mcse2012.blogfa.com
azarpara.vahid@gmail.com
You access and log in to your student desktop system to perform all lab activities for this course.
Use the following information from the class configuration handout:
Student desktop user name
Standard lab password
1. Ask your instructor how to log in to the student desktop system in your lab environment.
For example, your instructor might have you use Remote Desktop Connection to connect to the
student desktop system.
2. Log in to the student desktop system, using your student desktop user name and the standard lab
password.
You verify that licenses for VMware vCenter Server and the VMware ESXi hosts are valid.
Use the following information from the class configuration handout:
Standard lab password
1. Log in to the VMware vSphere Web Client interface.
a. On the student desktop machine task bar, click the Internet Explorer shortcut.
b. From the Favorites bar, select vSphere Web Clients > SA-VCSA-01.
c. If you receive a security exception for vSphere Web Client, click the Continue to this
website (not recommended) link to open the login screen.
d. Log in with administrator@vsphere.local (the vCenter Server administrator user name) and
the standard lab password.
e. Point to the Home icon and select Home.
2. Verify that the licenses for the vCenter Server system and the ESXi hosts are valid.
a. On the Home page under Administration, click the Licensing icon.
b. In the center pane, click the Assets tab.
c. On the vCenter Server systems tab, verify that the vCenter Server system has a valid license.
d. Click the Hosts tab.
e. Verify that all ESXi hosts have valid licenses.
f. If the vCenter Server system and the ESXi hosts are not licensed or have licenses that are
expired, go to task 3.
g. If the licenses are valid, go to task 4.
Task 3: Assign Valid vSphere Licenses
If the vCenter Server system and ESXi hosts licenses are expired, you assign valid licenses to these
VMware vSphere components.
Use the following information from the class configuration handout:
vCenter Server license key
vSphere Enterprise Plus license key
1. In the center pane, click the Licenses tab.
2. Click the Create New Licenses icon (green plus sign).
The New Licenses wizard appears.
3. In the License keys (one per line) text box, enter the license keys that your instructor gave you
(one per line) and click Next.
4. On the Edit license names page, enter the new license names vCenter Server and
Enterprise Plus in the License Name text boxes and click Next.
You create a distributed switch that functions as a single virtual switch across all associated hosts in
your vSphere environment.
1. In vSphere Web Client, point to the Home icon and select Networking.
2. In the left pane, expand the inventory until you see SA Datacenter.
3. Right-click SA Datacenter and select Distributed Switch > New Distributed Switch.
4. On the Name and location page, enter dvs-Lab in the Name text box and click Next.
5. On the Select version page, leave Distributed switch: 6.5.0 selected and click Next.
6. On the Edit settings page, enter pg-SA Production in the Port group name text box, keep
all other defaults, and click Next.
7. On the Ready to complete page, review the configuration settings and click Finish.
The dvs-Lab distributed switch is listed in the left pane, also called the Navigator pane.
8. Configure the pg-SA Production port group to use only Uplink 2.
a. In the left pane, expand dvs-Lab and right-click pg-SA Production.
b. Select Edit Settings.
c. In the Edit Settings window, select Teaming and failover on the left.
d. Select Uplink 1 and click the down arrow until the uplink appears under Unused uplinks.
e. Select Uplink 3 and click the down arrow to move it to the Unused uplinks section.
[Screenshot: Failover order, with Uplink 2 under Active uplinks, no entries under Standby uplinks, and Uplink 1, Uplink 3, and Uplink 4 under Unused uplinks]
g. Click OK.
You add ESXi hosts and physical adapters to the distributed switch.
1. In the Navigator pane, right-click the dvs-Lab distributed switch and select Add and Manage
Hosts.
2. On the Select task page, leave Add hosts clicked and click Next.
3. On the Select hosts page, click New Hosts (the green plus sign).
4. Select sa-esxi-01.vclass.local and sa-esxi-02.vclass.local and click OK.
Do not select sa-esxi-03.vclass.local.
5. Click Next.
6. On the Select network adapter tasks page, deselect the Manage VMkernel adapters check box
and leave the Manage physical adapters check box selected.
7. Click Next.
[Screenshot: physical network adapters for sa-esxi-01.vclass.local, with an "On this switch" section and vmnic2 and vmnic3 listed under "On other switches/unclaimed", followed by sa-esxi-02.vclass.local]
9. On the Analyze impact page, verify that the status is No impact for both ESXi hosts and click Next.
10. On the Ready to complete page, review your settings and click Finish.
You examine the configuration of the distributed switch uplink, which is bound to the associated
physical interfaces on the ESXi hosts. You also examine other distributed switch features, including
the maximum transmission unit (MTU) value, VLAN capabilities, LACP aggregation groups,
NetFlow, and VMware vSphere Network I/O Control.
1. In the Navigator pane, select the dvs-Lab distributed switch.
2. In the center pane, click the Configure tab and select Topology on the left.
[Screenshot: dvs-Lab topology showing the pg-SA Production port group and the dvs-Lab-DVUplinks-81 uplink group, with vmnic2 of sa-esxi-02.vclass.local and vmnic2 of sa-esxi-01.vclass.local attached, and Uplink 3 (0 NIC Adapters)]
4. Verify that for both ESXi hosts the vmnic2 is attached and appears under Uplink 2.
5. In the center pane, click Properties on the left and verify the settings.
Network I/O Control is enabled.
Number of uplinks is 4.
The MTU size is 1500 bytes.
The Cisco Discovery Protocol is implemented.
6. Click each additional configuration link on the left and verify the settings.
LACP LAG is not defined.
Private VLAN is not defined.
NetFlow collector is not defined.
Port mirroring is not configured.
Health check is not enabled.
7. In the Navigator pane, select the pg-SA Production port group.
8. Click the Configure tab and select Properties on the left.
9. Verify the distributed port group settings.
Port binding is set to static binding.
Port allocation is set to elastic.
The number of ports is eight.
You move the virtual machines from the pg-SA Management port group on the dvs-SA Datacenter
distributed switch to the pg-SA Production port group on the dvs-Lab distributed switch.
Use the following information from the class configuration handout:
Standard lab password
1. In the Navigator pane, right-click the dvs-Lab distributed switch and select Migrate VMs to
Another Network.
e. Click Next.
f. On the Select virtual machines to migrate page, select the All virtual machines check box.
A warning message states that the destination network is inaccessible for one or more
virtual machines and that these virtual machines are not selected for migration.
g. Click OK.
The LAB-VCS-01 virtual machine is dimmed. You cannot migrate this virtual machine,
because it is hosted on the sa-esxi-03.vclass.local host, which is inaccessible to the pg-SA
Production port group.
h. Click Next.
3. On the Ready to complete page, review the settings and click Finish.
You enable the health check service on the dvs-Lab distributed switch.
1. In vSphere Web Client, point to the Home icon and select Networking.
2. In the Navigator pane, select the dvs-Lab distributed switch.
3. In the center pane, click the Configure tab and select Health check on the left.
4. Click Edit.
5. Set VLAN and MTU to Enabled.
7. Click OK.
You purposely cause errors by configuring an invalid VLAN ID on the pg-SA Production port group
and setting the MTU value to 9000 on the dvs-Lab distributed switch. These misconfigurations are
reported by the distributed switch health check service.
IMPORTANT
Use only the dvs-Lab distributed switch for this task. Do not try to cause errors on the dvs-SA
Datacenter distributed switch.
VLAN ID 37 is not a valid VLAN ID because the physical switch is not configured for
VLAN 37. An invalid VLAN ID causes an error after you save the configuration.
e. Click OK.
2. Misconfigure the distributed switch by setting the MTU value to 9000.
a. In the Navigator pane, right-click the dvs-Lab distributed switch and select Settings > Edit
Settings.
You restore the dvs-Lab distributed switch configuration to reset any configuration change made
since the configuration was saved.
1. In the Navigator pane, right-click the dvs-Lab distributed switch and select Settings > Restore
Configuration.
3. Leave Restore distributed switch and all port groups clicked and click Next.
4. On the Ready to complete page, review the settings and click Finish.
5. If you lose connection to vSphere Web Client, restart the Internet Explorer browser.
6. After the switch configuration is restored, verify the configuration.
a. View the Health panel and verify that the overall health of the dvs-Lab distributed switch is
back to normal.
You might need to click the Refresh icon in the vSphere Web Client interface to update
the status.
b. View the VLAN settings of the pg-SA Production port group and verify that no VLAN is
configured.
c. View the advanced settings of the dvs-Lab distributed switch and verify that the MTU
value is 1500.
7. Point to the Home icon and select Home.
You use the Linux01 virtual machine to capture and monitor mirrored traffic.
1. If you are logged out of vSphere Web Client, log back in.
a. Open a new tab in Internet Explorer.
b. From the Favorites bar, select vSphere Web Clients > SA-VCSA-01.
c. Log in with administrator@vsphere.local (the vCenter Server administrator user name) and
the standard lab password.
2. In vSphere Web Client, point to the Home icon and select Hosts and Clusters.
3. In the left pane, expand SA Datacenter and expand the SA Management cluster.
4. In the left pane, log in to the Linux01 virtual machine console.
a. Right-click Linux01 and select Open Console.
b. If prompted, click the Continue to this website (not recommended) link to continue.
You should be logged in to Linux01 as root.
c. If you are not logged in, then log in as user root with the standard lab password.
5. In the Linux01 console, monitor ICMP network traffic.
tcpdump -nn icmp
6. Monitor the command output for a few seconds and verify that ICMP traffic is not being
captured.
tcpdump output remains silent until ICMP traffic is detected on the network.
7. Leave the console window open, with the tcpdump command running uninterrupted.
8. In the Internet Explorer window, click the vSphere Web Client tab.
11. If the ping command does not work, enter service network restart and repeat step 10.
12. After the ping command begins working, click the Linux01 console tab.
13. In the Linux01 console window, verify that the running tcpdump command output remains
silent and has not captured any ICMP traffic.
You configure port mirroring so that the port connected to the Linux02 machine is the mirror source
and the port connected to the Linux01 machine is the mirror destination. All the traffic present on
the Linux02 port is forwarded to the Linux01 port for examination.
1. In the Internet Explorer window, click the vSphere Web Client tab.
2. Point to the Home icon and select Networking.
[Screenshot: Select sources page for choosing the source distributed ports, with Port ID and Host columns]
b. In the Select Ports dialog box, select the check box for the row with a connected entity of
Linux02 and click OK.
c. Click Next.
9. On the Select destinations page, configure the port mirroring destination.
a. Click the Select distributed ports icon.
b. In the Select Ports dialog box, select the check box for the row with a connected entity of
Linux01 and click OK.
c. Click Next.
10. On the Ready to complete page, review the settings and click Finish.
With mirroring between ports configured, you view the tcpdump command output and verify that
any ICMP traffic appearing on the Linux02 port is duplicated on the Linux01 port.
1. In the Internet Explorer window, click the Linux02 console tab.
2. Verify that the ping command is still reaching the default router IP address.
3. Click the Linux01 console tab.
4. In the Linux01 console, examine the tcpdump output in the terminal window.
The output looks similar to the screenshot.
[Screenshot: Linux01 console showing tcpdump output with alternating ICMP echo request and ICMP echo reply lines between two IP addresses, each line with an id, a sequence number, and length 64]
5. Record the local address that appears in the captured traffic. __________
10. Using the command output, verify that the Linux02 IP address matches the address that you
recorded in step 5.
11. Close the Linux01 and Linux02 console tabs.
12. Shut down Linux01 and Linux02.
a. Point to the Home icon and select Hosts and Clusters.
b. In the left pane, right-click Linux01 and select Power > Shut Down Guest OS.
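The verification in steps 5 and 10 of the mirroring task can also be scripted. The following Python sketch is an added example, not part of the lab manual: it parses text output of tcpdump -nn icmp captured on the mirror destination, pairs echo requests with replies, and confirms that the only requester is the expected mirror source and that the capture host is not itself an endpoint of the traffic. The addresses (taken from the 192.0.2.0/24 documentation range), the sample lines, and the function names are constructed for illustration.

```python
import re
from collections import Counter

# One IPv4 echo line as printed by `tcpdump -nn icmp`.
ICMP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) > (?P<dst>\d{1,3}(?:\.\d{1,3}){3}): "
    r"ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)


def parse_icmp(lines):
    """Yield one dict per ICMP echo line; skip banners and other output."""
    for line in lines:
        match = ICMP_LINE.match(line.strip())
        if match:
            yield match.groupdict()


def summarize_mirror(lines, capture_ip, expected_source_ip):
    """Summarize a capture taken on the mirror destination.

    capture_ip is the address of the machine running tcpdump (hypothetical
    value in the sample); expected_source_ip is the address recorded for
    the mirror source.
    """
    requests = {}      # (src, dst, id, seq) -> timestamp of the request
    replies = set()    # same key shape, normalized to the request direction
    addresses = set()
    packets = 0
    for pkt in parse_icmp(lines):
        packets += 1
        addresses.update((pkt["src"], pkt["dst"]))
        if pkt["kind"] == "request":
            requests[(pkt["src"], pkt["dst"], pkt["id"], pkt["seq"])] = pkt["ts"]
        else:
            # A reply travels dst -> src, so swap to match its request.
            replies.add((pkt["dst"], pkt["src"], pkt["id"], pkt["seq"]))
    sources = Counter(key[0] for key in requests)
    return {
        "packets": packets,
        "request_sources": dict(sources),
        "unanswered": sorted(key for key in requests if key not in replies),
        # False for an empty capture: silence means nothing was mirrored.
        "source_matches": set(sources) == {expected_source_ip},
        # If the capture host is an endpoint, the traffic is its own,
        # not proof that mirroring works.
        "capture_host_is_endpoint": capture_ip in addresses,
    }


# Constructed sample capture (not taken from the lab environment).
SAMPLE = """\
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:23:28.139981 IP 192.0.2.201 > 192.0.2.10: ICMP echo request, id 33848, seq 323, length 64
11:23:28.144790 IP 192.0.2.10 > 192.0.2.201: ICMP echo reply, id 33848, seq 323, length 64
11:23:29.141628 IP 192.0.2.201 > 192.0.2.10: ICMP echo request, id 33848, seq 324, length 64
11:23:29.146296 IP 192.0.2.10 > 192.0.2.201: ICMP echo reply, id 33848, seq 324, length 64
11:23:30.143100 IP 192.0.2.201 > 192.0.2.10: ICMP echo request, id 33848, seq 325, length 64
""".splitlines()


if __name__ == "__main__":
    report = summarize_mirror(SAMPLE, capture_ip="192.0.2.50",
                              expected_source_ip="192.0.2.201")
    for name, value in report.items():
        print(f"{name}: {value}")
```
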
You create two small datastores for use by your vCenter Server instance as simple tiered storage.
Each datastore is approximately 8 GB in size.
1. If you are logged out of vSphere Web Client, log back in.
2. Point to the Home icon and select Storage.
3. Create a datastore named Gold.
a. In the Navigator pane, right-click SA Datacenter and select Storage > New Datastore.
f. In the disk/LUN list, select the entry for the lowest LUN number attached to an iSCSI
device.
Local drives are labeled as Local VMware Disk. Do not select these drives.
g. If iSCSI devices are not present, ask the instructor for instructions on how to add them.
h. Click Next.
i. On the VMFS version page, leave VMFS 6 clicked and click Next.
j. On the Partition configuration page, keep the defaults and click Next.
k. On the Ready to complete page, review the settings and click Finish.
l. Verify that the Gold datastore appears in the Navigator pane.
4. Create a datastore named Silver.
a. In the Navigator pane, right-click SA Datacenter and select Storage > New Datastore.
1. On the Ready to complete page, review the settings and click Finish.
Use VMware vSphere Storage vMotion to migrate the VM01 virtual machine to the Gold
datastore.
1. Power on VM01.
a. Point to the Home icon and select Hosts and Clusters.
b. Right-click VM01 and select Power > Power On.
You create the tags necessary to implement simple tiering. The Storage Tiers tag category contains
the Gold and Silver identifier tags associated with individual datastores.
1. Point to the Home icon and select Tags & Custom Attributes from the list.
2. In the center pane, click the Tags tab.
[Screenshot: Tags and Categories tabs, with the Tag Name column]
e. Keep the default values for the remaining settings and click OK.
4. Create a Silver Tier identifier tag.
a. In the center pane, click the New Tag icon.
b. In the Name text box, enter Silver Tier.
c. Select Storage Tiers from the Category drop-down menu and click OK.
5. Assign the Gold Tier tag to the Gold datastore.
a. Point to the Home icon and select Storage.
b. In the left pane, right-click the Gold datastore and select Tags & Custom Attributes >
Assign Tag.
f. In the Tags panel, verify that the Gold Tier tag is associated with the Gold datastore.
e. In the Tags panel, verify that the Silver Tier tag is associated with the Silver datastore.
You assign storage policies to virtual machines and specify the configuration settings to be enforced.
1. Point to the Home icon and select Policies and Profiles.
[Screenshot: VM Storage Policies]
g. Click Add tags, select the Gold Tier check box, and click OK.
h. Click Next.
i. On the Storage compatibility page, verify that the Gold datastore is listed under Compatible
storage and click Next.
You assign the Gold and Silver storage policies to individual virtual machines and mitigate
compliance issues.
1. Power off VM01.
A storage policy can be assigned to a virtual machine while the virtual machine is either
powered on or powered off.
a. Point to the Home icon and select Hosts and Clusters.
b. Right-click VM01 and select Power > Power Off.
c. In the list, verify that the Gold Tier policy is assigned to VM home and Hard disk 1 and
click OK.
d. In the left pane, select VM01.
e. In the center pane, click the Summary tab.
f. In the VM Storage Policies panel, verify that Gold Tier Policy appears and that VM01 is
compliant.
The VM01 virtual machine is compliant because it was already moved to a policy
appropriate datastore.
[Screenshot: Check Compliance link]
c. In the list, verify that the Silver Tier policy is assigned to VM home and Hard disk 1 and
click OK.
d. In the left pane, select VM02.
e. In the center pane, click the Summary tab.
[Screenshot: Check Compliance link]
With a virtual machine storage policy assigned to the VM02 virtual machine, datastores are
listed as either Compatible or Incompatible.
d. On the Ready to complete page, review the migration details and click Finish.
e. In the Recent Tasks pane, monitor the migration task to completion.
The migration must complete successfully.
5. Verify that VM02 is reported as compliant.
a. In the center pane, click the Check Compliance link in the VM Storage Policies panel.
b. Verify that the status changes to Compliant.
6. Point to the Home icon and select Home.
Task 1: Create a Datastore Cluster with vSphere Storage DRS Enabled
You create a datastore cluster that is enabled for VMware vSphere Storage DRS. The Gold and
Silver datastores are reused as members of the cluster.
1. If you are logged out of vSphere Web Client, log back in.
2. Point to the Home icon and select Storage.
3. In the left pane, right-click SA Datacenter and select Storage > New Datastore Cluster.
5. On the Storage DRS Automation page, view the automation settings.
a. Leave No Automation (Manual Mode) selected.
b. Keep the rest of the defaults and click Next.
6. On the Storage DRS Runtime Settings page, keep the defaults and click Next.
7. On the Select Clusters and Hosts page, select the SA Management check box on the Filter tab
and click Next.
8. On the Select Datastores page, select the datastores for the datastore cluster.
a. Select Show all datastores from the drop-down menu.
b. Select the Gold and Silver check boxes and click Next.
9. On the Ready to Complete page, review the configuration summary and click Finish.
In a production environment, the best practice is to select datastores that are connected to all
hosts in the cluster and to group them by storage capabilities.
10. In the left pane, expand Cluster-DRS and verify that the Gold and Silver datastores appear.
[Screenshot: inventory tree showing sa-vcsa-01.vclass.local, SA Datacenter, and Cluster-DRS containing the Gold and Silver datastores]
Imbalances are checked every 8 hours.
Minimum space utilization difference is 5 percent.
You place a datastore in maintenance mode to demonstrate the capabilities of vSphere Storage DRS.
1. Put the Silver datastore in maintenance mode.
a. In the left pane, right-click the Silver datastore.
b. Select Maintenance Mode > Enter Maintenance Mode.
c. In the SDRS Maintenance Mode Migration Recommendations dialog box, read the
provided recommendation description.
d. Click Apply Recommendations.
e. If prompted to apply recommendations despite warnings, click Yes.
The VM02 virtual machine is migrated to the Gold datastore.
f. In the Recent Tasks pane, monitor the migration task to completion.
2. In the left pane, verify that the Silver datastore is in maintenance mode.
[Screenshot: inventory tree showing sa-vcsa-01.vclass.local, SA Datacenter, and Cluster-DRS with the Gold datastore and the Silver datastore highlighted]
3. Click the Refresh icon in the vSphere Web Client interface.
You configure vSphere Storage DRS to maintain a balance in usage across all datastores in a cluster.
The cluster imbalance is mitigated by using vSphere Storage DRS recommendations.
1. Point to the Home icon and select Storage.
2. In the left pane, select Cluster-DRS.
3. In the center pane, click the Configure tab and select Storage DRS on the left.
4. Configure vSphere Storage DRS so that recommendations are reported.
a. In the vSphere Storage DRS panel, click Edit.
b. In the Edit Storage DRS Settings dialog box, expand the Storage DRS Automation
section.
c. Next to Space Threshold, drag the Utilized Space slider to the far left to set the threshold
to 50 percent.
The imbalance between the Gold and Silver datastore utilization is detected at a 50 percent
space threshold trigger.
d. Click OK.
b. In the bottom-right corner of the Storage DRS Recommendations panel, click Apply
Recommendations.
You remove the vSphere Storage DRS cluster to prepare for the next lab.
1. Point to the Home icon and select Hosts and Clusters.
2. Power off the VM01 and VM02 virtual machines.
3. Delete the vSphere Storage DRS cluster.
a. Point to the Home icon and select Storage.
b. In the left pane, right-click Cluster-DRS and select Delete.
c. When prompted, click Yes to delete the datastore cluster.
d. After the cluster is deleted, verify that the Gold and Silver datastores appear in the left
pane, directly under the data center.
4. Point to the Home icon and select Home.
You register the storage provider, and you confirm its URL and version. You also view the storage
systems that are made available by the storage provider.
1. In vSphere Web Client, point to the Home icon and select Hosts and Clusters.
2. At the top of the left pane, select sa-vcsa-01.vclass.local (your VMware vCenter Server
Appliance instance).
3. In the center pane, click the Configure tab and select Storage Providers on the left side.
4. In the center pane, click the Register a new storage provider icon.
[Screenshot: Storage Providers panel]
5. In the New Storage Provider dialog box, configure the VASA storage provider.
Option Action
6. Click OK.
7. Click Yes to acknowledge and accept the self-signed certificate warning.
8. Validate that the VASASource storage provider appears in the Storage Providers list.
Q1. In the storage providers window, what is the storage provider URL for VASASource?
Q2. Which version of vSphere API for Storage Awareness appears in the VASA API
Version column?
Q3. Which types of storage systems are listed for this storage provider?
e. In the Create a new folder window, enter SA-NAS in the Enter a name for the new folder
text box and click Create.
The creation of the folder validates that the datastore is available.
You create a virtual volume datastore that is backed by an iSCSI protocol endpoint.
1. Create a virtual volume datastore that uses the iSCSI storage container.
a. In the left pane, right-click SA Datacenter and select Storage > New Datastore.
The New Datastore wizard appears.
b. On the Location page, click Next.
c. On the Type page, click VVol and click Next.
d. On the Name and container selection page, enter SA-iSCSI-VVol in the Datastore name
text box.
e. In the Backing Storage Container list, select SA-iSCSI-vVol and click Next.
f. On the Select hosts accessibility page, select the sa-esxi-01.vclass.local check box and
click Next.
g. On the Ready to complete page, click Finish.
2. In the Recent Tasks pane, monitor the Create Virtual Volume datastore task to completion.
3. After the task completes, click the Refresh icon in vSphere Web Client.
Q1. Why is the virtual volume datastore that is backed by the iSCSI container marked as
inactive?
5. Create a folder on the datastore and validate that the folder is not available.
a. In the left pane, select the SA-iSCSI-VVol datastore.
b. In the center pane, click the Files tab.
c. In the center pane, click the Create a new folder icon.
d. In the Create a new folder window, enter SA-iSCSI in the Enter a name for the new
folder text box and click Create.
The folder creation fails, validating that the datastore is not accessible.
e. Close the folder creation failure alert.
6. Add the Storage Provider as a target to the host's iSCSI storage adapter.
a. Point to the Home icon and select Hosts and Clusters.
j. Click OK.
[Screenshot: Storage Adapters panel]
You configure a local content library that you publish externally for other content libraries to
subscribe to.
1. In vSphere Web Client, point to the Home icon and select Content Libraries.
2. In the center pane, click the Objects tab and click the Create a new content library icon.
[Screenshot: Content Libraries]
3. On the Name and location page, name the content library and verify the vCenter Server
location.
a. In the Name text box, enter SA-Source.
b. In the vCenter Server drop-down menu, verify that sa-vcsa-01.vclass.local is selected and
click Next.
4. On the Configure content library page, configure a local content library.
a. Leave Local content library selected.
b. Select the Publish externally check box.
c. Select the Enable authentication check box.
d. In the Password and Confirm password text boxes, enter the standard lab password.
e. Click Next.
5. On the Add storage page, select the datastore to use for the content library.
a. Click Select a datastore.
You upload an Open Virtualization Format (OVF) file from your student desktop to the new content
library.
1. In the center pane, right-click the SA-Source library and select Import Item.
2. In the Import Library Item window, click Local file and click Browse.
3. In the Choose File to Upload window, click the Desktop icon on the left bar.
4. Double-click the Class Materials and Licenses folder and double-click the Downloads folder.
5. In the Downloads folder, double-click the SampleVM folder.
6. Double-click SampleVM.ovf.
7. In the Select referenced files window, click Browse.
8. Select the SampleVM-1.vmdk file, click Open, and click OK.
9. Click OK.
10. View the Recent Tasks pane to monitor the task to completion.
f. Click Next.
You use vSphere Web Client to clone a virtual machine template into the published content library.
1. Point to the Home icon and select Hosts and Clusters.
2. In the left pane, right-click the VM01 virtual machine and select Clone > Clone to Template
in Library.
5. In the Recent Tasks pane, view the tasks that start up and monitor the tasks to completion.
6. View the template list in both libraries.
a. Point to the Home icon and select Content Libraries.
b. In the left pane, select the SA-Source library.
c. In the center pane, click the Templates tab and verify that both templates are listed.
d. In the left pane, select the SA-Subscriber library.
e. In the center pane, view the Templates tab and verify that only the original template is
listed.
You use vSphere Web Client to deploy a new virtual machine from the VM01-Library template
available in the SA-Subscriber library.
1. In the left pane, select the SA-Subscriber library.
2. In the center pane, right-click VM01-Library and select New VM from This Template.
7. On the Select networks page, keep the default and click Next.
8. On the Ready to complete page, click Finish.
9. View the Stored Content Locally column.
The column value changed to Yes because the template is now needed to deploy a
virtual machine.
10. In the Recent Tasks pane, view the tasks that are started and monitor the tasks to completion.
11. Verify that the virtual machine is deployed.
a. Point to the Home icon and select Hosts and Clusters.
b. In the left pane, verify that the VM03 virtual machine is displayed in the inventory.
12. Point to the Home icon and select Home.
A host profile is a configuration template that is applied to any or all ESXi hosts in a cluster to
verify and enforce specific configuration rules. Normally, a host profile has a reference host.
You export a profile for importation. The imported profile lacks a reference host.
1. In vSphere Web Client, point to the Home icon and select Policies and Profiles.
2. In the left pane, select Host Profiles.
3. Extract a host profile from an ESXi host.
a. In the Objects panel, click the Extract profile from a host icon (green plus sign).
The Extract Host Profile wizard appears.
b. On the Select Host page, click sa-esxi-01.vclass.local and click Next.
c. On the Name and Description page, enter Local-Profile in the Name text box and click
Next.
You import the host profile that you exported in task 1. Because host profiles do not store the
reference host, host profiles can easily be imported and exported.
1. At the top of the Objects panel, click the Import Host Profile icon.
[Screenshot: Objects panel listing Local-Profile]
2. In the Import Host Profile dialog box, import the host profile that you previously saved.
a. Click Browse, navigate to the desktop of the student machine, select the profile.vpf file,
and click Open.
b. Enter Imported-Profile in the Name text box and click OK.
c. In the Recent Tasks pane, monitor the task to completion.
Hosts and clusters can be attached or detached from a host profile in the host profiles view or in the
Hosts and Clusters inventory.
1. In the Objects panel, click the Imported-Profile link to navigate to that object.
2. In the center pane, click the Configure tab.
You can review and edit the comprehensive list of configuration settings that define the host
profile.
3. Select Attach/Detach Hosts and Clusters from the Actions drop-down menu.
[Screenshot: Actions menu showing Remediate and Attach/Detach Hosts and Clusters, next to the Settings View control]
b. Click Attach > to move the selected host to the list on the right and click Next.
A list of settings that can be customized for the first ESXi host appears. The customized
values are prepopulated based on information extracted from the selected host.
c. Review the host customization settings and click Finish.
d. In the Recent Tasks pane, monitor the task to completion.
You run a compliance check to verify the attached host configuration against all the settings that are
specified by the host profile.
1. In the center pane, click the Monitor tab and click Compliance.
2. Select sa-esxi-01.vclass.local and click the Check Host Profile Compliance icon.
You test host profile compliance verification and remediation by introducing a noncompliant change
on the host. The noncompliant change is that you remove the vmnic2 adapter from the dvs-Lab
distributed switch.
1. Point to the Home icon and select Networking.
2. In the left pane, right-click the dvs-Lab distributed switch and select Add and Manage Hosts.
The Add and Manage Hosts wizard appears.
3. On the Select task page, select Manage host networking and click Next.
4. On the Select hosts page, click Attached hosts.
5. In the Select member hosts window, select the sa-esxi-01.vclass.local check box and click OK.
6. Click Next.
7. On the Select network adapter tasks page, deselect the Manage VMkernel adapters check box
and click Next.
8. On the Manage physical network adapters page, unassign the vmnic2 adapter on
sa-esxi-01.vclass.local.
a. Under the sa-esxi-01.vclass.local, select vmnic2 and record the attached uplink.
You run a compliance check to detect noncompliant configuration changes that were made to hosts
attached to a host profile.
1. Point to the Home icon and select Policies and Profiles.
Q1. How do the results of the compliance check differ from the compliance check
performed in task 4?
Q2. In the new category, does the specific issue reported relate to the configuration
change made in task 5?
[Screenshot: Issues and Scheduled Tasks tabs, with the Compliance view and a Host/Cluster column]
For the host to enter maintenance mode, the virtual machines on this host must be powered
off or moved to another host. All virtual machines on this host are currently powered off.
c. Expand the ESXi host to review the host customization tasks to be performed.
d. Click Finish.
9. In the Recent Tasks pane, monitor the remediation and subsequent compliance check tasks to
completion.
10. Verify that the host is now compliant.
11. Verify the action taken by host remediation.
a. Point to the Home icon and select Networking.
b. In the left pane, select the dvs-Lab distributed switch.
c. In the center pane, click the Configure tab and click Topology on the left.
d. Verify that remediation automatically reconnected vmnic2 on sa-esxi-01.vclass.local to the
appropriate uplink.
Task 1: Create a Container for Autodeployed Hosts
You create a folder in the vCenter Server inventory into which autodeployed hosts are placed. A
deploy rule assigns hosts to this folder.
1. In vSphere Web Client, point to the Home icon and select Hosts and Clusters.
2. In the Hosts and Clusters inventory tree, right-click SA Datacenter and select New Folder >
New Host and Cluster Folder from the drop-down menu.
3. Enter Auto-Deployed-Hosts in the folder name text box and click OK.
At this stage, you can create clusters, folders, or other vSphere configurations to apply to
autodeployed hosts. Deploy rules enable selective application of host profiles and destination
containers to hosts that are booting up.
The VMware vSphere Auto Deploy capability is already installed on vCenter Server Appliance,
but the service is not started by default. You start the service and set the startup type to automatic.
1. Point to the Home icon and select Home.
2. Select the vSphere Auto Deploy service.
a. In the center pane, click the System Configuration icon under Administration.
b. In the left pane, select Services.
c. Under Services, select Auto Deploy.
3. Start the vSphere Auto Deploy service.
a. Select Start from the Actions drop-down menu.
b. In the center pane, view the Summary tab and verify that the service state is Running.
4. Configure the vSphere Auto Deploy service to automatically start when vCenter Server starts.
a. Select Edit Startup Type from the Actions drop-down menu.
b. In the Edit Startup Type window, click Automatic and click OK.
c. In the Summary tab, verify that the startup type is Automatic.
On vCenter Server Appliance, the VMware vSphere ESXi Image Builder CLI capability is
already installed, but the service is not started by default.
1. In the left pane under Services, select ImageBuilder Service.
2. Start the vSphere ESXi Image Builder service.
a. Select Start from the Actions drop-down menu.
b. In the center pane, view the Summary tab and verify that the service state is Running.
3. Configure the vSphere ESXi Image Builder service to automatically start when vCenter Server
starts.
a. Select Edit Startup Type from the Actions drop-down menu.
b. In the Edit Startup Type window, select Automatic and click OK.
c. In the Summary tab, verify that the startup type is Automatic.
4. Make the Auto Deploy icon visible in vSphere Web Client.
The Auto Deploy icon is not visible until you log out and log back in to vSphere Web Client.
a. Log out of vSphere Web Client.
b. Log in to vSphere Web Client as administrator@vsphere.local, using the standard lab
password.
You use vSphere Web Client to import an ESXi software depot into vCenter Server and to create a
custom software depot.
1. Point to the Home icon and select Home.
2. In the center pane, click the Auto Deploy icon under Operations and Policies.
d. Click OK.
You use vSphere Web Client to clone an image profile and export the profile to a ZIP archive.
1. Clone an image profile.
a. In the center pane, select SA Depot on the Software Depots tab.
b. Under Image Profiles, select the image profile whose name ends in -no-tools.
j. In the Export Image Profile dialog box, verify that the image is generated successfully and
click Close.
Deployment rules associate host profiles, image profiles, destination containers, and many other
capabilities to hosts engaged in the autodeploy process. Different sets of rules can associate different
characteristics to hosts, based on several conditions and qualifiers, such as the network on which the
host boots.
1. Create a deployment rule.
a. In the center pane, click the Deploy Rules tab.
b. Click the New Deploy Rule icon.
The New Deploy Rule wizard appears.
c. On the Name and hosts page, enter SA Deploy Rule in the Name text box.
d. Verify that Hosts that match the following pattern is clicked.
e. From the <Add pattern> list, select IPv4.
f. In the IPv4 text box, enter 172.20.10.219 and click Next.
172.20.10.219 is the IP address that you will assign to the ESXi host to autodeploy.
g. On the Select image profile page, select My Depot from the Software depot list.
h. Verify that the clone of the image profile is selected and click Next.
i. On the Select host profile page, click Autodeployed-Host-Profile and click Next.
Autodeployed-Host-Profile is preconfigured for use in this lab.
j. On the Select host location page, expand SA Datacenter and select Auto-Deployed-Hosts.
k. Click Next.
l. On the Ready to complete page, click Finish.
m. In the Recent Tasks pane, monitor the task to completion.
This task takes several minutes.
n. Verify that the deploy rule is successfully created.
Task 7: Configure DHCP
You configure a single DHCP reservation in the Management network scope to focus vSphere Auto
Deploy on a single ESXi host based on the host MAC address. Individual reservations are used,
instead of configuring options for a full scope. More realistically, you can simultaneously
autodeploy hosts using the same DHCP scope with different options set for each reservation.
Use the following information from the class configuration handout:
MAC address of ESXi host to autodeploy
1. On the student machine desktop, click the DHCP icon in the task bar.
c. In the IP address text box, enter 172.20.10.219 (the IP address of the ESXi host to
autodeploy).
d. In the MAC address text box, enter the MAC address of the ESXi host to autodeploy.
The MAC address is in the class configuration handout.
You must use hyphens, not colons, between hexadecimal values.
For example: 00-50-56-01-34-28
e. Leave the rest of the settings at their defaults and click Add.
f. Click Close.
The new reservation appears in the DHCP console window, in the right pane.
7. In the left pane, expand Reservations so that your new reservation appears.
The reservation name is in the form [172.20.10.219] SA_reservation.
8. Select your reservation and verify that options inherited from the parent scope appear in the
right pane.
The scope-inherited options should include the following items:
003 Router
006 DNS Servers
015 DNS Domain Name
9. In the left pane, right-click your reservation and select Configure Options.
10. On the General tab of the Reserved Options dialog box, scroll down to the 066 Boot Server
Host Name option.
11. Select the 066 Boot Server Host Name check box and enter 172.20.10.94 in the String
value text box.
13. Click OK.
vCenter Server Appliance is already configured to serve as a TFTP server for vSphere Auto Deploy.
The service must be started.
1. Start an SSH session to vCenter Server Appliance.
a. On the student desktop task bar, click the MTPuTTY shortcut.
b. In the Servers pane on the left, double-click SA-VCSA-01.
Q2. In the /var/lib/tftpboot file list, do you see the TFTP boot image filename that you
entered when configuring DHCP options for your reservation?
The TFTP service does not start automatically when the vSphere Auto Deploy service is started
from vSphere Web Client.
7. Open the TFTP firewall port on the vCenter Server Appliance instance.
iptables -A port_filter -p udp -m udp --dport 69 -j ACCEPT
8. Enter exit and enter exit again to close the MTPuTTY window.
You move out of your student desktop and use the VMware OneCloud Web interface to open a
console to the ESXi host to autodeploy.
1. Verify that you have your student login credentials.
Your login credentials are sent to you in a class welcome email. Your instructor can help you if
you have lost your login information.
2. Record the VMware OneCloud URL provided by your instructor. _____
8. In the vApp panel, click the Open link above the Stop icon.
The vCloud Director OneCloud interface changes to the My Cloud tab, with the vApp details
in the right pane.
9. In the right pane, click the Virtual Machines tab.
10. In the virtual machines list, find SA-ESXi-04.
SA-ESXi-04 is the name of the ESXi host to autodeploy.
Task 11: Power On the ESXi Host and Monitor the Bootup Process
You power on the ESXi host to autodeploy (SA-ESXi-04), and you monitor the ESXi host console
to observe the autodeploy process.
1. Power off and power on the ESXi host to autodeploy.
a. Right-click SA-ESXi-04 and select Power Off.
b. Click Yes to confirm the power-off operation.
c. Right-click SA-ESXi-04 and select Power On.
2. When the ESXi host status changes to Powered On, right-click SA-ESXi-04 and select Popout
Console.
A new window shows the console view of the selected ESXi host.
3. If the Internet Explorer pop-up blocker blocks the console from opening, select the Always
allow pop-ups option and repeat step 2.
Each autodeployed host must be minimally configured so that the host can handle workloads as a
member of a cluster. You perform the minimal configuration of the host networking.
1. Restore the minimized Internet Explorer window and click the vSphere Web Client tab.
2. Point to the Home icon and select Hosts and Clusters.
3. In the left pane, expand the Auto-Deployed-Hosts folder.
The autodeployed host appears in the folder, with the reservation IP as the host name.
4. Point to the Home icon and select Policies and Profiles.
5. In the left pane, click Host Profiles.
6. In the left pane, select Autodeployed-Host-Profile.
7. In the center pane, click the Monitor tab and click Compliance.
8. In the host list, select the autodeployed ESXi host.
9. Click the Check Host Profile Compliance icon.
10. In the Recent Tasks pane, monitor the task and wait for the compliance check to complete.
11. Verify that the ESXi host is in compliance with the host profile.
12. Point to the Home icon and select Home.
Task 1: Set vSphere DRS to Manual Mode
You set the VMware vSphere Distributed Resource Scheduler automation mode to manual to
ensure that vSphere DRS does not migrate virtual machines to different hosts.
This lab requires that the virtual machines remain on their current host.
1. In vSphere Web Client, point to the Home icon and select Hosts and Clusters.
You run a test program to generate continuous database activity on the test virtual machine for
statistical analysis. The test virtual machine is configured with one vCPU.
1. Confirm that the Linux01 virtual machine is hosted on sa-esxi-01.vclass.local.
a. In the left pane, select Linux01.
b. In the center pane, click the Summary tab.
c. On the Select a compute resource page, select sa-esxi-01.vclass.local and click Next.
d. On the Select networks page, keep the default and click Next.
e. On the Ready to complete page, click Finish.
f. Wait for the migration to complete.
3. Power on the Linux01 virtual machine.
4. In the Power On Recommendations dialog box, verify that Linux01 will be placed on
sa-esxi-01.vclass.local and click OK.
The test program generates database operations to a medium-size database and writes output to
the screen. The program must run uninterrupted.
You use the esxtop command to observe performance statistics for supported objects.
1. Start an SSH session to sa-esxi-01.vclass.local.
a. On the student desktop task bar, click the MTPuTTY shortcut.
b. In the Servers pane on the left, double-click SA-ESXi-01.
c. If the PuTTY security alert appears, click Yes.
You are automatically logged in to the appliance as user root.
2. Start esxtop.
By default, esxtop starts with the CPU screen.
3. Change the update delay from the default (5 seconds) to 10 seconds.
a. Enter s.
b. Enter 10.
c. Press Enter.
4. To filter the CPU screen output only to the virtual machines, enter uppercase V.
By default, the CPU screen shows statistics for virtual machine processes and active ESXi host
processes.
5. In the output table, find the Linux01 virtual machine statistics.
You modify the Linux01 virtual machine to have two vCPUs, and you restart the test script.
1. Shut down the Linux01 virtual machine.
2. Wait for the running indicator to be removed from the Linux01 virtual machine icon in the
inventory tree.
3. Add a second vCPU to the Linux01 virtual machine.
a. In the left pane, right-click Linux01 and select Edit Settings.
b. On the Virtual Hardware tab in the Edit Settings dialog box, select 2 from the CPU
drop-down menu and click OK.
c. In the Recent Tasks pane, monitor the reconfiguration task to completion.
4. Power on the Linux01 virtual machine and verify that Linux01 will be placed on
sa-esxi-01.vclass.local.
5. Click the Linux01 console tab and log in to Linux01 as user root with the standard lab
password.
This script generates database operations to a medium-size database. The number of threads is
set to 1. The script must run uninterrupted.
You configure the third case parameters by running a two-threaded test program on a virtual
machine with two vCPUs.
1. On the Linux01 console tab, start the two-threaded test program.
./starttest2
This script generates database operations to a medium-size database. The number of threads is
set to 2. The script must run uninterrupted.
Task 1: Generate Database Activity in the Test Virtual Machine
This test program performs continuous database operations to a medium-size database. The
number of threads is set to 2. The script must run uninterrupted.
You use resource allocation reports to determine whether memory is overcommitted for a virtual
machine.
1. In the Internet Explorer window, click the vSphere Web Client tab.
2. Point to the Home icon and select Hosts and Clusters.
3. In the left pane, select the Linux01 virtual machine.
4. In the center pane, click the Monitor tab and click Utilization.
5. Find the Virtual Machine Memory panel.
6. Record the value for VM Consumed. -----
7. Find the Guest Memory panel, in the lower-left corner of the pane.
8. Record the value for Active Guest Memory. ----
Q1. Is the consumed host memory greater than the active guest memory?
If the consumed host memory is greater than the active guest memory, memory is not
overcommitted. If the consumed host memory is less than active guest memory, then
overcommitment is occurring and might cause degraded performance.
The counter value is reported with each iteration that the test script performs. Use the
counter reported in the last iteration.
You start a memory test on the ResourceHog01 and ResourceHog02 virtual machines.
1. Switch to the vSphere Web Client tab in Internet Explorer.
2. Power on, open a console, and boot to the ResourceHog01 virtual machine.
You must enter the console within 30 seconds.
a. Right-click ResourceHog01 and select Power > Power On.
b. In the Power On Recommendations window, verify that ResourceHog01 will be placed on
sa-esxi-01.vclass.local and click OK.
c. Right-click ResourceHog01 and select Open Console.
d. Click anywhere in the console window.
e. At the BIOS screen, press Enter.
f. At the boot: prompt, press Enter to load the Ultimate Boot CD menu.
If you see a Booting prompt, you did not enter the console within 30 seconds. You must
return to substep a to reset the power on the virtual machine and enter the console to the
virtual machine within 30 seconds.
g. Use the arrow keys and the Enter key to select Mainboard Tools > Memory Tests >
Memtest86+ V1.70.
The exact keystroke sequence is Enter, down arrow, down arrow, Enter, down arrow, down
arrow, Enter.
h. After the memory test utility is running, press Ctrl+Alt to release the pointer focus.
3. Switch to the vSphere Web Client tab.
4. Repeat step 2 for the ResourceHog02 virtual machine.
You record and evaluate memory statistics with a significant load consuming ESXi host memory.
1. Switch to the MTPuTTY window.
2. After at least one minute of statistics collection, record the values for the ResourceHog02,
ResourceHog01, and Linux01 virtual machines in the class configuration handout.
MCTL?
MCTLSZ
MCTLTGT
SWCUR
SWTGT
SWR/s
SWW/s
Q1. For Linux01, does the value of MCTLSZ converge with the value of MCTLTGT?
Q2. For Linux01, does the value of SWCUR converge with the value of SWTGT?
3. Monitor the statistics output until the host reaches a steady state where the counters in each set
are close in value to each other.
If the counters in each set are close in value to each other, the host has reached a steady state.
4. To determine which virtual machines do not have the balloon driver installed, examine the
MCTL? value for each virtual machine.
The MCTL? field indicates the presence of the balloon driver. If the MCTL? value is Y, then
that virtual machine has a balloon driver installed. Otherwise, the virtual machine lacks a
balloon driver.
Q3. Which virtual machines do not have the balloon driver installed?
5. To determine whether the virtual machines are swapping, examine the values for SWR/s and
SWW/s for each virtual machine.
Q5. What are the %SWPWT values for each of the virtual machines?
Q6. What is the memory state: high, clear, soft, hard, or low?
c. Compare this opm value with the value that you recorded in task 4, step 2, substep b.
You stop the test script on the Linux01 virtual machine. You also stop the memory tests on
ResourceHog01 and ResourceHog02.
1. In the MTPuTTY window, select View > Servers to display the Servers pane on the left.
2. Keep esxtop running in the MTPuTTY window.
3. Switch to the Internet Explorer window.
4. On the Linux01 console tab, press Ctrl+C to stop the test script.
Keep the console tab open.
5. Close the ResourceHog01 and ResourceHog02 console tabs.
6. On the vSphere Web Client tab, power off the ResourceHog01 and ResourceHog02 virtual
machines.
You use several test scripts on the Linux01 virtual machine to generate continuous random and
sequential I/O operations against both local and remote (network) datastores.
The Linux01 virtual machine is located on sa-esxi-01.vclass.local and is configured with two hard
drives to serve as local and remote I/O targets. The SCSI (0:1) drive is stored on SA-ESXi-01-Local,
the local datastore. The SCSI (0:2) drive is stored on SA-Shared-01-Remote, the remote datastore.
You monitor storage preparation tasks to completion and then change folders.
1. In the Internet Explorer window, click the Linux01 console tab.
2. If necessary, log in as user root with the standard lab password.
3. Configure storage.
./storageconfig.sh
The storage preparation might take a few minutes to complete. The script must run
uninterrupted to completion.
4. When the script is complete, navigate to the test scripts folder.
cd aio-stress
Task 2: Measure Continuous Sequential Write Activity to a Virtual Disk
on a Remote Datastore
You run the logwrite.sh test script to generate continuous sequential write activity to the hard
disk on the remote datastore.
1. Start the logwrite.sh test script.
./logwrite.sh
6. Enter u to display individual device output, and examine the reads and writes to the devices.
One of the remote devices has more disk I/O activity than the others.
7. Enter v to display virtual machine output.
8. After 30 seconds of statistics collection, record the values for the Linux01 virtual machine in
the Sequential Writes/Remote Datastore column in the class configuration handout.
READS/s
WRITES/s
Task 3: Measure Continuous Random Write Activity to a Virtual Disk
on a Remote Datastore
You run the datawrite.sh test script to generate continuous random write activity to the virtual
machine hard disk on the remote datastore.
1. In the Linux01 console, start the datawrite.sh test script.
./datawrite.sh
Task 4: Measure Continuous Random Read Activity to a Virtual Disk
on a Remote Datastore
You run the fileserver2.sh test script to generate continuous random read activity from the hard
disk on the remote datastore.
1. In the Linux01 console, start the fileserver2.sh test script.
./fileserver2.sh
Task 5: Measure Continuous Random Read Activity to a Virtual Disk
on a Local Datastore
You run the fileserver1.sh test script to generate continuous random read activity from the
virtual machine hard disk on the local datastore attached to the ESXi host.
1. In the Linux01 console, start the fileserver1.sh test script.
./fileserver1.sh
This test script first creates the file to be read, which can take 5 minutes or more.
The test script must run uninterrupted.
2. Monitor the script output.
The output remains silent during file creation.
3. After the Starting with random read message appears, view information in esxtop.
a. Enter d to display device adapter output.
Your instructor conducts an in-class review to compare test results from each group.
1 . Record the conclusions that you draw from the test data collected in tasks 2 through 5.
2. In the Internet Explorer window, leave the vSphere Web Client and the Linux01 tabs open for
the next lab.
You use the esxtop network statistics screen to monitor network performance.
1. View the MTPuTTY session to the sa-esxi-01 host.
MTPuTTY should be logged in to the sa-esxi-01 host, and esxtop should be running.
2. If MTPuTTY is not logged in, and esxtop is not running, start a new MTPuTTY session to
sa-esxi-01.vclass.local.
a. In the MTPuTTY window, open a connection to SA-ESXi-01.
b. Enter esxtop at the command prompt.
c. Set a 10-second update delay.
3. Enter n to switch to the network statistics screen.
4. Remove unused counters to make the esxtop network screen easier to monitor.
a. Enter f to display the Current Field Order table.
b. In the Current Field Order table, enter g and j to remove PKTRX/s and PKTTX/s from the
esxtop display.
Task 2: Prepare the Client and the Server Virtual Machines
You use scripts on the Linux01 and Linux02 virtual machines to generate network traffic so that
network performance can be measured.
The Linux01 virtual machine acts as a client, and the Linux02 virtual machine acts as a server. The
Linux01 virtual machine is connected to the pg-SA Production port group. You move the Linux02
virtual machine to the pg-SA Management port group so that the virtual machines are connected to
different virtual switches, forcing their traffic to traverse the physical network.
1. Migrate the Linux02 virtual machine to the pg-SA Management port group.
a. In the Internet Explorer window, click the vSphere Web Client tab.
d. For the source network, leave Specific network selected, click Browse, select pg-SA
Production, and click OK.
e. For the destination network, click Browse, select the pg-SA Management port group, and
click OK.
f. Click Next.
g. On the Select virtual machines to migrate page, select the Linux02 check box and click
Next.
The Linux02 IP address starts with 172.20.10 (the management network DHCP range).
3. View the IP address of the Linux01 virtual machine.
a. In the left pane, select the Linux01 virtual machine.
b. From the Summary tab, record the Linux01 IP address. _____
The Linux01 IP address starts with 172.20.11 (the production network DHCP range).
4. Start the server on Linux02.
a. In the left pane, right-click the Linux02 virtual machine and select Open Console.
b. In the Linux02 console window, log in as user root with the standard lab password.
c. Navigate to the network scripts folder.
cd netperf
Starting netserver at port 12865
Starting netserver at hostname 0.0.0.0 port 12865
00:00:00 ./netserver
00:00:00 grep netserver
You measure the network performance of the ESXi host network interface with the Linux01 and
Linux02 virtual machines positioned on different physical network segments across a router.
Requests sent from the Linux01 client enter the physical network through the ESXi network
interface vmnic2 that is bound to a dvs-Lab distributed switch uplink. The client requests are routed
to the management network where the Linux02 server is positioned, using the pg-SA Management
port group on the dvs-SA Datacenter distributed switch.
1. Switch to the Linux01 console tab.
2. Start the client on Linux01.
a. Navigate to the network scripts folder.
cd /root/netperf
You use traffic shaping to control the network speed to simulate congestion.
1. Switch to the Internet Explorer window and click the vSphere Web Client tab.
2. Point to the Home icon and select Networking.
3. In the networking inventory, expand the dvs-Lab distributed switch.
4. Right-click the pg-SA Production port group and select Edit Settings.
5. In the Edit Settings dialog box, click Traffic shaping on the left.
Option Action
8. Verify that you configured both ingress and egress traffic shaping and click OK.
9. Monitor network performance and record your findings.
a. Switch to the MTPuTTY window.
b. In the esxtop output, find the vmnic2 physical interface item.
c. After 30 seconds of statistics collection, record the values for vmnic2 in the vmnic2 10 Mb/s
column in the class configuration handout.
MbTX/s
MbRX/s
10. Disable ingress and egress traffic shaping.
a. Switch to the vSphere Web Client tab in the Internet Explorer window.
b. Right-click the pg-SA Production port group and select Edit Settings.
You migrate the Linux02 virtual machine back to the pg-SA Production port group to show that
virtual machines communicating on the same ESXi host and virtual switch port group can
communicate at a faster rate than the rate dictated by the physical network hardware.
1. Stop the client.
a. In the Internet Explorer window, click the Linux01 console tab.
b. In the Linux01 console, press Ctrl+C to stop the test script.
2. Stop the server.
a. Click the Linux02 console tab.
b. In the Linux02 console, end the server program.
ps -ef | grep netserver
kill process_id
In the kill command, process_id is the netserver process ID as reported by the ps
command.
In the example ps output, the netserver process ID is 6487. The screenshot does not
include the leftmost columns of the ps output.
6487 1 0 09:55 ? 00:00:00 ./netserver
7629 6393 2 19:41 pts/1 00:00:00 grep netserver
3. Migrate the Linux02 virtual machine to the pg-SA Production port group.
a. Click the vSphere Web Client tab.
b. In the left pane, right-click the dvs-Lab distributed switch and select Migrate VMs to
Another Network.
c. For the source network, leave Specific network selected, click Browse, select pg-SA
Management, and click OK.
d. For the destination network, click Browse, select the pg-SA Production port group, and
click OK.
e. Click Next.
f. Under Select virtual machines to migrate, select the Linux02 check box and click Next.
g. Click Finish.
h. In the Recent Tasks pane, monitor the migration task to completion.
4. In the Internet Explorer window, click the Linux02 console tab.
The network service might take up to a minute to restart and acquire a new DHCP address.
b. Verify that a new DHCP-assigned address was acquired.
ifconfig
c. In the ifconfig command output, verify that the IP address starts with 172.20.11 (the
production network DHCP range).
d. Record the postmigration Linux02 IP address. _____
Task 6: Restart the Test and Measure Network Activity
You measure network activity when the client and the server communicate across a virtual network
contained within a single ESXi host and port group.
1. In the Linux02 console window, start the server program.
./netserver
You use samples that you recorded to determine whether network performance was affected by the
simulated congestion in an expected manner and to determine the fastest network configuration.
1. Stop the test.
a. Switch to the Internet Explorer window and click the Linux01 console tab.
b. In the Linux01 console, press Ctrl+C to stop the client script.
c. Click the Linux02 console tab.
d. In the Linux02 console, kill the server process to end the server program.
ps -ef | grep netserver
kill process_id
Q2. Which test resulted in the highest throughput (highest values)?
You end esxtop and you close the Linux01 and Linux02 console tabs. You also change the
vSphere DRS automation mode to Fully Automated.
1. In the MTPuTTY window, enter q to end esxtop.
2. Close the MTPuTTY session.
3. In the Internet Explorer window, close the Linux01 and Linux02 console tabs.
4. Power off Linux01 and Linux02.
5. On the vSphere Web Client tab, point to the Home icon and select Hosts and Clusters.
4. On the Setup page for vRealize Log Insight, click Next.
5. On the Choose Deployment Type page, click Start New Deployment.
It can take a couple of minutes to start the new deployment.
6. On the Admin Credentials page, configure the email address and password.
Option Action
11. On the Time Configuration page, synchronize server time with the ESXi host.
a. From the Sync Server Time With drop-down menu, select ESX/ESXi host.
b. Click Save and Continue.
12. On the SMTP Configuration page, click Skip.
You add your vSphere details to vRealize Log Insight so that it can use vSphere logs.
1. In the top-right corner, click the menu icon and select Administration.
Option Action
You create events in the logs of ESXi hosts that will be analyzed by vRealize Log Insight. The
events are to allow and disallow access through the firewall for the SSH client.
1. In vSphere Web Client, point to the Home icon and select Hosts and Clusters.
b. In the Edit Security Profile dialog box, deselect the SSH Client check box.
c. Click OK.
You examine the information provided by the standard dashboards available from vRealize Log
Insight.
7. Click the refresh icon and examine the changes made in the output.
8. In the left pane, select vSphere-Overview and examine the dashboard.
Most of the charts in the dashboard contain no results because vRealize Log Insight is only now
starting to collect data.
9. In the left pane, select vSphere-ESXi and examine the dashboard.
10. View the ESX/ESXi VOB events by component and event type panel.
The firewall.config.changed event type has a count of 6, which corresponds to the number of
times that you changed the firewall configuration on your ESXi hosts in task 3.
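The reconciliation described above, matching the firewall.config.changed count against the changes you know you made, can be scripted against exported log lines. This is an added example, not part of the lab manual or of vRealize Log Insight: the log lines, host names other than sa-esxi-01, timestamps, and the key=value layout are constructed assumptions.

```python
"""Reconcile firewall.config.changed events against planned changes."""
import re
from collections import Counter

# Constructed sample lines in a simplified key=value layout (an assumption;
# this is not the export format of vRealize Log Insight or of ESXi syslog).
SAMPLE_LOG = """\
2017-01-10T09:01:12Z sa-esxi-01 event=firewall.config.changed ruleset=sshClient op=disable
2017-01-10T09:01:55Z sa-esxi-01 event=firewall.config.changed ruleset=sshClient op=enable
2017-01-10T09:02:03Z sa-esxi-01 event=vm.powered.on vm=Linux01
2017-01-10T09:03:20Z sa-esxi-02 event=firewall.config.changed ruleset=sshClient op=disable
2017-01-10T09:03:48Z sa-esxi-02 event=firewall.config.changed ruleset=sshClient op=enable
this line is truncated and must be skipped
2017-01-10T09:05:10Z sa-esxi-03 event=firewall.config.changed ruleset=sshClient op=disable
2017-01-10T09:05:41Z sa-esxi-03 event=firewall.config.changed ruleset=sshClient op=enable
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+event=(?P<event>\S+)(?P<rest>.*)$")


def parse_events(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = {"ts": m["ts"], "host": m["host"], "event": m["event"]}
        event.update(re.findall(r"(\w+)=(\S+)", m["rest"]))
        yield event


def firewall_changes(text):
    """Only the events of the type shown on the vSphere-ESXi dashboard."""
    return [e for e in parse_events(text)
            if e["event"] == "firewall.config.changed"]


def count_by_host(changes):
    return Counter(e["host"] for e in changes)


def final_state(changes):
    """Last recorded operation per (host, ruleset), ordered by timestamp."""
    state = {}
    for e in sorted(changes, key=lambda e: e["ts"]):
        state[(e["host"], e.get("ruleset", "?"))] = e.get("op", "?")
    return state


def reconcile(changes, expected):
    """Per-host difference between observed and planned change counts.

    A positive value means more changes were logged than were planned,
    which is the case worth investigating.
    """
    observed = count_by_host(changes)
    hosts = set(observed) | set(expected)
    diff = {h: observed.get(h, 0) - expected.get(h, 0) for h in hosts}
    return {h: d for h, d in sorted(diff.items()) if d != 0}


if __name__ == "__main__":
    planned = {"sa-esxi-01": 2, "sa-esxi-02": 2, "sa-esxi-03": 2}
    found = firewall_changes(SAMPLE_LOG)
    print("total changes:", len(found))
    print("unplanned:", reconcile(found, planned))
    print("final state:", final_state(found))
```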
You use vRealize Log Insight interactive analytics to search for types of events.
1. At the top of the vRealize Log Insight interface, click Interactive Analytics.
2. From the Chart Type drop-down menu, near the middle-right side of the window, select Line.
b. From the time range drop-down menu, select Latest 6 hours of data.
d. View all the events that are found.
You use the reporting feature in vRealize Log Insight to examine the resources that it is using.
1. In the top-right corner, click the menu icon and select Administration.
2. In the left pane, select System Monitor.
3. In the center pane, select Resources and examine the output.
4. In the center pane, select Statistics and examine the output.
You log in to vRealize Log Insight as a user other than Admin, and you access various dashboards.
1. At the top right of the vRealize Log Insight interface, click admin and select Logout.
2. Log in to vRealize Log Insight as user regadmin.
a. In the Username text box, enter regadmin.
b. In the Password text box, enter the standard lab password and click Login.
3. Verify that Interactive Analytics does not appear at the top of the vRealize Log Insight
interface.
The user regadmin is allowed only to view dashboards.
b. Ensure that General is selected from the drop-down menu at the top of the left pane.
c. In the left pane, select Overview and examine the dashboard.
d. In the left pane, select Event Types and examine the dashboard.
e. In the left pane, select Security and examine the dashboard.
f. From the drop-down menu at the top of the left pane, select VMware - vSphere.
In preparation for the next lab, you add a second adapter to the VCHA virtual machine and you
power on the VCHA virtual machine.
1. In the vSphere Web Client tab, point to the Home icon and select Hosts and Clusters.
2. Add a second network adapter to the VCHA virtual machine.
a. In the left pane, right-click VCHA and select Edit Settings.
The Edit Settings dialog box appears.
b. Near the bottom of the dialog box, select Network from the New device drop-down menu.
c. Click Add.
The new network adapter is added to the virtual hardware list.
d. Select pg-VCHA-Cluster from the New Network drop-down menu.
You might have to select Show more networks from the drop-down menu before you can
select the pg-VCHA-Cluster network.
e. In the Edit Settings dialog box, click OK.
At the end of lab 13, you added the second network adapter to the vCenter Server Appliance
instance that you will use for this lab exercise. The second network adapter is used for the private,
vCenter Server High Availability network, which is used for communication between the vCenter
Server High Availability nodes.
You ensure that the vCenter Server Appliance instance is powered on, you view information about
the network adapters, and you verify that the second network adapter is online.
1. In the Internet Explorer window, click the vSphere Web Client tab.
2. Point to the Home icon and select Hosts and Clusters.
3. In the left pane, verify that the VCHA virtual machine is powered on.
4. If you did not power on VCHA before the start of the lab, power on the virtual machine now.
5. View information about the network adapters connected to VCHA.
a. In the left pane, select VCHA.
b. In the center pane, click the Summary tab.
f. Under Networking Interfaces, verify that both nic0 and nic1 are up.
You use vSphere Web Client to log in to the vCenter Server Appliance instance that will be
configured for high availability.
1. Open a new tab in Internet Explorer.
2. In the Favorites bar, select vSphere Web Clients > VCHA.
3. When the security exception for vSphere Web Client appears, click the Continue to this
website link to display the login screen.
If you did not power on VCHA before the start of this lab, then the Web server takes a few
minutes to initialize. When the Web server finishes initializing, the VMware vCenter Single
Sign-On login page appears.
4. In the User name text box, enter administrator@vcha.local.
The domain is vcha.local, not vsphere.local.
5. In the Password text box, enter the standard lab password.
6. Click Login.
The vSphere Web Client page appears.
You configure the vCenter Server Appliance instance for high availability. You perform the
advanced configuration, which means that you must manually create the passive node and the
witness node.
1. In the left pane, select vcha.vclass.local.
2. In the center pane, click the Configure tab and select vCenter HA on the left.
3. In the upper-right corner of the center pane, click Configure.
The Configure vCenter HA wizard appears.
4. On the Select a configuration option page, select Advanced and click Next.
5. On the Connection IP settings page, configure the IP settings for the passive node and the
witness node.
a. Under Passive Node, enter 192.168.1.96 in the vCenter HA IP address text box.
This address is the IP address on the private vCenter Server High Availability network for
the passive node.
b. In the Subnet mask (prefix for IPv6) text box, enter 255.255.255.0.
c. Under Witness Node, enter 192.168.1.97 in the vCenter HA IP address text box.
This address is the IP address on the private network for the witness node.
d. In the Subnet mask (prefix for IPv6) text box, enter 255.255.255.0.
e. Click Next.
The Clone VMs page appears. Do not click Finish yet.
You must create the passive node and the witness node before you can complete the
vCenter Server High Availability configuration.
You create the passive node by cloning the vCenter Server High Availability active node. The active
node is the vCenter Server Appliance instance, VCHA. The passive node is created on
sa-esxi-02.vclass.local.
1. In Internet Explorer, switch to the vSphere Web Client tab for sa-vcsa-01.vclass.local.
2. In the left pane, right-click VCHA and select Clone > Clone to Virtual Machine.
The Clone Existing Virtual Machine wizard appears.
3. On the Select a name and folder page, enter VCHA-Passive for the virtual machine name and
click Next.
5. Click Next.
6. On the Select storage page, select the datastore and virtual disk format.
a. Select SA-ESXi-02-Local.
b. From the Select virtual disk format drop-down menu, select Same format as source.
c. Click Next.
7. From the Select clone options page, select the Customize the operating system check box and
select the Power on virtual machine after creation check box.
8. Click Next.
9. On the Customize guest OS page, create a new customization specification for the passive node.
A preconfigured customization specification named VCHA Passive Specification was created
for the sake of convenience. As an alternative to performing step 9, you can select VCHA
Passive Specification and click Next, instead of creating a new customization specification.
c. On the Computer Name page, select the Enter a name check box and enter vcha in the
text box.
The computer name of the passive node must match the computer name of the active node.
d. In the Domain name text box, enter vclass.local and click Next.
e. On the Time Zone page, configure the time zone settings and click Next.
f. On the Configure Network page, select NIC1 and click the Edit icon.
g. Click Use the following IP settings.
l. On the Configure Network page, select NIC2 and click the Edit icon.
11. View the Recent Tasks pane and monitor the Clone Virtual Machine task to completion.
This task takes several minutes to complete.
You must wait for this task to complete before going to the next task.
12. In the left pane, verify that the VCHA-Passive virtual machine appears and is powered on.
You create the witness node by cloning the vCenter Server High Availability active node. The active
node is the vCenter Server Appliance instance, VCHA. The witness node is created on
sa-esxi-03.vclass.local.
1. In the left pane, right-click VCHA and select Clone > Clone to Virtual Machine.
The Clone Existing Virtual Machine wizard appears.
2. On the Select a name and folder page, enter VCHA-Witness for the virtual machine name and
click Next.
3. On the Select a compute resource page, expand the SA Management cluster and select
sa-esxi-03.vclass.local.
4. Click Next.
5. On the Select storage page, select the datastore and virtual disk format.
a. Select SA-ESXi-03-Local.
b. From the Select virtual disk format drop-down menu, select Same format as source.
c. Click Next.
6. From the Select clone options page, select the Customize the operating system check box and
select the Power on virtual machine after creation check box.
7. Click Next.
c. On the Computer Name page, select the Enter a name check box and enter vcha
witness in the text box.
The computer name of the witness node must not match the computer name of the active
node.
d. In the Domain name text box, enter vclass.local and click Next.
e. On the Time Zone page, configure the time zone settings and click Next.
f. On the Configure Network page, select NIC1 and click the Edit icon.
g. Leave Use DHCP to obtain an IP address automatically clicked and click OK.
h. On the Configure Network page, select NIC2 and click the Edit icon.
i. Click Use the following IP settings, configure the IP settings for NIC2, and click OK.
l. Click Next.
m. On the Ready to complete page, review the settings and click Finish.
The Clone Existing Virtual Machine wizard reappears.
n. On the Customize guest OS page, select the witness node customization specification that
you created and click Next.
9. On the Ready to complete page, review the settings and click Finish.
10. View the Recent Tasks pane and monitor the Clone Virtual Machine task to completion.
This task takes several minutes to complete.
You must wait until this task completes before continuing.
11. In the left pane, verify that the VCHA-Witness virtual machine appears and is powered on.
12. Wait at least one minute before going to the next task.
Waiting for at least one minute gives the wizard enough time to finish preparing the witness
node.
With the passive node and the witness node created, you finish configuring vCenter Server High
Availability on the high availability vCenter Server Appliance instance.
1. In Internet Explorer, switch to the vSphere Web Client tab for vcha.vclass.local.
The Configure vCenter HA wizard is open.
2. On the Clone VMs page, click Finish to complete the vCenter High Availability configuration.
c. Verify that the health is good for the active, passive, and witness nodes.
d. In the upper-right corner of the center pane, click the vCenter HA Settings link.
You remove the existing passive and witness nodes, and you revert the VCHA virtual machine to a
known good starting point.
IMPORTANT
Perform this task only if your vCenter Server High Availability configuration failed in task 6. If you
successfully configured vCenter Server High Availability in task 6, go to task 8.
1. In Internet Explorer, switch to the vSphere Web Client tab for sa-vcsa-01.local.
2. Point to the Home icon and select Hosts and Clusters.
3. Power off the VCHA, VCHA-Passive, and VCHA-Witness virtual machines.
4. Revert to the last snapshot for VCHA.
a. Right-click VCHA and select Snapshots > Revert to Latest Snapshot.
b. Click Yes to confirm reverting to the latest (most recent) snapshot.
The latest snapshot has network adapter 2 already configured for you.
5. Delete the VCHA-Passive and VCHA-Witness virtual machines.
a. Right-click VCHA-Passive and select Delete from Disk.
You use vSphere Web Client to initiate a vCenter Server failover from the active vCenter Server
Appliance instance.
1. In the upper-right corner in the center pane, click Initiate Failover.
2. In the Initiate vCenter HA Failover window, click Yes.
As the failover takes place, connectivity to the vCenter Server Appliance instance is lost for a
short time.
It might take 5 minutes before you see the Connection Error dialog box indicating a loss of
connectivity to the vCenter Server Appliance instance.
3. After connectivity to the vCenter Server instance is lost, close the vSphere Web Client tab to
vcha.vclass.local.
4. Open a new tab and select vSphere Web Clients > VCHA in the Favorites bar.
Failover takes several minutes to complete. It will still be in progress.
5. Periodically click the Refresh icon in the Web browser to refresh the tab.
You can expect to see Failover in Progress messages every time you refresh the browser
page for as long as 15 minutes before you see the VMware vCenter Single Sign-On screen.
Failover is complete when the VMware vCenter Single Sign-On screen appears.
You use vSphere Web Client to examine the settings and events to verify that the active vCenter
Server instance is the peer vCenter Server instance.
1. In the vSphere Web Client tab for vcha.vclass.local, log in as administrator@vcha.local with
the standard lab password.
It might take up to 5 minutes after you log in before the vSphere Web Client screen appears.
2. In the left pane, click vcha.vclass.local at the top of the inventory tree.
3. In the center pane, click the Configure tab and click vCenter HA on the left.
4. In the center pane, select the Active node.
5. In the Active Settings pane, view the IP address of the active node.
The IP address belongs to the VCHA-Passive virtual machine.
6. Verify that the virtual machine is the passive node, VCHA-Passive.
7. In the center pane, click the Monitor tab and click Tasks & Events.
In preparation for the next lab, you power on the LAB-VCS-01 virtual machine.
1. On the vSphere Web Client tab for sa-vcsa-01.vclass.local, point to the Home icon and select
Hosts and Clusters.
You log in to the Windows vCenter Server 5.5 system, verify that vCenter Server is running, and
view its inventory.
1. In the Internet Explorer window, go to the vSphere Web Client tab for sa-vcsa-01.vclass.local.
2. Point to the Home icon and select Hosts and Clusters.
3. In the left pane, verify that the LAB-VCS-01 virtual machine is powered on.
4. If the LAB-VCS-01 virtual machine is not powered on, power it on and wait a few minutes for
it to boot up completely and for the vCenter services to start.
5. Use vSphere Web Client to log in to the Windows vCenter Server system.
a. Open a new tab in Internet Explorer.
b. From the Favorites bar, select vSphere Web Clients > LAB-VCS-01.
If you did not power on LAB-VCS-01 before the start of this lab, then it takes a few
minutes for the vSphere Client Web server to initialize. When the Web server finishes
initializing, the vSphere Web Client login screen appears.
d. In the login screen, enter administrator@vsphere.local in the User name text box.
e. In the Password text box, enter the standard lab password and click Login.
Task 2: Start the Migration Assistant on the Windows vCenter Server
System
The Migration Assistant is an application that runs on the Windows vCenter Server 5.5 system. You
use the Migration Assistant to extract the configuration data from the Windows vCenter Server 5.5
system and send it to a vCenter Server Appliance 6.5 instance.
The Migration Assistant is in the migration-assistant folder.
IMPORTANT
You use the vCenter Server Appliance installer to perform stage 1 of the migration process.
1. Mount the vCenter Server Appliance installer ISO file.
a. On the Student-a-01 desktop, double-click Class Materials and Licenses.
b. Double-click Downloads.
c. Double-click VMware-VCSA-all-6.5.0.iso.
This file contains the vCenter Server Appliance installer ISO image.
The installer ISO file is mounted as the E: drive.
2. Run the vCenter Server Appliance installer program.
a. Navigate to vcsa-ui-installer\win32.
The installer.exe file is in this folder.
b. Double-click installer.exe to start the migration process.
c. If you see a security warning, click Run.
The vCenter Server Appliance 6.5 Installer window appears.
3. Select the Migrate option.
The Migrate - Stage 1: Deploy appliance wizard appears.
4. On the Introduction page, read the information about what occurs during the migration process
and click Next.
5. On the End user license agreement page, accept the license agreement and click Next.
6. On the Connect to source server page, specify the Windows vCenter Server instance.
a. In the Source Windows server text box, enter lab-vcs-01.vclass.local.
b. In the SSO password text box, enter the standard lab password and click Next.
c. In the Verify Thumbprint window, click Yes to accept the certificate.
12. Click Next.
c. If you receive a security exception for VMware Host Client, click the Continue to this
website link.
The Stage 2: vCenter Server Appliance with an Embedded PSC wizard appears.
3. Click Next.
4. On the Select migration data page, select Configuration, events, tasks, and performance
metrics and click Next.
5. On the Configure CEIP page, deselect the Join the VMware's Customer Experience
Improvement Program (CEIP) check box and click Next.
6. On the Ready to complete page, select the I have backed up the source vCenter Server and
all the required data from the database check box.
7. Click Finish.
The Shutdown Warning window warns that vCenter Server will shut down when the network
configuration is enabled on the destination vCenter Server Appliance.
You confirm that the Windows vCenter Server system was migrated to vCenter Server Appliance.
1. Use vSphere Web Client to log in to the newly migrated vCenter Server instance.
a. Open a new Internet Explorer tab.
b. From the Favorites bar, select vSphere Web Clients > LAB-VCS-01.
c. If you receive a security exception for vSphere Web Client, click the Continue to this
website link to display the login screen.
d. Log in with the vCenter Server Appliance user name and the standard lab password.
2. Point to the Home icon and select Hosts and Clusters.
You delete the new vCenter Server Appliance instance to free up resources in the lab.
1. Click the vSphere Web Client tab for sa-vcsa-01.vclass.local.
2. Point to the Home icon and select Hosts and Clusters.
3. In the left pane, select VCSA-02.vclass.local.
4. Shut down VCSA-02.vclass.local.
5. Right-click VCSA-02.vclass.local and select Delete from Disk.
6. Point to the Home icon and select Home.
You use vSphere Web Client to start VMware vSphere ESXi Shell and SSH services on your
host.
1. In the Internet Explorer window, click the vSphere Web Client tab to sa-vcsa-01.vclass.local.
2. Point to the Home icon and select Hosts and Clusters.
3. In the left pane, select sa-esxi-01.vclass.local.
4. In the center pane, click the Configure tab.
5. On the left under System, click Security Profile.
6. In the center pane, scroll down to the Services panel.
To make navigation easier, you can minimize the Firewall Incoming Connections list and the
Firewall Outgoing Connections list.
7. Click Edit next to Services.
8. Verify that the vSphere ESXi Shell service is running.
a. In the Edit Security Profile window, select ESXi Shell.
b. In the Service Details pane, confirm that the correct settings are configured.
Startup policy is set to Start and stop with host.
Status is Running.
c. If the correct settings are not configured, change the startup policy to Start and stop with
host and click Start.
By default, this service is not configured to start with the host. This setting was enabled as
part of the lab kit configuration.
9. Verify that the SSH service is running.
a. In the Edit Security Profile window, select SSH.
b. In the Service Details pane, confirm that the correct settings are configured.
Startup policy is set to Start and stop with host.
Status is Running.
c. If the correct settings are not configured, change the startup policy to Start and stop with
host and click Start.
By default, this service is not configured to start with the host. This setting was enabled as
part of the lab kit configuration.
d. Click OK.
You use MTPuTTY to connect to the ESXi host and confirm that SSH is working.
1. Click MTPuTTY in the Windows desktop taskbar.
The MTPuTTY utility window appears.
2. In the left pane, double-click SA-ESXi-01.
A new SA-ESXi-01 tab opens in the center pane.
MTPuTTY is configured to automatically log in to the ESXi host as user root.
3. If the login is successful, enter exit.
You use vSphere Web Client to enable lockdown mode for your assigned ESXi host.
1. In the Internet Explorer window, click the vSphere Web Client tab.
2. In the left pane, select sa-esxi-01.vclass.local.
3. In the center pane, click the Configure tab.
4. On the left, click Security Profile and scroll down until the Lockdown Mode panel is visible.
5. Enable normal lockdown mode.
a. Click Edit next to Lockdown Mode.
The Lockdown Mode wizard appears.
b. On the Lockdown Mode page, click Normal.
c. Click Exception Users on the left.
Users are not listed.
d. Click OK.
6. Verify that normal lockdown mode works properly.
The user root must be denied access in an SSH session. In general, all users, including user root,
will be denied access in an SSH session.
a. Go to the MTPuTTY window.
b. In the left pane, double-click SA-ESXi-01.
MTPuTTY automatically tries to log in as root.
c. Verify that user root is not logged in and that the Access Denied message appears.
d. Close the MTPuTTY window.
The DCUI.Access list is a list of local users on an ESXi host. These users have rights to disable
lockdown mode when a catastrophic failure occurs and administrators need direct host access again.
These users do not need the administrator role on the ESXi host.
1. In the center pane on the left, click Advanced System Settings under System.
2. In the Advanced System Settings pane, scroll down to the DCUI.Access entry.
You can also use the Filter box and search for "DCUI."
3. Examine the value of the DCUI.Access setting.
The root user is added to the DCUI.Access list by default. Thus, the root user can disable
lockdown mode but cannot bypass lockdown mode.
4. Point to the Home icon and select Home.
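The lockdown and DCUI.Access behaviour from the preceding tasks can be written down as a small access model and host audit. This is an added example, not VMware or lab code: the Host and Service classes are hypothetical, and the treatment of exception users and of strict lockdown mode follows VMware's documented behaviour rather than anything this lab demonstrates.

```python
from dataclasses import dataclass, field

START_WITH_HOST = "Start and stop with host"   # startup policy text used in the lab


@dataclass
class Service:
    running: bool
    policy: str


@dataclass
class Host:
    name: str
    lockdown: str                                   # "disabled", "normal" or "strict"
    services: dict = field(default_factory=dict)    # "SSH" / "ESXi Shell" -> Service
    dcui_access: tuple = ("root",)                  # value of the DCUI.Access setting
    exception_admins: tuple = ()                    # Exception Users with the administrator role


def ssh_allowed(host, user):
    """Can `user` open an SSH session to the host?"""
    svc = host.services.get("SSH")
    if svc is None or not svc.running:
        return False
    if host.lockdown == "disabled":
        return True   # assumption: `user` is a valid local account with shell access
    # Normal and strict lockdown: every user, root included, is denied
    # unless the account is an exception user with administrator rights.
    return user in host.exception_admins


def dcui_allowed(host, user):
    """Can `user` reach the DCUI, and from there disable lockdown mode?"""
    if host.lockdown == "strict":
        return False  # strict mode stops the DCUI service
    if host.lockdown == "disabled":
        return True   # assumption: `user` has administrator rights on the host
    return user in host.dcui_access or user in host.exception_admins


def audit(host):
    """Return findings worth reviewing before the host leaves the lab."""
    findings = []
    for name in ("SSH", "ESXi Shell"):
        svc = host.services.get(name)
        if svc and svc.running and svc.policy == START_WITH_HOST:
            findings.append(f"{name}: running with policy '{START_WITH_HOST}' (not the default)")
    if host.lockdown == "disabled":
        findings.append("lockdown mode is disabled: local accounts can log in directly")
    if host.exception_admins:
        findings.append("exception users bypass lockdown: " + ", ".join(sorted(host.exception_admins)))
    if host.lockdown == "normal" and not host.dcui_access and not host.exception_admins:
        findings.append("no DCUI.Access or exception user: nobody can disable lockdown locally")
    return findings


# Constructed inputs. LAB_HOST mirrors the state the lab leaves sa-esxi-01 in;
# the exception user "svc-monitor" is a made-up account for the second case.
LAB_SERVICES = {
    "SSH": Service(running=True, policy=START_WITH_HOST),
    "ESXi Shell": Service(running=True, policy=START_WITH_HOST),
}
LAB_HOST = Host("sa-esxi-01.vclass.local", "normal", LAB_SERVICES)
HOST_WITH_EXCEPTION = Host("sa-esxi-01.vclass.local", "normal", LAB_SERVICES,
                           exception_admins=("svc-monitor",))

if __name__ == "__main__":
    for host in (LAB_HOST, HOST_WITH_EXCEPTION):
        print(host.name, "lockdown:", host.lockdown, "exceptions:", host.exception_admins)
        print("  root over SSH:", ssh_allowed(host, "root"))
        print("  root at DCUI :", dcui_allowed(host, "root"))
        for finding in audit(host):
            print("  finding:", finding)
```

For LAB_HOST the model gives the result from the lab: root is refused over SSH but can still reach the DCUI, and the audit flags both services because they start with the host.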
You examine the default certificates issued by VMware Certificate Authority in a nonproduction
vCenter Server system.
1. In the Internet Explorer window, go to the vSphere Web Client tab for sa-vcsa-01.vclass.local.
2. Point to the Home icon and select Administration.
3. In the left pane, click System Configuration.
4. In the left pane, click Nodes and click sa-vcsa-01.vclass.local.
5. In the center pane, click the Manage tab and click Certificate Authority.
6. In the Certificate Authority panel, click the Verify password link.
7. In the Password text box, enter the standard lab password and click OK.
Q1. How many active certificates are in the certificate store for this node?
11. Click OK.
12. Widen the Subject column in the center pane until you can see the CN= part of the subject
name for each certificate.
13. Select the first certificate in the list that has a Subject field that begins with OU=.
14. Click the Show Details for certificate icon.
Q5. Based on the Common name field under Subject, what is the type of this
certificate?
15. Click OK.
Q7. What are the names of the solution users that have certificates (from the
Subject field)?
Q8. What is the organization in the Issuer section of this certificate?
Task 2: Create a Windows 2012 Certificate Authority Template for
vSphere
You create a vSphere 6.5 certificate template on a Windows 2012 Server domain controller that you
can use to create certificates that work with vSphere 6.5. The certificate template can be used to
create machine SSL or solution user certificates in VMware CA.
1. Open a console to dc.vclass.local.
a. Click the Remote Desktop Connection Manager icon in the Windows desktop toolbar.
The Remote Desktop Connection Manager window appears.
b. In the left pane, double-click DC (vclass.local).
The desktop for dc.vclass.local appears in the center pane.
You are automatically logged in as a domain administrator.
f. Click OK.
g. Select Application Policies and click Edit.
h. In the Edit Application Policies Extension dialog box, click Add and select Client
Authentication.
j. Click the Request Handling tab and select the Allow private key to be exported check box.
k. Click OK to save the new certificate template.
l. Close the Certificate Templates Console window.
You use vSphere Certificate Manager to create a certificate signing request (CSR) that you use to
request a signed custom certificate from the domain controller certificate authority (CA) for the lab.
1. Start an SSH session with SA-VCSA-01.
a. Click MTPuTTY in the Windows desktop toolbar.
The MTPuTTY utility window appears.
b. In the left pane, double-click SA-VCSA-01.
A new SA-VCSA-01 tab opens in the center pane.
c. Enter shell to start a Bash shell.
2. Create a certificate signing request.
a. Enter /usr/lib/vmware-vmca/bin/certificate-manager and press Enter.
The vSphere Certificate Manager program starts.
b. Enter 1 to select the Replace Machine SSL certificate with Custom Certificate option.
c. Press Enter to accept the default user name of Administrator@vsphere.local.
d. Enter the standard lab password.
e. Enter 1 to select the Generate Certificate Signing Request option.
f. For the output directory path, enter /var/tmp.
The /var/tmp directory on Linux and UNIX systems is a temporary directory. The
contents of the /var/tmp directory are not deleted during a reboot.
You download the CSR from the vCenter Server system to your student desktop.
1. Enter chsh -s /bin/bash to temporarily change the login shell of the root account to
/bin/bash.
This step is necessary for WinSCP to connect to the vCenter Server system so that you can
download the CSR to your student desktop.
2. Start the WinSCP application.
a. On the student desktop taskbar, click the WinSCP icon.
You request a signed custom certificate from the domain controller CA for the lab.
1. Copy the contents of the vmca_issued_csr.csr file to the clipboard.
a. On your student desktop, open Windows Explorer and navigate to the
C:\Materials\Downloads folder.
f. Under Saved Request, press Ctrl+V to paste the CSR text into the Base-64-encoded
certificate request text box.
The filename is case-sensitive and must exactly match the correct filename in order for the
script to use it.
directory.
b. Right-click the cachain.p7b file and select Open.
The Certificate Manager Console opens.
c. In the left pane, expand the inventory tree until you see the Certificates folder.
d. Select the Certificates folder.
You should see two certificates: the root certificate for your domain controller and the
custom certificate for your vCenter Server Appliance instance.
For the custom certificate, VMware.vSphere65 appears under the Certificate
Template column at the far right.
e. To export the root certificate, right-click the root certificate vclass-DC-CA and select All
Tasks > Export.
The filename is case-sensitive and must exactly match the correct filename in order for the
script to use it.
k. Click Save.
l. On the File to Export page, click Next.
m. Click Finish.
n. Click OK.
Task 6: Replace a Machine Certificate with the New Custom Certificate
You replace the machine SSL certificate for vCenter Server with the new custom certificate so that
VMware CA acts as a subordinate CA to the domain controller CA.
1. Copy the certificate files from the student desktop to the vCenter Server system.
a. Switch to the WinSCP window.
b. In the WinSCP window, drag the machine_ssl.cer and root-64.cer files from the
C:\Materials\Downloads folder to the /var/tmp folder in the right pane.
This action copies the certificate files from the student desktop to the vCenter Server
system.
2. In the MTPuTTY session, change the login shell of the root account back to the vCenter Server
Appliance shell.
a. Switch to the MTPuTTY window.
b. If the SSH session to SA-VCSA-01 is not open, reconnect to SA-VCSA-01.
c. If you see the message timed out waiting for input: auto-logout, enter shell.
d. Enter chsh -s /bin/appliancesh to change the login shell of the root account back to
the vCenter Server Appliance shell.
This step returns the vCenter Server system to its more secure posture.
Option Action
Please provide valid custom key for Machine SSL    Enter vmca_issued_key.key.
You must wait for the process to complete. This process takes several minutes while the
services are restarted.
During this operation, notice the number of services that are updated.
h. Wait until the 100% Complete [All tasks completed successfully] message
appears.
i. After the operation is 100 percent complete, press Ctrl+D.
Q1. What color is the background of the Internet Explorer location bar?
5. In Internet Explorer, click the Security report icon (padlock) to the right of the Location text
box.
6. View information about the machine certificate.
a. Click the View certificates link.
The Certificate dialog box appears.
In this dialog box, you can view the machine certificate that was used to authenticate the
vCenter Server system.
b. Click the Details tab.
c. Scroll down and click Subject Alternative Name.
QS. Why does Internet Explorer on your student desktop trust the vCenter Server
certificate?
You verify that you can access the key management server (KMS).
The KMS used in this lab is a simple Python-based key server that keeps keys while the KMS is running.
1. Use MTPuTTY to log in to vCenter Server Appliance.
a. On the taskbar, click the MTPuTTY icon.
b. In the left pane, double-click SA-VCSA-01.
You are logged in to vCenter Server Appliance as user root.
2. Ping sa-keyserver-01, the key management server.
a. At the command prompt, enter shell.
b. At the shell command prompt, ping the key management server.
ping sa-keyserver-01
You register the KMS with vCenter Server, and you mark the KMS cluster as the default.
1. Point to the Home icon and select Hosts and Clusters.
2. At the top of the left pane, select sa-vcsa-01.vclass.local.
3. In the center pane, click the Configure tab and click Key Management Servers on the left.
4. Click Add KMS.
5. In the Add KMS dialog box, enter SA KMS-Cluster in the Cluster name text box.
6. In the Server alias text box, enter KMS1.
7. In the Server address text box, enter 172.20.10.201.
You create a virtual machine storage policy that includes only the encryption common rule.
Although a prebuilt policy called VM Encryption Policy is available, you should understand how
the policy is created.
1. Point to the Home icon and select Policies and Profiles.
13. Verify that your encryption policy appears in the storage policies list.
3. In the Edit VM Storage Policies dialog box, select SA Encryption Policy from the VM storage
policy drop-down menu.
You use encrypted vSphere vMotion to migrate VM01 (the encrypted virtual machine) and VM02
(an unencrypted virtual machine) to a different host.
1. View the vSphere vMotion encryption state on VM01.
a. In the left pane, right-click VM01 and select Edit Settings.
b. Click the VM Options tab.
c. Expand the Encryption panel.
Because VM01 is encrypted, the Encrypted vMotion state is always Required and cannot
be changed.
d. Click Cancel.
Task 6: Run a Compliance Check and Remediate the Configuration Drift
1. The Virtual Network Setting category appears. If the category was previously reported, a new
issue is added relating to the uplink reconfiguration.
2. Yes. The uplink is not connected to the expected physical NIC on dvs-Lab.
3. Yes.
Lab 10: Monitoring Memory Performance
Task 6: Replace a Machine Certificate with the New Custom Certificate
1. The location bar can be blue or gray, but it should not be red.
2. The certificate was issued to the vCenter Server-Platform Services Controller system,
sa-vcsa-01.vclass.local.
3. The domain controller CA issued the certificate.
4. The certificate was signed now, so it is valid from today.
5. The domain controller CA is the root. The vCenter Server certificate is subordinate to
the root certificate.
6. The student desktop is a member of the same Active Directory domain, and Internet Explorer
is using the same certificate store. Because the vCenter Server certificate is signed by the
domain controller CA, Internet Explorer trusts the subordinate certificate.