Procedures Guide
vSphere 8.0.x
vSphere Installation and Configuration Procedures Guide
You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
© Copyright 2023 VMware, Inc. All rights reserved. Copyright and trademark information.
Contents
Purpose and Assumptions
  VMware Products and Versions
  Architecture Models
Procedures
  Preparation
  Deployment and Configuration
  Integrations Deployment and Configuration
References
  vSphere References
Purpose and Assumptions
This document provides step-by-step instructions for installing, configuring and deploying the solution for Customer.
This document is written with the assumption that the administrator who uses these procedures is familiar with the
products being used. It is not intended for administrators without prior knowledge of the concepts and terminology.
Architecture Models
Standardization of software configuration improves predictability, supportability and speed of delivery.
VMware designs are comprehensive and cover everything from hardware configuration and specification to detailed
software configuration based on Customer's requirements. It can also cover the required third-party components to
support day 2 operations. The result is a highly available, scalable and robust platform that is rigorously tested.
VMware Professional Services leverages practices that have been rigorously tested and are a part of:
Using these designs introduces standardization through best practices, which increases the speed of delivery as well as
consistency during deployment.
Procedures
This section provides step-by-step procedures for common configuration tasks to be performed during the deployment
of the product in Customer's environment.
Preparation
This section describes the preparation tasks which are required for the deployment of the solution. It is split up into
technology sections.
To install or upgrade ESXi, your system must meet specific hardware and software requirements as described by
the following detail.
Partition: ESX-OSData
Type: VMFS-L
Use: Acts as the unified location to store additional modules. Not used for
Consolidates the legacy /scratch partition, locker partition for VMware Tools, and core dump
destinations.
Caution If the installation media is a USB or an SD card device, best practice is to create
ESX-OSData partitions on a persistent storage device that is not shared between ESXi hosts.
The ESX-OSData volume is divided into two high-level categories of data, persistent and non-persistent data.
Persistent data consists of data written infrequently, for example, VMware Tools ISOs, configurations, and core
dumps.
Non-persistent data consists of frequently written data, for example, logs, VMFS global traces, vSAN Entry
Persistence Daemon (EPD) data, vSAN traces, and real-time databases.
Partition sizes, except for the system boot partition, can vary depending on the size of the boot media used. If the
boot media is a high-endurance one with capacity larger than 142 GB, a VMFS datastore is created automatically to
store virtual machine data.
You can review the boot media capacity and the automatic sizing as configured by the ESXi installer by using the
vSphere Client and navigating to the Partition Details view. Alternatively, you can use ESXCLI, for example the
esxcli storage filesystem list command.
Table 2-2. ESXi System Storage Sizes, Depending on the Used Boot Media and Its Capacity.
Boot-bank 0 500 MB 1 GB 4 GB 4 GB
Boot-bank 1 500 MB 1 GB 4 GB 4 GB
You can use the ESXi installer boot option systemMediaSize to limit the size of system storage partitions on the
boot media. If your system has a small footprint that does not require the maximum of 128 GB of system storage size,
you can limit it to the minimum of 32 GB. The systemMediaSize parameter accepts the following values:
The selected value must fit the purpose of your system. For example, a system with 1 TB of memory must use the
minimum of 64 GB for system storage. To set the boot option at install time, for example
systemMediaSize=small, refer to Enter Boot Options to Start an Installation or Upgrade Script. For more
information, see Knowledge Base article 81166.
The sub-systems that require access to the ESXi partitions access these partitions by using the following symbolic
links:
System Storage Volume | Symbolic Link
Boot-bank 0 | /bootbank
Boot-bank 1 | /altbootbank
To install or upgrade ESXi, your hardware and system resources must meet the following requirements:
Supported server platform. For a list of supported platforms, see the VMware Compatibility Guide at
http://www.vmware.com/resources/compatibility.
ESXi 8.0 supports a broad range of multi-core 64-bit x86 processors. For a complete
list of supported processors, see the VMware Compatibility Guide at
http://www.vmware.com/resources/compatibility.
ESXi 8.0 requires the NX/XD bit to be enabled for the CPU in the BIOS.
ESXi 8.0 requires a minimum of 8 GB of physical RAM. Provide at least 12 GB of RAM to run virtual
machines in typical production environments.
To support 64-bit virtual machines, support for hardware virtualization (Intel VT-x or AMD RVI) must be
enabled on x64 CPUs.
One or more Gigabit or faster Ethernet controllers. For a list of supported network
adapter models, see the VMware Compatibility Guide at http://www.vmware.com/resources/compatibility.
ESXi 8.0 requires a boot disk of at least 32 GB of persistent storage such as HDD, SSD, or NVMe. A
boot device must not be shared between ESXi hosts.
SCSI disk or a local, non-network, RAID LUN with unpartitioned space for the virtual machines.
For Serial ATA (SATA), a disk connected through supported SAS controllers or supported
on-board SATA controllers. SATA disks are considered remote, not local. These disks are not used as a scratch
partition by default because they are seen as remote.
Note You cannot connect a SATA CD-ROM device to a virtual machine on an ESXi host. To use the SATA
CD-ROM device, you must use IDE emulation mode.
Storage Systems
For a list of supported storage systems, see the VMware Compatibility Guide at
http://www.vmware.com/resources/compatibility. Starting with ESXi 8.0, you cannot use software adapters for Fibre
Channel over Ethernet (FCoE), only hardware FCoE adapters.
In vSphere 8.0, support for legacy BIOS is limited and booting ESXi hosts from the Unified Extensible Firmware
Interface (UEFI) is recommended. With UEFI, you can boot systems from hard drives, CD-ROM drives, or USB
media. vSphere Auto Deploy supports network booting and provisioning of ESXi hosts with UEFI. If your
system has supported data processing units (DPU), you can only use UEFI to install and boot ESXi on the DPUs.
For more information on VMware plans to deprecate support for legacy BIOS in server platforms, see
Knowledge Base article https://kb.vmware.com/s/article/84233.
ESXi can boot from a disk larger than 2 TB if the system firmware and the firmware on any add-in card that you are
using support it. See the vendor documentation.
For best performance of an ESXi 8.0 installation, use a persistent storage device that is a minimum of 32 GB for
boot devices. Upgrading to ESXi 8.0 requires a boot device that is a minimum of 8 GB. When booting from a local
disk, SAN or iSCSI LUN, at least a 32 GB disk is required to allow for the creation of system storage volumes,
which include a boot partition, boot banks, and a VMFS-L based ESX-OSData volume. The ESX-OSData volume takes
on the role of the legacy /scratch partition, locker partition for VMware Tools, and core dump destination.
Note In ESXi 8.0, the ESX-OSData volume is considered a unified partition and the separate components, such as
/scratch and VMware Tools, are consolidated into a single persistent OSDATA partition.
Other options for best performance of an ESXi 8.0 installation are the following:
A local disk of 128 GB or larger for optimal support of ESX-OSData. The disk contains the boot partition,
ESX-OSData volume and a VMFS datastore.
To provide resiliency in case of device failure, a RAID 1 mirrored device is recommended.
Legacy SD and USB devices are supported with the following limitations:
SD and USB devices are supported for boot bank partitions. The use of SD and USB devices for storing
ESX-OSData partitions is being deprecated and best practice is to provide a separate persistent local device
with a minimum of 32 GB to store the ESX-OSData volume. The persistent local boot device can be an
industrial grade M.2 flash (SLC and MLC), SAS, SATA, HDD, SSD, or an NVMe device. The optimal
capacity for persistent local devices is 128 GB.
If you do not provide persistent storage, you see an alarm such as Secondary persistent device
not found. Please move installation to persistent storage as support for
SD-Card/USB only configuration is being deprecated.
You must use an SD flash device that is approved by the server vendor for the particular server model on which
you want to install ESXi on an SD flash storage device. You can find a list of validated devices on
partnerweb.vmware.com.
See Knowledge Base article 85685 on updated guidance for SD card or USB-based environments.
To choose a proper SD or USB boot device, see Knowledge Base article 82515.
The upgrade process to ESXi 8.0 from versions earlier than 7.x repartitions the boot device and consolidates the
original core dump, locker, and scratch partitions into the ESX-OSData volume.
If a custom core dump destination is not configured, then the default core dump location is a file in the
ESX-OSData volume.
If the syslog service is configured to store log files on the 4 GB VFAT scratch partition, the log files in
var/run/log are migrated to the ESX-OSData volume.
VMware Tools are migrated from the locker partition and the partition is wiped.
The core dump partition is wiped. The application core dump files that are stored on the scratch
partition are deleted.
Note Rollback to an earlier version of ESXi is not possible due to the repartitioning process of the boot device. To
use an earlier version of ESXi after upgrading to version 8.0, you must create a backup of the boot device before the
upgrade, and restore the ESXi boot device from the backup.
If you use USB or SD devices to perform an upgrade, best practice is to allocate an ESX-OSData region on an
available persistent disk or a SAN LUN. If persistent storage or a SAN LUN is not available, ESX-OSData is
automatically created on a RAM disk. VMFS can also be used for the ESX-OSData partition.
After upgrade, if ESX-OSData resides on a RAM disk and a new persistent device is found on subsequent
boots, and this device has the setting autoPartition=True, ESX-OSData is automatically created on
the new persistent device. ESX-OSData does not move between
persistent storage automatically, but you can manually change the ESX-OSData location on a supported storage.
To reconfigure /scratch, see Set the Scratch Partition from the vSphere Client.
To configure the size of ESXi system partitions, you can use the systemMediaSize option. For more
information, see Knowledge Base article https://kb.vmware.com/s/article/81166.
In Auto Deploy installations, the installer attempts to allocate a scratch region on an available local disk or datastore.
If no local disk or datastore is found, installation fails.
For environments that boot from a SAN or use Auto Deploy, the ESX-OSData volume for each ESXi host must
be set up on a separate SAN LUN.
RAM: ESXi hosts require more RAM than typical servers. ESXi 8.0 requires a minimum of 8 GB of physical RAM.
Provide at least 12 GB of RAM to take full advantage of ESXi features and run virtual machines in typical
production environments. An ESXi host must have sufficient RAM to run concurrent virtual machines. The
following examples are provided to help you calculate the RAM required by the virtual machines running on the
ESXi host.
Operating four virtual machines with Red Hat Enterprise Linux or Windows XP requires at least 3 GB of RAM for
baseline performance. This figure includes 1024 MB for the virtual machines, 256 MB minimum for each operating
system as recommended by vendors.
Running these four virtual machines with 512 MB RAM requires that the ESXi host have 4 GB RAM, which includes
2048 MB for the virtual machines.
These calculations do not include possible memory savings from using variable overhead memory for each virtual
machine. See vSphere Resource Management.
Dedicated Fast Ethernet adapters for virtual machines: Place the management network and virtual machine
networks on different physical network cards. Dedicated Gigabit Ethernet cards for virtual machines, such as
Intel PRO 1000 adapters, improve throughput to virtual machines with high network traffic.
Disk location: Place all data that your virtual machines use on physical disks allocated specifically to virtual
machines. Performance is better when you do not place your virtual machines on the disk containing the ESXi
boot image. Use physical disks that are large enough to hold disk images that all the virtual machines use.
VMFS6 partitioning: The ESXi installer creates the initial VMFS volumes on the first blank local disk found. To
add disks or modify the original configuration, use the vSphere Client. This practice ensures that the starting
sectors of partitions are 64K-aligned, which improves storage performance.
Note For SAS-only environments, the installer might not format the disks. For some SAS disks, it is not possible
to identify whether the disks are local or remote. After the installation, you can use the vSphere Client to set
up VMFS.
ESXi includes a firewall that is enabled by default. At installation time, the ESXi firewall is configured to block
incoming and outgoing traffic, except traffic for services that are enabled
in the host's security profile. For the list of supported ports and protocols in the ESXi firewall, see the VMware
Ports and Protocols Tool™ at https://ports.vmware.com/.
The VMware Ports and Protocols Tool lists port information for services that are installed by default. If you install
other VIBs on your host, additional services and firewall ports might become available. The information is primarily
for services that are visible in the vSphere Client but the VMware Ports and Protocols Tool includes some other ports
as well.
If you used Auto Deploy to install your ESXi 8.0 host, or if you set up a log directory separate from the default
location in a scratch directory on the VMFS volume, you might need to change your current log size and rotation
settings to ensure that enough space is available for system logging.
All vSphere components use this infrastructure. The default values for log capacity in this infrastructure vary,
depending on the amount of storage available and on how you have configured system logging. Hosts that are
deployed with Auto Deploy store logs on a RAM disk, which means that the amount of space available for logs is
small.
If your host is deployed with Auto Deploy, reconfigure your log storage in one of the following ways:
If you redirect logs to non-default storage, such as a NAS or NFS store, you might also want to reconfigure log sizing
and rotations for hosts that are installed to disk.
You do not need to reconfigure log storage for ESXi hosts that use the default configuration, which stores logs in a
scratch directory on the VMFS volume. For these hosts, ESXi 8.0 configures logs to best suit your installation, and
provides enough space to accommodate log messages.
Table 2-5. Recommended Minimum Size and Rotation Configuration for hostd, vpxa, and fdm Logs
Note The default requirements for ESXi passwords can change from one release to the next. You can
check and change the default password restrictions by using the
Security.PasswordQualityControl advanced system setting.
ESXi Passwords
ESXi enforces password requirements for access from the Direct Console User Interface, the ESXi Shell, SSH, or
the VMware Host Client.
By default, you must include a mix of at least three from the following four character classes: lowercase
letters, uppercase letters, numbers, and special characters such as underscore or dash when you create a
password.
Passwords must not contain the user name or parts of the user name.
Note An uppercase character that begins a password does not count toward the number of character classes used. A
number that ends a password does not count toward the number of character classes used. A dictionary word used
inside a password reduces the overall password strength.
The following password candidates illustrate potential passwords if the option is set as follows.
retry=3 min=disabled,disabled,disabled,7,7
With this setting, a user is prompted up to three times (retry=3) for a new password if the password is not
sufficiently strong or was not entered correctly twice. Passwords with one or two character classes and
pass phrases are not allowed, because the first three items are
deactivated. Passwords from three- and four-character classes require seven characters. See the
pam_passwdqc man page for details on other options, such as max, passphrase, and so on. With these
Xqat3hi: Begins with an uppercase character, reducing the effective number of character classes to two.
The minimum number of required character classes is three.
xQaTEh2: Ends with a number, reducing the effective number of character classes to two. The minimum
number of required character classes is three.
ESXi Pass Phrase
Instead of a password, you can also use a pass phrase. However, pass phrases are deactivated by default. You
can change the default setting and other settings by using the Security.PasswordQualityControl
advanced system setting from the vSphere Client.
retry=3 min=disabled,disabled,16,7,7
This example allows pass phrases of at least 16 characters and at least three words.
For legacy hosts, changing the /etc/pam.d/passwd file is still supported, but changing the file is
deprecated for future releases. Use the Security.PasswordQualityControl advanced system setting
instead.
You can change the default restriction on passwords or pass phrases by using the
Security.PasswordQualityControl advanced system setting for your ESXi host. See the vCenter Server
and Host Management documentation for information on changing ESXi advanced system settings.
You can change the default, for example, to require a minimum of 15 characters and a minimum number of four
words (passphrase=4), as follows:
Note Not all possible combinations of password options have been tested. Perform testing after you change the
default password settings.
This example sets the password complexity requirement to require eight characters from four character classes
that enforce a significant password difference, a remembered history of five passwords, and a 90 day rotation
policy:
min=disabled,disabled,disabled,disabled,8 similar=deny
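The class-counting rule and the three min= settings quoted in this section can be checked with the following added example, which is not VMware or pam_passwdqc code. It is a simplified model that covers only character classes, word count, and the five min= fields; it assumes passphrase=3 as the default word count, stores options such as similar=deny without evaluating them, and uses constructed sample passwords alongside the two candidates from the text.

```python
import re
import string

# The three settings quoted in this section.
SETTING_PASSWORD_ONLY = "retry=3 min=disabled,disabled,disabled,7,7"
SETTING_PASSPHRASE = "retry=3 min=disabled,disabled,16,7,7"
SETTING_FOUR_CLASS = "min=disabled,disabled,disabled,disabled,8 similar=deny"


def parse_setting(setting):
    """Split a Security.PasswordQualityControl value into its options."""
    # Assumption: passphrase=3 when the option is absent, which matches the
    # "at least three words" statement for the pass phrase setting.
    opts = {"retry": 3, "passphrase": 3, "min": None}
    for token in setting.split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"option without a value: {token!r}")
        if key == "min":
            fields = value.split(",")
            if len(fields) != 5:
                raise ValueError("min= takes five comma-separated fields")
            # None marks a kind of password that is deactivated.
            opts["min"] = [None if f == "disabled" else int(f) for f in fields]
        elif key in ("retry", "passphrase"):
            opts[key] = int(value)
        else:
            opts[key] = value  # for example similar=deny: stored, not evaluated
    if opts["min"] is None:
        raise ValueError("this model needs an explicit min= option")
    return opts


def effective_classes(password):
    """Count character classes, ignoring a leading uppercase letter and a
    trailing digit as described in the note above."""
    core = password
    if core and core[0] in string.ascii_uppercase:
        core = core[1:]
    if core and core[-1] in string.digits:
        core = core[:-1]
    classes = set()
    for ch in core:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("other")
    return len(classes)


def count_words(password):
    """Model assumption: a word is an unbroken run of ASCII letters."""
    return len(re.findall(r"[A-Za-z]+", password))


def evaluate(password, setting):
    """Return (accepted, reason) for a candidate under one setting."""
    opts = parse_setting(setting)
    n0, n1, n2, n3, n4 = opts["min"]
    length = len(password)
    classes = effective_classes(password)
    words = count_words(password)

    def long_enough(limit):
        return limit is not None and length >= limit

    if classes >= 4 and long_enough(n4):
        return True, "four-class password"
    if classes >= 3 and long_enough(n3):
        return True, "three-class password"
    if classes >= 2 and words >= opts["passphrase"] and long_enough(n2):
        return True, "pass phrase"
    if classes >= 2 and long_enough(n1):
        return True, "two-class password"
    if classes >= 1 and long_enough(n0):
        return True, "one-class password"
    return False, f"{classes} effective classes, {words} words, length {length}"


if __name__ == "__main__":
    # Xqat3hi and xQaTEh2 come from the text; the rest are constructed samples.
    samples = ["Xqat3hi", "xQaTEh2", "tr4il-mix", "tr4il-Mix", "correct horse battery"]
    for name, setting in [("password only", SETTING_PASSWORD_ONLY),
                          ("pass phrase", SETTING_PASSPHRASE),
                          ("four class", SETTING_FOUR_CLASS)]:
        for candidate in samples:
            print(f"{name:14} {candidate!r:26} {evaluate(candidate, setting)}")
```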
Account locking is supported for access through SSH and through the vSphere Web Services SDK. The Direct
Console Interface (DCUI) and the ESXi Shell do not support account lockout. By default, a maximum of five failed
attempts is allowed before the account is locked. The account is unlocked after 15 minutes by default.
Configuring Login Behavior
You can configure the login behavior for your ESXi host with the following advanced system settings:
See the vCenter Server and Host Management documentation for information on setting ESXi advanced
options.
Download the installer for ESXi. You can obtain the software either from an OEM or from the VMware download
portal at https://customerconnect.vmware.com/.
Prerequisites
Procedure
4 Select a VMware vSphere version from the Select Version drop-down menu.
Note vSphere 8.0 removes insecure default ciphers such as SHA1 and MD5 and replaces them with secure
ciphers such as SHA256.
For an evaluation copy of ESXi, go to https://www.vmware.com/try-vmware.html.
For more information on ESXi downloads, see VMware knowledge base article
https://kb.vmware.com/s/article/2107518.
For product patches to ESXi, see VMware knowledge base article 1021623 or go to
https://my.vmware.com/group/vmware/patch.
In an interactive installation, the system prompts you for the required system information. In a scripted installation,
you must supply this information in the installation script.
For future use, note the values you use during the installation. These notes are useful if you must reinstall ESXi and
reenter the values that you originally selected.
Information | Required or Optional | Default | Comments
IP address | Optional | DHCP | You can allow DHCP to configure the network during installation. After installation, you can change the network settings.
Subnet mask | Optional | Calculated based on the IP address |
Host name | Required for static IP settings | None | The vSphere Client can use either the host name or the IP address to access the ESXi host.
Install location | Required | None | Must be at least 5 GB if you install the components on a single disk.
Migrate existing ESXi settings. Preserve existing VMFS datastore. | Required if you are installing ESXi on a drive with an existing ESXi installation. | None | If you have an existing ESXi 5.x installation, the ESXi installer offers a choice between preserving or overwriting the VMFS datastore during installation
Root password | Required | None | The root password must contain between 8 and 40 characters. For information about passwords see the vSphere Security documentation.
The ESXi installer must be accessible to the system on which you are installing ESXi. The following
Boot from a CD/DVD. See Download and Burn the ESXi Installer ISO Image to a CD or DVD.
Boot from a remote location using a remote management application. See #unique_22
You can also create an installer ISO image that includes a custom installation script. See #unique_23.
Procedure
To install or upgrade vCenter Server, your system must meet specific hardware and software requirements as
described by the following detail.
When you use Fully Qualified Domain Names, verify that the client machine from which you are deploying the
appliance and the network on which you are deploying the appliance use the same DNS server.
Before you deploy the appliance, synchronize the clocks of the target server and all vCenter Server instances on the
vSphere network. Unsynchronized clocks might result in authentication problems and can cause the installation to
fail or prevent the appliance services from starting. See Synchronizing Clocks on the vSphere Network.
When you deploy the vCenter Server appliance, the ESXi host or DRS cluster on which you deploy the appliance
must meet minimum storage requirements. The required storage depends not only on the size of the vSphere
environment and the storage size, but also on the disk provisioning mode.
The storage requirements are different for each vSphere environment size and depend on your database size
requirements.
Note The storage requirements include the requirements for the vSphere Lifecycle Manager that runs as a service in
the vCenter Server appliance.
The VMware vCenter Server appliance can be deployed on ESXi 6.7 hosts or later, or on vCenter Server instances
6.7 or later.
You can deploy the vCenter Server appliance using the GUI or CLI installer. You run the installer from a network
client machine that you use to connect to the target server and deploy the appliance on the server. You can connect
directly to an ESXi 6.7 host on which to deploy the appliance. You can also connect to a vCenter Server 6.7 instance
to deploy the appliance on an ESXi host or DRS cluster that resides in the vCenter Server inventory.
For information about the requirements for network client machine, see System Requirements for the vCenter Server
Installer.
Required Ports for vCenter Server
The vCenter Server system must be able to send data to every managed host and receive
data from the vSphere Client. To enable migration and provisioning activities between managed hosts, the source and
destination hosts must be able to receive data from each other through predetermined TCP and UDP ports.
vCenter Server is accessed through predetermined TCP and UDP ports. If you manage network components from
outside a firewall, you might be required to reconfigure the firewall to allow access on the appropriate ports. For the
list of all supported ports and protocols in vSphere, see the VMware Ports and Protocols Tool™ at
https://ports.vmware.com.
During installation, if a port is in use or is blocked using a denylist, the vCenter Server installer displays an error
message. You must use another port number to proceed with the installation. There are internal ports that are used
only for inter-process communication.
VMware uses designated ports for communication. Additionally, the managed hosts monitor designated ports for data
from vCenter Server. If a built-in firewall exists between any of these elements, the installer opens the ports during
the installation or upgrade process. For custom firewalls, you must manually open the required ports. If you have a
firewall between two managed hosts and you want to perform source or target activities, such as migration or cloning,
you must configure a means for the managed hosts to receive data.
To configure the vCenter Server system to use a different port to receive vSphere Client data, see the vCenter
Server and Host Management documentation.
When you deploy the vCenter Server appliance with a static IP address, you ensure that in case of system restart, the
IP address of the appliance remains the same.
Before you deploy the vCenter Server appliance with a static IP address, you must verify that this IP address has a
valid internal domain name system (DNS) registration.
When you deploy the vCenter Server appliance, the installation of the web server component that supports the
vSphere Client fails if the installer cannot look up the fully qualified domain name (FQDN) for the appliance from its
IP address. Reverse lookup is implemented using PTR records.
If you plan to use an FQDN for the appliance system name, you must verify that the FQDN is resolvable by a DNS
server, by adding forward and reverse DNS A records.
You can use the nslookup command to verify that the DNS reverse lookup service returns an FQDN when
queried with the IP address and to verify that the FQDN is resolvable.
If you use DHCP instead of a static IP address for the vCenter Server appliance, verify that the appliance name is
updated in the domain name service (DNS). If you can ping the appliance name, the name is updated in DNS.
Ensure that the ESXi host management interface has a valid DNS resolution from the vCenter Server and all
vSphere Client instances. Ensure that the vCenter Server has a valid DNS resolution from all ESXi hosts and
vSphere Client.
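The forward and reverse lookup checks described above can be scripted before deployment. The following is an added example, not part of the VMware guide or its installer; the function names, the host names under example.internal, and the 192.0.2.x addresses are constructed for illustration.

```python
import socket


def system_forward(fqdn):
    """Forward lookup through the system resolver. Unlike nslookup, the
    system resolver may also consult the local hosts file."""
    infos = socket.getaddrinfo(fqdn, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def system_reverse(ip):
    """Reverse (PTR) lookup through the system resolver."""
    return socket.gethostbyaddr(ip)[0]


def _norm(name):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return name.rstrip(".").lower()


def check_appliance_dns(fqdn, ip, forward=system_forward, reverse=system_reverse):
    """Return a list of problems; an empty list means the FQDN resolves to
    the static IP address and the PTR record returns the same FQDN."""
    problems = []
    if "." not in _norm(fqdn):
        problems.append(f"{fqdn!r} is a short name, not an FQDN")
    try:
        addresses = forward(fqdn)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        addresses = []
        problems.append(f"forward lookup of {fqdn} failed: {exc}")
    if addresses and ip not in addresses:
        problems.append(f"{fqdn} resolves to {addresses}, not {ip}")
    try:
        ptr_name = reverse(ip)
    except OSError as exc:  # socket.herror is a subclass of OSError
        ptr_name = None
        problems.append(f"reverse lookup of {ip} failed: {exc}")
    if ptr_name is not None and _norm(ptr_name) != _norm(fqdn):
        problems.append(f"PTR for {ip} is {ptr_name}, expected {fqdn}")
    return problems


# Constructed records standing in for a DNS zone, so the example runs offline.
SAMPLE_A = {
    "vcsa01.example.internal": ["192.0.2.10"],
    "vcsa02.example.internal": ["192.0.2.11"],
}
SAMPLE_PTR = {
    "192.0.2.10": "vcsa01.example.internal.",
    "192.0.2.11": "vcsa02",  # constructed fault: PTR returns a short name
}


def sample_forward(fqdn):
    try:
        return SAMPLE_A[_norm(fqdn)]
    except KeyError:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known") from None


def sample_reverse(ip):
    try:
        return SAMPLE_PTR[ip]
    except KeyError:
        raise socket.herror(1, "Unknown host") from None


if __name__ == "__main__":
    for name, addr in [("vcsa01.example.internal", "192.0.2.10"),
                       ("vcsa02.example.internal", "192.0.2.11"),
                       ("vcsa03.example.internal", "192.0.2.12")]:
        found = check_appliance_dns(name, addr, sample_forward, sample_reverse)
        print(name, addr, "OK" if not found else found)
```

Calling check_appliance_dns with only the FQDN and IP address uses the system resolver instead of the constructed records.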
VMware has tested and supports the following guest operating systems and browser versions for the vSphere
Client.
Mac OS
Note Later versions of these browsers are likely to work, but have not been tested.
The machine from which you deploy the appliance must run on a Windows, Linux, or Mac operating system that
meets the operating system requirements. See System Requirements for the vCenter Server Installer.
You can run the vCenter Server GUI or CLI installer from a network client machine that is running on a Windows,
Linux, or Mac operating system of a supported version.
To ensure optimal performance of the GUI and CLI installers, use a client machine that meets the minimum hardware
requirements.
Table 2-7. System Requirements for the GUI and CLI Installers
Operating System | Supported Versions | Minimum Hardware Configuration for Optimal Performance
Windows | Windows 10, 11; Windows 2016 x64 bit; Windows 2019 x64 bit; Windows 2022 x64 bit | 4 GB RAM, 2 CPU having 4 cores with 2.3 GHz, 32 GB hard disk, 1 NIC
Linux | SUSE 15; Ubuntu 18.04, 20.04, 21.10 | 4 GB RAM, 1 CPU having 2 cores with 2.3 GHz, 16 GB hard disk, 1 NIC. Note The CLI installer requires 64-bit OS.
Mac | macOS 10.15, 11, 12; macOS Catalina, Big Sur, Monterey | 8 GB RAM, 1 CPU having 4 cores with 2.4 GHz, 150 GB hard disk, 1 NIC
Note For client machines that run on Mac 10.15 or later, concurrent GUI deployments of multiple appliances are
unsupported. You must deploy the appliances in a sequence.
Note Visual C++ redistributable libraries need to be installed to run the CLI installer on versions of Windows
older than Windows 10. The Microsoft installers for these libraries are located in the
vcsa-cli-installer/win32/vcredist directory.
Note Deploying the vCenter Server appliance with the GUI requires a minimum resolution of 1024x768 to properly
display. Lower resolutions can truncate the UI elements.
VMware releases the vCenter Server appliance ISO image, which contains GUI and CLI installers for the vCenter
Server appliance.
With the GUI and CLI executable files that are included in the vCenter Server installer, you can:
Converge older versions of vCenter Server with an external Platform Services Controller to the current version
of vCenter Server.
Prerequisites
Create a Customer Connect account at https://my.vmware.com/web/vmware/.
Verify that your client machine meets the system requirements for the vCenter Server installer. See System
Requirements for the vCenter Server Installer.
Procedure
8 Mount the ISO image to the client machine from which you want to deploy, upgrade, migrate, or restore the
appliance.
Note ISO mounting software that does not allow more than eight directory levels, for example, MagicISO
Maker on Windows, is unsupported.
Important Due to a security change in MacOS Catalina, you must modify the security settings on your
computer until the vCenter Server deployment completes. If you attempt to run the installer under MacOS
Catalina without modifying the security settings, the vCenter Server installer reports the error: ovftool
cannot be opened because the developer cannot be verified. For more information, see KB
79416.
What to do next
Open the readme.txt file and review the information about the other files and directories in the vCenter Server
appliance ISO image.
Verify that all components on the vSphere network have their clocks synchronized. If the clocks on the physical
machines in your vSphere network are not synchronized, SSL certificates and SAML tokens, which are
time-sensitive, might not be recognized as valid in communications between network machines.
Unsynchronized clocks can result in authentication problems, which can cause the installation to fail or prevent
the vCenter Server vmware-vpxd service from starting.
Time inconsistencies in vSphere can cause the first boot of a component in your environment to fail at different
services depending on where in the environment time is not accurate and when the time is synchronized. Problems
most commonly occur when the target ESXi host for the destination vCenter Server is not synchronized with NTP
or PTP. Similarly, issues can arise if the destination vCenter Server migrates to an ESXi host set to a different time
due to fully automated DRS.
To avoid time synchronization issues, ensure that the following is correct before installing, migrating, or upgrading
a vCenter Server instance.
The target ESXi host where the destination vCenter Server is to be deployed is synchronized to NTP or PTP.
The ESXi host running the source vCenter Server is synchronized to NTP or PTP.
When upgrading or migrating from vSphere 6.7 to vSphere 8.0, if the vCenter Server appliance is
connected to an external Platform Services Controller, ensure the ESXi host running the external
Platform Services Controller is synchronized to NTP or PTP.
If you are upgrading or migrating from vSphere 6.7 to vSphere 8.0, verify that the source vCenter Server or
vCenter Server appliance and external Platform Services Controller have the correct time.
Verify that any Windows host machine on which vCenter Server runs is synchronized with the Network Time
Protocol (NTP) server. See the VMware knowledge base article at https://kb.vmware.com/s/article/1318.
To synchronize ESXi clocks with an NTP or a PTP server, you can use the VMware Host Client. For information
about editing the time configuration of an ESXi host, see topic Edit the Time
Configuration of an ESXi Host in the VMware Host Client in the vSphere Single Host Management -
VMware Host Client documentation.
To learn how to change time synchronization settings for vCenter Server, see topic Configure the System
Time Zone and Time Synchronization Settings in the vCenter Server Configuration
documentation.
To learn how to edit the time configuration for a host by using the vSphere Client, see topic Editing the Time
Configuration Settings of a Host in the vCenter Server and Host Management documentation.
To establish a secure TLS connection to a vCenter Server (the server), the system clock of the machine where you
are running the CLI installer (the client) must not be slower or faster than the server's system clock by more
than an acceptable limit (tolerance).
See Table 2-8. Client Clock Tolerance for specific values for each deployment scenario.
Note The client clock values are applicable only for vCenter Server 6.7 and later.
Linking one vCenter Server with another vCenter Server: When deploying the second vCenter Server, the clock
tolerance for the client and the first vCenter Server must not exceed 10 minutes.
Installing a vCenter Server appliance using a container vCenter Server with a *._on_vc.json template: The
maximum clock tolerance between the client and the container vCenter Server is 8 hours 20 minutes.
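One way to check the client clock before starting the installer is to measure its offset from the NTP source that the vSphere components use and compare it with the two tolerances above. The following Python sketch is an added example, not part of the VMware guide or installer; the function names are illustrative, the sample reply is constructed, and it assumes that the vCenter Server is synchronized to the same NTP source, so the offset from that source approximates the offset from the server.

```python
"""Measure the client clock offset with SNTP and compare it with the
client clock tolerances listed above (added example, illustrative names)."""
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800                  # seconds from 1900-01-01 to 1970-01-01
TOLERANCE_LINKED_S = 10 * 60                 # linking with another vCenter Server
TOLERANCE_CONTAINER_S = 8 * 3600 + 20 * 60   # container vCenter Server template


def _to_ntp(unix_time):
    """Encode a Unix time as a 64-bit NTP timestamp (seconds, fraction)."""
    seconds = (int(unix_time) + NTP_UNIX_DELTA) & 0xFFFFFFFF
    fraction = int((unix_time % 1) * 2**32)
    return struct.pack("!II", seconds, fraction)


def _from_ntp(raw):
    """Decode a 64-bit NTP timestamp into a Unix time."""
    seconds, fraction = struct.unpack("!II", raw)
    return seconds - NTP_UNIX_DELTA + fraction / 2**32


def build_request(t_send):
    """48-byte SNTP client request: LI=0, VN=4, Mode=3, transmit time set."""
    return bytes([0x23]) + bytes(39) + _to_ntp(t_send)


def make_reply(t_rx, t_tx, stratum=2, leap=0):
    """Build a constructed server reply (Mode=4) so the parser can be run offline."""
    first = (leap << 6) | (4 << 3) | 4
    header = bytes([first, stratum]) + bytes(30)   # fields up to the origin timestamp
    return header + _to_ntp(t_rx) + _to_ntp(t_tx)


def parse_reply(reply, t_send, t_recv):
    """Return (offset, round_trip_delay) in seconds.

    A positive offset means the client clock is behind the NTP source.
    """
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    leap, mode, stratum = reply[0] >> 6, reply[0] & 0x07, reply[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if leap == 3 or stratum == 0:
        raise ValueError("server reports that it is not synchronized")
    t_rx, t_tx = _from_ntp(reply[32:40]), _from_ntp(reply[40:48])
    offset = ((t_rx - t_send) + (t_tx - t_recv)) / 2
    delay = (t_recv - t_send) - (t_tx - t_rx)
    return offset, delay


def query(server, timeout=3.0):
    """Ask a live NTP server on UDP port 123 (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t_send = time.time()
        sock.sendto(build_request(t_send), (server, 123))
        reply, _ = sock.recvfrom(512)
        t_recv = time.time()
    return parse_reply(reply, t_send, t_recv)


def within_tolerance(offset, tolerance_s):
    """True when the absolute clock offset does not exceed the tolerance."""
    return abs(offset) <= tolerance_s


if __name__ == "__main__":
    # Constructed exchange: the client is 700 s behind, 0.5 s network delay each way.
    offset, delay = parse_reply(make_reply(1700.5, 1700.5), 1000.0, 1001.0)
    print(f"offset {offset:+.1f} s, round trip {delay:.1f} s")
    print("linked deployment OK:   ", within_tolerance(offset, TOLERANCE_LINKED_S))
    print("container deployment OK:", within_tolerance(offset, TOLERANCE_CONTAINER_S))
```

Against a live source, call query() with the name of your own NTP server and pass the returned offset to within_tolerance().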
General Prerequisites
Verify that your system meets the minimum software and hardware requirements. See System Requirements
for the vCenter Server Appliance.
If you want to deploy the appliance on an ESXi host, verify that the ESXi host is not in lockdown or
maintenance mode and not part of a fully automated DRS cluster.
If you want to deploy the appliance on a DRS cluster of the inventory of a vCenter Server instance,
verify that the cluster contains at least one ESXi host that is not in lockdown or maintenance mode.
If you plan to use NTP servers for time synchronization, verify that the NTP servers are running and that the
time between the NTP servers and the target server on which you want to deploy the appliance is synchronized.
If you want to deploy the appliance on a vSAN ESA cluster with vSAN ESA encryption, you must
enable vSAN ESA encryption before installing vCenter Server. vSAN Express
Storage Architecture is a next-generation architecture designed to get the most out of high-performance storage
devices, resulting in greater performance and efficiency. You can enable vSAN ESA encryption through vSAN
SDK or vSAN API.
When deploying a new vCenter Server as part of an Enhanced Linked Mode deployment, create an image-based
backup of the existing vCenter Server nodes in your environment. You can use the backup as a precaution in case
there is a failure during the deployment process.
If the deployment fails, delete the newly deployed vCenter Server appliance, and restore the vCenter Server nodes
from their respective image-based backups. You must restore all the nodes in the environment from their
image-based backups. Failing to do so can cause the replication partners to be out of synchronization with the
restored node.
To learn more about creating vCenter Enhanced Linked Mode deployments, see #unique_37.
Network Prerequisites
If you plan to assign a static IP address and an FQDN as a system name in the network settings of the appliance,
verify that you have configured the forward and reverse DNS records for the IP address.
Prior to starting the installation and configuration of the vSphere Network Infrastructure, the following preparation
steps are required:
ESXi host hardware must have the appropriate network connectivity in the datacenter provisioned
and connected.
Appropriate IP addresses, DNS, VLANs, and the like should be available, assigned, and configured as
required for the design.
Prior to starting the installation and configuration of the vSphere Storage Infrastructure, the following preparation
steps are required:
External storage systems should be provisioned, and appropriate configuration of LUNs, zoning, and the like
should be available for configuration of the storage. Steps are provided only for the configuration specific to
VMware products that is required to set up storage generically.
Contact the storage vendor to ensure that their best practices are being followed.
Prior to starting the installation and configuration of High Availability, the following preparation steps are required:
The vCenter Server Appliance that later becomes the Active node has been deployed. vCenter for
Windows is not supported.
Appropriate access and privileges have been granted to modify that vCenter Server Appliance and
the ESXi host on which it runs.
During network setup, static IP addresses for the management network are required. The management and
cluster network addresses must be IPv4 or IPv6. They cannot be mixed.
Consultant Note Remove this section if Fault Tolerance is not in the engagement.
Prior to starting the installation and configuration of DRS the following preparation steps are required:
Prior to starting the installation and configuration of the virtual machine configurations the following preparation
steps are required:
Sizing and Operating System details for the templates must be decided.
This section describes the preparation steps for activating vSphere+.
Prior to starting the deployment and configuration of vSphere+ make sure that the following steps are completed:
The latest version of the vCenter Cloud Gateway Appliance has been downloaded.
The network latency and bandwidth requirements are met. For details see the Configuration Maximums page
for vSphere.
Network ports have been opened as appropriate for your given configuration. Details can be found in the Port
Requirements section of the vCenter Cloud Gateway Requirements Page.
The first building block of the deployment is the ESXi host. Installing an ESXi host creates a virtualization layer that
runs on physical servers and abstracts processor, memory, storage, and other resources that one or more virtual
machines can consume, and is generally required to build the rest of the infrastructure. This may include vCenter
Server but could also include many other optional modules or products.
For more information, refer to the product documentation available on the VMware vSphere 8.0 Documentation
Center Web site (https://docs.vmware.com/en/VMware-vSphere/index.html).
This section describes how to install and configure ESXi Hosts.
In a typical interactive installation, you boot the ESXi installer and respond to the installer prompts to install ESXi
to the local host disk. The installer reformats and partitions the target disk and installs the ESXi boot image. If you
have not installed ESXi on the target disk before, all data on the drive is overwritten, including hardware vendor
partitions, operating system partitions, and associated data.
Note To ensure that you do not lose any data, migrate the data to another machine before you install ESXi.
If you are installing ESXi on a disk that contains a previous installation of ESXi or ESX, or a
VMFS datastore, the installer provides you with options for upgrading. See the vSphere Upgrade
documentation.
Install ESXi Interactively
You use the ESXi CD/DVD or a USB flash drive to install the ESXi software onto a SAS, SATA, SCSI hard drive, or
USB drive.
Prerequisites
You must have the ESXi installer ISO in one of the following locations:
On CD or DVD. If you do not have the installation CD/DVD, you can create one. See Download
and Burn the ESXi Installer ISO Image to a CD or DVD
Note You can also PXE boot the ESXi installer to run an interactive installation or a scripted installation. See
#unique_21.
Verify that the server hardware clock is set to UTC. This setting is in the system BIOS or UEFI.
Verify that a keyboard and monitor are attached to the machine on which the ESXi software is installed.
Alternatively, use a remote management application. See #unique_22.
Consider disconnecting your network storage. This action decreases the time it takes the installer to search for
available disk drives. When you disconnect network storage, any files on the disconnected disks are
unavailable at installation.
Do not disconnect a LUN that contains an existing ESX or ESXi installation. Do not disconnect a VMFS
datastore that contains the Service Console of an existing ESX installation. These actions can affect the
outcome of the installation.
Gather the information required by the ESXi installation wizard. See Required Information for ESXi
Installation.
Verify that ESXi Embedded is not present on the host machine. ESXi Installable and ESXi
Embedded cannot exist on the same host.
Procedure
1 Insert the ESXi installer CD/DVD into the CD/DVD-ROM drive, or attach the Installer USB flash drive and
restart the machine.
2 Set the BIOS or UEFI to boot from the CD-ROM device or the USB flash drive.
Note If your system has supported NVIDIA or Pensando data processing units (DPUs), you can only use
UEFI to install and boot ESXi on the DPUs.
See your hardware vendor documentation for information on changing boot order.
After scanning for available devices completes, if your system has supported DPUs, you see them listed with
their respective PCI slots.
3 If your system has supported DPUs, select the DPU on which you want to install ESXi and press Enter.
In the DPU Details screen, you see all properties of the DPU device.
With vSphere 8.0, if your system has supported DPUs, always consider the installation, re-installation or
upgrade of ESXi on the DPUs in a lockstep with ESXi on hosts.
4 On the Select a Disk to Install or Upgrade ESXi page, select the drive on which to install ESXi, and press
Enter.
Note Do not rely on the disk order in the list to select a disk. The disk order is determined by the BIOS or
UEFI and might be out of order. This might occur on systems where drives are continuously being added and
removed.
If you select a disk that contains data, the Confirm Disk Selection page appears.
If you are installing on a disk with a previous ESXi or ESX installation or VMFS datastore, the installer provides
several choices.
Important If you are upgrading or migrating an existing ESXi installation, see the VMware ESXi
Upgrade documentation.
If you select a disk that is in a vSAN disk group, the resulting installation depends on the type of disk and the
group size:
If you select an SSD, the SSD and all underlying HDDs in the same disk group are wiped.
If you select an HDD, and the disk group size is greater than two, only the selected HDD is wiped.
If you select an HDD, and the disk group size is two or less, the SSD and the selected HDD are
wiped.
For more information about managing vSAN disk groups, see the vSphere Storage
documentation.
If you select an SD or USB device, you see a warning that prompts you to select a persistent disk to store the
ESXi-OSData partition. In the Select a Disk to store ESX OSData screen, select a persistent storage device
with a minimum of 32 GB of available space.
5 Select the keyboard type for the host.
You can change the keyboard type after installation in the direct console.
You can change the password after installation in the direct console.
8 When the installation is complete, remove the installation CD, DVD, or USB flash drive.
10 Set the first boot device to be the drive on which you installed ESXi in Step 4.
For information about changing boot order, see your hardware vendor documentation.
Note UEFI systems might require additional steps to set the boot device. See #unique_49
Results
After the installation is complete, you can migrate existing VMFS data to the ESXi host.
You can boot a single machine from each ESXi image. Booting multiple devices from a single shared ESXi image
is not supported.
What to do next
Set up basic administration and network configuration for ESXi. See #unique_50.
Setting Up ESXi
These topics provide information about using the direct console user interface and configuring defaults for ESXi.
You can use the VMware Host Client, the vSphere Client and vCenter Server to manage your ESXi hosts.
For instructions about downloading and installing vCenter Server and the vCenter Server components, see vCenter
Server Installation and Setup. For information about installing the VMware Host Client, see vSphere Single
Host Management.
Use the direct console interface for initial ESXi configuration and troubleshooting.
Connect a keyboard and monitor to the host to use the direct console. After the host completes the autoconfiguration
phase, the direct console appears on the monitor. You can examine the default network configuration and change
any settings that are not compatible with your network environment.
Key operations available to you in the direct console include:
Configuring hosts
Troubleshooting
You can also use vSphere Client to manage the host by using vCenter Server.
Action Key
Enable ESXi Shell and SSH Access with the Direct Console User Interface
Use the direct console user interface to enable the ESXi Shell.
Procedure
1 From the Direct Console User Interface, press F2 to access the System Customization menu.
Enable SSH
4 Press Enter to enable the service.
The availability timeout setting is the number of minutes that can elapse before you must log in after the ESXi
Shell is enabled. After the timeout period, if you have not logged in, the shell is deactivated.
Note If you are logged in when the timeout period elapses, your session will persist. However, the ESXi
Shell is deactivated, preventing other users from logging in.
a From the Troubleshooting Mode Options menu, select Modify ESXi Shell and SSH timeouts
and press Enter.
The availability timeout is the number of minutes that can elapse before you must log in after the ESXi
Shell is enabled.
c Press Enter.
The idle timeout is the number of minutes that can elapse before the user is logged out of an idle
interactive session. Changes to the idle timeout apply the next time a user logs in to the ESXi Shell and
do not affect existing sessions.
6 Press Esc until you return to the main menu of the Direct Console User Interface.
You can use the direct console to set the password for the administrator account (root).
The administrative user name for the ESXi host is root. By default, the administrative password is not set.
Procedure
2 (Optional) If a password is already set up, type the password in the Old Password line and press Enter.
3 In the New Password line, type a new password and press Enter.
ESXi requires one IP address for the management network. To configure basic network settings, use the vSphere
Client or the direct console.
Use the vSphere Client if you are satisfied with the IP address assigned by the DHCP server. Use the direct
You are not satisfied with the IP address assigned by the DHCP server.
You are not allowed to use the IP address assigned by the DHCP server.
ESXi does not have an IP address. This situation might occur if the autoconfiguration phase did not succeed in
configuring DHCP.
The wrong network adapter was selected during the autoconfiguration phase.
Use ESXCLI commands to configure your network settings. See esxcli network Commands.
Network Access to Your ESXi Host
The default behavior is to configure the ESXi management network using DHCP. You can override the default
behavior and use static IP settings for the management network after the installation is completed.
Scenario: You want to accept the DHCP-configured IP settings.
Approach: In the ESXi direct console, you can find the IP address assigned through DHCP to the ESXi management
interface. You can use that IP address to connect to the host from the vSphere Client and customize settings,
including changing the management IP address.

Scenario: One of the following is true:
You do not have a DHCP server.
The ESXi host is not connected to a DHCP server.
functioning properly.
Approach: During the autoconfiguration phase, the software assigns the link local IP address, which is in the
subnet 169.254.x.x/16. The assigned IP address appears on the direct console. You can override the link local IP
address by configuring a static IP address

Scenario: The ESXi host is connected to a functioning DHCP server, but you do not want to use the
DHCP-configured IP address.
Approach: During the autoconfiguration phase, the software assigns a DHCP-configured IP address. You can make
the initial connection by using the DHCP-configured IP address. Then you can configure a static IP address.
If you have physical access to the ESXi host, you can override the DHCP-configured IP address by configuring a
static IP address using the direct console.

Scenario: Your security deployment policies do not permit unconfigured hosts to be powered on the network.
Approach: Follow the setup procedure in #unique_58.
network.
Examples of external management software include the vCenter Server and SNMP client. Network adapters on the
host are named vmnicN, where N is a unique number identifying the network adapter, for example, vmnic0, vmnic1,
and so forth.
During the autoconfiguration phase, the ESXi host chooses vmnic0 for management traffic. You can
override the default choice by manually choosing the network adapter that carries management traffic for
the host. In some cases, you might want to use a Gigabit Ethernet
network adapter for your management traffic. Another way to help ensure availability is to select multiple
network adapters. Using multiple network adapters enables load balancing and failover capabilities.
Procedure
1 From the direct console, select Configure Management Network and press Enter.
Results
After the network is functional, you can use the vSphere Client to connect to the ESXi host through vCenter Server.
Set the VLAN ID
You can set the virtual LAN (VLAN) ID number of the ESXi host.
Procedure
1 From the direct console, select Configure Management Network and press Enter.
For DHCP to work, your network environment must have a DHCP server. If DHCP is not available, the host assigns
the link local IP address, which is in the subnet 169.254.x.x/16. The assigned IP address appears on the direct console.
If you do not have physical monitor access to the host, you can access the direct console using a remote management
application. See #unique_22
When you have access to the direct console, you can optionally configure a static network address. The default
subnet mask is 255.255.0.0.
Configure IP Settings from the Direct Console
If you have physical access to the host or remote access to the direct console, you can use the direct console to
configure the IP address, subnet mask, and default gateway.
Procedure
4 Enter the IP address, subnet mask, and default gateway and press Enter.
The default is automatic. For automatic DNS to work, your network environment must have a DHCP server and a
DNS server.
In network environments where automatic DNS is not available or not desirable, you can configure static DNS
information, including a host name, a primary name server, a secondary name server, and DNS suffixes.
Configure DNS Settings from the Direct Console
If you have physical access to the host or remote access to the direct console, you can use the direct console to
configure DNS information.
Procedure
4 Enter the primary server, an alternative server (optional), and the host name.
Procedure
Pings the default gateway
Procedure
1 From the direct console, select Test Management Network and press Enter.
For more information, refer to the product documentation available on the VMware vSphere 8.0 Documentation
Center Web site (https://docs.vmware.com/en/VMware-vSphere/index.html).
Installing a vCenter Server system creates the central point for configuring, provisioning, and managing virtualized IT
environments. You must install the vCenter Server system software before you can add the hosts and data centers to
be managed and monitored.
With vSphere 8.0 a single architecture exists, simplifying the required design for the environment. This design
deploys vCenter Server appliance in an embedded configuration.
With vSphere 8.0, the vCenter Server Appliance is the only platform for running vCenter Server. vCenter Server for
Windows is not available.
This document describes installation and deployment of vCenter that will be standalone as shown in the below
figure:
Or that will be linked together using Enhanced Linked Mode with other vCenter servers as shown in the below
figure:
Note Although vCenter Server 8.0 supports connections between vCenter Server and vCenter Server components
using IPv4 IP addresses, VMware recommends that you use a FQDN to configure the services. In the case of an
IPv6 environment, you must use the FQDN or host name of the vCenter Server system.
GUI deployment from a Windows, Linux, or Mac machine that is in the network on which you want to deploy the
appliance.
Prerequisites
See #unique_69.
With stage 1 of the deployment process, you deploy the OVA file, which is included in the vCenter Server installer,
as a vCenter Server appliance.
Procedure
For Windows OS, go to the win32 subdirectory, and run the installer.exe file.
For Linux OS, go to the lin64 subdirectory, and run the installer file.
For Mac OS, go to the mac subdirectory, and run the Installer.app file.
3 Review the Introduction page to understand the deployment process and click Next.
5 Connect to the target server on which you want to deploy the vCenter Server appliance.
Option: You can connect to an ESXi host on which to deploy the appliance.
Steps:
1 Enter the FQDN or IP address of the ESXi host.
2 Enter the HTTPS port of the ESXi host.
3 Enter the user name and password of a user with administrative privileges on the ESXi host, for
example, the root user.
4 Click Next.
5 Verify that the certificate warning displays the SHA1 thumbprint of the SSL certificate that is installed
on the target ESXi host, and click Yes to accept the certificate thumbprint.

Option: You can connect to a vCenter Server instance and browse the inventory to select an ESXi host or DRS
cluster on which to deploy the appliance.
Steps:
1 Enter the FQDN or IP address of the vCenter Server instance.
2 Enter the HTTPS port of the vCenter Server instance.
3 Enter the user name and password of a user with vCenter Single Sign-On administrative
privileges on the vCenter Server instance, for example, the
administrator@your_domain_name user.
4 Click Next.
5 Verify that the certificate warning displays the SHA1 thumbprint of the SSL certificate that is installed
on the target vCenter Server instance, and click Yes to accept the certificate thumbprint.
6 Select the data center or data center folder that contains the ESXi host or DRS cluster on which you
want to deploy the appliance, and click Next.
Note You must select a data center or data center folder that contains at least one ESXi host that is not in
lockdown or maintenance mode.
7 Select the ESXi host or DRS cluster on which you want to deploy the appliance, and click
Next.
6 On the Set up appliance VM page, enter a name for the vCenter Server appliance, set the password for
the root user, and click Next.
The appliance name must not contain a percent sign (%), backslash (\), or forward slash (/) and must be no more
than 80 characters in length.
The password must contain only lower ASCII characters without spaces, at least eight characters, a number,
uppercase and lowercase letters, and a special character, for example, an exclamation mark (!), hash key (#), at
sign (@), or brackets (()).
7 Select the deployment size for the vCenter Server appliance for your vSphere inventory.
See #unique_71 for information about the deployment sizes you can select. The option that you select
determines the number of CPUs and the amount of memory for the appliance.
8 Select the storage size for the vCenter Server appliance, and click Next.
The required storage depends not only on the size of the vSphere environment, but also on the disk
provisioning mode. See Storage Requirements for the vCenter Server Appliance.
9 Select the storage location for the vCenter Server appliance where all the virtual machine configuration
files and virtual disks will be stored.
Option: Install on an existing datastore accessible from the target host
Action: Select a datastore from the list of compatible datastores.

Option: Install on a new vSAN cluster containing the target host
Action: Specify the required details to create a new vSAN cluster or a vSAN Express Storage Architecture
(vSAN ESA) cluster to store the vCenter Server appliance.

Option: Install on an existing vSAN datastore and claim additional disks
Action: Specify the required details to create a cluster on the vSAN datastore. This option is displayed only if
your environment contains a vSAN datastore.
To enable thin provisioning, select Enable Thin Disk Mode. NFS datastores are thin provisioned by default.
10 (Optional) If you selected vSAN as your storage location, you must claim disks for storage.
For vSAN, claim disks separately for cache tier and capacity tier.
For vSAN ESA, claim disks from the list of compatible disks.
The IP address or the FQDN of the appliance is used as a system name. It is recommended to use an FQDN.
However, if you want to use an IP address, use static IP address allocation for the appliance, because IP
addresses allocated by DHCP might change.
Option Action
IP version Select the version for the appliance IP address. You can
select either IPv4 or IPv6.
The wizard prompts you to enter the IP address and network settings.
DHCP
A DHCP server is used to allocate the IP address. Select this option only if a DHCP
server is available in your environment.
If there is an enabled DDNS in your environment, you can enter a preferred fully
qualified domain name (FQDN) for the appliance.
Common Ports You can customize the HTTP and HTTPS ports (optional).
If specifying a custom HTTP and HTTPS port number, ensure that you do not use a port
number already in use by vCenter Server, or the default HTTP and HTTPS ports of 80 and
443.
12 On the Ready to complete stage 1 page, review the deployment settings for the vCenter Server appliance and
click Finish to start the OVA deployment process.
13 Wait for the OVA deployment to finish, and click Continue to proceed with stage 2 of the deployment
process to set up and start the services of the newly deployed appliance.
Note If you exit the wizard by clicking Close, you must log in to the vCenter Server Management Interface to
set up and start the services.
Results
The newly deployed vCenter Server appliance is running on the target server but the services are not started.
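Stage 1 asks you to accept a SHA1 certificate thumbprint for the target and to enter an appliance name and root password that follow the rules stated in the procedure. The following Python pre-flight check is an added example, not part of the VMware guide or installer; the function names and sample values are constructed, and it assumes that you hold a thumbprint for the target that was recorded over a trusted channel.

```python
"""Pre-flight checks for values used in stage 1 of the GUI deployment
(added example; names and sample values are constructed)."""
import hashlib
import hmac
import re
import ssl
import string

NAME_FORBIDDEN = set("%\\/")   # percent sign, backslash, forward slash
NAME_MAX_LEN = 80
SAMPLE_DER = b"abc"            # constructed stand-in bytes, NOT a real certificate


def appliance_name_problems(name):
    """Rule violations for the appliance name (an empty list means it passes)."""
    problems = []
    if len(name) > NAME_MAX_LEN:
        problems.append("name is longer than 80 characters")
    bad = sorted(NAME_FORBIDDEN & set(name))
    if bad:
        problems.append("name contains forbidden character(s): " + " ".join(bad))
    return problems


def root_password_problems(password):
    """Rule violations for the root password (an empty list means it passes)."""
    problems = []
    # "Lower ASCII without spaces" is read here as printable 0x21-0x7E only.
    if any(not (0x21 <= ord(ch) <= 0x7E) for ch in password):
        problems.append("contains a space or a character outside lower ASCII")
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not any(ch in string.digits for ch in password):
        problems.append("no number")
    if not any(ch in string.ascii_uppercase for ch in password):
        problems.append("no uppercase letter")
    if not any(ch in string.ascii_lowercase for ch in password):
        problems.append("no lowercase letter")
    if not any(ch in string.punctuation for ch in password):
        problems.append("no special character")
    return problems


def normalize_thumbprint(text):
    """Drop separators and case so 'AA:BB', 'aa bb' and 'aabb' forms compare equal."""
    hexdigits = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", hexdigits):
        raise ValueError("not a SHA-1 thumbprint (expected 20 bytes of hex)")
    return hexdigits


def sha1_thumbprint(der_cert):
    """SHA-1 digest of a DER-encoded certificate as colon-separated hex pairs."""
    digest = hashlib.sha1(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def thumbprint_matches(der_cert, trusted_thumbprint):
    """Compare the presented certificate with a thumbprint recorded out of band."""
    presented = normalize_thumbprint(sha1_thumbprint(der_cert))
    return hmac.compare_digest(presented, normalize_thumbprint(trusted_thumbprint))


def fetch_der_certificate(host, port=443):
    """Fetch the certificate the target presents, without trusting it (needs network)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    print(appliance_name_problems("lab/vcsa%01"))
    print(root_password_problems("short1A"))
    print(sha1_thumbprint(SAMPLE_DER))
    # A mismatch here means the warning dialog must not be accepted.
    print(thumbprint_matches(SAMPLE_DER, "a9993e364706816aba3e25717850c26c9cd0d89d"))
```

For a real target, pass the bytes returned by fetch_der_certificate() to thumbprint_matches() and accept the certificate warning only when the result is True and the dialog shows the same value.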
When the OVA deployment finishes, you are redirected to stage 2 of the deployment process to set up and start the
services of the newly deployed vCenter Server appliance.
Procedure
1 Review the introduction to stage 2 of the deployment process and click Next.
2 Configure the time settings in the appliance, optionally enable remote SSH access to the appliance, and
click Next.
Option: Synchronize time with the ESXi host
Description: Enables periodic time synchronization, and VMware Tools sets the time of the guest
operating system to be the same as the time of the ESXi host.

Option: Synchronize time with NTP servers
Description: Uses a Network Time Protocol server for synchronizing the time. If you select this option,
you must enter the names or IP addresses of the NTP servers separated by commas.
Option: Create a new Single Sign-On domain
Description: Creates a new vCenter Single Sign-On domain.
a Enter the domain name, for example vsphere.local.
b Set the password for the vCenter Single Sign-On administrator account.

Option: Join an existing vCenter Single Sign-On domain
Description: Joins a new vCenter Single Sign-On server to an existing vCenter Single Sign-On domain.
You must provide the information about the vCenter Single Sign-On server to which you
join the new vCenter Single Sign-On server.
a Enter the fully qualified domain name (FQDN) or IP address of the
vCenter Single Sign-On server to join.
b Enter the HTTPS port to use for communication with the vCenter Single Sign-On
server.
c Enter the domain name for the vCenter Single Sign-On you are joining, for
example vsphere.local.
When you select to join an existing vCenter Single Sign-On domain, you enable the Enhanced Linked Mode
feature. The infrastructure data is replicated with the joined vCenter Single
Sign-On server.
4 Review the VMware Customer Experience Improvement Program (CEIP) page and choose if you want to
join the program.
For information about the CEIP, see the Configuring Customer Experience Improvement Program section in
vCenter Server and Host Management.
5 On the Ready to complete page, review the configuration settings for the vCenter Server appliance, click
Finish, and click OK to complete stage 2 of the deployment process and set up the appliance.
6 (Optional) After the initial setup finishes, enter the URL
https://vcenter_server_appliance_fqdn/ui in the browser to go to the vSphere Client and log in to the vCenter
Server instance in the vCenter Server appliance, or click
https://vcenter_server_appliance_fqdn:443 to go to the vCenter Server appliance Getting Started page.
You are redirected to the vCenter Server appliance Getting Started page.
What to do next
You can configure high availability for the vCenter Server appliance. For information about providing vCenter
Server appliance high availability, see vSphere Availability.
With vSphere 8.0, all of the configuration is done from the vSphere HTML5 Web Client. The flex-based
Web Client is no longer available.
You must assign a license to a vCenter Server system before its evaluation period expires or its currently assigned
license expires. If you upgrade, combine, or divide vCenter Server licenses in Customer Connect, you must assign
the new licenses to vCenter Server systems and remove the old licenses.
Prerequisites
To view and manage licenses in the vSphere environment, you must have the Global.Licenses
privilege on the vCenter Server system, where the vSphere Client runs.
Procedure
5 In the Assign License dialog box, select the task that you want to perform.
In the vSphere Client, select an existing license or select a newly created license.
Task Steps
Select an existing license Select an existing license from the list and click OK.
Details about the product, product features, capacity, and expiration period appear on
the page.
d Click OK.
e In the Assign License dialog box, select the newly created license, and click OK.
Results
The license is assigned to the vCenter Server system, and one instance from the license capacity is allocated for the
vCenter Server system.
You must assign a license to an ESXi host before its evaluation period expires or its currently assigned license
expires. If you upgrade, combine, or divide vSphere licenses in Customer Connect, you must assign the new
licenses to ESXi hosts and remove the old licenses.
Prerequisites
To view and manage licenses in the vSphere environment, you must have the Global.Licenses
privilege on the vCenter Server system, where the vSphere Client runs.
Procedure
5 In the Assign License dialog box, select the task that you want to perform.
In the vSphere Client, select an existing license or select a newly created license.
Task Steps
Select an existing license Select an existing license from the list and click OK.
Details about the product, product features, capacity, and expiration period appear on
the page.
d Click OK.
e In the Assign License dialog box, select the newly created license, and click OK.
Results
The license is assigned to the host. Capacity from the license is allocated according to the license use of the host.
You must assign a license to a vSAN cluster before its evaluation period expires or its currently assigned license
expires.
If you upgrade, combine, or divide vSAN licenses, you must assign the new licenses to vSAN clusters. When you
assign a vSAN license to a cluster, the amount of license capacity used equals the total number of CPUs in the hosts
participating in the cluster. The license use of the vSAN cluster is recalculated and updated every time you add or
remove a host from the cluster. For information about managing licenses and licensing terminology and definitions,
see the vCenter Server and Host Management documentation.
When you enable vSAN on a cluster, you can use vSAN in evaluation mode to explore its features. The evaluation
period starts when vSAN is enabled, and expires after 60 days. To use vSAN, you must license the cluster before the
evaluation period expires. Just like vSphere licenses, vSAN licenses have per CPU capacity. Some advanced features,
such as all-flash configuration and stretched clusters, require a license that supports the feature.
Prerequisites
To view and manage vSAN licenses, you must have the Global.Licenses privilege on the vCenter
Server systems.
Procedure
A virtual data center is a container for all the inventory objects required to complete a fully functional environment
for operating virtual machines. You can create multiple data centers to organize groups of environments to meet
different user needs. For example, you can create a data center for each organizational unit in your enterprise or create some data centers for high-performance environments and other data centers for less demanding environments.
Prerequisites
Required privileges:
Datacenter.Create datacenter
Procedure
1 In the vSphere Client home page, navigate to Home > Hosts and Clusters.
3 (Optional) Enter a name for the data center and click OK.
What to do next
Add hosts, clusters, resource pools, vApps, networking, datastores, and virtual machines to the data center.
A cluster is a group of hosts. When a host is added to a cluster, the resources of the host become part of the resources
of the cluster. The cluster manages the resources of all hosts that it contains.
Starting with vSphere 6.7, you can create and configure a cluster that is hyper-converged. The hyper-converged
infrastructure collapses compute, storage, and networking on a single software layer that runs on industry standard
x86 servers.
You can create and configure a cluster by using the simplified Quickstart workflow in the vSphere Client. On the
Cluster quickstart page, there are three cards for configuring your new cluster.
Table 2-11. The cards initiating wizards for renaming and configuring a new cluster
Cluster Quickstart Workflow: Description
1. Cluster basics: You can edit the cluster name and enable or disable cluster services. The card lists the services you enabled.
2. Add hosts: You can add new ESXi hosts. After the hosts are added, the card shows the total number of hosts present in the cluster and displays health check validation for those hosts.
3. Configure cluster: You can configure network settings for vMotion traffic, review and customize cluster services. After the cluster is configured, the card provides details on configuration mismatch and reports cluster health results through the vSAN Health service.
The Skip Quickstart button prompts you to continue configuring the cluster and its hosts manually. To confirm
exiting the simplified configuration workflow, click Continue. After you dismiss the Cluster quickstart workflow,
you cannot restore it for the current cluster.
If you plan to enable vSphere High Availability (HA), vSphere Distributed Resource Scheduler (DRS), and the
VMware vSAN features, you must create clusters.
Starting with vSphere 7.0, you can create a cluster that you manage with a single image. By using vSphere Lifecycle
Manager images, you can easily update and upgrade the software and firmware on the hosts in the cluster. Starting
with vSphere 7.0 Update 2, during cluster creation, you can select a reference host and use the image on that host as
the image for the newly created cluster. For more information about using images to manage ESXi hosts and
clusters, see the Managing Host and Cluster Lifecycle documentation.
Starting with vSphere 7.0 Update 1, vSphere Cluster Services (vCLS) is enabled by default and runs in all vSphere
clusters. vCLS ensures that if vCenter Server becomes unavailable, cluster services remain available to maintain the
resources and health of the workloads that run in the clusters. For more information about vCLS, see #unique_79.
Create a vSphere Cluster with vSphere Client
You create a new vSphere cluster object by using the vSphere Client.
Starting with vSphere 7.0, the clusters that you create can use vSphere Lifecycle Manager images for host updates
and upgrades.
A vSphere Lifecycle Manager image is a combination of vSphere software, driver software, and desired firmware
with regard to the underlying host hardware. The image that a cluster uses defines the full software set that you want
to run on all ESXi hosts in the cluster: the ESXi version, additional VMware-provided software, and vendor software,
such as firmware and drivers.
The image that you define during cluster creation is not immediately applied to the hosts. If you do not set up an
image for the cluster, the cluster uses baselines and baseline groups. Starting with vSphere 7.0 Update 2, during
cluster creation, you can select a reference host and use the image on that host as the image for the newly created
cluster. For more information about using images and baselines to manage hosts in clusters, see the Managing
Host and Cluster Lifecycle documentation.
Prerequisites
Verify that a data center, or a folder within a data center, exists in the inventory.
Verify that hosts have the same ESXi version and patch level.
Obtain the user name and password of the root user account for the host.
Verify that hosts do not have a manual vSAN configuration or a manual networking
configuration.
To create a cluster that you manage with a single image, review the requirements and limitations
information in the Managing Host and Cluster Lifecycle documentation.
Required privileges:
Host.Inventory.Create cluster
Procedure
1 In the vSphere Client home page, navigate to Home > Hosts and Clusters.
Option: Description
To use DRS with this cluster:
a Slide the switch to the right to enable the DRS service.
b (Optional) Click the info icon on the left to see the Default Settings for the DRS service. The default values are:
Automation Level: Fully Automated
Migration Threshold: 3
To use vSphere HA with this cluster:
a Slide the switch to the right to enable the vSphere HA service.
b (Optional) Click the info icon on the left to see the Default Settings for the vSphere HA service. You are presented with the following default values:
VM Monitoring: Disabled
To use vSAN with this cluster: Slide the switch to the right to enable the vSAN service. For more information on vSAN, see Creating a vSAN Cluster in the vSAN Planning and Deployment documentation.
6 (Optional) To create a cluster that you manage with a single image, select the Manage all hosts in the cluster
with a single image check box.
For information about creating a cluster that you manage with a single image, see the Managing Host and
Cluster Lifecycle documentation.
7 Click Next.
The cluster appears in the vCenter Server inventory. The Quickstart workflow appears under
Configure > Configuration.
Results
What to do next
You can use the Quickstart workflow to easily configure and expand the cluster. You can also skip the Quickstart
workflow and continue configuring the cluster and its hosts manually.
You can also add hosts to a DRS cluster. For more information, see the vSphere Resource Management
documentation.
When you add the first three hosts to the cluster, vSphere Cluster Services (vCLS) agent virtual machines are
added by default to the cluster. A quorum of up to three vCLS agent virtual machines are required to run in a
cluster, one agent virtual machine per host. For more information about vCLS, see #unique_79.
Prerequisites
Verify that hosts have the same ESXi version and patch level.
Obtain the user name and password of the root user account for the host.
Verify that hosts do not have a manual vSAN configuration or a manual networking
configuration.
Verify that you have the proper privileges. Different sets of privileges apply when you add multiple hosts to a
cluster and a single host to a cluster or a data center. For more information, see Required Privileges for
Common Tasks in the vSphere Security documentation.
To add a host to a cluster that you manage with a single image, see the Managing Host and Cluster
Lifecycle documentation.
Procedure
4 On the Add hosts wizard, add new or existing hosts to the cluster.
Add hosts that are not part of the vCenter Server inventory.
b Populate the IP Address and credentials text boxes for those hosts.
c (Optional) To add more new hosts, click the Add Host button.
d (Optional) To reuse the credentials for all added hosts, select the Use the same credentials
for all hosts check box.
Add hosts that are managed by your vCenter Server instance and are in the same data center as your
cluster. The hosts must not be part of another cluster on the vCenter Server instance.
b From the list, select the hosts that you want to add to the cluster.
5 Click Next.
The Host summary page lists all hosts that will be added to the cluster and related warnings.
Note If a host cannot be validated automatically by the system, you are prompted to manually validate its
certificate and accept its thumbprint in the Security Alert pop-up.
6 On the Host summary page, review the details of the added hosts and click Next.
7 (Optional) On the Import Image page, select the host whose image to use as the image for the cluster.
The Import Image page appears when you add hosts to a cluster managed with a single image. For information
about adding a host to a cluster that you manage with a single image, see the Managing Host and Cluster
Lifecycle documentation.
8 On the Ready to complete page, review the IP addresses or FQDN of the added hosts and click Finish.
Review the number of added hosts and the health check validation, performed by the vSAN Health service, in the
Add hosts card.
Results
All hosts are placed in maintenance mode and added to your cluster. You can manually exit the maintenance mode.
What to do next
You can view and manage certificates by using the vSphere Client. The vSphere
View the machine SSL, VMware Certificate Authority (VMCA) root, Trusted Root, and Security Token
Service (STS) certificates.
Add new Trusted Root certificates, and renew or replace existing machine SSL and STS certificates.
Generate a custom Certificate Signing Request (CSR) for a machine SSL certificate and replace the certificate
when the Certificate Authority returns it.
Most parts of the certificate replacement workflows are supported fully from the vSphere Client. Other certificate
replacement workflows are supported by the vSphere Certificate Manager utility. See #unique_83.
To understand more about options for replacing the default certificates, see #unique_84.
Note If you use the VMCA as an intermediate CA, or use custom certificates, you might encounter significant
complexity and the potential for a negative impact to your security, and an unnecessary increase in your
operational risk. For more information about managing certificates within a vSphere environment, see the blog
post titled New Product Walkthrough - Hybrid vSphere SSL Certificate Replacement at
http://vmware.com/go/hybridvmca.
Set the Threshold for vCenter Certificate Expiration Warnings Using the vSphere Client
vCenter Server monitors all certificates in the VMware Endpoint Certificate Store (VECS) and issues an alarm when a certificate is 30 days or less from its expiration. You can use the vSphere Client to change how soon you are warned with the vpxd.cert.threshold advanced option.
Procedure
1 Log in to the vSphere Client.
5 Change the setting of vpxd.cert.threshold to the desired value and click Save.
Renew VMCA Certificates with New VMCA-Signed Certificates Using the vSphere Client
You can replace all VMCA-signed certificates with new VMCA-signed certificates. This process is called
renewing certificates. You can renew selected certificates or all certificates in your environment from the
vSphere Client.
Prerequisites
For certificate management, you have to supply the password of the administrator of the local domain
(administrator@vsphere.local by default). If you are renewing certificates for a vCenter Server system, you also have
to supply the vCenter Single Sign-On credentials for a user with administrator privileges on the vCenter Server
system.
Procedure
2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter
Single Sign-On Administrators group.
4 If the system prompts you, enter the credentials of your vCenter Server.
5 Renew the VMCA-signed machine SSL certificate for the local system.
a From the Machine SSL Certificate tile, click Actions > Renew.
c Click Renew.
vCenter Server services restart automatically. You must log back in because restarting the services ends the
UI session.
Replace Certificates with Custom Certificates Using the vSphere Client
You can use the vSphere Client to replace the default certificates with custom certificates.
You can use the vSphere Client to generate CSRs for each machine, and replace certificates when you receive them
from your internal or third-party Certificate Authority (CA). When you submit the CSRs to your internal or third-party CA, the CA returns signed certificates and the root certificate. You can upload both the root certificate and the
signed certificates from the vSphere Client.
Generate Certificate Signing Request for Machine SSL Certificate Using the vSphere Client (Custom Certificates)
The machine SSL certificate is used by the reverse proxy service on every vCenter Server node. Each machine must
have a machine SSL certificate for secure communication with other services. You can use the vSphere Client to
generate a Certificate Signing Request (CSR) for the machine SSL certificate and to replace the certificate once it is
ready.
Prerequisites
Key size: 2048 bits (minimum) to 16384 bits (maximum) (PEM encoded)
CRT format
x509 version 3
Procedure
2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter
Single Sign-On Administrators group.
a Under the Machine SSL Certificate tile, click Actions > Generate Certificate Signing Request
(CSR).
b Enter your certificate information and click Next.
Starting in vSphere 8.0, 3072 (bits) is the default value for the key size. 2048 is no longer supported when
generating a CSR by using the vSphere Client. vCenter Server still does accept custom certificates bearing
a key length of 2048 bits. However, starting in vSphere 8.0, you can only generate CSRs using the vSphere
Client with a minimum key length of 3072 bits.
Note When you use vCenter Server to generate a CSR with a key size of 16384 bits, the generation takes a
few minutes to complete because of the CPU-intensive nature of the operation.
d Click Finish.
What to do next
When the Certificate Authority returns the certificate, replace the existing certificate in the certificate store. See Add
Custom Certificates Using the vSphere Client.
Generate Certificate Signing Requests Using the Certificate Manager (Custom Certificates)
You can use the vSphere Certificate Manager utility to generate Certificate Signing Requests (CSRs) that you can
then use with your enterprise CA or send to an external certificate authority. You can use the certificates with the
different supported certificate replacement processes.
Prerequisites
vSphere Certificate Manager prompts you for information. The prompts depend on your environment and on the type
of certificate you want to replace.
For any CSR generation, you are prompted for the password of the administrator@vsphere.local user, or
for the administrator of the vCenter Single Sign-On domain that you are connecting to.
You are prompted for the host name or IP address of the vCenter Server.
To generate a CSR for a machine SSL certificate, you are prompted for certificate properties, which are
stored in the certool.cfg file. For most fields, you can accept the default or provide site-specific values.
The FQDN of the machine is required.
Note Starting in vSphere 8.0, if you use vCenter Server to generate the CSR, the key size is changed to 3072 bits
from 2048 by default.
Procedure
1 Log in to each vCenter Server (the vCenter Server shell) in your environment and start the vSphere
Certificate Manager.
/usr/lib/vmware-vmca/bin/certificate-manager
4 Select Option 1, Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate, to generate
the CSR, answer the prompts and exit vSphere Certificate Manager.
As part of the process, you have to provide a directory. vSphere Certificate Manager places the certificate
and key files in the directory.
5 If you also want to replace all solution user certificates, restart vSphere Certificate Manager and select
Option 5, Replace Solution user certificates with Custom Certificate.
6 Supply the password and the vCenter Server IP address or host name if prompted.
7 Select Option 1, Generate Certificate Signing Request(s) and Key(s) for Solution User Certificates, to
generate the CSRs, answer the prompts and exit vSphere Certificate Manager.
As part of the process, you have to provide a directory. Certificate Manager places the certificate and key files
in the directory.
What to do next
Add a Trusted Root Certificate to the Certificate Store Using the vSphere Client
If you want to use third-party certificates in your environment, you must add a trusted root certificate to the
certificate store. You can do so using the vSphere Client.
Prerequisites
Obtain the custom root certificate from your third-party or in-house certificate authority (CA).
vSphere accepts only valid CA certificates for import. To be valid, a CA certificate must have the CA bit and the
keyCertSign bit set in the basic constraint and the key usage X.509 v3 certificate extensions respectively. This
implies that the certificate is a CA and its purpose is for certificate signing. See
https://www.rfc-editor.org/rfc/rfc5280 for more information.
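The CA certificate requirements above, the machine SSL certificate requirements (X.509 version 3, key size 2048 to 16384 bits) and the 30-day expiration window described earlier can all be checked against a certificate file before you import it. The script below is an added example, not part of the original guide and not VMware tooling; it assumes the openssl command-line tool and RSA keys, and its function names are illustrative.

```shell
#!/bin/sh
# Added example: pre-import checks for certificates destined for vCenter Server.
# Assumes the openssl CLI and RSA keys; function names are this example's own.

# Dump a PEM X.509 certificate as text; non-zero if the file does not parse.
cert_text() {
    openssl x509 -in "$1" -noout -text 2>/dev/null
}

# Trusted root check from the page: the CA bit (basicConstraints CA:TRUE)
# and the keyCertSign bit (keyUsage "Certificate Sign") must both be set.
# Returns 0 = importable as a CA, 1 = a required bit is missing, 2 = unreadable.
is_valid_ca_cert() {
    ca_txt=$(cert_text "$1") || return 2
    printf '%s\n' "$ca_txt" | grep -A1 'X509v3 Basic Constraints' \
        | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$ca_txt" | grep -A1 'X509v3 Key Usage' \
        | grep -q 'Certificate Sign' || return 1
    return 0
}

# Print the public key size in bits (empty output if it cannot be read).
cert_key_bits() {
    cert_text "$1" \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Machine SSL requirements from the page: X.509 version 3 and a key size
# between 2048 and 16384 bits.
meets_machine_ssl_requirements() {
    ssl_txt=$(cert_text "$1") || return 2
    printf '%s\n' "$ssl_txt" | grep -q 'Version: 3 (0x2)' || return 1
    ssl_bits=$(cert_key_bits "$1")
    [ -n "$ssl_bits" ] || return 1
    [ "$ssl_bits" -ge 2048 ] && [ "$ssl_bits" -le 16384 ]
}

# Succeeds when the certificate expires within N days (default 30, the
# window in which vCenter Server raises its expiration alarm by default).
expires_within_days() {
    exp_days=${2:-30}
    cert_text "$1" >/dev/null || return 2
    if openssl x509 -in "$1" -noout -checkend $((exp_days * 86400)) \
        >/dev/null 2>&1; then
        return 1    # still valid once the window has passed
    fi
    return 0
}

# Command-line use: sh cert_preflight.sh ca|ssl|expiry <cert.pem> [days]
case "${1:-}" in
    ca)     is_valid_ca_cert "$2" && echo "OK: CA and keyCertSign bits set" ;;
    ssl)    meets_machine_ssl_requirements "$2" && echo "OK: v3, key size in range" ;;
    expiry) expires_within_days "$2" "${3:-30}" && echo "WARNING: expires within ${3:-30} days" ;;
esac
```

A certificate that sets CA:TRUE but omits keyCertSign fails the first check, which is the case most often missed when a root is exported from an in-house CA.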
Procedure
2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter
Single Sign-On Administrators group.
4 If the system prompts you, enter the credentials of your vCenter Server.
7 Click Add.
Prerequisites
Generate certificate signing requests (CSRs) for each certificate that you want to replace. See Generate
Certificate Signing Request for Machine SSL Certificate Using the vSphere Client (Custom Certificates). Place
the certificate and private key in a location that the vCenter Server can access.
Procedure
2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter
Single Sign-On Administrators group.
4 If the system prompts you, enter the credentials of your vCenter Server.
5 Under the Machine SSL Certificate tile, click Actions > Import and Replace Certificate.
6 Click the appropriate certificate replacement option and click Next.
Option: Description
Replace with VMCA: Creates a VMCA-generated CSR to replace the current certificate.
Replace with certificate generated from vCenter Server: Use a certificate signed using a vCenter Server generated CSR to replace the current certificate.
Replace with external CA certificate (requires private key): Use a certificate signed by an external CA to replace the current certificate.
8 Click Replace.
When a user logs in with just a user name, vCenter Single Sign-On checks in the default identity source whether
that user can authenticate. When a user logs in and includes the domain name in the login screen, vCenter Single
Sign-On checks the specified domain if that domain has been added as an identity source. You can add identity
sources, remove identity sources, and change the default.
You configure vCenter Single Sign-On from the vSphere Client. To configure vCenter Single Sign-On, you
must have vCenter Single Sign-On administrator privileges. Having vCenter Single Sign-On administrator
privileges is different from having the Administrator role on vCenter Server or ESXi. In a new installation,
only the vCenter Single Sign-On administrator (administrator@vsphere.local by default) can authenticate to
vCenter Single Sign-On.
Note In vSphere 7.0 Update 2 and later, you can enable FIPS on vCenter Server. See the vSphere Security
documentation. AD over LDAP and IWA are not supported when FIPS is enabled. Use external identity provider
federation when in FIPS mode. For more information about configuring vCenter Server Identity Provider Federation,
see vSphere Authentication documentation.
An administrator can add identity sources, set the default identity source, and create users and groups in the
vsphere.local identity source.
The user and group data is stored in Active Directory, OpenLDAP, or locally to the operating system of the machine
where vCenter Single Sign-On is installed. After installation, every instance of vCenter Single Sign-On has the
identity source your_domain_name, for example vsphere.local. This identity source is internal to vCenter Single
Sign-On.
Note At any time, only one default domain exists. If a user from a non-default domain logs in, that user must add the
domain name to authenticate successfully. The domain name is in the form:
DOMAIN\user
Active Directory over LDAP. vCenter Single Sign-On supports multiple Active Directory over LDAP
identity sources.
Active Directory (Integrated Windows Authentication) versions 2003 and later. vCenter Single Sign-On allows
you to specify a single Active Directory domain as an identity source. The domain can have child domains or
be a forest root domain. VMware KB article 2064250 discusses Microsoft Active Directory Trusts supported
with vCenter Single Sign-On.
OpenLDAP versions 2.4 and later. vCenter Single Sign-On supports multiple OpenLDAP identity
sources.
Note A future update to Microsoft Windows will change the default behavior of Active Directory to require
strong authentication and encryption. This change will impact how vCenter Server authenticates to Active
Directory. If you use Active Directory as your identity source for vCenter Server, you must plan to enable
LDAPS. For more information about this Microsoft security update, see
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023 and
https://blogs.vmware.com/vsphere/2020/01/microsoft-ldap-vsphere-channel-binding-signing-adv190023.html.
For more information about vCenter Single Sign-On, see vSphere Authentication.
Set the Default Domain for vCenter Single Sign-On
Each vCenter Single Sign-On identity source is associated with a domain. vCenter Single Sign-On uses the default
domain to authenticate a user who logs in without a domain name. Users who belong to a domain that is not the
default domain must include the domain name when they log in.
When a user logs in to a vCenter Server system from the vSphere Client, the login behavior depends on whether the
user is in the domain that is set as the default identity source.
Users who are in the default domain can log in with their user name and password.
Users who are in a domain that has been added to vCenter Single Sign-On as an identity source but is not the
default domain can log in to vCenter Server but must specify the domain in one of the following ways.
Users who are in a domain that is not a vCenter Single Sign-On identity source cannot log in to vCenter
Server. If the domain that you add to vCenter Single Sign-On is part of a domain hierarchy, Active
Directory determines whether users of other domains in the hierarchy are authenticated or not.
Procedure
2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter
Single Sign-On Administrators group.
4 Under the Identity Provider tab, click Identity Sources, select an identity source, and click Set as Default.
5 Click OK.
In the domain display, the default domain shows (default) in the Type column.
An identity source can be an Active Directory over LDAP, a native Active Directory (Integrated Windows
Authentication) domain, or an OpenLDAP directory service. See Identity Sources for vCenter Server with
vCenter Single Sign-On.
Immediately after installation, the vsphere.local domain (or the domain you specified during installation) with the
vCenter Single Sign-On internal users is available.
Note If you have updated or replaced your Active Directory SSL certificate, you must remove and re-add the
identity source in vCenter Server.
Prerequisites
If you are adding an Active Directory (Integrated Windows Authentication) identity source, the vCenter Server must
be in the Active Directory domain. See #unique_98.
Procedure
2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter
Single Sign-On Administrators group.
4 Under the Identity Provider tab, click Identity Sources, and click Add.
5 Select the identity source and enter the identity source settings.
Option: Description
Active Directory (Integrated Windows Authentication): Use this option for native Active Directory implementations. The machine on which the vCenter Single Sign-On service is running must be in an Active Directory domain if you want to use this option. See Active Directory Identity Source Settings.
Active Directory over LDAP: This option requires that you specify the domain controller and other information. See Active Directory over LDAP and OpenLDAP Server Identity Source Settings.
OpenLDAP: Use this option for an OpenLDAP identity source. See Active Directory over LDAP and OpenLDAP Server Identity Source Settings.
Note If the user account is locked or disabled, authentications and group and user searches in the Active
Directory domain fail. The user account must have read-only access over the User and Group OU, and must be
able to read user and group attributes. Active Directory provides this access by default. Use a special service
user for improved security.
6 Click Add.
What to do next
Initially, each user is assigned the No Access role. A vCenter Server administrator must assign the user at least to
the Read Only role before the user can log in. See the vSphere Security documentation.
Active Directory Identity Source Settings
If you select the Active Directory (Integrated Windows Authentication) identity source type, you can use the local
machine account as your SPN (Service Principal Name) or specify an SPN explicitly. You can use this option only
if the vCenter Single Sign-On server is joined to an Active Directory domain.
Prerequisites for Using an Active Directory (Integrated Windows Authentication) Identity Source
You can set up vCenter Single Sign-On to use an Active Directory (Integrated Windows Authentication) identity
source only if that identity source is available. Follow the instructions in the vCenter Server Configuration
documentation.
Note Active Directory (Integrated Windows Authentication) always uses the root of the Active Directory domain
forest. To configure your Integrated Windows Authentication identity source with a child domain within your
Active Directory forest, see the VMware knowledge base article at http://kb.vmware.com/kb/2070433.
Select Use machine account to speed up configuration. If you expect to rename the local machine on which
vCenter Single Sign-On runs, specifying an SPN explicitly is preferable.
If you have enabled diagnostic event logging in your Active Directory to identify where hardening might be
needed, you might see a log event with Event ID 2889 on that directory server. Event ID 2889 is generated as an
anomaly rather than a security risk when using Integrated Windows Authentication. For more information about
Event ID 2889, see the VMware knowledge base article at https://kb.vmware.com/s/article/78644.
Text Box: Description
Domain name: FQDN of the domain name, for example, mydomain.com. Do not provide an IP address. This domain name must be DNS-resolvable by the vCenter Server system.
Use machine account: Select this option to use the local machine account as the SPN. When you select this option, you specify only the domain name. Do not select this option if you expect to rename this machine.
Use Service Principal Name (SPN): Select this option if you expect to rename the local machine. You must specify an SPN, a user who can authenticate with the identity source, and a password for the user.
Service Principal Name (SPN): SPN that helps Kerberos to identify the Active Directory service. Include the domain in the name, for example, STS/example.com.
User Principal Name (UPN), Password: Name and password of a user who can authenticate with this identity source. Use the email address format, for example, jchin@mydomain.com. You can verify the User Principal Name with the Active Directory Service Interfaces Editor (ADSI Edit).
Active Directory over LDAP and OpenLDAP Server Identity Source Settings
The Active Directory over LDAP identity source is preferred over the Active Directory (Integrated Windows
Authentication) option. The OpenLDAP Server identity source is available for environments that use
OpenLDAP.
If you are configuring an OpenLDAP identity source, see the VMware knowledge base article at
http://kb.vmware.com/kb/2064977 for additional requirements.
Note A future update to Microsoft Windows will change the default behavior of Active Directory to require
strong authentication and encryption. This change will impact how vCenter Server authenticates to Active
Directory. If you use Active Directory as your identity source for vCenter Server, you must plan to enable
LDAPS. For more information about this Microsoft security update, see
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023 and
https://blogs.vmware.com/vsphere/2020/01/microsoft-ldap-vsphere-channel-binding-signing-adv190023.html.
Table 2-13. Active Directory over LDAP and OpenLDAP Server Settings
Option Description
Base DN for users Base Distinguished Name for users. Enter the DN from which
to start user searches. For example,
cn=Users,dc=myCorp,dc=com.
Base DN for groups The Base Distinguished Name for groups. Enter the DN from
which to start group searches. For example,
cn=Groups,dc=myCorp,dc=com.
Domain alias For Active Directory identity sources, the domain's NetBIOS name.
Add the NetBIOS name of the Active Directory domain as an alias
of the identity source if you are using SSPI authentications.
For OpenLDAP identity sources, the domain name in
capital letters is added if you do not specify an alias.
User name ID of a user in the domain who has a minimum of read-only access
to Base DN for users and groups. The ID can be in any of these
formats:
UPN (user@domain.com)
NetBIOS (DOMAIN\user)
DN (cn=user,cn=Users,dc=domain,dc=com)
The user name must be fully-qualified. An entry of "user" does not
work.
Connect to Domain controller to connect to. Can be any domain controller in the
domain, or specific controllers.
Primary Server URL Primary domain controller LDAP server for the domain. You can
use either the host name or the IP address.
Use the format ldap://hostname_or_IPaddress:port or
ldaps://hostname_or_IPaddress:port. The port is
typically 389 for LDAP connections and 636 for LDAPS connections.
For Active Directory multi-domain controller deployments, the port is
typically 3268 for LDAP and 3269 for LDAPS.
A certificate that establishes trust for the LDAPS endpoint of the
Active Directory server is required when you use
ldaps:// in the primary or the secondary LDAP URL.
Secondary server URL Address of a secondary domain controller LDAP server that is used
for failover. You can use either the host name or the IP address.
SSL certificates If you want to use LDAPS with your Active Directory LDAP Server
or OpenLDAP Server identity source, click Browse to select a
certificate. To export the root CA certificate from Active Directory,
consult the Microsoft documentation.
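The rules in Table 2-13 can be checked before the values are entered in the identity source dialog. The following Python sketch is an added example, not VMware code; the dictionary keys, the sample values and the simplified DN pattern are assumptions.

```python
import re
from urllib.parse import urlsplit

# Typical ports from the settings table: 389/636, and 3268/3269 for
# Active Directory multi-domain controller deployments.
TYPICAL_PORTS = {"ldap": {389, 3268}, "ldaps": {636, 3269}}

# Simplified patterns (assumption: no escaped commas inside DN values).
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(\s*,\s*[A-Za-z][\w-]*=[^,]+)*$")
UPN_RE = re.compile(r"^[^@\\\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
NETBIOS_RE = re.compile(r"^[^\\@\s]+\\[^\\@\s]+$")


def classify_user(name):
    """Return 'DN', 'NetBIOS' or 'UPN'; None when the name is not fully qualified."""
    for kind, pattern in (("DN", DN_RE), ("NetBIOS", NETBIOS_RE), ("UPN", UPN_RE)):
        if pattern.match(name):
            return kind
    return None


def check_url(label, url, has_cert):
    """Check one server URL against the ldap://host:port / ldaps://host:port format."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in TYPICAL_PORTS or not parts.hostname:
        return [f"{label}: expected ldap://host:port or ldaps://host:port, got {url!r}"]
    try:
        port = parts.port
    except ValueError:
        return [f"{label}: invalid port in {url!r}"]
    findings = []
    if port is None:
        findings.append(f"{label}: no port given in {url!r}")
    elif port not in TYPICAL_PORTS[scheme]:
        findings.append(f"{label}: port {port} is not typical for {scheme}://")
    if scheme == "ldap":
        findings.append(f"{label}: plain ldap://; plan the move to LDAPS (ADV190023)")
    elif not has_cert:
        findings.append(f"{label}: ldaps:// needs a certificate that establishes "
                        "trust for the LDAPS endpoint")
    return findings


def preflight(cfg):
    """Return a list of findings for one identity source; empty means no issue found."""
    findings = []
    for key in ("base_dn_users", "base_dn_groups"):
        if not DN_RE.match(cfg.get(key, "")):
            findings.append(f"{key}: not a distinguished name: {cfg.get(key)!r}")
    if classify_user(cfg.get("user_name", "")) is None:
        findings.append("user_name: must be fully qualified (UPN, NetBIOS or DN)")
    has_cert = bool(cfg.get("ssl_certificates"))
    findings += check_url("primary_url", cfg.get("primary_url", ""), has_cert)
    if cfg.get("secondary_url"):
        findings += check_url("secondary_url", cfg["secondary_url"], has_cert)
    return findings


# Constructed sample inputs (host names, account and file name are made up).
GOOD = {
    "base_dn_users": "cn=Users,dc=myCorp,dc=com",
    "base_dn_groups": "cn=Groups,dc=myCorp,dc=com",
    "user_name": "svc-vc-ldap@mycorp.com",
    "primary_url": "ldaps://dc01.mycorp.com:636",
    "secondary_url": "ldaps://dc02.mycorp.com:636",
    "ssl_certificates": ["ad-root-ca.cer"],
}
WEAK = {
    "base_dn_users": "Users",                    # not a DN
    "base_dn_groups": "cn=Groups,dc=myCorp,dc=com",
    "user_name": "user",                         # not fully qualified
    "primary_url": "ldap://10.0.0.5:389",        # unencrypted
    "secondary_url": "ldaps://dc02.mycorp.com",  # no port, and no certificate below
    "ssl_certificates": [],
}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name)
        for finding in preflight(cfg) or ["no findings"]:
            print("  -", finding)
```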
A permission is set on an object in the vCenter Server object hierarchy. Each permission associates the object with a
group or user and the group's or user's access role. For example, you can select a virtual machine object, add one
permission that gives the ReadOnly role to Group 1, and add a second permission that gives the Administrator role to
User 2.
By assigning a different role to a group of users on different objects, you control the tasks that those users can
perform in your vSphere environment. For example, to allow a group to configure memory for the host, select that
host and add a permission that grants a role to that group that includes the Host.Configuration.Memory
Configuration privilege.
You can assign permissions to objects at different levels of the hierarchy, for example, you can assign permissions to
a host object or to a folder object that includes all host objects. See #unique_103. You can also assign propagating
permissions to a global root object to apply the permissions to all objects in all solutions. See #unique_104.
Add a Permission to an Inventory Object
After you create users and groups and define roles, you must assign the users and groups and their roles to the
relevant inventory objects. You can assign the same propagating permissions to multiple objects simultaneously by
moving the objects into a folder and setting the permissions on the folder.
When you assign permissions, the user and the group names must match Active Directory precisely,
including case. If you upgraded from earlier versions of vSphere, check for case inconsistencies if you
experience problems with groups.
Prerequisites
On the object whose permissions you want to modify, you must have a role that includes the
Permissions.Modify permission privilege.
Procedure
1 Browse to the object for which you want to assign permissions in the vSphere Client object navigator.
4 (Optional) If you have configured an external identity provider for federated authentication, the domain of that
identity provider is available to select in the Domain drop-down menu.
5 Select the user or group that will have the privileges defined by the selected role.
a From the User drop-down menu, select the domain for the user or group.
7 (Optional) To propagate the permissions, select the Propagate to children check box.
The role is applied to the selected object and propagates to the child objects.
8 Click OK.
Verify that all components on the vSphere network have their clocks synchronized. If the clocks on the physical
machines in your vSphere network are not synchronized, SSL certificates and SAML tokens, which are time-
sensitive, might not be recognized as valid in communications between network machines.
Unsynchronized clocks can result in authentication problems, which can cause the installation to fail or prevent
the vCenter Server vmware-vpxd service from starting.
Time inconsistencies in vSphere can cause the first boot of a component in your environment to fail at different
services depending on where in the environment time is not accurate and when the time is synchronized. Problems
most commonly occur when the target ESXi host for the destination vCenter Server is not synchronized with NTP
or PTP. Similarly, issues can arise if the destination vCenter Server migrates to an ESXi host set to a different time
due to fully automated DRS.
To avoid time synchronization issues, ensure that the following is correct before installing, migrating, or upgrading
a vCenter Server instance.
The target ESXi host where the destination vCenter Server is to be deployed is synchronized to NTP or PTP.
The ESXi host running the source vCenter Server is synchronized to NTP or PTP.
When upgrading or migrating from vSphere 6.7 to vSphere 8.0, if the vCenter Server appliance is
connected to an external Platform Services Controller, ensure the ESXi host running the external
Platform Services Controller is synchronized to NTP or PTP.
If you are upgrading or migrating from vSphere 6.7 to vSphere 8.0, verify that the source vCenter Server or
vCenter Server appliance and external Platform Services Controller have the correct time.
Verify that any Windows host machine on which vCenter Server runs is synchronized with the Network Time
Protocol (NTP) server. See the VMware knowledge base article at https://kb.vmware.com/s/article/1318.
To synchronize ESXi clocks with an NTP or a PTP server, you can use the VMware Host Client. For information
about editing the time configuration of an ESXi host, see topic Edit the Time
Configuration of an ESXi Host in the VMware Host Client in the vSphere Single Host Management -
VMware Host Client documentation.
To learn how to change time synchronization settings for vCenter Server, see topic Configure the System
Time Zone and Time Synchronization Settings in the vCenter Server Configuration
documentation.
To learn how to edit the time configuration for a host by using the vSphere Client, see topic Editing the Time
Configuration Settings of a Host in the vCenter Server and Host Management documentation.
Synchronize ESXi Clocks with a Network Time Server
Before you install vCenter Server, make sure all machines on your vSphere network have their clocks
synchronized.
This task explains how to set up NTP from the VMware Host Client.
Procedure
1 Start the VMware Host Client, and connect to the ESXi host.
2 Click Manage.
3 Under System, click Time & date, and click Edit settings.
5 In the NTP servers text box, enter the IP address or fully qualified domain name of one or more NTP
servers to synchronize with.
6 From the NTP Service Start-up Policy drop-down menu, select Start and stop with host.
7 Click Save.
When you deploy vCenter Server, you can choose the time synchronization method to be either by using an NTP
server or by using VMware Tools. In case the time settings in your vSphere network change, you can edit the
vCenter Server and configure the time synchronization settings by using the commands in the appliance shell.
When you enable periodic time synchronization, VMware Tools sets the time of the guest operating system to be
the same as the time of the host.
After time synchronization occurs, VMware Tools checks once every minute to determine whether the clocks on the
guest operating system and the host still match. If not, the clock on the guest operating system is synchronized to
match the clock on the host.
Native time synchronization software, such as Network Time Protocol (NTP), is typically more accurate than
VMware Tools periodic time synchronization and is therefore preferred. You can use only one form of periodic time
synchronization in vCenter Server. If you decide to use native time synchronization software, vCenter Server
VMware Tools periodic time synchronization is deactivated.
Add or Replace NTP Servers in the vCenter Server Configuration
To set up the vCenter Server to use NTP-based time synchronization, you must add the NTP servers to the vCenter
Server configuration.
Procedure
1 Access the appliance shell and log in as a user who has the administrator or super administrator
role.
2 Add NTP servers to the vCenter Server configuration by running the following ntp.set
command.
This command removes the current NTP servers (if any) and adds the new NTP servers to the configuration. If
the time synchronization is based on an NTP server, then the NTP daemon is restarted to reload the new NTP
servers. Otherwise, this command replaces the current NTP servers in the NTP configuration with the new NTP
servers you specify.
3 (Optional) To verify that you successfully applied the new NTP configuration settings, run the following
command.
ntp.get
The command returns a space-separated list of the servers configured for NTP synchronization. If the NTP
synchronization is activated, the command returns that the NTP configuration is in Up status. If the NTP
synchronization is deactivated, the command returns that the NTP configuration is in Down status.
4 (Optional) To verify if the NTP server is reachable, run the following command.
What to do next
If the NTP synchronization is deactivated, you can configure the time synchronization settings in the vCenter
Server to be based on an NTP server. See Synchronize the Time in vCenter Server with an NTP Server.
Prerequisites
Set up one or more Network Time Protocol (NTP) servers in the vCenter Server configuration. See Add or Replace
NTP Servers in the vCenter Server Configuration.
Procedure
1 Access the appliance shell and log in as a user who has the administrator or super administrator
role.
3 (Optional) Run the command to verify that you successfully applied the NTP synchronization.
timesync.get
These steps, together with any additional service steps (for example, when VMware NSX is used), are required for
this design.
Procedure
1 In the vSphere Client, right-click a data center from the inventory tree.
3 On the Name and location page, enter a name for the new distributed switch, or accept the generated name,
and click Next.
4 On the Select version page, select a distributed switch version and click Next.
Option Description
Distributed Switch: 8.0.0 Compatible with ESXi 8.0 and later. Features released with later vSphere distributed switch
versions are not supported.
Distributed Switch: 7.0.3 Compatible with ESXi 7.0.3 and later. Features released with later vSphere distributed
switch versions are not supported.
Distributed Switch: 7.0.2 Compatible with ESXi 7.0.2 and later. Features released with later vSphere distributed switch
versions are not supported.
Distributed Switch: 7.0.0 Compatible with ESXi 7.0 and later. Features released with later vSphere distributed switch
versions are not supported.
Distributed Switch: 6.6.0 Compatible with ESXi 6.7 and later. Features released with later vSphere distributed switch
versions are not supported.
Distributed Switch: 6.5.0 Compatible with ESXi 6.5 and later. Features released with later vSphere distributed switch
versions are not supported.
a Use the drop-down menu to select the type of Network Offloads Compatibility.
By using Network offloads compatibility you can offload network and security functions to the DPU
device. DPU is a network card that has compute capability embedded in it. You can offload the networking
functionality from the ESXi host to DPU for better performance.
NVIDIA BlueField: If you select NVIDIA BlueField the Network I/O Control is disabled.
Note You can configure Network Offloads compatibility when you use vSphere Distributed Switch
8.0.0 and later.
Uplink ports connect the distributed switch to physical NICs on associated hosts. The number of uplink ports
is the maximum number of allowed physical connections to the distributed switch per host.
By using Network I/O Control you can prioritize the access to network resources for certain types of
infrastructure and workload traffic according to the requirements of your deployment. Network I/O Control
continuously monitors the I/O load over the network and dynamically allocates available resources.
d (Optional) Select the Create a default port group check box to create a new distributed port group
with default settings for this switch. Enter a Port group name, or accept the generated name.
If your system has custom port group requirements, create distributed port groups that meet those
requirements after you add the distributed switch.
6 On the Ready to complete page, review the settings you selected and click Finish.
Results
A distributed switch is created in the data center. You can view the features supported on the distributed switch as
well as other details by navigating to the new distributed switch and clicking the Summary tab.
What to do next
Add hosts to the distributed switch and configure their network adapters on the switch.
Related to adding a port group is applying VLAN tagging globally on all distributed ports. Using the VLAN
options you can select VLAN tags. To learn more, see #unique_113
Procedure
1 On the vSphere Client Home page, click Networking and navigate to the distributed switch.
2 Right-click the distributed switch and select Distributed port group > New distributed port group.
3 On the Name and location page, enter the name of the new distributed port group, or accept the generated
name, and click Next.
4 On the Configure settings page, set the general properties for the new distributed port group.
Setting Description
Port binding Select the ports that are assigned to virtual machines connected to this distributed port
group.
Static binding: Assign a port to a virtual machine when the virtual machine
connects to the distributed port group.
Ephemeral - no binding: No port binding. You can assign a virtual machine to a
distributed port group with ephemeral port binding also
when connected to the host.
Port allocation Elastic: The default number of ports is eight. When all the ports are assigned, a
new set of eight ports is created.
Fixed: The default number of ports is set to eight. When all the ports are
assigned, no additional ports are created.
Number of ports Enter the number of ports on the distributed port group.
Network resource pool To assign the new distributed port group to a user-defined network resource pool, use the
drop-down menu. If you have not created a network resource pool, this menu is empty.
Note You cannot assign Network Resource Pool if Network Offloads is enabled.
VLAN Use the VLAN type drop-down menu to specify the type of VLAN traffic filtering and
marking:
None: Do not use VLAN. Select None if you are using External Switch Tagging.
VLAN: In the VLAN ID text box, enter a number between 1 and 4094 for Virtual
Switch Tagging.
VLAN trunking: Enter a VLAN trunk range.
Pass VLAN traffic with an ID to the guest OS. You can set multiple ranges and
individual VLANs by using a comma-separated list. For example: 1702-1705,
1848-1849
Advanced To customize the policy configurations for the new distributed port group, select this check
box.
5 Click Next.
6 (Optional) On the Security page, edit the security exceptions and click Next.
Setting Description
Promiscuous mode Reject: Placing an adapter in promiscuous mode from the guest operating
system does not result in receiving frames for other virtual machines.
Accept: If an adapter is placed in promiscuous mode from the guest operating
system, the switch allows the guest adapter to receive all frames passed on the
switch in compliance with the active VLAN policy for the port where the adapter is
connected.
Firewalls, port scanners, intrusion detection systems, and so on, must run in
promiscuous mode.
MAC address changes The MAC address change feature allows a VM to change its MAC address. A VM
connected to a port can run an administrative command to change the MAC address of its
vNIC and still send and receive traffic on that vNIC.
Reject: If the option is set to Reject and the guest OS changes the MAC address of
the adapter to a value different from the address in the .vmx configuration file,
then the switch drops all inbound frames to the virtual machine adapter.
If the guest OS changes the MAC address back, the virtual machine receives frames
again.
Accept: If the guest OS changes the MAC address of a network adapter,
the adapter receives frames to its new address.
Forged Transmits Reject: The switch drops any outbound frame with a source MAC address that is
different from the one in the .vmx configuration file.
Accept: The switch does not perform filtering and permits all outbound
frames.
7 (Optional) On the Security page, edit the MAC Learning policy and click Next.
Setting Description
Status Enable or disable the MAC learning feature. The default is disabled.
Allow unicast flooding When a packet that is received by a port has an unknown destination MAC address, the
packet is dropped. With unknown unicast flooding enabled, the port floods unknown
unicast traffic to every port on the switch that has MAC learning and unknown unicast
flooding enabled. This property is enabled by default, if MAC learning is enabled.
MAC Limit The number of MAC addresses that can be learned is configurable. The maximum value is
4096 per port, which is the default.
MAC Limit Policy The policy for when the MAC limit is reached. The options are:
Drop - Packets from an unknown source MAC address are dropped.
Packets inbound to this MAC address will be treated as unknown unicast. The port will
receive the packets only if it has unknown unicast flooding enabled.
Allow - Packets from an unknown source MAC address are forwarded although
the address will not be learned. Packets inbound to this MAC address will be
treated as unknown unicast. The port will receive the packets only if it has
unknown unicast flooding enabled.
8 (Optional) On the Traffic shaping page, enable or disable Ingress or Egress traffic shaping and click Next.
Setting Description
Status If you enable either Ingress traffic shaping or Egress traffic shaping, you are setting
limits on the amount of networking bandwidth allocated for each virtual adapter associated
with this particular port group. If you disable the policy, services have a free, clear
connection to the physical network by default.
Note You cannot assign traffic shaping policies if Network Offloads Compatibility
is enabled.
Average bandwidth This feature establishes the number of bits per second to allow across a port, averaged over
time. It is the allowed average load.
Peak bandwidth The maximum number of bits per second to allow across a port when it is sending and
receiving a burst of traffic. It tops the bandwidth used by a port whenever it is using its
burst bonus.
Burst size The maximum number of bytes to allow in a burst. If this parameter is set, a port can
gain a burst bonus when it does not use all its allocated bandwidth. Whenever the port
needs more bandwidth than specified by
Average bandwidth, it can temporarily transmit data at a faster speed if a burst bonus is
available. This parameter tops the number of bytes that can be accumulated in the burst
bonus and as a result transferred at a faster speed.
9 (Optional) On the Teaming and failover page, edit the settings and click Next.
Setting Description
Route based on originating virtual port: Select an uplink based on the virtual
port where the traffic entered the distributed switch.
Route based on IP hash: Select an uplink based on a hash of the
source and destination IP addresses of each packet. For non-IP packets, whatever is at
those offsets is used to compute the hash.
Route based on source MAC hash: Select an uplink based on a hash of the source
Ethernet MAC address.
Route based on physical NIC load: Select an uplink based on the current loads of
physical NICs.
Use explicit failover order: Always use the highest order uplink from the list of
Active adapters which passes failover detection criteria.
Note IP-based teaming requires that the physical switch is configured with
EtherChannel. For all other options, disable EtherChannel.
Network failure detection Specify the method to use for failover detection.
Link status only: Relies solely on the link status that the network adapter provides.
This option detects failures, such as cable pulls and physical switch power failures, but
not configuration errors, such as a physical switch port that is blocked by spanning tree
or misconfigured to the wrong VLAN, or cable pulls on the other side of a
physical switch.
Beacon probing: Sends out and listens for beacon probes on all NICs in the team and
uses this information, in addition to link status, to determine link failure. This detects
many of the failures previously mentioned that are not detected by link status alone.
Notify switches Select Yes or No to notify switches in case of failover. If you select Yes, whenever a
virtual NIC is connected to the distributed switch or whenever that virtual NIC’s traffic
can be routed over a different physical NIC in
the team because of a failover event, a notification is sent out over the network to update
the lookup tables on physical switches. In almost all cases, this process is desirable for the
lowest latency of failover occurrences and migrations with vMotion.
Note Do not use this option when the virtual machines using the port group
are using Microsoft Network Load Balancing in unicast mode. No such issue exists with
NLB running in multicast mode.
Failover order Specify how to distribute the workload for uplinks. To use some uplinks but reserve others
for emergencies if the uplinks in use fail, set this condition by moving them into different
groups:
Active uplinks: Continue to use the uplink when the network adapter
connectivity is up and active.
Standby uplinks: Use this uplink if one of the active adapters'
connectivity is down.
Unused uplinks: Do not use this uplink.
10 (Optional) On the Monitoring page, enable or disable NetFlow and click Next.
Setting Description
Enabled NetFlow is enabled on the distributed port group. NetFlow settings can be configured at the
vSphere Distributed Switch level.
Selecting Yes shuts down all ports in the port group. This action can disrupt the normal network operations
of the hosts or virtual machines using the ports.
12 On the Ready to complete page, review your settings and click Finish.
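The constraints stated in the port group procedure above (VLAN ID range, security exceptions, the Network Offloads restrictions, EtherChannel with IP hash, Notify switches with NLB unicast, the MAC limit) can be checked against a planned configuration before it is applied. This Python sketch is an added example, not VMware code; the dictionary keys are assumptions of the sketch and are not vSphere API property names.

```python
SECURITY_KEYS = ("promiscuous_mode", "mac_address_changes", "forged_transmits")


def parse_vlan_trunk(spec):
    """Parse a trunk range such as '1702-1705, 1848-1849' into (low, high) tuples."""
    ranges = []
    for item in spec.split(","):
        low, dash, high = item.strip().partition("-")
        try:
            lo = int(low)
            hi = int(high) if dash else lo
        except ValueError:
            raise ValueError(f"not a VLAN ID or range: {item.strip()!r}") from None
        # 4094 is the highest ID the page allows; accepting 0 in a trunk
        # range is an assumption of this sketch.
        if not 0 <= lo <= hi <= 4094:
            raise ValueError(f"range outside 0-4094 or reversed: {item.strip()!r}")
        ranges.append((lo, hi))
    return sorted(ranges)


def lint_port_group(pg):
    """Return findings for one planned distributed port group (empty list = clean)."""
    findings = []
    vlan = pg.get("vlan", {"type": "None"})
    if vlan["type"] == "VLAN":
        vid = vlan.get("id")
        if not isinstance(vid, int) or not 1 <= vid <= 4094:
            findings.append(f"VLAN ID must be between 1 and 4094, got {vid!r}")
    elif vlan["type"] == "VLAN trunking":
        try:
            parse_vlan_trunk(vlan.get("range", ""))
        except ValueError as exc:
            findings.append(f"VLAN trunk range: {exc}")
    elif vlan["type"] != "None":
        findings.append(f"unknown VLAN type {vlan['type']!r}")

    # A missing key is not flagged; only an explicit Accept is reported.
    for key in SECURITY_KEYS:
        if pg.get("security", {}).get(key) == "Accept":
            findings.append(f"security exception: {key} is Accept; confirm it is intended")

    offloads = pg.get("network_offloads", False)
    if offloads and pg.get("network_resource_pool"):
        findings.append("Network Resource Pool cannot be assigned with Network Offloads")
    shaping = pg.get("traffic_shaping", {})
    if offloads and (shaping.get("ingress") or shaping.get("egress")):
        findings.append("traffic shaping cannot be assigned with Network Offloads")

    teaming = pg.get("teaming", {})
    ip_hash = teaming.get("load_balancing") == "Route based on IP hash"
    etherchannel = bool(teaming.get("physical_switch_etherchannel"))
    if ip_hash and not etherchannel:
        findings.append("IP hash teaming requires EtherChannel on the physical switch")
    elif etherchannel and not ip_hash:
        findings.append("disable EtherChannel for teaming options other than IP hash")
    if teaming.get("notify_switches") and pg.get("vms_use_nlb_unicast"):
        findings.append("Notify switches must not be used with NLB in unicast mode")

    mac = pg.get("mac_learning", {})
    if mac.get("enabled") and mac.get("mac_limit", 4096) > 4096:
        findings.append("MAC limit exceeds the maximum of 4096 per port")
    return findings


# Constructed sample configurations (names and values are made up).
CLEAN = {
    "vlan": {"type": "VLAN", "id": 1702},
    "security": dict.fromkeys(SECURITY_KEYS, "Reject"),
    "teaming": {"load_balancing": "Route based on originating virtual port",
                "physical_switch_etherchannel": False, "notify_switches": True},
}
RISKY = {
    "vlan": {"type": "VLAN trunking", "range": "1702-1705, 1848-4099"},
    "security": {"promiscuous_mode": "Accept", "mac_address_changes": "Reject",
                 "forged_transmits": "Accept"},
    "network_offloads": True,
    "network_resource_pool": "pool-a",
    "traffic_shaping": {"ingress": True, "egress": False},
    "teaming": {"load_balancing": "Route based on IP hash",
                "physical_switch_etherchannel": False, "notify_switches": True},
    "vms_use_nlb_unicast": True,
}

if __name__ == "__main__":
    for name, pg in (("CLEAN", CLEAN), ("RISKY", RISKY)):
        print(name)
        for finding in lint_port_group(pg) or ["no findings"]:
            print("  -", finding)
```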
You should dedicate a single distributed port group per VMkernel adapter. For better isolation, you should
configure one VMkernel adapter with one traffic type.
Procedure
4 On the Select connection type page, select VMkernel Network Adapter and click Next.
5 From the Select an existing network option, select a distributed port group and click Next.
6 On the Port properties page, configure the settings for the VMkernel adapter.
Option Description
Network label The network label is inherited from the label of the distributed port group.
Note The IPv6 option does not appear on hosts that do not have IPv6 enabled.
MTU Choose whether to get MTU for the network adapter from the switch or to set a custom
size. You cannot set the MTU size to a value greater than 9000 bytes.
TCP/IP stack Select a TCP/IP stack from the list. Once you set a TCP/IP stack for the VMkernel adapter,
you cannot change it later. If you select the vMotion or the Provisioning TCP/IP stack, you
will be able to use only these stacks to handle vMotion or Provisioning traffic on the host.
All VMkernel adapters for vMotion on the default TCP/IP stack are disabled for future
vMotion sessions. If you set the Provisioning TCP/IP stack, VMkernel adapters on the
default TCP/IP stack are disabled for operations that include Provisioning traffic, such as
virtual machine cold migration, cloning, and snapshot migration.
Available services You can enable services for the default TCP/IP stack on the host. Select from the available
services:
vMotion. Enables the VMkernel adapter to advertise itself to another host as the
network connection where vMotion traffic is sent. The migration with vMotion to the
selected host is not possible if the vMotion service
is not enabled for any VMkernel adapter on the default TCP/IP stack, or there are no
adapters using the vMotion TCP/IP stack.
Provisioning. Handles the data transferred for virtual machine cold migration,
cloning, and snapshot migration.
Fault Tolerance logging. Enables Fault Tolerance logging on the host. You can
use only one VMkernel adapter for FT traffic per host.
Management. Enables the management traffic for the host and vCenter Server.
Typically, hosts have such a VMkernel adapter created when the ESXi software is
installed. You can create another VMkernel adapter for management traffic on the
host to provide redundancy.
vSphere Replication. Handles the outgoing replication data that is sent from the
source ESXi host to the vSphere Replication server.
vSphere Replication NFC. Handles the incoming replication data on the target
replication site.
vSAN. Enables the vSAN traffic on the host. Every host that is part of a
vSAN cluster must have such a VMkernel adapter.
7 (Optional) On the IPv4 settings page, select an option for obtaining IP addresses.
Option Description
Obtain IPv4 settings automatically Use DHCP to obtain IP settings. A DHCP server must be present on the network.
Use static IPv4 settings Enter the IPv4 IP address and subnet mask for the VMkernel adapter.
The VMkernel Default Gateway and DNS server addresses for IPv4 are obtained from the
selected TCP/IP stack.
Select the Override default gateway for this adapter check box and enter a gateway
address, if you want to specify a different gateway for the VMkernel
adapter.
8 (Optional) On the IPv6 settings page, select an option for obtaining IPv6 addresses.
Option Description
Obtain IPv6 addresses automatically Use DHCP to obtain IPv6 addresses. A DHCPv6 server must be present on the network.
through DHCP
Obtain IPv6 addresses automatically Use router advertisement to obtain IPv6 addresses.
through Router Advertisement In ESXi 6.5 and later router advertisement is enabled by default and supports the M and O
flags in accordance with RFC 4861.
Static IPv6 addresses a Click Add IPv6 address to add a new IPv6 address.
b Enter the IPv6 address and subnet prefix length, and click OK.
c To change the VMkernel default gateway, click Override default gateway for this
adapter.
The VMkernel Default Gateway address for IPv6 is obtained from the selected
TCP/IP stack.
9 Review your settings selections on the Ready to complete page and click Finish.
Prerequisites
Verify that enough uplinks are available on the distributed switch to assign to the physical NICs that you want
to connect to the switch.
Verify that there is at least one distributed port group on the distributed switch.
Verify that the distributed port group has active uplinks configured in its teaming and failover policy.
If you migrate or create VMkernel adapters for iSCSI, verify that the teaming and failover policy of the target
distributed port group meets the requirements for iSCSI:
Verify that only one uplink is active, the standby list is empty, and the rest of the uplinks are unused.
Verify that only one physical NIC per host is assigned to the active uplink.
Procedure
1 On the vSphere Client Home page, click Networking and navigate to the distributed switch.
2 Right-click the distributed switch and select Add and Manage Hosts.
3 On the Select task page, select Add hosts, and click Next.
a Select the host(s) from the list of available hosts under All hosts.
Note While adding hosts to the vSphere Distributed Switch with Network Offloads compatibility, you can
only add compatible adapters that are backed by a compatible DPU.
5 Click Next.
6 On the Manage physical adapters page, you can add or remove network adapters to the distributed
switch by assigning or unassigning an uplink.
7 To manage adapters on all hosts that have the same physical network adapter, select
Adapters on all hosts.
b To assign an uplink to the host, select an uplink from the drop-down menu.
c To unassign an uplink from the hosts, select None from the drop-down menu.
d To see more details about the hosts, expand the network adapter listed under Physical network
adapters.
e You can view the switches that use this VMkernel adapter in In use by switch.
For instance, if you assign uplink1 to vmnic1, it is assigned to all the hosts that have vmnic1 as their
physical network adapter.
b To assign an uplink to the host, select an uplink from the drop-down menu.
c To unassign an uplink from the host, select None from the drop-down menu.
If you select physical NICs that are assigned to other standard or distributed switches, the NICs are migrated to
the current distributed switch.
For consistent network configuration, you can connect one and the same physical NIC on every host to the
same uplink on the distributed switch.
For instance, if you are adding two hosts, connect vmnic1 on each host to Uplink1 on the distributed switch.
9 Click Next.
Note If a host does not have an assigned physical network adapter, then a warning appears.
10 On the Manage VMkernel adapters page, you can manage VMkernel adapters to the distributed
switch.
11 To manage VMkernel adapters on all hosts that have the same VMkernel adapter, select
Adapters on all hosts.
e You can view the switches that use this VMkernel adapter in In use by switch.
f To see more details about the hosts, expand the VMkernel adapter listed under Name.
For instance, if you assign DPortGroup1 to vmk0, the port group is assigned to all the hosts that have vmk0
as their VMkernel network adapter.
13 Click Next.
14 On the Migrate VM networking page, select the check box Migrate virtual machine
networking to migrate virtual machines to a distributed switch.
For instance, the port group is assigned to all the virtual machines that have the same network adapter.
17 Click Next.
18 On the Ready to Complete page of the Add and Manage Hosts wizard, review the settings for the virtual
machine.
19 Click Finish.
You have now successfully added a host to the vSphere distributed switch.
What to do next
Having hosts associated with the distributed switch, you can manage physical network adapters, VMkernel adapters,
and virtual machine network adapters.
vSphere Network I/O Control version 3 introduces a mechanism to reserve bandwidth for system traffic based on the
capacity of the physical adapters on a host. It enables fine-grained resource control at the VM network adapter level
similar to the model that you use for allocating CPU and memory resources.
Version 3 of the Network I/O Control feature offers improved network resource reservation and allocation across the
entire switch.
Network I/O Control version 3 supports separate models for resource management of system traffic related to
infrastructure services, such as vSphere Fault Tolerance, and of virtual machines.
The two traffic categories differ in nature. System traffic is strictly associated with an ESXi host. The
network traffic routes change when you migrate a virtual machine across the
environment. To provide network resources to a virtual machine regardless of its host, in Network I/O Control you
can configure resource allocation for virtual machines that is valid in the scope of the entire distributed switch.
Network I/O Control version 3 provisions bandwidth to the network adapters of virtual machines by using
constructs of shares, reservation and limit. Based on these constructs, to receive sufficient bandwidth, virtualized
workloads can rely on admission control in vSphere Distributed Switch, vSphere DRS and vSphere HA. See
#unique_118.
Availability of Features
SR-IOV is not available for virtual machines configured to use Network I/O Control version 3.
Enable network resource management on a vSphere Distributed Switch to guarantee minimum bandwidth to system
traffic for vSphere features and to virtual machine traffic.
Procedure
1 On the vSphere Client Home page, click Networking and navigate to the distributed switch.
Note When Network Offloads compatibility is enabled, the Network I/O Control is disabled. When Network
Offloads is set to None, Network I/O Control is supported.
4 Click OK.
Results
When enabled, the model that Network I/O Control uses to handle bandwidth allocation for system traffic and
virtual machine traffic is based on the Network I/O Control version that is active on the distributed switch. See
What is vSphere Network I/O Control.
Consultant Note Remove all Sections which do not apply to the engagement. Storage is dependent on the
customer in most cases. More details can be found here:
https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-storage/GUID-8AE88758-20C1-4873-99C7-181EF9ACFA70.html
ESXi hosts.
With the software-based iSCSI implementation, you can use standard NICs to connect your host to a remote
iSCSI target on the IP network. The software iSCSI adapter that is built into ESXi facilitates this connection by
communicating with the physical NICs through the network stack.
When you use the software iSCSI adapters, consider the following:
Designate a separate network adapter for iSCSI. Do not use iSCSI on 100 Mbps or slower adapters.
Avoid hard coding the name of the software adapter, vmhbaXX, in the scripts. It is possible for the name to
change from one ESXi release to another. The change might cause failures of
your existing scripts if they use the hardcoded old name. The name change does not affect the behavior of the
iSCSI software adapter.
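One way to follow the advice about not hard coding vmhbaXX, shown as an added example that is not part of the original guide: look the adapter up by its driver in the output of `esxcli iscsi adapter list` each time the script runs. The driver name `iscsi_vmk` for the software adapter is an assumption to verify on your hosts, and the sample listing is constructed.

```python
import re
import subprocess

SOFTWARE_ISCSI_DRIVER = "iscsi_vmk"  # assumption: driver name of the software iSCSI adapter

# Constructed sample of `esxcli iscsi adapter list` output, not captured from a real host.
SAMPLE_ADAPTER_LIST = """\
Adapter  Driver     State   UID            Description
-------  ---------  ------  -------------  ----------------------
vmhba33  bnx2i      online  iscsi.vmhba33  Dependent hardware adapter (constructed row)
vmhba65  iscsi_vmk  online  iscsi.vmhba65  iSCSI Software Adapter
"""


def read_adapter_list():
    """Run the listing on an ESXi host; not used by the offline sample."""
    return subprocess.run(["esxcli", "iscsi", "adapter", "list"],
                          check=True, capture_output=True, text=True).stdout


def parse_adapter_list(text):
    """Turn the column-formatted listing into a list of dicts keyed by header."""
    # Drop blank lines and the dashed ruler under the header.
    rows = [ln for ln in text.splitlines() if ln.strip() and set(ln) - set("- ")]
    if not rows:
        return []
    # Columns are separated by two or more spaces; the last one may contain
    # single spaces, so limit the number of splits per row.
    columns = re.split(r"\s{2,}", rows[0].strip())
    parsed = []
    for line in rows[1:]:
        cells = re.split(r"\s{2,}", line.strip(), maxsplit=len(columns) - 1)
        parsed.append(dict(zip(columns, cells)))
    return parsed


def resolve_software_iscsi_adapter(text):
    """Return the current vmhba name of the software iSCSI adapter."""
    names = [row["Adapter"] for row in parse_adapter_list(text)
             if row.get("Driver") == SOFTWARE_ISCSI_DRIVER]
    if len(names) != 1:
        # Fail loudly instead of configuring the wrong adapter.
        raise LookupError(f"expected one software iSCSI adapter, found {names}")
    return names[0]


if __name__ == "__main__":
    print(resolve_software_iscsi_adapter(SAMPLE_ADAPTER_LIST))
```

A script that calls `resolve_software_iscsi_adapter(read_adapter_list())` keeps working when the adapter number changes between ESXi releases.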
The process of configuring the software iSCSI adapter involves several steps.
Step Description
Activate or Disable the Software iSCSI Adapter: Activate your software iSCSI adapter so that your host can use it to access iSCSI storage.
Modify General Properties for iSCSI or iSER Adapters: If needed, change the default iSCSI name and alias assigned to your adapter.
Configure Port Binding for iSCSI or iSER: Configure connections for the traffic between the iSCSI component and the physical network adapters. The process of configuring these connections is called port binding.
Configure Dynamic or Static Discovery for iSCSI and iSER on ESXi Host: Set up dynamic discovery. With dynamic discovery, each time the initiator contacts a specified iSCSI storage system, it sends the SendTargets request to the system. The iSCSI system responds by supplying a list of available targets to the initiator. In addition to the dynamic discovery method, you can use static discovery and manually enter information for the targets.
#unique_127: If your iSCSI environment uses the Challenge Handshake Authentication Protocol (CHAP), configure it for your adapter.
#unique_128: You can also configure different CHAP credentials for each discovery address or static target.
#unique_129: If your iSCSI environment supports Jumbo Frames, enable them for the adapter.
Activate or Disable the Software iSCSI Adapter
You must activate your software iSCSI adapter so that your ESXi host can use it to access iSCSI storage. If you do
not need the software iSCSI adapter after activation, you can disable it.
Prerequisites
Note If you boot from iSCSI using the software iSCSI adapter, the adapter is enabled and the network
configuration is created at the first boot. If you disable the adapter, it is reenabled each time you boot the host.
Procedure
Option Description
Enable the software iSCSI adapter:
a Under Storage, click Storage Adapters, and click the Add icon.
b Select Software iSCSI Adapter and confirm that you want to add the adapter.
The software iSCSI adapter (vmhba#) is enabled and appears on the list of storage
adapters. After enabling the adapter, the host assigns the default iSCSI name to it.
You can now complete the adapter configuration.
Disable the software iSCSI adapter:
a Under Storage, click Storage Adapters, and select the adapter (vmhba#) to disable.
b Click the Properties tab.
c Click Disable and confirm that you want to disable the adapter.
After the reboot, the adapter no longer appears on the list of storage adapters. The
storage devices associated with the adapter become inaccessible. You can later activate
the adapter.
Important When you modify any default properties for your adapters, make sure to use correct formats for their
names and IP addresses.
Prerequisites
Procedure
3 Under Storage, click Storage Adapters, and select the adapter (vmhba#) to configure.
4 Click the Properties tab, and click Edit in the General panel.
Option Description
iSCSI Name Unique name formed according to iSCSI standards that identifies the iSCSI adapter. If you
change the name, make sure that the name you enter
is worldwide unique and properly formatted. Otherwise, certain storage
devices might not recognize the iSCSI adapter.
iSCSI Alias A friendly name you use instead of the iSCSI name.
Results
If you change the iSCSI name, it is used for new iSCSI sessions. For existing sessions, the new settings are not used
until you log out and log in again.
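A format and uniqueness check for the iSCSI names described above, as an added example that is not part of the original guide. It applies the iqn., eui. and naa. name formats and the 223-byte limit from the iSCSI RFCs; the host inventory is constructed sample data and the function names are hypothetical.

```python
import re

MAX_NAME_BYTES = 223  # RFC 3720: an iSCSI name is at most 223 bytes

_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
# iqn.YYYY-MM.reversed.domain[:identifier]
_IQN = re.compile(rf"^iqn\.(\d{{4}})-(\d{{2}})\.({_LABEL}(?:\.{_LABEL})*)(?::(.*))?$")
_EUI = re.compile(r"^eui\.[0-9A-Fa-f]{16}$")
_NAA = re.compile(r"^naa\.(?:[0-9A-Fa-f]{16}|[0-9A-Fa-f]{32})$")

# Constructed inventory: host name -> iSCSI name entered in the General panel.
SAMPLE_INVENTORY = {
    "esx01": "iqn.1998-01.com.vmware:esx01-4f2a1c3b",
    "esx02": "iqn.1998-01.com.vmware:esx01-4f2a1c3b",  # copied from esx01
    "esx03": "iqn.1998-1.com.vmware:esx03",            # month is not two digits
    "esx04": "eui.02004567A425678D",
}


def check_iscsi_name(name):
    """Return a list of format problems; an empty list means well formed."""
    problems = []
    if len(name.encode("utf-8")) > MAX_NAME_BYTES:
        problems.append("longer than 223 bytes")
    if re.search(r"\s", name):
        problems.append("contains whitespace")
    kind = name[:4].lower()
    if kind == "iqn.":
        if name != name.lower():
            problems.append("iqn names must be lowercase")
        match = _IQN.match(name.lower())
        if not match:
            problems.append("does not match iqn.YYYY-MM.reversed.domain[:identifier]")
        else:
            if not 1 <= int(match.group(2)) <= 12:
                problems.append(f"month {match.group(2)} is not 01-12")
            if match.group(4) == "":
                problems.append("empty identifier after ':'")
    elif kind == "eui.":
        if not _EUI.match(name):
            problems.append("eui. must be followed by 16 hex digits")
    elif kind == "naa.":
        if not _NAA.match(name):
            problems.append("naa. must be followed by 16 or 32 hex digits")
    else:
        problems.append("unknown type, expected iqn., eui. or naa.")
    return problems


def audit_initiator_names(inventory):
    """Report hosts whose name is malformed or is also used by another host."""
    report = {host: check_iscsi_name(name) for host, name in inventory.items()}
    owners = {}
    for host, name in inventory.items():
        owners.setdefault(name.lower(), []).append(host)
    for hosts in owners.values():
        if len(hosts) > 1:
            for host in hosts:
                others = ", ".join(h for h in hosts if h != host)
                report[host].append(f"name also used by {others}")
    return {host: found for host, found in report.items() if found}


if __name__ == "__main__":
    for host, found in audit_initiator_names(SAMPLE_INVENTORY).items():
        print(host, found)
```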
What to do next
For other configuration steps you can perform for the iSCSI or iSER storage adapters, see the following topics:
#unique_130
#unique_131
#unique_132
Configuring the network connection involves creating a virtual VMkernel adapter for each physical network adapter.
You use 1:1 mapping between each virtual and physical network adapter. You then associate the VMkernel adapter
with an appropriate iSCSI or iSER adapter. This process is called port binding.
Follow these rules when configuring the port binding:
You can connect the software iSCSI adapter with any physical NICs available on your host.
The dependent iSCSI adapters must be connected only to their own physical NICs.
You must connect the iSER adapter only to the RDMA-capable network adapter.
For specific considerations on when and how to use network connections with software iSCSI, see the VMware
knowledge base article at http://kb.vmware.com/kb/2038869.
Multiple Network Adapters in iSCSI or iSER Configuration
If your host has more than one physical network adapter for iSCSI or iSER, you can use the adapters for
multipathing.
You can use multiple physical adapters in a single or multiple switch configurations.
In the multiple switch configuration, you designate a separate vSphere switch for each virtual-to-physical adapter
pair.
An alternative is to add all NICs and VMkernel adapters to the single vSphere switch. The number of VMkernel
adapters must correspond to the number of physical adapters on the vSphere Standard switch. The single switch
configuration is not appropriate for iSER because iSER does not support NIC teaming.
For that type of configuration, you must override the default network setup and make sure that each VMkernel
adapter maps to only one corresponding active physical adapter, as the table indicates.
You can also use distributed switches. For more information about vSphere distributed switches and how to change
the default network policy, see the vSphere Networking documentation.
The following considerations apply when you use multiple physical adapters:
Physical network adapters must be on the same subnet as the storage system they connect to.
(Applies only to iSCSI and not to iSER) If you use separate vSphere switches, you must connect them to
different IP subnets. Otherwise, VMkernel adapters might experience connectivity problems and the host fails
to discover the LUNs.
The single switch configuration is not appropriate for iSER because iSER does not support NIC teaming.
Do not use port binding when any of the following conditions exist:
Array target iSCSI ports are in a different broadcast domain and IP subnet.
VMkernel adapters used for iSCSI connectivity exist in different broadcast domains, IP subnets, or
use different virtual switches.
Note In iSER configurations, the VMkernel adapters used for iSER connectivity cannot be used for
converged traffic. The VMkernel adapters that you created to enable connectivity between the ESXi host
with iSER and the iSER target must be used only for iSER traffic.
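The port binding rules above, expressed as a pre-change check (an added example, not part of the original guide). The `Vmk` record and the sample values are hypothetical and constructed; in practice you would fill them from what the Policies tab and the array configuration show.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Vmk:
    """One VMkernel adapter intended for port binding (hypothetical model)."""
    name: str
    cidr: str                      # address with prefix, e.g. "10.10.1.11/24"
    vswitch: str
    active_uplinks: list = field(default_factory=list)


# Constructed sample data.
TARGETS = ["10.10.1.50", "10.10.1.51"]
COMPLIANT = [
    Vmk("vmk1", "10.10.1.11/24", "vSwitch1", ["vmnic1"]),
    Vmk("vmk2", "10.10.1.12/24", "vSwitch1", ["vmnic2"]),
]
MISCONFIGURED = [
    Vmk("vmk1", "10.10.1.11/24", "vSwitch1", ["vmnic1", "vmnic2"]),  # teaming left on
    Vmk("vmk2", "10.10.2.12/24", "vSwitch1", ["vmnic2"]),            # other subnet
]


def check_port_binding(adapter_type, vmks, target_ips):
    """Return findings for an 'iscsi' or 'iser' binding; empty list means compliant."""
    findings = []
    uplink_owner = {}
    per_switch = {}
    networks = set()
    for vmk in vmks:
        net = ipaddress.ip_interface(vmk.cidr).network
        networks.add(net)
        # Each VMkernel adapter maps to only one active physical adapter.
        if len(vmk.active_uplinks) != 1:
            findings.append(
                f"{vmk.name}: {len(vmk.active_uplinks)} active uplinks, expected exactly 1")
        # 1:1 mapping: a physical adapter backs only one VMkernel adapter.
        for nic in vmk.active_uplinks:
            if nic in uplink_owner:
                findings.append(
                    f"{vmk.name}: shares {nic} with {uplink_owner[nic]}, mapping must be 1:1")
            else:
                uplink_owner[nic] = vmk.name
        per_switch.setdefault(vmk.vswitch, []).append(vmk.name)
        # Target ports must be in the same IP subnet as the bound adapter.
        for ip in target_ips:
            if ipaddress.ip_address(ip) not in net:
                findings.append(f"{vmk.name}: target {ip} is outside {net}")
    # Bound VMkernel adapters must not sit in different IP subnets.
    if len(networks) > 1:
        findings.append("bound VMkernel adapters span subnets: "
                        + ", ".join(sorted(str(n) for n in networks)))
    # iSER: no NIC teaming, one vmk and one vmnic per vSwitch.
    if adapter_type == "iser":
        for switch, names in per_switch.items():
            if len(names) > 1:
                findings.append(
                    f"{switch}: iSER allows one VMkernel adapter per vSwitch, "
                    f"found {', '.join(names)}")
    return findings


if __name__ == "__main__":
    for finding in check_port_binding("iscsi", MISCONFIGURED, TARGETS[:1]):
        print(finding)
```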
The following tasks discuss the network configuration with a vSphere Standard switch and a single physical network
adapter. If you have multiple network adapters, see Multiple Network Adapters in iSCSI or iSER Configuration.
Note iSER does not support NIC teaming. When configuring port binding for iSER, use only one RDMA-
enabled physical adapter (vmnic#) and one VMkernel adapter (vmk#) per vSwitch.
You can also use the VMware vSphere® Distributed Switch™ and VMware NSX® Virtual Switch™ in
the port binding configuration. For information about NSX virtual switches, see the VMware NSX Data Center
for vSphere documentation.
If you use a vSphere distributed switch with multiple uplink ports, for port binding, create a separate distributed port
group per each physical NIC. Then set the team policy so that each distributed port group has only one active uplink
port. For detailed information on distributed switches, see the vSphere Networking documentation.
Create a Single VMkernel Adapter for iSCSI or iSER
Connect the VMkernel, which runs services for iSCSI storage, to a physical network adapter on your ESXi host.
You then use the created VMkernel adapter in the port binding configuration with the iSCSI or iSER adapters.
Prerequisites
If you are creating a VMkernel adapter for dependent hardware iSCSI, you must use the physical
network adapter (vmnic#) that corresponds to the iSCSI component. See #unique_136.
With the iSER adapter, make sure to use an appropriate RDMA-capable vmnic#. See #unique_137.
Procedure
5 Click the Add adapters icon, and select an appropriate network adapter (vmnic#) to use for iSCSI.
A network label is a friendly name that identifies the VMkernel adapter that you are creating, for example,
iSCSI or iSER.
You created the virtual VMkernel adapter (vmk#) for a physical network adapter (vmnic#) on your host.
a Under Networking, select VMkernel Adapters, and select the VMkernel adapter (vmk#) from the list.
b Click the Policies tab, and verify that the corresponding physical network adapter (vmnic#) appears as an
active adapter under Teaming and failover.
What to do next
If your host has one physical network adapter for iSCSI traffic, bind the VMkernel adapter that you created to the
iSCSI or iSER vmhba adapter.
If you have multiple network adapters, you can create additional VMkernel adapters and then perform iSCSI
binding. The number of virtual adapters must correspond to the number of physical adapters on the host. For
information, see Multiple Network Adapters in iSCSI or iSER Configuration.
Prerequisites
Create a virtual VMkernel adapter for each physical network adapter on your host. If you use multiple VMkernel
adapters, set up the correct network policy.
Procedure
3 Under Storage, click Storage Adapters, and select the appropriate iSCSI or iSER adapter (vmhba#)
from the list.
4 Click the Network Port Binding tab and click the Add icon.
Note Make sure that the network policy for the VMkernel adapter is compliant with the binding
requirements.
You can bind the software iSCSI adapter to one or more VMkernel adapters. For a dependent hardware iSCSI
adapter or the iSER adapter, only one VMkernel adapter associated with the correct physical NIC is available.
6 Click OK.
The network connection appears on the list of network port bindings for the iSCSI or iSER adapter.
Configure Dynamic or Static Discovery for iSCSI and iSER on ESXi Host
You need to set up target discovery addresses, so that the iSCSI or iSER storage adapter can determine which storage
resource on the network is available for access.
Dynamic Discovery
Also known as SendTargets discovery. Each time the initiator contacts a specified iSCSI server, the initiator
sends the SendTargets request to the server. The server responds by supplying a list of available targets to the
initiator. The names and IP addresses of these targets appear on the Static Discovery tab. If you remove a static
target added by dynamic discovery, the target might be returned to the list the next time a rescan happens, the
storage adapter is reset, or the host is rebooted.
Note With software and dependent hardware iSCSI, ESXi filters target addresses based on the IP family of the
iSCSI server address specified. If the address is IPv4, IPv6 addresses that might come in the SendTargets
response from the iSCSI server are filtered out. When DNS names are used to specify an iSCSI server, or when
the SendTargets response from the iSCSI server has DNS names, ESXi relies on the IP family of the first
resolved entry from DNS lookup.
Static Discovery
In addition to the dynamic discovery method, you can use static discovery and manually enter information for
the targets. The iSCSI or iSER adapter uses a list of targets that you provide to contact and communicate with
the iSCSI servers.
When you set up static or dynamic discovery, you can only add new iSCSI targets. You cannot change any
parameters of an existing target. To make changes, remove the existing target and add a new one.
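The IP-family filtering described in the dynamic discovery note explains why some targets never show up on the Static Discovery tab. The following added example (not part of the original guide and not ESXi code) models that rule over a constructed SendTargets response; the DNS table and function names are hypothetical.

```python
import ipaddress
import socket

# Constructed SendTargets text response, one key=value pair per line.
SAMPLE_RESPONSE = """\
TargetName=iqn.2001-04.com.example:storage.lun1
TargetAddress=192.0.2.10:3260,1
TargetAddress=[2001:db8::10]:3260,2
TargetName=iqn.2001-04.com.example:storage.lun2
TargetAddress=array-b.example.com:3260,1
"""

# Constructed DNS answers, in the order the resolver would return them.
SAMPLE_DNS = {
    "array-b.example.com": ["2001:db8::20", "192.0.2.20"],
    "san.example.com": ["2001:db8::1", "192.0.2.1"],
}


def parse_sendtargets(text):
    """Return a list of (target_name, host, port) in response order."""
    portals, current = [], None
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "TargetName":
            current = value
        elif key == "TargetAddress" and current:
            addr = value.split(",", 1)[0]          # drop the portal group tag
            if addr.startswith("["):               # bracketed IPv6 literal
                host, _, rest = addr[1:].partition("]")
                port = rest.lstrip(":")
            else:
                host, _, port = addr.partition(":")
            portals.append((current, host, int(port or 3260)))
    return portals


def dns_lookup(name):
    """Default resolver: addresses in the order the system resolver returns them."""
    return [info[4][0] for info in socket.getaddrinfo(name, None)]


def ip_family(host, resolve=dns_lookup):
    """Return 4 or 6; for a DNS name, the family of the first resolved entry."""
    try:
        return ipaddress.ip_address(host).version
    except ValueError:
        return ipaddress.ip_address(resolve(host)[0]).version


def filter_by_server_family(server, response, resolve=dns_lookup):
    """Split portals into (kept, dropped) by the family of the discovery address."""
    wanted = ip_family(server, resolve)
    kept, dropped = [], []
    for target, host, _port in parse_sendtargets(response):
        bucket = kept if ip_family(host, resolve) == wanted else dropped
        bucket.append((target, host))
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_by_server_family(
        "192.0.2.1", SAMPLE_RESPONSE, SAMPLE_DNS.__getitem__)
    print("kept:", kept)
    print("dropped:", dropped)
```

With the IPv4 discovery address, the second target disappears entirely because its DNS name resolves to an IPv6 address first, which is the case to check when an expected LUN is missing after a rescan.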
Prerequisites
Procedure
3 Under Storage, click Storage Adapters, and select the adapter (vmhba#) to configure.
Note A dynamically discovered target remains on the list even after it is removed from the
array side.
What to do next
For other configuration steps you can perform for the iSCSI or iSER storage adapters, see the following topics:
#unique_130
#unique_131
#unique_132
Prerequisites
Set up NFS storage environment.
If you plan to use Kerberos authentication with the NFS 4.1 datastore, make sure to configure the ESXi hosts
for Kerberos authentication.
Procedure
1 In the vSphere Client object navigator, browse to a host, a cluster, or a data center.
NFS 3
NFS 4.1
Important If multiple hosts access the same datastore, you must use the same protocol on all hosts.
Option Description
Datastore name The system enforces a 42 character limit for the datastore name.
Server The server name or IP address. You can use IPv6 or IPv4 formats. With NFS 4.1,
you can add multiple IP addresses or server names if the
NFS server supports trunking. The ESXi host uses these values to achieve
multipathing to the NFS server mount point.
5 Select Mount NFS read only if the volume is exported as read-only by the NFS server.
6 To use Kerberos security with NFS 4.1, enable Kerberos and select an appropriate Kerberos model.
Option Description
Use Kerberos for authentication and data integrity (krb5i): In addition to identity verification, provides data
integrity services. These services help to protect the NFS traffic from tampering by checking data packets for any
potential modifications.
If you do not enable Kerberos, the datastore uses the default AUTH_SYS security.
7 If you are creating a datastore at the data center or cluster level, select hosts that mount the datastore.
VMFS datastores serve as repositories for virtual machines. You can set up VMFS datastores on any SCSI-based
storage devices that the host discovers, including Fibre Channel, iSCSI, and local storage devices.
Prerequisites
3 Verify that storage devices you are planning to use for your datastores are available. See #unique_142.
Procedure
1 In the vSphere Client object navigator, browse to a host, a cluster, or a data center.
4 Enter the datastore name and if necessary, select the placement location for the datastore.
Important The device you select must not have any values displayed in the Snapshot Volume column. If a
value is present, the device contains a copy of an existing VMFS datastore. For information on managing
datastore copies, see #unique_143.
Option Description
VMFS6 Default format on all hosts that support VMFS6. The ESXi hosts of version 6.0 or earlier
cannot recognize the VMFS6 datastore.
VMFS5 VMFS5 datastore supports access by the ESXi hosts of version 6.7 or earlier.
Option Description
Use all available partitions Dedicates the entire disk to a single VMFS datastore. If you select this option, all file
systems and data currently stored on this device are destroyed.
Use free space Deploys a VMFS datastore in the remaining free space of the disk.
b If the space allocated for the datastore is excessive for your purposes, adjust the capacity values in the
Datastore Size field.
c For VMFS6, specify the block size and define space reclamation parameters. See #unique_144.
8 In the Ready to Complete page, review the datastore configuration information and click
Finish.
Results
The datastore on the SCSI-based storage device is created. It is available to all hosts that have access to the device.
What to do next
After you create the VMFS datastore, you can perform the following tasks:
Procedure
6 Click OK.
Results
Under Datastore Capabilities, Storage I/O Control is enabled for the datastore.
This section describes how to deploy the vSphere high availability configuration.
When you create a vSphere HA cluster, you must configure a number of settings that determine how the feature
works. Before you do this, identify your cluster's nodes. These nodes are the ESXi hosts that will provide the
resources to support virtual machines and that vSphere HA will use
for failover protection. You should then determine how those nodes are to be connected to one another and to the
shared storage where your virtual machine data resides. After that networking architecture is in place, you can add the
hosts to the cluster and finish configuring vSphere HA.
You can activate and configure vSphere HA before you add host nodes to the cluster. However, until the hosts are
added, your cluster is not fully operational and some of the cluster settings are unavailable. For example, the Specify a
Failover Host admission control policy is unavailable until there is a host that can be designated as the failover host.
Note The Virtual Machine Startup and Shutdown (automatic startup) feature is deactivated for all virtual
machines residing on hosts that are in (or moved into) a vSphere HA cluster. Automatic startup is not supported
when used with vSphere HA.
To enable your cluster for vSphere HA, you must first create an empty cluster. After you plan the resources and
networking architecture of your cluster, use the vSphere Client to add hosts to the cluster and specify the cluster's
vSphere HA settings.
Prerequisites
Verify that all virtual machines and their configuration files reside on shared storage.
Verify that the hosts are configured to access the shared storage so that you can power on the virtual machines
by using different hosts in the cluster.
Verify that hosts are configured to have access to the virtual machine network.
Verify that you are using redundant management network connections for vSphere HA. For information
about setting up network redundancy, see #unique_152.
Verify that you have configured hosts with at least two datastores to provide redundancy for vSphere HA
datastore heartbeating.
Connect vSphere Client to vCenter Server by using an account with cluster administrator permissions.
Procedure
1 In the vSphere Client, browse to the data center where you want the cluster to reside and click
New Cluster.
4 Based on your plan for the resources and networking architecture of the cluster, use the vSphere Client
to add hosts to the cluster.
With Host Monitoring enabled, hosts in the cluster can exchange network heartbeats and vSphere HA can take
action when it detects failures. Host Monitoring is required for the vSphere Fault Tolerance recovery process to
work properly.
Select VM Monitoring Only to restart individual virtual machines if their heartbeats are not received within a set
time. You can also select VM and Application Monitoring to enable application monitoring.
8 Click OK.
Results
What to do next
Admission Control
Heartbeat Datastores
Advanced Options
See #unique_153.
Each host must meet shared storage requirements for vSphere vMotion.
Each host must meet the networking requirements for vSphere vMotion.
You can perform reliable migrations between hosts and sites that are separated by high network round-trip latency
times. vSphere vMotion across long distances is enabled when the appropriate license is installed. No user
configuration is necessary.
For long-distance migration, verify the network latency between the hosts and your license.
You must place the traffic related to transfer of virtual machine files to the destination host on the
provisioning TCP/IP stack. See #unique_156.
Configure hosts for vMotion with shared storage to ensure that virtual machines are accessible to both source and
target hosts.
During a migration with vMotion, the migrating virtual machine must be on storage accessible to both the
source and target hosts. Ensure that the hosts configured for vMotion use shared storage. Shared storage can be
on a Fibre Channel storage area network (SAN), or can be implemented using iSCSI and NAS.
If you use vMotion to migrate virtual machines with raw device mapping (RDM) files, make sure to maintain
consistent LUN IDs for RDMs across all participating hosts.
See the vSphere Storage documentation for information on SANs and RDMs.
Migration with vMotion requires correctly configured network interfaces on source and target hosts.
Configure each host with at least one network interface for vMotion traffic. To ensure secure data transfer, the
vMotion network must be a secure network, accessible only to trusted parties. Additional bandwidth significantly
improves vMotion performance. When you migrate a virtual machine with vMotion without using shared storage,
the contents of the virtual disk are transferred over the network as well.
vSphere 6.5 and later allow the network traffic with vMotion to be encrypted. Encrypted vMotion depends on host
configuration, or on compatibility between the source and destination hosts.
You must ensure that the vMotion network has at least 250 Mbps of dedicated bandwidth per concurrent vMotion
session. Greater bandwidth lets migrations complete more quickly. Gains in throughput resulting from WAN
optimization techniques do not count towards the 250-Mbps limit.
To determine the maximum number of concurrent vMotion operations possible, see #unique_159. These limits vary
with a host's link speed to the vMotion network.
If you have the proper license applied to your environment, you can perform reliable migrations between hosts that
are separated by high network round-trip latency times. The maximum supported network round-trip time for
vMotion migrations is 150 milliseconds. This round-trip time lets you migrate virtual machines to another
geographical location at a longer distance.
Multiple-NIC vMotion
You can configure multiple NICs for vMotion by adding two or more NICs to the required standard or distributed
switch. For details, see Knowledge Base article KB 2007467.
Network Configuration
To have the vMotion traffic routed across IP subnets, enable the vMotion TCP/IP stack on the host. See
#unique_160.
If you are using standard switches for networking, ensure that the network labels used for the virtual machine
port groups are consistent across hosts. During a migration with vMotion, vCenter Server assigns virtual
machines to port groups based on matching network labels.
Note By default, you cannot use vMotion to migrate a virtual machine that is attached to a standard
switch with no physical uplinks configured, even if the destination host also has a no-uplink standard
switch with the same label.
To override the default behavior, set the
config.migrate.test.CompatibleNetworks.VMOnVirtualIntranet advanced setting of
vCenter Server to false. The change takes effect immediately. For details about the setting, see Knowledge
Base article KB 1003832. For information about configuring advanced settings of vCenter Server, see vCenter
Server Configuration.
For information about configuring the vMotion network resources, see #unique_161.
For more information about vMotion networking requirements, see Knowledge Base article KB 59232.
To customize your DRS cluster and the resources it contains you can configure affinity rules and you can add and
remove hosts and virtual machines. When a cluster’s settings and resources have been defined, you should ensure that
it is and remains a valid cluster. You can also use a valid DRS cluster to manage power resources and interoperate
with vSphere HA.
Note In this chapter, "Memory" can refer to physical RAM or Persistent Memory.
A cluster is a collection of ESXi hosts and associated virtual machines with shared resources
and a shared management interface. Before you can obtain the benefits of cluster-level resource management you
must create a cluster and activate DRS.
Depending on whether or not Enhanced vMotion Compatibility (EVC) is activated, DRS behaves differently when
you use vSphere Fault Tolerance (vSphere FT) virtual machines in your cluster.
Table 2-14. DRS Behavior with vSphere FT Virtual Machines and EVC
Enabled Enabled (Primary and Secondary VMs) Enabled (Primary and Secondary VMs)
Load Balancing
The distribution and usage of CPU and memory resources for all hosts and virtual machines in the cluster are
continuously monitored. DRS compares these metrics to an ideal resource usage given the attributes of the
cluster’s resource pools and virtual machines, the current demand, and the imbalance target. DRS then
provides recommendations or performs virtual machine migrations accordingly. See #unique_166. When you
power on a virtual machine
in the cluster, DRS attempts to maintain proper load balancing by either placing the virtual machine on an
appropriate host or making a recommendation. See #unique_167.
Power management
When the vSphere Distributed Power Management (DPM) feature is enabled, DRS compares cluster and host-
level capacity to the demands of the cluster’s virtual machines, including recent historical demand. DRS then
recommends you place hosts in standby, or places hosts in standby power mode when sufficient excess
capacity is found. DRS powers-on hosts if capacity is needed. Depending on the resulting host power state
recommendations, virtual machines might need to be migrated to and from the hosts as well. See
#unique_168.
Affinity Rules
You can control the placement of virtual machines on hosts within a cluster, by assigning affinity rules. See
#unique_169.
Prerequisites
You can create a cluster without a special license, but you must have a license to enable a cluster for vSphere DRS
or vSphere HA.
Note vSphere DRS is a critical feature of vSphere which is required to maintain the health of the workloads
running inside vSphere Cluster. Starting with vSphere 7.0 Update 1, DRS depends on the availability of vCLS VMs.
See #unique_165 for more information.
Procedure
Automation Level Action
6 Select the Predictive DRS check box. In addition to real-time metrics, DRS responds to forecasted
metrics provided by vRealize Operations server. You must also configure Predictive DRS in a
version of vRealize Operations that supports this feature.
7 Select the Virtual Machine Automation check box to enable individual virtual machine automation levels.
Override for individual virtual machines can be set from the VM Overrides page.
8 Under Additional Options, select a check box to enforce one of the default policies.
Option Description
VM Distribution For availability, distribute a more even number of virtual machines across hosts. This is
secondary to DRS load balancing.
Memory Metric for Load Balancing Load balance based on consumed memory of virtual machines rather than active memory.
This setting is only recommended for clusters where host memory is not over-committed.
Note This setting is no longer supported and will not be displayed in vCenter 7.0.
Scalable Shares Enable scalable shares for the resource pools on this cluster.
11 Click OK.
What to do next
Note Under the Cluster Summary page, you can see Cluster Services which displays vSphere Cluster Services
health status.
You can view memory utilization for DRS in the vSphere Client. To find out more, see Viewing
Distributed Resource Scheduler Memory Utilization.
Procedure
1 Log in to https://customerconnect.vmware.com/downloads/details?downloadGroup=MCGW&productId=1307&rPId=88960
and download the ISO image for vCenter Cloud Gateway Appliance.
2 In the installer ISO image, browse to the ui-installer/operating_system folder, and run the
installer.
For Windows OS, go to the win32 subdirectory and run the installer.exe file.
For Linux OS, go to the lin64 subdirectory, and run the installer file.
For Mac OS, go to the mac subdirectory and run the Installer.app file.
Option Steps
You can connect to a vCenter Server instance and browse the inventory to select the cluster on which to install
vCenter Cloud Gateway Appliance.
1 Enter the FQDN or IP address of the vCenter Server instance.
2 Enter the HTTPS port of the vCenter Server instance.
3 Enter the user name and password of a user with vCenter Single Sign-On administrative
privileges on the vCenter Server instance, for example, the administrator@your_domain_name user.
4 Click Next.
5 Verify that the certificate warning displays the SHA1 thumbprint of the SSL certificate that is installed
on the target vCenter Server instance, and click Yes to accept the certificate thumbprint.
6 Select the default VM Folder in the data center where the cluster resides and click Next.
7 Select the cluster where the vCenter Server you plan to subscribe to vSphere+ is deployed, and
click Next.
Option Description
VM name Enter a name for the vCenter Cloud Gateway Appliance VM. The appliance name must not
contain a percent sign (%), backslash (\), or forward slash (/) and must not be more than 80
characters in length.
Set root password Set a root password for the vCenter Cloud Gateway Appliance VM.
The password must contain only lower ASCII characters without spaces, at least eight
characters, a number, uppercase and lowercase letters, and a special character. Examples
of special characters are an exclamation mark (!), hash key (#), at sign (@), or
brackets ().
7 Select the datastore location for vCenter Cloud Gateway Appliance and click Next.
a Select the datastore where you want to place the vCenter Cloud Gateway Appliance VM.
b Select Enable Thin Disk Mode to conserve disk space by installing vCenter Cloud Gateway Appliance
using a thin disk.
8 Configure the network settings for vCenter Cloud Gateway Appliance and click Next.
Parameter Description
The wizard prompts you to enter the IP address and network settings.
Note Avoid using an IP address as a system name. If you use an IP address as a
system name, you cannot change the IP address and update the DNS settings after
the installation.
DHCP
A DHCP server is used to allocate the IP address. Select this option only if a DHCP
server is available in your environment.
FQDN If DDNS is enabled in your environment, you can enter a fully qualified domain
name (FQDN) for vCenter Cloud Gateway Appliance. If you enter an FQDN that already
exists, the installer warns you that this will cause an error in the installation unless you
isolate the network that vCenter Cloud Gateway Appliance is on. For example, you can
install vCenter Cloud Gateway Appliance on a different port group from the existing
FQDN.
Note Ensure that you add the FQDN in your DNS server before you start the installation.
IP address If you selected a static IP address, enter the IP address for vCenter Cloud Gateway
Appliance. If you enter an IP address that already exists, the installer warns you that this
will cause an error in the installation unless you isolate the network that vCenter Cloud
Gateway Appliance is on. For example, you can install vCenter Cloud Gateway Appliance on a
different port group from the existing IP address.
Subnet mask or prefix length Enter the subnet mask or prefix length for the IP address.
Default Gateway Enter the default gateway that vCenter Cloud Gateway Appliance should use.
DNS Servers Enter the addresses of the DNS servers used by vCenter Cloud Gateway Appliance.
Select Synchronize Time with NTP servers and enter the address of one or more NTP servers in the
text box to use NTP servers for time synchronization.
Note Ensure that you enter the correct address for the NTP servers. Otherwise, the installation may not
complete successfully.
Select Synchronize Time with ESXi host to synchronize time with the host where you are installing
vCenter Cloud Gateway Appliance.
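The thumbprint check in the connection steps above ("Verify that the certificate warning displays the SHA1 thumbprint ...") is only meaningful when the displayed value is compared with a reference recorded from the vCenter Server itself. The following added example, which is not part of the VMware guide, computes and compares SHA1 thumbprints in Python; the function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import ssl

HEX = set("0123456789abcdef")


def sha1_thumbprint(der_cert: bytes) -> str:
    """SHA1 over the DER-encoded certificate, as colon-separated upper-case hex."""
    digest = hashlib.sha1(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(thumbprint: str) -> str:
    """Reduce 'AA:BB:..', 'AA BB ..', 'AA-BB-..' or 'aabb..' to bare lower-case hex."""
    cleaned = "".join(c for c in thumbprint if c not in ": -").lower()
    if len(cleaned) != 40 or not set(cleaned) <= HEX:
        raise ValueError(f"not a SHA1 thumbprint: {thumbprint!r}")
    return cleaned


def thumbprints_match(displayed: str, trusted: str) -> bool:
    """Compare the value shown in the installer with the trusted reference value."""
    return hmac.compare_digest(normalize(displayed), normalize(trusted))


def fetch_server_thumbprint(host: str, port: int = 443) -> str:
    """Thumbprint of the certificate a server presents (chain is not validated).

    A value fetched over the same network path as the installer cannot detect
    interception; take the trusted reference from the vCenter Server itself.
    """
    pem = ssl.get_server_certificate((host, port))
    return sha1_thumbprint(ssl.PEM_cert_to_DER_cert(pem))


if __name__ == "__main__":
    # Constructed stand-in for DER certificate bytes, so the example runs offline.
    sample_der = b"abc"
    trusted = sha1_thumbprint(sample_der)  # in practice: recorded on the vCenter Server
    displayed = trusted.replace(":", "").lower()  # same value in another notation
    print(trusted, thumbprints_match(displayed, trusted))
```

Accept the certificate in the installer only when `thumbprints_match` returns True for the value on screen and the recorded reference.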
Results
vCenter Cloud Gateway Appliance is installed in your on-premises environment. A progress bar shows the progress
of the installation.
What to do next
To configure services, open the vCenter Cloud Gateway Appliance UI at https://gw-address:5480/gw-platform/
where gw-address is the IP address or FQDN of vCenter Cloud Gateway Appliance.
Prerequisites
You must be the owner of the Organization that you register with vCenter Cloud Gateway.
Procedure
1 In a web browser, go to https://gw-address:5480/gw-platform where gw-address is the IP
address or FQDN of vCenter Cloud Gateway.
3 On the Connect vCenter Cloud Gateway card, click Connect and log in with your vCenter Cloud
Gateway credentials.
4 Click Launch VMware Cloud Services and log in with your VMware Cloud credentials.
5 Select the Organization you want to connect and click Confirm Connection.
Note You cannot change the Organization after the registration is complete. Ensure that you select the correct
Organization.
6 Enter the code displayed in the vCenter Cloud Gateway interface and click Submit.
When you connect your vCenter Server to vCenter Cloud Gateway, it establishes a connection between your vCenter
Server and vSphere+.
Procedure
vCenter Cloud Gateway uses the credentials only for authentication purposes and does not store the
information.
4 Click Add vCenter Servers and enter your vCenter Server details.
5 (Optional) If you want to add multiple vCenter Servers, click Add vCenter Servers again and enter your
vCenter Server details.
Note You can connect up to 4 vCenter Server instances on each vCenter Cloud Gateway instance.
6 Click Next.
7 Select the check box to accept your vCenter Server sending data to VMware Cloud.
8 Click Connect N vCenter Server where N is the number of vCenter Servers that you want to connect.
Subscribe vCenter Server to vSphere+
To unlock all the capabilities of vSphere+, subscribe your vCenter Server to vSphere+. When you
The vCenter Server and the connected hosts get enabled for subscription.
Your vCenter Server can only be used with vSphere+. If you want to manage hosts licensed with license
keys, you cannot reuse this vCenter Server. You must deploy a new vCenter Server.
You can configure and manage vSphere with Tanzu by using Tanzu Standard Runtime Edition included in
your vSphere+ subscription. See vSphere with Tanzu Configuration and Management. For more
information about Tanzu Standard Edition, see VMware Tanzu Documentation.
Prerequisites
Ensure that your vSphere environment meets all the requirements. See System Requirements for vSphere+.
Procedure
2 Click Inventory.
Click the individual vCenter Server in the List View, and then click Subscribe.
Any integrations applicable to these solutions will be included with the appropriate technology being deployed and
configured.
References
The following section lists the documentation resources which were used for this document. This chapter
vSphere References
See the VMware vSphere 8.0 Documentation (https://docs.vmware.com/en/VMware-vSphere/index.html) for product
documentation on vSphere components.
vSphere Networking
vSphere Storage
vSphere Security
vSphere Availability