Section 7 – Administrative and Operational Tasks in a VMware vSphere Solution
Objective 7.1 – Manage virtual networking
I’ve gone over virtual networking a bit already, but there are two basic types of switches to manage in vSphere: Virtual Standard Switches and Virtual Distributed Switches. They both have the same components: VM Port Groups, VMkernel Ports, and Uplink Ports. Here is a diagram depicting how it might look on a host.
VMkernel ports are used for management purposes. When you set one up, you can choose to use it for the following purposes:
- vMotion – this is used to migrate VMs
- Provisioning – used for VM cold migration, cloning, and snapshot migration.
- Fault Tolerance logging – enables Fault Tolerance logging on the host (you can only have one per host)
- Management – management communication between hosts (should have minimum of two for redundancy)
- vSphere Replication – Handles outgoing replication data sent to the vSphere Replication Server
- vSphere Replication NFC – Handles incoming replication data on the target replication site.
- vSAN – allows for vSAN traffic, every host that is part of a vSAN cluster must have one.
VM Port Groups are for VM network traffic. Each of the VMs have a virtual NIC which will be part of a VM port group.
Uplink ports are connected to physical NICs. A Virtual Distributed Switch will have an uplink port group that contains physical NICs from multiple hosts.
You can manage your networking from a few locations in the HTML5 client. You can also manage a single host from the host’s own HTML5 client. In the vSphere HTML5 client you manage networking from Host > Configure > Networking, shown here.
You can then manage the components as needed. If you need to manage a Virtual Distributed Switch you can do that there as well, or you can create a VDS on the Networking tab in the navigation pane.
You can configure shares and other settings here as well as you can see. You can find more info here if needed.
There is also the virtual networking of the VM itself to manage. If you right click on the VM and then select Edit Settings, you can edit the network adapter type and which virtual network the VM is connected to.
You can also migrate multiple VMs to another network if you go to the Networking tab in the navigation pane. Clicking the following will pop up a wizard.
In the wizard you select the destination network.
Then you select all the VMs you want to migrate.
Then you complete it.
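The same two tasks from the PowerCLI side, as an added example (this is not code from the original post): creating a dedicated vMotion VMkernel port on a standard switch, listing which services each VMkernel port carries, and moving every VM off one port group onto another. The vCenter name, host name, switch, port group names, VLAN and IP address are all assumed for the example.

```powershell
# Added example, not from the original post. Assumed names throughout:
# vcsa.lab.local, esx01.lab.local, vSwitch0, port groups "vMotion",
# "VM Network" and "VM Network-New", VLAN 20, IP 10.10.20.11.
Connect-VIServer -Server 'vcsa.lab.local'

$esx = Get-VMHost -Name 'esx01.lab.local'
$vss = Get-VirtualSwitch -VMHost $esx -Name 'vSwitch0'

# 1. A port group and VMkernel port used only for vMotion, on its own VLAN so
#    migration traffic (VM memory in the clear) stays off the management network.
New-VirtualPortGroup -VirtualSwitch $vss -Name 'vMotion' -VLanId 20 | Out-Null
New-VMHostNetworkAdapter -VMHost $esx -VirtualSwitch $vss -PortGroup 'vMotion' `
    -IP '10.10.20.11' -SubnetMask '255.255.255.0' -VMotionEnabled:$true | Out-Null

# 2. Review which service each VMkernel port on the host is enabled for.
Get-VMHostNetworkAdapter -VMHost $esx -VMKernel |
    Select-Object Name, IP, PortGroupName, ManagementTrafficEnabled,
                  VMotionEnabled, FaultToleranceLoggingEnabled, VsanTrafficEnabled |
    Format-Table -AutoSize

# 3. Bulk-migrate VMs: every adapter currently on "VM Network" moves to
#    "VM Network-New" (the same thing the wizard does for the VMs you tick).
$adapters = Get-VM | Get-NetworkAdapter | Where-Object { $_.NetworkName -eq 'VM Network' }
$adapters | Set-NetworkAdapter -NetworkName 'VM Network-New' -Confirm:$false |
    Select-Object Parent, Name, NetworkName
```

Step 3 is worth running with `-WhatIf` first; `Set-NetworkAdapter` reconnects the adapter on a running VM, so a typo in the target port group name takes the VM off the network.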
Objective 7.2 – Manage datastores
Datastores are logical storage units that can use disk space on one disk or span several. There are multiple types of datastores:
To manage them, you can navigate to the Datastores tab on the navigation pane and select the datastore you want to manage. Then click on Configure on the object pane in the middle.
From this screen you can increase the capacity, enable SIOC, and edit the Space Reclamation priority. Using Connectivity and Multipathing, you can edit which hosts have access to this datastore. You can also see what files and VMs are on this datastore and perform basic file functions through it as well.
To dig a little deeper though: how did we get here? How do we see the original device? To do that we have to go back to the host configuration. There we look at two main things: Storage Adapters and Storage Devices.
This will show us what our host is able to reach. If we don’t have access to something we may need to add it, either an iSCSI target or NFS share, or a Protocol Endpoint if it’s a vVol. Once we can see the raw device, or we have finished setting up the share or protocol endpoint, we can right click on a host and select Storage > New Datastore. This pops up a wizard that looks like this.
The next screen will allow us to give the datastore a name and pick the device we want to use for it. Then we choose a VMFS version. We would choose 5 if we still had older hosts running older vSphere. We would choose 6 if all hosts were on 6.5 or 6.7. Why would you want to use it? Look here for a nice table. You can then partition it if desired and finish.
Objective 7.3 – Configure a storage policy
- To create a storage policy, click on the Menu drop down at the top of your HTML5 client and choose Policies and Profiles
- Click on VM Storage Policies
- Select Create VM Storage Policy and on the popup wizard, give it a name.
- This screen allows you to choose between Host Based Services or Datastore Specific rules. Host based are specific services that particular host may provide such as caching, encryption, etc. These can be used in conjunction with Datastore specific rules which are directed to specific datastores. Such as I tag a specific datastore as “Gold” storage and I create a Storage policy that requires a VM to use “Gold” storage. I am going to use the tag-based placement option.
- I have already created a Tag category called Storage Type and I am going to tell it to Use storage tagged with the “Gold” tag. I could tell it to not use that tag as well. Multiple Rules can be used at the same time.
- I have one Datastore tagged as “Gold” Storage.
- That’s it. Click Finish and you have created a Storage Policy. Just to show you what host based services might look like, here is a screenshot.
Objective 7.4 – Configure host security
There are several built-in features that can secure a host. Let’s go over them:
- Lockdown Mode – When enabled this prevents users from logging directly into the host. It is then accessible only through vCenter, or through the local console if you are on the exception user list. You can also turn off the Direct Console UI completely. This can be found under Configure > Security Profile.
- Host Image Profile Acceptance Level – This is like driver signing on a Microsoft Windows machine. Only VIBs (bundles or drivers) with an acceptance level at or above the one you set can be installed.
- Host Encryption Mode – This setting encrypts any core dumps from the host.
- Firewall – There is a stateless firewall included in ESXi. Most ports are closed by default. If you want to add a new port not already in the list of rule sets you will need to do it at the command line.
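A quick way to audit those four settings across every host, as an added PowerCLI example (not from the original post): lockdown mode, image profile acceptance level, whether SSH is running, and which firewall rule sets are currently open. It assumes an existing vCenter connection and uses the esxcli V2 interface for the acceptance level; the `SNMP Server` rule set in the last line is used only as an example of a rule set you might not need.

```powershell
# Added example, not from the original post. Assumes Connect-VIServer was run already.
function Get-HostSecurityReport {
    foreach ($esx in Get-VMHost | Sort-Object Name) {
        # HostConfigInfo.LockdownMode: lockdownDisabled, lockdownNormal or lockdownStrict
        $lockdown = $esx.ExtensionData.Config.LockdownMode

        # Acceptance level via esxcli (V2 interface): VMwareCertified, VMwareAccepted,
        # PartnerSupported or CommunitySupported.
        $esxcli = Get-EsxCli -VMHost $esx -V2
        $acceptance = $esxcli.software.acceptance.get.Invoke()

        $ssh = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'TSM-SSH' }

        # Only enabled rule sets matter; everything else is closed by default.
        $open = Get-VMHostFirewallException -VMHost $esx |
                Where-Object { $_.Enabled } |
                Select-Object -ExpandProperty Name

        [pscustomobject]@{
            Host           = $esx.Name
            LockdownMode   = $lockdown
            Acceptance     = $acceptance
            SSHRunning     = $ssh.Running
            OpenRuleSets   = ($open -join ', ')
        }
    }
}

Get-HostSecurityReport | Format-Table -AutoSize

# Remediation examples for one host (names assumed): close a rule set that is not
# needed and stop SSH, which lockdown mode does not do on its own.
$esx = Get-VMHost -Name 'esx01.lab.local'
Get-VMHostFirewallException -VMHost $esx -Name 'SNMP Server' |
    Set-VMHostFirewallException -Enabled:$false
Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'TSM-SSH' } | Stop-VMHostService -Confirm:$false
```

Hosts showing `lockdownDisabled`, `CommunitySupported`, or SSH running are the ones to look at first; a scheduled run of the report function is a cheap drift check between host profile compliance scans.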
Objective 7.5 – Configure role-based user management
Role-based management allows you to assign a set of permissions to a user or group. This is great as it makes it easier to assign just the permissions a user needs and no more, which is great for security. VMware provides a number of pre-configured roles. These can’t be changed. What you can do is clone them and change the clones. You can also create your own custom role. To do this, you click on the Menu and go to Administration.
You can see the predefined roles when you select Roles under Access Control
To clone you select one and then click the Clone icon
You need to name it and click OK on the window that pops up. To edit the clone you just made, select the new role and click on the pencil icon. Then select the privileges you want to allow or disallow by clicking on the check boxes.
You can see the privileges already assigned to a role by clicking on the Privileges button on the side.
You then assign the roles under the Global Permissions item. You can use one of the built-in users or groups, or you can add a new user/group. You can add the group from any of the identity sources you have set up already.
When you add or edit the permissions you set the role.
There is a special role called No Access as well that you can assign to a user to keep them from accessing specific objects or privileges.
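The clone-then-edit workflow above in PowerCLI, as an added example (not from the original post): clone the built-in Read-only role, add just the two power privileges an operations group needs, and grant it on one cluster. The role name, cluster name and AD group are assumptions; the privilege IDs are the standard vSphere ones.

```powershell
# Added example, not from the original post. Assumes Connect-VIServer was run already.
# Assumed names: role "Ops-ReadOnly-Power", cluster "Prod-Cluster", group LAB\ops-team.

# 1. Clone: a new role with exactly the privileges of the built-in Read-only role.
$readOnly = Get-VIRole -Name 'Read-only'
$basePrivs = Get-VIPrivilege -Role $readOnly
$opsRole = New-VIRole -Name 'Ops-ReadOnly-Power' -Privilege $basePrivs

# 2. Edit the clone: add only power on/off, nothing else (least privilege).
$extra = Get-VIPrivilege -Id 'VirtualMachine.Interact.PowerOn',
                              'VirtualMachine.Interact.PowerOff'
Set-VIRole -Role $opsRole -AddPrivilege $extra | Out-Null

# 3. Show the resulting privilege list, the same thing the Privileges button shows.
Get-VIPrivilege -Role $opsRole | Select-Object Id, Name | Sort-Object Id

# 4. Assign the role on a single cluster rather than globally; Propagate lets it
#    flow down to the hosts and VMs in that cluster.
$cluster = Get-Cluster -Name 'Prod-Cluster'
New-VIPermission -Entity $cluster -Principal 'LAB\ops-team' -Role $opsRole -Propagate:$true
```

Scoping the permission to the cluster instead of Global Permissions keeps the group from seeing or touching anything outside it, which is usually what you want for an operations team.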
Objective 7.6 – Configure and use vSphere Compute and Storage cluster options
After you create a cluster, you can right click on it and select Settings, or click on the Configure tab in the center (object) pane.
Quickly going through the options available: there are DRS and HA, which we’ve already gone over. We then have:
- QuickStart – is a wizard to help you configure your cluster.
- General – lets you change the swap file location for your VMs. This will be the default setting for the cluster. Default VM compatibility is the default VM Hardware version for the cluster.
- Licensing – This is only used if you use vSAN.
- VMware EVC – This was mentioned previously as well. Enhanced vMotion Compatibility. This allows you to use disparate versions of processors and vMotion between them.
- VM/Host Groups – This is the VM Groups and Host groups you can setup to create Affinity or Anti-Affinity rules
- VM Host Rules – These are the Affinity or Anti-Affinity rules.
- VM Overrides – This allows you to override cluster settings for DRS/HA restart or response for individual VMs.
- Host Options – Allows for host power management. You enter your IPMI settings per server.
- Host Profile – This will be gone over in a few objectives, but creates a settings template for all hosts in the cluster.
- I/O filters – You can install I/O filters here (VAIO) This can be a plugin such as backup or disaster recovery filters.
- Alarm Definitions – This is where you can add/enable/disable/delete alarms for your cluster (applies to objects in the cluster)
- Scheduled Tasks – You can schedule certain tasks for off hours. New Virtual Machine, Add Host, or Edit DRS.
- vSAN – This won’t say much here unless it’s turned on.
A Datastore Cluster or Storage Cluster (not to be confused with a vSAN cluster) is created by right-clicking on the datacenter under the Storage heading in the navigation pane.
- This launches a wizard to go through. You will need to enter a Datastore Cluster name and you should turn on Storage DRS.
- You are then presented with more options than anyone should need. The first is what level of automation you would like, but then you have all these other options which I will leave at the cluster default. Each one of them will check certain metrics or alarms and move VM storage based on what it sees.
- Now you need to decide the Storage DRS runtime settings. These are the thresholds that must be crossed before it takes action to move data around. I’m leaving the defaults again.
- You then select your cluster and / or hosts that will participate in sharing their datastores in this.
- Select the datastores that will make up this Datastore cluster
- It gives you final summary screen and you click Finish.
Objective 7.7 – Perform different types of migrations
We’ve already gone over the types of migrations possible. Now let’s see how to accomplish them.
- To migrate a VM, whether you are moving the VM’s compute or its storage, you need to right click on the VM and choose Migrate.
- You are given the option of 3 types of migration: vMotion = compute resource only, svMotion = change storage only, or enhanced/xvMotion = both. The screens after depend on which you choose here. I will choose both so you see both sets of screens.
- For the compute resource to migrate to, I need to choose either a cluster or an individual host. A handy little tidbit is in the upper right-hand corner: VM origin tells you where this VM is sitting right now, both host and datastore.
- Select storage next.
- Next, select the network for this VM to use.
- vSphere gives a summary, click Finish and it will migrate.
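The combined compute-plus-storage migration from the wizard, done with `Move-VM` as an added example (not from the original post). Host, datastore and port group names are assumptions.

```powershell
# Added example, not from the original post. Assumes Connect-VIServer was run already.
# Assumed names: VM "web01", target host esx02.lab.local, datastore "Gold-DS01",
# port group "VM Network" on the target host.
$vm      = Get-VM -Name 'web01'
$target  = Get-VMHost -Name 'esx02.lab.local'
$ds      = Get-Datastore -Name 'Gold-DS01'
$pg      = Get-VirtualPortGroup -VMHost $target -Name 'VM Network'

# Same information the wizard shows as "VM origin" before you move anything.
$vm | Select-Object Name, VMHost, @{N = 'Datastore'; E = { ($_ | Get-Datastore).Name -join ',' } }

# Compute + storage + network in one operation (xvMotion). Leave out -Datastore for a
# plain vMotion, or pass only -Datastore for a storage-only (svMotion) move.
Move-VM -VM $vm -Destination $target -Datastore $ds `
        -NetworkAdapter (Get-NetworkAdapter -VM $vm) -PortGroup $pg -Confirm:$false

# Verify where it landed.
Get-VM -Name 'web01' | Select-Object Name, VMHost, @{N = 'Datastore'; E = { ($_ | Get-Datastore).Name -join ',' } }
```

Because the wizard and `Move-VM` both run live, it is worth confirming the destination host has the vMotion VMkernel port from Objective 7.1 before starting, otherwise the task fails on the compatibility check.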
Objective 7.8 – Manage resources of a vSphere environment
There are several resources that can be managed in a vSphere environment. There are mechanisms built-in to vSphere to allow that. You can create resource pools, assign shares for CPU, memory, disk, and network resources. You can also create reservations and limits. Let’s define a few of those and how they work.
- Reservations – this is the amount of the resource that is guaranteed. If the reservation can’t be satisfied, the VM will not power on.
- Limits – the maximum amount of that resource you will allow for that VM. The issue with limits is that even if you have spare resources, vSphere will still not allow that VM to use more than its limit.
- Shares – used to decide how VMs compete for a resource. Shares only come into play when there is contention for it. During regular periods when all the VMs are happy and there are plenty of resources, shares don’t matter.
Resource Pools can also be created to slice off resources. You can have reservations on Resource Pools as well, but you can do a bit more: you can have expandable reservations, which let the pool borrow resources from its parent if it needs to. This is what you need to configure when you create a CPU and Memory Resource Pool.
You can also assign this on an individual VM basis
To assign disk shares you can look at the individual VM
You can also assign shares and manage network resources on Virtual Distributed Switches with Network I/O Control enabled.
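Reservations, limits and shares applied from PowerCLI, as an added example (not from the original post): a resource pool with expandable reservations, a per-VM reservation/limit/share setting, disk shares on a VM, and a report of every VM that has a limit set (the gotcha mentioned above). Cluster, pool and VM names are assumptions.

```powershell
# Added example, not from the original post. Assumes Connect-VIServer was run already.
# Assumed names: cluster "Prod-Cluster", pool "Tier1", VM "db01".
$cluster = Get-Cluster -Name 'Prod-Cluster'

# 1. Resource pool: guaranteed 4 GHz / 16 GB, allowed to borrow from the parent
#    (expandable reservation) and given High shares under contention.
$pool = New-ResourcePool -Location $cluster -Name 'Tier1' `
    -CpuReservationMhz 4000 -CpuExpandableReservation:$true -CpuSharesLevel High `
    -MemReservationGB 16    -MemExpandableReservation:$true -MemSharesLevel High

# 2. Per-VM settings: reserve 2 GHz and 8 GB, cap memory at 16 GB, High CPU shares.
$vm = Get-VM -Name 'db01'
Move-VM -VM $vm -Destination $pool -Confirm:$false | Out-Null
$vm | Get-VMResourceConfiguration |
    Set-VMResourceConfiguration -CpuReservationMhz 2000 -CpuSharesLevel High `
                                -MemReservationGB 8 -MemLimitGB 16 | Out-Null

# 3. Disk shares are set per virtual disk.
$vm | Get-VMResourceConfiguration |
    Set-VMResourceConfiguration -Disk (Get-HardDisk -VM $vm) -DiskSharesLevel High | Out-Null

# 4. Report: any VM with a CPU or memory limit. -1 means "unlimited", so anything
#    else is a cap that will hold even when the cluster has free capacity.
Get-VM | Get-VMResourceConfiguration |
    Where-Object { $_.CpuLimitMhz -ne -1 -or $_.MemLimitMB -ne -1 } |
    Select-Object VM, CpuReservationMhz, CpuLimitMhz, MemReservationMB, MemLimitMB |
    Format-Table -AutoSize
```

The report in step 4 is the one to run after inheriting an environment; limits left over from a long-ago troubleshooting session are a common cause of "slow VM on an idle cluster" tickets.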
Objective 7.9 – Create and manage VMs using different methods
There are several methods to create VMs. You can:
You can also deploy from an OVF template, use the OVF Tool, or create a VM from a physical machine using the P2V tool. For the purposes of the exam they more than likely just want you to know about the ones in the picture and deploying from an OVF template.
You can manage VMs through the HTML5 client, the API, PowerCLI (PowerShell), or even through the ESXi host console. There are even some things you can only do using PowerCLI. Creating a new VM via PowerCLI isn’t hard either; it can be done with a command like the following:
New-VM -Name 'TestVM' -VMHost 'VMHost-1' -Datastore 'TestDatastore' -DiskGB 40 -MemoryGB 8 -NumCpu 2 -NetworkName 'Virtual Machine Network'
That creates a new VM named TestVM on VMHost-1, storing its 40 GB VMDK on TestDatastore. A lot simpler than going through a long wizard, to me.
Objective 7.10 – Create and manage templates
Templates are VMs that have been converted so that they can’t be powered on. They are used as base server machines or VDI base workstations. Creating them is a simple process. You can do this with a running VM by cloning it (creating a copy) and making the copy a template. If you want to convert the machine you are working on, it will need to be powered off. I will go over both ways to do this.
- Right click on the VM to be cloned. We will start with a running VM.
- Give the VM Template a name
- Choose a location for the template
- Choose storage for the template
- Complete by clicking Finish.
For a machine that is powered off you can clone it as well, but you also have the option of turning that VM itself into a template. To do that:
- Right click on the VM you want to change to a template.
- If you choose Convert to Template, it asks you if you are sure and then does it. If you choose Export OVF Template, this will save an OVF file to your desktop that is the VM in template format, which you can import like an appliance.
Objective 7.11 – Manage different VMware vCenter Server objects
I’ve gone over how to manage different types of objects so I will take a stab here and guess that they are referring to the actual vCenter Server objects and not clusters, hosts, etc.
To manage the vCenter Server object, there are a couple of places to go. The first is Administration > System Configuration. This location will allow you to export a support bundle, converge an external PSC to embedded, and decommission a PSC. Oh, you can also reboot it.
The next place you can configure the vCenter is by clicking on the vCenter in the navigation pane and then going to the Configure tab in the object pane. You can see that here.
This is just changing the settings on the vCenter server itself and not the object.
If anyone has a thought on what they may be looking for here that I didn’t cover, reach out to me.
Objective 7.12 – Setup permissions on datastores, clusters, vCenter, and hosts
Permissions can be set on most objects in the vSphere environment. To do that you need to navigate to the Permissions tab in the object pane. Here is an example.
You can see how you can assign permissions to it. Click on the ‘+’ in order to add another user or group to it. You can also edit an existing permission by clicking on the pencil icon. You can also propagate this permission to its children with the Propagate to children checkbox.
If a user has conflicting permissions, the explicit permission will win over the general one. This allows you to assign a user “No Access” on an object and it will win over the rights they get from group membership. The user documentation explains this really well. (From the VMware documentation here:)
If multiple group permissions are defined on the same object and a user belongs to two or more of those groups, two situations are possible:
No permission for the user is defined directly on the object. In that case, the user has the privileges that the groups have on that object.
A permission for the user is defined directly on the object. In that case, the user’s permission takes precedence over all group permissions.
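The precedence rule just quoted, shown from PowerCLI as an added example (not from the original post): list the permissions on a datastore so you can tell group entries from explicit user entries, then add an explicit No Access permission for one user that overrides whatever their groups grant. Datastore and principal names are assumptions.

```powershell
# Added example, not from the original post. Assumes Connect-VIServer was run already.
# Assumed names: datastore "Gold-DS01", group LAB\storage-admins, user LAB\contractor1.
$ds = Get-Datastore -Name 'Gold-DS01'

function Get-ObjectPermissionReport($entity) {
    # IsGroup distinguishes the two cases in the documentation quote above:
    # a user-specific (IsGroup = False) entry on the object beats every group entry.
    Get-VIPermission -Entity $entity |
        Select-Object Principal, IsGroup, Role, Propagate,
                      @{N = 'DefinedOn'; E = { $_.Entity.Name } } |
        Sort-Object IsGroup, Principal
}

# Before: the group grants a role on the datastore; contractor1 is a member of it.
New-VIPermission -Entity $ds -Principal 'LAB\storage-admins' `
    -Role (Get-VIRole -Name 'Administrator') -Propagate:$true | Out-Null
Get-ObjectPermissionReport $ds | Format-Table -AutoSize

# Explicit No Access for one user on the same object: per the precedence rule this
# wins over the group's Administrator role, without editing the group.
New-VIPermission -Entity $ds -Principal 'LAB\contractor1' `
    -Role (Get-VIRole -Name 'No access') -Propagate:$true | Out-Null

# After: both entries exist; the user-specific one is the effective one for contractor1.
Get-ObjectPermissionReport $ds | Format-Table -AutoSize
```

Note that `DefinedOn` shows where each permission was actually set; a permission inherited from a parent object via Propagate shows the parent’s name, which is how you find the source of an unexpected grant.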
Objective 7.13 – Identify and interpret affinity/anti affinity rules
Affinity and Anti-Affinity rules exist on a DRS enabled cluster. They are typically used for the following reasons:
- Affinity Rules – Used for multi-tier application VMs or other VMs that communicate heavily or depend on each other in order to run. They can also be used to keep a VM running on a specific host for licensing or other purposes.
- Anti-Affinity Rules – Used to keep VMs separate from each other, i.e. running on different hosts.
These rules can be set up as “Must” rules or “Should” rules. Just like it sounds, a Must rule is enforced strictly: if the machines can’t comply with the rule, they won’t start. Should rules will try everything they can to comply, but if, for example, you are down to one host, the machines will still run there as that is their only option.
You create groups that are made up of either VMs or hosts and then create a rule that defines the relationship between them. You set them up underneath the Configure tab under your cluster. Here is what that looks like:
You would create the VM and/or host groups. Then you create the rules that will govern them.
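The same groups and rules created from PowerCLI, as an added example (not from the original post): a VM-to-VM anti-affinity rule, VM and host groups, a Must-run-on VM/host rule for a licensing case, and a listing you can use to interpret what rules a cluster already has. Cluster, VM and host names are assumptions.

```powershell
# Added example, not from the original post. Assumes Connect-VIServer was run already.
# Assumed names: cluster "Prod-Cluster", VMs dc01/dc02/ora01, hosts esx01/esx02.lab.local.
$cluster = Get-Cluster -Name 'Prod-Cluster'

# 1. VM/VM anti-affinity: keep the two domain controllers on different hosts.
#    (-KeepTogether $true would make it an affinity rule instead.)
New-DrsRule -Cluster $cluster -Name 'DCs-Separate' -Enabled $true `
    -KeepTogether $false -VM (Get-VM -Name 'dc01', 'dc02') | Out-Null

# 2. VM/Host rule for licensing: the Oracle VM must stay on the two licensed hosts.
$vmGroup   = New-DrsClusterGroup -Cluster $cluster -Name 'Oracle-VMs' -VM (Get-VM -Name 'ora01')
$hostGroup = New-DrsClusterGroup -Cluster $cluster -Name 'Oracle-Hosts' `
                 -VMHost (Get-VMHost -Name 'esx01.lab.local', 'esx02.lab.local')
# -Type MustRunOn / MustNotRunOn are the "Must" rules; ShouldRunOn / ShouldNotRunOn
# are the "Should" rules the text describes.
New-DrsVMHostRule -Cluster $cluster -Name 'Oracle-MustRunOn' -Enabled $true `
    -VMGroup $vmGroup -VMHostGroup $hostGroup -Type MustRunOn | Out-Null

# 3. Interpret existing rules: which VMs each VM/VM rule covers, and the
#    group-to-group relationship and strictness of each VM/Host rule.
Get-DrsRule -Cluster $cluster |
    Select-Object Name, Enabled, KeepTogether,
                  @{N = 'VMs'; E = { (Get-VM -Id $_.VMIds).Name -join ',' } }
Get-DrsVMHostRule -Cluster $cluster |
    Select-Object Name, Enabled, Type, VMGroup, VMHostGroup
```

When reading the output, a Must rule whose host group is down to one host is the situation the text warns about: a restart of those VMs will fail rather than land on an unlisted host.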
Objective 7.14 – Understand use cases for alarms
Use cases for alarms are plentiful. You don’t want errors and issues happening in the background without you knowing. Even better, it would be great to get notice of these events before they happen. That is what alarms can do for you. They can notify you in response to events or conditions that occur on objects in your vSphere environment. There are default alarms already set up for hosts and virtual machines. You can also set up alarms for many other objects. An alarm requires a trigger. This can be one of two things:
- Condition or State. This monitors the condition or state of an object. An example of this would be a datastore using 80 percent of its storage, or a host experiencing high CPU usage.
- Event. This would be something like a host hardware changes, or leaves a cluster.
You can setup an alarm by right clicking on the object and then click on Alarms > New Alarm Definition.
Objective 7.15 – Utilize VMware vSphere Update Manager (VUM)
VUM (vSphere Update Manager) is VMware’s server and management utility to patch and upgrade its software. While there were many requirements to get VUM working on previous versions of vSphere, in 6.7 it’s pretty easy. Though it’s not completely simple, it does make more sense once you use it for a little bit. First, we need to define a few terms.
Baseline – one or more patches, extensions, or upgrades that you want to apply to your vSphere infrastructure. Baselines can be dynamic or static. Dynamic baselines will automatically download and add new patches. I don’t necessarily recommend this as you don’t know how a patch will affect your environment without testing. Now if it’s a test environment, go for it! VMware includes two dynamic patch baselines predefined for you. You can create your own.
Baseline Group – Includes multiple baselines. The pre-defined baselines are Non-Critical and Critical Host Patches. Unless one causes an issue, it would be good to have both of those. I created a group that includes both called Baseline Group 1.
You can create a baseline that includes an upgrade say from 6.5 to 6.7 as well. There are settings that go along with this service and here is what they look like.
- Patch Downloads concerns itself with getting your updates.
- Patch Setup concerns itself with where it is getting them from. Do you need a proxy?
- Recall Notification. Occasionally VMware needs to recall a patch that isn’t up to par. This setting will notify you that there is a recall and what it is, and make sure it doesn’t apply that patch to any hosts.
- Network Connectivity. Connectivity for VUM. Mainly port numbers and host name.
- Hosts – When you apply the baselines to a host, what do you want done with the VMs, what to do if the host uses PXE to boot, and how many retries.
- VMs – If you are remediating VMs, do you want to take a snapshot automatically and how long do you want to keep it.
The setup of the server is just the first step though. You now need to get these patches to the hosts and VMs. You have two options when you apply them: you can Stage, or Remediate. Stage will just load the patches onto the host and wait for you to tell it to take action. Remediate takes immediate action. You can do this by going to the Updates tab for the object. Here is the Updates tab for the cluster.
At the bottom you notice I attached the baseline. This is needed to stage or remediate your hosts and VMs. You can then check them by clicking Check Compliance. You may also notice you can update VMware Tools and VM Hardware versions en masse (may require a VM reboot).
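The attach, check-compliance, stage and remediate sequence from the PowerCLI Update Manager cmdlets, as an added example (not from the original post). The cluster name is an assumption; the two baseline names are the predefined ones the text refers to. The `Update-Entity` retry parameters mirror the Hosts settings described above.

```powershell
# Added example, not from the original post. Assumes Connect-VIServer was run already
# and the VMware.VumAutomation module is loaded. Assumed cluster name: "Prod-Cluster".
$cluster   = Get-Cluster -Name 'Prod-Cluster'
$baselines = Get-Baseline -Name 'Critical Host Patches (Predefined)',
                                'Non-Critical Host Patches (Predefined)'

# 1. Attach both predefined patch baselines to the cluster (what the Attach button does).
Attach-Baseline -Entity $cluster -Baseline $baselines -Confirm:$false

# 2. Scan, then read the result per host and baseline.
Test-Compliance -Entity $cluster
$report = Get-Compliance -Entity $cluster -Detailed |
    Select-Object @{N = 'Host'; E = { $_.Entity.Name } },
                  @{N = 'Baseline'; E = { $_.Baseline.Name } }, Status
$report | Format-Table -AutoSize

# 3. Stage only: copy the patches to non-compliant hosts without installing anything,
#    so the change window itself is shorter.
$needsWork = ($report | Where-Object { $_.Status -ne 'Compliant' }).Host | Select-Object -Unique
if ($needsWork) {
    Stage-Patch -Entity (Get-VMHost -Name $needsWork) -Baseline $baselines
}

# 4. Remediate during the window. Hosts enter maintenance mode one at a time;
#    a host that fails to enter it is retried twice before the task gives up.
Update-Entity -Entity $cluster -Baseline $baselines `
    -HostFailureAction Retry -HostNumberOfRetries 2 -Confirm:$false
```

Running step 2 again after step 4 and diffing the two reports is the simplest proof, for an audit or a change record, that the patch level actually moved.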
Objective 7.16 – Configure and manage host profiles
Host profiles provide a mechanism to automate host configuration and create a base template for your hosts. Using host profiles, you can make all your hosts exactly the same. vCenter will inform you if a host is not in compliance and then you can take steps to remediate it.
You access it under Policies and Profiles.
There is a process to it. Here it is:
- Click on Host Profiles in the navigation pane on the left.
- Next is Extract Host Profile. This takes a host you select and makes it the “baseline”.
- This will pop up a wizard. This is where you select the host.
- Give it a name and a description and then click Finish.
- Once that is done, you now have a window that looks like this.
- Yes, it’s small. The point is that when you click on the host profile you now have additional options above. Notice as well that the profile is also a hyperlink. Click on it.
- Click on Actions to attach it to hosts or clusters.
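The extract, attach and compliance-check steps from PowerCLI, as an added example (not from the original post). The reference host, profile name and cluster are assumptions; `-AssociateOnly` attaches the profile without applying it, which is the equivalent of the Attach action above.

```powershell
# Added example, not from the original post. Assumes Connect-VIServer was run already.
# Assumed names: reference host esx01.lab.local, profile "Prod-Host-Profile",
# cluster "Prod-Cluster".
$refHost = Get-VMHost -Name 'esx01.lab.local'
$cluster = Get-Cluster -Name 'Prod-Cluster'

# 1. Extract: the reference host's configuration becomes the profile.
$profile = New-VMHostProfile -Name 'Prod-Host-Profile' -ReferenceHost $refHost `
               -Description 'Baseline extracted from esx01 (example)'

# 2. Attach to the whole cluster without applying anything yet.
Apply-VMHostProfile -Entity $cluster -Profile $profile -AssociateOnly -Confirm:$false | Out-Null

# 3. Compliance check: one row per host, with the number of settings that drifted.
#    (Property name IncomplianceElementList as returned by PowerCLI 6.x; verify on yours.)
$results = Test-VMHostProfileCompliance -VMHost ($cluster | Get-VMHost)
$results | Select-Object @{N = 'Host'; E = { $_.VMHost.Name } },
                         @{N = 'Profile'; E = { $_.VMHostProfile.Name } },
                         @{N = 'Drifted'; E = { $_.IncomplianceElementList.Count } } |
    Format-Table -AutoSize

# 4. Show the drifted settings themselves for any host that is not compliant.
foreach ($r in $results | Where-Object { $_.IncomplianceElementList.Count -gt 0 }) {
    "`n{0}:" -f $r.VMHost.Name
    $r.IncomplianceElementList | Select-Object PropertyName, ExpectedValue, CurrentValue
}
```

Compliance results are only as current as the last check, so scheduling step 3 is what turns host profiles from a provisioning tool into a configuration-drift detector; the security settings from Objective 7.4 (lockdown mode, firewall rule sets, services) are all part of what the profile compares.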
So that is the end of this study guide. If you find something incorrect in it or I didn’t understand the Blueprint from VMware, let me know. I appreciate you taking the time to read through and hope you were able to use it. I really appreciate the community and all the things it’s done for me, which is why I love doing things like this. Thanks!!
Mike Wilson (IT-Muscle.com / @IT_Muscle )