HOL-SDC-1410-UPD

  • Table of Contents

    Lab Overview - HOL-SDC-1410 - What's New with vSphere 6? (page 3)
      Lab Guidance (page 4)
      What is Virtualization? (page 5)

    Module 1 - What's New in vSphere 6 (90 Minutes) (page 16)
      What's New in vSphere 6.0? (page 17)
      Content Library (page 33)
      Migrating a Virtual Machine between Two vCenters (page 61)
      vSphere Web Client Enhancements (page 78)
      ESXi Security Enhancements (page 87)
      vSphere SSL Certificates (page 99)
      Network I/O Control Enhancements (NIOC) (page 113)

    Module 2 - Introduction to Management with vCenter Server (60 Min) (page 128)
      What is vSphere? (page 129)
      ESXi Install and Configure (page 130)
      vCenter 6.0 Overview (page 131)
      Using the vSphere 6.0 Web Client (page 136)
      Using Tagging and Search to Find Objects Quickly (page 162)
      Understanding High Availability (HA) and Distributed Resource Scheduler (DRS) (page 181)
      vSphere 6.0 Fault Tolerance Provides Continuous Availability (page 192)
      Monitoring Events and Creating Alarms (page 194)
      Configure Shares and Resources (page 205)

    Module 3 - Introduction to vSphere Networking And Security (60 Min) (page 212)
      vSphere Networking Enhancements (page 213)
      Configuring vSphere Standard Switch (page 217)
      Adding and Configuring a vSphere Distributed Switch (page 238)
      Using Host Lockdown Mode (page 268)
      Configuring the Host Services and Firewall (page 281)
      User Access and Authentication Roles (page 282)
      Understanding Single Sign On (page 294)
      Adding an ESXi Host to Active Directory (page 313)

    Module 4 - Introduction to vSphere Storage (60 Min) (page 320)
      vSphere Storage Overview (page 321)
      Creating and Configuring vSphere Datastores (page 325)
      Storage vMotion (page 363)
      Managing Virtual Machine Disks (page 369)
      Working with Virtual Machine Snapshots (page 381)
      Cloning Virtual Machines and Using Templates (page 397)
      vSphere Datastore Cluster (page 413)
      vSphere Data Protection (page 422)
      vSphere Replication Overview (page 423)
      Virtual Volumes (page 424)

    Page 2 HOL-SDC-1410-UPD

  • Lab Overview - HOL-SDC-1410 - What's New with vSphere 6?


  • Lab Guidance

    This introductory lab demonstrates the core features and functions of vSphere and vCenter 6.0. This is an excellent place to begin your Virtualization 101 experience.

    This lab will walk you through the core features of vSphere and vCenter, including storage and networking. The lab is broken into four Modules, and the Modules can be taken in any order.

    Module 1 - What's New with vSphere 6 (90 Minutes)
    Module 2 - An Introduction to Management with vCenter Server (60 Minutes)
    Module 3 - An Introduction to vSphere Networking and Security (60 Minutes)
    Module 4 - An Introduction to vSphere Storage (60 Minutes)

    NOTE: If you are using a device with a non-US keyboard layout, you might find it difficult to enter CLI commands, user names and passwords throughout the modules in this lab. Refer to the file README.txt on the desktop for additional information on resolving the keyboard issue.

    Each Module will take approximately 60-90 minutes to complete, but based on your experience this could take more or less time.

    We have included videos throughout the modules. To get the most out of these videos, it is recommended that you have headphones to hear the audio. The timing of each video is noted next to the title. In some cases, videos are included for tasks we are unable to show in a lab environment, while others are there to provide additional information. Some of these videos may show an earlier edition of vSphere; however, the steps and concepts are primarily the same.

    Lab Captains: Doug Baer, Bill Call, Adam Eckerle, Cleavon Roberts, Dave Rollins and Paul Schlosser.


  • What is Virtualization?

    If you are not familiar with Virtualization, this lesson will give you an introduction to it.

    Virtualization (noun):

    Today's x86 computer hardware was designed to run a single operating system and a single application, leaving most machines vastly underutilized. Virtualization lets you run multiple virtual machines on a single physical machine, with each virtual machine sharing the resources of that one physical computer across multiple environments. Different virtual machines can run different operating systems and multiple applications on the same physical computer.


  • Virtualization Defined

    Virtualization is placing an additional layer of software, called a hypervisor, on top of your physical server. The hypervisor enables you to install multiple operating systems and applications on a single server.


  • Separation

    By isolating the operating system from the hardware, you can create a virtualization-based x86 platform. VMware's hypervisor-based virtualization products and solutions provide you the fundamental technology for x86 virtualization.


  • Partitioning

    In this screen, you can see how partitioning helps improve utilization.


  • Isolation

    You can isolate a VM to find and fix bugs and faults without affecting other VMs and operating systems. Once fixed, an entire VM restore can be performed in minutes.


  • Encapsulation

    Encapsulation simplifies management by helping you copy, move and restore VMs by treating entire VMs as files.


  • Hardware Independence

    VMs are not dependent on any physical hardware or vendor, making your IT more flexible and scalable.


  • Benefits

    Virtualization enables you to consolidate servers and contain applications, resulting in high availability and scalability of critical applications.


  • Simplify Recovery

    Virtualization eliminates the need for any hardware configuration, OS reinstallation and configuration, or backup agents. A simple restore can recover an entire VM.


  • Reduce Storage Costs

    A technology called thin provisioning helps you optimize space utilization and reduce storage costs. It provides storage to VMs when it is needed, and shares space with other VMs.


  • Cost Avoidance


  • Module 1 - What's New in vSphere 6 (90 Minutes)


  • What's New in vSphere 6.0?

    On the next page, we've listed the new features in vSphere and vCenter 6.0. They have been broken up into three sections: vSphere/vCenter, Networking, and Storage. Also, where applicable, we have noted any labs that highlight new features, with the 'M' indicating the Module number of the lab. For example, next to vSphere Replication Enhancements, you will see a reference to HOL-SDC-1405/M2. This means you would find the vSphere Replication Module in HOL-SDC-1405, Module 2. If you do need assistance, just ask a Proctor for help!

    That being said, if you do have time left over after completing your selected Module, feel free to explore some of these new features!


  • What's New in vSphere & vCenter 6.0

    At a high level, these are the new features of vSphere and vCenter v6.0.

    You will find more details on some of the features below.


  • Scalability - Configuration Maximums

    The Configuration Maximums have increased across the board for vSphere Hosts in 6.0. Each vSphere Host can now support:

    480 Physical CPUs per Host
    Up to 12TB of Physical Memory
    1000 VMs per Host
    64 Hosts per Cluster

    Scalability - Virtual Hardware v11

    This release of vSphere gives us Virtual Hardware v11. Some of the highlights include:

    128 vCPUs
    4 TB RAM
    Hot-add RAM now vNUMA aware
    WDDM 1.1 GDI acceleration features
    xHCI 1.0 controller compatible with OS X 10.8+ xHCI driver
    A virtual machine can now have a maximum of 32 serial ports
    Serial and parallel ports can now be removed


  • Local ESXi Account and Password Management Enhancements

    vSphere 6.0 expands support for account management on ESXi hosts.

    New ESXCLI Commands:

    CLI interface for managing ESXi local user accounts and permissions
    Coarse-grained permission management
    ESXCLI can be invoked against vCenter instead of directly accessing the ESXi host. Previously, the account and permission management functionality for ESXi hosts was available only with direct host connections.

    Password Complexity:

    Previously customers had to edit the file /etc/pam.d/passwd by hand; now the password quality policy can be set through the VIM API (OptionManager.UpdateOptions() on the host's advanced options).

    Advanced options can also be accessed through vCenter, so there is no need to make a direct host connection.

    A PowerCLI cmdlet allows setting host advanced configuration options.

    Account Lockout:

    Security.AccountLockFailures - "Maximum allowed failed login attempts before locking out a user's account. Zero disables account locking."

    Default: 10 tries

    Security.AccountUnlockTime - "Duration in seconds to lock out a user's account after exceeding the maximum allowed failed login attempts."

    Default: 2 minutes

    Note that lockout applies to SSH and vSphere Web Services SDK (API) logins; the DCUI and the ESXi Shell console are not subject to it, so physical and console access still need to be controlled separately.
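    The three advanced options above can be audited and set programmatically rather than one host at a time in the Web Client. The following Python script is an added example, not part of this lab guide or of VMware's tooling: it parses the pam_passwdqc policy string held in Security.PasswordQualityControl, flags the lockout trap (Security.AccountLockFailures set to 0 switches lockout off rather than tightening it) and builds the key/value list for OptionManager.UpdateOptions(), the VIM API call that replaces hand-editing /etc/pam.d/passwd. The BASELINE values, the constructed ESXI60_DEFAULTS sample and the pyVmomi host handling in apply_changes() are this example's assumptions; the audit logic itself runs offline.

```python
"""Audit ESXi 6.0 local-account hardening options and build the change set for
OptionManager.UpdateOptions(). Example code, not from the lab guide; BASELINE
values and the ESXI60_DEFAULTS sample are this example's own assumptions."""
from dataclasses import dataclass
from typing import Any, Dict, List

LOCK_FAILURES = "Security.AccountLockFailures"
UNLOCK_TIME = "Security.AccountUnlockTime"
PASSWORD_QUALITY = "Security.PasswordQualityControl"

# Baseline chosen for this example (assumption; tune to your own policy).
# pam_passwdqc syntax "retry=N min=N0,N1,N2,N3,N4": N0..N4 are minimum lengths for
# 1-class, 2-class, passphrase, 3-class and 4-class passwords; "disabled" forbids that kind.
BASELINE: Dict[str, Any] = {
    LOCK_FAILURES: 5,
    UNLOCK_TIME: 900,
    PASSWORD_QUALITY: "retry=3 min=disabled,disabled,disabled,disabled,15",
}

# Constructed sample: the values a freshly installed ESXi 6.0 host reports.
ESXI60_DEFAULTS: Dict[str, Any] = {
    LOCK_FAILURES: 10,
    UNLOCK_TIME: 120,
    PASSWORD_QUALITY: "retry=3 min=disabled,disabled,disabled,7,7",
}

@dataclass(frozen=True)
class Finding:
    option: str
    current: Any
    expected: Any
    reason: str

def parse_passwdqc(policy: str) -> Dict[str, Any]:
    """'retry=3 min=disabled,disabled,disabled,7,7' ->
    {'retry': 3, 'min': [None, None, None, 7, 7]} (None = that kind is disabled)."""
    parsed: Dict[str, Any] = {}
    for token in policy.split():
        key, _, value = token.partition("=")
        if key == "retry":
            parsed["retry"] = int(value)
        elif key == "min":
            parts = value.split(",")
            if len(parts) != 5:
                raise ValueError("min= needs exactly five entries N0..N4")
            parsed["min"] = [None if p == "disabled" else int(p) for p in parts]
    if "min" not in parsed:
        raise ValueError("policy has no min= clause")
    return parsed

def weak_policy_reasons(policy: str, min_len: int = 8) -> List[str]:
    """Why a pam_passwdqc string is weaker than wanted; an empty list means acceptable."""
    mins = parse_passwdqc(policy)["min"]
    reasons: List[str] = []
    for idx in (0, 1):  # one- and two-class passwords should be rejected outright
        if mins[idx] is not None:
            reasons.append(f"N{idx}: {idx + 1}-class passwords allowed (min {mins[idx]})")
    for idx, value in enumerate(mins):
        if value is not None and value < min_len:
            reasons.append(f"N{idx}: minimum length {value} is below {min_len}")
    return reasons

def audit(current: Dict[str, Any]) -> List[Finding]:
    """Compare a host's current option values with BASELINE. Mind the trap in
    AccountLockFailures: 0 is not 'strict', it switches lockout off."""
    findings: List[Finding] = []

    def flag(option: str, reason: str) -> None:
        findings.append(Finding(option, current.get(option), BASELINE[option], reason))

    lock = current.get(LOCK_FAILURES)
    if lock is None:
        flag(LOCK_FAILURES, "option missing (host older than 6.0?)")
    elif lock == 0:
        flag(LOCK_FAILURES, "0 disables account lockout")
    elif lock > BASELINE[LOCK_FAILURES]:
        flag(LOCK_FAILURES, "allows more failed attempts than baseline")
    unlock = current.get(UNLOCK_TIME)
    if unlock is not None and unlock < BASELINE[UNLOCK_TIME]:
        flag(UNLOCK_TIME, "lockout expires sooner than baseline")
    policy = current.get(PASSWORD_QUALITY)
    if policy is not None:
        for reason in weak_policy_reasons(policy):
            flag(PASSWORD_QUALITY, reason)
    return findings

def planned_changes(current: Dict[str, Any]) -> List[tuple]:
    """(key, value) pairs that make audit() come back empty; options the host
    does not have are skipped rather than invented."""
    changes = {f.option: f.expected for f in audit(current) if f.current is not None}
    return sorted(changes.items())

def apply_changes(host, changes: List[tuple]) -> None:
    """Push the changes through OptionManager.UpdateOptions, the VIM API the page
    points at, instead of editing /etc/pam.d/passwd. Assumption: pyVmomi is installed
    and `host` is a HostSystem obtained after SmartConnect; not executed here."""
    from pyVmomi import vim  # deferred so the audit logic runs without pyVmomi
    values = [vim.option.OptionValue(key=k, value=v) for k, v in changes]
    host.configManager.advancedOption.UpdateOptions(changedValue=values)
```

    Feed audit() the values read back from each host (through the API, esxcli or PowerCLI) and review the findings before handing planned_changes() to apply_changes(); the one thing the script will never do is "fix" a missing option by inventing it on an older host.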


  • vCenter Server 6.0 Platform Services Controller

    The Platform Services Controller (PSC) includes common services that are used across the suite. These include SSO, Licensing and the VMware Certificate Authority (VMCA). The PSC is the first piece that is either installed or upgraded. When upgrading, an SSO instance becomes a PSC. There are two models of deployment, embedded and centralized.

    Embedded means the PSC and vCenter Server are installed on a single virtual machine. Embedded is recommended for sites with a single SSO solution, such as a single vCenter.

    Centralized means the PSC and vCenter Server are installed on different virtual machines. Centralized is recommended for sites with two or more SSO solutions, such as multiple vCenter Servers, vRealize Automation, etc. When deploying in the centralized model it is recommended to make the PSC highly available so as not to have a single point of failure; in addition to utilizing vSphere HA, a load balancer can be placed in front of two or more PSCs to create a highly available PSC architecture.

    The PSC and vCenter servers can be mixed and matched, meaning you can deploy Appliance PSCs along with Windows PSCs, with Windows and Appliance based vCenter Servers. Any combination uses the PSC's built-in replication.

    What's New in vSphere 6.0 - Networking and Security

    Networking in vSphere 6.0 has received some significant improvements, which have led to the following new vMotion capabilities:

    Cross vSwitch vMotion
    Cross vCenter vMotion
    Long Distance vMotion
    vMotion across Layer 3 boundaries


    More detail on each of these follows, as well as details on the improved Network I/O Control (NIOC) version 3.

    Cross vSwitch vMotion

    Cross vSwitch vMotion allows you to seamlessly migrate a VM across different virtual switches while performing a vMotion.

    You are no longer restricted by the network you created on the vSwitches in order to vMotion a virtual machine.

    Requires the source and destination portgroups to share the same L2. The IP address within the VM will not change.

    vMotion will work across a mix of switches (standard and distributed). Previously, you could only vMotion from vSS to vSS or within a single vDS. This limitation has been removed.

    The following Cross vSwitch vMotion migrations are possible:

    vSS to vSS
    vSS to vDS
    vDS to vDS
    vDS to vSS is not allowed

    Another added feature is that vDS to vDS migration transfers the vDS metadata (network statistics) to the destination vDS.


  • Cross vCenter vMotion

    Expanding on the Cross vSwitch vMotion enhancement, we are also excited to announce support for Cross vCenter vMotion.

    vMotion can now perform the following changes simultaneously:

    Change compute (vMotion) - Performs the migration of virtual machines across compute hosts

    Change storage (Storage vMotion) - Performs the migration of the virtual machine disks across datastores

    Change network (Cross vSwitch vMotion) - Performs the migration of a VM across different virtual switches

    and finally

    Change vCenter (Cross vCenter vMotion) - Changes the vCenter Server which manages the VM.

    All of these types of vMotion are seamless to the guest OS. As with Cross vSwitch vMotion, Cross vCenter vMotion requires L2 network connectivity, since the IP of the VM will not be changed. This functionality builds upon Enhanced vMotion, and shared storage is not required. Target support is for local (single site), metro (multiple well-connected sites), and cross-continental sites.


  • Long Distance vMotion

    Long Distance vMotion is an extension of Cross vCenter vMotion, targeted at environments where vCenter servers are spread across large geographic distances and where the latency across sites is 100 ms or less. Although spread across a long distance, all the standard vMotion guarantees are honored.

    This does not require VVOLs to work. A VMFS/NFS system will work also.

    Use Cases:

    Migrate VMs across physical servers spread across a large geographic distance without interruption to applications
    Perform a permanent migration for VMs in another datacenter
    Migrate VMs to another site to avoid imminent disaster
    Distribute VMs across sites to balance system load
    Follow-the-sun support

    Requirements:

    The requirements for Long Distance vMotion are the same as for Cross vCenter vMotion, with the additions that the maximum latency between the source and destination sites must be 100 ms or less, and that there is 250 Mbps of available bandwidth.

    To stress the point: the VM network will need to be a stretched L2, because the IP of the guest OS will not change. If the destination portgroup is not in the same L2 domain as the source, you will lose network connectivity to the guest OS. This means that in some topologies, such as metro or cross-continental, you will need a stretched L2 technology in place. The stretched L2 technologies are not specified; any technology that can present the L2 network to the vSphere hosts will work, because ESXi has no knowledge of how the physical network is configured. Some examples of technologies that would work are VXLAN, NSX L2 Gateway Services, or GIF/GRE tunnels.

    There is no defined maximum distance that will be supported, as long as the network meets these requirements. Your mileage may vary, but you are eventually constrained by the laws of physics.


    The vMotion network can now be configured to operate over an L3 connection. More details on this are in the next slide.

    Network I/O Control v3

    Network I/O Control Version 3 allows administrators or service providers to reserve or guarantee bandwidth to a vNIC in a virtual machine or, at a higher level, to the Distributed Port Group.

    This ensures that other virtual machines or tenants in a multi-tenancy environment don't impact the SLA of other virtual machines or tenants sharing the same upstream links.

    Use Cases:

    Allows private or public cloud administrators to guarantee bandwidth to business units or tenants. This is done at the VDS port group level.

    Allows vSphere administrators to guarantee bandwidth to mission critical virtual machines. This is done at the VM vNIC level.


  • What's New in vSphere 6.0 Storage & Availability

    At a high level, these are the new Storage & Availability features of vSphere 6.0.

    You will find more details on some of the features below.

    VMware Virtual Volumes

    VVOLS changes the way storage is architected and consumed. Using external arrays without VVOLS, typically the LUN is the unit of both capacity and policy. In other words, you create LUNs with fixed capacity and fixed data services. Then, VMs are assigned to LUNs based on their data service needs. This can result in problems when a LUN with a certain data service runs out of capacity, while other LUNs still have plenty of room to spare. The effect of this is that typically admins overprovision their storage arrays, just to be on the safe side.

    With VVOLS, it is totally different. Each VM is assigned its own storage policy, and all VMs use storage from the same common pool. Storage architects need only provision for the total capacity of all VMs, without worrying about different buckets with different policies. Moreover, the policy of a VM can be changed, and this doesn't require that it be moved to a different LUN.

    VVOLS - VASA Provider

    The VASA Provider is the component that exposes the storage services which a VVOLS array can provide. It also understands VASA APIs for operations such as the creation of virtual volume files. It can be thought of as the control plane element of VVOLS. A VASA provider can be implemented in the firmware of an array, or it can be in a separate VM that runs on the cluster which is accessing the VVOLS storage (e.g., as a part of the array's management server virtual appliance).


  • VVOLS - Storage Container (SC)

    A storage container is a logical construct for grouping Virtual Volumes. It is set up by the storage admin, and the capacity of the container can be defined. As mentioned before, VVOLS allows you to separate capacity management from policy management. Containers provide the ability to isolate or partition storage according to whatever need or requirement you may have. If you don't want to have any partitioning, you could simply have one storage container for the entire array. The maximum number of containers depends upon the particular array model.

    VVOLS - Storage Policy-Based Management

    Instead of being based on static, per-LUN assignment, storage policies with VVOLS are managed through the Storage Policy-Based Management framework of vSphere. This framework uses the VASA APIs to query the storage array about what data services it offers, and then exposes them to vSphere as capabilities. These capabilities can then be grouped together into rules and rulesets, which are then assigned to VMs when they get deployed. When configuring the array, the storage admin can choose which capabilities to expose or not expose to vSphere.

    To get more detailed information on VVOLS, consider taking HOL-SDC-1429 - Virtual Volumes (VVOLS) Setup and Enablement.

    vSphere 6.0 Fault Tolerance

    The benefits of Fault Tolerance are:

    Protect mission critical, high performance applications regardless of OS
    Continuous availability - zero downtime, zero data loss for infrastructure failures
    Fully automated response

    The new version of Fault Tolerance greatly expands the use cases for FT to approximately 90% of workloads with these new features:

    Enhanced virtual disk support - now supports any disk format (thin, thick or EZT)
    Now supports hot configure of FT - no longer required to turn off the VM to enable FT
    Greatly increased FT host compatibility - if you can vMotion a VM between hosts, you can use FT

    The new technology used by FT is called Fast Checkpointing and is basically a heavily modified version of an xvMotion (cross-vCenter vMotion) that never ends and executes many more checkpoints (multiple per second).

    FT logging (traffic between the hosts where the primary and secondary are running) is very bandwidth intensive and will use a dedicated 10G NIC on each host. This isn't required, but it is highly recommended, as at a minimum an FT-protected VM will use more bandwidth. If FT doesn't get the bandwidth it needs, the impact is that the protected VM will run slower.


  • vSphere FT 6.0 New Capabilities

    DRS is supported for initial placement of VMs only.

    Backing Up FT VMs

    FT VMs can now be backed up using standard backup software, the same as all other VMs (FT VMs could always be backed up using agents). They are backed up using snapshots through VADP.

    Snapshots are not user-configurable: users can't take snapshots of FT VMs. Snapshots are only supported as part of VADP.


  • Availability - vSphere Replication

    The features on this slide are new in vSphere Replication (VR) 6.0.

    Compression can be enabled when configuring replication for a VM. It is disabled by default.

    Updates are compressed at the source (vSphere host) and stay compressed until written to storage. This does cost some CPU cycles on the source host (compress) and the target storage host (decompress).

    Uses FastLZ compression libraries. FastLZ provides a nice balance between performance, compression, and limited overhead (CPU).

    Typical compression ratio is 1.7 to 1.

    Best results are achieved when using vSphere 6.0 at source and target along with vSphere Replication (VR) 6.0 appliance(s). Other configurations are supported - example: source is vSphere 6.0, target is vSphere 5.5. In that case the vSphere Replication Server (VRS) must decompress packets internally (costing VR appliance CPU cycles) before writing to storage.

    With VR 6.0, VR traffic can be isolated from other vSphere host traffic:

    At source, a NIC can be specified for VR traffic. NIOC can be used to control replication bandwidth utilization.
    At target, VR appliances can have multiple vmnics with separate IP addresses to separate incoming replication traffic, management traffic, and NFC traffic to target host(s).
    At target, a NIC can be specified for incoming NFC traffic that will be written to storage.
    The user must, of course, set up the appropriate network configuration (vSwitches, VLANs, etc.) to separate traffic into isolated, controllable flows.

    VMware Tools in vSphere 6.0 includes a freeze/thaw mechanism for quiescing certain Linux distributions at the file system level for improved recovery reliability. See the vSphere documentation for specifics on supported Linux distributions.

    Consider taking HOL-SDC-1405 Module 2 to explore VR 6.0 in more detail.

    Consider taking HOL-SDC-1405 Module 2 to explore VR 6.0 in more detail.


  • VMware vSphere 6 (4:22)

    This video highlights some of the new features in vSphere 6.


  • Content Library

    A new feature introduced in vSphere 6.0 is the Content Library. Content Libraries are container objects for VM templates, vApp templates, ISO images and other files across your vCloud Suite environment. vSphere administrators can use the templates in the library to deploy virtual machines and vApps in the vSphere inventory. Sharing templates and files across multiple vCenter Server instances in the same or different locations brings consistency, compliance, efficiency, and automation to deploying workloads at scale.

    In this lesson, we will walk through the process of creating a Content Library and synchronizing it to a second vCenter Server.

    Open the vSphere Web Client

    If you are not already in the vSphere Web Client, launch the Google Chrome browser from the Desktop.

    When the vSphere Web Client login page appears, tick the 'Use Windows session authentication' box and click 'Login'.


  • vCenter Inventory Lists

    Once logged into the vSphere Web Client, click on 'vCenter Inventory Lists'.

    Content Libraries

    Now click on the 'Content Libraries' tab.


  • Objects

    Finally, click on the 'Objects' tab.

    To create a new Content Library, click on the 'Create a New Library' button.

    New Library - Name

    When the New Library wizard appears, start by naming your Content Library 'StandardVMTemplates' and leave the vCenter Server as vcsa-01a.corp.local.

    Click 'Next' to continue.


  • New Library - Configure library

    There are two options available when creating a Content Library: a Local content library and a Subscribed content library.

    When you choose a Local content library, it will only be accessible in the vCenter Server where it is created. By default, it is only available to the account that created it. If you select the option 'Publish content library externally', the Content Library can be shared with other users on the same or other vCenter Server instances. You also have the option to password protect the Content Library by selecting the 'Enable authentication' option. Bear in mind that anyone holding the subscription URL and this password can pull every template in the library, so outside the lab treat it as a shared credential rather than reusing a well-known default.

    The Subscribed content library is used to subscribe to a published Content Library. We will be using this option later to synchronize the Content Library to the second vCenter Server.

    For now, we will create a Local content library.

    1. Tick the boxes for both 'Publish content library externally' and 'Enable authentication'.
    2. In the Password field, use the password VMware1!

    When you have finished, click 'Next'.


  • New Library - Add Storage

    Now we need to decide where to place the new Content Library, and we have a few options available to use.

    Enter a local file system path or an NFS URL - With this option, we can use the local storage of the vCenter Server, running either the appliance version or on Windows. If you are running the appliance version, this can be an NFS mount. If you are running vCenter Server on Windows, this can be either a path local to the vCenter Server (e.g. d:\content library) or a CIFS share (e.g. \\vc-w12-01a\content library).

    Select a Datastore - With this option, we can use a datastore from our vCenter Server inventory.

    Choose the second option, 'Select a Datastore', and select the 'ds-site-a-nfs01' datastore. Click 'Next'.


  • New Library - Ready to complete

    Verify your settings and click the 'Finish' button to create the new Content Library.

    New Content Library

    You should now see the newly created Content Library appear.


  • Adding a VM Template to the Content Library

    Now that we have created the Content Library, let's add something to it!

    Click on the Home icon and select 'VMs and Templates'.


  • Clone Template to Library

    Right-click on the linux-micro-02a template and select the 'Clone to Library' option.


  • Adding Template to Library

    Under the Filter tab, select the Standard VM Templates content library and click OK.


  • Open the Tasks Console

    Let's monitor the progress by opening the Tasks Console.

    Click on the Home icon and select Tasks.

    Progress...

    You can follow the progress of the task in the Tasks Console. You can see the Template was cloned to an OVF package, exported as an OVF template, then transferred to the Content Library.


  • Verify the template was added

    Now we'll verify the VM Template was added to the library.

    Select the 'vCenter Inventory Lists' tab.

    Content Libraries

    Next select the 'Content Libraries' tab.


  • Open the Content Library

    Finally, click on the 'Standard VM Templates' content library.

    Template Added

    Here we can see the template that we just cloned to the content library.


  • Synchronizing Content to another vCenter Server

    Now that we have content to share, let's synchronize it with the second vCenter Server.

    Click the Content Libraries back button.

    Edit Settings...

    Right click on the 'StandardVMTemplates' content library and select 'Edit Settings...'


  • Copy URL

    In the Edit Library window, click the 'Copy Link' button next to the subscription URL and click OK. We will need this when we set up the synchronization to the other vCenter Server.

    Home

    Click on the Home icon and select Hosts and Clusters.


  • Select vcsa-01b.corp.local

    Select the second vCenter Server, 'vcsa-01b.corp.local', and click the Content Libraries tab. You may have to scroll a bit to the right to see it.

    Create New Library

    To add the new content library, click the 'Create New Library' button.


  • New Library - Name

    Name your new library 'vcsa-01a-Templates'.

    In the vCenter Server drop-down box, select 'vcsa-01b.corp.local' and click 'Next'.

    New Library - Configure Library

    This time we will select the 'Subscribed content library' button.

    Click the mouse in the Subscribed content library field and press Ctrl+V on the keyboard to paste the URL.

    We also set a password on the Content Library, so you will need to tick the 'Enable authentication' box and enter VMware1! as the password.

    Now we have a choice to make as to how much of the content we download.

    Download all library content immediately - with this option, all the content from the library will be downloaded to the new content library. All items will be available immediately.

    Download library content as needed - this option is useful if some of the items in the catalog may not be needed or you need to save space. When you need an item from the content library, you will need to synchronize it manually. You can choose to synchronize an individual item or the entire catalog.

    Let's synchronize all the library content immediately by selecting the 'Download all library content immediately' radio button (if not already selected).

    Click 'Next'.

    New Library - Add storage

    We have the same options here as we did when we created the first content library. Let's stick with the datastore option.

    Choose the 'Select a datastore' radio button and then select the 'ds-site-b-nfs01' datastore.

    New Library - Ready to complete

    Verify things look good and click 'Finish' to synchronize the content library to vcsa-01b.corp.local.

    Newly created Content Library

    In a few seconds, you will see your new Content Library appear!

    Monitor the task

    Open the Tasks console by selecting the Home icon and then choose Tasks.

    Tasks Console

    You can see in the Tasks Console the Content Library being created and then synchronized.

    You may need to click the refresh button to see an update.

    Deploy a VM from the Sync'd Library

    Now that we have the Content Library sync'd to the second vCenter Server, let's deploy a VM from it.

    Start by clicking the Home icon and select Hosts and Clusters.

    Open the Content Library on vcsa-01b.corp.local

    Click on vcsa-01b.corp.local and make sure you are on the Related Objects tab. Again, you may have to scroll to the right to see the Content Library tab. Click on it, then click on vcsa-01a-Templates.

    Click on Templates

    Click on the Templates tab to view the available Templates.

    Right-click on linux-micro-02a

    Right-click on linux-micro-02a and select New VM from This Template.

    Select a Name and Location

    Name your new VM 'linux-micro-03a' and select Datacenter Site B.

    Click Next.

    Select a Resource

    Click on Cluster Site B, then click Next.

    Review Details

    Click Next on the Review Details Page.

    Select Storage

    In the Select virtual disk format drop-down menu, select 'Thin provision'. Also, make sure ds-site-b-nfs01 is selected as the datastore.

    Depending on which modules in this lab you have completed previously, you may see additional datastores.

    Click Next.

    Select Networks

    Leave the default VM network selected and click Next.

    Ready to Complete

    Review your settings and click Finish to deploy the new VM!

    Monitor the task

    Open the Tasks console by selecting the Home icon and then choose Tasks.

    Monitor Progress

    You can monitor the progress of the new virtual machine being created.

    When all tasks have been completed successfully, you may proceed to the next step.

    VMs and Templates

    Click on the Home icon and select VMs and Templates.

    New VM Created

    Expand vcsa-01b.corp.local and Datacenter Site B and you will see your newly created VM!

    Are you up for a challenge?

    If you are up for a challenge, why not see if you can add the TinyLinux-1 VM to the StandardVMTemplates Content Library by taking a clone of it. You can then synchronize it to the vcsa-01a-Templates Content Library. The only trick here is that you will need to synchronize the library manually. Subscribed Content Libraries do synchronize automatically, but at regular intervals of 6 hours. The screen shot above shows the Synchronize Library button that will need to be clicked after the clone is added to the StandardVMTemplates Content Library in order to manually synchronize it to the vcsa-01a-Templates Content Library.

    Conclusion

    This concludes this lesson.

    Migrating a Virtual Machine between Two vCenters

    vMotion has been a standard feature of VMware virtual infrastructure since early 2004. Migrating a powered-on VM between different vCenters while preserving network connectivity was introduced in 2015 with vSphere 6.

    Let's take a look around.

    1. Select "Use Windows session authentication".

    2. Click the "Login" button.

    This will pass through your current credentials (CORP\Administrator) to the Platform Services Controller for confirmation that you are allowed to access the system and of your assigned roles. Notice that the login proceeds immediately with vSphere 6.

    A Familiar View

    Feel free to click the push pins for the "Alarms", "Work In Progress" and "Recent Tasks" panes. This will give you a little more room to work. You open a pane by clicking on the closed pane button and then re-close it by clicking on the closed pane button again.

    Click on "Hosts and Clusters".

    Focus on linux-micro-01a

    Expand both vCenter inventories. The linux-micro-01a virtual machine should be powered on. If not, please power it on.

    Review the virtual network adapter connection

    Expand the "VM Hardware" pane. Notice that a single virtual network adapter is connected to the "VM Network" port group, which is on a virtual Standard Switch. Click on the "VM Network" link.

    Review the networks in the data centers

    Expand the network inventories in both vCenters. There is a virtual Distributed Switch in both data centers as well as the standard switch. We will migrate the linux-micro-01a VM from the Standard Switch on esx-01a in Site A to the Distributed Switch in Site B.

    Click the "Recent Objects" control to return to the linux-micro-01a VM

    Simply highlight "linux-micro-01a" and click to return to this recently viewed object. This is a new time-saver in the vSphere 6 Web Client.

    Prepare to test networking during the migration

    1. Open the Windows Start menu.

    2. Click the "ping-linux-micro-01a" short cut.

    Verify the continuous ping to linux-micro-01a

    After the ping has started, minimize the Windows command window. The continuous ping will verify network connectivity during the cross-vCenter vMotion.

    Prepare to test networking even further

    Open PuTTY from the Windows taskbar along the bottom.

    1. Select "linux-micro-01a.corp.local"

    2. Press the "Load" button

    3. Press the "Open" button

    Login proceeds

    Public key SSH authentication is set up so no password is required.

    Test networking from the VM

    Let's start a continuous ping to Control Center from the VM we will be migrating.

    Enter 'ping 192.168.110.10'.

    Now you are ready to migrate.

    Migrate the VM

    Minimize the current PuTTY session (don't close it!) and go back to the vSphere Web Client.

    Right-click on the 'linux-micro-01a' VM and select 'Migrate'.

    Select the migration type

    When the Migrate Wizard appears, select 'Change both compute resource and storage'. Leave the default option of 'Select compute resource first' selected.

    Click 'Next'.

    Select compute resource

    Expand vcsa-01b.corp.local and select 'Cluster Site B' and click 'Next'.

    Select storage

    On the next screen, you can leave the defaults selected. Just click 'Next' to continue.

    Select folder

    Place the VM in Datacenter Site B by selecting it and click 'Next' to continue.

    Select network

    You may click 'Next' to continue. Remember that the target "VM Network" at Site B is a distributed port group on the Distributed Virtual Switch, while the VM is currently connected to a Virtual Standard Switch on esx-01a in Site A.

    Select vMotion priority

    You can leave the default setting and click 'Next'.

    Ready to complete

    Verify your settings and click 'Finish' to migrate the VM.

    Monitor Ping

    Switch back to the PuTTY session and the Command Prompt and watch the pings. You may see a packet drop or a slightly longer delay during the vMotion cutover. Notice that Layer 2 networking for the VM Network is stretched between the two sites and that the VM retains its IP address when it migrates between sites.
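
    To turn the "watch the pings" step into a number you can put in a change record, here is an added example (not part of the lab guide) that parses the ping output from the PuTTY session on the migrated VM and reports which sequence numbers went unanswered and how long the cutover gap was. The sample lines are constructed, they assume the Linux/BusyBox ping output format and a one-second interval, and 192.168.110.10 is the Control Center address pinged above.

```python
"""Quantify the cutover gap in a continuous ping captured during a
cross-vCenter vMotion.

Added example, not part of the lab guide. It parses the output of the
Linux/BusyBox ping run inside the migrated VM; the log lines below are
constructed for illustration and assume a one-second ping interval.
"""
import re
import sys

# matches both "icmp_seq=N" (GNU ping) and "seq=N" (BusyBox ping)
REPLY_RE = re.compile(r"(?:icmp_)?seq=(?P<seq>\d+).*?\btime=(?P<rtt>[\d.]+)\s*ms")

# Constructed sample: replies for seq 7 and 8 never arrived (the vMotion
# cutover) and seq 9 shows the elevated RTT typical of the switch-over.
SAMPLE_PING = """\
PING 192.168.110.10 (192.168.110.10) 56(84) bytes of data.
64 bytes from 192.168.110.10: icmp_seq=1 ttl=64 time=0.412 ms
64 bytes from 192.168.110.10: icmp_seq=2 ttl=64 time=0.398 ms
64 bytes from 192.168.110.10: icmp_seq=3 ttl=64 time=0.405 ms
64 bytes from 192.168.110.10: icmp_seq=4 ttl=64 time=0.391 ms
64 bytes from 192.168.110.10: icmp_seq=5 ttl=64 time=0.420 ms
64 bytes from 192.168.110.10: icmp_seq=6 ttl=64 time=0.388 ms
64 bytes from 192.168.110.10: icmp_seq=9 ttl=64 time=1.874 ms
64 bytes from 192.168.110.10: icmp_seq=10 ttl=64 time=0.401 ms
64 bytes from 192.168.110.10: icmp_seq=11 ttl=64 time=0.396 ms
""".splitlines()


def parse_replies(lines):
    """Return {seq: rtt_ms} for every reply line; header/summary lines are skipped."""
    replies = {}
    for line in lines:
        m = REPLY_RE.search(line)
        if m:
            replies[int(m.group("seq"))] = float(m.group("rtt"))
    return replies


def analyze(lines, interval_s=1.0):
    """Summarise loss and latency for a ping capture.

    'lost' lists the sequence numbers with no reply; 'longest_gap' is the
    longest run of consecutive missing replies, and 'outage_s' converts that
    run to seconds at the given interval (resolution is one interval, so a
    single lost packet reads as up to one second of outage).
    """
    replies = parse_replies(lines)
    if not replies:
        raise ValueError("no ping replies found")
    first, last = min(replies), max(replies)
    lost = [s for s in range(first, last + 1) if s not in replies]
    longest, run = 0, 0
    for s in range(first, last + 1):
        run = run + 1 if s not in replies else 0
        longest = max(longest, run)
    worst_seq = max(replies, key=replies.get)
    return {
        "received": len(replies),
        "lost": lost,
        "longest_gap": longest,
        "outage_s": longest * interval_s,
        "max_rtt_ms": replies[worst_seq],
        "max_rtt_seq": worst_seq,
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_PING
    summary = analyze(lines)
    print(f"replies: {summary['received']}, lost seq: {summary['lost']}")
    print(f"longest gap: {summary['longest_gap']} packet(s) (~{summary['outage_s']:.0f}s)")
    print(f"worst RTT: {summary['max_rtt_ms']} ms at seq {summary['max_rtt_seq']}")
```

    Save the PuTTY session log to a file and pass its path as the first argument to analyze a real capture. A gap of one or two packets at a one-second interval is what the lab text describes; a longer run, or loss that starts before the migration task is reported complete, points at the vMotion network rather than the cutover itself.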

    Back in the vSphere Web Client

    Go back to the vSphere Web Client and you should now see the 'linux-micro-01a' VM running in Cluster Site B.

    Monitor linux-micro-01a

    Click on 'linux-micro-01a' and select the Monitor tab, then Events.

    You will notice that all the events for the VM were carried over as it moved to the new vCenter Server. This is also true for any of the performance data.

    Check the VM network configuration

    Click on the "VM Network" link as before.

    Network migration complete

    Click on "Related Objects". Notice that "linux-micro-01a" is now connected to the "VM Network" port group on the "vds-site-b" Virtual Distributed Switch. It was migrated from a Virtual Standard Switch in Site A.

    Review vmkernel networking

    1. Click on the "Hosts and Clusters" icon.

    2. Select "esx-01b.corp.local"

    3. Open the "Manage" tab

    4. Select "Networking"

    5. Click on "TCP/IP configuration"

    Notice that, new with vSphere 6, multiple TCP/IP stacks are provided for vmkernel ports. The "vMotion" TCP/IP stack is using a different default gateway address than the default TCP/IP stack, which is used for the management network.

    Feel free to check a vSphere 6 host on Site A and compare vmkernel TCP/IP configurations.

    In order to accomplish vMotion from the Site A vCenter to the Site B vCenter, vMotion traffic was routed between the sites. We simulated two sites in this vMotion exercise to show the flexibility of this new capability. In real life, the VM's layer 2 network must be stretched and 100ms RTT or less must be maintained on the vMotion network. Keep in mind that vMotion traffic in vSphere 6.0 is not encrypted: the VM's memory contents cross the wire in the clear, so a vMotion network that is routed between sites must be kept isolated from untrusted networks.

    Lesson Cleanup - PuTTY

    Go back to the PuTTY session and press Ctrl+C to end the ping. Next, type 'exit' to terminate the PuTTY session.

    Lesson Cleanup - Command Prompt

    Now go back to the Command Prompt and press Ctrl+C to end the ping. Type 'exit' to close the Command Prompt.

    Conclusion

    Cross vCenter vMotion is a powerful new capability with a number of use cases. It could be used to migrate between a legacy Windows vCenter and a new vCenter appliance, or any time it makes sense to migrate VMs to a completely new set of virtual infrastructure. And of course it can be used to migrate VMs between data centers for planned maintenance or other business purposes.

    vSphere Web Client Enhancements

    vSphere Web Client includes significant performance and usability improvements.

    The performance improvements include login times that are up to 13 times faster, right-click menus that are visible and usable four times faster, and other actions that are now at least 50 percent faster. This puts vSphere Web Client on a par with the standalone VMware vSphere Client.

    Let's take a look at some of the new usability improvements made to the vSphere Web Client.

    Launch Google Chrome

    From the desktop, launch the Google Chrome browser.

    Login to the vSphere Web Client

    Login to the vSphere Web Client by ticking 'Use Windows session authentication' and clicking the Login button.

    You may notice how quick the login process is compared to earlier versions of the vSphere Web Client.

    Home Drop-down Menu

    The first usability update we'll look at is the new Home drop-down menu. Near the top of the browser, click the Home icon.

    With this new drop-down menu, you can easily access any area of the vSphere Web Client from any screen.

    Click on 'Hosts and Clusters'.

    Expand vcsa-01a.corp.local

    Use the twist arrow to expand vcsa-01a.corp.local until you can see the two hosts and virtual machines.

    Right-click on esx-01a.corp.local

    Another usability enhancement is the right-click actions.

    Try this by right-clicking on 'esx-01a.corp.local'. The first thing you should notice is that the menu itself appears much faster.

    The second thing to notice is that the menu items are no more than one layer deep. This helps to avoid searching through multiple layers of menus to find the task you need.

    Recent Tasks Pane

    At the bottom of the Navigator, you will now see a link for Recent Tasks. Click on it to open up the Recent Tasks pane.

    Recent Tasks

    In the Recent Tasks pane, you will find the most recent tasks, updated in real time, making them easier to view. In the Recent Tasks pane, you have the ability to:

    1. Pin the Recent Tasks pane to another part of the vSphere Web Client (more on this later!).
    2. View additional tasks.
    3. Hide the Recent Tasks pane.

    Docking the Recent Tasks Pane

    If you click on the Thumbnail in the Recent Tasks pane, it will dock it to the bottom of the vSphere Web Client.

    Click on the Thumbnail to give it a try.

    Customizing the UI

    You can also move the Recent Tasks pane (or any other pane) by clicking and dragging the pane on the title bar.

    Left-click and drag anywhere on the Recent Tasks title bar. You'll notice four areas indicating where you can dock the Recent Tasks pane. Let's move it over to the right side by dragging it in the direction of the right arrow. Move your mouse to the two blue arrows to the right until that side of the screen turns blue, then click your mouse to move the pane there.

    Resizing the Pane

    You also have the ability to re-size the pane by clicking in the empty space between panes and dragging it in the desired direction.

    Move it Back!

    In its current position, most of the useful information the Recent Tasks pane provides is cut off.

    Let's move it back to its original location at the bottom of the screen by clicking the Recent Tasks title bar and dragging it to the bottom.

    That's Better!

    This layout seems to work better for me, but it is subject to personal preference. That is one of the best parts of the vSphere Web Client: being able to customize it to how it works best for you.

    Lesson Clean Up

    To prepare for the next lesson, click on the thumbnail to hide the Recent Tasks pane back at the bottom of the vSphere Web Client. This will give us more real estate for the lessons that follow. If the Recent Tasks pane is needed, the lesson will guide you to it.

    ESXi Security Enhancements

    New security features have been implemented in vSphere 2015 (vSphere 6.0) and this lesson will focus specifically on updates to ESXi.

    Some of the new updates worth mentioning are:

    Account Management

    ESXi 6.0 enables management of local accounts on the ESXi server using new ESXCLI commands. The ability to add, list, remove, and modify accounts across all hosts in a cluster can be centrally managed using a vCenter Server system. Previously, the account and permission management functionality for ESXi hosts was available only with direct host connections. Setting, removing, and listing local permissions on ESXi servers can also be centrally managed.

    Account Lockout

    There are two new settings available in ESXi Host Advanced System Settings for the management of local account failed login attempts and account lockout duration. These parameters affect SSH and vSphere Web Services connections but not DCUI and console shell access.

    These Advanced Settings can be found at the ESXi host level and are:

    Security.AccountLockFailures - Maximum number of failed login attempts before the user's account is locked. By default, this setting is 10.

    Security.AccountUnlockTime - Number of seconds that the user is locked out. By default, this setting is 120 seconds (2 minutes).

    Because the lockout also applies to root over SSH, anyone who can reach the SSH port can deliberately lock that account for the unlock interval; the DCUI exemption is what keeps the console usable in that case, so do not set the unlock time so high that it turns the lockout into a denial of service.

    Password Complexity Rules

    In previous versions of ESXi, password complexity changes had to be made by hand-editing the /etc/pam.d/passwd file on each ESXi host. In vSphere 6.0, this has been moved to an entry in Host Advanced System Settings, enabling centrally managed setting changes for all hosts in a cluster. Use caution when editing this setting: the value is written into PAM's configuration file, so an invalid value can break password changes on the host.

    The Advanced Setting can be found at the ESXi host level and is:

    Security.PasswordQualityControl
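
    Since the value of this setting is handed straight to PAM, it helps to see what it means. The following is an added example, not code from the lab or from VMware: a reimplementation of the pam_passwdqc length-by-character-class rule that the setting controls, so you can test candidate passwords against a policy string before pushing it to a cluster. The default value it uses, retry=3 min=disabled,disabled,disabled,7,7, is my assumption about the ESXi 6.0 default (check it on your own hosts), and the word-count and class rules are simplified from passwdqc's.

```python
"""Check candidate passwords against an ESXi Security.PasswordQualityControl value.

Added example, not from the lab guide or from VMware. The setting's value is
the option string given to pam_passwdqc; what follows reimplements passwdqc's
length-by-character-class rule (simplified: similar=, random= and per-user
options are not modelled). The ESXi 6.0 default quoted in ESXI_DEFAULT is an
assumption; confirm it on your own hosts.
"""
import re

ESXI_DEFAULT = "retry=3 min=disabled,disabled,disabled,7,7"  # assumed 6.0 default

# pam_passwdqc's own defaults, used for any option the setting omits
DEFAULT_POLICY = {"retry": 3, "min": [None, 24, 11, 8, 7], "max": 40, "passphrase": 3}


def parse_policy(value):
    """Parse "retry=N min=N0,N1,N2,N3,N4 max=N passphrase=N" into a dict.

    min= lists the shortest acceptable length for passwords made of 1, 2,
    (passphrase), 3 and 4 character classes; "disabled" (None here) means
    that category is never accepted. retry= only controls PAM's re-prompting.
    """
    policy = {**DEFAULT_POLICY, "min": list(DEFAULT_POLICY["min"])}
    for token in value.split():
        key, _, val = token.partition("=")
        if key == "min":
            parts = val.split(",")
            if len(parts) != 5:
                raise ValueError("min= needs five comma-separated values")
            policy["min"] = [None if p == "disabled" else int(p) for p in parts]
        elif key in ("retry", "max", "passphrase"):
            policy[key] = int(val)
        # other passwdqc options (similar=, random=, enforce=) are not modelled
    return policy


def char_classes(pw):
    """Count passwdqc character classes (lower, upper, digit, other).

    As in passwdqc, an upper-case letter that appears only as the first
    character and a digit that appears only as the last one do not count,
    so "Passw0rd" is a two-class password, not three.
    """
    body = pw[1:] if pw[:1].isupper() else pw
    body = body[:-1] if body[-1:].isdigit() else body
    return sum([
        any(c.islower() for c in body),
        any(c.isupper() for c in body),
        any(c.isdigit() for c in body),
        any(not c.isalnum() for c in body),
    ])


def check_password(pw, policy):
    """Return None if pw satisfies the policy, otherwise a reason string."""
    mins, length = policy["min"], len(pw)
    if length > policy["max"]:
        return "too long"
    classes = char_classes(pw)
    words = len(re.findall(r"[A-Za-z]+", pw))  # simplified passwdqc word count

    def long_enough(n):
        return n is not None and length >= n

    if long_enough(mins[0]):
        return None
    if classes >= 2 and long_enough(mins[1]):
        return None
    if policy["passphrase"] > 0 and words >= policy["passphrase"] and long_enough(mins[2]):
        return None
    if classes >= 3 and long_enough(mins[3]):
        return None
    if classes >= 4 and long_enough(mins[4]):
        return None
    return f"too short for {classes} character class(es): {length} chars, {words} word(s)"


if __name__ == "__main__":
    policy = parse_policy(ESXI_DEFAULT)
    for candidate in ("Passw0rd", "Pa$sw0rd", "VMware1!", "vmware1",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate, policy) or 'accepted'}")
```

    Under that default, 'Passw0rd' is refused because passwdqc does not count a leading capital or a trailing digit toward the class total, while 'Pa$sw0rd' passes with three classes at seven or more characters, and a four-word lower-case passphrase is refused because the passphrase category (N2) is disabled. To tighten the policy, raise the N3/N4 values (passwdqc requires the five min= values to be non-increasing); the new rule applies to password changes made after the setting is pushed, not to passwords already set.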

    Flexible Lockdown Modes

    Prior to vSphere 6.0, there was one lockdown mode. Feedback from customers indicated that this lockdown mode was inflexible in some use cases. With vSphere 6.0, the introduction of two lockdown modes aims to improve that.

    The first mode is normal lockdown mode. DCUI access is not stopped, and users on the DCUI.Access list can access the DCUI. The second mode is strict lockdown mode. In this mode, the DCUI service is stopped.

    There is also new functionality called Exception Users. These are local accounts or Microsoft Active Directory accounts with permissions defined locally on the host where these users have host access. These Exception Users are not recommended for general user accounts but are recommended for use by third-party applications (service accounts, for example) that need host access when either normal or strict lockdown mode is enabled. Permissions on these accounts should be set to the bare minimum required for the application to do its task; an account that only needs to read host state should be given read-only permissions to the ESXi host.

    Smart Card Authentication to DCUI

    This functionality is for U.S. federal customers only. It enables DCUI login access using a Common Access Card (CAC) or Personal Identity Verification (PIV) card. The ESXi host must be part of an Active Directory domain.

    In this lesson, we will take a close look at the improved auditing feature in ESXi.

    Improved Auditing in ESXi

    In prior versions of vSphere, it was difficult to track accountability for actions vCenter Server performed on an ESXi host. Any action vCenter performed against an ESXi host would be captured in log files; however, it would only list the account vCenter used to communicate with the ESXi host, vpxuser. One of the new enhancements in vSphere 2015 is the ability to log the user that performed the action in vCenter against an ESXi host.

    In this lesson we will enable a service on an ESXi host and review the log files to see this information being captured.

    Launch the vSphere Web Client

    If you are not already in the vSphere Web Client, launch the Google Chrome browser from the Desktop. You should automatically be redirected to the vSphere Web Client login page.

    Tick the 'Use Windows session authentication' box and click the 'Login' button.

    Hosts and Clusters

    At the Home page, click the Hosts and Clusters icon.

    Select esx-01a.corp.local

    In the Navigator, select 'esx-01a.corp.local'.

    Next, click on the Manage tab, make sure you are in the Settings tab, and click Security Profile.

    Scroll down to Services

    You will need to scroll down in the center pane until you see the Services section, then click the Edit button.

    CIM Server

    Scroll down until you see the CIM Server service and click on it.

    Click the Start button.

    Wait for the CIM Server to start...

    Once you see the CIM Server service update to Running, click OK.

    Open a PuTTY Session

    From the Taskbar, click on the PuTTY icon.

    Open esx-01a.corp.local

    Click on esx-01a.corp.local and click the Open button.

    cd /var/log

    You should be automatically logged into the ESXi host.

    At the command prompt, enter:

    cd /var/log

    And press the Enter key.

    Maximize the Window

    To better view the log file, maximize the PuTTY window.

    Search the hostd.log file

    We will use the grep command to search for the string 'ServiceSystem.start'. This string appears in the hostd.log file any time a service is started on an ESXi host.

    Type the following command and press Enter:

    grep "ServiceSystem.start" hostd.log

    Search Results

    In the search results we can see that a service was started and that it was initiated by vpxuser on behalf of CORP\Administrator.
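
    The same attribution can be pulled out programmatically, which matters once you want to alert on it rather than grep once. The following is an added example, not part of the lab guide or of ESXi: it parses hostd.log task lines, splits the 'vpxuser:CORP\Administrator' form into the service account and the human behind it, and flags service changes that did not come through vCenter at all (a direct root login, for instance), which is the case you most want to see on a host that is supposed to be in lockdown mode. The log lines are constructed for the example and assume the vSphere 6 hostd.log layout seen in the search results above; check the expressions against a real hostd.log before relying on them.

```python
"""Attribute ESXi host actions to the vCenter user behind vpxuser.

Added example, not part of the lab guide. It implements the check the grep
above performs by hand over hostd.log, plus one a defender wants: flagging
service changes made directly on the host rather than through vCenter.
The log lines below are constructed; they assume the vSphere 6 hostd.log
context format, where the user field reads "user=vpxuser:DOMAIN\\user" for
vCenter-initiated work and "user=root" (or another local account) for a
direct login.
"""
import re
import sys
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+hostd\[\w+\]\s+\[(?P<ctx>[^\]]*)\]\s+(?P<msg>.*)$"
)
USER_RE = re.compile(r"\buser=(?P<user>\S+)")
TASK_RE = re.compile(
    r"Task (?P<state>Created|Completed)\s*:\s*haTask-(?P<obj>.+?)-vim\.(?P<task>[\w.]+)-\d+"
)

# Constructed sample lines (not a real capture). The first pair is the CIM
# Server start performed through the Web Client in this lesson; the third is
# a service stop issued by someone logged in to the host directly as root.
SAMPLE_LOG = [
    r"2015-04-01T10:15:22.123Z info hostd[2B5C0B70] [Originator@6876 sub=Vimsvc.TaskManager opID=5a1b2c3d-9e user=vpxuser:CORP\Administrator] Task Created : haTask-ha-host-vim.host.ServiceSystem.start-123456",
    r"2015-04-01T10:15:22.456Z info hostd[2B5C0B70] [Originator@6876 sub=Vimsvc.TaskManager opID=5a1b2c3d-9e user=vpxuser:CORP\Administrator] Task Completed : haTask-ha-host-vim.host.ServiceSystem.start-123456 Status success",
    r"2015-04-01T10:30:01.000Z info hostd[2B5C2B70] [Originator@6876 sub=Vimsvc.TaskManager opID=hostd-1a2b user=root] Task Created : haTask-ha-host-vim.host.ServiceSystem.stop-123457",
    r"2015-04-01T10:31:05.000Z info hostd[2B5C3B70] [Originator@6876 sub=Vimsvc.TaskManager opID=7f6e5d4c-01 user=vpxuser:CORP\svc-backup] Task Created : haTask-ha-host-vim.host.ServiceSystem.start-123458",
    r"2015-04-01T10:31:06.000Z info hostd[2B5C3B70] [Originator@6876 sub=Hostsvc] Unrelated message without a user field",
]


def parse_line(line):
    """Return a dict for a hostd task line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    u = USER_RE.search(m.group("ctx"))
    t = TASK_RE.search(m.group("msg"))
    if not (u and t):
        return None
    via, _, actor = u.group("user").partition(":")
    if not actor:
        # "user=root" is a direct host login; a bare "user=vpxuser" (the
        # pre-6.0 form) is vCenter acting without a recorded human user.
        actor, via = (None, "vpxuser") if via == "vpxuser" else (via, None)
    return {"ts": m.group("ts"), "state": t.group("state"),
            "task": t.group("task"), "via": via, "actor": actor}


def service_events(lines):
    """(timestamp, actor, path, task) for each created service start/stop task.

    path is "vCenter" when vpxuser acted on behalf of actor, else "direct".
    """
    events = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["state"] != "Created":
            continue
        if not rec["task"].startswith("host.ServiceSystem."):
            continue
        path = "vCenter" if rec["via"] == "vpxuser" else "direct"
        events.append((rec["ts"], rec["actor"] or "(unattributed)", path, rec["task"]))
    return events


def direct_host_actions(lines):
    """Service changes that bypassed vCenter: worth an alert on a host that
    is supposed to be in lockdown mode."""
    return [e for e in service_events(lines) if e[2] == "direct"]


def actions_per_actor(lines):
    """How many service changes each human (or direct account) made."""
    return Counter(actor for _, actor, _, _ in service_events(lines))


if __name__ == "__main__":
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for ts, actor, path, task in service_events(lines):
        print(f"{ts} {task:<32} {actor} via {path}")
    for ts, actor, _, task in direct_host_actions(lines):
        print(f"ALERT: {task} by {actor} directly on the host at {ts}")
```

    Run it against a copied /var/log/hostd.log (first argument) or against the built-in sample. Filtering on "Task Created" avoids double-counting the matching "Task Completed" line; extend the task prefix filter if you also want firewall ruleset, account or lockdown-mode changes.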

    End the PuTTY Session

    Type 'exit' to terminate the PuTTY session.

    vSphere Web Client

    Back in the vSphere Web Client, click on the Edit button in the Services section.

    Stop the CIM Server service

    You will need to scroll down in order to see the CIM Server. Once you find it, click on CIM Server.

    You may have to click the triangle next to Service Details, then click the Stop button.

    Click Yes to confirm that you want to stop the service.

    Exit the Security Profile window

    Once the service has stopped, click OK to close the Security Profile window.

    Conclusion

    This concludes the lesson on ESXi Security Enhancements.

    vSphere SSL Certificates

    Secure communication between components of a distributed system is critical to preserving the integrity of the system as a whole. vSphere components use Secure Sockets Layer (SSL) to communicate securely with one another and with ESXi hosts. SSL is a standard for creating an encrypted link between two devices (in practice, current versions use its successor, TLS). Communications secured in this manner ensure both data confidentiality and integrity; data is protected, and cannot be modified in transit without detection.

    vCenter Server services like the Web Client use their certificates for the initial authentication to vCenter Single Sign-On (SSO). SSO then assigns each component a SAML token that the component uses for ongoing authentication.

    Security Warning!

    Just about every vSphere administrator is familiar with the Security Warning dialog that shows up when the vCenter C# client is loaded. Initially, most vSphere components use what is known as a self-signed certificate. This provides an encrypted connection but does not guarantee that the host receiving the data is the one you think it is.

    Privacy Error!

    Web browsers are becoming increasingly paranoid about the certificates that are trusted by default. These messages can be scary, but the hoops you need to jump through to accept the potentially unsafe communication can be really annoying. The bottom line is that you don't know, so you have to assume the worst. Nobody wants to be the target of a lawsuit.

    The Certificate Authority

    Some people have resigned themselves to clicking the Ignore button every time they need to log in to vCenter. Others have worked around the system by explicitly trusting the presented certificates for each device on every machine they use. That is operationally intensive and frequently infeasible, depending on the number of devices and certificates in play.

    This is where a Certificate Authority (CA) can be very helpful. With one of these in place, every certificate issued by the trusted authority is automatically trusted via the chain of trust built during its integration: you trust the CA-issued certificates because the trusted CA tells you that they are good. Secure communication with no more warnings!

    There are many public CAs out there that will sell certificates to you, but purchasing a certificate for each component/service is costly and unnecessary. Creating and managing your own Enterprise Certificate Authority is not a trivial undertaking, but setting one up just to secure communication between vSphere components might be overkill.

    Even with a basic CA in place, the complexity involved with replacing all of the vSphere 5.x service certificates is about as pleasant as getting a root canal or sitting through a certification exam! Thankfully, this process has been greatly improved in vSphere 6.

    Introducing the VMware Certificate Authority

    In vSphere 6.0 and later, the VMware Certificate Authority (VMCA) issues certificates for VMware solution users, machine certificates for machines on which services are running, and ESXi host certificates.

    There are three different modes of operation for the VMCA, each with specific use cases, described below. Note that VMCA is not a general purpose CA and its supported use is limited to VMware components.

    Default VMCA: VMCA uses a self-signed root certificate. It issues certificates to vCenter, ESXi, service users, etc. and manages these certificates. These certificates have a chain of trust that stops at the VMCA root certificate.

    Enterprise VMCA: VMCA is configured as a subordinate CA and is issued a subordinate CA signing certificate by an Enterprise Root CA. In this configuration, issued certificates have a chain of trust that terminates at the Enterprise CA's root certificate. Certificates issued using the default VMCA configuration, prior to replacing the VMCA's self-signed root certificate with a CA signing certificate, will be regenerated and pushed out to the components.

    Custom: This configuration completely bypasses the VMCA and is only intended for those customers that want to completely manage their own certificates. A certificate will need to be generated and installed manually (or via some external automated process) for each component, similar to the process used for managing CA-issued certificates in vSphere 5.x.

    Note that in Default and Enterprise modes VMCA certificates can be easily regenerated on demand. In Custom mode, you must ensure that the certificates are generated through some other process.

    What does this look like?

    In the lab, we are using the default VMCA configuration and have added the root VMCA certificate to the local machine's Trusted Root Certification Authorities store in Windows. This store is used by Internet Explorer, Chrome, and the VMware C# Client. Note what that trust means: any machine with the VMCA root in its trusted store will accept every certificate the VMCA issues, so the PSC that hosts the VMCA must be protected like any other root CA.

    Open the Trusted Root Certificates link (1) from the Desktop and locate the certificate (2) that was issued to CA and by CA. This is the VMCA's root certificate. You may also notice that there is a CONTROLCENTER-CA certificate in this list. This is the CA that runs on the ControlCenter machine in the labs and can be used to issue certificates to machines and services that are not yet integrated with the VMCA.

    You may see two entries for each of these CAs. There is no harm in this; it is the result of a Group Policy that is in effect to automatically add these two certificates to the Trusted Root Certification Authorities store for any Windows machine that joins our CORP domain.

    Certificate Management for ESXi Hosts

    In vSphere 6, certificate management for ESXi hosts is performed from the vSphere Web Client.

    Launch Firefox using the icon on the desktop or task bar. The Site A Web Client should load automatically when Firefox opens.

    1. Click the Use Windows session authentication checkbox
    2. Click Login

    Go to Hosts and Clusters View

    In the Navigator pane on the left, click on the Hosts and Clusters link (1) to open that view of the inventory.

    Checking an ESXi host's Certificate

    1. Select the esx-01a.corp.local host in the inventory list
    2. Click on the Manage tab
    3. Click on the Certificate section

    Notice that the host's SSL certificate details are displayed, including the status, issuer, and expiration date.

    Reissuing an ESXi host's SSL Certificate

    1. Renewing the certificate for the esx-01a.corp.local host from this screen is as simple as clicking the Renew button and answering Yes to the confirmation prompt.

    2. From a screen where the host object is visible, it is also possible to right-click on the host object and navigate to Certificates > Renew Certificate to achieve the same result. This option is especially useful for renewing certificates for many hosts at once because it supports multiple selection.

    Choose one of these methods and renew the certificate for the esx-01a.corp.local host.

    Notice that the Valid from and Valid to dates update to reflect today and 5 years from today, respectively. This is the default lifetime for VMCA-issued host certificates.

    vCenter Certificate Management Settings

    Out of the box, the certificates issued to hosts are valid for 5 years. We would like certificates that are valid for 10 years -- I don't like to keep checking. The parameters for host certificates are stored in the vCenter Advanced Settings. Bear in mind that a longer lifetime also lengthens the window in which a compromised host key stays trusted, so weigh the convenience against that before changing it in production.

    1. Select the vCenter Server vcsa-01a.corp.local
    2. Click on the Manage tab
    3. Click Settings
    4. Click Advanced Settings
    5. Enter "certs" into the Search box

    The parameter to edit is vpxd.certmgmt.certs.daysValid. This parameter has a valid range of 1 to 5,475 (~15 years).

    Click the Edit button to bring up the Advanced Settings Editor.

    Change validity period of host certificates

    This window can be used to edit all of the Advanced Settings.

    1. Enter "daysValid" into the Filter box to filter the list.
    2. Highlight 1825 and replace it with 3650 to change from 5 to 10 years.
    3. Click the OK button to save the change.

    Enact the change on the esx-01a.corp.local host

    Making the change to 10-year certificates does not cause them to automatically regenerate.

    1. Click on the esx-01a.corp.local host in the inventory list and navigate to the Manage > Settings > Certificate area, as before.
    2. Note the current "Valid to" date, which should be roughly 5 years away.
    3. Click the Renew button (1) and wait for the screen to refresh; it should happen automatically.
    4. Notice that the "Valid to" date (2) is now ~10 years away from today.

    If required, this procedure can be used to change the default Organization (VMware), Organizational Unit (VMware Engineering), State (California), Locality (Palo Alto), Country (US), and Administrator Email address fields that are part of these host certificates.

    Note that this is much simpler than the previous method of using WinSCP to copy rui.key and rui.crt files to and from ESXi hosts after generating certificate requests by hand and fulfilling them from an external CA. In addition, vCenter Server keeps track of the expiration dates for these certificates and will apply the Yellow and Red badges to the host objects to indicate that they are nearing the end of their validity period.

    Viewing vCenter Certificates with the Web Client

    It is possible to view all certificates issued by the VMCA by logging in with the Web Client as a user with privileges for the VMware Certificate Authority. This is a user that is a member of the CAAdmins vCenter Single Sign-On group. By default, the SSO administrator has this access.

    1. If you are currently logged in as another user in the Web Client, click on your user nameand select Logout

    2. At the login screen, enter the User name [email protected] and passwordVMware1!

    3. Click the Login button

    Navigate to Administration

    In the Navigator, click on Administration


  • Locate System Configuration

    Near the bottom of the Administration list in the Navigator, find System Configuration under Deployment. In the screen shot, the other sections have been collapsed to save space.

    Open the Certificate Authority

    1. Click on the Nodes item under System Configuration
    2. Select the psc-01a.corp.local node. In the lab, we have two vCenter Server appliances and an external Platform Services Controller (PSC). The VMCA is a component of the PSC.
    3. Click the Manage tab
    4. Select Certificate Authority

    As an added measure of security, it is required to enter the current user's password once again to browse the CA.

    Click on the Verify Password link in the middle of the Certificate Authority panel and enter the password VMware1! when prompted.


  • Browse Active Certificates

    1. Click on Active Certificates to get a list of all currently active certificates. You can also list Revoked and Expired certificates here, but there are none in this lab.
    2. Scroll to the bottom of the list and click on the last certificate
    3. If you have completed previous exercises in this section, notice that the "Valid To" date of the latest certificate is ~10 years from today.
    4. Due to the small size of the console screens in the lab environment, it may be difficult to see details of the certificates in this table view. Click on the Certificate icon (4) to open a more detailed view of the selected certificate.

    Note that the green check marks next to the "Valid To" dates mean that the certificates are within their validity period and have not expired.


  • Show Certificate Details

    This screen shows more detailed information about the 10-year certificate that was issued in an earlier exercise -- or whichever certificate was selected in the main table view. Note that this information is read-only and intended for reference purposes only.

    On smaller screens, the OK button may be drawn off the bottom of the screen. Double-click on the title bar of this dialog (1) to resize it and display the buttons. Click OK or Cancel depending on your preference; they serve the same purpose here.

    Log out

    This concludes the module.

    1. Click on the name of the logged-in user, [email protected]
    2. Click Logout


  • Conclusion

    Secure Sockets Layer (SSL) allows secure communication, but management of the required enterprise trust infrastructure, commonly known as a Public Key Infrastructure (PKI), requires more than a passing understanding of the complexities involved.

    vSphere 6 includes a more limited and focused PKI that has been configured for use specifically by vSphere components. This infrastructure has been made simpler to manage than a general-purpose PKI due to its more targeted use case: communication between various and well-defined components of the distributed vSphere environment.

    For those who are experienced with PKI concepts and already have an Enterprise deployment, VMware has provided the capability to integrate the new vSphere-specific CA with an existing PKI for simpler management. If corporate policy requires, it is also possible for the existing enterprise PKI to manage all certificates required by the vSphere components.


  • Network I/O Control Enhancements (NIOC)

    vSphere Network I/O Control version 3 introduces a mechanism to reserve bandwidth for system traffic based on the capacity of the physical adapters on a host. It enables fine-grained resource control at the VM network adapter level similar to the model that you use for allocating CPU and memory resources.

    Models for Bandwidth Resource Reservation

    Network I/O Control version 3 supports separate models for resource management of system traffic related to infrastructure services, such as vSphere Fault Tolerance, and of virtual machines.

    The two traffic categories have different natures. System traffic is strictly associated with an ESXi host. The network traffic routes change when you migrate a virtual machine across the environment. To provide network resources to a virtual machine regardless of its host, in Network I/O Control you can configure resource allocation for virtual machines that is valid in the scope of the entire distributed switch.

    Bandwidth Guarantee to Virtual Machines

    Network I/O Control version 3 provisions bandwidth to the network adapters of virtual machines by using constructs of shares, reservation and limit. Based on these constructs, to receive sufficient bandwidth, virtualized workloads can rely on admission control in the vSphere Distributed Switch, vSphere DRS and vSphere HA.

    Network I/O Control Version 2 and Version 3 in vSphere 6.0

    In vSphere 6.0, version 2 and version 3 of the Network I/O Control capability can coexist. The two versions implement different models for allocating bandwidth to virtual machines and system traffic. In Network I/O Control version 2, you configure bandwidth allocation for virtual machines at the physical adapter level. In contrast, version 3 lets you set up bandwidth allocation for virtual machines at the level of the entire distributed switch.

    When you upgrade a distributed switch, the Network I/O Control is also upgraded to version 3 unless you are using features that are not available in Network I/O Control version 3, such as CoS tagging and user-defined network resource pools. In this case, the difference in the resource allocation models of version 2 and version 3 does not allow for non-disruptive upgrade. You can continue using version 2 to preserve your bandwidth allocation settings for virtual machines, or you can switch to version 3 and tailor a bandwidth policy across the hosts connected to the switch.

    In this lesson, we will walk through the steps needed to configure Network I/O Control at the vNIC level.


  • Open the Google Chrome Browser

    If you do not already have the vSphere Web Client running, open the Google Chrome browser from the desktop.

    Login to the vSphere Web Client by ticking the box for 'Use Windows session authentication' and click the Login button.

    Select Networking

    First, let's verify that the vDS we want to use is running NIOC version 3 and that NIOC is enabled.

    Start by clicking the Networking icon.


  • Expand vcsa-01a.corp.local

    Expand vcsa-01a.corp.local until you can see the distributed switch vds-site-a.

    Edit Settings

    Click on vds-site-a, then click on the Settings tab. Finally make sure you are on the Properties tab.

    We can see that Network I/O Control is enabled on the distributed switch.

    Note: If it were not enabled, you would just need to click the Edit button, select Enable in the Network I/O Control drop-down box and click OK.


  • Verify the Network I/O Control Version

    Now let's see what version of Network I/O Control we are running.

    Click on the Resource Allocation tab. You may have to unpin the Navigation pane to see this.

    Here you can see that we are running version 3, which is the required version for NIOC at the vNIC level.

    Note: If the distributed switch was running an earlier version of NIOC, you just need to right-click on the distributed switch in the Navigation pane and select 'Upgrade --> Upgrade Network I/O Control...'.

    Configure Bandwidth Allocation

    Much like virtual machine CPU and Memory reservations and limits, we will need to create them for networking. In our case, since we want to reserve bandwidth for virtual machines, we'll modify the reservations for virtual machine traffic.


  • Start by clicking on 'Virtual Machine Traffic' in the traffic types list and clicking the Edit button.

    Reservation

    In the Reservation box, type '2000' to reserve 2,000Mbs bandwidth for Virtual Machine traffic. Leave all other settings at their defaults.

    Click OK to continue.

    Reservation Set

    Once you click OK, you will notice that even though we have set a reservation of 2,000Mbs for virtual machine traffic, it is not showing up under the Reservation column. This is because we have just set the Reservation and not actually reserved it for a virtual machine.


  • Show the Navigation Bar (if you unpinned it).

    Click on the Navigation link on the left hand side, if you unpinned it earlier.

    Pin the Navigation Bar

    Now click the thumbnail so it points down. This will pin the navigation bar back in place.


  • Select Hosts and Clusters

    From the Home menu, select Hosts and Clusters.

    Clone TinyLinux-01

    So we don't interfere with other lessons you may want to take, let's clone linux-micro-01a.

    Right-click on 'TinyLinux-01' and select Clone --> Clone to Virtual Machine...


  • Name your VM

    Name your VM linux-nioc-01a and accept the default location of Datacenter Site A for the location.

    Click Next to continue.


  • Select Cluster Site A

    Place the VM on Cluster Site A by clicking on it.


  • Accept Default Storage

    Just click Next for the storage selection.

    Un-check All Boxes

    Make sure to un-check all the boxes before clicking Next.


  • Ready to Complete

    Verify the settings look correct and click Finish to clone the VM.

    It should only take a minute to perform the clone operation. You can track the progress by clicking on the Recent Tasks link in the bottom left corner of the vSphere Web Client.


  • Edit the VM Settings

    Right-click on the newly cloned VM, linux-nioc-01a and select Edit Settings...

    Expand Network Adapter 1

    Expand out Network adapter 1 and you will notice some new options. Now we can set how much bandwidth to reserve for this specific vNIC on the virtual machine.

    Let's give it all 1,000Mbs of the 2,000Mbs reservation we set.

    Type 2000 in the Reservation box. Click OK.

    Note: If you don't see this box, make sure you connected Network adapter 1 to VM Network (vds-site-a).


  • Viewing Reservation

    You can now see the reservation is set so that this virtual machine's network adapter will have a reserved 2,000Mbs of bandwidth.
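    The shares, reservation and limit constructs from the NIOC overview, and the admission check behind the "Reservation Set" step (the 2,000Mbs pool is only consumed once a vNIC reserves from it), as an added Python model that is not part of the lab manual or of VMware's code. The vNIC names and figures are constructed; the allocator is a simplified proportional-share model, not NIOC's actual implementation.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VnicPolicy:
    """Per-vNIC settings exposed under Edit Settings > Network adapter (NIOC v3). All figures in Mbps."""
    name: str
    shares: int                  # relative weight under contention
    reservation: int = 0         # guaranteed floor
    limit: Optional[int] = None  # hard ceiling, None = unlimited


def admit(vnics: List[VnicPolicy], vm_traffic_reservation: int) -> Tuple[List[str], List[str]]:
    """Admission control (simplified): vNIC reservations drawn from the switch cannot
    exceed the 'Virtual Machine Traffic' reservation. Returns (admitted, rejected) names."""
    admitted, rejected, used = [], [], 0
    for v in vnics:
        if v.reservation < 0 or (v.limit is not None and v.limit < v.reservation):
            rejected.append(v.name)          # inconsistent policy: limit below the floor
        elif used + v.reservation <= vm_traffic_reservation:
            admitted.append(v.name)
            used += v.reservation            # the pool is consumed only here, not when it is set
        else:
            rejected.append(v.name)          # pool exhausted: the floor could not be honoured
    return admitted, rejected


def allocate(vnics: List[VnicPolicy], capacity: int) -> Dict[str, float]:
    """Distribution under contention: each vNIC first receives its reservation, the
    remainder is split by shares, and no vNIC exceeds its limit. Bandwidth a capped
    vNIC cannot use is redistributed to the others in further rounds."""
    alloc = {v.name: float(v.reservation) for v in vnics}
    remaining = capacity - sum(alloc.values())
    if remaining < 0:
        raise ValueError("reservations exceed capacity; admission control should have refused one")
    active = [v for v in vnics if v.limit is None or v.limit > v.reservation]
    while remaining > 1e-9 and active:
        total_shares = sum(v.shares for v in active)
        if total_shares == 0:
            break                            # nobody is entitled to the leftover
        still_active, handed_out = [], 0.0
        for v in active:
            want = remaining * v.shares / total_shares
            room = float("inf") if v.limit is None else v.limit - alloc[v.name]
            give = min(want, room)
            alloc[v.name] += give
            handed_out += give
            if give >= want - 1e-9:          # not capped: keeps competing next round
                still_active.append(v)
        remaining -= handed_out
        active = still_active
    return alloc


def lab_case() -> Tuple[List[str], List[str]]:
    """The lab: a 2,000 Mbps VM-traffic reservation, fully claimed by one vNIC (constructed names)."""
    vnics = [VnicPolicy("linux-nioc-01a:adapter1", 50, reservation=2000),
             VnicPolicy("other-vm:adapter1", 50, reservation=1)]
    return admit(vnics, 2000)


if __name__ == "__main__":
    print(lab_case())
```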


  • Lesson Clean Up

    Feel free to explore other options with NIOC. When you are finished with this lesson, please delete the linux-nioc-01a virtual machine to avoid confusion in other lessons.

    Just go back to the Hosts and Clusters view and right-click on the virtual machine linux-nioc-01a and select Delete from Disk.

    Conclusion

    This concludes Module 1 - What's New with vSphere 6. We hope you have enjoyed taking this lab and don't forget to take the survey at the end.

    If you have time remaining, here are the other Modules that are part of this lab, along with an estimated time to complete each one. Click on the 'Table of Contents' button to quickly jump to that Module in the Manual.


  • Module 2 - An Introduction to Management with vCenter Server (60 Minutes)
  • Module 3 - An Introduction to vSphere Networking and Security (60 Minutes)
  • Module 4 - An Introduction to vSphere Storage (60 Minutes)


  • Module 2 - Introduction to Management with vCenter Server (60 Min)


  • What is vSphere?

    VMware vSphere is the world's leading virtualization platform. As virtualization and the vSphere platform have continued to grow, organizations have faced new challenges. With vSphere, IT can rapidly provision Virtual Machines (VMs) but has found that management, capacity planning, and lifecycle management of these VMs has become increasingly difficult. VMware vSphere with Operations Management (vSOM) is a new solution that enables users to gain operational insight into a vSphere infrastructure while also optimizing capacity. As vSphere environments continue to grow it is essential that users have proactive management that can deliver monitoring, performance, and capacity information at a glance. This detailed analysis enables users to get the most out of the virtualization platform by reclaiming unused capacity, rightsizing virtual machines, improving utilization, and also helping to increase consolidation ratios. This new VMware solution combines vSphere with vRealize Operations Standard.

    Video: Introduction to VMware vSphere with Operations Management (5:48)

    This video will show you how vSphere with Operations Management can help you manage a more efficient and available environment.


  • ESXi Install and Configure

    Due to the environment the Hands on Labs are running in and the high I/O it would cause, we are not able to install software. Please use the following videos to walk through the process.

    Video: Installing and Configuring vSphere (4:36)

    The following video will walk through the process of installing and configuring vSphere.

    Video: Overview of the DCUI (4:58)

    This video will walk you through the Direct Console User Interface (DCUI).


  • vCenter 6.0 Overview

    vCenter Server unifies resources from individual hosts so that those resources can be shared among virtual machines in the entire datacenter. It accomplishes this by managing the assignment of virtual machines to the hosts and the assignment of resources to the virtual machines within a given host based on the policies that the system administrator sets.

    vSphere v6.0 Components

    The above diagram shows how vCenter fits in the vSphere stack. With vCenter installed, you have a central point of management. vCenter Server allows the use of advanced vSphere features such as vSphere Distributed Resource Scheduler (DRS), vSphere High Availability (HA), vSphere vMotion, and vSphere Storage vMotion.

    The other component is the vSphere Web Client. The vSphere Web Client is the interface to vCenter Server and multi-host environments. It also provides console access to virtual machines. The vSphere Web Client lets you perform all administrative tasks by using an in-browser interface.


  • vCenter 6.0 Components

    Starting with vSphere 5.1 there are two methods to deploy vCenter. The first method is a Windows installation. With the Windows method, you can install vCenter Single Sign On, Inventory Service, and vCenter Server on the same host machine (as with vCenter Simple Install) or on different virtual machines.

    The other method is a virtual appliance. The vCenter Server Appliance (vCSA) is a single preconfigured Linux-based virtual machine optimized for running vCenter Server and associated services.

    Platform Services Controller (PSC)

    The Platform Services Controller (PSC) includes common services that are used across the suite. These include Single Sign-On (SSO), Licensing, and the VMware Certificate Authority (VMCA). You will learn more about SSO and the VMCA in the following pages.


  • The PSC is the first piece that is either installed or upgraded. When upgrading, an SSO instance becomes a PSC. There are two models of deployment, embedded and centralized.

    Embedded means the PSC and vCenter Server are installed on a single virtual machine. Embedded is recommended for sites with a single SSO solution such as a single vCenter.

    Centralized means the PSC and vCenter Server are installed on different virtual machines. Centralized is recommended for sites with two or more SSO solutions such as multiple vCenter Servers, vRealize Automation, etc. When deploying in the centralized model it is recommended to make the PSC highly available so as not to have a single point of failure; in addition to utilizing vSphere HA, a load balancer can be placed in front of two or more PSCs to create a highly available PSC architecture.

    The PSC and vCenter servers can be mixed and matched, meaning you can deploy Appliance PSCs along with Windows PSCs with Windows and appliance-based vCenter Servers. Any combination uses the PSC's built-in replication.

    Use Case:

    The PSC removes services from vCenter and makes them centralized across the vCloud Suite.

    This gives customers a single point to manage all their vSphere roles and permissions along with licensing.

    Reducing vCenter Server installation complexity allows customers to install or upgrade to vSphere 6 faster.

    There are only two install options:
        Embedded: the PSC installs all components on a single virtual machine.
        Centralized: the customer must install the PSC and vCenter Server separately.

    In either installation model all vCenter Server services are installed on the vCenter Server, reducing the complexity of planning and installing vCenter Server.

    vCenter Single Sign On

    vSphere 5.1 introduced vCenter Single Sign On (SSO) as part of the vCenter Server management infrastructure. This change affects the vCenter Server installation, upgrading, and operation. Authentication by vCenter Single Sign On makes the VMware cloud infrastructure platform more secure by allowing the vSphere software components to communicate with each other through a secure token exchange mechanism, instead of requiring each component to authenticate a user separately with a directory service like Active Directory.


  • vCenter Single Sign On - Typical Deployment

    Starting with version 5.1, vSphere includes a vCenter Single Sign-On service as part of the vCenter Server management infrastructure.

    Authentication with vCenter Single Sign-On makes vSphere more secure because the vSphere software components communicate with each other by using a secure token exchange mechanism, and all other users also authenticate with vCenter Single Sign-On.

    Starting with vSphere 6.0, vCenter Single Sign-On is either included in an embedded deployment, or part of the Platform Services Controller. The Platform Services Controller contains all of the services that are necessary for the communication between vSphere components including vCenter Single Sign-On, VMware Certificate Authority, VMware Lookup Service, and the licensing service. For example, in the image above, SSO resides within the Platform Services Controller as part of this multi-vCenter topology. Both Windows and the vCSA can participate in this topology.


  • vCenter Single Sign On - Single vCenter

    In a single vCenter topology, the PSC (along with all of its associated services) can run on a single machine, also called the embedded deployment. This single machine could be a physical Windows server, a Windows VM, or the vCSA.

    While vCenter Server requires a database as shown above, SSO itself does not have such a requirement.

    More Information on Single Sign On

    The second Module in this lab, Introduction to vSphere Networking and Security, covers SSO in more detail.

    However, you can also refer to the vCenter 6.0 Deployment Guide for more in-depth requirements and considerations for SSO architecture in vCenter 6.0:

    http://www.vmware.com/files/pdf/techpaper/vmware-vcenter-server6-deployment-guide.pdf


  • Using the vSphere 6.0 Web Client

    This lab will introduce the new vSphere 6.0 Web Client and its functionality.

    The vSphere Web Client is the primary method for system administrators and end users to interact with the virtual data center environment created by VMware vSphere. vSphere manages a collection of objects that make up the virtual data center, including hosts, clusters, virtual machines, data storage, and networking resources.

    The vSphere Web Client is a Web browser-based application that you can use to manage, monitor, and administer the objects that make up your virtualized data center. You can use the vSphere Web Client to observe and modify the vSphere environment in the following ways.

    Viewing health, status, and performance information on vSphere objects

    Issuing management and administration commands to vSphere objects

    Creating, configuring, provisioning, or deleting vSphere objects

    You can extend vSphere in different ways to create a solution for your unique IT infrastructure. You can extend the vSphere Web Client with additional GUI features to support these new capabilities, with which you can manage and monitor your unique vSphere environment.


  • Main Areas of the Web Client

    The vSphere Web Client is broken into 6 main areas also referred to as panes.

    1. The navigation tree or Navigator
    2. The main content area
    3. The Search bar
    4. The Work in Progress list
    5. The Alarms list
    6. And the Recent Tasks list

    The layout of these panes can be customized. Click the push pin icon in the Navigator, Recent Tasks, Work in Progress, or Alarms panes to minimize them. This can create more room for the main area if you are working on a small monitor or one with low resolution. You can also change where each of those panes is shown by dragging the title bar of the pane to one of the edges of the screen.

    Please Note: In this lab, since we're limited to a small screen resolution, we've set all the panes to be minimized by default to give you the most screen real estate possible. You can open any or all panes at your convenience and click on the push pin in any pane to allow it to stay on the screen.


  • Review main areas of web interface

    Start the Firefox web browser which will open to the "Site A Web Client".

    1. Click the "Use Windows session authentication" check box
    2. Click "Login"


  • vCenter 6.0 Inventory

    1. Click "vCenter Inventory Lists" in either the left-hand tree or the right-hand pane. Clicking vCenter Inventory Lists will take you to the inventory page where you find all the objects associated with vCenter Server systems such as datacenters, hosts, clusters, networking, storage, and virtual machines.

    Child objects, Data Centers, and Hosts

    1. Click the "Virtual Machines" inventory item. By selecting this inventory item, you are presented with a list of the VMs which are located in this environment.


  • Virtual Machine Summary

    1. Click the "w12-core" virtual machine.
    2. Click the "Summary Tab" for that virtual machine. On this page you are able to see all the details regarding the virtual machine. There is an "Edit Settings" link as well to modify the settings of the virtual machine.


  • Edit the settings of a virtual machine.

    1. Click the arrow next to "VM Hardware" to expand this pane and expose the VM's hardware settings.

    2. Click "Edit Settings" so a second network adapter can be added to the virtual machine.


  • Add a second network adapter

    1. Now we need to add an additional network card to the VM.
    2. Click the drop down list for "New Device" and highlight the "Network" device. We need to add a second network to the virtual machine.
    3. Click the Add button to add the new Network Card.
