This one post condenses everything (and more) from the previous 10 posts. If you only have time to read one post as part of your exam preparation, this is the one to read!
Virtual machine power user …
… provides users restricted access to perform the following tasks:
- Create and consolidate VM snapshots
- Add/Remove virtual disks
- Snapshot Management
The following two roles can be modified:
- Network Administrator
- Datastore Consumer
Note: Default roles – Administrator, Read-Only, No Access, and Tagging Admin – cannot be modified.
A custom role without any assigned privileges will have these two privileges by default:
- System.View
- System.Anonymous
In order for a user to have the ability to manage snapshots for VMs, the privilege – Datastore.Allocate Space – is required.
If an object has inherited permissions from two parent objects …
… the permissions are combined from both parent objects.
Data Center Folder …
… is the highest object level from which a VM can inherit privileges.
3 valid Authorization types …
- Group Membership in vSphere.local
- Global
- vCenter Server
3 components to select when configuring vSphere permissions …
- Inventory Object
- Role
- User/Group
Avoid adding members to these vSphere.local groups:
- SolutionUsers
- Administrators
To grant a user privileges that span vCenter Servers and vRealize Orchestrator within a PSC domain …
… assign a Global Permission to the user
2 recommended methods to manage the VMware Directory Service:
- Utilize the vmdir command
- Manage through the vSphere Web Client
Sample roles that are provided with vCenter Server by default:
- Virtual Machine User
- Network Administrator
- Content Library Administrator
Also: Resource Pool Administrator, VMware Consolidated Backup User, Datastore Consumer, Virtual Machine Power User
These 3 services can be enabled/disabled in the Security Profile for an ESXi host:
- CIM Server
- Direct Console UI
- Syslog Server
To use VMCA as an Intermediate Certificate Authority:
- Replace the Root Certificate (Intermediate CA)
- Replace Machine SSL Certificates (Intermediate CA)
- Replace Solution User Certificates (Intermediate CA)
- Replace the VMware Directory Service Certificate*
- Replace the VMware Directory Service Certificate in Mixed Mode Environments
3 options for ESXi Certificate Replacement:
- VMware Certificate Authority mode
- Custom Certificate Authority mode
- Thumbprint mode
When lockdown mode has been enabled on an ESXi 6.x host:
- a user granted administrative privileges in the Exception User list can log in
- a user defined in the DCUI.Access without administrative privileges can log in
When ‘Strict Lockdown Mode’ has been enabled on an ESXi host, to allow ESXi Shell or SSH access for users with administrative privileges …
… Add the users to Exception Users and enable the service
To mitigate security risks associated with having a common root account configured for a group of ESXi 6.x hosts:
- set a complex password for the root account and limit its use
- use ESXi Active Directory capabilities to assign users the administrator role
Considerations if an AD domain group is configured for “ESX Admins” to allow administrative access to an ESXi 6.x host:
- if administrative access for “ESX Admins” is not required (in the future), this setting can be altered
- an ESXi host provisioned with Auto Deploy cannot store AD credentials
For VMs that are only hosted on a vSphere system, disable these advanced features:
- isolation.tools.unity.push.update.disable
- isolation.tools.ghi.launchmenu.change
- isolation.bios.bbs.disable
- isolation.tools.hgfsServerSet.disable
- isolation.tools.memSchedFakeSampleStats.disable
- isolation.tools.getCreds.disable
- isolation.tools.ghi.autologon.disable
To reduce attack vectors for a VM, set these 2 settings to false:
- ideX:Y.present
- serial.present
When attempting to increase the security of VMs:
- Disable hardware devices
- Disable unexposed features
ESXi 6.0 enforces password requirements for direct access. When you create a password, include a mix of characters from four character classes: lowercase letters, uppercase letters, numbers, and special characters.
