VMware vCenter

Author: Jackson Chen

vCenter Server

https://www.vmware.com/au/products/vcenter-server.html

VMware vCenter Server is advanced server management software that provides a centralized platform for controlling vSphere environments, with visibility across hybrid clouds.

vCenter Installation Guide

vCenter Server 7.0 Update 2 Installation and Setup Guide

vCenter Server 7.0 Installation and Setup Guide

vCenter Server 6.7 Installation and Setup Guide

vCenter Server Configuration Guide

vCenter Server and vSphere 7.0 Update 2 Configuration Guide

vCenter Server and Host Management Guide

vCenter Server 7.0 and Host Management Guide

vCenter Server Upgrade Guide

vCenter Server 7.0 Update 2 Upgrade Guide

vCenter Architecture Overview

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.avail.doc/GUID-2D395533-4C7C-45A6-9B5C-0A78C3E3A5C8.html

A vCenter HA cluster consists of three vCenter Server instances. The first instance, initially used as the Active node, is cloned twice to a Passive node and to a Witness node. Together, the three nodes provide an active-passive failover solution.

vCenter Three-Node Cluster Overview

Deploying each of the nodes on a different ESXi instance protects against hardware failure. Adding the three ESXi hosts to a DRS cluster can further protect your environment.

When vCenter HA configuration is complete, only the Active node has an active management interface (public IP). The three nodes communicate over a private network called vCenter HA network that is set up as part of configuration. The Active node is continuously replicating data to the Passive node.

All three nodes are necessary for the functioning of this feature. Compare the node responsibilities.

# vCenter HA Nodes
Node            Description
------------------------------------------------------
Active      Runs the active vCenter Server instance
            Uses a public IP address for the management interface
            Uses the vCenter HA network for replication of data to the Passive node.
            Uses the vCenter HA network to communicate with the Witness node.
Passive     Is initially a clone of the Active node 
            Constantly receives updates from and synchronizes state with the Active node over the vCenter HA network
            Automatically takes over the role of the Active node if a failure occurs
Witness     Is a lightweight clone of the Active node
            Provides a quorum to protect against a split-brain situation

vCenter Server Appliance

vCenter Server Appliance is a preconfigured Linux-based virtual machine that is optimized for running vCenter Server and its components. It provides advanced features such as vSphere DRS, vSphere HA, vSphere Fault Tolerance, vSphere vMotion, and vSphere Storage vMotion.

# The vCenter Server Appliance package contains the following software
1. Photon
2. PostgreSQL database
3. vCenter Server services

During deployment, you can select the vCenter Server Appliance size for your vSphere environment and the storage size for your database requirements.
vCenter Server is a service that runs in vCenter Server Appliance. vCenter Server acts as a central administrator for ESXi hosts that are connected in a network.

vCenter Server Services

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vcenter.install.doc/GUID-78933728-7F02-43AF-ABD8-0BDCE10418A6.html

# vCenter Server services include:
1. vCenter Server
2. vSphere Client
3. vCenter Single Sign-On
4. License service
5. vCenter Lookup Service
6. VMware Certificate Authority
7. Content Library
8. vSphere ESXi Dump Collector
9. vSphere Auto Deploy
10. VMware vCenter Lifecycle Manager

vCenter Single Sign On - SSO

Understand vCenter Single Sign-On

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.authentication.doc/GUID-A9E2B7DD-CB70-41D9-831E-EE437CF2D1FD.html

vSphere ESXi and vCenter Server Authentication Guide

Other references:

https://nakivo.medium.com/vmware-vsphere-vcenter-single-sign-on-sso-6c4c7bcfb357

vCenter Single Sign-On Components

vCenter Single Sign-On includes the Security Token Service (STS), an administration server, the vCenter Lookup Service, and the VMware Directory Service (vmdir). The VMware Directory Service is also used for certificate management.

During installation, the following components are deployed as part of a vCenter Server deployment.

1. STS (Security Token Service)
    The STS service issues Security Assertion Markup Language (SAML) tokens.
2. Administration server
    It allows users with administrator privileges to configure the vCenter Single Sign-On server and manage users and groups from the vSphere Client.
3. VMware Directory Service (vmdir)
    It is associated with the domain you specify during installation and is included in each vCenter Server deployment.
    This service is a multi-tenanted, peer-replicating directory service.
4. Identity Management Service
    Handles identity sources and STS authentication requests.

vCenter Single Sign-On provides authentication across multiple vSphere components through a secure token mechanism:

1. The user logs in to the vSphere Client.
2. vCenter Single Sign-On authenticates the credentials against the configured identity source, such as Active Directory.
3. The Security Token Service issues a SAML token, which is returned to the user's browser.
4. The SAML token is presented to vCenter Server, which validates it and grants the user access according to the user's permissions.
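The validation in step 4, as an added example that is not part of the original page or of VMware's code: the checks a relying party such as vCenter Server performs on a SAML token before trusting it, run against a constructed assertion. The host name vcsa.example.local, the issuer and audience URIs and the subject are assumed values for the example, and verifying the XML signature against the STS signing certificate, which must happen before any of these checks, is assumed rather than implemented.

```python
"""Added example (not VMware code): relying-party checks on a SAML token issued
by the SSO Security Token Service (STS), applied to a constructed assertion.
XML signature verification against the STS signing certificate is assumed to
have succeeded already; it is NOT implemented here."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample token. The host name vcsa.example.local, the issuer and
# audience URIs and the subject are made-up values for this example.
SAMPLE_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example-1" Version="2.0"
    IssueInstant="2024-01-01T10:00:00Z">
  <saml:Issuer>https://vcsa.example.local/websso/SAML2/Metadata/vsphere.local</saml:Issuer>
  <saml:Subject><saml:NameID>administrator@vsphere.local</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:30:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://vcsa.example.local/sdk</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

EXPECTED_ISSUER = "https://vcsa.example.local/websso/SAML2/Metadata/vsphere.local"
EXPECTED_AUDIENCE = "https://vcsa.example.local/sdk"


def _utc(stamp: str) -> datetime:
    """Parse a SAML xs:dateTime in the 'Z' (UTC) form used in the sample."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_token(xml_text: str, now: datetime, expected_issuer: str = EXPECTED_ISSUER,
                   expected_audience: str = EXPECTED_AUDIENCE, skew_seconds: int = 60):
    """Return (True, subject) if the token is acceptable, else (False, reason).

    Checks, in order: element type, trusted issuer, validity window (with a
    small clock-skew allowance), audience bound to this service, subject present.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML 2.0 assertion"
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "issuer is not the trusted STS"
    conditions = root.find("saml:Conditions", NS)
    if conditions is None or not conditions.get("NotBefore") or not conditions.get("NotOnOrAfter"):
        return False, "missing validity conditions"
    skew = timedelta(seconds=skew_seconds)
    if now < _utc(conditions.get("NotBefore")) - skew:
        return False, "token not yet valid"
    if now >= _utc(conditions.get("NotOnOrAfter")) + skew:
        return False, "token expired"
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "token was issued for a different audience"
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        return False, "no subject"
    return True, subject


def check_sample_at(hour: int, minute: int, **overrides):
    """Validate the sample token as of a given UTC time on 2024-01-01."""
    now = datetime(2024, 1, 1, hour, minute, tzinfo=timezone.utc)
    return validate_token(SAMPLE_TOKEN, now, **overrides)


if __name__ == "__main__":
    print(check_sample_at(10, 10))   # accepted: (True, 'administrator@vsphere.local')
    print(check_sample_at(11, 0))    # rejected: (False, 'token expired')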

vCenter Enhanced Linked Mode

https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vcenter.install.doc/GUID-91EF7282-C45A-4E48-ADB0-5A4230A91FF2.html

https://www.myvirtualjourney.com/what-is-vmware-vcenter-enhanced-linked-mode-and-how-it-works/

https://www.vkernel.ro/blog/vmware-vcenter-enhanced-linked-mode-configuration

vCenter Enhanced Linked Mode

With Enhanced Linked Mode, you can log in to a single instance of vCenter Server and manage the inventories of all the vCenter Server systems in the group:

1. Up to 15 vCenter Server instances can be linked in one vCenter Single Sign-On domain.
2. An Enhanced Linked Mode group can be created only during the deployment of vCenter Server Appliance.

To join vCenter Server instances in Enhanced Linked Mode, connect the vCenter Server instances to the same vCenter Single Sign-On domain.

Repoint a Single vCenter Server Node to an Existing Domain without a Replication Partner

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vcenter.install.doc/GUID-5809FB05-508B-492A-B9C8-9F292B01519D.html

https://www.sysadmintutorials.com/join-vcenters-enhanced-linked-mode/

You can repoint a single vCenter Server from one Single Sign-On domain to an existing Single Sign-On domain without a replication partner. Each Single Sign-On domain contains a single vCenter Server.

Repointing vCenter to an existing vCenter domain
# Procedure
1. Run the pre-check mode command.
    The pre-check fetches the tagging (tags and categories) and authorization (roles and privileges) data from the vCenter Server
    and compares it with the destination domain.
    Note: The pre-check writes the conflicts to the /storage/domain-data directory.
    cmsso-util domain-repoint -m pre-check --src-emb-admin Administrator --replication-partner-fqdn FQDN_of_destination_node --replication-partner-admin PSC_Admin_of_destination_node --dest-domain-name destination_PSC_domain

2. Review the conflicts and apply one resolution to all conflicts, or a separate resolution to each conflict.
    The conflict resolutions are:
        Copy:  Creates a duplicate copy of the data in the target domain.
        Skip:  Skips copying the data to the target domain.
        Merge: Merges the conflicting data without creating duplicates.
    The default resolution for tagging and authorization conflicts is Copy, unless overridden in the conflict files generated during the pre-check.

3. Run the execute command. In execute mode, the data generated during the pre-check is read and imported into the target node,
    and the vCenter Server is then repointed to the target domain. Use the same destination node and domain as in the pre-check.
    cmsso-util domain-repoint -m execute --src-emb-admin Administrator --replication-partner-fqdn FQDN_of_destination_node --replication-partner-admin PSC_Admin_of_destination_node --dest-domain-name destination_PSC_domain

ESXi and vCenter Server Communication

vCenter Server provides direct access to the ESXi host through a vCenter Server agent called virtual provisioning X agent (vpxa). The vpxa process is automatically installed on the host and started when the host is added to the vCenter Server inventory. The vCenter Server service (vpxd) communicates with the ESXi host daemon (hostd) through the vCenter Server agent (vpxa).

vCenter Server Appliance Scalability

vCenter Server Appliance 7.0 configuration maximums:

Metric                                      vCenter Server Appliance 7.0
------------------------------------------------------------------------
Hosts per vCenter Server instance           2,500
Powered-on VMs per vCenter Server instance  40,000
Registered VMs per vCenter Server instance  45,000
Hosts per cluster                           64
VMs per cluster                             8,000

vCenter Server Management Interface - VAMI

VAMI (the vCenter Server Appliance Management Interface) is the web-based management interface for basic administrative tasks on the appliance configuration. It lets you perform these tasks in a UI instead of the appliance command line interface.

VAMI reference reading: the VMware Adapter for SAP Landscape Management documentation describes the same kind of appliance management interface for that appliance.

The VAMI UI is reached in a browser at https://<VAMI_hostname_or_IP>:5480/

Using the vCenter Server Management Interface, you can configure and monitor your vCenter Server Appliance instance.

# Tasks include:
1. Monitoring resource use by the appliance
2. Backing up the appliance
3. Monitoring vCenter Server services
4. Adding additional network adapters

vCenter Server Multi-Homing

https://www.vladan.fr/what-is-vcenter-server-7-multi-homing/

How to configure vCenter Server Appliance (VCSA) multiple network adapters

https://4sysops.com/archives/vmware-vcsa-7-multiple-network-adapters/

With vCenter Server Appliance 7.0 multi-homing, you can configure up to four NICs to separate network traffic.

vCenter Server Permissions

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-5372F580-5C23-4E9C-8A4E-EF1B4DD9033E.html

https://www.altaro.com/vmware/using-permissions-to-secure-vcenter-server/

vCenter Server permissions define what a user or group may do on an inventory object:

1. Privilege        An action that can be performed
2. Object           The target of the action
3. User or group    Who can perform the action
4. Role             A set of privileges
5. Permission       Gives one user or group a role (set of privileges) on the selected object
                    Note: Every object has a Permissions tab that shows which users or groups and roles are associated with it
vCenter Server Permission model
Note:
When a user is a member of multiple groups with permissions on the same object, the user is assigned the union of the privileges assigned to those groups for that object.
If group1 has the Administrator role but group2 has the No Access role on the same object, the union is the Administrator role: No Access is simply a role with no privileges, not a deny rule.

*** This differs from Windows NTFS permissions, where a deny entry overrides an allow entry.

# Lower-level permissions override higher-level permissions
A permission set on a higher-level object (and propagated to its children) can be overridden by explicitly setting a different permission on a lower-level object.
Note: The permission on the lower-level object is the one that applies there, whether it is more or less restrictive than the inherited one; assigning No Access on a child object is how access propagated from a parent is revoked for that object.

Permissions defined explicitly for a user on an object take precedence over all group permissions on that same object.
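To make the three rules concrete (union across groups, an explicit user permission beating group permissions on the same object, and a lower-level permission overriding a propagated one), here is an added example that models them on a constructed inventory tree. It is not VMware's code: the object, user and group names, the "VM Power User" role and the privilege strings are assumptions for the example, and although Administrator, Read-only and No Access are real vCenter system roles, their privilege sets here are abbreviated.

```python
"""Added example (not VMware code): a small model of the vCenter Server
permission rules described above, evaluated on a constructed inventory tree.
Role privilege sets, object/user/group names and the VM Power User role are
assumptions made up for this example."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed roles. "No Access" is just a role with an empty privilege set;
# vCenter has no deny rule, so it only wins when it is the sole permission
# that applies to the user on an object.
ROLES = {
    "Administrator": {"System.Anonymous", "System.Read", "System.View",
                      "VirtualMachine.Interact.PowerOn", "VirtualMachine.Interact.PowerOff",
                      "VirtualMachine.Config.Settings", "Datastore.Browse"},
    "VM Power User": {"System.Anonymous", "System.Read", "System.View",
                      "VirtualMachine.Interact.PowerOn", "VirtualMachine.Interact.PowerOff"},
    "Read-only": {"System.Anonymous", "System.Read", "System.View"},
    "No Access": set(),
}


@dataclass
class Permission:
    principal: str           # user or group name
    is_group: bool
    role: str
    propagate: bool = True   # the "Propagate to children" checkbox


@dataclass
class InventoryObject:
    name: str
    parent: Optional["InventoryObject"] = None
    permissions: list = field(default_factory=list)


def effective_privileges(obj, user, groups):
    """Return (privileges, name_of_object_where_the_winning_permission_is_set).

    Rules modelled from the text above:
      1. Walk from obj up to the root; the first object with a permission that
         applies to the user wins (child overrides parent). Permissions on
         ancestors apply only if they propagate.
      2. On that object, an explicit user permission beats all group permissions.
      3. Otherwise the privileges of all matching group roles are unioned.
    """
    node, inherited = obj, False
    while node is not None:
        applicable = [
            p for p in node.permissions
            if ((p.is_group and p.principal in groups) or (not p.is_group and p.principal == user))
            and (p.propagate or not inherited)
        ]
        if applicable:
            user_perms = [p for p in applicable if not p.is_group]
            chosen = user_perms if user_perms else applicable
            privileges = set()
            for p in chosen:
                privileges |= ROLES[p.role]
            return privileges, node.name
        node, inherited = node.parent, True
    return set(), None


def build_demo_inventory():
    """Constructed tree vcsa -> dc01 -> {web01, db01, app01}, with permissions
    chosen so that each rule is exercised for user alice."""
    vcsa = InventoryObject("vcsa")
    dc01 = InventoryObject("dc01", parent=vcsa)
    web01 = InventoryObject("web01", parent=dc01)
    db01 = InventoryObject("db01", parent=dc01)
    app01 = InventoryObject("app01", parent=dc01)
    # Root: alice's two groups hold Administrator and No Access -> union is Administrator.
    vcsa.permissions += [Permission("vc-admins", True, "Administrator"),
                         Permission("contractors", True, "No Access")]
    # web01: an explicit user permission overrides every group permission here.
    web01.permissions.append(Permission("alice", False, "Read-only"))
    # db01: No Access on the child revokes the Administrator role propagated from the root.
    db01.permissions.append(Permission("contractors", True, "No Access"))
    # dc01: a non-propagating permission applies to dc01 itself but must not reach app01.
    dc01.permissions.append(Permission("vc-admins", True, "VM Power User", propagate=False))
    return {"vcsa": vcsa, "dc01": dc01, "web01": web01, "db01": db01, "app01": app01}


def demo(user="alice", groups=frozenset({"vc-admins", "contractors"})):
    """Resolve the user's effective privileges on every object of the demo tree."""
    inventory = build_demo_inventory()
    return {name: effective_privileges(obj, user, groups) for name, obj in inventory.items()}


if __name__ == "__main__":
    for name, (privs, where) in demo().items():
        print(f"{name:6} decided at {where}: {sorted(privs) if privs else 'No Access'}")
```

Running it shows alice as Administrator on vcsa and on app01 (inherited, because the non-propagating permission on dc01 is skipped), VM Power User on dc01 itself, Read-only on web01 (her explicit user permission wins), and No Access on db01 even though Administrator propagates from the root.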

vCenter Server Backup and Restore

Manually Back up vCenter Server by Using the vCenter Server Management Interface

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vcenter.install.doc/GUID-8C9D5260-291C-44EB-A79C-BFFF506F2216.html

1. In a Web browser, go to the vCenter Server Management Interface, https://appliance-IP-address-or-FQDN:5480.
2. Log in as root.
3. In the vCenter Server Management Interface, click Backup.
    The table under Activity displays the most current backup version taken of the vCenter Server.
4. Click Backup Now.
    The Backup Appliance wizard opens.
5. (Optional) Select Use backup location and user name from backup schedule to use the information from a scheduled backup.
6. Enter the backup location details.
    a. Backup location  
        Enter the backup location, including the protocol to use to connect to your backup server, the port, the server address, 
        and backup folder to store the backup files.
        Use one of the following protocols: FTP, FTPS, HTTP, HTTPS, SFTP, NFS, or SMB.
        For FTP, FTPS, HTTP, or HTTPS the path is relative to the home directory configured for the service.
    b. Backup server credentials
        Enter a user name and password of a user with write privileges on the backup server.
7. (Optional) Enter an Encryption Password if you want to encrypt your backup file.
    If you select to encrypt the backup data, you must use the encryption password for the restore procedure.
8. (Optional) Select Stats, Events, and Tasks to back up additional historical data from the database.
9. (Optional) In the Description text box, enter a description of the backup.
10. Click Start to begin the backup process.

vCenter restore process

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vcenter.install.doc/GUID-8C9D5260-291C-44EB-A79C-BFFF506F2216.html

https://www.driftar.ch/2020/04/21/backup-and-restore-vcenter-server-appliance/

Restore vCenter Server from a File-Based Backup

vCenter Server restore workflow

You can use the vCenter Server appliance GUI installer to restore a vCenter Server to an ESXi host or a vCenter Server instance. The restore procedure has two stages. The first stage deploys a new vCenter Server appliance. The second stage populates the newly deployed vCenter Server appliance with the data stored in the file-based backup.

# Prerequisites
If the vCenter Server instance is part of a vCenter High Availability cluster, 
you must power off the active, passive, and witness nodes of the cluster before restoring the vCenter Server.

# Procedure
Stage 1 - Deploy a New Appliance
    In stage 1 of the restore process, you deploy the OVA file, which is included in the vCenter Server GUI installer.
    Important: After launching the UI installer, click "Restore"
Stage 2 - Transfer Data to the Newly Deployed Appliance
    After the OVA deployment finishes, you are redirected to stage 2 of the restore process in which the data from the backup location 
    is copied to the newly deployed vCenter Server appliance.

The vCenter Server Appliance GUI installer does not support restore from a backup with the NFS or SMB protocol. 
To perform a restore from an NFS or SMB protocol, you use the vCenter Server Management Interface.

Considerations and Limitations for Image-Based Backup and Restore

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vcenter.install.doc/GUID-08A65FD6-FB9E-4969-AE37-1F209F272B77.html

vCenter Upgrade Process

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vcenter.upgrade.doc/GUID-913F49FC-E0F4-4AEE-8848-A0FE34F05E1D.html#GUID-913F49FC-E0F4-4AEE-8848-A0FE34F05E1D

When upgrading a vCenter Server appliance with two or more network interface cards, the upgrade transfers the IP addresses from each network interface from the source vCenter Server to the target vCenter Server.

During the upgrade process, the Upgrade installer performs a pre-check of the source vCenter Server and records the network settings. When this information is transferred to the target vCenter Server appliance, the network settings are transferred as part of the configuration. When the upgrade process finishes, you can log in to the vCenter Server appliance using the vSphere Client, and verify that the IP addresses have been successfully transferred to the newly upgraded vCenter Server appliance.

With two or more NICs per vCenter Server appliance, you can better manage network traffic in your environment. For example, with multiple network interfaces you can:

  1. Configure backup traffic to use a different network than management traffic.
  2. Keep ESXi hosts on a physically different LAN segment from your management traffic. You can connect one network interface to the network with your ESXi hosts, and connect the other to a network from which administrative clients connect to vCenter Server.

When upgrading to vCenter Server 7.0 or later, all vSphere Distributed Switches must first be upgraded to version 6.5 or later.

Note:
ESXi hosts that cannot be upgraded to a version supported by vCenter Server 7.0 (ESXi 6.5 or later) must be removed from the inventory before the upgrade.
The VMs on those hosts then have to be managed by logging in to each ESXi host's URL (the Host Client) directly.

vCenter upgrade process:

1.  Take a snapshot of the existing vCenter Server.
2.  Disable DRS on the cluster or change it to manual mode.
    Set both the source cluster and the destination cluster to Manual.
3.  Ensure TCP ports 22 and 443 are open on the source vCenter Server Appliance that you want to upgrade.
    The upgrade process establishes an inbound SSH connection to download the exported data from the source appliance.
4.  A temporary IP address in the same IP range as the existing vCenter Server is required.
5.  Download and mount the vCenter Server installation ISO file.
6.  Run installer.exe.
7.  Choose Upgrade and follow the prompts.
8.  Enter the temporary IP address noted in step 4.
9.  Click Finish and wait for Stage 1 to complete. A new vCenter Server Appliance is deployed with the temporary IP address.
10. Once finished, click Continue to initiate Stage 2.
    In this stage all configuration is copied across to the new appliance and the source vCenter Server is powered off;
    the new appliance then takes over the network identity (IP address and FQDN) of the source.
11. Follow the prompts.
12. Click Close when finished.
13. Log in to the new vCenter Server and carry out verification.
14. Enable DRS and set it back to automatic.

Verify the success of the vCenter Server upgrade or migration

You must be logged in to the upgraded or migrated vCenter Server instance. If you created a reference of required information based on a CLI template, you can use it to validate the upgrade or migration success.

# Procedure
1. Verify that the IP address is correct.
2. Verify that the Active Directory registration has not changed.
3. Verify the Network registration is correct.
4. Verify the Domain is correct.
5. Verify the certificates are valid.
6. Verify the inventory data is correctly migrated.
    a. Review the events history
    b. Review the performance charts
    c. Review the users, permissions, and roles

Upgrade vCenter Appliance using CLI

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vcenter.upgrade.doc/GUID-80ADA633-13EA-49B0-9AC9-2C4E6B513AAB.html

You can use the CLI installer to perform an unattended upgrade of a vCenter Server appliance or Platform Services Controller appliance. You must run the CLI upgrade from a Windows, Linux, or Mac machine that is in the same network as the appliance that you want to upgrade.

# Prerequisites
  1. Check and prepare the prerequisites for upgrading the vCenter Server Appliance.
  2. Prepare the JSON configuration file for the CLI upgrade (see the vCenter Server Upgrade guide).
# Procedure
1. Navigate to the vcsa-cli-installer subdirectory for your operating system.
    vcsa-cli-installer\win32   # Running the upgrade from Windows
    vcsa-cli-installer/lin64   # Running the upgrade from Linux
    vcsa-cli-installer/mac     # Running the upgrade from macOS
2. Verify that you prepared the upgrade template correctly by running a basic template verification.
    vcsa-deploy upgrade --verify-template-only path_to_the_json_file
3. Gather and validate the upgrade requirements by running a pre-upgrade check.
    vcsa-deploy upgrade --precheck-only path_to_the_json_file
    The Upgrade Runner validates configuration such as the ESXi host, network settings, and NTP servers.
    It also checks the deployment size and storage size of the new appliance against the compute resources required for the upgrade.
4. Perform the upgrade.
    vcsa-deploy upgrade --accept-eula optional_arguments path_to_the_json_file
    For example, to write the installer logs to a chosen location:
    vcsa-deploy upgrade --accept-eula --log-dir=path_to_the_location path_to_the_json_file

Upgrade ESXi Hosts

After the vCenter Server upgrade to 7.0 succeeds, upgrade the ESXi hosts.

1.  Download the ESXi ISO from the hardware vendor's website.
2.  Create an upgrade baseline from the ISO.
3.  Upgrade all hosts to ESXi 7.0 U2a (or later).

Upgrade vSAN

After the ESXi host upgrade succeeds, upgrade the vSAN on-disk format.

1.  In vCenter, go to Hosts and Clusters > click a cluster > Configure > vSAN > Disk Management.
2.  Click Pre-check Upgrade, then run the on-disk format upgrade.
3.  Wait until you see the message "All n disks are on version 11.0", where n is the number of disks and 11.0 is the on-disk format version that belongs to the vSAN release you upgraded to.
4.  Repeat these steps for all other clusters.

vCenter Inventory Keyboard Shortcuts

Keyboard combination (Windows)      Action
------------------------------------------------------
Ctrl+Alt+Home                       Home
Ctrl+Alt+1                          Shortcuts
Ctrl+Alt+2                          Hosts and Clusters
Ctrl+Alt+3                          VMs and Templates
Ctrl+Alt+4                          Storage
Ctrl+Alt+5                          Networking
Ctrl+Alt+6                          Content Libraries
Ctrl+Alt+7                          Workload Management
Ctrl+Alt+8                          Global Inventory Lists
Ctrl+Alt+R                          Refresh
Ctrl+Alt+S (press twice)            Search

How to create VAMI local user

To create a VAMI local user, use the console window or an SSH session to the appliance.

sudo -s     # get root access
vlan_user -S -LOCAL_USER -a vami-server -u <vami-new-user-name>

When prompted, enter the password.

vCenter Server and vSphere Monitoring

The vCenter Server events and audit trails allow selectable retention periods in increments of 30 days. The recorded information includes:

  1. User-action information includes the user’s account and specific event details.
  2. All actions are reported, including file ID, file path, source of operation, operation name, and date and time of operation.
  3. Events and alarms are displayed to alert the user to changes in the vCenter Server service health or when a service fails.

Configuring logging options

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vcenter.configuration.doc/GUID-0439D577-66F7-4584-AF05-5EB41A761873.html

# Procedure
1. In the vSphere Client, navigate to the vCenter Server instance.
2. Select the Configure tab.
3. Under Settings, select General.
4. Click Edit.
5. Select Logging settings.
6. Select the logging option.
    Option      Description
    --------------------------------------------
    None        Turns off logging
    Error       Error log entries only
    Warning     Warning and error log entries
    Info        Information, error, and warning log entries (the default, normal logging)
    Verbose     Information, error, warning, and verbose log entries
    Trivia      Information, error, warning, verbose, and trivia log entries (extended verbose)
7. Click Save.

Note: Changes to the logging settings take effect immediately. You do not need to restart the vCenter Server system.

You can analyze vCenter Server Appliance log files with vRealize Log Insight, or forward them to a remote syslog host.

# Monitor vCenter server appliance
a. CPU & Memory
b. Disks
c. Network
d. Database

Patching vCenter Server

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vcenter.upgrade.doc/GUID-043EF6BD-78F7-412F-837F-CBDF844F850C.html

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vcenter.upgrade.doc/GUID-FF533442-66F0-4797-976D-1DA99102DD0A.html#GUID-FF533442-66F0-4797-976D-1DA99102DD0A

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vcenter.upgrade.doc/GUID-E5E78149-4AC8-4DD7-BBA8-19CC17711D40.html#GUID-E5E78149-4AC8-4DD7-BBA8-19CC17711D40

VMware regularly releases patches for the vCenter Server. You can use the Appliance Management Interface or the appliance shell to apply patches to a vCenter Server.

VMware makes patches available on a monthly basis.

You can download the patch ISO images from https://my.vmware.com/group/vmware/patch

### Procedure
# Prerequisites
    Backup vCenter Server

# Download vCenter patches
    Download vCenter server appliance patching ISO

# Stage the patch ISO image that you previously downloaded
1. Log in to VAMI as root.
2. Click Update.
3. Click Check Updates and select a source.
    a. Check URL        Scans the configured repository URL for available patches
    b. Check CD ROM     Scans the ISO image attached to the CD/DVD drive of the appliance for available patches
                        # Mount the ISO to the vCenter Server VM's CD/DVD drive first
4. Run the pre-check of the update to verify that it is compatible with your current deployment.
5. Click the staging option you want to use.
    a. Stage
    b. Stage and Install
    c. Unstage
    d. Resume
# Install vCenter Server patches
Important:
The services running in the vCenter Server appliance become unavailable during the installation of the patches. 
You must perform this procedure during a maintenance period. As a precaution if there is a failure, you can back up the vCenter Server. 
For information on backing up and restoring vCenter Server, see vCenter Server Installation and Setup.
1. Log in to VAMI as root.
2. In vCenter Server Management Interface, click Update
3. Select the staged patches to apply, and click Install
4. A system pre-check verifies that the patches can be successfully installed with the provided information.
    If the pre-check discovers missing or incorrect information, or other problems preventing a successful installation, 
    you are prompted to correct the problem and resume the installation.
5. After the installation finishes, click OK.
6. If the patch installation requires the appliance to reboot, click Summary, and click Reboot to reset the appliance.

Patching the vCenter Server Appliance by Using the Appliance Shell

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vcenter.upgrade.doc/GUID-6751066A-5D4E-47AC-A6A4-5E90AEC63DAA.html

You can use the software-packages utility in the appliance shell of a vCenter Server appliance to see the installed patches, stage new patches, and install new patches.

# Procedure
1. Access the appliance shell and log in as a user who has the super administrator role.
    The default user with the super administrator role is root.
2. Stage and install the patches.
software-packages list --staged                                      # Show the patches currently staged
software-packages stage --iso                                        # Stage the patches from an attached ISO image
software-packages install --staged                                   # Install the staged patches
software-packages install --iso                                      # Stage and install patches from an attached ISO image in one step
software-packages install --url URL_of_the_repository --acceptEulas  # Install patches directly from a repository URL
shutdown reboot -r "patch reboot"                                    # If the patch installation requires a reboot

Patch a vCenter High Availability Environment

This procedure describes how to patch the Active, Passive, and Witness node if your vCenter Server appliance is configured in a vCenter High Availability (HA) cluster.

You patch the three nodes in a sequence and use a manual failover so that you always patch a non-Active node.

# Procedure
1. Place the vCenter HA cluster in maintenance mode.
    a. In the vCenter Server inventory, click the Configure tab.
    b. Under Settings, select vCenter HA and click Edit.
    c. Select Maintenance Mode and click OK.
2. Log in as root to the appliance shell of the Active node by using the public IP address.
3. Patch the Witness node
    a. From the appliance shell of the Active node, establish an SSH session to the Witness node.
        ssh root@Witness_node_IP_address
    b. From the appliance shell of the Witness node, patch the Witness node.
        Use the software-packages utility.
    c. Exit the SSH session to the Witness node.
        exit
4. Patch the Passive node.
    a. From the appliance shell of the Active node, establish an SSH session to the Passive node.
        ssh root@Passive_node_IP_address
    b. From the appliance shell of the Passive node, patch the Passive node.
        Use the software-packages utility.
    c. Exit the SSH session to the Passive node.
        exit
5. Log out from the appliance shell of the Active node.
6. Initiate a vCenter HA failover manually.
    a. Log in to the Active node with the vSphere Client and click Configure.
    b. Under Settings, select vCenter HA and click Initiate Failover.
    c. Click Yes to start the failover.
        A dialog offers you the option to force a failover without synchronization. In most cases, performing synchronization first is best.
        You can see in the vSphere Client that the Passive node has become the Active node and the Active node has become the Passive node.
7. Log in as root to the appliance shell of the new Active node by using the public IP address.
8. Patch the new Passive node.
    a. From the appliance shell of the Active node, establish an SSH session to the Passive node.
        ssh root@Passive_node_IP_address
    b. From the appliance shell of the Passive node, patch the Passive node.
        Use the software-packages utility.
    c. Exit the SSH session to the Passive node.
        exit
9. Log out from the appliance shell of the Active node.
10. Exit the maintenance mode.
    a. In the vSphere Client inventory, click the Configure tab.
    b. Under Settings, select vCenter HA and click Edit.
    c. Select Turn On vCenter HA and click OK.

vCenter Server Configuration

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vcenter.configuration.doc/GUID-3191913D-621E-4AA1-8F98-55CBB09E0C9F.html

vCenter Server High Availability

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.avail.doc/GUID-4A626993-A829-495C-9659-F64BA8B560BD.html

vCenter 3 node cluster

vCenter Server High Availability protects vCenter Server Appliance against both hardware and software failures.

vCenter Server High Availability forms a cluster of nodes:

1. Active node      Runs the active vCenter Server Appliance instance
2. Passive node     Automatically takes over the role of the Active node if a failure occurs
3. Witness node     Provides a quorum to protect against a split-brain situation

You can use the Set Up vCenter HA wizard in the vSphere Client to configure the Passive and Witness nodes. The Set Up vCenter HA wizard automatically creates the Passive and Witness nodes as part of vCenter HA configuration. With the manual option, you are responsible for manually cloning the Active node to create the Passive and Witness nodes.

Automatic Configuration with the vSphere Client

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.avail.doc/GUID-5F7DAFB2-60BD-4C50-A7E5-29A319CBB714.html

You must meet the following requirements to perform automatic configuration.

The vCenter Server that will become the Active node is managing its own ESXi host and its own virtual machine. This configuration is sometimes called a self-managed vCenter Server.

If you meet the requirements the automatic workflow is as follows.
1. The user deploys the first vCenter Server, which will become the Active node.
2. The user adds a second network (port group) for vCenter HA traffic on each ESXi host.
3. The user starts the vCenter HA configuration and supplies the IP addresses, the target ESXi host or cluster, and the datastore for each clone.
4. The system clones the Active node and creates a Passive node with precisely the same settings, including the same host name.
5. The system clones the Active node again and creates a more light-weight Witness node.
6. The system sets up the vCenter HA network on which the three nodes communicate, for example, by exchanging heartbeats and other information.

When you use the vSphere Client, the Set Up vCenter HA wizard creates and configures a second network adapter on the vCenter Server, clones the Active node, and configures the vCenter HA network.

# Prerequisites
1. Deploy vCenter Server that you want to use as the initial Active node.
    a. The vCenter Server must have a static IP address.
    b. SSH must be enabled on the vCenter Server.
2. Verify that your environment meets the following requirements.
    a. The vCenter Server that will become the Active node is managing its own ESXi host and its own virtual machine. 
    This configuration is sometimes called a self-managed vCenter Server.
3. Set up the infrastructure for the vCenter HA network. See Configure the Network.
4. Determine which static IP addresses to use for the two vCenter Server nodes that will become the Passive node and Witness node.
# Procedure
1. Log in to the Active node with the vSphere Client.
2. Select the vCenter Server object in the inventory and select the Configure tab.
3. Select vCenter HA under settings.
4. Click on the Set Up vCenter HA button to start the setup wizard.
    a. If the vCenter server is self-managed, the Resource settings page is displayed. Proceed to step 7.
    b. If your vCenter server is managed by another vCenter server in the same SSO domain, proceed to step 7.
    c. If your vCenter server is managed by another vCenter server in a different SSO domain, 
        input the location and credential details of that management vCenter server.
5. Click Management vCenter Server credentials. Specify the Management vCenter server FQDN or IP address, 
    Single Sign-On user name and password and click Next.
    If you do not have the Single Sign-On administrator credentials, select the second bullet and click Next.
6. A certificate warning may be displayed. Verify the SHA1 thumbprint against the management vCenter Server's own certificate before selecting Yes to continue.
7. In the Resource settings section, first select the vCenter HA network for the active node from the drop-down menu.
8. Click on the checkbox if you want to automatically create clones for Passive and Witness nodes.
    Note:
    If you do not select the checkbox, you must manually create clones for Passive and Witness nodes after you click Finish.
9. For the Passive node, click Edit.
    a. Specify a unique name and target location.
    b. Select the destination compute resource for the operation.
    c. Select the datastore in which to store the configuration and disk files.
    d. Select virtual machine Management (NIC 0) and vCenter HA (NIC 1) networks.
    e. If there are issues with your selections, errors or compatibility warnings are displayed.
    f. Review your selections and click Finish.
10. For the Witness node, click Edit.
    a. Specify a unique name and target location.
    b. Select the destination compute resource for the operation.
    c. Select the datastore in which to store the configuration and disk files.
    d. Select vCenter HA (NIC 1) network.
    e. If there are issues with your selections, errors or compatibility warnings are displayed.
    f. Review your selections and click Finish.
11. Click Next.
12. In the IP settings section, select the IP version from the drop-down menu.
13. Enter the IPv4 address (NIC 1) and Subnet mask or prefix length information for the Active, Passive and Witness nodes.
    You can Edit the management network settings for the Passive node. Customizing these settings is optional.
    By default, the management network settings of the Active node are applied.
14. Click Finish.
# Results
The Passive and Witness nodes are created. When Set Up vCenter HA is complete, vCenter Server has high availability protection. 
After vCenter HA is enabled, you can click Edit to enter Maintenance Mode, Enable or Disable vCenter HA. 
There are separate buttons to remove vCenter HA or initiate vCenter HA failover.

Manual Configuration with the vSphere Client

If you want more control over your deployment, you can perform a manual configuration. With this option, you are responsible for cloning the Active node yourself as part of vCenter HA setup. If you select this option and remove the vCenter HA configuration later, you are responsible for deleting the nodes that you created.

For the manual option, the workflow is as follows.
1. The user deploys the first vCenter Server, which will become the Active node.
2. The user adds a second network (port group) for vCenter HA traffic on each ESXi host.
3. The user must add a second network adapter (NIC) to the Active node if the credentials of the Active management vCenter Server are unknown.
4. The user logs in to the vCenter Server (Active node) with the vSphere Client.
5. The user starts the vCenter HA configuration, selects the checkbox to manually configure and 
    supplies IP address and subnet information for the Passive and Witness nodes. 
    Optionally, the user can override the failover management IP addresses.
6. The user logs in to the management vCenter Server and creates two clones of the vCenter Server (Active node).
7. The system sets up the vCenter HA network on which the three nodes exchange heartbeats and replication information.
8. The vCenter Server is protected by vCenter HA.

Configure vCenter HA Network

Regardless of the deployment option and inventory hierarchy that you select, you have to set up your network before you can start configuration. To set the foundation for the vCenter HA network, you add a port group to each ESXi host.

After configuration is complete, the vCenter HA cluster has two networks, the management network on the first virtual NIC and the vCenter HA network on the second virtual NIC.

Management network

The management network serves client requests (public IP). The management network IP addresses must be static.

vCenter HA network

The vCenter HA network connects the Active, Passive, and Witness nodes and replicates the server state. It also monitors heartbeats.

1. The vCenter HA network IP addresses for the Active, Passive, and Witness nodes must be static.
2. The vCenter HA network must be on a different subnet than the management network. The three nodes can be on the same subnet or on different subnets.
3. Network latency between the Active, Passive, and Witness nodes must be less than 10 milliseconds.
4. You must not add a default gateway entry for the cluster network.

# Prerequisites
1. The vCenter Server that later becomes the Active node, is deployed.
2. You can access and have privileges to modify that vCenter Server and the ESXi host on which it runs.
3. During network setup, you need static IP addresses for the management network.
    The management and cluster network addresses must all be IPv4 or all be IPv6; mixed-mode addressing is not supported.

# Procedure
1. Log in to the management vCenter Server and find the ESXi host on which the Active node is running.
2. Add a port group to the ESXi host.
    This port group can be on an existing virtual switch or, for improved network isolation, 
    you can create a new virtual switch. It must be different from the management network.
3. If your environment includes the recommended three ESXi hosts, add the port group to each of the hosts.
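
The network rules above (static addresses with a mask or prefix length, vCenter HA network on a different subnet than the management network, no mixed IPv4/IPv6, no default gateway on the cluster network, under 10 ms between nodes) are easy to get wrong in a change request and painful to fix after the clones exist. The following pre-flight check is an added example, not VMware tooling: it takes a planned address layout and reports every rule it violates. The plan dictionary layout, its field names and the sample addresses are assumptions made for illustration.

```python
"""Pre-flight check of a planned vCenter HA address layout against the
network rules above. Added example, not VMware tooling; the plan layout,
field names and sample addresses are assumptions made for illustration."""
import ipaddress

NODES = ("active", "passive", "witness")
MAX_RTT_MS = 10.0  # vCenter HA requires less than 10 ms between the three nodes


def check_vcha_plan(plan):
    """Return a list of findings (strings); an empty list means the plan passes."""
    findings = []
    mgmt, vcha = plan["management"], plan["vcha"]

    # 1. Parse every address as 'ip/prefix'. A bare address parses as a /32 or
    #    /128, which means the subnet mask or prefix length was left out.
    ifaces = {}
    for net_name, net in (("management", mgmt), ("vcha", vcha)):
        for node, addr in net["addresses"].items():
            try:
                iface = ipaddress.ip_interface(addr)
            except ValueError:
                findings.append(f"{net_name}/{node}: '{addr}' is not a valid static address")
                continue
            if iface.network.prefixlen == iface.max_prefixlen:
                findings.append(f"{net_name}/{node}: '{addr}' has no subnet mask or prefix length")
            ifaces[(net_name, node)] = iface

    # 2. All three nodes need a vCenter HA (NIC 1) address; the Active node needs
    #    a management (NIC 0) address, which the Passive node inherits by default.
    for node in NODES:
        if ("vcha", node) not in ifaces:
            findings.append(f"vcha/{node}: missing vCenter HA network address")
    if ("management", "active") not in ifaces:
        findings.append("management/active: missing management network address")

    # 3. Management and cluster addresses must be all IPv4 or all IPv6.
    if len({i.version for i in ifaces.values()}) > 1:
        findings.append("mixed IPv4/IPv6 addressing across management and vCenter HA networks")

    # 4. The vCenter HA network must be on a different subnet than the management
    #    network (the three HA addresses may themselves be on different subnets).
    mgmt_nets = {i.network for (n, _), i in ifaces.items() if n == "management"}
    for (n, node), i in ifaces.items():
        if n == "vcha" and i.network in mgmt_nets:
            findings.append(f"vcha/{node}: {i.network} overlaps the management subnet")

    # 5. No default gateway entry for the cluster network.
    if vcha.get("gateway"):
        findings.append("vcha: default gateway set; the cluster network must not have one")

    # 6. No address may be reused across the two networks.
    first_use = {}
    for key, i in ifaces.items():
        if i.ip in first_use:
            prev = first_use[i.ip]
            findings.append(f"{key[0]}/{key[1]}: {i.ip} already used by {prev[0]}/{prev[1]}")
        first_use.setdefault(i.ip, key)

    # 7. Optional measured round-trip times between node pairs, in milliseconds.
    for pair, rtt in vcha.get("measured_rtt_ms", {}).items():
        if rtt >= MAX_RTT_MS:
            findings.append(f"vcha latency {pair}: {rtt} ms is not under {MAX_RTT_MS} ms")
    return findings


# Constructed sample plan (assumption: illustrative addresses, not a real site).
GOOD_PLAN = {
    "management": {"addresses": {"active": "10.0.10.20/24"}, "gateway": "10.0.10.1"},
    "vcha": {
        "addresses": {"active": "192.168.50.11/24",
                      "passive": "192.168.50.12/24",
                      "witness": "192.168.50.13/24"},
        "gateway": None,
        "measured_rtt_ms": {"active-passive": 0.4, "active-witness": 0.6, "passive-witness": 0.5},
    },
}

if __name__ == "__main__":
    for line in check_vcha_plan(GOOD_PLAN) or ["plan passes all checks"]:
        print(line)
```

Run it against the real plan before clicking Finish in the wizard; the latency figures are optional and come from your own measurements over the vCenter HA port group, since the script cannot reach the hosts.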

Manage the vCenter HA Configuration

Set Up Your Environment to Use Custom Certificates

The machine SSL certificate on each node is used for cluster management communication and for encryption of replication traffic. If you want to use custom certificates, you have to remove the vCenter HA configuration, delete the Passive and Witness nodes, provision the Active node with the custom certificate, and reconfigure the cluster.

If possible, replace certificates in the vCenter Server that will become the Active node before you clone the node.

# Procedure
1. Edit the cluster configuration and select Remove.
2. Delete the Passive node and the Witness node.
3. On the Active node, which is now a standalone vCenter Server, replace the machine SSL Certificate with a custom certificate.
4. Reconfigure the cluster.

Manage vCenter HA SSH Keys

vCenter HA uses SSH keys for password-less authentication between the Active, Passive, and Witness nodes. The authentication is used for heartbeat exchange and file and data replication. To replace the SSH keys in the nodes of a vCenter HA cluster, you disable the cluster, generate new SSH keys on the Active node, transfer the keys to the Passive and Witness nodes, and enable the cluster.

# Procedure
1. Edit the cluster and change the mode to Disabled.
2. Log in to the Active node by using the Virtual Machine Console or SSH.
3. Enable the bash shell.
    bash
4. Run the following command to generate new SSH keys on the Active node.
    /usr/lib/vmware-vcha/scripts/resetSshKeys.py
5. Use SCP to copy the keys to the Passive node and Witness node over the vCenter HA network.
    Replace the placeholders with each node's vCenter HA address; the destination directory is assumed to mirror the source.
    scp /vcha/.ssh/* root@<passive-node-vcha-ip>:/vcha/.ssh/
    scp /vcha/.ssh/* root@<witness-node-vcha-ip>:/vcha/.ssh/
6. Edit the cluster configuration and set the vCenter HA cluster to Enabled.

Initiate a vCenter HA Failover

You can manually initiate a failover and have the Passive node become the Active node.

A vCenter HA cluster supports two types of failover.

  1. Automatic failover: The Passive node attempts to take over the active role in case of an Active node failure.
  2. Manual failover: The user can force a Passive node to take over the active role by using the Initiate Failover action.
# Procedure
1. Log in to the Active node vCenter Server with the vSphere Client and click Configure for the vCenter Server where you need to initiate failover.
2. Under Settings select vCenter HA and click Initiate Failover.
3. Click Yes to start the failover.
    A dialog offers you the option to force a failover without synchronization. In most cases, performing synchronization first is best.
4. After the failover, you can verify that the Passive node has the role of the Active node in the vSphere Client.

Reboot All vCenter HA Nodes

If you have to shut down and reboot all nodes in the cluster, you must follow a specific shutdown order to prevent the Passive node from assuming the role of Active node.

# Procedure
a. Shut down the nodes in this order.
    1. Passive node
    2. Active node
    3. Witness node
b. Restart each node.
    You can restart nodes in any order.
c. Verify that all nodes join the cluster successfully, and that the previous Active node resumes that role.

Change the Server Environment

When you deploy a vCenter Server, you select an environment. For vCenter HA, Small, Medium, Large, and X-Large are supported for production environments.

Important:
If you need more space and want to change the environment, you have to delete the Passive node virtual machine before you change the configuration.

# Procedure
1. Log in to the Active node with the vSphere Client, edit the cluster configuration, and select Disable.
2. Delete the Passive node virtual machine.
3. Change the vCenter Server configuration for the Active node, for example, from a Small environment to a Medium environment.
4. Reconfigure vCenter HA.

How to shut down all VMs, ESXi hosts and vCenter gracefully

It is important to shut down VMs, ESXi hosts and vCenter gracefully and in the correct order: dependent products first, then the remaining VMs, then the ESXi hosts, and finally the vCenter VM and the host it runs on.

1. Shut down the vRealize suite products gracefully, following each product's own process and sequence
    a. vRA
    b. vROps
    c. vRNI
    d. vRSLCM
    e. vIDM

2. Shut down the NSX-T cluster gracefully, if present

3. Shut down the remaining VMs, the ESXi hosts and vCenter gracefully
# In the management server, run PowerCLI
Import-Module VMware.PowerCLI   # Import VMware PowerCLI module

$vcServer = 'vCenter-FQDN|IP-address'   # vCenter Server to connect to
Connect-VIServer -Server $vcServer      # Connect to vCenter
    # Connect-VIServer -Server <vCenter-FQDN | IP-address> -WarningAction SilentlyContinue -Force  # Alternatively

# Resolve the vCenter VM object and remember the ESXi host it runs on;
# both are needed later, after the vCenter connection has been closed
$vCenterVM  = Get-VM -Server $vcServer -Name '<vCenter-VM-name>'   # inventory name of the vCenter VM
$vcHostName = $vCenterVM.VMHost.Name

# Shut down all powered-on VMs, except the vCenter VM (Shutdown-VMGuest needs VMware Tools in the guest)
Get-VM -Server $vcServer | ?{$_.Name -ne $vCenterVM.Name -and $_.PowerState -eq 'PoweredOn'} | Shutdown-VMGuest -Confirm:$false

# Wait until all the VMs except the vCenter VM have been shut down
while((Get-VM -Server $vcServer | where{$_.PowerState -ne 'PoweredOff'}).Count -ne 1){
  sleep 10
}

#** Place ESXi hosts in maintenance mode
https://developer.vmware.com/docs/powercli/latest/vmware.vimautomation.core/commands/set-vmhost

# Every host except the one running vCenter. Filter by host name, not by VM count:
# powered-off VMs are still registered on their hosts, so a "no VMs" filter would skip those hosts.
$otherHosts = Get-VMHost -Server $vcServer | where{$_.Name -ne $vcHostName}

# Maintenance mode - No Data Migration (fastest; appropriate only when the whole vSAN cluster is being shut down)
$otherHosts | Set-VMHost -State Maintenance -VsanDataMigrationMode NoDataMigration
# Maintenance mode - Full (evacuates all vSAN data from the host; use when the host stays down for a long time)
#   $otherHosts | Set-VMHost -State Maintenance -VsanDataMigrationMode Full
# Maintenance mode - EnsureAccessibility (default; keeps objects accessible with reduced redundancy)
#   $otherHosts | Set-VMHost -State Maintenance -VsanDataMigrationMode EnsureAccessibility

# Shut down all ESXi hosts, except the one hosting the vCenter (Stop-VMHost requires maintenance mode unless -Force is given)
$otherHosts | Stop-VMHost -Confirm:$false
# Wait until vCenter no longer sees those hosts as Connected or in Maintenance (they go NotResponding once down)
while((Get-VMHost -Server $vcServer | where{$_.Name -ne $vcHostName -and $_.ConnectionState -in 'Connected','Maintenance'}).Count -ne 0){
  sleep 10
}

# Disconnect from vCenter and connect directly to the ESXi host running vCenter, as root
Disconnect-VIServer -Server $vcServer -Confirm:$false
Connect-VIServer -Server $vcHostName -Credential (Get-Credential root)   # prompts for the password instead of leaving it in the command history
    # Connect-VIServer -Server $vcHostName -User root -Password '<root-password>'   # Alternatively (password ends up in transcript/history)

# Shut down the vCenter VM, then the ESXi host hosting it
Get-VM -Server $vcHostName | where{$_.PowerState -eq 'PoweredOn'} | Shutdown-VMGuest -Confirm:$false
while((Get-VM -Server $vcHostName | where{$_.PowerState -ne 'PoweredOff'}).Count -ne 0){
  sleep 5
}

Get-VMHost -Server $vcHostName | Stop-VMHost -Force -Confirm:$false   # -Force: this host was not placed in maintenance mode

# Close the connection with the ESXi host
Disconnect-VIServer -Server $vcHostName -Confirm:$false -Force

# Reset the state of an ESXi host to Disconnected (run while connected to vCenter)
Set-VMHost -VMHost <esxi-host> -State "Disconnected"

# Place a host in maintenance mode while it still has powered-on VMs (DRS migrates them off)
$cluster = Get-Cluster -VMhost <host-name>
$task = Set-VMHost -VMhost <host-name> -State 'Maintenance' -VsanDataMigrationMode EnsureAccessibility -RunAsync
Get-DrsRecommendation -Cluster $cluster | ?{$_.Reason -eq 'Host is entering maintenance mode'} | Apply-DrsRecommendation
$vmhost = Wait-Task $task

#*** esxcli commands from SSH session
esxcli system maintenanceMode get                   # Verify host maintenance mode
esxcli system maintenanceMode set --enable true     # Enable maintenance mode
esxcli system maintenanceMode set --enable false    # Exit maintenance mode

Enable WinSCP file transfer to vCenter server appliance

https://kb.vmware.com/s/article/2107727

# Process
1. ssh to the vCenter Server Appliance and log in with the root credential
2. Enable the Bash shell
    shell.set --enabled true
3. Access the Bash shell
    shell
4. Change the default shell of root to Bash (WinSCP needs a POSIX shell, not the appliance shell)
    chsh -s /bin/bash root
5. When the transfer is done, return root to the Appliance Shell
    chsh -s /bin/appliancesh root

# Check if the root password has expired
    chage -l root

# Change the root password
    passwd root

#*** Set the root password to never expire
    shell.set --enabled true
    shell
    chage -I -1 -m 0 -M 99999 -E -1 root
    chage -l root   # verify the change
    # Note: this removes the expiry control entirely. Where policy allows, prefer a long validity period
    # plus the expiration-warning email in VAMI (below), so you are warned before an expired root password blocks logins.

or, change from VAMI (vCenter Server Appliance Management Interface)
1. Login to VAMI
2. Click Administration
3. In the Password section, click Change
4. Enter the current and new password, then click Save
5. In the Password expiration setting section, click Edit
    a. Root password validity (days)
    b. Email for expiration warning
6. In the Password expiration setting pane, click Save
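
The `chage -l root` check above is the one that matters operationally: an expired root password is a common reason VAMI and SSH logins to the appliance suddenly fail. The following is an added example, not part of the VMware KB, that parses `chage -l root` output and reports how many days remain. The sample output is constructed, and the date layout assumed is the `Apr 09, 2024` form that shadow-utils chage prints; `read_live_chage()` is the only part that touches the real appliance.

```python
"""Report how long the appliance root password has left before it expires,
from the output of 'chage -l root'. Added example, not part of KB 2107727;
the sample output is constructed and the date format is assumed to be the
'%b %d, %Y' layout that chage prints."""
import subprocess
from datetime import date, datetime

# Constructed sample of 'chage -l root' output (assumption: typical shadow-utils layout).
SAMPLE_CHAGE = """\
Last password change                                    : Jan 10, 2024
Password expires                                        : Apr 09, 2024
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7
"""


def read_live_chage(user="root"):
    """Run 'chage -l <user>' on this appliance and return its output (requires root)."""
    return subprocess.run(["chage", "-l", user], capture_output=True, text=True, check=True).stdout


def parse_chage(output):
    """Map each 'Field : value' line of chage -l output to {field: value}."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _as_date(today):
    """Accept a date or an ISO 'YYYY-MM-DD' string as the reference day."""
    return date.fromisoformat(today) if isinstance(today, str) else today


def days_until_expiry(output, today):
    """Days left before the password expires (negative = already expired);
    None when chage reports 'never'."""
    value = parse_chage(output).get("Password expires", "never")
    if value == "never":
        return None
    if value.startswith("password must be changed"):
        return -1                     # chage prints this when the password is already expired
    expires = datetime.strptime(value, "%b %d, %Y").date()
    return (expires - _as_date(today)).days


def expiry_status(output, today, warn_days=14):
    """Classify the password as 'never', 'expired', 'warning' (due within warn_days) or 'ok'."""
    days = days_until_expiry(output, today)
    if days is None:
        return "never"
    if days < 0:
        return "expired"
    return "warning" if days <= warn_days else "ok"


if __name__ == "__main__":
    # On the appliance, replace SAMPLE_CHAGE with read_live_chage() to check the real account.
    today = date.today()
    print(expiry_status(SAMPLE_CHAGE, today), days_until_expiry(SAMPLE_CHAGE, today))
```

Run it from a monitoring job (or a cron entry on the appliance) with `read_live_chage()` and alert on `warning` or `expired`; `warn_days` should be at least the VAMI warning window you configured above.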
How to enable vCenter Shell access

https://kb.vmware.com/s/article/2100508

Currently, the vCSA is bundled with these supported shells:

  1. BASH Shell
  2. Appliance Shell

From the VM console
1. Open the vCenter VM console
2. Press Ctrl + Alt + F3
3. Login as root
4. Enable shell access by running
    command> shell.set --enabled true

Alternative, over SSH
1. SSH to the vCSA
2. Login as root, and run
    shell.set --enabled true
3. Type shell and press Enter
4. To permanently configure BASH as the default shell for the root user
    chsh -s /bin/bash root
5. Log out from the BASH shell and log in again for the change to take effect.

How to move a vSAN cluster from one vCenter server to another - KB 2151610

https://kb.vmware.com/s/article/2151610