
Exclude Virtual Machine Hard Disk from Snapshot

A virtual machine hard disk in vSphere v.5 or v.6 can be configured in three different modes:

  • Dependent: the default disk mode. The disk is included in snapshots.
  • Independent – Persistent: Changes to the disk are immediately and permanently written to disk. The disk is not included in snapshots.
  • Independent – Nonpersistent: Changes to the disk are discarded when the VM is powered off. The disk is included in snapshots.

To change a VM hard disk to Independent – Persistent mode in vSphere v.6 Web Client:

  • Power off the VM
  • Delete any snapshots that currently exist
  • Right-click the VM and click Edit Settings
  • Under Virtual Hardware tab, expand the hard disk
  • In Disk Mode, select Independent – Persistent
  • Click OK

To verify that a VM hard disk is excluded from snapshots:

  • Take a snapshot of the VM
  • Right-click on the datastore storing the VM and click Browse Files
  • Browse to the VM folder
  • If the disk is not set to Independent – Persistent mode, a VM-00001.vmdk file is created for the disk
  • If the disk is set to Independent – Persistent mode, this file will not be created
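
The disk mode set in the procedure above is also recorded in the VM's .vmx file, so you can see which disks a snapshot will not capture without taking one. The script below is an added example, not part of the original post; it assumes the .vmx convention of a <controller>:<unit>.mode key per disk and runs on a constructed sample file.

```sh
#!/bin/sh
# Constructed sample .vmx fragment: a default disk, an independent disk, a CD-ROM.
write_sample_vmx() {
    cat > "$1" <<'EOF'
scsi0.virtualDev = "pvscsi"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "VM.vmdk"
scsi0:1.present = "TRUE"
scsi0:1.fileName = "VM_1.vmdk"
scsi0:1.mode = "independent-persistent"
ide1:0.deviceType = "cdrom-image"
ide1:0.fileName = "/vmfs/volumes/ds1/iso/tools.iso"
EOF
}

# Print "device<TAB>file<TAB>mode" for every .vmdk the VM references.
# A disk with no explicit mode key is reported as dependent, the default.
vmx_disk_modes() {
    awk -F' = ' '
        { gsub(/"/, "", $2) }    # strip the quotes around the value
        $1 ~ /\.fileName$/ && $2 ~ /\.vmdk$/ { d = $1; sub(/\.fileName$/, "", d); file[d] = $2 }
        $1 ~ /\.mode$/                       { d = $1; sub(/\.mode$/, "", d); mode[d] = $2 }
        END {
            for (d in file)
                printf "%s\t%s\t%s\n", d, file[d], (d in mode) ? mode[d] : "dependent"
        }' "$1" | sort
}

# Print the files of disks set to independent-persistent, the mode the
# procedure above uses to keep a disk out of snapshots.
vmx_disks_excluded_from_snapshots() {
    vmx_disk_modes "$1" | awk -F'\t' '$3 == "independent-persistent" { print $2 }'
}

# Demo on the constructed sample.
sample=$(mktemp)
write_sample_vmx "$sample"
vmx_disk_modes "$sample"
rm -f "$sample"
```

On a host, pass the path of the VM's real .vmx file on the datastore instead of the sample.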

ESXi VMkernel Port “Management traffic” Checkbox

Here is the screenshot of the services that can be enabled on an ESXi v.6 VMkernel NIC port.

All these services look very self-explanatory, until I did some research on ESXi management redundancy and discovered this post.

Here is a quick summary of the post, plus other things I learned about the VMkernel port.

  • The “Management traffic” checkbox does nothing but enable that VMkernel NIC for HA heartbeat traffic.
  • It has nothing to do with the management of the ESXi host. When the checkbox is not checked, you can still manage the ESXi host via vCenter Server, or SSH to the ESXi host, using the IP address associated with the VMkernel port.
  • Why isn’t there a checkbox for iSCSI or NFS traffic?
    • Answer: any VMkernel port can talk to iSCSI or NFS storage. There is no need to enable the service.
  • Prior to vSphere 6, only one default gateway is defined for the ESXi host in the GUI (ESXi 5.5 allows adding additional TCP/IP stacks, including default gateway & DNS, in the CLI). All VMkernel ports use the same default gateway for traffic that is not local to each VMkernel port’s subnet.
  • Here is the screenshot in vSphere 5.5: only one default TCP/IP stack.
  • Here is the screenshot in vSphere 6: three TCP/IP stacks by default. Each can have a different default gateway. Additional custom TCP/IP stacks still need to be created by CLI.

Hold Off Upgrading ESXi 5.5 with VSAN to ESXi 6.0

If you are running ESXi 5.5 with VSAN, DO NOT upgrade the ESXi host from 5.5 to 6.0. Mixing ESXi 5.5 and 6.0 in the VSAN cluster during the host upgrade can cause permanent data loss. See VMware KB2139969 for more information. As of December 25, 2015, no fix is available yet.

If you have to upgrade to ESXi 6.0 now, the safe approach is to migrate the VMs on the VSAN to other non-VSAN storage prior to the upgrade.

Windows Server Message Block (SMB) Protocol

Versions

There are several different versions of SMB used by Windows operating systems:

| SMB Version | Operating System | Note |
|---|---|---|
| CIFS | Windows NT | superseded by SMB1 |
| SMB 1.0 (or SMB1) | Windows 2000, XP, Server 2003, Server 2003 R2 | |
| SMB 2.0 (or SMB2) | Windows Vista (SP1 or later), Server 2008 | |
| SMB 2.1 (or SMB2.1) | Windows 7, Server 2008 R2 | |
| SMB 3.0 (or SMB3) | Windows 8, Server 2012 | |
| SMB 3.02 (or SMB3) | Windows 8.1, Server 2012 R2 | In Windows 8.1 and Server 2012 R2, the option to completely disable CIFS/SMB1 support is introduced. It is not the default configuration. |
| SMB 3.1.1 | Windows 10, Server 2016 | |

Negotiated Versions

Here’s a table to help you understand what version you will end up using, depending on what Windows version is running as the SMB client and what version of Windows is running as the SMB server:

| OS | Windows 8.1 / WS 2012 R2 | Windows 8 / WS 2012 | Windows 7 / WS 2008 R2 | Windows Vista / WS 2008 | Previous Version |
|---|---|---|---|---|---|
| Windows 8.1 / WS 2012 R2 | SMB 3.02 | SMB 3.0 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
| Windows 8 / WS 2012 | SMB 3.0 | SMB 3.0 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
| Windows 7 / WS 2008 R2 | SMB 2.1 | SMB 2.1 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
| Windows Vista / WS 2008 | SMB 2.0 | SMB 2.0 | SMB 2.0 | SMB 2.0 | SMB 1.0 |
| Previous Version | SMB 1.0 | SMB 1.0 | SMB 1.0 | SMB 1.0 | SMB 1.0 |

* WS = Windows Server

Check SMB Version

In Windows 8 or Windows Server 2012 or later, a new PowerShell cmdlet can easily tell what version of SMB the client has negotiated with the file server. For Windows versions prior to Windows 8, there is no easy way; you need to use Network Monitor, Message Analyzer (recommended) or Wireshark to capture and inspect the packets.

To check the negotiated SMB version between the client and file server

  1. Access a remote file server (or create a new mapping to it)
  2. Use Get-SmbConnection

To check the SMB version on the local computer

  1. dir \\localhost\c$
  2. Get-SmbConnection -ServerName localhost
    • run the Get-SmbConnection cmdlet within 10 seconds after the dir command
    • the SMB client will tear down the connections if there is no activity

Recommendation

Microsoft strongly encourages updating to the latest version of SMB. However, be aware of compatibility with older Windows operating systems and third-party application implementations.

  • VMware
    • vCenter Server Appliance 5.5.x / 6.0.x and vRealize Automation 6.2.x support SMB1 only (KB2134063)

Source

Jose Barreto’s Blog (Microsoft)

Recommended Topologies for VMware vSphere 6.0.x

VMware has a KB (KB2108548) that summarizes the recommended topologies for vSphere 6.0.x deployment on the Platform Services Controller (PSC) and vCenter Server. It’s a good read.

My pick will be one of the following topologies in most deployments – simple configuration with sufficient redundancy.

Install VMware Root Certificate Into Your Browser

If you use the default VMware Certificate Authority (VMCA) that came with vSphere 6 (see this about VMCA), you will receive an untrusted certificate warning when connecting to vCenter via the vSphere Web Client.

You can download and import the VMCA root certificate into your browser to fix the warning. Here is how.

  1. Browse to your VCSA home page

  2. Click “Download trusted root CA certificates” on the lower right

  3. Rename the file “download” to “download.zip”

  4. Unzip “download.zip”
    “filename.r0” is the Certificate Revocation List (CRL) in DER format
    “filename.0” is the root CA certificate in PEM format.

  5. Import the .0 file into your browser: “Trusted Root Certification Authorities” in IE, or Advanced, View Certificates, Authorities in Firefox.
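
The .0 file in step 4 is fetched over the same connection the browser is warning about, so it is worth confirming what it is before importing it in step 5. The script below is an added example, not part of the original post; it assumes openssl is installed on the workstation and that you have obtained the expected SHA-256 fingerprint over a channel you already trust (how you obtain it is outside this example).

```sh
#!/bin/sh
# Print the SHA-256 fingerprint of a PEM certificate as bare upper-case hex.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Succeed only if subject and issuer are the same name, which is what a
# root CA certificate looks like. This compares names, not signatures.
is_self_signed() {
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subject" ] && [ "$subject" = "$issuer" ]
}

# Succeed only if the file is a self-signed certificate whose fingerprint
# equals the expected one (colons, spaces and case are ignored).
verify_root_ca() {   # $1 = path to the .0 file, $2 = expected SHA-256 fingerprint
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    is_self_signed "$1" || { echo "not self-signed: $1" >&2; return 1; }
    actual=$(cert_sha256 "$1")
    [ -n "$actual" ] || { echo "cannot read certificate: $1" >&2; return 1; }
    [ "$actual" = "$expected" ] || { echo "fingerprint mismatch: $actual" >&2; return 1; }
    echo "OK $actual"
}

# Usage: sh verify_root_ca.sh filename.0 <expected fingerprint>
if [ $# -eq 2 ]; then
    verify_root_ca "$1" "$2"
fi
```

Import the file only when the script prints OK; a mismatch means the downloaded file is not the certificate you expected.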

vSphere 6 Certificate Authority

VMware Certificate Authority (VMCA) is a component in the Platform Services Controller (PSC) of vSphere 6 vCenter Virtual Server Appliance (VCSA).

What does VMCA do?

  • issues certificates for
    • VMware solution users
    • machine certificates for machines on which services are running
    • ESXi host certificates when adding the ESXi host to vCenter Server
  • you don’t have to use VMCA as the certificate authority and certificate signer

What does VMware Endpoint Certificate Store (VECS) do?

  • a local (client-side) repository for certificates, private keys, and other certificate information
  • you must use VECS to store all vCenter certificates and keys
  • ESXi certificates are stored locally on each host and not in VECS

Certificate Management

  • vSphere 6 ships with a new Certificate Manager tool for vCenter for Windows and VCSA

ESXi Inbox and Async Driver

Definition

  • An inbox driver is one that is delivered and installed with ESXi software.
  • An async driver is the third-party vendor driver certified by VMware. It does not come bundled with ESXi software and is usually downloaded from VMware.

Why we care

  • When inbox and async drivers are present, they are both displayed as installed. However, only one is loaded.
  • The inbox driver is not removed when an async driver is installed, which results in multiple drivers for the same device being installed.
  • Multiple drivers can be installed but only one is loaded and used.

Determine which drivers are installed

  • esxcli software vib list | less
  • esxcli software vib list | egrep <driver_string>
    • If the system has an inbox and async driver installed, the above egrep command displays more than one output
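
The egrep check above can be turned into a small report that labels each matching VIB. This is an added example, not part of the original post: the sample listing is constructed, and the labelling assumes the common convention that inbox driver versions contain "vmw" and async driver versions contain "OEM".

```sh
#!/bin/sh
# Constructed sample in the column layout of "esxcli software vib list".
sample_vib_list() {
    cat <<'EOF'
Name          Version                           Vendor  Acceptance Level  Install Date
------------  --------------------------------  ------  ----------------  ------------
net-igb       5.0.5.1.1-5vmw.600.0.0.2494585    VMware  VMwareCertified   2015-12-01
igb           5.2.10-1OEM.550.0.0.1331820       Intel   VMwareCertified   2015-12-10
scsi-mpt2sas  19.00.00.00-1vmw.600.0.0.2494585  VMware  VMwareCertified   2015-12-01
EOF
}

# Read a VIB listing on stdin and print "kind<TAB>name<TAB>version<TAB>vendor"
# for every VIB whose name matches the driver string in $1.
classify_driver_vibs() {
    awk -v pat="$1" '
        NR <= 2 { next }                     # skip the header and separator rows
        $1 ~ pat {
            kind = ($2 ~ /vmw/) ? "inbox" : (($2 ~ /OEM/) ? "async" : "unknown")
            printf "%s\t%s\t%s\t%s\n", kind, $1, $2, $3
        }'
}

# Succeed when more than one VIB matches the driver string, i.e. the
# "more than one output" case described above.
has_multiple_drivers() {
    classify_driver_vibs "$1" | awk 'END { exit !(NR > 1) }'
}

# Demo on the constructed sample.
sample_vib_list | classify_driver_vibs igb
```

On a host, pipe the real listing in instead: esxcli software vib list | classify_driver_vibs <driver_string>.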

Determine which driver is actively being used

  • esxcfg-info | less
    • Look at the Version under the module
  • The name and the version of the storage driver correspond with the second drive in the output of the esxupdate query command
  • For network drivers
    • ethtool -i vmnicX
  • Identify the vmnic # of the associated NIC
    • esxcfg-nics -l
    • esxcli network nic get -n vmnicX

Install ESXi Host Update from Command Line

The easiest way to install an ESXi host update is via Update Manager. However, if you don’t have Update Manager installed in the environment (e.g. the lab), or Update Manager does not have access to the Internet, installing the update via the command line is quite handy.

Follow the instructions in this VMware KB. The following is a short summary.

  1. Find the needed update by comparing the build number on the host with this web site or this VMware KB
  2. Download the ESXi update from the VMware patch portal. Normally it’s a ZIP file.
  3. Upload the ZIP file to the local storage on the host
  4. Power off the VMs on the host or migrate them to another host
  5. Put the host in maintenance mode
  6. Enable SSH on the host
  7. SSH to the host
  8. Run esxcli software vib update -d /vmfs/volumes/DataStore/DirectoryName/PatchName.zip
    if it’s a VIB file, run esxcli software vib update -v /vmfs/volumes/DataStore/DirectoryName/PatchName.vib
  9. Verify the update is installed: esxcli software vib list
  10. Run reboot
  11. Exit the maintenance mode

vSphere 6 Lockdown Mode Access Summary

Lockdown mode in vSphere v.6 is different compared with the previous version (v.5).
vSphere 6 introduces a couple of new concepts:

  • Normal Lockdown Mode
  • Strict Lockdown Mode
  • Exception Users

The following table summarizes the access method in each Lockdown Mode.

| Access Method | Lockdown Mode Disabled | Normal Lockdown Mode | Strict Lockdown Mode |
|---|---|---|---|
| vCenter | Yes | Yes | Yes |
| Direct Console access (DCUI) with root | Yes | Yes | No |
| Direct Console access (DCUI) with account (local account only) defined in DCUI.Access advanced option for the host | Yes | Yes | No |
| Direct Console access (DCUI) with accounts in Exception User for lockdown mode & administrative privilege on the host (if the ESXi host is joined to an AD domain, only AD account; if the ESXi host is not joined to an AD domain, local account) | N/A | Yes | No |
| vSphere Client directly to ESXi with root | Yes | No | No |
| vSphere Client directly to ESXi with account (local account only) defined in DCUI.Access advanced option for the host | No | No | No |
| vSphere Client directly to ESXi with accounts in Exception User for lockdown mode & administrative privilege on the host (if the ESXi host is joined to an AD domain, only AD account; if the ESXi host is not joined to an AD domain, local account) | N/A | Yes | Yes |
| PowerCLI / CLI to ESXi with root | Yes | No | No |
| PowerCLI / CLI to ESXi with account (local account only) defined in DCUI.Access advanced option for the host | No | No | No |
| PowerCLI / CLI to ESXi with accounts in Exception User for lockdown mode & administrative privilege on the host (if the ESXi host is joined to an AD domain, only AD account; if the ESXi host is not joined to an AD domain, local account) | N/A | Yes | Yes |

Use WinSCP to Transfer Files in vCSA 6.7

This is a quick update on my previous post “ Use WinSCP to Transfer Files in vCSA 6.5 ”. When I try the same SFTP server setting in vCSA 6.7...