retry=3 min=disabled,disabled,21,7,7 passphrase=2
- passphrase configuration for minimum of 21 characters, and minimum of 2 words
VimPasswordExpirationInDays
- advanced setting for the vCenter Server to change the expiration policy of the vpxuser password
To secure existing VMs in vCenter Server:
- Restrict Remote Console access
- Prevent use of Independent Non-Persistent virtual disks
isolation.tools.setinfo.disable = true
can be used to prevent sensitive data being written to the VM’s configuration files
2 correct statements regarding vSphere certificates:
- ESXi host upgrades preserve the existing SSL certificate
- ESXi hosts have assigned SSL certificates from the VMCA during install
3 options for replacing vCenter Server Security Certificates:
- Replace with Certificates signed by the VMCA
- Make VMCA an Intermediate Certificate Authority
- Do not use VMCA, provision your own Certificates
If users are getting “Incorrect Username/Password” when trying to log into the vSphere Web Client …
- Users are typing the password incorrectly
- Users are in a forest that has 1-way trust
CAAdmins …
… group in vsphere.local domain has administrator privileges for the VMCA
Maximum Lifetime …
… PSC Password Policy determines the number of days a password can exist before the user must change it.
Milliseconds …
… defines the time skew tolerance between a client and the domain controller clock for an SSO token configuration policy.
VMware Security Token Service (STS) …
… issues Security Assertion Markup Language (SAML) tokens.
Valid Identity Sources when configuring vCenter Single Sign-On:
- OpenLDAP
- LocalOS
2 actions to accomplish the creation of an Integrated Windows Authentication (IWA) Identity Source on a newly deployed VCSA:
- Use a Service Principal Name (SPN) to configure the Identity source
- Join the VCSA to Active Directory and configure the Identity Source with a Machine Account
vga.vgaOnly = TRUE
… Reduce Memory Overhead for Virtual machines with 3D graphics Option
128 …
… Maximum Virtual CPUs per virtual machine (Virtual SMP)
2 features available for VMs configured with DirectPath I/O:
- Virtual Symmetric Multi-Processing (vSMP)
- Virtual Non-Uniform Memory Access (vNUMA)
A Subscription URL …
… is required in order to complete subscription when subscribing a Content Library to another remote Content Library without authentication enabled.
Global …
… is the lowest level of permission hierarchy for a role, in order to grant a user access for only creating a Content Library for a single vCenter Server.
Assign the read-only role at the global permission level …
… for Content Libraries to be visible to a user.
The files (contained on the backing storage) will be deleted …
… when a Content Library is deleted.
3 connection types supported between a remote site and vCloud Air:
- Secure Internet Connectivity
- Direct Connect
- Secure VPN
Virtual machines (replicated objects) …
… can be directly monitored and managed when subscribed to the vCloud Air Disaster Recovery service.
When adding an – Identity source type: Active Directory as an LDAP Server – correct value for Domain alias = The domain’s NetBIOS name
When changing settings on a vSphere Distributed Switch (vDS), if you get “This host currently has no management network redundancy” due to misconfiguration …
… The host will automatically detect the communication issue and revert the change
Promiscuous …
… secondary Private VLAN (PVLAN) type can communicate and send packets to an isolated PVLAN.
3 traffic types that can be configured for dedicated VMkernel adapters:
- vMotion traffic
- vSphere Replication NFC traffic
- Provisioning traffic
2 limitations of LACP on a vSphere Distributed Switch:
- Software iSCSI multipathing is not compatible
- It does not support configuration through Host Profiles
2 features deprecated in NIOC3:
- Class of Service (COS) Tagging
- User-defined network resource pools
esxcli storage core device list
Status: off
- The device is in a Permanent Device Loss (PDL) state
2 use cases for Fibre Channel Zoning in a vSphere Environment:
- Controls and isolates paths in a fabric
- Can be used to separate different environments
Considerations when booting from Software Fibre Channel over Ethernet (FCoE):
- Multipathing is not supported at pre-boot
- Boot LUN cannot be shared with other hosts even on shared storage
Spanning Tree Protocol being enabled on the network ports …
… is a likely cause of an All Paths Down (APD) event occurring for the Software FCoE storage.
