Archives for July 2014

Nutanix and Veeam HyperV Best Practices

Earlier this year I had the distinct pleasure of working with Luca Dell’oca (@Dellock6) from Veeam on a Nutanix + Veeam Backup and Replication + VMware vSphere whitepaper. You can check out that post and whitepaper here. Now, just a few months later, we’ve collaborated on a Nutanix + Veeam + Hyper-V 2012 R2 backup whitepaper. The new whitepaper is available here.

The goal of these two joint whitepapers is to enable our mutual customers to deploy Veeam Backup and Replication 7 on Nutanix, when used with the two leading virtualization platforms. Both whitepapers are approximately 20 pages, and go into a lot of great detail. We tested both solutions in the lab, to ensure what we are recommending works in the real world. This is not high level marketing fluff, folks. No fluff zone. We detail the best practices for using Nutanix SMB 3.0 shares with Hyper-V 2012 R2 and Veeam Backup and Replication 7.0.

Veeam is a very popular backup solution, which now has in excess of 101,000 global customers. They are also a sponsor of my blog. The web-scale Nutanix solution and support of the Hyper-V 2012 R2 VSS platform complement the Veeam Backup and Replication product, to provide a robust backup and restore solution. This allows you to meet your RPO and RTO requirements, in a fully supported and efficient manner. I’ve always been impressed with how easy Veeam is to configure, compared to some of the competition in the market. One of Nutanix’s hallmarks is also uncompromising simplicity, so both products can be quickly and easily deployed.

For those of you familiar with our joint solution for VMware, there we deployed a small Veeam backup proxy VM on each node, which locally backed up the VMs on that node. Hyper-V is a bit different, and actually more streamlined. Veeam installs a tiny backup agent on each Hyper-V parent partition, which handles the backup proxy functions. This means you don’t need to deploy a new VM on each node, saving some physical resources. The model is essentially linear scale-out of your backup infrastructure, distributing the load across your Nutanix nodes. Great complementary technology in action.


Since Nutanix fully supports multi-hypervisor deployments, it’s great to see the ability to leverage Microsoft VSS snapshots as part of the backup process. Veeam can take application consistent backups of enterprise applications like SQL, Exchange and Active Directory by leveraging Nutanix-based SMB 3.0 VSS snapshots. You are not relegated to just crash consistent backups, which may not meet your organization’s requirements. Support is provided in Nutanix NOS 3.5.4, and later, including 4.0.


One of the great aspects of our joint whitepaper is the variety of deployment models that we cover. This ranges from an all Nutanix solution, to hybrid using an existing physical Veeam backup server, or a dedicated backup appliance. Every customer is different, and this choice lets you pick which one best fits your environment.

The full gamut of Veeam restore options is available to Nutanix customers, including the ability to do fast restores and directly test your backups. No restore modifications are needed if you are using the Nutanix platform.

Best Practice Checklist

As part of the whitepaper we provide a detailed best practices checklist, so you can quickly see what the joint solution recommends and make sure you are following them. I won’t cover all 16+ here, but here are some highlights:

  • Use Hyper-V 2012 R2
  • Use a 64-bit operating system for the Veeam server(s)
  • Use Veeam Backup and Replication 7.0 patch 4 (or later)
  • Avoid active full backups and use reversed incrementals or forward incremental with synthetic full
  • Deploy a Veeam proxy agent on each Hyper-V parent partition
  • Configure backup jobs to use VSS for application consistency
  • Use Nutanix NOS 3.5.4 or 4.0 (or later)


A lot of collaboration went into the whitepaper, and went well beyond just Luca and myself writing the paper and getting it out of the door. We also tested the solution in the lab, to verify the settings and software versions worked as advertised. The VMware version of the paper was very well received, and so I hope this Hyper-V version is equally helpful to customers. You can download the full 23 page whitepaper here.

Aspiring VCDX Study Guide Link-O-Rama

With all of the recent newly minted VCDXs I thought I would start compiling a list of resources for those aspiring to become a VMware VCDX. This will be a living page, which hopefully will have links added as people make me aware of new content on the web.

There’s always a flurry of activity after defenses when newly minted VCDXs blog about their experiences. I was no exception to that rule, when I was minted VCDX #125. If you know of VCDX content that I don’t have links to here, please leave a comment to this post and I’ll add the links as I have time. Many of the pages below have additional links on them, so there’s a wealth of information here at your fingertips.

You can easily bookmark this permalink: (all lower case). The mentorship program is brand new, and a huge value add. Be sure to take advantage of it if you will be defending. If you are working your way towards a VCDX, you must get on Twitter. Great way to find people, get answers, learn about study groups, etc. Use the hashtag #VCDX.

The biggest piece of advice I can give to aspiring VCDXs is to join a study group in your area as soon as you decide to go for your VCDX. From brainstorming about your documentation taxonomy, to doing peer reviews, mock defenses, etc. this experience is invaluable. Don’t wait until the last minute before your defense to find a study group.


VCDX Boot Camp: Preparing for the VCDX Panel Defense
Storage Implementation in vSphere 5.0
Networking for VMware Administrators
vSphere 5.1 Clustering Deepdive
VMware vSphere 5 Clustering Technical Deepdive
Mastering VMware vSphere 5.5 
VMware vSphere Design
Essential VSAN
Disaster Recovery using VMware vSphere Replication and SRM
VMware vSphere 5.x Datacenter Design Cookbook
Virtualizing SQL Server with VMware
VCAP5-DCD Official Cert Guide

Official Certification Home Pages

VCDX-Datacenter Virtualization
VCDX-Network Virtualization


VMware vSphere Design Workshop


7 VMware VCDX Prep Videos
Few dozen VMware Certification Pro Videos
How to become a VCDX
VCDX Program, John Arrasjid
VMworld 2013: Software Defined Storage the VCDX Way
YouTube Videos
Artur Krzywdzinski, VCDX #77: VCDX Video and Presentation Online

VCDX Journey Stories

Derek Seaman, VCDX #125: VCDX in 180 Days
Josh Coen, VCDX #129: My VCDX Journey
Joe Silvagi, VCDX #175 My VCDX Journey <<New
Rob Nolan, VCDX #178: My VCDX Journey <<New
Hersey Cartwright VCDX #128: VCDX CXXVIII (#128)
Harsha Hosur, VCDX #135: My VCDX Journey (and stumbles along the way)
Joe Clarke, VCDX #138: How the path to VCDX will change you 
Niran Even-Chen, VCDX #142: To VCDX with a fictitious design
James Charter, VCDX #106: A VCDX Journey
Josh Odgers, VCDX #83: My VCDX Journey
Ray Heffer, VCDX #122: Achievement Unlocked: The tale of Double VCDX Certifications
Craig Kilborn: VCDX Defense – A Reality
Brad Christian: Running a VCDX Study Group and some lessons learned
Chris Kranz, VCDX #47: VCDX Journey
Simon Long, VCDX #105: Double VCDX
Samir Roshan, VCDX #124: The Path Less Traveled: My VCDX Experience
Tom Fojta, VCDX #99: My Journey to VCDX-Cloud
Jason Nash, VCDX #49: My VCDX Defense..or how I flew to San Francisco to Choke
Jason Nash, VCDX #49: Double VCDX and the new VCDX-NV
Frank Denneman, VCDX #029: VCDX Number 029
Joep Piscaer, VCDX #101: VCDX 101
Hugo Phan, VCDX: My VCDX Journey
Chris Wahl, VCDX #104: Go Go Gadget VCDX
Chris Wahl, VCDX #104: Double VCDX – What does it all mean?
Gregg Robertson: Extra VCDX Experience Achievement Unlocked
Magnus Andersson, VCDX #56: VCDX
Sunny Dua: Part 1 : VCDX – The Saga Of The Lost Title : The Design 
Andrew Brydon, VCDX #139: VCDX Presentation
Safouh Kharrat, VCDX #136: My VCDX Journey

VCDX Study Content

Derek Seaman, VCDX #125: VCDX-DCV Architecture Guide Outline
Joe Silvagi, VCDX #175, So you want to be a VCDX? Complete series
Rene Van Den Bedem, VCDX #133:  VCDX Prep Series (must read)
Josh Odgers, VCDX #83: Architecture Decisions
Michael Webster, VCDX #66: VCDX Application built on a foundation of beta software not good strategy for success 
Michael Webster, VCDX #66: VCDX Candidate Tips from Down Under Part 1
Michael Webster, VCDX #66: My Recommendations for VCDX Candidates
Paul Meehan, VCDX Constraint: LBT
Duncan Epping, VCDX #007: VCDX Tips from VCDX001 John Arrasjid
PlanetVM: VCDX Advice from VCDX001
Chris Colotti, VCDX #37: VCDX Defense Tips
Chris Wahl, VCDX #104: Using Sphere Elimination for Troubleshooting
Frank Denneman, VCDX #029: VCDX Tip: The Application Form
Duncan Epping, VCDX #007: 5 Tips for preparing for your VCDX Defense
Duncan Epping, VCDX #007: Cloud Infrastructure Case Study (Excellent)
Craig Kilborn: VCDX Paying it Forward
Tim Antonowicz, VCDX#112: VCDX Preparation Q&A
Matt Vandenbeld VCDX#107: VCDX Presentation Advice
VMware Cloud Architecture ToolKit (vCAT)
VCDX vBrownBag series
Gregg Robertson: VCDX Prep Round 2 (massive list of links)
Rectify your VCDX Design Issues in Defense Presentation
Handling sub-optimal design decisions before the VCDX Defense
Incorporating Business Requirements into your VCDX Presentation
Artur Krzywdzinski, VCDX #77:  Most Common Errors in VCDX Applications
Sunny Dua, VCDX – The Design and Defense Preparation
Frank Buechsel, Three Troubleshooting Scenarios

Other Resources

VCDX By the Numbers
vBrownBag EMEA VCDX Prep Special
vBrownBag Brian Suhr VCDX Journey
VCDX Spotlight Series
VMware VCDX Community
Google+ VCAP/VCDX Forum
Common VMware Certification Questions Answered
VCDX Timer
Meet the VMware Certified Design Experts (Official Directory)
What is the value of a VCDX to the VMware Ecosystem Partner?
FAQ for Unsuccessful VCDX Candidates
It takes a village to achieve VCDX Certification
Applying VCDX Principles for a better VMware Architecture and Operations
How Long does it take to become a VCDX?
VMware Certification Links
2014 VCDX Defense Schedule
How to Plan a VMware VCDX Mock Defense Panel
Infrastructure Architect and VCDX Enablement
Presenting the VCDX Value to your boss (Chris Colotti)  <<New

VMware vSphere 5.5 Toolkit v1.58 Live

As many of you know, one of my passions throughout my IT career has been security. Having worked in the Federal Government space for most of my career, making sure solutions are secure is always a top priority. Securing your VMware infrastructure is very important, and one of the primary tasks is using trusted SSL certificates. So last year I wrote the vSphere 5.5 Toolkit PowerShell script, which has had over 9,000 downloads! I had no idea it would be so popular. Here’s a screenshot of the main menu:


Features of the SSL toolkit script include:

  • Downloads and installs the proper version of OpenSSL if it’s not already installed
  • Creates 2048 bit RSA private keys in the proper format
  • Creates a directory for each service bundle of SSL certificates
  • Generates seven OpenSSL configuration files, one for each certificate, in the appropriate directory
  • Downloads both root and subordinate root public certificates
  • Submits the CSRs to the online CA and downloads the certificates
  • Creates the needed service PEM files for the vCenter certificate automation tool
  • Creates the required root/subordinate PEM files
  • Handles the special SSO 5.5 certificate requirements
  • Does NOT require PowerCLI
  • Assumes all vCenter components are on one server
  • Automatically uses the hostname of the server you run the script on for all certificates
  • Creates a pre-filled vCenter Certificate Automation environment script – Just run!
  • Works with offline CAs
  • Creates SSO 5.5 certificate replacement files – Only used if manually replacing certs
  • Creates customized SQL vCenter and VUM database creation script
  • Creates SQL ODBC DSNs for vCenter and VUM
  • Automatically downloads and installs SQL 2008 R2 or SQL 2012 client package
  • Linux vCenter Server Appliance support for online minting and offline CSR creation
  • Creates certificates for Auto Deploy, Dump Collector, Syslog collector, Authentication Proxy
  • Supports Microsoft CAs that require manual certificate approval

I’ve now updated the script with some minor modifications for v1.58, dated July 12, 2014:

  • Updated OpenSSL download to 0.9.8za
  • Removed SQL 2012 SP1 client download (link broken)
  • Fixed Database creation script bug
  • Added additional error handling and PowerShell-ized more commands
  • Changed the file to use sts in the URI per KB2058519

These are incremental updates, and the base functionality has remained the same. I am hoping for vSphere v.Next that VMware will streamline the whole process and give SSL replacement a makeover. I have no idea if this is in the works or not.

As always, you can download the latest version of the toolkit script from: If you are using an older version I suggest you grab the latest copy. If you want full SSL lifecycle management and a paid solution, I recommend you check out the VSS Labs vCert Manager, which you can find out about here.

Also remember to check out my 20 part vSphere 5.5 series, which covers the usage of the toolkit script and a whole lot more. You can find that series at:

Citrix Validated Solution for Nutanix on Hyper-V

Hot off the Citrix presses is a very thorough solution design document, called Citrix XenDesktop 7.1 on Microsoft Hyper-V Server 2012 R2 on Nutanix Virtual Computing Platform. Whew, that’s quite a mouthful. What is it? It’s a document, nearly 100 pages long, detailing how to deploy both Citrix VDI (XenDesktop) and RDS (XenApp) for 1,000 users on the Nutanix platform.

It provides prescriptive guidance for these components including the design, configuration and deployment settings that customers can mirror and quickly adopt for their environment. This reduces risk, decreases deployment time, and increases confidence in the solution as a whole.

Components of the solution included Windows Server 2008 R2 for hosted shared desktops, Windows 7 x64 for hosted virtual desktops, all running on the Nutanix NX-3060 platform. Login VSI was used to simulate the 1,000 user workload for both scenarios. What I really like about the document is how thorough Citrix was in documenting every aspect of the test environment. And by every aspect, I really do mean every aspect.

For example, they list the complete list of required hardware, VM HW specs, load balancing details, user profile types, software versions down to all Windows baseline applications, licensing details, GPOs, NIC teaming setup, Hyper-V storage configuration, VMM configuration, shared folder paths, and a lot more. Everything you need to exactly replicate the configuration is in the document, and that’s no small feat.

I’m not easily impressed, and this document blew me away. The figure below is an example of 1,000 hosted shared desktops, and how they are distributed across several Nutanix nodes.

And here’s another diagram from the document showing the various Citrix components and how they relate to each other.

If this interests you at all, then I would highly suggest that you check out all the available resources. This includes a webinar with Nutanix’s Lukas Lundell, a two-page solution brief here, and the complete 90+ page CVS document here. Happy reading!

VSS Labs vCert Manager Part 2

This is part 2 of the VSS Labs vCert Manager installation and configuration series. In Part 1 we got vCert Manager installed, and secured with a trusted SSL certificate. In this section we will get into the nuts and bolts configuration and start replacing certificates.

vCert Manager Configuration

1. First we will set up an SMTP server, which is used to send email notifications of various events such as expiring certificates. Log in to vCert Manager and from the main menu select Settings. Then in the left pane under Company Settings select Portal Settings.

2. Enter the SMTP server details for your organization. Notice that the tool supports SSL encrypted SMTP, and SMTP authentication. You can even test out the SMTP authentication from right within the tool. Here you can also set up different notification settings. I’ll just leave the defaults here.


3. You can also configure SYSLOG settings. You can easily change the port number, and protocol (TCP/UDP). This is great for services such as Splunk, where you can customize different SYSLOG listeners on different ports. Click the Save icon on the left to save all of your settings.


4. In the left pane click on Company Profile and fill out the details. These will be used for certificate generation.


5. In the left pane click on My Account. Here you can change the password for the default ‘admin’ account. Change it to a nice complex password.


6. In the left pane click on Sites and change the site name to something relevant to you. This should reflect where the vCenter components reside. Mine are in San Diego.


7. The tool also supports role based access controls (RBAC), and you can add additional accounts that have different levels of permissions. Roles include Home, Cert Manager, Administration, Settings, Reports, Logs, About.

8. Now we need to establish a connection to our Microsoft CA. On the main page click on Administration in the top banner. In the left pane click on Certificate Authorities. Click on the green Add button. Fill in the details as needed. I would suggest setting up a service account that has proper permissions in your CA, rather than your normal admin account like I show below. Better security, and better traceability. Shame on me. Click on Get Templates and select your VMware SSL template that you’ve already created.


After you add the CA, it will now be shown in the middle status pane.


9. In the left pane click on Infrastructures. Click on the green Add button. Enter your vCenter details, and service account information. Again, use a service account here and not your administrator account like I did. Test the connection to validate the information.


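10. Now you will probably get a large certificate warning screen, since your vCenter certificate is probably not trusted at this point. Click on the I trust this certificate button. Before you do, confirm that the certificate is the one your vCenter server actually presents (for example by comparing its thumbprint), because you are trusting it manually rather than through a CA chain.
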
11. Next up is a credentials page where you need to enter passwords several times for the various components that it detects. After all of the passwords are entered, click on the Trust buttons for SSO and Inventory service. Note that if you are using Windows authentication or SQL express for vCenter, just enter a dummy password in the DB Password field.



12. On the main menu bar click Cert Manager. You should now get a nice little graphic with the quantity of discovered components.


13. Click on the vCenter FQDN and you will see a table format of the same information.


We are now ready to actually replace the certificates. That will be coming up in Part 3. Stay tuned!