Since this isn’t a testable section, we won’t cover this. If there is enough of an ask, I may add a bit in here.
We’ve already discussed use cases and why you might utilize snapshots. Now let’s take a look at how to create and manage snapshots. There are several ways we can access snapshots. One is by right-clicking on the VM and then choosing “Snapshots.”
Another way you can access snapshots is to go to the Snapshots tab for the VM.
The method for taking a snapshot is pretty straightforward. You click on the “Take Snapshot” button in either of those, and it will prompt you with a new window. That window looks like this.
You should fill in a descriptive name for it (perhaps outlining why and the date and time) and then decide if you want to include the VM’s memory contents. If you decide to include the memory, there is no need to quiesce the guest file system, so that option will remain grayed out. If you uncheck the memory box, the other will become available. Quiescing will allow you to stun or pause the VM briefly to ensure there is no data in-flight that is not snapshotted. Once you finish, this is what the tab will look like (if you notice, I took 2 snapshots to show the tree effect).
You can see the first one on top, then one more I made underneath. On the right side, you can see the details about the snapshot. I can do several things now with the snapshots. I can revert to one or delete it. If I revert to the first one, that will change where I am in the timeline. Here is what happens.
If I had deleted the first one, I would have stayed in the same place, but it would have merged the next snapshot changes, if any. If I delete the second one while I am reverted to the first, the second one just goes away. And if I delete all, it will just merge all changes. Keep in mind, if you hadn’t snapshotted the memory and you revert, it will turn the machine off to revert. The same is true when deleting. Here is a handy table from VMware to tell if the machine will be powered off or not.
Again, you don’t want to have snapshots running too long, and make sure you name them descriptively so that if you do have to come back at some point, you know what has been snapshotted.
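The same snapshot workflow from PowerCLI, as an added example that is not part of the original guide: one function takes a descriptively named snapshot with either memory or quiescing, and one lists snapshots that have been left running too long. The VM name, the reason text, and the 3-day threshold are assumptions, and an existing Connect-VIServer session is presumed.

```powershell
# Added example. Assumes VMware PowerCLI is loaded and Connect-VIServer has
# already been run. 'TestVM' and the 3-day threshold are illustrative values.

function New-ChangeSnapshot {
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [string] $Reason,
        [switch] $IncludeMemory
    )
    $vm   = Get-VM -Name $VMName -ErrorAction Stop
    # Name carries the reason plus date and time, as the guide recommends.
    $name = '{0} {1:yyyy-MM-dd HH:mm}' -f $Reason, (Get-Date)

    if ($IncludeMemory) {
        # Memory is captured, so quiescing is not used.
        New-Snapshot -VM $vm -Name $name -Description $Reason -Memory
    }
    elseif ($vm.PowerState -eq 'PoweredOn') {
        # No memory: quiesce the guest file system (needs VMware Tools).
        New-Snapshot -VM $vm -Name $name -Description $Reason -Quiesce
    }
    else {
        New-Snapshot -VM $vm -Name $name -Description $Reason
    }
}

function Get-StaleSnapshot {
    param([int] $OlderThanDays = 3)
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    Get-VM | Get-Snapshot |
        Where-Object { $_.Created -lt $cutoff } |
        Sort-Object Created |
        Select-Object @{N = 'VM'; E = { $_.VM.Name } }, Name, Created,
                      @{N = 'SizeGB'; E = { [math]::Round($_.SizeGB, 1) } },
                      # Power state the VM returns to if this snapshot is reverted.
                      @{N = 'StateOnRevert'; E = { $_.PowerState } }
}

New-ChangeSnapshot -VMName 'TestVM' -Reason 'Before patching'
Get-StaleSnapshot -OlderThanDays 3 | Format-Table -AutoSize

# Revert to, or delete, a specific snapshot:
#   $snap = Get-Snapshot -VM 'TestVM' -Name 'Before patching*'
#   Set-VM -VM 'TestVM' -Snapshot $snap -Confirm:$false
#   Remove-Snapshot -Snapshot $snap -Confirm:$false
```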
There are several options available to you to create a new virtual machine. When you right-click on a cluster, host, or folder and select New Virtual Machine, you will be presented with the following menu.
There are several options to create a new VM there. You can also right-click and select Deploy OVF template, or you can create a preconfigured VM appliance. You can also create a VM from a physical machine using the P2V tool.
As you go through the wizard above, you need to select a location, host, datastore, and what you will run on it. (With an OVF template, you don’t need to select what will run on it, but you still need to choose a location, host, and storage for it.)
Creating a new VM via PowerCLI isn’t hard either; it can be done with a command like the following:
New-VM -Name 'TestVM' -VMHost 'VMHost-1' -Datastore 'TestDatastore' -DiskGB 40 -MemoryGB 8 -NumCpu 2 -NetworkName 'Virtual Machine Network'
That creates a new VM with the name TestVM on VMHost-1 storing its 40 GB VMDK on the TestDatastore. A lot simpler than going through a long wizard to me.
You can manage VMs through the HTML5 client, API, PowerCLI (PowerShell), or even through the ESXi host console. There are even some options you can only do using PowerCLI. You are presented with a large number of options when you right-click on a VM. To change the VM’s settings, you can click on “Edit Settings” and get the following screen.
Keep in mind that some options can only be changed when the VM is powered off.
There are numerous places for you to manage storage, depending on what you need to do. For example, when setting up iSCSI adapters, you can accomplish this by clicking on the host. Then select the Configure tab and then Storage Adapters and the iSCSI adapter. From there, you can add iSCSI targets by clicking on Dynamic Discovery or Static Discovery.
As you can see, I already have several targets inputted. Once you add them, you rescan storage for the host to query for devices. Those devices will show up under devices, as shown here.
If there isn’t already a datastore on the device, you can format it by right-clicking on one of the hosts and selecting storage and then New Datastore. You can then choose to format it with VMFS. Likewise, if you are mounting an NFS export or creating a vVol, you can use the same action.
You will need to supply a name for the datastore and select what device will back it. Then, if VMFS, select if you want to use VMFS 6 or 5. Some of the reasons you would want to choose VMFS 6 would be automatic space reclamation or if you are using 4Kn storage devices.
Storage policies enable an administrator to make it simpler to choose storage when creating or moving VMs. You can specify characteristics or even resilience types if using vSAN.
Datastores are logical storage units that can use disk space on one disk or span several. You can navigate to the Datastores tab on the navigation pane to manage them and select the datastore you want to manage. Then click on Configure on the object pane in the middle.
From this screen, you can increase the capacity, enable SIOC, and edit Space Reclamation priority. Using Connectivity and Multipathing, you can edit what hosts have access to this datastore. You can also see what files and VMs are on this datastore. You can perform essential file functions through this as well.
Check objective 7.4 for the creation of virtual machine storage policies.
To create a storage cluster, right-click on the datacenter under the datastore tab and click on storage > New Datastore Cluster.
You then need to go through a wizard to configure the storage cluster options. First, give it a name, and select if you want to turn on Storage DRS. This will allow you to manage all the datastores inside as one aggregate pool of storage. It will also suggest placement or move VMs as needed, depending on what automation level you have set up.
The next screen gives you options to configure for SDRS. You can check on the ‘I’ at the end of each for more information about that setting.
The next screen allows you to configure the latency threshold settings that, when reached, will start moving VMs.
Next, you select the clusters (or hosts) that will be given access to the Storage Cluster.
Next, add the datastores that will be in the storage cluster.
Check over the summary and then finish.
If you need to configure the cluster afterward, you can click on the cluster and select Configure in the middle pane.
One everyday use case for affinity and anti-affinity rules is a VM that needs to stay on a specific host due to a specific hardware key or license restriction. Another is when you have multiple domain controllers for resilience: you wouldn’t want a scenario where both of them would be on the same physical host. This would be an example of a VM-VM anti-affinity rule. Another might be if you have a multi-tiered app that needs to be kept together on the same host for some reason. That would be a VM-Host affinity rule.
These rules are set up under the cluster configuration under VM/Host Groups and VM/Host Rules. There are two pieces to set up. You have to either make a VM group or Host group depending on which type of rule you want to use. I will take the Active Directory use case and create a VM to VM anti-affinity rule. First, I need to define the VMs.
Cluster > Configure > VM/Host Rules > Add
Give it a name and then choose the type “Separate Virtual Machines.” Next, select both the VMs that will be in this group.
When finished, it will look like this.
Notice the rule is enabled, and there are no conflicts. That’s all there is to it!
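The domain controller anti-affinity rule created from PowerCLI, followed by a check that no enabled "Separate Virtual Machines" rule currently has two of its VMs on the same host. This is an added example, not part of the original guide; the cluster name, VM names, and rule name are assumptions, and an existing Connect-VIServer session is presumed.

```powershell
# Added example; assumes an existing Connect-VIServer session.
# 'Cluster-1', 'DC01' and 'DC02' are illustrative names.
$cluster = Get-Cluster -Name 'Cluster-1'
$dcs     = Get-VM -Name 'DC01', 'DC02' -Location $cluster

# -KeepTogether $false makes this a "Separate Virtual Machines" rule.
New-DrsRule -Cluster $cluster -Name 'Separate-DomainControllers' `
            -KeepTogether $false -VM $dcs -Enabled $true

# Report every enabled anti-affinity rule whose VMs share a host right now.
function Get-AntiAffinityViolation {
    param([Parameter(Mandatory)] $Cluster)

    foreach ($rule in Get-DrsRule -Cluster $Cluster) {
        # Skip "keep together" rules and rules that are switched off.
        if ($rule.KeepTogether -or -not $rule.Enabled) { continue }

        Get-VM -Id $rule.VMIds |
            Group-Object { $_.VMHost.Name } |
            Where-Object Count -gt 1 |
            ForEach-Object {
                [pscustomobject]@{
                    Rule = $rule.Name
                    Host = $_.Name
                    VMs  = ($_.Group.Name -join ', ')
                }
            }
    }
}

# No output means every anti-affinity rule is currently satisfied.
Get-AntiAffinityViolation -Cluster $cluster
```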
We’ve already covered the type of migrations that are possible. Let’s now go over how to perform them. There are several ways to initiate the migration. You can drag the VM over to the host or datastore you want to put it on. How would you do that? If you are in either the hosts and cluster or datastore section, you can click on the VMs tab. (like in the example picture)
From there, click on one of the VMs or multiple and drag it where you want to migrate it to. It will then pop up the wizard to finish. You can also right-click on a VM and then select migrate. If you do the latter, you have to choose the type of migration. Next, you click where you want the VM to migrate to, either host or datastore. You also need to select the network to attach to and vMotion priority. That’s all!
We’ve covered what roles are already, but a short refresher is that a role is just a container for a group of privileges. Each object in the vSphere world has permissions associated with it. This is how you control who can do what. You assign a user a role, and that allows them to have specific privileges and do tasks.
vCenter has built-in system roles that cannot be changed. However, they CAN be cloned, and you can modify the clone to have more or fewer privileges. To find those roles, click on Menu > Administration > Access Control > Roles. If you click on a role and then click on privileges, you can see what each role can do. Choose the one with the least amount of privileges needed for the task and then clone that.
To clone, click on the role you want to use; for example, I chose Virtual Machine User. Then click Clone. You can also just create a new role if you know all the privileges needed for that role.
When you click clone, the Clone Role window comes up and asks you to give it a name and optionally a description.
Click OK, and your role has been created. We now need to modify it to add permissions, however. So we select the role and then click on the pencil icon.
We are now given a plethora of options to edit the role.
After adding the privileges, we then click on next and then finish. If we need to, we can assign a user a role on a specific object. To do that, navigate to the object. Then click on the permissions tab.
Then click on the plus icon and add in the user and choose the role you want them to have.
Click OK, and that user should have access to that specific object now.
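The clone, edit, and assign sequence above, done from PowerCLI as an added example that is not part of the original guide. The new role name, the two snapshot privileges added, the principal, and the VM name are assumptions; an existing Connect-VIServer session is presumed.

```powershell
# Added example; assumes an existing Connect-VIServer session.
# Role name, extra privileges, principal and VM name are illustrative.

# 'VirtualMachineUser' is the system name PowerCLI shows for the built-in
# "Virtual Machine User" role (see Get-VIRole).
$sourceRole = Get-VIRole -Name 'VirtualMachineUser'

# Clone: a new role that starts with exactly the source role's privileges.
$role = New-VIRole -Name 'VM User - Snapshot Operator' `
                   -Privilege (Get-VIPrivilege -Role $sourceRole)

# Add only the privileges the task needs, by privilege ID.
$extra = Get-VIPrivilege -Id 'VirtualMachine.State.CreateSnapshot',
                             'VirtualMachine.State.RevertToSnapshot'
$role  = Set-VIRole -Role $role -AddPrivilege $extra

# Record what the clone can do that the built-in role cannot.
Compare-Object (Get-VIPrivilege -Role $sourceRole).Id `
               (Get-VIPrivilege -Role $role).Id |
    Where-Object SideIndicator -eq '=>' |
    Select-Object @{N = 'AddedPrivilege'; E = { $_.InputObject } }

# Grant the role on one object only, without propagating to children.
$vm = Get-VM -Name 'TestVM'
New-VIPermission -Entity $vm -Principal 'VSPHERE.LOCAL\helpdesk-user' `
                 -Role $role -Propagate $false

# Review who holds which role on that object.
Get-VIPermission -Entity $vm | Select-Object Principal, Role, Propagate
```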
There are many options for securing your vSphere environment. We will now show you where to find those and how to enable them.
We’ll start with host lockdown mode. If enabled, lockdown mode prevents users from logging directly into the host itself. There are multiple levels of lockdown. Normal allows access through either the local console (in front of the machine) or vCenter Server. Strict locks down the host so that it can only be accessed through vCenter Server. To enable one of those modes, navigate to the host in Clusters and Hosts. Then select Configure, then Security Profile.
Once there, click “Edit.”
There are your options. You also have the option to select exception users. You will need to click on that on the left to enter them in.
Exemptions should be made sparingly. Under the security profile, you also have the option for Host Encryption mode and Host Image Profile Acceptance Level. The latter prevents software from running if it doesn’t have a certain acceptance level from VMware. The host encryption mode must be enabled to create Encrypted VMs or other encryption type tasks. It becomes enabled most of the time when performing a task, such as creating an encrypted VM.
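To check lockdown mode and exception users across every host instead of opening each Security Profile, the following added example (not part of the original guide) reads both from each host's HostAccessManager through the vSphere API. It assumes an existing Connect-VIServer session to vCenter; the function name is hypothetical.

```powershell
# Added example; assumes an existing Connect-VIServer session to vCenter.
function Get-LockdownReport {
    Get-VMHost |
        Where-Object ConnectionState -in 'Connected', 'Maintenance' |
        ForEach-Object {
            # HostAccessManager exposes the lockdown mode and exception users.
            $mgr = Get-View -Id $_.ExtensionData.ConfigManager.HostAccessManager
            # Drop a null result so an empty exception list counts as zero.
            $exceptions = @($mgr.QueryLockdownExceptions() | Where-Object { $_ })

            [pscustomobject]@{
                Host           = $_.Name
                # lockdownDisabled, lockdownNormal or lockdownStrict
                LockdownMode   = [string]$mgr.LockdownMode
                ExceptionCount = $exceptions.Count
                ExceptionUsers = $exceptions -join ', '
            }
        }
}

$report = Get-LockdownReport
$report | Format-Table -AutoSize

# Hosts that need attention: lockdown off, or any exception user defined.
$report |
    Where-Object { $_.LockdownMode -eq 'lockdownDisabled' -or
                   $_.ExceptionCount -gt 0 } |
    Format-Table -AutoSize

# To enable normal lockdown on one host through the same manager object:
#   $mgr = Get-View -Id (Get-VMHost 'VMHost-1').ExtensionData.ConfigManager.HostAccessManager
#   $mgr.ChangeLockdownMode('lockdownNormal')
```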
To create an encrypted VM, you need to first have a Key Management Server, or KMS, in place. Once you do, you can go to the VM settings and then VM Options to perform encryption tasks.
You might also notice an option there for Virtualization Based Security. I can’t use it on this VM because it requires Windows 10 or Server 2016+ OSs. You also need to enable
ESXi will then create a virtual TPM 2.0 and allow that to be installed and used in Windows just like a real Trusted Platform Module device. This can also be enabled on the VM during creation here.
You can then see it enabled on the VM Options screen.
The last subject we’ll cover here is certificates. To get to certificates in the HTML5 web client, you click on Menu > Administration > Certificate Management.
You can see two certificates there currently. We’ve already covered the different practices for certificates, so we just need to cover how to change them here. To add a new Trusted Root Certificate, just click on the Add and then tell vSphere where it is located. To replace the Machine certificate, click on Actions, and you can renew, import and replace, or generate a certificate signing request for a certificate authority. If you want to read more on that subject, head to VMware’s site here.
Host profiles provide a mechanism to automate and create a base template for your hosts. Using host profiles, you can create host uniformity. VMware will inform you if your host is not in compliance yet, and then you can take steps to remediate it.
It’s accessed under Policies and Profiles.
There is a process to it. Here it is:
You can use baselines to update and upgrade hosts or clusters, or other objects. First, you will need a baseline. You can use one of the two default baselines that VMware has included for you, or you can create a new one. To create a new one, click on Menu and select Lifecycle Manager. Under Lifecycle Manager, go to the Baseline tab and then click New.
Next, give it a name and optionally a description. Select what type of content it will contain: Upgrade, Patch, or Extension.
I have a couple of ISOs already installed (I chose to upgrade), and I will use this to upgrade the host to the new 7.0 Update 1.
Then click Finish on the summary page.
That’s only half of the story, however. We now need to tell it to apply this baseline to an object. We do that by going back to Hosts and Clusters. Click on the object we want to manage, select Updates and Baselines, and scroll down and click Attach.
Select Attach Baseline. If you notice, we could have created the baseline from here as well. Select the VCP 2020 Upgrade (or whatever one you created) and click on Attach.
It will now show up in the attached baselines for the object. You can now select just that one, and you can use either stage or remediate. Stage will load the software or patches to the host/s and then wait for your reboot. Remediate will do everything now. It will utilize DRS or wait until all running VMs are powered off or moved before proceeding.
It will then kick off and remediate the hosts unless you need to move some VMs first.
We’ve already utilized parts of the vSphere Lifecycle Manager to perform updates and upgrades. There are a few more things we could go over, however. The Image Depot we’ve already covered a bit. This shows the ESXi versions, drivers, and components available to us to use. The Updates tab will show us a list of all the updates included in the baselines we’ve created and VMware’s default baselines. You can filter them if you are looking for specific patches. You can also create a baseline that only has a subset of the updates or patches in them if you’ve determined that one or more may be detrimental to your environment.
The Imported ISOs tab is where you can import whole ISOs of ESXi to use for upgrades. You can also use an ISO if the OEM has made one available to upgrade a driver.
The next tab, Baselines, we’ve used in the previous objective. We can also duplicate a baseline if we need to change one slightly for a specific host.
The final tab is settings. This tab controls when vSphere checks for new patches and downloads them. It also controls the depots where it looks. Under Host remediation, it controls the VMs and behavior while attempting to remediate the hosts or VMs.
Firmware upgrades can be accomplished in vSphere 7, but there are caveats. Firmware and driver add-ons are not distributed through VMware channels. They must be done using a particular vendor depot, which works in conjunction with a hardware support manager. So, while vLCM will let you know if the host is in compliance and can kick off the remediation process, the actual firmware upgrade is accomplished by the hardware support manager. OpenManage Integration for VMware vCenter from Dell is an example of a hardware support manager. It is distributed by Dell and deployed as an appliance (not free). Dell, HPE, and Lenovo hardware support managers are supported. Once installed, you register the appliance as a vCenter Server extension. In the case of Dell’s tool, it will interact with the iDRAC or remote access card to deploy the firmware.
VMware differentiates between updates and upgrades as follows: upgrades are significant software changes, whereas updates make smaller changes to the software. Anything that involves a numbered release, such as 6.5 to 6.7 or 6.7 to 7.0, is an upgrade. A change going from vSphere 7.0 to 7.0 Update 1 is just an update or smaller change. An upgrade may make configuration changes to the host, whereas updates will not affect host configuration.
vSphere will, if allowed, periodically check VMware’s depot for new updates and will download them if configured to do so. You can see the configuration options here in the screenshot.
Driver and component updates can also be performed through the Lifecycle Manager in vSphere 7. Drivers are code to let vSphere know how to interact with hardware and utilize it. Components can be solutions, tools, or drivers. VMware has both downloaded from the VMware depot, but if you need to insert one that wasn’t included, you can do that too. Vendor add-ons usually are driver packs meant to support an OEM’s servers such as Dell or HP’s. Here you can see a screenshot of the listing of available vendor add-ons and components in Lifecycle Manager.
If you need to add either a driver or component, you can do that at the top via “Actions” and then Import Updates.
It will then ask you for the location of the .zip or URL. It then adds the new update to the list.
The hardware compatibility check is a tool that allows you to choose a host and see if it is capable of running a particular ESXi version. More specifically, it shows whether that host is certified to run it. It will take the hardware it finds on the host and check it against the VMware HCL (Hardware Compatibility List) or vSAN HCL if the host participates in a vSAN cluster. At the end of the scan, the tool will give you the results to export to a CSV file. Here is where it is and what it looks like below.
You would select a host, click on the Update tab, and then Hardware Compatibility. You can then select which version of ESXi you want to check.
One of the new abilities that vSphere 7 brought was using a single image for the whole cluster. This promotes uniformity and makes the hosts easier to maintain and troubleshoot. Once you set up an image for a cluster, you can also export it to be imported and used in another cluster. This would be done for the same reasons as described above. The export process is done in the following location.
Go to the cluster > Updates > Image > ellipsis > export. This is assuming you have already set this up. You then are presented with a box that asks you what you want to export: JSON, ISO, or ZIP. If using for another cluster to import, you will need the JSON and zip.
To import, you will go to the same place on a cluster that has not been set up yet.
It will then ask you for the JSON file and zip.
An alarm can be set up for many different objects in vSphere. There are many predefined alarms, and you can create and configure new ones. To create a new alarm, right-click on an object and select Alarms > New Alarm Definition.
Give the alarm a name and then click Next.
Now you need to select what the trigger will be. In this case, I want an alarm to happen if someone creates a resource pool. I then tell vSphere what I want it to do. In this case, I want a warning to appear and send me an email.
Next, I will add that if the resource pool is deleted, it can reset it to green.
Make sure the alarm is enabled and then click create.
I can now find this alarm if I go to the object > Configure > Alarm Definitions.
You notice I can disable alarms under the same place, but I can’t edit the default alarms. I CAN edit mine, however. As you can see, I can set alarms for all sorts of events and have many things that will happen if the alarm’s criteria are met.
Conclusion
Well, that brings us to the end of another Study Guide. I hope it helped in some way, and I’m happy you were along for the ride! Till next time.
Mike