2 true statements regarding iSCSI adapters:
- Software iSCSI adapters require VMkernel networking
- Independent Hardware iSCSI adapters offload processing from the ESXi host
Configuring VMs to use WWPNs to access the storage, 2 conditions are required:
- The switches in the fabric must be N-Port ID Virtualization aware
- The VMs must be using pass-through RDM (RDMp)
2 true statements regarding VMFS3 volumes in ESXi 6.x:
- Creation of VMFS3 volumes is unsupported
- Upgrading of VMFS3 volumes to VMFS5 is supported
3 correct statements regarding FCoE:
- The network switch must have Priority-based Flow Control (PFC) set to AUTO
- Each port on the FCoE card must reside on a separate vSwitch
- The ESXi host will require a reboot after moving an FCoE card to a different vSwitch
2 true statements regarding Virtual SAN Fault Domains:
- They enable Virtual SAN to tolerate the failure of an entire physical rack
- Virtual SAN ensures that no 2 replicas are provisioned on the same domain
A 6 node VSAN cluster, with 3 nodes in a fault domain, if a member of the fault domains fails …
… the remaining two fault domain members are treated as failed
VSAN Fault Domain is configured in the …
… VMware Virtual SAN Cluster configuration
VMW_PSP_MRU
will have no preferred path setting for the Plug-In
2 tasks the Pluggable Storage Architecture (PSA) performs:
- Handles I/O queueing to the logical devices
- Handles physical path discovery and removal
2 true statements regarding Storage Multipathing Plug-Ins:
- The default Path Selection Policy is VMW_PSP_FIXED for iSCSI or FC devices
- VMW_PSP_MRU is typically selected for ALUA arrays by default
To list multi-pathing modules on an ESXi 6.x host …
… esxcli storage core plugin list --plugin-class=MP
2 solutions which require Physical Mode RDM:
- Direct access to the storage array device
- Guest Clustering across ESXi hosts
A device’s VAAI support status command line output shows –
Status: unsupported
Clone Status: unsupported
Zero Status: unsupported
Delete Status: unsupported
- the corresponding VAAI support status in the vSphere Web Client is …
… Unknown
vSphere Web Client > Increase Datastore Capacity > Select Device - Capacity X GB, Expandable = Yes
- result …
… Datastore will grow up to X GB using the remaining free space on the device
VM activity on an ESXi 6.0 host is negatively affecting a VM on another host using the same VMFS datastore. To mitigate the issue …
… Enable SIOC
2 conditions which could explain problems configuring SIOC on a datastore:
- A host is running ESXi 4.0
- An ESXi host does not have appropriate licensing
3 requirements for configuring SIOC:
- The datastore must consist of only one extent
- The datastore is managed by a single vCenter Server
- Auto-tiered storage must be compatible with SIOC
To provide Load Balanced I/O for an EqualLogic Array (SATP = VMW_SATP_EQL), set the …
… Path Selection Policy = Round Robin (VMware)
After running –
esxcli storage nmp psp roundrobin deviceconfig set --useano=0 -d naa....
- the expected effect …
… I/O will rotate on all storage targets that are Active Optimized state only
Note: useano = Use Active-Non-Optimized, and the setting 0 turns it off.
If upgrading an ESXi 5.5 host to ESXi 6.x you get the following error “MEMORY_SIZE” …
… (there is) Insufficient memory on the ESXi host to complete the upgrade
Display the Installed VIBs and Profiles That Will Be Active After the Next Host Reboot
For VIBs: esxcli --server=server_name software vib list --rebooting-image
For Profiles: esxcli --server=server_name software profile get --rebooting-image
Syntax for silent automatic upgrade of VMware Tools on a Windows VM:
setup.exe /s /v "/qn" /l "c:\Windows\filename.log"
The installation kickstart script (ks.cfg) to upgrade an ESXi 6.x host can reside in any of these locations:
- HTTP/HTTPS
- NFS
- USB
- FTP
- CD/DVD
boot.cfg …
… determines the location of the installation script during a scripted upgrade
3 supported methods to upgrade a host from ESXi 5.x to ESXi 6.x:
- vSphere Update Manager
- esxcli
- vSphere Auto Deploy
2 supported tools to upgrade VM hardware:
- vSphere Web Client
- vSphere Update Manager
3 recommended prerequisites before upgrading VM hardware:
