
vSphere Installation and Configuration

Procedures Guide

vSphere 7.0.x

You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

© Copyright 2020 VMware, Inc. All rights reserved. Copyright and trademark information.

Contents

Purpose and Assumptions
VMware Products and Versions
Architecture Models
Procedures
Preparation
ESXi Host Deploy Preparation
ESXi Hardware Requirements
Recommendations for Enhanced ESXi Performance
Incoming and Outgoing Firewall Ports for ESXi Hosts
Required Free Space for System Logging
ESXi Passwords and Account Lockout
vCenter Server Deploy Preparation
System Requirements for the vCenter Server Appliance
Preparing for Deployment of the vCenter Server Appliance
Prerequisites for Deploying the vCenter Server Appliance
vSphere Network Infrastructure Deploy Preparation
vSphere Storage Infrastructure Deploy Preparation
High Availability Deploy Preparation
Dynamic Resourcing Deploy Preparation
Virtual Machine Deploy Preparation
Deployment and Configuration
ESXi Host Deployment and Configuration
Installing ESXi Interactively
Setting Up ESXi
3 Select Set static IP address and network configuration
3 Select Use the following DNS server addresses and hostname
vCenter Server Deployment and Configuration
Deploy the vCenter Server Appliance by Using the GUI
vCenter Server Infrastructure Configuration
Datacenter.Create datacenter
Host.Inventory.Create cluster
Renew Certificates
Make VMCA an Intermediate CA
Replace Certificates with Custom Certificates
Set as Default
Permissions
Users and Groups
Privileges
Roles
4 Select Use Network Time Protocol (enable NTP client)
vSphere Network Infrastructure Deployment and Configuration
Create a vSphere Distributed Switch
2 Select Distributed Switch > New Distributed Switch
Add a Distributed Port Group
Create a VMkernel Adapter on a Host Associated with a vSphere Distributed Switch
Add Hosts to a vSphere Distributed Switch
vSphere Network I/O Control
vSphere Storage Infrastructure Deployment and Configuration
Configuring iSCSI for vSphere
Dynamic Discovery
Static Discovery
Create an NFS Datastore
Create a VMFS Datastore
Finish
Enable Storage I/O Control
High Availability Deployment and Configuration
Creating a vSphere HA Cluster
Dynamic Resource Scheduling Deployment and Configuration
Host Configuration for vMotion
Using DRS Clusters to Manage Resources
Load Balancing
Power management
Affinity Rules
Integrations Deployment and Configuration
vSphere Integrations Deployment and Configuration
References
vSphere References


Purpose and Assumptions

This document provides step-by-step instructions for installing, configuring and deploying the solution.

This document is written with the assumption that the administrator who uses these procedures is familiar with the
products being used. It is not intended for administrators without prior knowledge of the concepts and
terminology.

This chapter includes the following topics:

• VMware Products and Versions

• Architecture Models

VMware Products and Versions


The following table lists the product versions used in this service. The build numbers here refer to the downloaded
installer version of this guide.

Table 1-1. VMware Products and Versions


| VMware Product | Version Number |
|---|---|
| VMware ESXi™ | 7.0 Update 1 - build 16850804 |
| VMware vCenter® Server Appliance™ | 7.0 Update 1 - Build 16860138 |

Architecture Models
Standardization of software configuration improves predictability, supportability and speed of delivery.
Considering these benefits, VMware has developed the VMware Validated Designs (VVD).

These designs are comprehensive and cover everything from hardware configuration and specification to
detailed software configuration. They also cover the required third-party components to support day 2 operations.
The result is a highly available, scalable and robust platform that is vigorously tested.

To support the VVD, VMware Professional Services has defined several architecture models that leverage the best
practices found in the VVD. These designs have greater flexibility of hardware configuration, specification and
software components, than when utilizing the VVD as a whole.
These architecture models do not provide the guarantees of the VVD, but do introduce standardization
through the best practices to increase the speed of delivery.


Procedures

This section provides step-by-step procedures for common configuration tasks to be performed during the
deployment of the product.

This chapter includes the following topics:

• Preparation

• Deployment and Configuration

• Integrations Deployment and Configuration

Preparation
This section describes the preparation tasks which are required for the deployment of the solution. It is split
up into technology sections.

ESXi Host Deploy Preparation


This section describes the preparation steps required for the ESXi host installation.

To install or upgrade ESXi, your system must meet the specific hardware and software requirements described below.

ESXi Hardware Requirements


Make sure that the host meets the minimum hardware configurations supported by ESXi 7.0.

Hardware and System Resources

To install or upgrade ESXi, your hardware and system resources must meet the following requirements:

• Supported server platform. For a list of supported platforms, see the VMware Compatibility Guide at http://www.vmware.com/resources/compatibility.

• ESXi 7.0 requires a host with at least two CPU cores.

• ESXi 7.0 supports a broad range of multi-core 64-bit x86 processors. For a complete list of supported processors, see the VMware Compatibility Guide at http://www.vmware.com/resources/compatibility.

• ESXi 7.0 requires the NX/XD bit to be enabled for the CPU in the BIOS.

• ESXi 7.0 requires a minimum of 4 GB of physical RAM. Provide at least 8 GB of RAM to run virtual machines in typical production environments.

• To support 64-bit virtual machines, support for hardware virtualization (Intel VT-x or AMD RVI) must be enabled on x64 CPUs.

• One or more Gigabit or faster Ethernet controllers. For a list of supported network adapter models, see the VMware Compatibility Guide at http://www.vmware.com/resources/compatibility.

• ESXi 7.0 requires a boot disk of at least 8 GB for USB or SD devices, and 32 GB for other device types such as HDD, SSD, or NVMe. A boot device must not be shared between ESXi hosts.

• SCSI disk or a local, non-network, RAID LUN with unpartitioned space for the virtual machines.

• For Serial ATA (SATA), a disk connected through supported SAS controllers or supported on-board SATA controllers. SATA disks are considered remote, not local. These disks are not used as a scratch partition by default because they are seen as remote.

Note You cannot connect a SATA CD-ROM device to a virtual machine on an ESXi host. To use the SATA CD-ROM device, you must use IDE emulation mode.

Storage Systems

For a list of supported storage systems, see the VMware Compatibility Guide at http://www.vmware.com/resources/compatibility. For Software Fibre Channel over Ethernet (FCoE), see Installing and Booting ESXi with Software FCoE.

ESXi Booting Requirements

vSphere 7.0 supports booting ESXi hosts from the Unified Extensible Firmware Interface (UEFI). With UEFI,
you can boot systems from hard drives, CD-ROM drives, or USB media.

VMware Auto Deploy supports network booting and provisioning of ESXi hosts with UEFI.

ESXi can boot from a disk larger than 2 TB if the system firmware and the firmware on any add-in card that you are
using support it. See the vendor documentation.

Storage Requirements for ESXi 7.0 Installation or Upgrade

Installing ESXi 7.0 requires a boot device that is a minimum of 8 GB for USB or SD devices, and 32 GB for other device types. Upgrading to ESXi 7.0 requires a boot device that is a minimum of 4 GB. When booting from a local disk, SAN or iSCSI LUN, a 32 GB disk is required to allow for the creation of system storage volumes, which include a boot partition, boot banks, and a VMFS-L based ESX-OSData volume. The ESX-OSData volume takes on the role of the legacy /scratch partition, VM-tools, and core dump destination.

The recommended ESXi 7.0 install options are the following:

• An 8 GB USB or SD and an additional 32 GB local disk. The ESXi boot partitions reside on the USB or SD and the ESX-OSData volume resides on the local disk.

• A local disk with a minimum of 32 GB. The disk contains the boot partitions and ESX-OSData volume.

• A local disk of 142 GB or larger. The disk contains the boot partitions, ESX-OSData volume, and VMFS datastore.

The ESXi 7.0 system storage volumes can occupy up to 138 GB of disk space. A VMFS datastore is only created if the local disk device has at least 4 GB additional free space. To share a boot device with a local VMFS datastore, you need to use a local disk of 142 GB or larger.

If a local disk cannot be found, then ESXi 7.0 operates in degraded mode where certain functionality is disabled and the /scratch partition is on the RAM disk, linked to /tmp. You can reconfigure /scratch to use a separate disk or LUN. For best performance and memory optimization, do not run ESXi in degraded mode.

The upgrade process to ESXi 7.0 repartitions the boot device and consolidates the original core dump, locker, and scratch partitions into the ESX-OSData volume.

The following events occur during the repartitioning process:

• If a custom core dump destination is not configured, then the default core dump location is a file in the ESX-OSData volume.

• If the syslog service is configured to store log files on the 4 GB VFAT scratch partition, the log files in var/run/log are migrated to the ESX-OSData volume.

• VMware Tools are migrated from the locker partition and the partition is wiped.

• The core dump partition is wiped. The application core dump files that are stored on the scratch partition are deleted.

Note Rollback to an earlier version of ESXi is not possible due to the repartitioning process of the boot device. To
use an earlier version of ESXi after upgrading to version 7.0, you must create a backup of the boot device before the
upgrade, and restore the ESXi boot device from the backup.

Due to the I/O sensitivity of USB and SD devices, the installer only creates a VMFS-L locker partition on these devices to store VM-tools and core dump files. When installing or upgrading on USB or SD devices, the installer attempts to allocate an ESX-OSData region on an available local disk. A datastore is used for /scratch, if there is no available space. If no local disk or datastore is found, /scratch is placed on the RAM disk. After the installation or upgrade, reconfigure /scratch to use a persistent datastore or add a new disk for system storage volumes.

To reconfigure /scratch, see Set the Scratch Partition from the vSphere Client.

Although an 8 GB USB or SD device is sufficient for a minimal installation, you should use a larger device. The additional space is used for an expanded core dump file and the extra flash cells of a high-quality USB flash drive can prolong the life of the boot media. Use a 32 GB or larger high-quality USB flash drive. See Knowledge Base article http://kb.vmware.com/kb/2004784.


In Auto Deploy installations, the installer attempts to allocate a scratch region on an available local disk or
datastore. If no local disk or datastore is found, the /scratch partition is placed on the RAM disk. Reconfigure
/scratch to use a persistent datastore after the installation.

For environments that boot from a SAN or use Auto Deploy, the ESX-OSData volume for each ESXi host must be
set up on a separate SAN LUN. However, if /scratch is configured not to use ESX-OSData, you do not need to
allocate a separate LUN for /scratch for each host. You can co-locate the scratch regions for multiple ESXi
hosts onto a single LUN. The number of hosts assigned to any single LUN should be weighed against the LUN size
and the I/O behavior of the virtual machines.

ESXi 7.0 Installation on M.2 and Other Non-USB Low-End Flash Media

Unlike USB flash devices, the ESXi installer creates system storage volumes and a VMFS datastore on M.2 and
other non-USB low-end flash media. If you deploy a virtual machine or migrate a virtual machine to this boot
device datastore, the boot device can be worn out quickly depending on the endurance of the flash device and the
characteristics of the workload. As even read-only workloads can cause problems on low-end flash devices, you
should install ESXi only on high-endurance flash media.

Important If you install ESXi on M.2 or other non-USB low-end flash media, delete the VMFS datastore on the
device immediately after installation. For more information on removing VMFS datastores, see the vSphere
Storage documentation.

Recommendations for Enhanced ESXi Performance


To enhance performance, install or upgrade ESXi on a robust system with more RAM than the minimum
required and with multiple physical disks.

For ESXi system requirements, see ESXi Hardware Requirements.


Table 2-1. Recommendations for Enhanced Performance


| System Element | Recommendation |
|---|---|
| RAM | ESXi hosts require more RAM than typical servers. Provide at least 8 GB of RAM to take full advantage of ESXi features and run virtual machines in typical production environments. An ESXi host must have sufficient RAM to run concurrent virtual machines. The following examples are provided to help you calculate the RAM required by the virtual machines running on the ESXi host. Operating four virtual machines with Red Hat Enterprise Linux or Windows XP requires at least 3 GB of RAM for baseline performance. This figure includes 1024 MB for the virtual machines, 256 MB minimum for each operating system as recommended by vendors. Running these four virtual machines with 512 MB RAM requires that the ESXi host have 4 GB RAM, which includes 2048 MB for the virtual machines. These calculations do not include possible memory savings from using variable overhead memory for each virtual machine. See vSphere Resource Management. |
| Dedicated Fast Ethernet adapters for virtual machines | Place the management network and virtual machine networks on different physical network cards. Dedicated Gigabit Ethernet cards for virtual machines, such as Intel PRO 1000 adapters, improve throughput to virtual machines with high network traffic. |
| Disk location | Place all data that your virtual machines use on physical disks allocated specifically to virtual machines. Performance is better when you do not place your virtual machines on the disk containing the ESXi boot image. Use physical disks that are large enough to hold disk images that all the virtual machines use. |
| VMFS6 partitioning | The ESXi installer creates the initial VMFS volumes on the first blank local disk found. To add disks or modify the original configuration, use the vSphere Client. This practice ensures that the starting sectors of partitions are 64K-aligned, which improves storage performance. Note For SAS-only environments, the installer might not format the disks. For some SAS disks, it is not possible to identify whether the disks are local or remote. After the installation, you can use the vSphere Client to set up VMFS. |
| Processors | Faster processors improve ESXi performance. For certain workloads, larger caches improve ESXi performance. |
| Hardware compatibility | Use devices in your server that are supported by ESXi 7.0 drivers. See the Hardware Compatibility Guide at http://www.vmware.com/resources/compatibility. |


Incoming and Outgoing Firewall Ports for ESXi Hosts


The vSphere Client and the VMware Host Client allow you to open and close firewall ports for each service or
to allow traffic from selected IP addresses.

The following table lists the firewalls for services that are installed by default. If you install other VIBs on your
host, additional services and firewall ports might become available. The information is primarily for services that
are visible in the vSphere Client but the table includes some other ports as well.

Table 2-2. Incoming Firewall Connections


| Port | Protocol | Service | Description |
|---|---|---|---|
| 5988 | TCP | CIM Server | Server for CIM (Common Information Model). |
| 5989 | TCP | CIM Secure Server | Secure server for CIM. |
| 427 | TCP, UDP | CIM SLP | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers. |
| 546 | | DHCPv6 | DHCP client for IPv6. |
| 8301, 8302 | UDP | DVSSync | DVSSync ports are used for synchronizing states of distributed virtual ports between hosts that have VMware FT record/replay enabled. Only hosts that run primary or backup virtual machines must have these ports open. On hosts that are not using VMware FT these ports do not have to be open. |
| 902 | TCP | NFC | Network File Copy (NFC) provides a file-type-aware FTP service for vSphere components. ESXi uses NFC for operations such as copying and moving data between datastores by default. |
| 12345, 23451 | UDP | vSAN Clustering Service | VMware vSAN Cluster Monitoring and Membership Directory Service. Uses UDP-based IP multicast to establish cluster members and distribute vSAN metadata to all cluster members. If disabled, vSAN does not work. |
| 68 | UDP | DHCP Client | DHCP client for IPv4. |
| 53 | UDP | DNS Client | DNS client. |
| 8200, 8100, 8300 | TCP, UDP | Fault Tolerance | Traffic between hosts for vSphere Fault Tolerance (FT). |
| 6999 | UDP | NSX Distributed Logical Router Service | NSX Virtual Distributed Router service. The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open. This service was called NSX Distributed Logical Router in earlier versions of the product. |
| 2233 | TCP | vSAN Transport | vSAN reliable datagram transport. Uses TCP and is used for vSAN storage IO. If disabled, vSAN does not work. |
| 161 | UDP | SNMP Server | Allows the host to connect to an SNMP server. |
| 22 | TCP | SSH Server | Required for SSH access. |
| 8000 | TCP | vMotion | Required for a virtual machine migration with vMotion. ESXi hosts listen on port 8000 for TCP connections from remote ESXi hosts for vMotion traffic. |
| 8080 | TCP | vsanvp | vSAN VASA Vendor Provider. Used by the Storage Management Service (SMS) that is part of vCenter to access information about vSAN storage profiles, capabilities, and compliance. If disabled, vSAN Storage Profile Based Management (SPBM) does not work. |
| 80 | TCP | vSphere Web Access | Welcome page, with download links for different interfaces. |
| 5900-5964 | TCP | RFB protocol | |
| 80, 9000 | TCP | vSphere Lifecycle Manager | |
| 9080 | TCP | I/O Filter Service | Used by the I/O Filters storage feature. |

Table 2-3. Outgoing Firewall Connections


| Port | Protocol | Service | Description |
|---|---|---|---|
| 427 | TCP, UDP | CIM SLP | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers. |
| 547 | TCP, UDP | DHCPv6 | DHCP client for IPv6. |
| 8301, 8302 | UDP | DVSSync | DVSSync ports are used for synchronizing states of distributed virtual ports between hosts that have VMware FT record/replay enabled. Only hosts that run primary or backup virtual machines must have these ports open. On hosts that are not using VMware FT these ports do not have to be open. |
| 44046, 31031 | TCP | HBR | Used for ongoing replication traffic by vSphere Replication and VMware Site Recovery Manager. |
| 902 | TCP | NFC | Network File Copy (NFC) provides a file-type-aware FTP service for vSphere components. ESXi uses NFC for operations such as copying and moving data between datastores by default. |
| 9 | UDP | WOL | Used by Wake on LAN. |
| 12345, 23451 | UDP | vSAN Clustering Service | Cluster Monitoring, Membership, and Directory Service used by vSAN. |
| 68 | UDP | DHCP Client | DHCP client. |
| 53 | TCP, UDP | DNS Client | DNS client. |
| 80, 8200, 8100, 8300 | TCP, UDP | Fault Tolerance | Supports VMware Fault Tolerance. |
| 3260 | TCP | Software iSCSI Client | Supports software iSCSI. |
| 6999 | UDP | NSX Distributed Logical Router Service | The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open. |
| 5671 | TCP | rabbitmqproxy | A proxy running on the ESXi host. This proxy allows applications that are running inside virtual machines to communicate with the AMQP brokers that are running in the vCenter network domain. The virtual machine does not have to be on the network, that is, no NIC is required. Ensure that outgoing connection IP addresses include at least the brokers in use or future. You can add brokers later to scale up. |
| 2233 | TCP | vSAN Transport | Used for RDT traffic (Unicast peer to peer communication) between vSAN nodes. |
| 8000 | TCP | vMotion | Required for virtual machine migration with vMotion. |
| 902 | UDP | VMware vCenter Agent | vCenter Server agent. |
| 8080 | TCP | vsanvp | Used for vSAN Vendor Provider traffic. |
| 80, 9000 | TCP | vSphere Lifecycle Manager | |

Table 2-4. Firewall Ports for Services That Are Not Visible in the UI by Default
| Port | Protocol | Service | Comment |
|---|---|---|---|
| 5900-5964 | TCP | RFB protocol | The RFB protocol is a simple protocol for remote access to graphical user interfaces. |
| 8889 | TCP | OpenWSMAN Daemon | Web Services Management (WS-Management) is a DMTF open standard for the management of servers, devices, applications, and Web services. |

Required Free Space for System Logging


If you used Auto Deploy to install your ESXi 7.0 host, or if you set up a log directory separate from the default location in a scratch directory on the VMFS volume, you might need to change your current log size and rotation settings to ensure that enough space is available for system logging.

All vSphere components use this infrastructure. The default values for log capacity in this infrastructure vary,
depending on the amount of storage available and on how you have configured system logging. Hosts that are
deployed with Auto Deploy store logs on a RAM disk, which means that the amount of space available for logs is
small.

If your host is deployed with Auto Deploy, reconfigure your log storage in one of the following ways:

• Redirect logs over the network to a remote collector.


• Redirect logs to a NAS or NFS store.

If you redirect logs to non-default storage, such as a NAS or NFS store, you might also want to reconfigure log
sizing and rotations for hosts that are installed to disk.

You do not need to reconfigure log storage for ESXi hosts that use the default configuration, which stores logs in a scratch directory on the VMFS volume. For these hosts, ESXi 7.0 configures logs to best suit your installation, and provides enough space to accommodate log messages.

Table 2-5. Recommended Minimum Size and Rotation Configuration for hostd, vpxa, and fdm Logs

| Log | Maximum Log File Size | Number of Rotations to Preserve | Minimum Disk Space Required |
|---|---|---|---|
| Management Agent (hostd) | 10 MB | 10 | 100 MB |
| VirtualCenter Agent (vpxa) | 5 MB | 10 | 50 MB |
| vSphere HA agent (Fault Domain Manager, fdm) | 5 MB | 10 | 50 MB |

For information about setting up a remote log server, see Configure Syslog on ESXi Hosts.

ESXi Passwords and Account Lockout


For ESXi hosts, you have to use a password with predefined requirements. You can change the required length and
character class requirement or allow pass phrases using the Security.PasswordQualityControl advanced
option. You can also set the number of passwords to remember for each user using the
Security.PasswordHistory advanced option.

Note The default requirements for ESXi passwords can change from one release to the next. You can check and
change the default password restrictions using the Security.PasswordQualityControl advanced option.

ESXi Passwords

ESXi enforces password requirements for access from the Direct Console User Interface, the ESXi Shell, SSH, or the
VMware Host Client.

• By default, you have to include a mix of characters from four character classes: lowercase letters, uppercase letters, numbers, and special characters such as underscore or dash when you create a password.

• By default, password length is more than 7 and less than 40.

• Passwords cannot contain a dictionary word or part of a dictionary word.

Note An uppercase character that begins a password does not count toward the number of character classes used.
A number that ends a password does not count toward the number of character classes used.

Example ESXi Passwords

The following password candidates illustrate potential passwords if the option is set as follows.

retry=3 min=disabled,disabled,disabled,7,7

With this setting, passwords with one or two character classes and pass phrases are not allowed, because the first three
items are disabled. Passwords from three- and four-character classes require seven characters. See the
pam_passwdqc man page for details.

With these settings, the following passwords are allowed.

 xQaTEhb!: Contains eight characters from three character classes.

 xQaT3#A: Contains seven characters from four character classes.

The following password candidates do not meet requirements.

 Xqat3hi: Begins with an uppercase character, reducing the effective number of character classes to two.
The minimum number of required character classes is three.

 xQaTEh2: Ends with a number, reducing the effective number of character classes to two. The minimum
number of required character classes is three.

ESXi Pass Phrase

Instead of a password, you can also use a pass phrase. However, pass phrases are disabled by default. You can change
this default or other settings by using the Security.PasswordQualityControl advanced option from the
vSphere Client.

For example, you can change the option to the following.

retry=3 min=disabled,disabled,16,7,7

This example allows pass phrases of at least 16 characters and at least three words, separated by spaces.

For legacy hosts, changing the /etc/pam.d/passwd file is still supported, but changing the file is deprecated
for future releases. Use the Security.PasswordQualityControl advanced option instead.

Changing Default Password Restrictions

You can change the default restriction on passwords or pass phrases by using the
Security.PasswordQualityControl advanced option for your ESXi host. See vCenter Server and Host
Management documentation for information on setting ESXi advanced options.

You can change the default, for example, to require a minimum of 15 characters and a minimum number of four
words, as follows:

retry=3 min=disabled,disabled,15,7,7 passphrase=4

See the man page for pam_passwdqc for details.

Note Not all possible combinations of password options have been tested. Perform additional testing after you change
the default password settings.
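
One way to test a candidate option value before applying it to a host is to model the rules stated above and run the guide's own example passwords through them. The following is an added example, not VMware or pam_passwdqc code; the function names are hypothetical, the pass phrase sample strings are constructed, and the dictionary-word check and maximum length are not modeled.

```python
"""Model of the ESXi password rules described in this section (added example)."""
import math
import string
from dataclasses import dataclass

DISABLED = math.inf  # "disabled" means no length is ever long enough


@dataclass(frozen=True)
class Policy:
    # min=N0,N1,N2,N3,N4: minimum length for one class, two classes,
    # a pass phrase, three classes, four classes (pam_passwdqc ordering).
    min_lengths: tuple
    passphrase_words: int = 3  # pam_passwdqc default when passphrase= is absent
    retry: int = 3


def parse_policy(option):
    """Parse a Security.PasswordQualityControl value such as
    'retry=3 min=disabled,disabled,15,7,7 passphrase=4'."""
    fields = {}
    for token in option.split():
        key, _, value = token.partition("=")
        fields[key] = value
    raw = fields.get("min", "").split(",")
    if len(raw) != 5:
        raise ValueError("min= must list five comma-separated values")
    mins = tuple(DISABLED if v == "disabled" else int(v) for v in raw)
    # pam_passwdqc requires each value to be no larger than the one before it.
    if any(later > earlier for earlier, later in zip(mins, mins[1:])):
        raise ValueError("min= values must not increase from left to right")
    return Policy(mins, int(fields.get("passphrase", 3)), int(fields.get("retry", 3)))


def effective_classes(candidate):
    """Count character classes, ignoring one leading uppercase letter and
    one trailing digit, as the note in this section describes."""
    counts = {"lower": 0, "upper": 0, "digit": 0, "other": 0}
    for ch in candidate:
        if ch in string.ascii_lowercase:
            counts["lower"] += 1
        elif ch in string.ascii_uppercase:
            counts["upper"] += 1
        elif ch in string.digits:
            counts["digit"] += 1
        else:
            counts["other"] += 1
    if candidate and candidate[0] in string.ascii_uppercase:
        counts["upper"] -= 1
    if candidate and candidate[-1] in string.digits:
        counts["digit"] -= 1
    return sum(1 for n in counts.values() if n > 0)


def evaluate(candidate, policy):
    """Return (allowed, reason) for a candidate under the parsed policy."""
    n0, n1, n2, n3, n4 = policy.min_lengths
    length = len(candidate)
    # Assumption: words are whitespace-separated, matching "separated by spaces".
    words = len(candidate.split())
    if words >= policy.passphrase_words and length >= n2:
        return True, f"pass phrase of {words} words"
    classes = effective_classes(candidate)
    required = {1: n0, 2: n1, 3: n3, 4: n4}.get(classes, DISABLED)
    if required == DISABLED:
        return False, f"{classes} effective character classes are not allowed"
    if length < required:
        return False, f"{classes} classes need at least {required} characters"
    return True, f"{classes} effective character classes, length {length}"


if __name__ == "__main__":
    policy = parse_policy("retry=3 min=disabled,disabled,disabled,7,7")
    for candidate in ("xQaTEhb!", "xQaT3#A", "Xqat3hi", "xQaTEh2"):
        print(candidate, evaluate(candidate, policy))
```

Run each new option value against a list of passwords you expect to pass and fail, then confirm the same results on a test host after setting the option.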

ESXi Account Lockout Behavior

Account locking is supported for access through SSH and through the vSphere Web Services SDK. The Direct
Console User Interface (DCUI) and the ESXi Shell do not support account lockout. By default, a maximum of five failed
attempts is allowed before the account is locked. The account is unlocked after 15 minutes by default.

Configuring Login Behavior

You can configure the login behavior for your ESXi host with the following advanced options:

 Security.AccountLockFailures. Maximum number of failed login attempts before a user's account is
locked. Zero disables account locking.

 Security.AccountUnlockTime. Number of seconds that a user is locked out.

 Security.PasswordHistory. Number of passwords to remember for each user. Zero disables password
history.

See the vCenter Server and Host Management documentation for information on setting ESXi advanced
options.

vCenter Server Deploy Preparation


This section describes the preparation steps required for the vCenter Server installation.

To install or upgrade vCenter Server, your system must meet the specific hardware and software requirements
described in the following sections.

System Requirements for the vCenter Server Appliance


You can deploy the vCenter Server appliance on an ESXi host 6.5 or later, or on a vCenter Server instance 6.5 or
later. Your system must also meet specific software and hardware requirements.

When you use Fully Qualified Domain Names, verify that the client machine from which you are deploying the
appliance and the network on which you are deploying the appliance use the same DNS server.

Before you deploy the appliance, synchronize the clocks of the target server and all vCenter Server instances on
the vSphere network. Unsynchronized clocks might result in authentication problems and can cause the
installation to fail or prevent the appliance services from starting. See Synchronizing Clocks on the vSphere
Network.

Hardware Requirements for the vCenter Server Appliance

When you deploy the vCenter Server appliance, you can select to deploy an appliance that is suitable for the
size of your vSphere environment. The option that you select determines the number of CPUs and the amount
of memory for the appliance.

The hardware requirements for a vCenter Server appliance depend on the size of your vSphere inventory.

Table 2-6. Hardware Requirements for a vCenter Server Appliance


| | Number of vCPUs | Memory |
| --- | --- | --- |
| Tiny environment (up to 10 hosts or 100 virtual machines) | 2 | 12 GB |
| Small environment (up to 100 hosts or 1,000 virtual machines) | 4 | 19 GB |
| Medium environment (up to 400 hosts or 4,000 virtual machines) | 8 | 28 GB |
| Large environment (up to 1,000 hosts or 10,000 virtual machines) | 16 | 37 GB |
| X-Large environment (up to 2,500 hosts or 45,000 virtual machines) | 24 | 56 GB |

Note If you want to add an ESXi host with more than 512 LUNs and 2,048 paths to the vCenter Server inventory,
you must deploy a vCenter Server appliance for a large or x-large environment.

Storage Requirements for the vCenter Server Appliance

When you deploy the vCenter Server appliance, the ESXi host or DRS cluster on which you deploy the appliance
must meet minimum storage requirements. The required storage depends not only on the size of the vSphere
environment and the storage size, but also on the disk provisioning mode.

The storage requirements are different for each vSphere environment size and depend on your database size
requirements.

Table 2-7. Storage Requirements for a vCenter Server Appliance

| | Default Storage Size | Large Storage Size | X-Large Storage Size |
| --- | --- | --- | --- |
| Tiny environment (up to 10 hosts or 100 virtual machines) | 415 GB | 1490 GB | 3245 GB |
| Small environment (up to 100 hosts or 1,000 virtual machines) | 480 GB | 1535 GB | 3295 GB |
| Medium environment (up to 400 hosts or 4,000 virtual machines) | 700 GB | 1700 GB | 3460 GB |
| Large environment (up to 1,000 hosts or 10,000 virtual machines) | 1065 GB | 1765 GB | 3525 GB |
| X-Large environment (up to 2,500 hosts or 45,000 virtual machines) | 1805 GB | 1905 GB | 3665 GB |

Note The storage requirements include the requirements for the vSphere Lifecycle Manager that runs as a
service in the vCenter Server appliance.

Software Requirements for the vCenter Server Appliance

The VMware vCenter Server appliance can be deployed on ESXi 6.5 hosts or later, or on vCenter Server instances
6.5 or later.

You can deploy the vCenter Server appliance using the GUI or CLI installer. You run the installer from a network
client machine that you use to connect to the target server and deploy the appliance on the server. You can
connect directly to an ESXi 6.5 host on which to deploy the appliance. You can also connect to a vCenter Server
6.5 instance to deploy the appliance on an ESXi host or DRS cluster that resides in the vCenter Server inventory.

For information about the requirements for the network client machine, see System Requirements for the vCenter
Server Installer.

Required Ports for vCenter Server

The vCenter Server system must be able to send data to every managed host and receive data from the vSphere
Client. To enable migration and provisioning activities between managed hosts, the source and destination hosts
must be able to receive data from each other.

If a port is in use or is blocked using a denylist, the vCenter Server installer displays an error message. You must
use another port number to proceed with the installation. There are internal ports that are used only for
inter-process communication.

VMware uses designated ports for communication. Additionally, the managed hosts monitor designated ports for
data from vCenter Server. If a built-in firewall exists between any of these elements, the installer opens the ports
during the installation or upgrade process. For custom firewalls, you must manually open the required ports. If you
have a firewall between two managed hosts and you want to perform source or target activities, such as migration or
cloning, you must configure a means for the managed hosts to receive data.

To configure the vCenter Server system to use a different port to receive vSphere Client data, see the vCenter
Server and Host Management documentation.

Table 2-8. Ports Required for Communication Between Components

| Port | Protocol | Description | Used for Node-to-Node Communication |
| --- | --- | --- | --- |
| 22 | TCP | System port for SSHD. | No |
| 53 | | DNS service | No |
| 80 | TCP | vCenter Server requires port 80 for direct HTTP connections. Port 80 redirects requests to HTTPS port 443. This redirection is useful if you accidentally use http://server instead of https://server. WS-Management (also requires port 443 to be open). | No |
| 88 | TCP | Active Directory server. This port must be open for host to join Active Directory. If you use native Active Directory, the port must be open on vCenter Server. | No |
| 389 | TCP/UDP | This port must be open on the local and all remote instances of vCenter Server. This port is the LDAP port number for the Directory Services for the vCenter Server group. If another service is running on this port, it might be preferable to remove it or change its port to a different port. You can run the LDAP service on any port from 1025 through 65535. | vCenter Server to vCenter Server |
| 443 | TCP | The default port that the vCenter Server system uses to listen for connections from the vSphere Client. To enable the vCenter Server system to receive data from the vSphere Client, open port 443 in the firewall. The vCenter Server system also uses port 443 to monitor data transfer from SDK clients. This port is also used for the following services: WS-Management (also requires port 80 to be open); third-party network management client connections to vCenter Server; third-party network management clients access to hosts. | vCenter Server to vCenter Server |
| 514 | TCP/UDP | vSphere Syslog Service port for the vCenter Server appliance. | No |
| 636 | TCP | vCenter Single Sign-On LDAPS. For backward compatibility with vSphere 6.5 only. | During upgrade from vSphere 6.5 only. |
| 902 | TCP/UDP | The default port that the vCenter Server system uses to send data to managed hosts. Managed hosts also send a regular heartbeat over UDP port 902 to the vCenter Server system. This port must not be blocked by firewalls between the server and the hosts or between hosts. Port 902 must not be blocked between the VMware Host Client and the hosts. The VMware Host Client uses this port to display virtual machine consoles. | No |
| 1514 | TCP | vSphere Syslog Service TLS port for the vCenter Server appliance. | No |
| 2012 | TCP | Control interface RPC for vCenter Single Sign-On | No |
| 2014 | TCP | RPC port for all VMCA (VMware Certificate Authority) APIs | No |
| 2015 | TCP | DNS management | No |
| 2020 | TCP/UDP | Authentication framework management | No |
| 5480 | TCP | Appliance Management Interface. Open endpoint serving all HTTPS, XMLRPS, and JSON-RPC requests over HTTPS. | No |
| 6500 | TCP/UDP | ESXi Dump Collector port | No |
| 6501 | TCP | Auto Deploy service | No |
| 6502 | TCP | Auto Deploy management | No |
| 7080, 12721 | TCP | Secure Token Service. Note Internal ports | No |
| 7081 | TCP | vSphere Client. Note Internal port | No |
| 7475, 7476 | TCP | VMware vSphere Authentication Proxy | No |
| 8200, 8201, 8300, 8301 | TCP | Appliance management. Note Internal ports | No |
| 8084 | TCP | vSphere Lifecycle Manager SOAP port. The port used by vSphere Lifecycle Manager client plug-in to connect to the vSphere Lifecycle Manager SOAP server. | No |
| 9084 | TCP | vSphere Lifecycle Manager Web Server Port. The HTTP port used by ESXi hosts to access host patch files from vSphere Lifecycle Manager server. | No |
| 9087 | TCP | vSphere Lifecycle Manager Web SSL Port. The HTTPS port used by vSphere Lifecycle Manager client plug-in to upload host upgrade files to vSphere Lifecycle Manager server. | No |
| 9443 | TCP | vSphere Client HTTPS | No |

For more information about firewall configuration, see the vSphere Security documentation.

DNS Requirements for the vCenter Server Appliance

When you deploy the vCenter Server appliance with a static IP address, you ensure that in case of system restart,
the IP address of the appliance remains the same.

Before you deploy the vCenter Server appliance with a static IP address, you must verify that this IP address has a
valid internal domain name system (DNS) registration.

When you deploy the vCenter Server appliance, the installation of the web server component that supports the
vSphere Client fails if the installer cannot look up the fully qualified domain name (FQDN) for the appliance
from its IP address. Reverse lookup is implemented using PTR records.

If you plan to use an FQDN for the appliance system name, you must verify that the FQDN is resolvable by a
DNS server, by adding forward and reverse DNS A records.

You can use the nslookup command to verify that the DNS reverse lookup service returns an FQDN when
queried with the IP address and to verify that the FQDN is resolvable.

nslookup -nosearch -nodefname FQDN_or_IP_address

If you use DHCP instead of a static IP address for the vCenter Server appliance, verify that the appliance name
is updated in the domain name service (DNS). If you can ping the appliance name, the name is updated in DNS.

Ensure that the ESXi host management interface has a valid DNS resolution from the vCenter Server and all
vSphere Client instances. Ensure that the vCenter Server has a valid DNS resolution from all ESXi hosts and
vSphere Client.
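
The forward and reverse checks described in this section can be scripted so that they run identically for every planned appliance address. The following is an added example, not part of the VMware installer; `check_dns` and the resolver helpers are hypothetical names, and the `example.test` names and 192.0.2.x addresses are constructed sample records so the check can be exercised offline.

```python
"""Forward/reverse DNS pre-check for a planned appliance address (added example)."""
import ipaddress
import socket


def system_forward(fqdn):
    """Addresses the system resolver returns for fqdn (A and AAAA)."""
    infos = socket.getaddrinfo(fqdn, None, proto=socket.IPPROTO_TCP)
    return {info[4][0].split("%")[0] for info in infos}


def system_reverse(ip):
    """Names returned by the PTR lookup of ip (primary name plus aliases)."""
    name, aliases, _ = socket.gethostbyaddr(ip)
    return {name, *aliases}


def _norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def check_dns(fqdn, static_ip, forward=system_forward, reverse=system_reverse):
    """Return a list of problems; an empty list means the forward record
    points at static_ip and the PTR record points back at fqdn."""
    problems = []
    ip = str(ipaddress.ip_address(static_ip))  # ValueError on a malformed address
    if "." not in _norm(fqdn):
        problems.append(f"{fqdn} is not a fully qualified domain name")
    try:
        addresses = {str(ipaddress.ip_address(a)) for a in forward(fqdn)}
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        problems.append(f"forward lookup of {fqdn} failed: {exc}")
    else:
        if ip not in addresses:
            problems.append(f"{fqdn} resolves to {sorted(addresses)}, not {ip}")
    try:
        names = {_norm(n) for n in reverse(ip)}
    except OSError as exc:  # socket.herror is a subclass of OSError
        problems.append(f"PTR lookup of {ip} failed: {exc}")
    else:
        if _norm(fqdn) not in names:
            problems.append(f"PTR for {ip} returns {sorted(names)}, not {fqdn}")
    return problems


# Constructed sample records (not from the guide): vcsa01 is registered
# correctly, vcsa02 has a stale PTR record, vcsa03 is not registered at all.
A_RECORDS = {
    "vcsa01.example.test": {"192.0.2.10"},
    "vcsa02.example.test": {"192.0.2.11"},
}
PTR_RECORDS = {
    "192.0.2.10": {"vcsa01.example.test."},
    "192.0.2.11": {"old-vc.example.test."},
}


def sample_forward(fqdn):
    try:
        return A_RECORDS[_norm(fqdn)]
    except KeyError:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")


def sample_reverse(ip):
    try:
        return PTR_RECORDS[ip]
    except KeyError:
        raise socket.herror(1, "Unknown host")


if __name__ == "__main__":
    for fqdn, ip in (("vcsa01.example.test", "192.0.2.10"),
                     ("vcsa02.example.test", "192.0.2.11"),
                     ("vcsa03.example.test", "192.0.2.12")):
        issues = check_dns(fqdn, ip, sample_forward, sample_reverse)
        print(fqdn, ip, "OK" if not issues else issues)
```

Call `check_dns(fqdn, ip)` without the last two arguments to query the resolver of the machine you run it on; run it from the client machine and from a host on the appliance network, because both must see the same records.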

Preparing for Deployment of the vCenter Server Appliance


Before you deploy the vCenter Server appliance, you must download the vCenter Server installer ISO file and
mount it to a network virtual machine or physical server from which you want to perform the deployment.

The machine from which you deploy the appliance must run on a Windows, Linux, or Mac operating system that
meets the operating system requirements. See System Requirements for the vCenter Server Installer.

System Requirements for the vCenter Server Installer

You can run the vCenter Server GUI or CLI installer from a network client machine that is running on a Windows,
Linux, or Mac operating system of a supported version.

To ensure optimal performance of the GUI and CLI installers, use a client machine that meets the minimum
hardware requirements.

Table 2-9. System Requirements for the GUI and CLI Installers

| Operating System | Supported Versions | Minimum Hardware Configuration for Optimal Performance |
| --- | --- | --- |
| Windows | Windows 8, 8.1, 10; Windows 2012 x64 bit; Windows 2012 R2 x64 bit; Windows 2016 x64 bit; Windows 2019 x64 | 4 GB RAM, 2 CPU having 4 cores with 2.3 GHz, 32 GB hard disk, 1 NIC |
| Linux | SUSE 15; Ubuntu 16.04 and 18.04 | 4 GB RAM, 1 CPU having 2 cores with 2.3 GHz, 16 GB hard disk, 1 NIC. Note The CLI installer requires 64-bit OS. |
| Mac | macOS v10.13, 10.14, 10.15; macOS High Sierra, Mojave, Catalina | 8 GB RAM, 1 CPU having 4 cores with 2.4 GHz, 150 GB hard disk, 1 NIC |

Note For client machines that run on Mac 10.13 or later, concurrent GUI deployments of multiple appliances are
unsupported. You must deploy the appliances in a sequence.

Note Visual C++ redistributable libraries need to be installed to run the CLI installer on versions of Windows
older than Windows 10. The Microsoft installers for these libraries are located in the
vcsa-cli-installer/win32/vcredist directory.

Note Deploying the vCenter Server appliance with the GUI requires a minimum resolution of 1024x768 to
properly display. Lower resolutions can truncate the UI elements.

Download and Mount the vCenter Server Installer

VMware releases the vCenter Server appliance ISO image, which contains GUI and CLI installers for the vCenter
Server appliance.

With the GUI and CLI executable files that are included in the vCenter Server installer, you can:

 Deploy the vCenter Server appliance.

 Upgrade the vCenter Server appliance.

 Converge older versions of vCenter Server with an external Platform Services Controller to the current
version of vCenter Server.

 Restore a vCenter Server appliance from a file-based backup.

Prerequisites

 Create a My VMware account at https://my.vmware.com/web/vmware/.

 Verify that your client machine meets the system requirements for the vCenter Server installer. See
System Requirements for the vCenter Server Installer.

Procedure

1 From the VMware Web site at https://my.vmware.com/web/vmware/downloads, download the vCenter
Server appliance ISO image.

VMware-VCSA-all-version_number-build_number.iso

2 Confirm that the md5sum is correct.

See the VMware Web site topic Using MD5 Checksums at http://www.vmware.com/download/md5.html.

3 Mount the ISO image to the client machine from which you want to deploy, upgrade, migrate, or restore the
appliance.

Note ISO mounting software that does not allow more than eight directory levels, for example, MagicISO
Maker on Windows, is unsupported.

For Linux OS and Mac OS, Archive Manager is unsupported.

For Mac OS, you can use DiskImageMounter.


For Ubuntu 14.04, you can use Disk Image Mounter.

For SUSE 12 OS, you can use the terminal.

$ sudo mkdir mount_dir
$ sudo mount -o loop VMware-VCSA-all-version_number-build_number.iso mount_dir

What to do next

Open the readme.txt file and review the information about the other files and directories in the vCenter Server
appliance ISO image.

Synchronizing Clocks on the vSphere Network

Verify that all components on the vSphere network have their clocks synchronized. If the clocks on the physical
machines in your vSphere network are not synchronized, SSL certificates and SAML Tokens, which are
time-sensitive, might not be recognized as valid in communications between network machines.

Unsynchronized clocks can result in authentication problems, which can cause the installation to fail or prevent the
vCenter Server vmware-vpxd service from starting.

Time inconsistencies in vSphere can cause firstboot to fail at different services depending on where in the
environment time is not accurate and when the time is synchronized. Problems most commonly occur when the
target ESXi host for the destination vCenter Server is not synchronized with NTP or PTP. Similarly, issues can arise
if the destination vCenter Server migrates to an ESXi host set to a different time due to fully automated DRS.

To avoid time synchronization issues, ensure that the following is correct before installing, migrating, or
upgrading a vCenter Server.

 The target ESXi host where the destination vCenter Server is to be deployed is synchronized to NTP or PTP.

 The ESXi host running the source vCenter Server is synchronized to NTP or PTP.

 When upgrading or migrating from vSphere 6.5 or 6.7 to vSphere 7.0, if the vCenter Server appliance is
connected to an external Platform Services Controller, ensure the ESXi host running the external Platform
Services Controller is synchronized to NTP or PTP.

 If you are upgrading or migrating from vSphere 6.5 or 6.7 to vSphere 7.0, verify that the source vCenter
Server or vCenter Server appliance and external Platform Services Controller have the correct time.

 When you upgrade a vCenter Server 6.5 or 6.7 instance with an external Platform Services Controller to
vSphere 7.0, the upgrade process converts to a vCenter Server instance with an embedded Platform Services
Controller.

Verify that any Windows host machine on which vCenter Server runs is synchronized with the Network Time
Protocol (NTP) server. See the VMware knowledge base article at https://kb.vmware.com/s/article/1318.

To synchronize ESXi clocks with an NTP server or a PTP server, you can use the VMware Host Client. For
information about editing the time configuration of an ESXi host, see vSphere Single Host Management -
VMware Host Client.

To learn how to change time synchronization settings for vCenter Server, see "Configure the System Time
Zone and Time Synchronization Settings" in vCenter Server Configuration.

To learn how to edit time configuration for a host by using the vSphere Client, see "Editing Time Configuration
for a Host" in vCenter Server and Host Management.

System Clock Synchronization Between the Client and Server

To establish a secure TLS connection to a vCenter Server (the server), the system clock of the machine where you
run the CLI installer (the client) must not be slower or faster than the server's system clock by more than an
acceptable limit (tolerance).

See Table 2-10. Client Clock Tolerance for specific values for each deployment scenario.

Note The client clock values are applicable only for vCenter Server 6.7 and later.

Table 2-10. Client Clock Tolerance


| Deployment Scenario | Clock Tolerance | Connection Notes |
| --- | --- | --- |
| Linking one vCenter Server with another vCenter Server | When deploying the second vCenter Server, the clock tolerance for the client and the first vCenter Server must not exceed 10 minutes. | |
| Installing a vCenter Server appliance using a container vCenter Server with a *._on_vc.json template. | The maximum clock tolerance between the client and the container vCenter Server is 8 hours 20 minutes. | |

Prerequisites for Deploying the vCenter Server Appliance


To ensure a successful deployment of the vCenter Server appliance, you must perform some required tasks and
pre-checks before running the installer.

General Prerequisites

 Download and Mount the vCenter Server Installer.

Target System Prerequisites

 Verify that your system meets the minimum software and hardware requirements. See System
Requirements for the vCenter Server Appliance.

 If you want to deploy the appliance on an ESXi host, verify that the ESXi host is not in lockdown or
maintenance mode and not part of a fully automated DRS cluster.

 If you want to deploy the appliance on a DRS cluster of the inventory of a vCenter Server instance, verify
that the cluster contains at least one ESXi host that is not in lockdown or maintenance mode.

 If you plan to use NTP servers for time synchronization, verify that the NTP servers are running and that the
time between the NTP servers and the target server on which you want to deploy the appliance is
synchronized.

vCenter Enhanced Linked Mode Prerequisites

When deploying a new vCenter Server as part of an Enhanced Linked Mode deployment, create an image-based
backup of the existing vCenter Server nodes in your environment. You can use the backup as a precaution in case
there is a failure during the deployment process.

If the deployment fails, delete the newly deployed vCenter Server appliance, and restore the vCenter Server
nodes from their respective image-based backups. You must restore all the nodes in the environment from
their image-based backups. Failing to do so can cause the replication partners to be out of synchronization with
the restored node.

 To learn more about creating vCenter Enhanced Linked Mode deployments, see Creating vCenter Server
Linked Mode Groups.

 To learn about image-based backups, see Image-Based Back Up and Restore of a vCenter Server
Environment.

Network Prerequisites

If you plan to assign a static IP address and an FQDN as a system name in the network settings of the appliance,
verify that you have configured the forward and reverse DNS records for the IP address.

vSphere Network Infrastructure Deploy Preparation


This section describes the preparation steps required for the vSphere Network Infrastructure deployment.

Prior to starting the installation and configuration of the vSphere Network Infrastructure, the following
preparation steps are required:

 ESXi host hardware must have the appropriate network connectivity in the datacenter provisioned and
connected.

 Appropriate IP addresses, DNS, VLANs, and the like should be available, assigned, and configured as
required for the design.

vSphere Storage Infrastructure Deploy Preparation


This section describes the preparation steps required for the vSphere Storage Infrastructure deployment.

Prior to starting the installation and configuration of the vSphere Storage Infrastructure, the following
preparation steps are required:

 External storage systems should be provisioned, and appropriate configuration of LUNs, Zoning, and the like
should be available for configuration of the storage. Steps are provided only for the configuration that is
specific to VMware products and required to set up storage generically.

 The storage vendor should be contacted to ensure that their best practices are being followed.

High Availability Deploy Preparation


This section describes the preparation steps required for the High Availability Deployment.

Prior to starting the installation and configuration of High Availability, the following preparation steps are
required:

 No steps are required to prepare for vSphere HA Deployment.

 For vCenter Server HA, the following prerequisites apply:

<Consultant: Remove this section if vCenter HA will not be deployed.>

 The vCenter Server Appliance that later becomes the Active node has been deployed. vCenter for
Windows is not supported.

 Appropriate access and privileges have been granted to modify that vCenter Server Appliance and
the ESXi host on which it runs.

 During network setup, static IP addresses for the management network are required. The management and
cluster network addresses must be IPv4 or IPv6. They cannot be mixed.

 If Fault Tolerance will be configured, the following prerequisites apply:

<Consultant: Remove this section if Fault Tolerance is not in the engagement.>

 Fault Tolerance Network must be available and configured.

Dynamic Resourcing Deploy Preparation


This section describes the preparation steps required for the Dynamic Resourcing Deployment.

Prior to starting the installation and configuration of DRS, the following preparation steps are required:

 VMware vMotion network must be configured and available.

Virtual Machine Deploy Preparation


This section describes the preparation steps required for the Virtual Machine Deployment.

Prior to starting the installation and configuration of the virtual machine configurations, the following
preparation steps are required:

 Sizing and Operating System details for the templates must be decided.

Deployment and Configuration


This section describes the deployment details for the product.

ESXi Host Deployment and Configuration


A VMware vSphere implementation involves multiple VMware software components.

The first building block of the deployment is the ESXi host. Installing an ESXi host creates a virtualization layer
that runs on physical servers and abstracts processor, memory, storage, and other resources that one or more
virtual machines can consume, and is generally required to build the rest of the infrastructure. This may include
vCenter Server but could also include many other optional modules or products.

For more information, refer to the product documentation available on the VMware vSphere 7.0 Update 1
Documentation Center Web site (https://docs.vmware.com/en/VMware-vSphere/index.html). This section
describes how to install and configure ESXi Hosts.

Installing ESXi Interactively


Use the interactive installation option for small deployments of fewer than five hosts.

In a typical interactive installation, you boot the ESXi installer and respond to the installer prompts to install ESXi
to the local host disk. The installer reformats and partitions the target disk and installs the ESXi boot image. If you
have not installed ESXi on the target disk before, all data on the drive is overwritten, including hardware vendor
partitions, operating system partitions, and associated data.

Note To ensure that you do not lose any data, migrate the data to another machine before you install ESXi.

If you are installing ESXi on a disk that contains a previous installation of ESXi or ESX, or a VMFS datastore, the
installer provides you with options for upgrading. See the vSphere Upgrade documentation.

Install ESXi Interactively

You use the ESXi CD/DVD or a USB flash drive to install the ESXi software onto a SAS, SATA, SCSI hard
drive, or USB drive.

Prerequisites

 You must have the ESXi installer ISO in one of the following locations:

 On CD or DVD. If you do not have the installation CD/DVD, you can create one. See
Download and Burn the ESXi Installer ISO Image onto a CD or DVD.

 On a USB flash drive. See Format a USB Flash Drive to Boot the ESXi Installation.

Note You can also PXE boot the ESXi installer to run an interactive installation or a scripted installation. See
Network Booting the ESXi Installer.

 Verify that the server hardware clock is set to UTC. This setting is in the system BIOS.

 Verify that a keyboard and monitor are attached to the machine on which the ESXi software is installed.
Alternatively, use a remote management application. See Using Remote Management Applications.

 Consider disconnecting your network storage. This action decreases the time it takes the installer to search
for available disk drives. When you disconnect network storage, any files on the disconnected disks are
unavailable at installation.

Do not disconnect a LUN that contains an existing ESX or ESXi installation. Do not disconnect a VMFS
datastore that contains the Service Console of an existing ESX installation. These actions can affect the
outcome of the installation.

 Gather the information required by the ESXi installation wizard. See Required Information for ESXi
Installation.

 Verify that ESXi Embedded is not present on the host machine. ESXi Installable and ESXi
Embedded cannot exist on the same host.

Procedure

1 Insert the ESXi installer CD/DVD into the CD/DVD-ROM drive, or attach the Installer USB flash drive and
restart the machine.

2 Set the BIOS to boot from the CD-ROM device or the USB flash drive.

See your hardware vendor documentation for information on changing boot order.

3 On the Select a Disk page, select the drive on which to install ESXi, and press Enter.

Press F1 for information about the selected disk.

Note Do not rely on the disk order in the list to select a disk. The disk order is determined by the BIOS and
might be out of order. This might occur on systems where drives are continuously being added and removed.

If you select a disk that contains data, the Confirm Disk Selection page appears.

If you are installing on a disk with a previous ESXi or ESX installation or VMFS datastore, the installer
provides several choices.

Important If you are upgrading or migrating an existing ESXi installation, see the VMware ESXi Upgrade
documentation.

If you select a disk that is in a vSAN disk group, the resulting installation depends on the type of disk and the
group size:

• If you select an SSD, the SSD and all underlying HDDs in the same disk group are wiped.

• If you select an HDD, and the disk group size is greater than two, only the selected HDD is wiped.

• If you select an HDD, and the disk group size is two or less, the SSD and the selected HDD are wiped.

For more information about managing vSAN disk groups, see the vSphere Storage
documentation.

4 Select the keyboard type for the host.

You can change the keyboard type after installation in the direct console.

5 Enter the root password for the host.

You can change the password after installation in the direct console.

6 Press Enter to start the installation.

7 When the installation is complete, remove the installation CD, DVD, or USB flash drive.

8 Press Enter to reboot the host.


9 Set the first boot device to be the drive on which you installed ESXi in Step 3.

For information about changing boot order, see your hardware vendor documentation.

Note UEFI systems might require additional steps to set the boot device. See Host Fails to Boot After ESXi Is
Installed in UEFI Mode.

Results

After the installation is complete, you can migrate existing VMFS data to the ESXi host.

You can boot a single machine from each ESXi image. Booting multiple devices from a single shared ESXi
image is not supported.

What to do next

Set up basic administration and network configuration for ESXi. See After You Install and Set Up ESXi.

Setting Up ESXi
These topics provide information about using the direct console user interface and configuring defaults for ESXi.

About the Direct Console ESXi Interface

Use the direct console interface for initial ESXi configuration and troubleshooting.

Connect a keyboard and monitor to the host to use the direct console. After the host completes the
autoconfiguration phase, the direct console appears on the monitor. You can examine the default network
configuration and change any settings that are not compatible with your network environment.

Key operations available to you in the direct console include:

• Configuring hosts

• Setting up administrative access

• Troubleshooting

You can also use vSphere Client to manage the host by using vCenter Server.

Table 2-11. Navigating in the Direct Console

Action                                                                  Key

View and change the configuration                                       F2
Change the user interface to high-contrast mode                         F4
Shut down or restart the host                                           F12
View the VMkernel log                                                   Alt+F12
Switch to the shell console                                             Alt+F1
Switch to the direct console user interface                             Alt+F2
Move the selection between fields                                       Arrow keys
Select a menu item                                                      Enter
Toggle a value                                                          Spacebar
Confirm sensitive commands, such as resetting configuration defaults    F11
Save and exit                                                           Enter
Exit without saving                                                     Esc
Exit system logs                                                        q

Enable ESXi Shell and SSH Access with the Direct Console User Interface

Use the direct console user interface to enable the ESXi Shell.

Procedure

1 From the Direct Console User Interface, press F2 to access the System Customization menu.

2 Select Troubleshooting Options and press Enter.

3 From the Troubleshooting Mode Options menu, select a service to enable.

• Enable ESXi Shell

• Enable SSH

4 Press Enter to enable the service.

5 (Optional) Set the timeout for the ESXi Shell.

By default, the timeout for the ESXi Shell is 0 (disabled).

The availability timeout setting is the number of minutes that can elapse before you must log in after the ESXi
Shell is enabled. After the timeout period, if you have not logged in, the shell is disabled.

Note If you are logged in when the timeout period elapses, your session will persist. However, the ESXi
Shell will be disabled, preventing other users from logging in.

a From the Troubleshooting Mode Options menu, select Modify ESXi Shell and SSH timeouts
and press Enter.

b Enter the availability timeout in minutes.

The availability timeout is the number of minutes that can elapse before you must log in after the ESXi
Shell is enabled.


c Press Enter.

d Enter the idle timeout.

The idle timeout is the number of minutes that can elapse before the user is logged out of idle interactive
sessions. Changes to the idle timeout apply the next time a user logs in to the ESXi Shell and do not affect
existing sessions.

6 Press Esc until you return to the main menu of the Direct Console User Interface.

Managing ESXi Remotely

You can use the VMware Host Client, the vSphere Client and vCenter Server to manage your ESXi hosts.

For instructions about downloading and installing vCenter Server and the vCenter Server components, see
vCenter Server Installation and Setup. For information about installing the VMware Host Client, see vSphere
Single Host Management.

Set the Password for the Administrator Account

You can use the direct console to set the password for the administrator account (root).

The administrative user name for the ESXi host is root. By default, the administrative password is not set.

Procedure

1 From the direct console, select Configure Password.

2 (Optional) If a password is already set up, type the password in the Old Password line and press Enter.

3 In the New Password line, type a new password and press Enter.

4 Retype the new password and press Enter.

Configuring Network Settings

ESXi requires one IP address for the management network. To configure basic network settings, use the vSphere
Client or the direct console.

Use the vSphere Client if you are satisfied with the IP address assigned by the DHCP server. Use the direct
console for network configuration in the following cases:

• You are not satisfied with the IP address assigned by the DHCP server.

• You are not allowed to use the IP address assigned by the DHCP server.

• ESXi does not have an IP address. This situation might occur if the autoconfiguration phase did not succeed
  in configuring DHCP.

• The wrong network adapter was selected during the autoconfiguration phase.


Network Access to Your ESXi Host


The default behavior is to configure the ESXi management network using DHCP. You can override the default
behavior and use static IP settings for the management network after the installation is completed.

Table 2-12. Network Configuration Scenarios Supported by ESXi

Scenario: You want to accept the DHCP-configured IP settings.
Approach: In the ESXi direct console, you can find the IP address assigned through DHCP to the ESXi management
interface. You can use that IP address to connect to the host from the vSphere Client and customize settings,
including changing the management IP address.

Scenario: One of the following is true:
  • You do not have a DHCP server.
  • The ESXi host is not connected to a DHCP server.
  • Your connected DHCP server is not functioning properly.
Approach: During the autoconfiguration phase, the software assigns the link local IP address, which is in the
subnet 169.254.x.x/16. The assigned IP address appears on the direct console. You can override the link local IP
address by configuring a static IP address using the direct console.

Scenario: The ESXi host is connected to a functioning DHCP server, but you do not want to use the DHCP-configured
IP address.
Approach: During the autoconfiguration phase, the software assigns a DHCP-configured IP address. You can make the
initial connection by using the DHCP-configured IP address. Then you can configure a static IP address. If you have
physical access to the ESXi host, you can override the DHCP-configured IP address by configuring a static IP
address using the direct console.

Scenario: Your security deployment policies do not permit unconfigured hosts to be powered on the network.
Approach: Follow the setup procedure in Configure the Network Settings on a Host That Is Not Attached to the
Network.

Choose Network Adapters for the Management Network


Traffic between an ESXi host and any external management software is transmitted through an Ethernet network
adapter on the host. You can use the direct console to choose the network adapters that are used by the
management network.

Examples of external management software include the vCenter Server and SNMP client. Network adapters on
the host are named vmnicN, where N is a unique number identifying the network adapter, for example, vmnic0,
vmnic1, and so forth.

During the autoconfiguration phase, the ESXi host chooses vmnic0 for management traffic. You can override the
default choice by manually choosing the network adapter that carries management traffic for the host. In some
cases, you might want to use a Gigabit Ethernet network adapter for your management traffic. Another way to help
ensure availability is to select multiple network adapters. Using multiple network adapters enables load balancing
and failover capabilities.

Procedure

1 From the direct console, select Configure Management Network and press Enter.

2 Select Network Adapters and press Enter.


3 Select a network adapter and press Enter.

Results

After the network is functional, you can use the vSphere Client to connect to the ESXi host through vCenter
Server.

Set the VLAN ID

You can set the virtual LAN (VLAN) ID number of the ESXi host.

Procedure

1 From the direct console, select Configure Management Network and press Enter.

2 Select VLAN and press Enter.

3 Enter a VLAN ID number from 1 through 4094.

Configuring IP Settings for ESXi


By default, DHCP sets the IP address, subnet mask, and default gateway. For future reference, write down the IP
address.

For DHCP to work, your network environment must have a DHCP server. If DHCP is not available, the host
assigns the link local IP address, which is in the subnet 169.254.x.x/16. The assigned IP address appears on the
direct console. If you do not have physical monitor access to the host, you can access the direct console using a
remote management application. See Using Remote Management Applications.

When you have access to the direct console, you can optionally configure a static network address. The
default subnet mask is 255.255.0.0.

Configure IP Settings from the Direct Console

If you have physical access to the host or remote access to the direct console, you can use the direct console to
configure the IP address, subnet mask, and default gateway.

Procedure

1 Select Configure Management Network and press Enter.

2 Select IP Configuration and press Enter.

3 Select Set static IP address and network configuration.

4 Enter the IP address, subnet mask, and default gateway and press Enter.
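
Before typing a static address, VLAN ID and gateway into the direct console, the planned values can be checked against the constraints this guide states (the 169.254.x.x/16 link local range and VLAN IDs 1 through 4094). The following Python check is an added example, not part of the VMware guide; the function name check_mgmt_network and the sample plans are hypothetical.

```python
import ipaddress

# Range the guide gives for the link local address assigned when DHCP is unavailable.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def check_mgmt_network(ip, netmask, gateway, vlan_id=None):
    """Return a list of problems with the planned settings (empty list = consistent)."""
    try:
        iface = ipaddress.ip_interface(f"{ip}/{netmask}")
    except ValueError as exc:
        # Covers malformed addresses and non-contiguous masks such as 255.0.255.0.
        return [f"invalid IP address or subnet mask: {exc}"]

    problems = []
    net = iface.network

    if iface.ip in LINK_LOCAL:
        problems.append("address is link-local (169.254.0.0/16): DHCP did not answer "
                        "or no static address was set")

    # In subnets larger than /31 the first and last addresses are not host addresses.
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")

    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError:
        problems.append(f"invalid default gateway: {gateway!r}")
    else:
        if gw == iface.ip:
            problems.append("default gateway is the same as the host address")
        elif gw not in net:
            problems.append(f"default gateway {gw} is outside {net}")

    if vlan_id is not None and not 1 <= vlan_id <= 4094:
        problems.append(f"VLAN ID {vlan_id} is outside 1-4094")

    return problems


if __name__ == "__main__":
    # Constructed sample plans (hypothetical values, not taken from the guide).
    plans = [
        ("192.168.10.5", "255.255.255.0", "192.168.10.1", 100),
        ("169.254.12.7", "255.255.0.0", "169.254.0.1", None),
        ("10.0.0.5", "255.255.255.0", "10.0.1.1", 4095),
    ]
    for plan in plans:
        issues = check_mgmt_network(*plan)
        print(plan, "->", issues or "ok")
```

A host that reports a link-local address after installation has not received a DHCP lease, so its management interface is not yet on the network you intended.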

Configuring DNS for ESXi


You can select either manual or automatic DNS configuration of the ESXi host.

The default is automatic. For automatic DNS to work, your network environment must have a DHCP server
and a DNS server.

In network environments where automatic DNS is not available or not desirable, you can configure static DNS
information, including a host name, a primary name server, a secondary name server, and DNS suffixes.

Configure DNS Settings from the Direct Console

If you have physical access to the host or remote access to the direct console, you can use the direct console to
configure DNS information.

Procedure

1 Select Configure Management Network and press Enter.

2 Select DNS Configuration and press Enter.

3 Select Use the following DNS server addresses and hostname.

4 Enter the primary server, an alternative server (optional), and the host name.

Configure DNS Suffixes


If you have physical access to the host, you can use the direct console to configure DNS information. By
default, DHCP acquires the DNS suffixes.

Procedure

1 From the direct console, select Configure Management Network.

2 Select Custom DNS Suffixes and press Enter.

3 Enter new DNS suffixes.

Test the Management Network


You can use the direct console to do simple network connectivity tests. The direct console performs the
following tests.

• Pings the default gateway

• Pings the primary DNS name server

• Pings the secondary DNS name server

• Resolves the configured host name

Procedure

1 From the direct console, select Test Management Network and press Enter.

2 Press Enter to start the test.

vCenter Server Deployment and Configuration


A VMware vSphere implementation involves multiple VMware software components. Once the ESXi hosts are
installed, the vCenter Server Infrastructure is next.

For more information, refer to the product documentation available on the VMware vSphere 7.0 Update 1
Documentation Center Web site (https://docs.vmware.com/en/VMware-vSphere/index.html).

Installing a vCenter Server system creates the central point for configuring, provisioning, and managing
virtualized IT environments. You must install the vCenter Server system software before you can add the hosts
and data centers to be managed and monitored.

With vSphere 7.0, a single architecture exists, which simplifies the required design for the environment. This
design deploys the vCenter Server appliance in an embedded configuration.

With vSphere 7.0, the vCenter Server Appliance is the only platform for running vCenter Server. vCenter Server
for Windows is not available.

This document describes the installation and deployment of a vCenter Server that is either standalone, as shown
in the following figure:

Figure 2-1. Embedded vCenter Server

or linked with other vCenter Server instances by using Enhanced Linked Mode, as shown in the following figure:

Figure 2-2. Enhanced Linked Mode

Note Although vCenter Server 7.0 supports connections between vCenter Server and vCenter Server components
using IPv4 IP addresses, VMware recommends that you use a FQDN to configure the services. In the case of an
IPv6 environment, you must use the FQDN or host name of the vCenter Server system.

Deploy the vCenter Server Appliance by Using the GUI


You can use the GUI installer to perform an interactive deployment of a vCenter Server appliance. You must run the
GUI deployment from a Windows, Linux, or Mac machine that is in the network on which you want to deploy the
appliance.

Figure 2-3. Deployment Workflow of a vCenter Server Appliance


Prerequisites

• See Prerequisites for Deploying the vCenter Server Appliance.

• See Required Information for GUI Deployment of the vCSA.

Stage 1 - Deploy the OVA File as a vCenter Server Appliance

With stage 1 of the deployment process, you deploy the OVA file, which is included in the vCenter Server
installer, as a vCenter Server appliance.

Procedure

1 In the vCenter Server installer, navigate to the vcsa-ui-installer directory, go to the
subdirectory for your operating system, and run the installer executable file.

• For Windows OS, go to the win32 subdirectory, and run the installer.exe file.

• For Linux OS, go to the lin64 subdirectory, and run the installer file.

• For Mac OS, go to the mac subdirectory, and run the Installer.app file.

2 On the Home page, click Install to start the deployment wizard.

3 Review the Introduction page to understand the deployment process and click Next.

4 Read and accept the license agreement, and click Next.


5 Connect to the target server on which you want to deploy the vCenter Server appliance.

Option: You can connect to an ESXi host on which to deploy the appliance.
Steps:
  1 Enter the FQDN or IP address of the ESXi host.
  2 Enter the HTTPS port of the ESXi host.
  3 Enter the user name and password of a user with administrative privileges on the ESXi host, for
    example, the root user.
  4 Click Next.
  5 Verify that the certificate warning displays the SHA1 thumbprint of the SSL certificate that is
    installed on the target ESXi host, and click Yes to accept the certificate thumbprint.

Option: You can connect to a vCenter Server instance and browse the inventory to select an ESXi host or
DRS cluster on which to deploy the appliance.
Steps:
  1 Enter the FQDN or IP address of the vCenter Server instance.
  2 Enter the HTTPS port of the vCenter Server instance.
  3 Enter the user name and password of a user with vCenter Single Sign-On administrative privileges on
    the vCenter Server instance, for example, the administrator@your_domain_name user.
  4 Click Next.
  5 Verify that the certificate warning displays the SHA1 thumbprint of the SSL certificate that is
    installed on the target vCenter Server instance, and click Yes to accept the certificate thumbprint.
  6 Select the data center or data center folder that contains the ESXi host or DRS cluster on which you
    want to deploy the appliance, and click Next.

    Note You must select a data center or data center folder that contains at least one ESXi host that is not
    in lockdown or maintenance mode.

  7 Select the ESXi host or DRS cluster on which you want to deploy the appliance, and click Next.

6 On the Set up appliance VM page, enter a name for the vCenter Server appliance, set the password for the
root user, and click Next.

The appliance name must not contain a percent sign (%), backslash (\), or forward slash (/) and must be no
more than 80 characters in length.

The password must contain only lower ASCII characters without spaces, at least eight characters, a number,
uppercase and lowercase letters, and a special character, for example, an exclamation mark (!), hash key (#), at
sign (@), or brackets (()).

7 Select the deployment size for the vCenter Server appliance for your vSphere inventory.

Deployment Size Option   Description

Tiny                     Deploys an appliance with 2 vCPUs and 12 GB of memory.
                         Suitable for environments with up to 10 hosts or 100 virtual machines.

Small                    Deploys an appliance with 4 CPUs and 19 GB of memory.
                         Suitable for environments with up to 100 hosts or 1,000 virtual machines.

Medium                   Deploys an appliance with 8 CPUs and 28 GB of memory.
                         Suitable for environments with up to 400 hosts or 4,000 virtual machines.

Large                    Deploys an appliance with 16 CPUs and 37 GB of memory.
                         Suitable for environments with up to 1,000 hosts or 10,000 virtual machines.

X-Large                  Deploys an appliance with 24 CPUs and 56 GB of memory.
                         Suitable for environments with up to 2,000 hosts or 35,000 virtual machines.

8 Select the storage size for the vCenter Server appliance, and click Next.

Storage with which the appliance is deployed, by storage size option and deployment size:

Storage Size Option   Tiny      Small     Medium    Large     X-Large

Default               315 GB    380 GB    600 GB    965 GB    1705 GB
Large                 1390 GB   1435 GB   1600 GB   1665 GB   1805 GB
X-Large               3145 GB   3195 GB   3360 GB   3425 GB   3565 GB

9 From the list of available datastores, select the location where all the virtual machine configuration files and
virtual disks will be stored and, optionally, enable thin provisioning by selecting Enable Thin Disk Mode.
NFS datastores are thin provisioned by default.

10 On the Configure network settings page, set up the network settings.

The IP address or the FQDN of the appliance is used as a system name. It is recommended to use an FQDN.
However, if you want to use an IP address, use static IP address allocation for the appliance, because IP
addresses allocated by DHCP might change.

Option: Network
Action: Select the network to which to connect the appliance.
The networks displayed in the drop-down menu depend on the network settings of the target server. If you are
deploying the appliance directly on an ESXi host, non-ephemeral distributed virtual port groups are not supported
and are not displayed in the drop-down menu.

Option: IP version
Action: Select the version for the appliance IP address. You can select either IPv4 or IPv6.

Option: IP assignment
Action: Select how to allocate the IP address of the appliance.
  • static
    The wizard prompts you to enter the IP address and network settings.
  • DHCP
    A DHCP server is used to allocate the IP address. Select this option only if a DHCP server is available in
    your environment.
    If there is an enabled DDNS in your environment, you can enter a preferred fully qualified domain name
    (FQDN) for the appliance.

Option: Common Ports
Action: You can customize the HTTP and HTTPS ports (optional).
If specifying a custom HTTP and HTTPS port number, ensure that you do not use a port number already in use by
vCenter Server, or the default HTTP and HTTPS ports of 80 and 443.

11 On the Ready to complete stage 1 page, review the deployment settings for the vCenter Server appliance
and click Finish to start the OVA deployment process.

12 Wait for the OVA deployment to finish, and click Continue to proceed with stage 2 of the deployment
process to set up and start the services of the newly deployed appliance.

Note If you exit the wizard by clicking Close, you must log in to the vCenter Server Management
Interface to set up and start the services.

Results

The newly deployed vCenter Server appliance is running on the target server but the services are not started.
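
Step 5 of the procedure above asks you to verify the SHA1 thumbprint shown in the certificate warning. The following Python sketch is an added example, not part of the VMware guide: it computes the thumbprint of a reference copy of the target's certificate and compares it with the string the installer displays. It assumes the reference certificate was exported from the target over a path you already trust; all function names are hypothetical.

```python
import hashlib
import hmac
import re
import ssl


def sha1_thumbprint(der_cert: bytes) -> str:
    """SHA-1 over the DER-encoded certificate, as colon-separated upper-case hex."""
    digest = hashlib.sha1(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_thumbprint(text: str) -> str:
    """Strip colons and whitespace; reject anything that is not 40 hex digits."""
    hex_only = re.sub(r"[\s:]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", hex_only):
        raise ValueError("not a SHA-1 thumbprint: expected 40 hex digits")
    return hex_only


def thumbprint_matches(displayed: str, reference_der: bytes) -> bool:
    """True if the thumbprint shown in the warning belongs to the reference certificate."""
    expected = normalize_thumbprint(sha1_thumbprint(reference_der))
    return hmac.compare_digest(normalize_thumbprint(displayed), expected)


def load_reference_pem(path: str) -> bytes:
    """Load a PEM certificate exported from the target over a trusted path (assumption)."""
    with open(path, "r", encoding="ascii") as handle:
        return ssl.PEM_cert_to_DER_cert(handle.read())


def fetch_presented_cert(host: str, port: int = 443) -> bytes:
    """Fetch, without validation, the certificate the network currently presents.

    This shows what the installer will see. It is not a trusted reference,
    because it travels over the same path as the installer's own connection.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate, so the demo runs offline.
    reference = b"abc"
    shown_in_warning = "a9:99:3e:36:47:06:81:6a:ba:3e:25:71:78:50:c2:6c:9c:d0:d8:9d"
    print("reference thumbprint:", sha1_thumbprint(reference))
    print("accept certificate:  ", thumbprint_matches(shown_in_warning, reference))
```

Click Yes in the wizard only when the comparison succeeds; a mismatch means the installer is not talking to the certificate you recorded.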

Stage 2 - Set up the Newly Deployed vCenter Server Appliance

When the OVA deployment finishes, you are redirected to stage 2 of the deployment process to set up and start the
services of the newly deployed vCenter Server appliance.

Procedure

1 Review the introduction to stage 2 of the deployment process and click Next.

2 Configure the time settings in the appliance, optionally enable remote SSH access to the appliance, and
click Next.

Option: Synchronize time with the ESXi host
Description: Enables periodic time synchronization, and VMware Tools sets the time of the guest operating system
to be the same as the time of the ESXi host.

Option: Synchronize time with NTP servers
Description: Uses a Network Time Protocol server for synchronizing the time. If you select this option, you must
enter the names or IP addresses of the NTP servers separated by commas.

3 Create a new vCenter Single Sign-On domain or join an existing domain.

Option: Create a new Single Sign-On domain
Description: Creates a new vCenter Single Sign-On domain.
  a Enter the domain name, for example vsphere.local.
  b Set the password for the vCenter Single Sign-On administrator account.
    This is the password for the user administrator@your_domain_name.
  c Confirm the administrator password, and click Next.

Option: Join an existing vCenter Single Sign-On domain
Description: Joins a new vCenter Single Sign-On server to an existing vCenter Single Sign-On domain. You must
provide the information about the vCenter Single Sign-On server to which you join the new vCenter Single Sign-On
server.
  a Enter the fully qualified domain name (FQDN) or IP address of the vCenter Single Sign-On server to join.
  b Enter the HTTPS port to use for communication with the vCenter Single Sign-On server.
  c Enter the domain name for the vCenter Single Sign-On you are joining, for example vsphere.local.
  d Enter the password of the vCenter Single Sign-On administrator account.
  e Click Next.

When you select to join an existing vCenter Single Sign-On domain, you enable the Enhanced Linked Mode
feature. The infrastructure data is replicated with the joined vCenter Single Sign-On server.

4 Review the VMware Customer Experience Improvement Program (CEIP) page and choose if you want to
join the program.

For information about the CEIP, see the Configuring Customer Experience Improvement Program
section in vCenter Server and Host Management.

5 On the Ready to complete page, review the configuration settings for the vCenter Server appliance, click
Finish, and click OK to complete stage 2 of the deployment process and set up the appliance.

6 (Optional) After the initial setup finishes, enter the URL https://vcenter_server_appliance_fqdn/ui in the
browser to go to the vSphere Client and log in to the vCenter Server instance in the vCenter Server appliance, or
click the https://vcenter_server_appliance_fqdn:443 link to go to the vCenter Server appliance Getting Started
page.

7 Click Close to exit the wizard.

You are redirected to the vCenter Server appliance Getting Started page.

What to do next

You can configure high availability for the vCenter Server appliance. For information about providing
vCenter Server appliance high availability, see vSphere Availability.


vCenter Server Infrastructure Configuration


After vCenter Server and the Platform Services Controller are installed, perform these tasks (where
appropriate) to configure the systems.

With vSphere 7.0, all of the configuration is done from the vSphere HTML5 Web Client. The Flex-based Web
Client is no longer available.

Managing Licenses

To license an asset in vSphere, you must assign it a license that holds an appropriate product license key. You
can use the license management functionality in the vSphere Client to license multiple assets at a time from a
central place. Assets are vCenter Server systems, hosts, vSAN clusters, Supervisor Clusters, and solutions.

In vSphere, you can assign one license to multiple assets of the same type if the license has enough capacity. You
can assign a suite license to all components that belong to the suite product edition. For example, you can assign
one vSphere license to multiple ESXi hosts, but you cannot assign two licenses to one host. If you have a vCloud
Suite license, you can assign the license to ESXi hosts, vCloud Networking and Security, vCenter Site Recovery
Manager, and so on.

Managing Licenses in the vSphere Client
(http://link.brightcove.com/services/player/bcpid2296383276001?bctid=ref:video_vsphere67_licenses)

Create New Licenses

When you purchase, divide, or combine license keys in My VMware, you must use the new keys to license assets
in your vSphere environment. You must go to the vSphere Client and create a license object for every license key.
A license is a container for a license key of a VMware product. After you create the new licenses, you can assign
them to assets.

Prerequisites

• To view and manage licenses in the vSphere environment, you must have the
  Global.Licenses privilege on the vCenter Server system, where the vSphere Client runs.

Procedure

1 Click Menu > Administration.

2 Expand Licensing and click Licenses.

3 On the Licenses tab, click Add New Licenses.

4 On the Enter licenses keys page, enter one license key per line, and click Next.

The license key is a 25-symbol string of letters and digits in the format
XXXXX-XXXXX-XXXXX-XXXXX-XXXXX. You can enter a list of keys in one operation. A new license will be
created for every license key that you enter.

5 On the Edit license names page, rename the new licenses as appropriate and click Next.

6 On the Ready to complete page, review the new licenses and click Finish.


Results

A new license is created for every license key that you entered.

What to do next

Assign the new licenses to hosts, vCenter Server systems, or other products that you use with vSphere. You must
not keep unassigned licenses in the inventory.

Configuring License Settings for Assets in the vSphere Client


To continue using product functionality, you must assign appropriate licenses to assets in evaluation mode, or assets
with expiring licenses. When you upgrade a license edition, combine, or split licenses in My VMware, you must
assign the new licenses to assets. You can assign licenses that are already available or create licenses and assign
them to the assets in a single workflow. Assets are vCenter Server systems, ESXi hosts, vSAN clusters, Supervisor
Clusters, and other products that integrate with vSphere.

Assign a License to Multiple Assets

To continue using product functionality, you must assign appropriate licenses to assets in evaluation mode, or assets
with expiring licenses. When you upgrade a license edition, combine, or split licenses in My VMware, you must
assign the new licenses to assets. You can assign licenses that are already available, or create licenses and assign
them to the assets in a single workflow. Assets are vCenter Server systems, ESXi hosts, vSAN clusters, Supervisor
Clusters, and other products that integrate with vSphere.

Prerequisites

• To view and manage licenses in the vSphere environment, you must have the
  Global.Licenses privilege on the vCenter Server system, where the vSphere Client runs.

Procedure

1 Click Menu > Administration.

2 Expand Licensing and click Licenses.

3 Select the Assets tab.

4 On the Assets tab, click the vCenter Server systems, Hosts, vSAN Clusters, Supervisor Clusters, or
Solutions tab.

5 Select the assets to license.

Note Use Shift+click to select multiple assets.

6 Click Assign License.


7 In the Assign License dialog box, select the task that you want to perform.

• In the vSphere Client, select an existing license or select a newly created license.

Task: Select an existing license
Steps: Select an existing license from the list and click OK.

Task: Select a newly created license
Steps:
  a Click the New License tab.
  b In the Assign License dialog box, type or copy and paste a license key and click OK.
  c Enter a name for the new license and click OK.
    Details about the product, product features, capacity, and expiration period appear on the page.
  d Click OK.
  e In the Assign License dialog box, select the newly created license, and click OK.

Results

The license is assigned to the assets. Capacity from the license is allocated according to the license use of the
assets. For example, if you assign the license to 3 hosts with 4 CPUs each, the consumed license capacity is 12
CPUs.
Configure License Settings for an ESXi Host
You must assign a license to an ESXi host before its evaluation period expires or its currently assigned license
expires. If you upgrade, combine, or divide vSphere licenses in My VMware, you must assign the new licenses to
ESXi hosts and remove the old licenses.

Prerequisites

• To view and manage licenses in the vSphere environment, you must have the
Global.Licenses privilege on the vCenter Server system, where the vSphere Client runs.

Procedure

1 Navigate to the host in the inventory.

2 Select the Configure tab.

3 Under Settings, select Licensing.

4 Click Assign License.


5 In the Assign License dialog box, select the task that you want to perform.

• In the vSphere Client, select an existing license or select a newly created license.

Task: Select an existing license
Steps: Select an existing license from the list and click OK.

Task: Select a newly created license
Steps:
a Click the New License tab.
b In the Assign License dialog box, type or copy and paste a license key and click
OK.
c Enter a name for the new license and click OK.
Details about the product, product features, capacity, and expiration period appear
on the page.
d Click OK.
e In the Assign License dialog box, select the newly created license, and click OK.

Results

The license is assigned to the host. Capacity from the license is allocated according to the license use of the host.
Configure License Settings for vCenter Server
You must assign a license to a vCenter Server system before its evaluation period expires or its currently assigned
license expires. If you upgrade, combine, or divide vCenter Server licenses in My VMware, you must assign the
new licenses to vCenter Server systems and remove the old licenses.

Prerequisites

• To view and manage licenses in the vSphere environment, you must have the
Global.Licenses privilege on the vCenter Server system, where the vSphere Client runs.

Procedure

1 Navigate to the vCenter Server system.

2 Select the Configure tab.

3 Under Settings, select Licensing.

4 Click Assign License.


5 In the Assign License dialog box, select the task that you want to perform.

• In the vSphere Client, select an existing license or select a newly created license.

Task: Select an existing license
Steps: Select an existing license from the list and click OK.

Task: Select a newly created license
Steps:
a Click the New License tab.
b In the Assign License dialog box, type or copy and paste a license key and click
OK.
c Enter a name for the new license and click OK.
Details about the product, product features, capacity, and expiration period appear
on the page.
d Click OK.
e In the Assign License dialog box, select the newly created license, and click OK.

Results

The license is assigned to the vCenter Server system, and one instance from the license capacity is allocated for the
vCenter Server system.
Configure License Settings for a vSAN Cluster
You must assign a license to a vSAN cluster before its evaluation period expires or its currently assigned license
expires.

If you upgrade, combine, or divide vSAN licenses, you must assign the new licenses to vSAN clusters. When you
assign a vSAN license to a cluster, the amount of license capacity used equals the total number of CPUs in the
hosts participating in the cluster. The license use of the vSAN cluster is recalculated and updated every time you
add or remove a host from the cluster. For information about managing licenses and licensing terminology and
definitions, see the vCenter Server and Host Management documentation.

When you enable vSAN on a cluster, you can use vSAN in evaluation mode to explore its features. The
evaluation period starts when vSAN is enabled, and expires after 60 days. To use vSAN, you must license the
cluster before the evaluation period expires. Just like vSphere licenses, vSAN licenses have per CPU capacity.
Some advanced features, such as all-flash configuration and stretched clusters, require a license that supports the
feature.

Prerequisites

• To view and manage vSAN licenses, you must have the Global.Licenses privilege on the vCenter Server
systems.

Procedure

1 Navigate to your vSAN cluster.

2 Click the Configure tab.

3 Right-click your vSAN cluster, and choose menu Assign License.


4 Select an existing license and click OK.

Create a Data Center

A virtual data center is a container for all the inventory objects required to complete a fully functional
environment for operating virtual machines. You can create multiple data centers to organize groups of
environments to meet different user needs. For example, you can create a data center for each organizational unit
in your enterprise or create some data centers for high-performance environments and other data centers for less
demanding environments.

Prerequisites

Required privileges:

• Datacenter.Create datacenter

Procedure

1 In the vSphere Client home page, navigate to Home > Hosts and Clusters.

2 Right-click the vCenter Server object and select New Datacenter.

3 (Optional) Enter a name for the data center and click OK.

What to do next

Add hosts, clusters, resource pools, vApps, networking, datastores, and virtual machines to the data center.

Creating and Configuring Clusters

A cluster is a group of hosts. When a host is added to a cluster, the resources of the host become part of the
resources of the cluster. The cluster manages the resources of all hosts that it contains.

Starting with vSphere 6.7, you can create and configure a cluster that is hyper-converged. The hyper-converged
infrastructure collapses compute, storage, and networking on a single software layer that runs on industry standard
x86 servers.

You can create and configure a cluster by using the simplified Quickstart workflow in the vSphere Client. On the
Cluster quickstart page, there are three cards for configuring your new cluster.

Table 2-13. The cards initiating wizards for renaming and configuring a new cluster

Cluster Quickstart Workflow | Description

1. Cluster basics | You can edit the cluster name and enable or disable cluster services. The card lists the services you enabled.

2. Add hosts | You can add new ESXi hosts. After the hosts are added, the card shows the total number of the hosts present in the cluster and health check validation for those hosts.

3. Configure cluster | You can configure network settings for vMotion traffic, review and customize cluster services. After the cluster is configured, the card provides details on configuration mismatch and reports cluster health results through the vSAN Health service.


The Skip Quickstart button prompts you to continue configuring the cluster and its hosts manually. To
confirm exiting the simplified configuration workflow, click Continue. After you dismiss the Cluster
quickstart workflow, you cannot restore it for the current cluster.

You must create clusters if you plan to enable vSphere High Availability (HA), vSphere Distributed Resource
Scheduler (DRS), and the VMware vSAN features.

Starting with vSphere 7.0, you can create a cluster that you manage with a single image. By using vSphere
Lifecycle Manager images, you can easily update and upgrade the software and firmware on the hosts in the
cluster. For more information about using images to manage ESXi hosts and clusters, see the Managing Host and
Cluster Lifecycle documentation.

Starting with vSphere 7.0 Update 1, vSphere Cluster Services (vCLS) is enabled by default and runs in all vSphere
clusters. vCLS ensures that if vCenter Server becomes unavailable, cluster services remain available to maintain
the resources and health of the workloads that run in the clusters. For more information about vCLS, see vSphere
Cluster Services (vCLS).
Create a Cluster
You create a new and empty cluster object by using the Quickstart workflow in the vSphere Client.

Starting with vSphere 7.0, the clusters that you create can use vSphere Lifecycle Manager images for host
updates and upgrades.

A vSphere Lifecycle Manager image is a combination of vSphere software, driver software, and desired firmware
with regard to the underlying host hardware. The image that a cluster uses defines the full software set that you
want to run on the ESXi hosts in the cluster: the ESXi version, additional VMware-provided software, and vendor
software, such as firmware and drivers.

The image that you define during cluster creation is not immediately applied to the hosts. If you do not set up an
image for the cluster, the cluster uses baselines and baseline groups. For more information about using images and
baselines to manage hosts in clusters, see the Managing Host and Cluster Lifecycle documentation.

Prerequisites

• Verify that a data center, or a folder within a data center, exists in the inventory.

• Verify that hosts have the same ESXi version and patch level.

• Obtain the user name and password of the root user account for the host.

• Verify that hosts do not have a manual vSAN configuration or a manual networking configuration.

• To create a cluster that you manage with a single image, review the requirements and limitations information
in the Managing Host and Cluster Lifecycle documentation and verify that you have an ESXi image available
in the vSphere Lifecycle Manager depot.

Required privileges:

• Host.Inventory.Create cluster


Procedure

1 In the vSphere Client home page, navigate to Home > Hosts and Clusters.

2 Select a data center.

3 Right-click the data center and select New Cluster.

4 Enter a name for the cluster.

5 Select DRS, vSphere HA, or vSAN cluster features.

Option: To use DRS with this cluster
Description:
a Slide the switch to the right to enable the DRS service.
b (Optional) Click the info icon on the left to see the Default Settings for the DRS
service. The default values are:
• Automation Level: Fully Automated
• Migration Threshold: 3

Option: To use vSphere HA with this cluster
Description:
a Slide the switch to the right to enable the vSphere HA service.
b (Optional) Click the info icon on the left to see the Default Settings for the vSphere
HA service. You are presented with the following default values:
• Host Monitoring: Enabled
• Admission Control: Enabled
• VM Monitoring: Disabled

Option: To use vSAN with this cluster
Description:
• Slide the switch to the right to enable the vSAN service.
For more information on vSAN, see Creating a vSAN Cluster in the vSAN Planning
and Deployment documentation.

You can override the default values later on in the workflow.

6 (Optional) To create a cluster that you manage by a single image, select the Manage all hosts in the cluster
with a single image check box.

Verify you have an ESXi Version 7.0 or later in the vSphere Lifecycle Manager repository.

a Select an ESXi Version from the drop-down menu.

b (Optional) Select a Vendor Addon and a Vendor Addon version from the drop-down menu.

You can edit the image specification later from the Updates tab.
If you do not set up an image for the cluster, you must manage the cluster by using baselines and baseline
groups. You can switch from using baselines to using images at a later time.

7 Click OK.

The cluster appears in the vCenter Server inventory. The Quickstart service appears under the Configure
tab.

8 (Optional) To rename your cluster and to enable or disable cluster services, click Edit in the
Cluster basics card.


Results

You have created an empty cluster in the vCenter Server inventory.

What to do next

Add hosts to the cluster.


Add a Host to a Cluster
You can add new and existing ESXi hosts to the vCenter Server inventory.

You can also add hosts to a DRS cluster. For more information, see vSphere Resource Management.

When you add the first three hosts to the cluster, vSphere Cluster Services (vCLS) agent virtual machines are
added by default to the cluster. A quorum of up to three vCLS agent virtual machines is required to run in a
cluster, one agent virtual machine per host. For more information about vCLS, see vSphere Cluster Services
(vCLS).

Prerequisites

• Verify that hosts have the same ESXi version and patch level.

• Obtain the user name and password of the root user account for the host.

• Verify that hosts do not have a manual vSAN configuration or a manual networking configuration.

• Verify that you have the proper privileges. Different sets of privileges apply when you add multiple hosts to
a cluster and a single host to a cluster or a data center. For more information, see Required Privileges for
Common Tasks in the vSphere Security documentation.

• To add a host to a cluster that you manage with a single image, review the requirements and limitations
information in the Managing Host and Cluster Lifecycle documentation.

Procedure

1 In the vSphere Client, navigate to a cluster within a data center.

2 On the Configure tab, select Configuration > Quickstart.

3 Click Add in the Add hosts card.

4 On the Add hosts page, under the New hosts tab, add hosts that are not part of the vCenter Server inventory
by populating the IP Address and credentials text boxes for those hosts.

5 (Optional) Select the Use the same credentials for all hosts option to reuse the
credentials for all added hosts.

6 On the Add hosts page, click the Existing hosts tab, and add hosts that are managed by the vCenter Server
and are in the same data center as your cluster.


7 Click Next.

The Host summary page lists all hosts that will be added to the cluster and related warnings.

Note If a host cannot be validated automatically by the system, you are prompted to manually validate
its certificate and accept its thumbprint in the Security Alert pop-up.

8 On the Host summary page, review the details of the added hosts and click Next.

9 On the Ready to complete page, review the IP addresses or FQDN of the added hosts and click Finish.

Review the number of added hosts and the health check validation, performed by the vSAN Health service, in
the Add hosts card.

10 (Optional) Click Re-validate to retrigger the validation of the hosts.

Note If an error occurs, it is visible in the Recent Tasks tab only.

Results

All hosts are placed in maintenance mode and added to your cluster. You can manually exit the maintenance
mode.

What to do next

Configure your cluster default settings through the Quickstart workflow.

Managing Certificates with the vSphere Client

You can view and manage certificates by using the vSphere Client. You also can perform many certificate
management tasks with the vSphere Certificate Manager utility.

The vSphere Client enables you to perform these management tasks.

• View the trusted root certificates and machine SSL certificates.

• Renew existing certificates or replace certificates.

• Generate a custom Certificate Signing Request (CSR) for a machine SSL certificate and replace the
certificate when the Certificate Authority returns it.

Most parts of the certificate replacement workflows are supported fully from the vSphere Client. For generating
CSRs for machine SSL certificates, you can use either the vSphere Client or the Certificate Manager utility.

Supported Workflows

After you install a vCenter Server, the VMware Certificate Authority on that node provisions all other nodes in the
environment with certificates by default. See vSphere Security Certificates for the current recommendations for
managing certificates.

You can use one of the following workflows to renew or replace certificates.

Renew Certificates


You can have VMCA renew SSL certificates and solution user certificates in your environment from the
vSphere Client.

Make VMCA an Intermediate CA

You can generate a CSR using the vSphere Certificate Manager utility. You can then edit the certificate you
receive from the CSR to add VMCA to the chain, and then add the certificate chain and private key to your
environment. When you then renew all certificates, VMCA provisions all machines and solution users with
certificates that the full chain has signed.

Replace Certificates with Custom Certificates

If you do not want to use VMCA, you can generate CSRs for the certificates that you want to replace. The CA
returns a root certificate and a signed certificate for each CSR. You can upload the root certificate and the
custom certificates from the vCenter Server.

Note If you use VMCA as an intermediate CA, or use custom certificates, you might encounter significant
complexity and the potential for a negative impact to your security, and an unnecessary increase in your
operational risk. For more information about managing certificates within a vSphere environment, see the blog
post titled New Product Walkthrough - Hybrid vSphere SSL Certificate Replacement at
http://vmware.com/go/hybridvmca.

Set the Threshold for vCenter Certificate Expiration Warnings


vCenter Server monitors all certificates in the VMware Endpoint Certificate Store (VECS) and issues an alarm
when a certificate is 30 days or less from its expiration. You can change how soon you are warned with the
vpxd.cert.threshold advanced option.

Procedure

1 Log in to the vSphere Client.

2 Select the vCenter Server object and click Configure.

3 Click Advanced Settings.

4 Click Edit Settings and filter for threshold.

5 Change the setting of vpxd.cert.threshold to the desired value and click Save.

Renew VMCA Certificates with New VMCA-Signed Certificates from the vSphere Client
You can replace all VMCA-signed certificates with new VMCA-signed certificates. This process is called
renewing certificates. You can renew selected certificates or all certificates in your environment from the vSphere
Client.

Prerequisites

For certificate management, you have to supply the password of the administrator of the local domain
(administrator@vsphere.local by default). If you are renewing certificates for a vCenter Server system, you also
have to supply the vCenter Single Sign-On credentials for a user with administrator privileges on the vCenter
Server system.


Procedure

1 Log in with the vSphere Client to the vCenter Server.

2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter
Single Sign-On Administrators group.

If you specified a different domain during installation, log in as administrator@mydomain.

3 Navigate to the Certificate Management UI.

a From the Home menu, select Administration.

b Under Certificates, click Certificate Management.

4 If the system prompts you, enter the credentials of your vCenter Server.

5 Renew the VMCA-signed machine SSL certificate for the local system.

a Select Machine SSL Certificate.

b Click Actions > Renew.

c Click Renew.

vCenter Server services restart automatically. You must log back in because restarting the services ends the
UI session.

Set Up Your System to Use Custom Certificates


You can set up your environment to use custom certificates.

You can generate Certificate Signing Requests (CSRs) for each machine and for each solution user using the
Certificate Manager utility. You can also generate CSRs for each machine, and replace certificates when you
receive them from the third-party CA, using the vSphere Client. When you submit the CSRs to your internal or
third-party CA, the CA returns signed certificates and the root certificate. You can upload both the root certificate
and the signed certificates from the vCenter Server UI.
Generate Certificate Signing Request for Machine SSL Certificate Using the vSphere Client (Custom
Certificates)
The machine SSL certificate is used by the reverse proxy service on every vCenter Server node. Each machine must
have a machine SSL certificate for secure communication with other services. You can use the vSphere Client to
generate a Certificate Signing Request (CSR) for the machine SSL certificate and to replace the certificate once it is
ready.

Prerequisites

The certificate must meet the following requirements:

• Key size: 2048 bits (minimum) to 16384 bits (maximum) (PEM encoded)

• CRT format

• x509 version 3

• SubjectAltName must contain DNS Name=<machine_FQDN>.

• Contains the following Key Usages: Digital Signature, Non-Repudiation, Key Encipherment

Note Do not use CRL Distribution Points, Authority Information Access, or Certificate Template Information in any
custom certificates.
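
The requirements above can be checked mechanically on the certificate your CA returns, before you import it. The script below is an added example, not part of this guide or of VMware tooling; it needs only the openssl CLI, and the function names, the vc01.example.test host name and the sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-import check of a CA-returned machine SSL certificate
# against the requirements listed above. Function names are hypothetical.

# check_machine_ssl_cert CERT_PEM MACHINE_FQDN
# Prints one "FAIL: ..." line per unmet requirement.
# Exit status: 0 = all met, 1 = at least one unmet, 2 = file unreadable.
# The body is a subshell "( ... )" so its variables do not leak to the caller.
check_machine_ssl_cert() (
    cert=$1
    fqdn=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    fail=0
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "FAIL: $cert is not a readable PEM X.509 certificate"
        exit 2
    }
    # has STRING: true if the text dump contains STRING.
    has() { printf '%s\n' "$text" | grep -F -q -- "$1"; }
    # after HEADER: print the line that follows an extension header.
    after() { printf '%s\n' "$text" | awk -v h="$1" 'index($0, h) { getline; print; exit }'; }

    # x509 version 3
    has 'Version: 3 (0x2)' || { echo "FAIL: not an X.509 version 3 certificate"; fail=1; }

    # Key size: 2048 bits (minimum) to 16384 bits (maximum)
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ] || [ "$bits" -gt 16384 ]; then
        echo "FAIL: key size '${bits:-unknown}' is outside 2048-16384 bits"; fail=1
    fi

    # SubjectAltName must contain DNS Name=<machine_FQDN> (exact, case-insensitive)
    after 'X509v3 Subject Alternative Name' | tr ',' '\n' | sed 's/^ *//; s/ *$//' |
        tr '[:upper:]' '[:lower:]' | grep -F -q -x -- "dns:$fqdn" ||
        { echo "FAIL: SubjectAltName has no DNS entry for $fqdn"; fail=1; }

    # Required key usages (openssl prints Non-Repudiation as "Non Repudiation")
    ku=$(after 'X509v3 Key Usage')
    for usage in 'Digital Signature' 'Non Repudiation' 'Key Encipherment'; do
        case $ku in
            *"$usage"*) ;;
            *) echo "FAIL: Key Usage lacks $usage"; fail=1 ;;
        esac
    done

    # Extensions the note above says not to use. 1.3.6.1.4.1.311.21.7 is the
    # Microsoft Certificate Template Information OID; depending on the openssl
    # version it is printed numerically or by name.
    for ext in 'X509v3 CRL Distribution Points' 'Authority Information Access' \
               '1.3.6.1.4.1.311.21.7' 'Microsoft certificate template'; do
        if has "$ext"; then echo "FAIL: forbidden extension present: $ext"; fail=1; fi
    done
    [ "$fail" -eq 0 ]
)

# make_sample_cert DIR NAME FQDN KEY_USAGE [EXTRA_EXTENSION_LINE]
# Constructed test input: a throwaway self-signed certificate, not a real
# vCenter Server certificate.
make_sample_cert() {
    cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $3
[ext]
subjectAltName = DNS:$3
keyUsage = $4
${5:-}
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# Demo on constructed certificates: sh check_cert.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_cert "$d" good vc01.example.test \
        "digitalSignature, nonRepudiation, keyEncipherment"
    make_sample_cert "$d" bad esx07.example.test "digitalSignature, keyEncipherment" \
        "crlDistributionPoints = URI:http://ca.example.test/root.crl"
    check_machine_ssl_cert "$d/good.crt" vc01.example.test && echo "good.crt: OK"
    check_machine_ssl_cert "$d/bad.crt" vc01.example.test || echo "bad.crt: rejected"
    rm -rf "$d"
fi
```

A non-zero exit status means at least one listed requirement is unmet, and each FAIL line names which one.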

Procedure

1 Log in with the vSphere Client to the vCenter Server.

2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter
Single Sign-On Administrators group.

If you specified a different domain during installation, log in as administrator@mydomain.

3 Navigate to the Certificate Management UI.

a From the Home menu, select Administration.

b Under Certificates, click Certificate Management.

4 Enter the credentials of your vCenter Server.

5 Generate the CSR.

a Under Machine SSL Certificate, for the certificate you want to replace, click Actions > Generate
Certificate Signing Request (CSR).

b Enter your certificate information and click Next.

Note When you use vCenter Server to generate a CSR with a key size of 16384 bits, the generation takes a
few minutes to complete because of the CPU-intensive nature of the operation.

c Copy or download the CSR.

d Click Finish.

e Provide the CSR to your Certificate Authority.

What to do next

When the Certificate Authority returns the certificate, replace the existing certificate in the certificate store.
See Add Custom Certificates.

Generate Certificate Signing Requests with vSphere Certificate Manager (Custom Certificates)
You can use vSphere Certificate Manager to generate Certificate Signing Requests (CSRs) that you can then use with your
enterprise CA or send to an external certificate authority. You can use the certificates with the different
supported certificate replacement processes.

You can run the Certificate Manager tool from the command line as follows:

/usr/lib/vmware-vmca/bin/certificate-manager


Prerequisites

vSphere Certificate Manager prompts you for information. The prompts depend on your environment and
on the type of certificate you want to replace.

• For any CSR generation, you are prompted for the password of the administrator@vsphere.local user, or
for the administrator of the vCenter Single Sign-On domain that you are connecting to.

• You are prompted for the host name or IP address of the vCenter Server.

• To generate a CSR for a machine SSL certificate, you are prompted for certificate properties, which are stored
in the certool.cfg file. For most fields, you can accept the default or provide site-specific values. The
FQDN of the machine is required.

Procedure

1 On each machine in your environment, start vSphere Certificate Manager and select option 1.

2 Supply the password and the vCenter Server IP address or host name if prompted.

3 Select option 1 to generate the CSR, answer the prompts and exit Certificate Manager.

As part of the process, you have to provide a directory. Certificate Manager places the certificate and
key files in the directory.

4 If you also want to replace all solution user certificates, restart Certificate Manager.

5 Select option 5.

6 Supply the password and the vCenter Server IP address or host name if prompted.

7 Select option 1 to generate the CSRs, answer the prompts and exit Certificate Manager.

As part of the process, you have to provide a directory. Certificate Manager places the certificate and
key files in the directory.

What to do next

Perform certificate replacement.

Add a Trusted Root Certificate to the Certificate Store


If you want to use third-party certificates in your environment, you must add a trusted root certificate to the
certificate store.

Prerequisites

Obtain the custom root certificate from your third-party or in-house CA.

Procedure

1 Log in with the vSphere Client to the vCenter Server.

2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter
Single Sign-On Administrators group.

If you specified a different domain during installation, log in as administrator@mydomain.


3 Navigate to the Certificate Management UI.

a From the Home menu, select Administration.

b Under Certificates, click Certificate Management.

4 If the system prompts you, enter the credentials of your vCenter Server.

5 Under Trusted Root Certificates, click Add.

6 Click Browse and select the location of the certificate chain.

You can use a file of type CER, PEM, or CRT.

7 Click Add.

The certificate is added to the store.

Add Custom Certificates


You can add custom Machine SSL certificates to the certificate store.

Usually, replacing the machine SSL certificate for each component is sufficient.

Prerequisites

Generate certificate signing requests (CSRs) for each certificate that you want to replace. You can generate the
CSRs with the Certificate Manager utility. You can also generate a CSR for a machine SSL certificate using the
vSphere Client. Place the certificate and private key in a location that the vCenter Server can access.

Procedure

1 Log in with the vSphere Client to the vCenter Server.

2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter
Single Sign-On Administrators group.

If you specified a different domain during installation, log in as administrator@mydomain.

3 Navigate to the Certificate Management UI.

a From the Home menu, select Administration.

b Under Certificates, click Certificate Management.

4 If the system prompts you, enter the credentials of your vCenter Server.

5 Under Machine SSL Certificate, for the certificate that you want to replace, click Actions > Import and
Replace Certificate.


6 Click the appropriate certificate replacement option and click Next.

Option | Description

Replace with VMCA | Creates a VMCA-generated CSR to replace the current certificate.

Replace with certificate generated from vCenter Server | Use a certificate signed using a vCenter Server generated CSR to replace the current certificate.

Replace with external CA certificate (requires private key) | Use a certificate signed by an external CA to replace the current certificate.

7 Enter the CSR information, or upload the appropriate certificates.

8 Click Replace.

vCenter Server services restart automatically.

Configuring vCenter Single Sign-On Identity Sources

When a user logs in with just a user name, vCenter Single Sign-On checks in the default identity source whether
that user can authenticate. When a user logs in and includes the domain name in the login screen, vCenter Single
Sign-On checks the specified domain if that domain has been added as an identity source. You can add identity
sources, remove identity sources, and change the default.

You configure vCenter Single Sign-On from the vSphere Client. To configure vCenter Single Sign-On, you must
have vCenter Single Sign-On administrator privileges. Having vCenter Single Sign-On administrator privileges is
different from having the Administrator role on vCenter Server or ESXi. In a new installation, only the vCenter
Single Sign-On administrator (administrator@vsphere.local by default) can authenticate to vCenter Single Sign-On.
Identity Sources for vCenter Server with vCenter Single Sign-On
You can use identity sources to attach one or more domains to vCenter Single Sign-On. A domain is a repository for
users and groups that the vCenter Single Sign-On server can use for user authentication.

Starting in vSphere 7.0, vCenter Server supports federated authentication to sign in to vCenter Server. VMware
encourages you to use federated authentication as vSphere moves towards token-based authentication. See
Understanding vCenter Server Identity Provider Federation.

An administrator can add identity sources, set the default identity source, and create users and groups in the
vsphere.local identity source.

The user and group data is stored in Active Directory, OpenLDAP, or locally to the operating system of the machine
where vCenter Single Sign-On is installed. After installation, every instance of vCenter Single Sign-On has the
identity source your_domain_name, for example vsphere.local. This identity source is internal to vCenter Single
Sign-On.

Note At any time, only one default domain exists. If a user from a non-default domain logs in, that user must
add the domain name (DOMAIN\user) to authenticate successfully.


The following identity sources are available.

• Active Directory over LDAP. vCenter Single Sign-On supports multiple Active Directory over LDAP identity
sources.

• Active Directory (Integrated Windows Authentication) versions 2003 and later. vCenter Single Sign-On
allows you to specify a single Active Directory domain as an identity source. The domain can have child
domains or be a forest root domain. VMware KB article 2064250 discusses Microsoft Active Directory Trusts
supported with vCenter Single Sign-On.

• OpenLDAP versions 2.4 and later. vCenter Single Sign-On supports multiple OpenLDAP identity
sources.

Note A future update to Microsoft Windows will change the default behavior of Active Directory to require strong
authentication and encryption. This change will impact how vCenter Server authenticates to Active Directory. If
you use Active Directory as your identity source for vCenter Server, you must plan to enable LDAPS. For more
information about this Microsoft security update, see
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023 and
https://blogs.vmware.com/vsphere/2020/01/microsoft-ldap-vsphere-channel-binding-signing-adv190023.html.

For more information about vCenter Single Sign-On, see vSphere Authentication.
Set the Default Domain for vCenter Single Sign-On
Each vCenter Single Sign-On identity source is associated with a domain. vCenter Single Sign-On uses the default
domain to authenticate a user who logs in without a domain name. Users who belong to a domain that is not the
default domain must include the domain name when they log in.

When a user logs in to a vCenter Server system from the vSphere Client, the login behavior depends on
whether the user is in the domain that is set as the default identity source.

• Users who are in the default domain can log in with their user name and password.

• Users who are in a domain that has been added to vCenter Single Sign-On as an identity source but is not the
default domain can log in to vCenter Server but must specify the domain in one of the following ways.

  • Including a domain name prefix, for example, MYDOMAIN\user1

  • Including the domain, for example, user1@mydomain.com

• Users who are in a domain that is not a vCenter Single Sign-On identity source cannot log in to vCenter
Server. If the domain that you add to vCenter Single Sign-On is part of a domain hierarchy, Active Directory
determines whether users of other domains in the hierarchy are authenticated or not.

Procedure

1 Log in with the vSphere Client to the vCenter Server.


2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter
Single Sign-On Administrators group.

If you specified a different domain during installation, log in as administrator@mydomain.

3 Navigate to the Configuration UI.

a From the Home menu, select Administration.

b Under Single Sign On, click Configuration.

4 Under the Identity Provider tab, click Identity Sources, select an identity source, and click
Set as Default.

5 Click OK.

In the domain display, the default domain shows (default) in the Type column.

Add or Edit a vCenter Single Sign-On Identity Source


Users can log in to vCenter Server only if they are in a domain that has been added as a vCenter Single Sign-On
identity source. vCenter Single Sign-On administrator users can add identity sources, or change the settings for
identity sources that they added.

An identity source can be an Active Directory over LDAP, a native Active Directory (Integrated Windows
Authentication) domain, or an OpenLDAP directory service. See Identity Sources for vCenter Server with
vCenter Single Sign-On.

Immediately after installation, the vsphere.local domain (or the domain you specified during installation)
with the vCenter Single Sign-On internal users is available.

Prerequisites

If you are adding an Active Directory (Integrated Windows Authentication) identity source, the vCenter Server
must be in the Active Directory domain. See Add Platform Services Controller to an Active Directory Domain.

Procedure

1 Log in with the vSphere Client to the vCenter Server.

2 Specify the user name and password for administrator@vsphere.local or another member of the vCenter
Single Sign-On Administrators group.

If you specified a different domain during installation, log in as administrator@mydomain.

3 Navigate to the Configuration UI.

a From the Home menu, select Administration.

b Under Single Sign On, click Configuration.

4 Under the Identity Provider tab, click Identity Sources, and click Add.


5 Select the identity source and enter the identity source settings.

Option Description

Active Directory (Integrated Windows Authentication) Use this option for native Active Directory implementations. The machine on which the
vCenter Single Sign-On service is running must be in an Active Directory domain if you
want to use this option.
See Active Directory Identity Source Settings.

Active Directory over LDAP This option requires that you specify the domain controller and other information. See
Active Directory over LDAP and OpenLDAP Server Identity Source Settings.

OpenLDAP Use this option for an OpenLDAP identity source. See Active Directory over LDAP and
OpenLDAP Server Identity Source Settings.

Note If the user account is locked or disabled, authentications and group and user searches in the Active
Directory domain fail. The user account must have read-only access over the User and Group OU, and must
be able to read user and group attributes. Active Directory provides this access by default. Use a special
service user for improved security.

6 Click Add.

What to do next

Initially, each user is assigned the No Access role. A vCenter Server administrator must assign the user at least to the
Read Only role before the user can log in. See the vSphere Security documentation.

Active Directory Identity Source Settings


If you select the Active Directory (Integrated Windows Authentication) identity source type, you can use the local
machine account as your SPN (Service Principal Name) or specify an SPN explicitly. You can use this option only
if the vCenter Single Sign-On server is joined to an Active Directory domain.

Prerequisites for Using an Active Directory (Integrated Windows Authentication) Identity Source

You can set up vCenter Single Sign-On to use an Active Directory (Integrated Windows Authentication) identity
source only if that identity source is available. Follow the instructions in the vCenter Server Configuration
documentation.

Note Active Directory (Integrated Windows Authentication) always uses the root of the Active Directory domain
forest. To configure your Integrated Windows Authentication identity source with a child domain within your
Active Directory forest, see the VMware knowledge base article at http://kb.vmware.com/kb/2070433.

Select Use machine account to speed up configuration. If you expect to rename the local machine on
which vCenter Single Sign-On runs, specifying an SPN explicitly is preferable.


If you have enabled diagnostic event logging in your Active Directory to identify where hardening might be
needed, you might see a log event with Event ID 2889 on that directory server. Event ID 2889 is generated as an
anomaly rather than a security risk when using Integrated Windows Authentication. For more information about
Event ID 2889, see the VMware knowledge base article at https://kb.vmware.com/s/article/78644.

Table 2-14. Add Identity Source Settings


Text Box Description

Domain name FQDN of the domain name, for example, mydomain.com. Do not
provide an IP address. This domain name must be DNS-resolvable
by the vCenter Server system.

Use machine account Select this option to use the local machine account as the SPN.
When you select this option, you specify only the domain name. Do
not select this option if you expect to rename this machine.

Use Service Principal Name (SPN) Select this option if you expect to rename the local machine. You
must specify an SPN, a user who can authenticate with the identity
source, and a password for the user.

Service Principal Name (SPN) SPN that helps Kerberos to identify the Active Directory service.
Include the domain in the name, for example, STS/example.com.

The SPN must be unique across the domain. Running the setspn -S command checks that no duplicate
is created. See the Microsoft documentation for information on setspn.

User Principal Name (UPN)
Password
Name and password of a user who can authenticate with this identity source. Use the email address
format, for example, jchin@mydomain.com. You can verify the User Principal Name
with the Active Directory Service Interfaces Editor (ADSI Edit).

Active Directory over LDAP and OpenLDAP Server Identity Source Settings
The Active Directory over LDAP identity source is preferred over the Active Directory (Integrated Windows
Authentication) option. The OpenLDAP Server identity source is available for environments that use OpenLDAP.

If you are configuring an OpenLDAP identity source, see the VMware knowledge base article at
http://kb.vmware.com/kb/2064977 for additional requirements.

Note A future update to Microsoft Windows will change the default behavior of Active Directory to require strong
authentication and encryption. This change will impact how vCenter Server authenticates to Active Directory. If
you use Active Directory as your identity source for vCenter Server, you must plan to enable LDAPS. For more
information about this Microsoft security update, see
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023 and
https://blogs.vmware.com/vsphere/2020/01/microsoft-ldap-vsphere-channel-binding-signing-adv190023.html.


Table 2-15. Active Directory over LDAP and OpenLDAP Server Settings
Option Description

Name Name of the identity source.

Base DN for users Base Distinguished Name for users. Enter the DN from which to
start user searches. For example, cn=Users,dc=myCorp,dc=com.

Base DN for groups The Base Distinguished Name for groups. Enter the DN from
which to start group searches. For example,
cn=Groups,dc=myCorp,dc=com.

Domain name The FQDN of the domain.

Domain alias For Active Directory identity sources, the domain's NetBIOS name.
Add the NetBIOS name of the Active Directory domain as an alias
of the identity source if you are using SSPI authentications.
For OpenLDAP identity sources, the domain name in capital
letters is added if you do not specify an alias.

User name ID of a user in the domain who has a minimum of read-only access to
Base DN for users and groups.

Password Password of the user who is specified by Username.

Connect to Domain controller to connect to. Can be any domain controller
in the domain, or specific controllers.

Primary Server URL Primary domain controller LDAP server for the domain. Use the
format ldap://hostname:port or
ldaps://hostname:port. The port is typically 389 for LDAP
connections and 636 for LDAPS connections. For Active Directory
multi-domain controller deployments, the port is typically 3268 for
LDAP and 3269 for LDAPS.
A certificate that establishes trust for the LDAPS endpoint of the
Active Directory server is required when you use
ldaps:// in the primary or secondary LDAP URL.

Secondary server URL Address of a secondary domain controller LDAP server that is
used for failover.

SSL certificates If you want to use LDAPS with your Active Directory LDAP Server
or OpenLDAP Server identity source, click Browse to select a
certificate. To export the root CA certificate from Active Directory,
consult the Microsoft documentation.
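
The checks below are an added example, not VMware code: a Python pre-flight validator for the Table 2-15 settings that flags unencrypted ldap:// URLs to Active Directory, ldaps:// URLs without a certificate, atypical ports, IP addresses used as the domain name, and malformed Base DNs. The settings dictionary, its key names, and the sample values are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Ports Table 2-15 calls typical (3268/3269 for multi-domain controller AD).
TYPICAL_PORTS = {"ldap": {389, 3268}, "ldaps": {636, 3269}}
# One RDN such as "cn=Users" (simplified: escaped commas are not handled).
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")


def check_domain_name(name):
    """The domain must be given as an FQDN, not an IP address."""
    try:
        ipaddress.ip_address(name)
        return [f"ERROR domain_name: {name!r} is an IP address, use the FQDN"]
    except ValueError:
        pass
    if "." not in name.strip("."):
        return [f"ERROR domain_name: {name!r} is not fully qualified"]
    return []


def check_base_dn(field, dn):
    """Base DN for users/groups must be a comma-separated list of RDNs."""
    rdns = [part.strip() for part in dn.split(",")]
    if not all(RDN.match(rdn) for rdn in rdns):
        return [f"ERROR {field}: {dn!r} is not a distinguished name"]
    return []


def check_server_url(field, url, certificate, is_active_directory):
    """Validate one ldap:// or ldaps:// URL and its transport security."""
    try:
        parts = urlsplit(url)
        scheme, host, port = parts.scheme.lower(), parts.hostname, parts.port
    except ValueError:
        return [f"ERROR {field}: {url!r} has an invalid host or port"]
    if scheme not in TYPICAL_PORTS or not host or port is None:
        return [f"ERROR {field}: expected ldap://hostname:port or "
                f"ldaps://hostname:port, got {url!r}"]
    findings = []
    if port not in TYPICAL_PORTS[scheme]:
        findings.append(f"WARN {field}: port {port} is not a typical "
                        f"{scheme} port {sorted(TYPICAL_PORTS[scheme])}")
    if scheme == "ldaps" and not certificate:
        findings.append(f"ERROR {field}: ldaps:// needs a certificate that "
                        "establishes trust for the LDAPS endpoint")
    if scheme == "ldap" and is_active_directory:
        findings.append(f"WARN {field}: unencrypted LDAP to Active Directory; "
                        "plan to enable LDAPS (ADV190023)")
    return findings


def check_identity_source(settings):
    """Return every finding for one identity source (empty list = clean)."""
    is_ad = settings["type"] == "ActiveDirectory"
    findings = check_domain_name(settings["domain_name"])
    findings += check_base_dn("base_dn_users", settings["base_dn_users"])
    findings += check_base_dn("base_dn_groups", settings["base_dn_groups"])
    if not settings.get("primary_url"):
        findings.append("ERROR primary_url: a primary server URL is required")
    for field in ("primary_url", "secondary_url"):
        url = settings.get(field)
        if url:  # assumption: the secondary (failover) URL may be left empty
            findings += check_server_url(field, url,
                                         settings.get("certificate"), is_ad)
    return findings


# Constructed sample: the settings as they are often first entered.
WEAK = {
    "type": "ActiveDirectory",
    "domain_name": "10.0.0.5",
    "base_dn_users": "cn=Users,dc=myCorp,dc=com",
    "base_dn_groups": "Groups",
    "primary_url": "ldap://dc01.mycorp.com:389",
    "secondary_url": "ldaps://dc02.mycorp.com:389",
    "certificate": None,
}

# Constructed sample: the same source corrected to use LDAPS throughout.
HARDENED = {
    "type": "ActiveDirectory",
    "domain_name": "mycorp.com",
    "base_dn_users": "cn=Users,dc=myCorp,dc=com",
    "base_dn_groups": "cn=Groups,dc=myCorp,dc=com",
    "primary_url": "ldaps://dc01.mycorp.com:636",
    "secondary_url": "ldaps://dc02.mycorp.com:636",
    "certificate": "ad-root-ca.cer",  # hypothetical exported root CA file
}

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_identity_source(sample) or "no findings")
```
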

Managing Permissions for vCenter Components

A permission is set on an object in the vCenter object hierarchy. Each permission associates the object with a group
or user and the group's or user's access roles. For example, you can select a virtual machine object, add one
permission that gives the ReadOnly role to Group 1, and add a second permission that gives the Administrator role
to User 2.


By assigning a different role to a group of users on different objects, you control the tasks that those users can
perform in your vSphere environment. For example, to allow a group to configure memory for the host, select
that host and add a permission that grants a role to that group that includes the Host.Configuration.Memory
Configuration privilege.

To manage permissions from the vSphere Client, you need to understand the following concepts:

Permissions

Each object in the vCenter Server object hierarchy has associated permissions. Each permission specifies
for one group or user which privileges that group or user has on the object.

Users and Groups

On vCenter Server systems, you can assign privileges only to authenticated users or groups of authenticated
users. Users are authenticated through vCenter Single Sign-On. Users and groups must be defined in the
identity source that vCenter Single Sign-On uses to authenticate. Define users and groups using the tools in
your identity source, for example, Active Directory.

Privileges

Privileges are fine-grained access controls. You can group those privileges into roles, which you can then
map to users or groups.

Roles

Roles are sets of privileges. Roles allow you to assign permissions on an object based on a typical set of tasks
that users perform. Default roles, such as Administrator, are predefined on vCenter Server and cannot be
changed. Other roles, such as Resource Pool Administrator, are predefined sample roles. You can create custom
roles either from scratch or by cloning and modifying sample roles. See Create a Custom Role.

You can assign permissions to objects at different levels of the hierarchy. For example, you can assign permissions
to a host object or to a folder object that includes all host objects. See Hierarchical Inheritance of Permissions. You
can also assign permissions to a global root object to apply the permissions to all objects in all solutions. See Global
Permissions.
Add a Permission to an Inventory Object
After you create users and groups and define roles, you must assign the users and groups and their roles to the
relevant inventory objects. You can assign the same permissions to multiple objects simultaneously by moving
the objects into a folder and setting the permissions on the folder.

When you assign permissions, user and group names must match Active Directory precisely, including case. If you
upgraded from earlier versions of vSphere, check for case inconsistencies if you experience problems with groups.


Prerequisites

On the object whose permissions you want to modify, you must have a role that includes the
Permissions.Modify permission privilege.

Procedure

1 Browse to the object for which you want to assign permissions in the vSphere Client object navigator.

2 Click the Permissions tab.

3 Click the Add Permission icon.

4 Select the user or group that will have the privileges defined by the selected role.

a From the User drop-down menu, select the domain for the user or group.

b Type a name in the Search box.

The system searches user names and group names.

c Select the user or group.

5 Select a role from the Role drop-down menu.

6 (Optional) To propagate the permissions, select the Propagate to children check box.

The role is applied to the selected object and propagates to the child objects.

7 Click OK to add the permission.

Synchronizing Clocks on the vSphere Network

Verify that all components on the vSphere network have their clocks synchronized. If the clocks on the physical
machines in your vSphere network are not synchronized, SSL certificates and SAML Tokens, which are time-
sensitive, might not be recognized as valid in communications between network machines.

Unsynchronized clocks can result in authentication problems, which can cause the installation to fail or prevent the
vCenter Server vmware-vpxd service from starting.

Time inconsistencies in vSphere can cause firstboot to fail at different services depending on where in the
environment time is not accurate and when the time is synchronized. Problems most commonly occur when the
target ESXi host for the destination vCenter Server is not synchronized with NTP or PTP. Similarly, issues can arise
if the destination vCenter Server migrates to an ESXi host set to a different time due to fully automated DRS.

To avoid time synchronization issues, ensure that the following is correct before installing, migrating, or
upgrading a vCenter Server.

• The target ESXi host where the destination vCenter Server is to be deployed is synchronized to NTP or PTP.

• The ESXi host running the source vCenter Server is synchronized to NTP or PTP.


• When upgrading or migrating from vSphere 6.5 or 6.7 to vSphere 7.0, if the vCenter Server appliance is
connected to an external Platform Services Controller, ensure the ESXi host running the external Platform
Services Controller is synchronized to NTP or PTP.

• If you are upgrading or migrating from vSphere 6.5 or 6.7 to vSphere 7.0, verify that the source vCenter
Server or vCenter Server appliance and external Platform Services Controller have the correct time.

• When you upgrade a vCenter Server 6.5 or 6.7 instance with an external Platform Services Controller to
vSphere 7.0, the upgrade process converts to a vCenter Server instance with an embedded Platform Services
Controller.

Verify that any Windows host machine on which vCenter Server runs is synchronized with the Network Time
Protocol (NTP) server. See the VMware knowledge base article at https://kb.vmware.com/s/article/1318.

To synchronize ESXi clocks with an NTP server or a PTP server, you can use the VMware Host Client. For
information about editing the time configuration of an ESXi host, see vSphere Single Host Management -
VMware Host Client.

To learn how to change time synchronization settings for vCenter Server, see "Configure the System Time
Zone and Time Synchronization Settings" in vCenter Server Configuration.

To learn how to edit time configuration for a host by using the vSphere Client, see "Editing Time Configuration
for a Host" in vCenter Server and Host Management.
Synchronize ESXi Clocks with a Network Time Server
Before you install vCenter Server, make sure all machines on your vSphere network have their clocks
synchronized.

This task explains how to set up NTP from the VMware Host Client.

Procedure

1 Start the VMware Host Client, and connect to the ESXi host.

2 Click Manage.

3 Under System, click Time & date, and click Edit settings.

4 Select Use Network Time Protocol (enable NTP client).

5 In the NTP servers text box, enter the IP address or fully qualified domain name of one or more NTP
servers to synchronize with.

6 From the NTP Service Start-up Policy drop-down menu, select Start and stop with host.

7 Click Save.

The host synchronizes with the NTP server.

Configuring Time Synchronization Settings in vCenter Server


You can change the time synchronization settings in vCenter Server after deployment.


When you deploy vCenter Server, you can choose the time synchronization method to be either by using an NTP
server or by using VMware Tools. In case the time settings in your vSphere network change, you can edit the
vCenter Server and configure the time synchronization settings by using the commands in the appliance shell.

When you enable periodic time synchronization, VMware Tools sets the time of the guest operating
system to be the same as the time of the host.

After time synchronization occurs, VMware Tools checks once every minute to determine whether the clocks on the
guest operating system and the host still match. If not, the clock on the guest operating system is synchronized to
match the clock on the host.

Native time synchronization software, such as Network Time Protocol (NTP), is typically more accurate than
VMware Tools periodic time synchronization and is therefore preferred. You can use only one form of periodic
time synchronization in vCenter Server. If you decide to use native time synchronization software, vCenter Server
VMware Tools periodic time synchronization is disabled, and vice versa.
Add or Replace NTP Servers in the vCenter Server Configuration
To set up the vCenter Server to use NTP-based time synchronization, you must add the NTP servers to the
vCenter Server configuration.

Procedure

1 Access the appliance shell and log in as a user who has the administrator or super administrator
role.

The default user with super administrator role is root.

2 Add NTP servers to the vCenter Server configuration by running the ntp.server.add
command.

For example, run the following command:

ntp.server.add --servers IP-addresses-or-host-names

Here IP-addresses-or-host-names is a comma-separated list of IP addresses or host names of the NTP servers.

This command adds NTP servers to the configuration. If the time synchronization is based on an NTP server,
then the NTP daemon is restarted to reload the new NTP servers. Otherwise, this command adds the new NTP
servers to the existing NTP configuration.

3 (Optional) To delete old NTP servers and add new ones to the vCenter Server configuration, run the
ntp.server.set command.

For example, run the following command:

ntp.server.set --servers IP-addresses-or-host-names

Here IP-addresses-or-host-names is a comma-separated list of IP addresses or host names of the NTP servers.


This command deletes old NTP servers from the configuration and sets the input NTP servers in the
configuration. If the time synchronization is based on an NTP server, the NTP daemon is restarted to reload the
new NTP configuration. Otherwise, this command replaces the servers in NTP configuration with the servers
that you provide as input.

4 (Optional) Run the ntp.get command to verify that you successfully applied the new NTP configuration
settings.

The command returns a space-separated list of the servers configured for NTP synchronization. If the NTP
synchronization is enabled, the command returns that the NTP configuration is in Up status. If the NTP
synchronization is disabled, the command returns that the NTP configuration is in Down status.

What to do next

If the NTP synchronization is disabled, you can configure the time synchronization settings in the vCenter Server to
be based on an NTP server. See Synchronize the Time in vCenter Server with an NTP Server.

Synchronize the Time in vCenter Server with an NTP Server


You can configure the time synchronization settings in the vCenter Server to be based on an NTP server.

Prerequisites

Set up one or more Network Time Protocol (NTP) servers in the vCenter Server configuration. See Add or
Replace NTP Servers in the vCenter Server Configuration.

Procedure

1 Access the appliance shell and log in as a user who has the administrator or super administrator
role.

The default user with super administrator role is root.

2 Run the timesync.set --mode NTP command to enable NTP-based time synchronization.

3 (Optional) Run the timesync.get command to verify that you successfully applied the NTP synchronization.

The command returns that the time synchronization is in NTP mode.

vSphere Network Infrastructure Deployment and Configuration


This section describes how to deploy a basic vSphere Network Infrastructure.


These steps, together with any additional service steps (for example, when VMware NSX is used), are required
for this design.

Create a vSphere Distributed Switch


Create a vSphere distributed switch on a data center to handle the networking configuration of multiple hosts at a time
from a central place.

Procedure

1 In the vSphere Client, right-click a data center from the inventory tree.

2 Select Distributed Switch > New Distributed Switch.

3 On the Name and location page, enter a name for the new distributed switch, or accept the generated name,
and click Next.

4 On the Select version page, select a distributed switch version and click Next.

Option Description

Distributed Switch: 7.0.0 Compatible with ESXi 7.0 and later.

Distributed Switch: 6.6.0 Compatible with ESXi 6.7 and later. Features released with later vSphere distributed
switch versions are not supported.

Distributed Switch: 6.5.0 Compatible with ESXi 6.5 and later. Features released with later vSphere distributed
switch versions are not supported.

5 On the Configure settings page, configure the distributed switch settings.

a Use the arrow buttons to select the Number of uplinks.

Uplink ports connect the distributed switch to physical NICs on associated hosts. The number of uplink
ports is the maximum number of allowed physical connections to the distributed switch per host.

b Use the drop-down menu to enable or disable Network I/O Control.

By using Network I/O Control you can prioritize the access to network resources for certain types of
infrastructure and workload traffic according to the requirements of your deployment. Network I/O
Control continuously monitors the I/O load over the network and dynamically allocates available
resources.

c (Optional) Select the Create a default port group check box to create a new distributed port group with
default settings for this switch. Enter a Port group name, or accept the generated name.

If your system has custom port group requirements, create distributed port groups that meet those
requirements after you add the distributed switch.

d Click Next.

6 On the Ready to complete page, review the settings you selected and click Finish.

Use the Back button to edit any settings.


Results

A distributed switch is created in the data center. You can view the features supported on the distributed switch as
well as other details by navigating to the new distributed switch and clicking the Summary tab.

What to do next

Add hosts to the distributed switch and configure their network adapters on the switch.

Add a Distributed Port Group


To create a distributed switch network for your virtual machines, and to associate VMkernel adapters, you
can add a distributed port group to a vSphere Distributed Switch.

When you add a port group, you can also apply VLAN tagging globally on all distributed ports by selecting
VLAN tags with the VLAN options. To learn more, see Configure VLAN Tagging on a Distributed Port Group or
Port.

Procedure

1 On the vSphere Client Home page, click Networking and navigate to the distributed switch.

2 Right-click the distributed switch and select Distributed port group > New distributed port group.

3 On the Name and location page, enter the name of the new distributed port group, or accept the generated
name, and click Next.

4 On the Configure settings page, set the general properties for the new distributed port group and click Next.

Setting Description

Port binding Select when ports are assigned to virtual machines connected to this distributed
port group.
• Static binding: Assign a port to a virtual machine when the virtual machine
connects to the distributed port group.
• Ephemeral - no binding: No port binding. You can assign a virtual machine to a
distributed port group with ephemeral port binding also
when connected to the host.

Port allocation
• Elastic: The default number of ports is eight. When all ports are assigned, a
new set of eight ports is created.
• Fixed: The default number of ports is set to eight. No additional ports are created
when all ports are assigned.

Number of ports Enter the number of ports on the distributed port group.

Network resource pool Use the drop-down menu to assign the new distributed port group to a user-defined
network resource pool. If you have not created a network resource pool, this menu is
empty.


VLAN Use the VLAN type drop-down menu to specify the type of VLAN traffic filtering and
marking:
• None: Do not use VLAN. Select this if you are using External Switch Tagging.
• VLAN: In the VLAN ID text box, enter a number between 1 and 4094 for Virtual
Switch Tagging.
• VLAN trunking: Enter a VLAN trunk range.

Pass VLAN traffic with an ID to the guest OS. You can set multiple ranges and
individual VLANs by using a comma-separated list. For example: 1702-1705, 1848-1849

Use this option for Virtual Guest Tagging.

• Private VLAN: Associate the traffic with a private VLAN created on the distributed
switch. If you did not create any private VLANs, this menu is empty.

Advanced To customize the policy configurations for the new distributed port group, select this
check box.

5 (Optional) On the Security page, edit the security exceptions and click Next.

Setting Description

Promiscuous mode
• Reject. Placing an adapter in promiscuous mode from the guest operating system
does not result in receiving frames for other virtual machines.
• Accept. If an adapter is placed in promiscuous mode from the guest operating
system, the switch allows the guest adapter to receive all frames passed on the switch
in compliance with the active VLAN policy for the port where the adapter is
connected.

Firewalls, port scanners, intrusion detection systems, and so on, must run in
promiscuous mode.

MAC address changes
• Reject. If you set this option to Reject and the guest OS changes the MAC address
of the adapter to a value different from the address in the .vmx configuration file,
the switch drops all inbound frames to the virtual machine adapter.

If the guest OS changes the MAC address back, the virtual machine receives
frames again.
• Accept. If the guest OS changes the MAC address of a network adapter,
the adapter receives frames to its new address.

Forged transmits
• Reject. The switch drops any outbound frame with a source MAC address that
is different from the one in the .vmx configuration file.
• Accept. The switch does not perform filtering and permits all outbound
frames.


6 (Optional) On the Traffic shaping page, enable or disable Ingress or Egress traffic shaping and click Next.

Setting Description

Status If you enable either Ingress traffic shaping or Egress traffic shaping, you are setting
limits on the amount of networking bandwidth allocated for each virtual adapter associated
with this particular port group. If you disable the policy, services have a free, clear
connection to the physical network by default.

Average bandwidth Establishes the number of bits per second to allow across a port, averaged over time. This
is the allowed average load.

Peak bandwidth The maximum number of bits per second to allow across a port when it is sending and
receiving a burst of traffic. This tops the bandwidth used by a port whenever it is using
its burst bonus.

Burst size The maximum number of bytes to allow in a burst. If this parameter is set, a port might gain
a burst bonus when it does not use all its allocated bandwidth. Whenever the port needs
more bandwidth than specified by Average bandwidth, it might temporarily transmit data
at a faster speed if a burst bonus is available. This parameter tops the number of bytes that
might be accumulated in the burst bonus and as a result transferred at a faster speed.


7 (Optional) On the Teaming and failover page, edit the settings and click Next.

Setting Description

Load balancing Specify how to choose an uplink.
• Route based on originating virtual port. Choose an uplink based on the virtual port
where the traffic entered the distributed switch.
• Route based on IP hash. Choose an uplink based on a hash of the source and
destination IP addresses of each packet. For non-IP packets, whatever is at those offsets
is used to compute the hash.
• Route based on source MAC hash. Choose an uplink based on a hash of the source
Ethernet.
• Route based on physical NIC load. Choose an uplink based on the current
loads of physical NICs.
• Use explicit failover order. Always use the highest order uplink from the list of
Active adapters which passes failover detection criteria.

Note IP-based teaming requires that the physical switch is configured with
EtherChannel. For all other options, disable EtherChannel.

Network failure detection Specify the method to use for failover detection.
• Link status only. Relies solely on the link status that the network adapter provides.
This option detects failures, such as cable pulls and physical switch power failures, but
not configuration errors, such as a physical switch port being blocked by spanning tree
or that is misconfigured to the wrong VLAN or cable pulls on the other side of a
physical switch.
• Beacon probing. Sends out and listens for beacon probes on all NICs in the team
and uses this information, in addition to link status, to determine link failure. This
detects many of the failures previously mentioned that are not detected by link status
alone.

Note Do not use beacon probing with IP-hash load-balancing.

Notify switches Select Yes or No to notify switches in case of failover. If you select Yes, whenever a
virtual NIC is connected to the distributed switch or whenever that virtual NIC’s traffic
might be routed over a different physical NIC in the team because of a failover event, a
notification is sent out over the network to update the lookup tables on physical switches.
In almost all cases, this process is desirable for the lowest latency of failover occurrences
and migrations with vMotion.

Note Do not use this option when the virtual machines using the port group
are using Microsoft Network Load Balancing in unicast mode. No such issue exists with
NLB running in multicast mode.

VMware, Inc.
86
vSphere Installation and Configuration Procedures Guide

SettingDescription

Failback Select Yes or No to disable or enable failback.


This option determines how a physical adapter is returned to active duty after recovering
from a failure. If failback is set to Yes (default), the adapter is returned to active duty
immediately upon recovery, displacing the standby adapter that took over its slot, if any. If
failback is set to No, a failed adapter is left inactive even after recovery until another
currently active adapter fails, requiring its replacement.

Failover order Specify how to distribute the workload for uplinks. To use some uplinks but reserve others
for emergencies if the uplinks in use fail, set this condition by moving them into different
groups:
 Active uplinks. Continue to use the uplink when the network adapter
connectivity is up and active.
 Standby uplinks . Use this uplink if one of the active adapters'
connectivity is down.
 Unused uplinks . Do not use this uplink.

Note When using IP-hash load-balancing, do not configure standby uplinks.

8 (Optional) On the Monitoring page, enable or disable NetFlow and click Next.

Setting: Description

Disabled: NetFlow is disabled on the distributed port group.

Enabled: NetFlow is enabled on the distributed port group. NetFlow settings can be configured at
the vSphere Distributed Switch level.

9 (Optional) On the Miscellaneous page, select Yes or No and click Next.

Selecting Yes shuts down all ports in the port group. This action might disrupt the normal network
operations of the hosts or virtual machines using the ports.

10 On the Ready to complete page, review your settings and click Finish.

To change any settings, click the Back button.
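The notes in the Teaming and failover table combine into a small set of constraints that are easy to break when a port group is edited later. The following check is an added example, not part of the original guide or of any VMware tool; the TeamingPolicy model, its field names, and the sample port groups are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class TeamingPolicy:
    """Teaming and failover settings of one distributed port group (constructed model)."""
    name: str
    load_balancing: str          # "virtual_port", "ip_hash", "source_mac", "nic_load", "explicit"
    failure_detection: str       # "link_status" or "beacon_probing"
    notify_switches: bool
    active: list
    standby: list = field(default_factory=list)
    etherchannel: bool = False   # physical switch ports are configured as EtherChannel
    nlb_unicast: bool = False    # VMs on this group run Microsoft NLB in unicast mode


def lint_teaming(policy):
    """Return the rule violations for one port group; an empty list means compliant."""
    findings = []
    if not policy.active:
        findings.append("no active uplinks configured")
    if policy.load_balancing == "ip_hash":
        # IP-hash notes from the table: EtherChannel required, no beacon probing, no standby.
        if not policy.etherchannel:
            findings.append("IP hash requires EtherChannel on the physical switch")
        if policy.failure_detection == "beacon_probing":
            findings.append("beacon probing must not be combined with IP hash")
        if policy.standby:
            findings.append("IP hash must not have standby uplinks: %s" % policy.standby)
    elif policy.etherchannel:
        findings.append("EtherChannel must be disabled unless IP hash is used")
    if policy.notify_switches and policy.nlb_unicast:
        findings.append("Notify switches must be No for Microsoft NLB in unicast mode")
    return findings


def lint_all(policies):
    """Map port group name to findings, listing only the non-compliant groups."""
    report = {}
    for policy in policies:
        findings = lint_teaming(policy)
        if findings:
            report[policy.name] = findings
    return report


# Constructed sample data: one compliant group and two misconfigured ones.
SAMPLE = [
    TeamingPolicy("dpg-vm", "virtual_port", "beacon_probing", True,
                  ["Uplink1", "Uplink2"]),
    TeamingPolicy("dpg-lag", "ip_hash", "beacon_probing", True,
                  ["Uplink1", "Uplink2"], standby=["Uplink3"],
                  etherchannel=False, nlb_unicast=True),
    TeamingPolicy("dpg-legacy", "source_mac", "link_status", False,
                  ["Uplink1"], etherchannel=True),
]

if __name__ == "__main__":
    for name, findings in lint_all(SAMPLE).items():
        for finding in findings:
            print("%s: %s" % (name, finding))
```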

Create a VMkernel Adapter on a Host Associated with a vSphere Distributed Switch


Create a VMkernel adapter on a host that is associated with a distributed switch to provide network connectivity to
the host and to handle the traffic for vSphere vMotion, IP storage, Fault Tolerance logging, vSAN, and others. You
can set up VMkernel adapters for the standard system traffic on vSphere standard switches and on vSphere
distributed switches.

You should dedicate a single distributed port group per VMkernel adapter. For better isolation, you should
configure one VMkernel adapter with one traffic type.

Procedure

1 In the vSphere Client, navigate to the host.

2 On the Configure tab, expand Networking and select VMkernel adapters.


3 Click Add networking.

4 On the Select connection type page, select VMkernel Network Adapter and click Next.

5 From the Select an existing network option, select a distributed port group and click Next.

6 On the Port properties page, configure the settings for the VMkernel adapter.

Option: Description

Network label: The network label is inherited from the label of the distributed port group.

IP settings: Select IPv4, IPv6, or both.

Note The IPv6 option does not appear on hosts that do not have IPv6 enabled.

MTU: Choose whether to get MTU for the network adapter from the switch or to set a custom
size. You cannot set the MTU size to a value greater than 9000 bytes.

TCP/IP stack: Select a TCP/IP stack from the list. Once you set a TCP/IP stack for the VMkernel adapter,
you cannot change it later. If you select the vMotion or the Provisioning TCP/IP stack, you
will be able to use only these stacks to handle vMotion or Provisioning traffic on the host.
All VMkernel adapters for vMotion on the default TCP/IP stack are disabled for future
vMotion sessions. If you set the Provisioning TCP/IP stack, VMkernel adapters on the
default TCP/IP stack are disabled for operations that include Provisioning traffic, such as
virtual machine cold migration, cloning, and snapshot migration.

Available services: You can enable services for the default TCP/IP stack on the host. Select from the available
services:
• vMotion. Enables the VMkernel adapter to advertise itself to another host as the
network connection where vMotion traffic is sent. The migration with vMotion to the
selected host is not possible if the vMotion service is not enabled for any VMkernel
adapter on the default TCP/IP stack, or there are no adapters using the vMotion
TCP/IP stack.
• Provisioning. Handles the data transferred for virtual machine cold migration,
cloning, and snapshot migration.
• Fault Tolerance logging. Enables Fault Tolerance logging on the host. You can
use only one VMkernel adapter for FT traffic per host.
• Management. Enables the management traffic for the host and vCenter Server.
Typically, hosts have such a VMkernel adapter created when the ESXi software is
installed. You can create another VMkernel adapter for management traffic on the
host to provide redundancy.
• vSphere Replication. Handles the outgoing replication data that is sent from the
source ESXi host to the vSphere Replication server.
• vSphere Replication NFC. Handles the incoming replication data on the target
replication site.
• vSAN. Enables the vSAN traffic on the host. Every host that is part of a
vSAN cluster must have such a VMkernel adapter.

7 (Optional) On the IPv4 settings page, select an option for obtaining IP addresses.

Option: Description

Obtain IPv4 settings automatically: Use DHCP to obtain IP settings. A DHCP server must be present on the network.

Use static IPv4 settings: Enter the IPv4 IP address and subnet mask for the VMkernel adapter.
The VMkernel Default Gateway and DNS server addresses for IPv4 are obtained
from the selected TCP/IP stack.
Select the Override default gateway for this adapter check box and enter a gateway
address, if you want to specify a different gateway for the VMkernel adapter.

8 (Optional) On the IPv6 settings page, select an option for obtaining IPv6 addresses.

Option: Description

Obtain IPv6 addresses automatically through DHCP: Use DHCP to obtain IPv6 addresses. A DHCPv6 server
must be present on the network.

Obtain IPv6 addresses automatically through Router Advertisement: Use router advertisement to obtain IPv6
addresses. In ESXi 6.5 and later router advertisement is enabled by default and supports the
M and O flags in accordance with RFC 4861.

Static IPv6 addresses:
a Click Add IPv6 address to add a new IPv6 address.
b Enter the IPv6 address and subnet prefix length, and click OK.
c To change the VMkernel default gateway, click Override default gateway for this adapter.
The VMkernel Default Gateway address for IPv6 is obtained from the selected TCP/IP stack.

9 Review your settings selections on the Ready to complete page and click Finish.

Add Hosts to a vSphere Distributed Switch


To manage the networking of your vSphere environment by using a vSphere Distributed Switch, you must associate
hosts with the switch. You connect the physical NICs, VMkernel adapters, and virtual machine network adapters of
the hosts to the distributed switch.

Prerequisites

• Verify that enough uplinks are available on the distributed switch to assign to the physical NICs that you
want to connect to the switch.

• Verify that there is at least one distributed port group on the distributed switch.

• Verify that the distributed port group has active uplinks configured in its teaming and failover policy.

If you migrate or create VMkernel adapters for iSCSI, verify that the teaming and failover policy of the target
distributed port group meets the requirements for iSCSI:

• Verify that only one uplink is active, the standby list is empty, and the rest of the uplinks are unused.

• Verify that only one physical NIC per host is assigned to the active uplink.

Procedure

1 On the vSphere Client Home page, click Networking and navigate to the distributed switch.

2 From the Actions menu, select Add and Manage Hosts.

3 On the Select task page, select Add hosts, and click Next.

4 On the Select hosts page, click New hosts, select from the hosts in your data center, click OK, and then click
Next.

5 On the Select network adapter tasks page, select the tasks for configuring network adapters to the distributed
switch and click Next.

6 On the Manage physical network adapters page, configure physical NICs on the distributed switch.

a From the On other switches/unclaimed list, select a physical NIC.

If you select physical NICs that are already connected to other switches, they are migrated to the
current distributed switch.

b Click Assign uplink.

c Select an uplink and click OK.


For consistent network configuration, you can connect the same physical NIC on every host to the
same uplink on the distributed switch.

For example, if you are adding two hosts, connect vmnic1 on each host to Uplink1 on the distributed
switch.

7 Click Next.

8 On the Manage VMkernel adapters page, configure VMkernel adapters.

a Select a VMkernel adapter and click Assign port group.

b Select a distributed port group and click OK.

9 Click Next.

10 (Optional) On the Migrate VM networking page, select the check box Migrate virtual machine networking to
configure virtual machine networking.

a To connect all network adapters of a virtual machine to a distributed port group, select the virtual
machine, or select an individual network adapter to connect only that adapter.

b Click Assign port group.

c Select a distributed port group from the list and click OK, and click Next.

11 Click Finish.

What to do next

Having hosts associated with the distributed switch, you can manage physical NICs, VMkernel adapters, and
virtual machine network adapters.

vSphere Network I/O Control


Use vSphere Network I/O Control to allocate network bandwidth to business-critical applications and to resolve
situations where several types of traffic compete for common resources.

About vSphere Network I/O Control Version 3

vSphere Network I/O Control version 3 introduces a mechanism to reserve bandwidth for system traffic based on
the capacity of the physical adapters on a host. It enables fine-grained resource control at the VM network adapter
level similar to the model that you use for allocating CPU and memory resources.

Version 3 of the Network I/O Control feature offers improved network resource reservation and allocation across
the entire switch.

Models for Bandwidth Resource Reservation

Network I/O Control version 3 supports separate models for resource management of system traffic related to
infrastructure services, such as vSphere Fault Tolerance, and of virtual machines.

The two traffic categories are different in nature. System traffic is strictly associated with an ESXi host. The network
traffic routes change when you migrate a virtual machine across the environment. To provide network resources to
a virtual machine regardless of its host, in Network I/O Control you can configure resource allocation for virtual
machines that is valid in the scope of the entire distributed switch.

Bandwidth Guarantee to Virtual Machines

Network I/O Control version 3 provisions bandwidth to the network adapters of virtual machines by using
constructs of shares, reservation and limit. Based on these constructs, to receive sufficient bandwidth, virtualized
workloads can rely on admission control in vSphere Distributed Switch, vSphere DRS and vSphere HA. See
Admission Control on Virtual Machine Traffic.

Availability of Features

SR-IOV is not available for virtual machines configured to use Network I/O Control version 3.

Enable Network I/O Control on a vSphere Distributed Switch

Enable network resource management on a vSphere Distributed Switch to guarantee minimum bandwidth to
system traffic for vSphere features and to virtual machine traffic.

Procedure

1 On the vSphere Client Home page, click Networking and navigate to the distributed switch.

2 From the Actions menu, select Settings > Edit Settings.

3 From the Network I/O Control drop-down menu, select Enable.

4 Click OK.


Results

When enabled, the model that Network I/O Control uses to handle bandwidth allocation for system traffic
and virtual machine traffic is based on the Network I/O Control version that is active on the distributed
switch. See About vSphere Network I/O Control Version 3.

vSphere Storage Infrastructure Deployment and Configuration


This section describes how to deploy the vSphere Storage Infrastructure.

<Consultant Note>: Remove all Sections which do not apply to the engagement. Storage is dependent on
the customer in most cases. More details can be found here:
https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.storage.doc/GUID-8AE88758-20C1-4873-99C7-181EF9ACFA70.html

Configuring iSCSI for vSphere


If iSCSI is used for storage, this section describes the general steps to configure the storage to be presented to the
ESXi hosts.

Configure the Software iSCSI Adapter

With the software-based iSCSI implementation, you can use standard NICs to connect your host to a remote iSCSI
target on the IP network. The software iSCSI adapter that is built into ESXi facilitates this connection by
communicating with the physical NICs through the network stack.

When you use the software iSCSI adapters, consider the following:

• Designate a separate network adapter for iSCSI. Do not use iSCSI on 100 Mbps or slower adapters.

• Avoid hard coding the name of the software adapter, vmhbaXX, in the scripts. It is possible for the name to
change from one ESXi release to another. The change might cause failures of your existing scripts if they use
the hardcoded old name. The name change does not affect the behavior of the iSCSI software adapter.

The process of configuring the software iSCSI adapter involves several steps.

Step: Description

Activate or Disable the Software iSCSI Adapter: Activate your software iSCSI adapter so that your host can
use it to access iSCSI storage.

Modify General Properties for iSCSI or iSER Adapters: If needed, change the default iSCSI name and alias
assigned to your adapter.

Configure Port Binding for iSCSI or iSER: Configure connections for the traffic between the iSCSI component
and the physical network adapters. The process of configuring these connections is called port binding.

Configure Dynamic or Static Discovery for iSCSI and iSER on ESXi Host: Set up dynamic discovery. With
dynamic discovery, each time the initiator contacts a specified iSCSI storage system, it sends the SendTargets
request to the system. The iSCSI system responds by supplying a list of available targets to the initiator. In
addition to the dynamic discovery method, you can use static discovery and manually enter information for
the targets.

Set Up CHAP for iSCSI or iSER Storage Adapter: If your iSCSI environment uses the Challenge Handshake
Authentication Protocol (CHAP), configure it for your adapter.

Set Up CHAP for iSCSI Target: You can also configure different CHAP credentials for each discovery address
or static target.

Enable Jumbo Frames for iSCSI: If your iSCSI environment supports Jumbo Frames, enable them for the adapter.

Activate or Disable the Software iSCSI Adapter

You must activate your software iSCSI adapter so that your ESXi host can use it to access iSCSI storage. If you
do not need the software iSCSI adapter after activation, you can disable it.

You can activate only one software iSCSI adapter.

Prerequisites

Required privilege: Host.Configuration.Storage Partition Configuration

Note If you boot from iSCSI using the software iSCSI adapter, the adapter is enabled and the network
configuration is created at the first boot. If you disable the adapter, it is reenabled each time you boot the host.

Procedure

1 In the vSphere Client, navigate to the ESXi host.

2 Click the Configure tab.

3 Enable or disable the adapter.

Option: Description

Enable the software iSCSI adapter:
a Under Storage, click Storage Adapters, and click the Add icon.
b Select Software iSCSI Adapter and confirm that you want to add the adapter.

The software iSCSI adapter (vmhba#) is enabled and appears on the list of storage
adapters. After enabling the adapter, the host assigns the default iSCSI name to it.
You can now complete the adapter configuration.

Disable the software iSCSI adapter:
a Under Storage, click Storage Adapters, and select the adapter (vmhba#) to disable.
b Click the Properties tab.
c Click Disable and confirm that you want to disable the adapter.
The status indicates that the adapter is disabled.
d Reboot the host.

After the reboot, the adapter no longer appears on the list of storage adapters. The
storage devices associated with the adapter become inaccessible. You can later
activate the adapter.

Modify General Properties for iSCSI or iSER Adapters


You can change the default name and alias assigned to your iSCSI or iSER storage adapters by the ESXi host. For
the independent hardware iSCSI adapters, you can also change the default IP settings.

Important When you modify any default properties for your adapters, make sure to use correct formats for their
names and IP addresses.

Prerequisites

Required privilege: Host.Configuration.Storage Partition Configuration

Procedure

1 In the vSphere Client, navigate to the ESXi host.

2 Click the Configure tab.

3 Under Storage, click Storage Adapters, and select the adapter (vmhba#) to configure.

4 Click the Properties tab, and click Edit in the General panel.

5 (Optional) Modify the following general properties.

Option: Description

iSCSI Name: Unique name formed according to iSCSI standards that identifies the iSCSI adapter. If
you change the name, make sure that the name you enter is worldwide unique and
properly formatted. Otherwise, certain storage devices might not recognize the iSCSI
adapter.

iSCSI Alias: A friendly name you use instead of the iSCSI name.

Results

If you change the iSCSI name, it is used for new iSCSI sessions. For existing sessions, the new settings are not
used until you log out and log in again.

What to do next

For other configuration steps you can perform for the iSCSI or iSER storage adapters, see the following topics:

• Set Up Independent Hardware iSCSI Adapters

• Configure Dependent Hardware iSCSI Adapters

• Configure the Software iSCSI Adapter

• Configure the iSER Adapter

Setting Up Network for iSCSI and iSER


Certain types of iSCSI adapters depend on the VMkernel networking. These adapters include the software or
dependent hardware iSCSI adapters, and the VMware iSCSI over RDMA (iSER) adapter. If your environment
includes any of these adapters, you must configure connections for the traffic between the iSCSI or iSER
component and the physical network adapters.

Configuring the network connection involves creating a virtual VMkernel adapter for each physical network
adapter. You use 1:1 mapping between each virtual and physical network adapter. You then associate the
VMkernel adapter with an appropriate iSCSI or iSER adapter. This process is called port binding.

Follow these rules when configuring the port binding:

• You can connect the software iSCSI adapter with any physical NICs available on your host.

• The dependent iSCSI adapters must be connected only to their own physical NICs.

• You must connect the iSER adapter only to the RDMA-capable network adapter.

For specific considerations on when and how to use network connections with software iSCSI, see the VMware
knowledge base article at http://kb.vmware.com/kb/2038869.

Multiple Network Adapters in iSCSI or iSER Configuration

If your host has more than one physical network adapter for iSCSI or iSER, you can use the adapters for
multipathing.

You can use multiple physical adapters in a single or multiple switch configurations.

In the multiple switch configuration, you designate a separate vSphere switch for each virtual-to-physical adapter
pair.

Figure 2-4. 1:1 Adapter Mapping on Separate vSphere Standard Switches

An alternative is to add all NICs and VMkernel adapters to the single vSphere switch. The number of VMkernel
adapters must correspond to the number of physical adapters on the vSphere Standard switch. The single switch
configuration is not appropriate for iSER because iSER does not support NIC teaming.

Figure 2-5. 1:1 Adapter Mapping on a Single vSphere Standard Switch

For that type of configuration, you must override the default network setup and make sure that each VMkernel
adapter maps to only one corresponding active physical adapter, as the table indicates.

VMkernel Adapter (vmk#): Physical Network Adapter (vmnic#)

vmk1 (iSCSI1): Active Adapters: vmnic1. Unused Adapters: vmnic2.

vmk2 (iSCSI2): Active Adapters: vmnic2. Unused Adapters: vmnic1.

You can also use distributed switches. For more information about vSphere distributed switches and how to
change the default network policy, see the vSphere Networking documentation.

The following considerations apply when you use multiple physical adapters:

• Physical network adapters must be on the same subnet as the storage system they connect to.

• (Applies only to iSCSI and not to iSER) If you use separate vSphere switches, you must connect them
to different IP subnets. Otherwise, VMkernel adapters might experience connectivity problems and the
host fails to discover the LUNs.

• The single switch configuration is not appropriate for iSER because iSER does not support NIC teaming.

Do not use port binding when any of the following conditions exist:

• Array target iSCSI ports are in a different broadcast domain and IP subnet.

• VMkernel adapters used for iSCSI connectivity exist in different broadcast domains, IP subnets, or use
different virtual switches.

Note In iSER configurations, the VMkernel adapters used for iSER connectivity cannot be used for
converged traffic. The VMkernel adapters that you created to enable connectivity between the ESXi host
with iSER and the iSER target must be used only for iSER traffic.
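The 1:1 mapping table and the "do not use port binding" conditions above can be checked mechanically before VMkernel adapters are bound. This is an added example, not part of the original guide; the Vmk model, the check_port_binding function, and all addresses are constructed, and the data would in practice come from the host's teaming and IP configuration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Vmk:
    """One VMkernel adapter intended for iSCSI port binding (constructed model)."""
    name: str
    cidr: str                                    # interface address, for example "10.10.1.11/24"
    active: list
    standby: list = field(default_factory=list)
    unused: list = field(default_factory=list)


def check_port_binding(vmks, target_portals):
    """Return violations of the port binding rules; an empty list means the plan is usable."""
    findings = []
    claimed = {}                                 # vmnic -> vmk that uses it as active uplink
    for vmk in vmks:
        if len(vmk.active) != 1:
            findings.append("%s: needs exactly one active adapter, has %d"
                            % (vmk.name, len(vmk.active)))
        if vmk.standby:
            findings.append("%s: standby list must be empty, has %s"
                            % (vmk.name, vmk.standby))
        for nic in vmk.active:
            if nic in claimed:
                findings.append("%s: %s is already the active adapter of %s"
                                % (vmk.name, nic, claimed[nic]))
            else:
                claimed[nic] = vmk.name

    # Bound VMkernel adapters must share one IP subnet.
    networks = {ipaddress.ip_interface(vmk.cidr).network for vmk in vmks}
    if len(networks) > 1:
        findings.append("VMkernel adapters span several subnets: %s"
                        % sorted(str(net) for net in networks))

    # Array target ports must be in the same subnet as every bound adapter.
    for portal in target_portals:
        address = ipaddress.ip_address(portal)
        for vmk in vmks:
            if address not in ipaddress.ip_interface(vmk.cidr).network:
                findings.append("%s: target portal %s is outside %s"
                                % (vmk.name, portal, vmk.cidr))
    return findings


# Constructed sample data mirroring the vmk1/vmk2 table above.
GOOD = [
    Vmk("vmk1", "10.10.1.11/24", ["vmnic1"], unused=["vmnic2"]),
    Vmk("vmk2", "10.10.1.12/24", ["vmnic2"], unused=["vmnic1"]),
]
# Constructed misconfiguration: standby uplink, shared active NIC, second subnet.
BAD = [
    Vmk("vmk1", "10.10.1.11/24", ["vmnic1"], standby=["vmnic2"]),
    Vmk("vmk2", "10.10.2.12/24", ["vmnic1"]),
]
PORTALS = ["10.10.1.50"]

if __name__ == "__main__":
    for label, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_port_binding(plan, PORTALS) or "compliant")
```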

Configure Port Binding for iSCSI or iSER


The port binding creates connections for the traffic between certain types of iSCSI and iSER adapters and the
physical network adapters.

The following types of adapters require the port binding:

• Software iSCSI adapter

• Dependent hardware iSCSI adapter

• VMware iSCSI over RDMA (iSER) adapter

The following tasks discuss the network configuration with a vSphere Standard switch and a single physical
network adapter. If you have multiple network adapters, see Multiple Network Adapters in iSCSI or iSER
Configuration.

Note iSER does not support NIC teaming. When configuring port binding for iSER, use only one RDMA-enabled
physical adapter (vmnic#) and one VMkernel adapter (vmk#) per vSwitch.

You can also use the VMware vSphere® Distributed Switch™ and VMware NSX® Virtual Switch™ in the port binding
configuration. For information about NSX virtual switches, see the VMware NSX Data Center for vSphere
documentation.

If you use a vSphere distributed switch with multiple uplink ports, for port binding, create a separate distributed
port group for each physical NIC. Then set the team policy so that each distributed port group has only one
active uplink port. For detailed information on distributed switches, see the vSphere Networking
documentation.

What to do next

For other configuration steps you can perform for the iSCSI or iSER storage adapters, see the following topics:

• Configure Dependent Hardware iSCSI Adapters

• Configure the Software iSCSI Adapter

• Configure the iSER Adapter

Create a Single VMkernel Adapter for iSCSI or iSER


Connect the VMkernel, which runs services for iSCSI storage, to a physical network adapter on your ESXi host.
You then use the created VMkernel adapter in the port binding configuration with the iSCSI or iSER adapters.

The following types of adapters require the port binding:

• Software iSCSI adapter

• Dependent hardware iSCSI adapter

• VMware iSCSI over RDMA (iSER) adapter

Prerequisites

• If you are creating a VMkernel adapter for dependent hardware iSCSI, you must use the physical network
adapter (vmnic#) that corresponds to the iSCSI component. See Determine Association Between iSCSI and
Network Adapters.

• With the iSER adapter, make sure to use an appropriate RDMA-capable vmnic#. See View RDMA Capable
Network Adapter.

Procedure

1 In the vSphere Client, navigate to the ESXi host.

2 Select Add Networking from the right-click menu.

3 Select VMkernel Network Adapter, and click Next.

4 Select New standard switch to create a vSphere Standard switch.

5 Click the Add adapters icon, and select an appropriate network adapter (vmnic#) to use for iSCSI.

Make sure to assign the adapter to Active Adapters.

6 Enter a network label.

A network label is a friendly name that identifies the VMkernel adapter that you are creating, for example,
iSCSI or iSER.

7 Specify the IP settings.


8 Review the information and click Finish.

You created the virtual VMkernel adapter (vmk#) for a physical network adapter (vmnic#) on your host.

9 Verify your configuration.

a Under Networking, select VMkernel Adapters, and select the VMkernel adapter (vmk#) from the list.

b Click the Policies tab, and verify that the corresponding physical network adapter (vmnic#)
appears as an active adapter under Teaming and failover.

What to do next

If your host has one physical network adapter for iSCSI traffic, bind the VMkernel adapter that you created to
the iSCSI or iSER vmhba adapter.

If you have multiple network adapters, you can create additional VMkernel adapters and then perform iSCSI
binding. The number of virtual adapters must correspond to the number of physical adapters on the host. For
information, see Multiple Network Adapters in iSCSI or iSER Configuration.

Bind iSCSI or iSER Adapters to VMkernel Adapters


On the ESXi host, bind an iSCSI or iSER adapter with a VMkernel adapter.

The following types of adapters require the port binding:

• Software iSCSI adapter

• Dependent hardware iSCSI adapter

• VMware iSCSI over RDMA (iSER) adapter

Prerequisites

Create a virtual VMkernel adapter for each physical network adapter on your host. If you use multiple
VMkernel adapters, set up the correct network policy.

Required privilege: Host.Configuration.Storage Partition Configuration


Procedure

1 In the vSphere Client, navigate to the ESXi host.

2 Click the Configure tab.

3 Under Storage, click Storage Adapters, and select the appropriate iSCSI or iSER adapter (vmhba#)
from the list.

4 Click the Network Port Binding tab and click the Add icon.

5 Select a VMkernel adapter to bind with the iSCSI or iSER adapter.

Note Make sure that the network policy for the VMkernel adapter is compliant with the binding
requirements.

You can bind the software iSCSI adapter to one or more VMkernel adapters. For a dependent hardware iSCSI
adapter or the iSER adapter, only one VMkernel adapter associated with the correct physical NIC is available.

6 Click OK.

The network connection appears on the list of network port bindings for the iSCSI or iSER adapter.

Configure Dynamic or Static Discovery for iSCSI and iSER on ESXi Host

You need to set up target discovery addresses, so that the iSCSI or iSER storage adapter can determine which
storage resource on the network is available for access.

The ESXi system supports these discovery methods:

Dynamic Discovery

Also known as SendTargets discovery. Each time the initiator contacts a specified iSCSI server, the initiator
sends the SendTargets request to the server. The server responds by supplying a list of available targets to the
initiator. The names and IP addresses of these targets appear on the Static Discovery tab. If you remove a
static target added by dynamic discovery, the target might be returned to the list the next time a rescan
happens, the storage adapter is reset, or the host is rebooted.

Note With software and dependent hardware iSCSI, ESXi filters target addresses based on the IP family of the
iSCSI server address specified. If the address is IPv4, IPv6 addresses that might come in the SendTargets
response from the iSCSI server are filtered out. When DNS names are used to specify an iSCSI server, or when
the SendTargets response from the iSCSI server has DNS names, ESXi relies on the IP family of the first
resolved entry from DNS lookup.

Static Discovery

In addition to the dynamic discovery method, you can use static discovery and manually enter information
for the targets. The iSCSI or iSER adapter uses a list of targets that you provide to contact and
communicate with the iSCSI servers.

When you set up static or dynamic discovery, you can only add new iSCSI targets. You cannot change any
parameters of an existing target. To make changes, remove the existing target and add a new one.
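The IP-family filtering described in the Dynamic Discovery note explains why portals of a dual-stack array can be missing from the Static Discovery tab. The following model of that behaviour is an added example, not ESXi code or part of the original guide; the SendTargets text format follows the iSCSI specification (NUL-separated TargetName and TargetAddress keys), while the function names, the resolver callback, and the sample response are constructed.

```python
import ipaddress

DEFAULT_PORT = 3260   # iSCSI port assumed when TargetAddress carries none


def parse_portal(value):
    """Split 'host[:port][,portal-group-tag]' into (host, port, tag); IPv6 hosts are bracketed."""
    address, _, tag = value.partition(",")
    if address.startswith("["):
        host, _, rest = address[1:].partition("]")
        port = rest.lstrip(":")
    else:
        host, _, port = address.partition(":")
    return host, int(port or DEFAULT_PORT), int(tag) if tag else None


def parse_sendtargets(payload):
    """Parse a SendTargets text response into {target name: [portal, ...]}."""
    targets = {}
    current = None
    for item in payload.split(b"\x00"):
        if not item:
            continue
        key, _, value = item.decode("utf-8").partition("=")
        if key == "TargetName":
            current = targets.setdefault(value, [])
        elif key == "TargetAddress" and current is not None:
            current.append(parse_portal(value))
    return targets


def ip_family(host, resolve):
    """Return 4 or 6; a DNS name takes the family of its first resolved entry."""
    try:
        return ipaddress.ip_address(host).version
    except ValueError:
        answers = resolve(host)
        return ipaddress.ip_address(answers[0]).version if answers else None


def filter_by_server_family(targets, server, resolve):
    """Keep only portals whose IP family matches that of the configured iSCSI server."""
    wanted = ip_family(server, resolve)
    if wanted is None:
        raise ValueError("cannot determine IP family of %r" % server)
    return {name: [p for p in portals if ip_family(p[0], resolve) == wanted]
            for name, portals in targets.items()}


# Constructed SendTargets response from a dual-stack array.
SAMPLE_RESPONSE = (
    b"TargetName=iqn.2020-01.com.example:array1\x00"
    b"TargetAddress=192.0.2.10:3260,1\x00"
    b"TargetAddress=[2001:db8::10]:3260,1\x00"
    b"TargetName=iqn.2020-01.com.example:array2\x00"
    b"TargetAddress=storage.example.com,2\x00"
)
# Constructed DNS data: the first resolved entry is IPv6.
SAMPLE_DNS = {"storage.example.com": ["2001:db8::20", "192.0.2.20"]}


def sample_resolve(name):
    """Offline stand-in for a DNS lookup (hypothetical helper)."""
    return SAMPLE_DNS.get(name, [])


if __name__ == "__main__":
    parsed = parse_sendtargets(SAMPLE_RESPONSE)
    for server in ("192.0.2.10", "2001:db8::10"):
        print(server, filter_by_server_family(parsed, server, sample_resolve))
```

A target that ends up with an empty portal list is one the host would not list for that server address family.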

Prerequisites

Required privilege: Host.Configuration.Storage Partition Configuration

Procedure

1 In the vSphere Client, navigate to the ESXi host.

2 Click the Configure tab.

3 Under Storage, click Storage Adapters, and select the adapter (vmhba#) to configure.

4 Configure the discovery method.

Discovery Method: Description

Dynamic Discovery:
a Click Dynamic Discovery and click Add.
b Enter the IP address or DNS name of the storage system and click OK.
c Rescan the iSCSI adapter.

After establishing the SendTargets session with the iSCSI system, your host populates the
Static Discovery list with all newly discovered targets.

Note A dynamically discovered target remains on the list even after it is removed from the
array side.

Static Discovery:
a Click Static Discovery and click Add.
b Enter the target's information and click OK.
c Rescan the iSCSI adapter.

What to do next

For other configuration steps you can perform for the iSCSI or iSER storage adapters, see the following topics:

• Set Up Independent Hardware iSCSI Adapters

• Configure Dependent Hardware iSCSI Adapters

• Configure the Software iSCSI Adapter

• Configure the iSER Adapter

Create an NFS Datastore


You can use the New Datastore wizard to mount an NFS volume.

Prerequisites

• Set up NFS storage environment.

• If you plan to use Kerberos authentication with the NFS 4.1 datastore, make sure to configure the ESXi hosts
for Kerberos authentication.

Procedure

1 In the vSphere Client object navigator, browse to a host, a cluster, or a data center.

2 From the right-click menu, select Storage > New Datastore.

3 Select NFS as the datastore type and specify an NFS version.

 NFS 3

 NFS 4.1

Important If multiple hosts access the same datastore, you must use the same protocol on all hosts.

4 Enter the datastore parameters.

Option Description

Datastore name The system enforces a 42 character limit for the datastore name.

Folder The mount point folder name

Server The server name or IP address. You can use IPv6 or IPv4 formats.
With NFS 4.1, you can add multiple IP addresses or server names if the NFS server
supports trunking. The ESXi host uses these values to achieve multipathing to the NFS
server mount point.

5 Select Mount NFS read only if the volume is exported as read-only by the NFS server.


6 To use Kerberos security with NFS 4.1, enable Kerberos and select an appropriate Kerberos model.

Option | Description

Use Kerberos for authentication only (krb5) | Supports identity verification.

Use Kerberos for authentication and data integrity (krb5i) | In addition to identity verification, provides data integrity services. These services help to protect the NFS traffic from tampering by checking data packets for any potential modifications.

If you do not enable Kerberos, the datastore uses the default AUTH_SYS security.

7 If you are creating a datastore at the data center or cluster level, select hosts that mount the datastore.

8 Review the configuration options and click Finish.
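
The same-protocol rule in step 3 and the security choices in step 6 can be checked across a planned set of mounts before anyone runs the wizard. The following is an added example, not part of the VMware guide: the `NfsMount` record, the host, server and export names, and the severity labels are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

MAX_NAME_LEN = 42  # datastore name limit enforced by the wizard

MSG_NAME = "datastore name exceeds 42 characters"
MSG_KRB_V3 = "Kerberos requested on NFS 3; the guide offers it with NFS 4.1"
MSG_AUTH_SYS = "AUTH_SYS in use: no Kerberos identity verification"
MSG_KRB5 = "krb5 verifies identity only; krb5i adds integrity checking"
MSG_SEC_MIX = "hosts use different security settings"


@dataclass(frozen=True)
class NfsMount:
    host: str      # ESXi host that mounts the export
    name: str      # datastore name
    server: str    # NFS server name or IP address
    folder: str    # mount point folder on the server
    version: str   # "3" or "4.1"
    security: str  # "AUTH_SYS", "krb5" or "krb5i"


# Constructed sample plan (hypothetical hosts, server and exports).
SAMPLE_PLAN = [
    NfsMount("esx01", "nfs-prod", "nas01", "/exports/prod", "4.1", "krb5i"),
    NfsMount("esx02", "nfs-prod", "nas01", "/exports/prod", "3", "AUTH_SYS"),
    NfsMount("esx01", "nfs-iso", "nas01", "/exports/iso", "4.1", "AUTH_SYS"),
    NfsMount("esx02", "nfs-iso", "nas01", "/exports/iso", "4.1", "AUTH_SYS"),
    NfsMount("esx01", "nfs-logs", "nas01", "/exports/logs", "4.1", "krb5"),
    NfsMount("esx01", "x" * 43, "nas01", "/exports/tmp", "3", "krb5"),
]


def audit_nfs_plan(mounts):
    """Return sorted (severity, export, message) findings for a mount plan."""
    findings = set()
    by_export = defaultdict(list)
    for m in mounts:
        export = f"{m.server}:{m.folder}"
        by_export[export].append(m)
        if len(m.name) > MAX_NAME_LEN:
            findings.add(("error", export, MSG_NAME))
        if m.version == "3" and m.security != "AUTH_SYS":
            findings.add(("error", export, MSG_KRB_V3))
        elif m.security == "AUTH_SYS":
            findings.add(("warn", export, MSG_AUTH_SYS))
        elif m.security == "krb5":
            findings.add(("info", export, MSG_KRB5))
    # Cross-host checks: every host must mount an export the same way.
    for export, group in by_export.items():
        versions = sorted({m.version for m in group})
        if len(versions) > 1:
            findings.add(("error", export,
                          "hosts mix NFS versions " + "/".join(versions)))
        if len({m.security for m in group}) > 1:
            findings.add(("warn", export, MSG_SEC_MIX))
    return sorted(findings)
```

Calling `audit_nfs_plan(SAMPLE_PLAN)` flags the export that one host mounts as NFS 4.1 and another as NFS 3, which is the case the Important note in step 3 rules out.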

Create a VMFS Datastore


VMFS datastores serve as repositories for virtual machines. You can set up VMFS datastores on any SCSI-based
storage devices that the host discovers, including Fibre Channel, iSCSI, and local storage devices.

Prerequisites

1 Install and configure any adapters that your storage requires.

2 To discover newly added storage devices, perform a rescan. See Datastore Refresh and Storage Rescan
Operations.

3 Verify that storage devices you are planning to use for your datastores are available. See
Storage Device Characteristics.

Procedure

1 In the vSphere Client object navigator, browse to a host, a cluster, or a data center.

2 From the right-click menu, select Storage > New Datastore.

3 Select VMFS as the datastore type.

4 Enter the datastore name and if necessary, select the placement location for the datastore.

The system enforces a 42 character limit for the datastore name.

5 Select the device to use for your datastore.

Important The device you select must not have any values displayed in the Snapshot Volume column. If
a value is present, the device contains a copy of an existing VMFS datastore. For information on managing
datastore copies, see Managing Duplicate VMFS Datastores.


6 Specify the datastore version.

Option Description

VMFS6 Default format on all hosts that support VMFS6. The ESXi hosts of version
6.0 or earlier cannot recognize the VMFS6 datastore.

VMFS5 VMFS5 datastore supports access by the ESXi hosts of version 6.7 or earlier.

7 Define configuration details for the datastore.

Note The required minimum size for a VMFS6 datastore is 2 GB.

a Specify partition configuration.

Option Description

Use all available partitions Dedicates the entire disk to a single VMFS datastore. If you select this option, all
file systems and data currently stored on this device are destroyed.

Use free space Deploys a VMFS datastore in the remaining free space of the disk.

b If the space allocated for the datastore is excessive for your purposes, adjust the capacity values in the
Datastore Size field.

By default, the entire free space on the storage device is allocated.

c For VMFS6, specify the block size and define space reclamation parameters. See VMFS Datastore and
Space Reclamation.

8 In the Ready to Complete page, review the datastore configuration information and click
Finish.

Results

The datastore on the SCSI-based storage device is created. It is available to all hosts that have access to the
device.

What to do next

After you create the VMFS datastore, you can perform the following tasks:

 Change the capacity of the datastore. See Increase VMFS Datastore Capacity.

 Edit space reclamation settings. See Change Space Reclamation Priority.

 Enable shared vmdk support. See Enable or Disable Support for Clustered Virtual Disks on the VMFS6
Datastore.

Enable Storage I/O Control


When you enable Storage I/O Control, ESXi monitors datastore latency and throttles the I/O load if the datastore
average latency exceeds the threshold.


Procedure

1 Browse to the datastore in the vSphere Client.

2 Click the Configure tab.

3 Click Settings and click General.

4 Click Edit for Datastore Capabilities.

5 Select the Enable Storage I/O Control check box.

6 Click OK.

Results

Under Datastore Capabilities, Storage I/O Control is enabled for the datastore.

High Availability Deployment and Configuration


This section describes how to deploy the vSphere high availability configuration.

Creating a vSphere HA Cluster


vSphere HA operates in the context of a cluster of ESXi (or legacy ESX) hosts. You must create a cluster, populate
it with hosts, and configure vSphere HA settings before failover protection can be established.

When you create a vSphere HA cluster, you must configure a number of settings that determine how the feature
works. Before you do this, identify your cluster's nodes. These nodes are the ESXi hosts that will provide the
resources to support virtual machines and that vSphere HA will use for failover protection. You should then
determine how those nodes are to be connected to one another and to the shared storage where your virtual
machine data resides. After that networking architecture is in place, you can add the hosts to the cluster and finish
configuring vSphere HA.

You can enable and configure vSphere HA before you add host nodes to the cluster. However, until the hosts are
added, your cluster is not fully operational and some of the cluster settings are unavailable. For example, the Specify
a Failover Host admission control policy is unavailable until there is a host that can be designated as the failover
host.

Note The Virtual Machine Startup and Shutdown (automatic startup) feature is disabled for all virtual machines
residing on hosts that are in (or moved into) a vSphere HA cluster. Automatic startup is not supported when used with
vSphere HA.

Create a vSphere HA Cluster in the vSphere Client

To enable your cluster for vSphere HA, you must first create an empty cluster. After you plan the resources and
networking architecture of your cluster, use the vSphere Client to add hosts to the cluster and specify the cluster's
vSphere HA settings.

A vSphere HA-enabled cluster is a prerequisite for vSphere Fault Tolerance.


Prerequisites

 Verify that all virtual machines and their configuration files reside on shared storage.

 Verify that the hosts are configured to access the shared storage so that you can power on the virtual
machines by using different hosts in the cluster.

 Verify that hosts are configured to have access to the virtual machine network.

 Verify that you are using redundant management network connections for vSphere HA. For information
about setting up network redundancy, see Best Practices for Networking.

 Verify that you have configured hosts with at least two datastores to provide redundancy for vSphere HA
datastore heartbeating.

 Connect vSphere Client to vCenter Server by using an account with cluster administrator permissions.

Procedure

1 In the vSphere Client, browse to the data center where you want the cluster to reside and click New
Cluster.

2 Complete the New Cluster wizard.

Do not turn on vSphere HA (or DRS).

3 Click OK to close the wizard and create an empty cluster.

4 Based on your plan for the resources and networking architecture of the cluster, use the vSphere Client to
add hosts to the cluster.

5 Browse to the cluster and enable vSphere HA.

a Click the Configure tab.

b Select vSphere Availability and click Edit.

c Select vSphere HA.

6 Under Failures and Responses select Enable Host Monitoring.

With Host Monitoring enabled, hosts in the cluster can exchange network heartbeats and vSphere HA can
take action when it detects failures. Host Monitoring is required for the vSphere Fault Tolerance recovery
process to work properly.

7 Select a setting for VM Monitoring.

Select VM Monitoring Only to restart individual virtual machines if their heartbeats are not received
within a set time. You can also select VM and Application Monitoring to enable application monitoring.

8 Click OK.

Results

You have a vSphere HA cluster, populated with hosts.


What to do next

Configure the appropriate vSphere HA settings for your cluster.

 Failures and responses

 Admission Control

 Heartbeat Datastores

 Advanced Options

See Configuring Cluster Settings.

Dynamic Resource Scheduling Deployment and Configuration


This section describes how to deploy the vSphere dynamic resourcing configuration.

Host Configuration for vMotion


Before using vMotion, you must configure your hosts correctly. Ensure that you have correctly configured your hosts.

 Each host must be correctly licensed for vMotion.

 Each host must meet shared storage requirements for vMotion.

 Each host must meet the networking requirements for vMotion.

Important The ESXi firewall in ESXi 6.5 and later does not allow per-network filtering of vMotion traffic.
Therefore, you must apply rules on your external firewall to ensure that no incoming connections can be
made to the vMotion socket on TCP port 8000.
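
The external-firewall requirement in the note above can be checked mechanically. This added example (not from the VMware guide) walks an ordered, first-match IPv4 rule list and reports untrusted sources that can still reach TCP port 8000 on a vMotion VMkernel address. The rule model, the addresses, the trusted subnet and the implicit default deny are assumptions.

```python
import ipaddress
from dataclasses import dataclass

VMOTION_PORT = 8000  # TCP port of the vMotion socket named in the guide


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    ports: tuple  # inclusive (low, high) TCP destination port range


# Constructed sample: hypothetical vMotion VMkernel addresses and an ordered,
# first-match external firewall policy (IPv4 only, implicit default deny).
VMOTION_VMK = ["10.20.30.11", "10.20.30.12"]
TRUSTED_SOURCES = ["10.20.30.0/24"]
SAMPLE_RULES = [
    Rule("allow", "10.20.30.0/24", "10.20.30.0/24", (8000, 8000)),
    Rule("allow", "10.20.0.0/16", "10.20.30.12/32", (1, 65535)),  # too broad
    Rule("deny", "0.0.0.0/0", "10.20.30.0/24", (8000, 8000)),
]


def subtract(nets, hole):
    """Remove the CIDR block `hole` from a list of CIDR blocks."""
    out = []
    for n in nets:
        if n.subnet_of(hole):
            continue                      # fully covered by the hole
        if hole.subnet_of(n):
            out.extend(n.address_exclude(hole))
        else:
            out.append(n)                 # disjoint, keep unchanged
    return out


def intersect(nets, other):
    """CIDR blocks either nest or are disjoint, so keep the smaller one."""
    return [n if n.subnet_of(other) else other
            for n in nets if n.subnet_of(other) or other.subnet_of(n)]


def exposed_sources(rules, vmk_ip, trusted):
    """Return (rule_index, network) pairs for untrusted sources that the
    policy allows to reach vmk_ip on the vMotion port."""
    dst = ipaddress.ip_address(vmk_ip)
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    remaining = [ipaddress.ip_network("0.0.0.0/0")]  # not yet matched
    findings = []
    for idx, rule in enumerate(rules):
        low, high = rule.ports
        if dst not in ipaddress.ip_network(rule.dst):
            continue
        if not low <= VMOTION_PORT <= high:
            continue
        src = ipaddress.ip_network(rule.src)
        if rule.action == "allow":
            hit = intersect(remaining, src)
            for t in trusted_nets:
                hit = subtract(hit, t)
            findings += [(idx, n) for n in ipaddress.collapse_addresses(hit)]
        remaining = subtract(remaining, src)
    return findings


def audit(rules, vmk_ips, trusted):
    """Map each vMotion address to its list of exposure findings."""
    return {ip: exposed_sources(rules, ip, trusted) for ip in vmk_ips}
```

With the sample policy, `audit(SAMPLE_RULES, VMOTION_VMK, TRUSTED_SOURCES)` returns no findings for 10.20.30.11 and attributes every finding for 10.20.30.12 to rule 1, the any-port allow that is matched before the deny.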

vMotion Across Long Distances

You can perform reliable migrations between hosts and sites that are separated by high network round-trip latency
times. vMotion across long distances is enabled when the appropriate license is installed. No user configuration is
necessary.

For long-distance migration, verify the network latency between the hosts and your license.

 The round-trip time between the hosts must be up to 150 milliseconds.

 Your license must cover vMotion across long distances.

 You must place the traffic related to transfer of virtual machine files to the destination host on the provisioning
TCP/IP stack. See Place Cold Migration Traffic on the Provisioning TCP/IP Stack.

vMotion Shared Storage Requirements

Configure hosts for vMotion with shared storage to ensure that virtual machines are accessible to both source and
target hosts.


During a migration with vMotion, the migrating virtual machine must be on storage accessible to both the source
and target hosts. Ensure that the hosts configured for vMotion use shared storage. Shared storage can be on a Fibre
Channel storage area network (SAN), or can be implemented using iSCSI and NAS.

If you use vMotion to migrate virtual machines with raw device mapping (RDM) files, make sure to maintain
consistent LUN IDs for RDMs across all participating hosts.

See the vSphere Storage documentation for information on SANs and RDMs.

vSphere vMotion Networking Requirements

Migration with vMotion requires correctly configured network interfaces on source and target hosts.

Configure each host with at least one network interface for vMotion traffic. To ensure secure data transfer, the
vMotion network must be a secure network, accessible only to trusted parties. Additional bandwidth significantly
improves vMotion performance. When you migrate a virtual machine with vMotion without using shared storage,
the contents of the virtual disk are transferred over the network as well.

vSphere 6.5 and later allow the network traffic with vMotion to be encrypted. Encrypted vMotion depends on host
configuration, or on compatibility between the source and destination hosts.

Requirements for Concurrent vMotion Migrations

You must ensure that the vMotion network has at least 250 Mbps of dedicated bandwidth per concurrent vMotion
session. Greater bandwidth lets migrations complete more quickly. Gains in throughput resulting from WAN
optimization techniques do not count towards the 250-Mbps limit.

To determine the maximum number of concurrent vMotion operations possible, see Limits on Simultaneous
Migrations. These limits vary with a host's link speed to the vMotion network.

Round-Trip Time for Long-Distance vMotion Migration

If you have the proper license applied to your environment, you can perform reliable migrations between hosts
that are separated by high network round-trip latency times. The maximum supported network round-trip time for
vMotion migrations is 150 milliseconds. This round-trip time lets you migrate virtual machines to another
geographical location at a longer distance.

Multiple-NIC vMotion

You can configure multiple NICs for vMotion by adding two or more NICs to the required standard or
distributed switch. For details, see Knowledge Base article KB 2007467.

Network Configuration

Configure the virtual networks on vMotion enabled hosts as follows:

 On each host, configure a VMkernel port group for vMotion.

To have the vMotion traffic routed across IP subnets, enable the vMotion TCP/IP stack on the host. See Place
vMotion on vMotion TCP Stack.


 If you are using standard switches for networking, ensure that the network labels used for the virtual machine
port groups are consistent across hosts. During a migration with vMotion, vCenter Server assigns virtual
machines to port groups based on matching network labels.

Note By default, you cannot use vMotion to migrate a virtual machine that is attached to a standard switch
with no physical uplinks configured, even if the destination host also has a no-uplink standard switch with
the same label.

To override the default behavior, set the config.migrate.test.CompatibleNetworks.VMOnVirtualIntranet
advanced setting of vCenter Server to false. The change takes effect immediately. For details about the setting,
see Knowledge Base article KB 1003832. For information about configuring advanced settings of vCenter Server,
see vCenter Server Configuration.

For information about configuring the vMotion network resources, see Networking Best Practices for vSphere
vMotion.

For more information about vMotion networking requirements, see Knowledge Base article KB 59232.

Using DRS Clusters to Manage Resources


After you create a DRS cluster, you can customize it and use it to manage resources.

To customize your DRS cluster and the resources it contains you can configure affinity rules and you can add and
remove hosts and virtual machines. When a cluster’s settings and resources have been defined, you should ensure
that it is and remains a valid cluster. You can also use a valid DRS cluster to manage power resources and
interoperate with vSphere HA.

Note In this chapter, "Memory" can refer to physical RAM or Persistent Memory.

Creating a DRS Cluster

A cluster is a collection of ESXi hosts and associated virtual machines with shared resources and a shared
management interface. Before you can obtain the benefits of cluster-level resource management you must create a
cluster and enable DRS.

Depending on whether or not Enhanced vMotion Compatibility (EVC) is enabled, DRS behaves differently when
you use vSphere Fault Tolerance (vSphere FT) virtual machines in your cluster.

Table 2-16. DRS Behavior with vSphere FT Virtual Machines and EVC

EVC | DRS (Load Balancing) | DRS (Initial Placement)

Enabled | Enabled (Primary and Secondary VMs) | Enabled (Primary and Secondary VMs)

Disabled | Disabled (Primary and Secondary VMs) | Disabled (Primary VMs); Fully Automated (Secondary VMs)


Edit Cluster Settings


When you add a host to a DRS cluster, the host’s resources become part of the cluster’s resources. In
addition to this aggregation of resources, with a DRS cluster you can support cluster-wide resource pools
and enforce cluster-level resource allocation policies.

The following cluster-level resource management capabilities are also available.

Load Balancing

The distribution and usage of CPU and memory resources for all hosts and virtual machines in the cluster are
continuously monitored. DRS compares these metrics to an ideal resource usage given the attributes of the
cluster’s resource pools and virtual machines, the current demand, and the imbalance target. DRS then provides
recommendations or performs virtual machine migrations accordingly. See Virtual Machine Migration. When
you power on a virtual machine in the cluster, DRS attempts to maintain proper load balancing by either placing
the virtual machine on an appropriate host or making a recommendation. See Admission Control and Initial
Placement.

Power management

When the vSphere Distributed Power Management (DPM) feature is enabled, DRS compares cluster and host-level
capacity to the demands of the cluster’s virtual machines, including recent historical demand. DRS then
recommends you place hosts in standby, or places hosts in standby power mode when sufficient excess
capacity is found. DRS powers on hosts if capacity is needed. Depending on the resulting host power state
recommendations, virtual machines might need to be migrated to and from the hosts as well. See Managing
Power Resources.

Affinity Rules

You can control the placement of virtual machines on hosts within a cluster, by assigning affinity rules.
See Using DRS Affinity Rules (RMG).

Prerequisites

You can create a cluster without a special license, but you must have a license to enable a cluster for vSphere DRS
or vSphere HA.

Note vSphere DRS is a critical feature of vSphere which is required to maintain the health of the workloads
running inside vSphere Cluster. Starting with vSphere 7.0 Update 1, DRS depends on the availability of vCLS
VMs. See vSphere Cluster Services (vCLS) for more information.

Procedure

1 Browse to a cluster in the vSphere Client.

2 Click the Configure tab and click Services.

3 Under vSphere DRS click Edit.


4 Under DRS Automation, select a default automation level for DRS.

Automation Level    Action

Manual

 Initial placement: Recommended host is displayed.

 Migration: Recommendation is displayed.

Partially Automated

 Initial placement: Automatic.

 Migration: Recommendation is displayed.

Fully Automated

 Initial placement: Automatic.

 Migration: Recommendation is run automatically.

5 Set the Migration Threshold for DRS.

6 Select the Predictive DRS check box. In addition to real-time metrics, DRS responds to forecasted
metrics provided by vRealize Operations server. You must also configure Predictive DRS in a version
of vRealize Operations that supports this feature.

7 Select the Virtual Machine Automation check box to enable individual virtual machine automation
levels.

Override for individual virtual machines can be set from the VM Overrides page.

8 Under Additional Options, select a check box to enforce one of the default policies.

Option | Description

VM Distribution | For availability, distribute a more even number of virtual machines across hosts. This is secondary to DRS load balancing.

Memory Metric for Load Balancing | Load balance based on consumed memory of virtual machines rather than active memory. This setting is only recommended for clusters where host memory is not over-committed.

Note This setting is no longer supported and will not be displayed in vCenter 7.0.

CPU Over-Commitment | Control CPU over-commitment in the cluster.

Scalable Shares | Enable scalable shares for the resource pools on this cluster.

9 Under Power Management, select Automation Level.

10 If DPM is enabled, set the DPM Threshold.

11 Click OK.

What to do next

Note Under the Cluster Summary page, you can see Cluster Services which displays vSphere Cluster Services
health status.

You can view memory utilization for DRS in the vSphere Client. To find out more, see: Viewing
Distributed Resource Scheduler Memory Utilization
(http://link.brightcove.com/services/player/bcpid2296383276001?bctid=ref:video_vsphere67_drs)

Integrations Deployment and Configuration


The following section contains the integrations applicable to the product configuration.

vSphere Integrations Deployment and Configuration


There are currently no integrations with vSphere because it is a provider that other solution elements are built
upon.

Any integrations applicable to these solutions will be included with the appropriate technology being deployed
and configured.


References

The following section lists the documentation resources which were used for this document. This chapter
includes the following topics:

 vSphere References

vSphere References
See the VMware vSphere 7.0 Update 1 Documentation (https://docs.vmware.com/en/VMware-vSphere/index.html)
for product documentation on vSphere components.

The following section lists the documentation resources which were used for this document.

 What’s New Features description and Release Notes

 Compatibility and Configuration Limits

 Configuration Maximums for VMware vSphere

 VMware Product Interoperability Matrix

 VMware Compatibility Guide

 ESXi and vCenter Server Product Documentation

 VMware ESXi Installation and Setup

 VMware ESXi Upgrade

 vCenter Server Installation and Setup

 vCenter Server Upgrade

 vCenter Server and Host Management

 vCenter Server Appliance Configuration

 Platform Services Controller Administration

 vSphere Virtual Machine Administration

 vSphere Host Profiles

 vSphere Networking

 vSphere Storage

 vSphere Security


 vSphere Resource Management

 vSphere Availability

 vSphere Monitoring and Performance

 vSphere Single Host Management - VMware Host Client
