
Virtual machine power user

provides users restricted access to perform the following tasks:


- Create and consolidate VM snapshots
- Add/Remove virtual disks
- Snapshot Management

The following two roles can be modified:


- Network Administrator
- Datastore Consumer
Note: Default roles - Administrator, Read-Only, No Access, and Tagging Admin cannot be
modified.

A custom role without any assigned privileges will have these two privileges by default:
- System.View
- System.Anonymous

In order for a user to have the ability to manage snapshots for VMs, the privilege
Datastore.Allocate Space
- is required.

If an object has inherited permissions from two parent objects


the permissions are combined from both parent objects.

Data Center Folder


is the highest object level from which a VM can inherit privileges.

3 valid Authorization types


- Group Membership in vSphere.local
- Global
- vCenter Server

3 components to select when configuring vSphere permissions


- Inventory Object
- Role
- User/Group

Avoid adding members to these vSphere.local groups:


- SolutionUsers
- Administrators

To grant a user privileges that span vCenter Servers and vRealize Orchestrator within a PSC
domain
assign a Global Permission to the user

2 recommended methods to manage the VMware Directory Service:


- Utilize the vmdir command
- Manage through the vSphere Web Client

Sample roles that are provided with vCenter Server by default:


- Virtual Machine User
- Network Administrator
- Content Library Administrator
Also: Resource Pool Administrator, VMware Consolidated Backup User, Datastore Consumer,
Virtual Machine Power User

These 3 services can be enabled/disabled in the Security Profile for an ESXi host:
- CIM Server
- Direct Console UI
- Syslog Server

To use VMCA as an Intermediate Certificate Authority:


- Replace the Root Certificate (Intermediate CA)
- Replace Machine SSL Certificates (Intermediate CA)
- Replace Solution User Certificates (Intermediate CA)
- Replace the VMware Directory Service Certificate*
- Replace the VMware Directory Service Certificate in Mixed Mode Environments

3 options for ESXi Certificate Replacement:


- VMware Certificate Authority mode
- Custom Certificate Authority mode
- Thumbprint mode

When lockdown mode has been enabled on an ESXi 6.x host:


- a user granted administrative privileges in the Exception User list can login
- a user defined in the DCUI.Access without administrative privileges can login

When Strict Lockdown Mode has been enabled on an ESXi host, to allow ESXi Shell or SSH
access for users with administrative privileges
Add the users to Exception Users and enable the service

To mitigate security risks associated with having a common root account configured for a group
of ESXi 6.x hosts:
- set a complex password for the root account and limit its use
- use ESXi Active Directory capabilities to assign users the administrator role

Considerations if an AD domain group is configured for ESX Admins to allow administrative


access to an ESXi 6.x host:
- if administrative access for ESX Admins is not required (in the future), this setting can
be altered
- an ESXi host provisioned with Auto Deploy cannot store AD credentials

For VMs that are only hosted on a vSphere system, disable these advanced features:
- isolation.tools.unity.push.update.disable
- isolation.tools.ghi.launchmenu.change
- isolation.bios.bbs.disable
- isolation.tools.hgfsServerSet.disable
- isolation.tools.memSchedFakeSampleStats.disable
- isolation.tools.getCreds.disable
- isolation.tools.ghi.autologon.disable

To reduce attack vectors for a VM, set these 2 settings to false:


- ideX:Y.present
- serial.present

When attempting to increase the security of VMs:


- Disable hardware devices
- Disable unexposed features

ESXi 6.0 enforces password requirements for direct access. When you create a password, include
a mix of characters from four character classes: lowercase letters, uppercase letters, numbers,
and special characters.

retry=3 min=disabled,disabled,21,7,7 passphrase=2


- passphrase configuration for minimum of 21 characters, and minimum of 2 words

VimPasswordExpirationInDays
- advanced setting for the vCenter Server to change the expiration policy of the vpxuser
password

To secure existing VMs in vCenter Server:


- Restrict Remote Console access
- Prevent use of Independent Non-Persistent virtual disks

isolation.tools.setinfo.disable = true
can be used to prevent sensitive data from being written to the VM's configuration files

2 correct statements regarding vSphere certificates:


- ESXi host upgrades preserve the existing SSL certificate
- ESXi hosts have assigned SSL certificates from the VMCA during install

3 options for replacing vCenter Server Security Certificates:


- Replace with Certificates signed by the VMCA
- Make VMCA an Intermediate Certificate Authority
- Do not use VMCA, provision your own Certificates

If users are getting Incorrect Username/Password when trying to log into the vSphere Web
Client
- Users are typing the password incorrectly
- Users are in a forest that has 1-way trust

CAAdmins
group in vsphere.local domain has administrator privileges for the VMCA

Maximum Lifetime
PSC Password Policy determines the number of days a password can exist before the user
must change it.

