Part 1: Bootstrap vCenter Server Appliance 6.5 on vSAN 6.6:

I have recently installed vSphere 6.5 and vSAN 6.6 in our lab, I have got 4 vSAN Hybrid ready nodes ,  which I will use to setup a vSAN cluster.

Most interesting thing with the 6.5 vSphere release apart from the HTML client and other enhancements  is the ability to bootstrap VCSA on a target host by creating a vSAN datastore. With earlier version we used to deploy the VCSA on a temporary data store and later storage vMotioed to the vSAN datastore.

“Jase McCarty” has written a cool blog on the same, you can refer to the below link for details:

Bootstrap the VCSA onto vSAN 6.6

However, I will try to cover the deployment in more details including all the screenshot which can help people deploying vSAN 6.6 for the first time. So let’s get started.

I have installed ESXi 6. 5 on all 4 nodes. It’s time to install the vCenter to configure the vSAN Cluster.

Mount the VCSA installer and run the installer.exe file:1

Wizard is similar to previous VCSA 6.x install until we reach the “Install – Stage 1: Deploy PSC” page:11.png


I am deploying the External PSC appliance, however the process is similar for Embedded PSC as well.1

The Screenshot is self-explanatory, I am deploying the vCenter appliance on ESXi host “” .


Select yes for the certificate warning.



This is where we will be creating a vSAN datastore locally on the host and install VCSA. Note that during bootstrapping, you don’t need to have vSAN Network configured on all the nodes. At this moment vSAN Datastore is local to the host, I will cover in another blog post how to expand the vSAN Datastore by claiming the disk from other nodes in the cluster.




Provided you are using a vSAN compatible controller and Drives, ESXi will detect the flash and HDD resources in the server. In case ESXi is not detecting Flash or HDD, you can manually tag local storage resources as SSD or HDD in this step. For checking the vSAN compatibility, refer to the link below:

VMware Compatibility Guide



Enter the required networking details for the PSC, make sure to configure the DNS host name resolution (forward and reverse) of PSC before deployment .


Finish and wait, the deployment took less than 5 minutes




Looking at the host client, I can now see a new “vSAN datastore” and PSC getting deployed on newly created vSAN Datastore.


Once done, we need to configure the appliance size and SSO in stage 2, refer to the below screenshots:




Here you can either join the PSC to an existing SSO (if exists) to run a linked mode configuration or if it is a new deployment select the “create new SSO domain”.



That’s it for PSC deployment, now we need to run the same installer, this time we will install the vCenter server.






Select the vSAN datastore created during the PSC installation.


Enter the network configuration for the vCenter server:




Finish and wait, you can actually see the VCSA deployment progress by login in to the target host.






With this now we need to configure the SSO for the vCenter server to complete the deployment.



That’s it for this post , I have covered the expansion of vSAN datastore by claiming storage resources from rest of the hosts in below post :

Expending vSAN 6.6 Datastore after initial VCSA bootstrap

Migrating from vCenter Server Embedded PSC to External PSC in vCenter Server 6

For the past few weeks i am working on enhancing my VMware home lab setup to be more scalable and enterprise grade , which gave me an opportunity to migrate the embededd PSC to external to extend my vCenter Single Sign-On domain with more vCenter Server instances to support multi site NSX and SRM use cases, you can reconfigure and repoint the existing vCenter Server instance to an external Platform Services Controller.

Few things to note before starting the migration :

  • The process is relatively straightforwad but remember there is no coming back once you migrate the embedded PSC to external .
  • Make Sure to take the snapshot of vCenter Server , in case anything gone wrong during the migration you can revert back vCenter to the last working state
  • Non Ephemeral virtual port groups are not supported by the PSC , as a workaround we need to create a new Ephemeral port group in the same VLAN (if using VLANs) as vCenter server network for the sake of deployment of new PSC . You can migrate the PSC network to non ephemeral port group after the migration completes successfully .


This is what I am running in my lab currently , a vCenter server appliance with embedded PSC:


I want to achieve the below topology with External PSC:


Lets start this by installing the external Platform Services Controller instance as a replication partner of the existing embedded Platform Services Controller instance in the same vCenter Single Sign-On site.

Mount the VCSA ISO and start the installation .


Enter the credentials of the ESXi host where you are planning to deploy the PSC appliance.


Acceppt the self sigh certificate .



