Configure Identity Sources for Single Sign-On

VMware introduced SSO with vSphere 5.1, and over subsequent releases SSO has matured considerably. SSO can now be connected to multiple authentication domains, such as Active Directory and LDAP, so that it can exchange a successful authentication for tokens which are then used to access multiple vSphere services.

An Identity Source is a collection of user and group data, which is stored in either Active Directory, OpenLDAP or locally in the OS.

At the time of PSC/vCenter deployment we create one identity source (the SSO domain), and after the vCenter installation is completed only the users defined in this SSO domain or in localos can log in to vCenter. This identity source is internal to vCenter SSO.

An SSO administrator can add additional identity sources for centralized authentication, can define the default identity source, and can create users and groups in the default identity source.

In this post we will focus on the following tasks:

  • Define identity sources for single sign-on.

Remove PSC from SSO Domain

In this post we will learn how to decommission/remove a PSC from an SSO domain. I am covering the steps needed for the VCSA in this post. The steps for a Windows-based vCenter Server are very similar and are explained in VMware KB-2106736.

Why do I need to do so?

In my lab I was doing a lot of new things with PSC deployments and repointing my vCenter Server from one PSC to another. If you are new to repointing a vCenter Server amongst PSCs, please read the two articles below:

1: How to repoint vCenter Server 6.x between External PSC within a site

2: Repointing vCenter Server 6.0 to External PSC’s across sites

At present I have 3 PSCs, namely psc02.alex.local, psc03.alex.local and psc04.alex.local. I have one vCenter Server which was originally deployed with psc02 as its external PSC. First I moved my vCenter Server from psc02 to psc03 (they were in the same domain/site) and then I moved the VC from psc03 to psc04 (they were in the same domain but a different site).

In the output of the command below you can see which PSC is replicating to which other PSC:

Repointing vCenter Server 6.0 to External PSC’s across sites

In my last post I demonstrated how to move a vCenter Server from one PSC to another. In this article we will learn how to repoint vCenter Server 6.0 between Platform Services Controllers (PSCs) which are in the same domain but in different sites.

Before vSphere 6.0 U1, it was not possible to repoint a vCenter Server between PSCs that were in the same domain but not in the same site. With vSphere 6.0 U1, VMware made this possible by introducing a new utility called cmsso-util.

The VMware KB-2131191 article outlines the steps for achieving this goal. The steps outlined in the KB are for a vCenter Server with an external PSC deployment architecture.

Note: If you have an embedded vCenter 6.0, you can use cmsso-util to change the embedded deployment model to an external PSC model. The old PSC will be decommissioned during this process. Go ahead with this configuration only if you have no plans for using your old PSC again.

How to repoint vCenter Server 6.x between External PSC within a site

In this post we will learn how to repoint a vCenter Server with an external PSC to a new PSC. Before doing that, let's first understand PSC high availability.

As we know, with vSphere 6.0 VMware introduced the concept of the PSC. The PSC deals with identity management for administrators and applications that interact with the vSphere platform. The PSC contains common infrastructure services such as vCenter Single Sign-On (SSO), VMware Certificate Authority (VMCA) and licensing.

To know more about the PSC, please read VMware KB-2113115.

Since these important services reside within the PSC, it is very important to ensure 100% availability of the PSC server. The PSC can be made highly available by deploying 2 nodes and configuring a load balancer in front of them, so that in case of failure connections can be switched to the other node.

Now, what if you don't have a load balancer available to configure failover?

System Swap / Scratch Configuration in vSphere 6

When a host boots from Auto Deploy, it is very common to see the following alarms triggered on the ESXi host:

These alarms are triggered because the host booted in a diskless environment and there is no place where the system can store logs and similar data.

In this post we will focus on how to fix these issues. This article is mainly focused on configuring or changing the ESXi host swap and scratch partition configuration. We will start with system swap.

About System Swap

System swap is a memory reclamation process that can take advantage of unused memory resources across an entire system. In a memory contention situation, system swap allows ESXi to reclaim certain parts of memory that are not used for virtual machines. The reclaimed memory is written to a storage location.

