VMware vSphere 6.0 Part 2 - vCenter, Alarms and Templates
Learn VMware vSphere vCenter Installation & Configuration, Clones & Templates, Permissions, Alarms and vSphere Converter
Created by Larry Karnis
Last updated 6/2017
  • 10.5 hours on-demand video
  • 3 Supplemental Resources
What Will I Learn?
  • Explain the role of vCenter Server in a vSphere environment
  • Install, configure and administer vCenter Server appliance
  • Rapidly deploy Virtual Machines using VM Templates and Clones
  • Understand and use vSphere permissions
  • Monitor vCenter inventory with Alarms
  • Use VMware vCenter Converter to perform physical-to-virtual workload consolidations
Requirements
  • You should have a good understanding of operating systems such as Windows or Linux
  • You should have a working knowledge of Ethernet and TCP/IP networks
  • You should know how to install and configure ESXi
  • You should have a working knowledge of Standard Virtual Switches
  • You should know how to create and administer Virtual Machines using ESXi 6

VMware vSphere 6.0 is the platform businesses depend on to deploy, manage and run their virtualized Windows and Linux workloads.

In this course you will learn how to add vCenter management services to your standalone ESXi environment. Once you have vCenter working, we will show you how to rapidly deploy new VMs via Templates and Clones, how to control vCenter access with Permissions, how to monitor your inventory with Alarms and how to migrate workloads into your new vSphere environment with VMware vCenter Converter.

***** New! This course is now 100% downloadable *****

Learn vCenter Server and Core vCenter Features

This course covers five major topics that all vSphere 6 vCenter administrators must know:

  • First, we start by learning how to install and configure vCenter including vCenter for Windows and vCenter Server Appliance (vCSA). From there, learn how to create vCenter's inventory hierarchy, how to join vCenter to an Active Directory domain, how to import an ESXi host into vCenter management, how to connect to and use Web Client. We will also learn how to access VM consoles using both the VMware Remote Console application and the Web Client Console.
  • vCenter enables rapid, effective VM deployment using both Templates and Clones. We will see how to perform cold/hot VM cloning to make one-time copies of VMs. We will then see how to create Template VMs, which are used for rapid copy-and-customize VM deployments. We will look at vCenter's Guest OS Customization Wizard and use it to easily establish new Name and Network properties for our rapidly deployed VMs.
  • Next, we will learn how to manage access and Permissions on both standalone ESXi hosts and in vCenter managed environments.
  • vCenter has extensive ESXi host, Storage, VM and Cluster monitoring capabilities. We will learn how to use vCenter Alarms to identify exactly the inventory objects we wish to monitor, what conditions we need to check and what actions we want vCenter to take when exceptional circumstances are detected.
  • In the final chapter of this course, we will learn how to install and use VMware vCenter Converter. Converter is a workload migration and consolidation tool that lets you migrate Windows or Linux workloads from source physical or foreign virtual machines (e.g. Hyper-V or XenServer) to ESXi Virtual Machines.

The skills you will acquire in this course will help make you a more effective vSphere 6 administrator.

Who is the target audience?
  • This course is intended for anyone who wants to learn how to install, configure and use the core components of VMware vSphere 6.0 including vCenter Server
Curriculum For This Course
219 Lectures
Install and Configure vCenter Server
62 Lectures 03:17:59

Once you introduce vCenter to your network, vCenter will act as a management proxy accepting inbound vSphere Client connections and performing the appropriate back-end work on the vSphere Client's behalf.

vCenter can proxy all requests including ESXi host requests and VM requests (including Remote Consoles). Remote Console proxies are especially useful because you do not need to be concerned about which host your VM runs on to open a console to it. If the VM moves (say through VMotion) your console session will be proxied by vCenter through to the new host without your having to take any action.

As a management proxy, vCenter accepts requests to perform some action, decides how that action needs to be completed and then takes the appropriate steps. For example, if you connect the vSphere Client to vCenter and then power on a VM, vCenter will:

- determine if you have permission to power on the VM

- determine which host currently holds the VM you wish to power on

- send that host the appropriate power on request

- monitor the status of that request (updating your vSphere Client session), and

- inform you of the completion status of the request

Preview 01:57

vCenter Server Appliance has a lengthy and involved install process that involves completing multiple tasks with significant waits in between.

In this first task, we will install the Client Integration Plugin and launch the vCenter Server Appliance web based installer. We will go through the install wizard and identify our ESXi target host, our new VM's size, name, network properties, database and more. When we finish the wizard the new vCenter Server Appliance will be imported onto our selected ESXi host.

The import process takes about 20-30 minutes (and is not included in this video because it is really boring!)

Preview 15:23

vCenter acts as a management proxy for ESXi hosts and Virtual Machines. When a user logs into vCenter, their permission settings are consulted and vCenter displays only that subset of the inventory over which the user has some rights. In this way, unauthorized inventory items are kept private.

When users interact with vCenter, vCenter takes the desired action (on the appropriate host) on their behalf. For example, if a vCenter user powers on a VM, vCenter will:

- check to see if the user has power management rights, and if so, vCenter will

- contact the host on which the VM resides and

- issue a VM power on command

vCenter Server for Windows is a 64-bit application built on Microsoft's .Net framework. vCenter also acts as an enabler for advanced VMware capabilities including:

VMotion – hot migration of VMs from one host to another

Distributed Resource Scheduler – automated VM/host load balancing using VMotion

High Availability Clusters – automatic VM placement, boot after an ESXi host failure

vCenter functionality can also be extended using modules. VMware currently offers modules for Capacity Planner (what hosts do I have and would they make a good VM), Converter (physical to virtual migration) and Update Manager.

Preview 02:10

The vCenter Server Appliance includes the open source PostgreSQL database. Unlike the free versions of Oracle, DB2 and MS SQL Server, PostgreSQL has no vendor-imposed limitations. You can give it as much CPU and RAM as you like, it can run as many threads as it wants and it can create/access databases as large as you need.

Preview 03:13

vCenter normally sits on your management LAN segment. It is not necessary for you to deploy a separate physical or virtual LAN segment for vCenter but it is a good idea to isolate management traffic from the spikes and load of production, storage and/or back up networks.

VMware uses only encrypted connections between its client and server software. That is, all data exchanged between the vSphere Client, vCenter and ESXi is encrypted using strong (SSL) encryption. The ESXi firewall, by default, does not allow non-encrypted protocols (e.g.: FTP, Telnet, HTTP) but does permit their encrypted counterparts such as SFTP, SSH and HTTPS.

Preview 02:30

SQL Server is available in four editions. These editions can function locally (run on the same box as vCenter) or remotely (on a separate server). vCenter uses Open Database Connectivity (ODBC) to connect to remote database services. If you intend to use a remote database service, then you will need to have your DBA team:

- create a new database instance for you

- assign your account the appropriate roles within SQL Server

- use SQL Server authentication and not Windows (i.e.: Active Directory)

If you run SQL Server on the same box on which you run vCenter (very reasonable for smaller deployments), then you must define your vCenter/SQL Server connection to:

- Use a SYSTEM DSN (File or User DSNs will test correctly but will not function)

- Use MS local or AD based authentication, or use SQL authentication

Furthermore, you must ensure that you have enough room on the local system for the files that make up your SQL database (minimum 6GB).

MS SQL Server is a resource intensive application. If you run full SQL Server on your vCenter server, ensure you have a minimum of 6+GB of RAM to help maintain performance.

Microsoft SQL Server

vCenter stores all of its data in a SQL database. The single largest class of data it stores inside SQL is performance data. Using the vCenter Server Settings > Statistics window, you can take control of how much performance data is stored. You can also estimate total database size based on the number of ESXi hosts and VMs under management.

The first step is to fine tune how performance data is retained. VMware updates performance statistics every 20 seconds (Performance tab in the vSphere Client) but stores only 5 minute summaries into the SQL database. 5 minute summaries are held for 24 hours before they are rolled up into 30 minute aggregates. These 30 minute aggregates are then held for 1 week before they are further rolled up into 2 hour aggregates. Then, after one month, 2 hour summaries are reduced to 1 day averages. In this way, VMware attempts to provide usable performance data without overpopulating the database. You can edit the time intervals by clicking on any existing interval and clicking Edit. Statistics are the single largest consumer of database storage.

Once vCenter knows how performance data is handled, it can estimate how much SQL data space (rows and total space) is needed once you tell it how many ESXi hosts and VMs will be managed by vCenter. Note that 20 ESXi hosts and 500 VMs using the default data retention and aggregation policies will only occupy about 3.9GB of database space, making a deployment of this size the theoretical maximum for either of the free (Oracle or SQL Server) databases. Note: performance and other issues will ensure your MS SQL Express database remains small.

Database Size Estimator

Windows vCenter Installer App

Installing vCenter Server Appliance

Activate the Client Integration Plug-in

vCSA Ready to Start the Install

Select target ESXi 6.0 host

Set vCSA Password

Platform Service Controller (PSC)

Embedded / External PSC

Set SSO Password, Domain

Note that the Tiny size is the absolute minimum CPU and Memory on which vCenter Appliance can (barely) run. If you select Tiny, then the initial install of vCenter Appliance will proceed very slowly as the VM uses all available resources to install the appliance, configure all services, initialize the vPostgres database, etc.

In the author's own experience, during the install process, a vCenter Appliance needs more than 6GHz of cycles and about 11GB of RAM to function without CPU/RAM resource starvation. However, once the install has completed, vCenter Appliance will happily run on 2 vCPU cores and 8GB of RAM.

There is no option to customize the vCenter Appliance hardware during the install process (other than selecting Tiny, Small, Medium or Large). Once the VM has completed its initial install, you can change the hardware:

- perform an orderly shutdown of your vCenter Appliance

- Edit the VM's settings and dial CPU up to 3 cores and RAM to 12GB

- Power on the vCenter appliance and continue with the installation

Select vCSA Installation Size

Set vCSA Target Datastore

Set vCSA Target Datastore

Ready to Complete vCSA Deployment Wizard

vCenter Server Appliance Deployment Completed

vCenter Lab – Parts 1, 2 Only

Picking up where we left off on the first vCenter HowTo, we will take our freshly installed vCenter Server Appliance and perform an orderly shutdown. When the VM is powered off, we will upgrade its virtual hardware to 3 vCPU cores and 12GB of RAM (the minimum virtual hardware needed to minimize CPU starvation and avoid paging). We will then power on our vCSA, log in via Web Client and configure the base SuSE Enterprise Linux OS so that it can join our Active Directory domain. Once we reboot again, we will configure Single Sign On so that it can query our ESXLab domain.

vCenter HowTo - Resize vCSA, Join Linux to AD, Configure SSO for AD

Log in to vCSA using Web Client

Add vCSA to Active Directory

Add vCSA to Active Directory

Update Single Sign-on

Grant Admin Rights to Domain Accounts

It is generally a bad idea to attempt to work with an ESXi host directly if that host is also being managed by vCenter. Here's why...

ESXi hosts always permit direct vSphere Client logins. Once a host has been imported into vCenter, the only reason to connect to it directly is to perform maintenance – and then only if you can't fix the problem through vCenter.

If you use the vSphere Client to connect directly to an ESXi host that is being managed by vCenter then:

- The ESXi host will accept your connection

- It will do whatever you say (if you log in as root)

- It will carry out your requests even if they conflict with vCenter

- It will make reasonable (but not guaranteed) efforts to advise vCenter what it is doing

The result is that vCenter may become confused about the state of your ESXi host and its VMs because their configuration settings, etc. are changing outside of vCenter's control.

In extreme cases, vCenter may decide that your host has failed and may initiate either DRS load balance or HA VM failure recovery to correct the problem. It may also remove your ESXi host from a cluster if vCenter feels it has lost control of the ESXi host. For these reasons:

It is a bad idea to directly interact with an ESXi host that is under vCenter control.

Don't Bypass vCenter

vCenter adds a new, top navigation layer to the standard VirtualCenter inventory views. This new view makes it easy to get to the most popular vCenter functions quickly and easily. It also makes it easy for 3rd party companies to add their product to vCenter (so that you can find it easily!).

Note: The fourth category, Solutions and Applications, is not presented until add-on software is installed into that category.

Home View in vSphere Client

vCenter adds a new, top navigation layer to the standard VirtualCenter inventory views. This new view makes it easy to get to the most popular vCenter functions quickly and easily. It also makes it easy for 3rd party companies to add their product to vCenter (so that you can find it easily!).

Note: The fourth category, Solutions and Applications, is not presented until add-on software is installed into that category.

Home View in Web Client

The fundamental unit of organization in a vCenter inventory is the Datacenter. A Datacenter is a collection of ESX Servers, Networks and Datastores that will be used cooperatively to run virtual machines.

While it is common for a vCenter Datacenter to match a physical data center, it is not a requirement. For instance, a physical facility could contain servers, network, storage, etc. for multiple clients with no intention to be shared across clients. This is quite common when multiple stake-holders share a rented facility. It may also be the case that funding (such as a government grant) may strictly limit the purpose to which hardware can be used. In both cases, it makes sense to isolate hardware in vCenter's inventory by creating separate vCenter Datacenters for each stake-holder or project.

Organizing Inventory

The business organization may be mapped inside vCenter by using folders above a datacenter. In the example above, folders are used to represent geographical deployment of datacenters across a multi-national organization.

Folders act not only to hold datacenters (such as the USA and North AM folders) but also as a point at which permissions can be set. In the example above, permissions might be assigned as follows:

Local administrators could be given Datacenter Administrator rights at their particular datacenter. With this permission, they would have full administrative rights over all of the hardware and VMs only within their datacenter.

Second-tier administrators could be assigned appropriate rights at either the North America or Asia folder. These more experienced administrators' rights would inherit down into datacenters below the folder so that one permission assignment would grant them rights to all of the facilities within their country.

Finally, top tier administrators could be given rights at the World Wide Operations folder or at the root folder. With permissions assigned at this level, they would be free to enter and work in any datacenter within the organization.

Folders Organize Datacenters

Folders are a key organizational element within a datacenter. Folders are used to provide technical, functional, political or geographic structure to the items within a datacenter as follows:

Technical – A folder that contains similar objects (e.g.: Windows 2003 Server VMs)

Functional – A folder that contains VMs that perform a similar function (e.g.: Web Servers)

Political – Folders used to contain all inventory items owned by a unit of the organization. An example of this might be Sales VMs or Human Resources VMs.

Geographic – VMs assigned to a particular geographic region.

There is no preferred way to use folders to impart structure to your inventory. The best approach is to create a hierarchy that maps naturally to the various structures within your organization.

Note that folders can contain sub-folders so you could implement a multi-tier hierarchy (e.g.: Sales > Web Servers > Windows 2003).

Just like folders above datacenters, folders within datacenters act as objects to which permissions can be assigned. That way, users can be assigned the appropriate rights at the appropriate folder and those rights will inherit down into that branch of the inventory.
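The inheritance described in the two folder passages above can be modelled in a few lines; this is an added example, not code from the course or from VMware. The datacenter names, the principals, the Read-Only override, the propagate flag and the nearest-assignment-wins rule are assumptions made for the sketch; the page itself only states that rights inherit downward from the object where they are assigned.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(eq=False)
class Node:
    """One inventory object: root, folder or datacenter."""
    name: str
    kind: str
    parent: Optional["Node"] = field(default=None, repr=False)
    children: List["Node"] = field(default_factory=list, repr=False)
    # principal -> (role, propagate to children?)
    grants: Dict[str, Tuple[str, bool]] = field(default_factory=dict)

    def add(self, name: str, kind: str) -> "Node":
        child = Node(name, kind, parent=self)
        self.children.append(child)
        return child

    def grant(self, principal: str, role: str, propagate: bool = True) -> None:
        self.grants[principal] = (role, propagate)


def effective_role(node: Node, principal: str) -> Optional[Tuple[str, str]]:
    """Walk from the object up to the root and return (role, granted_at).

    Assumed rule: the nearest assignment wins, and an assignment on an
    ancestor only counts if it was set to propagate.
    """
    current = node
    while current is not None:
        entry = current.grants.get(principal)
        if entry is not None:
            role, propagate = entry
            if current is node or propagate:
                return role, current.name
        current = current.parent
    return None


def subtree(node: Node) -> List[Node]:
    """Pre-order list of the node and everything below it."""
    found = [node]
    for child in node.children:
        found.extend(subtree(child))
    return found


def visible_inventory(root: Node, principal: str) -> List[str]:
    """Objects the principal holds some right on (what would be displayed)."""
    return [n.name for n in subtree(root) if effective_role(n, principal)]


def datacenters_with_role(root: Node, principal: str, role: str) -> List[str]:
    """Least-privilege audit: which datacenters does one grant really reach?"""
    hits = []
    for n in subtree(root):
        resolved = effective_role(n, principal)
        if n.kind == "datacenter" and resolved and resolved[0] == role:
            hits.append(n.name)
    return sorted(hits)


def build_sample() -> Dict[str, Node]:
    """Constructed inventory using the page's folder names; DC-* are made up."""
    root = Node("root", "folder")
    wwo = root.add("World Wide Operations", "folder")
    na = wwo.add("North America", "folder")
    asia = wwo.add("Asia", "folder")
    usa = na.add("USA", "folder")
    dallas = usa.add("DC-Dallas", "datacenter")
    boston = usa.add("DC-Boston", "datacenter")
    tokyo = asia.add("DC-Tokyo", "datacenter")
    web = dallas.add("Web Servers", "folder")

    dallas.grant("dallas-admin", "Datacenter Administrator")  # local admin
    na.grant("na-tier2", "Administrator")                     # second tier
    boston.grant("na-tier2", "Read-Only")                     # nearer override
    wwo.grant("global-ops", "Administrator")                  # top tier
    asia.grant("auditor", "Read-Only", propagate=False)       # folder only
    return {n.name: n for n in subtree(root)}


if __name__ == "__main__":
    inv = build_sample()
    for who in ("dallas-admin", "na-tier2", "global-ops", "auditor"):
        print(who, "sees", visible_inventory(inv["root"], who))
        print("  Administrator on:",
              datacenters_with_role(inv["root"], who, "Administrator"))
```

Running the audit function per principal shows how far a single folder-level assignment reaches, which is the question to ask before granting a role high in the hierarchy.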

Folders in Datacenters

ESXi Host Managed by vCenter

In vSphere Client, the navigation would be

Home > Administration > Sessions

vCenter Sessions

vCenter includes a simple task scheduler. With this feature you can select a particular action, select an inventory object for that action and then specify the date/time that action is to occur.

When you add a scheduled task, you complete the same wizard for that task that you would if you were doing the task now. The only difference is you get a chance to name the task (for later recall) and assign a date and time (or times) to run the task. This makes it easy to re-run a task either periodically or when needed.

If you have tasks that you've already scheduled, they will show in the tab. Completed tasks will show in the Tasks and Events tab.

vCenter Task Scheduler

Task Console

Events Console

Web Access Remote Console

Remote Console Menu Items

Review / Edit Virtual Hardware

VM Actions Menu

vSphere C# Client – Use Cases

Functions Only in Web Client

vCenter Maximums

vCSA Changes from vSphere 5.5

For more information on how to set up the VMCA, please see the supplemental material at the end of this section.

VMware Certificate Authority

VMCA Options

Custom Certificate Management

vCSA Management Interface

Best Practices

vCenter Lab - Parts 3, 4 and 5

In this HowTo, we complete our vCenter Server Appliance configuration by adding Active Directory Domain accounts to vCenter and giving them the Administrator role. We then build an inventory hierarchy with a new Datacenter object and new folders and then add our ESXi host to vCenter management. We finish by installing the VMware Remote Console (VMRC) Windows application so we can easily interact with VM console windows from our local desktop.

vCenter HowTo - Update Permissions, Create Inventory, Add Host, Install/Use VMRC

Review & Questions
Rapid VM Deployment using Templates and Clones
58 Lectures 03:18:54
Templates, Clones

Project Plan

VM Rapid Deployment

A Template is a virtual machine that has been converted into a VM rapid deployment image through vCenter (no templating capability with standalone ESXi). A Template starts off as a VM. Once you feel that the VM is perfect, power it off and convert it into a Template. This marks it as a no-power-on VM so that the Template cannot be accidentally powered on or put into service.

Templates serve as an image source. New VMs can be rapidly created from existing templates by simply deploying a new VM from the template. When deploying a new VM from a template, you get the same:

- Hardware (VCPUs, memory size, NICs, SCSI HBAs, SCSI disks)

- Resource settings (shares, reservations, limits)

- Same hardware configuration (NIC plugged into the same Port Group)

- Customized settings (VM > Edit Settings... > Options)

What is new is the VM's:

- Name. A new name is assigned to the VM

- Resource Pools and folders. The VM can be deployed into any Resource Pool or folder

- ESXi host. The VM can be created on any available host

- Datacenter. A VM can be deployed to a completely different datacenter

- Identity. Through Guest OS Customization, you can set a new identity for the VM so your new VM does not conflict with existing VMs or physical servers

Template Theory

Templates pay off the most when significant effort is put into getting the VM used to create the template absolutely perfect. Administrators creating a new VM that will serve as a rapid deployment template should take the time to:

- Install the Guest OS as per the company's policy and best practices

- Secure and lock down the OS

- Apply any patches, updates or Service Packs to the OS

- Install any middleware (security, antivirus, etc. software)

- Install any 3rd party applications onto the OS

- Perform any other post install steps appropriate for the workload

However, because the VM will be used only as a Template, you do not need to establish a final identity or configuration for the VM. At this time, you do not need to:

- Set a permanent FQDN, IP properties, License, etc.

- Configure any applications, or

- Perform other configuration tasks necessary to put the VM into service

These steps will be performed at actual deployment time on a new VM that is created from this template.

A key benefit of templating (other than rapid deployment) is that junior admins can deploy from known good images in little time and in full compliance with corporate standards and policies.

Template Benefits

A Template is a vCenter inventory item that only shows up in the VMs and Templates view (and specifically not in the Hosts and Clusters view). However, it is possible to turn a powered off VM into a Template while in the Hosts and Clusters view. If you do this, once the New Template wizard completes the VM will disappear from the Hosts and Clusters inventory (because it is no longer a VM, it is now a Template).


ESXi VM virtual disks can be either pre-allocated (Thick Disk) or allocated to current needs and grow as more data is added to the virtual disk (Thin Disk). With Thick virtual disks, there is no risk that, when the VM attempts to perform I/Os against the virtual disk, the declared space isn't available. Thick virtual disks are more likely to be contiguous, allowing the VM to complete I/Os more efficiently.

But Thick virtual disks often include significant disk space allocated for future use. While this might be appropriate for an in-service VM, it is a potential waste of SAN storage for VMs whose storage needs grow slowly. It is also a waste of space for template VMs (that will never be put into service as a VM).

VMware has an alternative disk format called a Thin disk (aka Sparse or Compact disk format). Thin disks only allocate actual used disk blocks in the virtual disk file (declared but unused disk blocks are not allocated) so a Thin virtual disk will take up (potentially much) less physical disk space than the same disk in Thick format. With Thin disks new storage is added to the virtual disk file as new data is written by the VM to its virtual disk. This may lead to performance issues on VMs that do a lot of I/O because you can now get fragmentation at the VMFS/VMDK level and at the guest OS (i.e.: NTFS) level.

You can convert virtual disks from Thin to Thick format while a VM is powered on:

Right-click VM's datastore > VM's folder > Right-click virtual disk > Inflate

The only way to convert a Thick disk to a Thin disk is to use Storage VMotion.

Disk Formats

Thick Disk Use Cases

Thin Disk Use Cases

The Clone Virtual Machine to Template or Convert Virtual Machine to Template wizards include a step that lets you select the Template's disk format. Select Thick (Monolithic) or Thin (Compact or Sparse) depending on your needs.

Lazy Zeroed vs. Eager Zeroed

VMware zeros out virtual disk blocks when the first read attempt is made to the block. This is done for security reasons. There are two strategies used to zero out disks.

Thick Provisioned Lazy Zeroed – Disk is pre-allocated to full size but disk blocks are not zeroed out until the first read or write attempt is made to the disk block

Thick Provisioned Eager Zeroed – Virtual disks are fully allocated in advance. The entire virtual disk is filled with zeros

Select Target VM Disk Format

Templates can be created from powered off or powered on VMs. If the VM is powered on the VM is snapshotted, cloned and then the clone is turned into a template.

After you complete the installation and configuration of your VM, be sure to perform an orderly shutdown of your VM. If you simply power off the VM, then the file system(s) on the virtual machine may be left in a 'filesystem dirty and needs to be cleaned' state (i.e.: chkdsk (Windows) or fsck (Linux)).

Convert to Template

This choice is usually selected when you built your VM specifically to turn it into a Template (i.e.: your VM was created pro-actively to simplify/standardize future VM deployments).

Clone to Template

This choice is most likely selected during the creation of a new production VM. The scenario might be something like... You just spent significant time building a perfect VM. You installed the Guest OS, secured it, locked it down and performed other configurations necessary to conform to your company's best practices. Just before you put the VM into production, you power it down and select Clone to Template... This leaves the original VM intact and gives you the chance to harvest a new Template based on all of your good work. In this case, you not only get your production VM, you get a Template that lets you rapidly deploy new VMs based on this image.

Creating a New Template

If you build a Template using the Clone to Template... menu option, then your new Template is almost completely identical to the original VM used to create this Template. The only differences between the original VM and the Template are:

- The Template VM gets a new virtual NIC MAC address

- The Template gets a new virtual motherboard hardware UUID

- Host, datastore, NIC port group and other properties may be different as well

All other OS properties are identical, including the guest OS identity (SID, License, FQDN, IP properties and other settings). The virtual hardware is also identical (same number of VCPUs, virtual NICs, virtual SCSI HBAs, virtual disk number & sizes, virtual disk contents, etc.). Finally, any customizations you applied to the VM (e.g.: Edit Settings... > Options) are carried over to the new VM.

Because a Template shares all guest OS properties with the source VM, any attempt to power on the Template (Convert Template to VM then Power On) could result in undesirable behavior. An IP address conflict could result in both VMs dropping off the network.

A Windows SID conflict could result in both VMs being rejected by Active Directory or the local Domain Controller. And, a License conflict (same license deployed over and over again) could leave your organization liable to significant costs and penalties (unless you have an MS Enterprise agreement that allows for a license to be used repeatedly).

Template Properties

Templates show up in the VMs and Templates view but not in the Hosts and Clusters view. To see Templates in the Hosts & Clusters view, pick any high level inventory item (e.g.: Hosts and Clusters, datacenter, folders containing either hosts or clusters, a host or a cluster), and then click the Virtual Machines tab. Templates will appear in the roster of VMs visible to the selected inventory item.

Note that objects in the Virtual Machines tab have the same right-click menu that they would have if they were in the standard inventory view!

Templates in Hosts and Clusters

Once your Template is built, you can easily deploy new virtual machines from the Template. Simply right-click on the Template and select Deploy Virtual Machine from this Template.

This launches a 5-step wizard that takes you through all the steps necessary to build your VM, including:

Name – provide a new name for your VM (to be used in the vSphere Client to refer to your VM)

Assign Host/Cluster/Resource Pool – identify the target ESXi host or cluster for the new VM along with the resource container (Resource Pool) for the new VM

Datastore – select a datastore visible to the target ESXi host/cluster for the VMs files

Disk Format – Select either Thick or Thin provisioned disks

Guest OS Customization – Provides a new Guest OS identity, license, etc. for the VM

Go – build the new VM from the above specifications

Deploy VM From Template

Any powered on/off VM can be cloned using either the Clone... or Clone to Template... menu options. Clone makes an exact duplicate of the VM including virtual hardware, settings, virtual disk, etc. Both of these menu options take you through a wizard that lets you specify the ESXi host/cluster, datastore, etc. for the new VM.

Because a clone of a VM is an exact copy, you need to be careful selecting deployment options for your new VM. When deploying a new VM as a clone of a production VM, you should consider:

- Changing the Port Group of any virtual NICs to a test/dev/QA isolated network

- Deploying the VM onto a different ESXi host/cluster (e.g.: test/dev/QA or Disaster Recovery host/cluster rather than your production host/cluster)

- Using Guest OS Customization to change the identity of the VM

Clones can greatly facilitate:

- Testing of patches, configuration changes, updates, etc

- Development (as the new Dev. VM is the same as the production VM)

- Training as users get their own private VM with live corporate data that they recognize

- Disaster Recovery. A cloned VM could be deployed to your DR site to provide a recent copy of a production VM

- Configuration changes. Validate any configuration changes on your clone VM before applying the change(s) to production VMs

- etc.

Clone a VM

You can also Clone a Template. In this case, the result is a new Template that is a copy of an existing Template. Use this procedure to fork a template... For example, you build a Windows Template as follows:

- You build a new, perfect Windows 2003 Server VM with just the base Windows OS

- You patch, upgrade, Service Pack and configure the VM to make it fit corporate best practices and procedures

- You power the VM off and convert it to a Template. You now have a Windows 2003 rapid deployment VM image

Next, you find you need to deploy a number of new VMs based on your original Windows Template but you need to install/configure a new application into it. To do this, you could:

- Clone the Windows Template

- Convert the clone of the Windows Template to a VM

- Use Guest OS customization to assign a new unique (and temporary) identity to the VM

- Boot the VM and install the 3rd party application into the VM

- Customize, configure, etc. the application

- Shut down the VM and convert it to a new Template

You now have a new VM that is Windows + Application. Note that you didn't have to start from scratch. All you did was leverage your existing work to complete just the necessary changes to make your application function properly.

Clone a Template

Template maintenance is very easy to perform. For example, if you need to do any of:

- Apply Guest OS patches or updates

- Apply application patches or updates

- Add/remove OS or application software

- Make configuration changes to your template (e.g.: for security purposes)

- etc.

You can easily convert your Template back to a VM.

Remember that once you convert your Template back to a VM, the new VM has the same OS and IP properties as the VM used as the Template source (i.e.: you selected Clone to Template... from a functioning VM). To avoid any Guest OS/network identity conflicts you can:

1. Plug your VM into an Internal only (isolated) virtual LAN segment before power on or disconnect the VM's virtual NIC from its configured Port Group

2. Use Guest OS Customization to give your new VM a unique identity

Template Maintenance

Guest OS Customization is the process of establishing a new Identity for your VM. The official way to establish a new identity for Windows is with the appropriate version of Microsoft's System Preparation (Sysprep) tool. Each major version of Windows has a unique Sysprep tool used to reset the Windows identity. Sysprep 1.1 was used for Windows 2000 while Sysprep 2003 works for Win2k3 Server. There are also different versions of Sysprep for Microsoft 32-bit and 64-bit operating systems. Sysprep tools are free downloads from Microsoft's web site.

Sysprep can remove and/or apply a new identity to a Windows OS. It can work off a response file (in batch mode) to set the new identity according to the values in the response file or, Sysprep can simply wipe the current Windows identity, in which case you will be prompted to establish a new identity for the VM the next time the VM boots.

Guest OS Customization works as follows. You are prompted for Guest OS identity values. Once the VM is deployed, vCenter then mounts the VM's C: drive and copies over Sysprep and the response file. When the VM boots, Sysprep is run with the response file to establish the VM's identity. After Sysprep finishes, the VM reboots and is now ready to function with its new identity.

Windows VM Customization

Legacy Windows Customization

Enable SSH on vCSA Appliance

Enable PI Shell on vCSA

Upload Sysprep Files to vCSA

There are two major differences between Windows and non-Windows OS' that simplify Guest OS customization:

1. With non-Windows, there is no SID or license to set/defend

2. Non-Windows OS' use well documented plain text files for their properties

As a result of these two differences, vCenter can easily establish a new identity for a Linux, FreeBSD, Solaris or NetWare VM without the need for 3rd party tools. When deploying a new VM, all VC needs to do is copy over the new configuration and arrange for the VM to apply the configuration at first boot (using a simple script).

Non-Windows OS Customization


AV – Anti-virus

AS – Anti-spam

IDPS – Host or Network based Intrusion detection and prevention systems

UTM – Unified Threat Management

Note that you are unlikely to find Windows as the base OS of non-commercial virtual appliances because Microsoft does not have a Windows base OS that can be freely deployed. Consequently, most activity in the non-commercial virtual appliance space uses Operating Systems that can be freely deployed including OpenSolaris, FreeBSD and Linux.

Pre-Built Virtual Machines

Virtual Appliance Examples

Virtual appliances have many benefits over traditional physical appliances:

- They use your existing virtual infrastructure hardware so they benefit from enterprise class CPUs, storage, networks, back up, recovery, etc.

- They can be easily cloned for back up, disaster recovery and redundancy purposes

- If resources become an issue, you can power them off and add CPU, memory, etc. Physical appliances force you to go through costly redundancy and upgrade purchases

- Fast to deploy and evaluate. Just download directly from VMware's web site.

Virtual Appliance Pros

However, there are some concerns about virtual appliances:

- They put more load on your virtual infrastructure (more VMs to run)

- They may lack commercial support

- They may not have all of the features you would expect from a physical machine

- Benchmark their performance before assuming that performance will be on par with a physical appliance

- They likely use open source operating systems. Is your organization prepared to adopt open source and provide support, security, etc.?

Virtual Appliance Cons

Virtual appliances can be imported directly into your virtual infrastructure from either VMware's web site, from local files or from any URL.

Virtual appliances are typically distributed in Open Virtual Machine Format (OVF). An OVF format VM contains both a VMX file (VM properties) and a VMDK file (VM virtual disk). VMware also has OVA format virtual appliances. An OVA VM is an archive that contains both the OVF VMX file and VMDK file – in a single file.

OVF is a VMware championed, vendor neutral VM format that promotes the free exchange of Virtual Machines. OVF compliant VMs consist of:

- a .vmx file that fully specifies the properties of the VM

- a .vmdk file for the virtual disk image of the VM (in Compact format)

OVF is an open (fully documented and published by VMware), royalty-free format that can be used by any vendor to create compliant OVF format VMs.

Import Virtual Machines

You can also export your existing powered off VMs in OVF format. You could do this so that you could create VMs for:

- Training purposes. Have users run the OVF VM in free VMware products like Player or


- Test, development or Quality Assurance (QA) purposes

- Off site back up of production VMs in a space efficient format

- Distribution of VM based products

- Free trial samples of VM based products

- etc.

Export OVF Template

Virtual CPU Tips

Only vSphere Advanced and Enterprise+ editions can run 8 vCPU VMs. All other editions are limited to 4 vCPU (or vCPU cores)

If you type in a number that is greater than the number of physical CPU cores on your server, your VM will not be able to boot (because it cannot get enough hardware resources to run)

If you set this value to zero, your VM will not be able to power on – because it cannot run with zero vCPU cores!

The number of cores/CPU divided by the number of CPUs in the Hardware tab must be a positive, whole number. That is, if we set the number of CPUs in the Hardware tab to 2 and the number of cores/vCPU to 2, then 2/2 = 1 and we are good. But, if we set the number of CPUs in the hardware tab to 3 and the number of cores/vCPU to 2, we'd get 3/2 = 1.5 which is an error!

Don't forget to check if your Guest OS can use 2-core, 4-core or 8-core vCPUs.

E.g: You can present your VM with 2, quad-core CPUs with the following settings:

- Number of vCPUs in your VM: 8

- cpuid.coresPerSocket = 4

Change VM vCPU Cores / Sockets

Multi-core vCPUs Best Practice

vCPUs Core Maxims

Microsoft provides a feature on Windows 7 called Windows on Windows (WoW/64) that enables Windows 7 to run virtual XP environments – which would enable Windows 7 to run applications that were designed for (and only work with) XP.

In the past, VMware vCPUs could not pass CPU virtualization features to vCPUs so WoW in a Windows 7 desktop VM would not work. In vSphere 5.1, WoW now works because vCPUs can now see virtualization capable vCPUs.

pCPU to vCPU H/W Virtualization

VMware is vague about which operating systems support either CPU or Memory Hot Plug. The easiest way to tell if CPU/Memory hot plug is supported by the OS in your VM is to:

1. Power down your VM

2. Enable CPU/Memory Hot Plug

3. Power on your VM

If CPU Hot Plug is greyed out once you enable CPU/Memory Hot Plug, then VMware doesn't support Hot Plug for your Guest OS.

If Memory Hot Plug is greyed out once you enable CPU/Memory Hot Plug, then VMware doesn't support Hot Plug for your Guest OS.

Hot Plug Hardware OS Support

Hot Plug CPU/Memory

Hotplugging vCPUs

Hot Plug vCPU Use Cases

Hot Plug Memory Use Cases

Hot Plug RAM Strategy

Hot Add Memory

You can hot add memory to any VM where:

1. Memory Hot Plug has been enabled

2. Memory hot-add is supported in the Guest OS (Windows 2k3 and newer)

Many guest OS' have restrictions on the amount of memory that can be hot added. In the example above, the guest OS (Windows Server 2003) will not accept a total in excess of 8GB through hot-add. Since our OS is running with 512MB (the base setting), there is plenty of room to add additional memory to our VM.

Use memory hot-add to add memory to VMs that are experiencing guest OS paging but where there is no corresponding ESXi VMkernel paging. In this case, the VM's applications are demanding more memory than the VM has so the guest OS has no choice but to page.

Note: You cannot hot-remove memory. To remove memory from a VM temporarily, use a Custom Limit. To permanently remove memory from a VM, shut it down and dial down its memory settings.

Dynamically Add Memory

VM 2D / 3D Video Support

Windows 7 Basic 3D Video

VMware is working to enable full virtual 3D CAD workstations. This works as follows:

- Provision your ESXi hosts with one or more supported nVidia Quadro cards

- Create View VMs and declare hardware accelerated video

- Declare how much Video RAM your VM will have. That declaration becomes a reservation on a physical nVidia Quadro card

- The VM sees the physical Quadro card (but with reduced RAM)

- The VM can run any 3D enabled application at hardware speeds

Note: This feature is in development. It works on vSphere 5.1 but VMware has yet to release a version of View to take advantage of it. When this feature becomes generally available, you will be able to replace many dedicated graphics workstations with one or two ESXi hosts and give your designers 3D accelerated VMs.

Hardware 3D Video

All VMs Support Simple Changes

To add virtual hardware click the Add button on the Virtual Machine Properties window. If the VM is powered on, some hardware items will be greyed out. Depending on the Guest OS, you can hot-add NICs, CPUs and/or RAM. VMware lets you hot-add a virtual SCSI disk to any VM.

You can add a new virtual SCSI disk to any VM but the Guest OS must be hot plug aware for you to make immediate use of this storage. Fortunately, Windows 2000 (or newer), Solaris and modern Linux are all capable of dynamically finding and using hot added SCSI disks.

Add Virtual Hardware

Use the Options tab to adjust the behavior of your VM.

General – Lets you set custom configuration parameters

Boot Options – Lets you set BIOS countdown timers or one-time boot to BIOS

Swap File Location – Lets you place VM swap files on local storage so that VM swap I/O does not compete with normal production I/Os sent to shared SAN storage

Virtual Machine Options

Use Resources to adjust the behavior and priority of your VM from a CPU, Memory, Disk and Advanced Disk perspective.

CPU – Set Shares, Reservations or Limits to control CPU scheduling for this VM

Memory – Set Shares, Reservations or Limits to control memory allocation to the VM

Disk – Set LUN shares to ensure that the VM gets predictable access to busy LUNs

Advanced CPU – enable/disable Hyperthreading and processor affinity for the VM

Virtual Machine Resources

When you hot-add a virtual SCSI disk, a new .vmdk file of the size and name specified is created in the datastore to provide storage for the virtual disk. Once the wizard is completed, you need to use guest OS disk management tools (e.g.: Disk Manager for Windows) to scan for the new disk, partition it and add it to your VM. Once this is done, you can start using your new storage resource.

In newer OS', the hot added (or hot grown) disk may just pop up in Disk Management without the need to Rescan for it.

Hot Add Virtual Disk

Normally, when you add a virtual disk, storage is provided for the virtual disk by a corresponding .vmdk file. What do you do if you want to present an existing SAN LUN as a virtual disk to a VM? You use a Raw Device Map (RDM).

RDMs are physical SAN LUNs that were likely used by physically deployed workloads (OS + application). You want to virtualize the workload but not the virtual disk. There are many reasons for keeping the virtual disk as a physical LUN, such as:

- Capacity management. Using the SAN management tools you can resize the LUN (make it larger) to meet capacity issues. This is highly desirable on workloads whose data storage needs grow regularly (e.g.: SQL databases and MS Exchange). Converting the physical LUN to a virtual disk would take away this feature because virtual disks cannot be dynamically resized

- Performance. Virtual disks in VMFS' have the overhead of VMFS on top of the normal OS file system overhead (NTFS or Linux ext3 overhead). While this might only be 3-6% it could be enough to impact the workload.

- SAN Management. SANs can perform LUN shadowing (duplication) and snapshotting (one time copy) of active LUNs. Organizations often use these features for disaster recovery and back up purposes (e.g.: shadow to DR site, snapshot to back up)

- Migrations. If a physical LUN is usable by a VM then you can always back out of any virtualization initiative by simply powering off the VM and going back to physical HW

- Clustering. You can use a VM to act as a stand by node in a 2-node Active/Stand By MS Fail Over Cluster. This lets you run your workload physically and to use a VM whenever the physical machine fails, is down for maintenance, etc.

Raw Device Map (RDM)

Once you've added your new (hot add) SCSI disk, you can use Guest OS disk management tools to scan for and add the new volume.

In the case of the screen grab above, Windows Computer Management > Disk Management is being used to rescan for new disks.

After Hot Add - Rescan Disks

What's New in vSphere 6.0

Work with VMs Lab

In this HowTo, we introduce Virtual Machine Clones (one-time copies of a VM) and Templates (rapid VM deployment images). We start by turning a VM into a Template. Then we deploy a new VM from that Template. We use Guest OS Customizations to capture a set of Guest OS (Windows) properties that we can use to facilitate future VM deployments. We end by Cloning a Template to a new Template.

Templates and Clones HowTo - Working with Templates and Guest OS Customizations

Continuing where we left off on the First Templates and Clones How To, we examine our new VM's constituent files and see how to rapidly deploy a new VM using a Template and an existing Guest OS Customization Specification.

Templates and Clones HowTo - Rapidly Deploying VMs. VM Constituent Files

In this HowTo, I show you how to hot-add and hot-grow virtual disks on a Windows Server 2008 Virtual Machine.

Please note that hot-add and hot-remove capability depends on both virtual hardware version and Guest OS support. Hot-add vCPU and vRAM was added in virtual hardware version 7 (introduced in vSphere 4.1) and has been enhanced in newer virtual hardware versions.

With Windows Server 2008 R2, 2012 and 2016, VMware supports:

  • Hot add / remove virtual NICs
  • Hot add virtual USB 1.1, 2.0 and 3.0 virtual USB controllers
  • Hot add and remove virtual USB devices
  • Hot add and remove virtual disks
  • Hot add vCPU sockets (but not cores)
  • Hot add vRAM
  • Hot remove vCPU sockets and / or vRAM is not supported by any virtual hardware version
Templates and Clones HowTo - Hot Adding / Growing Virtual Disks

In this short HowTo, I show you how to hot add space to a Windows VM's C: drive and then how to use Disk Management to hot grow the C: partition and NTFS filesystem into the newly added space.

Templates and Clones HowTo - Hot Growing the C: drive of a Windows VM

In this HowTo, I show you how to enable Hot-add vCPU and Hot-add vRAM and then how to actually hot add memory to a running VM and verify that the additional memory was recognized by the Guest OS.

Templates and Clones HowTo - Hot Adding Virtual CPU and Virtual RAM

Review & Questions
vCenter and ESXi Permissions
28 Lectures 01:21:20
ESXi / vSphere Security & Permission Model

Security & Permission Model

Project Plan

The ability to carry out an action is called a privilege and every possible action has an associated name. Because there are hundreds of possible actions relating to the various types of inventory objects (folders, clusters, datacenters, hosts, VMs, etc.) it would be impractical to grant users or groups rights on an individual privilege by privilege basis.

VMware's solution to this problem is the Role. A Role is a named set of privileges typically related to some function. For example, the VM Power User role is a name assigned to a set of privileges that lets a user with this role:

Power Manage the VM – Power on/off, suspend, resume, send CTL-ALT-DEL

Remote Console – launch the Remote Console application to interact with a VM

Change Settings – Work with the Edit Settings menu to adjust a VM's Options/Resources

Add Hardware – Manipulate the VM's virtual hardware

Adjust Media – (Dis)Connect removable media. Define media sources

Clearly these functions are appropriate for someone who owns a VM. By creating a role with these Privileges preassigned, a user can be granted all of the Role's capabilities simply by assigning the VM user the VM Power User role on the VM.

Privileges and Roles

Overview of Stock Roles

By default Single Sign On only knows about local vCenter Appliance accounts – it does not automatically add the AD domain it is joined to as an Identity Source (directory that can be queried for user account information and where authentication requests can be made).

We added the ESXLAB domain to our vCSA appliance in the vCenter lab (Lab 6)

Permissions – Users / Groups

In the above slide, users Sally and Mike are assigned Administrator rights on the Production datacenter. This would grant them rights on the datacenter and all inventory objects below the datacenter. In that way, they can manage the hosts, clusters, folders, resource pools, etc. within their datacenter.

Jane is assigned VM User rights on the Production VMs folder. This would give her full VM User rights on that folder but not on any other objects.

Sam is assigned the Read Only role on the FilePrint-w2k3-c VM. Sam would be able to monitor the state, health, hardware settings, resource assignments, configuration and performance of VMs but would not have any rights to adjust these settings or to otherwise interact with the VM.

Note: By default, rights assigned to a branch (folder, cluster, host, datacenter, resource pool, etc.) inventory item inherit down into all sub-items.

Assigned Permissions

vCenter checks User permissions first and if none are found, then checks Group permissions before performing an action.

vCenter starts by checking to see if a local user permission is present. If it is, that permission applies. If no local permission is present, vCenter checks whether the object's parent inventory item has an assigned user permission. If yes, the parent's permission applies.

This process repeats until vCenter either

- Finds an applicable User permission, or

- Fails to find a User permission and reaches the top of the inventory

If no User permission is found, the process repeats with Group permissions.

The result is that

- Either a user permission is found and applied, or the User is a member of a Group that has an assigned permission, or

- No User or Group permission can be found; so the default is No Access

Determining Permissions

To simplify the task of working with Roles, privileges are organized into a hierarchy. One way to view the privilege hierarchy for a role is when you are adding a permission. To add a permission, you:

- Right click the object in vCenter or ESXi inventory

- Select Add Permissions...

- Use the Add button to populate the list of users/groups who will receive rights

- Click the Role drop down to select the appropriate role

- Review the hierarchy under the All Properties root node

Note that Inherit Down is an optional property (that is checked by default).

Assign Users/Groups to a Role

Local, Domain, SSO Users, Groups

Role assignments are visible only to your vCenter Administrator account. This is normally administrator@<sso domain>

Once you log in with this account, you can navigate to:

Home Menu > Administration > Roles

You can then review, edit or add roles to your environment.

Role Assignments

Working with Roles

You can edit a role by right clicking it and selecting Edit Role... When you do this, the privilege hierarchy is drawn with three types of check boxes:

Empty – no rights from this branch are granted

Checked – all rights from this branch are granted

Grey Checked – only some rights from this branch are granted. To see which rights are granted, you would need to expand the branch (possibly to many levels).

Editing a Role

vCenter grants privileges associated with a user's or group's role in the inventory. In the above example:

Sally & Mike hold full Administrator rights on the Production datacenter. Mike holds Read Only rights on the Production VMs folder (and all objects in that folder).

When resolving rights, vCenter uses the following rules to determine what privileges apply. First, vCenter checks to see if a user has a direct or indirect Role assignment on an object. If yes, vCenter grants the user the privileges assigned to that role.

If the user does not have user rights, vCenter repeats the process for either direct or indirect Group rights. The first permission found using the above strategy is used. If no permission is found, then the user has no rights on the inventory item.

Permission Examples - 1

vCenter resolves ambiguities regarding permission assignments according to the strategy outlined in the notes for slide 8-8.

For example, if user Mike has both an individual user assignment and is also a member of a group that is assigned rights to the same inventory object, vCenter discovers the user rights first and uses these rights rather than the assigned group rights. This would be true even if the group privilege granted more access than the assigned individual user permissions.

Consequently, directly assigned user rights always supersede any directly assigned group rights.

Permission Example 2

A special case arises when a user is a member of multiple groups that have rights directly assigned to the same object. In this case, vCenter grants all the rights for both groups to the user.

In the example above, the user Mike would receive all of the rights of the Administrator group and the Read Only group when working on the Production VMs folder.

Permission Example 3
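
The resolution order as these notes state it (user permissions checked from the object up to the top of the inventory, then group permissions, the union of roles when several groups are assigned on the same object, and No Access as the default), modelled as an added example that is not part of the course material or VMware code. Inventory and user names follow the slides; the group names, the simplified privilege labels and the shadowed_group_privileges audit helper are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed inventory (child -> parent); None marks the top of the inventory.
PARENT = {
    "vCenter": None,
    "Production": "vCenter",                # datacenter
    "Production VMs": "Production",         # folder
    "FilePrint-w2k3-c": "Production VMs",   # VM
}

# Simplified privilege labels for illustration; not real vSphere privilege IDs.
ROLE_PRIVS = {
    "No Access": set(),
    "Read Only": {"view"},
    "VM User": {"view", "power", "console"},
    "Administrator": {"view", "power", "console", "configure", "permissions"},
}


@dataclass(frozen=True)
class Permission:
    obj: str                 # inventory object the permission is defined on
    principal: str           # user or group name
    role: str
    is_group: bool = False
    propagate: bool = True   # the "Inherit Down" checkbox, checked by default


def _walk_up(obj):
    """Yield obj, then each ancestor up to the top of the inventory."""
    while obj is not None:
        yield obj
        obj = PARENT[obj]


def _first_match(perms, principals, is_group, target):
    """Closest object (target first) that holds a matching permission."""
    for obj in _walk_up(target):
        hits = [p for p in perms
                if p.obj == obj and p.is_group == is_group
                and p.principal in principals
                and (obj == target or p.propagate)]
        if hits:
            # Several groups assigned on the same object: keep every role.
            return sorted({p.role for p in hits}), obj
    return None


def effective_roles(user, groups, target, perms):
    """Return (roles, defined_in): user permissions first, then group ones."""
    found = _first_match(perms, {user}, False, target)
    if found is None:
        found = _first_match(perms, set(groups), True, target)
    return found if found is not None else (["No Access"], None)


def effective_privileges(user, groups, target, perms):
    roles, _ = effective_roles(user, groups, target, perms)
    return set().union(*(ROLE_PRIVS[r] for r in roles))


def shadowed_group_privileges(user, groups, target, perms):
    """Privileges a group assignment would grant but a user assignment hides."""
    if _first_match(perms, {user}, False, target) is None:
        return set()
    group_hit = _first_match(perms, set(groups), True, target)
    if group_hit is None:
        return set()
    group_privs = set().union(*(ROLE_PRIVS[r] for r in group_hit[0]))
    return group_privs - effective_privileges(user, groups, target, perms)


# Assignments from the "Assigned Permissions" notes.
SLIDE = [
    Permission("Production", "Sally", "Administrator"),
    Permission("Production", "Mike", "Administrator"),
    Permission("Production VMs", "Jane", "VM User"),
    Permission("FilePrint-w2k3-c", "Sam", "Read Only"),
]
# Permission Example 2 (user vs. group); the group name is constructed.
USER_VS_GROUP = [
    Permission("Production VMs", "Mike", "Read Only"),
    Permission("Production VMs", "VM-Admins", "Administrator", is_group=True),
]
# Permission Example 3 (two groups, same object); group names are constructed.
TWO_GROUPS = [
    Permission("Production VMs", "VM-Admins", "Administrator", is_group=True),
    Permission("Production VMs", "Auditors", "Read Only", is_group=True),
]

if __name__ == "__main__":
    print(effective_roles("Jane", [], "FilePrint-w2k3-c", SLIDE))
    print(effective_roles("Mike", ["VM-Admins"], "FilePrint-w2k3-c", USER_VS_GROUP))
    print(shadowed_group_privileges("Mike", ["VM-Admins"], "FilePrint-w2k3-c", USER_VS_GROUP))
    print(effective_roles("Mike", ["VM-Admins", "Auditors"], "Production VMs", TWO_GROUPS))
```

A non-empty result from shadowed_group_privileges marks a place where a direct user assignment hides a broader group grant, which is worth checking when reviewing who can do what on an object.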

vCenter uses authentication services of the Identity Sources (Directory Services) added to Single Sign on. By default, SSO queries the Active Directory server of the domain to which the base OS belongs.

vCenter can work with local users/groups and Active Directory users/groups. Since most organizations already have a significant investment in Active Directory, virtual infrastructure administrators can benefit from this investment by assigning AD users and group objects permissions in vCenter's inventory (rather than inventing new users and groups).

vCenter Users, Groups

No Access Role

You can check the permissions that are active against any inventory item by clicking that item and then selecting the Permissions tab.

Permissions defined at the currently selected inventory object will have the value This Object under the Defined In column header.

Permissions that are inherited by the currently selected object will list the inventory object where they are defined in the Defined In column.

Checking Item Permissions

You can review the default permissions for vCenter as follows:

- Select either the Hosts and Clusters or VMs and Templates view

- Click on the top level inventory item

- Click the Permissions tab

- Review the contents of the Permissions tab

In the example (above), the ESXLAB\ESXLab Users group (3 person icon) is assigned the vCenter role Administrator at this object (top of the vCenter inventory). This means that anyone who is a member of this group is automatically granted full Administrator rights in vCenter.

View vCenter Base Permissions

Permissions Best Practice

ESXi users are local users. ESXi has a minimal number of pre-defined users, and only the root user can log in by default.

The Users tab is only displayed when the vSphere Client is connected directly to ESXi. It is not displayed when the vSphere Client is logged into vCenter even if the currently selected inventory item is an ESXi host. You can add/edit/remove users at any time by right-clicking the background or a specific user.

Note: You can have ESXi join an Active Directory domain. If you do this, AD based users could be granted permission on the local ESXi host and then access it using the vSphere client. We actually completed having ESXi join a domain in Lab 2.

Best Practice

You should not have your ESXi join a domain for the purposes of allowing domain defined users to log directly into ESXi using the vSphere Client. It is a best practice to have all users access ESXi indirectly through vCenter – and not directly. This is done to ensure that vCenter is the only way users can interact with your virtual infrastructure.

Many vSphere Administrators consider it a best practice to disable all local users (other than root, DCUI and vpxuser) when an ESXi host is added to vCenter.

Local ESXi Users

You can review default ESXi stand alone permissions by clicking the top of the inventory (the ESXi host) and then the Permissions tab. In this case we see that:

- Three users are defined; root, dcui and vpxuser

- All users have Administrator rights on this object

The root user is the Linux administrator account. So, if you know the root password, you have full control of your ESXi box.

The vpxuser is a vCenter account used by vCenter to log into ESXi hosts. vCenter does this when it wants an ESXi host to perform some action on vCenter's behalf. The vpxuser account password is stored in vCenter's database in an encrypted field. Since all communications between vCenter and ESXi are performed through encrypted connections there is no risk that someone sniffing the local LAN segment could ever acquire the vpxuser password.

The dcui user is active only when you hit F2 on the ESXi console and interact with its configuration tools.

Note: The only way to reset the vpxuser account is to disconnect the ESXi host from vCenter and then reconnect the host back into vCenter. When you do this, vCenter assigns a new random password to the vpxuser. To do this you must have the root password for the ESXi box and you must have sufficient privileges within vCenter to add a host to inventory.

View ESXi Permissions

There are two key points with permissions:

1. Never, ever change VMware stock role settings

2. User/Permission assignments are checked on the fly, not just at login

Do Not Change VMware Stock Roles

If you change VMware created stock roles, then you run the risk of breaking the behavior of these roles. This may result in denying roles (and users assigned to them) the rights needed to do their job (e.g.: VM User role can no longer work with VMs). Or, you could grant too many rights so users could do things they shouldn't (e.g.: Read Only role can manipulate objects).

For these reasons, it is always best to clone a role or create a new role and then adjust the privilege assignments on these custom roles. If you get it wrong and need to back out, you can just re-assign users back to a VMware stock role.

Changes are Applied in Real Time

Any changes you make to user or group permissions are applied on the fly (that is, the instant you make the change). So, if you see someone doing something that you think they shouldn't be allowed to do, you can change their Role or edit their Role to prevent this action. Once you complete your work, they will no longer be able to perform the denied action. There is no log out/log in required for the changes to take effect!

Permission Best Practices

Permissions Lab

In this HowTo, we will create some new permission assignments and then test them to see if they work as expected. We will create a new permission assignment for the vCenter Server Appliance's root account and grant Administrator rights on the vCenter Server (and all child objects). We'll also try out the Read Only role on an Active Directory domain account.

Permissions HowTo - Create and Test Permission Assignments

In this second HowTo, we will take a stock role (provided by VMware with vCenter), clone it and customize it to suit our needs. We'll then assign the role to the esxlab\student1 user and verify that this user has the ability to perform actions permitted in our customized role.

Permissions HowTo - Clone and Edit Stock Roles to Make Custom Roles. Test Roles

Review & Questions
Infrastructure Monitoring with vCenter Alarms
22 Lectures 48:38
Virtual Infrastructure Monitoring with vCenter Alarms

vCenter has the ability to monitor and respond to resource stress on ESXi hosts, VMs, networks and Datastores and all other inventory items. If resource contention is detected, if a resource goes off line or other faults occur, vCenter can be configured to take any number of actions including sending e-mail alerts, issuing SNMP traps, etc.

vCenter can also monitor the health of ESXi hosts and alert you if a host disconnects from vCenter (due to a host crash or network connectivity issues). vCenter can also monitor a VM's power on state (e.g.: alert me if a production VM is ever powered down) and also VM heartbeat.

VMware Tools installs as a set of guest OS kernel level drivers. The VMware Tools heartbeat driver regularly reports back to the VMkernel that it is alive and healthy. Any loss of guest OS heartbeat would be indicative that the guest OS has stopped servicing its guest OS drivers – a clear indication that the guest OS has crashed or locked up.

vCenter Alarms

You can easily review the collective VM CPU and memory consumption. Click any higher level vCenter inventory object (Resource Pool, Host, Cluster, Folder, Datacenter) and then click the Virtual Machines tab. This tab includes three sortable columns that specifically report on VM CPU and memory consumption: Host CPU - MHz, Host Mem - MB and Guest Mem - %.

Alarms are displayed under the Status column. Normally a VM's resource status is Green, which means that it is only demanding a fraction of its allocated CPU and/or memory (i.e., it uses less CPU than its declared vCPUs can deliver and less than its full memory declaration).

If a VM starts to demand a significant fraction of either its CPU or memory allocation (usually more than 75%), then the VM's status will change to Yellow and a Yellow triangle will be added to the VM's icon in the inventory hierarchy (to indicate that the VM is experiencing a Yellow resource alarm).

If a VM demands a very high percentage (usually 90% or higher) of its resource allocation, then the VM will Red alarm. The status column value will go to Red and the VM will be flagged with a red triangle in the inventory.

In the example above, the Larry-web-a and Larry-web-b VMs are clearly Red alarmed. Upon inspection, it appears that the VM has consumed all available CPU resources (compare current CPU use against the CPU clock frequency).

ESXi Host Alarms

You can add alarms anywhere in the inventory. If you add an alarm on a higher level object (folder, Datacenter, Resource Pool, cluster, etc.), then the alarm will propagate down to any child objects of the same type.

For example, normally you do not need to receive an alarm if a VM is powered off because Test, Development and QA VMs are often left powered off. But, you may be very interested to know if a production VM is ever powered off. To set a VM state alarm to monitor production VMs, simply select the folder or resource pool that contains your production VMs and define a VM power state alarm there.

Add Alarm

The Triggers tab lets you select the particular property or properties you wish to monitor. Just click the drop down under the Trigger Type field to select from available properties. Then, you can click under any of the other column headers to set the alarm Condition (Is Above, Is Below), and then the percentage that must be exceeded to trigger first a Yellow and then a Red alarm – along with the amount of time the alarm condition must persist before the alarm is triggered.

Create a Custom Alarm

ESXi Host Alarm Triggers

Datastore Alarm Triggers

VM alarms are similar to host alarms but they track VM resource consumption rather than host resource consumption. Notice that there are conditions that are specific to either ESXi Hosts or VMs and other Inventory items.

Virtual Machine Alarm Triggers

The last step to defining a new alarm is to specify the action to be taken once the alarm is tripped.

You can associate any number of actions with an alarm. In the above example, the alarm (when triggered) will issue both an e-mail alert and an SNMP trap to your local network monitoring software. Some alarm actions (such as sending an e-mail) require an argument such as the recipient(s) for the e-mail.

Finally, you can set the specific alarm transition to which an action applies. For example, you could set different actions (or no actions) as an alarm goes from:

Green > Yellow, Yellow > Red

Red > Yellow, Yellow > Green

You can also have the action taken just once or have the action repeat.

For example, you could choose to receive an e-mail whenever a host experiences high CPU usage (Yellow > Red) and when the resource contention clears (Red > Yellow) but specify no actions on all other transitions.

Configure VM Alarm Actions

vCenter Triggered Alarms

You can review the predefined alarms that ship with vCenter – and there are a lot! Simply click the top of the inventory and then the Alarms tab. Click the definitions button and you will see all alarms.

You may want to click the Name column header to sort alarms by name.

Because these alarms are defined at the top of the inventory, they are the default alarms used by all ESXi hosts and VMs. You should review the alarm definitions both to review the alarm properties and also to add one or more alarm Actions.

Predefined Alarms often lack actions! So, even if they trigger, vCenter will not do anything (other than put yellow or red triangles in the inventory hierarchy).

Default Alarm Definitions

vCenter can send e-mail alerts and/or send SNMP traps whenever an alarm is triggered. Before you can receive e-mails or traps from vCenter, you must configure vCenter with the properties required by each service.

For e-mail, you must provide vCenter with the IP address or FQDN of your local mail server along with a sender's e-mail address. vCenter will contact your mail server and will announce that the e-mail originated from the supplied e-mail address on every alert that generates an e-mail message. The e-mail account does not need to exist on the mail server (unless that is a requirement of your mail server).

Set Local Mail Server Properties

For SNMP, vCenter must know the IP address of your local Trap Receiver software, the port it is listening on and the community string (functions like an SNMP password). You can enable multiple trap receivers... which would be useful if you had two or more network monitoring tools.

Set SNMP Receivers Properties

Updated SNMP Settings

It's easy to edit custom alarms set on inventory objects. Just select the inventory object and then the Alarms tab. Review the list of alarms looking for alarms that have This Object in the Defined In column (as you cannot edit inherited alarms in sub-objects).

Right click the alarm row and click Edit Settings... to fine tune your custom alarms.

Change Custom Alarms

vCenter lets you acknowledge alarms. To do this, go to the Alarms tab of an object that is yellow or red alarmed and click the Triggered Alarms button. Find the alarm and click Acknowledge Alarm. This will disable future notifications/actions for this alarm – for as long as the current condition persists. Once the condition clears, the alarm will re-activate and you will be notified about future alarm triggers.

The person acknowledging the alarm and the date/time of acknowledgment is captured by vCenter.

Working with Active Alarms

Working with Object Alarms

Do not be overzealous with alarms. It is best to define alarms with benign actions (send e-mails, SNMP traps, etc.) first and then change to more direct actions only once you truly understand the consequences of triggering the action.

Alarm Best Practices

Alarm Targets

Alarms Worth Considering

Alarms Lab

Review & Questions
Physical to Virtual Migration with vSphere Converter
33 Lectures 01:16:35
Workload Migration with VMware vCenter Converter Standalone

vCenter Converter

VMware vCenter Converter is a general purpose VM conversion tool that makes it easy to cope with diverse VM and image formats. Converter's job is to facilitate the migration of physical and/or virtual machines from one host to another.

When in doubt, simply boot the source machine, point Converter at it, and tell Converter that the source is a Powered on machine.

Source for supported source images - VMware Converter 5.5 release notes.

Converter Import Source Options

Converter VM Target Options

Project Plan

Note: Not all features supported on all operating systems...

Please see the Supplementary Material at the end of this Section for more information on Supported Operating Systems.

Supported Operating Systems

What's New in Converter 5.5.3

The key task completed by vCenter Converter is the cloning of a source disk to a virtual disk. This can be performed either hot (while the source machine is running) or cold. Of the two, Cold cloning is more trustworthy (because the source disk isn't being changed while it is being cloned) but involves down time.

The result of cloning source disk(s) is a corresponding virtual disk on a datastore. Once the disk has been cloned, vCenter Converter will build a VM around the virtual disk to match the hardware characteristics of the source machine.

Because the new virtual disk is a clone of the source machine's disk, there is a risk that booting the VM will cause an identity conflict with the source machine. While this isn't an issue if you have powered down the source machine, it is a concern if you are simply doing test migrations (to validate procedures, etc.) in preparation for a real migration. In this case, you can either:

- Boot the new VM on a completely isolated virtual network to avoid any risk of identity clash, or

- Use Guest OS Customization to assign a new identity to the new VM

Please see the Supplemental Material at the end of this section for a link to download the Cold Clone Converter Live CD.

Clone & Update Disks

Install and Enable Converter

vCenter Converter goes through four steps to hot migrate a source machine to a virtual machine. While these are discrete steps, they are not executed sequentially – so you may find vCenter Converter creating the new target VM while the source disk is still being copied.

Converter Steps

vCenter Converter needs administrative level credentials for the source machine. You can supply the local machine Administrator password or you can use any other credentials that would grant Converter full administrator rights to the system.

vCenter Converter can P2V an active system... and will snapshot the system to quiesce local drives before copying the local volumes to new virtual disks. There are a couple of things to keep in mind during this process:

Quiet machines make for better conversions. If you can quiesce the local machine, then there is a much higher chance that the converted disks and the data they hold will be complete and usable. A simple way to do this is to wait for a maintenance window, shut down all applications, disable all unneeded services and then do the hot conversion.

There must be sufficient room on the local volumes for vCenter Converter to create snapshot files. Converter needs space to accumulate pending disk updates (and snapshot files are used for this purpose). If you do not have sufficient space, then the conversion process will either fail to start or will fail when the local volume fills up. You should have a minimum of 500MB to 1GB of free space before attempting a conversion on an active machine.

Prepare for Conversion

You begin the P2V process by launching the Converter client:

Start > All Programs > VMware > VMware vCenter Converter Standalone Client

Before beginning a conversion, you should:

- Get administrator level credentials on the source machine

- Audit the source machine to ensure it is a good candidate for conversion

- Verify that the source machine has room for a snapshot file for each disk

Next, select Import Machine... which launches the Import Machine Wizard.

Launch Converter Enterprise

Converter starts by extracting a profile of your machine including:

- Number of CPU cores

- Provisioned RAM

- Number of NICs

- Number of NTFS volumes

Converter uses this information to build a comparable virtual machine. As we will see later, right-sizing your new VM after conversion is an important step – that helps ensure your VM isn't over provisioned.

Profile The Source Machine

Specify Conversion Target

Specify New VM Location

Specify Host, Datastore

This step lets you set detailed properties for your target VM, including:

- VM destination name and the folder it will live in

- Target disk properties including their new size and type (thin or thick)

- CPU count and memory size

- The number of virtual NICs in the target VM and the port group used

- Services running on the source VM that you may wish to disable on the Target VM (such as server health monitoring agents)

- Advanced options such as post copy disk synchronization, guest OS Customization, etc.

The result is that you have full control over the conversion process!

Note: you must click the Edit link beside each property to change their values

Set Target VM Properties

A lack of free space on the disk being converted can prevent you from doing hot conversions...

vCenter Converter uses Microsoft Volume Shadow Copy Services to quiesce the local disk. VSS needs between 500MB and 2+GB of free space on the disk being converted to hold snapshot files, converter agents, etc. If this space is not available, then Converter may not be able to hot convert your virtual machine.

If you encounter this problem, you should try to free up disk space and try again. You may be able to free up enough disk space to allow Converter to proceed.

Please see the supplemental material at the end of the chapter for instructions on how to download the CCleaner disk cleanup utility.

Clone Source Machine Disk(s)

To resize the target disk:

- Click Edit beside Data to copy

- To skip a disk, uncheck it from the disk roster

- To change the target disk size (up or down), click the Destination Size field

- To change the target disk datastore, click the Destination Datastore field

Resize Target VM Disk

If your virtual disk size matches the source disk size, then Converter will perform a simple block by block copy of the source volume to the virtual disk. Depending on the size of the source volume, this copy could take a number of hours.

If the virtual disk size is different from the source disk size, the Converter will:

- Make the new virtual disk of the declared size

- Partition and format the virtual disk according to best practices for the target OS

- Align all partitions correctly for efficient storage access

- Copy all files/directories from the source volume to the virtual disk

File copies are used because that is the only way Converter can get the contents of the source volume to the new virtual disk. There are advantages and disadvantages to this approach:

- Files are copied sequentially so the target disk is defragmented

- The copy is faster because only disk blocks owned by files and directories are copied

- The target disk size does not need to match the source volume

- Overall copy speed for volume based cloning will be slower than for disk based

Copying Disk Volumes

Synchronize Changes

Post Conversion Tasks

As part of the P2V process, vCenter Converter will make a new VM on your designated ESXi host. vCenter Converter tries to match the new VM's virtual hardware to the hardware profile of the machine being converted. As a result, unless you override the default settings, your new VM will have the same:

- Number of vCPU cores as pCPU cores

- Memory size

- Number of NICs (up to 10)

- Number of virtual disks (subject to review and change)

- USB ports

It is important that you review the hardware configuration of your VM once the conversion process is completed. Over provisioning of physical hardware is one habit we do not want to carry over to our virtual world.

vCenter Converter will download, install and use Windows agents to synchronize and snapshot local source volumes. These agents are activated once vCenter Converter is told which disks will be converted (to virtual disks) and which disks will be left behind.

Create the New Virtual Machine

vCenter Converter needs to update the operating system files on the newly converted OS disk. vCenter Converter must:

- Update the OS HAL and Registry of the virtual disk so that the OS is correctly configured to use VM virtual hardware

- Install Guest OS drivers for VMware virtual hardware

- Remove references to source machine drivers configured into the OS

- Add VMware Tools to the Guest OS

- etc.

These changes are made so that, when the VM first boots and performs a virtual hardware scan, it can recognize and use virtual devices. You should also be careful to remove any hardware specific health monitoring agents from the VM. Tools like HP's Insight Manager, Dell's Open Manage, or IBM's Director agents will complain bitterly when the hardware they were designed to monitor no longer exists (because the hardware is now virtual).

If this is a test conversion, you may also wish to perform Guest OS Customizations to assign a new identity to the converted VM. In this way, your new VM will not identity clash (duplicate license, IP, FQDN, etc.) with the source machine.

VM Reconfiguration

Use Guest OS customization when you are performing test conversions (i.e.: testing Converter before performing the final conversion). By using Guest OS Customization, you can ensure that your freshly converted VM doesn't identity conflict with the source machine.

Guest OS Customization

Once conversion has completed, vCenter will connect to the source machine one last time to remove the agents used during the conversion process. That way, there is no risk of residual Converter agents causing problems if the source machine is kept in service.

Before Converter agents are removed, vCenter Converter will commit any snapshots on source disks. Once the commit has completed, vCenter Converter will delete the associated snapshot files.

Converter Housekeeping

Perform a quick audit on the newly created VM. Review and adjust the virtual hardware as needed:

- Check to see that you have a CD/DVD Drive 1 device. If not, add it

- Check to see that you have a floppy 1 device. If not (and you need one) add it

- Adjust the VM's RAM allocation up/down to suit the workload's RAM needs

- Adjust the CPU count up/down to suit the VM's actual CPU needs and to adjust for the speed differences between the old source machine and the ESXi host CPU

- Remove any virtual COM and LPT ports present (unless you need them)

- Etc.

Once the VM boots, log in and check Device Manager. Remove references to no-longer present devices. Correct any hardware warnings you see.

Run Control Panel > Add/Remove Programs. Check for server monitoring agents and remove any you find.

Review Windows Services. Did all services start?

New VM Housekeeping

When selecting source machines for conversion, review the machine and applications looking for configurations that would prevent Converter from doing its job, including:

- Hardware of a category that is not available with virtual hardware. Examples would include Voice cards, Fax modems, etc.

- Workloads that require more hardware resources than a VM can deliver. Examples would be workloads that need more than 8/32/64 cores of CPU cycles, more than 1TB of RAM, etc.

- Applications that require high end 3D accelerated graphics. It is possible to install a 3D hardware accelerated graphics card into an ESXi host and share its display memory with VMs. To do this, you must be using Windows 7 or Windows 8 VMs (not Windows Server), have a supported nVidia Quadro or AMD FireGL card, and be running the VM in a VMware View 5.2 or higher environment

- Applications that are keyed to the source hardware (such as NIC MAC address, disk geometry, motherboard UUID), etc. You can copy the MAC address of the NIC in your source machine into your VM NIC (just Edit the VM's settings, select NIC1 and edit its MAC address to match the source NIC MAC address)

USB devices can be carried over. To do this:

- Add a USB controller to your VM

- Plug the USB dongle into your ESXi host

- Configure a USB device at your VM and map it to the physical USB port on your ESXi host

Converter Caveats

Conversion in Progress

There are a couple of things that can slow down or stop a Converter P2V migration. You must open up the source machine's firewall sufficiently so that Converter can access the host on ports 137, 138, 139, 443, 445 and 902. You must not have software mirroring configured for the Windows boot volume (if you do, break the mirror, convert and then re-establish the mirror).

Converter works on most popular Windows releases and Linux, but not Solaris, BSD or NetWare, etc. If you need to P2V unsupported workloads, download VMware's stand alone Converter product or PlateSpin's Migrate product.

vCenter Converter can migrate source Windows 2003/2008/2012, Vista and Windows 7, 8 machines without the need to reboot. This is because the Windows 2003 kernel can dynamically load and unload kernel level drivers. Windows XP lacks this feature so you must reboot these operating systems after the snapshot agents are installed and also after the conversion has completed (to remove the Converter agents from Windows).
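
The free-space and firewall requirements described in this section can be checked before a conversion window opens. The following is an added example, not part of the course material or of VMware's tooling. The 500 MB failure floor and 1 GB warning level are taken from the figures quoted on this page; treating ports 137 and 138 as UDP-only is an assumption, and the host name and sample volumes are constructed.

```python
"""Pre-flight checks before a hot P2V conversion (added example)."""
import shutil
import socket

MB = 1024 * 1024
MIN_FREE_BYTES = 500 * MB    # below this the page says a hot conversion may fail
WARN_FREE_BYTES = 1024 * MB  # upper end of the page's "500MB to 1GB" minimum

# Ports the page lists for Converter-to-source access.
CONVERTER_PORTS = (137, 138, 139, 443, 445, 902)
# Assumption, not stated on the page: 137/138 are the NetBIOS UDP services,
# so a TCP connect cannot test them and they are reported separately.
UDP_ONLY = (137, 138)


def classify_free_space(free_bytes):
    """Map a volume's free byte count to 'fail', 'warn' or 'ok'."""
    if free_bytes < MIN_FREE_BYTES:
        return "fail"
    if free_bytes < WARN_FREE_BYTES:
        return "warn"
    return "ok"


def check_volumes(volumes, usage=shutil.disk_usage):
    """Run on the source machine: {volume: (status, free_bytes or None)}."""
    report = {}
    for vol in volumes:
        try:
            free = usage(vol).free
        except OSError:
            report[vol] = ("fail", None)  # volume missing or unreadable
            continue
        report[vol] = (classify_free_space(free), free)
    return report


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host, ports=CONVERTER_PORTS, probe=tcp_port_open):
    """Run from the Converter machine: {port: state} for the source host."""
    states = {}
    for port in ports:
        if port in UDP_ONLY:
            states[port] = "udp-not-probed"
        else:
            states[port] = "open" if probe(host, port) else "blocked"
    return states


def conversion_blockers(volume_report, port_report):
    """Collect the findings that should stop the conversion from starting."""
    blockers = []
    for vol, (status, free) in sorted(volume_report.items()):
        if status == "fail":
            detail = "unreadable" if free is None else f"{free // MB} MB free"
            blockers.append(f"volume {vol}: {detail}, need {MIN_FREE_BYTES // MB} MB")
    for port, state in sorted(port_report.items()):
        if state == "blocked":
            blockers.append(f"tcp/{port} not reachable on source machine")
    return blockers


if __name__ == "__main__":
    # Constructed sample data so the demo runs offline.
    from collections import namedtuple
    Usage = namedtuple("Usage", "total used free")
    sample = {"C:\\": Usage(80_000 * MB, 79_700 * MB, 300 * MB),
              "D:\\": Usage(200_000 * MB, 150_000 * MB, 50_000 * MB)}
    volumes = check_volumes(sample, usage=sample.__getitem__)
    ports = check_ports("source.example.test", probe=lambda h, p: p != 445)
    for line in conversion_blockers(volumes, ports):
        print("BLOCKER:", line)
```

The volume check belongs on the source machine and the port check on the machine running Converter; in real use, call `check_volumes` with the actual drive paths and `check_ports` with the source machine's address and the default probe.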

Trouble Spots

The P2V Admin ISO image is a great collection of tools that could come in very handy. It includes a number of tools (all free/open source) including:

- Disk defragmentation tools

- Partition alignment tools

- Guest OS drivers for virtual hardware

- Disk cloning tools

- File copy tools

- Sysprep files for W2k, Windows XP, W2k3 (all versions)

- Many additional utilities.

For instructions on how to download the P2V Admin ISO, see the supplemental material at the end of this Section.

Converter Best Practices

vCenter Converter Lab

Review & Questions
About the Instructor
Larry Karnis
4.3 Average rating
982 Reviews
3,663 Students
6 Courses
VMware vSphere Consultant/Mentor, VCP vSphere 2, 3, 4 and 5

Get VMware vSphere and View trained here... on Udemy!

What do you do if you need to learn VMware but can't afford the $4,000 - $6,000 charged for authorized training? Now you can enroll in my equivalent VMware training here on Udemy!

I have created six courses that together offer over 32 hours of VMware vSphere 6 lectures (about 8 days of instructor-led training at 4hrs lecture per day). With Udemy, I can provide more insight and detail, without the time constraints that a normal instructor-led training class would impose. My goal is to give you a similar or better training experience - at about 10% of the cost of classroom training.

I am an IT consultant / trainer with over 25 years of experience. I worked for 10 years as a UNIX programmer and administrator before moving to Linux in 1995. I've been working with VMware products since 2001 and now focus exclusively on VMware. I earned my first VMware Certified Professional (VCP) designation on ESX 2.0 in 2004 (VCP #: 993). I have also earned VCP in ESX 3, and in vSphere 4 and 5.

I have been providing VMware consulting and training for more than 10 years. I have led literally hundreds of classes and taught thousands of people how to use VMware. I teach both introductory and advanced VMware classes.

I even worked for VMware as a VMware Certified Instructor (VCI) for almost five years. After leaving VMware, I decided to launch my own training business focused on VMware virtualization. Prior to working for VMware, I worked as a contract consultant and trainer for RedHat, Global Knowledge and Learning Tree.

I hold a Bachelor of Science in Computer Science and Math from the University of Toronto. I also hold numerous industry certifications including VMware Certified Professional on VMware Infrastructure 2 & 3 and vSphere 4 & 5 (ret.), VMware Certified Instructor (ret.), RedHat Certified Engineer (RHCE), RedHat Certified Instructor (RHCI) and RedHat Certified Examiner (RHCX) as well as certifications from LPI, HP, SCO and others.

I hope to see you in one of my Udemy VMware classes... If you have questions, please contact me directly.



Larry Karnis