- Create a backup or snapshot of the virtual machine
- Upgrade VMware Tools to the latest version
- Verify that the virtual machine is stored on VMFS3, VMFS5 or NFS datastores
Minimum Recommended Hardware Requirements for Installing vCenter Server on Windows:
Large Environment (1’000 ESXi hosts and 10’000 VMs) – 16 CPUs and 32 GB RAM
Note: This is 2 ^ 4 CPUs and 4 * 8 GB RAM
Once you have upgraded a Distributed vCenter Server environment from 5.5 to 6.0, the next step …
… vCenter Inventory Service must be manually stopped and removed
If vCenter Server upgrade fails at the vCenter Single Sign-On installation, to complete the upgrade:
… Verify that the VMware Directory Service can stop by manually restarting it
During a vCenter Server upgrade, if an ESXi 6.x host in a HA cluster fails …
… HA will fail the virtual machines over to an available host during the vCenter Server upgrade process
Prerequisite action before upgrading a vCenter Server Appliance …
… Install the Client Integration Plug-in
You may encounter this error whilst upgrading vCenter Server -
“The DB User entered does not have the required permissions needed to install and configure vCenter Server with the selected DB” – if:
- The database is set to an unsupported compatibility mode
- The permissions for the database are incorrect
As part of an upgrade from a Distributed vCenter server running 5.x, the following 2 vCenter Server services are migrated automatically as part of the upgrade:
- vSphere Web Client
- vSphere Inventory Service
Note: Also in the group of services migrated – vSphere Auto Deploy, vSphere Syslog Collector, vSphere ESXi Dump Collector.
esxcli …
… command line utility can be used to upgrade an ESXi host
To identify an issue which occurred during the pre-upgrade phase of a vCenter Server upgrade process …
… vcdb_req.out (pre-upgrade checks)
3 true statements regarding restoring a Resource Pool Tree:
- Restoring a snapshot can only be done on the same cluster from which it was taken
- No other resource pools can be present in the cluster
- Restoring a resource pool tree must be done in the vSphere Web Client
If you create a resource pool with a Memory Limit of say 24 GB, and it has 3 VMs, with 16/6/4 GB RAM respectively (26GB) …
… only 2 of the 3 VMs can power on
Example on Memory Reservation:
12GB: DRS Cluster
8GB Expandable: Resource Pool “TestDev”
> 1GB Expandable: Resource Pool “Test” (child of “TestDev”)
-- 1GB on Test-VM1 (ON)
-- 1GB on Test-VM2 (OFF)
> 4GB Expandable: Resource Pool “Dev” (child of “TestDev”)
-- 2GB on Dev-VM1 (ON)
-- 2GB on Dev-VM2 (OFF)
A virtual machine can be powered on in the Test Resource Pool with a 6GB Memory Reservation.
Example on CPU Shares:
DRS Cluster
Resource Pool “Production”: CPU Shares HIGH
-- Prod-VM1: HIGH
-- Prod-VM2: NORMAL
Resource Pool “Test”: CPU Shares LOW
-- Test-VM1: HIGH
-- Test-VM2: NORMAL
Note: All VMs have 1 vCPU and are powered on.
Under CPU contention, Prod-VM1 receives four times the CPU resources of Test-VM1
Note: HIGH is 4 x LOW.
vSphere Replication protects VMs from partial or complete site failures by replicating the VMs:
- From a source site to a target site
- From within a single site from one cluster to another
- From multiple source sites to a shared remote target site
2 capabilities the vSphere Replication Client Plug-in provides:
- Configure connections between vSphere Replication Sites
- Deploy and register additional vSphere Replication Servers
VRM remote.Manage VRM …
… privilege is needed at both sites for a vSphere Replication user to connect a source site to a target site
3 parameters that should be considered when calculating the bandwidth for vSphere Replication:
- Data change rate
- Traffic rates
- Link speed
PKCS#12 file format …
… is required when importing an existing SSL certificate into vSphere Replication Server
A vSphere Replication administrator would manually add an additional Certificate Authority certificate to the …
… hms-truststore.jks keystore
24 …
… is the maximum number of snapshot instances in vSphere Replication that can be configured to recover a VM at a specific point in time.
FastLZ …
… is the compression algorithm used by vSphere Replication to compress data at the source.