Milliseconds
defines the time skew tolerance between a client and the domain controller clock for an SSO
token configuration policy.

VMware Security Token Service (STS)


issues Security Assertion Markup Language (SAML) tokens.

Valid Identity Sources when configuring vCenter Single Sign-On:


- OpenLDAP
- LocalOS

2 actions to accomplish the creation of an Integrated Windows Authentication (IWA) Identity


Source on a newly deployed VCSA:
- Use a Service Principal Name (SPN) to configure the Identity source
- Join the VCSA to Active Directory and configure the Identity Source with a Machine
Account

vga.vgaOnly = TRUE
Reduce Memory Overhead for Virtual machines with 3D graphics Option

128
Maximum Virtual CPUs per virtual machine (Virtual SMP)

2 features available for VMs configured with DirectPath I/O:


- Virtual Symmetric Multi-Processing (vSMP)
- Virtual Non-Uniform Memory Access (vNUMA)

A Subscription URL
is required in order to complete subscription when subscribing a Content Library to another
remote Content Library without authentication enabled.

Global
is the lowest level of permission hierarchy for a role, in order to grant a user access for only
creating a Content Library for a single vCenter Server.

Assign the read-only role at the global permission level


for Content Libraries to be visible to a user.

The files (contained on the backing storage) will be deleted
when a Content Library is deleted.

3 connection types supported between a remote site and vCloud Air:


- Secure Internet Connectivity
- Direct Connect
- Secure VPN

Virtual machines (replicated objects)


can be directly monitored and managed when subscribed to the vCloud Air Disaster Recovery
service.

When adding an identity source of type Active Directory as an LDAP Server, the correct value for
Domain alias = The domain's NetBIOS name

When changing settings on a vSphere Distributed Switch (vDS), if you get This host currently
has no management network redundancy due to misconfiguration
The host will automatically detect the communication issue and revert the change

Promiscuous
secondary Private VLAN (PVLAN) type can communicate and send packets to an isolated
PVLAN.

3 traffic types that can be configured for dedicated VMkernel adapters:


- vMotion traffic
- vSphere Replication NFC traffic
- Provisioning traffic

2 limitations of LACP on a vSphere Distributed Switch:


- Software iSCSI multipathing is not compatible
- It does not support configuration through Host Profiles

2 features deprecated in NIOC3:


- Class of Service (COS) Tagging
- User-defined network resource pools

esxcli storage core device list


Status: off
- The device is in a Permanent Device Loss (PDL) state

2 use cases for Fibre Channel Zoning in a vSphere Environment:


- Controls and isolates paths in a fabric
- Can be used to separate different environments

Considerations when booting from Software Fibre Channel over Ethernet (FCoE):
- Multipathing is not supported at pre-boot
- Boot LUN cannot be shared with other hosts even on shared storage

Spanning Tree Protocol being enabled on the network ports


is a likely cause of an All Paths Down (APD) event occurring for the Software FCoE storage.

2 true statements regarding iSCSI adapters:


- Software iSCSI adapters require VMkernel networking
- Independent Hardware iSCSI adapters offload processing from the ESXi host

Configuring VMs to use WWPNs to access the storage, 2 conditions are required:
- The switches in the fabric must be N-Port ID Virtualization aware
- The VMs must be using pass-through RDM (RDMp)

2 true statements regarding VMFS3 volumes in ESXi 6.x:


- Creation of VMFS3 volumes is unsupported
- Upgrading of VMFS3 volumes to VMFS5 is supported

3 correct statements regarding FCoE:


- The network switch must have Priority-based Flow Control (PFC) set to AUTO
- Each port on the FCoE card must reside on a separate vSwitch
- The ESXi host will require a reboot after moving an FCoE card to a different vSwitch

2 true statements regarding Virtual SAN Fault Domains:


- They enable Virtual SAN to tolerate the failure of an entire physical rack
- Virtual SAN ensures that no 2 replicas are provisioned on the same domain

A 6 node VSAN cluster, with 3 nodes in a fault domain, if a member of the fault domains fails
the remaining two fault domain members are treated as failed

VSAN Fault Domain is configured in the


VMware Virtual SAN Cluster configuration

VMW_PSP_MRU will have no preferred path setting for the Plug-In

2 tasks the Pluggable Storage Architecture (PSA) performs:


- Handles I/O queueing to the logical devices
- Handles physical path discovery and removal

2 true statements regarding Storage Multipathing Plug-Ins:


- The default Path Selection Policy is VMW_PSP_FIXED for iSCSI or FC devices
- VMW_PSP_MRU is typically selected for ALUA arrays by default

To list multi-pathing modules on an ESXi 6.x host


esxcli storage core plugin list --plugin-class=MP

2 solutions which require Physical Mode RDM:


- Direct access to the storage array device
- Guest Clustering across ESXi hosts

A device's VAAI support status command line output shows


Status: unsupported
Clone Status: unsupported
Zero Status: unsupported
Delete Status: unsupported
- the corresponding VAAI support status in the vSphere Web Client is
Unknown

vSphere Web Client > Increase Datastore Capacity > Select Device -
Capacity X GB, Expandable = Yes
- result
Datastore will grow up to X GB using the remaining free space on the device

VM activity on an ESXi 6.0 host is negatively affecting a VM on another host using the same
VMFS datastore. To mitigate the issue
Enable SIOC

2 conditions which could explain problems configuring SIOC on a datastore:


- A host is running ESXi 4.0
- An ESXi host does not have appropriate licensing

3 requirements for configuring SIOC:


- The datastore must consist of only one extent
- The datastore is managed by a single vCenter Server
- Auto-tiered storage must be compatible with SIOC

To provide Load Balanced I/O for an EqualLogic Array (SATP = VMW_SATP_EQL), set the
Path Selection Policy = Round Robin (VMware)

After running
esxcli storage nmp psp roundrobin deviceconfig set --useano=0 -d naa....
- the expected effect
I/O will rotate on all storage targets that are Active Optimized state only
Note: useano = Use Active-Non-Optimized, and the setting 0 turns it off.

If upgrading an ESXi 5.5 host to ESXi 6.x you get the following error MEMORY_SIZE
(there is) Insufficient memory on the ESXi host to complete the upgrade

Display the Installed VIBs and Profiles That Will Be Active After the Next Host Reboot
For VIBs: esxcli --server=server_name software vib list --rebooting-image
For Profiles: esxcli --server=server_name software profile get --rebooting-image

Syntax for silent automatic upgrade of VMware Tools on a Windows VM:


setup.exe /s /v "/qn" /l "c:\Windows\filename.log"

The installation kickstart script (ks.cfg) to upgrade an ESXi 6.x host can reside in any of these
locations:
- HTTP/HTTPS
- NFS
- USB
- FTP
- CD/DVD

boot.cfg
determines the location of the installation script during a scripted upgrade

3 supported methods to upgrade a host from ESXi 5.x to ESXi 6.x:


- vSphere Update Manager
- esxcli
- vSphere Auto Deploy

2 supported tools to upgrade VM hardware:


- vSphere Web Client
- vSphere Update Manager

3 recommended prerequisites before upgrading VM hardware:


- Create a backup or snapshot of the virtual machine
- Upgrade VMware Tools to the latest version
- Verify that the virtual machine is stored on VMFS3, VMFS5 or NFS datastores

Minimum Recommended Hardware Requirements for Installing vCenter Server on Windows:


Large Environment (1000 ESXi hosts and 10000 VMs) 16 CPUs and 32 GB RAM
Note: This is 2 ^ 4 CPUs and 4 * 8 GB RAM

Once you have upgraded a Distributed vCenter Server environment from 5.5 to 6.0, the next step

vCenter Inventory Service must be manually stopped and removed

If vCenter Server upgrade fails at the vCenter Single Sign-On installation, to complete the
upgrade:
Verify that the VMware Directory Service can stop by manually restarting it

During a vCenter Server upgrade, if an ESXi 6.x host in a HA cluster fails


HA will fail the virtual machines over to an available host during the vCenter Server
upgrade process

Prerequisite action before upgrading a vCenter Server Appliance


Install the Client Integration Plug-in

You may encounter this error whilst upgrading vCenter Server -


The DB User entered does not have the required permissions needed to install and configure
vCenter Server with the selected DB if:
- The database is set to an unsupported compatibility mode
- The permissions for the database are incorrect

As part of an upgrade from a Distributed vCenter server running 5.x, the following 2 vCenter
Server services are migrated automatically as part of the upgrade:
- vSphere Web Client
- vSphere Inventory Service
Note: Also in the group of services migrated vSphere Auto Deploy, vSphere Syslog Collector,
vSphere ESXi Dump Collector.

esxcli
command line utility can be used to upgrade an ESXi host

To identify an issue which occurred during the pre-upgrade phase of a vCenter Server upgrade
process
vcdb_req.out (pre-upgrade checks)

3 true statements regarding restoring a Resource Pool Tree:


- Restoring a snapshot can only be done on the same cluster from which it was taken
- No other resource pools can be present in the cluster
- Restoring a resource pool tree must be done in the vSphere Web Client

If you create a resource pool with a Memory Limit of say 24 GB, and it has 3 VMs, with 16/6/4
GB RAM respectively (26GB)
only 2 of the 3 VMs can power on

Example on Memory Reservation:


12GB: DRS Cluster
8GB Expandable: Resource Pool TestDev
> 1GB Expandable: Resource Pool Test (child of TestDev)
-- 1GB on Test-VM1 (ON)
-- 1GB on Test-VM2 (OFF)
> 4GB Expandable: Resource Pool Dev (child of TestDev)
-- 2GB on Dev-VM1 (ON)
-- 2GB on Dev-VM2 (OFF)
A virtual machine can be powered on in the Test Resource Pool with a 6GB Memory
Reservation.

