vCenter Deep Dive
Ameet Jani, VMware
Justin King, VMware
VSVC4830
#VSVC4830
2
Overview
 vCenter Server – A Technical Deep Dive
• vCenter Installer
• Inventory Service
• vSphere Web Client
• vCenter Database
• vCenter Single Sign-On
 Reference Architecture (Best Practices)
• Single vCenter Environments
• Multi vCenter Environments
 We want to answer all questions… at the end
3
What This Session Is/Target Audience
 Other VMworld sessions of similar interest
• Upgrades
• VSVC5690 vSphere Upgrade Series Part 1: vCenter Server
• Performance
• VSVC5234 Extreme Performance Series: vCenter of the Universe
• vCenter Single Sign-On
• VSVC5635 vSphere vCenter Single Sign-On Best Practices
• vSphere Web Client
• VSVC5436 vSphere Web Client – Technical Walkthrough
4
Installers
5
Simple Install
 Simple Install Changes
• Added Web Client
• Installer Order changes
• 5.1 order: Single Sign-On → Inventory Service → vCenter
• 5.5 order: Single Sign-On → vSphere Web Client → Inventory Service → vCenter
 Why?
• In the rare case SSO goes wrong, users
can log into Web Client and configure/edit
 Best practice: Simple Install puts all
components in a single server
• VMware’s suggested best practice
6
Custom Install
Why would you run this?
 Distribute services across
multiple servers
 Customize location
 Advanced configurations
• E.g. additional vCenter servers
7
Inventory Service
8
What Is the vCenter Server Inventory Service?
 Maintains a cache of the vCenter
Server inventory
• (VMs, Hosts, etc)
 Reduces the load on VPXD by
offloading client requests
 Installs locally to vCenter Server
(although can be separated)
 Enables use of Tags
• Remember to backup Inventory
service data files to provide
recovery of tags
Inventory Service provides a query service into VPXD
9
vSphere Web Client
10
What Is the vSphere Web Client?
 The NEW virtual infrastructure client
• THE client for vSphere administrators (starting in vSphere 5.1)
• Matched functionality to legacy VI Client (almost – we’ll get to this)
• Additional vCenter 5.1/5.5 functionality, only available through the vSphere
Web Client
 Browser based
• Internet Explorer / Firefox / Chrome fully supported on Windows and Mac
The new face of
vSphere Administration
11
vCenter Server 5.5
 vSphere Web Client
• Increased Platform Support
• Added support for OS X
• VM Console access
• Deploy OVF Templates
• Attach Client Devices
• Enhanced Usability Experience
• Drag and Drop
• Filters
• Recent Items
12
• But…
• You need your solutions
• And the performance could be better
Web Client
 Last release for VI Client (5.5)
• Why did we keep it around?
• VUM
• Host Client
• After playing with the new client for 2 days,
most admins like the NEW client
13
VMware vSphere Web Client Plugins
• vcOps
• Infrastructure Nav
• Orchestrator
• Data Protection
Others:
• vFabric Elastic Memory for Java
• vSphere Replication
• vSphere Data Protector
14
Partner Plug-ins for the Web Client
15
vCenter Server Database
16
Stats and Database Performance Improvements
We have improved each activity
 Stats Operations
• Insert stats
• Roll up stats into new granularities
• Purge stats when they get too old
 Partitioned database tables
• Faster to insert into smaller partition tables than in one really large table
 No collisions
• No collisions between data that is being inserted and data that is being rolled up
 Faster Purges
• By partitioning we are able to drop tables and NOT search and drop stale rows.
RESULT
 Dramatically reduced I/O requirements
 Dramatically faster rollup times
 Predictable rollup procedure
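Added example to make the three mechanisms on this slide concrete; it is a toy sqlite model written for this page, not the vCenter database schema. Raw samples land in one table per day, the rollup reads only a closed day's partition, and the purge drops whole partition tables rather than deleting rows. The table naming, the counters and the three days of samples are constructed.

```python
"""Toy model of the partitioned statistics scheme described on the slide
(added example; not the vCenter database schema). Raw samples go into one
sqlite table per day, rollup reads a closed day's partition, and purge drops
whole tables instead of deleting stale rows."""
import sqlite3
from datetime import datetime, timedelta

PREFIX = "stats_raw_"

def partition_name(ts):
    # Derived from a formatted date only, so it is safe to splice into SQL text.
    return f"{PREFIX}{ts:%Y%m%d}"

def insert_sample(con, ts, counter, value):
    """Insert one sample into the partition for its day, creating it on first use."""
    name = partition_name(ts)
    con.execute(f"CREATE TABLE IF NOT EXISTS {name} (ts TEXT, counter TEXT, value REAL)")
    con.execute(f"INSERT INTO {name} VALUES (?, ?, ?)", (ts.isoformat(), counter, value))

def raw_partitions(con):
    """Names of all raw daily partitions, oldest first."""
    rows = con.execute("SELECT name FROM sqlite_master WHERE type='table' "
                       "AND name LIKE ? ORDER BY name", (PREFIX + "%",))
    return [r[0] for r in rows]

def rollup_day(con, day):
    """Aggregate one closed daily partition into hourly averages. Inserts only
    ever touch today's partition, so rollup and insert never contend for rows."""
    con.execute("CREATE TABLE IF NOT EXISTS stats_hourly "
                "(hour TEXT, counter TEXT, avg_value REAL, samples INTEGER)")
    name = partition_name(day)
    con.execute(f"INSERT INTO stats_hourly SELECT substr(ts, 1, 13), counter, "
                f"AVG(value), COUNT(*) FROM {name} GROUP BY substr(ts, 1, 13), counter")

def purge_before(con, cutoff):
    """Drop every raw partition for a day before cutoff and return their names.
    DROP TABLE is a metadata change; no stale rows are searched for or deleted."""
    cutoff_day = cutoff.replace(hour=0, minute=0, second=0, microsecond=0)
    dropped = []
    for name in raw_partitions(con):
        day = datetime.strptime(name[len(PREFIX):], "%Y%m%d")
        if day < cutoff_day:
            con.execute(f"DROP TABLE {name}")
            dropped.append(name)
    return dropped

def demo():
    """Three days of constructed 5-minute CPU samples for two hosts (assumption)."""
    con = sqlite3.connect(":memory:")
    start = datetime(2013, 8, 25)
    for d in range(3):
        for m in range(0, 24 * 60, 5):
            ts = start + timedelta(days=d, minutes=m)
            for host in ("esx01", "esx02"):
                insert_sample(con, ts, f"cpu.usage:{host}", 10 + d + (m % 60) / 10)
    # Roll up the two closed days, then purge everything older than the current day.
    rollup_day(con, start)
    rollup_day(con, start + timedelta(days=1))
    dropped = purge_before(con, start + timedelta(days=2))
    hourly_rows = con.execute("SELECT COUNT(*) FROM stats_hourly").fetchone()[0]
    sample = con.execute("SELECT avg_value, samples FROM stats_hourly WHERE "
                         "hour = '2013-08-25T03' AND counter = 'cpu.usage:esx01'").fetchone()
    result = {"dropped": dropped, "remaining": raw_partitions(con),
              "hourly_rows": hourly_rows, "sample": sample}
    con.close()
    return result

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The purge walks the catalogue, not the data, which is why its cost does not grow with the number of stale rows; the rollup's read set is a single closed partition, which is the "no collisions" property on the slide.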
18
vCenter Server Appliance
19
What About the Appliance
Limitations Today:
 External database is Oracle only
• No SQL Server support planned
 Embedded database scale
• 5 hosts / 50 VMs
• Will change 5.1 U2
 IPv6
 Linked Mode capability
 Availability with vCenter Heartbeat
Future Direction:
 Future direction is with appliance but we have work to do first
 Proven itself with VMware HOL
 Secure the appliance
 Provide better availability
 Add Linked mode functionality
Take a look, get familiar and prepare to adopt
20
System Requirements
21
System Requirements (Hardware)
Simple Install (Min)
• 2CPU / 12GB RAM / 100GB Disk / 1Gbps
Custom Install (Min)
 Single Sign-On
• 1CPU / 3GB RAM / 2GB Disk / 1Gbps
 vSphere Web Client
• 1CPU / 2GB RAM / 2GB Disk / 1Gbps**
 Inventory Service
• 1CPU / 3GB RAM / 5GB Disk / 1Gbps
 vCenter Server
• 2CPU / 4GB RAM / 60GB Disk / 1Gbps
Simple Install (Recommended)
• 4CPU / 24GB RAM / 100GB Disk / 1Gbps
Custom Install (Recommended)
 Single Sign-On
• 2CPU / 4GB RAM / 8GB Disk / 1Gbps
 vSphere Web Client
• 2CPU / 4GB RAM / 8GB Disk / 1Gbps**
 Inventory Service
• 1CPU / 8GB RAM / 32GB Disk / 1Gbps
 vCenter Server
• 4CPU / 8GB RAM / 100GB Disk / 1Gbps
• Based on an Inventory Size of
400 hosts or 4000 virtual machines
22
Deprecated Operating Systems
 vCenter Server 5.5 removes support for
• Windows Server 2003 as a host operating system
• Windows Server 2008 (no SP) as a host operating system
• Windows Server 2008 SP1 as a host operating system
Upgrade to Windows Server 2008 SP2 before upgrading vCenter Server
to version 5.5
 vSphere Documentation Center
https://www.vmware.com/support/pubs/
 VMware Compatibility Guide
http://www.vmware.com/resources/compatibility
 Product Interoperability Matrix
http://www.vmware.com/resources/compatibility/sim/interop_matrix.php
23
Upgrade Matrix
 VMware supports in-place upgrades on 64-bit systems from
• vCenter Server 4.x
• vCenter Server 5.0.x
• vCenter Server 5.1.x
*Exception being Windows XP Professional x64
 VMware does not support directly migrating an existing 5.0.x or
earlier vCenter Server to a new machine during an upgrade to
version 5.5
• You can migrate such an existing vCenter Server to a new machine during an
upgrade to version 5.0.x, and then perform an in-place upgrade from version
5.0.x to version 5.5
 vCenter Server 5.5 can manage
• ESX 4.x/ESXi 4.x, ESXi 5.0.x, and 5.1.x hosts
• In the same cluster with ESXi 5.5 hosts
 vCenter Server 5.5 cannot manage ESX 2.x or 3.x hosts
24
vCenter Single Sign-On
25
The New vCenter Single Sign-On 5.5
With vSphere 5.5, VMware is delivering a greatly improved Single
Sign-On experience
• vCenter Single Sign-On was introduced in vSphere 5.1 to provide customers
with the ability to log into VMware vCloud Suite products once and then use
each product holistically as one common suite.
• This feature proved challenging to our customers for a variety of reasons.
• As a result VMware improved the vCenter Single Sign-On experience from the
ground-up
26
Challenges with vCenter Single Sign-On 5.1
 Active Directory Integration
• Does not work effectively in multi-forest / trusted
domain environments
• Does not scale in environments with 15K or greater users
• Administration is limited
 Certificates
• SSL communications challenging
• Difficult to change / update
 Installation
• Database requirements / security concerns
• Many installable configurations
• Difficult to change / reconfigure post install
• Complex
 Diagnostics
• Troubleshooting tools – non-existent
27
What's New with vCenter Single Sign-On 5.5 (in Short)
 Improved architecture
• Multi-master
• Built-in replication
• Site awareness
• Multi Tenant
 Database
• There is no Database!
 Installation
• One simplified deployment model
• Select vCenter Single Sign-On for the first or an additional vCenter Server
 Diagnostics
• Full suite of diagnostic / Troubleshooting tools
[Diagram: two sites (SSO Site 1, SSO Site 2), each with vCenter Single Sign-On 5.5 serving several vCenter Servers, each with its Web Client and Inventory Svc]
29
vCenter Single Sign-On 5.5 – Installation
 Prerequisites
• Hostname has a FQDN and is DNS resolvable (forward/reverse)
• Joined to an Active Directory domain (most use cases)
• Windows 2008 x64 SP2 or higher (or use vCenter Appliance)
 Installer contains several core components required for vCenter
Single Sign-On (STS, Admin server, Lookup Svcs & VMDir)
 Installer Steps
1. Accept License agreement (EULA)
2. Prerequisite check summary
3. Edit default port number 7444 (if necessary)
4. Select Deployment placement
5. Provide Administrator@vSphere.local password
6. Provide a site name or select a previous site name
7. Edit destination directory (if necessary)
8. Summary
9. Installation Complete
 Upgrading? The admin@system-domain account becomes an alias of
administrator@vsphere.local
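Added example (not VMware code): a small Python check for the first prerequisite above, that the SSO host name is a fully qualified domain name which resolves forward and whose addresses resolve back to the same name. The resolver is injected so the same function runs against live DNS or against the constructed table embedded here; the host names and addresses in that table are made up.

```python
"""Check the first SSO installation prerequisite on the slide: the host name is
an FQDN that resolves forward, and each address resolves back to that name
(added example, not VMware code). The resolver is injected so the check runs
against live DNS or, for demonstration, against the constructed table below."""
import socket
import sys

def live_resolver(query, reverse=False):
    """OS resolver: name -> sorted list of addresses, or address -> PTR name."""
    if reverse:
        return socket.gethostbyaddr(query)[0]
    return sorted({info[4][0] for info in socket.getaddrinfo(query, None)})

def check_fqdn(hostname, resolver=live_resolver):
    """Return findings; 'ok' is True only when the name is fully qualified,
    resolves forward, and every address resolves back to the same name."""
    name = hostname.rstrip(".").lower()
    findings = {"hostname": hostname, "is_fqdn": "." in name,
                "forward": [], "reverse": {}, "problems": []}
    if not findings["is_fqdn"]:
        findings["problems"].append("hostname is not fully qualified")
    try:
        findings["forward"] = list(resolver(hostname))
    except (OSError, KeyError) as exc:  # socket errors are OSError; KeyError from the table
        findings["problems"].append(f"forward lookup failed: {exc!r}")
    for ip in findings["forward"]:
        try:
            ptr = resolver(ip, reverse=True)
        except (OSError, KeyError) as exc:
            findings["problems"].append(f"reverse lookup of {ip} failed: {exc!r}")
            continue
        findings["reverse"][ip] = ptr
        if ptr.rstrip(".").lower() != name:
            findings["problems"].append(f"{ip} reverses to {ptr}, not {hostname}")
    findings["ok"] = not findings["problems"]
    return findings

# Constructed DNS table (assumption) for the offline demonstration.
FAKE_DNS = {
    "sso01.corp.example": ["10.0.0.5"], "10.0.0.5": "sso01.corp.example",    # consistent
    "sso02.corp.example": ["10.0.0.6"], "10.0.0.6": "oldhost.corp.example",  # stale PTR
    "sso03": ["10.0.0.7"], "10.0.0.7": "sso03",                              # short name
}

def fake_resolver(query, reverse=False):
    """Table-backed stand-in for live_resolver; unknown names raise KeyError."""
    return FAKE_DNS[query]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn()
    result = check_fqdn(target)
    print("OK" if result["ok"] else "FAIL", target)
    for problem in result["problems"]:
        print("  -", problem)
```

Run it on the intended SSO host before starting the installer; a stale PTR record (the sso02 case in the table) is the kind of mismatch that passes a casual ping test but breaks Kerberos-based identity sources later.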
30
Supports Upgrade of All vCenter 5.1 Configurations
Previous vCenter Single Sign-On 5.1 deployment models
• Fully Maintained via Upgrade
• Basic (Stand-alone or shared server)
• Single Sign-On High Availability
• Single Sign-On Multisite
New recommendations with vSphere 5.5
• Better use of new technology
• Single virtual machine for all vCenter components**
• Distributed virtual machines add complexity
• Availability
• Backup & Restore
• Easily migrate to new recommendations during upgrade
** Enterprise customers with 6 or more local vCenter servers can use a centralized instance
31
Upgrading: What About 5.1 Configurations?
SSO Basic Mode
• Architecture is unchanged
• Supports up to maximum scale and all identity source types
• No SSO database
32
vCenter Single Sign-On High Availability (SSO HA)
[Diagram, vSphere 5.1: a Load Balancer in front of an SSO Server (Primary) and an SSO Server (HA Backup), each on its own host or VM, sharing a Shared Database. vSphere 5.5: a Load Balancer in front of SSO Servers on their own hosts or VMs, with no shared database]
SSO HA
Now supports active / active
• No loss of admin service
• vCenter restarts possible
More than two instances supported
Requires:
• Third Party Network Load Balancer
• Updating of certificates
• Reregistration of solutions
33
vCenter Single Sign-On Multisite (Linked Mode)
[Diagram, vSphere 5.1: a Primary SSO Server and Multi Site SSO Servers at New York, Los Angeles and Miami, each with Local Databases, serving each site's vCenter Servers, Web Client and Inventory Svc. vSphere 5.5: one SSO Server per site (New York, Los Angeles, Miami) with Automatic Replication of Identity Sources, SSO Users/Groups/Policies and Solutions]
NOTE: When upgrading or deploying, choose the "first server" option only once to set up the
authentication domain; otherwise you will end up with multiple duplicate vsphere.local domains
34
Types of Identity Sources
What is an identity source?
An external domain or repository of users and groups
Identity Sources supported with 5.5
1. Native Active Directory (Recommended)
• Uses Kerberos via machine account or SPN
2. Active Directory as an LDAP server
• This was done for backward compatibility to 5.1
• Not likely to be supported post 5.5
• Same limitations as in 5.1
3. OpenLDAP
4. LocalOS
• For Windows
Configuring your VC Server
When you configure your VC Server,
make sure to set the VC Administrator as
administrator@vsphere.local. DO NOT
SET THE VC Administrator to be a Local
OS account.
35
Backup / Restore / Availability
 Backup / Restore
• Virtual Machine**
• Snapshot
• Tape / Disk
• vDP (now supports host level restore)
• Application (KB with GA)
• Registry Keys
• SSL Certificates (tcserver)
• Certificate server
• KDC
• VMDir (vdcbackup)
 Availability of vCenter Single Sign-On server
• No different to vCenter
• Why? vCenter is the primary resident of the Single Sign-On server
• vSphere HA, vCenter Heartbeat
**Additional step required when multiple SSO instances are configured
36
Diagnostics
 vCenter Single Sign-On 5.5 Diagnostic Tools
 Perform all administration and reconfiguration from MMC Snap-in
• vCenter Single Sign-On services need to be running
 KB to troubleshoot startup issues
 Separate download
• So we can update independently and add exciting new features
37
Replication
 Built-in Replication
• Between each Single Sign-On server deployed in the same vSphere
authentication domain
 Replication Partners
• Review / Add / Remove / Edit
 Geographically Separated Single Sign-On sites
• Reduce overhead
• Provide Redundancy Links
38
Certificates
 SSL Automation tool
• Updated to support vSphere 5.5
• Command Line
 Ability to Add / Remove certificates
• (MMC Snap-in)
39
The log files provided by Single Sign-On include:
 vminst.log: Single Sign-On installer log
 vim-sso-msi.log: MSI installer verbose log for the Single Sign-On installation
 vim_ssoreg.log: Single Sign-On Lookup Service log
 exported_sso.properties: Endpoint information about each of the Single Sign-On Solution Users and identity sources extracted from the previous vCenter Single Sign-On 5.1.0 instance
 vim-openssl-msi.log: MSI installer verbose log for the OpenSSL installation
 vim-python-msi.log: MSI installer verbose log for the Python installation
 vim-kfw-msi.log: MSI installer verbose log for the MIT Kerberos installation
Single Sign-On logs are grouped by component and purpose:
 vmdird\vdcpromo.log: Promotion and demotion operation information for the Single Sign-On instance when joined to or removed from a linked configuration
 vmdird\vdcsetupIdu.log: VMware Directory Service setup post-installation log containing information about the localhost name
 vmdird\vmdir.log: Health reports for the VMware Directory Service and the Lotus VMDir database
 vmkdcd\vmkdcd.log: Key Distribution Center (KDC) run-time log; reports port conflicts preventing the service from starting
 vmware-sso\vmware-sts-idmd.log: VMware Identity Management service run-time log, time-stamped records of user attempts when accessing Single Sign-On for administrative purposes
 vmware-sso\vmware-sts-idmd-perf.log: VMware Identity Management service performance counter log
 vmware-sso\VMwareIdentityMgmtService.<date>.log: Commons Daemon log once the Identity Management Service has started
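Added example (not VMware tooling): builds a manifest of the log files listed above under an assumed SSO log root, recording presence, size and SHA-256 of each, so a bundle collected for troubleshooting or incident review can be checked for completeness and verified for integrity later. The relative paths follow the list above; the log root passed in and the two constructed files written by `demo()` are assumptions.

```python
"""Manifest of the vCenter Single Sign-On 5.5 log files named on the slide
(added example, not a VMware tool). Records presence, size and SHA-256 of each
file under an assumed log root so a collected bundle can be verified later."""
import glob
import hashlib
import os
import tempfile

# Relative paths from the slide; directory separators are built per platform.
SSO_LOG_FILES = [
    "vminst.log",
    "vim-sso-msi.log",
    "vim_ssoreg.log",
    "exported_sso.properties",
    "vim-openssl-msi.log",
    "vim-python-msi.log",
    "vim-kfw-msi.log",
    os.path.join("vmdird", "vdcpromo.log"),
    os.path.join("vmdird", "vdcsetupIdu.log"),
    os.path.join("vmdird", "vmdir.log"),
    os.path.join("vmkdcd", "vmkdcd.log"),
    os.path.join("vmware-sso", "vmware-sts-idmd.log"),
    os.path.join("vmware-sso", "vmware-sts-idmd-perf.log"),
]
# The Commons Daemon log carries a date in its name, so it is matched by glob.
DATED_LOG_GLOB = os.path.join("vmware-sso", "VMwareIdentityMgmtService.*.log")

def sha256_of(path):
    """Hash a file in 1 MiB chunks so large logs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(log_root):
    """Return {relative_path: {"present": bool, "bytes": int, "sha256": hex}}."""
    dated = sorted(os.path.relpath(p, log_root)
                   for p in glob.glob(os.path.join(log_root, DATED_LOG_GLOB)))
    manifest = {}
    for rel in SSO_LOG_FILES + dated:
        full = os.path.join(log_root, rel)
        if os.path.isfile(full):
            manifest[rel] = {"present": True, "bytes": os.path.getsize(full),
                             "sha256": sha256_of(full)}
        else:
            manifest[rel] = {"present": False}
    return manifest

def missing_files(manifest):
    """Listed files that were not found; a gap here means the bundle is incomplete."""
    return sorted(rel for rel, info in manifest.items() if not info["present"])

def demo():
    """Constructed log tree (assumption) with two of the listed files present."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "vmware-sso"))
        with open(os.path.join(root, "vminst.log"), "wb") as fh:
            fh.write(b"constructed installer log\n")
        dated = os.path.join(root, "vmware-sso", "VMwareIdentityMgmtService.2013-08-26.log")
        with open(dated, "wb") as fh:
            fh.write(b"constructed daemon log\n")
        return build_manifest(root)

if __name__ == "__main__":
    manifest = demo()
    for rel, info in manifest.items():
        print(rel, info)
    print("missing:", missing_files(manifest))
```

Store the manifest separately from the bundle; re-hashing the collected files against it later shows whether any log was altered or truncated after collection.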
40
Additional Information
 Deprecated Functionality
• NIS Identity Source
• More than one default domain per Identity Provider
• SMTP configuration and notification for password expiration by mail
 TCP Ports Used by SSO
• 2012 Control interface RPC for VMDirectory
• 88, 2013 Control interface RPC for the Kerberos
• 2014 RPC port for all VMCA APIs
• 7444 vCenter Single Sign On - HTTPS
• 11711 vCenter Single Sign On - LDAP
• 11712 vCenter Single Sign On - LDAPS
• 12721 VMware Identity Mgmt Service
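Added example, not a VMware tool: reads the output of `netstat -ano` from the Windows SSO server and compares its TCP listeners with the port list above. Expected ports with no listener indicate a stopped SSO component; listeners outside the list are reported for review, since on a dedicated SSO host each should be accounted for by the OS or by something installed deliberately. The netstat text embedded here, including its PIDs, is constructed.

```python
"""Audit the TCP listeners on a vCenter Single Sign-On 5.5 server against the
port list on the slide (added example, not a VMware tool). Input is the text
of `netstat -ano` from Windows; a constructed sample is embedded for offline use."""
import re
import sys

# "TCP Ports Used by SSO" from the slide.
SSO_TCP_PORTS = {
    2012: "Control interface RPC for VMDirectory",
    88: "Control interface RPC for Kerberos",
    2013: "Control interface RPC for Kerberos",
    2014: "RPC port for all VMCA APIs",
    7444: "vCenter Single Sign-On - HTTPS",
    11711: "vCenter Single Sign-On - LDAP",
    11712: "vCenter Single Sign-On - LDAPS",
    12721: "VMware Identity Mgmt Service",
}

# One `netstat -ano` row in LISTENING state: proto, local addr:port, foreign, state, pid.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def parse_listeners(netstat_text):
    """Return {port: (bind_address, pid)} for every TCP listener in the output.
    The first row for a port wins, so an IPv4 and IPv6 pair is counted once."""
    listeners = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.setdefault(int(m.group(2)), (m.group(1), int(m.group(3))))
    return listeners

def audit_sso_ports(netstat_text, expected=SSO_TCP_PORTS):
    """Split listeners into expected SSO ports that are absent (a component is
    down) and listeners outside the SSO list (to be reviewed on a dedicated host)."""
    listeners = parse_listeners(netstat_text)
    return {
        "listening": {p: listeners[p] for p in sorted(listeners)},
        "missing": sorted(p for p in expected if p not in listeners),
        "unexpected": sorted(p for p in listeners if p not in expected),
    }

# Constructed `netstat -ano` output (assumption): LDAPS is down, RPC mapper and RDP are up.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       1320
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    0.0.0.0:2012           0.0.0.0:0              LISTENING       1408
  TCP    0.0.0.0:2013           0.0.0.0:0              LISTENING       1320
  TCP    0.0.0.0:2014           0.0.0.0:0              LISTENING       1452
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:7444           0.0.0.0:0              LISTENING       1988
  TCP    0.0.0.0:11711          0.0.0.0:0              LISTENING       1408
  TCP    0.0.0.0:12721          0.0.0.0:0              LISTENING       2040
  TCP    10.0.0.5:7444          10.0.0.20:51422        ESTABLISHED     1988
  TCP    [::]:7444              [::]:0                 LISTENING       1988
"""

if __name__ == "__main__":
    # Pipe real output in (`netstat -ano | python audit.py`) or run on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    report = audit_sso_ports(text)
    for port in report["missing"]:
        print(f"NOT LISTENING {port:>6}  {SSO_TCP_PORTS[port]}")
    for port in report["unexpected"]:
        addr, pid = report["listening"][port]
        print(f"REVIEW        {port:>6}  bound {addr} pid {pid}")
```

The same expected table doubles as the allow-list for a host firewall or security-group rule set in front of the SSO server.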
41
Reference Architectures
42
Single vCenter Server 5.5 Design Recommendation
[Diagram: a single vCenter Server host or VM running vCenter Server, SSO Server, Web Client and Inventory Svc, with the VC Database]
Use Simple Installer
Installs / Upgrades core
components with a single
virtual machine
1. vCenter Single Sign-On
2. vSphere Web Client
3. vCenter Inventory Service
4. vCenter Server
 No change to architecture
 All services are local
• Reduced complexity
 Supports 1-1000 Hosts /
1-10,000 Virtual Machines
43
Multiple Remote vCenter Server Design Recommendation
By Default
 Each site is independent
 Does not provide a single pane of glass view
 SSO automated replication
 SSO Users & Groups
 SSO Policies
 Identity sources
 Site awareness
 Linked Mode
 Maintains single pane of glass
 Replicates Licenses, permissions and roles
 Availability
 vSphere HA
 vCenter Heartbeat
[Diagram: New York, Miami and Los Angeles sites, each with its vCenter Server, Web Client, Inventory Svc and its own SSO Server (SSO Site 1, SSO Site 2, SSO Site 3), all in a Single SSO Authentication Domain, vsphere.local]
44
Multiple Local vCenter Server 5.5 Design Recommendations
A Datacenter with more than 5 vCenter Servers
 Centralized SSO authentication
• Same Physical location
 Single Centralized vSphere Web Client
 Availability (Required)
• vSphere HA
• vCenter Heartbeat
• Network Load Balancer
[Diagram: vCenter Server 1 (vCenter Server 5.1), vCenter Server 2 (vCenter Server 5.5) and vCenter Server 3 (vCenter Server 5.5), each with its own Inventory Svc, sharing a centralized SSO Server and Web Client and a Database Server hosting VCDB1, VCDB2 and VCDB3]
Backwards compatible to vCenter Server 5.1
45
The Possibilities Are Endless…
[Diagram: map with New York, Los Angeles and Miami sites]
46
Stay up to date with vCenter Server
http://blogs.vmware.com/vsphere/
@vCenterGuy
47
Other VMware Activities Related to This Session
 Group Discussions:
VSVC1000-GD
vCenter Upgrades with Justin King
THANK YOU
vCenter Deep Dive
Ameet Jani, VMware
Justin King, VMware
VSVC4830
#VSVC4830

VMworld 2013: vCenter Deep Dive
