Part 2: Expanding vSAN 6.6 Datastore after initial VCSA bootstrap

This post continues my previous post, “Bootstrap vCenter Server Appliance 6.5 on vSAN 6.6”. Refer to the link below:

Bootstrap vCenter Server Appliance 6.5 on vSAN 6.6

I will cover the expansion of the vSAN datastore created during the VCSA bootstrap in the previous blog post.

The first thing after vCenter deployment is to add the hosts in vCenter and configure the VMkernel interface for vSAN traffic (and any other VMkernel interface) on each host. I have personally configured the VMK interface on the standard switches and later migrated them to the VDS (I am not covering the standard to distributed switch migration in this post).

This is how VMkernel networking looks on hosts:


Now turn on vSAN by clicking the Edit option under Cluster -> vSAN -> General -> Edit.


Go to Cluster -> Configure, then under vSAN click Disk Management -> Claim Disks.


In manual mode, vSAN shows all the eligible HDDs and SSDs that can be claimed from the hosts in the cluster that have a vSAN VMkernel interface configured.


Above is the list of all the HDDs from the 3 hosts. To claim the HDDs, simply click “Claim for capacity tier”.


Similarly, we can claim all the flash resources from the eligible hosts by clicking “Claim for cache tier”.


Once you claim the SSD and HDD resources, vSAN starts creating the disk groups. You can see this in the vCenter recent tasks:


Go to the vSAN datastore summary to confirm that the total capacity reflects the storage from all vSAN hosts in the cluster.


That’s all for this post. Let me know if you have any feedback, and do share this if you consider the posts worth sharing.

Migrating from vCenter Server Embedded PSC to External PSC in vCenter Server 6

For the past few weeks I have been working on enhancing my VMware home lab setup to be more scalable and enterprise grade, which gave me an opportunity to migrate the embedded PSC to an external one and extend my vCenter Single Sign-On domain with more vCenter Server instances to support multi-site NSX and SRM use cases. You can reconfigure and repoint the existing vCenter Server instance to an external Platform Services Controller.

A few things to note before starting the migration:

  • The process is relatively straightforward, but remember there is no coming back once you migrate the embedded PSC to external.
  • Make sure to take a snapshot of the vCenter Server. If anything goes wrong during the migration, you can revert vCenter to the last working state.
  • Non-ephemeral virtual port groups are not supported by the PSC. As a workaround, we need to create a new ephemeral port group in the same VLAN (if using VLANs) as the vCenter Server network for the deployment of the new PSC. You can migrate the PSC network to a non-ephemeral port group after the migration completes successfully.


This is what I am running in my lab currently, a vCenter Server Appliance with an embedded PSC:


I want to achieve the below topology with External PSC:


Let's start by installing the external Platform Services Controller instance as a replication partner of the existing embedded Platform Services Controller instance in the same vCenter Single Sign-On site.

Mount the VCSA ISO and start the installation.


Enter the credentials of the ESXi host where you are planning to deploy the PSC appliance.


Accept the self-signed certificate.



Here select “Install Platform Service Controller”.

Select Join an SSO domain in an existing vCenter PSC:


Join the existing site and select the SSO site name:




As I explained before, if you have not created an ephemeral virtual port group you will not be able to select a network to deploy the new PSC.


Go back to vCenter and create a Distributed port group with Ephemeral port binding which will be used for the PSC Deployment.


Enter the standard networking parameters and complete the deployment wizard.



Click Finish and wait for the deployment to complete. This process takes approximately 8-10 minutes.


You will get the below screen once the PSC is deployed successfully.


Now log in to the vCenter Server instance with an embedded Platform Services Controller. Verify that all Platform Services Controller services are running by executing the below command:

service-control --status --all


The final step is to run the below command to repoint the embedded PSC to the newly deployed external PSC:

cmsso-util reconfigure --repoint-psc psc_fqdn_or_static_ip --username username --domain-name domain_name --passwd password [--dc-port port_number]

Use the --dc-port option if the external Platform Services Controller runs on a custom HTTPS port. The default value of the HTTPS port is 443.


If you have followed all the instructions mentioned above, you will get the below success message: “vCenter Server has been successfully reconfigured and repointed to the external PSC.”


That was it, the PSC has been successfully migrated from embedded to external! I hope it was helpful.

VMware AppVolumes 3.0 Deployment and configuration Part 1

I set up a VMware App Volumes 3.0 environment in my lab last week and want to share my experience.

VMware App Volumes 3.0 enables you to deploy applications to users. These users may be widely separated in space, be using different operating systems, or using different versions of applications. VMware App Volumes 3.0 also enables you to monitor application usage.

The first step in setting up App Volumes is to deploy the App Volumes virtual appliance.
System requirements for the App Volumes virtual appliance are below:
– vSphere 6.0U1 and above (previous versions of vSphere are not supported)
– 4 vCPUs
– minimum of 80 GB disk space
– minimum of 4 GB memory

Let's get started now with the deployment of the App Volumes virtual appliance and initial configuration:

It is quite a straightforward process: simply deploy the App Volumes OVA and follow the installation wizard.


After the deployment is done, log in to the App Volumes console using the default “username: root” and “password: 123”. Once you log in you will be prompted to set a new password. Subsequently you will be asked to configure Active Directory.

Once done, click on domain bind. Once the binding is complete, you will need to add a super administrator user group for the App Volumes appliance from your Active Directory domain.

Now you can log in to the App Volumes web interface using the user group added previously.

The next step is to integrate vCenter Server with App Volumes.

Now you should be able to add vCenter server without any error.

In the next blog post I will cover the App Volumes Agent installation and App Capture installation and configuration.

VMware NSX Installation and Configuration Part 3 – NSX Manager vCenter Integration, SSO, Syslog & License configuration

1 In a Web browser, navigate to the NSX Manager appliance GUI at https://IP or FQDN and log in as admin with the password that you configured during NSX Manager Installation.

2 Under Appliance Management, click Manage vCenter Registration.


3 Edit the vCenter Server element to point to the vCenter Server’s IP address or hostname, and enter the vCenter Server user name and password. For the user name, the best practice is to enter administrator@vsphere.local or an alternative account that you have created. Do not use the root account.

4 Check that the certificate thumbprint matches the certificate of the vCenter Server. If you installed a CA-signed certificate on the CA server, you are presented with the thumbprint of the CA-signed certificate. Otherwise, you are presented with a self-signed certificate.

5 Do not tick Modify plugin script download location, unless the NSX Manager is behind a firewall type of masking device. This option allows you to enter an alternate IP address for NSX Manager. Note that putting NSX Manager behind a firewall of this type is not recommended.

6 Confirm that the vCenter Server status is Connected.




7 If vCenter Web Client is already open, log out of vCenter and log back in with the same Administrator role used to register NSX Manager with vCenter. If you do not do this, vCenter Web Client will not display the Networking & Security icon on the Home tab. Click the Networking & Security icon and confirm that you can see the newly deployed NSX Manager.


Configure Single Sign On:

SSO makes vSphere and NSX more secure by allowing the various components to communicate with each other through a secure token exchange mechanism, instead of requiring each component to authenticate a user separately.

You can configure lookup service on the NSX Manager and provide the SSO administrator credentials to register NSX Management Service as an SSO user. Integrating the single sign on (SSO) service with NSX improves the security of user authentication for vCenter users and enables NSX to authenticate users from other identity services such as AD, NIS, and LDAP.

With SSO, NSX supports authentication using authenticated Security Assertion Markup Language (SAML) tokens from a trusted source via REST API calls. NSX Manager can also acquire authentication SAML tokens for use with other VMware solutions. NSX caches group information for SSO users. Changes to group memberships will take up to 60 minutes to propagate from the identity provider (for example, active directory) to NSX.


1 Log in to the NSX Manager virtual appliance. In a Web browser, navigate to the NSX Manager appliance GUI at https://, and log in as admin with the password that you configured during NSX Manager Installation.

2 Click the Manage tab, then click NSX Management Service.

3 Type the name or IP address of the host that has the lookup service. If you are using vCenter to perform the lookup service, enter the vCenter Server’s IP address or hostname, and enter the vCenter Server user name and password.

4 Type the port number. Enter port 443 if you are using vSphere 6.0. For vSphere 5.5, use port number 7444. The Lookup Service URL is displayed based on the specified host and port.




Specify a Syslog Server:

If you specify a syslog server, NSX Manager sends all audit logs and system events to the syslog server. Syslog data is useful for troubleshooting and reviewing data logged during installation and configuration. NSX Edge supports two syslog servers. NSX Manager and NSX Controllers support one syslog server.


1 In a Web browser, navigate to the NSX Manager appliance GUI at https://.

2 Log in as admin with the password that you configured during NSX Manager installation.

3 Click Manage Appliance Settings.



4 From the Settings panel, click General.

5 Click Edit next to Syslog Server.

6 Type the IP address or hostname, port, and protocol of the syslog server. If you do not specify a port, the default UDP port for the IP address/host name of the syslog server is used.


Install and Assign NSX for vSphere License:

In vSphere 6.0, complete the following steps to add a license for NSX.

a Log in to the vSphere Web Client.

b Click Administration and then click Licenses.

c Click the Assets tab, then the Solutions tab.

d Select NSX for vSphere in the Solutions list. From the All Actions drop-down menu, select Assign license….

e Click the Add icon. Enter a license key and click Next. Add a name for the license, and click Next. Click Finish to add the license.

f Select the new license.

g (Optional) Click the View Features icon to view what features are enabled with this license. View the Capacity column to view the capacity of the license.

h Click OK to assign the new license to NSX.




In the next blog, I will talk about the NSX Controller cluster deployment and configuration.

ESXi Certificates in vSphere 6

Starting from vSphere 6.0, VMCA (VMware Certificate Authority) provisions each new ESXi host with certificates when they are added to the vCenter Server system.

In contrast to vCenter Server certificates, ESXi certificates are not stored in VECS (VMware Endpoint Certificate Store). Instead they are stored locally on each host in /etc/vmware/ssl.


An upgrade to ESXi 6.0 replaces existing thumbprint certificates with VMCA-signed certificates; custom certificates are retained. However, if you select Renew Certificates in the vSphere Web Client, VMCA pushes a fresh VMCA-signed certificate to the host and overwrites any existing certificate, even a custom certificate.

To prevent a custom certificate from being overwritten, you can change the certificate mode from the vSphere Web Client. There are three certificate modes in vSphere 6.0:

  • Thumbprint mode: To accommodate any legacy host
  • VMCA Mode: Which uses VMCA as a root CA
  • Custom Mode: To use only third party certificate


To set the certificate mode in the vSphere Web Client, go to vCenter Server – Manage – Settings – Advanced Settings and click Edit.

In the filter box, enter “certm” to display only certificate management keys.


Change the value of “vpxd.certmgmtmode” to custom if you intend to manage your own certificates, or to thumbprint if you want to use thumbprint mode, and click OK.

Restart the vCenter Server service. The mode always applies to all the hosts managed by that vCenter Server system.

Port Mirroring in vSphere Distributed Switch(VDS)

In this blog, I will show how to configure and use the Port Mirroring functionality in the vSphere Distributed Switch.

Port mirroring is the capability on a network switch to send a copy of network packets seen on a switch port to a network-monitoring device connected to another switch port. Port mirroring is also referred to as Switch Port Analyzer (SPAN) on Cisco switches. In VMware vSphere, a Distributed Switch provides a similar port mirroring capability that is available on a physical network switch. After a port mirror session is configured with a destination—a virtual machine, a vmknic or an uplink port—the Distributed Switch copies packets to the destination.

In this blog I will use Linux01 VM to capture and monitor mirrored traffic of Linux02 VM.

  1. In the vSphere Web Client, go to VM and Templates in the inventory tree and open the console of the Linux01 machine, which I will configure to capture the traffic from the Linux02 VM.
  2. Monitor the command output for a few seconds and verify that ICMP traffic is not being captured. The tcpdump output remains silent until ICMP traffic is detected on the network.
  3. Leave the console window open, with the tcpdump command running uninterrupted.
  4. In vSphere Web Client under VM and Templates, right-click the Linux02 virtual machine and select Power > Power On.
  5. After the Linux02 virtual machine starts, sign on as root. The Linux02 virtual machine is used as the traffic source to be monitored.
  6. At the Linux02 command prompt, ping the default router. In my case my router is on
  7. Go back to the Linux01 VM again and click the Linux01 console tab.
  8. In the console window, verify that the running tcpdump command is the same as before and has not captured any ICMP traffic.

Now I will configure the Distributed Switch for port mirroring.

  • In the Web Client on the left pane, click the Networking icon.
  • In the Networking inventory tree, select the dvs-Lab distributed switch.
  • In the middle pane, click the Manage tab and click the Settings tab.
  • Click the Port mirroring link.
  • In the Port mirroring panel, click the New link.


  • In the Add Port Mirroring Session dialog box, leave the Distributed Port Mirroring radio button selected and click Next.
  • Under Edit properties, select Enabled from the Status drop-down menu.
  • From the Normal I/O on destination ports drop-down menu, select Allowed.
  • Click Next.
  • Under Select sources, click the Select distributed ports icon.
  • In the Select Ports dialog box, select the check box for the row with a connected entity of Linux02 and click OK.
  • Click Next.
  • Under Select destinations, click the Select distributed ports icon.
  • In the Select Ports dialog box, select the check box for the row with a connected entity of Linux01 and click OK.
  • Click Next.
  • Under Ready to complete, review settings and click Finish.
  • In the Firefox window, click the Linux02 console tab.
  • Verify that the ping command is still reaching the default router at
  • In the Linux01 console, examine the tcpdump output in the terminal window.
  • The output looks similar to the following example.
  • You can now see that Linux01 (destination) has started receiving the mirrored ICMP pings from the Linux02 VM (source).
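
To make the last check repeatable instead of reading the tcpdump output by eye, the following added example (not part of the original post) parses `tcpdump -n icmp` lines captured on Linux01 and reports which echo requests and replies reached it through the mirror session. The IP addresses are constructed documentation-range placeholders, because the post does not give the lab addresses, and the function and field names are hypothetical.

```python
import re

# Matches `tcpdump -n icmp` lines such as:
#   10:15:01.000101 IP 192.0.2.12 > 192.0.2.1: ICMP echo request, id 2817, seq 41, length 64
ICMP_LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed sample captures (not real lab output). Assumed addresses:
# Linux01 (monitor) = 192.0.2.11, Linux02 (source) = 192.0.2.12, router = 192.0.2.1.
SAMPLE_BEFORE = """\
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:10:00.100000 IP 192.0.2.11 > 192.0.2.1: ICMP echo request, id 911, seq 1, length 64
"""

SAMPLE_AFTER = """\
10:15:01.000101 IP 192.0.2.12 > 192.0.2.1: ICMP echo request, id 2817, seq 41, length 64
10:15:01.000412 IP 192.0.2.1 > 192.0.2.12: ICMP echo reply, id 2817, seq 41, length 64
10:15:02.001007 IP 192.0.2.12 > 192.0.2.1: ICMP echo request, id 2817, seq 42, length 64
10:15:02.001390 IP 192.0.2.1 > 192.0.2.12: ICMP echo reply, id 2817, seq 42, length 64
10:15:02.500000 IP 192.0.2.11 > 192.0.2.1: ICMP echo request, id 911, seq 1, length 64
10:15:03.002003 IP 192.0.2.12 > 192.0.2.1: ICMP echo request, id 2817, seq 43, length 64
10:15:03.400000 IP 192.0.2.50 > 192.0.2.1: ICMP echo request, id 77, seq 9, length 64
"""


def summarize_mirror(lines, monitor_ip, source_ip):
    """Classify ICMP echo packets seen on the monitor VM.

    own_traffic: packets the monitor sent or received itself (prove nothing).
    requests/replies: packets of the mirrored source VM, visible only via the mirror.
    unexpected: packets of other hosts, meaning the session mirrors more ports
                than the single source that was intended.
    """
    requests, replies = set(), set()
    own = unexpected = 0
    for line in lines:
        m = ICMP_LINE.match(line.strip())
        if not m:
            continue  # tcpdump banner or a non-echo line
        src, dst = m["src"], m["dst"]
        if monitor_ip in (src, dst):
            own += 1
            continue
        if source_ip not in (src, dst):
            unexpected += 1
            continue
        ident, seq = int(m["id"]), int(m["seq"])
        if m["kind"] == "request":
            requests.add((src, dst, ident, seq))
        else:
            # Key a reply by (requester, responder) so it pairs with its request.
            replies.add((dst, src, ident, seq))
    return {
        "mirror_active": bool(requests or replies),
        "requests": len(requests),
        "replies": len(replies),
        # Requests with no reply in the capture: dropped, or one direction not mirrored.
        "unanswered_seq": sorted(key[3] for key in requests - replies),
        "own_traffic": own,
        "unexpected": unexpected,
    }


if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, summarize_mirror(text.splitlines(), "192.0.2.11", "192.0.2.12"))
```

A non-zero `unexpected` count is worth a look: it means Linux01 is receiving traffic from ports that were not selected as the mirror source.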

Host & storage advanced performance charts in vSphere Web Client

In this blog post I will talk about some of the advanced storage and host performance charts that we can create in the vSphere Web Client to review performance statistics of a vSphere environment.

I will start with the basic storage and performance graphs available in the vSphere Web Client, and later we will look into some advanced options which help us understand the current performance statistics of a vSphere environment.

Storage overview charts:

(i) Log in to vSphere web client with the SSO administrator credential

(ii) In the left pane, click the Storage icon.


(iii) Expand the Storage inventory tree and select the Shared datastore you want to analyze.

(iv) In the middle pane, click the Monitor tab and click the Performance tab.

(v) Above the charts, verify that Space is selected from the View drop-down menu.

(vi) Review the overview charts to find the performance values.

(vii) Space that is used by virtual disks, in the By File Type chart

(viii) Total space that is used by the top objects, in the By Virtual Machines (Top 5) chart



ESXi Host overview charts:

(i) In the left pane, click the Hosts and Clusters icon.


(ii) In the Hosts and Clusters inventory tree, select the host you want to analyze, in my case it is esxi01.vclass.local.

(iii) In the center pane, click the Monitor tab and click the Performance tab.

(iv) Above the charts, verify that Home is selected from the View drop-down menu.

(v) The time of any significant CPU spike, in the CPU (%) chart

(vi) The time of any significant latency spike, in the Disk (ms) chart



Now I will show how to configure advanced custom charts in vSphere Web Client:

(i) In the chart links panel, click the Advanced link.

(ii) Collapse the links panel by clicking the << icon.

(iii) The viewable chart area can be increased by collapsing the chart links panel.

(iv) Above the chart graphic, select Memory from the View drop-down menu.

(v) The View drop-down menu appears above the top-right corner of the graphical chart, to the right of the chart title.

(vi) To the left of the View drop-down menu, click the Chart Options link and customize the chart options.

(vii) In the Chart Metrics panel on the left side of the window, verify that only Memory is selected.

(viii) Select Real-time from the Timespan drop-down menu.

(ix) Select Stacked Graph per VM from the Chart Type drop-down menu.

(x) In the Select object for this chart panel, click all to select all the listed objects.

(xi) In the Select counters for this chart panel, click none to deselect all counters and select the Usage check box.

(xii) Click OK to close the Chart Options window.


The customized chart displays the memory usage counter for all virtual machines that are in a running state, as well as for the ESXi host.

(i) Examine the performance chart legend.

(ii) Scroll down to uncover the performance chart legend.

(iii) The Average column is the last column in the table and might not appear until more space is made available by resizing columns.

(iv) Point to the average column values to determine the average memory usage for esxi01.vclass.local and the Linux01 virtual machine.

(v) Export an advanced chart as a graphic image.

(vi) Scroll to the top of the chart pane.

(vii) Click the Export icon and select To PNG.


The exported image looks like below:


Like this we can create custom advanced charts for CPU and storage parameters as well.

I am planning to write a blog post on resxtop commands in the future, which can be used to capture performance data via the command line.

I hope you liked the post. Any feedback from readers regarding the content is welcome. Keep learning and sharing.


Working with vSphere Management Assistant

Before I talk about the various commands we can use with vMA, first let me explain a bit about vMA. vSphere Management Assistant enables administrators to run scripts or agents that interact with ESXi hosts and VMware vCenter Server systems without authenticating each time. vSphere Management Assistant is easy to download, install, and configure through the vSphere Web Client.

vSphere Management Assistant is a virtual appliance that consists of the following components:

– SUSE Linux Enterprise Server

– VMware Tools

– vSphere SDK for Perl

– vSphere CLI

– Java JRE Version 1.6

– vi-fastpass, an authentication component for the appliance

vSphere Management Assistant requires an ESXi host that supports 64-bit virtual machines. The CPU on the ESXi host must be an AMD Opteron, rev E or later, or an Intel processor with EM64T support with VT. By default, vSphere Management Assistant uses 1 vCPU, 600 MB RAM and 3 GB of virtual disk. vSphere Management Assistant is used with vSphere 5.x or 6.

Let’s get started now.

  • Start the SSH and vSphere ESXi Shell services on the ESXi host you want to manage from vSphere Management Assistant.
  • Log in to VMware vSphere Management Assistant. Use PuTTY to establish an SSH session to the appliance, using vi-admin as the user name and the password that you set during the initial power-on of the appliance.
  • Now we need to add vCenter Server systems and ESXi hosts as vSphere Management Assistant target servers to simplify commands.
  • Add the vCenter Server system as a server target.
  • vifp addserver vc01.vclass.local --authpolicy fpauth --username administrator@vsphere.local
  • Any user with sufficient vCenter Server privileges can be specified, including VMware vCenter Single Sign-On users. The vSphere administrator user name is used here because it is the default vCenter Server Appliance administrator account.
  • When prompted for a password, enter the password you have set.
  • When prompted to store the user name and password in the credential store, enter yes.
  • Add the ESXi host as a server target.
  • vifp addserver esxi01.vclass.local --authpolicy fpauth --username root
  • When prompted for a password, enter the password you have set.
  • List the configured target servers.
  • vifp listservers
  • The vCenter Server system and the ESXi host appear in the list. vc01.vclass.local and esxi01.vclass.local must be listed.
  • Now I will add the ESXi host thumbprint to the certificate store on the vCenter Server system so that a trust relationship exists between the host and the server. This trust relationship is necessary to run ESXCLI commands.
  • Let me show what happens when I run the command without adding the ESXi host thumbprint to the certificate store on the vCenter Server system.
  • Add the ESXi host thumbprint to the vCenter Server certificate store.
  • /usr/lib/vmware-vcli/apps/general/ add -s esxi01.vclass.local -t thumbprint
  • The thumbprint is displayed in the output of the last command. You can copy the thumbprint into the command by selecting and right-clicking it.
  • Now you can use ESXCLI commands to query the ESXi host properties. I will show you some important commands that you can use in day-to-day administration of a vSphere environment.
  • Set the ESXi host as the current target server.
  • vifptarget -s esxi01.vclass.local
  • As a result of running the command, the name of the target server appears as part of the command prompt.
  • 1. Display the CPU characteristics of the ESXi host.
  • esxcli hardware cpu list
  • Use the command output to determine CPU characteristics.
  • Number of CPUs installed on the host
  • Brand of the first CPU
  • Family and model of the first CPU
  • Core speed of the second CPU
  • 2. Display the ESXi host memory.
  • esxcli hardware memory get
  • Use the command output to determine memory characteristics.
  • Amount of physical memory
  • NUMA node count
  • 3. Display the platform on which the ESXi software is installed.
  • esxcli hardware platform get
  • Use the command output to determine platform characteristics.
  • Product name
  • IPMI supported status
  • 4. List the software version of ESXi that is installed on the host.
  • esxcli system version get
  • 5. Display the time and date on the host.
  • esxcli hardware clock get
  • 6. Determine the system host name.
  • esxcli system hostname get
  • 7. Determine the system’s boot device.
  • esxcli system boot device get
  • 8. The last command I want to highlight is vicfg-ntp in the vSphere Management Assistant, which you can use to query and configure Network Time Protocol (NTP) settings.
  • (i) List the NTP servers that are configured on esxi01.vclass.local.
  • vicfg-ntp --list
  • NTP servers are not yet configured.
  • (ii) Stop the NTP service.
  • vicfg-ntp --stop
  • (iii) Add an NTP server.
  • vicfg-ntp --add
  • (iv) List the configured NTP server.
  • vicfg-ntp --list
  • (v) Start the NTP service.
  • vicfg-ntp --start
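
Adding the ESXi host thumbprint to the certificate store in the steps above, and the thumbprint check in step 4 of the NSX Manager vCenter registration, both rely on the displayed thumbprint belonging to the certificate the server really presents. The following added example (not part of the original posts) computes a certificate thumbprint and compares it with a displayed value regardless of separators or case. It assumes the thumbprint is the SHA-1 or SHA-256 digest of the DER-encoded certificate shown as colon-separated hex; the function names are hypothetical and the sample certificate bytes are a constructed stand-in.

```python
import hashlib
import hmac
import re
import ssl

# Hex length of the displayed value -> digest algorithm (assumption: the UI
# shows a SHA-1 or SHA-256 thumbprint of the DER-encoded certificate).
_ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def normalize(displayed: str) -> str:
    """Reduce 'aa:bb:..', 'AA BB ..' and 'AABB..' to the same bare upper-case hex."""
    cleaned = re.sub(r"[\s:\-]", "", displayed).upper()
    if len(cleaned) not in _ALGO_BY_HEX_LEN or not re.fullmatch(r"[0-9A-F]+", cleaned):
        raise ValueError("not a SHA-1 or SHA-256 thumbprint: %r" % displayed)
    return cleaned


def to_der(cert) -> bytes:
    """Accept a PEM string or DER bytes and return DER bytes."""
    if isinstance(cert, bytes):
        return cert
    return ssl.PEM_cert_to_DER_cert(cert.strip())


def thumbprint(cert, algo: str = "sha1") -> str:
    """Colon-separated upper-case hex digest of the DER certificate."""
    digest = hashlib.new(algo, to_der(cert)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches(cert, displayed: str) -> bool:
    """True if `displayed` is the thumbprint of `cert`.

    The algorithm is inferred from the length of the displayed value, and the
    comparison is constant-time.
    """
    want = normalize(displayed)
    got = normalize(thumbprint(cert, _ALGO_BY_HEX_LEN[len(want)]))
    return hmac.compare_digest(got, want)


def fetch_pem(host: str, port: int = 443) -> str:
    """Fetch the certificate a server presents, without validating it.

    Not called in this offline example. The result is only trustworthy once
    its thumbprint has been compared with a value obtained over a separate,
    trusted channel.
    """
    return ssl.get_server_certificate((host, port))


# Constructed stand-in: arbitrary bytes wrapped as PEM so the example runs
# offline. It is not a parseable X.509 certificate; hashing works on any bytes.
SAMPLE_DER = b"constructed stand-in for a DER certificate (not a real cert)"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    shown = thumbprint(SAMPLE_PEM)
    print("SHA-1 thumbprint:", shown)
    print("matches lower-case, no colons:", matches(SAMPLE_PEM, shown.lower().replace(":", "")))
```

The comparison only has value when the reference thumbprint comes from a trusted channel rather than from the same dialog or connection being checked.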


Configuring vCenter Server 6 Appliance to use Active Directory Services

In this blog I will show how to configure Active Directory in vCenter Server Appliance in vSphere 6. I will also show how to grant the ESX Admins group in Active Directory the right to log in to VMware vCenter Server as administrators.

First we need to add Active Directory to the VCSA as follows:

– Log in to the Web Client using the administrator account.
– Point to the Home icon and select Home.
– In the left pane, click Administration and click System Configuration.

– In the left pane, click Nodes and select vc01.vclass.local (the vCenter Server).

– On the System Configuration page, click the Manage tab.
– In the middle pane, click Active Directory and click Join.

– In the Domain text box, enter vclass.local (enter your domain here).
– Leave the Organizational unit text box empty.
– In the user name and password text boxes
– Click OK.
– At the top of the middle pane, click Actions and select Reboot.
– In the Reboot window, enter a reason for the reboot and click OK.

– vCenter Server Appliance takes several minutes to reboot. You can refresh the vSphere Web Client page, or close the browser window and reopen it, to show when the appliance is back up.
– After the reboot you should see the domain as below:


Now I will add Active Directory as an identity source in the Web Client and grant the ESX Admins group in Active Directory the right to log in to VMware vCenter Server™ as administrators.

– Point to the Home icon and select Home.
– In the left pane, click Administration.
– Under Single Sign-On, select Configuration.
– Click the Identity Sources tab.
– Click the Add Identity Source (green plus sign) icon.

– In the Add identity source dialog box, select Active Directory as an LDAP Server for the identity source type.
– In the Name text box, enter vclass.local.
– In the Base DN for users text box, enter CN=Users, DC=vclass, DC=local.
– In the Domain name text box, enter vclass.local.
– In the Domain alias text box, enter vclass.
– In the Base DN for groups text box, enter CN=Users, DC=vclass, DC=local.
– In the Primary server URL text box, enter ldap://vclass.local:389.
– In the Username text box, enter the user name in domain\Administrator format.
– In the Password text box, enter the password.
– Click Test Connection.

– A dialog box appears indicating that the connection has been established.
– Click OK.
– Click OK to close the Add identity source dialog box.
– In the left pane under Single-Sign-On, select Users and Groups.
– Click the Groups tab.
– Under Group Name, click Administrators.
– In the bottom Group Members pane, click the Add member (blue person with green plus sign) icon.
– Select the domain you just added.
– Select the Domain Admins group and click Add.


– Click OK.

I hope this blog was helpful. Keep learning and keep sharing 🙂


License vCenter Server & ESXi Host in vSphere 6

This blog post is regarding assigning new licenses in vSphere 6 environment.

First thing is to add the vCenter and ESXi licenses in vSphere web client, for this:

– Log in to vSphere web client using administrator account.

– In the left pane, click Administration and click Licenses.


– In the middle pane, click the Licenses tab, then click the plus sign to create new licenses.


– In the text box on the Enter license keys page, enter the license keys one per line, and click Next.

– On the Edit license names page, enter the new license names for vCenter Server and Enterprise Plus in the License Name dialog boxes and click Next.


On the Ready to complete page, click Finish.


Now that we have added the licenses to vCenter, it's time to assign the vCenter Server and ESXi host licenses.

Assign vCenter Server license key to the vCenter Server instance.
– In the middle pane, click the Assets tab, Click the vCenter Server systems tab and click the Assign License link.


– In the Assign License dialog box, select the vCenter Server license key.
– Click OK


Assign the vSphere Enterprise Plus Edition 6 license key to the ESXi host.
– In the center pane, click the Hosts tab and click the Assign License link.


In the Assign License dialog box, select the vSphere Enterprise Plus Edition 6 license key.


Click OK.

I hope the post was helpful. Keep learning and sharing 🙂