Example on CPU Shares:
DRS Cluster
Resource Pool Production: CPU Shares HIGH
-- Prod-VM1: HIGH
-- Prod-VM2: NORMAL
Resource Pool Test: CPU Shares LOW
-- Test-VM1: HIGH
-- Test-VM2: NORMAL
Note: All VMs have 1 vCPU and are powered on.
Under CPU contention, Prod-VM1 receives four times the CPU resources of Test-VM1
Note: HIGH is 4 x LOW.

vSphere Replication protects VMs from partial or complete site failures by replicating the VMs:
- From a source site to a target site
- From within a single site from one cluster to another
- From multiple source sites to a shared remote target site

2 capabilities the vSphere Replication Client Plug-in provides:


- Configure connections between vSphere Replication Sites
- Deploy and register additional vSphere Replication Servers

VRM remote.Manage VRM


privilege is needed at both sites for a vSphere Replication user to connect a source site to a
target site

3 parameters that should be considered when calculating the bandwidth for vSphere Replication:
- Data change rate
- Traffic rates
- Link speed

PKCS#12 file format


is required when importing an existing SSL certificate into vSphere Replication Server

A vSphere Replication administrator would manually add an additional Certificate Authority


certificate to the
hms-truststore.jks keystore

24
is the maximum number of snapshot instances in vSphere Replication that can be configured
to recover a VM at a specific point in time.

FastLZ
is the compression algorithm used by vSphere Replication to compress data at the source.

Via -
vSphere Web Client > Cluster Actions Menu > Storage option
- create a VVOL on an existing VVOL container

Example on New Datastore Wizard:


New Datastore > Partition configuration >
Partition Layout: Capacity = 200GB
Partition Configuration = Use all available partitions
Datastore Size = 100GB
100GB VMFS5 datastore with free space available for expansion
will be created upon completion of the steps in the wizard.

The host's CPU hardware does not support the cluster's current Enhanced vMotion
Compatibility mode. The host CPU lacks features required by that mode
the ESXi host CPU has the Intel No-Execute feature disabled

Example on VSAN:
If we have 5 HDD, but one is Not supported, so 4 HDD.
And 2 SSD (Flash)
2 combinations of devices which could be used to create Disk Group(s):
- One Disk Group with 1 Flash Drive and 3 HDDs
- Two Disk Groups with 1 Flash Drive and 2 HDDs each
Note: For One Disk Groups need a HDD spare
Note: For Two Disk Groups need sufficient drives

Unable to start the vCenter Server service, so check the vpxd.log file and see:
CoreDump: Unable to write minidump There is not enough space on the disk
There is insufficient space on the vCenter Server!

After deploying vSphere Platform Services Controller (PSC), you are unable to install vCenter
Server. The error is:
Could not contact Lookup Service. Please check VM_ssoreg.log
2 actions to correct this problem:
- Verify that the clocks on the host machines running the PSC, vCenter Server, and the
vSphere Web Client are synchronized
- Ensure that there is no firewall blocking port 7444 between the PSC and vCenter Server

vCenter Server installation will fail if trying to install on


Windows Server 2008

3 ports used by the vSphere Web Client when connecting directly to an ESXi 6.x host:
- 443 TCP
- 902 TCP and UDP
- 903 TCP

vSphere Web Client connection error -


Could not connect to one or more vCenter Server Systems https://vCenter.corp.com:443/sdk
- reasons preventing communication with this vCenter Server:
- The vCenter Server machine is not responding via the network
- An incorrect entry for this vCenter Server exists in the Single Sign-On service
- The SSL certificates do not match the FQDN address for the server

vSphere Web Client use Windows Session Authentication check box requires:
- Install the vSphere Web Client Integration browser plug-in on each workstation from
where a user will sign in
- The users must be signed into Windows using Active Directory user accounts
- The administrator must create a valid Identity Source in Single Sign-On for the users' domain

3 likely causes contributing to an administrator being unable to see performance statistics for
only the Past Week performance data, with vCenter Server using Microsoft SQL Database:
- Performance statistics are turned off
- The Past Day rollup job is not present
- The stats_rollup_1_proc is not present

An ESXi 6.x host in vCenter Server Inventory has disconnected due to an APD situation. After
correcting the APD issue on the host, next action
Select Restart Management Agents from the DCUI

Time on an ESXi 6.x host is incorrect. 2 actions to correct:


- Modify the time for the host using the vSphere client
- Correct the NTP settings in the /etc/ntp.conf file

esxcli network nic list


shows the Physical Uplink status for a vmnic
Note: This command will list the Physical NICs currently installed and loaded on the system.

