100% found this document useful (1 vote)

821 views1,273 pages

VCP DCV For Vsphere 7.x

radfe

Uploaded by

femi

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

100% found this document useful (1 vote)

821 views1,273 pages

VCP DCV For Vsphere 7.x

radfe

Uploaded by

femi

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 1273

Telegram Channel : @IRFaraExam

About This eBook

ePUB is an open, industry-standard format for eBooks. However, support
of ePUB and its many features varies across reading devices and
applications. Use your device or app settings to customize the presentation to
your liking. Settings that you can customize often include font, font size,
single or double column, landscape or portrait mode, and figures that you can
click or tap to enlarge. For additional information about the settings and
features on your reading device or app, visit the device manufacturer’s Web
site.
Many titles include programming code or configuration examples. To
optimize the presentation of these elements, view the eBook in single-
column, landscape mode and adjust the font size to the smallest setting. In
addition to presenting code and configurations in the reflowable text format,
we have included images of the code that mimic the presentation found in the
print book; therefore, where the reflowable format may compromise the
presentation of the code listing, you will see a “Click here to view code
image” link. Click the link to view the print-fidelity code image. To return to
the previous page viewed, click the Back button on your device or app.

Telegram Channel : @IRFaraExam

VCP-DCV for vSphere 7.x
(Exam 2V0-21.20)
Official Cert Guide

John A. Davis, Steve Baca, Owen Thomas

Telegram Channel : @IRFaraExam

Special Sales
For information about buying this title in bulk quantities, or for special sales
opportunities (which may include electronic versions; custom cover designs;
and content particular to your business, training goals, marketing focus, or
branding interests), please contact our corporate sales department at
[email protected] or (800) 382-3419.
For government sales inquiries, please contact
[email protected].
For questions about sales outside the U.S., please contact
[email protected].

EDITOR-IN-CHIEF
Mark Taub

DIRECTOR, ITP PRODUCT MANAGEMENT

Brett Bartow

EXECUTIVE EDITOR
Nancy Davis

TECHNICAL EDITOR
Joseph Cooper

DEVELOPMENT EDITOR
Ellie Bru

MANAGING EDITOR
Sandra Schroeder

PROJECT EDITOR
Mandie Frank

COPY EDITOR
Kitty Wilson

PROOFREADER
Betty Pessagno

Telegram Channel : @IRFaraExam

INDEXER
Erika Millen

EDITORIAL ASSISTANT
Cindy Teeters

DESIGNER
Chuti Prasertsith

COMPOSITOR
codeMantra

Telegram Channel : @IRFaraExam

Credits

Figure Attribution/Credit
Line

Chapter Opener Charlie

Edwards/Photodisc/
Getty Images

Figure 3-2, Figure 3-4 vSphere Networking

Guide

“Do I Know This Already?” Quiz

Telegram Channel : @IRFaraExam

Define Key Terms
Review Questions

Chapter 9 Configuring and Managing Virtual Networks

“Do I Know This Already?” Quiz
Foundation Topics
vSphere Standard Switches (vSS)
Creating and Configuring vSphere Standard Switches
Creating and Configuring Standard Port Groups
vSphere Distributed Switches (vDS)
Creating and Configuring vSphere Distributed Switches
Creating and Configuring Distributed Port Groups
VMkernel Networking
Configuring and Managing VMkernel Adapters
Configuring TCP/IP Stacks
Configuring and Managing Networking Features
Configuring Network I/O Control (NIOC)
Creating a Network Resource Pool
Using Private VLANs
Using DirectPath I/O
Single Root I/O Virtualization (SR-IOV)
Configuring and Managing Port Mirroring
Configuring and Managing Link Aggregation Groups (LAGs)
Managing Host Networking with vDS
Adding Hosts to a vDS
Managing Host Physical Network Adapters on a vDS
Migrating VMkernel Network Adapters to a vDS
Removing Hosts from a vDS
Migrating Virtual Machines to a vDS
Monitoring the State of Ports in a Distributed Port Group

