Network Time Sync for VMware ESXi Hosts

In a virtual infrastructure, network time synchronization is critical to keep servers on the same schedule as the services they rely on. For VMware ESXi hosts, you can implement Network Time Protocol (NTP) synchronization using the vSphere Client.


There are many reasons you should synchronize time for ESXi hosts. If they are integrated with Active Directory, for instance, you need time to be properly synchronized. You also need the time to be consistent when creating and resuming snapshots, because snapshots take point-in-time images of the server state. Luckily, setting up network time synchronization with the vSphere Client is pretty easy.

VMware network time synchronization: A walkthrough

To configure NTP synchronization, select the host, and on the Configuration tab, select Time Configuration under Software. You’ll now see the existing time synchronization status on that host. Next, click Properties. This opens the Time Configuration screen, where you can see the current time on the host. Make sure it’s not too different from the actual time, because a host whose clock is more than 1,000 seconds off is considered “insane” and won’t synchronize.

After you set the local time on the host, select NTP Client Enabled. This activates NTP time synchronization for your host. Reboot the server, then go to Options to make sure NTP has been enabled. This gives you access to the NTP Startup Policy, where you should select “Start and stop with host.”

You’re not done with network time synchronization yet, though. Now, you need to choose NTP servers that your VMware ESXi hosts should synchronize with. Click NTP Settings and you’ll see the current list of NTP servers. By default, it’s empty. Click Add to add the name or address of the NTP server you’d like to use. The interface prompts you for an address, but you can enter a name that can be resolved by DNS as well.

If you’re not sure which NTP server to use for VMware network time synchronization, the Internet NTP servers in pool.ntp.org work well. You only need to choose one server from this group to add to the NTP servers list. If you want to synchronize with an internal or proprietary NTP server, however, you should specify at least two NTP servers.

At this point, make sure the option to restart the NTP server is selected. Click OK three times to save and apply your changes. From the Configuration screen on your ESXi host, you should now see that the NTP Client is running, and it will also show the list of current NTP servers your host is using.

With your ESXi hosts synchronized to the correct time, all the services and events that depend on time will function properly. More importantly, you won’t waste any more time because of misconfigured network time

What’s the difference between VMware vCLI and VMware PowerCLI?

To automate the management of an ESXi deployment, VMware has created easy-to-use scripting tools for day-to-day operations. You can write scripts with the same functionality as the vSphere Client to automate manual tasks, allowing you to manage small- to large-scale environments efficiently. These tools work well with both ESXi and ESX hosts, so you can easily administer mixed environments.

Both PowerCLI and vCLI are built on the same interface as the vSphere Client. They can be pointed directly at an ESXi host or at vCenter. When pointed at a host, they execute commands directly on that ESXi host, similar to how a command in the Console OS of ESX operates on only that host. Local authentication is required in this case. Alternatively, when communicating through vCenter, vCLI and PowerCLI commands benefit from the same authentication (e.g. Active Directory), roles and privileges, and event logging as vSphere Client interactions. This provides a much more secure and auditable management framework.
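As an added example (not from the original post), the NTP setup from the walkthrough above done with PowerCLI through vCenter, so the Active Directory authentication and event logging just described apply to every change. The vCenter name and the NTP server names are assumed values.

```powershell
# Added example (not from the original post). Assumed values: vCenter name
# 'vcenter.lab.local' and the NTP server list; replace them for your site.
Connect-VIServer -Server 'vcenter.lab.local' | Out-Null

# pool.ntp.org is the example the walkthrough gives; two entries are used so
# one unreachable server does not stop synchronization.
$ntpServers = @('0.pool.ntp.org', '1.pool.ntp.org')

foreach ($vmhost in Get-VMHost) {
    # Add only servers that are not already configured on this host.
    $existing = Get-VMHostNtpServer -VMHost $vmhost
    foreach ($s in $ntpServers) {
        if ($existing -notcontains $s) {
            Add-VMHostNtpServer -VMHost $vmhost -NtpServer $s | Out-Null
        }
    }

    # Same effect as 'NTP Client Enabled' plus the startup policy
    # 'Start and stop with host', then (re)start ntpd to pick up the list.
    $ntpd = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'ntpd' }
    Set-VMHostService -HostService $ntpd -Policy 'on' | Out-Null
    if ($ntpd.Running) { Restart-VMHostService -HostService $ntpd -Confirm:$false | Out-Null }
    else               { Start-VMHostService   -HostService $ntpd -Confirm:$false | Out-Null }
}

# Audit pass: flag any host where ntpd is not running or whose clock is
# further than the 1,000 s "insane" limit from the machine running PowerCLI.
Get-VMHost | ForEach-Object {
    $vmhost = $_
    $svc    = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'ntpd' }
    # HostDateTimeSystem.QueryDateTime() returns the host's current time.
    $dts    = Get-View -Id $vmhost.ExtensionData.ConfigManager.DateTimeSystem
    $hostNow = $dts.QueryDateTime().ToUniversalTime()
    $skew   = [math]::Abs(((Get-Date).ToUniversalTime() - $hostNow).TotalSeconds)
    [pscustomobject]@{
        Host       = $vmhost.Name
        NtpRunning = $svc.Running
        NtpServers = (Get-VMHostNtpServer -VMHost $vmhost) -join ','
        SkewSec    = [int]$skew
        Sane       = $skew -lt 1000
    }
} | Format-Table -AutoSize
```

Run it once before the change to see which hosts are drifting, and again afterwards to confirm every host reports NtpRunning = True and Sane = True.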

VMware vSphere™ PowerCLI

VMware vSphere PowerCLI is a powerful command line tool for automating all aspects of vSphere management, including host, network, storage, VM, guest OS and more. PowerCLI is distributed as a Windows PowerShell snapin, and includes more than 150 PowerShell cmdlets, along with documentation and samples. PowerCLI seamlessly blends the vSphere platform with Windows and .NET, which means you can use PowerCLI by itself or within many different 3rd-party tools.

VMware vSphere™ Command Line Interface (vCLI)

VMware vSphere™ Command Line Interface (vCLI) is a set of command-line utilities that help you provision, configure and maintain your ESX and ESXi hosts. The vCLI command set allows you to run common system administration commands against VMware ESXi systems from any machine with network access to those systems. You can run most vCLI commands against a vCenter Server system and target any ESXi system that the vCenter Server system manages. There are commands that can completely automate the initial configuration of an ESXi host and others that provide troubleshooting and diagnostic capabilities. VMware provides vCLI packages for installation on both Windows and Linux systems.

VMware vSphere™ Management Assistant (vMA)

The VMware vSphere™ Management Assistant (vMA) is a virtual appliance that brings together all the tools you need to manage vSphere. vMA packages the vSphere Command Line Interface, the vSphere SDK for Perl, as well as logging and authentication modules into one convenient bundle. vMA can also host 3rd-party agents for added management power.


NTFS Permissions after copying or moving Files

Useful for Reference.

Copying Files and Folders

When copying files or folders from one folder to another, or from one partition to another, the permissions on those files or folders may change.

  1. When copying a folder or file within the same NTFS partition, the copy inherits the destination folder’s permissions.
  2. When copying a folder or file between different NTFS partitions, the copy inherits the destination folder’s permissions.
  3. When copying folders or files to non-NTFS partitions such as File Allocation Table (FAT), the files or folders lose all their NTFS permissions.

Moving Files and Folders

When moving a file or a folder, permissions may change depending on the destination folder’s permissions.

Note: To move folders and files within an NTFS partition you need both permissions: Write permission on the destination folder and Modify permission on the source file or folder. Modify permission is needed because Windows 2000 removes the file or folder from the source folder after copying it to the destination.

  1. When moving a file or folder to a folder within the same NTFS partition, the file or folder retains its original permissions.
  2. When moving a folder or file between different NTFS partitions, the file or folder inherits the destination folder’s permissions.
  3. When moving files or folders from NTFS partitions to non-NTFS partitions, the files and folders lose all their NTFS permissions, because non-NTFS partitions do not support them.
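An added example (not from the original post) that lets you watch the copy and move rules above on a real NTFS volume. It builds a small lab under %TEMP% (both folders on the same volume, so it exercises rule 1 of each list), puts one explicit ACE on a file with inheritance disabled, then reports which ACEs on the copy and on the moved file are inherited versus explicit.

```powershell
# Added example (not from the original post). All paths and ACEs below are
# constructed lab values; the lab is created and removed under %TEMP%.
$base = Join-Path $env:TEMP 'ntfs-acl-lab'
$src  = Join-Path $base 'src'
$dst  = Join-Path $base 'dst'
New-Item -ItemType Directory -Force -Path $src, $dst | Out-Null

# Give the destination an inheritable ACE the source does not have, so an
# entry inherited from dst is easy to spot. *S-1-5-32-545 is BUILTIN\Users
# in the numeric SID form (note the leading *).
icacls $dst /grant '*S-1-5-32-545:(OI)(CI)R' | Out-Null

# Source file with inheritance disabled and one explicit ACE of its own.
$file = Join-Path $src 'report.txt'
Set-Content -Path $file -Value 'constructed sample content'
icacls $file /inheritance:r /grant "${env:USERNAME}:F" | Out-Null

function Get-AceSummary {
    # Lists each DACL entry and whether it was inherited from the parent
    # folder or set explicitly on the object itself.
    param([string]$Path)
    (Get-Acl -Path $Path).Access | ForEach-Object {
        $kind = if ($_.IsInherited) { 'inherited' } else { 'explicit' }
        '{0,-35} {1,-25} {2}' -f $_.IdentityReference, $_.FileSystemRights, $kind
    }
}

"== original file =="
Get-AceSummary $file

# Copy: a new object is created, so it takes the destination folder's
# inheritable ACEs and does not carry the source's explicit ACE.
$copy = Join-Path $dst 'report-copy.txt'
Copy-Item -Path $file -Destination $copy
"== copy in dst =="
Get-AceSummary $copy

# Move within one volume: the object is renamed in place, so its own DACL
# (the explicit ACE, inheritance still disabled) is retained.
$moved = Join-Path $dst 'report-moved.txt'
Move-Item -Path $file -Destination $moved
"== moved to dst =="
Get-AceSummary $moved

# Remove the constructed lab.
Remove-Item -Recurse -Force $base
```

The copy should list only the inherited Users entry from dst, while the moved file still lists your explicit Full-control entry and nothing inherited, matching rule 1 of the copy list and rule 1 of the move list respectively.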

ICACLS Permissions

In my last role, we had to create large folder structures including permissioning very quickly in Windows 2008 R2 and as a result we came across ICACLS which proved very useful.

ICACLS name /save aclfile [/T] [/C]

Store the acls for all matching file/folder names into aclfile for later use with /restore.

ICACLS directory [/substitute SidOld SidNew […]] /restore aclfile [/C]

Applies the stored acls to files in directory.

ICACLS name /setowner user [/T] [/C]

Changes the owner of all matching names.

ICACLS name /findsid Sid [/T] [/C]

Finds all matching names that contain an ACL explicitly mentioning Sid.

ICACLS name /verify [/T] [/C]

Finds all files whose ACL is not in canonical form or whose lengths are inconsistent with ACE counts.

ICACLS name /resize [/T] [/C] [/L]

Changes incorrect recorded lengths of ACLs to true lengths.

ICACLS name /reset [/T] [/C]

Replaces acls with default inherited acls for all matching files.

ICACLS name [/grant[:r] Sid:perm[…]] [/deny Sid:perm […]] [/remove[:g|:d]] Sid[…]] [/T] [/C]

With :r, the permissions replace any previously granted explicit permissions.

Without :r, the permissions are added to any previously granted explicit permissions.

/deny Sid:perm explicitly denies the specified user access rights.

An explicit deny ACE is added for the stated permissions and the same permissions in any explicit grant are removed.

/remove[:[g|d]] Sid removes all occurrences of Sid in the acl.

With :g, it removes all occurrences of granted rights to that Sid.

With :d, it removes all occurrences of denied rights to that Sid.

Note:

Sids may be in either numeric or friendly name form. If a numeric form is given, prefix the SID with a *.

/T indicates that this operation is performed on all matching files/directories below the directories specified in the name.

/C indicates that this operation will continue on all file errors. Error messages will still be displayed.

ICACLS preserves the canonical ordering of ACE entries:

  1. Explicit denials
  2. Explicit grants
  3. Inherited denials
  4. Inherited grants

Perm is a permission mask and can be specified in one of two forms:

1. A sequence of simple rights:

  • F – full access
  • M – modify access
  • RX – read and execute access
  • R – read-only access
  • W – write-only access

2. A comma-separated list in parentheses of specific rights:

  • D – delete
  • RC – read control
  • WDAC – write DAC
  • WO – write owner
  • S – synchronize
  • AS – access system security
  • MA – maximum allowed
  • GR – generic read
  • GW – generic write
  • GE – generic execute
  • GA – generic all
  • RD – read data/list directory
  • WD – write data/add file
  • AD – append data/add subdirectory
  • REA – read extended attributes
  • WEA – write extended attributes
  • X – execute/traverse
  • DC – delete child
  • RA – read attributes
  • WA – write attributes

Inheritance rights may precede either form and are applied only to directories:

  • (OI) – object inherit
  • (CI) – container inherit
  • (IO) – inherit only
  • (NP) – don’t propagate inherit

Examples:

icacls c:\windows\* /save AclFile /T
– Saves the ACLs for all files under c:\windows and its subdirectories to AclFile.

icacls c:\windows\ /restore AclFile
– Restores the ACLs for every file listed in AclFile that exists in c:\windows and its subdirectories.

icacls file /grant Administrator:(D,WDAC)
– Grants the user Administrator Delete and Write DAC permissions on file.

icacls file /grant Administrator:(OI)(CI)M
– Grants the user Administrator Modify permission on file and, through object and container inheritance, propagates it to the files and folders below it.

icacls file /grant *S-1-1-0:(D,WDAC)
– Grants the principal with SID S-1-1-0 Delete and Write DAC permissions on file.

Folder Path Spaces

If there are spaces in the folder path, enclose the path in quotes as follows:

ICACLS "C:\Test Folder\Second Part\Third Part" /grant user123:(OI)(CI)R
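An added example (not from the original post) of the bulk use case described at the start of this section: creating a folder tree and applying permissions in one pass with icacls, with a /save backup taken first and /verify run afterwards. The root path, folder names and group names are constructed values; passing arguments as a PowerShell array lets icacls receive paths with spaces without the manual quoting shown above.

```powershell
# Added example (not from the original post). $root, the folder plan and
# the group names are constructed values; replace them for your site.
$root = 'C:\Shares\Projects'

# One row per folder: which principal gets which simple right.
$plan = @(
    @{ Path = 'Finance';           Principal = 'CORP\Finance-RW'; Right = 'M'  },
    @{ Path = 'Finance\Archive';   Principal = 'CORP\Finance-RO'; Right = 'R'  },
    @{ Path = 'Engineering';       Principal = 'CORP\Eng-RW';     Right = 'M'  },
    @{ Path = 'Engineering\Specs'; Principal = '*S-1-5-32-545';   Right = 'RX' }  # BUILTIN\Users by SID
)

function Invoke-Icacls {
    # Runs icacls with an argument array (PowerShell quotes paths with
    # spaces itself) and turns a non-zero exit code into a terminating
    # error so a failed grant cannot go unnoticed.
    param([string[]]$IcaclsArgs)
    $out = & icacls @IcaclsArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "icacls $($IcaclsArgs -join ' ') failed: $out" }
    $out
}

New-Item -ItemType Directory -Force -Path $root | Out-Null

# 1. Back up the current ACLs first (if there is anything to back up) so the
#    change can be reversed with /restore, as in the examples above.
$backup = Join-Path $env:TEMP ('acl-backup-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
if (Get-ChildItem -Path $root -Force | Select-Object -First 1) {
    Invoke-Icacls @("$root\*", '/save', $backup, '/T', '/C') | Out-Null
    "ACL backup written to $backup (undo with: icacls $root /restore $backup)"
}

# 2. Create each folder and grant the right with (OI)(CI) so files and
#    subfolders created later inherit it. /grant:r replaces any earlier
#    explicit grant for that principal instead of accumulating duplicates.
foreach ($row in $plan) {
    $full = Join-Path $root $row.Path
    New-Item -ItemType Directory -Force -Path $full | Out-Null
    Invoke-Icacls @($full, '/grant:r', "$($row.Principal):(OI)(CI)$($row.Right)") | Out-Null
}

# 3. Verify: /verify flags ACLs that are not in canonical form, and the
#    final listing shows the resulting ACEs for review.
Invoke-Icacls @($root, '/verify', '/T', '/C') | Out-Null
& icacls $root /T
```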


Mastering VMware vSphere 5.0

This book has proved invaluable to my understanding of VMware. Well recommended.

VMware VCP 5.0 Certification

VMware offers world-class certifications designed to validate and recognize IT professionals with the technical capabilities and real-world experience needed to effectively install, manage, deploy and support VMware products and solutions. VMware certifications are available in two areas of virtualization: Datacenter and Desktop. Each specialty is broken down into three distinct certification levels reflective of skill and competency level.

http://www.vmware.com/certification

Please see the link below for the Exam Blueprint.

http://communities.vmware.com/docs/DOC-16726

The VCP510 exam consists of 85 questions and a short pre-exam survey consisting of 8 questions.

The passing score for this exam is 300, using a scaled scoring method. The scale is from 100-500. Scaled scores are calculated using a mathematical formula that considers a variety of factors, including the number and type of exam questions included in a specific version of the exam. Because this combination may vary in different versions of the same examination, scaled scores provide a fair score for each individual based on the version of the exam taken.

The links below are the documents recommended by the Blueprint.

VMware vSphere Basics

vSphere Installation and Setup Guide

vCenter Server and Host Management Guide

VMware Virtualisation Toolkit

vSphere Upgrade Guide

VMware vSphere Examples and Scenarios

Installing and Administering VMware vSphere Update Manager

vSphere Security Guide

VMware vCloud – Requirements for a Cloud

VMware vCloud – Service Definition for a Public Cloud

VMware vCloud – Service Definition for a Private Cloud

vSphere 5.0 Licensing, Pricing and Packaging Whitepaper

vSphere Networking guide

vSphere Storage Guide

VMware vSphere Storage Appliance Installation and Configuration guide

VMware vSphere Storage Appliance Administration guide

vSphere Virtual Machine Administration guide

Installing and Configuring VMware Tools Guide

OVF Tool User Guide

vSphere Availability guide

vSphere Resource Management guide

VMware Data Recovery Administration guide

vSphere Host Profiles guide

Reconfiguring VMware vSphere Update Manager

vSphere Monitoring and Performance guide

vSphere Troubleshooting guide


Virtual vCenter – Pros and Cons

Over the years there has been some controversy over this topic. Should vCenter Server be a physical or a virtual machine?

The most important aspect is that both solutions are supported by VMware.

http://www.vmware.com/pdf/vi3_vc_in_vm.pdf

Physical Solution Pros

  • More scalable
  • Hardware upgrades can be carried out
  • It is not susceptible to a potential VI outage

Physical Solution Cons

  • A dedicated physical server is required
  • Extra Power usage
  • Extra cooling considerations
  • UPS considerations
  • Backup must be done using traditional tools
  • DR may be more difficult

Virtual Solution Pros

  • You do not need a dedicated physical server (a way to reach a greater consolidation)
  • Server Consolidation: instead of dedicating an entire physical server to VirtualCenter, you can run it in a virtual machine along with others on the same ESX Server host.
  • Mobility: by encapsulating the VirtualCenter server in a virtual machine, you can transfer it from one host to another, enabling maintenance and other activities.
  • Any backup solution that works for a VM also works in this case
  • Snapshots: A snapshot of the VirtualCenter virtual machine can be used for backup, archiving, and other similar purposes.
  • Availability: using VMware HA, you can provide high availability for the VirtualCenter server
  • You can use DRS rules to place vCenter on certain hosts so you know where it is.

Virtual Solution Cons

  • It is susceptible to a potential VI outage
  • No cold migration
  • No cloning
  • It must contend for resources along with other VMs
  • If you wish to modify the hardware properties for the VirtualCenter virtual machine, you will need to schedule downtime for VirtualCenter. Then, you will need to connect to the ESX Server host directly with the VI Client, shut down the VirtualCenter virtual machine, and make the modifications.
  • Careful consideration and design thinking needs to be built into a vSphere environment where a vDS will be used – See below

Virtual vCenter and vDS

VMware has specifically addressed running vCenter on a distributed switch and said point blank, “it is not supported”. They said, “Because vCenter governs the distributed switch environment, you can’t have vCenter within the distributed switch.”

If you lose your Virtual Center you will have no way of moving virtual machines between different port groups on the vNetwork Distributed Switch. In addition, you will not be able to get a virtual machine from the traditional virtual switch to a port group on the vNetwork Distributed Switch. In addition to that, you can’t move a VM to another VMware vNetwork Distributed Switch. So that means if you are using VMware vSphere vNetwork Distributed Switches and you lose Virtual Center you are almost disabled on the networking part. If you lose connectivity on the classic virtual switch and your adapters on the distributed switch are OK, you still can’t move your virtual machines to that distributed switch until Virtual Center is back.

Does this mean a virtual infrastructure design should keep a vSS around? I would say “yes!”. Perhaps it’s now more important to dedicate 2 of the ESX host’s pNICs for the ESX Service Console / ESXi Management VMKernel isolated as a vSS. The 2 pNICs are not only for redundancy anymore, but also to support one or more standby VM portgroups in case they’re needed as a recovery network for VMs normally using the vDS. Of course, that means creating the appropriate trunking, and VLANs ahead of time. Have everything ready for a quick and easy change of critical VMs when needed.

Therefore, a hybrid design using both a vSS and a vDS is a smart “safety net” to have. Especially when an admin has to point the vSphere client directly at an ESX/ESXi host. The “safety net” vSS portgroups will be available from each host and the VMs can be easily switched via the vSphere Client GUI.

See this useful article by Duncan Epping

http://www.yellow-bricks.com/2012/02/08/distributed-vswitches-and-vcenter-outage-whats-the-deal/

In the event that the worst happens and you lose connectivity, VMware has provided KB article 1010555, which walks an admin through creating a vSS and moving the vCenter VM onto that switch.

KB1010555
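An added example (not from the original post or the KB article) of the recovery just described, done with PowerCLI pointed directly at the ESX/ESXi host because vCenter is unreachable: it creates (or reuses) a standard vSwitch on the spare management pNIC, adds a portgroup on the vCenter VLAN, and moves the vCenter VM’s network adapters onto it. Host name, uplink, VLAN ID, switch/portgroup names and the VM name are assumed values.

```powershell
# Added example (not from the original post). Assumed values below: host
# name, spare uplink, VLAN ID, recovery switch/portgroup names and VM name.
$hostName  = 'esxi01.lab.local'
$spareNic  = 'vmnic1'        # one of the two management pNICs kept on a vSS
$vlanId    = 100             # VLAN the vCenter VM normally uses on the vDS
$vcVmName  = 'vcenter'
$vssName   = 'vSwitch-Recovery'
$pgName    = "Recovery-VLAN$vlanId"

# Direct host connection: local (root) authentication, so none of the
# vCenter roles or event logging apply. Record what you do here separately.
Connect-VIServer -Server $hostName | Out-Null
$vmhost = Get-VMHost -Name $hostName

# Reuse an existing safety-net vSS if the design already has one; otherwise
# create it on the spare uplink.
$vss = Get-VirtualSwitch -VMHost $vmhost -Standard -Name $vssName -ErrorAction SilentlyContinue
if (-not $vss) {
    $vss = New-VirtualSwitch -VMHost $vmhost -Name $vssName -Nic $spareNic
}

# Portgroup on the same VLAN the VM had on the vDS, so its IP keeps working
# (the physical switch port must already trunk this VLAN, as noted above).
$pg = Get-VirtualPortGroup -VirtualSwitch $vss -Name $pgName -ErrorAction SilentlyContinue
if (-not $pg) {
    $pg = New-VirtualPortGroup -VirtualSwitch $vss -Name $pgName -VLanId $vlanId
}

# Move every NIC of the vCenter VM from the dvPortgroup to the standard
# portgroup and make sure it is connected.
$vm = Get-VM -Name $vcVmName
Get-NetworkAdapter -VM $vm |
    Set-NetworkAdapter -Portgroup $pg -Connected:$true -Confirm:$false | Out-Null

# Show where the adapters now sit before trying to reach vCenter again.
Get-NetworkAdapter -VM $vm | Select-Object Name, NetworkName, ConnectionState
```

Once vCenter is back, move the VM to its normal dvPortgroup from the vSphere Client so the standby portgroup stays free for the next incident.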