Via – vSphere Web Client > Cluster Actions Menu > Storage option – create a VVOL on an existing VVOL container
Example on New Datastore Wizard:
New Datastore > Partition configuration > Partition Layout: Capacity = 200GB
Partition Configuration = Use all available partitions
Datastore Size = 100GB
100GB VMFS5 datastore with free space available for expansion …
… will be created upon completion of the steps in the wizard.
“The host’s CPU hardware does not support the cluster’s current Enhanced vMotion Compatibility mode. The host CPU lacks features required by that mode” …
… the ESXi host CPU has the Intel No-Execute feature disabled
Example on VSAN:
If we have 5 HDD, but one is “Not supported”, so 4 HDD.
And 2 SSD (Flash)
2 combinations of devices which could be used to create Disk Group(s):
- One Disk Group with 1 Flash Drive and 3 HDDs
- Two Disk Groups with 1 Flash Drive and 2 HDDs each
Note: For One Disk Groups need a HDD spare
Note: For Two Disk Groups need sufficient drives
Unable to start the vCenter Server service, so check the vpxd.log file and see:
“… CoreDump: Unable to write minidump … There is not enough space on the disk”
There is insufficient space on the vCenter Server!
After deploying vSphere Platform Services Controller (PSC), you are unable to install vCenter Server. The error is:
“Could not contact Lookup Service. Please check VM_ssoreg.log”
2 actions to correct this problem:
- Verify that the clocks on the host machines running the PSC, vCenter Server, and the vSphere Web Client are synchronized
- Ensure that there is no firewall blocking port 7444 between the PSC and vCenter Server
vCenter Server installation will fail if trying to install on …
… Windows Server 2008
3 ports used by the vSphere Web Client when connecting directly to an ESXi 6.x host:
- 443 TCP
- 902 TCP and UDP
- 903 TCP
vSphere Web Client connection error -
“Could not connect to one or more vCenter Server Systems https…vCenter.corp.com:443/sdk”
- reasons preventing communication with this vCenter Server:
- The vCenter Server machine is not responding via the network
- An incorrect entry for this vCenter Server exists in the Single Sign-On service
- The SSL certificates do not match the FQDN address for the server
vSphere Web Client use ‘Windows Session Authentication’ check box requires:
- Install the vSphere Web Client Integration browser plug-in on each workstation from where a user will sign in
- The users must be signed into Windows using Active Directory user accounts
- The administrator must create a valid Identity Source in Single Sign-On for the users’ domain
3 likely causes contributing to an administrator being unable to see performance statistics for only the Past Week performance data, with vCenter Server using Microsoft SQL Database:
- Performance statistics are turned off
- The Past Day rollup job is not present
- The stats_rollup_1_proc is not present
An ESXi 6.x host in vCenter Server Inventory has disconnected due to an APD situation. After correcting the APD issue on the host, next action …
… Select Restart Management Agents from the DCUI
Time on an ESXi 6.x host is incorrect. 2 actions to correct:
- Modify the time for the host using the vSphere client
- Correct the NTP settings in the /etc/ntp.conf file
esxcli network nic list …
… shows the Physical Uplink status for a vmnic
Note: This command will list the Physical NICs currently installed and loaded on the system.
To change the root password for an ESXi 6.x host, 2 ways this can be accomplished:
- Use the DCUI to change the password
- Use the passwd command in the ESXi Shell
Press the F12 key …
… to shut down the ESXi 6.x host via the DCUI …
If you can manage an ESXi 6.x host connected to vCenter Server using the vSphere Web Client, but are unable to connect to the host directly …
… Disable Lockdown Mode on the ESXi host through vCenter Server
If a new custom ESXi firewall rule using an XML file has been created, and it does not appear in the vSphere Web Client …
… Load the new rules using esxcli network firewall refresh
In order to see two vCenter Servers within a single vSphere Web Client session, two vCenter Server and PSC configurations that would accomplish this:
- Install a single PSC with two vCenter Servers registered to it
- Install two PSCs in the same Single Sign-On domain with one vCenter Server registered to each PSC
If the vSphere Client is directly connected to the ESXi host …
… the Clone option will be missing
To successfully power on a VM while connected to an ESXi host using SSH …
… vim-cmd vmsvc/power.on {VMID}
If the .nvram file is deleted from a powered off VM …
… the .nvram file will get created the next time the VM is powered on.
