VMworld 2017: Virtualizing AD

Session: VIRT1374BU: Matt Liebowitz

AD Replication
-Update sequence number (USN) tracks updates and is globally unique
-InvocationID – Identifies the DC’s instance of the AD database
-USN + InvocationID = Replicable transaction

Why Virtualize AD?
-Fully supported by Microsoft
-AD is friendly towards virtualization (low I/O, low resource)
-Physical DCs waste resources

Common objections to virtualizing DCs
-Fear of stolen vmdk
-Privilege escalation – VC admins do not need to be domain admins and vice versa
-Must keep xx role physical – a myth; there is no technical or support reason
-Timekeeping is hard in VMs

Time Sync
-A VM guest will get its time reset on vMotion and when resuming from suspend. If an ESXi host has a bad time/date, it can cause weird “random” problems when DRS moves DCs around.
-There’s a set of ~8 advanced VMX settings to totally disable time sync between the guest and the ESXi host. Recommended for AD servers. See screenshot below.
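As an added audit helper written for these notes (not VMware code), the script below parses a .vmx file and checks the eight advanced settings from VMware KB 1189 that stop VMware Tools from pushing ESXi host time into the guest on vMotion, resume, snapshot restore and Tools start-up; the sample .vmx body is constructed.

```python
"""Audit helper written for this post, not VMware code. It parses a .vmx
file and checks the eight advanced settings from VMware KB 1189 that stop
VMware Tools from pushing ESXi host time into the guest on vMotion, resume,
snapshot restore and Tools start-up. A DC should take time from the domain
hierarchy, so every key should be present and explicitly disabled."""
import re

# The eight keys VMware documents; KB 1189 uses "FALSE" for tools.syncTime
# and "0" for the time.synchronize.* events.
TIME_SYNC_KEYS = (
    "tools.syncTime",
    "time.synchronize.continue",
    "time.synchronize.restore",
    "time.synchronize.resume.disk",
    "time.synchronize.shrink",
    "time.synchronize.tools.startup",
    "time.synchronize.tools.enable",
    "time.synchronize.resume.host",
)
_VMX_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text):
    """Return {key(lowercased): value} for a .vmx body; comments and blanks skipped."""
    cfg = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2).strip()
    return cfg


def time_sync_findings(cfg):
    """List keys that are absent or not disabled ("0" / "FALSE", case-insensitive)."""
    findings = []
    for key in TIME_SYNC_KEYS:
        value = cfg.get(key.lower())
        if value is None:
            findings.append(f"{key}: not set explicitly")
        elif value.upper() not in ("0", "FALSE"):
            findings.append(f"{key}: set to {value!r}, expected disabled")
    return findings


# Constructed sample: a DC whose admin disabled most, but not all, sync events.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "DC01"
guestOS = "windows9srv-64"
tools.syncTime = "TRUE"
time.synchronize.continue = "0"
time.synchronize.restore = "0"
time.synchronize.resume.disk = "0"
time.synchronize.shrink = "0"
time.synchronize.tools.startup = "0"
time.synchronize.tools.enable = "0"
"""

if __name__ == "__main__":
    for finding in time_sync_findings(parse_vmx(SAMPLE_VMX)):
        print("FINDING:", finding)
```

Run it against a DC's .vmx pulled from the datastore; an empty findings list means all eight keys are present and disabled.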

Virtual machine security and Encryption
-vSphere supports VMDK encryption
-Virtualization based security – WS2016 feature – supported in future vSphere version

Best Practices

Domain Controller Sizing
USN Rollback
-Happens when a DC is sent back in time (e.g. snapshot rollback)
-DCs can get orphaned if this happens since replication is broken
-If this happens, it’s a support call to MS and a very long, long process to fix it

VM Generation ID
-A way for the hypervisor to expose a 128-bit generation ID to the VM guest
-Need vSphere 5.0 U2 or later
-Active Directory tracks this number and prevents USN rollback
-Can be used for safety and VM cloning
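A toy model of the USN rollback and VM Generation ID sections above, added to these notes as an illustration (it is not Microsoft or VMware code, and the DC names, users and generation-ID values are made up): two DCs replicate by InvocationID plus USN high-watermark, DC1 is restored from a snapshot, and the outcome is compared with and without the hypervisor exposing a new generation ID.

```python
"""Toy model of AD replication bookkeeping, written for this post.
Each DC identifies its copy of the database with an InvocationID and
stamps every local change with an increasing USN. A partner remembers,
per InvocationID, the highest USN it has already pulled (its high-watermark)
and only asks for changes above it. A snapshot restore sends DC1 back in
time: without a VM Generation ID the DC keeps its InvocationID, reuses USNs
the partner has already consumed, and those changes are never replicated
(USN rollback). With the generation ID exposed and checked at boot, the DC
takes a new InvocationID instead and the partner starts from USN 0 for it."""
import copy
import uuid
from dataclasses import dataclass, field


@dataclass
class DomainController:
    name: str
    vm_generation_id: bytes                      # value the hypervisor exposes
    invocation_id: str = field(default_factory=lambda: uuid.uuid4().hex)
    usn: int = 0
    changes: dict = field(default_factory=dict)  # local usn -> change
    stored_generation_id: bytes = None           # value saved in AD at last boot
    high_watermarks: dict = field(default_factory=dict)  # partner invocation_id -> usn
    replicated: list = field(default_factory=list)

    def boot(self):
        """AD compares the stored VM-GenID with the one the hypervisor shows now.
        A mismatch means the VM was rolled back or cloned, so start a new replica
        identity (a real DC also discards its RID pool; omitted here)."""
        if self.stored_generation_id not in (None, self.vm_generation_id):
            self.invocation_id = uuid.uuid4().hex
        self.stored_generation_id = self.vm_generation_id

    def write(self, change):
        self.usn += 1
        self.changes[self.usn] = change
        return self.usn

    def pull_from(self, src):
        """Request everything above our watermark for src's current InvocationID.
        (A real partner also de-duplicates via the up-to-dateness vector.)"""
        watermark = self.high_watermarks.get(src.invocation_id, 0)
        new = [(u, c) for u, c in sorted(src.changes.items()) if u > watermark]
        for u, c in new:
            self.replicated.append(c)
            self.high_watermarks[src.invocation_id] = u
        return [c for _, c in new]


def simulate(hypervisor_exposes_genid):
    """Return the changes DC2 holds after DC1 is restored from a snapshot."""
    dc1 = DomainController("DC1", vm_generation_id=b"gen-A")
    dc2 = DomainController("DC2", vm_generation_id=b"gen-B")
    dc1.boot()
    dc2.boot()
    dc1.write("create user alice")
    dc1.write("create user bob")
    dc2.pull_from(dc1)
    snapshot = copy.deepcopy(dc1)           # hypervisor snapshot taken here (USN 2)
    dc1.write("create user carol")
    dc2.pull_from(dc1)                      # DC2's watermark for DC1 is now USN 3
    dc1 = snapshot                          # snapshot rollback: DC1 is back at USN 2
    if hypervisor_exposes_genid:            # vSphere 5.0 U2+ hands the VM a new ID
        dc1.vm_generation_id = b"gen-A-restored"
    dc1.boot()
    dc1.write("create user dave")           # becomes USN 3 again
    dc2.pull_from(dc1)
    return dc2.replicated


if __name__ == "__main__":
    print("without VM-GenID:", simulate(False))  # dave never replicates
    print("with VM-GenID:   ", simulate(True))   # dave arrives under the new InvocationID
```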

Domain Controller Cloning
-Microsoft has an established process to do this, using hypervisor snapshots.
-Do NOT hot clone your DCs! Totally unsupported and will cause a huge mess.

VMworld 2017: Extreme Performance

Session: SER2724BU

The Performance Best Practices guide for vSphere 6.5 is now out. Download now!

Baseline best practices
-Use the most current release
-HW selection makes a difference
-Refer to best practice guides
-Evaluate power management
-Rightsize your workloads
-Keep hyperthreading enabled
-Use DRS to manage contention
-Do NOT use resource pools – more harm than good
-Monitor oversubscription
-Use paravirtualized drivers

-Compute: Contention – CPU ready, co-stop
-Memory: Oversubscription – balloon, swap
-Storage: Service time – device and kernel latency

-Poor NUMA locality (N%L)
-pNUMA does not match vNUMA
-VM config should match physical topology (don’t make wide VMs)
-Don’t create a VM with a larger vCore count than pCores

Keep things up to date
-Virtual hardware can make a performance difference
-38 changes were made in vHW 11 alone
-Use latest vHW

Power Management
-New in 6.5 is %A/MPERF in ESXtop to see power management. Over 100% means turbo mode.
-“Balanced” mode allows turbo mode
-Always set BIOS to “os controlled”
-High performance caps turbo opportunity – good for large VMs – required for latency sensitive workloads
-“high performance mode” should be used for benchmarking since it results in the most stable results

-25% more performance, approximately
-Latest processors may be higher performance

VMworld 2017: vSphere SSO Architecture

Session: SER2940BU. Speakers: Emad Younis, Adam Eckerle

Embedded PSC: Totally supported for production usage. It’s not just test/dev. Use this model if you don’t need enhanced linked mode. It is the simpler model; use it if it meets your needs.

External PSC: Allows linking of vCenters via linked mode. Tags, roles, global permissions, licensing all replicate throughout the entire SSO domain. Up to 15 vCenters can point to a single PSC in 6.5 U1. Not recommended, but you can do it.

In vSphere 5.5 you can consolidate SSO domains. So consolidate BEFORE you deploy any 6.x versions. After you deploy any 6.x component, you are locked into your SSO domains. If doing this merge, make sure you un-install/remove the embedded SSO component before you upgrade to vSphere 6.x.

Within an SSO domain, you can’t mix versions of products. So if you have islands of vCenters, you may NOT want them linked together. This will require that you upgrade everything together. Very applicable to vBlock environments and their islands of vCenters.

A site is a logical grouping of PSCs. PSCs are multi-master and replicate every 30 seconds.

Recommendation: If you have multiple PSCs spread across multiple sites, you can optionally use “vdcrepadmin” to add more replication agreements. Do NOT add just for the sake of adding. Only add agreements if absolutely needed.

In vSphere 6.5 you can only repoint a vCenter intrasite to another PSC (not across sites). Refer to “cmsso-util”. Cross-site repointing is not allowed because the added latency causes performance issues.

VMware recommends a max of 100ms between PSCs in the “same” logical site. VMware will support all PSCs in the same site, but it’s not recommended. VMware does not want vCenters talking to remote PSCs.

There’s no current method to migrate from a Windows vCenter with an external PSC to the VCSA with an embedded PSC. VMware said in the future this scenario may be possible.

You can NOT move a vCenter from one SSO domain to another (today).

Built-in SSO load balancing may come in a future vSphere release, so no third-party LB such as F5 or NetScaler would be needed.

If you want to deploy multiple vCenters globally, don’t do a global SSO domain. It can be a disaster. Set up regional SSO domains for best performance.

VMworld 2017: Predictive DRS Best Practices

Session: SER2849BU

Case 1: VM performance can suffer due to resource constraints/surges

Case 2: Inefficient usage of resources due to reserving capacity for peak loads.

-Move VMs after contention occurs

-Statically reserve more resource
-Learn workload pattern, and move before VMs spike

What is the best solution? Predictive DRS

What is Predictive DRS?
-DRS enabled with predictions
-DRS scheduling + vROPs analytics

How does it work?
-Resource usage from vCenter
-vROPs consumes the data
-Predictions are made
-DRS invoked to perform optimizations

vROps Dynamic Thresholds (DT)
-Sophisticated analytics – 10 algorithms
-Learns normal behavior
-Detects hourly, daily, monthly patterns
-Generates upper and lower dynamic thresholds
-Predictions are then sent to vCenter

Software Requirements
-vSphere 6.5 Enterprise Plus
-vROps 6.4 or 6.5
-Time sync between vCenter and vROps needs to be less than 5 minutes

Speaker shows a demo of a ‘follow the sun’ scenario with workloads spiking at different times on a regular pattern. pDRS learned the pattern and vMotioned VMs to make sure VMs had enough resources. He shows a performance graph where pDRS headed off performance issues, resulting in consistent VM performance.

DPM with Predictions
Speaker asks audience to raise hands if anyone is using DPM. Two people raise their hands.
-Predictions can proactively power up ESXi hosts to absorb the workload demand

-Workloads it can predict: Periodic usage pattern
-Short spikes of a few minutes will not be predicted
-The more consistent the workload, the more accurate it will be

Learning Period
-Set to 14 days by default
-The longer the period, the better the accuracy
-Predictions only happen after 14 days

-Compute dynamic thresholds – Calculated once a day, or push a button to force a new calculation.
-Lookahead interval – Amount of time DRS looks ahead while accounting for predictions – default is 1 hour

Identify vMotions due to Predictions
-Not a clear answer as there can be a mix of VMs with predictions and those without
-pDRS moves are only in logs


VMworld 2017: Day 2 Keynote

Pat Gelsinger walks on stage and welcomes Michael Dell to the stage. Pat and Michael are doing a prepared Q&A.

First question is regarding lackluster support, such as quality of people and hold times. Pat says he is disappointed in hearing such feedback, as he thinks they have good NPS scores. But Pat said they are very focused, and will have some internal followup. VMware is also introducing Skyline, and proactive support. They want to be your best technology partner.

Second question is about AI, future topics, machine learning. Michael says we are in the most exciting times in human history. Cost of making something intelligent is almost zero. It’s game on! An enormous amount of data created from IoT is amazing. They overlay interesting computer science on top of this data, and the possibilities are endless. Dell thinks a lot about data and AI. Dell is seeing lots of new use cases. If you are not thinking about how you will be using this new data, you are doing it wrong. Pat speaks up and says in 1984 he was architecting the 486 and how they could use it for AI back then. But real AI wasn’t possible until the scale of compute and storage today. Michael says there is a coming boom in edge data, and new requirements in how you deal with that data.

Next question is in the area of SMB, and “don’t forget about us.” Michael says most new jobs are created in small and medium size business. Dell has added 10s of thousands of new small and medium customers. Dell is reimagining their products to support the SMB. Pat states they have 500,000 customers and most of them are SMBs. Pat commits to make sure SMB is kept in mind.

Next question is about ecosystem, HCI, and breadth of partnerships. Michael says he is committed to a thriving ecosystem, and it is a key part of VMware’s success. He says the partner ecosystem is as strong as ever. Amazing things going on with NSX. VMworld has 400+ partners here. Pat says he’s not so excited about some of the partnerships.

Synergy. Creating value together. How are Dell and VMware innovating together? Michael says cross-selling and a deep level of technical integration with their stacks, while retaining an open ecosystem. Pat also states strong synergy, like VxRail. Michael says customers have lots of innovation around containers and new applications.

CEO of Pivotal (Rob) comes on stage.

Pivotal says they are now working with world class companies, and are in use at 50% of the Fortune 500. Michael says all customers are facing similar challenges, such as finding new value in their apps. Rob says customers have thousands of legacy applications. Pivotal has been working with containers for a very long time. Pivotal Container (with a K) Service (PKS) is a new offering! It uses Google cloud engine, NSX, and comes out of the box with full integration and Kubernetes. Sam from Google cloud comes on stage. Sam says containers are coming at warp speed. Google has taken 10 years of container orchestration and knows how to run billions of containers. They’ve poured that into Kubernetes, and GKE (Google Kubernetes Engine). Sam says customers want to run compute wherever they want. PKS is built on Cloud Foundry. Michael says customers wanted partnership and integration.

VMware CTO Ray O’Farrell comes on stage. Ray says many of the new services are delivered as SaaS. They are also aiming at developers to help make your company unique. Ray will now do demos of a variety of VMware products. Ray plays a video about a fictitious company to help illustrate problems that companies face today. They then run through a few VMware products and how they solve the customer problems. They give a demo of AppDefense and various other products.

VMworld: What’s new in vSphere

Session: SER2342BU Mike Adams

vSphere 6.5 Updates:

Simplified experience – One appliance, modern APIs, simplified architecture

Built-in security- Secure data, secure infrastructure, secure access, better logging, trusted boot chain

Universal app platform – Any application, anywhere, VMware core technology

Proactive data center management – Predictive DRS, proactive HA, integration of vSphere & vROPS

–vSphere 6.5 upgrade path finder (Google it)

vSphere 6.5 U1

HTML5 GUI has 90% functionality
vCenter Server Foundation now supports 4 hosts
vSphere 6.0 U3 to vSphere 6.5 U1 upgrade path supported
Product tested for over 8 months
vSphere 6.5 support is now 5 years (Nov 21, 2021)

New Areas for vSphere
vSphere scale-out PnP approach for big data and HPC – different license
EULA restrictions on what workloads – HPC and big data only
Trying out a ‘basic’ edition in China for two quarters – reduced feature set

vSphere Tech Preview and Highlights
Hybrid linked mode across multiple clouds – Mixed version support, data sharing, cross-cloud deployments
ESXi Upgrade without a reboot – Hot upgrading of ESXi version
NVMe support
NVM – tech preview
QAT – QuickAssist (Intel chip) – roadmap – compression and encryption acceleration
FPGA – roadmap

VMware Cloud on AWS
vSphere, vSAN, and NSX plus vCenter
Consumption model is host level – minimum 4 hosts up to 16 per cluster
Takes ~2 hours to deploy
Add a new host in under 10 minutes
DRS can proactively add a new host to load balance
1-yr is 30% less than on-demand and 3-yr is 50% less than on-demand
15-20% more than regular public cloud costs
Cloud is on a quarterly update schedule and will trickle down to on-site installs
Direct connect is optional

VMware AppDefense

Capture, detect, respond
You do not have to have NSX, but it is better with it

Bits and Bytes

vSphere 5.0 and 5.1 EOS was 8/24/2016
vSphere 5.5 EOS is 9/9/2018
vCenter on Windows going away after the next major version
Flex client (Flash) will not be offered after the next major version


VMworld 2017: Storage at memory speed

Session: FUT3040BU, Richard Brunner

Speed analysis is dependent on storage and database access latency. A key component is local storage latency – nothing can compete with DRAM

What if you can move storage closer to the processing? You can with byte-addressable persistent memory (PMEM)

Future vSphere will bring PMEM support using a virtualized NVDIMM device

What is PMEM? Few hundred nanoseconds latency; byte-level access; regular non-privileged access; load/store CPU instructions

Updating storage at a finer-grained level – read/modify/write latency is vastly less than block storage

Uses: fast-caching layer; database logs; etc.

With future vSphere release – no VM driver needed. Guest storage is directly mapped to PMEM transparently.

PMEM is vMotion and FT compatible

DIMM size can range from 8 GiB to 100s of GiB

PMEM Tech: 3D XPoint; HPE DIMMs; HybriDIMM

All PMEM solutions need a way of ensuring that the last set of updates have ‘made it’ to the persistent media

Server hardware, firmware, and software support

VMware Implementation of PMEM

Concept: Virtualize and manage NVDIMMs; accelerate legacy and modified applications; virtual disks stored on PMEM; byte-addressable virtual hardware

Two access methods: vSCSI with VMDK; vNVDIMM with modern OS (WS2016)

FT will be compatible with vNVDIMM for high availability

vCenter & DRS will support PMEM and manage it at a cluster level

Maintenance mode can also vacate powered-off hosts and move their data

New VM creation workflow will have a PMEM storage option

Add new device will now have a NVDIMM option – up to 64 per VM

Storage migration will also support NVDIMM

Modes of operation:

NVMe SSD – Requires emulation and multiple layers to access device – slowest mode

vPMEMDISK – No storage stack needed and faster performance

vNVDIMM – only a filesystem needed – very fast

vNVDIMM DAX – (Direct access mode) directly maps blocks into the application (fastest)

DAX mode – 35GB of persistent data written in a second (512KB random writes)

VMworld 2017: VMware Cloud on AWS: Storage

Session: STO1980BU, Ben Meadowcroft, Matt Amdur

Any Cloud, Any Application, Any Device

VMware Cloud on AWS

  • SDDC running on AWS bare-metal
  • Sold, operated and supported by VMware
  • Support for containers and VMs
  • Global AWS footprint and availability

Physical host config:

Based on i3p.16xlarge
2 sockets
8x 1.788 NVMe GB – encryption with keys stored in AWS
36 cores per host
Raw capacity tier of 10TB per node
2 disk groups per host
No dedupe/compression
No vSAN encryption – uses HW encryption

Cluster config:
Cluster size of 4-16 nodes
Each cluster has 1 vCenter
vSAN now has 2 datastores – 1 for VMware only, 1 for customer only

Software upgrades of the cluster:
New host is provisioned and added to the cluster – so no HA capacity is lost
Software upgraded in a rolling fashion
After all software is upgraded, the ‘new’ host is removed
This is all done by VMware during customer scheduled maintenance windows

Cluster Failure remediation:
Host fails or problem identified
New host added to cluster (10 min)
Previous host evacuated from cluster
This process is all automated and transparent to the customer

Increase effective capacity from 5.7TB per host (w/ RAID5 ECX)
Enable dedupe/compression
Stretch vSAN clustering for increased data resiliency
Provide stretched networking for customer workloads
Nested fault domains – RAID-1 across AZ, RAID-5 within AZ
Disaster recovery on AWS

VM backup – VADP based backups
Disaster recovery – Third party VAIO-based DR
External storage access – In-guest access to cloud storage

VMworld 2017: App security with AppDefense and NSX

Session: SAI3237SU, Tom Corn, Sr. VP Security Products

Network exploitation is easier today due to the distributed nature of applications and components. Hack one layer, and you can move across boundaries via application firewall holes. We need to shrink the attack surface area. Least privilege. Align controls to applications. Microsegmentation is network layer least privilege. Securing the network can align security with applications. New notion of least privilege compute. This new concept is ‘ensuring good’ vs. ‘chasing bad’.

AppDefense: Capture; Detect; Respond

Capture: Intended state & runtime state. Hypervisor can see what’s running and what’s provisioned. Intended state engine hooks into vCenter and provisioning systems (Puppet, Chef, vRealize) and automation frameworks (Jenkins, Ansible, etc.). Machine learning kicks in and uses ESXi. This information is broken into manifests for each VM and placed into a protected zone. A monitoring process is also in the protected zone. If something changes, AppDefense is aware. A library of incident responses (suspend, snapshot, block, alarm, quarantine, etc.) is included. Security teams will get notified and can work with the application teams.

Security ecosystem: Palo Alto, IBM Security, Symantec, RSA, Carbon Black, Trend, SecureWorks, etc.

AppDefense Demo

Shows a 3-tier application (web server, app, SQL database). Shows the manifest file for the service tiers. The ‘security’ guy comes on stage to review the application prior to app deployment. Next a hacker comes on stage to break into the app.

Kill chain (3 attacks): Exploitation, Extraction, Exfiltration

Hacker shows an SQL injection attack that opens a remote TCP connection to Metasploit. The remote shell is a Windows CMD shell with admin rights. He then uses a PowerShell script to extract the data from SQL. He then uses a Python script to exfil the data.

AppDefense has Puppet integration, and crawls the Puppet config. AppDefense now knows about all the app tiers and configuration and pulls that in. It auto-discovers ports and protocols, and visually displays a map. AppDefense can also pull in reputation data from third parties. After 10 days of learning, 90 pre-verified behaviors are captured. Only one needs manual review. For the manual review you can click ‘send to owner’, which sends it to an Android mobile phone app for approval. The app owner can then approve or reject from their phone.

Now that the verified scope is done, you can then put the app into protected mode. The hypervisor will now start monitoring behaviors. Gives you a choice of remediation options (block, alert, snapshot, power off, suspend, quarantine). Admin is presented with the short list of rules they can enable/disable or make automatic or manual.

Resumes hacking attempt

Shows that the Python injection attack on the login page no longer works. The outbound connection is blocked. If the attacker somehow gets in by another method and launches his PowerShell script to extract the data: he is using a legit connection, but the process making the connection is bad, and AppDefense stops that.

Now they show the AppDefense console and the alarms triggered by the hacking attempts. AppDefense looks at the CLI that launches the connection and verifies that it is valid. For example, connecting to the DB via 1433 is normally allowed, but AppDefense can see that PowerShell was making the connection and not the app, and block it. Basic IP/port block/allow is not enough.
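A constructed illustration of the check just described, added to these notes (it is not AppDefense code): a per-VM manifest of verified behaviors pairs the process image with the destination it may reach, and runtime connection events are judged against it, so the same port allowed for the app binary becomes an alarm when PowerShell opens it. VM names, process names, addresses, ports and the response map are all assumed.

```python
"""Toy version of the 'ensure good' check from the demo, not AppDefense
code. A per-VM manifest lists verified behaviours (process image plus the
destination network and port it may talk to). Runtime connection events are
compared against it; the process image is part of the rule, so a verified
port reached by an unexpected image is still an alarm."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Behavior:
    process: str        # image name, compared case-insensitively
    dest_port: int
    dest_net: str       # CIDR the process may reach on that port


# Verified behaviours captured during the learning period (assumed values).
MANIFEST = {
    "app-tier-vm": (
        Behavior("appserver.exe", 1433, "10.0.2.10/32"),   # app -> SQL tier
        Behavior("appserver.exe", 443, "0.0.0.0/0"),       # app -> any HTTPS
    ),
    "web-tier-vm": (
        Behavior("nginx", 8080, "10.0.1.0/24"),            # web -> app tier
    ),
}

# Remediation chosen per alarm class, from the options the console offered.
RESPONSE = {
    "unverified process": "block",
    "unverified connection": "alert",
    "unprotected vm": "alert",
}


def _reaches(b, port, dst_ip):
    """True if behaviour b covers this destination port and address."""
    return b.dest_port == port and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(b.dest_net)


def evaluate(event):
    """Return (verdict, alarm_class or None, response or None) for one event."""
    allowed = MANIFEST.get(event["vm"])
    if allowed is None:
        return "alarm", "unprotected vm", RESPONSE["unprotected vm"]
    proc, port, dst = event["process"].lower(), event["dest_port"], event["dest_ip"]
    if any(b.process == proc and _reaches(b, port, dst) for b in allowed):
        return "allow", None, None
    # Port and destination are verified, but for a different image:
    # the powershell.exe -> 1433 case from the demo.
    if any(_reaches(b, port, dst) for b in allowed):
        return "alarm", "unverified process", RESPONSE["unverified process"]
    return "alarm", "unverified connection", RESPONSE["unverified connection"]


# Constructed runtime events (what the hypervisor-side monitor would report).
EVENTS = [
    {"vm": "app-tier-vm", "process": "appserver.exe", "dest_ip": "10.0.2.10", "dest_port": 1433},
    {"vm": "app-tier-vm", "process": "powershell.exe", "dest_ip": "10.0.2.10", "dest_port": 1433},
    {"vm": "app-tier-vm", "process": "python.exe", "dest_ip": "203.0.113.9", "dest_port": 4444},
    {"vm": "web-tier-vm", "process": "NGINX", "dest_ip": "10.0.1.20", "dest_port": 8080},
    {"vm": "db-tier-vm", "process": "sqlservr.exe", "dest_ip": "10.0.2.1", "dest_port": 53},
]


def run(events=EVENTS):
    """Evaluate every event; returns (vm, process, verdict, alarm_class, response) rows."""
    return [(e["vm"], e["process"], *evaluate(e)) for e in events]


if __name__ == "__main__":
    for row in run():
        print(row)
```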

The hacker now looks inside the VM for the process that is blocking his actions. He then launches a script that injects into the security process some custom code. The AppDefense response to the tampering is to take an action, which is to suspend the VM. The hacker was then booted out.


VMworld 2017: Day 1 Keynote

Note: This week I’ll be live blogging from VMworld 2017. As always, this will be live, and so please excuse my typos and grammar issues.

Pat Gelsinger walks on stage. This is Pat’s 6th VMworld and he became CEO 5 years ago. Pat mentions the disaster in Houston and sends his prayers and thoughts.

Pat talks about science fiction now becoming fact. Quantum entanglement, Zika-resistant mosquitoes, self-driving cars, etc. Tech has left the nest. Tech is now restructuring entire industries. Digital media has now surpassed revenues for traditional media. Mentions RealPlayer and Winamp. Some industries are only 1/10 of the way to a digital transformation. 200 years ago 85% of families were involved in agriculture. Today it’s 1-2%. Today is about higher paying jobs and higher quality life.

Fundamentally companies have to reshape themselves in the digital age. VMware vision: Any cloud, any application, any device. An ebb and flow between centralized computing and de-centralized computing (e.g. cloud moving to edge). Apps and IoT are exploding data. Pat mentions VMware Pulse IoT partnership in beta with Toyota and Fujitsu.

Apps are about unleashing your potential, on any device. Consumer simple but enterprise secure. Apps and identity; Management and security; Desktop and mobility. AirWatch manages iOS, Chromebooks, Android, Windows, etc. HP announces the partnership with VMware for Workspace ONE into HP’s managed services offering.

Sanjay Poonen comes on stage with a Capital One rep (Jennifer) to talk about EUC. Capital One bills itself as a tech company that happens to also be a bank. They are an AirWatch and Workspace ONE customer. They want a consistent and unified experience, and they now have it. On the horizon: machine learning.

Back to Pat.

Private cloud – VMware has now virtualized the datacenter.

Today: A faster and simpler solution is needed. VMware Cloud Foundation with automated lifecycle management. V2.2 is now announced. Hyperconverged: vSAN has 10,000 customers. VMware vSphere 6.5 is mentioned.

Public cloud: VMware and AWS partnership. Welcomes the CEO (Andy Jassy) of AWS to the stage. The same operational consistency between on-site and public cloud. Flashes a number of early beta customers on the screen. And they show a partner ecosystem slide with DXC, Accenture, and others. All availability zones will have a VMware option by the end of 2018.

VMware cloud strategy: Make private cloud easy, deep partnership, expand partner network

Consistent operational environments across clouds: Google, AWS, etc. That’s what VMware Cloud Services is all about. NSX is a common networking feature across clouds. Consistent infrastructure, consistent operations, richest network, delivering IT agility.

Sanjay Poonen back on stage with Medtronic (Medical device company). Company vision has changed from a medical device company to a services company.

Pat is back.

At the heart of everything VMware is doing is networking, and by extension, NSX. VMware is stretching NSX into the public cloud and containers. NSX will be as important to VMware as vSphere was for the last 10 years.

Sanjay Poonen is back with a Cloud Architect from Sysco. NSX for them has been transformative. They are deploying microsegmentation today. Sysco also uses Workspace ONE. Currently transforming into product teams internally. Looking at micro-services, containers.

Pat is back.

Most important topic: Security. Attack vectors become more and more complex. “We the tech industry” have failed the customers. VMware has three parts to address this: Secure the infrastructure, integrated ecosystem, cyber hygiene.

Five pillars of cyber hygiene: Least privilege, microsegmentation, encryption, multi-factor authentication, patching.

Workspace ONE and AirWatch bring together consistent management. vSAN encryption. Most of security today is “chasing bad”. “Ensuring good” is better than trying to find all of the bad.

Introducing VMware AppDefense: Capture intended application, machine learning, then a network service. Real-time detection for deviation from good. Automate response.

Pat brings an IBM rep on to talk about their AppDefense partnership and excitement around the collaboration.
