vSphere 5.5 Toolkit v1.55 Released

Yes, time to update my vSphere 5.5 Toolkit with a few more features and bug fixes. For those of you that need to replace your vSphere 5.5 SSL certificates, the process can be somewhat cumbersome and time consuming. While VMware has a tool to help you replace the certificates once you create them (SSL certificate automation tool), it has limited functionality in helping you create all the files needed as pre-reqs to running the tool.

Since my vSphere 5.1 installation series was so popular, for vSphere 5.5 I wanted to kick it up a few notches. So I wrote the vSphere 5.5 Toolkit script, which has a number of features to ease your SSL pain. For a complete list of features, click here. To date it has had over 3,200 downloads. Now live is a minor update, for your deployment pleasure. v1.55 of my Toolkit script is now available for download here.

Derek Seaman vCenter 5.5 Toolkit

What’s new since v1.50?

Root Certificate Validation (New)

This version addresses an issue where sometimes the automatic download of a root or subordinate CA certificate would result in HTML code and not a Base64 certificate. The root cause of this issue is how Microsoft implemented the certificate download feature. Because the root certificates can be renewed, there’s a counter called “renewal” in the download URL to specify which certificate to download.

My script does not have logic to download all certificates and pick out the newest one (maybe in future versions). But what it will do is validate the file contents to ensure a certain string is present which indicates the file contains a Base64 encoded certificate. If the file is invalid an error will appear and the script halts. If that happens, search for “renewal” in the script (two locations) and decrement the number to 0. If it downloads an old certificate that expired, increment the number up by one until it gets the most recent version.

The script also checks manually downloaded base64.cer and interm64.cer certificate files for the same string, to validate they are Base64 encoded. It’s easy to use the wrong file type, which will greatly confuse the VMware certificate replacement tool. All of your certificate files should look like the example below, beginning with -----BEGIN CERTIFICATE-----.

[Screenshot: a valid Base64 certificate file, beginning with -----BEGIN CERTIFICATE----- (image not included)]

If your certificates are invalid, then you will get a red warning as shown below.

[Screenshot: the Toolkit’s red warning for an invalid certificate file (image not included)]

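The two checks described above, written out as an added example (this is my own code, not the Toolkit script): Test-Base64Certificate applies the same "is this really a PEM certificate, not an HTML error page" test, and Get-NewestCaCertificate goes one step beyond the Toolkit by walking the Microsoft web-enrollment Renewal counter and keeping the unexpired CA certificate with the latest NotAfter date. The certsrv URL pattern is the standard Microsoft web-enrollment one; the CA host name, output folder and file names are placeholders.

```powershell
# Added example, not part of Derek's Toolkit. Assumes a Microsoft CA with web
# enrollment (certsrv) reachable from this machine; ca01.example.local is a placeholder.

function Test-Base64Certificate {
    # Returns $true only when the file is a Base64/PEM X.509 certificate.
    # HTML error pages (the certsrv Renewal problem), DER files and empty files all fail.
    param([Parameter(Mandatory=$true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $text = [System.IO.File]::ReadAllText($Path)

    # Same check the Toolkit performs: the PEM armor line must be present ...
    if ($text -notmatch '-----BEGIN CERTIFICATE-----') { return $false }
    # ... but a certsrv error page can still mention that string inside markup.
    if ($text -match '<\s*(html|!DOCTYPE)') { return $false }

    # Finally make sure the blob actually parses as a certificate.
    try {
        $null = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
        return $true
    } catch {
        return $false
    }
}

function Get-NewestCaCertificate {
    # Downloads the CA certificate for Renewal=0..$MaxRenewal, discards anything that
    # is not a valid Base64 certificate or has already expired, and returns the
    # newest one. The Toolkit itself fetches a single hard-coded Renewal value.
    param(
        [Parameter(Mandatory=$true)][string]$CaWebUrl,        # e.g. https://ca01.example.local/certsrv (placeholder)
        [Parameter(Mandatory=$true)][string]$OutputDirectory,
        [int]$MaxRenewal = 5
    )
    $web = New-Object System.Net.WebClient
    $web.UseDefaultCredentials = $true      # certsrv normally requires Windows authentication
    $best = $null

    for ($n = 0; $n -le $MaxRenewal; $n++) {
        $url  = '{0}/certnew.cer?ReqID=CACert&Renewal={1}&Enc=b64' -f $CaWebUrl.TrimEnd('/'), $n
        $file = Join-Path $OutputDirectory ('CA-Renewal{0}.cer' -f $n)
        try { $web.DownloadFile($url, $file) } catch { Write-Warning "Download failed for Renewal=$n"; continue }

        # Past the last renewal certsrv answers with an HTML page, which this rejects.
        if (-not (Test-Base64Certificate -Path $file)) { Remove-Item -LiteralPath $file; continue }

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
        if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "$file expired on $($cert.NotAfter)"; continue }

        if ($null -eq $best -or $cert.NotAfter -gt $best.NotAfter) {
            $best = New-Object PSObject -Property @{
                Path = $file; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter
            }
        }
    }
    return $best
}

# Usage (placeholder values):
# Test-Base64Certificate -Path 'C:\certs\interm64.cer'
# Get-NewestCaCertificate -CaWebUrl 'https://ca01.example.local/certsrv' -OutputDirectory 'C:\certs'
```

The download loop keeps every renewal that passes validation on disk, so if the newest certificate turns out to be a renewed root that your ESXi hosts do not trust yet, the older ones are still there to compare against.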
Certificate Request Changes (New)

VMware notified me that an upcoming change to a KB article was in the works. According to VMware the Web Client certificate needs the IP address in the SAN field with both DNS and IP extensions (e.g. DNS:10.10.10.10, IP:10.10.10.10). Apparently this is for maximum cross-browser compatibility across IE, Chrome and Firefox. For simplicity all certificate requests have both extensions in this version. If you don’t have any web client issues due to using an IP address instead of the FQDN, then you don’t need to re-issue the web client certificate. If you do have issues, then this is probably the reason. You only need to update the web client certificate, not the 250 other vCenter certificates.
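As an added example of the request change just described (my own code, not the Toolkit’s), here is a PowerShell function that writes an OpenSSL request config with the IP address listed under both the DNS and the IP SAN types, and a second function that runs openssl to create the key and CSR and then prints the SAN line OpenSSL actually put into the request. The FQDN, IP, OU and DN values in the usage lines are placeholders; the OU must be the unique per-service value the SSL deep dive covers, and openssl.exe is assumed to be on the PATH.

```powershell
# Added example, not from the Toolkit. Generates rui.cfg / rui.key / rui.csr for one
# vCenter service with the IP address present as both DNS: and IP: SAN entries.

function New-VMwareCsrConfig {
    param(
        [Parameter(Mandatory=$true)][string]$Fqdn,
        [Parameter(Mandatory=$true)][string]$IPAddress,
        [Parameter(Mandatory=$true)][string]$OrganizationalUnit,   # per-service OU value
        [string]$ShortName    = ($Fqdn.Split('.')[0]),
        [string]$Country      = 'US',
        [string]$State        = 'State',
        [string]$Locality     = 'City',
        [string]$Organization = 'Example Corp'
    )
    # The IP appears twice on purpose: once as a DNS entry, once as an IP entry.
    $san = 'DNS:{0}, DNS:{1}, DNS:{2}, IP:{2}' -f $Fqdn, $ShortName, $IPAddress
@"
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = $san

[ req_distinguished_name ]
countryName = $Country
stateOrProvinceName = $State
localityName = $Locality
0.organizationName = $Organization
organizationalUnitName = $OrganizationalUnit
commonName = $Fqdn
"@
}

function New-VMwareCsr {
    param(
        [Parameter(Mandatory=$true)][string]$OutputDirectory,
        [Parameter(Mandatory=$true)][string]$ConfigText
    )
    if (-not (Test-Path -LiteralPath $OutputDirectory)) { $null = New-Item -ItemType Directory -Path $OutputDirectory }
    $cfg = Join-Path $OutputDirectory 'rui.cfg'
    $key = Join-Path $OutputDirectory 'rui.key'
    $csr = Join-Path $OutputDirectory 'rui.csr'

    # Plain ASCII without a BOM: OpenSSL will not parse a config that starts with a UTF-8 BOM.
    [System.IO.File]::WriteAllText($cfg, $ConfigText, [System.Text.Encoding]::ASCII)

    & openssl req -new -nodes -out $csr -keyout $key -config $cfg
    if ($LASTEXITCODE -ne 0) { throw "openssl req failed with exit code $LASTEXITCODE" }

    # Show the subject and SAN that went into the request so the DNS:/IP: pair can be eyeballed.
    & openssl req -in $csr -noout -text | Select-String -Pattern 'Subject:|DNS:|IP Address:'
}

# Usage (placeholder values; use your own per-service OU from the SSL deep dive):
# $cfg = New-VMwareCsrConfig -Fqdn 'vcenter.example.local' -IPAddress '10.10.10.10' -OrganizationalUnit 'vCenterWebClient'
# New-VMwareCsr -OutputDirectory 'C:\certs\WebClient' -ConfigText $cfg
```

Re-running the second openssl command on the CSR is the quickest way to confirm the request really carries both SAN forms before you submit it to the CA; a template that strips or rewrites the SAN would show up later in the issued certificate, not here.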

ESXi Host Support (If you missed it)

While not new to v1.55, version v1.50 released on December 22, 2013 added fairly robust ESXi host support. I didn’t blog about that version, so some of you may not be aware of it. I did Tweet, so make sure you follow me on Twitter for more timely news. You can manually enter several ESXi hosts to replace the certificates on, or give it an input file of hostnames. SSH is NOT required (uses HTTPS), and should be backwards compatible with vSphere 4.x and later although I have not personally tested it. This supports an Online Microsoft CA, offline CA, or third-party CA.

Summary

Given the positive feedback on the tool, it appears to be doing what I intended: Simplify the vCenter 5.5 installation process and make security easier. If you experience any problems or bugs, please leave a comment. I can’t promise to fix everything, but I’ll try to fit it into my schedule. Again, you can download the latest version from here.

vSphere 5.5 Install Pt. 15: Install vCenter

The previous 14 installments have all been leading up to this: installing vCenter. Yes, we are finally here. In this post we install vCenter and the Windows vSphere Client, fix the Profile-Driven Storage service, and configure vCenter to support a clustered SQL database. This post is not the end of the road, as we still need to secure vCenter with trusted SSL certificates and secure our ESXi servers.

Blog Series

SQL 2012 AlwaysOn Failover Cluster for vCenter
vSphere 5.5 Install Pt. 1: Introduction 
vSphere 5.5 Install Pt. 2: SSO 5.5 Reborn 

vSphere 5.5 Install Pt. 3: vCenter Upgrade Best Practices and Tips
vSphere 5.5 Install Pt. 4: ESXi 5.5 Upgrade Best Practices and Tips 
vSphere 5.5 Install Pt. 5: SSL Deep Dive
vSphere 5.5 Install Pt. 6: SSL Certificate Template
vSphere 5.5 Install Pt. 7: Install SSO
vSphere 5.5 Install Pt. 8: Online SSL Minting
vSphere 5.5 Install Pt. 9: Offline SSL Minting 
vSphere 5.5 Install Pt. 10: Update SSO Certificate
vSphere 5.5 Install Pt. 11: Install Web Client
vSphere 5.5 Install Pt. 12: Configure SSO
vSphere 5.5 Install Pt. 13: Install Inventory Service
vSphere 5.5 Install Pt. 14: Create Databases
vSphere 5.5 Install Pt. 15: Install vCenter
vSphere 5.5 Install Pt. 16: vCenter SSL
vSphere 5.5 Install Pt. 17: Install VUM
vSphere 5.5 Install Pt. 18: VUM SSL
vSphere 5.5 Install Pt. 19: ESXi SSL Certificate

Permalink to this series: vexpert.me/Derek55
Permalink to the Toolkit script: vexpert.me/toolkit55

Install vCenter

1. If you are continuing from the last installment, then you should be logged into your vCenter server as the vCenter service account. If not, login as the vCenter service account. This is very important!

2. Launch the vSphere 5.5 installer and select vCenter Server.

3. Go through the wizard until you get to the license key window. Enter a valid vCenter 5.x license key. Or, you can skip that screen for evaluation mode.

4. On the database option screen change the option to use an existing database. Your DSN should be listed from the pull down menu.

5. Since we are logged in with our service account and using Windows authentication, we can’t change any options here.

6. You may get a warning about the recovery model for your SQL database. If you use Full Recovery mode then you need to do regular backups to clear the logs. If you are in a lab or home environment you may want to change it to Simple. Consult your DBA for best practices in your production environment.

7. Enter the service account password.

8. Choose whether you want a standalone vCenter instance or linked mode. Remember Linked Mode can only interoperate with vCenters at the same release level.

9. Review the port numbers, but I would not change any of them.

10. Choose the inventory size based on your environment.

11. Enter the SSO password that you used during the SSO configuration.

12. Again, a thumbprint of the SSO certificate is shown. You should have memorized it by now and can verify it without referring back to the certificate.

13. I recommend leaving the administrator@vsphere.local default. Later on we will configure a delegate group for vCenter access.

14. Confirm the Inventory Service settings.

15. Confirm the installation directory then click Install.

16. After several minutes vCenter should successfully install.

Install vSphere Client

Although VMware is really limiting what you can do with the Windows vSphere client, it is still needed for some functionality such as VUM remediation, SRM, and connecting to ESXi hosts. So go back to the vSphere 5.5 installer and install the vSphere Client.

After you install and launch the client you will see a big warning on the login window. Clearly, the Windows VI is going to suffer a mob hit in the near future and end up in an unmarked grave. So learn the web client, and remember HW v10 VMs can only be modified via the web client.

Profile Driven Storage

If you are installing vCenter under a Windows service account, then we need to make a tweak to the Profile-Driven Storage service. The installer configures it to run under Local System privileges, but that doesn’t work too well.

Open the service properties and change the Log On to use your vCenter service account. Restart the service.
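The same Log On change, scripted as an added example (not from the original post) for those who would rather not click through services.msc on every vCenter build. It matches the service on its display name rather than a hard-coded short name, and the account and password in the usage line are placeholders.

```powershell
# Added example, not from the post: change a Windows service's logon account with WMI,
# then restart it and show the result. Used here for the Profile-Driven Storage service.

function Set-ServiceLogon {
    param(
        [Parameter(Mandatory=$true)][string]$DisplayNamePattern,   # WQL LIKE pattern, e.g. '%Profile-Driven Storage%'
        [Parameter(Mandatory=$true)][string]$Account,              # DOMAIN\svc_vcenter (placeholder)
        [Parameter(Mandatory=$true)][string]$Password
    )
    $svc = @(Get-WmiObject -Class Win32_Service -Filter "DisplayName LIKE '$DisplayNamePattern'")
    if ($svc.Count -ne 1) { throw "Expected exactly one service matching '$DisplayNamePattern', found $($svc.Count)" }
    $svc = $svc[0]

    # Win32_Service.Change(): only StartName and StartPassword are set; $null keeps the other settings.
    $result = $svc.Change($null, $null, $null, $null, $null, $null, $Account, $Password)
    if ($result.ReturnValue -ne 0) { throw "Change() on $($svc.Name) failed with return code $($result.ReturnValue)" }

    Restart-Service -Name $svc.Name
    Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'" | Select-Object Name, DisplayName, StartName, State
}

# Usage (placeholder account):
# Set-ServiceLogon -DisplayNamePattern '%Profile-Driven Storage%' -Account 'LAB\svc_vcenter' -Password (Read-Host 'Service account password')
```

One difference from the GUI: the Services console silently grants the account the "Log on as a service" right when you change the Log On tab, while the WMI call does not. If the restart fails with a logon failure, grant that right (locally or through Group Policy) and start the service again.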

Database Clustering

If you are clustering your SQL database, then we need to make a manual configuration change to vCenter. I’m assuming that since supporting clustering was a last-minute addition, they didn’t have time to add a GUI option to the installer. If you are using a standalone SQL server, skip this section.

1. Navigate to C:\ProgramData\VMware\VMware VirtualCenter and make a backup of the vpxd.cfg file.

2. Stop the VMware VirtualCenter Server service. It may take a few minutes for it to stop.

3. Open the vpxd.cfg file in Wordpad (NOT Notepad). Scroll down and find the <vpxd> tag. Insert the three lines which I have highlighted below.

[Screenshot: vpxd.cfg with the three inserted lines under the <vpxd> tag highlighted (image not included)]

4. Save the file (without any text formatting), then restart the VMware VirtualCenter Server and VMware VirtualCenter Management Webserver services.

5. Log into the vSphere Web Client and verify that you can see your vCenter server and inventory.
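To make the manual edit above less risky, here is an added example (my own code, not from the post) that wraps it: a timestamped backup of vpxd.cfg, a clean stop of the VirtualCenter service, a well-formedness check of the edited XML, and the restart of both services the post names. The three clustering lines themselves are not generated here; insert them by hand exactly as the post shows. The path is the vCenter 5.5 default from step 1, and the service display names are the ones used in the post.

```powershell
# Added example, not from the post. Run in an elevated PowerShell on the vCenter server.

$VpxdCfg = 'C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg'

function Backup-VpxdConfig {
    # Copies vpxd.cfg to vpxd.cfg.<timestamp>.bak and returns the backup path.
    param([string]$Path = $VpxdCfg)
    $backup = '{0}.{1}.bak' -f $Path, (Get-Date -Format 'yyyyMMdd-HHmmss')
    Copy-Item -LiteralPath $Path -Destination $backup
    return $backup
}

function Stop-VCenterServer {
    # vpxd can take several minutes to stop; wait for it rather than editing while it is still running.
    $svc = Get-Service -DisplayName 'VMware VirtualCenter Server'
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $svc.Name
        $svc.WaitForStatus('Stopped', (New-TimeSpan -Minutes 10))
    }
    return (Get-Service -Name $svc.Name).Status
}

function Test-VpxdConfig {
    # $true when the file is well-formed XML and still contains a <vpxd> element.
    # A UTF-8 BOM, smart quotes or RTF markup left behind by an editor all fail here,
    # which is exactly the breakage the "save without text formatting" warning is about.
    param([string]$Path = $VpxdCfg)
    try {
        $xml = New-Object System.Xml.XmlDocument
        $xml.Load($Path)
        return ($null -ne $xml.SelectSingleNode('//vpxd'))
    } catch {
        Write-Warning "vpxd.cfg is not valid XML: $($_.Exception.Message)"
        return $false
    }
}

function Start-VCenterServices {
    foreach ($display in 'VMware VirtualCenter Server', 'VMware VirtualCenter Management Webserver') {
        Get-Service -DisplayName $display | Start-Service
    }
    Get-Service -DisplayName 'VMware VirtualCenter*' | Select-Object DisplayName, Status
}

# Usage:
# $backup = Backup-VpxdConfig
# Stop-VCenterServer
# ... make the edit under <vpxd> by hand, then:
# if (Test-VpxdConfig) { Start-VCenterServices } else { Copy-Item -LiteralPath $backup -Destination $VpxdCfg; Start-VCenterServices }
```

If the XML check fails, the usage line restores the backup before starting the services, so a bad edit costs you a retry rather than a vCenter that refuses to start.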

Summary

In this post we installed vCenter, fixed a permission bug with the Profile-Driven Storage service, and enabled SQL clustering support. What’s left to do? Secure vCenter with trusted SSL certificates, install VUM, and secure our ESXi hosts. Check out vCenter SSL in Part 16.

vSphere 5.5 Install Pt. 13: Install Inventory Svc

The vCenter Inventory Service has two primary purposes in life. First, it’s a cache of objects which the web client accesses. This cache offloads object retrieval from the vCenter core service (vpxd). It can also lessen the load on your back-end database, since the vCenter service isn’t constantly doing queries (most of which are reads). The legacy Windows VI client does not use the Inventory Service, which is why it can get pokey in very large environments. Second, it reduces vCenter CPU utilization, allowing more client sessions.

Following VMware’s new guidance for vCenter 5.5, we are installing the inventory service on the same VM as vCenter. You should KISS your vCenter folks. In this post we will install the inventory service and secure it with a trusted SSL certificate.

Install Inventory Service

1. Mount the vCenter ISO if it’s not still mounted from the previous installs. Start the installer and select the vCenter Inventory Service.

2. Click through the wizard until you get to the Destination Folder. Because the web client only works on the C drive, I’ve resigned myself to putting everything on the C drive. So I left this the default.

3. Validate that the FQDN of the local server is correct.

4. I’d leave all the default port numbers.

5. The JVM memory will greatly depend on your environment. Do not skimp here, as memory is critical for performance. Remember that you may need to adjust your vCenter VM’s memory if you select Medium or Large. vCenter 5.5 all-in-one servers LOVE memory.

6. Enter your vCenter SSO password and validate the lookup service URL is correct.

7. Just like the web client it presents the thumbprint of your SSO SSL certificate. That’s the same value as before, so I’m not going to cover how to look it up again.

8. At this point a Ready to Install box should appear. Click Install and wait a few minutes.

Automated Inventory Service SSL

Note: I’m assuming here you are following this guide to the letter and replacing SSL certificates as we go. By doing this we can skip some steps in the VMware tool that are needed if doing SSL replacement post-full installs. If you are replacing certs at the end of a complete vCenter install, you must follow the planner steps in the VMware tool.

1. Open elevated command prompt (not PowerShell) and launch the VMware SSL replacement tool. Select Option 4 from the main menu.

2. All we need to do here is update the SSL certificate.

3. If everything goes well, it will successfully replace the certificate.

4. To validate that the certificate has been updated, you can go to https://YourvCenterServer:10443. You will see an “HTTP status 400 – Bad Request” but that’s normal since we didn’t pass it any data. What counts is that it responds, and that the cert is trusted. If you get some other error or the certificate is wrong, then something went terribly, terribly wrong.
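The browser check above works, but it only tells you "trusted" or "not trusted" and depends on whichever browser you happen to open. As an added example (my own code, not from the post) here is a PowerShell function that makes the same TLS connection to port 10443 itself, pulls the certificate the service presents, evaluates the chain against the Windows trust store and checks that the name you connected to is actually covered by the subject or SAN. Because it never sends an HTTP request, the 400 response the post mentions does not come into play. The host name is a placeholder, and the default port is the Inventory Service port from the post; pass another vCenter service port to check the others the same way.

```powershell
# Added example, not from the post. Run from any Windows box that has the CA chain installed.

function Get-ServiceTlsCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [int]$Port = 10443     # Inventory Service; other vCenter services listen on their own ports
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($ComputerName, $Port)
    try {
        # Accept whatever the server sends so the certificate can always be retrieved;
        # trust is evaluated explicitly with X509Chain below, not by this callback.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $ssl.Close()
    } finally {
        $tcp.Close()
    }

    # Chain building against the local machine/user trust stores. Revocation is skipped
    # because internal CA CRL distribution points are frequently unreachable from admin boxes.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # Name check: CN or any DNS/IP SAN entry must equal the name we connected to.
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $cn      = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $nameOk  = ($cn -eq $ComputerName) -or
               ($sanText -match ('(DNS Name|IP Address)=' + [regex]::Escape($ComputerName) + '(,|$)'))

    New-Object PSObject -Property @{
        Target         = "${ComputerName}:${Port}"
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        SelfSigned     = ($cert.Subject -eq $cert.Issuer)
        ChainTrusted   = $trusted
        ChainStatus    = $status
        NameMatches    = $nameOk
        SubjectAltName = $sanText
    }
}

# Usage (placeholder host):
# Get-ServiceTlsCertificate -ComputerName 'vcenter.example.local' -Port 10443 | Format-List
```

A freshly installed service shows SelfSigned = True with a VMware issuer; after the replacement tool has run you expect SelfSigned = False, ChainTrusted = True, NameMatches = True and the issuer to be your CA. If ChainTrusted is False but the issuer is right, ChainStatus usually says why (an untrusted root or a missing intermediate on the box you are testing from).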

Summary

The inventory service is easy to install, and easy to secure with custom SSL certificates. You can also quickly check the health with a simple web browser. So this is one of the easiest services to install and configure. Next up in Part 14 is configuring your SQL databases and DSNs so we can finally get to installing vCenter.

vSphere 5.5 Install Pt. 6: Certificate Template

Now that you understand what type of SSL certificates you need and how many vCenter 5.5 requires, we need to create a Certificate Authority template that will mint proper certificates. You may very well be able to get away with the Microsoft “Web Server” template, but it is missing a few properties that VMware still lists as a requirement. So to ensure you don’t run into any problems, this installment shows you how to set up those properties.

I’m assuming you are using a Microsoft CA for this exercise. Technically you can use any CA, so don’t think that you are just limited to Microsoft’s implementation. Certificates are standardized in the X.509 format. In a real enterprise environment CAs should be heavily locked down and you probably won’t have permissions to change anything on the CA. Find your CA administrator and have them complete this section. If you aren’t using a Microsoft CA, then the steps below won’t exactly apply to you. But research how to configure your CA for the “required” properties.

Certificate Template

1. Log on to your Microsoft root CA. In this case I’m using Windows Server 2012. Launch the Certification Authority console. I’ve already created a custom template, VMware-SSL. But ignore that for now (just like a cooking show, I have my template already done in the oven) and locate the Certificate Templates container. Right click and select Manage.

2. Locate the Web Server template, right click and duplicate it.

3. Don’t change anything on the Compatibility tab. Don’t think you are clever and try changing the default value to something like Windows Server 2012. #Fail. On the General tab rename the template. I like using VMware-SSL because it has no spaces, so the template name and display name are the same. This avoids confusion down the road where a script requires the template name as a parameter. Spaces are allowed, but let’s not confuse the situation any more than needed; we are already confused enough.

4. Click on the Extensions tab then highlight Application Policies. Click Edit and add Client Authentication.

5. Click on Key Usage and check the box to allow encryption of user data. Close out of all the certificate properties windows.

6. Back in the CA window issue the new VMware-SSL template, by selecting the menu item shown below. A list of available templates will appear, and just click on VMware-SSL. It should now appear in the right pane, as you can see below. Sometimes CAs can be slow, and it could take a couple of minutes to appear. Do not panic; be patient. Once it appears you now have a good template to use for VMware certificates (vCenter, ESXi hosts, etc.).

[Screenshot: Certification Authority console, issuing the VMware-SSL certificate template (image not included)]

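Once the template is issued and you have minted a certificate from it, it is worth confirming that the two properties added in steps 4 and 5 actually made it into the certificate, since a template edit that did not replicate yet, or a request submitted against the wrong template, looks identical in the CA console. This added example (my own code, not from the post) reads a minted certificate and reports the Server and Client Authentication EKUs, the Key Usage bits (the "allow encryption of user data" checkbox is the Data Encipherment bit) and the Microsoft template extension that names the template used. The file path is a placeholder; a Base64 .cer or a PEM rui.crt both work.

```powershell
# Added example, not from the post. Checks one issued certificate against the
# properties the VMware-SSL template was duplicated to provide.

function Test-VMwareTemplateCertificate {
    param([Parameter(Mandatory=$true)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path

    # Extended Key Usage: well-known OIDs for TLS server and client authentication.
    $ekuExt  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Key Usage is a flags value; "allow encryption of user data" sets DataEncipherment.
    $kuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $ku    = if ($kuExt) { $kuExt.KeyUsages } else { 0 }
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

    # Microsoft "Certificate Template Information" (V2 templates) or "Certificate Template Name" (V1).
    $tplExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' -or $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
    $template = if ($tplExt) { $tplExt.Format($false) } else { '(no template extension)' }

    $result = New-Object PSObject -Property @{
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        Template         = $template
        ServerAuth       = ($ekuOids -contains '1.3.6.1.5.5.7.3.1')
        ClientAuth       = ($ekuOids -contains '1.3.6.1.5.5.7.3.2')
        DigitalSignature = (($ku -band $flags::DigitalSignature) -ne 0)
        KeyEncipherment  = (($ku -band $flags::KeyEncipherment)  -ne 0)
        DataEncipherment = (($ku -band $flags::DataEncipherment) -ne 0)
    }
    # The three properties the template steps add on top of the stock Web Server template.
    $meets = $result.ServerAuth -and $result.ClientAuth -and $result.DataEncipherment
    $result | Add-Member -MemberType NoteProperty -Name MeetsTemplate -Value $meets -PassThru
}

# Usage (placeholder path):
# Test-VMwareTemplateCertificate -Path 'C:\certs\vCenter\rui.crt' | Format-List
```

If ClientAuth or DataEncipherment comes back False on a certificate you just requested, the request was almost certainly fulfilled by the stock Web Server template (or the old copy of VMware-SSL before replication), not by the template you edited; re-issue after the template change has replicated rather than trying to patch the certificate.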
Summary

Creating a certificate template is not tricky and only takes a couple of minutes. It may take a few minutes for the new certificate type to replicate in AD. So don’t be too surprised if you can’t immediately see it. The steps are pretty much the same on Windows Server 2008 and later, so don’t worry if you aren’t yet using Windows Server 2012.

In Part 7 we (finally) get to mount the vCenter 5.5 ISO and install the SSO service. So yes, this install series is finally getting to the point where we can install something. But hopefully you are better educated about vCenter 5.5 than you were before you stumbled on this series. Impress your friends at your next cocktail party with talk of SSL OU values and PEM files.

vSphere 5.5 Install Pt. 4: ESXi 5.5 Upgrade

In this installment of the vSphere 5.5 installation how-to series we cover upgrading ESXi hosts, VMs, and VMFS. As stated in my vCenter 5.5 upgrade post, I’m not going to do a step-by-step, screenshot-filled post for upgrades. Why? There are too many different deployment types for that to be widely useful. But you do need to understand ESXi/VM/VMFS upgrade best practices, recommended order, and gotchas. That’s what this post is for.

Upgrade Overview

First of all, planning is key. Even in a lab environment you want to settle on an upgrade strategy and understand the order. Order is huge! At a high level the order is:

1) vCenter
2) VUM
3) ESXi hosts
4) VMs
5) VMFS

But don’t just plow ahead at full steam and forget about things like vCenter plug-ins, VDI dependencies, backup software support, SRM, and the plethora of other VMware and third-party products. Once you get vCenter and VUM updated it is fully supported to do rolling ESXi host upgrades. Then you have to think about VM hardware versions, VMware Tools, and VDS configuration.

Bottom line: Think through and plan the ENTIRE upgrade before starting any part of it, including vCenter.

VIBs and Image Profiles

Understanding how VMware packages ESXi is important to better understand the upgrade path. Vendors like HP, Cisco, Dell, and others provide customized ESXi ISO media. VMware packages software (drivers, agents, etc.) as VIBs (vSphere Installation Bundle). It’s similar to a zip file or tarball. VIBs can be bundled into an ISO file (such as the ESXi installer), or as a zip depot file.

An image profile defines the VIBs which will be installed. A “standard” profile contains VMware Tools and a “no-tools” profile has no VMware Tools (mostly for Auto Deploy). You can use the Image Builder CLI to create a custom profile. In fact, I have a blog article here about how to build a custom ESXi ISO for Cisco UCS.

If you want to view the VIBs on your ESXi host use the following command:

esxcli software vib list

There are many third-party custom ISOs, bundles, and online depots. VMware recommends that you use a vendor-customized ISO for your hardware. Some vendors are extremely timely (HP 5.5 ISO here), while others lag or are nearly non-existent (Cisco). I know from personal experience the HP install ISOs are heavily customized, while the Cisco ones only have a handful of drivers. Tip: Do NOT use the HP ISO on non-HP hardware. The core software packaged on VMware ISOs and vendor ISOs is the same.

Upgrading vSphere Hosts

The big question is: Should I upgrade the host or do a fresh install? Unlike vCenter, where VMware recommends a fresh install if possible, for ESXi hosts they recommend upgrading in place. You can leverage features like HA, DRS, Storage vMotion, and host profiles to quickly roll through hosts. Fresh installs should be limited to a small number of hosts, maybe for test purposes. Or if you are really bored at work, then knock yourself out.

Before you upgrade check the VMware Compatibility Guide. Just because your host works with 5.0 or 5.1, does NOT mean it will work with 5.5. For example, historically HP BladeSystem has needed newer firmware to address gotchas with new ESXi builds. Don’t just blow this step off and think you have a tier-1 vendor so all is good. Likely specific firmware versions will be required/approved. Also, with 5.5 VMware removed some drivers like RealTek NICs. So if you do a fresh install you may suddenly be missing your NICs on a whitebox server. Doh!

Release Notes

The vSphere 5.5 release notes are quite lengthy. A number of support calls can be avoided by getting a heads up of issues. That’s why planning is so important. Get a cup of coffee or Five Hour Energy and read every issue in the release notes. It can pay dividends! The vSphere 5.5 release notes are here.

ESXi Upgrade Methods

  • ESXi Installer – Boot from ISO, choose upgrade
  • vSphere Update Manager – Import ISO, create upgrade baseline, remediate
  • ESXCLI – Stage ZIP, execute ‘esxcli software profile update’
  • Scripted Upgrades – Update/customize upgrade script

The most popular and automated method is using VUM. It will orchestrate host maintenance modes, respect DRS directives, and generally make it seamless. You can directly upgrade from ESX/ESXi 4.x and ESXi 5.x. No stairstep upgrade is needed.

Upgrading Clusters

Rolling upgrades within clusters are supported and highly recommended. You can mix ESX/ESXi 4.x and ESXi 5.x hosts in the same cluster. Be careful with VM hardware compatibility in such situations though. Be sure to leverage HA, DRS, vMotion and storage vMotion to enable minimal/zero downtime upgrade. If you are using Enterprise Plus, leverage host profiles. It minimizes configuration drift and enables stricter configuration control.

Upgrading ESXi Hosts

The boot disk is not re-partitioned during the upgrade process. However, the contents ARE overwritten. If there’s a VMFS datastore on the boot volume it will be preserved. Same for scratch. Absolute minimum is 1GB of space on your boot volume. Here’s a good KB on boot volume sizing. I personally use 5-6GB LUNs for boot-from-SAN configurations. The figure below shows the basic partition layout of an ESXi installation.

[Figure: basic partition layout of an ESXi installation (image not included)]

VM Upgrades

VMware has changed their nomenclature in how they refer to VM hardware compatibility. Previously they always called out the specific “hardware” version such as 4, 7, 9, etc. But that didn’t obviously relate to a specific release, and people got confused. Plus they thought, oh my gosh, I’m on HW 4 and they are up to 9, I’m way out of date…upgrade!

Now VMware calls out the “Compatibility” level and ties that to a release of ESXi. For example, if under the covers the VM is HW v7 it will show ESX 4.x and later in the web GUI. Do NOT feel pressure to always upgrade the compatibility level. Sometimes you need to, such as provisioning a monster VM that wasn’t supported on older versions of ESXi. But if your VM is running perfectly fine in ESX 4.x compatibility mode, you really don’t need to upgrade. I’ve fallen into the HW upgrade trap, but after hearing VMware tell us not to worry, I’ll worry less about it.

Upgrading tools and VM hardware is OPTIONAL, and VMware officially supports N-4 versions. VM hardware versions are NOT backwards compatible, though. You won’t be running HW version 10 VMs on anything but vSphere 5.5.

Important Note: Any VMs that are only compatible with vSphere 5.5 and later (hardware version 10) can NOT be modified by the Windows VI client. No adding memory, no changing networks, nothing. This poses a problem if you want to do things like add memory to your vCenter server and hot-add is not enabled. Also if you are in an emergency situation and need to change VM properties (networking, etc.) while vCenter is down you are out of luck. While I understand the Windows VI client will probably go away entirely in vSphere 6.0, today’s situation is not optimal. Unless you are pushing the boundaries of a VM’s size and REQUIRE vHW 10, I would strongly advise capping the VMs at vHW 9. Don’t rush into vHW 10 mode.

VMware Tools is a different story, thankfully. VMware Tools is backward and forward compatible to a very large degree. Don’t freak out if your VM isn’t running the latest Tools. VMware recommends you DO keep up (performance, security, compliance checking, etc.), but you have wide latitude. Backup software, HA, heartbeats and other functions rely on VMware Tools, so if they have problems, verify the Tools version matches your host. VUM is excellent for verifying compliance.

For those of you that heard starting with vSphere 5.1 that upgrading VMware tools would no longer require a reboot, that’s not actually the case. The low-down is that VMware did make changes to VMware tools to leverage Windows hot-swap of some kernel modules. However, some modules like keyboard/mouse/USB still require reboots. VMware includes those non-hot-plug modules in each tools update. So the net result is still needing to reboot when doing VMtools updates. Perhaps in the future they will change that behavior, but that’s not in 5.1 or 5.5.

VMFS Upgrades

VMFS upgrades are simple, and completely non-disruptive. You can upgrade a VMFS datastore from VMFS-3 to VMFS-5 with running VMs. However, while this may sound perfect, keep reading as the reality is more complicated. The table below shows the differences between the two filesystem versions.

[Table: VMFS-3 vs. VMFS-5 feature comparison (image not included)]

Ok, so you are thinking, why is an upgrade not ideal? The problem is that an upgraded volume does NOT look the same under the covers as a freshly formatted VMFS-5 volume. The table below shows the differences. The most impacting can be the block size. In vSphere 4.x and earlier you had a choice of block sizes that ranged from 1MB to 8MB. If your array supports VAAI extensions, the VMFS volumes must have the same block size if you are doing operations such as copying VMs. Otherwise the disk operations revert back to legacy mode and will run slower.

[Table: upgraded VMFS-5 vs. freshly formatted VMFS-5 (image not included)]

The VMware recommendation is to create a fresh VMFS datastore then storage vMotion your VMs into the datastore. After the datastore is evacuated re-format or decommission it. If you aren’t licensed for storage vMotion, then during your vCenter upgrade don’t input a product key. This gives you 60 days of the ‘enhanced’ license features.

Summary

  • Understand the vSphere Upgrade Process
  • Understand how ESXi is packaged and distributed
  • Understand patches vs. updates vs. upgrades
  • Know the different upgrade methods
  • Stay current on VMware tools
  • Upgrade VM HW compatibility only when needed
  • Freshly format VMFS5 volumes; don’t upgrade from VMFS3

Again, don’t feel pressure to immediately upgrade all of your VMs to hardware version 10 (vSphere 5.5 compatibility). As mentioned above, in vSphere 5.5 the only way to modify a VM that’s at HW version 10 is via the web client/vCenter. The Windows VI client will NOT let you modify VM properties. Makes it challenging to add more CPU/memory to your vCenter VM or recover from emergency situations where vCenter is down.
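Both traps this post warns about (VMs already at hardware version 10, and VMFS-5 volumes that were upgraded from VMFS-3 rather than freshly formatted) are easy to inventory before an upgrade. This added example (my own PowerCLI code, not from the post) lists them read-only. It assumes PowerCLI is loaded and Connect-VIServer has already been run; the server name in the usage line is a placeholder.

```powershell
# Added example, not from the post. Read-only PowerCLI inventory of the two upgrade traps.
# Assumes: PowerCLI snap-in/module loaded and Connect-VIServer already done.

function Get-HardwareVersion10VMs {
    # vmx-10 VMs can only be edited from the web client, so know where they are before
    # you find out during an outage with vCenter down.
    Get-VM | Where-Object { $_.ExtensionData.Config.Version -eq 'vmx-10' } |
        Select-Object Name,
                      @{ n = 'HardwareVersion'; e = { $_.ExtensionData.Config.Version } },
                      @{ n = 'PowerState';      e = { $_.PowerState } },
                      @{ n = 'Host';            e = { $_.VMHost.Name } }
}

function Get-UpgradedVmfsDatastores {
    # A VMFS-5 volume that was upgraded from VMFS-3 keeps the old block size (2, 4 or 8 MB),
    # while a freshly formatted VMFS-5 volume always uses 1 MB blocks. That block-size
    # mismatch is what makes VAAI copy operations fall back to the legacy path.
    # Caveat: a VMFS-3 volume that already used 1 MB blocks is indistinguishable here.
    Get-Datastore | Where-Object { $_.Type -eq 'VMFS' } | ForEach-Object {
        $vmfs = $_.ExtensionData.Info.Vmfs
        New-Object PSObject -Property @{
            Name        = $_.Name
            Version     = $vmfs.Version
            BlockSizeMb = $vmfs.BlockSizeMb
            StillVmfs3  = ($vmfs.Version -like '3.*')
            Upgraded    = ($vmfs.Version -like '5.*' -and $vmfs.BlockSizeMb -ne 1)
        }
    } | Where-Object { $_.StillVmfs3 -or $_.Upgraded } |
        Select-Object Name, Version, BlockSizeMb, StillVmfs3, Upgraded
}

# Usage (placeholder vCenter):
# Connect-VIServer -Server 'vcenter.example.local'
# Get-HardwareVersion10VMs      | Format-Table -AutoSize
# Get-UpgradedVmfsDatastores    | Format-Table -AutoSize
```

Datastores flagged Upgraded are the candidates for the evacuate-and-reformat approach described above; datastores flagged StillVmfs3 are the ones you should plan to format fresh rather than upgrade.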

Next up in Part 5 is a deep dive on vCenter SSL Certificate requirements.

vSphere 5.5 Install Pt. 3: Upgrading vCenter

Upgrades can be scary times with any enterprise product. The more your critical infrastructure relies on a particular solution, or set of solutions, the more imperative it is that you fully understand and test the new product. vSphere 5.1 taught us that thorough testing cannot be skipped and you should not rush a new product into production.

Normally for my vSphere installation series I do NOT cover upgrades, or go through an upgrade process in the series. Why? Customer environments vary wildly, and a simple lab upgrade will likely not look like or behave like YOUR environment. That’s why it’s so critical for you to test in your environment. My upgrade would not look like your upgrade.

But, what I am doing in this post and the next installment is covering upgrade best practices to help you understand your road ahead and things to keep in mind. It contains information from VMworld 2013 vSphere 5.5 upgrade sessions, plus links to resources that have been published post-GA. This post covers vCenter only, and the next installment covers VMs, VMFS, ESXi hosts, and other products.

vSphere 5.5 Upgrade Overview

  • Plan your upgrade – Extremely important. KB on update sequence is here.
  • Five major steps: vCenter, VUM, ESXi, VMs, VMFS
  • Key VMware Sites to bookmark: Documentation Center, Compatibility Guide, Interop matrix
  • KB article here for vCenter 5.5 Upgrade using the Simple Installer
  • KB article here for vCenter 5.5 Upgrade using the Custom Installer
  • If you upgrade Windows with a service pack or other system changes and get locked out of SSO, read this KB to regain access
  • Upgrade vCenter to 5.5 before vSphere replication is upgraded (blog post here)

Prior to 5.1 life was simple. You had vCenter Server, vCenter Database server, and vSphere web client (introduced in 5.0, but rarely used). The vCenter server is NOT stateless, meaning the database is not all inclusive. The local vCenter server has SSL certificates and the ADAM database. ADAM is not just for linked mode but holds data such as licenses, roles, and permissions. So don’t stand up a fresh VM, install the “old” version on that VM then do an upgrade to 5.5 and expect everything to be there. It won’t be and further complicates your upgrade process. If you are using vSphere 5.1, then ‘tags’ are also stored locally on the vCenter server and thus not in the database.

Upgrade Matrix

  • In-place upgrade supports vCenter 4.x, 5.0.x, 5.1.x (must be 64-bit host)
  • VMware does NOT support directly migrating an existing 5.x or earlier vCenter Server to a new machine during the upgrade process
  • vCenter Server 5.5 can manage ESX/ESXi 4.x, 5.0.x and 5.1.x hosts. It will NOT manage ESX 2.x or 3.x hosts.

System Requirements

  • Strongly recommend installing ALL vCenter components on a single VM – Simplified model
  • Simple install – 2 vCPUs, 12GB RAM, 100GB disk
  • Recommended for 400 hosts or 4000 VMs: 4 vCPU, 24GB RAM, 200GB disk
  • vCenter OS Support: Removes WS2003, only supports Windows Server 2008 SP2 and later (including WS2012 but NOT WS2012 R2)

New Install Vs. In Place Upgrade

VMware recommends a fresh install, but sometimes it’s just not possible. However, do check out the “Inventory Snapshot” Fling, which is a great (unsupported) tool to migrate hosts, VMs, and permissions from one vCenter instance to another. It does NOT appear to support tags and currently has some vDS issues. Tags are not stored in the SQL database, so if you use tags then be sure to find a way to migrate them. If you are in a regulated industry and have strict audit requirements you may be legally required to maintain the historical data in your vCenter database and unable to start fresh.

If you have a sprawling 5.1 architecture, with different vCenter components on different VMs, strongly consider a fresh install and do not upgrade. As previously mentioned VMware now urges the “simple install” method where all components are on a single beefy VM. This is a great time to re-visit your architecture and make it easier to manage and follow 5.5 best practices. That’s not to say you can’t upgrade and consolidate at the same time, you can, and VMware has promised some blog posts on how to do just that.

I’ve read reports that upgrading a vCenter 5.1 instance with trusted SSL certificates to 5.5 had problems. I have not personally tried that yet, so I can’t report my own experience. So make sure you have full backups and a tested plan to revert back to 5.1 in case you experience problems.

VMware has stated that the vCenter Server appliance will be the ONLY deployment option sometime in the future. So if you are starting with a fresh install, do take a close look at the VCSA. It still has a few minor gotchas including no support for IPv6, Linked Mode or vCenter Heartbeat. Those features are probably not widely used, so if you aren’t using those features take a serious look at VCSA.

At this time an external SQL database is NOT supported for the VCSA, but in the future when Microsoft releases the ODBC driver for SUSE Linux (currently in tech preview), VMware will support it. VCSA is certified up to 100 hosts and 3000 VMs. If you need to scale beyond that, use Windows.

Installation – Then and Now

vSphere 5.5 features a new Install splash screen, and the component order is different from 5.1. Simple Install should only be used for the first vCenter. All subsequent vCenter/SSO installs should use the custom method. This is due to changes in SSO, and the new automatic replication among SSO servers. Even if you are doing a single vCenter install and want to customize it in ANY way, including directory paths, you must do the custom install.

Upgrade Paths

For “typical” single server upgrades the path is fairly simple. You can do an in place upgrade and all of the required components and configuration settings will be retained. If you are going from pre-5.1, then the only database in play is the vCenter database.


If you are already running 5.1, then the upgrade path is ever so slightly different. Since the SSO database in 5.1 is no more, that data is migrated into the new SSO internal database. So post upgrade you are left with only the vCenter upgrade. Yes, no more SQL authentication required or impossible to configure JDBC SSL.


If you are one of those adventurous customers that implemented a load balancer with SSO, VMware is really discouraging you from continuing with that model. It’s complex, SSL creates additional headaches, and it’s just not needed in most environments. Big changes could be coming in the future, but it’s not recommended for 5.5. As mentioned in my previous installment, SSO Reborn, VMware recommends local SSO instances for each site/vCenter. SSO uses multi-master replication to sync data such as identity sources, users, groups, and policies. A geographically distributed example is shown below. Notice the local SSO and vCenter instances at each site.

Linked Mode

Linked mode adds additional complications to the upgrade process. As you may recall you can’t link vCenters of different versions. So you first need to unjoin all vCenters from the linked mode group. Once you upgrade two vCenters to 5.5, you can then re-establish Linked Mode and add other 5.5 vCenters as they come online. The biggest problems with Linked Mode include DNS and NTP failures. It’s critical name resolution works (forward AND reverse) and that the server clocks are all synchronized. All vCenter servers that are linked must also be a part of the same SSO authentication domain.

Host Agent Pre-Upgrade Checker

A tool included on the vSphere 5.5 ISO is the Host Agent Pre-Upgrade Checker. Personally I’ve never used it (it slipped my mind that it existed). If you choose to use it, some simple checks are done against your ESXi hosts to validate that an upgrade will be successful. It’s not exhaustive, so even if your hosts pass the check you could still run into issues. But it’s a little bit of insurance that major gotchas can be discovered ahead of time. It checks items such as sufficient disk space, a functional network, file system consistency, and that required patches are applied.

vCenter Appliance

The VCSA has undergone major scalability increases in 5.5. In 5.1 it was only rated for 5 hosts and 50 VMs when using the embedded database. With 5.5 that is increased to 100 hosts and/or 3000 VMs. So that makes it a much more viable solution for enterprise customers. You can NOT migrate from the Windows vCenter to the VCSA. As mentioned before, there’s also no Linked Mode, vCenter Heartbeat or IPv6. Again, the road map is an appliance only model for vCenter, so now is an excellent time to try it out. VMware said upgrades to future versions will be pretty easy, simplifying life.

Update Manager

You can upgrade VUM from 4.x, 5.0 and 5.1 versions. VUM is still Windows only, so if you do deploy the VCSA you will still need a Windows server to host VUM. The web client in 5.5 also has limited VUM functionality, so the C# client is still needed to do things like pushing patches and configuring baselines. During the upgrade you can’t change the installation or download paths. Scheduled tasks remain, but patch baselines are removed.

VMware has hinted/stated that VUM is going the way of the dodo bird. I would expect its replacement to be very different, and probably incorporated into the VCSA. I’m hoping in vSphere 6.0 there’s a good story on the VUM successor.

Summary

You need to carefully plan your upgrades, and understand all of the moving components. Generally you would start by upgrading vCenter, then your ESXi hosts. But you may have other products that depend on vCenter which need upgrading first. Thoroughly map out all of your dependencies, read the VMware documentation, then plan in an organized fashion how you are going to upgrade. If you are already on 5.1, custom SSL certificates may trip you up. So really make sure you have a full backup and roll-back plan in case things go pear shaped.

Next up in Part 4 are best practices and tips for upgrading ESXi hosts, VMs, and VMFS datastores.

vSphere 5.5 Install Pt. 2: SSO Reborn

Imagine having this dream:

You are in the VMware company grocery store where each aisle displays a VMware product, shelves fully and neatly stocked with product. You wander over to the aisle labeled ‘SSO 5.1’. To your horror you see a huge mess: SSL certs lying all over the floor, incorrectly configured OU values, dazed and confused vSphere architects, JDBC connectors missing their SSL wrappers, and an angry mob of customers with a wide assortment of frightening medieval weapons.

You quickly find the store manager, Pat, and tell him “Cleanup on aisle 5.1 needed, ASAP.” Magically a person named Justin appears wearing protective gear, a vSphere 5.5 shirt, and asks in a British accent, “How may I help you?” You walk over to the mayhem on aisle 5.1. Justin pulls out a VMware branded Harry Potter magic wand, and says a proper English incantation. Instantly you are transported one year into the future, the aisle is restored to order, customers are cheering and the architects are building vast vSphere 5.5 empires. You suddenly wake up in night sweats and wonder…was that a dream or reality?

The New Reality

Since the SSO service was the center of attention this past year, this blog post will highlight some of the issues with 5.1, and how VMware has addressed them in 5.5. The dream sequence above is not too far off from reality…SSO is all new, and dramatically improved. I think this is important to understand, which is why I’m including it in the installation series. Think of it as required reading prior to starting the install process.

What is the SSO service?

vSphere 5.1 introduced the SSO service, and it wasn’t just because VMware wanted to write more code and complicate our lives. In fact, it was designed to simplify life and provide common authentication services to the vSphere platform. It is NOT a replacement for existing single-sign-on products, and is only for VMware products. The vCenter SSO service creates an authentication domain where users are trusted to access available resources. You no longer directly log into the vCenter service; rather, the SSO service first authenticates you. Some products like SRM and vCOPS don’t utilize SSO today, but will in 2014.

Challenges with vSphere 5.1 SSO include:

  • Did not work effectively in multi-forest/trusted domain environments
  • Did not scale well in environments with more than 15,000 users
  • Limited administration
  • Database complexity and insecurity (lack of SQL SSL support, used SQL authentication)
  • Extraordinarily complex SSL certificate replacement process (no tool at GA)
  • Difficult to change and update
  • No clear VMware deployment architecture guidance
  • Non-existent diagnostics

vSphere 5.5 SSO Rays of Sunshine

This is not a “What’s new in vSphere 5.5” post, but I will focus on one key improvement that is fundamental to the installation experience in vSphere 5.5. The infamous (OEM’d RSA) SSO service was given the boot and VMware wrote a brand new SSO service from scratch. Yes, SSO is still required, but it’s been fundamentally re-architected. Changes include:

  • No longer requires an external database, such as SQL server
  • Built-in multi-master replication for simplified deployments (no scripting required)
  • Greatly enhanced Active Directory support (no longer treats AD as a simple LDAP server)
  • Fully supports multiple forests and two-way trusts
  • Site awareness – Only supports grouping of objects (e.g. production and DR sites) in this release…exciting roadmap though
  • Multi-tenant
  • One deployment model (very different from vSphere 5.1)
  • Full suite of MMC snap-in management and diagnostics tools
  • Backwards compatible with vSphere 5.1 (important for upgrades)
  • Simple install vCenter scales up to 1,000 hosts and 10,000 VMs
  • SSO scale is not limited by hosts/VMs, since AD lookups are offloaded to AD

So yes, VMware listened to customer feedback and really went back to the (much needed) drawing board. The real proof in the pudding will be testing it in the real world to see how many “features” (aka bugs) crop up. I was recently quoted in a TechTarget article regarding some early issues found with vSphere 5.5. The KB article on the issue is here.

SSO Design Considerations

Requirements

  • Your DNS infrastructure must be rock solid and fully functional. vCenter relies on Kerberos and the easiest way to break it is by bad or non-existent DNS. This is an enterprise solution, so make sure DNS is enterprise grade.
  • Must use Windows Server 2008 x64 SP2 or later (WS2012 IS supported, WS2012 R2 is NOT)
  • If natively authenticating Windows users the vCenter/SSO server(s) must be a member of the same AD domain
  • Make sure you set your vCenter administrator as administrator@vsphere.local, NOT a local OS account
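The DNS requirement above (SSO relies on Kerberos, and the native AD identity source only covers the domain the SSO server is joined to) and the Linked Mode prerequisites in Part 3 (forward AND reverse name resolution, synchronized clocks) are all things you can verify with a script before running the installer. The PowerShell below is an added example, not code from the post or the Toolkit script; the server names are placeholders, and it assumes it runs on a domain-joined Windows server that can reach the listed servers over NTP (w32tm).

```powershell
# Added example (not from the original post): pre-flight checks for the SSO 5.5 /
# Linked Mode DNS and time requirements. Placeholder FQDNs; substitute your own.
$vCenters = @('vc01.corp.example.com', 'vc02.corp.example.com')   # placeholder names
$maxSkewSeconds = 300   # Kerberos rejects tickets when clocks differ by more than 5 minutes (default)

function Test-VcNameResolution {
    param([string]$Fqdn)
    # Forward lookup (FQDN -> IPv4). Uses .NET so it also works on PowerShell 2.0 (WS2008 SP2).
    try { $ips = [System.Net.Dns]::GetHostAddresses($Fqdn) | Where-Object { $_.AddressFamily -eq 'InterNetwork' } }
    catch { Write-Warning "$Fqdn : forward lookup FAILED ($($_.Exception.Message))"; return $false }
    if (-not $ips) { Write-Warning "$Fqdn : no IPv4 address returned"; return $false }
    $ok = $true
    foreach ($ip in $ips) {
        # Reverse lookup (IP -> PTR). The PTR must point back at the same FQDN.
        try { $ptr = [System.Net.Dns]::GetHostEntry($ip.IPAddressToString).HostName }
        catch { Write-Warning "$Fqdn -> $ip : reverse lookup FAILED"; $ok = $false; continue }
        if ($ptr -ieq $Fqdn) { Write-Host "$Fqdn <-> $ip : forward/reverse OK" }
        else { Write-Warning "$Fqdn -> $ip : PTR is '$ptr', expected '$Fqdn'"; $ok = $false }
    }
    return $ok
}

function Test-VcClockSkew {
    param([string]$Fqdn, [int]$MaxSeconds)
    # w32tm /stripchart prints one line per sample, e.g. "12:00:01, +00.0123456s"
    $lines = & w32tm.exe /stripchart /computer:$Fqdn /samples:3 /dataonly 2>&1
    $offsets = $lines | ForEach-Object { if ($_ -match '([+-]\d+\.\d+)s') { [double]$matches[1] } }
    if (-not $offsets) { Write-Warning "$Fqdn : could not sample clock (NTP blocked or host down?)"; return $false }
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    if ($worst -gt $MaxSeconds) { Write-Warning "$Fqdn : clock offset ${worst}s exceeds ${MaxSeconds}s"; return $false }
    Write-Host ("{0} : clock offset {1:N3}s OK" -f $Fqdn, $worst)
    return $true
}

# Domain membership: SSO 5.5 native AD support only covers the domain this server is joined to.
$cs = Get-WmiObject Win32_ComputerSystem
if ($cs.PartOfDomain) { Write-Host "Local server is joined to AD domain $($cs.Domain)" }
else { Write-Warning "Local server is NOT domain joined; the native AD identity source will not work" }

# One row per vCenter/SSO server; any $false here is something to fix before installing.
$results = foreach ($vc in $vCenters) {
    New-Object PSObject -Property @{
        Server  = $vc
        DnsOk   = Test-VcNameResolution -Fqdn $vc
        ClockOk = Test-VcClockSkew -Fqdn $vc -MaxSeconds $maxSkewSeconds
    }
}
$results | Format-Table Server, DnsOk, ClockOk -AutoSize
```

Run it from each prospective vCenter/SSO server in turn, since a PTR record that is correct from one site’s DNS can still be missing from another site’s.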

Recommendations

  • Locate all vCenter services, including SSO, in a single VM
  • Do not install multiple SSO servers in a single site, or attempt to load balance multiple servers
  • If you have multiple vCenter servers around the world, install a local SSO server in the same authentication domain as all other vCenters
  • See “Monster Deployments” below if you have a dozen or more vCenters

Identity Sources

There’s a nuance between “native” Active Directory support and treating AD as a simple LDAP server. SSO 5.5 only supports a single “native” Active Directory domain, the one the SSO server is in. Native support is new to SSO 5.5, and addresses the complex AD topology limits in 5.1, and other related issues. Treating AD as an LDAP server brings with it all the issues of SSO 5.1, so that is not recommended. So yes, an SSO server could technically use multiple AD domains/forests for authentication, but only one of them will enjoy full native capability.

  • Native Active Directory (STRONGLY recommended) – Only one native source allowed
  • Active Directory as an LDAP server (for 5.1 backwards compatibility and NOT recommended) – Multiple sources allowed
  • OpenLDAP
  • Local operating system accounts (NOT recommended)
  • Single sign-on users (replicated)

Here’s a screenshot from the Web Client Identity Source configuration screen:


Replication

  • Automatic replication between each SSO server in the same vSphere authentication domain
  • MMC snap-in allows you to review/add/remove/edit replication partners
  • Supports geographically separated SSO sites, and the ability to setup bridgehead servers
  • Each site is independent (no authentication failover)
  • Does not provide a single pane of glass view
  • Replicates SSO users and groups, SSO policies, identity sources
  • Site awareness but limited functionality in 5.5 (big futures on the roadmap)


Monster Deployments

For service providers or monster corporations that have dozens or even 100 vCenter instances (yes, they DO exist), having 100 SSO servers all replicating is probably not ideal. For the limited use case of 6 or more vCenters connected via high speed LAN/MAN, VMware would like you to consider a dedicated SSO VM with a local web client install. All of the vCenter instances then leverage this centralized SSO service, reducing complexity and replication traffic. They hinted that big changes to this architecture are on the road map, so it will be fun to see what 6.0 holds for us next year.

This architecture is NOT for a globally distributed company where vCenters are scattered all over the world. You should have local SSO servers, but they should all be a part of the same authentication domain.


Backup/Restore

If you run vCenter as a VM (recommended) you can use the usual data protection tools including snapshots, and backup to disk and tape. VMware vDP now supports restoring directly to an ESXi host, so you could recover a vCenter VM. Like Active Directory, which also features multi-master replication, you have to be very careful about restores.

Prior to vSphere 5.1 in combination with Windows Server 2012, USN rollback (which is extremely bad) could occur in AD if a snapshot was reverted or an improper VM restore method was used. SSO 5.5 does not support the hypervisor GenerationID feature that Windows Server 2012 uses to protect AD against USN rollback problems. So in an environment with multiple replicating SSO 5.5 servers, you must be careful to preserve database integrity. Should you have an ‘oopsie’ moment and cause an SSO “USN rollback”-like issue, the SSO database can be zeroed out and re-replicated.

Summary

The SSO service is here to stay, and it’s unavoidable if you are using vSphere 5.1 and later. VMware saw the customer pitchforks coming their way and addressed head on the major issues people had with 5.1. SSL certificates, covered in depth in an upcoming post, are still complex and didn’t undergo major implementation changes (you still need seven certs, etc.). But VMware has dramatically refined the tools (such as adding the SSO MMC snap-in), released the vCenter Certificate Automation Tool at GA time, and now their documentation actually matches the GA’d code. Even though much of the complexity is still there under the covers, it’s a very different world in terms of tools and documentation, which is huge.

Now that you’ve gotten a little background on the all new SSO service, I hope you are excited to see the new and improved version in action. Next up? In Part 3 learn about vCenter 5.5 upgrade best practices and tips.

vSphere 5.5 Install Pt. 1: Introduction

At VMworld 2013 in San Francisco VMware unveiled vSphere 5.5, the successor to vSphere 5.1. Customers are now chomping at the bit for vSphere 5.5 upgrade information. Of great anticipation was what VMware did to the vSphere 5.1 SSO service to address common complaints.

If you’ve been living under a rock, or haven’t tried vSphere 5.1, you’ve been missing out. While vSphere 5.1 brought a great number of new features to the table, it also brought a wee bit of frustration surrounding the new SSO (Single Sign-On) service and SSL certificates.

Exactly one year later we now have vSphere 5.5 dropped in our lap. Last year I put countless hours into writing a 15-part vCenter 5.1 install series, which earned me the nickname “SSL Guy” at VMworld. The amount of traffic that series continues to get floors me, and I’m glad the community has found it useful.

This year I will endeavor to one-up myself, and do a better job with 5.5. Now that SSO and SSL are a bit better understood (by myself and VMware), and massively improved, I shouldn’t have to revise the articles on a weekly basis like I did for the 5.1 series. I hope this series proves even clearer, more accurate, and fills in the gaps that VMware documentation sometimes has.

I’ve created a shortened permalink that you can use for quick reference: vexpert.me/Derek55 for this series. Feel free to use however you like…PowerPoint slides, email, etc. If you find this series helpful, please spread the word.

UPDATE November 3, 2013: VMware released vCenter 5.5a, to correct some bugs with SSO and other services. Please use the 5.5a media and not the 5.5 GA media. Find out more here.

Series Agenda

The exact number of installments and what I’ll cover is a bit fluid at the moment. But at a minimum it will cover the following topics:

  • Upgrade or fresh install?
  • Deep dive on what’s new in SSO 5.5
  • vCenter upgrade best practices and tips
  • ESXi upgrade best practices and tips
  • Right sizing your WS2012 vCenter VM (think big)
  • Creating vCenter SSL certificates (remember the 5.1 days)
  • VMware vCenter Certificate Automation Tool (hair loss reduction tool)
  • Manual SSL certificate replacement process
  • Using a SQL 2012 AlwaysOn Failover Cluster for the vCenter database
  • Installing the full vCenter stack of software on Windows Server 2012 (not R2)
  • Configuring VUM
  • ESXi host SSL certificate replacement
  • Deploying the vCenter Server Appliance (VCSA)
  • ..and possibly more…such as VSAN or vFlash Read Cache

I am fully anticipating the vSphere 5.5 installation will be easier, quicker, and cause less hair loss. If you are lucky it might even re-grow hair lost during your vSphere 5.1 deployment. I shall report my results after this series is complete.

While I have two entire blog posts dedicated to upgrade best practices and tips, the step-by-step instructions will assume a fresh install. This is the VMware recommended approach, but doesn’t work for everyone. Upgrade how-to’s are not very valuable, IMHO, since customer configurations will wildly vary. This is particularly true with SSO 5.1 and the many deployment options, coupled with little VMware best practices around SSO 5.1.

Database Support

VMware now officially supports SQL 2012 AlwaysOn failover clusters (using shared storage) for the vCenter database. It does NOT support AlwaysOn Availability groups or database mirroring. To that end I recently wrote a soup to nuts guide (12 parts) on how to install a SQL 2012 Failover Cluster on Windows Server 2012. If that’s something you want to do, you can dive head first into that while waiting on me to post the next vCenter installation installments. Many of you may not be clustering experts, so it should be enough to get you all the way up, with a ton of best practices incorporated. Here’s a quick reference chart for all of the SQL 2012 HA/DR options.


Best Practices Video

You can also check out this 20 minute video from VMware on vCenter 5.5 best practices. There’s also an accompanying KB article that has some good details as well. You can find that here.

Derek’s Toolkit Script

This year I’m doing something a little different to hopefully make life easier for you all. Last year in the vCenter 5.1 series I had numerous scripts and configuration files to help you through the SSL replacement process. While those worked, it still wasn’t as clear cut and easy to use as I would have liked.

So this year I’ve written a PowerShell script that I cover in-depth in Part 8, which takes most of the pain away in creating your certificate requests and making the files the VMware certificate automation tool needs. As I go through the series it will also do tasks like creating your ODBC connectors. The script will be updated on a regular basis. If there are any PowerShell experts out there that have ideas for making it better, I’m all ears. A sample screenshot of v1.56 is below.


You can also download the latest version at: vexpert.me/toolkit55

Summary

As I add new installments to the series this landing page will be updated with links to each part. The flow will be somewhat different than last year, due to the re-ordering of components and some SSL lessons learned. If you have other areas that you think I should cover, please leave a comment or Tweet me. I’m very active on Twitter, so if you use that medium, be sure to follow me @vDerekS. I’ll tweet about new posts as they get published. If you like the posts, sharing on social media and with co-workers is appreciated.

Feedback is always welcome, so leave comments about your experiences. This can help other people that may have the same problem. The 5.1 series literally had hundreds of reader comments. Some of which had to be censored due to expressed high frustration with 5.1.

One last comment…and I can’t stress this enough. You must, must, must read the vSphere 5.5 release notes. You can find the long document here.

Blog Series

SQL 2012 AlwaysOn Failover Cluster for vCenter
vSphere 5.5 Install Pt. 1: Introduction
vSphere 5.5 Install Pt. 2: SSO Reborn
vSphere 5.5 Install Pt. 3: vCenter Upgrade Best Practices and Tips
vSphere 5.5 Install Pt. 4: ESXi Upgrade Best Practices and Tips
vSphere 5.5 Install Pt. 5: SSL Deep Dive
vSphere 5.5 Install Pt. 6: SSL Certificate Template
vSphere 5.5 Install Pt. 7: Install SSO
vSphere 5.5 Install Pt. 8: Online SSL Minting
vSphere 5.5 Install Pt. 9: Offline SSL Minting
vSphere 5.5 Install Pt. 10: Update SSO Certificate
vSphere 5.5 Install Pt. 11: Install Web Client 
vSphere 5.5 Install Pt. 12: Configure SSO
vSphere 5.5 Install Pt. 13: Install Inventory Service
vSphere 5.5 Install Pt. 14: Create Databases
vSphere 5.5 Install Pt. 15: Install vCenter
vSphere 5.5 Install Pt. 16: vCenter SSL
vSphere 5.5 Install Pt. 17: Install VUM
vSphere 5.5 Install Pt. 18: VUM SSL
vSphere 5.5 Install Pt. 19: ESXi SSL Certificate

Permalink to this series: vexpert.me/Derek55
Permalink to the Toolkit script: vexpert.me/toolkit55

VMworld 2013: What’s new in vSphere 5.5

Twitter: #VSVC4605

This session was a fire hose of the top vSphere 5.5 features. There’s a lot that’s new in this release, and they’ve addressed many of the vSphere 5.1 SSO headaches. So if you skipped vSphere 5.1 (like I did) for production environments, then get ready for the vSphere 5.5 train and jump on board. This is a release that you won’t want to miss. Also learn why vCloud Director will be going the way of the Windows C# vSphere client (hint, think dodo bird).

Cloud Management Offerings

  • vSphere with Operations Management – new SKU in March 2013 – vSOM Enterprise+ is $4245 per socket
  • vCloud Suite per CPU: Enterprise Plus is $11,495
  • Operations management – A large customer found 90% of VMs were over provisioned

What’s new in vSphere 5.5

Applications

  • vSphere Big Data Extensions – Optimize Hadoop workloads and extend project Serengeti
  • Pivotal and VMware vSphere – Building PaaS on-Prem
  • Latest chip set support – Intel E5 V2, Intel Atom C2000
  • OpenStack – Delivering architecture choices

Performance and Scale

  • 2x in configuration maximums
  • Up to 62TB VMDKs
  • Low latency application configuration 31% latency improvement
  • 320 pCPUs, 4TB RAM, 16 NUMA nodes, 4096 vCPUs
  • 4GB ESXi minimum RAM (e.g. for labs)

vSphere App HA

  • Detect and recover from application or OS failure
  • Supports most common packaged apps (Exchange, SQL, Oracle, SharePoint, etc.)
  • vCloud Extensibility – APIs and ecosystem
  • Deployed as two virtual appliances
  • Tier 1 application protection at scale

vSphere Flash Read Cache

  • Virtualized flash resource managed just like CPU and memory
  • Per-VM hypervisor based read caching using server flash
  • Compatible with vMotion, DRS and HA
  • Accelerates performance for mission critical apps by up to 2x
  • Enables efficient use of server flash in virtual environments
  • Fully transparent to VMs

vSphere Big Data Extensions

  • Elastic scaling
  • Easy to use interface
  • Enhanced HA/FT leveraging vSphere
  • Higher cluster utilization

vSphere Replication

  • Still 15 minute RPO
  • Multiple point in time copies
  • Multiple replication appliances per vCenter
  • Support storage vMotion and storage DRS

vSphere Data Protection

  • 4x greater scalability – Advanced SKU (more $$)
  • Agent-based application awareness of Exchange and SQL – Advanced SKU only (extra $$)
  • Direct recovery – can recover VMs without vCenter
  • Restore individual VMDKs
  • Can restore with a different VADP appliance
  • 6x faster recovery
  • 4x more storage efficient
  • Managed from vSphere web client

vCenter Server 5.5

  • SSO: Improved user experience. SSO no longer requires SQL database.
  • vCenter Appliance supports 500 vSphere hosts and 5000 VMs
  • vCenter Databases – Official support for database clustering – Oracle RAC, SQL cluster
  • Added support for OS X vSphere web client
  • VM console access, deploy OVF templates
  • Drag and drop

Best of the Rest

  • Hardware version 10
  • MSCS support enhancements
  • VMFS heap enhancements
  • Enhanced LACP support
  • Enhanced SR-IOV
  • QoS tagging
  • Packet capture
  • 40G support
  • Support “reliable memory”
  • Hot-plug SSD PCIe devices
  • Expanded vGPU and GP-GPU support

License SKUs

  • Enterprise: Adds big data extensions and reliable memory
  • Enterprise Plus: Flash read cache and App HA

vSphere 5.5 Support Lifecycle

  • Normal 5 year support would end 2016 (based on vSphere 5 starting in 2011)
  • Support will be extended to 2018
  • Only applies to ESXi and vCenter 5.5

Reduce Complexity

  • vCloud Director is GOING AWAY post vSphere 5.5. Functionality migrated to vCAC and the virtualization platform
  • vCloud Automation Center – vCAC
  • vCloud director will also have extended support period like vSphere 5.5