Archives for 2009

I’m now a VMware vSphere VCP!

Whoohoo! Passed my VMware vSphere VCP exam today. I guess all that studying was worth it after all! Scored 419.

Note: if you hold a VCP 3.0, VMware has just extended the deadline for taking the VCP 4.0 exam without the upgrade class to January 31, 2010. The original deadline was December 31, 2009. Second shot vouchers have also been extended to January 15, 2010.

HP ESXi 4.0 U1 Installable now Available

If you use HP Proliant servers and want the HP-ized version of ESXi 4.0 Update 1, you can now download it from here. The ISO image is about 380MB. The only difference between the HP download and the vanilla VMware ESXi 4.0 U1 ISO image is the inclusion of Proliant-specific CIM providers, which give ESX and vCenter Proliant health status information about array controllers, network cards and temperature, and also use the iLO watchdog timer to verify the machine hasn’t frozen. Couple this with the Veeam nWorks Management Pack for Microsoft Systems Center 2007 (SCOM), and you get full end-to-end physical, virtual, OS and application health status within SCOM. Very cool!

In case you didn’t know, any future patches to the HP version of ESXi 4.0 U1 can be directly downloaded from VMware’s web site. There are no HP specific patches, as VMware distributes vendor specific CIM updates in their regular patch bundles. If the updater detects you are using a vendor specific ESXi installation, it will preserve and/or update the CIM providers as needed.

Finally, don’t use the HP version of ESXi on non-HP hardware. It will purple screen on you after a few minutes since the iLO ASIC isn’t present and the watchdog timer will freak out and crash the system.

New EMC Celerra VSA for ESX/Workstation Released

The free ‘non-production use’ EMC Celerra VSA (virtual iSCSI appliance) is a great way to test iSCSI and SRM in a lab or evaluation environment. A few days ago EMC released a new version of the virtual appliance, based on the latest physical EMC Celerra product. You can find a complete list of all the new features, how-to guides, and other goodies here.

With this appliance you can test vMotion and SRM in your home lab, on the cheap. Great for studying for the VCP exam, or just getting experience with the advanced shared storage features of vSphere.

Cisco Nexus 1000v hits v1.2

Cisco has released a minor update to the Nexus 1000v. They have a video showing some of the new features. Most of them are security related, and are summarized below. It appears to me that the VSD feature is designed to interoperate with the vShield Zones technology in vSphere.

  • Layer 3 control: A VSM can be Layer 3 accessible and control hosts that reside in a separate Layer 2 network.
  • Virtual Service Domain (VSD): Virtual service domains allow you to classify and separate traffic for network services. Interfaces within a VSD are shielded by a service VM (SVM) that provides a specialized service like a firewall, deep packet inspection (application-aware networking), or monitoring.
  • iSCSI Multipath: The iSCSI multipath feature sets up multiple routes between a server and its storage devices to maintain a constant connection and balance the traffic load.
  • DHCP Snooping: DHCP snooping acts like a firewall between untrusted hosts and a trusted DHCP server.
  • Dynamic ARP Inspection: Dynamic ARP Inspection (DAI) validates ARP requests and responses.
  • MAC Pinning: If one or more upstream switches do not support port channels, you can use MAC pinning to assign each Ethernet port member to a particular port channel subgroup.
  • Static Pinning: You can use vPC-HM to configure a port channel subgroup so that traffic is forwarded only through its member ports by assigning (or pinning) one of the following to the subgroup: a vEthernet interface, the Control VLAN, or the Packet VLAN.

Update: Good information from Cisco here, including a PDF of the new features. VSM installation Guide is here. VEM installation guide is here. Cisco also has a host of new documentation for v1.2 you can find here (on the left side).

What’s new in Server 2008 R2? A lot!

Ars Technica has a really excellent summary of the major new features in Windows Server 2008 R2. Some of the new features that jumped out at me are:

  • Full Aero Glass with RDP. Great for virtual desktops.
  • The server management tool is now network enabled, so you can manage remote servers.
  • Remote Server Administration Tools (RSAT) is available for Windows 7 to fully manage your servers without RDP.
  • Includes PowerShell 2.0.
  • .Net Framework added to Server Core.
  • Offline Domain Join for clients/servers.
  • Active Directory Recycle Bin for ‘oopsies’.
  • Active Directory Administrative Center for simplifying helpdesk access to AD.
  • GPO Preferences allow you to customize a lot of settings, such as scheduling power saver modes, mapping printers, or controlling a user’s environment. Goodbye logon scripts.
  • You can have multiple firewall policies active at once, all of which are network location aware.

Check out the whole article for a lot more detail on each of these features. As the article mentions, Server 2008 R2 is not a traditional R2 release with minor tweaks. R2 is a major update to the server OS from the kernel on up.

You can download a huge Server 2008 R2 feature guide here.

Make SQL 2005/2008 Thin Provisioning Friendly

Today I was reading a whitepaper by 3PAR regarding SQL 2008 performance on their storage arrays. It’s an interesting comparison of wide striping, RAID levels, mixed workloads, and number of disks. While browsing through the document I stumbled upon a SQL 2005/2008 feature which I was unaware of, but is important in thin provisioned environments.

Typically with SQL 2005/2008 when you create a database, say 100GB, SQL creates the entire file and zeros out all of the contents. Depending on the database size, this can take a long time. While this is happening, your storage array sees all of this data being written and allocates storage to that volume. Even though the database is empty, since zeros were written the array thinks it is holding data. Clearly, this defeats thin provisioning.

3PAR mentioned a feature in SQL 2005/2008 called Instant File Initialization. If you enable this feature, when you create a new database no zeros are written so creation is nearly instant! Imagine that. This is thin provisioning friendly, since virtually no data is written until the application needs to store data. So if you create a 100GB SharePoint database, your storage array will only allocate storage as SharePoint fills up the database.

Pretty nifty! So how do you enable this? According to the SQL 2005 security best practices whitepaper, you should grant the group SQLServer2005MSSQLUser$MachineName$MSSQLSERVER the “Perform Volume Maintenance Tasks” user right on the SQL server. This can be done via GPO, or by editing the machine’s local security policy. Be sure to restart the SQL services so they pick up the newly granted right. If you are using SQL 2008, the group is called SQLServerMSSQLUser$MachineName$MSSQLSERVER.

Now when you create a 100GB database, it could literally take a couple of seconds instead of many minutes. Even if your storage array isn’t thin provisioning enabled, if you are using VMware vSphere 4.0 and thin provisioned virtual disks, you can gain the same benefit.

The feature works on standard as well as enterprise edition versions of SQL, and on Server 2003 and later. Log files are not instantly created and will be fully zeroized. But your log files are generally just 10 to 20 percent of the total database size, so you still save a lot of space.

Nothing is free in life, so there may be a slight performance penalty when new data is written to the database since space was not previously allocated. Microsoft discusses the feature here, and encourages using this feature to enhance performance.
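Because the right has to be in the effective local policy (GPO or local security policy) and the service has to be restarted afterwards, the first thing to check when a new database still takes minutes to create is who actually holds “Perform Volume Maintenance Tasks” (internally SeManageVolumePrivilege). The script below is an added example, not something from the original post or from 3PAR’s or Microsoft’s material: it exports the effective user-rights policy with secedit and lists the holders of that right, flagging whether the SQL service group is among them. The default group name follows the SQL 2008 naming given above; the temporary file path is an assumption. Run it from an elevated PowerShell prompt on the SQL host.

```powershell
# Added example: list who holds SeManageVolumePrivilege ("Perform Volume Maintenance Tasks")
# in the effective local security policy and check for the SQL Server service group.
# Group name default follows the SQL 2008 convention from the post:
#   SQLServerMSSQLUser$<MachineName>$MSSQLSERVER  (SQL 2005: SQLServer2005MSSQLUser$...)
param(
    [string]$GroupName = "SQLServerMSSQLUser`$$env:COMPUTERNAME`$MSSQLSERVER"
)

# Assumed scratch location for the exported policy (secedit needs an elevated prompt).
$cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw "secedit export failed; is this prompt elevated?" }

# The [Privilege Rights] section holds lines like:
#   SeManageVolumePrivilege = *S-1-5-32-544,*S-1-5-21-...-1003
# Entries are account names or SIDs; SIDs carry a leading asterisk.
$line = Get-Content $cfg | Where-Object { $_ -match '^SeManageVolumePrivilege\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue
if (-not $line) {
    Write-Warning 'No account holds SeManageVolumePrivilege on this machine.'
    return
}

# Resolve each *SID to DOMAIN\Name (or MACHINE\Name for local groups) where possible.
$holders = ($line -split '=', 2)[1] -split ',' | ForEach-Object {
    $entry = $_.Trim()
    if ($entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $entry }   # orphaned or foreign SID: report it raw
    } else {
        $entry
    }
}

$holders | ForEach-Object { "Holds Perform Volume Maintenance Tasks: $_" }

if ($holders -match [regex]::Escape($GroupName)) {
    "OK: $GroupName holds the right. Restart the SQL Server service if it was granted recently."
} else {
    "MISSING: $GroupName does not hold the right; grant it via GPO or Local Security Policy, then restart SQL."
}
```

Two things worth knowing when you read the output. First, to confirm the setting from SQL Server’s own side, trace flags 3004 and 3605 make SQL Server write file-initialization activity to its error log; with instant file initialization in effect, only the .ldf file shows up in the “Zeroing” messages after a CREATE DATABASE, because log files are always zeroed. Second, Microsoft’s documentation for the feature points out the trade-off behind the privilege: an account holding it can read whatever was previously on disk in the newly allocated, uninitialized pages, so it should be held by the SQL service group only, which is why the script lists every holder rather than just checking one.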

Exchange 2010 Roll-Up 1 Released

Wow, Exchange 2010 was only recently released and there’s already Rollup 1. You can download it here. It’s a fairly short list of bug fixes, but it covers crashes of some Exchange services, so it’s probably best to install the patch.

Critical Adobe Flash and Air player vulnerabilities

*Shocked* to see that Adobe has major security problems with Flash Player and Air. Be sure to download the latest versions, released on December 8th, here. You can read the related security bulletin here.

VMware vSphere 4.0U1 lacks broad Server 2008 R2 Support

I was very disappointed when I looked over the vSphere 4.0 Update 1 compatibility matrix. I was hoping for widespread Server 2008 R2 support for all roles. In fact, the only support for Server 2008 R2 is as a guest VM. The matrix doesn’t even show vSphere Client support for 2008 R2. Given that Update 1 was released months after R2 went gold, I’m quite disappointed.

VMware really needs to align their releases better with the latest Microsoft operating systems. My project is planning to upgrade from 2003 directly to 2008 R2, but companies like VMware throw monkey wrenches into the works when they lag Microsoft releases by many months. 95% of VMware runs Windows, so it would make sense for them to put more effort into staying current. So now we will be forced to support three major operating systems instead of just two.

One change for Update 1 that is welcomed is that Orchestrator is now supported on SQL 2008, finally! You can check out the entire compatibility matrix for vSphere 4.0 Update 1 here.

Oh, and even their support for Windows Server 2008 SP2 is spotty. VUM and Orchestrator are not supported on SP2. Yes, they can’t even muster support for SP2 which was released in May, before the launch date of vSphere. Very poor support, IMHO.

VMware vCenter 4.0 Update Manager SSL Certificates

You can check out the improved, and officially supported method here. This works for vCenter 4.0 and 4.1.

After a significant effort of research and trial and error, it appears I have gotten VMware Update Manager (VUM) 4.0 Update 1 to use SSL certificates generated from an internal Microsoft CA. This completes my quest to replace all SSL certificates that vCenter 4.0 U1 and ESXi 4.0 hosts use. This method is somewhat of a ‘hack’, but so far everything seems to be working well. I haven’t tried this with the gold release of vCenter Update Manager 4.0, so I can’t comment if this procedure works or not.

In my scenario I have VUM installed on a separate server from vCenter. This is a recommended best practice in larger environments. But I’d think this method works equally well with vCenter and VUM co-located on the same server. In that case, you should be able to re-use the certificates you generated for your vCenter server since they have the same FQDN.

1. Read my article about vCenter SSL certificate generation.
2. Perform the exact same steps to generate a certificate (steps 1-9) but use the FQDN of the VUM server, if it’s on a dedicated server.
3. Find the SSL directory path for Update Manager on your system. In my case it’s located at:
D:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL
4. Compress all of the existing files in the SSL directory into a .ZIP for safe keeping.
5. Stop the VMware Update Manager Service.
6. Replace rui.crt, rui.key and rui.pfx with the new certificates.
7. De-Install VUM. Yes, remove it.
8. Re-install VUM using the exact same settings as your first install, and use the existing database.
9. Launch the vSphere client and open the vCenter Server Status window.
10. Verify everything has a green check, including all VMware Update Manager components.
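Steps 3 through 6 are where a typo or a mismatched key pair turns into the “weird login errors” described below, and by then VUM has already been removed and re-installed. The script that follows is an added example, not part of the original post or VMware’s own tooling: it checks that the new rui.crt and rui.pfx are the same key pair and that the certificate’s subject CN is the VUM server’s FQDN, backs up the SSL directory to a timestamped copy (instead of a .ZIP), stops the service and swaps in the three files. The SSL path default is the one from the post; the C:\certs\vum source folder and the PFX password are assumptions you replace with your own. It stops after step 6, leaving the service down, so you can go straight on to the de-install and re-install in steps 7 and 8.

```powershell
# Added example: validate replacement certificates, back up the VUM SSL directory and
# replace rui.crt / rui.key / rui.pfx (steps 3-6 of the post). Run elevated on the VUM server.
param(
    [string]$SslDir       = 'D:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL',
    [string]$NewCertDir   = 'C:\certs\vum',        # assumed: where the CA-issued files were saved
    [string]$PfxPassword  = 'CHANGEME',            # assumed: password used when exporting rui.pfx
    [string]$ExpectedFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)
$ErrorActionPreference = 'Stop'

$x509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$crt  = New-Object $x509 -ArgumentList (Join-Path $NewCertDir 'rui.crt')
$pfx  = New-Object $x509 -ArgumentList (Join-Path $NewCertDir 'rui.pfx'), $PfxPassword

# 1. rui.crt and rui.pfx must describe the same certificate, and the PFX must carry the key.
if ($crt.Thumbprint -ne $pfx.Thumbprint) { throw 'rui.crt and rui.pfx are different certificates.' }
if (-not $pfx.HasPrivateKey)             { throw 'rui.pfx does not contain a private key.' }
if (-not (Test-Path (Join-Path $NewCertDir 'rui.key'))) { throw 'rui.key is missing.' }

# 2. The subject CN must be the FQDN that vCenter and the vSphere Client use for this server.
$dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
$cn = $crt.GetNameInfo($dnsType, $false)
if ($cn -ne $ExpectedFqdn) { throw "Certificate is issued to '$cn', expected '$ExpectedFqdn'." }
if ($crt.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($crt.NotAfter)." }

# 3. Keep a copy of the current SSL directory before touching anything.
$backup = '{0}.bak-{1}' -f $SslDir, (Get-Date -Format 'yyyyMMdd-HHmmss')
Copy-Item -Path $SslDir -Destination $backup -Recurse
"Backed up existing certificates to $backup"

# 4. Stop the service (display name as in the post), then replace the three files.
$svc = Get-Service -DisplayName 'VMware Update Manager Service'
Stop-Service -InputObject $svc -Force
foreach ($name in 'rui.crt', 'rui.key', 'rui.pfx') {
    Copy-Item -Path (Join-Path $NewCertDir $name) -Destination (Join-Path $SslDir $name) -Force
}
"Installed certificate $($crt.Thumbprint) for $cn into $SslDir; service left stopped for re-install."
```

Keep the printed thumbprint: after the re-install, the vCenter Server Status window and the vSphere Client certificate warning should both show that value, which is the quickest way to confirm VUM really picked up the new certificate rather than regenerating its own.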

If you see any errors about the health service, or get weird login errors when launching the vSphere Client, something is broken. The key to this whole process is de-installing and re-installing VUM. This resets some credentials and the thumbprint in the ADAM instance, and uses the new certificates you installed. VMware should really make this easier!

You should also be able to pre-position the SSL certificates in the proper directory prior to ANY VUM installation, and it will use them. That would avoid a de-install and re-install. Depending on your installation parameters and whether you are x86 or x64, the directory path will vary.