To change the root password for an ESXi 6.x host, 2 ways this can be accomplished:
- Use the DCUI to change the password
- Use the passwd command in the ESXi Shell

Press the F12 key


to shutdown the ESXi 6.x host via the DCUI

If you can manage an ESXi 6.x host connected to vCenter Server using the vSphere Web Client,
but are unable to connect to the host directly
Disable Lockdown Mode on the ESXi host through vCenter Server

If a new custom ESXi firewall rule using an XML file has been created, and it does not appear in
the vSphere Web Client
Load the new rules using esxcli network firewall refresh

In order to see two vCenter Servers within a single vSphere Web Client session, two vCenter
Server and PSC configurations that would accomplish this:
- Install a single PSC with two vCenter Servers registered to it
- Install two PSCs in the same Single Sign-On domain with one vCenter Server registered
to each PSC

If the vSphere Client is directly connected to the ESXi host


the Clone option will be missing

To successfully power on a VM while connected to an ESXi host using SSH


vim-cmd vmsvc/power.on {VMID}

If the .nvram file is deleted from a powered off VM


the .nvram file will get created the next time the VM is powered on.

If an administrator tries to connect the vSphere 5.5 Client to an ESXi 6.x host
The operation will prompt the administrator to run a script to upgrade the vSphere
Client

If a new ESXi 6.x host is Not Responding in the vSphere Web Client, this can be caused by a
network firewall blocking traffic to port
902 (UDP)

Troubleshooting network communications between the vCenter Server and the ESXi 6.x host,
review this log:
/var/log/vpxa.log

Slow performance of the vCenter Inventory Service.


In the wrapper.log file we have an error Exception . Java.lang.OutOfMemoryError Java
heap space.
Increase the memory resources of the vCenter Server

If a VM has unexpectedly powered off - to troubleshoot - review these logs:


- vmware.log
- hostd.log

2 reasons why a VM can appear as orphaned:


- A VMware High Availability host failure has occurred
- The virtual machine was unregistered directly on the host

The minimum VM Hardware version required for vFlash Read Cache is:
Version 10

3 reasons why a VM might fail to power on:


- The VM is running on an ESXi host which has an expired license
- The VM is running on a datastore which has insufficient disk space for the .vswp file
- The VM is in a cluster with vSphere HA Admission control enabled

voma
is the command line utility that checks for VMFS5 metadata corruption

2 reasons why a local flash device would be unavailable for use with VSAN:
- it has a VMFS datastore present
- it is in use by the vFlash Read Cache feature

3 troubleshooting actions an administrator should take to address slow performance when


deploying a VM template:
- Increase network throughput by adding additional uplinks to the vSwitch
- Change the destination datastore or volume for the VM template
- Configure a Provisioning Traffic VMkernel port to perform the deployment operation

When attempting to remove a host from a vSphere Distributed Switch (vDS), you receive this
error -
The resource is in use
- 2 reasons why this error might be displayed:
- VMkernel network adapters on the vDS are in use
- VM network adapters are connected to the vDS

If you suspect the MTU value for a vSphere Standard Switch is misconfigured, 2 commands to
determine the value:
- esxcfg-vswitch -l
- esxcli network vswitch standard list

Attempted deletion of an NFS datastore generates the error:


Sysinfo error on operation returned the following status: Busy
To complete the deletion
Storage vMotion any VMs on the datastore to another location

If the df -h command shows an NFS datastore reporting a capacity of 0 bytes


The NFS server on which the datastore resides is down

The command esxcli network vm list shows 4 VMs connected to a Production vSwitch, but the
vSphere Web Client shows 5 VMs, this is because
The 5th VM is currently powered off.

An administrator is experiencing network connectivity issues between VMs. 3 settings the


administrator should investigate:
- VLANs of the physical NICs
- Failover order of the uplinks
- Virtual NIC connectivity to the dvSwitch

A task to create a VMFS5 datastore fails. The datastore was previously used by a Linux server,
and not erased. To resolve the issue
Delete the partitions on the disk manually with partedUtil first
Note: Same if the disk was formatted with Master Boot Record (MBR) partition table (Windows).