If an administrator tries to connect the vSphere 5.5 Client to an ESXi 6.x host …
… The operation will prompt the administrator to run a script to upgrade the vSphere Client
If a new ESXi 6.x host is “Not Responding” in the vSphere Web Client, this can be caused by a network firewall blocking traffic to port …
… 902 (UDP)
Troubleshooting network communications between the vCenter Server and the ESXi 6.x host, review this log:
/var/log/vpxa.log
Slow performance of the vCenter Inventory Service.
In the wrapper.log file we have an error “Exception …. Java.lang.OutOfMemoryError … Java heap space”.
Increase the memory resources of the vCenter Server
If a VM has unexpectedly powered off - to troubleshoot - review these logs:
- vmware.log
- hostd.log
2 reasons why a VM can appear as orphaned:
- A VMware High Availability host failure has occurred
- The virtual machine was unregistered directly on the host
The minimum VM Hardware version required for vFlash Read Cache is:
Version 10
3 reasons why a VM might fail to power on:
- The VM is running on an ESXi host which has an expired license
- The VM is running on a datastore which has insufficient disk space for the .vswp file
- The VM is in a cluster with vSphere HA Admission control enabled
voma …
… is the command line utility that checks for VMFS5 metadata corruption
2 reasons why a local flash device would be unavailable for use with VSAN:
- it has a VMFS datastore present
- it is in use by the vFlash Read Cache feature
3 troubleshooting actions an administrator should take to address slow performance when deploying a VM template:
- Increase network throughput by adding additional uplinks to the vSwitch
- Change the destination datastore or volume for the VM template
- Configure a Provisioning Traffic VMkernel port to perform the deployment operation
When attempting to remove a host from a vSphere Distributed Switch (vDS), you receive this error -
“The resource … is in use”
- 2 reasons why this error might be displayed:
- VMkernel network adapters on the vDS are in use
- VM network adapters are connected to the vDS
If you suspect the MTU value for a vSphere Standard Switch is misconfigured, 2 commands to determine the value:
- esxcfg-vswitch -l
- esxcli network vswitch standard list
Attempted deletion of an NFS datastore generates the error:
“Sysinfo error on operation returned the following status: Busy”
To complete the deletion …
… Storage vMotion any VMs on the datastore to another location
If the df -h command shows an NFS datastore reporting a capacity of 0 bytes …
… The NFS server on which the datastore resides is down
The command “esxcli network vm list” shows 4 VMs connected to a Production vSwitch, but the vSphere Web Client shows 5 VMs, this is because …
… The 5th VM is currently powered off.
An administrator is experiencing network connectivity issues between VMs. 3 settings the administrator should investigate:
- VLANs of the physical NICs
- Failover order of the uplinks
- Virtual NIC connectivity to the dvSwitch
A task to create a VMFS5 datastore fails. The datastore was previously used by a Linux server, and not erased. To resolve the issue …
… Delete the partitions on the disk manually with partedUtil first
Note: Same if the disk was formatted with Master Boot Record (MBR) partition table (Windows).
2 reasons that would prevent SDRS from operating on a datastore:
- The datastore has SIOC disabled
- The datastore is connected to an unsupported host
2 ways to view the DNS settings for an ESXi 6.x host:
- Use the vicfg-dns command from the vSphere Management Appliance
- View the /etc/resolv.conf file on the ESXi host
If after configuring a VSAN cluster, you notice the VSAN datastore is smaller than expected (i.e. 100GB instead of 300GB) …
… There is a network problem with the VSAN vmkernel ports
vCenter Server Appliance 6.0 does not support upgrades from 5.1 U2
After upgrading a VCSA from version 5.5 to 6.x, using DHCP to obtain hostname, and then configuring static IP and hostname. Immediately after the change, to prevent service failures …
… Regenerate the SSL certificates
An administrator is unable to patch an ESXi 6.x host using VMware Update Manager, an alternative option for patching the host …
… Upload the offline bundle to a datastore and execute the command “esxcli software vib install -d” to apply it manually
3 logs to review to troubleshoot vCenter Server upgrade failure:
- vminst.log
- vim-vcs-msi.log
- pkgmgr.log
Trying to update an ESXi 6.x host using –
esxcli software vib update -d update.zip
- does not work with error “Could not download …”
… add the full file path to the command
Failed upgrade from vCenter Server 5.x to 6.0 –
“00800 error … Database version … is incompatible with this release of VirtualCenter”
- the problem is …
… there was a database schema upgrade failure during the installation
3 ESXTOP counters that may demonstrate CPU contention:
- %RDY
- %MLMTD
- %CSTP
Note:
%RDY = The percentage of time the world (VM) was ready to run, but has not yet been scheduled for CPU time due to contention with other worlds (VMs).