Telegram Channel : @IRFaraExam

Using the vDS Health Check
Networking Policies and Advanced Features
Exam Preparation Tasks
Review All the Key Topics
Complete Tables and Lists from Memory
Define Key Terms
Review Questions

“Do I Know This Already?” Quiz
Foundation Topics
Creating and Configuring Virtual Machines
Creating a New Virtual Machine
Powering on a VM
Opening a Console to a VM
Installing and Upgrading VMware Tools
Shutting Down a Guest
Cloning a Virtual Machine
Converting Between a VM and a Template
Deploying a Virtual Machine from a Template
Customizing the Guest OS
Deploying OVF/OVA Templates
Managing Virtual Machines
Configuring Virtual Machine Hardware
Editing Virtual Machine Options
Configuring Guest User Mappings
Editing OVF Details
Creating and Managing Virtual Machine Snapshots

Chapter 15 Final Preparation

Getting Ready
Taking the Exam

Appendix A Answers to the “Do I Know This Already?” Quizzes and

Review Questions

Question type: Multiple choice
Number of questions: 70
Duration: 130 minutes
Passing score: 300

Telegram Channel : @IRFaraExam

Cost: $250 (in the United States)

2V0-21.20 Exam Objectives

The 2V0-21.20 exam blueprint lists the exam objectives, which are
summarized here:
Section 1: Architectures and Technologies

Objective 1.1: Identify the prerequisites and components for a vSphere

implementation
Objective 1.2: Describe vCenter Server topology
Objective 1.3: Identify and differentiate storage access protocols for
vSphere (NFS, iSCSI, SAN, etc.)
1.3.1: Describe storage datastore types for vSphere
1.3.2: Explain the importance of advanced storage configuration
(vSphere Storage APIs for Storage Awareness (VASA), vSphere
Storage APIs Array Integration (VAAI), etc.)
1.3.3: Describe storage policies
1.3.4: Describe basic storage concepts in K8s, vSAN and vSphere
Virtual Volumes (vVols)
Objective 1.4: Differentiate between vSphere Network I/O Control
(NIOC) and vSphere Storage I/O Control (SIOC)
Objective 1.5: Describe instant clone architecture and use cases
Objective 1.6: Describe ESXi cluster concepts
1.6.1: Describe Distributed Resource Scheduler (DRS)
1.6.2: Describe vSphere Enhanced vMotion Compatibility (EVC)
1.6.3: Describe how Distributed Resource Scheduler (DRS) scores
virtual machines
1.6.4: Describe vSphere High Availability
1.6.5: Describe datastore clusters

Telegram Channel : @IRFaraExam

Objective 1.7: Identify vSphere distributed switch and vSphere standard
switch capabilities
1.7.1: Describe VMkernel networking
1.7.2: Manage networking on multiple hosts with vSphere distributed
switch
1.7.3: Describe networking policies
1.7.4: Manage Network I/O Control (NIOC) on a vSphere distributed
switch
Objective 1.8: Describe vSphere Lifecycle Manager concepts (baselines,
cluster images, etc.)
Objective 1.9: Describe the basics of vSAN as primary storage
1.9.1: Identify basic vSAN requirements (networking, disk count +
type)
Objective 1.10: Describe the vSphere Trust Authority architecture
Objective 1.11: Explain Software Guard Extensions (SGX)

Section 2: VMware Products and Solutions

Objective 2.1: Describe the role of vSphere in the software-defined data

center (SDDC)
Objective 2.2: Identify use cases for vCloud Foundation
Objective 2.3: Identify migration options
Objective 2.4: Identify DR use cases
Objective 2.5: Describe vSphere integration with VMware Skyline

The VCP-DCV certification is the most popular certification at VMware;
more than 100,000 professionals around the world hold this certification.
This book is intended for anyone who wants to prepare for the 2V0-21.20
exam, which is a required exam for VCP-DCV 2021 certification. The
audience includes current and prospective IT professionals such as system
administrators, infrastructure administrators, and virtualization engineers.