When swap is enabled, you have a tradeoff between the impact of reclaiming the memory from another process and the ability to assign the memory to a virtual machine that can use it.

Troubleshooting the "You must be a member of SystemConfiguration.Administrators group" issue

Today while working in the lab I came across a situation where I had to enable/start a service, and when I logged into the Web Client with a user that has administrative privileges I was seeing the error:

This error was not new, as I had encountered it several times in the lab; I was skipping it by logging into the Web Client via the administrator@vsphere.local user. I never tried to find out why I was getting this error when my other user was part of the administrators group.

But today I was frustrated by this and decided to get rid of this error. A simple Google search landed me on this page, which helped me in troubleshooting the issue.

Configure Core Dump Settings On vSphere 6 Hosts

In this post we will look into how to configure core dump settings on ESXi hosts. But before doing that, let's talk a bit about what a core dump is.

What is Core Dump?

A core dump is the state of the working memory of an ESXi host at the time of a host failure such as a Purple Screen Of Death (PSOD). In the event of a PSOD, the state of the VMkernel memory is written to the configured dump location; when ESXi Dump Collector is in use, it is sent over the network to the server where the dump collector service is running. This server is typically your vCenter Server.

Core dump information is very important when it comes to identifying and troubleshooting the issue that made the ESXi host show a purple screen.

By default, a core dump is saved to the local disk. You can use ESXi Dump Collector to keep core dumps on a network server for use during debugging. The core dump resides in a diagnostic partition, and to create one we require at least 100 MB of free space on a locally or remotely available disk.

Configure Centralized Logging on ESXi 6 Hosts

In this post we will learn how to configure ESXi 6 hosts to send their logs to a centralized syslog server.

What is the purpose of configuring a syslog server?

As per VMware KB-2003322:

ESXi 5.0 and higher hosts run a syslog service (vmsyslogd) that provides a standard mechanism for logging messages from the VMkernel and other system components. By default in ESXi, these logs are placed on a local scratch volume or a ramdisk.

To preserve the logs further, ESXi can be configured to place these logs to an alternate storage location on disk and to send the logs across the network to a syslog server.

Retention, rotation, and splitting of logs received and managed by a syslog server are fully controlled by that syslog server. ESXi cannot configure or control log management on a remote syslog server.

How to configure ESXi hosts for centralized logging?

There are various ways to configure syslog settings on ESXi hosts.

Using Host Profile With Auto Deploy

Last week I wrote a post on Auto Deploy configuration in vSphere 6 and deployed an ESXi host using Auto Deploy. In this post we will learn about using host profiles with Auto Deploy for customizing ESXi hosts that will be installed via Auto Deploy.

But before we begin with creating host profiles, let's have a brief introduction to what a host profile is and what challenges we solve by using it.

What is a Host Profile and why use it?

A host profile is nothing but a configuration template designed to ensure that VMware hosts are configured in a consistent manner across your infrastructure. When an ESXi host is deployed in an infrastructure, there are dozens of settings that an administrator has to configure. These include (but are not limited to):

1: Configuring host networking: This includes creating VMkernel/VM port groups, assigning IPs to VMkernel port groups, deciding which port group will carry which kind of traffic, etc.

Host Profile Issue – Cluster Non Compliant – FT logging is not enabled

Recently while working with host profiles in my lab, I faced too many issues and was getting frustrated, and decided to pen down my frustration. Using host profiles was not new for me, but I guess I had not used them in the last 2 years and so had forgotten a bit about them.

The issue was that I had 2 of my hosts deployed via Auto Deploy and customized via a host profile, and both hosts were showing as compliant with the attached profile. It was the cluster that was unhappy, complaining about "FT is not supported" and "FT logging not enabled".

I had no intention of using FT in my lab and was looking to get rid of this issue. A simple Google search and I came across VMware KB-1017714, which explains how to get rid of this error.

We need to add the option "das.includeFTcomplianceChecks" to the HA advanced settings and set its value to false.