Here select “Install Platform Service Controller” .1.png

Select Join an SSO domain in an existing vCenetr PSC:


Join the exsiting site and select the SSO site name:




As I have explained before e, if you have not created a Ephemeral virtual port group you will  not be able to select a network to deploy the new PSC.


Go back to vCenter and create a Distributed port group with Ephemeral port binding which will be used for the PSC Deployment.


Enter the standard networking parameters and complete the deployment wizard.



Click on finish and wait for the deployment completion . This process will take approx: 8-10 minutes.


You will get the below screen once PSC deployed successfully.


Now , Log in to the vCenter Server instance with an embedded Platform Services Controller.Verify that all Platform Services Controller services are running by executing the below command:

service-control –status –all


The final step is to run the below command to repoint the embedded PSC to new deployed external PSC:

cmsso-util reconfigure –repoint-psc psc_fqdn_or_static_ip –username username –domain-name domain_name –passwd password [–dc-port port_number]

Use the  –dc-port  option if the external Platform Services Controller runs on a custom HTTPS port. The default value of the HTTPS port is 443.


If you have followed all the instructions mentioned above, you will get the below success message: “vCenter Server has been successfully reconfigured and repointed to the external PSC .


That was it , PSC has been successfully migrated from Embedded to external! I hope it was helpful .

Refreshing Security Token Service (STS) Root Certificate in vSphere Web Client

Refreshing Security Token Service (STS) Root Certificate in vSphere Web Client

This blog is one of the shortest blog i have written so far , however i have seen a lot of confusion around certificates in vSphere 6 so thought of writing a quick one on this.

The vCenter Single Sign-On server includes a Security Token Service (STS). The Security Token Service is a Web service that issues, validates, and renews security tokens.

You can manually refresh the existing Security Token Service certificate from the vSphere Web Client when the certificate expires or changes.

You can replace the existing STS signing certificate vSphere Web Client if your company policy requires it, or if you want to update an expired certificate.


1 Log in to the vSphere Web Client as administrator@vsphere.local or as another user with vCenter Single Sign-On administrator privileges.

Users with vCenter Single Sign-On administrator privileges are in the Administrators group in the vsphere.local domain.

2 Browse to Administration > Single Sign-On > Configuration.

3 Select the Certificates tab, then the STS Signing sub tab, and click the Add STS Signing Certificate icon.1

4 Click Browse to browse to the key store JKS file that contains the new certificate and  click  open.


If the key store file is valid, the STS certificate table is populated with the certificate information.

5 Click OK.

The new certificate information appears on the STS Signing tab.

Now you should Restart the vSphere Web Client service. You can find all services in the System Configuration area of Administration.

Port Mirroring in vSphere Distributed Switch(VDS)

In this blog, I will shows how to configure and use the Port Mirroring functionality in the vSphere Distributed Switch.

Port mirroring is the capability on a network switch to send a copy of network packets seen on a switch port to a network-monitoring device connected to another switch port. Port mirroring is also referred to as Switch Port Analyzer (SPAN) on Cisco switches. In VMware vSphere, a Distributed Switch provides a similar port mirroring capability that is available on a physical network switch. After a port mirror session is configured with a destination—a virtual machine, a vmknic or an uplink port—the Distributed Switch copies packets to the destination.

In this blog I will use Linux01 VM to capture and monitor mirrored traffic of Linux02 VM.

  1. In the vSphere web client , go to VM and Templates in the inventory tree and open the console of Linux01 machine which I will configure to capture the traffic from Linux02 VM1
  2. Monitor the command output for a few seconds and verify that ICMP traffic is not being captured. tcpdump output remains silent until ICMP traffic is detected on the network
  3. Leave the console window open, with the tcpdump command running uninterrupted
  4. In vSphere Web Client under VM and Templates, Right-click the Linux02 virtual machine and select Power > Power On.
  5. After the Linux02 virtual machine starts, sign on as root. The Linux02 virtual machine is used as the traffic source to be monitored.
  6. At the Linux02 command prompt, ping the default router. In my case my router in on
  7. Go back to Linux01 VM again and click the Linux01 console tab.
  8. In the console window, verify that the running tcpdump command is the same as before and has not captured any ICMP traffic

Now i will configure the Distributed Switch for port mirroring

  • In the Web Client on the left pane, click the Networking icon.
  • In the Networking inventory tree, select the dvs-Lab distributed switch.
  • In the middle pane, click the Manage tab and click the Settings tab.
  • Click the Port mirroring link.
  • In the Port mirroring panel, click the New link.