2 reasons that would prevent SDRS from operating on a datastore:


- The datastore has SIOC disabled
- The datastore is connected to an unsupported host

2 ways to view the DNS settings for an ESXi 6.x host:


- Use the vicfg-dns command from the vSphere Management Appliance
- View the /etc/resolv.conf file on the ESXi host

If after configuring a VSAN cluster, you notice the VSAN datastore is smaller than expected (i.e.
100GB instead of 300GB)
There is a network problem with the VSAN vmkernel ports

vCenter Server Appliance 6.0 does not support upgrades from 5.1 U2

After upgrading a VCSA from version 5.5 to 6.x, using DHCP to obtain hostname, and then
configuring static IP and hostname. Immediately after the change, to prevent service failures
Regenerate the SSL certificates

An administrator is unable to patch an ESXi 6.x host using VMware Update Manager, an
alternative option for patching the host
Upload the offline bundle to a datastore and execute the command esxcli software vib
install -d to apply it manually

3 logs to review to troubleshoot vCenter Server upgrade failure:


- vminst.log
- vim-vcs-msi.log
- pkgmgr.log

Trying to update an ESXi 6.x host using


esxcli software vib update -d update.zip
- does not work with error Could not download
add the full file path to the command

Failed upgrade from vCenter Server 5.x to 6.0


00800 error Database version is incompatible with this release of VirtualCenter
- the problem is
there was a database schema upgrade failure during the installation

3 ESXTOP counters that may demonstrate CPU contention:


- %RDY
- %MLMTD
- %CSTP
Note:
%RDY = The percentage of time the world (VM) was ready to run, but has not yet been
scheduled for CPU time due to contention with other worlds (VMs).
%MLMTD = The percentage of time the world was ready to run but deliberately wasn't
scheduled because that would violate the "CPU limit" settings.
%CSTP = The percentage of time the world spent in ready, co-deschedule state.

If, for a VM, the CPU usage is consistently > 90%, and CPU ready value is consistently > 20%,
and application performance is impacted; to improve the performance of the VM:
- Verify the VMware Tools is installed on every virtual machine on the host
- Increase the CPU shares assigned to the virtual machine

A VM CPU issue seen in ESXTOP:


- CPU0 is at 100% usage
- other CPUs close to 0%
- %RDY value is consistently above 10%
=> The VM has CPU affinity configured

8 out of 10 VMs have memory ballooning and swapping.


VM 9 is not ballooning or swapping.
VM 10 is not ballooning but is swapping.
=> VM 9 has a 100% memory reservation
=> VM 10 does not have VMware Tools

2 badges in vRealize Operations which would help identify possible VM resource contention
concerns:
- Health > Workload
- Risk > Stress

A VM is exhibiting symptoms:
- Memory usage: constantly high (94% +) or constantly low (24% -)
- Free Memory: consistently 6% or less
- swapping frequently occurs
3 solutions to correct:
- Verify that VMware Tools is installed on each VM
- Decrease the memory reservation setting, if much higher than active memory
- Add physical memory to the host
Note: See https://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.monitoring.doc%2FGUID-115861E6-810A-43BB-8CDB-EE99CF8F3250.html

If concerned about possible vCPU over-commitment for an ESXi 6.x host, review these 2
Performance Counters in vSphere Web Client Performance Charts to confirm if there is
contention on the host:
- Ready
- Co-Stop

To use ESXTOP to troubleshoot CPU performance issues
in esxtop, press f and place an asterisk next to each field that should be displayed

In ESXTOP - SlowVM has:


NWLD  %USED  %RUN  %SYS  %WAIT  %VMWAIT  %RDY  %IDLE  %OVRLP  %CSTP  %MLMTD  %SWPWT
10    202    203   0     589    0        163   0      0       61     0       0
3 actions to improve CPU performance for SlowVM
- Decrease the number of vCPUs assigned to SlowVM
- Power off other VMs running on the same ESXi host
- Move SlowVM to another ESXi host with more physical CPU resources available

In ESXTOP - SlowVM has:


NWLD  %USED  %RUN  %SYS  %WAIT  %VMWAIT  %RDY  %IDLE  %OVRLP  %CSTP  %MLMTD  %SWPWT
7     4      4     0     616    0        97    0      0       0      97      0
Option to improve application performance for SlowVM virtual machine:
- Increase the CPU limit assigned to SlowVM

An administrator notices that a Windows VM is using 95% CPU in Task Manager. Two actions
to resolve:
- Increase the CPU Shares on the resource pool where the VM resides
- Increase the CPU limit on the resource pool where the VM resides

High Performance
is a Host Power Management Policy for an ESXi 6.x host that will disable most hardware
power management features.

To monitor VMs on a host and send notifications when memory usage reaches 80%, create in
vCenter
a vCenter Server alarm that will monitor VM memory usage and set an action to email
the notification

fdm.log
is the name of the High Availability agent log

vSphere Standard
is the minimum licensed edition that supports VM Fault Tolerance

For VM Fault Tolerance:


vSphere Standard and Enterprise allows up to 2 vCPUs
vSphere Enterprise Plus allows up to 4 vCPUs

A datastore in a datastore cluster cannot enter maintenance mode. The Entering Maintenance
Mode status remains at 1%. Cause: One or more disks on the datastore cannot be migrated with
Storage vMotion. This condition can occur in the following instances.
- Storage DRS is disabled on the disk.
- Storage DRS rules prevent Storage DRS from making migration recommendations for the
disk.