Telegram Channel : @IRFaraExam

Book Features and Exam Preparation Methods
This book uses several key methodologies to help you discover the exam
topics on which you need more review, to help you fully understand and
remember those details, and to help you prove to yourself that you have
retained your knowledge of those topics. This book does not try to help you
pass the exam only by memorization but by truly learning and understanding
the topics.
The book includes many features that provide different ways to study so you
can be ready for the exam. If you understand a topic when you read it but do
not study it any further, you probably will not be ready to pass the exam with
confidence. The features included in this book give you tools that help you
determine what you know, review what you know, better learn what you
don’t know, and be well prepared for the exam. These tools include:

“Do I Know This Already?” Quizzes: Each chapter begins with a quiz
that helps you determine the amount of time you need to spend studying
that chapter.
Foundation Topics: These are the core sections of each chapter. They
explain the protocols, concepts, and configuration for the topics in that
chapter.
Exam Preparation Tasks: This section of each chapter lists a series of
study activities that should be done after reading the “Foundation
Topics” section. Each chapter includes the activities that make the most
sense for studying the topics in that chapter. The activities include the
following:
Key Topics Review: The Key Topics icon appears next to the most
important items in the “Foundation Topics” section of the chapter.
The “Key Topics Review” section lists the key topics from the
chapter and their page numbers. Although the contents of the entire
chapter could be on the exam, you should definitely know the
information listed for each key topic. Review these topics carefully.
Memory Tables: To help you exercise your memory and memorize
some important facts, memory tables are provided. The memory
tables contain only portions of key tables provided previously in the

Telegram Channel : @IRFaraExam

chapter, enabling you to complete the table or list. Appendix B,
“Memory Tables,” provides the incomplete tables, and Appendix C,
“Memory Tables Answer Key,” includes the completed tables
(answer keys). These appendixes are also provided on the companion
website that is provided with your book.
Define Key Terms: The VCP-DCV exam requires you to learn and
know a lot of related terminology. This section lists some of the most
important terms from the chapter and asks you to write a short
definition and compare your answer to the Glossary.
Practice Exams: The companion website contains an exam engine.

Book Organization
The chapters in this book are organized such that Chapters 1 through 7
provide in-depth material on vSphere concepts, and Chapters 8 through 14
describe procedures for the installation, configuration, and management of
vSphere components and features. The authors recommend that you read the
entire book from cover to cover at least once. As you read about any topic in
Chapters 1 to 7, keep in mind that you can find corresponding “how to” steps
in Chapters 8 to 14. As you read about any specific procedure in Chapters 8
to 14, keep in mind that you can find associated details (concepts) in
Chapters 1 to 7.
Optionally, you can prepare for the exam by studying for the exam objectives
in order, using Table I-1 as your guide. As you prepare for each exam
objective, you can focus on the most appropriate chapter and section. You
can also refer to related chapters and sections. For example, as you prepare
for Objective 1.2 (Describe vCenter Server topology), you should focus on
the “vCenter Server Topology” section in Chapter 1, but you may also want
to review the “Deploying vCenter Server Components” section in Chapter 8
and the “vSphere Managed Inventory Objects” section in Chapter 5.
When preparing for a specific exam objective, you can use Table I-1 to
identify the sections in the book that directly address the objective and the
sections that provide related information.
Table I-1 Mapping of Exam Objectives to Book Chapters and Sections

Infrastructure
Requirements Deploying
vCenter Server
Components
Other
Requirements

1 Describe vCenter Server 1—vSphere 8—vSphere

. topology Overview, Installation
2 Components,
and Deploying
Requirements vCenter Server
Components

5—vCenter
vCenter Server Server
Topology Features and
Virtual
Machines

Telegram Channel : @IRFaraExam

vSphere
Managed
Inventory
Objects

1 Identify and differentiate 2—Storage

. storage access protocols for Infrastructure
3 vSphere (NFS, iSCSI, SAN,
etc.)