%MLMTD = The percentage of time the world was ready to run but deliberately wasn't scheduled because that would violate the "CPU limit" settings.
%CSTP = The percentage of time the world spent in ready, co-deschedule state.
If – for a VM – the CPU usage is consistently > 90%, and CPU ready value is consistently > 20%, and application performance is impacted; to improve the performance of the VM:
- Verify that VMware Tools is installed on every virtual machine on the host
- Increase the CPU shares assigned to the virtual machine
A VM CPU issue seen in ESXTOP:
- CPU0 is at 100% usage
- other CPUs close to 0%
- %RDY value is consistently above 10%
=> The VM has CPU affinity configured
8 out of 10 VMs have memory ballooning and swapping.
VM 9 is not ballooning or swapping.
VM 10 is not ballooning but is swapping.
=> VM 9 has a 100% memory reservation
=> VM 10 does not have VMware Tools
2 badges in vRealize Operations which would help identify possible VM resource contention concerns:
- Health > Workload
- Risk > Stress
A VM is exhibiting symptoms:
- Memory usage: constantly high (94% +) or constantly low (24% -)
- Free Memory: consistently 6% or less
- swapping frequently occurs
3 solutions to correct:
- Verify that VMware Tools is installed on each VM
- Decrease the memory reservation setting, if much higher than active memory
- Add physical memory to the host
If concerned about possible vCPU over-commitment for an ESXi 6.x host, review these 2 Performance Counters in vSphere Web Client Performance Charts to confirm if there is contention on the host:
- Ready
- Co-Stop
To use ESXTOP to troubleshoot CPU performance issues …
… in esxtop, press f and place an asterisk next to each field that should be displayed
In ESXTOP - SlowVM has:
NWLD  %USED  %RUN  %SYS  %WAIT  %VMWAIT  %RDY  %IDLE  %OVRLP  %CSTP  %MLMTD  %SWPWT
10    202    203   0     589    0        163   0      0       61     0       0
3 actions to improve CPU performance for SlowVM …
- Decrease the number of vCPUs assigned to SlowVM
- Power off other VMs running on the same ESXi host
- Move SlowVM to another ESXi host with more physical CPU resources available
In ESXTOP - SlowVM has:
NWLD  %USED  %RUN  %SYS  %WAIT  %VMWAIT  %RDY  %IDLE  %OVRLP  %CSTP  %MLMTD  %SWPWT
7     4      4     0     616    0        97    0      0       0      97      0
Option to improve application performance for SlowVM virtual machine:
- Increase the CPU limit assigned to SlowVM
An administrator notices that a Windows VM is using 95% CPU in Task Manager. Two actions to resolve:
- Increase the CPU Shares on the resource pool where the VM resides
- Increase the CPU limit on the resource pool where the VM resides
High Performance …
… is a Host Power Management Policy for an ESXi 6.x host that will disable most hardware power management features.
To monitor VMs on a host and send notifications when memory usage reaches 80%, create in vCenter …
… a vCenter Server alarm that will monitor VM memory usage and set an action to email the notification
fdm.log …
… is the name of the High Availability agent log
vSphere Standard …
… is the minimum licensed edition that supports VM Fault Tolerance
For VM Fault Tolerance:
vSphere Standard and Enterprise – allows up to 2 vCPUs
vSphere Enterprise Plus – allows up to 4 vCPUs
A datastore in a datastore cluster cannot enter maintenance mode. The ‘Entering Maintenance Mode’ status remains at 1%. Cause: One or more disks on the datastore cannot be migrated with Storage vMotion. This condition can occur in the following instances.