2 likely causes for a DRS cluster to become unbalanced:
- Affinity rules are preventing VMs from being moved
- A device is mounted to a VM preventing vMotion

2 scenarios that would cause an FT enabled VM to fail to power the Secondary VM:
- The host has entered a Network Partitioned state
- vSphere HA is disabled on the host cluster

An administrator notices vSphere DRS indicates Imbalanced. vMotions are working (Total
vMotion Migrations > 100), and there is plenty of resource availability on the cluster (10% CPU
utilization, 60% memory utilization). 3 potential causes of the cluster imbalance:
- A local device is mounted to one or more of the VMs
- DRS rules prevent VMs from being moved
- DRS has been configured for a conservative migration threshold

In vRealize Operations, a VM has a Workload is highest by CPU alert, and in the Risk pane it
effectively says:
Increase the number of vCPUs for the VM

A vSphere Auto Deploy rule can identify target hosts by:


- SMBIOS information
- BIOS UUID
- boot MAC address
- Vendor
- Model
- fixed DHCP IP address

Auto Deploy hosts have been configured to obtain their networking configuration via DHCP.
To renew the DHCP lease for the hosts via the DCUI
Restart Management Network

Export-EsxImageProfile
can be used to ensure Auto Deploy image profiles are preserved (exported and available)
across PowerCLI sessions.

2 valid (Auto Deploy) compliance results that indicate the need to apply a Host Profile:
- Non-compliant
- Unknown

After Auto Deploying ESXi hosts connected to a vSphere Distributed Switch, it is noticed that
LACP packets are not being sent between them. This is because
The LACP support settings do not exist in the host profile

Using VMware Converter against a Windows Server that contains one NTFS formatted
volume, the number of virtual disks that can be added to the destination VM = 0

Using VMware Converter to create a VM with smaller virtual disks than the original physical
server
use VMware Converter hot cloning with volume-based cloning at the file level

To recover disk space on a previously-used thin provisioned virtual disk, and disk blocks are on a
VAAI-compliant storage array, two actions to accomplish this:
- Use VMware Converter to migrate the VM to a new datastore
- execute the esxcli storage vmfs unmap command

Example on CPU Reservation:


16 GHz: DRS Cluster
6 GHz Fixed: Resource Pool Production
> 2 GHz Fixed: Resource Pool Web (child of Production)
-- 1 GHz on Web-VM1 (ON)
> 2 GHz Expandable: Resource Pool DB (child of Production)
-- 1 GHz on DB-VM1 (ON)
A VM can be powered on in the DB Resource Pool with a 3 GHz CPU Reservation

To set a non-default isolation address of 192.168.1.2 for HA, the advanced setting to accomplish
this is:
das.isolationaddress0=192.168.1.2

vSphere HA calculates the memory slot size of a VM:


Virtual machine memory reservation + overhead of largest virtual machine

The number of vSphere HA heartbeat datastores for this host is 1, which is less than required:
2. 2 actions to clear:
- Set the advanced High Availability parameter das.ignoreInsufficientHbDatastore to true
- Add a shared datastore and reconfigure High Availability

120 seconds
is the VM Monitoring I/O stats interval default value in a vSphere HA cluster.

An administrator enables HA on a Virtual SAN cluster. We have four VMkernel port groups for:
Management, vMotion, Virtual SAN, and Fault Tolerance
the Virtual SAN IP address is used for (VSAN) HA traffic.

To configure a HA cluster to allow VMs a 10-minute window to shut down in the event of a Host
isolation incident:
- Set the advanced option das.isolationshutdowntimeout = 600
- Configure Host Isolation Response to Shut Down and Restart VMs

A vSphere 6 HA cluster with default settings, and 4 VMs with these restart priorities: High,
High, Medium, Low. The number of VM Overrides to be defined at cluster level to meet the
restart priorities is
2

Two settings required for VMCP to protect from APD and PDL:
- Host Monitoring
- VM Restart Priority


Tuesday, 16 August 2016


VCP6-DCV Exam Cram Notes: Section 10 of 10

Section 10: Administer and Manage vSphere Virtual Machines


When deploying multiple Windows 2003 virtual machines from the same template, to avoid
network conflicts...
... Customize the guest operating system
... Copy the Microsoft Sysprep tools onto the vCenter Server system

Objective 10.1 - Configure Advanced vSphere Virtual Machine Settings

Identify available virtual machine configuration settings:


- VM Hardware (pure vSphere 6 environment, upgrade to version 11)
- Guest Operating System
- VMware Tools: upgrade automatically or not
- Virtual CPU
-- up to 128 cores
-- specify hot-add or not
-- set Hyperthreading Sharing Mode (Any, None or Internal)
-- set limits, reservations and shares
- Virtual Memory
-- up to 4TB of RAM
-- specify hot-add or not
-- specify memory allocation with a NUMA node
-- set limits, reservations and shares
- Swap file location (Default, Virtual machine directory, Datastore specified by host)
- Network Adapters
- Parallel and Serial Port devices
- Fibre Channel NPIV settings
- Hard Disks
-- different types of SCSI controllers
-- 3 provisioning types (thin, lazy zeroed and eager zeroed)
-- Raw Device Mappings (RDMs)
-- Disk shares
- CD/DVD drives
- Floppy drives

Two options for changing the virtual machine swap file location...
... Store in the host's swapfile datastore
... Always store with the virtual machine

Interpret virtual machine configuration files:


.vmx - Virtual machine configuration file
.vmxf - Additional configuration file
.nvram - Stores the BIOS state
.log - Log file for the VM
.vmdk - Descriptor file for a virtual disk
-flat.vmdk - Data disk file
-delta.vmdk - Snapshot data disk files
.vswp - Memory swap file
.vmss - Stores state when the vm is suspended
.vmsd - Snapshot file; stores metadata
.vmsn - Stores state of the vm during snapshot
.ctk - used for changed block tracking

Identify virtual machine DirectPath I/O feature:


DirectPath I/O allows a VM to access the physical PCI functions
- you can have up to 6 PCI devices that a VM can access
- DirectPath I/O does not support:
-- can't hot-add to the VM
-- no HA support
-- no FT support
-- snapshots are not supported
-- no vMotion
- DirectPath I/O is enabled on the VM by selecting the PCI device that you want to pass through

Objective 10.2 - Create and Manage a Multi-Site Content Library

Configure Content Library to work across sites:


vCenter Inventory lists -> Content Libraries
Content Library -> Actions -> Edit Settings... -> Tick Publish this library externally

Content Library authentication:


vCenter Inventory lists -> Content Libraries
Content Library -> Actions -> Edit Settings... -> Tick Enable user authentication for access
to this library -> Enter password
Note: Error - The Sync Library operation failed ... Any sites subscribed to this content prior
to enabling authentication, will need to be re-configured.

Set/Configure Content Library roles:


- To control permissions/roles on a content library you need to set the permission on the root
level
Administration -> Global permissions -> + -> Add...
Assigned Role: Content Library Administrator

Content Library Administrator can:


- Create, edit and delete local or subscribed libraries
- Synchronize a subscribed library and synchronize items in a subscribed library
- View the item types supported by the library
- Configure the global settings for the library
- Import items to a library
- Export library items

Types of Content Library:


- Local content library
- Subscribed content library

Storage for your content library can be:


- local system path
- location to an NFS share
- an existing datastore

Objective 10.3 - Configure and Maintain a vCloud Air Connection

Identify vCenter Server and vCloud Air connection requirements:


- To connect vCenter Server and vCloud Air you'll need vCloud Connector (VCC)
- VCC provides you with a single interface to manage many public and private clouds
- VCC lets you sync your content library to vCloud Air
- VCC provides offline data transfer from your private datacenter to vCloud Air
- VCC allows for datacenter extension
- VCC user interface comes in the form of a vCenter plugin and is available in the Web Client
- VCC server is an appliance deployed in the private datacenter and handles communication to
vCloud Air
- VCC nodes are responsible for data transfer between private datacenter and vCloud Air
instance

Requirements before you can install VCC in your private datacenter:


Note: VCC is already in your vCloud Air instance (taken care of by VMware)
- vSphere and vSphere Client 4.0 U3 or higher
- For datacenter extension with VCC, need vShield Manager 5.1.2 or higher
- IE 8 or 9, or Chrome 22 or 23
- Ports: 80, 443, 8190, 5480

Configure vCenter Server connection to vCloud Air:


- Deploy the VCC OVA
- Navigate to https://VCC_NAME_or_IP:5480
- Default login is admin / vmware
- via vCenter tab configure vSphere Web Client extension*
*registers VCC extension in vSphere Web client
- deploy VCC node in your vSphere environment (same OVA as for VCC)
- via Nodes tab configure connection to the deployed Nodes

Connection types to vCloud Air network:


- Standard Connection: over internet and IPsec VPN, point-to-point
- Dedicated Connection: secure private link, point-to-point or multi-point

Configure replicated objects in vCloud Air Disaster Recovery services:


- requires vSphere Replication
- need to connect vSphere Replication to a Cloud provider*
*requires the address for your cloud provider
Note: Ensure the Cloud Connection State shows Connected
- complete configuration in the vSphere Web Client -> Replicate to a cloud provider