Storage
Virtualization—
Traditional Model

1 Describe storage datastore types 2—Storage 11—Managing

. for vSphere Infrastructure Storage
3
.
1
Software-Defined Manage
Storage Models Datastores

Datastore Types

1 Explain the importance of 2—Storage 11—Managing

. advanced storage configuration Infrastructure Storage
3 (VAAI + VASA, multipathing)
.
2

Telegram Channel : @IRFaraExam

VASA VASA: Register
a Storage
Provider
VAAI

VASA: Manage
Storage
Providers

1 Describe storage policies 2—Storage 11—Managing

. Infrastructure Storage
3
.
3
Storage Policies Managing
Storage Policies

1 Describe basic storage concepts 2—Storage 11—Managing

. in K8s, vSAN and vVOLs Infrastructure Storage
3
.
4
Storage Managing
Virtualization— vSAN
Traditional Model

Managing
Software-Defined Datastore
Storage Models

Configuring and
Datastore Types Managing
vVols

Telegram Channel : @IRFaraExam

Storage in
vSphere with
Kubernetes

1 Identify use cases for RDMs, 2—Storage 11—Managing

. PMEMs, VVOLs, and NVMe Infrastructure Storage
3
.
5
Raw Device Managing
Mappings RDMs
(RDMs)

Managing
vVols Storage Policies

VMware NVMe Managing

VMware NVMe

Managing
PMEM

1 Differentiate between NIOC 2—Storage 3—Network

. and SIOC Infrastructure Infrastructure
4

NIOC, SIOC, and Network I/O

SDRS Control

Telegram Channel : @IRFaraExam

9—
Configuring
and Managing
Virtual
Networks

Configuring
Network I/O
Control (NIOC)

11—Managing
Storage

Configuring and
Managing SIOC

1 Describe instant clone 5—vCenter

. architecture and use cases Server Features
5 and Virtual
Machines

Instant Clone

Telegram Channel : @IRFaraExam

1 Describe ESXi cluster concepts 4—Clusters and 10—Managing
. High and
6 Availability Monitoring
Clusters and
Resources

Cluster Concepts
and Overview
Creating and
Configuring a
Distributed vSphere Cluster
Resources
Scheduler (DRS)
Creating and
Configuring a
High Availability vSphere DRS
(HA) Cluster

Creating and
Configuring a
vSphere HA
cluster

1 Describe VMware Distributed 4—Clusters and 10—Managing

. Resource Scheduler (DRS) High and
6 Availability Monitoring
. Clusters and
1 Resources

Cluster Concepts
and Overview
Creating and
Configuring a
Distributed vSphere DRS

Telegram Channel : @IRFaraExam

Distributed vSphere DRS
Resources Cluster
Scheduler (DRS)

1 Describe Enhanced vMotion 4—Clusters and 10—

. Compatibility (EVC) High Managing and
6 Availability Monitoring
. Clusters and
2 Resources

Enhanced
vMotion
Compatibility EVC Mode
(EVC)

. Manager concepts (baselines, vSphere and Installation
8 cluster images, etc) vCenter Server

VMware
Using vSphere vSphere
Lifecycle Lifecyle
Manager Manager
Implementation

1 Describe the basics of vSAN as 2—Storage

. primary storage Infrastructure
9

vSAN Concepts

1 Identify basic vSAN 2—Storage 11—Managing

. requirements (networking, disk Infrastructure Storage
9 count + type)
.
1

Telegram Channel : @IRFaraExam

vSAN Configuring and
Requirements Managing
vSAN

1 Describe the vSphere Trust 7—vSphere 12—Managing

. Authority architecture Security vSphere
1 Security
0

vSphere Trust
Authority (vTA) Configuring and
Managing
vSphere Trust
Authority
(vTA)

1 Explain Virtual SGX— 7—vSphere 12—Managing

. Software Guard Extensions Security vSphere
1 Security
1

Securing Virtual
Machines with Securing
Virtual Intel Virtual
Software Guard Machines with
Extension Intel Software
(vSGX) Guard
Extensions
(SGX)