  • In the Add Port Mirroring Session dialog box, leave the Distributed Port Mirroring     radio button selected and click Next.4
  • Under Edit properties, select Enabled from the Status drop-down menu.
  • From the Normal I/O on destination ports drop-down menu, select Allowed.
  • Click Next5
  • Under Select sources, click the Select distributed ports icon.6
  • In the Select Ports dialog box, select the check box for the row with a connected entity of Linux02 and click OK.7.png
  • click Next8
  • Under Select destinations, click the Select distributed ports icon.9
  • In the Select Ports dialog box, select the check box for the row with a connected entity of Linux01 and click OK.10
  • Click Next11.png
  • Under Ready to complete, review settings and click Finish.12
  • In the Firefox window, click theLinux02 console tab.
  • Verify that the ping command is still reaching the default router at
  • In the Linux01 console, examine the tcpdump output in the terminal window.
  • The output looks similar to the following example13.png
  • You can see Now that the Linux01 (destination) has started mirroring the ICMP pings from Linux02 VM (Source).

Host & storage advance performance charts in vSphere Web Client

In this blog post I will talk about some of the advance storage and host performance charts that we can create in vSphere web client to review performance statistics of vSphere environment.

I will start with the basic storage and performance graph available in vSphere Web Client and later we will look into some advance options which help us in understanding the current performance statistics of vSphere environment.

 Storage overview charts:

(i) Log in to vSphere web client with the SSO administrator credential

(ii) In the left pane, click the Storage icon.


(iii)Expand the Storage inventory tree and select the Shared datastore you want to analyze.

(iv) In the middle pane, click the Monitor tab and click the Performance tab

(v) Above the charts, verify that Space is selected from the View drop-down menu.

(vi)Review the overview charts to find the performance values.

(vii) Space that is used by virtual disks, in the By File Type chart2.png

(viii) Total space that is used by the top objects, in the By Virtual Machines (Top 5) chart



ESXi Host overview charts:

(i) In the left pane, click the Hosts and Clusters icon.


(ii) In the Hosts and Clusters inventory tree, select the host you want to analyze, in my  case it is esxi01.vclass.local.

(iii) In the center pane, click the Monitor tab and click the Performance tab.

(iv) Above the charts, verify that Home is selected from the View drop-down menu.

(v) The time of any significant CPU spike, in the CPU (%) chart5

(vi) The time of any significant latency spike, in the Disk (ms) chart



Now I will show how to configure advance custom charts in vSphere Web Client:

(i) In the chart links panel, click the Advanced link.

(ii) Collapse the links panel by clicking the << icon.

(iii) The viewable chart area can be increased by collapsing the chart links panel.

(iv) Above the chart graphic, select Memory from the View drop-down menu.

(v) The View drop-down menu appears above the top-right corner of the graphical chart, to the right of the chart title.

(vi) To the left of the View drop-down menu, click the Chart Options link and customize the chart options.

7.png(vii) In the Chart Metrics panel on the left side of the window, verify that only Memory is selected.

(viii) Select Real-time from the Timespan drop-down menu.

(ix) Select Stacked Graph per VM from the Chart Type drop-down menu.

(x) In the Select object for this chart panel, click all to select all the listed objects.

(xi) In the Select counters for this chart panel, click none to deselect all counters and select the Usage check box.

(xii) Click OK to close the Chart Options window.


The customized chart displays the memory usage counter for all virtual machines that are in a running state, as well as for the ESXi host.

9.png(i) Examine the performance chart legend.

(ii)Scroll down to uncover the performance chart legend.

(iii)The Average column is the last column in the table and might not appear until more space is made available by resizing columns.

(iv)Point to the average column values to determine the average memory usage for esxi01.vclass.local and the Linux01 virtual machine.

(v)Export an advanced chart as a graphic image.

(vi)Scroll to the top of the chart pane.

(vii)Click the Export icon and select To PNG.


The exported image looks like below:


Like this we can create custom advance charts for CPU and storage parameters as well.

I am planning to write a blog post on resxtop commands in future which can be used to capture performance data via command line.

i hope you liked the post , any feedback’s from the readers regarding the content are welcomed.  keep learning and sharing.