- Storage DRS is disabled on the disk.
- Storage DRS rules prevent Storage DRS from making migration recommendations for the disk.
2 likely causes for a DRS cluster to become unbalanced:
- Affinity rules are preventing VMs from being moved
- A device is mounted to a VM preventing vMotion
2 scenarios that would cause an FT enabled VM to fail to power the Secondary VM:
- The host has entered a Network Partitioned state
- vSphere HA is disabled on the host cluster
An administrator notices vSphere DRS indicates “Imbalanced”. vMotions are working “Total vMotion Migrations > 100”, and there is plenty of resource availability on the cluster (10% CPU utilization, 60% memory utilization). 3 potential causes of the cluster imbalance:
- A local device is mounted to one or more of the VMs
- DRS rules prevent VMs from being moved
- DRS has been configured for a conservative migration threshold
In vRealize Operations, a VM has a “Workload is highest by CPU” alert, and in the Risk pane it effectively says:
… Increase the number of vCPUs for the VM
A vSphere Auto Deploy rule can identify target hosts by:
- SMBIOS information
- BIOS UUID
- boot MAC address
- Vendor
- Model
- fixed DHCP IP address
Auto Deploy hosts have been configured to obtain their networking configuration via DHCP.
To renew the DHCP lease for the hosts via the DCUI …
… Restart Management Network
Export-EsxImageProfile …
… can be used to ensure Auto Deploy image profiles are preserved (exported and available) across PowerCLI sessions.
2 valid (Auto Deploy) compliance results that indicate the need to apply a Host Profile:
- Non-compliant
- Unknown
After Auto Deploying ESXi hosts connected to a vSphere Distributed Switch, it is noticed that LACP packets are not being sent between them. This is because …
… The LACP support settings do not exist in the host profile
Using VMware converter against a Windows Server that ‘Contains one NTFS formatted volume’, the number of virtual disks that can be added to the destination VM = 0
Using VMware converter to create a VM with smaller virtual disks than the original physical server …
… use VMware Converter hot cloning with volume-based cloning at the file level
To recover disk space on a previously-used thin provisioned virtual disk, and disk blocks are on a VAAI-compliant storage array, two actions to accomplish this:
- Use VMware Converter to migrate the VM to a new datastore…
- execute the esxcli storage vmfs unmap command
Example on CPU Reservation:
16 GHz: DRS Cluster
6 GHz Fixed: Resource Pool “Production”
> 2 GHz Fixed: Resource Pool “Web” (child of “Production”)
-- 1 GHz on Web-VM1 (ON)
> 2 GHz Expandable: Resource Pool “DB” (child of “Production”)
-- 1 GHz on DB-VM1 (ON)
A VM can be powered on in the DB Resource Pool with a 3 GHz CPU Reservation
To set a non-default isolation address of 192.168.1.2 for HA, the advanced setting to accomplish this is:
das.isolationaddress0=192.168.1.2
vSphere HA calculates the memory slot size of a VM:
Virtual machine memory reservation + overhead of largest virtual machine
“The number of vSphere HA heartbeat datastores for this host is 1, which is less than required: 2”. 2 actions to clear:
- Set the advanced High Availability parameter das.ignoreInsufficientHbDatastore to true
- Add a shared datastore and reconfigure High Availability
120 seconds …
… is the VM Monitoring I/O stats interval default value in a vSphere HA cluster.
An administrator enables HA on a Virtual SAN cluster. We have four VMkernel port groups for: Management, vMotion, Virtual SAN, and Fault Tolerance …
… the Virtual SAN IP address is used for (VSAN) HA traffic.
To configure a HA cluster to allow VMs a 10-minute window to shut down in the event of a Host isolation incident:
- Set the advanced option das.isolationshutdowntimeout = 600
- Configure Host Isolation Response to Shut Down and Restart VMs
A vSphere 6 HA cluster with default settings, and 4 VMs with these restart priorities: High, High, Medium, Low. The number of VM Overrides to be defined at cluster level to meet the restart priorities is …
… 2
Two settings required for VMCP to protect from APD and PDL:
- Host Monitoring
- VM Restart Priority