PD005 InstallGuide Vsphere 7.0.x
Procedures Guide
vSphere 7.0.x
vSphere Installation and Configuration Procedures Guide
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
VMware, Inc.
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Copyright © 2020 VMware, Inc. All rights reserved. Copyright and trademark information.
Contents
Purpose and Assumptions
VMware Products and Versions
Architecture Models
Procedures
Preparation
ESXi Host Deploy Preparation
ESXi Hardware Requirements
Recommendations for Enhanced ESXi Performance
Incoming and Outgoing Firewall Ports for ESXi Hosts
Required Free Space for System Logging
ESXi Passwords and Account Lockout
vCenter Server Deploy Preparation
System Requirements for the vCenter Server Appliance
Preparing for Deployment of the vCenter Server Appliance
Prerequisites for Deploying the vCenter Server Appliance
vSphere Network Infrastructure Deploy Preparation
vSphere Storage Infrastructure Deploy Preparation
High Availability Deploy Preparation
Dynamic Resourcing Deploy Preparation
Virtual Machine Deploy Preparation
Deployment and Configuration
ESXi Host Deployment and Configuration
Installing ESXi Interactively
Setting Up ESXi
3 Select Set static IP address and network configuration
3 Select Use the following DNS server addresses and hostname
vCenter Server Deployment and Configuration
Deploy the vCenter Server Appliance by Using the GUI
vCenter Server Infrastructure Configuration
Datacenter.Create datacenter
Host.Inventory.Create cluster
Renew Certificates
Make VMCA an Intermediate CA
Replace Certificates with Custom Certificates
Set as Default
Permissions
Users and Groups
Privileges
Roles
4 Select Use Network Time Protocol (enable NTP client)
vSphere Network Infrastructure Deployment and Configuration
Create a vSphere Distributed Switch
2 Select Distributed Switch > New Distributed Switch
Add a Distributed Port Group
Create a VMkernel Adapter on a Host Associated with a vSphere Distributed Switch
Add Hosts to a vSphere Distributed Switch
vSphere Network I/O Control
vSphere Storage Infrastructure Deployment and Configuration
Configuring iSCSI for vSphere
Dynamic Discovery
Static Discovery
Create an NFS Datastore
Create a VMFS Datastore
Finish
Enable Storage I/O Control
High Availability Deployment and Configuration
Creating a vSphere HA Cluster
Dynamic Resource Scheduling Deployment and Configuration
Host Configuration for vMotion
Using DRS Clusters to Manage Resources
Load Balancing
Power management
Affinity Rules
Integrations Deployment and Configuration
vSphere Integrations Deployment and Configuration
References
vSphere References
This document provides step-by-step instructions for installing, configuring and deploying the solution.
This document is written with the assumption that the administrator who uses these procedures is familiar with the
products being used. It is not intended for administrators without prior knowledge of the concepts and
terminology.
Architecture Models
Standardization of software configuration improves predictability, supportability and speed of delivery.
Considering these benefits, VMware has developed the VMware Validated Designs (VVD).
These designs are comprehensive and cover everything from hardware configuration and specification to
detailed software configuration. They also cover the required third-party components to support day 2 operations.
The result is a highly available, scalable and robust platform that is vigorously tested.
To support the VVD, VMware Professional Services has defined several architecture models that leverage the best
practices found in the VVD. These designs have greater flexibility of hardware configuration, specification and
software components, than when utilizing the VVD as a whole.
These architecture models do not provide the guarantees of the VVD, but do introduce standardization
through the best practices to increase the speed of delivery.
Procedures
This section provides step-by-step procedures for common configuration tasks to be performed during the
deployment of the product.
Preparation
This section describes the preparation tasks which are required for the deployment of the solution. It is split
up into technology sections.
To install or upgrade ESXi, your system must meet specific hardware and software requirements as described by the
following detail.
To install or upgrade ESXi, your hardware and system resources must meet the following requirements:
Supported server platform. For a list of supported platforms, see the VMware Compatibility Guide at
http://www.vmware.com/resources/compatibility.
ESXi 7.0 supports a broad range of multi-core 64-bit x86 processors. For a complete list of supported
processors, see the VMware Compatibility Guide at http://www.vmware.com/resources/compatibility.
ESXi 7.0 requires the NX/XD bit to be enabled for the CPU in the BIOS.
ESXi 7.0 requires a minimum of 4 GB of physical RAM. Provide at least 8 GB of RAM to run virtual
machines in typical production environments.
To support 64-bit virtual machines, support for hardware virtualization (Intel VT-x or AMD RVI) must be
enabled on x64 CPUs.
One or more Gigabit or faster Ethernet controllers. For a list of supported network adapter models, see the
VMware Compatibility Guide at http://www.vmware.com/resources/compatibility.
ESXi 7.0 requires a boot disk of at least 8 GB for USB or SD devices, and 32 GB for other device types such
as HDD, SSD, or NVMe. A boot device must not be shared between ESXi hosts.
SCSI disk or a local, non-network, RAID LUN with unpartitioned space for the virtual machines.
For Serial ATA (SATA), a disk connected through supported SAS controllers or supported on-board SATA
controllers. SATA disks are considered remote, not local. These disks are not used as a scratch partition by
default because they are seen as remote.
Note You cannot connect a SATA CD-ROM device to a virtual machine on an ESXi host. To use the SATA
CD-ROM device, you must use IDE emulation mode.
Storage Systems
For a list of supported storage systems, see the VMware Compatibility Guide at
http://www.vmware.com/resources/compatibility. For Software Fibre Channel over Ethernet (FCoE), see Installing
and Booting ESXi with Software FCoE.
vSphere 7.0 supports booting ESXi hosts from the Unified Extensible Firmware Interface (UEFI). With UEFI,
you can boot systems from hard drives, CD-ROM drives, or USB media.
VMware Auto Deploy supports network booting and provisioning of ESXi hosts with UEFI.
ESXi can boot from a disk larger than 2 TB if the system firmware and the firmware on any add-in card that you are
using support it. See the vendor documentation.
Installing ESXi 7.0 requires a boot device that is a minimum of 8 GB for USB or SD devices, and 32 GB for other
device types. Upgrading to ESXi 7.0 requires a boot device that is a minimum of 4 GB. When booting from a local
disk, SAN or iSCSI LUN, a 32 GB disk is required to allow for the creation of system storage volumes, which
include a boot partition, boot banks, and a VMFS-L based ESX-OSData volume. The ESX-OSData volume takes on
the role of the legacy /scratch partition, VM-tools, and core dump destination.
An 8 GB USB or SD and an additional 32 GB local disk. The ESXi boot partitions reside on the USB or SD
and the ESX-OSData volume resides on the local disk.
A local disk with a minimum of 32 GB. The disk contains the boot partitions and ESX-OSData volume.
A local disk of 142 GB or larger. The disk contains the boot partitions, ESX-OSData volume, and VMFS
datastore.
The ESXi 7.0 system storage volumes can occupy up to 138 GB of disk space. A VMFS datastore is only created if
the local disk device has at least 4 GB additional free space. To share a boot device with a local VMFS datastore,
you need to use a local disk of 142 GB or larger.
If a local disk cannot be found, then ESXi 7.0 operates in degraded mode where certain functionality is disabled
and the /scratch partition is on the RAM disk, linked to /tmp. You can reconfigure /scratch to use a
separate disk or LUN. For best performance and memory optimization, do not run ESXi in degraded mode.
The upgrade process to ESXi 7.0 repartitions the boot device and consolidates the original core dump, locker, and
scratch partitions into the ESX-OSData volume.
If a custom core dump destination is not configured, then the default core dump location is a file in the ESX-OSData
volume.
If the syslog service is configured to store log files on the 4 GB VFAT scratch partition, the log files in
var/run/log are migrated to the ESX-OSData volume.
VMware Tools are migrated from the locker partition and the partition is wiped.
The core dump partition is wiped. The application core dump files that are stored on the scratch partition
are deleted.
Note Rollback to an earlier version of ESXi is not possible due to the repartitioning process of the boot device. To
use an earlier version of ESXi after upgrading to version 7.0, you must create a backup of the boot device before the
upgrade, and restore the ESXi boot device from the backup.
Due to the I/O sensitivity of USB and SD devices, the installer only creates a VMFS-L locker partition on these
devices to store VM-tools and core dump files. When installing or upgrading on USB or SD devices, the installer
attempts to allocate an ESX-OSData region on an available local disk. A datastore is used for /scratch, if there is
no available space. If no local disk or datastore is found, /scratch is placed on the RAM disk. After the
installation or upgrade, reconfigure /scratch to use a persistent datastore or add a new disk for system storage
volumes.
To reconfigure /scratch, see Set the Scratch Partition from the vSphere Client.
Although an 8 GB USB or SD device is sufficient for a minimal installation, you should use a larger device. The
additional space is used for an expanded core dump file and the extra flash cells of a high-quality USB flash drive
can prolong the life of the boot media. Use a 32 GB or larger high-quality USB flash drive. See Knowledge Base
article http://kb.vmware.com/kb/2004784.
In Auto Deploy installations, the installer attempts to allocate a scratch region on an available local disk or
datastore. If no local disk or datastore is found, the /scratch partition is placed on the RAM disk. Reconfigure
/scratch to use a persistent datastore after the installation.
For environments that boot from a SAN or use Auto Deploy, the ESX-OSData volume for each ESXi host must be
set up on a separate SAN LUN. However, if /scratch is configured not to use ESX-OSData, you do not need to
allocate a separate LUN for /scratch for each host. You can co-locate the scratch regions for multiple ESXi
hosts onto a single LUN. The number of hosts assigned to any single LUN should be weighed against the LUN size
and the I/O behavior of the virtual machines.
ESXi 7.0 Installation on M.2 and Other Non-USB Low-End Flash Media
Unlike USB flash devices, the ESXi installer creates system storage volumes and a VMFS datastore on M.2 and
other non-USB low-end flash media. If you deploy a virtual machine or migrate a virtual machine to this boot
device datastore, the boot device can be worn out quickly depending on the endurance of the flash device and the
characteristics of the workload. As even read-only workloads can cause problems on low-end flash devices, you
should install ESXi only on high-endurance flash media.
Important If you install ESXi on M.2 or other non-USB low-end flash media, delete the VMFS datastore on the
device immediately after installation. For more information on removing VMFS datastores, see the vSphere
Storage documentation.
RAM: ESXi hosts require more RAM than typical servers. Provide at least 8 GB of RAM to take full advantage of ESXi
features and run virtual machines in typical production environments. An ESXi host must have sufficient RAM to run
concurrent virtual machines. The following examples are provided to help you calculate the RAM required by the
virtual machines running on the ESXi host.
Operating four virtual machines with Red Hat Enterprise Linux or Windows XP requires at least 3 GB of RAM for
baseline performance. This figure includes 1024 MB for the virtual machines, 256 MB minimum for each operating
system as recommended by vendors.
Running these four virtual machines with 512 MB RAM requires that the ESXi host have 4 GB RAM, which includes
2048 MB for the virtual machines.
These calculations do not include possible memory savings from using variable overhead memory for each virtual
machine. See vSphere Resource Management.
Dedicated Fast Ethernet adapters for virtual machines: Place the management network and virtual machine networks
on different physical network cards. Dedicated Gigabit Ethernet cards for virtual machines, such as Intel PRO 1000
adapters, improve throughput to virtual machines with high network traffic.
Disk location: Place all data that your virtual machines use on physical disks allocated specifically to virtual
machines. Performance is better when you do not place your virtual machines on the disk containing the ESXi boot
image. Use physical disks that are large enough to hold disk images that all the virtual machines use.
VMFS6 partitioning: The ESXi installer creates the initial VMFS volumes on the first blank local disk found. To add
disks or modify the original configuration, use the vSphere Client. This practice ensures that the starting sectors
of partitions are 64K-aligned, which improves storage performance.
Note For SAS-only environments, the installer might not format the disks. For some SAS disks, it is not possible to
identify whether the disks are local or remote. After the installation, you can use the vSphere Client to set up VMFS.
Hardware compatibility: Use devices in your server that are supported by ESXi 7.0 drivers. See the Hardware
Compatibility Guide at http://www.vmware.com/resources/compatibility.
The following table lists the firewalls for services that are installed by default. If you install other VIBs on your
host, additional services and firewall ports might become available. The information is primarily for services that
are visible in the vSphere Client but the table includes some other ports as well.
| Port | Protocol | Service | Comment |
|---|---|---|---|
| 5988 | TCP | CIM Server | Server for CIM (Common Information Model). |
| 427 | TCP, UDP | CIM SLP | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers. |
| 8301, 8302 | UDP | DVSSync | DVSSync ports are used for synchronizing states of distributed virtual ports between hosts that have VMware FT record/replay enabled. Only hosts that run primary or backup virtual machines must have these ports open. On hosts that are not using VMware FT these ports do not have to be open. |
| 902 | TCP | NFC | Network File Copy (NFC) provides a file-type-aware FTP service for vSphere components. ESXi uses NFC for operations such as copying and moving data between datastores by default. |
| 12345, 23451 | UDP | vSAN Clustering Service | VMware vSAN Cluster Monitoring and Membership Directory Service. Uses UDP-based IP multicast to establish cluster members and distribute vSAN metadata to all cluster members. If disabled, vSAN does not work. |
| 8200, 8100, 8300 | TCP, UDP | Fault Tolerance | Traffic between hosts for vSphere Fault Tolerance (FT). |
| 6999 | UDP | NSX Distributed Logical Router Service | NSX Virtual Distributed Router service. The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open. This service was called NSX Distributed Logical Router in earlier versions of the product. |
| 2233 | TCP | vSAN Transport | vSAN reliable datagram transport. Uses TCP and is used for vSAN storage IO. If disabled, vSAN does not work. |
| 161 | UDP | SNMP Server | Allows the host to connect to an SNMP server. |
| 8080 | TCP | vsanvp | vSAN VASA Vendor Provider. Used by the Storage Management Service (SMS) that is part of vCenter to access information about vSAN storage profiles, capabilities, and compliance. If disabled, vSAN Storage Profile Based Management (SPBM) does not work. |
| 80 | TCP | vSphere Web Access | Welcome page, with download links for different interfaces. |
| 9080 | TCP | I/O Filter Service | Used by the I/O Filters storage feature. |
| Port | Protocol | Service | Comment |
|---|---|---|---|
| 427 | TCP, UDP | CIM SLP | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers. |
| 8301, 8302 | UDP | DVSSync | DVSSync ports are used for synchronizing states of distributed virtual ports between hosts that have VMware FT record/replay enabled. Only hosts that run primary or backup virtual machines must have these ports open. On hosts that are not using VMware FT these ports do not have to be open. |
| 44046, 31031 | TCP | HBR | Used for ongoing replication traffic by vSphere Replication and VMware Site Recovery Manager. |
| 902 | TCP | NFC | Network File Copy (NFC) provides a file-type-aware FTP service for vSphere components. ESXi uses NFC for operations such as copying and moving data between datastores by default. |
| 12345, 23451 | UDP | vSAN Clustering Service | Cluster Monitoring, Membership, and Directory Service used by vSAN. |
| 80, 8200, 8100, 8300 | TCP, UDP | Fault Tolerance | Supports VMware Fault Tolerance. |
| 5671 | TCP | rabbitmqproxy | A proxy running on the ESXi host. This proxy allows applications that are running inside virtual machines to communicate with the AMQP brokers that are running in the vCenter network domain. The virtual machine does not have to be on the network, that is, no NIC is required. Ensure that outgoing connection IP addresses include at least the brokers in use or future. You can add brokers later to scale up. |
| 2233 | TCP | vSAN Transport | Used for RDT traffic (Unicast peer to peer communication) between vSAN nodes. |
| 8000 | TCP | vMotion | Required for virtual machine migration with vMotion. |
Table 2-4. Firewall Ports for Services That Are Not Visible in the UI by Default
| Port | Protocol | Service | Comment |
|---|---|---|---|
| 5900-5964 | TCP | RFB protocol | The RFB protocol is a simple protocol for remote access to graphical user interfaces. |
| 8889 | TCP | OpenWSMAN Daemon | Web Services Management (WS-Management) is a DMTF open standard for the management of servers, devices, applications, and Web services. |
All vSphere components use this infrastructure. The default values for log capacity in this infrastructure vary,
depending on the amount of storage available and on how you have configured system logging. Hosts that are
deployed with Auto Deploy store logs on a RAM disk, which means that the amount of space available for logs is
small.
If your host is deployed with Auto Deploy, reconfigure your log storage in one of the following ways:
If you redirect logs to non-default storage, such as a NAS or NFS store, you might also want to reconfigure log
sizing and rotations for hosts that are installed to disk.
You do not need to reconfigure log storage for ESXi hosts that use the default configuration, which stores logs in a
scratch directory on the VMFS volume. For these hosts, ESXi 7.0 configures logs to best suit your installation, and
provides enough space to accommodate log messages.
Table 2-5. Recommended Minimum Size and Rotation Configuration for hostd, vpxa, and fdm Logs
| Log | Maximum Log File Size | Number of Rotations to Preserve | Minimum Disk Space Required |
|---|---|---|---|
| VirtualCenter Agent (vpxa) | 5 MB | 10 | 50 MB |
For information about setting up a remote log server, see Configure Syslog on ESXi Hosts.
Note The default requirements for ESXi passwords can change from one release to the next. You can check and
change the default password restrictions using the Security.PasswordQualityControl advanced option.
ESXi Passwords
ESXi enforces password requirements for access from the Direct Console User Interface, the ESXi Shell, SSH, or the
VMware Host Client.
By default, you have to include a mix of characters from four character classes: lowercase letters, uppercase
letters, numbers, and special characters such as underscore or dash when you create a password.
Note An uppercase character that begins a password does not count toward the number of character classes used.
A number that ends a password does not count toward the number of character classes used.
The following password candidates illustrate potential passwords if the option is set as follows.
items are disabled. Passwords from three- and four-character classes require seven characters. See the
pam_passwdqc man page for details.
Xqat3hi: Begins with an uppercase character, reducing the effective number of character classes to two.
The minimum number of required character classes is three.
xQaTEh2: Ends with a number, reducing the effective number of character classes to two. The minimum
number of required character classes is three.
Instead of a password, you can also use a pass phrase. However, pass phrases are disabled by default. You can change
this default or other settings, by using the Security.PasswordQualityControl advanced option from the
vSphere Client.
retry=3 min=disabled,disabled,16,7,7
This example allows pass phrases of at least 16 characters and at least three words, separated by spaces.
For legacy hosts, changing the /etc/pam.d/passwd file is still supported, but changing the file is deprecated
for future releases. Use the Security.PasswordQualityControl advanced option instead.
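The character-class rule and the min= setting described above can be checked offline before a policy is rolled out. The following Python is an added example, not VMware code: it models only the length, character-class and word-count checks of pam_passwdqc (the real module applies further checks), and evaluates the two candidates from this page plus constructed samples. It assumes that pass-phrase words are separated by spaces and that retry and passphrase default to 3 when omitted.

```python
"""Simplified model of Security.PasswordQualityControl checks (added example)."""
import string
from typing import NamedTuple, Optional, Tuple


class Policy(NamedTuple):
    retry: int
    # Order: one class, two classes, pass phrase, three classes, four classes.
    # None stands for "disabled".
    min_lengths: Tuple[Optional[int], ...]
    passphrase_words: int


class Verdict(NamedTuple):
    accepted: bool
    reason: str


def parse_policy(option: str) -> Policy:
    """Parse a value such as 'retry=3 min=disabled,disabled,16,7,7'."""
    retry, words, mins = 3, 3, None  # assumed defaults for omitted keys
    for token in option.split():
        key, _, value = token.partition("=")
        if key == "retry":
            retry = int(value)
        elif key == "passphrase":
            words = int(value)
        elif key == "min":
            fields = value.split(",")
            if len(fields) != 5:
                raise ValueError("min= needs five comma-separated fields")
            mins = tuple(None if f == "disabled" else int(f) for f in fields)
        # Other pam_passwdqc options are outside this model and are ignored.
    if mins is None:
        raise ValueError("this model requires an explicit min= setting")
    return Policy(retry, mins, words)


def effective_classes(password: str) -> int:
    """Count character classes, skipping a leading uppercase letter and a
    trailing digit, as the note on this page describes."""
    counted = set()
    last = len(password) - 1
    for index, char in enumerate(password):
        if char in string.ascii_lowercase:
            counted.add("lower")
        elif char in string.ascii_uppercase:
            if index != 0:
                counted.add("upper")
        elif char in string.digits:
            if index != last:
                counted.add("digit")
        else:
            counted.add("special")
    return len(counted)


def evaluate(password: str, policy: Policy) -> Verdict:
    """Decide whether a candidate passes the modelled checks."""
    phrase_min = policy.min_lengths[2]
    word_count = len(password.split())
    if (phrase_min is not None and word_count >= policy.passphrase_words
            and len(password) >= phrase_min):
        return Verdict(True, f"pass phrase: {word_count} words, length {len(password)}")

    classes = effective_classes(password)
    if classes == 0:
        return Verdict(False, "no countable character class")
    # Map the class count to its position in min=N0,N1,N2,N3,N4.
    required = policy.min_lengths[{1: 0, 2: 1, 3: 3, 4: 4}[classes]]
    if required is None:
        return Verdict(False, f"{classes}-class passwords are disabled")
    if len(password) < required:
        return Verdict(False, f"{classes} classes need length {required}")
    return Verdict(True, f"{classes} classes, length {len(password)}")


if __name__ == "__main__":
    policy = parse_policy("retry=3 min=disabled,disabled,16,7,7")
    samples = [
        "Xqat3hi",                # candidate from this page
        "xQaTEh2",                # candidate from this page
        "xQaT3#A",                # constructed sample
        "correct horse battery",  # constructed sample
        "two words",              # constructed sample
    ]
    for candidate in samples:
        verdict = evaluate(candidate, policy)
        state = "accept" if verdict.accepted else "reject"
        print(f"{candidate!r:26} {state}: {verdict.reason}")
```

Because not all option combinations are tested by the vendor, confirm any result from this model against a real host before relying on it.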
You can change the default restriction on passwords or pass phrases by using the
Security.PasswordQualityControl advanced option for your ESXi host. See vCenter Server and Host
Management documentation for information on setting ESXi advanced options.
You can change the default, for example, to require a minimum of 15 characters and a minimum number of four
words, as follows:
Note Not all possible combinations of password options have been tested. Perform additional testing after you change
the default password settings.
Account locking is supported for access through SSH and through the vSphere Web Services SDK. The Direct
Console Interface (DCUI) and the ESXi Shell do not support account lockout. By default, a maximum of five failed
attempts is allowed before the account is locked. The account is unlocked after 15 minutes by default.
You can configure the login behavior for your ESXi host with the following advanced options:
Security.PasswordHistory. Number of passwords to remember for each user. Zero disables password
history.
See the vCenter Server and Host Management documentation for information on setting ESXi advanced
options.
To install or upgrade vCenter Server, your system must meet specific hardware and software requirements as
described by the following detail.
When you use Fully Qualified Domain Names, verify that the client machine from which you are deploying the
appliance and the network on which you are deploying the appliance use the same DNS server.
Before you deploy the appliance, synchronize the clocks of the target server and all vCenter Server instances on
the vSphere network. Unsynchronized clocks might result in authentication problems and can cause the
installation to fail or prevent the appliance services from starting. See Synchronizing Clocks on the vSphere
Network.
When you deploy the vCenter Server appliance, you can select to deploy an appliance that is suitable for the
size of your vSphere environment. The option that you select determines the number of CPUs and the amount
of memory for the appliance.
The hardware requirements for a vCenter Server appliance depend on the size of your vSphere inventory.
Note If you want to add an ESXi host with more than 512 LUNs and 2,048 paths to the vCenter Server inventory,
you must deploy a vCenter Server appliance for a large or x-large environment.
When you deploy the vCenter Server appliance, the ESXi host or DRS cluster on which you deploy the appliance
must meet minimum storage requirements. The required storage depends not only on the size of the vSphere
environment and the storage size, but also on the disk provisioning mode.
The storage requirements are different for each vSphere environment size and depend on your database size
requirements.
Note The storage requirements include the requirements for the vSphere Lifecycle Manager that runs as a
service in the vCenter Server appliance.
The VMware vCenter Server appliance can be deployed on ESXi 6.5 hosts or later, or on vCenter Server instances
6.5 or later.
You can deploy the vCenter Server appliance using the GUI or CLI installer. You run the installer from a network
client machine that you use to connect to the target server and deploy the appliance on the server. You can
connect directly to an ESXi 6.5 host on which to deploy the appliance. You can also connect to a vCenter Server
6.5 instance to deploy the appliance on an ESXi host or DRS cluster that resides in the vCenter Server inventory.
For information about the requirements for the network client machine, see System Requirements for the vCenter Server
Installer.
The vCenter Server system must be able to send data to every managed host and receive data from the vSphere
Client. To enable migration and provisioning activities between managed hosts, the source and destination hosts
must be able to receive data from each other.
If a port is in use or is blocked using a denylist, the vCenter Server installer displays an error message. You must
use another port number to proceed with the installation. There are internal ports that are used only for inter-
process communication.
VMware uses designated ports for communication. Additionally, the managed hosts monitor designated ports for
data from vCenter Server. If a built-in firewall exists between any of these elements, the installer opens the ports
during the installation or upgrade process. For custom firewalls, you must manually open the required ports. If you
have a firewall between two managed hosts and you want to perform source or target activities, such as migration or
cloning, you must configure a means for the managed hosts to receive data.
To configure the vCenter Server system to use a different port to receive vSphere Client data, see the vCenter
Server and Host Management documentation.
53 | | DNS service | No
88 | TCP | Active Directory server. This port must be open for host to join Active Directory. If you use native Active Directory, the port must be open on vCenter Server. | No
389 | TCP/UDP | This port must be open on the local and all remote instances of vCenter Server. This port is the LDAP port number for the Directory Services for the vCenter Server group. If another service is running on this port, it might be preferable to remove it or change its port to a different port. You can run the LDAP service on any port from 1025 through 65535. | vCenter Server to vCenter Server
443 | TCP | The default port that the vCenter Server system uses to listen for connections from the vSphere Client. To enable the vCenter Server system to receive data from the vSphere Client, open port 443 in the firewall. The vCenter Server system also uses port 443 to monitor data transfer from SDK clients. This port is also used for the following services: WS-Management (also requires port 80 to be open); third-party network management client connections to vCenter Server; third-party network management clients access to hosts. | vCenter Server to vCenter Server
514 | TCP/UDP | vSphere Syslog Service port for the vCenter Server appliance. | No
902 | TCP/UDP | The default port that the vCenter Server system uses to send data to managed hosts. Managed hosts also send a regular heartbeat over UDP port 902 to the vCenter Server system. This port must not be blocked by firewalls between the server and the hosts or between hosts. Port 902 must not be blocked between the VMware Host Client and the hosts. The VMware Host Client uses this port to display virtual machine consoles. | No
1514 | TCP | vSphere Syslog Service TLS port for the vCenter Server appliance. | No
For more information about firewall configuration, see the vSphere Security documentation.
When you deploy the vCenter Server appliance with a static IP address, you ensure that in case of system restart,
the IP address of the appliance remains the same.
Before you deploy the vCenter Server appliance with a static IP address, you must verify that this IP address has a
valid internal domain name system (DNS) registration.
When you deploy the vCenter Server appliance, the installation of the web server component that supports the
vSphere Client fails if the installer cannot look up the fully qualified domain name (FQDN) for the appliance
from its IP address. Reverse lookup is implemented using PTR records.
If you plan to use an FQDN for the appliance system name, you must verify that the FQDN is resolvable by a
DNS server, by adding forward and reverse DNS A records.
You can use the nslookup command to verify that the DNS reverse lookup service returns an FQDN when
queried with the IP address and to verify that the FQDN is resolvable.
Ensure that the ESXi host management interface has a valid DNS resolution from the vCenter Server and all
vSphere Client instances. Ensure that the vCenter Server has a valid DNS resolution from all ESXi hosts and
vSphere Client.
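The forward and reverse lookup check described above can be scripted before deployment. The following is an added example, not part of the original guide or of VMware's installer; the function names and the sample zone data (documentation address range 192.0.2.0/24, host names under lab.example) are constructed for illustration.

```python
import ipaddress
import socket


def system_forward(fqdn):
    """Forward lookup through the system resolver: FQDN -> set of IP strings."""
    return {info[4][0] for info in socket.getaddrinfo(fqdn, None)}


def system_reverse(ip):
    """Reverse lookup through the system resolver: IP -> primary host name."""
    return socket.gethostbyaddr(ip)[0]


def _norm_name(name):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return name.rstrip(".").lower()


def _norm_ip(text):
    # Normalise so that equivalent IPv6 spellings compare equal.
    try:
        return str(ipaddress.ip_address(text.split("%")[0]))
    except ValueError:
        return text


def check_appliance_dns(fqdn, ip, forward=system_forward, reverse=system_reverse):
    """Return a list of problems; an empty list means both directions agree."""
    problems = []
    want_name, want_ip = _norm_name(fqdn), _norm_ip(ip)

    try:
        addrs = {_norm_ip(a) for a in forward(fqdn)}
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        addrs = set()
        problems.append(f"forward lookup of {fqdn} failed: {exc}")
    if addrs and want_ip not in addrs:
        problems.append(f"{fqdn} resolves to {sorted(addrs)}, not {ip}")

    try:
        ptr = _norm_name(reverse(ip))
    except OSError as exc:  # socket.herror is a subclass of OSError
        ptr = None
        problems.append(f"no PTR record for {ip}: {exc}")
    if ptr is not None and ptr != want_name:
        kind = "a short host name" if "." not in ptr else "a different name"
        problems.append(f"PTR for {ip} returns {kind} ({ptr}), not {want_name}")
    return problems


# Constructed sample zone data so the check can be exercised offline.
SAMPLE_A = {"vcsa01.lab.example": {"192.0.2.10"},
            "vcsa02.lab.example": {"192.0.2.11"}}
SAMPLE_PTR = {"192.0.2.10": "vcsa01.lab.example.",  # correct PTR
              "192.0.2.11": "vcsa02"}               # PTR without the domain


def sample_forward(fqdn):
    try:
        return SAMPLE_A[_norm_name(fqdn)]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known") from None


def sample_reverse(ip):
    try:
        return SAMPLE_PTR[ip]
    except KeyError:
        raise socket.herror(1, "Unknown host") from None


if __name__ == "__main__":
    for name, addr in [("vcsa01.lab.example", "192.0.2.10"),
                       ("vcsa02.lab.example", "192.0.2.11")]:
        issues = check_appliance_dns(name, addr, sample_forward, sample_reverse)
        print(name, addr, "OK" if not issues else issues)
```

Call `check_appliance_dns(fqdn, ip)` without the last two arguments to query the resolver of the machine it runs on; run it from the client machine and from a host on the target network, since both must see the same records.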
The machine from which you deploy the appliance must run on a Windows, Linux, or Mac operating system that
meets the operating system requirements. See System Requirements for the vCenter Server Installer.
You can run the vCenter Server GUI or CLI installer from a network client machine that is running on a Windows,
Linux, or Mac operating system of a supported version.
To ensure optimal performance of the GUI and CLI installers, use a client machine that meets the minimum
hardware requirements.
Table 2-9. System Requirements for the GUI and CLI Installers
Operating System | Supported Versions | Minimum Hardware Configuration for Optimal Performance
Windows | Windows 8, 8.1, 10; Windows 2012 x64 bit; Windows 2012 R2 x64 bit; Windows 2016 x64 bit; Windows 2019 x64 | 4 GB RAM, 2 CPU having 4 cores with 2.3 GHz, 32 GB hard disk, 1 NIC
Linux | SUSE 15; Ubuntu 16.04 and 18.04 | 4 GB RAM, 1 CPU having 2 cores with 2.3 GHz, 16 GB hard disk, 1 NIC. Note The CLI installer requires 64-bit OS.
Mac | macOS v10.13, 10.14, 10.15; macOS High Sierra, Mojave, Catalina | 8 GB RAM, 1 CPU having 4 cores with 2.4 GHz, 150 GB hard disk, 1 NIC
Note For client machines that run on Mac 10.13 or later, concurrent GUI deployments of multiple appliances are
unsupported. You must deploy the appliances in a sequence.
Note Visual C++ redistributable libraries need to be installed to run the CLI installer on versions of Windows
older than Windows 10. The Microsoft installers for these libraries are located in the
vcsa-cli-installer/win32/vcredist directory.
Note Deploying the vCenter Server appliance with the GUI requires a minimum resolution of 1024x768 to
properly display. Lower resolutions can truncate the UI elements.
VMware releases the vCenter Server appliance ISO image, which contains GUI and CLI installers for the vCenter
Server appliance.
With the GUI and CLI executable files that are included in the vCenter Server installer, you can:
Converge older versions of vCenter Server with an external Platform Services Controller to the current
version of vCenter Server.
Prerequisites
Verify that your client machine meets the system requirements for the vCenter Server installer. See
System Requirements for the vCenter Server Installer.
Procedure
VMware-VCSA-all-version_number-build_number.iso
See the VMware Web site topic Using MD5 Checksums at http://www.vmware.com/download/md5.html.
3 Mount the ISO image to the client machine from which you want to deploy, upgrade, migrate, or restore the
appliance.
Note ISO mounting software that does not allow more than eight directory levels, for example, MagicISO
Maker on Windows, is unsupported.
Open the readme.txt file and review the information about the other files and directories in the vCenter Server
appliance ISO image.
Verify that all components on the vSphere network have their clocks synchronized. If the clocks on the physical
machines in your vSphere network are not synchronized, SSL certificates and SAML Tokens, which are time-
sensitive, might not be recognized as valid in communications between network machines.
Unsynchronized clocks can result in authentication problems, which can cause the installation to fail or prevent the
vCenter Server vmware-vpxd service from starting.
Time inconsistencies in vSphere can cause firstboot to fail at different services depending on where in the
environment time is not accurate and when the time is synchronized. Problems most commonly occur when the
target ESXi host for the destination vCenter Server is not synchronized with NTP or PTP. Similarly, issues can arise
if the destination vCenter Server migrates to an ESXi host set to a different time due to fully automated DRS.
To avoid time synchronization issues, ensure that the following is correct before installing, migrating, or
upgrading a vCenter Server.
The target ESXi host where the destination vCenter Server is to be deployed is synchronized to NTP or PTP.
The ESXi host running the source vCenter Server is synchronized to NTP or PTP.
When upgrading or migrating from vSphere 6.5 or 6.7 to vSphere 7.0, if the vCenter Server appliance is
connected to an external Platform Services Controller, ensure the ESXi host running the external Platform
Services Controller is synchronized to NTP or PTP.
If you are upgrading or migrating from vSphere 6.5 or 6.7 to vSphere 7.0, verify that the source vCenter
Server or vCenter Server appliance and external Platform Services Controller have the correct time.
When you upgrade a vCenter Server 6.5 or 6.7 instance with an external Platform Services Controller to
vSphere 7.0, the upgrade process converts to a vCenter Server instance with an embedded Platform Services
Controller.
Verify that any Windows host machine on which vCenter Server runs is synchronized with the Network Time
Protocol (NTP) server. See the VMware knowledge base article at https://kb.vmware.com/s/article/1318.
To synchronize ESXi clocks with an NTP server or a PTP server, you can use the VMware Host Client. For
information about editing the time configuration of an ESXi host, see vSphere Single Host Management -
VMware Host Client.
To learn how to change time synchronization settings for vCenter Server, see "Configure the System Time
Zone and Time Synchronization Settings" in vCenter Server Configuration.
To learn how to edit time configuration for a host by using the vSphere Client, see "Editing Time Configuration
for a Host" in vCenter Server and Host Management.
To establish a secure TLS connection to a vCenter Server (the server), the system clock of the machine where you
are running the CLI installer (the client) must not be slower or faster than the server's system clock by more than
an acceptable limit (tolerance).
See Table 2-10. Client Clock Tolerance for specific values for each deployment scenario.
Note The client clock values are applicable only for vCenter Server 6.7 and later.
Linking one vCenter Server with another vCenter Server | When deploying the second vCenter Server, the clock tolerance for the client and the first vCenter Server must not exceed 10 minutes.
Installing a vCenter Server appliance using a container vCenter Server with a *._on_vc.json template. | The maximum clock tolerance between the client and the container vCenter Server is 8 hours 20 minutes.
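A pre-flight check for the two tolerances in the table above, together with the certificate validity effect mentioned in the clock synchronization paragraph. This is an added example, not part of the original guide or of the CLI installer; the scenario keys and function names are hypothetical, the sample times are constructed, and it assumes you read the server's time from the Date header of an HTTP response.

```python
import ssl
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Tolerances taken from the two table rows above (scenario keys are made up here).
TOLERANCE = {
    "link_to_existing_vcenter": timedelta(minutes=10),
    "container_vcenter_on_vc_template": timedelta(hours=8, minutes=20),
}


def server_time_from_date_header(value):
    """Parse an HTTP Date header (for example from a response of the server)."""
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError) as exc:
        raise ValueError(f"not an HTTP date: {value!r}") from exc
    if parsed.tzinfo is None:
        # HTTP dates are defined in GMT; treat a zone-less value as UTC.
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def clock_skew(server_date_header, client_now=None):
    """Signed skew as a timedelta: positive when the client clock is ahead."""
    if client_now is None:
        client_now = datetime.now(timezone.utc)
    if client_now.tzinfo is None:
        raise ValueError("client_now must be timezone-aware")
    return client_now - server_time_from_date_header(server_date_header)


def check_tolerance(scenario, server_date_header, client_now=None):
    """Compare the absolute skew with the limit for the deployment scenario."""
    skew = clock_skew(server_date_header, client_now)
    limit = TOLERANCE[scenario]
    # The Date header has one-second resolution, so leave margin near the limit.
    return {
        "skew_seconds": skew.total_seconds(),
        "limit_seconds": limit.total_seconds(),
        "within": abs(skew) <= limit,
    }


def cert_state(not_before, not_after, client_now):
    """How a certificate's validity window looks from the client's clock.

    not_before / not_after use the text form found in certificates,
    for example "Oct  6 12:00:00 2020 GMT".
    """
    now = client_now.timestamp()
    if now < ssl.cert_time_to_seconds(not_before):
        return "not yet valid"
    if now > ssl.cert_time_to_seconds(not_after):
        return "expired"
    return "valid"


if __name__ == "__main__":
    # Constructed sample: server reports 12:00 UTC, client clock reads 12:11 UTC.
    header = "Tue, 06 Oct 2020 12:00:00 GMT"
    client = datetime(2020, 10, 6, 12, 11, tzinfo=timezone.utc)
    for scenario in TOLERANCE:
        print(scenario, check_tolerance(scenario, header, client))
    # A client running five minutes behind sees a freshly issued certificate
    # as not yet valid, which is one way unsynchronized clocks break TLS.
    behind = datetime(2020, 10, 6, 11, 55, tzinfo=timezone.utc)
    print(cert_state("Oct  6 12:00:00 2020 GMT", "Oct  6 12:00:00 2022 GMT", behind))
```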
General Prerequisites
Verify that your system meets the minimum software and hardware requirements. See System
Requirements for the vCenter Server Appliance.
If you want to deploy the appliance on an ESXi host, verify that the ESXi host is not in lockdown or
maintenance mode and not part of a fully automated DRS cluster.
If you want to deploy the appliance on a DRS cluster of the inventory of a vCenter Server instance, verify
that the cluster contains at least one ESXi host that is not in lockdown or maintenance mode.
If you plan to use NTP servers for time synchronization, verify that the NTP servers are running and that the
time between the NTP servers and the target server on which you want to deploy the appliance is
synchronized.
When deploying a new vCenter Server as part of an Enhanced Linked Mode deployment, create an image-based
backup of the existing vCenter Server nodes in your environment. You can use the backup as a precaution in case
there is a failure during the deployment process.
If the deployment fails, delete the newly deployed vCenter Server appliance, and restore the vCenter Server
nodes from their respective image-based backups. You must restore all the nodes in the environment from
their image-based backups. Failing to do so can cause the replication partners to be out of synchronization with
the restored node.
To learn more about creating vCenter Enhanced Linked Mode deployments, see Creating vCenter Server
Linked Mode Groups.
To learn about image-based backups, see Image-Based Back Up and Restore of a vCenter Server
Environment.
Network Prerequisites
If you plan to assign a static IP address and an FQDN as a system name in the network settings of the appliance,
verify that you have configured the forward and reverse DNS records for the IP address.
Prior to starting the installation and configuration of the vSphere Network Infrastructure, the following
preparation steps are required:
ESXi host hardware must have the appropriate network connectivity in the datacenter provisioned and
connected.
Appropriate IP addresses, DNS, VLANs, and the like should be available, assigned, and configured as
required for the design.
Prior to starting the installation and configuration of the vSphere Storage Infrastructure, the following
preparation steps are required:
External storage systems should be provisioned, and appropriate configuration of LUNs, zoning, and the like
should be available for configuration of the storage. Steps are provided only for configuration specific to
VMware products that is required to set up storage generically.
The storage vendor should be contacted to ensure their best practices are being followed.
Prior to starting the installation and configuration of High Availability, the following preparation steps are
required:
The vCenter Server Appliance that later becomes the Active node has been deployed. vCenter for
Windows is not supported.
Appropriate access and privileges have been granted to modify that vCenter Server Appliance and
the ESXi host on which it runs.
During network setup, static IP addresses for the management network are required. The management and
cluster network addresses must be IPv4 or IPv6. They cannot be mixed.
Prior to starting the installation and configuration of DRS the following preparation steps are required:
Prior to starting the installation and configuration of the virtual machine configurations the following
preparation steps are required:
Sizing and Operating System details for the templates must be decided.
The first building block of the deployment is the ESXi host. Installing an ESXi host creates a virtualization layer
that runs on physical servers and abstracts processor, memory, storage, and other resources that one or more
virtual machines can consume, and is generally required to build the rest of the infrastructure. This may include
vCenter Server but could also include many other optional modules or products.
For more information, refer to the product documentation available on the VMware vSphere 7.0 Update 1
Documentation Center Web site (https://docs.vmware.com/en/VMware-vSphere/index.html). This section
describes how to install and configure ESXi Hosts.
In a typical interactive installation, you boot the ESXi installer and respond to the installer prompts to install ESXi
to the local host disk. The installer reformats and partitions the target disk and installs the ESXi boot image. If you
have not installed ESXi on the target disk before, all data on the drive is overwritten, including hardware vendor
partitions, operating system partitions, and associated data.
Note To ensure that you do not lose any data, migrate the data to another machine before you install ESXi.
If you are installing ESXi on a disk that contains a previous installation of ESXi or ESX, or a VMFS datastore, the
installer provides you with options for upgrading. See the vSphere Upgrade documentation.
You use the ESXi CD/DVD or a USB flash drive to install the ESXi software onto a SAS, SATA, SCSI hard
drive, or USB drive.
Prerequisites
You must have the ESXi installer ISO in one of the following locations:
On CD or DVD. If you do not have the installation CD/DVD, you can create one. See
Download and Burn the ESXi Installer ISO Image onto a CD or DVD.
On a USB flash drive. See Format a USB Flash Drive to Boot the ESXi Installation.
Note You can also PXE boot the ESXi installer to run an interactive installation or a scripted installation. See
Network Booting the ESXi Installer.
Verify that the server hardware clock is set to UTC. This setting is in the system BIOS.
Verify that a keyboard and monitor are attached to the machine on which the ESXi software is installed.
Alternatively, use a remote management application. See Using Remote Management Applications.
Consider disconnecting your network storage. This action decreases the time it takes the installer to search
for available disk drives. When you disconnect network storage, any files on the disconnected disks are
unavailable at installation.
Do not disconnect a LUN that contains an existing ESX or ESXi installation. Do not disconnect a VMFS
datastore that contains the Service Console of an existing ESX installation. These actions can affect the
outcome of the installation.
Gather the information required by the ESXi installation wizard. See Required Information for ESXi
Installation.
Verify that ESXi Embedded is not present on the host machine. ESXi Installable and ESXi
Embedded cannot exist on the same host.
Procedure
1 Insert the ESXi installer CD/DVD into the CD/DVD-ROM drive, or attach the Installer USB flash drive and
restart the machine.
2 Set the BIOS to boot from the CD-ROM device or the USB flash drive.
See your hardware vendor documentation for information on changing boot order.
3 On the Select a Disk page, select the drive on which to install ESXi, and press Enter.
Note Do not rely on the disk order in the list to select a disk. The disk order is determined by the BIOS and
might be out of order. This might occur on systems where drives are continuously being added and removed.
If you select a disk that contains data, the Confirm Disk Selection page appears.
If you are installing on a disk with a previous ESXi or ESX installation or VMFS datastore, the installer
provides several choices.
Important If you are upgrading or migrating an existing ESXi installation, see the VMware ESXi Upgrade
documentation.
If you select a disk that is in a vSAN disk group, the resulting installation depends on the type of disk and the
group size:
If you select an SSD, the SSD and all underlying HDDs in the same disk group are wiped.
If you select an HDD, and the disk group size is greater than two, only the selected HDD is wiped.
If you select an HDD, and the disk group size is two or less, the SSD and the selected HDD are wiped.
For more information about managing vSAN disk groups, see the vSphere Storage
documentation.
You can change the keyboard type after installation in the direct console.
You can change the password after installation in the direct console.
7 When the installation is complete, remove the installation CD, DVD, or USB flash drive.
9 Set the first boot device to be the drive on which you installed ESXi in Step 3.
For information about changing boot order, see your hardware vendor documentation.
Note UEFI systems might require additional steps to set the boot device. See Host Fails to Boot After ESXi Is
Installed in UEFI Mode.
Results
After the installation is complete, you can migrate existing VMFS data to the ESXi host.
You can boot a single machine from each ESXi image. Booting multiple devices from a single shared ESXi
image is not supported.
What to do next
Set up basic administration and network configuration for ESXi. See After You Install and Set Up ESXi.
Setting Up ESXi
These topics provide information about using the direct console user interface and configuring defaults for ESXi.
Use the direct console interface for initial ESXi configuration and troubleshooting.
Connect a keyboard and monitor to the host to use the direct console. After the host completes the
autoconfiguration phase, the direct console appears on the monitor. You can examine the default network
configuration and change any settings that are not compatible with your network environment.
Configuring hosts
Troubleshooting
You can also use vSphere Client to manage the host by using vCenter Server.
Enable ESXi Shell and SSH Access with the Direct Console User Interface
Use the direct console user interface to enable the ESXi Shell.
Procedure
1 From the Direct Console User Interface, press F2 to access the System Customization menu.
Enable SSH
The availability timeout setting is the number of minutes that can elapse before you must log in after the ESXi
Shell is enabled. After the timeout period, if you have not logged in, the shell is disabled.
Note If you are logged in when the timeout period elapses, your session will persist. However, the ESXi
Shell will be disabled, preventing other users from logging in.
a From the Troubleshooting Mode Options menu, select Modify ESXi Shell and SSH timeouts
and press Enter.
The availability timeout is the number of minutes that can elapse before you must log in after the ESXi
Shell is enabled.
c Press Enter.
The idle timeout is the number of minutes that can elapse before the user is logged out of idle interactive
sessions. Changes to the idle timeout apply the next time a user logs in to the ESXi Shell and do not affect
existing sessions.
6 Press Esc until you return to the main menu of the Direct Console User Interface.
You can use the VMware Host Client, the vSphere Client and vCenter Server to manage your ESXi hosts.
For instructions about downloading and installing vCenter Server and the vCenter Server components, see
vCenter Server Installation and Setup. For information about installing the VMware Host Client, see vSphere
Single Host Management.
You can use the direct console to set the password for the administrator account (root).
The administrative user name for the ESXi host is root. By default, the administrative password is not set.
Procedure
2 (Optional) If a password is already set up, type the password in the Old Password line and press Enter.
3 In the New Password line, type a new password and press Enter.
ESXi requires one IP address for the management network. To configure basic network settings, use the vSphere
Client or the direct console.
Use the vSphere Client if you are satisfied with the IP address assigned by the DHCP server. Use the direct
You are not satisfied with the IP address assigned by the DHCP server.
You are not allowed to use the IP address assigned by the DHCP server.
ESXi does not have an IP address. This situation might occur if the autoconfiguration phase did not succeed
in configuring DHCP.
The wrong network adapter was selected during the autoconfiguration phase.
You want to accept the DHCP-configured IP settings. | In the ESXi direct console, you can find the IP address assigned through DHCP to the ESXi management interface. You can use that IP address to connect to the host from the vSphere Client and customize settings, including changing the management IP address.
One of the following is true: You do not have a DHCP server. The ESXi host is not connected to a DHCP server. Your connected DHCP server is not functioning. | During the autoconfiguration phase, the software assigns the link local IP address, which is in the subnet 169.254.x.x/16. The assigned IP address appears on the direct console. You can override the link local IP address by configuring a static IP address.
The ESXi host is connected to a functioning DHCP server, but you do not want to use the DHCP-configured IP address. | During the autoconfiguration phase, the software assigns a DHCP-configured IP address. You can make the initial connection by using the DHCP-configured IP address. Then you can configure a static IP address. If you have physical access to the ESXi host, you can override the DHCP-configured IP address by configuring a static IP address using the direct console.
Your security deployment policies do not permit unconfigured hosts to be powered on the network. | Follow the setup procedure in Configure the Network Settings on a Host That Is Not Attached to the Network.
Examples of external management software include the vCenter Server and SNMP client. Network adapters on
the host are named vmnicN, where N is a unique number identifying the network adapter, for example, vmnic0,
vmnic1, and so forth.
During the autoconfiguration phase, the ESXi host chooses vmnic0 for management traffic. You can override the
default choice by manually choosing the network adapter that carries management traffic for the host. In some
cases, you might want to use a Gigabit Ethernet network adapter for your management traffic. Another way to help
ensure availability is to select multiple network adapters. Using multiple network adapters enables load balancing
and failover capabilities.
Procedure
1 From the direct console, select Configure Management Network and press Enter.
Results
After the network is functional, you can use the vSphere Client to connect to the ESXi host through vCenter
Server.
Set the VLAN ID
You can set the virtual LAN (VLAN) ID number of the ESXi host.
Procedure
1 From the direct console, select Configure Management Network and press Enter.
For DHCP to work, your network environment must have a DHCP server. If DHCP is not available, the host
assigns the link local IP address, which is in the subnet 169.254.x.x/16. The assigned IP address appears on the
direct console. If you do not have physical monitor access to the host, you can access the direct console using a
remote management application. See Using Remote Management Applications.
When you have access to the direct console, you can optionally configure a static network address. The
default subnet mask is 255.255.0.0.
Configure IP Settings from the Direct Console
If you have physical access to the host or remote access to the direct console, you can use the direct console to
configure the IP address, subnet mask, and default gateway.
Procedure
4 Enter the IP address, subnet mask, and default gateway and press Enter.
The default is automatic. For automatic DNS to work, your network environment must have a DHCP server
and a DNS server.
In network environments where automatic DNS is not available or not desirable, you can configure static DNS
information, including a host name, a primary name server, a secondary name server, and DNS suffixes.
Configure DNS Settings from the Direct Console
If you have physical access to the host or remote access to the direct console, you can use the direct console to
configure DNS information.
Procedure
4 Enter the primary server, an alternative server (optional), and the host name.
Procedure
Procedure
1 From the direct console, select Test Management Network and press Enter.
For more information, refer to the product documentation available on the VMware vSphere 7.0 Update 1
Documentation Center Web site (https://docs.vmware.com/en/VMware-vSphere/index.html).
Installing a vCenter Server system creates the central point for configuring, provisioning, and managing
virtualized IT environments. You must install the vCenter Server system software before you can add the hosts
and data centers to be managed and monitored.
With vSphere 7.0 a single architecture exists, simplifying the required design for the environment. This design
deploys vCenter Server appliance in an embedded configuration.
With vSphere 7.0, the vCenter Server Appliance is the only platform for running vCenter Server. vCenter Server
for Windows is not available.
This document describes installation and deployment of vCenter that will be standalone as shown in the below
figure:
Or that will be linked together using Enhanced Linked Mode with other vCenter servers as shown in the below
figure:
Note Although vCenter Server 7.0 supports connections between vCenter Server and vCenter Server components
using IPv4 IP addresses, VMware recommends that you use a FQDN to configure the services. In the case of an
IPv6 environment, you must use the FQDN or host name of the vCenter Server system.
Prerequisites
With stage 1 of the deployment process, you deploy the OVA file, which is included in the vCenter Server
installer, as a vCenter Server appliance.
Procedure
For Windows OS, go to the win32 subdirectory, and run the installer.exe file.
For Linux OS, go to the lin64 subdirectory, and run the installer file.
For Mac OS, go to the mac subdirectory, and run the Installer.app file.
3 Review the Introduction page to understand the deployment process and click Next.
5 Connect to the target server on which you want to deploy the vCenter Server appliance.
Option: You can connect to an ESXi host on which to deploy the appliance.
Steps:
1 Enter the FQDN or IP address of the ESXi host.
2 Enter the HTTPS port of the ESXi host.
3 Enter the user name and password of a user with administrative privileges on the ESXi host, for
example, the root user.
4 Click Next.
5 Verify that the certificate warning displays the SHA1 thumbprint of the SSL certificate that is
installed on the target ESXi host, and click Yes to accept the certificate thumbprint.
Option: You can connect to a vCenter Server instance and browse the inventory to select an ESXi host or
DRS cluster on which to deploy the appliance.
Steps:
1 Enter the FQDN or IP address of the vCenter Server instance.
2 Enter the HTTPS port of the vCenter Server instance.
3 Enter the user name and password of a user with vCenter Single Sign-On administrative privileges on
the vCenter Server instance, for example, the administrator@your_domain_name user.
4 Click Next.
5 Verify that the certificate warning displays the SHA1 thumbprint of the SSL certificate that is
installed on the target vCenter Server instance, and click Yes to accept the certificate thumbprint.
6 Select the data center or data center folder that contains the ESXi host or DRS cluster on which you
want to deploy the appliance, and click Next.
Note You must select a data center or data center folder that contains at least one ESXi host that is not
in lockdown or maintenance mode.
7 Select the ESXi host or DRS cluster on which you want to deploy the appliance, and click Next.
6 On the Set up appliance VM page, enter a name for the vCenter Server appliance, set the password for the
root user, and click Next.
The appliance name must not contain a percent sign (%), backslash (\), or forward slash (/) and must be no
more than 80 characters in length.
The password must contain only lower ASCII characters without spaces, at least eight characters, a number,
uppercase and lowercase letters, and a special character, for example, an exclamation mark (!), hash key (#), at
sign (@), or brackets (()).
7 Select the deployment size for the vCenter Server appliance for your vSphere inventory.
8 Select the storage size for the vCenter Server appliance, and click Next.
Storage Size Option | Description for Tiny Deployment Size | Description for Small Deployment Size | Description for Medium Deployment Size | Description for Large Deployment Size | Description for X-Large Deployment Size
9 From the list of available datastores, select the location where all the virtual machine configuration files and
virtual disks will be stored and, optionally, enable thin provisioning by selecting Enable Thin Disk Mode.
NFS datastores are thin provisioned by default.
The IP address or the FQDN of the appliance is used as a system name. It is recommended to use an FQDN.
However, if you want to use an IP address, use static IP address allocation for the appliance, because IP
addresses allocated by DHCP might change.
Option Action
IP version Select the version for the appliance IP address. You can
select either IPv4 or IPv6.
The wizard prompts you to enter the IP address and network settings.
DHCP
A DHCP server is used to allocate the IP address. Select this option only if a DHCP
server is available in your environment.
11 On the Ready to complete stage 1 page, review the deployment settings for the vCenter Server appliance
and click Finish to start the OVA deployment process.
12 Wait for the OVA deployment to finish, and click Continue to proceed with stage 2 of the deployment
process to set up and start the services of the newly deployed appliance.
Note If you exit the wizard by clicking Close, you must log in to the vCenter Server Management
Interface to set up and start the services.
Results
The newly deployed vCenter Server appliance is running on the target server but the services are not started.
When the OVA deployment finishes, you are redirected to stage 2 of the deployment process to set up and start the
services of the newly deployed vCenter Server appliance.
Procedure
1 Review the introduction to stage 2 of the deployment process and click Next.
2 Configure the time settings in the appliance, optionally enable remote SSH access to the appliance, and
click Next.
Option Description
Synchronize time with the ESXi host Enables periodic time synchronization, and VMware Tools sets the time of the guest
operating system to be the same as the time of the ESXi host.
Synchronize time with NTP servers Uses a Network Time Protocol server for synchronizing the time. If you select this
option, you must enter the names or IP addresses of the NTP servers separated by
commas.
Option Description
Create a new Single Sign-On domain    Creates a new vCenter Single Sign-On domain.
a Enter the domain name, for example vsphere.local.
b Set the password for the vCenter Single Sign-On administrator account.
Join an existing vCenter Single Sign-On domain    Joins a new vCenter Single Sign-On server to an existing vCenter Single Sign-On domain.
You must provide the information about the vCenter Single Sign-On server to which you
join the new vCenter Single Sign-On server.
a Enter the fully qualified domain name (FQDN) or IP address of the
vCenter Single Sign-On server to join.
b Enter the HTTPS port to use for communication with the vCenter Single Sign-On
server.
c Enter the domain name for the vCenter Single Sign-On you are joining, for example
vsphere.local.
d Enter the password of the vCenter Single Sign-On administrator account.
e Click Next.
When you select to join an existing vCenter Single Sign-On domain, you enable the Enhanced Linked Mode
feature. The infrastructure data is replicated with the joined vCenter Single Sign-On server.
4 Review the VMware Customer Experience Improvement Program (CEIP) page and choose if you want to
join the program.
For information about the CEIP, see the Configuring Customer Experience Improvement Program
section in vCenter Server and Host Management.
5 On the Ready to complete page, review the configuration settings for the vCenter Server appliance, click
Finish, and click OK to complete stage 2 of the deployment process and set up the appliance.
6 (Optional) After the initial setup finishes, enter the URL https://vcenter_server_appliance_fqdn/ui
in the browser to go to the vSphere Client and log in to the vCenter Server instance in
the vCenter Server appliance, or click https://vcenter_server_appliance_fqdn:443 to go to the vCenter
Server appliance Getting Started page.
You are redirected to the vCenter Server appliance Getting Started page.
What to do next
You can configure high availability for the vCenter Server appliance. For information about providing
vCenter Server appliance high availability, see vSphere Availability.
With vSphere 7.0, all of the configuration is done from the vSphere HTML5 Web Client. The Flex-based Web
Client is no longer available.
Managing Licenses
To license an asset in vSphere, you must assign it a license that holds an appropriate product license key. You
can use the license management functionality in the vSphere Client to license multiple assets at a time from a
central place. Assets are vCenter Server systems, hosts, vSAN clusters, Supervisor Clusters, and solutions.
In vSphere, you can assign one license to multiple assets of the same type if the license has enough capacity. You
can assign a suite license to all components that belong to the suite product edition. For example, you can assign
one vSphere license to multiple ESXi hosts, but you cannot assign two licenses to one host. If you have a vCloud
Suite license, you can assign the license to ESXi hosts, vCloud Networking and Security, vCenter Site Recovery
Manager, and so on.
Prerequisites
To view and manage licenses in the vSphere environment, you must have the
Global.Licenses privilege on the vCenter Server system, where the vSphere Client runs.
Procedure
4 On the Enter licenses keys page, enter one license key per line, and click Next.
The license key is a 25-symbol string of letters and digits in the format
XXXXX-XXXXX-XXXXX-XXXXX-XXXXX. You can enter a list of keys in one operation. A new license will be
created for every license key that you enter.
5 On the Edit license names page, rename the new licenses as appropriate and click Next.
6 On the Ready to complete page, review the new licenses and click Finish.
Results
A new license is created for every license key that you entered.
What to do next
Assign the new licenses to hosts, vCenter Server systems, or other products that you use with vSphere. You must
not keep unassigned licenses in the inventory.
Prerequisites
To view and manage licenses in the vSphere environment, you must have the
Global.Licenses privilege on the vCenter Server system, where the vSphere Client runs.
Procedure
4 On the Assets tab, click the vCenter Server systems, Hosts, vSAN Clusters, Supervisor Clusters, or
Solutions tab.
7 In the Assign License dialog box, select the task that you want to perform.
In the vSphere Client, select an existing license or select a newly created license.
Task Steps
Select an existing license Select an existing license from the list and click OK.
Details about the product, product features, capacity, and expiration period appear
on the page.
d Click OK.
e In the Assign License dialog box, select the newly created license, and click OK.
Results
The license is assigned to the assets. Capacity from the license is allocated according to the license use of the
assets. For example, if you assign the license to 3 hosts with 4 CPUs each, the consumed license capacity is 12
CPUs.
Configure License Settings for an ESXi Host
You must assign a license to an ESXi host before its evaluation period expires or its currently assigned license
expires. If you upgrade, combine, or divide vSphere licenses in My VMware, you must assign the new licenses to
ESXi hosts and remove the old licenses.
Prerequisites
To view and manage licenses in the vSphere environment, you must have the
Global.Licenses privilege on the vCenter Server system, where the vSphere Client runs.
Procedure
5 In the Assign License dialog box, select the task that you want to perform.
In the vSphere Client, select an existing license or select a newly created license.
Task Steps
Select an existing license Select an existing license from the list and click OK.
Details about the product, product features, capacity, and expiration period appear
on the page.
d Click OK.
e In the Assign License dialog box, select the newly created license, and click OK.
Results
The license is assigned to the host. Capacity from the license is allocated according to the license use of the host.
Configure License Settings for vCenter Server
You must assign a license to a vCenter Server system before its evaluation period expires or its currently assigned
license expires. If you upgrade, combine, or divide vCenter Server licenses in My VMware, you must assign the
new licenses to vCenter Server systems and remove the old licenses.
Prerequisites
To view and manage licenses in the vSphere environment, you must have the
Global.Licenses privilege on the vCenter Server system, where the vSphere Client runs.
Procedure
5 In the Assign License dialog box, select the task that you want to perform.
In the vSphere Client, select an existing license or select a newly created license.
Task Steps
Select an existing license Select an existing license from the list and click OK.
Details about the product, product features, capacity, and expiration period appear
on the page.
d Click OK.
e In the Assign License dialog box, select the newly created license, and click OK.
Results
The license is assigned to the vCenter Server system, and one instance from the license capacity is allocated for the
vCenter Server system.
Configure License Settings for a vSAN Cluster
You must assign a license to a vSAN cluster before its evaluation period expires or its currently assigned license
expires.
If you upgrade, combine, or divide vSAN licenses, you must assign the new licenses to vSAN clusters. When you
assign a vSAN license to a cluster, the amount of license capacity used equals the total number of CPUs in the
hosts participating in the cluster. The license use of the vSAN cluster is recalculated and updated every time you
add or remove a host from the cluster. For information about managing licenses and licensing terminology and
definitions, see the vCenter Server and Host Management documentation.
When you enable vSAN on a cluster, you can use vSAN in evaluation mode to explore its features. The
evaluation period starts when vSAN is enabled, and expires after 60 days. To use vSAN, you must license the
cluster before the evaluation period expires. Just like vSphere licenses, vSAN licenses have per CPU capacity.
Some advanced features, such as all-flash configuration and stretched clusters, require a license that supports the
feature.
Prerequisites
To view and manage vSAN licenses, you must have the Global.Licenses privilege on the vCenter Server
systems.
Procedure
3 Right-click your vSAN cluster, and choose menu Assign License.
A virtual data center is a container for all the inventory objects required to complete a fully functional
environment for operating virtual machines. You can create multiple data centers to organize groups of
environments to meet different user needs. For example, you can create a data center for each organizational unit
in your enterprise or create some data centers for high-performance environments and other data centers for less
demanding environments.
Prerequisites
Required privileges:
Datacenter.Create datacenter
Procedure
1 In the vSphere Client home page, navigate to Home > Hosts and Clusters.
3 (Optional) Enter a name for the data center and click OK.
What to do next
Add hosts, clusters, resource pools, vApps, networking, datastores, and virtual machines to the data center.
A cluster is a group of hosts. When a host is added to a cluster, the resources of the host become part of the
resources of the cluster. The cluster manages the resources of all hosts that it contains.
Starting with vSphere 6.7, you can create and configure a cluster that is hyper-converged. The hyper-converged
infrastructure collapses compute, storage, and networking on a single software layer that runs on industry standard
x86 servers.
You can create and configure a cluster by using the simplified Quickstart workflow in the vSphere Client. On the
Cluster quickstart page, there are three cards for configuring your new cluster.
Table 2-13. The cards initiating wizards for renaming and configuring a new cluster
Cluster Quickstart Workflow    Description
1. Cluster basics You can edit the cluster name and enable or disable cluster services. The card lists the services you enabled.
2. Add hosts You can add new ESXi hosts. After the hosts are added, the card shows the total number of the hosts present in the
cluster and health check validation for those hosts.
3. Configure cluster You can configure network settings for vMotion traffic, review and customize cluster services. After the cluster is
configured, the card provides details on configuration mismatch and reports cluster health results through the
vSAN Health service.
The Skip Quickstart button prompts you to continue configuring the cluster and its hosts manually. To
confirm exiting the simplified configuration workflow, click Continue. After you dismiss the Cluster
quickstart workflow, you cannot restore it for the current cluster.
You must create clusters if you plan to enable vSphere High Availability (HA), vSphere Distributed Resource
Scheduler (DRS), and the VMware vSAN features.
Starting with vSphere 7.0, you can create a cluster that you manage with a single image. By using vSphere
Lifecycle Manager images, you can easily update and upgrade the software and firmware on the hosts in the
cluster. For more information about using images to manage ESXi hosts and clusters, see the Managing Host and
Cluster Lifecycle documentation.
Starting with vSphere 7.0 Update 1, vSphere Cluster Services (vCLS) is enabled by default and runs in all vSphere
clusters. vCLS ensures that if vCenter Server becomes unavailable, cluster services remain available to maintain
the resources and health of the workloads that run in the clusters. For more information about vCLS, see vSphere
Cluster Services (vCLS).
Create a Cluster
You create a new and empty cluster object by using the Quickstart workflow in the vSphere Client.
Starting with vSphere 7.0, the clusters that you create can use vSphere Lifecycle Manager images for host
updates and upgrades.
A vSphere Lifecycle Manager image is a combination of vSphere software, driver software, and desired firmware
with regard to the underlying host hardware. The image that a cluster uses defines the full software set that you
want to run on the ESXi hosts in the cluster: the ESXi version, additional VMware-provided software, and vendor
software, such as firmware and drivers.
The image that you define during cluster creation is not immediately applied to the hosts. If you do not set up an
image for the cluster, the cluster uses baselines and baseline groups. For more information about using images and
baselines to manage hosts in clusters, see the Managing Host and Cluster Lifecycle documentation.
Prerequisites
Verify that a data center, or a folder within a data center, exists in the inventory.
Verify that hosts have the same ESXi version and patch level.
Obtain the user name and password of the root user account for the host.
Verify that hosts do not have a manual vSAN configuration or a manual networking configuration.
To create a cluster that you manage with a single image, review the requirements and limitations information
in the Managing Host and Cluster Lifecycle documentation and verify that you have an ESXi image available
in the vSphere Lifecycle Manager depot.
Required privileges:
Host.Inventory.Create cluster
Procedure
1 In the vSphere Client home page, navigate to Home > Hosts and Clusters.
Option Description
To use DRS with this cluster a Slide the switch to the right to enable the DRS service.
b (Optional) Click the info icon on the left to see the Default Settings for the DRS
service. The default values are:
Automation Level: Fully Automated
Migration Threshold: 3
To use vSphere HA with this cluster a Slide the switch to the right to enable the vSphere HA service.
b (Optional) Click the info icon on the left to see the Default Settings for the vSphere
HA service. You are presented with the following default values:
VM Monitoring: Disabled
To use vSAN with this cluster Slide the switch to the right to enable the vSAN service.
For more information on vSAN, see Creating a vSAN Cluster in the vSAN Planning
and Deployment documentation.
6 (Optional) To create a cluster that you manage by a single image, select the Manage all hosts in the cluster
with a single image check box.
Verify you have an ESXi Version 7.0 or later in the vSphere Lifecycle Manager repository.
a Select
b (Optional) Select a Vendor Addon and a Vendor Addon version from the drop-down menu.
You can edit the image specification later from the Updates tab.
If you do not set up an image for the cluster, you must manage the cluster by using baselines and baseline
groups. You can switch from using baselines to using images at a later time.
7 Click OK.
The cluster appears in the vCenter Server inventory. The Quickstart service appears under the Configure
tab.
8 (Optional) To rename your cluster and to enable or disable cluster services, click Edit in the
Cluster basics card.
Results
What to do next
You can also add hosts to a DRS cluster. For more information, see vSphere Resource Management.
When you add the first three hosts to the cluster, vSphere Cluster Services (vCLS) agent virtual machines are
added by default to the cluster. A quorum of up to three vCLS agent virtual machines is required to run in a
cluster, one agent virtual machine per host. For more information about vCLS, see vSphere Cluster Services
(vCLS).
Prerequisites
Verify that hosts have the same ESXi version and patch level.
Obtain the user name and password of the root user account for the host.
Verify that hosts do not have a manual vSAN configuration or a manual networking configuration.
Verify that you have the proper privileges. Different sets of privileges apply when you add multiple hosts to
a cluster and a single host to a cluster or a data center. For more information, see Required Privileges for
Common Tasks in the vSphere Security documentation.
To add a host to a cluster that you manage with a single image, review the requirements and limitations
information in the Managing Host and Cluster Lifecycle documentation.
Procedure
4 On the Add hosts page, under the New hosts tab, add hosts that are not part of the vCenter Server inventory
by populating the IP Address and credentials text boxes for those hosts.
5 (Optional) Select the Use the same credentials for all hosts option to reuse the
credentials for all added hosts.
6 On the Add hosts page, click the Existing hosts tab, and add hosts that are managed by the vCenter Server
and are in the same data center as your cluster.
7 Click Next.
The Host summary page lists all hosts that will be added to the cluster and related warnings.
Note If a host cannot be validated automatically by the system, you are prompted to manually validate
its certificate and accept its thumbprint in the Security Alert pop-up.
8 On the Host summary page, review the details of the added hosts and click Next.
9 On the Ready to complete page, review the IP addresses or FQDN of the added hosts and click Finish.
Review the number of added hosts and the health check validation, performed by the vSAN Health service, in
the Add hosts card.
Results
All hosts are placed in maintenance mode and added to your cluster. You can manually exit the maintenance
mode.
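The thumbprint checks in this guide (step 5 of the deployment wizard, and the Security Alert pop-up when a host cannot be validated automatically) only help if the displayed value is compared against a reference. The following is an added example, not part of the VMware guide: it assumes you hold a PEM copy of the certificate obtained through a channel you already trust, and the function names and sample PEM are constructed for illustration.

```python
import hashlib
import hmac
import re
import ssl

# Constructed stand-in for a PEM file: the body decodes to the bytes b"abc",
# not a real certificate. A thumbprint is a hash over the DER bytes, so the
# comparison logic can be exercised without a real host certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)
# Hex length of the pasted value decides which digest the dialog used.
DIGEST_BY_HEX_LENGTH = {40: "sha1", 64: "sha256"}


def leaf_der_from_pem(pem_text):
    """Return the DER bytes of the first certificate in a PEM file or bundle."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return ssl.PEM_cert_to_DER_cert(match.group(0))


def thumbprint(der, algorithm="sha1"):
    """Format the digest the way certificate dialogs show it: AA:BB:CC..."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(displayed):
    """Drop separators, whitespace and case from a value copied from a dialog."""
    hex_only = re.sub(r"[\s:\-]", "", displayed).lower()
    if not re.fullmatch(r"[0-9a-f]+", hex_only):
        raise ValueError("thumbprint contains non-hex characters")
    return hex_only


def matches(displayed, der):
    """True only if the displayed thumbprint equals the digest of the DER bytes."""
    want = normalize(displayed)
    algorithm = DIGEST_BY_HEX_LENGTH.get(len(want))
    if algorithm is None:
        # A truncated paste must never be treated as a prefix match.
        raise ValueError(
            "expected 40 (SHA-1) or 64 (SHA-256) hex digits, got %d" % len(want)
        )
    have = hashlib.new(algorithm, der).hexdigest()
    return hmac.compare_digest(want, have)


if __name__ == "__main__":
    der = leaf_der_from_pem(SAMPLE_PEM)
    print("SHA-1  :", thumbprint(der, "sha1"))
    print("SHA-256:", thumbprint(der, "sha256"))
    shown_in_dialog = "a9 99 3e 36 47 06 81 6a ba 3e 25 71 78 50 c2 6c 9c d0 d8 9d"
    print("dialog value matches:", matches(shown_in_dialog, der))
```

Accept the thumbprint in the wizard or pop-up only when `matches` returns True for the value shown there.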
What to do next
You can view and manage certificates by using the vSphere Client. You also can perform many certificate
management tasks with the vSphere Certificate Manager utility.
Generate a custom Certificate Signing Request (CSR) for a machine SSL certificate and replace the
certificate when the Certificate Authority returns it.
Most parts of the certificate replacement workflows are supported fully from the vSphere Client. For generating
CSRs for machine SSL certificates, you can use either the vSphere Client or the Certificate Manager utility.
Supported Workflows
After you install a vCenter Server, the VMware Certificate Authority on that node provisions all other nodes in the
environment with certificates by default. See vSphere Security Certificates for the current recommendations for
managing certificates.
You can use one of the following workflows to renew or replace certificates.
Renew Certificates
You can have VMCA renew SSL certificates and solution user certificates in your environment from the
vSphere Client.
You can generate a CSR using the vSphere Certificate Manager utility. You can then edit the certificate you
receive from the CSR to add VMCA to the chain, and then add the certificate chain and private key to your
environment. When you then renew all certificates, VMCA provisions all machines and solution users with
certificates that the full chain has signed.
If you do not want to use VMCA, you can generate CSRs for the certificates that you want to replace. The CA
returns a root certificate and a signed certificate for each CSR. You can upload the root certificate and the
custom certificates from the vCenter Server.
Note If you use VMCA as an intermediate CA, or use custom certificates, you might encounter significant
complexity and the potential for a negative impact to your security, and an unnecessary increase in your
operational risk. For more information about managing certificates within a vSphere environment, see the blog
post titled New Product Walkthrough - Hybrid vSphere SSL Certificate Replacement at
http://vmware.com/go/hybridvmca.
Procedure
5 Change the setting of vpxd.cert.threshold to the desired value and click Save.
Renew VMCA Certificates with New VMCA-Signed Certificates from the vSphere Client
You can replace all VMCA-signed certificates with new VMCA-signed certificates. This process is called
renewing certificates. You can renew selected certificates or all certificates in your environment from the vSphere
Client.
Prerequisites
For certificate management, you have to supply the password of the administrator of the local domain
(administrator@vsphere.local by default). If you are renewing certificates for a vCenter Server system, you also
have to supply the vCenter Single Sign-On credentials for a user with administrator privileges on the vCenter
Server system.
Procedure
2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter
Single Sign-On Administrators group.
4 If the system prompts you, enter the credentials of your vCenter Server.
5 Renew the VMCA-signed machine SSL certificate for the local system.
a Click Renew.
vCenter Server services restart automatically. You must log back in because restarting the services ends the
UI session.
You can generate Certificate Signing Requests (CSRs) for each machine and for each solution user using the
Certificate Manager utility. You can also generate CSRs for each machine, and replace certificates when you
receive them from the third-party CA, using the vSphere Client. When you submit the CSRs to your internal or
third-party CA, the CA returns signed certificates and the root certificate. You can upload both the root certificate
and the signed certificates from the vCenter Server UI.
Generate Certificate Signing Request for Machine SSL Certificate Using the vSphere Client (Custom
Certificates)
The machine SSL certificate is used by the reverse proxy service on every vCenter Server node. Each machine must
have a machine SSL certificate for secure communication with other services. You can use the vSphere Client to
generate a Certificate Signing Request (CSR) for the machine SSL certificate and to replace the certificate once it is
ready.
Prerequisites
Key size: 2048 bits (minimum) to 16384 bits (maximum) (PEM encoded)
CRT format
x509 version 3
Contains the following Key Usages: Digital Signature, Non-Repudiation, Key Encipherment
Note Do not use CRL Distribution Points, Authority Information Access, or Certificate Template Information in any
custom certificates.
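One way to check a certificate returned by the CA against the requirements listed above before importing it, as an added example that is not part of the VMware guide. It assumes the text layout printed by `openssl x509 -noout -text`; the two sample dumps, the host name and the function name are constructed for illustration.

```python
import re

MIN_BITS, MAX_BITS = 2048, 16384
# OpenSSL prints "Non Repudiation" for the usage the guide calls Non-Repudiation.
REQUIRED_KEY_USAGES = {"Digital Signature", "Non Repudiation", "Key Encipherment"}
# Extensions the guide says must not appear, keyed by the guide's name, with
# the marker searched for in the dump. Certificate Template Information is
# matched by its OID; an OpenSSL build that prints a name for that OID would
# need the name added here.
FORBIDDEN_EXTENSIONS = {
    "CRL Distribution Points": ("X509v3 CRL Distribution Points",),
    "Authority Information Access": ("Authority Information Access",),
    "Certificate Template Information": ("1.3.6.1.4.1.311.21.7",),
}

# Constructed, abbreviated dumps (not output captured from a real system).
GOOD_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN = vcenter01.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:vcenter01.example.test
"""

BAD_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN = vcenter01.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://ca.example.test/ca.crl
            Authority Information Access:
                CA Issuers - URI:http://ca.example.test/ca.crt
            1.3.6.1.4.1.311.21.7:
                0..&+.....7.....
"""


def check_certificate_text(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    version = re.search(r"^\s*Version:\s*(\d+)", text, re.MULTILINE)
    if version is None or int(version.group(1)) != 3:
        findings.append("version: expected x509 version 3")

    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    if bits is None:
        findings.append("key size: not found")
    elif not MIN_BITS <= int(bits.group(1)) <= MAX_BITS:
        findings.append(
            "key size: %s bits is outside %d-%d" % (bits.group(1), MIN_BITS, MAX_BITS)
        )

    # The usages are on the line after the "X509v3 Key Usage:" header.
    usage = re.search(r"X509v3 Key Usage:[^\n]*\n\s*([^\n]+)", text)
    present = {u.strip() for u in usage.group(1).split(",")} if usage else set()
    for name in sorted(REQUIRED_KEY_USAGES - present):
        findings.append("key usage: missing %s" % name)

    for label, markers in FORBIDDEN_EXTENSIONS.items():
        if any(marker in text for marker in markers):
            findings.append("extension: %s must not be present" % label)

    return findings


if __name__ == "__main__":
    for name, dump in (("good", GOOD_TEXT), ("bad", BAD_TEXT)):
        print(name, check_certificate_text(dump) or "OK")
```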
Procedure
2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter
Single Sign-On Administrators group.
a Under Machine SSL Certificate, for the certificate you want to replace, click Actions > Generate
Certificate Signing Request (CSR).
Note When you use vCenter Server to generate a CSR with a key size of 16384 bits, the generation takes a
few minutes to complete because of the CPU-intensive nature of the operation.
Click Finish.
What to do next
When the Certificate Authority returns the certificate, replace the existing certificate in the certificate store.
See Add Custom Certificates.
Generate Certificate Signing Requests with vSphere Certificate Manager (Custom Certificates)
You can use vSphere Certificate Manager to generate Certificate Signing Requests (CSRs) that you can then use
with your enterprise CA or send to an external certificate authority. You can use the certificates with the
different supported certificate replacement processes.
You can run the Certificate Manager tool from the command line as follows:
/usr/lib/vmware-vmca/bin/certificate-manager
Prerequisites
vSphere Certificate Manager prompts you for information. The prompts depend on your environment and
on the type of certificate you want to replace.
For any CSR generation, you are prompted for the password of the administrator@vsphere.local user, or
for the administrator of the vCenter Single Sign-On domain that you are connecting to.
You are prompted for the host name or IP address of the vCenter Server.
To generate a CSR for a machine SSL certificate, you are prompted for certificate properties, which are stored
in the certool.cfg file. For most fields, you can accept the default or provide site-specific values. The
FQDN of the machine is required.
Procedure
1 On each machine in your environment, start vSphere Certificate Manager and select option 1.
2 Supply the password and the vCenter Server IP address or host name if prompted.
3 Select option 1 to generate the CSR, answer the prompts and exit Certificate Manager.
As part of the process, you have to provide a directory. Certificate Manager places the certificate and
key files in the directory.
4 If you also want to replace all solution user certificates, restart Certificate Manager.
5 Select option 5.
6 Supply the password and the vCenter Server IP address or host name if prompted.
7 Select option 1 to generate the CSRs, answer the prompts and exit Certificate Manager.
As part of the process, you have to provide a directory. Certificate Manager places the certificate and
key files in the directory.
What to do next
Prerequisites
Obtain the custom root certificate from your third-party or in-house CA.
Procedure
2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter
Single Sign-On Administrators group.
4 If the system prompts you, enter the credentials of your vCenter Server.
7 Click Add.
Usually, replacing the machine SSL certificate for each component is sufficient.
Prerequisites
Generate certificate signing requests (CSRs) for each certificate that you want to replace. You can generate the
CSRs with the Certificate Manager utility. You can also generate a CSR for a machine SSL certificate using the
vSphere Client. Place the certificate and private key in a location that the vCenter Server can access.
Procedure
2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter
Single Sign-On Administrators group.
4 If the system prompts you, enter the credentials of your vCenter Server.
5 Under Machine SSL Certificate, for the certificate that you want to replace, click Actions > Import and
Replace Certificate.
Option Description
Replace with VMCA    Creates a VMCA-generated CSR to replace the current certificate.
Replace with certificate generated from vCenter Server    Use a certificate signed using a vCenter Server generated CSR to replace the current certificate.
Replace with external CA certificate (requires private key)    Use a certificate signed by an external CA to replace the current certificate.
8 Click Replace.
When a user logs in with just a user name, vCenter Single Sign-On checks in the default identity source whether
that user can authenticate. When a user logs in and includes the domain name in the login screen, vCenter Single
Sign-On checks the specified domain if that domain has been added as an identity source. You can add identity
sources, remove identity sources, and change the default.
You configure vCenter Single Sign-On from the vSphere Client. To configure vCenter Single Sign-On, you must
have vCenter Single Sign-On administrator privileges. Having vCenter Single Sign-On administrator privileges is
different from having the Administrator role on vCenter Server or ESXi. In a new installation, only the vCenter
Single Sign-On administrator (administrator@vsphere.local by default) can authenticate to vCenter Single Sign-On.
Identity Sources for vCenter Server with vCenter Single Sign-On
You can use identity sources to attach one or more domains to vCenter Single Sign-On. A domain is a repository for
users and groups that the vCenter Single Sign-On server can use for user authentication.
Starting in vSphere 7.0, vCenter Server supports federated authentication to sign in to vCenter Server. VMware
encourages you to use federated authentication as vSphere moves towards token-based authentication. See
Understanding vCenter Server Identity Provider Federation.
An administrator can add identity sources, set the default identity source, and create users and groups in the
vsphere.local identity source.
The user and group data is stored in Active Directory, OpenLDAP, or locally to the operating system of the machine
where vCenter Single Sign-On is installed. After installation, every instance of vCenter Single Sign-On has the
identity source your_domain_name, for example vsphere.local. This identity source is internal to vCenter Single
Sign-On.
Note At any time, only one default domain exists. If a user from a non-default domain logs in, that user must
add the domain name (DOMAIN\user) to authenticate successfully.
Active Directory over LDAP. vCenter Single Sign-On supports multiple Active Directory over LDAP identity
sources.
Active Directory (Integrated Windows Authentication) versions 2003 and later. vCenter Single Sign-On
allows you to specify a single Active Directory domain as an identity source. The domain can have child
domains or be a forest root domain. VMware KB article 2064250 discusses Microsoft Active Directory Trusts
supported with vCenter Single Sign-On.
OpenLDAP versions 2.4 and later. vCenter Single Sign-On supports multiple OpenLDAP identity
sources.
Note A future update to Microsoft Windows will change the default behavior of Active Directory to require strong
authentication and encryption. This change will impact how vCenter Server authenticates to Active Directory. If
you use Active Directory as your identity source for vCenter Server, you must plan to enable LDAPS. For more
information about this Microsoft security update, see
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023 and
https://blogs.vmware.com/vsphere/2020/01/microsoft-ldap-vsphere-channel-binding-signing-adv190023.html.
For more information about vCenter Single Sign-On, see vSphere Authentication.
Set the Default Domain for vCenter Single Sign-On
Each vCenter Single Sign-On identity source is associated with a domain. vCenter Single Sign-On uses the default
domain to authenticate a user who logs in without a domain name. Users who belong to a domain that is not the
default domain must include the domain name when they log in.
When a user logs in to a vCenter Server system from the vSphere Client, the login behavior depends on
whether the user is in the domain that is set as the default identity source.
Users who are in the default domain can log in with their user name and password.
Users who are in a domain that has been added to vCenter Single Sign-On as an identity source but is not the
default domain can log in to vCenter Server but must specify the domain in one of the following ways.
Users who are in a domain that is not a vCenter Single Sign-On identity source cannot log in to vCenter
Server. If the domain that you add to vCenter Single Sign-On is part of a domain hierarchy, Active Directory
determines whether users of other domains in the hierarchy are authenticated or not.
Procedure
2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter
Single Sign-On Administrators group.
4 Under the Identity Provider tab, click Identity Sources, select an identity source, and click
Set as Default.
5 Click OK.
In the domain display, the default domain shows (default) in the Type column.
An identity source can be an Active Directory over LDAP, a native Active Directory (Integrated Windows
Authentication) domain, or an OpenLDAP directory service. See Identity Sources for vCenter Server with
vCenter Single Sign-On.
Immediately after installation, the vsphere.local domain (or the domain you specified during installation)
with the vCenter Single Sign-On internal users is available.
Prerequisites
If you are adding an Active Directory (Integrated Windows Authentication) identity source, the vCenter Server
must be in the Active Directory domain. See Add Platform Services Controller to an Active Directory Domain.
Procedure
2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter
Single Sign-On Administrators group.
4 Under the Identity Provider tab, click Identity Sources, and click Add.
5 Select the identity source and enter the identity source settings.
Option | Description
Active Directory (Integrated Windows Authentication) | Use this option for native Active Directory implementations. The machine on which the vCenter Single Sign-On service is running must be in an Active Directory domain if you want to use this option. See Active Directory Identity Source Settings.
Active Directory over LDAP | This option requires that you specify the domain controller and other information. See Active Directory over LDAP and OpenLDAP Server Identity Source Settings.
OpenLDAP | Use this option for an OpenLDAP identity source. See Active Directory over LDAP and OpenLDAP Server Identity Source Settings.
Note If the user account is locked or disabled, authentications and group and user searches in the Active
Directory domain fail. The user account must have read-only access over the User and Group OU, and must
be able to read user and group attributes. Active Directory provides this access by default. Use a special
service user for improved security.
6 Click Add.
What to do next
Initially, each user is assigned the No Access role. A vCenter Server administrator must assign the user at least to the
Read Only role before the user can log in. See the vSphere Security documentation.
Prerequisites for Using an Active Directory (Integrated Windows Authentication) Identity Source
You can set up vCenter Single Sign-On to use an Active Directory (Integrated Windows Authentication) identity
source only if that identity source is available. Follow the instructions in the vCenter Server Configuration
documentation.
Note Active Directory (Integrated Windows Authentication) always uses the root of the Active Directory domain
forest. To configure your Integrated Windows Authentication identity source with a child domain within your
Active Directory forest, see the VMware knowledge base article at http://kb.vmware.com/kb/2070433.
Select Use machine account to speed up configuration. If you expect to rename the local machine on
which vCenter Single Sign-On runs, specifying an SPN explicitly is preferable.
If you have enabled diagnostic event logging in your Active Directory to identify where hardening might be
needed, you might see a log event with Event ID 2889 on that directory server. Event ID 2889 is generated as an
anomaly rather than a security risk when using Integrated Windows Authentication. For more information about
Event ID 2889, see the VMware knowledge base article at https://kb.vmware.com/s/article/78644.
Domain name | FQDN of the domain name, for example, mydomain.com. Do not provide an IP address. This domain name must be DNS-resolvable by the vCenter Server system.
Use machine account | Select this option to use the local machine account as the SPN. When you select this option, you specify only the domain name. Do not select this option if you expect to rename this machine.
Use Service Principal Name (SPN) | Select this option if you expect to rename the local machine. You must specify an SPN, a user who can authenticate with the identity source, and a password for the user.
Service Principal Name (SPN) | SPN that helps Kerberos to identify the Active Directory service. Include the domain in the name, for example, STS/example.com. The SPN must be unique across the domain. Running the setspn -S command checks that no duplicate is created. See the Microsoft documentation for information on setspn.
User Principal Name (UPN) | Name and password of a user who can authenticate with this identity
Active Directory over LDAP and OpenLDAP Server Identity Source Settings
The Active Directory over LDAP identity source is preferred over the Active Directory (Integrated Windows
Authentication) option. The OpenLDAP Server identity source is available for environments that use OpenLDAP.
If you are configuring an OpenLDAP identity source, see the VMware knowledge base article at
http://kb.vmware.com/kb/2064977 for additional requirements.
Note A future update to Microsoft Windows will change the default behavior of Active Directory to require strong
authentication and encryption. This change will impact how vCenter Server authenticates to Active Directory. If
you use Active Directory as your identity source for vCenter Server, you must plan to enable LDAPS. For more
information about this Microsoft security update, see
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023 and
https://blogs.vmware.com/vsphere/2020/01/microsoft-ldap-vsphere-channel-binding-signing-adv190023.html.
Table 2-15. Active Directory over LDAP and OpenLDAP Server Settings
Option | Description
Base DN for users | Base Distinguished Name for users. Enter the DN from which to start user searches. For example, cn=Users,dc=myCorp,dc=com.
Base DN for groups | The Base Distinguished Name for groups. Enter the DN from which to start group searches. For example, cn=Groups,dc=myCorp,dc=com.
Domain alias | For Active Directory identity sources, the domain's NetBIOS name. Add the NetBIOS name of the Active Directory domain as an alias of the identity source if you are using SSPI authentications. For OpenLDAP identity sources, the domain name in capital letters is added if you do not specify an alias.
User name | ID of a user in the domain who has a minimum of read-only access to Base DN for users and groups.
Primary Server URL | Primary domain controller LDAP server for the domain. Use the format ldap://hostname:port or ldaps://hostname:port. The port is typically 389 for LDAP connections and 636 for LDAPS connections. For Active Directory multi-domain controller deployments, the port is typically 3268 for LDAP and 3269 for LDAPS. A certificate that establishes trust for the LDAPS endpoint of the Active Directory server is required when you use ldaps:// in the primary or secondary LDAP URL.
Secondary server URL | Address of a secondary domain controller LDAP server that is used for failover.
SSL certificates | If you want to use LDAPS with your Active Directory LDAP Server or OpenLDAP Server identity source, click Browse to select a certificate. To export the root CA certificate from Active Directory, consult the Microsoft documentation.
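The settings in Table 2-15 can be checked before they are entered in the vSphere Client. The following Python sketch is an added example, not VMware code: the IdentitySource class, the function names and the dc01/dc02.mycorp.example hosts are assumptions made for illustration, and the DN check is deliberately simplified.

```python
"""Pre-flight check for an LDAP identity source definition (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Typical ports from Table 2-15; 3268/3269 apply to multi-domain controller deployments.
TYPICAL_PORTS = {"ldap": {389, 3268}, "ldaps": {636, 3269}}
# One RDN such as cn=Users. Simplified: escaped commas and multi-valued RDNs are not handled.
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=+]+$")


@dataclass
class IdentitySource:  # hypothetical container; fields mirror the table rows
    base_dn_users: str
    base_dn_groups: str
    primary_url: str
    secondary_url: str = ""
    has_certificate: bool = False  # True when a CA certificate was selected with Browse


def check_dn(label, dn):
    """Return a finding unless every comma-separated component looks like attr=value."""
    parts = [p.strip() for p in dn.split(",")]
    if dn.strip() and all(RDN.match(p) for p in parts):
        return []
    return [f"{label}: {dn!r} is not a DN such as cn=Users,dc=myCorp,dc=com"]


def check_url(label, url):
    """Check the ldap://hostname:port or ldaps://hostname:port format and the port."""
    try:
        parts = urlsplit(url)
        scheme, host, port = parts.scheme, parts.hostname, parts.port
    except ValueError:
        return [f"{label}: {url!r} cannot be parsed"]
    if scheme not in TYPICAL_PORTS or not host:
        return [f"{label}: use ldap://hostname:port or ldaps://hostname:port"]
    findings = []
    if port is None:
        findings.append(f"{label}: no port given")
    elif port not in TYPICAL_PORTS[scheme]:
        findings.append(f"{label}: port {port} is unusual for {scheme}://")
    if scheme == "ldap":
        findings.append(f"{label}: ldap:// is unencrypted; plan the move to ldaps://")
    return findings


def uses_ldaps(url):
    return url.strip().lower().startswith("ldaps://")


def validate(src):
    """Return a list of findings; an empty list means the definition passes."""
    findings = check_dn("Base DN for users", src.base_dn_users)
    findings += check_dn("Base DN for groups", src.base_dn_groups)
    findings += check_url("Primary server URL", src.primary_url)
    if src.secondary_url:
        findings += check_url("Secondary server URL", src.secondary_url)
    if (uses_ldaps(src.primary_url) or uses_ldaps(src.secondary_url)) and not src.has_certificate:
        findings.append("SSL certificates: ldaps:// is in use but no certificate was supplied")
    return findings


# Constructed sample definitions: a cleartext source and its LDAPS counterpart.
WEAK = IdentitySource(
    "cn=Users,dc=myCorp,dc=com", "cn=Groups,dc=myCorp,dc=com",
    "ldap://dc01.mycorp.example:389",
)
HARDENED = IdentitySource(
    "cn=Users,dc=myCorp,dc=com", "cn=Groups,dc=myCorp,dc=com",
    "ldaps://dc01.mycorp.example:636", "ldaps://dc02.mycorp.example:636",
    has_certificate=True,
)

if __name__ == "__main__":
    for name, src in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, validate(src) or "no findings")
```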
A permission is set on an object in the vCenter object hierarchy. Each permission associates the object with a group
or user and the group's or user's access roles. For example, you can select a virtual machine object, add one
permission that gives the ReadOnly role to Group 1, and add a second permission that gives the Administrator role
to User 2.
By assigning a different role to a group of users on different objects, you control the tasks that those users can
perform in your vSphere environment. For example, to allow a group to configure memory for the host, select
that host and add a permission that grants a role to that group that includes the Host.Configuration.Memory
Configuration privilege.
To manage permissions from the vSphere Client, you need to understand the following concepts:
Permissions
Each object in the vCenter Server object hierarchy has associated permissions. Each permission specifies
for one group or user which privileges that group or user has on the object.
On vCenter Server systems, you can assign privileges only to authenticated users or groups of authenticated
users. Users are authenticated through vCenter Single Sign-On. Users and groups must be defined in the
identity source that vCenter Single Sign-On uses to authenticate. Define users and groups using the tools in
your identity source, for example, Active Directory.
Privileges
Privileges are fine-grained access controls. You can group those privileges into roles, which you can then
map to users or groups.
Roles
Roles are sets of privileges. Roles allow you to assign permissions on an object based on a typical set of tasks
that users perform. Default roles, such as Administrator, are predefined on vCenter Server and cannot be
changed. Other roles, such as Resource Pool Administrator, are predefined sample roles. You can create custom
roles either from scratch or by cloning and modifying sample roles. See Create a Custom Role.
You can assign permissions to objects at different levels of the hierarchy. For example, you can assign permissions
to a host object or to a folder object that includes all host objects. See Hierarchical Inheritance of Permissions. You
can also assign permissions to a global root object to apply the permissions to all objects in all solutions. See Global
Permissions.
Add a Permission to an Inventory Object
After you create users and groups and define roles, you must assign the users and groups and their roles to the
relevant inventory objects. You can assign the same permissions to multiple objects simultaneously by moving
the objects into a folder and setting the permissions on the folder.
When you assign permissions, user and group names must match Active Directory precisely, including case. If you
upgraded from earlier versions of vSphere, check for case inconsistencies if you experience problems with groups.
Prerequisites
On the object whose permissions you want to modify, you must have a role that includes the
Permissions.Modify permission privilege.
Procedure
1 Browse to the object for which you want to assign permissions in the vSphere Client object navigator.
4 Select the user or group that will have the privileges defined by the selected role.
a From the User drop-down menu, select the domain for the user or group.
6 (Optional) To propagate the permissions, select the Propagate to children check box.
The role is applied to the selected object and propagates to the child objects.
Verify that all components on the vSphere network have their clocks synchronized. If the clocks on the physical
machines in your vSphere network are not synchronized, SSL certificates and SAML Tokens, which are time-
sensitive, might not be recognized as valid in communications between network machines.
Unsynchronized clocks can result in authentication problems, which can cause the installation to fail or prevent the
vCenter Server vmware-vpxd service from starting.
Time inconsistencies in vSphere can cause firstboot to fail at different services depending on where in the
environment time is not accurate and when the time is synchronized. Problems most commonly occur when the
target ESXi host for the destination vCenter Server is not synchronized with NTP or PTP. Similarly, issues can arise
if the destination vCenter Server migrates to an ESXi host set to a different time due to fully automated DRS.
To avoid time synchronization issues, ensure that the following is correct before installing, migrating, or
upgrading a vCenter Server.
The target ESXi host where the destination vCenter Server is to be deployed is synchronized to NTP or PTP.
The ESXi host running the source vCenter Server is synchronized to NTP or PTP.
When upgrading or migrating from vSphere 6.5 or 6.7 to vSphere 7.0, if the vCenter Server appliance is
connected to an external Platform Services Controller, ensure the ESXi host running the external Platform
Services Controller is synchronized to NTP or PTP.
If you are upgrading or migrating from vSphere 6.5 or 6.7 to vSphere 7.0, verify that the source vCenter
Server or vCenter Server appliance and external Platform Services Controller have the correct time.
When you upgrade a vCenter Server 6.5 or 6.7 instance with an external Platform Services Controller to
vSphere 7.0, the upgrade process converts to a vCenter Server instance with an embedded Platform Services
Controller.
Verify that any Windows host machine on which vCenter Server runs is synchronized with the Network Time
Protocol (NTP) server. See the VMware knowledge base article at https://kb.vmware.com/s/article/1318.
To synchronize ESXi clocks with an NTP server or a PTP server, you can use the VMware Host Client. For
information about editing the time configuration of an ESXi host, see vSphere Single Host Management -
VMware Host Client.
To learn how to change time synchronization settings for vCenter Server, see "Configure the System Time
Zone and Time Synchronization Settings" in vCenter Server Configuration.
To learn how to edit time configuration for a host by using the vSphere Client, see "Editing Time Configuration
for a Host" in vCenter Server and Host Management.
Synchronize ESXi Clocks with a Network Time Server
Before you install vCenter Server, make sure all machines on your vSphere network have their clocks
synchronized.
This task explains how to set up NTP from the VMware Host Client.
Procedure
1 Start the VMware Host Client, and connect to the ESXi host.
2 Click Manage.
3 Under System, click Time & date, and click Edit settings.
5 In the NTP servers text box, enter the IP address or fully qualified domain name of one or more NTP
servers to synchronize with.
6 From the NTP Service Start-up Policy drop-down menu, select Start and stop with host.
7 Click Save.
When you deploy vCenter Server, you can choose the time synchronization method to be either by using an NTP
server or by using VMware Tools. In case the time settings in your vSphere network change, you can edit the
vCenter Server and configure the time synchronization settings by using the commands in the appliance shell.
When you enable periodic time synchronization, VMware Tools sets the time of the guest operating
system to be the same as the time of the host.
After time synchronization occurs, VMware Tools checks once every minute to determine whether the clocks on the
guest operating system and the host still match. If not, the clock on the guest operating system is synchronized to
match the clock on the host.
Native time synchronization software, such as Network Time Protocol (NTP), is typically more accurate than
VMware Tools periodic time synchronization and is therefore preferred. You can use only one form of periodic
time synchronization in vCenter Server. If you decide to use native time synchronization software, vCenter Server
VMware Tools periodic time synchronization is disabled, and the reverse.
Add or Replace NTP Servers in the vCenter Server Configuration
To set up the vCenter Server to use NTP-based time synchronization, you must add the NTP servers to the
vCenter Server configuration.
Procedure
1 Access the appliance shell and log in as a user who has the administrator or super administrator
role.
2 Add NTP servers to the vCenter Server configuration by running the ntp.server.add command.
ntp.server.add --servers IP-addresses-or-host-names
Here IP-addresses-or-host-names is a comma-separated list of IP addresses or host names of the NTP servers.
This command adds NTP servers to the configuration. If the time synchronization is based on an NTP server,
then the NTP daemon is restarted to reload the new NTP servers. Otherwise, this command adds the new NTP
servers to the existing NTP configuration.
3 (Optional) To delete old NTP servers and add new ones to the vCenter Server configuration, run the
ntp.server.set command.
ntp.server.set --servers IP-addresses-or-host-names
Here IP-addresses-or-host-names is a comma-separated list of IP addresses or host names of the NTP servers.
This command deletes old NTP servers from the configuration and sets the input NTP servers in the
configuration. If the time synchronization is based on an NTP server, the NTP daemon is restarted to reload the
new NTP configuration. Otherwise, this command replaces the servers in NTP configuration with the servers
that you provide as input.
4 (Optional) Run the following command to verify that you successfully applied the new NTP configuration
settings.
ntp.get
The command returns a space-separated list of the servers configured for NTP synchronization. If the NTP
synchronization is enabled, the command returns that the NTP configuration is in Up status. If the NTP
synchronization is disabled, the command returns that the NTP configuration is in Down status.
What to do next
If the NTP synchronization is disabled, you can configure the time synchronization settings in the vCenter Server to
be based on an NTP server. See Synchronize the Time in vCenter Server with an NTP Server.
Prerequisites
Set up one or more Network Time Protocol (NTP) servers in the vCenter Server configuration. See Add or
Replace NTP Servers in the vCenter Server Configuration.
Procedure
1 Access the appliance shell and log in as a user who has the administrator or super administrator
role.
These steps, together with any additional service steps (for example, when VMware NSX is used), are required for
this design.
Procedure
1 In the vSphere Client, right-click a data center from the inventory tree.
3 On the Name and location page, enter a name for the new distributed switch, or accept the generated name,
and click Next.
4 On the Select version page, select a distributed switch version and click Next.
Option | Description
Distributed Switch: 6.6.0 | Compatible with ESXi 6.7 and later. Features released with later vSphere distributed switch versions are not supported.
Distributed Switch: 6.5.0 | Compatible with ESXi 6.5 and later. Features released with later vSphere distributed switch versions are not supported.
5 On the Configure settings page, configure the distributed switch settings. a Use
Uplink ports connect the distributed switch to physical NICs on associated hosts. The number of uplink
ports is the maximum number of allowed physical connections to the distributed switch per host.
By using Network I/O Control you can prioritize the access to network resources for certain types of
infrastructure and workload traffic according to the requirements of your deployment. Network I/O
Control continuously monitors the I/O load over the network and dynamically allocates available
resources.
c (Optional) Select the Create a default port group check box to create a new distributed port group with
default settings for this switch. Enter a Port group name, or accept the generated name.
If your system has custom port group requirements, create distributed port groups that meet those
requirements after you add the distributed switch.
d Click Next.
6 On the Ready to complete page, review the settings you selected and click Finish.
Use the Back button to edit any settings.
Results
A distributed switch is created in the data center. You can view the features supported on the distributed switch as
well as other details by navigating to the new distributed switch and clicking the Summary tab.
What to do next
Add hosts to the distributed switch and configure their network adapters on the switch.
Related to adding a port group is applying VLAN tagging globally on all distributed ports. Using the VLAN
options, you can select VLAN tags. To learn more, see Configure VLAN Tagging on a Distributed Port Group or Port
Procedure
1 On the vSphere Client Home page, click Networking and navigate to the distributed switch.
2 Right-click the distributed switch and select Distributed port group > New distributed port group.
3 On the Name and location page, enter the name of the new distributed port group, or accept the generated
name, and click Next.
4 On the Configure settings page, set the general properties for the new distributed port group and click Next.
Setting | Description
Port binding | Select when ports are assigned to virtual machines connected to this distributed port group. Static binding: Assign a port to a virtual machine when the virtual machine connects to the distributed port group. Ephemeral - no binding: No port binding. You can assign a virtual machine to a distributed port group with ephemeral port binding also when connected to the host.
Port allocation | Elastic: The default number of ports is eight. When all ports are assigned, a new set of eight ports is created. Fixed: The default number of ports is set to eight. No additional ports are created when all ports are assigned.
Number of ports | Enter the number of ports on the distributed port group.
Network resource pool | Use the drop-down menu to assign the new distributed port group to a user-defined network resource pool. If you have not created a network resource pool, this menu is empty.
VLAN | Use the VLAN type drop-down menu to specify the type of VLAN traffic filtering and marking. None: Do not use VLAN. Select this if you are using External Switch Tagging. VLAN: In the VLAN ID text box, enter a number between 1 and 4094 for Virtual Switch Tagging. VLAN trunking: Enter a VLAN trunk range. Pass VLAN traffic with an ID to the guest OS. You can set multiple ranges and individual VLANs by using a comma-separated list. For example: 1702-1705, 1848-1849
Advanced | To customize the policy configurations for the new distributed port group, select this check box.
5 (Optional) On the Security page, edit the security exceptions and click Next.
Setting | Description
Promiscuous mode | Reject. Placing an adapter in promiscuous mode from the guest operating system does not result in receiving frames for other virtual machines. Accept. If an adapter is placed in promiscuous mode from the guest operating system, the switch allows the guest adapter to receive all frames passed on the switch in compliance with the active VLAN policy for the port where the adapter is connected. Firewalls, port scanners, intrusion detection systems, and so on, must run in promiscuous mode.
MAC address changes | Reject. If you set this option to Reject and the guest OS changes the MAC address of the adapter to a value different from the address in the .vmx configuration file, the switch drops all inbound frames to the virtual machine adapter. If the guest OS changes the MAC address back, the virtual machine receives frames again. Accept. If the guest OS changes the MAC address of a network adapter, the adapter receives frames to its new address.
Forged transmits | Reject. The switch drops any outbound frame with a source MAC address that is different from the one in the .vmx configuration file. Accept. The switch does not perform filtering and permits all outbound frames.
6 (Optional) On the Traffic shaping page, enable or disable Ingress or Egress traffic shaping and click Next.
Setting | Description
Status | If you enable either Ingress traffic shaping or Egress traffic shaping, you are setting limits on the amount of networking bandwidth allocated for each virtual adapter associated with this particular port group. If you disable the policy, services have a free, clear connection to the physical network by default.
Average bandwidth | Establishes the number of bits per second to allow across a port, averaged over time. This is the allowed average load.
Peak bandwidth | The maximum number of bits per second to allow across a port when it is sending and receiving a burst of traffic. This tops the bandwidth used by a port whenever it is using its burst bonus.
Burst size | The maximum number of bytes to allow in a burst. If this parameter is set, a port might gain a burst bonus when it does not use all its allocated bandwidth. Whenever the port needs more bandwidth than specified by Average bandwidth, it might temporarily transmit data at a faster speed if a burst bonus is available. This parameter tops the number of bytes that might be accumulated in the burst bonus and as a result transferred at a faster speed.
7 (Optional) On the Teaming and failover page, edit the settings and click Next.
Setting | Description
Note IP-based teaming requires that the physical switch is configured with EtherChannel. For all other options, disable EtherChannel.
Network failure detection | Specify the method to use for failover detection. Link status only. Relies solely on the link status that the network adapter provides. This option detects failures, such as cable pulls and physical switch power failures, but not configuration errors, such as a physical switch port being blocked by spanning tree or that is misconfigured to the wrong VLAN or cable pulls on the other side of a physical switch. Beacon probing. Sends out and listens for beacon probes on all NICs in the team and uses this information, in addition to link status, to determine link failure. This detects many of the failures previously mentioned that are not detected by link status alone.
Notify switches | Select Yes or No to notify switches in case of failover. If you select Yes, whenever a virtual NIC is connected to the distributed switch or whenever that virtual NIC’s traffic might be routed over a different physical NIC in the team because of a failover event, a notification is sent out over the network to update the lookup tables on physical switches. In almost all cases, this process is desirable for the lowest latency of failover occurrences and migrations with vMotion. Note Do not use this option when the virtual machines using the port group are using Microsoft Network Load Balancing in unicast mode. No such issue exists with NLB running in multicast mode.
Failover order | Specify how to distribute the workload for uplinks. To use some uplinks but reserve others for emergencies if the uplinks in use fail, set this condition by moving them into different groups. Active uplinks. Continue to use the uplink when the network adapter connectivity is up and active. Standby uplinks. Use this uplink if one of the active adapters' connectivity is down. Unused uplinks. Do not use this uplink.
8 (Optional) On the Monitoring page, enable or disable NetFlow and click Next.
Setting | Description
Enabled | NetFlow is enabled on the distributed port group. NetFlow settings can be configured at the vSphere Distributed Switch level.
Selecting Yes shuts down all ports in the port group. This action might disrupt the normal network
operations of the hosts or virtual machines using the ports.
10 On the Ready to complete page, review your settings and click Finish.
You should dedicate a single distributed port group per VMkernel adapter. For better isolation, you should
configure one VMkernel adapter with one traffic type.
Procedure
2 On the Configure tab, expand Networking and select VMkernel adapters.
4 On the Select connection type page, select VMkernel Network Adapter and click Next.
5 From the Select an existing network option, select a distributed port group and click Next.
6 On the Port properties page, configure the settings for the VMkernel adapter.
Option Description
Network label The network label is inherited from the label of the distributed port group.
Note The IPv6 option does not appear on hosts that do not have IPv6 enabled.
MTU Choose whether to get MTU for the network adapter from the switch or to set a custom
size. You cannot set the MTU size to a value greater than 9000 bytes.
TCP/IP stack Select a TCP/IP stack from the list. Once you set a TCP/IP stack for the VMkernel adapter,
you cannot change it later. If you select the vMotion or the Provisioning TCP/IP stack, you
will be able to use only these stacks to handle vMotion or Provisioning traffic on the host.
All VMkernel adapters for vMotion on the default TCP/IP stack are disabled for future
vMotion sessions. If you set the Provisioning TCP/IP stack, VMkernel adapters on the
default TCP/IP stack are disabled for operations that include Provisioning traffic, such as
virtual machine cold migration, cloning, and snapshot migration.
Available services You can enable services for the default TCP/IP stack on the host. Select from the available
services:
vMotion. Enables the VMkernel adapter to advertise itself to another host as the
network connection where vMotion traffic is sent. The migration with vMotion to the
selected host is not possible if the vMotion service is not enabled for any VMkernel
adapter on the default TCP/IP stack, or there are no adapters using the vMotion
TCP/IP stack.
Provisioning. Handles the data transferred for virtual machine cold migration,
cloning, and snapshot migration.
Fault Tolerance logging. Enables Fault Tolerance logging on the host. You can
use only one VMkernel adapter for FT traffic per host.
Management. Enables the management traffic for the host and vCenter Server.
Typically, hosts have such a VMkernel adapter created when the ESXi software is
installed. You can create another VMkernel adapter for management traffic on the
host to provide redundancy.
vSphere Replication. Handles the outgoing replication data that is sent from the
source ESXi host to the vSphere Replication server.
vSphere Replication NFC. Handles the incoming replication data on the target
replication site.
vSAN. Enables the vSAN traffic on the host. Every host that is part of a
vSAN cluster must have such a VMkernel adapter.
7 (Optional) On the IPv4 settings page, select an option for obtaining IP addresses.
Option Description
Obtain IPv4 settings automatically Use DHCP to obtain IP settings. A DHCP server must be present on the network.
Use static IPv4 settings Enter the IPv4 IP address and subnet mask for the VMkernel adapter.
The VMkernel Default Gateway and DNS server addresses for IPv4 are obtained
from the selected TCP/IP stack.
Select the Override default gateway for this adapter check box and enter a gateway
address, if you want to specify a different gateway for the
VMkernel adapter.
8 (Optional) On the IPv6 settings page, select an option for obtaining IPv6 addresses.
Option Description
Obtain IPv6 addresses automatically through DHCP. Use DHCP to obtain IPv6 addresses. A DHCPv6 server
must be present on the network.
Obtain IPv6 addresses automatically through Router Advertisement. Use router advertisement to obtain
IPv6 addresses. In ESXi 6.5 and later router advertisement is enabled by default and supports the
M and O flags in accordance with RFC 4861.
Static IPv6 addresses.
a Click Add IPv6 address to add a new IPv6 address.
b Enter the IPv6 address and subnet prefix length, and click OK.
c To change the VMkernel default gateway, click Override default gateway for this adapter.
The VMkernel Default Gateway address for IPv6 is obtained from the selected TCP/IP stack.
9 Review your settings selections on the Ready to complete page and click Finish.
Prerequisites
Verify that enough uplinks are available on the distributed switch to assign to the physical NICs that you
want to connect to the switch.
Verify that there is at least one distributed port group on the distributed switch.
Verify that the distributed port group has active uplinks configured in its teaming and failover policy.
If you migrate or create VMkernel adapters for iSCSI, verify that the teaming and failover policy of the target
distributed port group meets the requirements for iSCSI:
Verify that only one uplink is active, the standby list is empty, and the rest of the uplinks are unused.
Verify that only one physical NIC per host is assigned to the active uplink.
Procedure
1 On the vSphere Client Home page, click Networking and navigate to the distributed switch.
3 On the Select task page, select Add hosts, and click Next.
4 On the Select hosts page, click New hosts, select from the hosts in your data center, click OK, and then click
Next.
5 On the Select network adapter tasks page, select the tasks for configuring network adapters to the distributed
switch and click Next.
6 On the Manage physical network adapters page, configure physical NICs on the distributed switch.
If you select physical NICs that are already connected to other switches, they are migrated to the
current distributed switch.
For example, if you are adding two hosts, connect vmnic1 on each host to Uplink1 on the distributed
switch.
7 Click Next.
9 Click Next.
10 (Optional) On the Migrate VM networking page, select the check box Migrate virtual machine networking to
configure virtual machine networking.
a To connect all network adapters of a virtual machine to a distributed port group, select the virtual
machine, or select an individual network adapter to connect only that adapter.
c Select a distributed port group from the list and click OK, and click Next.
11 Click Finish.
What to do next
Having hosts associated with the distributed switch, you can manage physical NICs, VMkernel adapters, and
virtual machine network adapters.
vSphere Network I/O Control version 3 introduces a mechanism to reserve bandwidth for system traffic based on
the capacity of the physical adapters on a host. It enables fine-grained resource control at the VM network adapter
level similar to the model that you use for allocating CPU and memory resources.
Version 3 of the Network I/O Control feature offers improved network resource reservation and allocation across
the entire switch.
Network I/O Control version 3 supports separate models for resource management of system traffic related to
infrastructure services, such as vSphere Fault Tolerance, and of virtual machines.
The two traffic categories differ in nature. System traffic is strictly associated with an ESXi host. The network
traffic routes change when you migrate a virtual machine across the environment. To provide network resources to
a virtual machine regardless of its host, in Network I/O Control you can configure resource allocation for virtual
machines that is valid in the scope of the entire distributed switch.
Network I/O Control version 3 provisions bandwidth to the network adapters of virtual machines by using
constructs of shares, reservation and limit. Based on these constructs, to receive sufficient bandwidth, virtualized
workloads can rely on admission control in vSphere Distributed Switch, vSphere DRS and vSphere HA. See
Admission Control on Virtual Machine Traffic.
Availability of Features
SR-IOV is not available for virtual machines configured to use Network I/O Control version 3.
Enable network resource management on a vSphere Distributed Switch to guarantee minimum bandwidth to
system traffic for vSphere features and to virtual machine traffic.
Procedure
1 On the vSphere Client Home page, click Networking and navigate to the distributed switch.
3 From the Network I/O Control drop-down menu, select Enable.
4 Click OK.
Results
When enabled, the model that Network I/O Control uses to handle bandwidth allocation for system traffic
and virtual machine traffic is based on the Network I/O Control version that is active on the distributed
switch. See About vSphere Network I/O Control Version 3.
<Consultant Note>: Remove all Sections which do not apply to the engagement. Storage is dependent on
the customer in most cases. More details can be found here:
https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.storage.doc/GUID-8AE88758-20C1-4873-99C7-181EF9ACFA70.html
With the software-based iSCSI implementation, you can use standard NICs to connect your host to a remote iSCSI
target on the IP network. The software iSCSI adapter that is built into ESXi facilitates this connection by
communicating with the physical NICs through the network stack.
When you use the software iSCSI adapters, consider the following:
Designate a separate network adapter for iSCSI. Do not use iSCSI on 100 Mbps or slower adapters.
Avoid hard coding the name of the software adapter, vmhbaXX, in the scripts. It is possible for the name to
change from one ESXi release to another. The change might cause failures of your existing scripts if they use
the hardcoded old name. The name change does not affect the behavior of the iSCSI software adapter.
The process of configuring the software iSCSI adapter involves several steps.
Step Description
Activate or Disable the Software iSCSI Adapter. Activate your software iSCSI adapter so that your host
can use it to access iSCSI storage.
Modify General Properties for iSCSI or iSER Adapters. If needed, change the default iSCSI name and alias
assigned to your adapter.
Configure Port Binding for iSCSI or iSER. Configure connections for the traffic between the iSCSI
component and the physical network adapters. The process of configuring these connections is called
port binding.
Configure Dynamic or Static Discovery for iSCSI and iSER on ESXi Host. Set up dynamic discovery. With
dynamic discovery, each time the initiator contacts a specified iSCSI storage system, it sends the
SendTargets request to the system. The iSCSI system responds by supplying a list of available targets
to the initiator. In addition to the dynamic discovery method, you can use static discovery and
manually enter information for the targets.
Set Up CHAP for iSCSI or iSER Storage Adapter. If your iSCSI environment uses the Challenge Handshake
Authentication Protocol (CHAP), configure it for your adapter.
Set Up CHAP for iSCSI Target. You can also configure different CHAP credentials for each discovery
address or static target.
Enable Jumbo Frames for iSCSI. If your iSCSI environment supports Jumbo Frames, enable them for the
adapter.
Activate or Disable the Software iSCSI Adapter
You must activate your software iSCSI adapter so that your ESXi host can use it to access iSCSI storage. If you
do not need the software iSCSI adapter after activation, you can disable it.
Prerequisites
Note If you boot from iSCSI using the software iSCSI adapter, the adapter is enabled and the network
configuration is created at the first boot. If you disable the adapter, it is reenabled each time you boot the host.
Procedure
Option Description
Enable the software iSCSI adapter a Under Storage, click Storage Adapters, and click the Add icon.
b Select Software iSCSI Adapter and confirm that you want to add the adapter.
The software iSCSI adapter (vmhba#) is enabled and appears on the list of storage
adapters. After enabling the adapter, the host assigns the default iSCSI name to it.
You can now complete the adapter configuration.
Disable the software iSCSI adapter a Under Storage, click Storage Adapters, and select the adapter (vmhba#)
to disable.
b Click the Properties tab.
c Click Disable and confirm that you want to disable the adapter.
the host.
After the reboot, the adapter no longer appears on the list of storage adapters. The
storage devices associated with the adapter become inaccessible. You can later
activate the adapter.
Important When you modify any default properties for your adapters, make sure to use correct formats for their
names and IP addresses.
Prerequisites
Procedure
3 Under Storage, click Storage Adapters, and select the adapter (vmhba#) to configure.
4 Click the Properties tab, and click Edit in the General panel.
Option Description
iSCSI Name Unique name formed according to iSCSI standards that identifies the iSCSI adapter. If
you change the name, make sure that the name you enter is worldwide unique and
properly formatted. Otherwise, certain storage devices might not recognize the iSCSI
adapter.
iSCSI Alias A friendly name you use instead of the iSCSI name.
Results
If you change the iSCSI name, it is used for new iSCSI sessions. For existing sessions, the new settings are not
used until you log out and log in again.
What to do next
For other configuration steps you can perform for the iSCSI or iSER storage adapters, see the following topics:
adapter. If your environment includes any of these adapters, you must configure connections for the traffic between
the iSCSI or iSER component and the physical network adapters.
Configuring the network connection involves creating a virtual VMkernel adapter for each physical network
adapter. You use 1:1 mapping between each virtual and physical network adapter. You then associate the
VMkernel adapter with an appropriate iSCSI or iSER adapter. This process is called port binding.
You can connect the software iSCSI adapter with any physical NICs available on your host.
The dependent iSCSI adapters must be connected only to their own physical NICs.
You must connect the iSER adapter only to the RDMA-capable network adapter.
For specific considerations on when and how to use network connections with software iSCSI, see the VMware
knowledge base article at http://kb.vmware.com/kb/2038869.
Multiple Network Adapters in iSCSI or iSER Configuration
If your host has more than one physical network adapter for iSCSI or iSER, you can use the adapters for
multipathing.
You can use multiple physical adapters in a single or multiple switch configurations.
In the multiple switch configuration, you designate a separate vSphere switch for each virtual-to-physical adapter
pair.
An alternative is to add all NICs and VMkernel adapters to the single vSphere switch. The number of VMkernel
adapters must correspond to the number of physical adapters on the vSphere Standard switch. The single switch
configuration is not appropriate for iSER because iSER does not support NIC teaming.
For that type of configuration, you must override the default network setup and make sure that each VMkernel
adapter maps to only one corresponding active physical adapter, as the table indicates.
You can also use distributed switches. For more information about vSphere distributed switches and how to
change the default network policy, see the vSphere Networking documentation.
The following considerations apply when you use multiple physical adapters:
Physical network adapters must be on the same subnet as the storage system they connect to.
(Applies only to iSCSI and not to iSER) If you use separate vSphere switches, you must connect them
to different IP subnets. Otherwise, VMkernel adapters might experience connectivity problems and the
host fails to discover the LUNs.
The single switch configuration is not appropriate for iSER because iSER does not support NIC teaming.
Do not use port binding when any of the following conditions exist:
Array target iSCSI ports are in a different broadcast domain and IP subnet.
VMkernel adapters used for iSCSI connectivity exist in different broadcast domains, IP subnets, or use
different virtual switches.
Note In iSER configurations, the VMkernel adapters used for iSER connectivity cannot be used for
converged traffic. The VMkernel adapters that you created to enable connectivity between the ESXi host
with iSER and the iSER target must be used only for iSER traffic.
The following tasks discuss the network configuration with a vSphere Standard switch and a single physical
network adapter. If you have multiple network adapters, see Multiple Network Adapters in iSCSI or iSER
Configuration.
Note iSER does not support NIC teaming. When configuring port binding for iSER, use only one RDMA-enabled
physical adapter (vmnic#) and one VMkernel adapter (vmk#) per vSwitch.
You can also use the VMware vSphere® Distributed Switch™ and VMware NSX® Virtual Switch™ in the port binding
configuration. For information about NSX virtual switches, see the VMware NSX Data Center for vSphere
documentation.
If you use a vSphere distributed switch with multiple uplink ports, for port binding, create a separate distributed
port group per each physical NIC. Then set the team policy so that each distributed port group has only one
active uplink port. For detailed information on distributed switches, see the vSphere Networking
documentation.
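The teaming requirements for port binding stated in the prerequisites and in the paragraph above (exactly one active uplink, an empty standby list, one physical NIC per active uplink, 1:1 mapping, one IP subnet) can be checked mechanically. The following Python audit is an added example, not VMware code; the data model (Teaming, BoundVmk, audit_port_binding) and the sample inventory are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Teaming:
    """Failover order of one distributed port group (hypothetical model)."""
    active: list
    standby: list
    unused: list


@dataclass
class BoundVmk:
    """A VMkernel adapter bound to the iSCSI adapter on one host."""
    name: str       # for example vmk1
    portgroup: str  # distributed port group the adapter is connected to
    ip: str         # interface address in CIDR form


def audit_port_binding(teaming, bound_vmks, uplink_nics):
    """Return findings for one host; an empty list means the layout complies.

    teaming:     {port group name: Teaming}
    bound_vmks:  [BoundVmk, ...]
    uplink_nics: {uplink name: [vmnic, ...]} as assigned on this host
    """
    findings = []
    owner = {}       # active uplink -> first VMkernel adapter that uses it
    subnets = set()
    for vmk in bound_vmks:
        subnets.add(ipaddress.ip_interface(vmk.ip).network)
        policy = teaming.get(vmk.portgroup)
        if policy is None:
            findings.append(f"{vmk.name}: port group {vmk.portgroup} not found")
            continue
        if len(policy.active) != 1:
            findings.append(f"{vmk.name}: {vmk.portgroup} has "
                            f"{len(policy.active)} active uplinks, expected 1")
        if policy.standby:
            findings.append(f"{vmk.name}: {vmk.portgroup} standby list is not "
                            f"empty: {', '.join(policy.standby)}")
        for uplink in policy.active:
            nics = uplink_nics.get(uplink, [])
            if len(nics) != 1:
                findings.append(f"{vmk.name}: {uplink} has {len(nics)} "
                                f"physical NICs on this host, expected 1")
            first = owner.setdefault(uplink, vmk.name)
            if first != vmk.name:
                findings.append(f"{vmk.name}: shares active uplink {uplink} "
                                f"with {first}; mapping must be 1:1")
    if len(subnets) > 1:
        findings.append("bound VMkernel adapters are in different IP subnets: "
                        + ", ".join(sorted(str(s) for s in subnets)))
    return findings


# Constructed sample: two port groups, one per physical NIC.
UPLINK_NICS = {"Uplink1": ["vmnic1"], "Uplink2": ["vmnic2"]}
VMKS = [BoundVmk("vmk1", "iSCSI-A", "10.10.10.11/24"),
        BoundVmk("vmk2", "iSCSI-B", "10.10.10.12/24")]
MISCONFIGURED = {
    "iSCSI-A": Teaming(active=["Uplink1"], standby=[], unused=["Uplink2"]),
    # Uplink1 left as standby, so the port group is not pinned to one NIC.
    "iSCSI-B": Teaming(active=["Uplink2"], standby=["Uplink1"], unused=[]),
}
COMPLIANT = {**MISCONFIGURED,
             "iSCSI-B": Teaming(active=["Uplink2"], standby=[], unused=["Uplink1"])}

if __name__ == "__main__":
    for label, policy in (("misconfigured", MISCONFIGURED), ("compliant", COMPLIANT)):
        print(label, audit_port_binding(policy, VMKS, UPLINK_NICS) or "OK")
```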
What to do next
For other configuration steps you can perform for the iSCSI or iSER storage adapters, see the following topics:
Prerequisites
If you are creating a VMkernel adapter for dependent hardware iSCSI, you must use the physical network
adapter (vmnic#) that corresponds to the iSCSI component. See Determine Association Between iSCSI and
Network Adapters.
With the iSER adapter, make sure to use an appropriate RDMA-capable vmnic#. See View RDMA Capable
Network Adapter.
Procedure
5 Click the Add adapters icon, and select an appropriate network adapter (vmnic#) to use for iSCSI.
A network label is a friendly name that identifies the VMkernel adapter that you are creating, for example,
iSCSI or iSER.
You created the virtual VMkernel adapter (vmk#) for a physical network adapter (vmnic#) on your host.
a Under Networking, select VMkernel Adapters, and select the VMkernel adapter (vmk#) from the list.
b Click the Policies tab, and verify that the corresponding physical network adapter (vmnic#)
appears as an active adapter under Teaming and failover.
What to do next
If your host has one physical network adapter for iSCSI traffic, bind the VMkernel adapter that you created to
the iSCSI or iSER vmhba adapter.
If you have multiple network adapters, you can create additional VMkernel adapters and then perform iSCSI
binding. The number of virtual adapters must correspond to the number of physical adapters on the host. For
information, see Multiple Network Adapters in iSCSI or iSER Configuration.
Prerequisites
Create a virtual VMkernel adapter for each physical network adapter on your host. If you use multiple
VMkernel adapters, set up the correct network policy.
Procedure
3 Under Storage, click Storage Adapters, and select the appropriate iSCSI or iSER adapter (vmhba#)
from the list.
4 Click the Network Port Binding tab and click the Add icon.
Note Make sure that the network policy for the VMkernel adapter is compliant with the binding
requirements.
You can bind the software iSCSI adapter to one or more VMkernel adapters. For a dependent hardware iSCSI
adapter or the iSER adapter, only one VMkernel adapter associated with the correct physical NIC is available.
6 Click OK.
The network connection appears on the list of network port bindings for the iSCSI or iSER adapter.
Configure Dynamic or Static Discovery for iSCSI and iSER on ESXi Host
You need to set up target discovery addresses, so that the iSCSI or iSER storage adapter can determine which
storage resource on the network is available for access.
Dynamic Discovery
Also known as SendTargets discovery. Each time the initiator contacts a specified iSCSI server, the initiator
sends the SendTargets request to the server. The server responds by supplying a list of available targets to the
initiator. The names and IP addresses of these targets appear on the Static Discovery tab. If you remove a
static target added by dynamic discovery, the target might be returned to the list the next time a rescan
happens, the storage adapter is reset, or the host is rebooted.
Note With software and dependent hardware iSCSI, ESXi filters target addresses based on the IP family of the
iSCSI server address specified. If the address is IPv4, IPv6 addresses that might come in the SendTargets
response from the iSCSI server are filtered out. When DNS names are used to specify an iSCSI server, or when
the SendTargets response from the iSCSI server has DNS names, ESXi relies on the IP family of the first
resolved entry from DNS lookup.
Static Discovery
In addition to the dynamic discovery method, you can use static discovery and manually enter information
for the targets. The iSCSI or iSER adapter uses a list of targets that you provide to contact and
communicate with the iSCSI servers.
When you set up static or dynamic discovery, you can only add new iSCSI targets. You cannot change any
parameters of an existing target. To make changes, remove the existing target and add a new one.
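The IP-family filtering described in the note under Dynamic Discovery explains why a dual-stack array can return portals that never show up on the host. The following Python example is added for illustration and is not ESXi code: it parses a SendTargets response in the iSCSI text format (NUL-separated TargetName and TargetAddress keys, RFC 3720) and applies the filter as the note describes it. The sample response, the DNS answers and all function names are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

DEFAULT_PORT = 3260  # default iSCSI port when TargetAddress omits one


class Portal(NamedTuple):
    target: str
    host: str            # IPv4 literal, IPv6 literal (brackets removed) or DNS name
    port: int
    tpgt: Optional[int]  # target portal group tag


def parse_target_address(value):
    """Split 'host[:port][,tpgt]'; IPv6 literals are written in brackets."""
    addr, _, tpgt = value.partition(",")
    if addr.startswith("["):
        host, closed, rest = addr[1:].partition("]")
        if not closed:
            raise ValueError(f"unterminated IPv6 literal: {value!r}")
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = addr.partition(":")
    return host, int(port or DEFAULT_PORT), int(tpgt) if tpgt else None


def parse_sendtargets(payload):
    """Parse the NUL-separated key=value text of a SendTargets response."""
    portals, target = [], None
    for item in payload.split(b"\x00"):
        if not item:
            continue
        key, sep, value = item.decode("utf-8").partition("=")
        if not sep:
            raise ValueError(f"not a key=value pair: {item!r}")
        if key == "TargetName":
            target = value
        elif key == "TargetAddress":
            if target is None:
                raise ValueError("TargetAddress before any TargetName")
            portals.append(Portal(target, *parse_target_address(value)))
    return portals


def ip_family(host, resolve):
    """Return 4 or 6; for a DNS name the first resolved entry decides."""
    try:
        return ipaddress.ip_address(host).version
    except ValueError:
        answers = resolve(host)
        return ipaddress.ip_address(answers[0]).version if answers else None


def filter_by_family(portals, discovery_host, resolve):
    """Keep only portals whose IP family matches the discovery address."""
    wanted = ip_family(discovery_host, resolve)
    if wanted is None:
        raise ValueError(f"cannot resolve discovery address {discovery_host!r}")
    return [p for p in portals if ip_family(p.host, resolve) == wanted]


# Constructed sample response and constructed DNS answers (documentation ranges).
SAMPLE = (b"TargetName=iqn.2001-04.com.example:storage.disk1\x00"
          b"TargetAddress=192.0.2.10:3260,1\x00"
          b"TargetAddress=[2001:db8::10]:3260,1\x00"
          b"TargetName=iqn.2001-04.com.example:storage.disk2\x00"
          b"TargetAddress=san2.example.com,2\x00")
DNS = {"san2.example.com": ["2001:db8::20", "192.0.2.20"]}


def resolve(name):
    """Offline stand-in for a DNS lookup; returns addresses in answer order."""
    return DNS.get(name, [])


if __name__ == "__main__":
    for server in ("192.0.2.1", "2001:db8::1"):
        kept = filter_by_family(parse_sendtargets(SAMPLE), server, resolve)
        print(server, [(p.target, p.host, p.port) for p in kept])
```

With the IPv4 discovery address only one of the three portals survives; the DNS-named portal is dropped because its first resolved entry is IPv6.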
Prerequisites
Procedure
3 Under Storage, click Storage Adapters, and select the adapter (vmhba#) to configure.
After establishing the SendTargets session with the iSCSI system, your host populates the
Static Discovery list with all newly discovered targets.
Note A dynamically discovered target remains on the list even after it is removed from the
array side.
What to do next
For other configuration steps you can perform for the iSCSI or iSER storage adapters, see the following topics:
Prerequisites
If you plan to use Kerberos authentication with the NFS 4.1 datastore, make sure to configure the ESXi hosts
for Kerberos authentication.
Procedure
1 In the vSphere Client object navigator, browse to a host, a cluster, or a data center.
NFS 3
NFS 4.1
Important If multiple hosts access the same datastore, you must use the same protocol on all hosts.
Option Description
Datastore name The system enforces a 42-character limit for the datastore name.
Server The server name or IP address. You can use IPv6 or IPv4 formats.
With NFS 4.1, you can add multiple IP addresses or server names if the NFS server
supports trunking. The ESXi host uses these values to achieve multipathing to the NFS
server mount point.
5 Select Mount NFS read only if the volume is exported as read-only by the NFS server.
6 To use Kerberos security with NFS 4.1, enable Kerberos and select an appropriate Kerberos model.
Option Description
Use Kerberos for authentication only (krb5). Supports identity verification.
Use Kerberos for authentication and data integrity (krb5i). In addition to identity verification,
provides data integrity services. These services help to protect the NFS traffic from tampering by
checking data packets for any potential modifications.
If you do not enable Kerberos, the datastore uses the default AUTH_SYS security.
7 If you are creating a datastore at the data center or cluster level, select hosts that mount the datastore.
Prerequisites
2 To discover newly added storage devices, perform a rescan. See Datastore Refresh and Storage Rescan
Operations.
3 Verify that storage devices you are planning to use for your datastores are available. See
Storage Device Characteristics.
Procedure
1 In the vSphere Client object navigator, browse to a host, a cluster, or a data center.
4 Enter the datastore name and if necessary, select the placement location for the datastore.
Important The device you select must not have any values displayed in the Snapshot Volume column. If
a value is present, the device contains a copy of an existing VMFS datastore. For information on managing
datastore copies, see Managing Duplicate VMFS Datastores.
Option Description
VMFS6 Default format on all hosts that support VMFS6. The ESXi hosts of version
6.0 or earlier cannot recognize the VMFS6 datastore.
VMFS5 VMFS5 datastore supports access by the ESXi hosts of version 6.7 or earlier.
Option Description
Use all available partitions Dedicates the entire disk to a single VMFS datastore. If you select this option, all
file systems and data currently stored on this device are destroyed.
Use free space Deploys a VMFS datastore in the remaining free space of the disk.
b If the space allocated for the datastore is excessive for your purposes, adjust the capacity values in the
Datastore Size field.
c For VMFS6, specify the block size and define space reclamation parameters. See VMFS Datastore and
Space Reclamation.
8 In the Ready to Complete page, review the datastore configuration information and click
Finish.
Results
The datastore on the SCSI-based storage device is created. It is available to all hosts that have access to the
device.
What to do next
After you create the VMFS datastore, you can perform the following tasks:
Enable shared vmdk support. See Enable or Disable Support for Clustered Virtual Disks on the VMFS6
Datastore.
Procedure
6 Click OK.
Results
Under Datastore Capabilities, Storage I/O Control is enabled for the datastore.
When you create a vSphere HA cluster, you must configure a number of settings that determine how the feature
works. Before you do this, identify your cluster's nodes. These nodes are the ESXi hosts that will provide the
resources to support virtual machines and that vSphere HA will use for failover protection. You should then
determine how those nodes are to be connected to one another and to the shared storage where your virtual
machine data resides. After that networking architecture is in place, you can add the hosts to the cluster and finish
configuring vSphere HA.
You can enable and configure vSphere HA before you add host nodes to the cluster. However, until the hosts are
added, your cluster is not fully operational and some of the cluster settings are unavailable. For example, the Specify
a Failover Host admission control policy is unavailable until there is a host that can be designated as the failover
host.
Note The Virtual Machine Startup and Shutdown (automatic startup) feature is disabled for all virtual machines
residing on hosts that are in (or moved into) a vSphere HA cluster. Automatic startup is not supported when used with
vSphere HA.
To enable your cluster for vSphere HA, you must first create an empty cluster. After you plan the resources and
networking architecture of your cluster, use the vSphere Client to add hosts to the cluster and specify the cluster's
vSphere HA settings.
A vSphere HA-enabled cluster is a prerequisite for vSphere Fault Tolerance.
Prerequisites
Verify that all virtual machines and their configuration files reside on shared storage.
Verify that the hosts are configured to access the shared storage so that you can power on the virtual
machines by using different hosts in the cluster.
Verify that hosts are configured to have access to the virtual machine network.
Verify that you are using redundant management network connections for vSphere HA. For information
about setting up network redundancy, see Best Practices for Networking.
Verify that you have configured hosts with at least two datastores to provide redundancy for vSphere HA
datastore heartbeating.
Connect vSphere Client to vCenter Server by using an account with cluster administrator permissions.
Procedure
1 In the vSphere Client, browse to the data center where you want the cluster to reside and click New
Cluster.
4 Based on your plan for the resources and networking architecture of the cluster, use the vSphere Client to
add hosts to the cluster.
With Host Monitoring enabled, hosts in the cluster can exchange network heartbeats and vSphere HA can
take action when it detects failures. Host Monitoring is required for the vSphere Fault Tolerance recovery
process to work properly.
Select VM Monitoring Only to restart individual virtual machines if their heartbeats are not received
within a set time. You can also select VM and Application Monitoring to enable application monitoring.
8 Click OK.
Results
What to do next
Admission Control
Heartbeat Datastores
Advanced Options
Important The ESXi firewall in ESXi 6.5 and later does not allow per-network filtering of vMotion traffic.
Therefore, you must apply rules on your external firewall to ensure that no incoming connections can be
made to the vMotion socket on TCP port 8000.
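Because the host firewall cannot filter vMotion per network, the external rule set is the only control on TCP port 8000 and is worth auditing. The following Python check is an added example, not part of the VMware guide: it walks a first-match rule list and reports every source network outside the trusted vMotion network that would still be allowed to reach a vMotion VMkernel address. The Rule model, the addresses and the rule set are constructed assumptions, and the sample is IPv4 only.

```python
import ipaddress
from typing import NamedTuple

VMOTION_PORT = 8000  # vMotion socket named in the note above


class Rule(NamedTuple):
    action: str   # "allow" or "deny"
    src: str      # source network in CIDR form
    dst: str      # destination network in CIDR form
    ports: tuple  # inclusive (low, high) TCP destination port range


def _subtract(nets, cut):
    """Remove network `cut` from a list of non-overlapping networks."""
    out = []
    for net in nets:
        if not net.overlaps(cut):
            out.append(net)
        elif not net.subnet_of(cut):       # cut lies strictly inside net
            out.extend(net.address_exclude(cut))
        # otherwise net is fully covered by cut and disappears
    return out


def exposed_sources(rules, vmk_ip, trusted, default_action="deny"):
    """Return untrusted source networks that reach vmk_ip on TCP 8000.

    rules are evaluated first-match, top to bottom; `trusted` lists the
    networks that are allowed to talk vMotion (normally the vMotion subnet).
    """
    dst = ipaddress.ip_address(vmk_ip)
    undecided = [ipaddress.ip_network("0.0.0.0/0")]
    for net in trusted:
        undecided = _subtract(undecided, ipaddress.ip_network(net))
    exposed = []
    for rule in rules:
        low, high = rule.ports
        if dst not in ipaddress.ip_network(rule.dst):
            continue
        if not low <= VMOTION_PORT <= high:
            continue
        src = ipaddress.ip_network(rule.src)
        if rule.action == "allow":
            # Two CIDR blocks overlap only when one contains the other.
            exposed += [net if net.subnet_of(src) else src
                        for net in undecided if net.overlaps(src)]
        undecided = _subtract(undecided, src)   # first match wins
    if default_action == "allow":
        exposed += undecided
    return sorted(exposed)


# Constructed external-firewall rule set; 10.20.0.0/24 is the vMotion network.
TRUSTED = ["10.20.0.0/24"]
RULES = [
    Rule("allow", "10.20.0.0/24", "10.20.0.0/24", (8000, 8000)),
    Rule("deny", "10.0.0.0/8", "10.20.0.0/24", (8000, 8000)),
    Rule("allow", "0.0.0.0/0", "10.20.0.0/24", (1024, 65535)),  # too broad
]


def is_exposed_to(rules, src_ip, vmk_ip="10.20.0.11"):
    """True if src_ip falls in a network that can reach the vMotion socket."""
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in exposed_sources(rules, vmk_ip, TRUSTED))


if __name__ == "__main__":
    for net in exposed_sources(RULES, "10.20.0.11", TRUSTED):
        print("reachable from", net)
```

An empty result means no untrusted source is admitted; here the broad high-port rule still admits everything outside 10.0.0.0/8.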
You can perform reliable migrations between hosts and sites that are separated by high network round-trip latency
times. vMotion across long distances is enabled when the appropriate license is installed. No user configuration is
necessary.
For long-distance migration, verify the network latency between the hosts and your license.
You must place the traffic related to transfer of virtual machine files to the destination host on the provisioning
TCP/IP stack. See Place Cold Migration Traffic on the Provisioning TCP/IP Stack.
Configure hosts for vMotion with shared storage to ensure that virtual machines are accessible to both source and
target hosts.
During a migration with vMotion, the migrating virtual machine must be on storage accessible to both the source
and target hosts. Ensure that the hosts configured for vMotion use shared storage. Shared storage can be on a Fibre
Channel storage area network (SAN), or can be implemented using iSCSI and NAS.
If you use vMotion to migrate virtual machines with raw device mapping (RDM) files, make sure to maintain
consistent LUN IDs for RDMs across all participating hosts.
See the vSphere Storage documentation for information on SANs and RDMs.
Migration with vMotion requires correctly configured network interfaces on source and target hosts.
Configure each host with at least one network interface for vMotion traffic. To ensure secure data transfer, the
vMotion network must be a secure network, accessible only to trusted parties. Additional bandwidth significantly
improves vMotion performance. When you migrate a virtual machine with vMotion without using shared storage,
the contents of the virtual disk are transferred over the network as well.
vSphere 6.5 and later allow the network traffic with vMotion to be encrypted. Encrypted vMotion depends on host
configuration, or on compatibility between the source and destination hosts.
You must ensure that the vMotion network has at least 250 Mbps of dedicated bandwidth per concurrent vMotion
session. Greater bandwidth lets migrations complete more quickly. Gains in throughput resulting from WAN
optimization techniques do not count towards the 250-Mbps limit.
To determine the maximum number of concurrent vMotion operations possible, see Limits on Simultaneous
Migrations. These limits vary with a host's link speed to the vMotion network.
If you have the proper license applied to your environment, you can perform reliable migrations between hosts
that are separated by high network round-trip latency times. The maximum supported network round-trip time for
vMotion migrations is 150 milliseconds. This round-trip time lets you migrate virtual machines to another
geographical location at a longer distance.
Multiple-NIC vMotion
You can configure multiple NICs for vMotion by adding two or more NICs to the required standard or
distributed switch. For details, see Knowledge Base article KB 2007467.
Network Configuration
To have the vMotion traffic routed across IP subnets, enable the vMotion TCP/IP stack on the host. See Place
vMotion on vMotion TCP Stack.
If you are using standard switches for networking, ensure that the network labels used for the virtual machine
port groups are consistent across hosts. During a migration with vMotion, vCenter Server assigns virtual
machines to port groups based on matching network labels.
Note By default, you cannot use vMotion to migrate a virtual machine that is attached to a standard switch
with no physical uplinks configured, even if the destination host also has a no-uplink standard switch with
the same label.
For information about configuring the vMotion network resources, see Networking Best Practices for vSphere
vMotion.
For more information about vMotion networking requirements, see Knowledge Base article KB 59232.
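The requirements above (no untrusted inbound access to TCP port 8000, 250 Mbps per concurrent session, 150 ms maximum round-trip time, consistent port group labels) can be checked before a migration window. The following is an added example, not VMware code: the rule format, function names and sample data are assumptions constructed for illustration, and the bandwidth check assumes the whole link is dedicated to vMotion.

```python
import ipaddress

VMOTION_PORT = 8000          # vMotion socket named in the guide
MIN_MBPS_PER_SESSION = 250   # dedicated bandwidth per concurrent vMotion session
MAX_RTT_MS = 150             # maximum supported round-trip time

def exposing_rules(rules, vmotion_net, trusted_nets):
    """Names of allow rules that let a non-trusted source reach TCP 8000 on the vMotion network.
    Conservative: each allow rule is judged on its own, ignoring rule order."""
    vmotion = ipaddress.ip_network(vmotion_net)
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for r in rules:
        lo, hi = r["ports"]
        if r["action"] != "allow" or r["proto"] != "tcp" or not lo <= VMOTION_PORT <= hi:
            continue
        src, dst = ipaddress.ip_network(r["src"]), ipaddress.ip_network(r["dst"])
        if not dst.overlaps(vmotion):
            continue
        # Acceptable only if the rule's entire source range lies inside a trusted network
        if not any(src.subnet_of(t) for t in trusted):
            hits.append(r["name"])
    return hits

def preflight(link_mbps, concurrent, rtt_ms, host_labels):
    """Check bandwidth, latency and standard-switch label consistency; return findings."""
    findings = []
    per_session = link_mbps / concurrent
    if per_session < MIN_MBPS_PER_SESSION:
        findings.append(f"bandwidth: {per_session:.0f} Mbps per session < {MIN_MBPS_PER_SESSION}")
    if rtt_ms > MAX_RTT_MS:
        findings.append(f"latency: {rtt_ms} ms RTT > {MAX_RTT_MS} ms")
    # Labels are compared exactly, so "DMZ" and "dmz" count as different port groups
    all_labels = set().union(*host_labels.values())
    for host, labels in sorted(host_labels.items()):
        missing = all_labels - set(labels)
        if missing:
            findings.append(f"labels: {host} lacks {sorted(missing)}")
    return findings

# Constructed sample external-firewall rules (not from the guide)
RULES = [
    {"name": "mgmt-ssh", "action": "allow", "proto": "tcp",
     "src": "10.0.0.0/24", "dst": "10.20.0.0/24", "ports": (22, 22)},
    {"name": "vmotion-peers", "action": "allow", "proto": "tcp",
     "src": "10.20.0.0/24", "dst": "10.20.0.0/24", "ports": (8000, 8000)},
    {"name": "legacy-any", "action": "allow", "proto": "tcp",
     "src": "0.0.0.0/0", "dst": "10.20.0.0/16", "ports": (1024, 65535)},
]
```

With the sample rules, only the broad `legacy-any` rule is flagged, because its port range and destination cover the vMotion socket while its source is not confined to the trusted vMotion subnet.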
To customize your DRS cluster and the resources it contains, you can configure affinity rules and you can add and
remove hosts and virtual machines. When a cluster’s settings and resources have been defined, you should ensure
that it is and remains a valid cluster. You can also use a valid DRS cluster to manage power resources and
interoperate with vSphere HA.
Note In this chapter, "Memory" can refer to physical RAM or Persistent Memory.
A cluster is a collection of ESXi hosts and associated virtual machines with shared resources and a shared
management interface. Before you can obtain the benefits of cluster-level resource management you must create a
cluster and enable DRS.
Depending on whether or not Enhanced vMotion Compatibility (EVC) is enabled, DRS behaves differently when
you use vSphere Fault Tolerance (vSphere FT) virtual machines in your cluster.
Table 2-16. DRS Behavior with vSphere FT Virtual Machines and EVC
EVC | DRS (Load Balancing) | DRS (Initial Placement)
Enabled | Enabled (Primary and Secondary VMs) | Enabled (Primary and Secondary VMs)
Load Balancing
The distribution and usage of CPU and memory resources for all hosts and virtual machines in the cluster are
continuously monitored. DRS compares these metrics to an ideal resource usage given the attributes of the
cluster’s resource pools and virtual machines, the current demand, and the imbalance target. DRS then provides
recommendations or performs virtual machine migrations accordingly. See Virtual Machine Migration. When
you power on a virtual machine in the cluster, DRS attempts to maintain proper load balancing by either placing
the virtual machine on an appropriate host or making a recommendation. See Admission Control and Initial
Placement.
Power management
When the vSphere Distributed Power Management (DPM) feature is enabled, DRS compares cluster and
host-level capacity to the demands of the cluster’s virtual machines, including recent historical demand. DRS then
recommends you place hosts in standby, or places hosts in standby power mode when sufficient excess
capacity is found. DRS powers on hosts if capacity is needed. Depending on the resulting host power state
recommendations, virtual machines might need to be migrated to and from the hosts as well. See Managing
Power Resources.
Affinity Rules
You can control the placement of virtual machines on hosts within a cluster by assigning affinity rules.
See Using DRS Affinity Rules (RMG).
Prerequisites
You can create a cluster without a special license, but you must have a license to enable a cluster for vSphere DRS
or vSphere HA.
Note vSphere DRS is a critical feature of vSphere that is required to maintain the health of the workloads
running inside a vSphere cluster. Starting with vSphere 7.0 Update 1, DRS depends on the availability of vCLS
VMs. See vSphere Cluster Services (vCLS) for more information.
Procedure
6 Select the Predictive DRS check box. In addition to real-time metrics, DRS responds to forecasted
metrics provided by vRealize Operations server. You must also configure Predictive DRS in a version
of vRealize Operations that supports this feature.
7 Select the Virtual Machine Automation check box to enable individual virtual machine automation
levels.
Overrides for individual virtual machines can be set from the VM Overrides page.
8 Under Additional Options, select a check box to enforce one of the default policies.
Option | Description
VM Distribution | For availability, distribute a more even number of virtual machines across hosts. This is secondary to DRS load balancing.
Memory Metric for Load Balancing | Load balance based on consumed memory of virtual machines rather than active memory. This setting is only recommended for clusters where host memory is not over-committed. Note This setting is no longer supported and will not be displayed in vCenter 7.0.
Scalable Shares | Enable scalable shares for the resource pools on this cluster.
11 Click OK.
What to do next
Note Under the Cluster Summary page, you can see Cluster Services which displays vSphere Cluster Services
health status.
You can view memory utilization for DRS in the vSphere Client. To find out more, see: Viewing
Distributed Resource Scheduler Memory Utilization
(http://link.brightcove.com/services/player/bcpid2296383276001?bctid=ref:video_vsphere67_drs)
Any integrations applicable to these solutions will be included with the appropriate technology being deployed
and configured.
References
The following section lists the documentation resources which were used for this document. This chapter
vSphere References
See the VMware vSphere 7.0 Update 1 Documentation (https://docs.vmware.com/en/VMware-
vSphere/index.html) for product documentation on vSphere components.
vSphere Networking
vSphere Storage
vSphere Security
vSphere Availability