpx. identifiers, for each device, ESXi generates an
alternative legacy name. The identifier has the following format:
vml.number
The legacy identifier includes a series of digits that are unique to the device.
Note that the display name can be changed - web client Select host > Manage > Storage > Storage Devices > select >
click rename icon.
There are also:
BASICALLY SIMILAR TO THE WORLDWIDE NAME (WWN) FOR FC DEVICES. ISCSI NAMES ARE FORMATTED IN TWO DIFFERENT
WAYS. THE MOST COMMON IS THE IQN FORMAT.
iSCSI Qualified Name (IQN) Format
iqn.yyyy-mm.naming-authority:unique name,
where:
yyyy-mm is the year and month when the naming authority was established.
naming-authority is usually reverse syntax of the Internet domain name of the naming authority. For
example, the iscsi.vmware.com naming authority could have the iSCSI qualified name form of
iqn.1998-01.com.vmware.iscsi. The name indicates that the vmware.com domain name was registered in
January of 1998, and iscsi is a subdomain, maintained by vmware.com.
unique name is any name you want to use, for example, the name of your host. The naming authority
must make sure that any names assigned following the colon are unique, such as:
o iqn.1998-01.com.vmware.iscsi:name1
o iqn.1998-01.com.vmware.iscsi:name2
o iqn.1998-01.com.vmware.iscsi:name999
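A parser for the IQN format just described, as an added example that is not part of the original guide. It lower-cases the name before checking it and enforces the 223-byte iSCSI name limit from RFC 3720; the function names and the sample names other than the iqn.1998-01.com.vmware.iscsi ones are constructed.

```python
import re

MAX_ISCSI_NAME_BYTES = 223  # iSCSI name length limit (RFC 3720)

_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
IQN_RE = re.compile(
    rf"iqn\.(?P<year>\d{{4}})-(?P<month>\d{{2}})"      # yyyy-mm
    rf"\.(?P<authority>{_LABEL}(?:\.{_LABEL})+)"       # reversed domain, at least two labels
    rf"(?::(?P<unique>\S+))?"                          # optional :unique-name, no whitespace
)


def parse_iqn(name):
    """Split an IQN into its parts; raise ValueError if it is malformed."""
    normalized = name.lower()
    if len(normalized.encode("utf-8")) > MAX_ISCSI_NAME_BYTES:
        raise ValueError("name longer than 223 bytes")
    match = IQN_RE.fullmatch(normalized)
    if match is None:
        raise ValueError("not in iqn.yyyy-mm.naming-authority:unique-name form")
    month = int(match["month"])
    if not 1 <= month <= 12:
        raise ValueError(f"invalid month {match['month']}")
    authority = match["authority"]
    return {
        "name": normalized,
        "year": int(match["year"]),
        "month": month,
        "authority": authority,
        # The naming authority is the domain name written in reverse order.
        "domain": ".".join(reversed(authority.split("."))),
        "unique": match["unique"],
    }


def check_initiators(names, allowed_domain):
    """Return (name, reason) for every name that is malformed or outside allowed_domain."""
    findings = []
    for name in names:
        try:
            parts = parse_iqn(name)
        except ValueError as err:
            findings.append((name, str(err)))
            continue
        domain = parts["domain"]
        if domain != allowed_domain and not domain.endswith("." + allowed_domain):
            findings.append((name, f"naming authority {domain} is not under {allowed_domain}"))
    return findings


# Constructed list of initiator names, e.g. taken from an array's access list.
SAMPLE_NAMES = [
    "iqn.1998-01.com.vmware.iscsi:name1",   # form used on this page
    "iqn.1998-13.com.vmware.iscsi:name2",   # month 13
    "iqn.2001-04.com.example:host7",        # different naming authority
    "iqn.1998-01.vmware:name3",             # authority is not a reversed domain
]

if __name__ == "__main__":
    print(parse_iqn(SAMPLE_NAMES[0]))
    for name, reason in check_initiators(SAMPLE_NAMES, "vmware.com"):
        print(f"{name}: {reason}")
```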
OR
Hardware based - add-on iSCSI cards (can do boot-on-lan). Those types of adapters are also capable of
offloading the iSCSI and network processing so the CPU activity is lower. Hardware adapters can be dependent
or independent. Compared to Dependent, the Independent adapters do not use VMkernel adapters for
connections to the storage.
Software based - activated after installation (cannot do boot-on-lan). Brings a very light overhead. Software
based iSCSI uses VMkernel adapter to connect to iSCSI storage over a storage network.
Dependent adapters can use CHAP, which is not the case of Independent adapters.
COMPARE AND CONTRAST ARRAY THIN PROVISIONING AND VIRTUAL DISK THIN PROVISIONING
Virtual disk thin provisioning allows you to allocate only a small amount of disk space at the storage level, while the guest
OS sees it as if it had the whole space. The thin disk grows in size when adding more data or installing applications at the
VM level. So it's possible to over-allocate the datastore space, but this brings risks, so it's important to monitor actual
storage usage to avoid conditions when you run out of physical storage space.
Image says thousands words... p.254 of vSphere Storage Guide
Thick Lazy Zeroed - default thick format. Space is allocated at creation, but the physical device is not erased
during the creation process; it is zeroed on demand instead.
Thick Eager Zeroed - Used for FT protected VMs. Space is allocated at creation and zeroed immediately. The
data remaining on the physical device is zeroed out when the virtual disk is created. Eager Zeroed Thick disks
take longer to create.
Thin provision - as on the image above. Starts small and at first, uses only as much datastore space as the
disk needs for its initial operations. If the thin disk needs more space later, it can grow to its maximum capacity
and occupy the entire datastore space provisioned to it. A thin disk can be inflated (thin > thick) via the datastore
browser (right click vmdk > inflate).
Check the different VMDK disk provisioning options when creating new VM or adding an additional disk to existing VM
Thin-provisioned LUN
ESXi also supports thin-provisioned LUNs. When a LUN is thin-provisioned, the storage array reports the LUN's logical
size, which might be larger than the real physical capacity backing that LUN. A VMFS datastore that you deploy on the
thin-provisioned LUN can detect only the logical size of the LUN.
For example, if the array reports 2TB of storage while in reality the array provides only 1TB, the datastore considers
2TB to be the LUN's size. As the datastore grows, it cannot determine whether the actual amount of physical space is
still sufficient for its needs.
Via Storage API - Array Integration (VAAI) you CAN be aware of underlying thin-provisioned LUNs. VAAI lets the array
know about datastore space which has been freed when files are deleted or removed, to allow the array to reclaim the
freed blocks.
DESCRIBE ZONING AND LUN MASKING PRACTICES
Zoning is used with FC SAN devices. It allows controlling the SAN topology by defining which HBAs can connect to which
targets. We say that we zone a LUN. Zoning:
Protects the LUN from access by undesired devices, which could corrupt data
Can be used to separate different environments (clusters)
Reduces the number of targets and LUNs presented to a host
Controls and isolates paths in a fabric.
LUN MASKING
esxcfg-scsidevs -m — the -m
esxcfg-mpath -L | grep naa.5000144fd4b74168
esxcli storage core claimrule add -r 500 -t location -A vmhba35 -C 0 -T 1 -L 0 -P MASK_PATH
esxcli storage core claimrule load
esxcli storage core claiming reclaim -d naa.5000144fd4b74168
UNMASK A LUN
Perform the manual rescan each time you make one of the following changes.
You can scan at the Host level or at the datacenter level (storage > select datacenter > right click > Storage > Rescan
storage).
Scan for New Storage Device – Rescans HBAs for new storage devices
Scan for New VMFS Volumes – Rescans known storage devices for VMFS volumes
1:1 ratio - Each host must have access to its own boot LUN only, not the boot LUNs of other hosts.
BIOS Support - Enable the boot adapter in the host BIOS
HBA config - Enable and correctly configure the HBA, so it can access the boot LUN.
Docs:
How? By exporting NFS volume as NFS v3 or v4.1 (latest release). Different storage vendors have different methods of
enabling this functionality, but typically this is done on the NAS servers by using the no_root_squash option. If the
NAS server does not grant root access, you might still be able to mount the NFS datastore - but read only.
ENABLE/CONFIGURE/DISABLE VCENTER SERVER STORAGE FILTERS
When you perform VMFS datastore management operations, vCenter Server uses default storage protection filters.
The filters help you to avoid storage corruption by retrieving only the storage devices that can be used for a particular
operation. Unsuitable devices are not displayed for selection. p. 167 of vSphere 6 storage guide.
Where?
Hosts and clusters > vCenter server > manage > settings > advanced settings
CONFIGURE/EDIT HARDWARE / DEPENDENT HARDWARE INITIATORS
WHERE?
Host and Clusters > Host > Manage > Storage > Storage Adapters.
It's possible to rename the adapters from the default given name. It's possible to configure the dynamic and static
discovery for the initiators.
It's not so easy to find through the Web client, as before we used to do it eyes closed through the vSphere client...
Configure Dynamic Discovery and (or) Static Discovery
Add Network Port Bindings to the adapter
Configure iSCSI advanced options
iSCSI ports of the array target must reside in the same broadcast domain and IP subnet as the VMkernel
adapters.
All VMkernel adapters used for iSCSI port binding must reside in the same broadcast domain and IP
subnet.
All VMkernel adapters used for iSCSI connectivity must reside in the same virtual switch.
Port binding does not support network routing.
Do not use port binding when any of the following conditions exist:
Array target iSCSI ports are in a different broadcast domain and IP subnet.
VMkernel adapters used for iSCSI connectivity exist in different broadcast domains, IP subnets, or use
different virtual switches.
Routing is required to reach the iSCSI array.
Note: The VMkernel adapters must be configured with single Active uplink. All the others as unused only (not
Active/standby). If not they are not listed...
p. 98 of vSphere 6 Storage Guide.
Challenge Handshake Authentication Protocol (CHAP), which verifies the legitimacy of initiators that access targets on
the network.
Unidirectional CHAP - target authenticates the initiator, but the initiator does not authenticate the target.
Bidirectional CHAP - an additional level of security enables the initiator to authenticate the target. VMware supports
this method for software and dependent hardware iSCSI adapters only.
CHAP METHODS :
CHAP does not encrypt, only authenticates the initiator and target.
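The unidirectional and bidirectional exchanges described above, run with both sides' messages shown, as an added example that is not part of the original guide. It uses the RFC 1994 response (MD5 over identifier, secret and challenge) with the iSCSI key names CHAP_A, CHAP_I, CHAP_C, CHAP_N and CHAP_R; the function names, initiator and target names and secrets are constructed.

```python
import hashlib
import hmac
import os

CHAP_MD5 = 5  # CHAP_A value that selects MD5


def chap_response(identifier, secret, challenge):
    """RFC 1994: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def _one_way(verifier_secrets, prover_name, prover_secret, wire, label, avoid=None):
    """Verifier challenges, prover answers, verifier checks. Messages go into `wire`."""
    identifier = os.urandom(1)[0]
    challenge = os.urandom(16)
    while challenge == avoid:          # never reuse the challenge received from the peer
        challenge = os.urandom(16)
    wire.append((label, "challenge",
                 {"CHAP_A": CHAP_MD5, "CHAP_I": identifier, "CHAP_C": challenge.hex()}))
    answer = chap_response(identifier, prover_secret, challenge)
    wire.append((label, "response", {"CHAP_N": prover_name, "CHAP_R": answer.hex()}))
    known = verifier_secrets.get(prover_name)
    ok = known is not None and hmac.compare_digest(
        answer, chap_response(identifier, known, challenge))
    return ok, challenge


def unidirectional(target_db, initiator_name, initiator_secret):
    """Target authenticates the initiator. Returns (initiator_accepted, wire)."""
    wire = []
    ok, _ = _one_way(target_db, initiator_name, initiator_secret, wire,
                     "target authenticates initiator")
    return ok, wire


def bidirectional(target_db, initiator_name, initiator_secret,
                  initiator_db, target_name, target_secret):
    """Adds the reverse check. Returns (initiator_accepted, target_accepted, wire)."""
    wire = []
    init_ok, first = _one_way(target_db, initiator_name, initiator_secret, wire,
                              "target authenticates initiator")
    if not init_ok:
        return False, False, wire
    tgt_ok, _ = _one_way(initiator_db, target_name, target_secret, wire,
                         "initiator authenticates target", avoid=first)
    return init_ok, tgt_ok, wire


if __name__ == "__main__":
    # Constructed names and secrets; each direction has its own secret.
    initiator = "iqn.1998-01.com.vmware.iscsi:name1"
    target = "iqn.2001-04.com.example:array1"
    target_db = {initiator: b"initiator-secret-01"}     # configured on the target
    initiator_db = {target: b"target-secret-02"}        # configured on the initiator
    result = bidirectional(target_db, initiator, b"initiator-secret-01",
                           initiator_db, target, b"target-secret-02")
    for label, kind, keys in result[2]:
        print(f"{label:32} {kind:9} {keys}")
    # Only challenges and digests cross the wire; the data sent after login
    # is not protected by CHAP.
    print("initiator accepted:", result[0], "target accepted:", result[1])
```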
It's fairly simple, as we know that if we use the software iSCSI adapter we do not have to buy additional hardware and
we're still able to "hook" into iSCSI SAN.
The Dependent Hardware iSCSI Adapter depends on the VMkernel adapter but offloads iSCSI
processing to the adapter, which accelerates the processing and reduces CPU overhead.
On the other hand, the Independent Hardware iSCSI Adapter has its own networking, iSCSI configuration, and
management interfaces. So you must go through the BIOS and the device configuration in order to use it.
Some arrays support thin-provisioned LUNs while others do not. The benefit is to offer more (visible) capacity to
the ESXi host while consuming only what's needed at the datastore level (watch out for over-subscribing, however, so
proper monitoring is needed). So it's possible to use thin-provisioned virtual disks at the datastore level, or
thin-provisioned LUNs on the array.
Tools
For whole exam coverage I created a dedicated VCP6-DCV page. Or if you're not preparing to pass a VCP6-DCV, you
might just want to look on some how-to, news, videos about vSphere 6 - check out my vSphere 6 page.
VMware VSAN (traditional) needs some spinning media (SAS or SATA) and 1 SSD per host (SATA, SAS or PCIe).
VMware VSAN (All-Flash) needs some SATA/SAS for the capacity tier and 1 high-performance, high-endurance SSD
for caching.
HBA which is on the VMware HCL (queue depth > 600)
All hardware must be part of HCL (or if you want easy way -> via VSAN ready nodes!)
HBA with RAID0 or direct pass-through so ESXi can see the individual disks, not a RAID volume.
SSD sizing - 10% of consumed capacity
1Gb Network (10GbE recommended)
1 VMkernel interface configured (dedicated) for VSAN traffic
Multicast activated on the switch
IGMP Snooping and an IGMP Querier can be used to limit multicast traffic to a specific port group.
Useful if other non-Virtual SAN network devices exist on the same layer 2 network segment (VLAN).
IPv4 only on the switch
Minimum 3 hosts in the cluster (4 recommended) - maxi. 64 hosts (vSphere 6)
Host > Manage > Networking > VMkernel Adapters > Add
Hosts and Clusters > Cluster > Manage > Settings > Virtual SAN > General
Hosts and Clusters > Cluster > Manage > Settings > Virtual SAN > Disk Management
CLAIM DISKS FOR VSAN
This brings a small warning window saying that you might deteriorate the performance of datastores and services that
use them, but if you’re sure on what you’re doing, then go ahead and validate on Yes button.
As a result, after few seconds (without even refreshing the client’s page) the disk turns into a SSD disk… It’s magic, no?
It works also the other way around! SSD to HDD. Note that this works only in VSAN 6.0!
So let’s demonstrate it in my lab. I use VMware Workstation for the job, where I quickly created a few ESXi VMs. I
configured the ESXi 6 host with 7 hard drives, where each virtual disk is destined to fill a different function. Here are the
details:
To check the status of your disks as ESXi sees them you can use the vdq -q command
So in our case:
vdq -q
gives us this:
We can see that the mpx.vmhba1:C0:T6:L0 is our disk which we need to tag to be able to use it in our disk group
(otherwise the disk won’t appear to be used in VSAN as capacity tier).
We need to connect via SSH to our host. If you haven’t enabled it yet, please enable SSH by going and selecting your
host > Manage > Security Profile > services > Edit
After you have identified the disk which you need to tag, just enter this command:
where naa.XYZ is your hard drive. In my example
After tagging all of the 20Gb disks we can create a disk group where those disks will appear as data disks below… (You
can see that our mpx.vmhba1:C0:T6:L0 device can now be selected to be used as a data disk)…
Check this:
the above command will simply remove the “capacityFlash” tag from the storage device.
So if you just want to check which tag your storage device has, you can use this command:
vdq -q
You should get the VSAN Troubleshooting Reference Manual, which is a great resource
Ensure accessibility - Virtual SAN ensures that all virtual machines on this host will remain accessible if the
host is shut down or removed from the cluster.
Full data migration - Virtual SAN migrates all data that resides on this host.
No data migration - Virtual SAN will not migrate any data from this host. Some virtual machines might become
inaccessible if the host is shut down or removed from the cluster.
VVOLs are new in vSphere 6. By using a special set of APIs called vSphere APIs for Storage Awareness
(VASA), the storage system becomes aware of the virtual volumes and their associations with the relevant
virtual machines. Through VASA, vSphere and the underlying storage system establish a two-way
out-of-band communication to perform data services and offload certain virtual machine operations to the storage
system. For example, such operations as snapshots, storage DRS and clones can be offloaded.
VVOLs are supported on SANs compatible with VAAI (vSphere APIs for Array Integration).
VVOLs support vMotion, sVMotion, Snapshots, Linked-clones, vFRC, DRS
VVOLs support backup products which use VADP (vSphere APIs for Data Protection)
VVOLs support FC, FCoE, iSCSI and NFS
VVOLS LIMITATIONS
VVOLs do not work with standalone ESXi hosts (vCenter is needed)
VVOLs do not support RDMs
VVOLs with the virtual datastores are tied to vCenter, so if used with Host Profiles, then only within this
particular vCenter, as the extracted host profile can be attached only to hosts within the same vCenter as
the reference host.
No IPv6 support
NFS v3 only (v4.1 isn't supported)
Multipathing only on SCSI-based endpoints, not on NFS-based protocol endpoint.
Virtual volumes are encapsulations of virtual machine files, virtual disks, and their derivatives. Virtual volumes are not
preprovisioned, but created automatically when you perform virtual machine management operations. These
operations include a VM creation, cloning, and snapshotting. ESXi and vCenter Server associate one or more virtual
volumes to a virtual machine.
Storage Provider - A Virtual Volumes storage provider, also called a VASA provider, is a software component
that acts as a storage awareness service for vSphere.
Storage Container - A storage container is a part of the logical storage fabric and is a logical unit of the
underlying hardware. The storage container logically groups virtual volumes based on management and
administrative needs.
Protocol Endpoints - ESXi hosts use a logical I/O proxy, called the protocol endpoint, to communicate with
virtual volumes and virtual disk files that virtual volumes encapsulate. ESXi uses protocol endpoints to establish
a data path on demand from virtual machines to their respective virtual volumes.
Virtual Datastores - A virtual datastore represents a storage container in vCenter Server and the vSphere Web
Client.
vCenter Inventory Lists > vCenter Servers > vCenter Server > Manage > Storage Providers
vCenter Inventory Lists > Datastores
vCenter Inventory Lists > Hosts > Host > Manage > Storage > Protocol Endpoints
(optional) Change the path selection policy (psp) for protocol endpoint.
Manage > Storage > Protocol Endpoints > select the protocol endpoint you want to change and click Properties >
Under multipathing Policies click Edit Multipathing
and control which type of storage is provided for the virtual machine, how the virtual machine is placed within the
storage, and which data services are offered for the virtual machine. SP contains storage rule or collection of storage
rules.
define a storage policy, you specify storage requirements for applications that run on virtual machines. After you apply
this storage policy to a virtual machine, the virtual machine is placed in a specific datastore that can satisfy the storage
requirements.
In case of VSAN and VVOLs, the SP determines how the VM storage objects are handled and allocated within the
datastore to guarantee the SLA.
Rules based on storage-specific data services - VSAN and VVOLs use VASA to surface the storage capability to the
VM Storage Policies interface
Rules based on TAGs - by tagging a specific datastore. More than One tag can be applied per datastore
ENABLE/DISABLE VIRTUAL SAN FAULT DOMAINS
VSAN fault domains allow you to create an environment that can handle the failure of, for example, 2 hosts which are in the
same rack. Failure of all hosts within a single fault domain is treated as one failure. VSAN will not store more than
one replica in this group (domain).
Requirements: 2*n+1 fault domains in a cluster. In order to leverage fault domains you need at least 6 hosts (3 fault
domains). Using three domains does not allow the use of certain evacuation modes, nor is Virtual SAN able to
reprotect data after a failure.
VMware recommends 4 Fault domains. (the same for vSAN clusters - 4 hosts in a VSAN cluster).
On the pic below you see my hosts are down, but VSAN still works and provides storage for my VM... (nested
environment).
Hosts and Clusters > Cluster > Manage > Settings > Virtual SAN > Fault Domains
If a host is not a member of a fault domain, Virtual SAN interprets it as a separate domain.
Tools
VCP6-DCV OBJECTIVE 3.3 - CONFIGURE VSPHERE STORAGE MULTI-PATHING AND
FAILOVER
Today’s VCP6-DCV goal is to talk about VCP6-DCV Objective 3.3 - Configure vSphere Storage Multi-pathing and
Failover. The VMware VCP exam is a gold standard of VMware certification exams. VMware vSphere 6 brings a new
certification exam.
The VCP exam is the best known of the VMware exams, even if it’s not the highest technical level. But it’s the most recognized, by a
future employer and by the industry as a whole. We will cover the VCP6-DCV exam certification based on the latest VMware
VCP6-DCV blueprint. Check the VCP6-DCV page for all objectives.
vSphere knowledge
To get started, if you're using block storage - check the Storage > Datastore > Manage > Settings > Connectivity and
Multipathing
IDENTIFY AVAILABLE STORAGE LOAD BALANCING OPTIONS
You can manage multipathing using the vSphere Client, the esxcli command, or using the following commands. Use
the HostStorageSystem.multipathStateInfo property to access the HostMultipathStateInfo.
SAN storage systems require continual redesign and tuning to ensure that I/O is load balanced across all storage system
paths. To meet this requirement, distribute the paths to the LUNs among all the SPs to provide optimal load balancing.
Multipathing allows you to have more than one physical path from the ESXi host to a LUN on a storage system.
Generally, a single path from a host to a LUN consists of an iSCSI adapter or NIC, switch ports, connecting cables, and
the storage controller port. If any component of the path fails, the host selects another available path for I/O. The
process of detecting a failed path and switching to another is called path failover.
Path information:
Active - Paths available for issuing I/O to a LUN. A single or multiple working paths currently used for
transferring data are marked as Active (I/O).
Standby - If active paths fail, the path can quickly become operational and can be used for I/O
Disabled - path disabled, no transfer possible.
Dead - impossible to connect to the disk via this path.
Fixed - (VMW_PSP_FIXED) the host uses the designated preferred path if configured. If not, it uses the first working path
discovered. The preferred path needs to be configured manually.
Most Recently Used - (VMW_PSP_MRU) The host selects the path that it used most recently. When the path
becomes unavailable, the host selects an alternative path. The host does not revert back to the original path
when that path becomes available again. There is no preferred path setting with the MRU policy. MRU is the
default policy for most active-passive arrays.
Round Robin (RR) - VMW_PSP_RR - The host uses an automatic path selection algorithm rotating through all
active paths when connecting to active-passive arrays, or through all
available paths when connecting to active-active arrays. RR is the default for a number of arrays and can be
used with both active-active and active-passive arrays to implement load balancing across paths for different
LUNs.
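The failover behaviour of the three policies, replayed in a small Python model (an added example, not code from the original guide or from VMware). The path names are constructed, one `select()` call stands for one rotation step, and Round Robin is modelled for the active-active case where every working path is usable.

```python
"""Toy model of VMW_PSP_FIXED, VMW_PSP_MRU and VMW_PSP_RR path selection."""

FIXED, MRU, RR = "VMW_PSP_FIXED", "VMW_PSP_MRU", "VMW_PSP_RR"

# Constructed runtime path names for one LUN, listed in discovery order.
PATHS = ["vmhba1:C0:T0:L0", "vmhba1:C0:T1:L0", "vmhba2:C0:T0:L0"]


class Lun:
    """One LUN with several paths and a single path selection policy."""

    def __init__(self, paths, policy, preferred=None):
        if policy not in (FIXED, MRU, RR):
            raise ValueError(f"unknown policy: {policy}")
        if preferred is not None and (policy != FIXED or preferred not in paths):
            raise ValueError("a preferred path needs VMW_PSP_FIXED and a known path")
        self.paths = list(paths)
        self.policy = policy
        self.preferred = preferred
        self.dead = set()        # paths currently in the Dead state
        self.current = None      # path used by the previous I/O

    def fail(self, path):
        self.dead.add(path)

    def restore(self, path):
        self.dead.discard(path)

    def select(self):
        """Return the path the next I/O is issued on."""
        working = [p for p in self.paths if p not in self.dead]
        if not working:
            raise RuntimeError("all paths to the LUN are dead")
        if self.policy == FIXED:
            # Preferred path whenever it works, otherwise first working path.
            self.current = self.preferred if self.preferred in working else working[0]
        elif self.policy == MRU:
            # Stay on the current path; move only when it stops working.
            if self.current not in working:
                self.current = working[0]
        else:
            # Round Robin: next working path after the one used last.
            start = 0 if self.current is None else self.paths.index(self.current) + 1
            for step in range(len(self.paths)):
                candidate = self.paths[(start + step) % len(self.paths)]
                if candidate in working:
                    self.current = candidate
                    break
        return self.current


def replay(policy, preferred=None):
    """Two I/Os, the first path fails, two I/Os, it comes back, two I/Os."""
    lun = Lun(PATHS, policy, preferred)
    trace = [lun.select(), lun.select()]
    lun.fail(PATHS[0])
    trace += [lun.select(), lun.select()]
    lun.restore(PATHS[0])
    trace += [lun.select(), lun.select()]
    return trace


if __name__ == "__main__":
    for policy, preferred in ((FIXED, PATHS[0]), (MRU, None), (RR, None)):
        print(f"{policy:14}", " -> ".join(replay(policy, preferred)))
```

The Fixed trace returns to the preferred path once it is restored, while the MRU trace stays on the alternative path, which is the difference to remember when planning path maintenance.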
IDENTIFY FEATURES OF PLUGGABLE STORAGE ARCHITECTURE (PSA)
VMware NMP - default multipathing module (Native Multipathing Plugin). NMP plays a role in associating
the set of physical paths with a particular storage device or LUN, but delegates the details to the SATP plugin. On
the other hand, the choice of path used when I/O arrives is handled by the PSP (Path Selection Plugin).
VMware SATP - Storage Array Type Plugins run hand in hand with NMP and are responsible for array-based
operations. ESXi has a SATP for every supported SAN. It also provides default SATPs that support non-specific
active-active and ALUA storage arrays, and the local SATP for direct-attached devices.
VMware PSPs - Path Selection Plugins are sub plugins of VMware NMP and they choose a physical path for IO
requests.
Rules based on storage-specific data service – VSAN and VVOLs use VASA to surface the storage capabilities to
the VM Storage Policies interface. To supply information about underlying storage to vCenter Server, Virtual SAN
and Virtual Volumes use storage providers, also called VASA providers. Storage information and datastore
characteristics appear in the VM Storage Policies interface of the vSphere Web Client as data services offered by
the specific datastore type.
Rules based on TAGs – by tagging a specific datastore. More than one tag can be applied per datastore.
Then you go back to a VM storage policy > Add new policy icon > put some meaningful name > click Add tag-based
rule > choose your rule from the category drop down menu > click Next > choose a compatible datastore
Check compliance via VM storage Policies > Storage policy > monitor
If you want to change from default storage policy to newly created one, you must first change it at the VM level and
then check back at VM storage Policies > Storage policy > monitor
ENABLE/DISABLE VIRTUAL SAN FAULT DOMAINS
VMware fault domains in a VSAN environment allow you to spread the replicas over different locations (different racks) in
order "not to put all eggs in the same basket" - literally. Let's say you have 4 hosts per rack and you want to achieve
redundancy in case of failure of multiple components within a single rack. VSAN considers each fault domain as a single
host.
Virtual SAN Fault Domains ensure replicas of VM data are spread across the defined failure domains. Fault domains
provide the ability to tolerate:
Rack failures
Storage controller
Network failures
Power failure
Hosts and Clusters > Cluster > Manage > Settings > Virtual SAN > Fault Domains
If a host is not a member of a fault domain, Virtual SAN interprets it as a separate domain.
VMware recommends configuring a minimum of 3 or more fault domains in the VSAN cluster, and you should also assign
the same number of hosts per fault domain. It's not necessary, however, to assign all hosts to fault domains.
Note: If a host is moved to another cluster, VSAN hosts retain their fault domain assignments.
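A layout check for the fault domain rules stated in this chapter (2*n+1 domains, an unassigned host counts as its own domain, same number of hosts per domain), written as an added Python example that is not part of the original guide. Host and rack names are constructed, and the function names are hypothetical.

```python
from collections import Counter

# Constructed layouts: host name -> fault domain name (None = not assigned).
RACKS = {"esx01": "rack-A", "esx02": "rack-A", "esx03": "rack-B",
         "esx04": "rack-B", "esx05": "rack-C", "esx06": "rack-C"}
MIXED = {"esx01": "rack-A", "esx02": "rack-A", "esx03": "rack-B",
         "esx04": None, "esx05": None}


def summarize(host_to_domain):
    """Return (hosts per explicit fault domain, sorted list of unassigned hosts)."""
    explicit = Counter(d for d in host_to_domain.values() if d)
    unassigned = sorted(h for h, d in host_to_domain.items() if not d)
    return explicit, unassigned


def check_layout(host_to_domain, failures_to_tolerate):
    """Check a layout against the 2*n+1 rule and the balance recommendation."""
    explicit, unassigned = summarize(host_to_domain)
    # A host outside every fault domain is interpreted as a separate domain.
    domains = len(explicit) + len(unassigned)
    required = 2 * failures_to_tolerate + 1
    findings = []
    if domains < required:
        findings.append(
            f"n={failures_to_tolerate} needs {required} fault domains, layout has {domains}")
    if len(set(explicit.values())) > 1:
        findings.append(f"uneven host count per fault domain: {dict(explicit)}")
    if explicit and unassigned:
        findings.append(
            "hosts counted as their own domain: " + ", ".join(unassigned))
    return {
        "domains": domains,
        "required": required,
        # Largest n that still satisfies domains >= 2*n+1.
        "max_tolerated": max((domains - 1) // 2, 0),
        "findings": findings,
    }


if __name__ == "__main__":
    for name, layout, n in (("RACKS", RACKS, 1), ("RACKS", RACKS, 2), ("MIXED", MIXED, 1)):
        print(name, n, check_layout(layout, n))
```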
Tools:
VCP6-DCV OBJECTIVE 3.4 - PERFORM ADVANCED VMFS AND NFS CONFIGURATIONS AND
UPGRADES
This post covers VCP6-DCV Objective 3.4 - Perform Advanced VMFS and NFS Configurations and Upgrades. This is an important
storage chapter where you'll learn VMFS inside out: datastores, their management, and enabling/disabling the vStorage
API for array integration.
For whole exam coverage I created a dedicated VCP6-DCV page which follows the exam's blueprint. If you just want
to look at some how-to, news, videos about vSphere 6 – check out my vSphere 6 page. If you find out that I missed
something in this post, don't hesitate to comment.
VMware vSphere Knowledge
VMFS uses a locking mechanism (ATS or ATS + SCSI) which prevents multiple hosts from concurrently writing to the
metadata and ensures that there is no data corruption. Check page 149 of the vSphere Storage guide for more on the ATS
or ATS+SCSI locking mechanism.
NFS - Network File System, can be mounted by an ESXi host (which uses an NFS client). NFS datastores support vMotion or
SvMotion, HA, DRS, FT or host profiles (note that NFS 4.1 does not support FT). NFS v3 and NFS v4.1 are supported with
vSphere 6.0.
CREATE/RENAME/DELETE/UNMOUNT A VMFS DATASTORE
Create Datastore - vSphere Web Client > Hosts and Clusters > Select Host > Actions > Storage > New Datastore
To rename datastore > Home > Storage > Right click datastore > Rename
As you can see you can also unmount or delete datastore via the same right click.
You can use NFS 3 or NFS 4.1 (note the limitations of NFS 4.1 for FT or SIOC). Enter the Name, Folder, and Server (IP or
FQDN)
And then choose the host(s) to which you want this datastore to mount...
and then you just select the device...
You can also add a new extent, which means that a datastore can span up to 32 extents and appear as a single
volume. But in reality, not many VMware admins like to use extents.
IDENTIFY AVAILABLE RAW DEVICE MAPPING (RDM) SOLUTIONS
vSphere storage guide p. 203. RDM allows a VM to directly access a LUN. Think of an RDM as a symbolic link from a VMFS
volume to a raw LUN.
An RDM is a mapping file in a separate VMFS volume that acts as a proxy for a raw physical storage device. The RDM
allows a virtual machine to directly access and use the storage device. The RDM contains metadata for managing and
redirecting disk access to the physical device.
When SAN snapshot or other layered applications run in the virtual machine. The RDM better enables scalable
backup offloading systems by using features inherent to the SAN.
In any MSCS clustering scenario that spans physical hosts — virtual-to-virtual clusters as well as physical-to-
virtual clusters. In this case, cluster data and quorum disks should be configured as RDMs rather than as virtual
disks on a shared VMFS.
If RDM is used in physical compatibility mode, VM snapshots are not possible. Virtual machine snapshots are available for
RDMs in virtual compatibility mode.
Physical Compatibility Mode - VMkernel passes all SCSI commands to the device, with one exception: the REPORT
LUNs command is virtualized so that the VMkernel can isolate the LUN to the owning virtual machine. Otherwise, all physical
characteristics of the underlying hardware are exposed. It allows the guest operating system to access the
hardware directly. A VM with a physical compatibility RDM has limits: you cannot clone such a VM or turn it into
a template. Also sVMotion or cold migration is not possible.
Virtual Compatibility Mode - VMkernel sends only READ and WRITE to the mapped device. The mapped device
appears to the guest operating system exactly the same as a virtual disk file in a VMFS volume. The real hardware
characteristics are hidden. If you are using a raw disk in virtual mode, you can realize the benefits of VMFS such as
advanced file locking for data protection and snapshots for streamlining development processes. Virtual mode is also
more portable across storage hardware than physical mode, presenting the same behavior as a virtual disk file
(VMDK). You can use snapshots, clones and templates. When an RDM disk in virtual compatibility mode is cloned or a
template is created out of it, the contents of the LUN are copied into a .vmdk virtual disk file.
Other limitations:
You cannot map to a disk partition. RDMs require the mapped device to be a whole LUN.
VFRC - Flash Read Cache does not support RDMs in physical compatibility (virtual compatibility is compatible).
If you use vMotion to migrate virtual machines with RDMs, make sure to maintain consistent LUN IDs for RDMs
across all participating ESXi hosts.
Now if you just want to select a preferred path, you can do so. If you want the host to use a particular preferred path,
specify it manually.
Fixed – (VMW_PSP_FIXED) the host uses the designated preferred path if configured. If not, it uses the first working path
discovered. The preferred path needs to be configured manually.
Cloning VMs
Storage vMotion migrations
Deploying VMs from templates
VMFS locking and metadata operations
Provisioning thick disks
Enabling FT protected VMs
vSphere Web Client > Manage tab > Settings > System, click Advanced System Settings > Change the value for any of
the options to 0 (disabled):
VMFS3.HardwareAcceleratedLocking
DataMover.HardwareAcceleratedMove
DataMover.HardwareAcceleratedInit
You can check the hardware acceleration status via CLI (via esxcli storage core device vaai status get)
Via vSphere web client you can also see if a datastore has hardware acceleration support...
DISABLE A PATH TO A VMFS DATASTORE
It's possible to temporarily disable storage path, for example for maintenance reasons. Check Storage Paths in the
vSphere Storage Guide on p 192.
One can disable the path through the web client from the datastore view OR storage device OR adapter view.
Separate spindles – having different RAID groups to help provide better performance. Then you can have multiple
VMs executing applications which are I/O intensive. If you choose a single big datastore, then you might
have performance issues...
Separate RAID groups – for certain applications, such as SQL server, you may want to configure a different RAID
configuration for the disks that the logs sit on and the disks that the actual databases sit on.
Redundancy – You might want to replicate VMs to another host/cluster. You may want the replicated VMs to be
stored on different disks than the production VMs. In case you have a failure on the production disk system, you will most
likely still be running the secondary disk system just fine.
Load balancing - you can balance performance/capacity across multiple datastores.
Tiered Storage – Arrays often come with Tier 1, Tier 2, Tier 3 and so you can place your VMs according to
performance levels...
Tools
VCP6-DCV OBJECTIVE 3.5 - SETUP AND CONFIGURE STORAGE I/O CONTROL
This post will cover VCP6-DCV Objective 3.5 - Setup and Configure Storage I/O Control. Storage I/O Control is one of the
features that are overlooked. But Storage I/O Control can "heal" part of your storage performance problems by setting a
priority at the VM level (VMDK). You know the "noisy neighbor story"....
When you enable Storage I/O Control on a datastore, the ESXi host starts to monitor the device latency that hosts observe
when communicating with that datastore. When device latency exceeds a threshold, the datastore is considered to be
congested and each VM that accesses that datastore is allocated I/O resources in proportion to its shares. By
default all VMs are set to Normal (1000). You set shares per VMDK and can adjust the number for each based on need.
Default is 1000.
I started covering this VCP6-DCV exam blueprint a few weeks ago, and it seems that for VCP6 there is more material to
study and more topics to master than for previous versions of VCP, as the technology has been evolving with each release of
vSphere. But never mind, we like technology, we like virtualization and we like VMware. Let's kick some tires.. -:)
For whole exam coverage I created a dedicated VCP6-DCV page.
Storage I/O Control operates as a “datastore-wide disk scheduler.” Once Storage I/O Control has been enabled for a
specific datastore, it will monitor that datastore, summing up the disk shares for each of the VMDK files on it. Storage
I/O Control will then calculate the I/O slot entitlement per ESXi host based on the percentage of shares virtual machines
running on that host have relative to the total shares for all hosts accessing that datastore.
Activate at the datastore level via vSphere client or vSphere Web client.
In the vSphere Client > select a datastore > Configuration tab > Properties > Storage I/O Control, select the Enabled
check box.
The advanced settings - Threshold - default value there. Check if the value is 30ms.
2. Set the number of storage I/O shares and the upper limit of I/O operations per second (IOPS) allowed for each virtual
machine. Those settings are at the VMDK level, so you can prioritize the disk where your important production DB
sits!
Set the threshold. The more important the VM, the greater the number. You can use the drop-down or choose Custom and
enter your value...
In case you're getting an error on activating SIOC, this can be due to 2 reasons:
Not having proper licensing - Enterprise Plus is required. Storage I/O Control (SIOC) requires Enterprise Plus
licensing. Without this license, the option to enable SIOC is grayed out
Check that the host is installed with ESXi 4.1 or higher.
WHERE?
vSphere Web client > Datastore > Monitor tab > Performance tab > View drop-down menu > select
Performance.
Tools
VCP6-DCV OBJECTIVE 4.1 - PERFORM ESXI HOST AND VIRTUAL MACHINE UPGRADES
We will, in no particular order, cover VCP6-DCV sections to help out folks learning towards the VCP6-DCV VMware
certification exam. Due to the VMware recertification policy the VCP exam now has an expiration date. You can renew by
passing a delta exam while still holding a current VCP, or by passing a VCAP. Today's topic is VCP6-DCV Objective 4.1 - Perform
ESXi Host and Virtual Machine Upgrades.
For whole exam coverage I created a dedicated VCP6-DCV page. Or if you're not preparing to pass a VCP6-DCV, you
might just want to look on some how-to, news, videos about vSphere 6 - check out my vSphere 6 page.
We'll cover the topic today present on the VMware VCP6-DCV blueprint:
ESXi 6 supports booting via UEFI or BIOS, but if you plan to use Auto Deploy, then you might prefer BIOS as UEFI isn't
supported. Changing from BIOS to UEFI after install isn't supported.
WHERE?
vSphere Web client > Networking > Right-click the distributed switch and select > Upgrade > Upgrade Distributed
Switch
Check the vSphere Networking Guide (page 28) for more.
Where?
Note that once you upgrade the virtual machine hardware, there is no easy way back. There are three ways to
downgrade virtual machine hardware version (supported by VMware).
Note that only hosts running ESXi 5.0, ESXi 5.1, or ESXi 5.5 are directly upgradable to the ESXi 6.0. If you're still on 4.1
then you must first upgrade to 5.0. vCenter server 6 and vSphere Update Manager 6 (VUM) must be used for the
upgrade. Details - vSphere Upgrade Guide (p. 135).
1. If you haven't downloaded the ESXi 6.0 installation ISO, you'll need to do so. Download Link.
2. You'll need to install/configure VMware Update Manager – follow this guide.
3. Connect via vSphere client > select your host (or cluster) and go to the Update Manager TAB > Admin View > ESXi
Images > Import ESXi Image
4. Follow the assistant and create a new baseline (we have named it ESXi 6.0) > Change to Compliance View
and Attach this new baseline > Scan > Remediate > Watch and wait till the server applies the upgrade and
reboots.
The same principle applies, but you select the host candidates for the upgrade at the cluster level (not at the host level).
In case you're applying the upgrade to a whole cluster you have other options, like deactivating DPM. But basically
what's happening is that host after host is patched and rebooted, and the VMs residing on those hosts are
"vMotioned" elsewhere before the patches are applied.
Hosts that are part of a VSAN cluster might need more time to evacuate VMs, as the local storage holding the
VMDKs must shift some of those VMDKs elsewhere in order to be able to put the host into maintenance mode and
launch the upgrade. 1 host at a time.
OS support:
Internal or external DB
For environments with up to 20 hosts and 200 virtual machines, you can use the bundled PostgreSQL database.
External DBs supported: Oracle, Microsoft SQL. Check the Interoperability Matrix!
For Windows - synchronize clocks on all machines running the vCenter Server 5.x services (if distributed).
If your vCenter Server service is running in a user account other than the Local System account, check that the
account in which the vCenter Server service is running is:
The steps:
Click Start, point to Control Panel, point to Administrative Tools, and then double-click Local Security Policy.
In the console tree, double-click Local Policies, and then click User Rights Assignment.
In the details pane, double-click Log on as a service.
Click Add User or Group, and then add the appropriate account to the list of accounts that possess the Log
on as a service right.
vCenter Server Appliance 5.1U3 and vCenter Server Appliance 5.5 can be upgraded to vCenter Server
Appliance 6. (Not 5.1U2).
VMware vCenter Server Appliance can be deployed only on hosts that are running ESXi version 5.0 or later.
If an external vCenter SSO is used, check out the upgrade process here.
The vCenter Server Appliance PostgreSQL database supports up to 1000 hosts and 10,000 virtual machines.
An Oracle 11g database or an Oracle 12c database are the only external databases supported by the vCenter
Server Appliance.
vSphere Update Manager also requires a supported database. Use separate databases for vCenter Server and vSphere
Update Manager.
Upgrade from VCSA 5.5 to VCSA 6.0 is not an in-place upgrade but rather a side-by-side upgrade. We set up a new VCSA 6.0
appliance which will pull all configuration of the current environment from the old VCSA 5.5 appliance (including
historical/performance data).
CHECK THIS BEFORE STARTING THE UPGRADE:
Here is what I've done to upgrade to the latest vSphere 6.0 vCenter (VCSA). After downloading the VCSA 6.0 iso
image from VMware (the latest one is the VMware-VCSA-all-6.0.0-2562643.iso version), there are just a few steps
to do:
1. Mount the ISO and go to the vcsa folder to install the VMware Client Integration plugin.
2. Once done, double-click the vcsa-setup.html file located at the root of the DVD…
3. This brings up the famous window offering you a clean install or an upgrade. You might have seen it in my
detailed post here.
You'll get a nag telling you basically that you'll have to be on VCSA 5.1 U3 or VCSA 5.5 in order to upgrade to VCSA
6.0… Those are the only options. If you're on another version, you must first upgrade to one of those two supported ones…
vCenter Appliance
Appliance Version
vCenter Server IP or FQDN
vCenter Administrator Username
vCenter Administrator Password
vCenter HTTPS Port
Appliance Root password (when using https://vc-address:5480)
Check ALL the steps for upgrade VCA in my Detailed Step-by-Step post here - How to Upgrade from VCSA 5.5 to 6.0 –
Lab Time. Note that I ran into a problem with the default certificate (solved) during the upgrade.
In case you're doing a CLEAN install you might want to check the scripted install guide of vCenter server appliance here.
IDENTIFY THE METHODS OF UPGRADING VCENTER
Embedded Deployment Model – The Platform Service Controller (PSC) and the vCenter Server are installed on
the same machine.
External Deployment Model – PSC is installed on a separate machine from the vCenter Server.
vCenter 5.5 and earlier deployed using Simple Install option will be upgraded to vCenter Server with embedded
Platform Services Controller.
If vCenter Single Sign-On was on a different machine than vCenter Server, the upgrade will be an external
deployment model.
If vCenter Single Sign-On was on the same node as vCenter Server, the upgrade will produce an embedded
deployment model.
Upgrade external SSO servers to Platform Service Controllers, then upgrade vCenter Servers.
Upgrade including an AutoDeploy Server (4) - the upgrade process upgrades it when upgrading the associated
vCenter Server instance. Auto Deploy server included with an earlier version of the product cannot be used in
conjunction with vCenter Server 6.0. If the Auto Deploy server is running on a remote system, it is upgraded and
migrated to the same system as vCenter Server during the upgrade process. Settings are migrated to the new
location. ESXi hosts must be reconfigured to point to the new Auto Deploy location.
Upgrading with Remote Web Client Server (5) - it is upgraded along with the vCenter Server instance to which it is
registered and migrated to the same location as the vCenter Server instance.
OR to Temp directory
pi shell
vc-support.sh
Export it with
cat /var/log/firstboot/firstbootStatus.json
VMware Resources:
VCP6-DCV OBJECTIVE 5.1 - CONFIGURE ADVANCED/MULTILEVEL RESOURCE POOLS
Today's VCP6-DCV topic will touch resource pools. Resource pools aren't folders, remember? Hey, resource pools are
cool when used sparingly, not with 3 levels of inception... The VCP6-DCV exam blueprint has this chapter about resource
pools and it's important to know them inside out - VCP6-DCV Objective 5.1 - Configure Advanced/Multilevel Resource
Pools.
The whole exam details, and all topics from the blueprint, can be found on the VCP6-DCV page. In today's topic
we will learn about resource pools, but there is also a chapter about vFlash architecture. As you know, vFRC caching
has been here since vSphere 5.5 and it provides a read-only caching mechanism to accelerate applications and VMs.
vSphere Knowledge
Resource Pools should be used when you need to limit or to guarantee resources to VMs. By having a resource
pool you don't have to guarantee the resources to VMs individually, but only at the pool level.
Child resource pool - It's possible to create child resource pools under the root resource pool or under any other user-
created resource pool. Each child resource pool owns some of the parent's resources. Inside each child resource
pool it's possible to create another resource pool (like Russian dolls).
Child resource pools
VMs
Both
Siblings - Resource pools and VMs at the same level are called siblings.
Creating multiple RPs allows you to aggregate computing capacity from the underlying hosts within the DRS cluster.
You can then set resources for each resource pool instead of on individual VMs. For each resource pool you specify
reservation, limit, shares and you can also specify if the reservation shall be expandable.
The Expandable Reservation parameter is a value that allows the resource pool's resources to become available to child
resource pools and virtual machines.
If a VM's workload increases and its resource pool cannot allocate more resources because there aren't any available,
the resource pool will ask its parent resource pool to lend it resources. For resource pools whose VMs and workloads
vary, you should consider enabling expandable reservations.
When the check box is selected (default), expandable reservations are considered during admission control.
If you power on a virtual machine in this resource pool, and the combined reservations of the virtual machines are
larger than the reservation of the resource pool, the resource pool can use resources from its parent or ancestors.
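The admission check described above, modelled in Python as an added example (not code from the original guide or from VMware). Pool names and MHz figures are constructed; the model assumes a child pool's own reservation is carved out of its parent when the pool is created, and that a power-on either reserves the full amount or changes nothing.

```python
class AdmissionError(Exception):
    """Raised when a reservation cannot be satisfied anywhere up the tree."""


class ResourcePool:
    def __init__(self, name, reservation, expandable=True, parent=None):
        self.name = name
        self.reservation = reservation   # MHz guaranteed to this pool
        self.expandable = expandable     # may it borrow from its parent?
        self.parent = parent
        self.used = 0                    # MHz already handed to VMs and child pools
        if parent is not None:
            # The pool's own reservation is taken from the parent up front.
            parent._reserve(reservation)

    def unreserved(self):
        return self.reservation - self.used

    def _reserve(self, amount):
        """Reserve amount here, borrowing any shortfall from ancestors."""
        local = min(amount, self.unreserved())
        shortfall = amount - local
        if shortfall:
            if not self.expandable or self.parent is None:
                raise AdmissionError(f"{self.name}: short by {shortfall} MHz")
            # Raises before anything is committed if an ancestor also fails.
            self.parent._reserve(shortfall)
        self.used += local

    def power_on(self, vm_reservation):
        """Admission control for one VM; True if the VM may power on."""
        try:
            self._reserve(vm_reservation)
        except AdmissionError:
            return False
        return True


def demo():
    cluster = ResourcePool("cluster", 10000, expandable=False)   # root pool
    prod = ResourcePool("prod", 3000, expandable=True, parent=cluster)
    web = ResourcePool("web", 1000, expandable=True, parent=prod)
    test = ResourcePool("test", 2000, expandable=False, parent=cluster)
    results = [
        test.power_on(1500),   # fits inside test's own reservation
        test.power_on(1000),   # 500 MHz short and test is not expandable
        web.power_on(800),     # fits inside web's own reservation
        web.power_on(2500),    # borrows from prod, then from the cluster
        web.power_on(5000),    # even the root pool cannot cover this
    ]
    return results, cluster.unreserved()


if __name__ == "__main__":
    print(demo())
```

The fourth power-on succeeds only because both `web` and `prod` are expandable, so the shortfall travels two levels up; the fifth is rejected without consuming anything.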
Flash Pooling as a resource pool:
Reservations, limits
Uses per VMDK or per VM allocation (the config is at the VM level).
Enforces admission control
vFlash is a broker and manager for the entities which consumes the resources
The first release supports write through mode, which is read only. The write back mode will be available in future
releases. It's important to understand that the publicly available APIs give other storage companies the opportunity to
integrate their flash caching solutions.
A configured of hosts with each one with at least one SSD or PCIe SSD…
vSphere 5.5 (vCenter 5.5 and ESXi 5.5)
On the next screen you select available SSD from each ESXi host and click OK.
Select Hosts and clusters > Manage > vSphere DRS > Edit > Check the Turn ON.
Easiest way to create resource pool is perhaps the Right click at the cluster > New resource pool...
To delete, simple too. Right click the Resource Pool > Delete
Navigate to the Host and Clusters view (View > Inventory > Hosts and Clusters)
Right-click on the resource pool you want to edit and select Edit Settings…
Change the name if desired
Change the CPU Shares, Reservation, Expandable Reservation and Limit if desired
Change the Memory Shares, Reservation, Expandable Reservation and Limit if desired
CPU RESOURCES
Shares - Specify shares for this resource pool with respect to the parent’s total resources. The amounts of shares you
allocate to a resource pool are relative to the shares of any sibling (virtual machine or resource pool) and relative to
its parent’s total resources. Sibling resource pools share resources according to their relative share values bounded
by the reservation and limit.
Different types of shares - Low (1), Normal (2), or High (4) which specify share values in a ratio. Or you can select
Custom to give each RP a specific number of shares, which expresses a proportional weight.
Reservation - Specify a guaranteed CPU or memory allocation for this resource pool. Defaults to 0. A nonzero
reservation is subtracted from the unreserved resources of the parent (host or resource pool). The resources are
considered reserved, regardless of whether virtual machines are associated with the resource pool.
Limit - Upper limit for this resource pool’s CPU allocation. Select Unlimited to specify no upper limit.
Memory Resources
Shares - Memory shares for this resource pool with respect to the parent’s total. Sibling resource pools share
resources according to their relative share values bounded by the reservation and limit. Select Low (1), Normal (2),
or High (4), which specify share values in a ratio.
Select Custom to give each virtual machine a specific number of shares, which expresses a proportional weight.
Limit - Upper limit for this resource pool’s memory allocation. If you give RP limit 32Gb RAM it will never receive
more RAM even if the host/cluster is able to allocate more. Select Unlimited to specify no upper limit.
Or when creating new VM, during the wizard creation you're asked whether you want to place the VM into specific
resource pool...
If the resource pool does not have enough resources to guarantee the virtual machine reservation(s) then the move
into the resource pool will fail (for powered-on virtual machine).
Drag-and-drop the virtual machine into another resource pool. You can also drag it into the root of the DRS cluster
which will move it into the root resource pool.
You have to go and do it at the VM level (vFRC operates per VMDK). Select an individual VM and click edit settings >
Virtual hardware tab >next to the Virtual Flash Read Cache > click Advanced.
Now you can select the amount of GB (Mb) that will be reserved for that particular virtual hard drive. vFRC has variable
block size capability (4kb – 1M), so the best selection depends on your workload, that is, on the I/O size of the
application which runs in your VM (you can use, for example, vscsiStats to find
out). Then you use that information to match the block size of the vFlash to give the best possible performance.
Not every node in the vFlash cluster needs to have SSD installed, but if that’s the case, the particular host won’t be
able to provide any vFlash resources.
Once you have defined the workloads, you can start dividing up the resource pools in a way that meets the
requirements of the workloads running on the DRS cluster.
You should check whether the RP needs to reach out to the parent RP to provide more resources -> configure
expandable reservations.
Check if you need reservations or limits. Do not use per-VM reservations, as it's like using per-file NTFS
permissions... [Administrative Overhead]. If you're using reservations then use them at the resource pool level.
EVALUATE APPROPRIATE SHARES, RESERVATIONS AND LIMITS FOR A RESOURCE POOL BASED ON
VIRTUAL MACHINE WORKLOADS
Know your workload first; only then will you be able to define shares, reservations and (or) limits. We have talked
about CPU shares, reservations, limits and Memory shares, reservations, limits in the chapter above. All the
resources available within the cluster can be managed and distributed by resource pools depending on how they're
configured, but this determines the requirements. Note that a limit is a resource limit, so it's not the same as
using shares, which depend on other resources and their availability.
It seems that for VCP6 there is more material to study and more topics to master. For whole exam coverage I created
a dedicated VCP6-DCV page. Or if you're not preparing to pass a VCP6-DCV, you might just want to look on some
how-to, news, videos about vSphere 6 - check out my vSphere 6 page.
VDP utilizes Changed Block Tracking (CBT), greatly reducing the backup time of VMs, so you can process
many more VMs during your backup window than without using CBT. Note that CBT is also leveraged during restores:
if a VM is restored to the original location, VDP can determine the missing blocks in the destination and
restore only those, not all the blocks.
VDP leverages deduplication technology based on Avamar's code. Full VM recovery, File level recovery - both
supported in VDP. vSphere Data Protection (VDP) and vSphere Replication (VR) both use snapshots on a regular basis
to protect VMs (or to replicate them). In the case of VR the RPO is as low as 15 min.
Guest-level backup - VDP supports guest-level backups for Microsoft SQL Servers, Exchange Servers, and SharePoint
Servers. With guest-level backups, client agents (VMware VDP for SQL Server Client, VMware VDP for Exchange Server
Client, or VMware VDP for SharePoint Server Client) are installed on the SQL Server, Exchange Server, or
SharePoint Server in the same manner that backup agents are typically installed on physical servers.
VDP can protect not only VMs but also physical systems! - When Microsoft Exchange, SQL Server or SharePoint are
backed up by VDP, the agents which need to be installed on those servers in order to protect them efficiently are
leveraged for granular restores. They do not have to be VMs to allow application-level recovery.
CAPACITY R EQUIREMENTS :
117
S OFTWARE R EQUIREMENTS :
The minimum requirement to install VDP 6 is vCenter 5.1, but 5.5 or higher is recommended.
VDP 6 supports vCSA and Windows-based vCenters.
vSphere Web Client, where the browser needs Flash Player 11.3 or above installed.
NOTE: VDP does not support backup of the vCenter Server Appliance (VCSA) itself.
VMs to be protected must be on virtual hardware version 7 or higher (CBT) and have VMware Tools installed.
The VDP repository usually fills rapidly for the first few weeks. This is because nearly every client that is backed
up contains unique data. But then VDP deduplication saves space once other similar clients have
been backed up, or the same clients have been backed up at least once.
UNSUPPORTED VMS DISKS:
Independent
RDM Independent - virtual compatibility mode
RDM w. physical compatibility mode
Application-level replication
Ability to expand current datastore
Backup to a Data Domain system
Ability to restore to a granular level on Microsoft Servers and automatic backup verification.
VDP also supports guest-level backups and restores of Microsoft SQL Servers, Exchange Servers, and SharePoint
Servers, providing for application-consistent backups of these servers.
A migration tool is included with VDP 5.1.10 and later releases. This tool handles migration of data and restore
points. Backup jobs cannot be migrated.
vSphere Replication is a separate product included in vSphere. It allows you to configure replication of VMs from a source
site to a target site. It uses snapshots (points-in-time) to transfer delta information to the other side.
Types of replication:
vCenter server (Windows) or VCSA can be used. Possibility to deploy additional VR servers to enhance.
VMware VSAN is supported as target (destination) datastore.
ARCHITECTURE:
Below is an example of an architecture with a single vCenter Server and a single site (multi-site to a shared location,
or two sites in between, is also possible).
From the network perspective it's necessary to set up a VMkernel adapter on each ESXi host which is used as a replication
source, to isolate the replication traffic.
Consolidate VM snapshots - if any VM shows that it needs consolidation, just select and right-click that
particular VM and choose Consolidate.
VDP is VSA based (Linux). The deployment as an OVF is fast and convenient.
Requirements:
NTP - All vSphere hosts and the vCenter Server must have NTP configured properly. The VDP Appliance gets
the correct time through vSphere and must not be configured with NTP.
DNS - create DNS forward and reverse records and check that your vCenter Server responds via
nslookup.
Deploy the OVF file via vSphere Web client to a VMFS5 datastore (to avoid block size limitations).
After the deployment and start-up of the VM, go to the IP address shown on the console.
https://ip_of_vdp:8543/vdp-configure
Login: root
pass: changeme
Follow the assistant; you should have the info pre-filled when you click the Next button...
Continue with the wizard. Test your connection to vCenter to avoid issues...
Create storage. Here you can (but don't have to) check the box "store with appliance" in case you have enough space
on the shared storage datastore you have chosen.
Continue with the assistant until the end. After the setup has finished the appliance will reboot...
It takes up to 15 min to fully set up after the reboot... -:) You'll have to log off and log back in again through the vSphere
Web Client to see this new plugin appear..
Continue...
Choose a VM(s)...
Backup schedule...
Specify retention policy.... Note that this can be changed later. (Think of sizing).
The first backup job has just been created. If you click the Configuration tab, further down you can configure the Backup
window configuration... If not, the default backup starts at 8PM...
Requirements:
Source and target sites must have the vSphere Web Client, and the Client Integration Plugin must be installed as well
Select the vCenter Server instance on which you are deploying vSphere Replication, click Manage > Settings >
Advanced Settings, and verify that the VirtualCenter.FQDN
Network ports - For a list of all the ports that must be open for vSphere Replication, see
http://kb.vmware.com/kb/2087769
Bandwidth - vSphere Replication transfers blocks based on the RPO schedule. If you set an RPO of one hour,
vSphere Replication transfers any block that has changed in that hour to meet that RPO. vSphere Replication
only transfers the block once in its current state at the moment that vSphere Replication creates the bundle
of blocks for transfer. vSphere Replication only registers that the block has changed within the RPO period,
not how many times it changed
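The bandwidth rule above, worked through as an added example (not from the original guide or from VMware): each RPO period ships the set of blocks that changed, however many times each one was written. The write trace is constructed, and the two RPO values compared are the 15 minutes and the one hour mentioned on this page.

```python
from collections import defaultdict


def constructed_trace():
    """Constructed two-hour write trace as (timestamp_seconds, block_number)."""
    hot = [(t, 7) for t in range(0, 7200, 60)]       # block 7 rewritten every minute
    cold = [(600 * i, 100 + i) for i in range(10)]   # ten blocks written once each
    return sorted(hot + cold)


def bundles(writes, rpo_seconds):
    """Group writes into one bundle per RPO period.

    Model of the rule in the text: a block that changed during the period is
    sent once, in its current state, no matter how often it was rewritten.
    """
    changed = defaultdict(set)        # period -> distinct blocks that changed
    guest_writes = defaultdict(int)   # period -> number of writes the guest issued
    for ts, block in writes:
        period = int(ts // rpo_seconds)
        changed[period].add(block)    # set membership: rewrites do not grow the bundle
        guest_writes[period] += 1
    return [
        {"period": p, "guest_writes": guest_writes[p], "blocks_sent": len(changed[p])}
        for p in sorted(changed)
    ]


def summarize(writes, rpo_seconds):
    """Totals over the whole trace for one RPO setting."""
    per_period = bundles(list(writes), rpo_seconds)
    return {
        "guest_writes": sum(b["guest_writes"] for b in per_period),
        "blocks_sent": sum(b["blocks_sent"] for b in per_period),
        "largest_bundle": max((b["blocks_sent"] for b in per_period), default=0),
    }


if __name__ == "__main__":
    trace = constructed_trace()
    for rpo in (900, 3600):           # 15 minutes and one hour
        print(rpo, summarize(trace, rpo))
```

With the same 130 guest writes, the one-hour RPO sends fewer blocks in total than the 15-minute RPO because the frequently rewritten block is shipped once per period, but each bundle is larger.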
See the vSphere Replication 6.0 administration guide, p. 31. Select the cluster and then Actions > Deploy OVF Template >
Local file > Browse... and so on...
If you don't want to rely on DHCP you can use a fixed IP.... Select a network from the list of available networks, set
the IP protocol and IP allocation, and click Next. vSphere Replication supports both DHCP and static IP addresses. You
can also change network settings by using the virtual appliance management interface (VAMI) after installation.
And then
Once done, log off and log back in again to see the VR plugin.
CONFIGURE VMWARE CERTIFICATE AUTHORITY (VMCA) INTEGRATION WITH VSPHERE REPLICATION
You can change the SSL certificate, for example if your company's security policy requires that you use trust by validity
and thumbprint or a certificate signed by a certification authority. You change the certificate by using the virtual
appliance management interface (VAMI) of the vSphere Replication appliance. For information about the SSL
certificates that vSphere Replication uses, see “vSphere Replication Certificate Verification,” on page 45 and
“Requirements When Using a Public Key Certificate with vSphere Replication,” on page 46.
CONFIGURE REPLICATION FOR SINGLE/MULTIPLE VMS
Before this, make sure that you have the permissions.
Step 1: Select VM(s) > Right click > All vSphere Replication Actions > configure Replication
Now if you haven't restarted the vCenter service, you see this (1), because after restart you should see this (2). Also,
you'll get some error on the permissions if you don't restart, and so you won't be able to configure the replication
for your VMs. That "from the field" experience ...
Step 2: Replicate to a vCenter server (or service provider) > select target site > target location...
And enable compression...
Step 3: You can change the RPO settings and enable the Point in time instances on this screen...
But what's interesting is what happens if compression is enabled. Quick quote:
However, if the target ESXi host is earlier than 6.0, vSphere Replication prevents vMotion from moving replication
source VMs to that host because it does not support data compression. This prevents DRS from performing
automated vMotion operations to hosts that do not support compression. Therefore, if you need to move a
replication source VM to an ESXi host earlier than 6.0, before you perform the vMotion operation, you must
reconfigure the replication to disable data compression.
Web client > vSphere replication > Home tab > Monitor > Incoming replication
1. Recover with recent changes - Performs a full synchronization of the virtual machine from the source site to
the target site before recovering the virtual machine. Selecting this option avoids data loss, but it is only
available if the data of the source virtual machine is accessible. You can only select this option if the virtual
machine is powered off.
2. Recover with latest available data - Recovers the virtual machine by using the data from the most recent
replication on the target site, without performing synchronization. Selecting this option results in the loss of
any data that has changed since the most recent replication. Select this option if the source virtual machine is
inaccessible or if its disks are corrupted.
You continue and select folder where you want to recover the VM...
Before you configure a reverse replication, you must unregister the virtual machine from the inventory on the source
site.
Depending on your needs, it's necessary to size your backup solution accordingly. You must take into account the daily
delta changes within your whole environment and see if the product you want to use as a backup solution is suitable. How
does it scale? What are the limitations?
You must also take into account the possible conflicts with other vSphere products you may be using (vSphere
Replication, SRM, vCD....). If you're planning to use VDP, then you should certainly check the vSphere compatibility matrix.
Tools:
VCP6-DCV OBJECTIVE 7.1 - TROUBLESHOOT VCENTER SERVER, ESXI HOSTS, AND VIRTUAL MACHINES
In today's Objective we'll discuss VCP6-DCV Objective 7.1 - Troubleshoot vCenter Server, ESXi Hosts, and Virtual
Machines. You can check the whole VCP6-DCV Study Guide page for all topics there. You can also check the vSphere
6 page where you’ll find many how-to, videos, and tutorials about vSphere 6.
Another troubleshooting chapter today. After we cracked the troubleshooting of vSphere upgrades, and in another
troubleshooting chapter hit the storage and network issues, today we'll hit the troubleshooting of vCenter, ESXi
and VMs.
When something goes wrong with vCenter, only things that rely on vCenter suffer. Things like HA, DRS or FT
continue to work, but you can't manually vMotion a VM if you don't have access to vCenter. It can be that one of
the vCenter services went down or something like that. Today we'll have a look at the different things which can
happen.
vSphere Knowledge
Identify and detect common knowledge base article solutions
You'll find problems (and their resolutions) like the ones below:
For Platform Services Controller node deployments, additional runtime logs are located at
C:\ProgramData\VMware\CIS\runtime\VMwareSTSService\logs
Recursive panic might occur when using ESXi Dump Collector - PSOD. Check release notes.
VCENTER SERVER ON WINDOWS
Collect Installation Logs by Using the Installation Wizard - You can use the Setup Interrupted page of the
installation wizard to browse to the generated .zip file of the
vCenter Server for Windows installation log files. If the installation fails, the Setup Interrupted page appears
with the log collection check boxes selected by default.
The installation files are collected in a .zip file on your desktop, for example,
VMware-VCS-logs-time-of-installation-attempt.zip
You can then unzip the log file located on your desktop and start checking what's wrong.
C:\ProgramData\VMware\vCenterServer\logs
C:\Users\username\AppData\Local\Temp
The files in the %TEMP% directory include vminst.log, pkgmgr.log, pkgmgr-comp-msi.log, and vim-vcs-msi.log
VCENTER APPLIANCE
The full path to the log files is displayed in the vCenter Server Appliance deployment wizard.
1. Log in to the Windows host machine on which you want to download the bundle.
2. Open a Web browser and enter the URL to the support bundle displayed in the DCUI.
https://appliance-fully-qualified-domain-name:443/appliance/support-bundle
If you ran the vc-support.sh script in the vCenter Server Appliance Bash shell, to examine the firstbootStatus.json file,
run
cat /var/log/firstboot/firstbootStatus.json
OR, If connected directly to the ESXi host:
1. Start the vSphere Web Client and log in to the vCenter Server system.
2. Under Inventory Lists, select vCenter Servers.
3. Click the vCenter Server that contains the ESX/ESXi hosts from which you want to export logs.
4. Click the Monitor tab and click System Logs.
5. Click Export System Logs.
1. Select the ESX/ESXi hosts from which you want to export logs.
2. Select the Include vCenter Server and vSphere Web Client logs option. This step is optional.
3. Click Next.
4. Select the system logs that are to be exported.
5. Select Gather performance data to include performance data information in the log files. Note: You can update
the duration and interval time between which you want to collect the data.
6. Click Next.
7. Click Generate Log Bundle. The Download Log Bundles dialog appears when the Generating Diagnostic Bundle
task completes.
1. Click Download Log Bundle to save it to your local computer. Note: The host or vCenter Server generates .zip
bundles containing the log files. The Recent Tasks panel shows the Generate diagnostic bundles task in
progress.
5. Click Generate CSV Report, and click Save.
CLI commands. Depending on what you want to do and which part of the infrastructure you are targeting:
vmkping - simple ping via vmkernel interface (ex. How-to troubleshoot iSCSI connection to your SAN )
vmkfstools - works with VMFS volumes, VMDKs ... (ex Recreate a missing VMDK header file )
esxcli network <namespace> - ( ex. How to create custom ESXi Firewall rule )
esxcli storage <namespace>- ( ex. How to tag disk as SSD VMware esxi 5.x and 6.0 )
esxtop - performance monitoring - (ex. How-to check Queue Depth Of Storage Adapter or Storage Device )
VMware KB Article 1003908 – Troubleshooting a Failed VMware Tools Installation in a Guest Operating
System.
How to remove VMware Tools manually if uninstall or upgrade finish with error
Manual Download of VMware Tools from VMware Website
IDENTIFY VIRTUAL MACHINE CONSTRAINTS
ESXTOP:
davg – average response time for a command sent to the device.
kavg – average time a command spends in the vmkernel.
gavg – response time as it appears to the VM (davg + kavg).
CMD/s – number of IOPS sent to or received from the device or the VM.
VCP6-DCV OBJECTIVE 7.2 - TROUBLESHOOT VSPHERE STORAGE AND NETWORK ISSUES
Today's topic of the VCP6-DCV Study Guide touches on troubleshooting. In case something goes wrong and you lose
connectivity to your application, you will probably have to troubleshoot the underlying VM first, the network second, but
also the storage. When storage is under pressure, your whole infrastructure just slows down and you might
experience disconnections at the VM/application level. VCP6-DCV Objective 7.2 - Troubleshoot vSphere Storage
and Network Issues is today's lesson.
You can also check the vSphere 6 page where you'll find how-tos, news, and videos concerning vSphere 6.x. Last but not
least, my Free Tools page has the most popular tools for VMware and Microsoft. Daily updates of the blog
take time, but we do it with the goal of providing a guide which is helpful for the community and folks learning towards
the VCP6-DCV certification exam. If you find one of those posts useful for your preparation, just share.. -:).
vSphere Knowledge
Guest OS config
Check for disabled/inactive adapters or other unused hardware (if Guest OS has been P2V)
In Windows VM do this:
Click on Start > Run > devmgmt.msc > click + next to network adapters > check if it's not disabled or not present
You can also check the network config like IP address, netmask, default gateway and DNS servers. Make sure that
this information is correct.
On your VM go to Start > Run > CMD > Enter, then type:
set devmgr_show_nonpresent_devices=1
While still in the command prompt window type:
devmgmt.msc
and then open Device Manager and click on the Menu go to View > Show Hidden Devices (like on the pic).
Then you should see which devices are marked as ghosted devices. They are grayed out. You can safely
remove those devices from Device Manager.
Check IP stack - It happened to me several times that the IP stack of a VM was corrupted. The VM has had
intermittent networking connectivity, everything seems to be ok but isn't. You can clear the local cache by
entering this:
ipconfig /renew
For Linux:
dhclient -r
dhclient eth0
I've done a few posts on configuring iSCSI and vSphere (not particularly related to vSphere 6, but those are step-by-steps):
Also check this VMware KB for the Teaming and Failover Policy section in the vSphere Networking guide.
TROUBLESHOOT COMMON STORAGE ISSUES
Storage Issues - Check that the virtual machine has no underlying issues with storage or it is not experiencing
resource contention, as this might result in networking issues with the virtual machine. You can do this by logging
into ESX/ESXi or Virtual Center/vCenter Server using the VI/vSphere Client and logging into the virtual machine
console.
Good doc - Troubleshooting Storage guide (p.55 - p.70) which talks about:
Verify that the virtual machine is configured with two vNICs to eliminate a NIC or a physical configuration issue. To
isolate a possible issue:
If the load balancing policy is set to Default Virtual Port ID at the vSwitch or vDS level:
o Leave one vNIC connected with one uplink on the vSwitch or vDS, then try different vNIC and pNIC
combinations until you determine which virtual machine is losing connectivity.
If the load balancing policy is set to IP Hash:
a. Ensure the physical switch ports are configured as port-channel. For more information on verifying
the configuration on the physical switch, see Sample configuration of EtherChannel / Link aggregation
with ESX/ESXi and Cisco/HP switches (1004048).
b. Shut down all but one of the physical ports the NICs are connected to, and toggle this between all the
ports by keeping only one port connected at a time. Take note of the port/NIC combination where the
virtual machines lose network connectivity.
Load balancing and failover policies - configure the VM with 2 vNICs to eliminate physical NIC problems. Check
esxtop using the n option (for networking) to see which pNIC the virtual machine is using. Try shutting down
the ports on the physical switch one at a time to determine where the virtual machine is losing network
connectivity.
Check the vNIC's connection - check the status of the vNIC, (connected/disconnected) at the VM level AND
also the NIC inside of the Guest OS (activated/deactivated).
Check more in this KB: Troubleshooting virtual machine network connection issues (1003893)
VERIFY A GIVEN VIRTUAL MACHINE IS CONFIGURED WITH THE CORRECT NETWORK RESOURCES
I've already mentioned a few areas above. All or most of the possible problems can be found in this KB - KB 1003893
Same name for port groups - Make sure that the Port Group name(s) associated with the virtual machine's
network adapter(s) exists in your vSwitch or Virtual Distributed Switch and is spelled correctly. Usually if this
isn't done right on per-port group then you have connectivity problems
If beacon probing is used, make sure that you have more than 2 pNICs in the team....
VMware KBs:
invalid argument
Check it out - Using vSphere On-disk Metadata Analyzer (VOMA) to check VMFS metadata consistency (2036767)
Quote:
To perform a VOMA check on a VMFS datastore and send the results to a specific log file, the command
syntax is:
Note: VOMA must be run against the partition and not the device.
Press f to modify the fields that are displayed.
Press b, c, f, and h to toggle the fields and press Enter.
Press s and then 2 to alter the update time to every 2 seconds and press Enter.
Start esxtop by typing esxtop > Press d to switch to disk view (HBA mode).
To view the entire Device name, press SHIFT + L and enter 36 in Change the name field size.
Press f to modify the fields that are displayed.
Press b, c, d, e, h, and j to toggle the fields and press Enter.
Press s and then 2 to alter the update time to every 2 seconds and press Enter.
You should check this community thread, from which I quote the main part because I think that it's very good work
done by the community:
Latency values are reported for all IOs, read IOs and all write IOs. All values are averages over the measurement
interval.
GAVG - This is the round-trip latency that the guest sees for all IO requests sent to the virtual storage device. GAVG
should be close to the R metric in the figure.
KAVG - These counters track the latencies due to the ESX Kernel's command.
The KAVG value should be very small in comparison to the DAVG value and should be close to zero. When there is a
lot of queuing in ESX, KAVG can be as high, or even higher than DAVG. If this happens, please check the queue
statistics, which will be discussed next.
DAVG - This is the latency seen at the device driver level. It includes the roundtrip time between the HBA and the
storage.
DAVG is a good indicator of performance of the backend storage. If IO latencies are suspected to be causing
performance problems, DAVG should be examined. Compare IO latencies with corresponding data from the storage
array. If they are close, check the array for misconfiguration or faults. If not, compare DAVG with corresponding data
from points in between the array and the ESX Server, e.g., FC switches. If this intermediate data also matches DAVG
values, it is likely that the storage is under-configured for the application. Adding disk spindles or changing the RAID
level may help in such cases.
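The KAVG/DAVG reasoning quoted above, turned into a check over esxtop batch output, as an added example (not from the original guide, the community thread or VMware). The capture is constructed; the column names are assumed to follow the perfmon-style CSV that esxtop writes in batch mode (-b), and the 25 ms and 2 ms limits, the host name esx01 and the adapter names are illustrative assumptions, not values from this page.

```python
import csv
import io
import re
from collections import defaultdict
from statistics import mean

# Assumed esxtop batch-mode counter name -> short name used in the text above
COUNTERS = {
    "Average Driver MilliSec/Command": "davg",
    "Average Kernel MilliSec/Command": "kavg",
    "Average Guest MilliSec/Command": "gavg",
    "Average Queue MilliSec/Command": "qavg",
}
# Column layout: \\<host>\Physical Disk Adapter(<adapter>)\<counter>
COLUMN = re.compile(r"^\\\\[^\\]+\\Physical Disk Adapter\(([^)]+)\)\\(.+)$")


def constructed_sample():
    """Build a small constructed capture (not real data): three 2-second samples."""
    header = ["(PDH-CSV 4.0) (UTC)(0)"]
    for adapter in ("vmhba0", "vmhba1"):
        for counter in COUNTERS:
            header.append(r"\\esx01\Physical Disk Adapter(%s)\%s" % (adapter, counter))
    rows = [  # timestamp, vmhba0 davg/kavg/gavg/qavg, vmhba1 davg/kavg/gavg/qavg
        ["01/01/2016 10:00:00", 30, 0.25, 30.25, 0, 4, 8, 12, 7],
        ["01/01/2016 10:00:02", 32, 0.5, 32.5, 0, 5, 9, 14, 8],
        ["01/01/2016 10:00:04", 34, 0.75, 34.75, 0, 6, 10, 16, 9],
    ]
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL)
    writer.writerow(header)
    writer.writerows(rows)
    return out.getvalue()


def adapter_latency(csv_text):
    """Return {adapter: {davg, kavg, gavg, qavg}} averaged over all samples."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    wanted = {}
    for idx, name in enumerate(header):
        match = COLUMN.match(name)
        if match and match.group(2) in COUNTERS:
            wanted[idx] = (match.group(1), COUNTERS[match.group(2)])
    samples = defaultdict(lambda: defaultdict(list))
    for row in reader:
        for idx, (adapter, short) in wanted.items():
            if idx < len(row) and row[idx] != "":   # skip missing cells
                samples[adapter][short].append(float(row[idx]))
    return {a: {k: mean(v) for k, v in c.items()} for a, c in samples.items()}


def gavg_gap(stats):
    """GAVG minus (DAVG + KAVG); should stay near zero if the capture is sane."""
    return {a: s.get("gavg", 0.0) - (s.get("davg", 0.0) + s.get("kavg", 0.0))
            for a, s in stats.items()}


def triage(stats, davg_limit_ms=25.0, kavg_limit_ms=2.0):
    """Apply the order of checks from the quoted thread; limits are assumptions."""
    verdicts = {}
    for adapter, s in stats.items():
        davg, kavg = s.get("davg", 0.0), s.get("kavg", 0.0)
        if kavg >= davg and kavg > kavg_limit_ms:
            # KAVG as high as or higher than DAVG: queuing inside ESXi
            verdicts[adapter] = "queuing in ESXi: check the queue statistics"
        elif davg > davg_limit_ms:
            # Latency comes from below the driver: array, switches, spindles
            verdicts[adapter] = "backend latency: compare DAVG with array and switch data"
        else:
            verdicts[adapter] = "ok"
    return verdicts


if __name__ == "__main__":
    stats = adapter_latency(constructed_sample())
    for adapter, verdict in triage(stats).items():
        print(adapter, stats[adapter], verdict)
```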
MONITOR/TROUBLESHOOT STORAGE DISTRIBUTED RESOURCE SCHEDULER (SDRS) ISSUES
Even when Storage DRS is enabled for a datastore cluster, it might be disabled on some virtual disks in the datastore
cluster.
Check the vSphere, ESXi and vCenter server troubleshooting guide p.47 and p.52.
Storage DRS generates an alarm to indicate that it cannot operate on the datastore.
Problem - Storage DRS generates an event and an alarm and Storage DRS cannot operate.
Cause - The following scenarios can cause vCenter Server to disable Storage DRS for a datastore.
The datastore is shared across multiple data centers - Storage DRS is not supported on datastores that are
shared across multiple data centers. This configuration can occur when a host in one data center mounts a
datastore in another data center, or when a host using the datastore is moved to a different data center.
When a datastore is shared across multiple data centers, Storage DRS I/O load balancing is disabled for the
entire datastore cluster. However, Storage DRS space balancing remains active for all datastores in the
datastore cluster that are not shared across data centers.
The datastore is connected to an unsupported host - Storage DRS is not supported on ESX/ESXi 4.1 and earlier
hosts.
The datastore is connected to a host that is not running Storage I/O Control.
Solution - The datastore must be visible in only one data center. Move the hosts to the same data center or
unmount the datastore from hosts that reside in other data centers.
Ensure that all hosts associated with the datastore cluster are ESXi 5.0 or later.
Ensure that all hosts associated with the datastore cluster have Storage I/O Control enabled.
Tools
The VCP6-DCV exam validates that you have the skills required to successfully install, deploy, scale and manage VMware
vSphere 6. If someone asks you to activate trivia logging you must know how to do it and where.... And this is also
part of today's Objective for the VCP6 exam. Note that Trivia logging (Extended verbose) displays information,
error, warning, verbose, and trivia log entries....
vSphere Knowledge:
Create a Log Bundle
Locate/Analyze VMware Log Bundles
Identify Alternative Methods to Upgrade ESXi Hosts in Event of Failure
Configure vCenter Logging Options
Tools:
Check logs for vCenter server or ESXi- Collecting logs for ESXi and vCenter via Web Client - VMware KB Article
2032892.... or VMware KB Article 1011641 for vCenter.
Create a log bundle.
Collect logs via vSphere Client - VMware KB Article 653
Blog posts from the lab, which gives you step-by-step to follow...
ESXi 5.5 upgrade to 6.0 – via VMware Online Repository Plus few other CLI commands
ESXi Offline Bundle Download – To Upgrade ESXi Free (Internet connection is necessary) [Guide]
Patch ESXi 5.5 to ESXi 6.0 – Lab Time (via vSphere Upgrade bundle OR via ISO) [Guide]
Upgrade ESXi with VMware Update Manager (VUM) – [Guide] – Needs to install VUM first.
How to Upgrade from VCSA 5.5 to 6.0 – Lab Time [Guide]
1. Start the vSphere Web Client and log in to the vCenter Server system.
2. Under Inventory Lists, select vCenter Servers.
3. Click the vCenter Server that contains the ESX/ESXi hosts from which you want to export logs.
4. Click the Monitor tab and click System Logs.
5. Click Export System Logs.
1. Select the ESX/ESXi hosts from which you want to export logs.
2. Select the Include vCenter Server and vSphere Web Client logs option. This step is optional.
3. Click Next.
4. Select the system logs that are to be exported.
5. Select Gather performance data to include performance data information in the log files. Note: You can
update the duration and interval time between which you want to collect the data.
6. Click Next.
7. Click Generate Log Bundle. The Download Log Bundles dialog appears when the Generating Diagnostic Bundle
task completes.
1. Click Download Log Bundle to save it to your local computer. Note: The host or vCenter Server
generates .zip bundles containing the log files. The Recent Tasks panel shows the Generate diagnostic bundles
task in progress.
vm-support
As a result..
A compressed bundle of logs is produced and stored in a file with a .tgz extension in one of these locations:
/var/tmp/
/var/log/
The current working directory
To export the log bundle to a shared VMFS datastore, use this command:
vm-support -f -w /vmfs/volumes/DATASTORE_NAME
Using vm-support command line tool (VMware KB 1010705, Collecting Diagnostic Information Using the
vm-support Command in VMware ESX/ESXi)
How-to obtain vCenter Server Log Bundles (VMware KB 1011641, Collecting Diagnostic Information for
VMware vCenter Server)
By Using PowerCLI (VMware KB 1027932, Collecting Diagnostic Information for VMware vCenter Server and
ESX/ESXi Using the vSphere PowerCLI)
How-to obtain vCenter Server and ESXi Log Bundles (VMware KB 653, Collecting Diagnostic Information for
VMware ESX/ESXi Using the vSphere Client)
Via VUM - vSphere Update Manager. I've done the step-by-step in the lab.
Via Scripted upgrade - not my preferred. Check the steps here in the VMware documentation.
vSphere Auto Deploy - via Auto Deploy you can provision a host with a new image profile which would contain
the ESXi upgrade to 6.0. It would be necessary to use Image Builder. You can check the VCP6-DCV Auto Deploy
Objective here.
ESXCLI - well known for free ESXi. And easy to do.
Interactive Upgrade - An old-fashioned method, but easy. By booting the CD. You'll need to burn a CD first with
the ISO image. Step-by-step here.
vSphere web client > vCenter Inventory Lists > vCenter servers, click vCenter > Manage TAB > Settings > General >
Edit > Logging Settings
The options are:
VCP6-DCV OBJECTIVE 7.4 - TROUBLESHOOT AND MONITOR VSPHERE PERFORMANCE
In today's Objective we'll discuss VCP6-DCV Objective 7.4 - Troubleshoot and Monitor vSphere Performance. You
can check the whole VCP6-DCV Study Guide page for all topics there.
You can also check the vSphere 6 page where you’ll find many how-to, videos, and tutorials about vSphere 6.
Performance is key to everything. When your application is slow, you must check many values to find out what's
going on in your virtual infrastructure.
Is it the underlying VM which is experiencing problems (wrong sizing of CPU, memory, disk...), or is it the underlying
storage system, network or physical CPU of the host? It is quite complex to find out what's going on.
vSphere Knowledge
Select Host, VM, Datastore or network TAB > Below, Select object on the left > Monitor TAB > Tasks.
You can also select cluster, datacenter or vCenter object to see the tasks...
EVENTS
The same for events. Example showing the events at the cluster level. Again, you can choose another object like
host, datastore, VM....
Avg Memory Usage in KB - similar to Average CPU Usage, this should be reported at both Host and Guest levels. It
can give you an indication in terms of who is using the most memory but high usage does not necessarily indicate a
bottleneck. If memory usage is high, check the values for Memory Ballooning/Swapping.
Balloon (KB) - MCTL - Host cannot meet its memory requirements, so there is memory pressure on the host. The
Balloon driver is installed via VMware Tools onto Windows and Linux guests and its job is to force the operating
system of lightly used guests to page out unused memory back to ESX so it can grant more memory to other VMs.
Swap Used KB - if you see values being reported at the Host for Swap, this indicates that memory demands cannot
be satisfied and processes are swapped out to the vSwp file. This is bad, as swapping is the last resort for the
hypervisor to manage the memory... Consider vMotioning some VMs off this host or plan to add
more physical RAM....
Consumed - Consumed memory is the amount of Memory Granted on a Host to its guests minus the amount of
Memory Shared across them. Memory can be over-allocated, unlike CPU, by sharing common memory pages such as
Operating System pages. This metric displays how much Host Physical Memory is actually being used (or consumed)
and includes usage values for the Service Console and VMkernel.
Active - this metric reports the amount of physical memory recently used by the guests on the Host and is displayed
as “Guest Memory Usage” in vCenter at Guest level.
SWR/s (MB) - Rate at which the ESXi host swaps in memory from disk for the resource pool or virtual machine.
SWW/s (MB) - Rate at which the ESXi host swaps resource pool or virtual machine memory to disk.
SWCUR (MB) - Current swap usage by this resource pool or virtual machine.
SWTGT (MB) - Target where the ESXi host expects the swap usage by the resource pool or virtual machine
to be
MCTL? - Check if the memory balloon driver is installed or not. N means no, Y means yes.
MCTLSZ (MB) - Amount of physical memory reclaimed from the resource pool by way of ballooning.
MCTLTGT (MB) - Amount of physical memory the ESXi system attempts to reclaim from the resource pool or
virtual machine by way of ballooning.
MCTLMAX (MB) - Maximum amount of physical memory the ESXi system can reclaim from the resource pool
or virtual machine by way of ballooning. This maximum depends on the guest operating system type.
%USED - Percentage of physical CPU core cycles used by the resource pool, virtual machine, or world. %USED
might depend on the frequency with which the CPU core is running. When running with lower CPU core
frequency, %USED can be smaller than %RUN. On CPUs which support turbo mode, CPU frequency can also
be higher than the nominal (rated) frequency, and %USED can be larger than %RUN. %USED = %RUN +
%SYS - %OVRLP
%RDY - Percentage of time the resource pool, virtual machine, or world was ready to run, but was not provided
CPU resources on which to execute. 100% = %RUN + %RDY + %CSTP + %WAIT
%CSTP - Percentage of time a resource pool spends in a ready, co-deschedule state. NOTE You might see this
statistic displayed, but it is intended for VMware use only.
%SYS - Percentage of time spent in the ESXi VMkernel on behalf of the resource pool, virtual machine, or world
to process interrupts and to perform other system activities. This time is part of the time used to calculate
%USED. %USED = %RUN + %SYS - %OVRLP
%WAIT - Percentage of time the resource pool, virtual machine, or world spent in the blocked or busy wait
state. This percentage includes the percentage of time the resource pool, virtual machine, or world was
idle. 100% = %RUN + %RDY + %CSTP + %WAIT
KAVG (Kernel Average Latency) time an I/O request spent waiting inside the vSphere storage stack.
QAVG (Queue Average latency) time spent waiting in a queue inside the vSphere Storage Stack.
DAVG (Device Average Latency) latency coming from the physical hardware, HBA and Storage device.
High Performance - This power policy maximizes performance, using no power management features. It keeps
CPUs in the highest P-state at all times. It uses only the top two C-states (running and halted), not any of the
deep states (for example, C3 and C6 on the latest Intel processors).
Balanced - This power policy is designed to reduce host power consumption while having little or no impact
on performance. The balanced policy uses an algorithm that exploits the processor’s P-states. Balanced is the
default power policy for ESXi.
Low Power - This power policy is designed to more aggressively reduce host power consumption, through the
use of deep C-states, at the risk of reduced performance.
Custom - This power policy starts out the same as balanced, but it allows individual parameters to be modified.
If the host hardware does not allow the operating system to manage power, only the Not Supported policy is
available. (On some systems, only the High Performance policy is available.)
MONITOR PERFORMANCE THROUGH ESXTOP
Check this community thread ESXTOP. It's excellent!
EVC is short for Enhanced vMotion Compatibility. EVC allows you to migrate virtual machines between different
generations of CPUs. With EVC you can mix older and newer server generations in the same cluster and be able to
migrate virtual machines with vMotion between these hosts. This makes adding new hardware into your existing
infrastructure easier and helps extend the value of your existing hosts.
The architecture has changed as well (there is no more UI VM and Analytics VM like in vCOPS 5.8). The appliance
works in a cluster, and from within the dashboard you’ll be able to deploy/add an additional appliance (node) to the
system to scale out. The solution is highly resilient, using Gemfire to spread the data across at least 2 nodes. At least
two slices hold a copy of the data. If one of the slices fails, another slice takes over.
VREALIZE OPERATION MANAGEMENT SUITE 6.0 – NEW AND IMPROVED FEATURES
The product will newly feature management pack integration (add-ons), which will be delivered by VMware and
partners for specific storage devices. There are 40-50 management packs available on the VMware Solution Exchange,
and those management packs can be installed inside vRealize Operations Manager (vROPS).
From the overview dashboard you can see which problems arise or will arise (in the Risk alerts section). By clicking
the link you can drill down to see the problem.
Overview chart from my lab. Select Host > Monitor TAB > Performance > in the drop-down, choose between Home or
Virtual Machines.
ADVANCED CHARTS
Use advanced charts, or create your own custom charts, to see more performance data. Advanced charts can be useful
when you are aware of a problem but need more statistical data to pinpoint the source of the trouble.
Select Host > Monitor TAB > Performance > Click Advanced
More information. Hover over a data point in a chart and details about that specific data point are displayed.
Customizable charts. Change chart settings. Save custom settings to create your own charts.
Export to spreadsheet.
Save to image file or spreadsheet
Tools
The VCP6-DCV certification exam validates that you have the skills required to successfully install, deploy, scale and
manage VMware vSphere 6 environments.
Check the VCP6-DCV Study Guide [Unofficial] page on my blog for all topics required to pass the exam. Stay tuned
for the PDF version .... Check also other How-to articles, videos, and news concerning vSphere 6 - dedicated vSphere
6 page.
vSphere Knowledge
vSphere HA is very easy to set up and manage and is the simplest high-availability solution available for
protecting virtual workloads.
HA REQUIREMENTS:
Redundant Management Network - Verify that you are using redundant management network connections
for vSphere HA. For information about setting up network redundancy, see “Best Practices for Networking.”
Proper Licensing - vSphere Essentials Plus and higher licensing. Essentials (only) won't do the job...
Minimum 2 hosts in a cluster - HA needs 2 hosts to be able to initiate failover.
Static IP config - Hosts that participate in HA/DRS clusters have to be configured with a static IP address.
Shared Storage - VMs must run on shared storage
Access for all hosts to VM networks and datastores - All hosts shall be able to reach the VMs' networks and
datastores.
VMware tools on VMs - All VMs have to have VMware Tools installed in order to be able to activate VM
Monitoring.
Configure at least two shared datastores - to have redundancy for vSphere HA datastore heartbeating.
ipv6 and ipv4 are supported - vSphere HA supports both IPv4 and IPv6. See “Other vSphere HA
Interoperability Issues,” on page 31 for considerations when using IPv6.
Enable APD Timeout - If you want to use VM Component Protection, hosts must have the All Paths Down
(APD) Timeout feature enabled.
Wants VMCP with HA? - To use VM Component Protection, clusters must contain ESXi 6.0 hosts or later.
DRS REQUIREMENTS:
vCenter server resource management p.63
VMOTION REQUIREMENTS:
Gigabit ethernet for vMotion is a bare minimum - make sure you comply with that
No RDM or MSCS support - Microsoft Cluster service (MSCS) isn't supported.
VMs with CDROM Unattached - You cannot vMotion a VM that is backed by a device that isn't accessible to the
target host, e.g. a CDROM connected to local storage on a host. You must disconnect these devices first. USB
is supported as long as the device is enabled for vMotion.
For VMs with USB - you must enable all USB devices that are connected to the virtual machine from a host for
vMotion. If one or more devices are not enabled for vMotion, migration will fail.
TCP port 8000 - incoming and outgoing firewall port for ESXi hosts, this is a required port for vMotion.
Check the vmkernel network interfaces for the correct network config.
Make sure that EVC in the cluster is configured (if needed) and tested prior to enabling DRS.
Make sure that all hosts within cluster can reach the shared storage and no VMs are left on local storage
somewhere....
Check this section at the vSphere Availability Guide p.29 and p.39
When you change the networking configuration on the ESXi hosts themselves, for example, adding port
groups, or removing vSwitches, suspend Host Monitoring. After you have made the networking configuration
changes, you must reconfigure vSphere HA on all hosts in the cluster, which causes the network information
to be reinspected. Then re-enable Host Monitoring.
On ESXi hosts in the cluster, vSphere HA communications, by default, travel over VMkernel networks. With an ESXi
host, if you wish to use a network other than the one vCenter Server uses to communicate with the host for vSphere
HA, you must explicitly enable the Management traffic check-box.
das.isolationaddress
By default, the network isolation address is the default gateway for the host. Only one default gateway is specified,
regardless of how many management networks have been defined. You should use the das.isolationaddress[...]
advanced option to add isolation addresses for additional networks.
This address is pinged only when heartbeats are not received from any other host in the cluster. If not specified, the
default gateway of the management network is used. This default gateway has to be a reliable address that is
available, so that the host can determine if it is isolated from the network. You can specify multiple isolation
addresses (up to 10) for the cluster:
das.isolationaddressX, where X = 0-9.
Typically you should specify one per management network. Specifying too many addresses makes isolation detection
take too long.
vSphere client...
Host Failures Cluster Tolerates - With the Host Failures Cluster Tolerates admission control policy, VMware
HA ensures that a specified number of hosts can fail and sufficient resources remain in the cluster to fail over
all the virtual machines from those hosts
Percentage of Cluster Resources - You can configure VMware HA to perform admission control by reserving a
specific percentage of cluster resources for recovery from host failures. With the Percentage of Cluster
Resources Reserved admission control policy, VMware HA ensures that a specified percentage of aggregate
cluster resources is reserved for failover.
Specify a Failover Host - when a host fails, VMware HA attempts to restart its virtual machines on a specified
failover host. If this is not possible, for example the failover host itself has failed or it has insufficient resources,
then VMware HA attempts to restart those virtual machines on other hosts in the cluster.
What can go wrong? Hosts disconnected or unconfigured (right click > reconfigure for HA). Also, if you set the "specify
failover host" policy, then you might end up with some VMs not restarted if several hosts fail, as you did not set
enough hosts for failover. I usually use the "percentage of cluster resources" or "host failures cluster tolerates" policies.
If your cluster contains any virtual machines that have much larger reservations than the others, they will distort slot
size calculation. To avoid this, you can specify an upper bound for the CPU or memory component of the slot size by
using the das.slotcpuinmhz or das.slotmeminmb advanced attributes, respectively.
vSphere HA calculates the CPU component by obtaining the CPU reservation of each powered-on virtual
machine and selecting the largest value. If you have not specified a CPU reservation for a virtual machine, it is
assigned a default value of 32MHz. (You can change this value by using the das.vmcpuminmhz advanced
attribute.)
vSphere HA calculates the memory component by obtaining the memory reservation, plus memory overhead,
of each powered-on virtual machine and selecting the largest value. There is no default value for the memory
reservation.
If large VMs are present in the cluster, then you might want to use the "percentage of cluster resources" admission
policy, as you won't need to deal with slot sizes.
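The slot-size rules above, worked through as an added example (not code from the study guide or from VMware). The cluster, VM names and reservation figures are constructed; the slots-per-host division and the multi-slot accounting for oversized VMs follow documented vSphere HA behaviour rather than anything stated on this page.

```python
from dataclasses import dataclass
from math import ceil


@dataclass
class VM:
    name: str
    cpu_res_mhz: int = 0       # 0 = no CPU reservation configured
    mem_res_mb: int = 0        # 0 = no memory reservation configured
    mem_overhead_mb: int = 0
    powered_on: bool = True


def demand(vm, vmcpuminmhz=32, vmmemoryminmb=0):
    """Per-VM (CPU MHz, memory MB) as HA counts it; defaults as stated above."""
    cpu = vm.cpu_res_mhz or vmcpuminmhz
    mem = (vm.mem_res_mb or vmmemoryminmb) + vm.mem_overhead_mb
    return cpu, mem


def slot_size(vms, slotcpuinmhz=None, slotmeminmb=None, **defaults):
    """Largest demand among powered-on VMs, capped by the das.slot* bounds."""
    demands = [demand(vm, **defaults) for vm in vms if vm.powered_on]
    if not demands:
        raise ValueError("slot size is undefined without powered-on VMs")
    cpu = max(c for c, _ in demands)
    mem = max(m for _, m in demands)
    if slotcpuinmhz is not None:
        cpu = min(cpu, slotcpuinmhz)
    if slotmeminmb is not None:
        mem = min(mem, slotmeminmb)
    return cpu, mem


def host_slots(host_cpu_mhz, host_mem_mb, slot):
    """Slots one host can hold: the smaller of the CPU and memory quotients,
    rounded down. A zero-sized component places no limit."""
    pairs = ((host_cpu_mhz, slot[0]), (host_mem_mb, slot[1]))
    limits = [capacity // part for capacity, part in pairs if part]
    return min(limits) if limits else 0


def slots_needed(vm, slot, **defaults):
    """With a capped slot, a VM larger than the slot occupies several slots."""
    cpu, mem = demand(vm, **defaults)
    s_cpu, s_mem = slot
    by_cpu = ceil(cpu / s_cpu) if s_cpu else 1
    by_mem = ceil(mem / s_mem) if s_mem else 1
    return max(1, by_cpu, by_mem)


def failover_capacity(hosts, vms, slotcpuinmhz=None, slotmeminmb=None, **defaults):
    """How many hosts can fail (largest first) while the remaining slots
    still cover every powered-on VM."""
    slot = slot_size(vms, slotcpuinmhz, slotmeminmb, **defaults)
    per_host = sorted((host_slots(c, m, slot) for c, m in hosts), reverse=True)
    needed = sum(slots_needed(vm, slot, **defaults) for vm in vms if vm.powered_on)
    remaining, tolerated = sum(per_host), 0
    for slots in per_host:
        remaining -= slots
        if remaining < needed:
            break
        tolerated += 1
    return tolerated


# Constructed cluster: three hosts of 20000 MHz / 65536 MB, ten small VMs
# without reservations and one database VM with large reservations.
HOSTS = [(20000, 65536)] * 3
VMS = [VM(f"web{i:02d}", mem_overhead_mb=100) for i in range(10)]
VMS.append(VM("db01", cpu_res_mhz=4000, mem_res_mb=16384, mem_overhead_mb=300))

if __name__ == "__main__":
    for label, caps in (("uncapped", {}),
                        ("capped", {"slotcpuinmhz": 500, "slotmeminmb": 1024})):
        slot = slot_size(VMS, **caps)
        print(label, "slot:", slot,
              "slots/host:", host_slots(*HOSTS[0], slot),
              "host failures tolerated:", failover_capacity(HOSTS, VMS, **caps))
```

Without a cap, db01 alone sets the slot size and the cluster cannot tolerate any host failure; with das.slotcpuinmhz and das.slotmeminmb set, db01 is charged 17 slots and the same hardware tolerates two failures.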
NIC teaming is the answer. Redundancy, redundancy.... Use 2 or more pNICs in a team to provide failover possibility.
If possible use separate physical switches to provide redundancy.
INTERPRET THE DRS RESOURCE DISTRIBUTION GRAPH AND TARGET/CURRENT HOST LOAD DEVIATION
Even if VMware is pushing the web client, I feel that the C# client shows more details when you hover with the mouse
over a chart to display the memory utilization of a host within the cluster: you can actually see an individual VM and
how that VM consumes memory on that particular host...
You can access the charts (in vSphere client) from the summary tab when selecting your cluster on the left hand side
first. Click the "View resource distribution chart" link, as on the image below....
This is not the case of vSphere Web client....
The DRS Resource Distribution chart displays CPU or Memory metrics for each of the hosts in the cluster. You can
switch from percentage to megabytes (for memory) or from percentage to megahertz (for CPU).
DRS cluster is load balanced when each of its hosts’ level of consumed resources is equivalent to the others. When
they aren’t, the cluster is considered to be imbalanced and VMs must be relocated to restore the balance.
A cluster might become unbalanced because of uneven resource demands from virtual machines and unequal
capacities of hosts.
The migration threshold is too high - A higher threshold makes the cluster a more likely candidate for load
imbalance.
Affinity/Anti-Affinity Rules - VM/VM or VM/Host DRS rules prevent virtual machines from being moved.
Disabled DRS - DRS is disabled for some VMs...
A device is mounted to one or more virtual machines preventing DRS from moving the virtual machine in order
to balance the load.
Virtual machines are not compatible with the hosts to which DRS would move them. That is, at least one of
the hosts in the cluster is incompatible for the virtual machines that would be migrated. For example, if host
A's CPU is not vMotion-compatible with host B's CPU, then host A becomes incompatible for powered-on
virtual machines running on host B.
It would be more detrimental for the virtual machine's performance to move it than for it to run where it is
currently located. This may occur when loads are unstable or the migration cost is high compared to the
benefit gained from moving the virtual machine.
Unconfigured/disabled vMotion - vMotion is not enabled or set up for the hosts in the cluster.
TROUBLESHOOT VMOTION/STORAGE VMOTION MIGRATION ISSUES
First, check requirements for vMotion/sVMotion.
VMware tools status - Make sure that the VMware Tools installation is not "stuck" in a VM, because it is not
possible to vMotion a VM while VMware Tools is being installed, due to heartbeats.
Source and destination datastores are available - make sure that this applies...
Licensing - sVMotion requires vSphere "standard" licensing...
If RDM is used in physical compatibility mode - no sVMotion or snapshotting of VMs... Virtual machine
snapshots are available for RDMs with virtual compatibility mode only. Physical Compatibility Mode -
VMkernel passes all SCSI commands to the device, with one exception: the REPORT LUNs command is
virtualized so that the VMkernel can isolate the LUN to the owning virtual machine. Otherwise, all physical
characteristics of the underlying hardware are exposed. It allows the guest operating system to access
the hardware directly. A VM with a physical compatibility RDM has limits: you cannot clone such a VM or
turn it into a template. Also sVMotion or cold migration is not possible.
A quick quote from a VMware blog post, which is new (note that sVMotion does not work with such disks):
In vSphere 6.0, you can configure two or more VMs running Windows Server Failover Clustering (or MSCS for pre-
Windows 2012 OSes), using common, shared virtual disks (RDM) among them AND still be able to successfully
vMotion any of the clustered nodes without inducing failure in WSFC or the clustered application. What's the big-
deal about that? Well, it is the first time VMware has ever officially supported such configuration without any third-
party solution, formal exception, or a number of caveats. Simply put, this is now an official, out-of-the-box feature
that does not have any exception or special requirements other than the following:
The VMs must be in "Hardware 11" compatibility mode - which means that you are either creating and
running the VMs on ESXi 6.0 hosts, or you have converted your old template to Hardware 11 and deployed it
on ESXi 6.0
The disks must be connected to virtual SCSI controllers that have been configured for "Physical" SCSI Bus
Sharing mode
And the disk type *MUST* be of the "Raw Device Mapping" type.
Maps are available only when the vSphere Client is connected to a vCenter Server system.
The maps can help you determine such things as which clusters or hosts are most densely populated, which
networks are most critical, and which storage devices are being utilized. vCenter Server provides the
following map views.
You can configure the maximum requested topology entities (helps for large environments) via vSphere client by
going to the Client Menu > Edit > Client settings > Maps TAB
To use legacy Fault Tolerance, you must configure an advanced option for the virtual machine. After you complete
this configuration, the legacy FT VM is different in some ways from other fault tolerant VMs.
If you want/need to use legacy FT, check the requirements.
CPU Requirements - CPUs that are used in host machines for fault tolerant VMs must be compatible with vSphere
vMotion or improved with Enhanced vMotion Compatibility. Also, CPUs that support Hardware MMU virtualization
(Intel EPT or AMD RVI) are required. The following CPUs are supported.
das.maxftvmsperhost
The maximum number of fault tolerant VMs allowed on a host in the cluster. Both Primary VMs and
Secondary VMs count toward this limit. The default value is 4.
das.maxftvcpusperhost
The maximum number of vCPUs aggregated across all fault tolerant VMs on a host. vCPUs from both Primary VMs
and Secondary VMs count toward this limit. The default value is 8.
Tools
CONFIGURE AUTODEPLOY
You must first enable the service. Go to vSphere Web Client > System Configuration > Services > Select Autodeploy >
Actions > Edit Startup Type
This will prompt you for the service settings:
On the vCenter Server Appliance, the Auto Deploy service by default is set to Manual (on Windows it's Disabled). If
you want the Auto Deploy service to start automatically upon OS startup, select Automatic.
CONFIGURE TFTP:
In a vSphere Web Client > Inventory list > select the vCenter Server > Manage tab > Settings > Auto Deploy.
Then click the Download TFTP Boot Zip to download the TFTP configuration file and unzip the file to the directory in
which your TFTP server stores files.
Install a TFTP server (I usually use the free TFTP server from Solarwinds). The installer creates a default directory
which can be changed. I changed mine to c:\tftp to keep it simple. You can configure the option by going to the File >
Configure menu. While there, make sure that you start the service. (Note: you can also go to Windows services to
make the TFTP service start automatically during boot, as by default it has manual start only.)
That’s it for the TFTP server. There is nothing else to play with and we can move on.
So the next step is to click and download the TFTP boot zip files to the c:\tftp directory that we created and set up on our
TFTP server. Unzip the file into the same directory. You should have a view like this:
Once done, we can copy the name of the file (undionly.kpxe.vmw-hardwired) into option 67 on our DHCP server. In
my case I have a Windows DHCP server which sits on my domain controller.
Now you should configure each of your ESXi host's BIOS to boot from network.
The Autodeploy server has the information about the location of the image profile and host profiles, and this information
is specified in the rules that map machines to image profiles and host profiles. When a host boots for the first time, it is
the vCenter server that creates a host object and stores the information in the vCenter DB.
AUTO DEPLOY CMDLETS
There are many more auto deploy cmdlets than the ones I’m using in this post, so here is the full list for reference:
Command - Description
New-DeployRule - Creates a new rule with the specified items and patterns.
Set-DeployRule - Updates an existing rule with the specified items and patterns. Rules that belong to a working ruleset can not be updated.
Add-DeployRule - Adds one or more rules to the working and active ruleset(s). The NoActivate parameter can be specified to add a rule only to the working ruleset.
Remove-DeployRule - Removes one or more rules from the working and active rule set. The rule(s) can be deleted by using the -Delete parameter.
Set-DeployRuleSet - Explicitly sets the list of rules in the working rule set.
Get-DeployRuleSet - Retrieves the current working rule set or active rule set.
Switch-ActiveDeployRuleSet - Activates a rule set so that any new requests are evaluated through the rule set.
Get-VMHostMatchingValues - Retrieves rules matching a pattern. For example, all rules that apply to hosts can be retrieved.
Test-DeployRulesetCompliance - Checks whether items associated with a specified host are in compliance with an active rule set.
Repair-DeployRuleSetCompliance - Updates the image profile, host profile and location for each host in the vCenter Server inventory based on the results of Test-DeployRulesetCompliance.
Apply-EsxImageProfile - Associates the specified image profile with the specified host.
Get-VMHostAttributes - Returns attributes for a host that are used when the Auto Deploy server evaluates the rules.
Stateless caching - Autodeploy does not store ESXi configuration or state on the host disk by default. Rather, an
image profile defines the image that the host is provisioned with, and other host attributes are managed through
host profiles. A host that uses Auto Deploy for stateless caching has to have access to the Autodeploy server and
vCenter server. That's why the vCenter server has to be UP in order to be able to provision those hosts (SPOF???).
Stateful installs - In this case it is possible to provision a host with Auto Deploy and set up the host to store the
image to disk. On subsequent boots, the host boots from disk.
I have done a blog post series covering host profiles, autodeploy...when learning towards the VCAP exam. You
can use it as a guide for preparation for the VCP exam as most things haven't changed...
VMware vSphere Host Profiles – options and troubleshooting
vSphere Knowledge
vSphere web client > Host profiles > Click the Plus sign > Select Host > Enter Name for the host profile > Next >
Finish
TO DELETE HOST PROFILE:
Select the host profile to delete > Actions > delete
Host Profiles can be also used to validate the configuration of a host by checking compliance of a host or cluster against
the Host Profile that is associated with that host or cluster.
IMPORT/EXPORT A HOST PROFILE
It's possible to export a host profile as a *.vpf file (VMware Profile Format) ... As you can see, the administrator's
passwords aren't exported for security reasons.
You will be prompted to re-enter the values for the password after the profile is imported and the password is applied
to a host.
HOW TO EXPORT?
vSphere Web Client > Host Profiles > Select Profile > Actions > Export Host Profile
Web Client > Select Host profile > Actions > Attach/detach Hosts and Clusters
And then on this screen you can select single host or whole cluster...
You can update or change the user input parameters for the Host Profiles policies by customizing the host.
PERFORM COMPLIANCE SCANNING AND REMEDIATION OF AN ESXI HOST USING HOST PROFILES
vSphere host profiles PDF p. 12
You can confirm the compliance of a host or cluster to its attached Host Profile and determine which, if any,
configuration parameters on a host are different from those specified in the Host Profile.
Select the host profile > click the check compliance icon (or go to Actions > Check Host Profile compliance).
To see more detail on compliance failures, select a Host Profile from the Objects tab for which the last compliance
check produced one or more failures. In order to see specific detail on which parameters differ between the host
that failed compliance and the Host Profile, click on the Monitor tab and select the Compliance view. Then, expand
the object hierarchy and select the failing host. The differing parameters are displayed in the Compliance window,
below the hierarchy.
REMEDIATE A HOST
In the event of a compliance failure, use the Remediate function to apply the Host Profile settings onto the host. This
action changes all Host Profile managed parameters to the values contained in the Host Profile attached to the host.
Navigate to the Host profile > Select Monitor Tab > Click Compliance > Right click the host > Host profiles > Remediate
vSphere Documentation and Tools
So another VCP6-DCV topic done. Host profiles with autodeploy are advanced enterprise features/topics which some
of you might not need every day or will never implement, especially Autodeploy as IMHO it introduces SPOF (single
point of failure) - dependent on vCenter server.
But it's just my own opinion and it's also possible to mitigate such a risk by protecting the vCenter server with FT. But
that's another story...
VCP6-DCV OBJECTIVE 8.3 - CONSOLIDATE PHYSICAL WORKLOADS USING VMWARE CONVERTER
The VCP6-DCV blueprint covers a P2V chapter too. This post will cover VCP6-DCV Objective 8.3 - Consolidate Physical
Workloads using VMware Converter. VMware Converter was (and still is) a very popular free tool for P2V or V2V
conversions. This was the first tool I actually started to work with when I first started with datacenter virtualization.
Converting physical systems to VMs is kind of fascinating.
Compared to VCP 5 it seems that for VCP6 there is more material to study and more topics to master. For whole
exam coverage I created a dedicated VCP6-DCV page. Or if you’re not preparing to pass a VCP6-DCV, you might just
want to look at some how-tos, news, and videos about vSphere 6 – check out my vSphere 6 page.
VMware Knowledge
SYSTEM REQUIREMENTS:
Windows - Windows XP Professional (32-bit and 64-bit) SP3 and higher, 2003 srv (x32 and x64) and up to 2012
(not 2012R2 - but I think it'll get updated).
Linux - RHEL 3.x - 6.x, SUSE 9.x - 11.x, Ubuntu 10.04 LTS - 13.04 .... both x32 and 64bit versions.
SUPPORTED FIRMWARE INTERFACES:
Converter Standalone supports BIOS and UEFI sources and the firmware interface is preserved (cannot convert
BIOS to UEFI). For UEFI the supported destination types are Workstation 8.0 and later or ESXi 5.0 and later or vCenter
5.0 and later.
Supported Sources:
POWERED ON:
VMware vCenter VMs - (ESX 4.0 and 4.1), ESXi 4.1, ESXi 4.0, 4.1, 5.0, 5.1, and 5.5, vCenter Server 4.0, 4.1, 5.0,
5.1, and 5.5
VMware Hosted VMs - VMware Workstation 7.x, 8.x, 9.x, and 10.x, VMware Fusion 3.x, 4.x, 5.x, and 6.x,
VMware Player 3.x, 4.x, 5.x, and 6.x
Supported destination types - VMware vCenter Converter Standalone User's Guide p.22
TCP/IP AND UDP PORT REQUIREMENTS FOR CONVERSION
VMware vCenter Converter Standalone User's Guide p.25
Converter server to standalone VM or physical system - TCP - 445, 139, 9089; UDP - 137, 138
Converter to vCenter server - TCP 443
Converter Server to ESXi - TCP 902
Powered on Source machine to ESXi - TCP 443, 902
Linux VM uses additionally port 22 (SSH)
The steps to convert a physical system can be summarized like this (but this is only one of the possible ways;
client-server approaches are possible as well):
1. Install VMware Converter on the Windows/Linux server and click Convert Machine > Powered On machine > This
local machine
2. Select Destination type > choose VMware infrastructure VM > enter vCenter credentials > Put some meaningful
name for your VM
3. Choose Cluster or host > Datastore > Virtual Machine Version > Click Next
4. Click the Advanced link > choose the disk type of your choice (thick or thin). If you do not copy all disks and
maintain layout, volume-based cloning is used (at the block level).
You can also modify other resources which the VM does not need ... like deleting some unwanted NICs or Windows
services, or adjusting the number of vCPUs and memory...
By default, Converter Standalone optimizes the disk partition alignment. Optimizing the partition alignment improves
the performance of the destination virtual machine (it basically means that the process will align the VM to the LUN).
So leave the box checked...
Number of data connections per task - if you are converting systems with multiple disks and volumes, it's possible to
decrease the conversion time by cloning multiple disks and volumes simultaneously. Each data transfer uses a
separate TCP connection. Check Administration > Data connections per Task.
It's possible to synchronize changes after the first conversion has finished, because the source machine continues
to generate data. So the delta changes can be synced and the source VM powered down...
INTERPRET AND CORRECT ERRORS DURING CONVERSION
Troubleshooting when vCenter Converter fails to complete a conversion of a physical or virtual machine.
Testing port connectivity with Telnet (1003487)
Best practices for using and troubleshooting VMware Converter (1004588)
Troubleshooting a virtual machine converted with VMware Converter that fails to boot with the error: STOP
0x0000007B INACCESSIBLE_BOOT_DEVICE (1006295)
Required VMware vCenter Converter 4.x/5.x ports (1010056)
Collecting diagnostic information for VMware Converter (1010633)
TCP and UDP Ports required to access VMware vCenter Server, VMware ESXi and ESX hosts, and other network
components (1012382)
VMware vCenter Converter is unable to see the disks when converting Windows operating systems (1016992)
vCenter Standalone Converter errors when an ESXi 5.x host is selected as a destination: The access to the host
resource settings is restricted. Use the management server as a destination (2012310)
How-to disable SSL in VMware vCenter Converter Standalone to speed up P2V conversions
How-to Reduce VMDK size: VMware Converter
How to use VMware Converter to Synchronize changes when P2V (or V2V)
VMware Converter Best Practices
Those study blog posts are covering topics and objectives from the blueprint from VCP 6 page and are here to help
out with studying towards the VMware Certification Exam VCP6-DCV (Datacenter Virtualization). This exam validates
you have the skills required to successfully install, deploy, scale and manage VMware vSphere 6.
vSphere Knowledge
EXPLAIN ADVANCED VSPHERE HA SETTINGS
vSphere HA Advanced Options do not need to be changed in most environments. The HA advanced settings are
applied at the cluster level.
There is a very good VMware knowledge base article at http://kb.vmware.com/kb/2033250, which is based on
vSphere 5.x but still relevant for vSphere 6.
das.isolationaddress[...] - Sets the address to ping to determine if a host is isolated from the network. This
address is pinged only when heartbeats are not received from any other host in the cluster. If not specified,
the default gateway of the management network is used. This default gateway has to be a reliable address
that is available, so that the host can determine if it is isolated from the network. You can specify multiple
isolation addresses (up to 10) for the cluster: das.isolationaddressX, where X = 0-9. Typically you should specify
one per management network. Specifying too many addresses makes isolation detection take too long.
das.usedefaultisolationaddress - By default, vSphere HA uses the default gateway of the console network as
an isolation address. This option specifies whether or not this default is used (true|false).
das.isolationshutdowntimeout - The period of time the system waits for a virtual machine to shut down
before powering it off. This only applies if the host's isolation response is Shut down VM. Default value is 300
seconds.
das.slotmeminmb - Defines the maximum bound on the memory slot size. If this option is used, the slot size
is the smaller of this value or the maximum memory reservation plus memory overhead of any powered-on
virtual machine in the cluster.
das.slotcpuinmhz - Defines the maximum bound on the CPU slot size. If this option is used, the slot size is the
smaller of this value or the maximum CPU reservation of any powered-on virtual machine in the cluster.
das.vmmemoryminmb - Defines the default memory resource value assigned to a virtual machine if its
memory reservation is not specified or zero. This is used for the Host Failures Cluster Tolerates admission
control policy. If no value is specified, the default is 0 MB.
das.vmcpuminmhz - Defines the default CPU resource value assigned to a virtual machine if its CPU
reservation is not specified or zero. This is used for the Host Failures Cluster Tolerates admission control policy.
If no value is specified, the default is 32MHz.
das.iostatsinterval - Changes the default I/O stats interval for VM Monitoring sensitivity. The default is 120
(seconds). Can be set to any value greater than, or equal to 0. Setting to 0 disables the check. Note: Values of
less than 50 are not recommended since smaller values can result in vSphere HA unexpectedly resetting a
virtual machine.
das.ignoreinsufficienthbdatastore - Disables configuration issues created if the host does not have sufficient
heartbeat datastores for vSphere HA. Default value is false.
das.heartbeatdsperhost - Changes the number of heartbeat datastores required. Valid values can range from
2-5 and the default is 2.
fdm.isolationpolicydelaysec - The number of seconds system waits before executing the isolation policy once
it is determined that a host is isolated. The minimum value is 30. If set to a value less than 30, the delay will
be 30 seconds.
das.respectvmvmantiaffinityrules - Determines if vSphere HA enforces VM-VM anti-affinity rules. Default
value is "false", whereby the rules are not enforced. Can also be set to "true" and rules are enforced (even if
vSphere DRS is not enabled). In this case, vSphere HA does not fail over a virtual machine if doing so violates
a rule, but it issues an event reporting there are insufficient resources to perform the failover.
das.maxresets - The maximum number of reset attempts made by VMCP. If a reset operation on a virtual
machine affected by an APD situation fails, VMCP retries the reset this many times before giving up.
das.maxterminates - The maximum number of retries made by VMCP for virtual machine termination.
das.terminateretryintervalsec - If VMCP fails to terminate a virtual machine, this is the number of seconds the
system waits before it retries a terminate attempt.
das.config.fdm.reportfailoverfailevent - When set to 1, enables generation of a detailed per-VM event when
an attempt by vSphere HA to restart a virtual machine is unsuccessful. Default value is 0. In versions earlier
than vSphere 6.0, this event is generated by default.
vpxd.das.completemetadataupdateintervalsec - The period of time (seconds) after a VM-Host affinity rule is
set during which vSphere HA can restart a VM in a DRS-disabled cluster, overriding the rule. Default value is
300 seconds.
das.config.fdm.memreservationmb - By default vSphere HA agents run with a configured memory limit of 250
MB. A host might not allow this reservation if it runs out of reservable capacity. You can use this advanced
option to lower the memory limit to avoid this issue. Only integers greater than 100, which is the minimum
value, can be specified. Conversely, to prevent problems during master agent elections in a large cluster
(containing 6,000 to 8,000 VMs) you should raise this limit to 325 MB.
Note: Once one of the options is changed, you must run the Reconfigure HA task for all hosts in the cluster.
Also, when a new host is added to the cluster or an existing host is rebooted, this task should be performed
on those hosts in order to update this memory setting.
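The slot-size and range rules in the option list above can be checked before a change is applied. The following is an added example, not code from the original guide or from VMware: the `VM` class, both function names, the sample cluster and the sample option values are constructed for illustration, and the numeric limits are the ones quoted in the list.

```python
from dataclasses import dataclass


@dataclass
class VM:
    name: str
    cpu_reservation_mhz: int
    mem_reservation_mb: int
    mem_overhead_mb: int
    powered_on: bool = True


def to_int(text):
    """Return text as an int, or None when it is not a whole number."""
    try:
        return int(text)
    except ValueError:
        return None


def slot_size(vms, options):
    """Return the (cpu_mhz, mem_mb) slot size as the option list describes it."""
    cpu_default = int(options.get("das.vmcpuminmhz", 32))   # page default: 32 MHz
    mem_default = int(options.get("das.vmmemoryminmb", 0))  # page default: 0 MB
    running = [vm for vm in vms if vm.powered_on]
    # A reservation that is unset or zero falls back to the das.vm*min* default.
    cpu = max((vm.cpu_reservation_mhz or cpu_default for vm in running),
              default=cpu_default)
    mem = max(((vm.mem_reservation_mb or mem_default) + vm.mem_overhead_mb
               for vm in running), default=mem_default)
    # das.slot*in* options are upper bounds: the slot is the smaller value.
    if "das.slotcpuinmhz" in options:
        cpu = min(cpu, int(options["das.slotcpuinmhz"]))
    if "das.slotmeminmb" in options:
        mem = min(mem, int(options["das.slotmeminmb"]))
    return cpu, mem


def audit_options(options):
    """Check proposed values against the ranges quoted in the list above."""
    findings = []
    for key, raw in options.items():
        text = str(raw).strip().lower()
        number = to_int(text)
        if key == "das.heartbeatdsperhost":
            if number is None or not 2 <= number <= 5:
                findings.append(("error", key, "valid values are 2-5"))
        elif key == "fdm.isolationpolicydelaysec":
            if number is None:
                findings.append(("error", key, "must be a number of seconds"))
            elif number < 30:
                findings.append(("warn", key, "below 30: the delay will be 30 s"))
        elif key == "das.iostatsinterval":
            if number is None or number < 0:
                findings.append(("error", key, "must be >= 0"))
            elif number == 0:
                findings.append(("warn", key, "0 disables the I/O stats check"))
            elif number < 50:
                findings.append(("warn", key, "below 50: risk of unexpected VM resets"))
        elif key == "das.config.fdm.memreservationmb":
            # Assumption: the page's wording is read as "100 is the lowest accepted value".
            if number is None or number < 100:
                findings.append(("error", key, "minimum value is 100"))
        elif key == "das.ignoreinsufficienthbdatastore":
            if text == "true":
                findings.append(("warn", key, "heartbeat datastore warning is hidden"))
    return findings


# Constructed sample cluster and option set, for illustration only.
SAMPLE_VMS = [
    VM("web01", 0, 0, 90),
    VM("db01", 2000, 8192, 150),
    VM("old01", 4000, 16384, 200, powered_on=False),
]
SAMPLE_OPTIONS = {
    "das.heartbeatdsperhost": "6",
    "fdm.isolationpolicydelaysec": "10",
    "das.iostatsinterval": "30",
    "das.ignoreinsufficienthbdatastore": "true",
    "das.config.fdm.memreservationmb": "80",
}

if __name__ == "__main__":
    print("slot size without caps:", slot_size(SAMPLE_VMS, {}))
    for level, key, message in audit_options(SAMPLE_OPTIONS):
        print(f"{level:5} {key}: {message}")
```

The powered-off VM is ignored even though it carries the largest reservations, which is why one heavily reserved running VM is usually what inflates the slot size.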
3. Wait for HA to unconfigure, click Edit and check Turn ON vSphere HA.
4. Click OK and wait for the cluster to reconfigure.
Remove the fdm.cfg file on each host in the cluster OR reset the values to defaults on each host in the cluster.
If the master cannot communicate with a slave (it does not receive the heartbeat) but the heartbeat datastore
answers, the server is still working. In that case, the host is partitioned from the network, or isolated. The
datastore heartbeat function helps greatly to tell the difference between a host that has failed and a host that has
just been isolated from the others.
host-xxx-hb files – these files are for the heartbeat datastore. The heartbeat mechanism uses part of the
VMFS volume for regular updates. Each host in the cluster has its own file like this in the .vSphere-HA folder.
protected list file – when you open this file, you’ll see a list of VMs protected by HA. The master host uses
this file for storing the inventory and the state of each VM.
host-xxx-poweron files – this file’s role is to track the running VMs for each host of the cluster. The file is read
by the master host, which will then know if a slave host is isolated from the network. Slave hosts use this poweron
file to tell the master host “hey, I’m isolated”. The content of this file reveals that there can be two states:
zero or one. Zero = not isolated and One = isolated. If the slave host is isolated, the master host informs vCenter.
The .vSphere-HA folder is created only on datastores that are used for datastore heartbeating. You shouldn’t
delete or modify those files. The space used is minimal, depending on the VMFS version used and the number of hosts
that use this datastore for heartbeating. It can be at most about 3 Gb on VMFS 3 and 2Mb on VMFS 5
(maximum and typical usage). The overhead isn’t big either.
No VSAN support
Troubleshooting when vCenter Converter fails to complete a conversion of a physical or virtual machine.
Testing port connectivity with Telnet (1003487)
Best practices for using and troubleshooting VMware Converter (1004588)
Troubleshooting a virtual machine converted with VMware Converter that fails to boot with the error: STOP
0x0000007B INACCESSIBLE_BOOT_DEVICE (1006295)
Required VMware vCenter Converter 4.x/5.x ports (1010056)
Collecting diagnostic information for VMware Converter (1010633)
TCP and UDP Ports required to access VMware vCenter Server, VMware ESXi and ESX hosts, and other network
components (1012382)
VMware vCenter Converter is unable to see the disks when converting Windows operating systems (1016992)
vCenter Standalone Converter errors when an ESXi 5.x host is selected as a destination: The access to the host
resource settings is restricted. Use the management server as a destination (2012310)
How-to disable SSL in VMware vCenter Converter Standalone to speed up P2V conversions
How-to Reduce VMDK size: VMware Converter
How to use VMware Converter to Synchronize changes when P2V (or V2V)
VMware Converter Best Practices
IDENTIFY VIRTUAL MACHINE OVERRIDE PRIORITIES
You can customize settings for each VM in the cluster for VM restart priority, VMCP (see below), Host isolation
response or VM monitoring.
WHERE?
In the vSphere Web Client, browse to the vSphere HA cluster > Manage tab > Settings > Under Settings, select VM
Overrides and click Add > Click the + button to select virtual machines to which to apply the overrides > OK.
If applied at the per-VM level, the settings take priority over the cluster settings, so they can differ from those
of the other VMs. At the same time you can apply DRS rules there (you can see on the image above that I have some
VMs which are not balanced automatically by DRS when Fully automated DRS is configured).
When VMCP is enabled, vSphere can detect datastore accessibility failures, APD (All paths down) or PDL
(Permanent device lost), and then recover affected virtual machines by restarting them on another host in the cluster
which is not affected by this datastore failure. VMCP allows the admin to determine the response that vSphere HA
will make. It can be a simple alarm only, or it can be a VM restart on another host. The latter is perhaps what we’re
looking for. Let HA handle this for us.
Limitations:
VMCP does not support vSphere Fault Tolerance. If VMCP is enabled for a cluster using Fault Tolerance, the
affected FT virtual machines will automatically receive overrides that disable VMCP.
No VSAN support (if VMDKs are located on VSAN then they're not protected by VMCP).
No VVOLs support (same here)
No RDM support (same here)
HOW TO ENABLE?
At the cluster level: in the vSphere Client, select Hosts and clusters > Manage > vSphere HA > Edit > Protect against
Storage Connectivity Loss.
1. Check the box “Protect against Storage Connectivity Loss”
2. Expand the “Failure conditions and VM response”
The second condition allows you to specify what happens. There you have to specify 3 options:
By default it does not restart the VM on another host, so it’s important to do it.
All paths down (APD) - vSphere will restart the VM after a user-configured timeout only if there is enough capacity.
Action? Restart on a healthy host. Reset a VM if APD clears after APD timeout.
Permanent device lost (PDL) - vSphere assumes that the device won’t show up again and is “lost” due to
hardware failure.
If the Host Monitoring or VM Restart Priority settings are disabled, VMCP cannot perform virtual machine restarts.
The VMCP settings have to be changed from their default values because, by default, the Response for APD recovery
after APD is disabled.
You can check settings at the cluster level, but also at the VM level via the VM’s properties, by selecting the VM
in the vSphere Web Client.
Those fine-grained options allow you to react to unpredictable APD and PDL signals when using shared storage within
your environment, and give you significant insurance in case of connectivity problems to your shared storage.
Those study blog posts are covering topics and objectives from the blueprint from VCP 6 page and are here to help
out with studying towards the VMware Certification Exam VCP6-DCV (Datacenter Virtualization). This exam validates
you have the skills required to successfully install, deploy, scale and manage VMware vSphere 6.
vSphere Knowledge
Two Types:
VM-Host (Between a group of virtual machines and a group of hosts) - An affinity rule specifies that the
members of a selected virtual machine DRS group can or must run on the members of a specific host DRS
group. An anti-affinity rule specifies that the members of a selected virtual machine DRS group cannot run on
the members of a specific host DRS group.
VM-VM (Between individual virtual machines) - A rule specifying affinity causes DRS to try to keep the
specified virtual machines together on the same host, for example, for performance reasons. With an anti-
affinity rule, DRS tries to keep the specified virtual machines apart, for example, so that when a problem occurs
with one host, you do not lose both virtual machines.
Requirements:
VM-HOST AFFINITY RULE
A VM-Host affinity rule specifies an affinity relationship between a group of virtual machines and a group of hosts.
There are 'required' rules (designated by "must") and 'preferential' rules (designated by "should").
With an anti-affinity rule, DRS tries to keep the specified virtual machines apart. You could use such a rule if you
want to guarantee that certain virtual machines are always on different physical hosts. In that case, if a problem
occurs with one host, not all virtual machines would be placed at risk.
From the Type menu, select Virtual Machines to Hosts. Select the virtual machine DRS group and the host DRS group
to which the rule applies.
If you select Keep virtual machines together (third option in the image above), you must first create VM/Host
Groups to be able to use this rule (the option close to step 2 on the left-hand side in the picture).
Must run on hosts in group - Virtual machines in VM Group 1 must run on hosts in Host Group A.
Should run on hosts in group - Virtual machines in VM Group 1 should, but are not required to, run on hosts
in Host Group A.
Must not run on hosts in group - Virtual machines in VM Group 1 must never run on host in Host Group A.
Should not run on hosts in group - Virtual machines in VM Group 1 should not, but might, run on hosts in Host
Group A.
To avoid losing the resource pools, instead of disabling DRS, you should suspend it by changing the DRS automation
level to manual (and disabling any virtual machine overrides). This prevents automatic DRS actions, but preserves
the resource pool hierarchy.
There you can check the drop down menu and try to check the:
FT VMs can benefit from DRS (EVC must be enabled) for the best initial placement. If FT VMs are in a cluster with EVC
disabled, then the FT VMs are given the DRS automation level of "disabled".
Then from the drop down menu choose the automation level you need.
Tools
There are many tips and tricks I have published in the past for vSphere 5.x and vSphere 6. You can check the How-to
articles and config/troubleshooting videos on vSphere 5.5/vSphere 6.x on those two WordPress pages.
But today's topic needs some deeper information concerning the VM configuration parameters, including settings like
disabling VM acceleration.
vSphere Knowledge
So start vSphere web client and edit a single VM by going to Select VM > Edit settings > VM Options
General Options - Virtual machine name and location of the virtual machine configuration file and virtual machine
working location. View or change the type and version of the guest operating system.
VMware Remote Console Options - Locking behavior and settings for simultaneous connections.
VMware Tools - Power Controls behavior, VMware Tools scripts, automatic upgrades, and time synchronization
between the guest and host.
Boot Options - You can set the boot delay and other cool stuff here. Virtual machine boot options. Add a delay
before booting, force entry into the BIOS or EFI setup screen, or set reboot options.
Advanced - Advanced virtual machine options.
Fibre Channel NPIV - Virtual node and port World Wide Names (WWNs).
INTERPRET VIRTUAL MACHINE CONFIGURATION FILES (.VMX) SETTINGS
The VMX settings can be changed through the VMs Options > Advanced configuration > Edit configuration
Usually the VMX file is in the same folder as the VM, but it can happen that the VMX files are stored elsewhere. To
check where the files are located, look in General Options, where the path to the location of the virtual
machine configuration file is shown. The path to the virtual machine working location appears in the VM Working
Location text box.
VMs files:
No snapshot support - Snapshots are not supported with PCI vSphere Direct Path I/O devices
No Hot Add - Hot adding and removing of virtual devices
No Suspend and resume
No Record and replay
No FT - No Fault tolerance
No HA - No High availability support either...
DRS? - Kind of. DRS is limited to static..... The VM can be inside a DRS cluster, but cannot be vMotioned...
WHERE TO ENABLE?
Edit Settings > On the Hardware tab, click Select > select PCI Device and click Add > Select the passthrough device to
connect to the virtual machine from the drop-down list > click Next.
DIRECTPATH I/O VS SR-IOV
SR-IOV offers performance benefits and tradeoffs similar to those of DirectPath I/O. DirectPath I/O and SR-IOV have
similar functionality but you use them to accomplish different things.
SR-IOV is beneficial in workloads with very high packet rates or very low latency requirements. Like DirectPath I/O,
SR-IOV is not compatible with certain core virtualization features, such as vMotion. SR-IOV does, however, allow for
a single physical device to be shared amongst multiple guests.
With DirectPath I/O you can map only one physical function to one virtual machine. SR-IOV lets you share a single
physical device, allowing multiple virtual machines to connect directly to the physical function.
Once enabled at the host level, it is accessible to the VM as a physical device... The VM must be turned off
before you start adding the device.
VM settings > Add new device > Network > from the Adapter type drop-down menu, select SR-IOV passthrough.
Then expand the memory section, select Reserve all guest memory (All locked) and click OK. The I/O memory
management unit (IOMMU) must reach all virtual machine memory so that the passthrough device can access the
memory by using direct memory access (DMA).
One of the features that we haven't discussed is Change swap file location. As you know, when a VM is powered
on, the ESXi host creates a VMkernel swap file which allows it to back up the VM's RAM content. The default swap file
(vmname.vswp) location is the same location as the other VM files.
VCP6-DCV OBJECTIVE 10.2 - CREATE AND MANAGE MULTI-SITE CONTENT LIBRARY
The VCP6-DCV Study Guide is here to help you study towards the VCP6-DCV (or delta) exam. Today's topic is new in
vSphere 6: the feature called vSphere Content Library was not present in vSphere 5.5 and made its appearance with the
release of vSphere 6. VCP6-DCV Objective 10.2 - Create and Manage Multi-Site Content Library is today’s lesson. vSphere
Content Library centrally manages virtual machine templates, ISO images, and scripts, and it performs the content
delivery of associated data from the published catalog to the subscribed catalog at other sites.
You can also check the vSphere 6 page, where you’ll find how-to’s, news and videos concerning vSphere 6.x. Last but not
least, there is my Free Tools page with the most popular tools for VMware and Microsoft. Daily updates of the blog
take time, but we do it with the goal of providing a guide which is helpful for the community and folks learning towards
the VCP6-DCV certification exam. If you find one of those posts useful for your preparation, just share.. -:).
Before we start I'd like to point out a screenshot showing the ISO management... (you must select the Other types button..)
Clone existing templates in folders into Content Library (migrate your existing templates into Content Library
with ease)
Clone a VM as a template into Content Library
Import from a web server
Synchronize content from a vCloud Director catalog
Upload contents from file system
A VM template, vApp template or another type of file is considered a library item. Each item can contain several files
(e.g. an OVF has several files: .ovf, .vmdk, .mf, ...); however, the vSphere client shows only the .ovf through the content library.
What are the different types of content libraries?
Local Libraries - A local library stores items in a single vCenter environment. When you publish the local library, other
users from external vCenter servers can subscribe to this library. To protect access, you can configure
password authentication.
Subscribed Libraries - When you subscribe to published library, then you create a subscribed library, which can be
created at the same vCenter server as the original content library or in another vCenter server system.
Pull the content - there are two different ways that you can pull the content out of vSphere content library:
1. Either you can download all the content of the published library after you create the subscribed library
2. You can download only metadata for the items in the subscribed library so you save space.
Permission Requirements
User needs those permissions on the vCenter Server instance where you want to create the library:
Content library > Create local library or Content library > Create subscribed library
Content libraries are not direct children of a vCenter Server system from an inventory perspective. The direct
parent for content libraries is the global root. This means that if you set a permission at a vCenter Server level and
propagate it to the children objects, the permission applies to data centers, folders, clusters, hosts, virtual machines,
and so on, but does not apply to the content libraries that you see and operate with in this vCenter Server instance.
To assign a permission on a content library, an Administrator must grant the permission to the user as a global
permission. Global permissions support assigning privileges across solutions from a global root object.
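The inheritance gap described above can be modeled to find accounts that were granted a role at the vCenter Server level but still have nothing on a content library. This is an added example, not code from the original guide or from VMware: the inventory names, the `Permission` class and the helper functions are constructed, and the model is simplified to direct user assignments in which the closest applicable assignment wins.

```python
from dataclasses import dataclass

# Constructed inventory (child -> parent). Per the text above, the content
# library hangs off the global root, not off the vCenter Server object.
PARENT = {
    "vcenter01": "global-root",
    "datacenter-a": "vcenter01",
    "cluster-1": "datacenter-a",
    "vm-web01": "cluster-1",
    "library-templates": "global-root",
}


@dataclass(frozen=True)
class Permission:
    principal: str
    role: str
    obj: str          # object the permission is set on
    propagate: bool   # "propagate to children" flag


def path_to_root(obj):
    """Yield obj, then each ancestor up to the global root."""
    while obj is not None:
        yield obj
        obj = PARENT.get(obj)


def effective_role(principal, obj, permissions):
    """Role the principal ends up with on obj, or None.

    Simplified model: the closest assignment on the path wins, and an
    assignment on an ancestor counts only when it propagates.
    """
    for depth, node in enumerate(path_to_root(obj)):
        for perm in permissions:
            if perm.principal != principal or perm.obj != node:
                continue
            if depth == 0 or perm.propagate:
                return perm.role
    return None


def library_gaps(permissions, libraries):
    """(principal, library) pairs where an assigned principal has no role."""
    gaps = []
    for principal in sorted({p.principal for p in permissions}):
        for lib in libraries:
            if effective_role(principal, lib, permissions) is None:
                gaps.append((principal, lib))
    return gaps


# Constructed assignments: alice at the vCenter level, bob as a global
# permission, carol as a global permission that does not propagate.
SAMPLE_PERMISSIONS = [
    Permission("alice", "Content Library Administrator", "vcenter01", True),
    Permission("bob", "Content Library Administrator", "global-root", True),
    Permission("carol", "Content Library Administrator", "global-root", False),
]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        for target in ("vm-web01", "library-templates"):
            role = effective_role(user, target, SAMPLE_PERMISSIONS)
            print(f"{user:6} on {target:18}: {role}")
    print("gaps:", library_gaps(SAMPLE_PERMISSIONS, ["library-templates"]))
```

The same walk shows the other side of a global permission: bob's role also reaches vm-web01, so a global grant should carry only the privileges the library work needs.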
See the diagram from VMware vSphere 6.0 Documentation...
SET/CONFIGURE CONTENT LIBRARY ROLES
Content Library Administrator
Content Library Administrator role is a predefined role that gives a user privileges to monitor and manage a library
and its contents.
A user who has this role can perform the following tasks:
You can clone this role or use this role as is and assign this role to the user that shall manage the content library.
Click next to follow the assistant and choose one of the options...
Then again continue with the next button and choose a storage...
Hit next and finish.
vSphere Web Client > vCenter Inventory Lists > Content Libraries > Select library from the list > Actions > Delete >
Confirm
Web Client > vCenter Inventory Lists > Content Libraries > Select a subscribed library from the list, and click the
Related Objects tab. > Synchronize the item you want to use.
On the Templates tab, right-click a VM or a vApp template, and select Synchronize Item > On the Other Types tab,
right-click an item, and select Synchronize Item.
After synchronization completes, the item content and metadata are downloaded to the backing storage of the
subscribed library, and in the Related Objects tab the value for the item in the Stored Content Locally column
changes to Yes.
Tools
You will learn details on the requirements to setup vCloud Air connection, configuration of vCenter server
connection to vCloud Air.
The whole VCP6-DCV Study Guide page. Register for the VCP6-DCV exam here. In addition, you might want to visit
our Free Tools page or vSphere 6 page for latest updates and news concerning vSphere 6 or free tools for IT
administrators.
vSphere Knowledge
Requirements:
Compatible products - vSphere replication appliance 6.0, ESXi 5.0, 5.1.x, 5.5.x or 6.0, vCenter 6.0, vSphere
Web client 6.0
Roles, permissions to the cloud - usually assigned through vCloud Air UI after successfully installing vSphere
replication.
Check that you have VR up and running in your environment
Verify that the Disaster Recovery to Cloud service is enabled in the target cloud organization
Configure connection to the cloud organization.
When you create a connection to the cloud, the vCloud Tunneling Agent in the vSphere Replication appliance creates
a tunnel to secure the transfer of replication data to your cloud Organization.
When a tunnel is created, the vCloud Tunneling Agent opens a port on the vSphere Replication appliance. ESXi hosts
connect to that port to send replication data to a cloud organization. The port is picked randomly from a
configurable range. The default port range is 10000-10010 TCP.
In vSphere Replication, you must establish a connection to your cloud provider before you configure replications to
cloud. The vSphere Replication UI requires you to enter the cloud provider address and the cloud organization name.
Click the VR icon in the vSphere Web Client > on the Home tab, click the Manage button.
The Manage tab should be preselected > click Target Sites > and then click the Connect to a Cloud Provider icon.
A pop-up window shows up where you'll be able to enter the connection details. The information that you need is
included in the subscription email that you receive from VMware vCloud Air.
On the Connection settings page, type the address of your cloud provider, the organization name, and credentials to
authenticate with the cloud. By default, vSphere Replication uses these credentials to establish a user session to the
cloud and for system monitoring purposes. To enable system monitoring, these credentials will be stored in the
vSphere Replication appliance, unless you select to use another user account for system monitoring.
(Optional) If you do not want to store the credentials that you used for authentication, select the Use a different
account for system monitoring check box, and type the credentials to be used for system monitoring. These
credentials are encrypted and stored in the vSphere Replication database.
Click Next > The Connect to a Cloud Provider wizard displays a list of virtual data centers to which you can connect.
If a virtual data center is already connected to the vCenter Server, that data center does not appear in the list. From
the list of virtual data centers, select a target for the connection and click Next > Finish
You'll need the Cloud provider address and Organization name. You can find this information when you connect
to your vCloud Air portal > The Replication tab.
Connection credentials - used for authentication within the cloud organization. The privileges are managed
by the cloud provider. A few rights are required: ManageRight, ViewRight, View Organization Networks,
View Organizations, View organization VDC, View Organization VDC. Credentials to the cloud are
needed for each target site, once per user session. When the authenticated user session to a target site
expires, users are prompted to input their credentials again.
System monitoring credentials - used for system runtime, so the source and destination sites can
communicate with each other. Those credentials are stored in the VR appliance on the source site. The user name
must have the VR role with a few privileges: ManageRight, ViewRight, View organization Networks, View
Organizations, View Organization VDCs.
You can configure replication for a single VM or for multiple VMs at a time, the same way as configuring replication
between hosts in your on-premises environment.
You will be able to set a recovery point objective (RPO) to determine the maximum data loss that you can tolerate.
For example, an RPO of 1 hour seeks to ensure that a virtual machine loses the data for no more than 1 hour during
the recovery. vSphere Replication guarantees crash consistency amongst all the disks that belong to a virtual
machine. (VSS checkbox)
NOTE: By default, when you configure a virtual machine for replication to cloud, its NICs and MAC addresses are
copied automatically to the target site as part of the provisioning of the placeholder virtual machine. If the test
network is not isolated from the production network and these networks have common routing, a test recovery of a
replicated virtual machine might result in duplicate MAC addresses in your virtual data center.
You can check p.16 of the vSphere Replication to the Cloud document for details on how to disable that.
When you configure replication by using vSphere Replication at your source site, the Disaster Recovery service
creates placeholder virtual machines in vCloud Air which represent the virtual machines at your source site.
The placeholders are VMs for which you are testing recovery, and virtual machines recovered to the cloud. A
placeholder virtual machine appears in the VM's tab after the initial full synchronization of replication data from the
source site successfully completes.
Use the Virtual Machines tab to test recovery and recover the virtual machines to the cloud in the event your source
site is unavailable. The status of each placeholder determines what actions are available for that virtual machine
represented. After you test a recovery or recover a virtual machine to the cloud, the Disaster Recovery service
replaces the placeholder with a test or production virtual machine respectively.
If you enable the multiple point in time (MPIT) setting, you can use previous replication points for better control on
failover. It allows you to:
Tools