
vSphere Installation and Configuration

Procedures Guide

vSphere 8.0.x

You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

Copyright © 2023 VMware, Inc. All rights reserved. Copyright and trademark information.

Contents
Purpose and Assumptions
    VMware Products and Versions
    Architecture Models
Procedures
    Preparation
    Deployment and Configuration
    Integrations Deployment and Configuration
References
    vSphere References

Purpose and Assumptions
This document provides step-by-step instructions for installing, configuring and deploying the solution for Customer.

This document is written with the assumption that the administrator who uses these procedures is familiar with the
products being used. It is not intended for administrators without prior knowledge of the concepts and terminology.

This chapter includes the following topics:

• VMware Products and Versions

• Architecture Models

VMware Products and Versions


The following table lists the product versions used in this service. The build numbers here refer to the downloaded
installer version of this guide.

Table 1-1. VMware Products and Versions

VMware Product                       Version Number
VMware ESXi™                         8.0 - Build 20513097
VMware vCenter® Server Appliance™    8.0 - Build 20519528

Architecture Models
Standardization of software configuration improves predictability, supportability and speed of delivery.

VMware designs are comprehensive and cover everything from hardware configuration and specification to detailed
software configuration based on Customer's requirements. They can also cover the required third-party components to
support day 2 operations. The result is a highly available, scalable and robust platform that is vigorously tested.

VMware Professional Services leverages practices that have been rigorously tested and are a part of:

• A VMware Validated Solution Design Guidance

• The VMware Cloud Foundation Design Guidance

• Product Specific Designs as provided by the individual VMware Business Units.

Using these designs introduces standardization through best practices to increase the speed of delivery as well as
consistency during deployment.

Procedures
This section provides step-by-step procedures for common configuration tasks to be performed during the deployment
of the product in Customer's environment.

This chapter includes the following topics:

• Preparation

• Deployment and Configuration

• Integrations Deployment and Configuration

Preparation
This section describes the preparation tasks which are required for the deployment of the solution. It is split up into
technology sections.

ESXi Host Deploy Preparation


This section describes the preparation steps required for the ESXi host installation.

To install or upgrade ESXi, your system must meet specific hardware and software requirements, as described in
the following sections.

ESXi System Storage Overview


ESXi 8.0 has a system storage layout that allows flexible partition management and support for large modules, and
third-party components, while facilitating debugging.

ESXi System Storage

The ESXi 8.0 system storage layout consists of four partitions:

Table 2-1. ESXi system storage partitions

Partition      Use                                                          Type
System Boot    Stores boot loader and EFI modules.                          FAT16
Boot-bank 0    System space to store ESXi boot modules.                     FAT16
Boot-bank 1    System space to store ESXi boot modules.                     FAT16
ESX-OSData     Acts as the unified location to store additional modules.    VMFS-L
               Not used for booting and virtual machines.
               Consolidates the legacy /scratch partition, locker
               partition for VMware Tools, and core dump destinations.

Caution In case the installation media is a USB or an SD card device, best practice is to create
ESX-OSData partitions on a persistent storage device that is not shared between ESXi hosts.

The ESX-OSData volume is divided into two high-level categories of data, persistent and non-persistent data.
Persistent data consists of data written infrequently, for example, VMware Tools ISOs, configurations, and core
dumps.

Non-persistent data consists of frequently written data, for example, logs, VMFS global traces, vSAN Entry
Persistence Daemon (EPD) data, vSAN traces, and real-time databases.

Figure 2-1. Consolidated system storage in ESXi 8.0

ESXi System Storage Sizes

Partition sizes, except for the system boot partition, can vary depending on the size of the boot media used. If the
boot media is a high-endurance one with capacity larger than 142 GB, a VMFS datastore is created automatically to
store virtual machine data.

You can review the boot media capacity and the automatic sizing as configured by the ESXi installer by using the
vSphere Client and navigating to the Partition Details view. Alternatively, you can use ESXCLI, for example the
esxcli storage filesystem list command.

Table 2-2. ESXi System Storage Sizes, Depending on the Used Boot Media and Its Capacity

Boot Media Size    8-10 GB            10-32 GB           32-128 GB          >128 GB
System Boot        100 MB             100 MB             100 MB             100 MB
Boot-bank 0        500 MB             1 GB               4 GB               4 GB
Boot-bank 1        500 MB             1 GB               4 GB               4 GB
ESX-OSData         remaining space    remaining space    remaining space    up to 128 GB
VMFS datastore                                                              remaining space for media size > 142 GB

You can use the ESXi installer boot option systemMediaSize to limit the size of system storage partitions on the
boot media. If your system has a small footprint that does not require the maximum of 128 GB of system storage size,
you can limit it to the minimum of 32 GB. The systemMediaSize parameter accepts the following values:

• min (32 GB, for single disk or embedded servers)

• small (64 GB, for servers with at least 512 GB of RAM)

• default (128 GB)

• max (consume all available space, for multi-terabyte servers)

The selected value must fit the purpose of your system. For example, a system with 1 TB of memory must use the
minimum of 64 GB for system storage. To set the boot option at install time, for example
systemMediaSize=small, refer to Enter Boot Options to Start an Installation or Upgrade Script. For more
information, see Knowledge Base article 81166.

ESXi System Storage Links

The sub-systems that require access to the ESXi partitions access them by using the following symbolic links:

Table 2-3. ESXi system storage symbolic links

System Storage Volume    Symbolic Link
Boot-bank 0              /bootbank
Boot-bank 1              /altbootbank
Persistent data          /productLocker
                         /locker
                         /var/core
                         /usr/lib/vmware/isoimages
                         /usr/lib/vmware/floppies
Non-persistent data      /var/run
                         /var/log
                         /var/vmware
                         /var/tmp
                         /scratch

ESXi Hardware Requirements


Make sure that the host meets the minimum hardware configurations supported by ESXi 8.0.

Hardware and System Resources

To install or upgrade ESXi, your hardware and system resources must meet the following requirements:

• Supported server platform. For a list of supported platforms, see the VMware Compatibility Guide at
http://www.vmware.com/resources/compatibility.

• ESXi 8.0 requires a host with at least two CPU cores.

• ESXi 8.0 supports a broad range of multi-core 64-bit x86 processors. For a complete list of supported
processors, see the VMware Compatibility Guide at http://www.vmware.com/resources/compatibility.

• ESXi 8.0 requires the NX/XD bit to be enabled for the CPU in the BIOS.

• ESXi 8.0 requires a minimum of 8 GB of physical RAM. Provide at least 12 GB of RAM to run virtual
machines in typical production environments.

• To support 64-bit virtual machines, support for hardware virtualization (Intel VT-x or AMD RVI) must be
enabled on x64 CPUs.

• One or more Gigabit or faster Ethernet controllers. For a list of supported network adapter models, see the
VMware Compatibility Guide at http://www.vmware.com/resources/compatibility.

• ESXi 8.0 requires a boot disk of at least 32 GB of persistent storage such as HDD, SSD, or NVMe. A
boot device must not be shared between ESXi hosts.

• SCSI disk or a local, non-network, RAID LUN with unpartitioned space for the virtual machines.

• For Serial ATA (SATA), a disk connected through supported SAS controllers or supported on-board SATA
controllers. SATA disks are considered remote, not local. These disks are not used as a scratch partition by
default because they are seen as remote.

Note You cannot connect a SATA CD-ROM device to a virtual machine on an ESXi host. To use the SATA
CD-ROM device, you must use IDE emulation mode.

Storage Systems
For a list of supported storage systems, see the VMware Compatibility Guide at
http://www.vmware.com/resources/compatibility. Starting with ESXi 8.0, you cannot use software adapters for Fibre
Channel over Ethernet (FCoE), only hardware FCoE adapters.

ESXi Booting Requirements

In vSphere 8.0, support for legacy BIOS is limited and booting ESXi hosts from the Unified Extensible Firmware
Interface (UEFI) is recommended. With UEFI, you can boot systems from hard drives, CD-ROM drives, or USB
media. vSphere Auto Deploy supports network booting and provisioning of ESXi hosts with UEFI. If your
system has supported data processing units (DPU), you can only use UEFI to install and boot ESXi on the DPUs.
For more information on VMware plans to deprecate support for legacy BIOS in server platforms, see
Knowledge Base article https://kb.vmware.com/s/article/84233.

ESXi can boot from a disk larger than 2 TB if the system firmware and the firmware on any add-in card that you are
using support it. See the vendor documentation.

Storage Requirements for ESXi 8.0 Installation or Upgrade

For best performance of an ESXi 8.0 installation, use a persistent storage device that is a minimum of 32 GB for
boot devices. Upgrading to ESXi 8.0 requires a boot device that is a minimum of 8 GB. When booting from a local
disk, SAN or iSCSI LUN, at least a 32 GB disk is required to allow for the creation of system storage volumes,
which include a boot partition, boot banks, and a VMFS-L based ESX-OSData volume. The ESX-OSData volume takes on
the role of the legacy /scratch partition, locker partition for VMware Tools, and core dump destination.

Note In ESXi 8.0, the ESX-OSData volume is considered a unified partition and the separate components, such as
/scratch and VMware Tools, are consolidated into a single persistent OSDATA partition.

Other options for best performance of an ESXi 8.0 installation are the following:

• A local disk of 128 GB or larger for optimal support of ESX-OSData. The disk contains the boot partition,
ESX-OSData volume and a VMFS datastore.

• A device that supports the minimum of 128 terabytes written (TBW).

• A device that delivers at least 100 MB/s of sequential write speed.

• To provide resiliency in case of device failure, a RAID 1 mirrored device is recommended.

Note GB units are 2^30 bytes or 1024*1024*1024 byte multiples.

Legacy SD and USB devices are supported with the following limitations:

• SD and USB devices are supported for boot bank partitions. The use of SD and USB devices for storing
ESX-OSData partitions is being deprecated and best practice is to provide a separate persistent local device
with a minimum of 32 GB to store the ESX-OSData volume. The persistent local boot device can be an
industrial grade M.2 flash (SLC and MLC), SAS, SATA, HDD, SSD, or an NVMe device. The optimal
capacity for persistent local devices is 128 GB.

• If you do not provide persistent storage, you see an alarm such as Secondary persistent device
not found. Please move installation to persistent storage as support for
SD-Card/USB only configuration is being deprecated.

• You must use an SD flash device that is approved by the server vendor for the particular server model on which
you want to install ESXi on an SD flash storage device. You can find a list of validated devices on
partnerweb.vmware.com.

• See Knowledge Base article 85685 on updated guidance for SD card or USB-based environments.

• To choose a proper SD or USB boot device, see Knowledge Base article 82515.

The upgrade process to ESXi 8.0 from versions earlier than 7.x repartitions the boot device and consolidates the
original core dump, locker, and scratch partitions into the ESX-OSData volume.

The following events occur during the repartitioning process:

• If a custom core dump destination is not configured, then the default core dump location is a file in the
ESX-OSData volume.

• If the syslog service is configured to store log files on the 4 GB VFAT scratch partition, the log files in
/var/run/log are migrated to the ESX-OSData volume.

• VMware Tools are migrated from the locker partition and the partition is wiped.

• The core dump partition is wiped. The application core dump files that are stored on the scratch
partition are deleted.

Note Rollback to an earlier version of ESXi is not possible due to the repartitioning process of the boot device. To
use an earlier version of ESXi after upgrading to version 8.0, you must create a backup of the boot device before the
upgrade, and restore the ESXi boot device from the backup.

If you use USB or SD devices to perform an upgrade, best practice is to allocate an ESX-OSData region on an
available persistent disk or a SAN LUN. If persistent storage or a SAN LUN are not available, ESX-OSData is
automatically created on a RAM disk. VMFS can also be used for ESX-OSData partition.

After upgrade, if ESX-OSData resides on a RAM disk and a new persistent device is found on subsequent
boots, and this device has the setting autoPartition=True, ESX-OSData is automatically created on
the new persistent device. ESX-OSData does not move between persistent storage automatically, but you can
manually change the ESX-OSData location on a supported storage.

To reconfigure /scratch, see Set the Scratch Partition from the vSphere Client.

To configure the size of ESXi system partitions, you can use the systemMediaSize option. For more
information, see Knowledge Base article https://kb.vmware.com/s/article/81166.

In Auto Deploy installations, the installer attempts to allocate a scratch region on an available local disk or datastore.
If no local disk or datastore is found, installation fails.

For environments that boot from a SAN or use Auto Deploy, the ESX-OSData volume for each ESXi host must
be set up on a separate SAN LUN.

Recommendations for Enhanced ESXi Performance


To enhance performance, install or upgrade ESXi on a robust system with more RAM than the minimum required and
with multiple physical disks.

For ESXi system requirements, see ESXi Hardware Requirements.

Table 2-4. Recommendations for Enhanced Performance

System Element: RAM
Recommendation: ESXi hosts require more RAM than typical servers. ESXi 8.0 requires a minimum of 8 GB of physical
RAM. Provide at least 12 GB of RAM to take full advantage of ESXi features and run virtual machines in typical
production environments. An ESXi host must have sufficient RAM to run concurrent virtual machines. The following
examples are provided to help you calculate the RAM required by the virtual machines running on the ESXi host.
Operating four virtual machines with Red Hat Enterprise Linux or Windows XP requires at least 3 GB of RAM for
baseline performance. This figure includes 1024 MB for the virtual machines, 256 MB minimum for each operating
system as recommended by vendors.
Running these four virtual machines with 512 MB RAM requires that the ESXi host have 4 GB RAM, which includes
2048 MB for the virtual machines.
These calculations do not include possible memory savings from using variable overhead memory for each virtual
machine. See vSphere Resource Management.

System Element: Dedicated Fast Ethernet adapters for virtual machines
Recommendation: Place the management network and virtual machine networks on different physical network cards.
Dedicated Gigabit Ethernet cards for virtual machines, such as Intel PRO 1000 adapters, improve throughput to
virtual machines with high network traffic.

System Element: Disk location
Recommendation: Place all data that your virtual machines use on physical disks allocated specifically to virtual
machines. Performance is better when you do not place your virtual machines on the disk containing the ESXi boot
image. Use physical disks that are large enough to hold disk images that all the virtual machines use.

System Element: VMFS6 partitioning
Recommendation: The ESXi installer creates the initial VMFS volumes on the first blank local disk found. To add
disks or modify the original configuration, use the vSphere Client. This practice ensures that the starting
sectors of partitions are 64K-aligned, which improves storage performance.
Note For SAS-only environments, the installer might not format the disks. For some SAS disks, it is not possible
to identify whether the disks are local or remote. After the installation, you can use the vSphere Client to set
up VMFS.

System Element: Processors
Recommendation: Faster processors improve ESXi performance. For certain workloads, larger caches improve ESXi
performance.

System Element: Hardware compatibility
Recommendation: Use devices in your server that are supported by ESXi drivers. See the Hardware Compatibility
Guide at http://www.vmware.com/resources/compatibility.

Incoming and Outgoing Firewall Ports for ESXi Hosts


The vSphere Client and the VMware Host Client allow you to open and close firewall ports for each service or to
allow traffic from selected IP addresses.

ESXi includes a firewall that is enabled by default. At installation time, the ESXi firewall is configured to block
incoming and outgoing traffic, except traffic for services that are enabled
in the host's security profile. For the list of supported ports and protocols in the ESXi firewall, see the VMware
Ports and Protocols Tool™ at https://ports.vmware.com/.

The VMware Ports and Protocols Tool lists port information for services that are installed by default. If you install
other VIBs on your host, additional services and firewall ports might become available. The information is primarily
for services that are visible in the vSphere Client but the VMware Ports and Protocols Tool includes some other ports
as well.

Required Free Space for System Logging

If you used Auto Deploy to install your ESXi 8.0 host, or if you set up a log directory separate from the default
location in a scratch directory on the VMFS volume, you might need to change your current log size and rotation
settings to ensure that enough space is available for system logging.

All vSphere components use this infrastructure. The default values for log capacity in this infrastructure vary,
depending on the amount of storage available and on how you have configured system logging. Hosts that are
deployed with Auto Deploy store logs on a RAM disk, which means that the amount of space available for logs is
small.

If your host is deployed with Auto Deploy, reconfigure your log storage in one of the following ways:

• Redirect logs over the network to a remote collector.

• Redirect logs to a NAS or NFS store.

If you redirect logs to non-default storage, such as a NAS or NFS store, you might also want to reconfigure log sizing
and rotations for hosts that are installed to disk.

You do not need to reconfigure log storage for ESXi hosts that use the default configuration, which stores logs in a
scratch directory on the VMFS volume. For these hosts, ESXi 8.0 configures logs to best suit your installation, and
provides enough space to accommodate log messages.

Table 2-5. Recommended Minimum Size and Rotation Configuration for hostd, vpxa, and fdm Logs

Log                                             Maximum Log File Size    Number of Log Files to Preserve    Minimum Disk Space Required
Management Agent (hostd)                        10 MB                    10                                 100 MB
VirtualCenter Agent (vpxa)                      5 MB                     10                                 50 MB
vSphere HA agent (Fault Domain Manager, fdm)    5 MB                     10                                 50 MB

For information about setting up a remote log server, see #unique_13.

ESXi Passwords and Account Lockout


For ESXi hosts, you must use a password with predefined requirements. You can change the required
length and the character class requirement or allow pass phrases using the
Security.PasswordQualityControl advanced system setting. You can also set the number of passwords
to remember for each user using the Security.PasswordHistory advanced system setting.

Note The default requirements for ESXi passwords can change from one release to the next. You can
check and change the default password restrictions by using the Security.PasswordQualityControl advanced
system setting.

ESXi Passwords

ESXi enforces password requirements for access from the Direct Console User Interface, the ESXi Shell, SSH, or
the VMware Host Client.

• By default, you must include a mix of at least three from the following four character classes: lowercase
letters, uppercase letters, numbers, and special characters such as underscore or dash when you create a
password.

• By default, password length is at least 7 characters and less than 40.

• Passwords must not contain a dictionary word or part of a dictionary word.

• Passwords must not contain the user name or parts of the user name.

Note An uppercase character that begins a password does not count toward the number of character classes used. A
number that ends a password does not count toward the number of character classes used. A dictionary word used
inside a password reduces the overall password strength.

Example ESXi Passwords

The following password candidates illustrate potential passwords if the option is set as follows.

retry=3 min=disabled,disabled,disabled,7,7

With this setting, a user is prompted up to three times (retry=3) for a new password that is not sufficiently
strong or if the password was not entered correctly twice. Passwords with one or two character classes and
pass phrases are not allowed, because the first three items are deactivated. Passwords from three- and
four-character classes require seven characters. See the pam_passwdqc man page for details on other options,
such as max, passphrase, and so on.

With these settings, the following passwords are allowed.

• xQaTEhb!: Contains eight characters from three character classes.

• xQaT3#A: Contains seven characters from four character classes.

The following password candidates do not meet requirements.

• Xqat3hi: Begins with an uppercase character, reducing the effective number of character classes to two.
The minimum number of required character classes is three.

• xQaTEh2: Ends with a number, reducing the effective number of character classes to two. The minimum
number of required character classes is three.

ESXi Pass Phrase

Instead of a password, you can also use a pass phrase. However, pass phrases are deactivated by default. You
can change the default setting and other settings by using the Security.PasswordQualityControl
advanced system setting from the vSphere Client.

For example, you can change the option to the following.

retry=3 min=disabled,disabled,16,7,7

This example allows pass phrases of at least 16 characters and at least three words.

For legacy hosts, changing the /etc/pam.d/passwd file is still supported, but changing the file is
deprecated for future releases. Use the Security.PasswordQualityControl advanced system setting
instead.
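
The password rules and the two example settings above can be worked through in code. The following Python sketch is an added example, not VMware's code and not part of the original guide: it is a simplified model of how a Security.PasswordQualityControl string classifies candidate passwords. The function names are hypothetical, the pass phrase is a constructed sample, and dictionary, user name, similarity and maximum-length checks are left out.

```python
import re

DISABLED = float("inf")  # "disabled": no length is ever long enough


def parse_quality_control(option):
    """Parse a Security.PasswordQualityControl string into a policy dict."""
    # Default of three words matches the pass phrase example on this page.
    policy = {"retry": 3, "passphrase": 3, "min": None}
    for token in option.split():
        key, _, value = token.partition("=")
        if key == "min":
            fields = value.split(",")
            if len(fields) != 5:
                raise ValueError("min= needs five comma-separated values")
            policy["min"] = [DISABLED if f == "disabled" else int(f) for f in fields]
        elif key in ("retry", "passphrase"):
            policy[key] = int(value)
        # Other options (max, similar, ...) are ignored by this model.
    if policy["min"] is None:
        raise ValueError("option string has no min= setting")
    return policy


def effective_classes(password):
    """Count character classes, discounting a leading uppercase letter
    and a trailing digit as described in the note on this page."""
    counts = {"lower": 0, "upper": 0, "digit": 0, "other": 0}
    for ch in password:
        if ch.islower():
            counts["lower"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["other"] += 1
    if password[:1].isupper():
        counts["upper"] -= 1
    if password[-1:].isdigit():
        counts["digit"] -= 1
    return sum(1 for n in counts.values() if n > 0)


def count_words(password):
    """Assumption of this model: a word is a run of ASCII letters."""
    return len(re.findall(r"[A-Za-z]+", password))


def check_password(password, policy):
    """Return (allowed, reason) for one candidate under the parsed policy."""
    n0, n1, n2, n3, n4 = policy["min"]
    by_classes = {1: n0, 2: n1, 3: n3, 4: n4}
    length = len(password)
    classes = effective_classes(password)
    # A candidate may also qualify under the rule for fewer classes.
    for k in range(classes, 0, -1):
        if length >= by_classes[k]:
            return True, f"meets the minimum length for {k} character class(es)"
        if (k == 2 and policy["passphrase"] > 0
                and count_words(password) >= policy["passphrase"]
                and length >= n2):
            return True, "accepted as a pass phrase"
    return False, f"{classes} effective class(es), length {length}: no rule satisfied"


if __name__ == "__main__":
    strict = parse_quality_control("retry=3 min=disabled,disabled,disabled,7,7")
    phrases = parse_quality_control("retry=3 min=disabled,disabled,16,7,7")
    # The first four candidates are the ones listed on this page;
    # the pass phrase is a constructed sample.
    candidates = ["xQaTEhb!", "xQaT3#A", "Xqat3hi", "xQaTEh2",
                  "correct horse battery staple"]
    for name, policy in (("passwords only", strict), ("pass phrases on", phrases)):
        for candidate in candidates:
            allowed, reason = check_password(candidate, policy)
            print(f"{name:16} {candidate!r:32} {'allow' if allowed else 'deny':6} {reason}")
```

Run against a proposed setting before applying it to a host, this shows which of a set of test passwords the new minimums would accept; it does not replace testing on the host itself.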

Changing Default Password Restrictions

You can change the default restriction on passwords or pass phrases by using the
Security.PasswordQualityControl advanced system setting for your ESXi host. See the vCenter Server
and Host Management documentation for information on changing ESXi advanced system settings.

You can change the default, for example, to require a minimum of 15 characters and a minimum number of four
words (passphrase=4), as follows:

retry=3 min=disabled,disabled,15,7,7 passphrase=4

See the man page for pam_passwdqc for details.

Note Not all possible combinations of password options have been tested. Perform testing after you change the
default password settings.

This example sets the password complexity requirement to require eight characters from four character classes
that enforce a significant password difference, a remembered history of five passwords, and a 90 day rotation
policy:

min=disabled,disabled,disabled,disabled,8 similar=deny

Set the Security.PasswordHistory option to 5 and the Security.PasswordMaxDays option to 90.

ESXi Account Lockout Behavior

Account locking is supported for access through SSH and through the vSphere Web Services SDK. The Direct
Console User Interface (DCUI) and the ESXi Shell do not support account lockout. By default, a maximum of five
failed attempts is allowed before the account is locked. The account is unlocked after 15 minutes by default.

Configuring Login Behavior

You can configure the login behavior for your ESXi host with the following advanced system settings:

• Security.AccountLockFailures. Maximum number of failed login attempts before a user's account
is locked. Zero deactivates account locking.

• Security.AccountUnlockTime. Number of seconds that a user is locked out.

• Security.PasswordHistory. Number of passwords to remember for each user. Zero
deactivates password history.

See the vCenter Server and Host Management documentation for information on setting ESXi advanced
options.

Preparing for Installing ESXi


Before you install ESXi, determine the installation option that is suitable for your environment and prepare for the
installation process.

Download the ESXi Installer

Download the installer for ESXi. You can obtain the software either from an OEM or from the VMware download
portal at https://customerconnect.vmware.com/.

Prerequisites

Create a VMware Customer Connect account at https://customerconnect.vmware.com/.

Procedure

1 Log in to VMware Customer Connect.

2 Navigate to Products and Accounts > All Products.

3 Find VMware vSphere and click Download Product.

4 Select a VMware vSphere version from the Select Version drop-down menu.

5 Select a version of VMware vSphere Hypervisor (ESXi) and click GO TO DOWNLOADS.

6 Download an ESXi ISO image.

7 Confirm the SHA256 checksum.

Note vSphere 8.0 removes insecure default ciphers such as SHA1 and MD5 and replaces them with secure
ciphers such as SHA256.

For an evaluation copy of ESXi, go to https://www.vmware.com/try-vmware.html.

For more information on ESXi downloads, see VMware knowledge base article
https://kb.vmware.com/s/article/2107518.

For product patches to ESXi, see VMware knowledge base article 1021623 or go to
https://my.vmware.com/group/vmware/patch.

Required Information for ESXi Installation

In an interactive installation, the system prompts you for the required system information. In a scripted installation,
you must supply this information in the installation script.

For future use, note the values you use during the installation. These notes are useful if you must reinstall ESXi and
reenter the values that you originally selected.

Table 2-6. Required Information for ESXi Installation

Information: Keyboard layout
Required or Optional: Required
Default: U.S. English

Information: VLAN ID
Required or Optional: Optional
Default: None
Comments: Range: 0 through 4094

Information: IP address
Required or Optional: Optional
Default: DHCP
Comments: You can allow DHCP to configure the network during installation. After installation, you can change the
network settings.

Information: Subnet mask
Required or Optional: Optional
Default: Calculated based on the IP address

Information: Gateway
Required or Optional: Optional
Default: Based on the configured IP address and subnet mask

Information: Primary DNS
Required or Optional: Optional
Default: Based on the configured IP address and subnet mask

Information: Secondary DNS
Required or Optional: Optional
Default: None

Information: Host name
Required or Optional: Required for static IP settings
Default: None
Comments: The vSphere Client can use either the host name or the IP address to access the ESXi host.

Information: Install location
Required or Optional: Required
Default: None
Comments: Must be at least 5 GB if you install the components on a single disk.

Information: Migrate existing ESXi settings. Preserve existing VMFS datastore.
Required or Optional: Required if you are installing ESXi on a drive with an existing ESXi installation.
Default: None
Comments: If you have an existing ESXi 5.x installation, the ESXi installer offers a choice between preserving or
overwriting the VMFS datastore during installation

Information: Root password
Required or Optional: Required
Default: None
Comments: The root password must contain between 8 and 40 characters. For information about passwords see
the vSphere Security documentation.

Media Options for Booting the ESXi Installer

The ESXi installer must be accessible to the system on which you are installing ESXi. The following boot media
are supported for the ESXi installer:

• Boot from a CD/DVD. See Download and Burn the ESXi Installer ISO Image to a CD or DVD.

• Boot from a USB flash drive. See #unique_20.

• Boot from a network. #unique_21

• Boot from a remote location using a remote management application. See #unique_22

Download and Burn the ESXi Installer ISO Image to a CD or DVD


If you do not have an ESXi installation CD/DVD, you can create one.

You can also create an installer ISO image that includes a custom installation script. See #unique_23.

Procedure

1 Follow the procedure Download the ESXi Installer.

2 Burn the ISO image to a CD or DVD.

vCenter Server Deploy Preparation


This section describes the preparation steps required for the vCenter Server installation.

To install or upgrade vCenter Server, your system must meet specific hardware and software requirements, as
described in the following sections.

System Requirements for the vCenter Server Appliance


You can deploy the vCenter Server appliance on an ESXi host 6.7 or later, or on a vCenter Server instance 6.7 or
later. Your system must also meet specific software and hardware requirements.

When you use Fully Qualified Domain Names, verify that the client machine from which you are deploying the
appliance and the network on which you are deploying the appliance use the same DNS server.

Before you deploy the appliance, synchronize the clocks of the target server and all vCenter Server instances on the
vSphere network. Unsynchronized clocks might result in authentication problems and can cause the installation to
fail or prevent the appliance services from starting. See Synchronizing Clocks on the vSphere Network.

Storage Requirements for the vCenter Server Appliance

When you deploy the vCenter Server appliance, the ESXi host or DRS cluster on which you deploy the appliance
must meet minimum storage requirements. The required storage depends not only on the size of the vSphere
environment and the storage size, but also on the disk provisioning mode.

The storage requirements are different for each vSphere environment size and depend on your database size
requirements.

| Environment | Default Storage Size | Large Storage Size | X-Large Storage Size |
|---|---|---|---|
| Tiny environment (up to 10 hosts or 100 virtual machines) | 579 GB | 1992 GB | 4279 GB |
| Small environment (up to 100 hosts or 1,000 virtual machines) | 694 GB | 2046 GB | 4304 GB |
| Medium environment (up to 400 hosts or 4,000 virtual machines) | 908 GB | 2140 GB | 4468 GB |
| Large environment (up to 1,000 hosts or 10,000 virtual machines) | 1358 GB | 1958 GB | 4518 GB |
| X-Large environment (up to 2,000 hosts or 35,000 virtual machines) | 2283 GB | 2383 GB | 4620 GB |

Note The storage requirements include the requirements for the vSphere Lifecycle Manager that runs as a service in
the vCenter Server appliance.

Software Requirements for the vCenter Server Appliance

The VMware vCenter Server appliance can be deployed on ESXi 6.7 hosts or later, or on vCenter Server instances
6.7 or later.

You can deploy the vCenter Server appliance using the GUI or CLI installer. You run the installer from a network
client machine that you use to connect to the target server and deploy the appliance on the server. You can connect
directly to an ESXi 6.7 host on which to deploy the appliance. You can also connect to a vCenter Server 6.7 instance
to deploy the appliance on an ESXi host or DRS cluster that resides in the vCenter Server inventory.

For information about the requirements for the network client machine, see System Requirements for the vCenter
Server Installer.

Required Ports for vCenter Server

The vCenter Server system must be able to send data to every managed host and receive
data from the vSphere Client. To enable migration and provisioning activities between managed hosts, the source and
destination hosts must be able to receive data from each other through predetermined TCP and UDP ports.

vCenter Server is accessed through predetermined TCP and UDP ports. If you manage network components from
outside a firewall, you might be required to reconfigure the firewall to allow access on the appropriate ports. For the
list of all supported ports and protocols in vSphere, see the VMware Ports and Protocols Tool™ at
https://ports.vmware.com.

During installation, if a port is in use or is blocked using a denylist, the vCenter Server installer displays an error
message. You must use another port number to proceed with the installation. There are internal ports that are used
only for inter-process communication.

VMware uses designated ports for communication. Additionally, the managed hosts monitor designated ports for data
from vCenter Server. If a built-in firewall exists between any of these elements, the installer opens the ports during
the installation or upgrade process. For custom firewalls, you must manually open the required ports. If you have a
firewall between two managed hosts and you want to perform source or target activities, such as migration or cloning,
you must configure a means for the managed hosts to receive data.

To configure the vCenter Server system to use a different port to receive vSphere Client data, see the vCenter
Server and Host Management documentation.

DNS Requirements for the vCenter Server Appliance

When you deploy the vCenter Server appliance with a static IP address, you ensure that in case of system restart, the
IP address of the appliance remains the same.

Before you deploy the vCenter Server appliance with a static IP address, you must verify that this IP address has a
valid internal domain name system (DNS) registration.

When you deploy the vCenter Server appliance, the installation of the web server component that supports the
vSphere Client fails if the installer cannot look up the fully qualified domain name (FQDN) for the appliance from its
IP address. Reverse lookup is implemented using PTR records.

If you plan to use an FQDN for the appliance system name, you must verify that the FQDN is resolvable by a DNS
server, by adding a forward (A) record and a reverse (PTR) record.

You can use the nslookup command to verify that the DNS reverse lookup service returns an FQDN when
queried with the IP address and to verify that the FQDN is resolvable.

nslookup -nosearch -nodefname FQDN_or_IP_address

If you use DHCP instead of a static IP address for the vCenter Server appliance, verify that the appliance name is
updated in the domain name service (DNS). If you can ping the appliance name, the name is updated in DNS.

Ensure that the ESXi host management interface has a valid DNS resolution from the vCenter Server and all
vSphere Client instances. Ensure that the vCenter Server has a valid DNS resolution from all ESXi hosts and
vSphere Client.
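
The forward and reverse verification described in this section can be scripted and run before deployment. The following is an added example, not part of the VMware guide: it uses the Python standard library resolver calls, and the function names, host names and addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
import socket


def forward_lookup(fqdn):
    """Addresses the system resolver returns for fqdn (A/AAAA records)."""
    try:
        infos = socket.getaddrinfo(fqdn, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    # Drop any IPv6 scope suffix such as "%eth0" before comparing.
    return {info[4][0].split("%")[0] for info in infos}


def reverse_lookup(ip):
    """Names the system resolver returns for ip (PTR records)."""
    try:
        name, aliases, _addrs = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return set()
    return {name, *aliases}


def _norm(name):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return name.rstrip(".").lower()


def check_appliance_dns(fqdn, ip, forward=forward_lookup, reverse=reverse_lookup):
    """Return a list of problems; an empty list means forward and reverse agree."""
    problems = []
    want_name = _norm(fqdn)
    want_ip = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    if "." not in want_name:
        problems.append(f"{fqdn} is a short name, not an FQDN")

    addrs = {ipaddress.ip_address(a) for a in forward(fqdn)}
    if not addrs:
        problems.append(f"no forward record: {fqdn} does not resolve")
    elif want_ip not in addrs:
        found = ", ".join(sorted(map(str, addrs)))
        problems.append(f"forward mismatch: {fqdn} resolves to {found}, not {ip}")

    names = {_norm(n) for n in reverse(ip)}
    if not names:
        # This is the case in which the installer cannot look up the FQDN from the IP.
        problems.append(f"no PTR record: {ip} has no reverse lookup")
    elif want_name not in names:
        found = ", ".join(sorted(names))
        problems.append(f"reverse mismatch: {ip} points to {found}, not {fqdn}")
    return problems


# Constructed zone data (not real records) so the check also runs offline.
SAMPLE_A = {
    "vcsa01.lab.example": {"192.0.2.10"},
    "vcsa02.lab.example": {"192.0.2.11"},
}
SAMPLE_PTR = {
    "192.0.2.10": {"VCSA01.lab.example."},    # same name, different case and root dot
    "192.0.2.11": {"old-host.lab.example."},  # stale PTR left over from an earlier host
}


def sample_forward(name):
    return SAMPLE_A.get(_norm(name), set())


def sample_reverse(ip):
    return SAMPLE_PTR.get(ip, set())


def check_sample(fqdn, ip):
    """Run the check against the constructed zone data instead of live DNS."""
    return check_appliance_dns(fqdn, ip, forward=sample_forward, reverse=sample_reverse)


if __name__ == "__main__":
    for fqdn, ip in [("vcsa01.lab.example", "192.0.2.10"),
                     ("vcsa02.lab.example", "192.0.2.11"),
                     ("vcsa03.lab.example", "192.0.2.12")]:
        issues = check_sample(fqdn, ip)
        print(fqdn, ip, "OK" if not issues else issues)
```

Call check_appliance_dns(fqdn, ip) without the forward and reverse arguments to query the resolver of the machine you run it on; run it from the deployment client and from a host on the target network, because both must use the same DNS server.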

vSphere Client Software Requirements

Use of the vSphere Client requires a supported web browser.

VMware has tested and supports the following guest operating systems and browser versions for the vSphere
Client.

Supported Guest Operating Systems

 Windows 32-bit and 64-bit

 Mac OS

Supported Browser Versions

 Google Chrome 89 or later

 Mozilla Firefox 80 or later

 Microsoft Edge 90 or later

Note Later versions of these browsers are likely to work, but have not been tested.

Preparing for Deployment of the vCenter Server Appliance


Before you deploy the vCenter Server appliance, you must download the vCenter Server installer ISO file and
mount it to a network virtual machine or physical server from which you want to perform the deployment.

The machine from which you deploy the appliance must run on a Windows, Linux, or Mac operating system that
meets the operating system requirements. See System Requirements for the vCenter Server Installer.

System Requirements for the vCenter Server Installer

You can run the vCenter Server GUI or CLI installer from a network client machine that is running on a Windows,
Linux, or Mac operating system of a supported version.

To ensure optimal performance of the GUI and CLI installers, use a client machine that meets the minimum hardware
requirements.

Table 2-7. System Requirements for the GUI and CLI Installers

| Operating System | Supported Versions | Minimum Hardware Configuration for Optimal Performance |
|---|---|---|
| Windows | Windows 10, 11; Windows 2016 x64 bit; Windows 2019 x64 bit; Windows 2022 x64 bit | 4 GB RAM, 2 CPU having 4 cores with 2.3 GHz, 32 GB hard disk, 1 NIC |
| Linux | SUSE 15; Ubuntu 18.04, 20.04, 21.10 | 4 GB RAM, 1 CPU having 2 cores with 2.3 GHz, 16 GB hard disk, 1 NIC. Note The CLI installer requires 64-bit OS. |
| Mac | macOS 10.15, 11, 12; macOS Catalina, Big Sur, Monterey | 8 GB RAM, 1 CPU having 4 cores with 2.4 GHz, 150 GB hard disk, 1 NIC |

Note For client machines that run on Mac 10.15 or later, concurrent GUI deployments of multiple appliances are
unsupported. You must deploy the appliances in a sequence.

Note Visual C++ redistributable libraries need to be installed to run the CLI installer on versions of Windows
older than Windows 10. The Microsoft installers for these libraries are located in the
vcsa-cli-installer/win32/vcredist directory.

Note Deploying the vCenter Server appliance with the GUI requires a minimum resolution of 1024x768 to properly
display. Lower resolutions can truncate the UI elements.

Download and Mount the vCenter Server Installer

VMware releases the vCenter Server appliance ISO image, which contains GUI and CLI installers for the vCenter
Server appliance.

With the GUI and CLI executable files that are included in the vCenter Server installer, you can:

 Deploy the vCenter Server appliance.

 Upgrade the vCenter Server appliance.

 Converge older versions of vCenter Server with an external Platform Services Controller to the current version
of vCenter Server.

 Restore a vCenter Server appliance from a file-based backup.

Prerequisites

 Create a Customer Connect account at https://my.vmware.com/web/vmware/.

 Verify that your client machine meets the system requirements for the vCenter Server installer. See System
Requirements for the vCenter Server Installer.

Procedure

1 Log in to VMware Customer Connect.

2 Navigate to Products and Accounts > All Products.

3 Find VMware vSphere and click View Download Components.

4 Select a VMware vSphere version from the Select Version drop-down.

5 Select a version of VMware vCenter Server and click GO TO DOWNLOADS.

6 Download the vCenter Server appliance ISO image.

7 Confirm that the md5sum is correct by using an MD5 checksum tool.

8 Mount the ISO image to the client machine from which you want to deploy, upgrade, migrate, or restore the
appliance.

Note ISO mounting software that does not allow more than eight directory levels, for example, MagicISO
Maker on Windows, is unsupported.

For Linux OS and Mac OS, Archive Manager is unsupported.

For Mac OS, you can use DiskImageMounter.


For Ubuntu 14.04, you can use Disk Image Mounter.

For SUSE 12 OS, you can use the terminal.

$ sudo mkdir mount_dir


$ sudo mount -o loop VMware-vCSA-all-version_number-build_number.iso mount_dir

Important Due to a security change in macOS Catalina, you must modify the security settings on your
computer until the vCenter Server deployment completes. If you attempt to run the installer under macOS
Catalina without modifying the security settings, the vCenter Server installer reports the error: ovftool
cannot be opened because the developer cannot be verified. For more information, see KB
79416.
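
The checksum confirmation in step 7 can be done with a short script before the image is mounted. This is an added example, not part of the VMware guide: it accepts the published value either bare or in md5sum-style "digest  filename" form and, going beyond the MD5 named in the step, also recognises SHA-1 and SHA-256 values by their length, on the assumption that the download page lists them. The function names and the sample file are constructed.

```python
import hashlib
import hmac
import os
import tempfile

# Digest length in hex characters -> hashlib algorithm name.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def file_digest(path, algo, chunk=1024 * 1024):
    """Hash the file in 1 MiB chunks so a multi-gigabyte ISO is never held in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_published(value):
    """Accept 'digest' or 'digest  filename'; return (algorithm, lowercase hex digest)."""
    parts = value.split()
    token = parts[0].lower() if parts else ""
    algo = ALGO_BY_HEX_LEN.get(len(token))
    if algo is None or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("published value is not an MD5, SHA-1 or SHA-256 hex digest")
    return algo, token


def verify_iso(path, published):
    """Return (matches, algorithm, actual digest) for the file at path."""
    algo, expected = parse_published(published)
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual, expected), algo, actual


def demo():
    """Check a constructed 3-byte stand-in for the ISO, then an altered copy of it."""
    md5_abc = "900150983CD24FB0D6963F7D28E17F72  sample.iso"   # md5sum-style, upper case
    sha256_abc = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.iso")
        with open(path, "wb") as fh:
            fh.write(b"abc")
        good_md5 = verify_iso(path, md5_abc)[0]
        good_sha256 = verify_iso(path, sha256_abc)[0]
        with open(path, "ab") as fh:
            fh.write(b"!")          # simulate a truncated, corrupted or altered download
        altered = verify_iso(path, md5_abc)[0]
    return good_md5, good_sha256, altered


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:          # usage: script.py <iso path> <published digest>
        ok, algo, actual = verify_iso(sys.argv[1], sys.argv[2])
        print(f"{algo}: {actual} -> {'match' if ok else 'MISMATCH, do not mount'}")
        sys.exit(0 if ok else 1)
    print(demo())
```

An MD5 match shows that the download is not corrupted, but MD5 is not collision-resistant, so compare against the SHA-256 value when one is published.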

What to do next

Open the readme.txt file and review the information about the other files and directories in the vCenter Server
appliance ISO image.

Synchronizing Clocks on the vSphere Network

Verify that all components on the vSphere network have their clocks synchronized. If the clocks on the physical
machines in your vSphere network are not synchronized, SSL certificates and SAML tokens, which are
time-sensitive, might not be recognized as valid in communications between network machines.

Unsynchronized clocks can result in authentication problems, which can cause the installation to fail or prevent
the vCenter Server vmware-vpxd service from starting.

Time inconsistencies in vSphere can cause the first boot of a component in your environment to fail at different
services depending on where in the environment time is not accurate and when the time is synchronized. Problems
most commonly occur when the target ESXi host for the destination vCenter Server is not synchronized with NTP
or PTP. Similarly, issues can arise if the destination vCenter Server migrates to an ESXi host set to a different time
due to fully automated DRS.

To avoid time synchronization issues, ensure that the following is correct before installing, migrating, or upgrading
a vCenter Server instance.

 The target ESXi host where the destination vCenter Server is to be deployed is synchronized to NTP or PTP.

 The ESXi host running the source vCenter Server is synchronized to NTP or PTP.

 When upgrading or migrating from vSphere 6.7 to vSphere 8.0, if the vCenter Server appliance is
connected to an external Platform Services Controller, ensure the ESXi host running the external
Platform Services Controller is synchronized to NTP or PTP.

 If you are upgrading or migrating from vSphere 6.7 to vSphere 8.0, verify that the source vCenter Server or
vCenter Server appliance and external Platform Services Controller have the correct time.

Verify that any Windows host machine on which vCenter Server runs is synchronized with the Network Time
Protocol (NTP) server. See the VMware knowledge base article at https://kb.vmware.com/s/article/1318.

To synchronize ESXi clocks with an NTP or a PTP server, you can use the VMware Host Client. For information
about editing the time configuration of an ESXi host, see the topic Edit the Time Configuration of an ESXi Host in
the VMware Host Client in the vSphere Single Host Management - VMware Host Client documentation.

To learn how to change time synchronization settings for vCenter Server, see the topic Configure the System
Time Zone and Time Synchronization Settings in the vCenter Server Configuration documentation.

To learn how to edit the time configuration for a host by using the vSphere Client, see the topic Editing the Time
Configuration Settings of a Host in the vCenter Server and Host Management documentation.

System Clock Synchronization Between the Client and Server

To establish a secure TLS connection to a vCenter Server (the server), the system clock of the machine on which
you run the CLI installer (the client) must not be slower or faster than the server's system clock by more than an
acceptable limit (tolerance).

See Table 2-8. Client Clock Tolerance for specific values for each deployment scenario.

Note The client clock values are applicable only for vCenter Server 6.7 and later.

Table 2-8. Client Clock Tolerance

| Deployment Scenario | Clock Tolerance | Connection Notes |
|---|---|---|
| Linking one vCenter Server with another vCenter Server | When deploying the second vCenter Server, the clock tolerance for the client and the first vCenter Server must not exceed 10 minutes. | |
| Installing a vCenter Server appliance using a container vCenter Server with a *._on_vc.json template. | The maximum clock tolerance between the client and the container vCenter Server is 8 hours 20 minutes. | |
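
The limits in Table 2-8 can be checked from the client before the CLI installer is started. This is an added example, not part of the VMware guide: it reads the server clock from the HTTP Date header of an HTTPS response, which assumes that the vCenter Server sends one, and the function names, scenario labels and sample timestamps are constructed.

```python
import http.client
import ssl
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Limits from Table 2-8, in seconds. The keys are labels chosen for this example.
TOLERANCE_SECONDS = {
    "link to existing vCenter Server": 10 * 60,
    "container vCenter Server (*._on_vc.json)": (8 * 60 + 20) * 60,
}


def fetch_date_header(host, port=443, timeout=10):
    """Return the raw HTTP Date header from https://host/ (None if the server sends none)."""
    ctx = ssl.create_default_context()  # load the vCenter CA with ctx.load_verify_locations() if needed
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Date")
    finally:
        conn.close()


def skew_seconds(date_header, client_now=None):
    """Client clock minus server clock in seconds (positive: the client is ahead)."""
    if not date_header:
        raise ValueError("server sent no Date header")
    server = parsedate_to_datetime(date_header)
    if server.tzinfo is None:           # a "-0000" zone parses as naive; HTTP dates are UTC
        server = server.replace(tzinfo=timezone.utc)
    now = client_now or datetime.now(timezone.utc)
    return (now - server).total_seconds()


def evaluate(skew):
    """Map each Table 2-8 scenario to True when the absolute skew is within its limit."""
    return {name: abs(skew) <= limit for name, limit in TOLERANCE_SECONDS.items()}


# Constructed sample: one server Date header and three client clock readings.
SAMPLE_DATE = "Tue, 14 Mar 2023 10:00:00 GMT"
SAMPLE_CLIENT_CLOCKS = [
    "2023-03-14T09:51:00+00:00",   # client 9 minutes behind
    "2023-03-14T10:25:00+00:00",   # client 25 minutes ahead
    "2023-03-14T18:20:01+00:00",   # client 8 h 20 min 1 s ahead
]


def demo():
    """Return {client clock: (skew in seconds, per-scenario verdict)} for the samples."""
    results = {}
    for iso in SAMPLE_CLIENT_CLOCKS:
        skew = skew_seconds(SAMPLE_DATE, datetime.fromisoformat(iso))
        results[iso] = (skew, evaluate(skew))
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:               # usage: script.py <vCenter FQDN>
        try:
            skew = skew_seconds(fetch_date_header(sys.argv[1]))
        except ssl.SSLCertVerificationError as exc:
            # A clock outside the certificate validity window fails here first.
            sys.exit(f"TLS verification failed: {exc}")
        print(f"skew {skew:+.0f} s", evaluate(skew))
    else:
        for clock, (skew, verdict) in demo().items():
            print(clock, f"{skew:+.0f} s", verdict)
```

The Date header has one-second resolution and includes network latency, which is negligible against limits measured in minutes.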

Prerequisites for Deploying the vCenter Server Appliance


To ensure a successful deployment of the vCenter Server appliance, you must perform some required tasks and
pre-checks before running the installer.

General Prerequisites

 Download and Mount the vCenter Server Installer.

Target System Prerequisites

 Verify that your system meets the minimum software and hardware requirements. See System Requirements
for the vCenter Server Appliance.

 If you want to deploy the appliance on an ESXi host, verify that the ESXi host is not in lockdown or
maintenance mode and not part of a fully automated DRS cluster.

 If you want to deploy the appliance on a DRS cluster of the inventory of a vCenter Server instance,
verify that the cluster contains at least one ESXi host that is not in lockdown or maintenance mode.

 If you plan to use NTP servers for time synchronization, verify that the NTP servers are running and that the
time between the NTP servers and the target server on which you want to deploy the appliance is synchronized.

 If you want to deploy the appliance on a vSAN ESA cluster with vSAN ESA encryption, you must
enable vSAN ESA encryption before installing vCenter Server. vSAN Express Storage Architecture is a
next-generation architecture designed to get the most out of high-performance storage devices, resulting in
greater performance and efficiency. You can enable vSAN ESA encryption through vSAN SDK or vSAN API.

vCenter Enhanced Linked Mode Prerequisites

When deploying a new vCenter Server as part of an Enhanced Linked Mode deployment, create an image-based
backup of the existing vCenter Server nodes in your environment. You can use the backup as a precaution in case
there is a failure during the deployment process.

If the deployment fails, delete the newly deployed vCenter Server appliance, and restore the vCenter Server nodes
from their respective image-based backups. You must restore all the nodes in the environment from their
image-based backups. Failing to do so can cause the replication partners to be out of synchronization with the
restored node.

 To learn more about creating vCenter Enhanced Linked Mode deployments, see #unique_37.

 To learn about image-based backups, see #unique_38.

Network Prerequisites

If you plan to assign a static IP address and an FQDN as a system name in the network settings of the appliance,
verify that you have configured the forward and reverse DNS records for the IP address.

vSphere Network Infrastructure Deploy Preparation


This section describes the preparation steps required for the vSphere Network Infrastructure deployment.

Prior to starting the installation and configuration of the vSphere Network Infrastructure, the following preparation
steps are required:

 ESXi host hardware must have the appropriate network connectivity in the datacenter provisioned
and connected.

 Appropriate IP addresses, DNS, VLANs, and the like should be available, assigned, and configured as
required for the design.

vSphere Storage Infrastructure Deploy Preparation


This section describes the preparation steps required for the vSphere Storage Infrastructure deployment.

Prior to starting the installation and configuration of the vSphere Storage Infrastructure, the following preparation
steps are required:

 External storage systems should be provisioned, and appropriate configuration of LUNs, zoning, and the like
should be available for configuration of the storage. This guide provides only the configuration steps that are
specific to VMware products and required for a generic storage setup.

 Storage vendor should be contacted to ensure their best practices are being followed.

High Availability Deploy Preparation


This section describes the preparation steps required for the High Availability Deployment.

Prior to starting the installation and configuration of High Availability, the following preparation steps are required:

 No steps are required to prepare for vSphere HA Deployment.

 For vCenter Server HA, the following prerequisites apply:

Consultant Note Remove this section if vCenter HA will not be deployed.

 The vCenter Server Appliance that later becomes the Active node has been deployed. vCenter for
Windows is not supported.

 Appropriate access and privileges have been granted to modify that vCenter Server Appliance and
the ESXi host on which it runs.

 During network setup, static IP addresses for the management network are required. The management and
cluster network addresses must be IPv4 or IPv6. They cannot be mixed.

 If Fault Tolerance will be configured, the following prerequisites apply:

Consultant Note Remove this section if Fault Tolerance is not in the engagement.

 Fault Tolerance Network must be available and configured.

Dynamic Resourcing Deploy Preparation


This section describes the preparation steps required for the Dynamic Resourcing Deployment.

Prior to starting the installation and configuration of DRS, the following preparation steps are required:

 VMware vMotion network must be configured and available.

Virtual Machine Deploy Preparation


This section describes the preparation steps required for the Virtual Machine Deployment.

Prior to starting the installation and configuration of the virtual machine configurations, the following preparation
steps are required:

 Sizing and Operating System details for the templates must be decided.

vSphere+ Deploy Preparation

This section describes the preparation steps for activating vSphere+.

Prior to starting the deployment and configuration of vSphere+, make sure that the following steps are completed:

 The latest version of the vCenter Cloud Gateway Appliance has been downloaded.

 The vSphere+ System requirements are met.

 The network latency and bandwidth requirements are met. For details see the Configuration Maximums page
for vSphere.

 Network ports have been opened as appropriate for your given configuration. Details can be found in the Port
Requirements section of the vCenter Cloud Gateway Requirements Page.

Deployment and Configuration


This section describes the deployment details for the product.

ESXi Host Deployment and Configuration


A VMware vSphere implementation involves multiple VMware software components.

The first building block of the deployment is the ESXi host. Installing an ESXi host creates a virtualization layer that
runs on physical servers and abstracts processor, memory, storage, and other resources that one or more virtual
machines can consume, and is generally required to build the rest of the infrastructure. This may include vCenter
Server but could also include many other optional modules or products.

For more information, refer to the product documentation available on the VMware vSphere 8.0 Documentation
Center Web site (https://docs.vmware.com/en/VMware-vSphere/index.html). This section describes how to install and
configure ESXi Hosts.

Installing ESXi Interactively


Use the interactive installation option for small deployments of fewer than five hosts.

In a typical interactive installation, you boot the ESXi installer and respond to the installer prompts to install ESXi
to the local host disk. The installer reformats and partitions the target disk and installs the ESXi boot image. If you
have not installed ESXi on the target disk before, all data on the drive is overwritten, including hardware vendor
partitions, operating system partitions, and associated data.

Note To ensure that you do not lose any data, migrate the data to another machine before you install ESXi.

If you are installing ESXi on a disk that contains a previous installation of ESXi or ESX, or a
VMFS datastore, the installer provides you with options for upgrading. See the vSphere Upgrade
documentation.

Install ESXi Interactively

You use the ESXi CD/DVD or a USB flash drive to install the ESXi software onto a SAS, SATA, SCSI hard drive, or
USB drive.

Prerequisites

 You must have the ESXi installer ISO in one of the following locations:

 On CD or DVD. If you do not have the installation CD/DVD, you can create one. See Download
and Burn the ESXi Installer ISO Image to a CD or DVD

 On a USB flash drive. See #unique_20.

Note You can also PXE boot the ESXi installer to run an interactive installation or a scripted installation. See
#unique_21.

 Verify that the server hardware clock is set to UTC. This setting is in the system BIOS or UEFI.

 Verify that a keyboard and monitor are attached to the machine on which the ESXi software is installed.
Alternatively, use a remote management application. See #unique_22.

 Consider disconnecting your network storage. This action decreases the time it takes the installer to search for
available disk drives. When you disconnect network storage, any files on the disconnected disks are
unavailable at installation.

Do not disconnect a LUN that contains an existing ESX or ESXi installation. Do not disconnect a VMFS
datastore that contains the Service Console of an existing ESX installation. These actions can affect the
outcome of the installation.

 Gather the information required by the ESXi installation wizard. See Required Information for ESXi
Installation.

 Verify that ESXi Embedded is not present on the host machine. ESXi Installable and ESXi
Embedded cannot exist on the same host.

Procedure

1 Insert the ESXi installer CD/DVD into the CD/DVD-ROM drive, or attach the Installer USB flash drive and
restart the machine.

2 Set the BIOS or UEFI to boot from the CD-ROM device or the USB flash drive.

Note If your system has supported NVIDIA or Pensando data processing units (DPUs), you can only use
UEFI to install and boot ESXi on the DPUs.

See your hardware vendor documentation for information on changing boot order.
After scanning for available devices completes, if your system has supported DPUs, you see them listed with
their respective PCI slots.

3 If your system has supported DPUs, select the DPU on which you want to install ESXi and press Enter.

In the DPU Details screen, you see all properties of the DPU device.

With vSphere 8.0, if your system has supported DPUs, always consider the installation, re-installation or
upgrade of ESXi on the DPUs in lockstep with ESXi on hosts.

4 On the Select a Disk to Install or Upgrade ESXi page, select the drive on which to install ESXi, and press
Enter.

Press F1 for information about the selected disk.

Note Do not rely on the disk order in the list to select a disk. The disk order is determined by the BIOS or
UEFI and might be out of order. This might occur on systems where drives are continuously being added and
removed.

If you select a disk that contains data, the Confirm Disk Selection page appears.

If you are installing on a disk with a previous ESXi or ESX installation or VMFS datastore, the installer provides
several choices.

Important If you are upgrading or migrating an existing ESXi installation, see the VMware ESXi
Upgrade documentation.

If you select a disk that is in a vSAN disk group, the resulting installation depends on the type of disk and the
group size:

 If you select an SSD, the SSD and all underlying HDDs in the same disk group are wiped.

 If you select an HDD, and the disk group size is greater than two, only the selected HDD is wiped.

 If you select an HDD disk, and the disk group size is two or less, the SSD and the selected HDD are
wiped.

For more information about managing vSAN disk groups, see the vSphere Storage
documentation.

If you select an SD or USB device, you see a warning that prompts you to select a persistent disk to store the
ESXi-OSData partition. In the Select a Disk to store ESX OSData screen, select a persistent storage device
with a minimum of 32 GB of available space.

5 Select the keyboard type for the host.

You can change the keyboard type after installation in the direct console.

6 Enter the root password for the host.

You can change the password after installation in the direct console.

7 Press F11 to confirm the start of the installation.

8 When the installation is complete, remove the installation CD, DVD, or USB flash drive.

9 Press Enter to reboot the host.

10 Set the first boot device to be the drive on which you installed ESXi in Step 4.

For information about changing boot order, see your hardware vendor documentation.

Note UEFI systems might require additional steps to set the boot device. See #unique_49.

Results

After the installation is complete, you can migrate existing VMFS data to the ESXi host.

You can boot a single machine from each ESXi image. Booting multiple devices from a single shared ESXi image
is not supported.

What to do next

Set up basic administration and network configuration for ESXi. See #unique_50.

Setting Up ESXi

These topics provide information about using the direct console user interface and configuring defaults for ESXi.

Managing ESXi Remotely

You can use the VMware Host Client, the vSphere Client and vCenter Server to manage your ESXi hosts.

For instructions about downloading and installing vCenter Server and the vCenter Server components, see vCenter
Server Installation and Setup. For information about installing the VMware Host Client, see vSphere Single
Host Management.

About the Direct Console ESXi Interface

Use the direct console interface for initial ESXi configuration and troubleshooting.

Connect a keyboard and monitor to the host to use the direct console. After the host completes the autoconfiguration
phase, the direct console appears on the monitor. You can examine the default network configuration and change
any settings that are not compatible with your network environment.

Key operations available to you in the direct console include:

 Configuring hosts

 Setting up administrative access

 Troubleshooting

You can also use vSphere Client to manage the host by using vCenter Server.

Table 2-9. Navigating in the Direct Console

| Action | Key |
|---|---|
| View and change the configuration | F2 |
| Change the user interface to high-contrast mode | F4 |
| Shut down or restart the host | F12 |
| View the VMkernel log | Alt+F12 |
| Switch to the shell console | Alt+F1 |
| Switch to the direct console user interface | Alt+F2 |
| Move the selection between fields | Arrow keys |
| Select a menu item | Enter |
| Toggle a value | Spacebar |
| Confirm sensitive commands, such as resetting configuration defaults | F11 |
| Save and exit | Enter |
| Exit without saving | Esc |
| Exit system logs | q |

Enable ESXi Shell and SSH Access with the Direct Console User Interface

Use the direct console user interface to enable the ESXi Shell.

Procedure

1 From the Direct Console User Interface, press F2 to access the System Customization menu.

2 Select Troubleshooting Options and press Enter.

3 From the Troubleshooting Mode Options menu, select a service to enable.

 Enable ESXi Shell

 Enable SSH

4 Press Enter to enable the service.

5 (Optional) Set the timeout for the ESXi Shell.

By default, the timeout for the ESXi Shell is 0 (not active).

The availability timeout setting is the number of minutes that can elapse before you must log in after the ESXi
Shell is enabled. After the timeout period, if you have not logged in, the shell is deactivated.

Note If you are logged in when the timeout period elapses, your session will persist. However, the ESXi
Shell is deactivated, preventing other users from logging in.

a From the Troubleshooting Mode Options menu, select Modify ESXi Shell and SSH timeouts
and press Enter.

b Enter the availability timeout in minutes.

The availability timeout is the number of minutes that can elapse before you must log in after the ESXi
Shell is enabled.

c Press Enter.

d Enter the idle timeout.

The idle timeout is the number of minutes that can elapse before the user is logged out of an idle
interactive session. Changes to the idle timeout apply the next time a user logs in to the ESXi Shell and
do not affect existing sessions.

6 Press Esc until you return to the main menu of the Direct Console User Interface.

Set the Password for the Administrator Account

You can use the direct console to set the password for the administrator account (root).

The administrative user name for the ESXi host is root. By default, the administrative password is not set.

Procedure

1 From the direct console, select Configure Password.

2 (Optional) If a password is already set up, type the password in the Old Password line and press Enter.

3 In the New Password line, type a new password and press Enter.

4 Retype the new password and press Enter.

Configuring Network Settings

ESXi requires one IP address for the management network. To configure basic network settings, use the vSphere
Client or the direct console.

Use the vSphere Client if you are satisfied with the IP address assigned by the DHCP server. Use the direct
console for network configuration in the following cases:

 You are not satisfied with the IP address assigned by the DHCP server.

 You are not allowed to use the IP address assigned by the DHCP server.

 ESXi does not have an IP address. This situation might occur if the autoconfiguration phase did not succeed in
configuring DHCP.

 The wrong network adapter was selected during the autoconfiguration phase.

Use ESXCLI commands to configure your network settings. See esxcli network Commands.

Network Access to Your ESXi Host

The default behavior is to configure the ESXi management network using DHCP. You can override the default
behavior and use static IP settings for the management network after the installation is completed.

Table 2-10. Network Configuration Scenarios Supported by ESXi

| Scenario | Approach |
|---|---|
| You want to accept the DHCP-configured IP settings. | In the ESXi direct console, you can find the IP address assigned through DHCP to the ESXi management interface. You can use that IP address to connect to the host from the vSphere Client and customize settings, including changing the management IP address. |
| One of the following is true: you do not have a DHCP server; the ESXi host is not connected to a DHCP server; your connected DHCP server is not functioning properly. | During the autoconfiguration phase, the software assigns the link local IP address, which is in the subnet 169.254.x.x/16. The assigned IP address appears on the direct console. You can override the link local IP address by configuring a static IP address using the direct console. |
| The ESXi host is connected to a functioning DHCP server, but you do not want to use the DHCP-configured IP address. | During the autoconfiguration phase, the software assigns a DHCP-configured IP address. You can make the initial connection by using the DHCP-configured IP address. Then you can configure a static IP address. If you have physical access to the ESXi host, you can override the DHCP-configured IP address by configuring a static IP address using the direct console. |
| Your security deployment policies do not permit unconfigured hosts to be powered on the network. | Follow the setup procedure in #unique_58. |

Choose Network Adapters for the Management Network


Traffic between an ESXi host and any external management software is transmitted through an Ethernet network
adapter on the host. You can use the direct console to choose the network adapters that are used by the management
network.

Examples of external management software include the vCenter Server and SNMP client. Network adapters on the
host are named vmnicN, where N is a unique number identifying the network adapter, for example, vmnic0, vmnic1,
and so forth.

During the autoconfiguration phase, the ESXi host chooses vmnic0 for management traffic. You can
override the default choice by manually choosing the network adapter that carries management traffic for
the host. In some cases, you might want to use a Gigabit Ethernet
network adapter for your management traffic. Another way to help ensure availability is to select multiple
network adapters. Using multiple network adapters enables load balancing and failover capabilities.

Procedure

1 From the direct console, select Configure Management Network and press Enter.

2 Select Network Adapters and press Enter.

3 Select a network adapter and press Enter.

Results

After the network is functional, you can use the vSphere Client to connect to the ESXi host through vCenter Server.

Set the VLAN ID

You can set the virtual LAN (VLAN) ID number of the ESXi host.

Procedure

1 From the direct console, select Configure Management Network and press Enter.

2 Select VLAN and press Enter.

3 Enter a VLAN ID number from 1 through 4094.

Configuring IP Settings for ESXi


By default, DHCP sets the IP address, subnet mask, and default gateway. For future reference, write down the IP
address.

For DHCP to work, your network environment must have a DHCP server. If DHCP is not available, the host assigns
the link local IP address, which is in the subnet 169.254.x.x/16. The assigned IP address appears on the direct console.
If you do not have physical monitor access to the host, you can access the direct console using a remote management
application. See #unique_22

When you have access to the direct console, you can optionally configure a static network address. The default
subnet mask is 255.255.0.0.

Configure IP Settings from the Direct Console

If you have physical access to the host or remote access to the direct console, you can use the direct console to
configure the IP address, subnet mask, and default gateway.

Procedure

1 Select Configure Management Network and press Enter.

2 Select IP Configuration and press Enter.

3 Select Set static IP address and network configuration.

4 Enter the IP address, subnet mask, and default gateway and press Enter.
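
The values entered in the preceding procedures (VLAN ID, IP address, subnet mask, default gateway, DNS servers) can be checked for consistency before they are typed into the direct console. The following Python check is an added example, not part of the VMware guide; the MgmtNetPlan structure, the finding codes, and the sample addresses are assumptions made for illustration, and it handles IPv4 only.

```python
"""Pre-flight audit of planned ESXi management-network settings (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Range the guide says a host falls back to when DHCP is not available.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

MESSAGES = {
    "address-invalid": "IP address or subnet mask does not parse as IPv4",
    "link-local": "address is in 169.254.0.0/16: DHCP autoconfiguration did not succeed",
    "host-is-net-or-bcast": "IP is the network or broadcast address of its subnet",
    "gateway-invalid": "default gateway does not parse as an IP address",
    "gateway-off-subnet": "default gateway is not inside the management subnet",
    "gateway-equals-host": "default gateway is the host's own address",
    "vlan-out-of-range": "VLAN ID is outside 1 through 4094",
    "dns-invalid": "a DNS server entry does not parse as an IP address",
}


@dataclass
class MgmtNetPlan:
    """Settings planned for one host's management network (hypothetical structure)."""
    ip: str
    netmask: str
    gateway: str
    vlan_id: Optional[int] = None            # None: no VLAN ID is set
    dns_servers: List[str] = field(default_factory=list)


def audit_plan(plan: MgmtNetPlan) -> List[str]:
    """Return finding codes (keys of MESSAGES); an empty list means consistent."""
    try:
        iface = ipaddress.IPv4Interface(f"{plan.ip}/{plan.netmask}")
    except ValueError:
        return ["address-invalid"]           # nothing else can be checked
    findings = []
    net = iface.network
    if iface.ip in LINK_LOCAL:
        findings.append("link-local")
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        findings.append("host-is-net-or-bcast")
    try:
        gateway = ipaddress.ip_address(plan.gateway)
    except ValueError:
        findings.append("gateway-invalid")
    else:
        if gateway not in net:
            findings.append("gateway-off-subnet")
        elif gateway == iface.ip:
            findings.append("gateway-equals-host")
    if plan.vlan_id is not None and not 1 <= plan.vlan_id <= 4094:
        findings.append("vlan-out-of-range")
    for server in plan.dns_servers:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            findings.append("dns-invalid")
    return findings


# Constructed sample plans; host names and addresses are illustrative only.
SAMPLE_PLANS = {
    "esx01": MgmtNetPlan("192.168.10.21", "255.255.255.0", "192.168.10.1", 120,
                         ["192.168.10.53"]),
    "esx02": MgmtNetPlan("169.254.37.9", "255.255.0.0", "169.254.0.1"),
    "esx03": MgmtNetPlan("10.20.30.40", "255.255.255.0", "10.20.31.1", 4095,
                         ["10.20.30.300"]),
    "esx04": MgmtNetPlan("10.20.30.41", "255.0.255.0", "10.20.30.1"),
}


def audit_all(plans: Dict[str, MgmtNetPlan]) -> Dict[str, List[str]]:
    """Audit every plan and return host name -> list of finding codes."""
    return {host: audit_plan(plan) for host, plan in plans.items()}


if __name__ == "__main__":
    for host, codes in audit_all(SAMPLE_PLANS).items():
        print(host, "OK" if not codes else "; ".join(MESSAGES[c] for c in codes))
```

A host that reports the link-local finding is still reachable only on 169.254.x.x/16, which is the state the guide describes when DHCP autoconfiguration fails.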

Configuring DNS for ESXi


You can select either manual or automatic DNS configuration of the ESXi host.

The default is automatic. For automatic DNS to work, your network environment must have a DHCP server and a
DNS server.

In network environments where automatic DNS is not available or not desirable, you can configure static DNS
information, including a host name, a primary name server, a secondary name server, and DNS suffixes.

Configure DNS Settings from the Direct Console

If you have physical access to the host or remote access to the direct console, you can use the direct console to
configure DNS information.

Procedure

1 Select Configure Management Network and press Enter.

2 Select DNS Configuration and press Enter.

3 Select Use the following DNS server addresses and hostname.

4 Enter the primary server, an alternative server (optional), and the host name.

Configure DNS Suffixes


If you have physical access to the host, you can use the direct console to configure DNS information. By default,
DHCP acquires the DNS suffixes.

Procedure

1 From the direct console, select Configure Management Network.

2 Select Custom DNS Suffixes and press Enter.

3 Enter new DNS suffixes.

Test the Management Network


You can use the direct console to do simple network connectivity tests. The direct console performs the following
tests.

• Pings the default gateway

• Pings the primary DNS name server

• Pings the secondary DNS name server

• Resolves the configured host name

Procedure

1 From the direct console, select Test Management Network and press Enter.

2 Press Enter to start the test.

vCenter Server Deployment and Configuration


A VMware vSphere implementation involves multiple VMware software components. Once the ESXi hosts are
installed, the vCenter Server Infrastructure is next.

For more information, refer to the product documentation available on the VMware vSphere 8.0 Documentation
Center Web site (https://docs.vmware.com/en/VMware-vSphere/index.html).

Installing a vCenter Server system creates the central point for configuring, provisioning, and managing virtualized IT
environments. You must install the vCenter Server system software before you can add the hosts and data centers to
be managed and monitored.

With vSphere 8.0 a single architecture exists, simplifying the required design for the environment. This design
deploys vCenter Server appliance in an embedded configuration.

With vSphere 8.0, the vCenter Server Appliance is the only platform for running vCenter Server. vCenter Server for
Windows is not available.

This document describes the installation and deployment of a vCenter Server that is standalone, as shown in the
following figure:

Figure 2-2. Embedded vCenter Server

Or that is linked with other vCenter Server instances by using Enhanced Linked Mode, as shown in the following
figure:

Figure 2-3. Enhanced Linked Mode

Note Although vCenter Server 8.0 supports connections between vCenter Server and vCenter Server components
using IPv4 IP addresses, VMware recommends that you use a FQDN to configure the services. In the case of an
IPv6 environment, you must use the FQDN or host name of the vCenter Server system.

Deploy the vCenter Server Appliance by Using the GUI


You can use the GUI installer to perform an interactive deployment of a vCenter Server appliance. You must run the
GUI deployment from a Windows, Linux, or Mac machine that is in the network on which you want to deploy the
appliance.

Figure 2-4. Deployment Workflow of a vCenter Server Appliance

Prerequisites

• See Prerequisites for Deploying the vCenter Server Appliance.

• See #unique_69.

Stage 1 - Deploy the OVA File as a vCenter Server Appliance

With stage 1 of the deployment process, you deploy the OVA file, which is included in the vCenter Server installer,
as a vCenter Server appliance.

Procedure

1 In the vCenter Server installer, navigate to the vcsa-ui-installer directory, go to the subdirectory for your
operating system, and run the installer executable file.

• For Windows OS, go to the win32 subdirectory, and run the installer.exe file.

• For Linux OS, go to the lin64 subdirectory, and run the installer file.

• For Mac OS, go to the mac subdirectory, and run the Installer.app file.

2 On the Home page, click Install to start the deployment wizard.

3 Review the Introduction page to understand the deployment process and click Next.

4 Read and accept the license agreement, and click Next.

5 Connect to the target server on which you want to deploy the vCenter Server appliance.

Option: You can connect to an ESXi host on which to deploy the appliance.
Steps:
  1 Enter the FQDN or IP address of the ESXi host.
  2 Enter the HTTPS port of the ESXi host.
  3 Enter the user name and password of a user with administrative privileges on the ESXi host, for
    example, the root user.
  4 Click Next.
  5 Verify that the certificate warning displays the SHA1 thumbprint of the SSL certificate that is installed
    on the target ESXi host, and click Yes to accept the certificate thumbprint.

Option: You can connect to a vCenter Server instance and browse the inventory to select an ESXi host or DRS
cluster on which to deploy the appliance.
Steps:
  1 Enter the FQDN or IP address of the vCenter Server instance.
  2 Enter the HTTPS port of the vCenter Server instance.
  3 Enter the user name and password of a user with vCenter Single Sign-On administrative privileges on the
    vCenter Server instance, for example, the administrator@your_domain_name user.
  4 Click Next.
  5 Verify that the certificate warning displays the SHA1 thumbprint of the SSL certificate that is installed
    on the target vCenter Server instance, and click Yes to accept the certificate thumbprint.
  6 Select the data center or data center folder that contains the ESXi host or DRS cluster on which you
    want to deploy the appliance, and click Next.

    Note You must select a data center or data center folder that contains at least one ESXi host that is not in
    lockdown or maintenance mode.

  7 Select the ESXi host or DRS cluster on which you want to deploy the appliance, and click Next.

6 On the Set up appliance VM page, enter a name for the vCenter Server appliance, set the password for
the root user, and click Next.

The appliance name must not contain a percent sign (%), backslash (\), or forward slash (/) and must be no more
than 80 characters in length.

The password must contain only lower ASCII characters without spaces, at least eight characters, a number,
uppercase and lowercase letters, and a special character, for example, an exclamation mark (!), hash key (#), at
sign (@), or brackets (()).

7 Select the deployment size for the vCenter Server appliance for your vSphere inventory.

See #unique_71 for information about the deployment sizes you can select. The option that you select
determines the number of CPUs and the amount of memory for the appliance.

8 Select the storage size for the vCenter Server appliance, and click Next.

The required storage depends not only on the size of the vSphere environment, but also on the disk
provisioning mode. See Storage Requirements for the vCenter Server Appliance.

9 Select the storage location for the vCenter Server appliance where all the virtual machine configuration
files and virtual disks will be stored.

Option: Install on an existing datastore accessible from the target host
Action: Select a datastore from the list of compatible datastores.

Option: Install on a new vSAN cluster containing the target host
Action: Specify the required details to create a new vSAN cluster or a vSAN Express Storage Architecture
(vSAN ESA) cluster to store the vCenter Server appliance.

Option: Install on an existing vSAN datastore and claim additional disks
Action: Specify the required details to create a cluster on the vSAN datastore. This option is displayed only if
your environment contains a vSAN datastore.

To enable thin provisioning, select Enable Thin Disk Mode. NFS datastores are thin provisioned by default.

10 (Optional) If you selected vSAN as your storage location, you must claim disks for storage.

• For vSAN, claim disks separately for cache tier and capacity tier.

• For vSAN ESA, claim disks from the list of compatible disks.

11 On the Configure network settings page, set up the network settings.

The IP address or the FQDN of the appliance is used as a system name. It is recommended to use an FQDN.
However, if you want to use an IP address, use static IP address allocation for the appliance, because IP
addresses allocated by DHCP might change.

Option: Network
Action: Select the network to which to connect the appliance. The networks displayed in the drop-down menu depend
on the network settings of the target server. If you are deploying the appliance directly on an ESXi host,
non-ephemeral distributed virtual port groups are not supported and are not displayed in the drop-down menu.

Option: IP version
Action: Select the version for the appliance IP address. You can select either IPv4 or IPv6.

Option: IP assignment
Action: Select how to allocate the IP address of the appliance.
• static
  The wizard prompts you to enter the IP address and network settings.
• DHCP
  A DHCP server is used to allocate the IP address. Select this option only if a DHCP server is available in
  your environment.
  If there is an enabled DDNS in your environment, you can enter a preferred fully qualified domain name (FQDN)
  for the appliance.

Option: Common Ports
Action: You can customize the HTTP and HTTPS ports (optional). If specifying a custom HTTP and HTTPS port number,
ensure that you do not use a port number already in use by vCenter Server, or the default HTTP and HTTPS ports
of 80 and 443.

12 On the Ready to complete stage 1 page, review the deployment settings for the vCenter Server appliance and
click Finish to start the OVA deployment process.

13 Wait for the OVA deployment to finish, and click Continue to proceed with stage 2 of the deployment
process to set up and start the services of the newly deployed appliance.

Note If you exit the wizard by clicking Close, you must log in to the vCenter Server Management Interface to
set up and start the services.

Results

The newly deployed vCenter Server appliance is running on the target server but the services are not started.

Stage 2 - Set up the Newly Deployed vCenter Server Appliance

When the OVA deployment finishes, you are redirected to stage 2 of the deployment process to set up and start the
services of the newly deployed vCenter Server appliance.

Procedure

1 Review the introduction to stage 2 of the deployment process and click Next.

2 Configure the time settings in the appliance, optionally enable remote SSH access to the appliance, and
click Next.

Option: Synchronize time with the ESXi host
Description: Enables periodic time synchronization, and VMware Tools sets the time of the guest operating system
to be the same as the time of the ESXi host.

Option: Synchronize time with NTP servers
Description: Uses a Network Time Protocol server for synchronizing the time. If you select this option, you must
enter the names or IP addresses of the NTP servers separated by commas.

3 Create a new vCenter Single Sign-On domain or join an existing domain.

Option: Create a new Single Sign-On domain
Description: Creates a new vCenter Single Sign-On domain.
  a Enter the domain name, for example vsphere.local.
  b Set the password for the vCenter Single Sign-On administrator account.
    This is the password for the user administrator@your_domain_name.
  c Confirm the administrator password, and click Next.

Option: Join an existing vCenter Single Sign-On domain
Description: Joins a new vCenter Single Sign-On server to an existing vCenter Single Sign-On domain. You must
provide the information about the vCenter Single Sign-On server to which you join the new vCenter Single Sign-On
server.
  a Enter the fully qualified domain name (FQDN) or IP address of the vCenter Single Sign-On server to join.
  b Enter the HTTPS port to use for communication with the vCenter Single Sign-On server.
  c Enter the domain name for the vCenter Single Sign-On you are joining, for example vsphere.local.
  d Enter the password of the vCenter Single Sign-On administrator account.
  e Click Next.

When you select to join an existing vCenter Single Sign-On domain, you enable the Enhanced Linked Mode
feature. The infrastructure data is replicated with the joined vCenter Single Sign-On server.

4 Review the VMware Customer Experience Improvement Program (CEIP) page and choose if you want to
join the program.

For information about the CEIP, see the Configuring Customer Experience Improvement Program section in
vCenter Server and Host Management.

5 On the Ready to complete page, review the configuration settings for the vCenter Server appliance, click
Finish, and click OK to complete stage 2 of the deployment process and set up the appliance.

6 (Optional) After the initial setup finishes, enter the URL https://vcenter_server_appliance_fqdn/ui in a
browser to go to the vSphere Client and log in to the vCenter Server instance in the vCenter Server appliance,
or click the https://vcenter_server_appliance_fqdn:443 link to go to the vCenter Server appliance Getting
Started page.

7 Click Close to exit the wizard.

You are redirected to the vCenter Server appliance Getting Started page.

What to do next

You can configure high availability for the vCenter Server appliance. For information about providing vCenter
Server appliance high availability, see vSphere Availability.

vCenter Server Infrastructure Configuration


After vCenter Server and the Platform Services Controller are installed, perform these tasks (where appropriate) to
configure the systems.

With vSphere 8.0, all of the configuration is done from the vSphere HTML5 Web Client. The flex-based
Web Client is no longer available.

Configure License Settings for vCenter Server

You must assign a license to a vCenter Server system before its evaluation period expires or its currently assigned
license expires. If you upgrade, combine, or divide vCenter Server licenses in Customer Connect, you must assign
the new licenses to vCenter Server systems and remove the old licenses.

Prerequisites

• To view and manage licenses in the vSphere environment, you must have the Global.Licenses
privilege on the vCenter Server system, where the vSphere Client runs.

Procedure

1 In the vSphere Client, navigate to the vCenter Server instance.

2 Select the Configure tab.

3 Under Settings, select Licensing.

4 Click Assign License.

5 In the Assign License dialog box, select the task that you want to perform.

• In the vSphere Client, select an existing license or select a newly created license.

Task: Select an existing license
Steps: Select an existing license from the list and click OK.

Task: Select a newly created license
Steps:
  a Click the New License tab.
  b In the Assign License dialog box, type or copy and paste a license key and click OK.
  c Enter a name for the new license and click OK.
    Details about the product, product features, capacity, and expiration period appear on the page.
  d Click OK.
  e In the Assign License dialog box, select the newly created license, and click OK.

Results

The license is assigned to the vCenter Server system, and one instance from the license capacity is allocated for the
vCenter Server system.

Configure License Settings for an ESXi Host

You must assign a license to an ESXi host before its evaluation period expires or its currently assigned license
expires. If you upgrade, combine, or divide vSphere licenses in Customer Connect, you must assign the new
licenses to ESXi hosts and remove the old licenses.

Prerequisites

• To view and manage licenses in the vSphere environment, you must have the Global.Licenses
privilege on the vCenter Server system, where the vSphere Client runs.

Procedure

1 Navigate to the host in the inventory.

2 Select the Configure tab.

3 Under Settings, select Licensing.

4 Click Assign License.

5 In the Assign License dialog box, select the task that you want to perform.

• In the vSphere Client, select an existing license or select a newly created license.

Task: Select an existing license
Steps: Select an existing license from the list and click OK.

Task: Select a newly created license
Steps:
  a Click the New License tab.
  b In the Assign License dialog box, type or copy and paste a license key and click OK.
  c Enter a name for the new license and click OK.
    Details about the product, product features, capacity, and expiration period appear on the page.
  d Click OK.
  e In the Assign License dialog box, select the newly created license, and click OK.

Results

The license is assigned to the host. Capacity from the license is allocated according to the license use of the host.

Configure License Settings for a vSAN Cluster

You must assign a license to a vSAN cluster before its evaluation period expires or its currently assigned license
expires.

If you upgrade, combine, or divide vSAN licenses, you must assign the new licenses to vSAN clusters. When you
assign a vSAN license to a cluster, the amount of license capacity used equals the total number of CPUs in the hosts
participating in the cluster. The license use of the vSAN cluster is recalculated and updated every time you add or
remove a host from the cluster. For information about managing licenses and licensing terminology and definitions,
see the vCenter Server and Host Management documentation.

When you enable vSAN on a cluster, you can use vSAN in evaluation mode to explore its features. The evaluation
period starts when vSAN is enabled, and expires after 60 days. To use vSAN, you must license the cluster before the
evaluation period expires. Just like vSphere licenses, vSAN licenses have per CPU capacity. Some advanced features,
such as all-flash configuration and stretched clusters, require a license that supports the feature.

Prerequisites

• To view and manage vSAN licenses, you must have the Global.Licenses privilege on the vCenter
Server systems.

Procedure

1 Navigate to your vSAN cluster.

2 Click the Configure tab.

3 Under Licensing, select vSAN Cluster.

4 Click Assign License.

5 Select an existing license and click OK.

Create a Data Center

A virtual data center is a container for all the inventory objects required to complete a fully functional environment
for operating virtual machines. You can create multiple data centers to organize groups of environments to meet
different user needs. For example, you can create a data center for each organizational unit in your enterprise
or create some data centers for high-performance environments and other data centers for less demanding
environments.

Prerequisites

Required privileges:

• Datacenter.Create datacenter

Procedure

1 In the vSphere Client home page, navigate to Home > Hosts and Clusters.

2 Right-click the vCenter Server object and select New Datacenter.

3 (Optional) Enter a name for the data center and click OK.

What to do next

Add hosts, clusters, resource pools, vApps, networking, datastores, and virtual machines to the data center.

Creating and Configuring Clusters

A cluster is a group of hosts. When a host is added to a cluster, the resources of the host become part of the resources
of the cluster. The cluster manages the resources of all hosts that it contains.

Starting with vSphere 6.7, you can create and configure a cluster that is hyper-converged. The hyper-converged
infrastructure collapses compute, storage, and networking on a single software layer that runs on industry standard
x86 servers.

You can create and configure a cluster by using the simplified Quickstart workflow in the vSphere Client. On the
Cluster quickstart page, there are three cards for configuring your new cluster.

Table 2-11. The cards initiating wizards for renaming and configuring a new cluster

Cluster Quickstart Workflow: 1. Cluster basics
Description: You can edit the cluster name and enable or disable cluster services. The card lists the services
you enabled.

Cluster Quickstart Workflow: 2. Add hosts
Description: You can add new ESXi hosts. After the hosts are added, the card shows the total number of hosts
present in the cluster and displays health check validation for those hosts.

Cluster Quickstart Workflow: 3. Configure cluster
Description: You can configure network settings for vMotion traffic, review and customize cluster services. After
the cluster is configured, the card provides details on configuration mismatch and reports cluster health results
through the vSAN Health service.

The Skip Quickstart button prompts you to continue configuring the cluster and its hosts manually. To confirm
exiting the simplified configuration workflow, click Continue. After you dismiss the Cluster quickstart workflow,
you cannot restore it for the current cluster.

If you plan to enable vSphere High Availability (HA), vSphere Distributed Resource Scheduler (DRS), and the
VMware vSAN features, you must create clusters.

Starting with vSphere 7.0, you can create a cluster that you manage with a single image. By using vSphere Lifecycle
Manager images, you can easily update and upgrade the software and firmware on the hosts in the cluster. Starting
with vSphere 7.0 Update 2, during cluster creation, you can select a reference host and use the image on that host as
the image for the newly created cluster. For more information about using images to manage ESXi hosts and
clusters, see the Managing Host and Cluster Lifecycle documentation.

Starting with vSphere 7.0 Update 1, vSphere Cluster Services (vCLS) is enabled by default and runs in all vSphere
clusters. vCLS ensures that if vCenter Server becomes unavailable, cluster services remain available to maintain the
resources and health of the workloads that run in the clusters. For more information about vCLS, see #unique_79.

Create a vSphere Cluster with vSphere Client

You create a new vSphere cluster object by using the vSphere Client.

Starting with vSphere 7.0, the clusters that you create can use vSphere Lifecycle Manager images for host updates
and upgrades.

A vSphere Lifecycle Manager image is a combination of vSphere software, driver software, and desired firmware
with regard to the underlying host hardware. The image that a cluster uses defines the full software set that you want
to run on all ESXi hosts in the cluster: the ESXi version, additional VMware-provided software, and vendor software,
such as firmware and drivers.

The image that you define during cluster creation is not immediately applied to the hosts. If you do not set up an
image for the cluster, the cluster uses baselines and baseline groups. Starting with vSphere 7.0 Update 2, during
cluster creation, you can select a reference host and use the image on that host as the image for the newly created
cluster. For more information about using images and baselines to manage hosts in clusters, see the Managing
Host and Cluster Lifecycle documentation.

Prerequisites

• Verify that a data center, or a folder within a data center, exists in the inventory.

• Verify that hosts have the same ESXi version and patch level.

• Obtain the user name and password of the root user account for the host.

• Verify that hosts do not have a manual vSAN configuration or a manual networking
configuration.

• To create a cluster that you manage with a single image, review the requirements and limitations
information in the Managing Host and Cluster Lifecycle documentation.

Required privileges:

• Host.Inventory.Create cluster

Procedure

1 In the vSphere Client home page, navigate to Home > Hosts and Clusters.

2 Select a data center.

3 Right-click the data center and select New Cluster.

4 Enter a name for the cluster.

5 Select DRS, vSphere HA, or vSAN cluster features.

Option: To use DRS with this cluster
Description:
  a Slide the switch to the right to enable the DRS service.
  b (Optional) Click the info icon on the left to see the Default Settings for the DRS service. The default
    values are:
    • Automation Level: Fully Automated
    • Migration Threshold: 3

Option: To use vSphere HA with this cluster
Description:
  a Slide the switch to the right to enable the vSphere HA service.
  b (Optional) Click the info icon on the left to see the Default Settings for the vSphere HA service. You are
    presented with the following default values:
    • Host Monitoring: Enabled
    • Admission Control: Enabled
    • VM Monitoring: Disabled

Option: To use vSAN with this cluster
Description:
  • Slide the switch to the right to enable the vSAN service.
  For more information on vSAN, see Creating a vSAN Cluster in the vSAN Planning and Deployment documentation.

You can override the default values later on in the workflow.

6 (Optional) To create a cluster that you manage with a single image, select the Manage all hosts in the cluster
with a single image check box.

For information about creating a cluster that you manage with a single image, see the Managing Host and
Cluster Lifecycle documentation.

7 Click Next.

8 Review the cluster details and click Finish.

The cluster appears in the vCenter Server inventory. The Quickstart workflow appears under
Configure > Configuration.

Results

You have created an empty cluster in the vCenter Server inventory.

What to do next

You can use the Quickstart workflow to easily configure and expand the cluster. You can also skip the Quickstart
workflow and continue configuring the cluster and its hosts manually.

Use Quickstart to Add an ESXi Host to a vSphere Cluster


You can add new and existing ESXi hosts to a cluster in the vCenter Server inventory.

You can also add hosts to a DRS cluster. For more information, see the vSphere Resource Management
documentation.

When you add the first three hosts to the cluster, vSphere Cluster Services (vCLS) agent virtual machines are
added by default to the cluster. A quorum of up to three vCLS agent virtual machines are required to run in a
cluster, one agent virtual machine per host. For more information about vCLS, see #unique_79.

Prerequisites

• Verify that hosts have the same ESXi version and patch level.

• Obtain the user name and password of the root user account for the host.

• Verify that hosts do not have a manual vSAN configuration or a manual networking
configuration.

• Verify that you have the proper privileges. Different sets of privileges apply when you add multiple hosts to a
cluster and a single host to a cluster or a data center. For more information, see Required Privileges for
Common Tasks in the vSphere Security documentation.

• To add a host to a cluster that you manage with a single image, see the Managing Host and Cluster
Lifecycle documentation.

Procedure

1 In the vSphere Client, navigate to a cluster within a data center.

2 On the Configure tab, select Configuration > Quickstart.

3 Click Add in the Add hosts card.

4 On the Add hosts wizard, add new or existing hosts to the cluster.

• Add hosts that are not part of the vCenter Server inventory.

  a Click the New hosts tab.

  b Populate the IP Address and credentials text boxes for those hosts.

  c (Optional) To add more new hosts, click the Add Host button.

  d (Optional) To reuse the credentials for all added hosts, select the Use the same credentials
    for all hosts check box.

• Add hosts that are managed by your vCenter Server instance and are in the same data center as your
cluster. The hosts must not be part of another cluster on the vCenter Server instance.

  a Click the Existing hosts tab.

  b From the list, select the hosts that you want to add to the cluster.

5 Click Next.

The Host summary page lists all hosts that will be added to the cluster and related warnings.

Note If a host cannot be validated automatically by the system, you are prompted to manually validate its
certificate and accept its thumbprint in the Security Alert pop-up.

6 On the Host summary page, review the details of the added hosts and click Next.

7 (Optional) On the Import Image page, select the host whose image to use as the image for the cluster.

The Import Image page appears when you add hosts to a cluster managed with a single image. For information
about adding a host to a cluster that you manage with a single image, see the Managing Host and Cluster
Lifecycle documentation.

8 On the Ready to complete page, review the IP addresses or FQDN of the added hosts and click Finish.

Review the number of added hosts and the health check validation, performed by the vSAN Health service, in the
Add hosts card.

9 (Optional) Click Re-validate to trigger the validation of the hosts.

Note If an error occurs, it is visible in the Recent Tasks pane only.

Results

All hosts are placed in maintenance mode and added to your cluster. You can manually exit the maintenance mode.

What to do next

Configure your cluster default settings through the Quickstart workflow.

Managing Certificates Using the vSphere Client

You can view and manage certificates by using the vSphere Client. The vSphere Client enables you to perform
these management tasks.

• View the machine SSL, VMware Certificate Authority (VMCA) root, Trusted Root, and Security Token
Service (STS) certificates.

• Add new Trusted Root certificates, and renew or replace existing machine SSL and STS certificates.

• Generate a custom Certificate Signing Request (CSR) for a machine SSL certificate and replace the certificate
when the Certificate Authority returns it.

Most parts of the certificate replacement workflows are supported fully from the vSphere Client. Other certificate
replacement workflows are supported by the vSphere Certificate Manager utility. See #unique_83.

To understand more about options for replacing the default certificates, see #unique_84.

Note If you use the VMCA as an intermediate CA, or use custom certificates, you might encounter significant
complexity and the potential for a negative impact to your security, and an unnecessary increase in your
operational risk. For more information about managing certificates within a vSphere environment, see the blog
post titled New Product Walkthrough - Hybrid vSphere SSL Certificate Replacement at
http://vmware.com/go/hybridvmca.

Set the Threshold for vCenter Certificate Expiration Warnings Using the vSphere Client
vCenter Server monitors all certificates in the VMware Endpoint Certificate Store (VECS) and issues an alarm
when a certificate is 30 days or less from its expiration. You can use the vSphere Client to change how soon
you are warned with the vpxd.cert.threshold advanced option.

Procedure

1 Log in to the vSphere Client.

2 Select the vCenter Server object and click Configure.

3 Click Advanced Settings.

4 Click Edit Settings and filter for threshold.

5 Change the setting of vpxd.cert.threshold to the desired value and click Save.

Renew VMCA Certificates with New VMCA-Signed Certificates Using the vSphere Client
You can replace all VMCA-signed certificates with new VMCA-signed certificates. This process is called
renewing certificates. You can renew selected certificates or all certificates in your environment from the
vSphere Client.

Prerequisites

For certificate management, you have to supply the password of the administrator of the local domain
(administrator@vsphere.local by default). If you are renewing certificates for a vCenter Server system, you also have
to supply the vCenter Single Sign-On credentials for a user with administrator privileges on the vCenter Server
system.

Procedure

1 Log in with the vSphere Client to the vCenter Server.

2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter
Single Sign-On Administrators group.

If you specified a different domain during installation, log in as administrator@mydomain.

3 Navigate to the Certificate Management UI.

a From the Home menu, select Administration.

b Under Certificates, click Certificate Management.

4 If the system prompts you, enter the credentials of your vCenter Server.

5 Renew the VMCA-signed machine SSL certificate for the local system.

a From the Machine SSL Certificate tile, click Actions > Renew.

b Specify the duration of the certificate in days.

c Click Renew.

vCenter Server services restart automatically. You must log back in because restarting the services ends the
UI session.

Replace Certificates with Custom Certificates Using the vSphere Client
You can use the vSphere Client to replace the default certificates with custom certificates.

You can use the vSphere Client to generate CSRs for each machine, and replace certificates when you receive them
from your internal or third-party Certificate Authority (CA). When you submit the CSRs to your internal or third-
party CA, the CA returns signed certificates and the root certificate. You can upload both the root certificate and the
signed certificates from the vSphere Client.
Generate Certificate Signing Request for Machine SSL Certificate Using the vSphere Client (Custom
Certificates)
The machine SSL certificate is used by the reverse proxy service on every vCenter Server node. Each machine must
have a machine SSL certificate for secure communication with other services. You can use the vSphere Client to
generate a Certificate Signing Request (CSR) for the machine SSL certificate and to replace the certificate once it is
ready.

Prerequisites

The certificate must meet the following requirements:

• Key size: 2048 bits (minimum) to 16384 bits (maximum) (PEM encoded)

• CRT format

• x509 version 3

• SubjectAltName must contain DNS Name=<machine_FQDN>.

• Contains the following Key Usages: Digital Signature, Key Encipherment

Procedure

1 Log in with the vSphere Client to the vCenter Server.

2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter
Single Sign-On Administrators group.

If you specified a different domain during installation, log in as administrator@mydomain.

3 Navigate to the Certificate Management UI.

a From the Home menu, select Administration.

b Under Certificates, click Certificate Management.

4 Enter the credentials of your vCenter Server.

5 Generate the CSR.

a Under the Machine SSL Certificate tile, click Actions > Generate Certificate Signing Request
(CSR).

b Enter your certificate information and click Next.

Starting in vSphere 8.0, 3072 bits is the default key size, and you can generate CSRs by using the vSphere
Client only with a minimum key length of 3072 bits. A key size of 2048 is no longer supported when generating
a CSR by using the vSphere Client. vCenter Server still accepts custom certificates with a key length of
2048 bits.

Note When you use vCenter Server to generate a CSR with a key size of 16384 bits, the generation takes a
few minutes to complete because of the CPU-intensive nature of the operation.

c Copy or download the CSR.

d Click Finish.

e Provide the CSR to your Certificate Authority.

What to do next

When the Certificate Authority returns the certificate, replace the existing certificate in the certificate store. See Add
Custom Certificates Using the vSphere Client.

Generate Certificate Signing Requests Using the Certificate Manager (Custom Certificates)
You can use the vSphere Certificate Manager utility to generate Certificate Signing Requests (CSRs) that you can
then use with your enterprise CA or send to an external certificate authority. You can use the certificates with the
different supported certificate replacement processes.

Prerequisites

vSphere Certificate Manager prompts you for information. The prompts depend on your environment and on the type
of certificate you want to replace.

• For any CSR generation, you are prompted for the password of the administrator@vsphere.local user, or
for the administrator of the vCenter Single Sign-On domain that you are connecting to.

• You are prompted for the host name or IP address of the vCenter Server.

• To generate a CSR for a machine SSL certificate, you are prompted for certificate properties, which are
stored in the certool.cfg file. For most fields, you can accept the default or provide site-specific values.
The FQDN of the machine is required.

Note Starting in vSphere 8.0, if you use vCenter Server to generate the CSR, the key size is changed to 3072 bits
from 2048 by default.

Procedure

1 Log in to each vCenter Server (the vCenter Server shell) in your environment and start the vSphere
Certificate Manager.

/usr/lib/vmware-vmca/bin/certificate-manager

2 Select Option 1, Replace Machine SSL certificate with Custom Certificate.

3 Enter the administrator user and password.

4 Select Option 1, Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate, to generate
the CSR, answer the prompts and exit vSphere Certificate Manager.

As part of the process, you have to provide a directory. vSphere Certificate Manager places the certificate
and key files in the directory.

5 If you also want to replace all solution user certificates, restart vSphere Certificate Manager and select
Option 5, Replace Solution user certificates with Custom Certificate.

6 Supply the password and the vCenter Server IP address or host name if prompted.

7 Select Option 1, Generate Certificate Signing Request(s) and Key(s) for Solution User Certificates, to
generate the CSRs, answer the prompts and exit vSphere Certificate Manager.

As part of the process, you have to provide a directory. Certificate Manager places the certificate and key files
in the directory.

What to do next

To perform certificate replacement, see #unique_91.

Add a Trusted Root Certificate to the Certificate Store Using the vSphere Client
If you want to use third-party certificates in your environment, you must add a trusted root certificate to the
certificate store. You can do so using the vSphere Client.

Prerequisites

Obtain the custom root certificate from your third-party or in-house certificate authority (CA).

vSphere accepts only valid CA certificates for import. To be valid, a CA certificate must have the CA bit and the
keyCertSign bit set in the basic constraint and the key usage X.509 v3 certificate extensions respectively. This
implies that the certificate is a CA and its purpose is for certificate signing. See
https://www.rfc-editor.org/rfc/rfc5280 for more information.

Procedure

1 Log in with the vSphere Client to the vCenter Server.

2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter
Single Sign-On Administrators group.

If you specified a different domain during installation, log in as administrator@mydomain.

3 Navigate to the Certificate Management UI.

a From the Home menu, select Administration.

b Under Certificates, click Certificate Management.

4 If the system prompts you, enter the credentials of your vCenter Server.

5 Under Trusted Root Certificates, click Add.

6 Click Browse and select the location of the certificate chain.

You can use a file of type CER, PEM, or CRT.

7 Click Add.

The certificate is added to the store.
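
A pre-import check for the requirements stated above, covering machine SSL certificates (key size, X.509 version 3, SubjectAltName, Key Usages) and trusted root certificates (CA bit and keyCertSign). This is an added example and not part of the VMware documentation. It assumes the openssl command line is available; the function names, the host name vc01.example.test and the generated sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example, not VMware code. Assumes the openssl CLI is on PATH.

# Print the value line that follows an extension header in `openssl x509 -text` output.
ext_value() {   # $1 = decoded certificate text, $2 = extension header
    printf '%s\n' "$1" | awk -v h="$2" '
        found { sub(/^[ \t]+/, ""); print; exit }
        index($0, h) { found = 1 }'
}

fail() { echo "FAIL: $*" >&2; rc=1; }

# Machine SSL certificate: key size, X.509 v3, SubjectAltName and Key Usages.
check_machine_ssl_cert() {   # $1 = PEM certificate file, $2 = machine FQDN
    rc=0
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) ||
        { fail "$1 is not a PEM X.509 certificate"; return 1; }
    printf '%s\n' "$text" | grep -q 'Version: 3 ' || fail "not X.509 version 3"
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p')
    { [ -n "$bits" ] && [ "$bits" -ge 2048 ] && [ "$bits" -le 16384 ]; } ||
        fail "key size '$bits' is outside 2048-16384 bits"
    # DNS names are compared case-insensitively and as whole entries.
    ext_value "$text" 'X509v3 Subject Alternative Name' | tr ',' '\n' | sed 's/^ *//' |
        grep -qixF "DNS:$2" || fail "SubjectAltName has no DNS:$2 entry"
    ku=$(ext_value "$text" 'X509v3 Key Usage')
    case $ku in *'Digital Signature'*) ;; *) fail "Key Usage lacks Digital Signature" ;; esac
    case $ku in *'Key Encipherment'*) ;; *) fail "Key Usage lacks Key Encipherment" ;; esac
    return "$rc"
}

# Trusted root certificate: CA bit in Basic Constraints and keyCertSign in Key Usage.
check_ca_cert() {   # $1 = PEM certificate file
    rc=0
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) ||
        { fail "$1 is not a PEM X.509 certificate"; return 1; }
    case $(ext_value "$text" 'X509v3 Basic Constraints') in
        *CA:TRUE*) ;; *) fail "Basic Constraints lacks CA:TRUE" ;; esac
    case $(ext_value "$text" 'X509v3 Key Usage') in
        *'Certificate Sign'*) ;; *) fail "Key Usage lacks keyCertSign" ;; esac
    return "$rc"
}

# Constructed sample input: a self-signed certificate with a "machine" or "ca" profile.
make_sample_cert() {   # $1 = output PEM path, $2 = profile (machine|ca)
    if [ "$2" = ca ]; then
        exts='basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign'
    else
        exts='subjectAltName = DNS:vc01.example.test
keyUsage = critical, digitalSignature, keyEncipherment'
    fi
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = vc01.example.test
[ext]
$exts
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1.cnf" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo on constructed certificates in a scratch directory.
demo=$(mktemp -d)
make_sample_cert "$demo/machine.pem" machine
make_sample_cert "$demo/ca.pem" ca
check_machine_ssl_cert "$demo/machine.pem" vc01.example.test && echo "machine SSL certificate: pass"
check_ca_cert "$demo/ca.pem" && echo "trusted root certificate: pass"
check_ca_cert "$demo/machine.pem" || echo "leaf certificate rejected as a trusted root"
rm -rf "$demo"
```

Run the two check functions against the files returned by your CA before you upload them; a non-zero return lists each unmet requirement on standard error.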

Add Custom Certificates Using the vSphere Client


You can use the vSphere Client to add custom Machine SSL certificates to the certificate store. Usually, replacing the
machine SSL certificate for each component is sufficient.

Prerequisites

Generate certificate signing requests (CSRs) for each certificate that you want to replace. See Generate
Certificate Signing Request for Machine SSL Certificate Using the vSphere Client (Custom Certificates). Place
the certificate and private key in a location that the vCenter Server can access.

Procedure

1 Log in with the vSphere Client to the vCenter Server.

2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter
Single Sign-On Administrators group.

If you specified a different domain during installation, log in as administrator@mydomain.

3 Navigate to the Certificate Management UI.

a From the Home menu, select Administration.

b Under Certificates, click Certificate Management.

4 If the system prompts you, enter the credentials of your vCenter Server.

5 Under the Machine SSL Certificate tile, click Actions > Import and Replace Certificate.

6 Click the appropriate certificate replacement option and click Next.

Option        Description

Replace with VMCA
    Creates a VMCA-generated CSR to replace the current certificate.

Replace with certificate generated from vCenter Server
    Use a certificate signed using a vCenter Server generated CSR to replace the current certificate.

Replace with external CA certificate (requires private key)
    Use a certificate signed by an external CA to replace the current certificate.

7 Enter the CSR information, or upload the appropriate certificates.

8 Click Replace.

vCenter Server services restart automatically.

Configuring vCenter Single Sign-On Identity Sources

When a user logs in with just a user name, vCenter Single Sign-On checks in the default identity source whether
that user can authenticate. When a user logs in and includes the domain name in the login screen, vCenter Single
Sign-On checks the specified domain if that domain has been added as an identity source. You can add identity
sources, remove identity sources, and change the default.

You configure vCenter Single Sign-On from the vSphere Client. To configure vCenter Single Sign-On, you
must have vCenter Single Sign-On administrator privileges. Having vCenter Single Sign-On administrator
privileges is different from having the Administrator role on vCenter Server or ESXi. In a new installation,
only the vCenter Single Sign-On administrator (administrator@vsphere.local by default) can authenticate to
vCenter Single Sign-On.

Identity Sources for vCenter Server with vCenter Single Sign-On


You can use identity sources to attach one or more domains to vCenter Single Sign-On. A domain is a repository
for users and groups that the vCenter Single Sign-On server can use for user authentication.

Note In vSphere 7.0 Update 2 and later, you can enable FIPS on vCenter Server. See the vSphere Security
documentation. AD over LDAP and IWA are not supported when FIPS is enabled. Use external identity provider
federation when in FIPS mode. For more information about configuring vCenter Server Identity Provider Federation,
see vSphere Authentication documentation.

An administrator can add identity sources, set the default identity source, and create users and groups in the
vsphere.local identity source.

The user and group data is stored in Active Directory, OpenLDAP, or locally to the operating system of the machine
where vCenter Single Sign-On is installed. After installation, every instance of vCenter Single Sign-On has the
identity source your_domain_name, for example vsphere.local. This identity source is internal to vCenter Single
Sign-On.

Note At any time, only one default domain exists. If a user from a non-default domain logs in, that user must add the
domain name to authenticate successfully. The domain name is in the form:

DOMAIN\user

The following identity sources are available.

• Active Directory over LDAP. vCenter Single Sign-On supports multiple Active Directory over LDAP
identity sources.

• Active Directory (Integrated Windows Authentication) versions 2003 and later. vCenter Single Sign-On allows
you to specify a single Active Directory domain as an identity source. The domain can have child domains or
be a forest root domain. VMware KB article 2064250 discusses Microsoft Active Directory Trusts supported
with vCenter Single Sign-On.

• OpenLDAP versions 2.4 and later. vCenter Single Sign-On supports multiple OpenLDAP identity
sources.

Note A future update to Microsoft Windows will change the default behavior of Active Directory to require
strong authentication and encryption. This change will impact how vCenter Server authenticates to Active
Directory. If you use Active Directory as your identity source for vCenter Server, you must plan to enable
LDAPS. For more information about this Microsoft security update, see
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023 and
https://blogs.vmware.com/vsphere/2020/01/microsoft-ldap-vsphere-channel-binding-signing-adv190023.html.

For more information about vCenter Single Sign-On, see vSphere Authentication.
Set the Default Domain for vCenter Single Sign-On
Each vCenter Single Sign-On identity source is associated with a domain. vCenter Single Sign-On uses the default
domain to authenticate a user who logs in without a domain name. Users who belong to a domain that is not the
default domain must include the domain name when they log in.

When a user logs in to a vCenter Server system from the vSphere Client, the login behavior depends on whether the
user is in the domain that is set as the default identity source.

• Users who are in the default domain can log in with their user name and password.

• Users who are in a domain that has been added to vCenter Single Sign-On as an identity source but is not the
default domain can log in to vCenter Server but must specify the domain in one of the following ways.

  • Including a domain name prefix, for example, MYDOMAIN\user1

  • Including the domain, for example, user1@mydomain.com

• Users who are in a domain that is not a vCenter Single Sign-On identity source cannot log in to vCenter
Server. If the domain that you add to vCenter Single Sign-On is part of a domain hierarchy, Active
Directory determines whether users of other domains in the hierarchy are authenticated or not.

Procedure

1 Log in with the vSphere Client to the vCenter Server.

2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter
Single Sign-On Administrators group.

If you specified a different domain during installation, log in as administrator@mydomain.

3 Navigate to the Configuration UI.

a From the Home menu, select Administration.

b Under Single Sign On, click Configuration.

4 Under the Identity Provider tab, click Identity Sources, select an identity source, and click Set as Default.

5 Click OK.

In the domain display, the default domain shows (default) in the Type column.

Add or Edit a vCenter Single Sign-On Identity Source


Users can log in to vCenter Server only if they are in a domain that has been added as a vCenter Single Sign-On
identity source. vCenter Single Sign-On administrator users can add identity sources, or change the settings for
identity sources that they added.

An identity source can be an Active Directory over LDAP, a native Active Directory (Integrated Windows
Authentication) domain, or an OpenLDAP directory service. See Identity Sources for vCenter Server with
vCenter Single Sign-On.

Immediately after installation, the vsphere.local domain (or the domain you specified during installation) with the
vCenter Single Sign-On internal users is available.

Note If you have updated or replaced your Active Directory SSL certificate, you must remove and re-add the
identity source in vCenter Server.

Prerequisites

If you are adding an Active Directory (Integrated Windows Authentication) identity source, the vCenter Server must
be in the Active Directory domain. See #unique_98.

Procedure

1 Log in with the vSphere Client to the vCenter Server.

2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter
Single Sign-On Administrators group.

If you specified a different domain during installation, log in as administrator@mydomain.

3 Navigate to the Configuration UI.

a From the Home menu, select Administration.

b Under Single Sign On, click Configuration.

4 Under the Identity Provider tab, click Identity Sources, and click Add.

5 Select the identity source and enter the identity source settings.

Option        Description

Active Directory (Integrated Windows Authentication)
    Use this option for native Active Directory implementations. The machine on which the
    vCenter Single Sign-On service is running must be in an Active Directory domain if you
    want to use this option.
    See Active Directory Identity Source Settings.

Active Directory over LDAP
    This option requires that you specify the domain controller and other information. See
    Active Directory over LDAP and OpenLDAP Server Identity Source Settings.

OpenLDAP
    Use this option for an OpenLDAP identity source. See Active Directory over LDAP and
    OpenLDAP Server Identity Source Settings.

Note If the user account is locked or disabled, authentications and group and user searches in the Active
Directory domain fail. The user account must have read-only access over the User and Group OU, and must be
able to read user and group attributes. Active Directory provides this access by default. Use a special service
user for improved security.

6 Click Add.

What to do next

Initially, each user is assigned the No Access role. A vCenter Server administrator must assign the user at least to
the Read Only role before the user can log in. See the vSphere Security documentation.

Active Directory Identity Source Settings
If you select the Active Directory (Integrated Windows Authentication) identity source type, you can use the local
machine account as your SPN (Service Principal Name) or specify an SPN explicitly. You can use this option only
if the vCenter Single Sign-On server is joined to an Active Directory domain.

Prerequisites for Using an Active Directory (Integrated Windows Authentication) Identity Source

You can set up vCenter Single Sign-On to use an Active Directory (Integrated Windows Authentication) identity
source only if that identity source is available. Follow the instructions in the vCenter Server Configuration
documentation.

Note Active Directory (Integrated Windows Authentication) always uses the root of the Active Directory domain
forest. To configure your Integrated Windows Authentication identity source with a child domain within your
Active Directory forest, see the VMware knowledge base article at http://kb.vmware.com/kb/2070433.

Select Use machine account to speed up configuration. If you expect to rename the local machine on which
vCenter Single Sign-On runs, specifying an SPN explicitly is preferable.

If you have enabled diagnostic event logging in your Active Directory to identify where hardening might be
needed, you might see a log event with Event ID 2889 on that directory server. Event ID 2889 is generated as an
anomaly rather than a security risk when using Integrated Windows Authentication. For more information about
Event ID 2889, see the VMware knowledge base article at https://kb.vmware.com/s/article/78644.

Table 2-12. Add Identity Source Settings

Text Box        Description

Domain name
    FQDN of the domain name, for example, mydomain.com. Do not provide an IP address. This domain
    name must be DNS-resolvable by the vCenter Server system.

Use machine account
    Select this option to use the local machine account as the SPN. When you select this option, you
    specify only the domain name. Do not select this option if you expect to rename this machine.

Use Service Principal Name (SPN)
    Select this option if you expect to rename the local machine. You must specify an SPN, a user who
    can authenticate with the identity source, and a password for the user.

Service Principal Name (SPN)
    SPN that helps Kerberos to identify the Active Directory service. Include the domain in the name,
    for example, STS/example.com.
    The SPN must be unique across the domain. Running the setspn -S command checks that no duplicate
    is created. See the Microsoft documentation for information on setspn.

User Principal Name (UPN), Password
    Name and password of a user who can authenticate with this identity source. Use the email address
    format, for example, jchin@mydomain.com. You can verify the User Principal Name with the Active
    Directory Service Interfaces Editor (ADSI Edit).

Active Directory over LDAP and OpenLDAP Server Identity Source Settings
The Active Directory over LDAP identity source is preferred over the Active Directory (Integrated Windows
Authentication) option. The OpenLDAP Server identity source is available for environments that use
OpenLDAP.

If you are configuring an OpenLDAP identity source, see the VMware knowledge base article at
http://kb.vmware.com/kb/2064977 for additional requirements.

Note A future update to Microsoft Windows will change the default behavior of Active Directory to require
strong authentication and encryption. This change will impact how vCenter Server authenticates to Active
Directory. If you use Active Directory as your identity source for vCenter Server, you must plan to enable
LDAPS. For more information about this Microsoft security update, see
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023 and
https://blogs.vmware.com/vsphere/2020/01/microsoft-ldap-vsphere-channel-binding-signing-adv190023.html.

Table 2-13. Active Directory over LDAP and OpenLDAP Server Settings

Option        Description

Name
    Name of the identity source.

Base DN for users
    Base Distinguished Name for users. Enter the DN from which to start user searches. For example,
    cn=Users,dc=myCorp,dc=com.

Base DN for groups
    The Base Distinguished Name for groups. Enter the DN from which to start group searches. For
    example, cn=Groups,dc=myCorp,dc=com.

Domain name
    The FQDN of the domain.

Domain alias
    For Active Directory identity sources, the domain's NetBIOS name. Add the NetBIOS name of the
    Active Directory domain as an alias of the identity source if you are using SSPI authentications.
    For OpenLDAP identity sources, the domain name in capital letters is added if you do not specify
    an alias.

User name
    ID of a user in the domain who has a minimum of read-only access to Base DN for users and groups.
    The ID can be in any of these formats:
    • UPN (user@domain.com)
    • NetBIOS (DOMAIN\user)
    • DN (cn=user,cn=Users,dc=domain,dc=com)
    The user name must be fully-qualified. An entry of "user" does not work.

Password
    Password of the user who is specified by User name.

Connect to
    Domain controller to connect to. Can be any domain controller in the domain, or specific
    controllers.

Primary Server URL
    Primary domain controller LDAP server for the domain. You can use either the host name or the IP
    address.
    Use the format ldap://hostname_or_IPaddress:port or ldaps://hostname_or_IPaddress:port. The port
    is typically 389 for LDAP connections and 636 for LDAPS connections. For Active Directory
    multi-domain controller deployments, the port is typically 3268 for LDAP and 3269 for LDAPS.
    A certificate that establishes trust for the LDAPS endpoint of the Active Directory server is
    required when you use ldaps:// in the primary or the secondary LDAP URL.

Secondary server URL
    Address of a secondary domain controller LDAP server that is used for failover. You can use either
    the host name or the IP address.

SSL certificates
    If you want to use LDAPS with your Active Directory LDAP Server or OpenLDAP Server identity
    source, click Browse to select a certificate. To export the root CA certificate from Active
    Directory, consult the Microsoft documentation.
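
A pre-flight check of the User name and server URL values from Table 2-13 before they are entered in the Add Identity Source dialog, as an added example that is not part of the VMware documentation. The function names and the example.test and 192.0.2.10 values are constructed; the certificate check only confirms that a file is readable, not that it chains to the directory server's certificate.

```shell
#!/bin/sh
# Added example, not VMware code: validate identity source values from Table 2-13.

# Classify the bind user name. Prints UPN, NetBIOS, DN or unqualified.
username_format() {   # $1 = user name
    case $1 in
        *=*,*=*)  echo DN ;;
        ?*\\?*)   echo NetBIOS ;;
        ?*@?*.?*) echo UPN ;;
        *)        echo unqualified ;;   # an entry such as "user" does not work
    esac
}

# Check a primary or secondary server URL.
# Prints "ok", "warn: ..." or "error: ..."; returns 1 only for errors.
check_ldap_url() {   # $1 = URL, $2 = certificate file (required for ldaps://)
    case $1 in
        ldaps://*) scheme=ldaps; rest=${1#ldaps://} ;;
        ldap://*)  scheme=ldap;  rest=${1#ldap://} ;;
        *) echo "error: URL must start with ldap:// or ldaps://"; return 1 ;;
    esac
    case $rest in
        ?*:?*) host=${rest%:*}; port=${rest##*:} ;;
        *) echo "error: expected hostname_or_IPaddress:port"; return 1 ;;
    esac
    case $port in
        *[!0-9]*) echo "error: port '$port' is not numeric"; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "error: port $port is out of range"; return 1
    fi
    if [ "$scheme" = ldaps ]; then
        # ldaps:// requires a certificate that establishes trust for the endpoint.
        [ -r "$2" ] || { echo "error: ldaps:// needs a certificate that establishes trust"; return 1; }
        case $port in
            389|3268) echo "warn: port $port is typically used for LDAP, not LDAPS" ;;
            *) echo ok ;;
        esac
    else
        case $port in
            636|3269) echo "warn: port $port is typically used for LDAPS, not LDAP" ;;
            *) echo "warn: cleartext LDAP to $host; plan to enable LDAPS" ;;
        esac
    fi
}

# Demo with constructed values (example.test names, documentation IP address).
cert=$(mktemp)    # stands in for the exported root CA certificate
for url in ldaps://dc01.example.test:636 ldaps://dc01.example.test:389 ldap://192.0.2.10:389; do
    printf '%-34s %s\n' "$url" "$(check_ldap_url "$url" "$cert")"
done
for user in 'svc-vcenter@example.test' 'EXAMPLE\svc-vcenter' 'svc-vcenter'; do
    printf '%-34s %s\n' "$user" "$(username_format "$user")"
done
rm -f "$cert"
```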

Managing Permissions for vCenter Server Components

A permission is set on an object in the vCenter Server object hierarchy. Each permission associates the object with a
group or user and the group's or user's access role. For example, you can select a virtual machine object, add one
permission that gives the ReadOnly role to Group 1, and add a second permission that gives the Administrator role to
User 2.

By assigning a different role to a group of users on different objects, you control the tasks that those users can
perform in your vSphere environment. For example, to allow a group to configure memory for the host, select that
host and add a permission that grants a role to that group that includes the Host.Configuration.Memory
Configuration privilege.

For conceptual information about permissions, see the discussion in
#unique_102/unique_102_Connect_42_section_E85FD581B0E44F2999ECAF4A3B83671C.

You can assign permissions to objects at different levels of the hierarchy. For example, you can assign permissions to
a host object or to a folder object that includes all host objects. See #unique_103. You can also assign propagating
permissions to a global root object to apply the permissions to all objects in all solutions. See #unique_104.
Add a Permission to an Inventory Object
After you create users and groups and define roles, you must assign the users and groups and their roles to the
relevant inventory objects. You can assign the same propagating permissions to multiple objects simultaneously by
moving the objects into a folder and setting the permissions on the folder.

When you assign permissions, the user and the group names must match Active Directory precisely,
including case. If you upgraded from earlier versions of vSphere, check for case inconsistencies if you
experience problems with groups.

Prerequisites

On the object whose permissions you want to modify, you must have a role that includes the
Permissions.Modify permission privilege.

Procedure

1 Browse to the object for which you want to assign permissions in the vSphere Client object navigator.

2 Click the Permissions tab.

3 Click the Add Permission icon.

4 (Optional) If you have configured an external identity provider for federated authentication, the domain of that
identity provider is available to select in the Domain drop-down menu.

5 Select the user or group that will have the privileges defined by the selected role.

a From the User drop-down menu, select the domain for the user or group.

b Type a name in the Search box.

The system searches user names and group names.

c Select the user or group.

6 Select a role from the Role drop-down menu.

7 (Optional) To propagate the permissions, select the Propagate to children check box.

The role is applied to the selected object and propagates to the child objects.

8 Click OK.

Synchronizing Clocks on the vSphere Network

Verify that all components on the vSphere network have their clocks synchronized. If the clocks on the physical
machines in your vSphere network are not synchronized, SSL certificates and SAML tokens, which are time-
sensitive, might not be recognized as valid in communications between network machines.

Unsynchronized clocks can result in authentication problems, which can cause the installation to fail or prevent
the vCenter Server vmware-vpxd service from starting.

Time inconsistencies in vSphere can cause the first boot of a component in your environment to fail at different
services depending on where in the environment time is not accurate and when the time is synchronized. Problems
most commonly occur when the target ESXi host for the destination vCenter Server is not synchronized with NTP
or PTP. Similarly, issues can arise if the destination vCenter Server migrates to an ESXi host set to a different time
due to fully automated DRS.

To avoid time synchronization issues, ensure that the following is correct before installing, migrating, or upgrading
a vCenter Server instance.

• The target ESXi host where the destination vCenter Server is to be deployed is synchronized to NTP or PTP.

• The ESXi host running the source vCenter Server is synchronized to NTP or PTP.

• When upgrading or migrating from vSphere 6.7 to vSphere 8.0, if the vCenter Server appliance is
connected to an external Platform Services Controller, ensure the ESXi host running the external
Platform Services Controller is synchronized to NTP or PTP.

• If you are upgrading or migrating from vSphere 6.7 to vSphere 8.0, verify that the source vCenter Server or
vCenter Server appliance and external Platform Services Controller have the correct time.

Verify that any Windows host machine on which vCenter Server runs is synchronized with the Network Time
Protocol (NTP) server. See the VMware knowledge base article at https://kb.vmware.com/s/article/1318.

To synchronize ESXi clocks with an NTP or a PTP server, you can use the VMware Host Client. For information
about editing the time configuration of an ESXi host, see topic Edit the Time
Configuration of an ESXi Host in the VMware Host Client in the vSphere Single Host Management -
VMware Host Client documentation.

To learn how to change time synchronization settings for vCenter Server, see topic Configure the System
Time Zone and Time Synchronization Settings in the vCenter Server Configuration
documentation.

To learn how to edit the time configuration for a host by using the vSphere Client, see topic Editing the Time
Configuration Settings of a Host in the vCenter Server and Host Management documentation.
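
The following check is an added example, not code from this guide or from VMware. It parses an SNTP server reply, derives the local clock offset with the standard four-timestamp formula, and shows how a verifier whose clock lags rejects a time-bounded token such as a SAML assertion. The reply bytes, timestamps, thresholds, and function names are constructed assumptions, and the code does not reproduce how ntp.test works.

```python
import struct

NTP_UNIX_DELTA = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)
PACKET = "!BBbb3I8I"         # header, root delay/dispersion, ref ID, four 64-bit timestamps


def _ntp_ts(unix_time):
    """Encode a Unix time as NTP (seconds, fraction) words."""
    whole = int(unix_time)
    return whole + NTP_UNIX_DELTA, int((unix_time - whole) * 2**32)


def build_reply(t1, t2, t3, leap=0, stratum=2):
    """Construct a 48-byte server reply (version 4, mode 4) for offline use."""
    first = (leap << 6) | (4 << 3) | 4
    return struct.pack(PACKET, first, stratum, 6, -20, 0, 0, 0,
                       *_ntp_ts(t3), *_ntp_ts(t1), *_ntp_ts(t2), *_ntp_ts(t3))


def parse_reply(packet, t1_sent, t4):
    """Parse a reply to a request sent at local time t1_sent and received at t4."""
    if len(packet) < 48:
        raise ValueError("NTP reply shorter than 48 bytes")
    f = struct.unpack(PACKET, packet[:48])
    if f[0] & 0x07 != 4:
        raise ValueError("not a server-mode NTP packet")

    def ts(i):
        return f[i] - NTP_UNIX_DELTA + f[i + 1] / 2**32

    t1, t2, t3 = ts(9), ts(11), ts(13)  # origin, receive, transmit
    # A reply must echo the timestamp of the request it answers.
    if abs(t1 - t1_sent) > 1e-6:
        raise ValueError("origin timestamp does not match the request")
    return {
        "leap": f[0] >> 6,
        "stratum": f[1],
        "offset": ((t2 - t1) + (t3 - t4)) / 2,  # server clock minus local clock
        "delay": (t4 - t1) - (t3 - t2),         # round trip minus server processing
    }


def assess_source(reply, max_offset):
    """Classify a parsed reply; max_offset (seconds) is a site-chosen threshold."""
    if reply["leap"] == 3 or reply["stratum"] == 0 or reply["stratum"] >= 16:
        return "server-unsynchronized"
    if abs(reply["offset"]) > max_offset:
        return "local-clock-skewed"
    return "ok"


def token_status(not_before, not_on_or_after, verifier_now, tolerance):
    """Evaluate a time-bounded token against the verifier's own clock.

    tolerance (seconds) is an assumed allowance, not a documented vSphere value.
    """
    if verifier_now + tolerance < not_before:
        return "not-yet-valid"
    if verifier_now - tolerance >= not_on_or_after:
        return "expired"
    return "valid"


if __name__ == "__main__":
    t1 = 1_700_000_000.0  # constructed: local clock when the request left
    # Constructed reply from a server whose clock runs 600 s ahead of this host.
    reply = build_reply(t1, t1 + 600.25, t1 + 600.75)
    parsed = parse_reply(reply, t1, t1 + 1.0)
    print(parsed, assess_source(parsed, max_offset=1.0))
    # A token issued on server time is rejected by the lagging host.
    issued = t1 + 600
    print(token_status(issued, issued + 300, verifier_now=t1, tolerance=60))
```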

Synchronize ESXi Clocks with a Network Time Server

Before you install vCenter Server, make sure all machines on your vSphere network have their clocks
synchronized.

This task explains how to set up NTP from the VMware Host Client.

Procedure

1 Start the VMware Host Client, and connect to the ESXi host.

2 Click Manage.

3 Under System, click Time & date, and click Edit settings.

4 Select Use Network Time Protocol (enable NTP client).

5 In the NTP servers text box, enter the IP address or fully qualified domain name of one or more NTP
servers to synchronize with.

6 From the NTP Service Start-up Policy drop-down menu, select Start and stop with host.

7 Click Save.

The host synchronizes with the NTP server.

Configuring Time Synchronization Settings in vCenter Server


You can change the time synchronization settings in vCenter Server after deployment.

When you deploy vCenter Server, you can choose the time synchronization method to be either by using an NTP
server or by using VMware Tools. In case the time settings in your vSphere network change, you can edit the
vCenter Server and configure the time synchronization settings by using the commands in the appliance shell.

When you enable periodic time synchronization, VMware Tools sets the time of the guest operating system to be
the same as the time of the host.

After time synchronization occurs, VMware Tools checks once every minute to determine whether the clocks on the
guest operating system and the host still match. If not, the clock on the guest operating system is synchronized to
match the clock on the host.

Native time synchronization software, such as Network Time Protocol (NTP), is typically more accurate than
VMware Tools periodic time synchronization and is therefore preferred. You can use only one form of periodic time
synchronization in vCenter Server. If you decide to use native time synchronization software, vCenter Server
VMware Tools periodic time synchronization is deactivated.

Add or Replace NTP Servers in the vCenter Server Configuration

To set up the vCenter Server to use NTP-based time synchronization, you must add the NTP servers to the vCenter
Server configuration.

Procedure

1 Access the appliance shell and log in as a user who has the administrator or super administrator
role.

The default user with super administrator role is root.

2 Add NTP servers to the vCenter Server configuration by running the following ntp.set
command.

ntp.set --servers IP-addresses-or-host-names

In this command, IP-addresses-or-host-names is a comma-separated list of IP addresses or host names of
the NTP servers.

This command removes the current NTP servers (if any) and adds the new NTP servers to the configuration. If
the time synchronization is based on an NTP server, then the NTP daemon is restarted to reload the new NTP
servers. Otherwise, this command replaces the current NTP servers in the NTP configuration with the new NTP
servers you specify.

3 (Optional) To verify that you successfully applied the new NTP configuration settings, run the following
command.

ntp.get

The command returns a space-separated list of the servers configured for NTP synchronization. If the NTP
synchronization is activated, the command returns that the NTP configuration is in Up status. If the NTP
synchronization is deactivated, the command returns that the NTP configuration is in Down status.

4 (Optional) To verify if the NTP server is reachable, run the following command.

ntp.test --servers IP-addresses-or-host-names

The command returns the status of the NTP servers.

What to do next

If the NTP synchronization is deactivated, you can configure the time synchronization settings in the vCenter
Server to be based on an NTP server. See Synchronize the Time in vCenter Server with an NTP Server.

Synchronize the Time in vCenter Server with an NTP Server


You can configure the time synchronization settings in the vCenter Server to be based on an NTP server.

Prerequisites

Set up one or more Network Time Protocol (NTP) servers in the vCenter Server configuration. See Add or Replace
NTP Servers in the vCenter Server Configuration.

Procedure

1 Access the appliance shell and log in as a user who has the administrator or super administrator
role.

The default user with super administrator role is root.

2 Run the command to enable NTP-based time synchronization.

timesync.set --mode NTP

3 (Optional) Run the command to verify that you successfully applied the NTP synchronization.

timesync.get

The command returns that the time synchronization is in NTP mode.

vSphere Network Infrastructure Deployment and Configuration


This section describes how to deploy a basic vSphere Network Infrastructure.

These steps, together with any additional service steps (for example, when VMware NSX is used), are required for
this design.

Create a vSphere Distributed Switch


Create a vSphere distributed switch on a data center to handle the networking configuration of multiple hosts at a time
from a central place.

Procedure

1 In the vSphere Client, right-click a data center from the inventory tree.

2 Select Distributed Switch > New Distributed Switch.

3 On the Name and location page, enter a name for the new distributed switch, or accept the generated name,
and click Next.

4 On the Select version page, select a distributed switch version and click Next.

Option Description

Distributed Switch: 8.0.0 Compatible with ESXi 8.0 and later. Features released with later vSphere distributed switch
versions are not supported.

Distributed Switch: 7.0.3 Compatible with ESXi 7.0.3 and later. Features released with later vSphere distributed
switch versions are not supported.

Distributed Switch: 7.0.2 Compatible with ESXi 7.0.2 and later. Features released with later vSphere distributed switch
versions are not supported.

Distributed Switch: 7.0.0 Compatible with ESXi 7.0 and later. Features released with later vSphere distributed switch
versions are not supported.

Distributed Switch: 6.6.0 Compatible with ESXi 6.7 and later. Features released with later vSphere distributed switch
versions are not supported.

Distributed Switch: 6.5.0 Compatible with ESXi 6.5 and later. Features released with later vSphere distributed switch
versions are not supported.

5 On the Configure settings page, configure the distributed switch settings.

a Use the drop-down menu to select the type of Network Offloads Compatibility.

By using Network Offloads compatibility, you can offload network and security functions to the DPU
device. A DPU is a network card that has compute capability embedded in it. You can offload the networking
functionality from the ESXi host to the DPU for better performance.

• None: If you select None, Network Offloads compatibility is not enabled.

• Pensando: If you select Pensando, Network I/O Control is disabled.

• NVIDIA BlueField: If you select NVIDIA BlueField, Network I/O Control is disabled.

Note You can configure Network Offloads compatibility when you use vSphere Distributed Switch
8.0.0 and later.

b Use the arrow buttons to select the Number of uplinks.

Uplink ports connect the distributed switch to physical NICs on associated hosts. The number of uplink ports
is the maximum number of allowed physical connections to the distributed switch per host.

c Use the drop-down menu to enable or disable Network I/O Control.

By using Network I/O Control you can prioritize the access to network resources for certain types of
infrastructure and workload traffic according to the requirements of your deployment. Network I/O Control
continuously monitors the I/O load over the network and dynamically allocates available resources.

d (Optional) Select the Create a default port group check box to create a new distributed port group
with default settings for this switch. Enter a Port group name, or accept the generated name.

If your system has custom port group requirements, create distributed port groups that meet those
requirements after you add the distributed switch.

6 On the Ready to complete page, review the settings you selected and click Finish.

Use the Back button to edit any settings.

Results

A distributed switch is created in the data center. You can view the features supported on the distributed switch as
well as other details by navigating to the new distributed switch and clicking the Summary tab.

What to do next

Add hosts to the distributed switch and configure their network adapters on the switch.

Add a Distributed Port Group


To create a distributed switch network for your virtual machines, and to associate VMkernel adapters, you can add a
distributed port group to a vSphere Distributed Switch.

Related to adding a port group is applying VLAN tagging globally on all distributed ports. Using the VLAN
options, you can select VLAN tags.

Procedure

1 On the vSphere Client Home page, click Networking and navigate to the distributed switch.

2 Right-click the distributed switch and select Distributed port group > New distributed port group.

3 On the Name and location page, enter the name of the new distributed port group, or accept the generated
name, and click Next.

4 On the Configure settings page, set the general properties for the new distributed port group.

Setting Description

Port binding Select the ports that are assigned to virtual machines connected to this distributed port
group.
• Static binding: Assign a port to a virtual machine when the virtual machine
connects to the distributed port group.
• Ephemeral - no binding: No port binding. You can assign a virtual machine to a
distributed port group with ephemeral port binding also when connected to the host.

Port allocation
• Elastic: The default number of ports is eight. When all the ports are assigned, a
new set of eight ports is created.
• Fixed: The default number of ports is set to eight. When all the ports are
assigned, no additional ports are created.

Number of ports Enter the number of ports on the distributed port group.

Network resource pool To assign the new distributed port group to a user-defined network resource pool, use the
drop-down menu. If you have not created a network resource pool, this menu is empty.

Note You cannot assign Network Resource Pool if Network Offloads is enabled.

VLAN Use the VLAN type drop-down menu to specify the type of VLAN traffic filtering and
marking:
• None: Do not use VLAN. Select None if you are using External Switch Tagging.
• VLAN: In the VLAN ID text box, enter a number between 1 and 4094 for Virtual
Switch Tagging.
• VLAN trunking: Enter a VLAN trunk range. Pass VLAN traffic with an ID to the guest OS. You can set
multiple ranges and individual VLANs by using a comma-separated list. For example: 1702-1705,
1848-1849. Use this option for Virtual Guest Tagging.
• Private VLAN: Associate the traffic with a private VLAN created on the distributed
switch. If you did not create any private VLANs, this menu is empty.

Advanced To customize the policy configurations for the new distributed port group, select this check
box.

5 Click Next.

6 (Optional) On the Security page, edit the security exceptions and click Next.

Setting Description

Promiscuous mode
• Reject: Placing an adapter in promiscuous mode from the guest operating
system does not result in receiving frames for other virtual machines.
• Accept: If an adapter is placed in promiscuous mode from the guest operating
system, the switch allows the guest adapter to receive all frames passed on the
switch in compliance with the active VLAN policy for the port where the adapter is
connected.

Firewalls, port scanners, intrusion detection systems, and so on, must run in
promiscuous mode.

MAC address changes The MAC address change feature allows a VM to change its MAC address. A VM
connected to a port can run an administrative command to change the MAC address of its
vNIC and still send and receive traffic on that vNIC.
• Reject: If the option is set to Reject and the guest OS changes the MAC address of
the adapter to a value different from the address in the .vmx configuration file,
then the switch drops all inbound frames to the virtual machine adapter.
If the guest OS changes the MAC address back, the virtual machine receives frames
again.
• Accept: If the guest OS changes the MAC address of a network adapter,
the adapter receives frames to its new address.

Forged Transmits
• Reject: The switch drops any outbound frame with a source MAC address that is
different from the one in the .vmx configuration file.
• Accept: The switch does not perform filtering and permits all outbound
frames.

7 (Optional) On the Security page, edit the MAC Learning policy and click Next.

Setting Description

Status Enable or disable the MAC learning feature. The default is disabled.

Allow unicast flooding When a packet that is received by a port has an unknown destination MAC address, the
packet is dropped. With unknown unicast flooding enabled, the port floods unknown
unicast traffic to every port on the switch that has MAC learning and unknown unicast
flooding enabled. This property is enabled by default, if MAC learning is enabled.

MAC Limit The number of MAC addresses that can be learned is configurable. The maximum value is
4096 per port, which is the default.

MAC Limit Policy The policy for when the MAC limit is reached. The options are:
• Drop - Packets from an unknown source MAC address are dropped.
Packets inbound to this MAC address will be treated as unknown unicast. The port will
receive the packets only if it has unknown unicast flooding enabled.
• Allow - Packets from an unknown source MAC address are forwarded although
the address will not be learned. Packets inbound to this MAC address will be
treated as unknown unicast. The port will receive the packets only if it has
unknown unicast flooding enabled.

8 (Optional) On the Traffic shaping page, enable or disable Ingress or Egress traffic shaping and click Next.

Setting Description

Status If you enable either Ingress traffic shaping or Egress traffic shaping, you are setting
limits on the amount of networking bandwidth allocated for each virtual adapter associated
with this particular port group. If you disable the policy, services have a free, clear
connection to the physical network by default.

Note You cannot assign traffic shaping policies if Network Offloads Compatibility
is enabled.

Average bandwidth This feature establishes the number of bits per second to allow across a port, averaged over
time. It is the allowed average load.

Peak bandwidth The maximum number of bits per second to allow across a port when it is sending and
receiving a burst of traffic. It tops the bandwidth used by a port whenever it is using its
burst bonus.

Burst size The maximum number of bytes to allow in a burst. If this parameter is set, a port can
gain a burst bonus when it does not use all its allocated bandwidth. Whenever the port
needs more bandwidth than specified by Average bandwidth, it can temporarily transmit data
at a faster speed if a burst bonus is available. This parameter tops the number of bytes that
can be accumulated in the burst bonus and as a result transferred at a faster speed.

9 (Optional) On the Teaming and failover page, edit the settings and click Next.

Setting Description

Load balancing Specify the way an uplink is selected.
• Route based on originating virtual port: Select an uplink based on the virtual
port where the traffic entered the distributed switch.
• Route based on IP hash: Select an uplink based on a hash of the
source and destination IP addresses of each packet. For non-IP packets, whatever is at
those offsets is used to compute the hash.
• Route based on source MAC hash: Select an uplink based on a hash of the source
Ethernet.
• Route based on physical NIC load: Select an uplink based on the current loads of
physical NICs.
• Use explicit failover order: Always use the highest order uplink from the list of
Active adapters which passes failover detection criteria.

Note IP-based teaming requires that the physical switch is configured with
EtherChannel. For all other options, disable EtherChannel.

Network failure detection Specify the method to use for failover detection.
• Link status only: Relies solely on the link status that the network adapter provides.
This option detects failures, such as cable pulls and physical switch power failures, but
not configuration errors, such as a physical switch port being blocked by spanning tree
or that is misconfigured to the wrong VLAN or cable pulls on the other side of a
physical switch.
• Beacon probing: Sends out and listens for beacon probes on all NICs in the team and
uses this information, in addition to link status, to determine link failure. This detects
many of the failures previously mentioned that are not detected by link status alone.

Note Do not use beacon probing with IP-hash load-balancing.

Notify switches Select Yes or No to notify switches in case of failover. If you select Yes, whenever a
virtual NIC is connected to the distributed switch or whenever that virtual NIC’s traffic
can be routed over a different physical NIC in the team because of a failover event, a
notification is sent out over the network to update the lookup tables on physical switches.
In almost all cases, this process is desirable for the lowest latency of failover occurrences
and migrations with vMotion.

Note Do not use this option when the virtual machines using the port group
are using Microsoft Network Load Balancing in unicast mode. No such issue exists with
NLB running in multicast mode.

Failback Select Yes or No to disable or enable failback.

This option determines how a physical adapter is returned to active duty after recovering
from a failure. If failback is set to Yes (default), the adapter is returned to active duty
immediately upon recovery, displacing the standby adapter that took over its slot, if any. If
failback is set to No, a failed adapter is left inactive even after recovery until another
currently active adapter fails, requiring its replacement.

Failover order Specify how to distribute the workload for uplinks. To use some uplinks but reserve others
for emergencies if the uplinks in use fail, set this condition by moving them into different
groups:
• Active uplinks: Continue to use the uplink when the network adapter
connectivity is up and active.
• Standby uplinks: Use this uplink if one of the active adapters'
connectivity is down.
• Unused uplinks: Do not use this uplink.

Note When using IP-hash load-balancing, do not configure standby uplinks.

10 (Optional) On the Monitoring page, enable or disable NetFlow and click Next.

Setting Description

Disabled NetFlow is disabled on the distributed port group.

Enabled NetFlow is enabled on the distributed port group. NetFlow settings can be configured at the
vSphere Distributed Switch level.

11 (Optional) On the Miscellaneous page, select Yes or No and click Next.

Selecting Yes shuts down all ports in the port group. This action can disrupt the normal network operations
of the hosts or virtual machines using the ports.

12 On the Ready to complete page, review your settings and click Finish.

To change any settings, click the Back button.
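
As an added example (not VMware's code and not the vSphere API), the following Python audit applies the rules stated in the port group wizard above to exported settings: the VLAN ID and trunk-range format, the three security exceptions, and the notes on IP-hash teaming and Network Offloads. The dictionary keys, finding codes, and sample port groups are hypothetical and constructed for illustration; the lower bound of 0 for trunk entries is an assumption.

```python
import re

SECURITY_KEYS = ("promiscuous_mode", "mac_address_changes", "forged_transmits")
MAX_VLAN_ID = 4094  # upper bound given in the wizard's VLAN row


def parse_trunk_ranges(text):
    """Parse a trunk list such as '1702-1705, 1848-1849' into (low, high) pairs."""
    ranges = []
    for item in text.split(","):
        match = re.fullmatch(r"\s*(\d+)\s*(?:-\s*(\d+)\s*)?", item)
        if not match:
            raise ValueError(f"malformed trunk entry: {item.strip()!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        # Lower bound 0 is an assumption; the page only bounds single VLAN IDs (1-4094).
        if low > high or high > MAX_VLAN_ID:
            raise ValueError(f"trunk entry out of range: {item.strip()!r}")
        ranges.append((low, high))
    return ranges


def audit_port_group(spec):
    """Return sorted finding codes for one port group description (hypothetical keys)."""
    findings = []
    vlan_type, vlan = spec.get("vlan_type", "None"), spec.get("vlan")
    if vlan_type == "VLAN":
        if not (type(vlan) is int and 1 <= vlan <= MAX_VLAN_ID):
            findings.append("vlan-id-out-of-range")
    elif vlan_type == "VLAN trunking":
        try:
            parse_trunk_ranges(str(vlan))
        except ValueError:
            findings.append("vlan-trunk-invalid")
    # Accept is an exception to review, not always an error: the page notes that
    # firewalls and intrusion detection systems must run in promiscuous mode.
    for key in SECURITY_KEYS:
        if spec.get("security", {}).get(key) == "Accept":
            findings.append(f"security-exception:{key}")
    teaming = spec.get("teaming", {})
    if teaming.get("load_balancing") == "Route based on IP hash":
        if teaming.get("failure_detection") == "Beacon probing":
            findings.append("ip-hash-with-beacon-probing")
        if teaming.get("standby_uplinks"):
            findings.append("ip-hash-with-standby-uplinks")
    if spec.get("network_offloads", "None") != "None":
        if spec.get("traffic_shaping_enabled"):
            findings.append("traffic-shaping-with-network-offloads")
        if spec.get("network_resource_pool"):
            findings.append("resource-pool-with-network-offloads")
    return sorted(findings)


def audit_all(port_groups):
    """Map each port group name to its findings."""
    return {pg["name"]: audit_port_group(pg) for pg in port_groups}


SAMPLE_PORT_GROUPS = [  # constructed examples, not real exports
    {
        "name": "dpg-app",
        "vlan_type": "VLAN trunking",
        "vlan": "1702-1705, 1848-1849",
        "security": {key: "Reject" for key in SECURITY_KEYS},
        "teaming": {"load_balancing": "Route based on originating virtual port",
                    "failure_detection": "Link status only",
                    "standby_uplinks": ["Uplink3"]},
    },
    {
        "name": "dpg-legacy",
        "vlan_type": "VLAN",
        "vlan": 4095,
        "security": {"promiscuous_mode": "Accept", "mac_address_changes": "Reject",
                     "forged_transmits": "Accept"},
        "teaming": {"load_balancing": "Route based on IP hash",
                    "failure_detection": "Beacon probing",
                    "standby_uplinks": ["Uplink2"]},
        "network_offloads": "NVIDIA BlueField",
        "traffic_shaping_enabled": True,
    },
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_PORT_GROUPS).items():
        print(name, findings or "no findings")
```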

Create a VMkernel Adapter on a Host Associated with a vSphere Distributed Switch


Create a VMkernel adapter on a host that is associated with a distributed switch to provide network connectivity to
the host and to handle the traffic for vSphere vMotion, IP storage, Fault Tolerance logging, vSAN, and others. You
can set up VMkernel adapters for the standard system traffic on vSphere standard switches and on vSphere
distributed switches.

You should dedicate a single distributed port group per VMkernel adapter. For better isolation, you should
configure one VMkernel adapter with one traffic type.

Procedure

1 In the vSphere Client, navigate to the host.

2 On the Configure tab, expand Networking and select VMkernel adapters.

3 Click Add networking.

4 On the Select connection type page, select VMkernel Network Adapter and click Next.

5 From the Select an existing network option, select a distributed port group and click Next.

6 On the Port properties page, configure the settings for the VMkernel adapter.

Option Description

Network label The network label is inherited from the label of the distributed port group.

IP settings Select IPv4, IPv6, or both.

Note The IPv6 option does not appear on hosts that do not have IPv6 enabled.

MTU Choose whether to get MTU for the network adapter from the switch or to set a custom
size. You cannot set the MTU size to a value greater than 9000 bytes.

TCP/IP stack Select a TCP/IP stack from the list. Once you set a TCP/IP stack for the VMkernel adapter,
you cannot change it later. If you select the vMotion or the Provisioning TCP/IP stack, you
will be able to use only these stacks to handle vMotion or Provisioning traffic on the host.
All VMkernel adapters for vMotion on the default TCP/IP stack are disabled for future
vMotion sessions. If you set the Provisioning TCP/IP stack, VMkernel adapters on the
default TCP/IP stack are disabled for operations that include Provisioning traffic, such as
virtual machine cold migration, cloning, and snapshot migration.

Available services You can enable services for the default TCP/IP stack on the host. Select from the available
services:
• vMotion. Enables the VMkernel adapter to advertise itself to another host as the
network connection where vMotion traffic is sent. The migration with vMotion to the
selected host is not possible if the vMotion service is not enabled for any VMkernel
adapter on the default TCP/IP stack, or there are no adapters using the vMotion TCP/IP stack.
• Provisioning. Handles the data transferred for virtual machine cold migration,
cloning, and snapshot migration.
• Fault Tolerance logging. Enables Fault Tolerance logging on the host. You can
use only one VMkernel adapter for FT traffic per host.
• Management. Enables the management traffic for the host and vCenter Server.
Typically, hosts have such a VMkernel adapter created when the ESXi software is
installed. You can create another VMkernel adapter for management traffic on the
host to provide redundancy.
• vSphere Replication. Handles the outgoing replication data that is sent from the
source ESXi host to the vSphere Replication server.
• vSphere Replication NFC. Handles the incoming replication data on the target
replication site.
• vSAN. Enables the vSAN traffic on the host. Every host that is part of a
vSAN cluster must have such a VMkernel adapter.

7 (Optional) On the IPv4 settings page, select an option for obtaining IP addresses.

Option Description

Obtain IPv4 settings automatically Use DHCP to obtain IP settings. A DHCP server must be present on the network.

Use static IPv4 settings Enter the IPv4 IP address and subnet mask for the VMkernel adapter.
The VMkernel Default Gateway and DNS server addresses for IPv4 are obtained from the
selected TCP/IP stack.
Select the Override default gateway for this adapter check box and enter a gateway
address, if you want to specify a different gateway for the VMkernel adapter.

8 (Optional) On the IPv6 settings page, select an option for obtaining IPv6 addresses.

Option Description

Obtain IPv6 addresses automatically through DHCP Use DHCP to obtain IPv6 addresses. A DHCPv6 server must be present on the network.

Obtain IPv6 addresses automatically through Router Advertisement Use router advertisement to obtain IPv6 addresses.
In ESXi 6.5 and later router advertisement is enabled by default and supports the M and O
flags in accordance with RFC 4861.

Static IPv6 addresses
a Click Add IPv6 address to add a new IPv6 address.
b Enter the IPv6 address and subnet prefix length, and click OK.
c To change the VMkernel default gateway, click Override default gateway for this adapter.
The VMkernel Default Gateway address for IPv6 is obtained from the selected TCP/IP stack.

9 Review your settings selections on the Ready to complete page and click Finish.

Add Hosts to a vSphere Distributed Switch


To manage the networking of your vSphere environment by using a vSphere Distributed Switch, you must associate
hosts with the switch. You connect the physical NICs, VMkernel adapters, and virtual machine network adapters of
the hosts to the distributed switch.

Prerequisites

• Verify that enough uplinks are available on the distributed switch to assign to the physical NICs that you want
to connect to the switch.

• Verify that there is at least one distributed port group on the distributed switch.

• Verify that the distributed port group has active uplinks configured in its teaming and failover policy.

If you migrate or create VMkernel adapters for iSCSI, verify that the teaming and failover policy of the target
distributed port group meets the requirements for iSCSI:

• Verify that only one uplink is active, the standby list is empty, and the rest of the uplinks are unused.

• Verify that only one physical NIC per host is assigned to the active uplink.

Procedure

1 On the vSphere Client Home page, click Networking and navigate to the distributed switch.

2 Right-click the distributed switch and select Add and Manage Hosts.

3 On the Select task page, select Add hosts, and click Next.

4 On the Select hosts page:

a Select the host(s) from the list of available hosts under All hosts.

b To view the selected hosts, click Selected.

The selected hosts are displayed.

c To filter the hosts based on their compatibility, click Compatibility.

Note While adding hosts to the vSphere Distributed Switch with Network Offloads compatibility, you can
only add compatible adapters that are backed by a compatible DPU.

d To select all the available hosts, click Select All.

5 Click Next.

6 On the Manage physical adapters page, you can add or remove network adapters to the distributed
switch by assigning or unassigning an uplink.

7 To manage adapters on all hosts that have the same physical network adapter, select
Adapters on all hosts.

a Click Select All to select all hosts.

b To assign an uplink to the host, select an uplink from the drop-down menu.

c To unassign an uplink from the hosts, select None from the drop-down menu.

d To see more details about the hosts, expand the network adapter listed under Physical network
adapters.

e You can view the switches that use this VMkernel adapter in In use by switch.

For instance, if you assign uplink1 to vmnic1, it is assigned to all the hosts that have vmnic1 as their
physical network adapter.

8 To manage adapters per host, select Adapters per host.

a Select the individual host from the list.

b To assign an uplink to the host, select an uplink from the drop-down menu.

c To unassign an uplink from the host, select None from the drop-down menu.

If you select physical NICs that are assigned to other standard or distributed switches, the NICs are migrated to
the current distributed switch.

For consistent network configuration, you can connect one and the same physical NIC on every host to the
same uplink on the distributed switch.
For instance, if you are adding two hosts, connect vmnic1 on each host to Uplink1 on the distributed switch.

9 Click Next.

Note If a host does not have an assigned physical network adapter, then a warning appears.

10 On the Manage VMkernel adapters page, you can manage the VMkernel adapters on the distributed
switch.

11 To manage VMkernel adapters on all hosts that have the same VMkernel adapter, select
Adapters on all hosts.

a To select all the hosts, click Select All.

b Click Assign Port Group.

You can see all the available port groups.

c To assign a port group, click Assign.

d To unassign a port group, click Unassign.

e You can view the switches that use this VMkernel adapter in In use by switch.

f To see more details about the hosts, expand the VMkernel adapter listed under Name.

For instance, if you assign DPortGroup1 to vmk0, the port group is assigned to all the hosts that have vmk0
as their VMkernel network adapter.

12 To manage VMkernel adapter per host, select Adapters per host.

a Select the individual host from the list.

b Click Assign Port Group.

You can see all the available port groups.

c To assign a port group, click Assign.

d To unassign a port group, click Unassign.

13 Click Next.

14 On the Migrate VM networking page, select the check box Migrate virtual machine
networking to migrate virtual machines to a distributed switch.

15 To configure per network adapter, click Assign port group.

a To assign a port group, click Assign.

For instance, the port group is assigned to all the virtual machines that have the same network adapter.

b To unassign port groups, click Unassign.

16 To configure per virtual machine, click Assign port group.

a To assign a port group, click Assign.

b To unassign a port group, click Unassign.

17 Click Next.

18 On the Ready to Complete page of the Add and Manage Hosts wizard, review the settings for the virtual
machine.

19 Click Finish.

You have now successfully added a host to the vSphere distributed switch.

What to do next

Having hosts associated with the distributed switch, you can manage physical network adapters, VMkernel adapters,
and virtual machine network adapters.

vSphere Network I/O Control


Use vSphere Network I/O Control to allocate network bandwidth to business-critical applications and to resolve
situations where several types of traffic compete for common resources.

What is vSphere Network I/O Control

vSphere Network I/O Control version 3 introduces a mechanism to reserve bandwidth for system traffic based on the
capacity of the physical adapters on a host. It enables fine-grained resource control at the VM network adapter level
similar to the model that you use for allocating CPU and memory resources.

Version 3 of the Network I/O Control feature offers improved network resource reservation and allocation across the
entire switch.

Models for Bandwidth Resource Reservation

Network I/O Control version 3 supports separate models for resource management of system traffic related to
infrastructure services, such as vSphere Fault Tolerance, and of virtual machines.

The two traffic categories differ in nature. System traffic is strictly associated with an ESXi host. The
network traffic routes change when you migrate a virtual machine across the environment. To provide
network resources to a virtual machine regardless of its host, in Network I/O Control you
can configure resource allocation for virtual machines that is valid in the scope of the entire distributed switch.

Bandwidth Guarantee to Virtual Machines

Network I/O Control version 3 provisions bandwidth to the network adapters of virtual machines by using
constructs of shares, reservation and limit. Based on these constructs, to receive sufficient bandwidth, virtualized
workloads can rely on admission control in vSphere Distributed Switch, vSphere DRS and vSphere HA.

Availability of Features

SR-IOV is not available for virtual machines configured to use Network I/O Control version 3.

Enable Network I/O Control on a vSphere Distributed Switch

Enable network resource management on a vSphere Distributed Switch to guarantee minimum bandwidth to system
traffic for vSphere features and to virtual machine traffic.

Procedure

1 On the vSphere Client Home page, click Networking and navigate to the distributed switch.

2 From the Actions menu, select Settings > Edit Settings.

3 From the Network I/O Control drop-down menu, select Enable.

Note When Network Offloads compatibility is enabled, Network I/O Control is disabled. When Network
Offloads is set to None, Network I/O Control is supported.

4 Click OK.

Results

When enabled, the model that Network I/O Control uses to handle bandwidth allocation for system traffic and
virtual machine traffic is based on the Network I/O Control version that is active on the distributed switch. See
What is vSphere Network I/O Control.

vSphere Storage Infrastructure Deployment and Configuration


This section describes how to deploy the vSphere Storage Infrastructure.

Consultant Note Remove all sections that do not apply to the engagement. Storage is dependent on the
customer in most cases. More details can be found here:

https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-storage/GUID-8AE88758-20C1-4873-99C7-181EF9ACFA70.html

Configuring iSCSI for vSphere


If iSCSI is being used for storage, this section describes the general steps to configure the storage to be
presented to the ESXi hosts.

Configure the Software iSCSI Adapter

With the software-based iSCSI implementation, you can use standard NICs to connect your host to a remote
iSCSI target on the IP network. The software iSCSI adapter that is built into ESXi facilitates this connection by
communicating with the physical NICs through the network stack.

When you use the software iSCSI adapters, consider the following:

 Designate a separate network adapter for iSCSI. Do not use iSCSI on 100 Mbps or slower adapters.

 Avoid hard coding the name of the software adapter, vmhbaXX, in the scripts. It is possible for the name to
change from one ESXi release to another. The change might cause failures of
your existing scripts if they use the hardcoded old name. The name change does not affect the behavior of the
iSCSI software adapter.

The process of configuring the software iSCSI adapter involves several steps.

Step
    Description

Activate or Disable the Software iSCSI Adapter
    Activate your software iSCSI adapter so that your host can use it to access iSCSI storage.

Modify General Properties for iSCSI or iSER Adapters
    If needed, change the default iSCSI name and alias assigned to your adapter.

Configure Port Binding for iSCSI or iSER
    Configure connections for the traffic between the iSCSI component and the physical network adapters.
    The process of configuring these connections is called port binding.

Configure Dynamic or Static Discovery for iSCSI and iSER on ESXi Host
    Set up dynamic discovery. With dynamic discovery, each time the initiator contacts a specified iSCSI
    storage system, it sends the SendTargets request to the system. The iSCSI system responds by
    supplying a list of available targets to the initiator. In addition to the dynamic discovery method, you
    can use static discovery and manually enter information for the targets.

#unique_127
    If your iSCSI environment uses the Challenge Handshake Authentication Protocol (CHAP), configure it
    for your adapter.

#unique_128
    You can also configure different CHAP credentials for each discovery address or static target.

#unique_129
    If your iSCSI environment supports Jumbo Frames, enable them for the adapter.

Activate or Disable the Software iSCSI Adapter

You must activate your software iSCSI adapter so that your ESXi host can use it to access iSCSI storage. If you do
not need the software iSCSI adapter after activation, you can disable it.

You can activate only one software iSCSI adapter.

Prerequisites

Required privilege: Host.Configuration.Storage Partition Configuration

Note If you boot from iSCSI using the software iSCSI adapter, the adapter is enabled and the network
configuration is created at the first boot. If you disable the adapter, it is reenabled each time you boot the host.

Procedure

1 In the vSphere Client, navigate to the ESXi host.

2 Click the Configure tab.

3 Enable or disable the adapter.

Option
    Description

Enable the software iSCSI adapter
    a Under Storage, click Storage Adapters, and click the Add icon.
    b Select Software iSCSI Adapter and confirm that you want to add the adapter.

    The software iSCSI adapter (vmhba#) is enabled and appears on the list of storage
    adapters. After enabling the adapter, the host assigns the default iSCSI name to it.
    You can now complete the adapter configuration.

Disable the software iSCSI adapter
    a Under Storage, click Storage Adapters, and select the adapter (vmhba#) to disable.
    b Click the Properties tab.
    c Click Disable and confirm that you want to disable the adapter.

      The status indicates that the adapter is disabled.
    d Reboot the host.

      After the reboot, the adapter no longer appears on the list of storage adapters. The
      storage devices associated with the adapter become inaccessible. You can later activate
      the adapter.

Modify General Properties for iSCSI or iSER Adapters


You can change the default name and alias that the ESXi host assigns to your iSCSI or iSER storage adapters. For
the independent hardware iSCSI adapters, you can also change the default IP settings.

Important When you modify any default properties for your adapters, make sure to use correct formats for their
names and IP addresses.

Prerequisites

Required privilege: Host.Configuration.Storage Partition Configuration

Procedure

1 In the vSphere Client, navigate to the ESXi host.

2 Click the Configure tab.

3 Under Storage, click Storage Adapters, and select the adapter (vmhba#) to configure.

4 Click the Properties tab, and click Edit in the General panel.

5 (Optional) Modify the following general properties.

Option
    Description

iSCSI Name
    Unique name formed according to iSCSI standards that identifies the iSCSI adapter. If you
    change the name, make sure that the name you enter is worldwide unique and properly formatted.
    Otherwise, certain storage devices might not recognize the iSCSI adapter.

iSCSI Alias
    A friendly name you use instead of the iSCSI name.

Results

If you change the iSCSI name, it is used for new iSCSI sessions. For existing sessions, the new settings are not used
until you log out and log in again.

What to do next

For other configuration steps you can perform for the iSCSI or iSER storage adapters, see the following topics:

 #unique_130

 #unique_131

 Configure the Software iSCSI Adapter

 #unique_132

Setting Up Network for iSCSI and iSER


Certain types of iSCSI adapters depend on the VMkernel networking. These adapters include the software or
dependent hardware iSCSI adapters, and the VMware iSCSI over RDMA (iSER) adapter. If your environment
includes any of these adapters, you must configure connections for the traffic between the iSCSI or iSER
component and the physical network adapters.

Configuring the network connection involves creating a virtual VMkernel adapter for each physical network adapter.
You use 1:1 mapping between each virtual and physical network adapter. You then associate the VMkernel adapter
with an appropriate iSCSI or iSER adapter. This process is called port binding.

Follow these rules when configuring the port binding:

 You can connect the software iSCSI adapter with any physical NICs available on your host.

 The dependent iSCSI adapters must be connected only to their own physical NICs.

 You must connect the iSER adapter only to the RDMA-capable network adapter.

For specific considerations on when and how to use network connections with software iSCSI, see the VMware
knowledge base article at http://kb.vmware.com/kb/2038869.

Multiple Network Adapters in iSCSI or iSER Configuration

If your host has more than one physical network adapter for iSCSI or iSER, you can use the adapters for
multipathing.

You can use multiple physical adapters in a single or multiple switch configurations.

In the multiple switch configuration, you designate a separate vSphere switch for each virtual-to-physical adapter
pair.

Figure 2-5. 1:1 Adapter Mapping on Separate vSphere Standard Switches

An alternative is to add all NICs and VMkernel adapters to the single vSphere switch. The number of VMkernel
adapters must correspond to the number of physical adapters on the vSphere Standard switch. The single switch
configuration is not appropriate for iSER because iSER does not support NIC teaming.

Figure 2-6. 1:1 Adapter Mapping on a Single vSphere Standard Switch

For that type of configuration, you must override the default network setup and make sure that each VMkernel
adapter maps to only one corresponding active physical adapter, as the table indicates.

VMkernel Adapter (vmk#)    Physical Network Adapter (vmnic#)

vmk1 (iSCSI1)              Active Adapters: vmnic1
                           Unused Adapters: vmnic2

vmk2 (iSCSI2)              Active Adapters: vmnic2
                           Unused Adapters: vmnic1

You can also use distributed switches. For more information about vSphere distributed switches and how to change
the default network policy, see the vSphere Networking documentation.

The following considerations apply when you use multiple physical adapters:

 Physical network adapters must be on the same subnet as the storage system they connect to.

 (Applies only to iSCSI and not to iSER) If you use separate vSphere switches, you must connect them to
different IP subnets. Otherwise, VMkernel adapters might experience connectivity problems and the host fails
to discover the LUNs.

 The single switch configuration is not appropriate for iSER because iSER does not support NIC teaming.

Do not use port binding when any of the following conditions exist:

 Array target iSCSI ports are in a different broadcast domain and IP subnet.

 VMkernel adapters used for iSCSI connectivity exist in different broadcast domains, IP subnets, or
use different virtual switches.

Note In iSER configurations, the VMkernel adapters used for iSER connectivity cannot be used for
converged traffic. The VMkernel adapters that you created to enable connectivity between the ESXi host
with iSER and the iSER target must be used only for iSER traffic.
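
The teaming and subnet rules above can be checked against a planned layout before any adapter is bound. The following Python audit is an added example, not VMware code: the Vmk record, the rule names and the sample addresses are constructed for illustration, and it compares IP subnets only, not broadcast domains.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface


@dataclass
class Vmk:
    """One planned VMkernel adapter (constructed model, not a vSphere API object)."""
    name: str                                     # e.g. "vmk1"
    vswitch: str                                  # switch that carries the adapter
    cidr: str                                     # address/prefix, e.g. "10.10.1.11/24"
    active: list                                  # uplinks listed under Active Adapters
    standby: list = field(default_factory=list)   # uplinks left as standby instead of unused
    kind: str = "iscsi"                           # "iscsi" or "iser"


def audit_port_binding(vmks, target_ips):
    """Return sorted (rule, subject) findings for a planned port-binding layout."""
    findings = set()

    # Each bound VMkernel adapter maps to exactly one active physical adapter;
    # the table lists every other uplink as unused, so standby entries are flagged.
    uplink_owners = defaultdict(list)
    for vmk in vmks:
        if len(vmk.active) != 1:
            findings.add(("one-active-uplink", vmk.name))
        if vmk.standby:
            findings.add(("no-standby-uplink", vmk.name))
        for nic in vmk.active:
            uplink_owners[nic].append(vmk.name)

    # 1:1 mapping: a physical adapter may be the active uplink of only one vmk.
    for nic, owners in uplink_owners.items():
        if len(owners) > 1:
            findings.add(("uplink-shared", nic))

    # iSER does not support NIC teaming, so iSER vmks must not share a switch.
    iser_per_switch = defaultdict(list)
    for vmk in vmks:
        if vmk.kind == "iser":
            iser_per_switch[vmk.vswitch].append(vmk.name)
    for vswitch, names in iser_per_switch.items():
        if len(names) > 1:
            findings.add(("iser-single-switch", vswitch))

    # Port binding is ruled out when bound vmks sit in different IP subnets
    # or when a target port lies outside the subnet of the bound vmks.
    networks = {ip_interface(vmk.cidr).network for vmk in vmks}
    if len(networks) > 1:
        findings.add(("vmk-subnets-differ", ",".join(sorted(v.name for v in vmks))))
    for target in target_ips:
        addr = ip_address(target)
        if not any(addr.version == net.version and addr in net for net in networks):
            findings.add(("target-outside-subnet", target))

    return sorted(findings)


# Constructed sample: the single-switch layout from the table, overridden correctly.
GOOD = [
    Vmk("vmk1", "vSwitch1", "10.10.1.11/24", active=["vmnic1"]),
    Vmk("vmk2", "vSwitch1", "10.10.1.12/24", active=["vmnic2"]),
]
# Constructed sample: default teaming left in place and vmks in two subnets.
BAD = [
    Vmk("vmk1", "vSwitch1", "10.10.1.11/24", active=["vmnic1", "vmnic2"]),
    Vmk("vmk2", "vSwitch1", "10.10.2.12/24", active=["vmnic2"], standby=["vmnic1"]),
]
TARGETS = ["10.10.1.50", "10.10.1.51"]  # constructed array target ports

if __name__ == "__main__":
    print("good:", audit_port_binding(GOOD, TARGETS) or "compliant")
    for rule, subject in audit_port_binding(BAD, TARGETS + ["192.168.50.5"]):
        print("bad: ", rule, subject)
```

An empty result means the layout satisfies the checks modelled here; it does not replace the Teaming and failover verification in the vSphere Client.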

Configure Port Binding for iSCSI or iSER


The port binding creates connections for the traffic between certain types of iSCSI and iSER adapters and the
physical network adapters.

The following types of adapters require the port binding:

 Software iSCSI adapter

 Dependent hardware iSCSI adapter

 VMware iSCSI over RDMA (iSER) adapter

The following tasks discuss the network configuration with a vSphere Standard switch and a single physical network
adapter. If you have multiple network adapters, see Multiple Network Adapters in iSCSI or iSER Configuration.

Note iSER does not support NIC teaming. When configuring port binding for iSER, use only one RDMA-
enabled physical adapter (vmnic#) and one VMkernel adapter (vmk#) per vSwitch.

You can also use the VMware vSphere Distributed Switch and VMware NSX Virtual Switch in the port binding
configuration. For information about NSX virtual switches, see the VMware NSX Data Center for vSphere
documentation.

If you use a vSphere distributed switch with multiple uplink ports, for port binding, create a separate distributed port
group for each physical NIC. Then set the team policy so that each distributed port group has only one active uplink
port. For detailed information on distributed switches, see the vSphere Networking documentation.

Create a Single VMkernel Adapter for iSCSI or iSER

Connect the VMkernel, which runs services for iSCSI storage, to a physical network adapter on your ESXi host.
You then use the created VMkernel adapter in the port binding configuration with the iSCSI or iSER adapters.

Prerequisites

 If you are creating a VMkernel adapter for dependent hardware iSCSI, you must use the physical
network adapter (vmnic#) that corresponds to the iSCSI component. See #unique_136.

 With the iSER adapter, make sure to use an appropriate RDMA-capable vmnic#. See #unique_137.

Procedure

1 In the vSphere Client, navigate to the ESXi host.

2 Select Add Networking from the right-click menu.

3 Select VMkernel Network Adapter, and click Next.

4 Select New standard switch to create a vSphere Standard switch.

5 Click the Add adapters icon, and select an appropriate network adapter (vmnic#) to use for iSCSI.

Make sure to assign the adapter to Active Adapters.

6 Enter a network label.

A network label is a friendly name that identifies the VMkernel adapter that you are creating, for example,
iSCSI or iSER.

7 Specify the IP settings.

8 Review the information and click Finish.

You created the virtual VMkernel adapter (vmk#) for a physical network adapter (vmnic#) on your host.

9 Verify your configuration.

a Under Networking, select VMkernel Adapters, and select the VMkernel adapter (vmk#) from the list.

b Click the Policies tab, and verify that the corresponding physical network adapter (vmnic#) appears as an
active adapter under Teaming and failover.

What to do next

If your host has one physical network adapter for iSCSI traffic, bind the VMkernel adapter that you created to the
iSCSI or iSER vmhba adapter.

If you have multiple network adapters, you can create additional VMkernel adapters and then perform iSCSI
binding. The number of virtual adapters must correspond to the number of physical adapters on the host. For
information, see Multiple Network Adapters in iSCSI or iSER Configuration.

Bind iSCSI or iSER Adapters to VMkernel Adapters


On the ESXi host, bind an iSCSI or iSER adapter with a VMkernel adapter.

Prerequisites

Create a virtual VMkernel adapter for each physical network adapter on your host. If you use multiple VMkernel
adapters, set up the correct network policy.

Required privilege: Host.Configuration.Storage Partition Configuration

Procedure

1 In the vSphere Client, navigate to the ESXi host.

2 Click the Configure tab.

3 Under Storage, click Storage Adapters, and select the appropriate iSCSI or iSER adapter (vmhba#)
from the list.

4 Click the Network Port Binding tab and click the Add icon.

5 Select a VMkernel adapter to bind with the iSCSI or iSER adapter.

Note Make sure that the network policy for the VMkernel adapter is compliant with the binding
requirements.

You can bind the software iSCSI adapter to one or more VMkernel adapters. For a dependent hardware iSCSI
adapter or the iSER adapter, only one VMkernel adapter associated with the correct physical NIC is available.

6 Click OK.

The network connection appears on the list of network port bindings for the iSCSI or iSER adapter.

Configure Dynamic or Static Discovery for iSCSI and iSER on ESXi Host

You need to set up target discovery addresses so that the iSCSI or iSER storage adapter can determine which storage
resource on the network is available for access.

The ESXi system supports these discovery methods:

Dynamic Discovery

Also known as SendTargets discovery. Each time the initiator contacts a specified iSCSI server, the initiator
sends the SendTargets request to the server. The server responds by supplying a list of available targets to the
initiator. The names and IP addresses of these targets appear on the Static Discovery tab. If you remove a static
target added by dynamic discovery, the target might be returned to the list the next time a rescan happens, the
storage adapter is reset, or the host is rebooted.

Note With software and dependent hardware iSCSI, ESXi filters target addresses based on the IP family of the
iSCSI server address specified. If the address is IPv4, IPv6 addresses that might come in the SendTargets
response from the iSCSI server are filtered out. When DNS names are used to specify an iSCSI server, or when
the SendTargets response from the iSCSI server has DNS names, ESXi relies on the IP family of the first
resolved entry from DNS lookup.

Static Discovery

In addition to the dynamic discovery method, you can use static discovery and manually enter information for
the targets. The iSCSI or iSER adapter uses a list of targets that you provide to contact and communicate with
the iSCSI servers.

When you set up static or dynamic discovery, you can only add new iSCSI targets. You cannot change any
parameters of an existing target. To make changes, remove the existing target and add a new one.

Prerequisites

Required privilege: Host.Configuration.Storage Partition Configuration

Procedure

1 In the vSphere Client, navigate to the ESXi host.

2 Click the Configure tab.

3 Under Storage, click Storage Adapters, and select the adapter (vmhba#) to configure.

4 Configure the discovery method.

Discovery Method
    Description

Dynamic Discovery
    a Click Dynamic Discovery and click Add.
    b Enter the IP address or DNS name of the storage system and click OK.
    c Rescan the iSCSI adapter.

    After establishing the SendTargets session with the iSCSI system, your host populates the
    Static Discovery list with all newly discovered targets.

    Note A dynamically discovered target remains on the list even after it is removed from the
    array side.

Static Discovery
    a Click Static Discovery and click Add.
    b Enter the target’s information and click OK.
    c Rescan the iSCSI adapter.

What to do next

For other configuration steps you can perform for the iSCSI or iSER storage adapters, see the following topics:

 #unique_130

 #unique_131

 Configure the Software iSCSI Adapter

 #unique_132

Create an NFS Datastore


You can use the New Datastore wizard to mount an NFS volume.

Prerequisites

 Set up NFS storage environment.

 If you plan to use Kerberos authentication with the NFS 4.1 datastore, make sure to configure the ESXi hosts
for Kerberos authentication.

Procedure

1 In the vSphere Client object navigator, browse to a host, a cluster, or a data center.

2 From the right-click menu, select Storage > New Datastore.

3 Select NFS as the datastore type and specify an NFS version.

 NFS 3

 NFS 4.1

Important If multiple hosts access the same datastore, you must use the same protocol on all hosts.

4 Enter the datastore parameters.

Option
    Description

Datastore name
    The system enforces a 42 character limit for the datastore name.

Folder
    The mount point folder name.

Server
    The server name or IP address. You can use IPv6 or IPv4 formats. With NFS 4.1,
    you can add multiple IP addresses or server names if the NFS server supports trunking.
    The ESXi host uses these values to achieve multipathing to the NFS server mount point.

5 Select Mount NFS read only if the volume is exported as read-only by the NFS server.

6 To use Kerberos security with NFS 4.1, enable Kerberos and select an appropriate Kerberos model.

Option
    Description

Use Kerberos for authentication only (krb5)
    Supports identity verification.

Use Kerberos for authentication and data integrity (krb5i)
    In addition to identity verification, provides data integrity services. These services
    help to protect the NFS traffic from tampering by checking data packets for any
    potential modifications.

If you do not enable Kerberos, the datastore uses the default AUTH_SYS security.

7 If you are creating a datastore at the data center or cluster level, select hosts that mount the datastore.

8 Review the configuration options and click Finish.

Create a VMFS Datastore

VMFS datastores serve as repositories for virtual machines. You can set up VMFS datastores on any SCSI-based
storage devices that the host discovers, including Fibre Channel, iSCSI, and local storage devices.

Prerequisites

1 Install and configure any adapters that your storage requires.

2 To discover newly added storage devices, perform a rescan. See #unique_141.

3 Verify that storage devices you are planning to use for your datastores are available. See #unique_142.

Procedure

1 In the vSphere Client object navigator, browse to a host, a cluster, or a data center.

2 From the right-click menu, select Storage > New Datastore.

3 Select VMFS as the datastore type.

4 Enter the datastore name and if necessary, select the placement location for the datastore.

The system enforces a 42 character limit for the datastore name.

5 Select the device to use for your datastore.

Important The device you select must not have any values displayed in the Snapshot Volume column. If a
value is present, the device contains a copy of an existing VMFS datastore. For information on managing
datastore copies, see #unique_143.

6 Specify the datastore version.

Option
    Description

VMFS6
    Default format on all hosts that support VMFS6. The ESXi hosts of version 6.0 or earlier
    cannot recognize the VMFS6 datastore.

VMFS5
    VMFS5 datastore supports access by the ESXi hosts of version 6.7 or earlier.

7 Define configuration details for the datastore.

Note The required minimum size for a VMFS6 datastore is 2 GB.

a Specify partition configuration.

Option
    Description

Use all available partitions
    Dedicates the entire disk to a single VMFS datastore. If you select this option, all file
    systems and data currently stored on this device are destroyed.

Use free space
    Deploys a VMFS datastore in the remaining free space of the disk.

b If the space allocated for the datastore is excessive for your purposes, adjust the capacity values in the
Datastore Size field.

By default, the entire free space on the storage device is allocated.

c For VMFS6, specify the block size and define space reclamation parameters. See #unique_144.

8 In the Ready to Complete page, review the datastore configuration information and click
Finish.

Results

The datastore on the SCSI-based storage device is created. It is available to all hosts that have access to the device.

What to do next

After you create the VMFS datastore, you can perform the following tasks:

 Change the capacity of the datastore. See #unique_145.

 Edit space reclamation settings. See #unique_146.

 Enable shared vmdk support. See #unique_147.

Enable Storage I/O Control


When you enable Storage I/O Control, ESXi monitors datastore latency and throttles the I/O load if the datastore
average latency exceeds the threshold.

Procedure

1 Browse to the datastore in the vSphere Client.

2 Click the Configure tab.

3 Click Settings and click General.

4 Click Edit for Datastore Capabilities.

5 Select the Enable Storage I/O Control check box.

6 Click OK.

Results

Under Datastore Capabilities, Storage I/O Control is enabled for the datastore.

High Availability Deployment and Configuration

This section describes how to deploy the vSphere high availability configuration.

Creating a vSphere HA Cluster


vSphere HA operates in the context of a cluster of ESXi (or legacy ESX) hosts. You must create a cluster,
populate it with hosts, and configure vSphere HA settings before failover protection can be established.

When you create a vSphere HA cluster, you must configure a number of settings that determine how the feature
works. Before you do this, identify your cluster's nodes. These nodes are the ESXi hosts that will provide the
resources to support virtual machines and that vSphere HA will use
for failover protection. You should then determine how those nodes are to be connected to one another and to the
shared storage where your virtual machine data resides. After that networking architecture is in place, you can add the
hosts to the cluster and finish configuring vSphere HA.

You can activate and configure vSphere HA before you add host nodes to the cluster. However, until the hosts are
added, your cluster is not fully operational and some of the cluster settings are unavailable. For example, the Specify a
Failover Host admission control policy is unavailable until there is a host that can be designated as the failover host.

Note The Virtual Machine Startup and Shutdown (automatic startup) feature is deactivated for all virtual
machines residing on hosts that are in (or moved into) a vSphere HA cluster. Automatic startup is not supported
when used with vSphere HA.

Create a vSphere HA Cluster in the vSphere Client

To enable your cluster for vSphere HA, you must first create an empty cluster. After you plan the resources and
networking architecture of your cluster, use the vSphere Client to add hosts to the cluster and specify the cluster's
vSphere HA settings.

A vSphere HA-enabled cluster is a prerequisite for vSphere Fault Tolerance.

Prerequisites

 Verify that all virtual machines and their configuration files reside on shared storage.

 Verify that the hosts are configured to access the shared storage so that you can power on the virtual machines
by using different hosts in the cluster.

 Verify that hosts are configured to have access to the virtual machine network.

 Verify that you are using redundant management network connections for vSphere HA. For information
about setting up network redundancy, see #unique_152.

 Verify that you have configured hosts with at least two datastores to provide redundancy for vSphere HA
datastore heartbeating.

 Connect vSphere Client to vCenter Server by using an account with cluster administrator permissions.

Procedure

1 In the vSphere Client, browse to the data center where you want the cluster to reside and click
New Cluster.

2 Complete the New Cluster wizard.

Do not turn on vSphere HA (or DRS).

3 Click OK to close the wizard and create an empty cluster.

4 Based on your plan for the resources and networking architecture of the cluster, use the vSphere Client
to add hosts to the cluster.

5 Browse to the cluster and enable vSphere HA.

a Click the Configure tab.

b Select vSphere Availability and click Edit.

c Select vSphere HA.

6 Under Failures and Responses select Enable Host Monitoring.

With Host Monitoring enabled, hosts in the cluster can exchange network heartbeats and vSphere HA can take
action when it detects failures. Host Monitoring is required for the vSphere Fault Tolerance recovery process to
work properly.

7 Select a setting for VM Monitoring.

Select VM Monitoring Only to restart individual virtual machines if their heartbeats are not received within a set
time. You can also select VM and Application Monitoring to enable application monitoring.

8 Click OK.

Results

You have a vSphere HA cluster, populated with hosts.

What to do next

Configure the appropriate vSphere HA settings for your cluster.

 Failures and responses

 Admission Control

 Heartbeat Datastores

 Advanced Options

See #unique_153.

Dynamic Resource Scheduling Deployment and Configuration


This section describes how to deploy the vSphere dynamic resourcing configuration.

Host Configuration for vSphere vMotion


Before using vSphere vMotion, you must configure your hosts correctly.

Ensure that you have correctly configured your hosts.

 Each host must be correctly licensed for vSphere vMotion.

 Each host must meet shared storage requirements for vSphere vMotion.

 Each host must meet the networking requirements for vSphere vMotion.

vSphere vMotion Across Long Distances

You can perform reliable migrations between hosts and sites that are separated by high network round-trip latency
times. vSphere vMotion across long distances is enabled when the appropriate license is installed. No user
configuration is necessary.

For long-distance migration, verify the network latency between the hosts and your license.

 The round-trip time between the hosts must be up to 150 milliseconds.

 Your license must cover vSphere vMotion across long distances.

 You must place the traffic related to transfer of virtual machine files to the destination host on the
provisioning TCP/IP stack. See #unique_156.

vMotion Shared Storage Requirements

Configure hosts for vMotion with shared storage to ensure that virtual machines are accessible to both source and
target hosts.

During a migration with vMotion, the migrating virtual machine must be on storage accessible to both the
source and target hosts. Ensure that the hosts configured for vMotion use shared storage. Shared storage can be
on a Fibre Channel storage area network (SAN), or can be implemented using iSCSI and NAS.

If you use vMotion to migrate virtual machines with raw device mapping (RDM) files, make sure to maintain
consistent LUN IDs for RDMs across all participating hosts.

See the vSphere Storage documentation for information on SANs and RDMs.

vSphere vMotion Networking Requirements

Migration with vMotion requires correctly configured network interfaces on source and target hosts.

Configure each host with at least one network interface for vMotion traffic. To ensure secure data transfer, the
vMotion network must be a secure network, accessible only to trusted parties. Additional bandwidth significantly
improves vMotion performance. When you migrate a virtual machine with vMotion without using shared storage,
the contents of the virtual disk are transferred over the network as well.

vSphere 6.5 and later allow the network traffic with vMotion to be encrypted. Encrypted vMotion depends on host
configuration, or on compatibility between the source and destination hosts.

Requirements for Concurrent vMotion Migrations

You must ensure that the vMotion network has at least 250 Mbps of dedicated bandwidth per concurrent vMotion
session. Greater bandwidth lets migrations complete more quickly. Gains in throughput resulting from WAN
optimization techniques do not count towards the 250-Mbps limit.

To determine the maximum number of concurrent vMotion operations possible, see #unique_159. These limits vary
with a host's link speed to the vMotion network.

Round-Trip Time for Long-Distance vMotion Migration

If you have the proper license applied to your environment, you can perform reliable migrations between hosts that
are separated by high network round-trip latency times. The maximum supported network round-trip time for
vMotion migrations is 150 milliseconds. This round-trip time lets you migrate virtual machines to another
geographical location at a longer distance.

Multiple-NIC vMotion

You can configure multiple NICs for vMotion by adding two or more NICs to the required standard or distributed
switch. For details, see Knowledge Base article KB 2007467.

Network Configuration

Configure the virtual networks on vMotion enabled hosts as follows:

 On each host, configure a VMkernel port group for vMotion.

To have the vMotion traffic routed across IP subnets, enable the vMotion TCP/IP stack on the host. See
#unique_160.

 If you are using standard switches for networking, ensure that the network labels used for the virtual machine
port groups are consistent across hosts. During a migration with vMotion, vCenter Server assigns virtual
machines to port groups based on matching network labels.

Note By default, you cannot use vMotion to migrate a virtual machine that is attached to a standard
switch with no physical uplinks configured, even if the destination host also has a no-uplink standard
switch with the same label.

To override the default behavior, set the config.migrate.test.CompatibleNetworks.VMOnVirtualIntranet advanced
setting of vCenter Server to false. The change takes effect immediately. For details about the setting, see Knowledge
Base article KB 1003832. For information about configuring advanced settings of vCenter Server, see vCenter
Server Configuration.

For information about configuring the vMotion network resources, see #unique_161.

For more information about vMotion networking requirements, see Knowledge Base article KB 59232.

Using DRS Clusters to Manage Resources


After you create a DRS cluster, you can customize it and use it to manage resources.

To customize your DRS cluster and the resources it contains, you can configure affinity rules and add and
remove hosts and virtual machines. When a cluster’s settings and resources have been defined, you should ensure that
it is and remains a valid cluster. You can also use a valid DRS cluster to manage power resources and interoperate
with vSphere HA.

Note In this chapter, "Memory" can refer to physical RAM or Persistent Memory.

Creating a DRS Cluster

A cluster is a collection of ESXi hosts and associated virtual machines with shared resources
and a shared management interface. Before you can obtain the benefits of cluster-level resource management you
must create a cluster and activate DRS.

Depending on whether or not Enhanced vMotion Compatibility (EVC) is activated, DRS behaves differently when
you use vSphere Fault Tolerance (vSphere FT) virtual machines in your cluster.

Table 2-14. DRS Behavior with vSphere FT Virtual Machines and EVC

| EVC | DRS (Load Balancing) | DRS (Initial Placement) |
|---|---|---|
| Enabled | Enabled (Primary and Secondary VMs) | Enabled (Primary and Secondary VMs) |
| Disabled | Disabled (Primary and Secondary VMs) | Disabled (Primary VMs); Fully Automated (Secondary VMs) |

Edit Cluster Settings


When you add a host to a DRS cluster, the host’s resources become part of the cluster’s resources. In addition to this
aggregation of resources, with a DRS cluster you can support cluster-wide resource pools and enforce cluster-level
resource allocation policies.

The following cluster-level resource management capabilities are also available.

Load Balancing

The distribution and usage of CPU and memory resources for all hosts and virtual machines in the cluster are
continuously monitored. DRS compares these metrics to an ideal resource usage given the attributes of the
cluster’s resource pools and virtual machines, the current demand, and the imbalance target. DRS then
provides recommendations or performs virtual machine migrations accordingly. See #unique_166. When you
power on a virtual machine in the cluster, DRS attempts to maintain proper load balancing by either placing
the virtual machine on an appropriate host or making a recommendation. See #unique_167.

Power management

When the vSphere Distributed Power Management (DPM) feature is enabled, DRS compares cluster and
host-level capacity to the demands of the cluster’s virtual machines, including recent historical demand. DRS then
recommends that you place hosts in standby, or places hosts in standby power mode, when sufficient excess
capacity is found. DRS powers on hosts if capacity is needed. Depending on the resulting host power state
recommendations, virtual machines might need to be migrated to and from the hosts as well. See
#unique_168.

Affinity Rules

You can control the placement of virtual machines on hosts within a cluster by assigning affinity rules. See
#unique_169.

Prerequisites

You can create a cluster without a special license, but you must have a license to enable a cluster for vSphere DRS
or vSphere HA.

Note vSphere DRS is a critical feature of vSphere that is required to maintain the health of the workloads
running inside a vSphere cluster. Starting with vSphere 7.0 Update 1, DRS depends on the availability of vCLS VMs.
See #unique_165 for more information.

Procedure

1 Browse to a cluster in the vSphere Client.

2 Click the Configure tab and click Services.

3 Under vSphere DRS click Edit.

4 Under DRS Automation, select a default automation level for DRS.

| Automation Level | Action |
|---|---|
| Manual | Initial placement: Recommended host is displayed. Migration: Recommendation is displayed. |
| Partially Automated | Initial placement: Automatic. Migration: Recommendation is displayed. |
| Fully Automated | Initial placement: Automatic. Migration: Recommendation is run automatically. |

5 Set the Migration Threshold for DRS.

6 Select the Predictive DRS check box. In addition to real-time metrics, DRS responds to forecasted
metrics provided by vRealize Operations server. You must also configure Predictive DRS in a
version of vRealize Operations that supports this feature.

7 Select the Virtual Machine Automation check box to enable individual virtual machine automation levels.

Overrides for individual virtual machines can be set from the VM Overrides page.

8 Under Additional Options, select a check box to enforce one of the default policies.

| Option | Description |
|---|---|
| VM Distribution | For availability, distribute a more even number of virtual machines across hosts. This is secondary to DRS load balancing. |
| Memory Metric for Load Balancing | Load balance based on consumed memory of virtual machines rather than active memory. This setting is only recommended for clusters where host memory is not over-committed. Note: This setting is no longer supported and will not be displayed in vCenter 7.0. |
| CPU Over-Commitment | Control CPU over-commitment in the cluster. |
| Scalable Shares | Enable scalable shares for the resource pools on this cluster. |

9 Under Power Management, select Automation Level.

10 If DPM is enabled, set the DPM Threshold.

11 Click OK.

What to do next

Note Under the Cluster Summary page, you can see Cluster Services, which displays the vSphere Cluster Services
health status.

You can view memory utilization for DRS in the vSphere Client. To find out more, see Viewing Distributed
Resource Scheduler Memory Utilization.

vSphere+ Deployment and Activation


This section describes how to deploy and activate vSphere+.

Install vCenter Cloud Gateway Appliance Using the GUI


Download and install vCenter Cloud Gateway Appliance to access solutions available from VMware Cloud.

Procedure

1 Log in to https://customerconnect.vmware.com/downloads/details?downloadGroup=MCGW&productId=1307&rPId=88960
and download the ISO image for vCenter Cloud Gateway Appliance.

2 In the installer ISO image, browse to the ui-installer/operating_system folder, and run the
installer.

• For Windows OS, go to the win32 subdirectory and run the installer.exe file.

• For Linux OS, go to the lin64 subdirectory, and run the installer file.

• For Mac OS, go to the mac subdirectory and run the Installer.app file.

3 Click Get Started.

4 Accept the End User License agreement and click Next.

5 Specify the deployment parameters and click Next.

Option: You can connect to a vCenter Server instance and browse the inventory to select the cluster on which to
install vCenter Cloud Gateway Appliance.

Steps:

   1 Enter the FQDN or IP address of the vCenter Server instance.
   2 Enter the HTTPS port of the vCenter Server instance.
   3 Enter the user name and password of a user with vCenter Single Sign-On administrative privileges on the
     vCenter Server instance, for example, the administrator@your_domain_name user.
   4 Click Next.
   5 Verify that the certificate warning displays the SHA1 thumbprint of the SSL certificate that is installed
     on the target vCenter Server instance, and click Yes to accept the certificate thumbprint.
   6 Select the default VM Folder in the data center where the cluster resides and click Next.
   7 Select the cluster where the vCenter Server you plan to subscribe to vSphere+ is deployed, and
     click Next.

6 Set up the target appliance VM and click Next.

| Option | Description |
|---|---|
| VM name | Enter a name for the vCenter Cloud Gateway Appliance VM. The appliance name must not contain a percent sign (%), backslash (\), or forward slash (/) and must not be more than 80 characters in length. |
| Set root password | Set a root password for the vCenter Cloud Gateway Appliance VM. The password must contain only lower ASCII characters without spaces, at least eight characters, a number, uppercase and lowercase letters, and a special character. A few examples of special characters are an exclamation mark (!), hash key (#), at sign (@), or brackets (). |
| Confirm root password | Confirm the password you set above. |

7 Select the datastore location for vCenter Cloud Gateway Appliance and click Next.

a Select the datastore where you want to place the vCenter Cloud Gateway Appliance VM.

b Select Enable Thin Disk Mode to conserve disk space by installing vCenter Cloud Gateway Appliance
using a thin disk.

8 Configure the network settings for vCenter Cloud Gateway Appliance and click Next.

| Parameter | Description |
|---|---|
| Network | Select the network. The networks displayed in the drop-down menu depend on the network settings of the target server. If you are installing vCenter Cloud Gateway Appliance directly on an ESXi host, non-ephemeral distributed virtual port groups are not supported and are not displayed in the drop-down menu. |
| IP version | Select the IP address version. You can select either IPv4 or IPv6. |
| IP assignment | Select how to allocate the IP address. static: The wizard prompts you to enter the IP address and network settings. Note: Avoid using an IP address as a system name. If you use an IP address as a system name, you cannot change the IP address and update the DNS settings after the installation. DHCP: A DHCP server is used to allocate the IP address. Select this option only if a DHCP server is available in your environment. |
| FQDN | If you have an enabled DDNS in your environment, you can enter a fully qualified domain name (FQDN) for vCenter Cloud Gateway Appliance. If you enter an FQDN that already exists, the installer warns you that this will cause an error in the installation unless you isolate the network that vCenter Cloud Gateway Appliance is on. For example, you can install vCenter Cloud Gateway Appliance on a different port group from the existing FQDN. Note: Ensure that you add the FQDN in your DNS server before you start the installation. |
| IP address | If you selected a static IP address, enter the IP address for vCenter Cloud Gateway Appliance. If you enter an IP address that already exists, the installer warns you that this will cause an error in the installation unless you isolate the network that vCenter Cloud Gateway Appliance is on. For example, you can install vCenter Cloud Gateway Appliance on a different port group from the existing IP address. |
| Subnet mask or prefix length | Enter the subnet mask or prefix length for the IP address. |
| Default Gateway | Enter the default gateway that vCenter Cloud Gateway Appliance should use. |
| DNS Servers | Enter the addresses of the DNS servers used by vCenter Cloud Gateway Appliance. |

9 Configure vCenter Cloud Gateway Appliance settings and click Next.

• Select Synchronize Time with NTP servers and enter the address of one or more NTP servers in the
text box to use NTP servers for time synchronization.

Note Ensure that you enter the correct address for the NTP servers. Otherwise, the installation may not
complete successfully.

• Select Synchronize Time with ESXi host to synchronize time with the host where you are installing
vCenter Cloud Gateway Appliance.

10 Click Finish to install vCenter Cloud Gateway Appliance.
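
The thumbprint check in step 5 is only meaningful when the displayed value is compared against a reference obtained independently of the installer. The following is an added example, not part of the VMware guide: it computes the SHA-1 thumbprint of a certificate and compares it with the string shown in the certificate warning. The function names and the separator handling are assumptions.

```python
import hashlib
import hmac
import re
import ssl


def sha1_thumbprint(der_bytes: bytes) -> str:
    """SHA-1 over the DER-encoded certificate, as colon-separated upper-case hex."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_thumbprint(text: str) -> str:
    """Strip separators and reject anything that is not exactly 20 hex bytes."""
    cleaned = re.sub(r"[\s:\-]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("a SHA-1 thumbprint is 20 bytes (40 hex digits)")
    return cleaned


def thumbprints_match(displayed: str, reference: str) -> bool:
    """Compare the installer's value with the reference value, ignoring formatting."""
    return hmac.compare_digest(normalize_thumbprint(displayed),
                               normalize_thumbprint(reference))


def fetch_thumbprint(host: str, port: int = 443) -> str:
    """Read the certificate a server presents and return its thumbprint.

    The certificate is fetched without validation, so this shows only what
    the network path delivers. Take the reference value from a trusted
    source, such as the certificate file exported on the vCenter Server itself.
    """
    pem = ssl.get_server_certificate((host, port))
    return sha1_thumbprint(ssl.PEM_cert_to_DER_cert(pem))


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate.
    reference = sha1_thumbprint(b"abc")
    displayed = "a9 99 3e 36 47 06 81 6a ba 3e 25 71 78 50 c2 6c 9c d0 d8 9d"
    print(reference, thumbprints_match(displayed, reference))
```
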

Results

vCenter Cloud Gateway Appliance is installed in your on-premises environment. A progress bar shows the progress
of the installation.

What to do next

To configure services, open the vCenter Cloud Gateway Appliance UI at https://gw-address:5480/gw-platform/
where gw-address is the IP address or FQDN of vCenter Cloud Gateway Appliance.

Connect vCenter Cloud Gateway to VMware Cloud


Connect vCenter Cloud Gateway to a VMware Cloud Organization to enable communication between vCenter
Cloud Gateway and VMware Cloud.

Prerequisites

• You must be the owner of the Organization that you register with vCenter Cloud Gateway.

• Ensure that your web browser is not blocking popups.

Procedure

1 In a web browser, go to https://gw-address:5480/gw-platform where gw-address is the IP
address or FQDN of vCenter Cloud Gateway.

2 On the VMware Cloud card, click Get Started.

3 On the Connect vCenter Cloud Gateway card, click Connect and log in with your vCenter Cloud
Gateway credentials.

4 Click Launch VMware Cloud Services and log in with your VMware Cloud credentials.

5 Select the Organization you want to connect and click Confirm Connection.

Note You cannot change the Organization after the registration is complete. Ensure that you select the correct
Organization.

6 Enter the code displayed in the vCenter Cloud Gateway interface and click Submit.

Connect Your vCenter Server to vCenter Cloud Gateway


Connect your vCenter Server to vCenter Cloud Gateway to monitor your vSphere infrastructure from vSphere+.

When you connect your vCenter Server to vCenter Cloud Gateway, it establishes a connection between your vCenter
Server and vSphere+.

Procedure

1 In a web browser, go to https://gw-address:5480/gw-platform/ where gw-address is the IP
address or FQDN of vCenter Cloud Gateway.

2 On the VMware Cloud card, click Launch.

3 On the Connect vCenter Servers card, click Connect.

vCenter Cloud Gateway uses the credentials only for authentication purposes and does not store the
information.

4 Click Add vCenter Servers and enter your vCenter Server details.

5 (Optional) If you want to add multiple vCenter Servers, click Add vCenter Servers again and enter your
vCenter Server details.

Note You can connect up to 4 vCenter Server instances on each vCenter Cloud Gateway instance.

6 Click Next.

7 Select the check box to accept your vCenter Server sending data to VMware Cloud.

8 Click Connect N vCenter Server where N is the number of vCenter Servers that you want to connect.

Subscribe vCenter Server to vSphere+

To unlock all the capabilities of vSphere+, subscribe your vCenter Server to vSphere+.

When you subscribe your vCenter Server to vSphere+:

• The vCenter Server and the connected hosts get enabled for subscription.

• All hosts connected to this vCenter Server are billed to vSphere+.

• Your vCenter Server can only be used with vSphere+. If you want to manage hosts licensed with license
keys, you cannot reuse this vCenter Server. You must deploy a new vCenter Server.

• You can configure and manage vSphere with Tanzu by using Tanzu Standard Runtime Edition included in
your vSphere+ subscription. See vSphere with Tanzu Configuration and Management. For more
information about Tanzu Standard Edition, see VMware Tanzu Documentation.

Prerequisites

Ensure that your vSphere environment meets all the requirements. See System Requirements for vSphere+.

Procedure

1 Log in to the VMware Cloud console at https://vmc.vmware.com.

2 Click Inventory.

3 Subscribe your vCenter Server by using either of the following methods:

• Click Subscribe in the notification.

• Click the individual vCenter Server in the List View, and then click Subscribe.

4 Select the eligible vCenter Server instances, and click Subscribe.

Integrations Deployment and Configuration


The following section contains the integrations applicable to the product configuration.

vSphere Integrations Deployment and Configuration


There are currently no integrations with vSphere because it is a provider that other solution elements are built upon.

Any integrations applicable to these solutions will be included with the appropriate technology being deployed and
configured.

References

The following section lists the documentation resources which were used for this document.

This chapter includes the following topics:

• vSphere References

vSphere References
See the VMware vSphere 8.0 Documentation (https://docs.vmware.com/en/VMware-vSphere/index.html) for product
documentation on vSphere components.

The following section lists the documentation resources which were used for this document.

• What’s New Features description and Release Notes

• Compatibility and Configuration Limits

• Configuration Maximums for VMware vSphere

• VMware Product Interoperability Matrix

• VMware Compatibility Guide

• ESXi and vCenter Server Product Documentation

• VMware ESXi Installation and Setup

• VMware ESXi Upgrade

• vCenter Server Installation and Setup

• vCenter Server Upgrade

• vCenter Server and Host Management

• vCenter Server Appliance Configuration

• Platform Services Controller Administration

• vSphere Virtual Machine Administration

• vSphere Host Profiles

• vSphere Networking

• vSphere Storage

• vSphere Security

• vSphere Resource Management

• vSphere Availability

• vSphere Monitoring and Performance

• vSphere Single Host Management - VMware Host Client