2 VMware Products and Solutions

Telegram Channel : @IRFaraExam

2 Describe the role of vSphere in 1—vSphere
. the software-defined data center Overview,
1 Components,
and
Requirements

VMware SDDC

2 Identify use cases for vCloud 6—VMware

. Foundation Product
2 Integration

VMware Cloud
Foundation
(VCF)

2 Identify migration options 6—VMware 5—vCenter

. Product Server
3 Integration Features and
Virtual
Machine

Inbound and
Outbound
vSphere Virtual Machine
Migration Migration

Telegram Channel : @IRFaraExam

2 Identify DR use cases 6—VMware
. Product
4 Integration

vSphere
Replication

Site Recovery
Manager (SRM)

2 Describe vSphere integration 6—VMware

. with VMware Skyline Product
5 Integration

VMware Skyline
Integration

3 Planning and Designing

4 Installing, Configuring, and Setup

4 Plan SSO deployment topology 1—vSphere 12—Managing
. Overview, vSphere
1 Components, Security
and
Requirements

Managing SSO

Telegram Channel : @IRFaraExam

Managing SSO
vCenter Server
Topology

4 Configure an SSO domain 8—vSphere 1—vSphere

. Installation Overview,
1 Components,
. and
1 Requirements
Deploying
vCenter Server
Components
vCenter Server
Topology
Configuring
Single Sign-On
(SSO)
12—Managing
vSphere
Security

Managing SSO

4 Join an existing SSO domain 8—vSphere 1—vSphere

. Installation Overview,
1 Components,
. and
2 Requirements
Deploying
vCenter Server

Telegram Channel : @IRFaraExam

vCenter Server
Components vCenter Server
Topology

Configuring
Single Sign-On
(SSO)
12—Managing
vSphere
Security

Managing SSO

4 Configure VSS advanced 9—Configuring 3—Network

. virtual networking options and Managing Infrastructure
2 Virtual
Networks

vSphere
Standard Switch
Creating and (vSS)
Configuring
vSphere Standard
Switches

Creating and
Configuring
Standard Port
Groups

Telegram Channel : @IRFaraExam

4 Set up identity sources 8—vSphere 12—Managing
. Installation vSphere
3 Security

Adding, Editing,
and Removing Managing SSO
SSO Identity
Sources

4 Configure Identity Federation 8—vSphere 12—Managing

. Installation vSphere
3 Security
.
1
Configuring
Identity Managing SSO
Federation

4 Configure LDAP integration 8—vSphere 12—Managing

. Installation vSphere
3 Security
.
2
Adding, Editing,
and Removing Managing SSO
SSO Identity
Sources

Adding an LDAP
Authentication
Source

Telegram Channel : @IRFaraExam

Source

4 Configure Active Directory 8—vSphere 12—Managing

. integration Installation vSphere
3 Security
.
3
Adding an Active
Directory Identity Managing SSO
Source

12—Managing
vSphere Security

Using Active
Directory to
Manage ESXi
Users

4 Deploy and configure vCenter 8—vSphere 1—vSphere

. Server Appliance (VCSA) Installation Overview,
4 Components,
and
Requirements
vCenter Server
Appliance

vCenter Server

Telegram Channel : @IRFaraExam

Topology

13—Managing
vSphere and
vCenter Server

Upgrading to
vSphere 7.0

Repointing a
vCenter Server
to Another
Domain

4 Create and configure VMware 10—Managing 4—Clusters

. HA and DRS advanced options and Monitoring and High
5 (Admission Control, Proactive Clusters and Availability
HA, etc.) Resources

Distributed
Creating and Resource
Configuring a Scheduler
vSphere DRS (DRS)
Cluster

vSphere High
Creating and Availability
Configuring a (HA)

Telegram Channel : @IRFaraExam

vSphere HA
Cluster

4 Deploy and configure vCenter 8—vSphere 1—vSphere

. Server High Availability Installation Overview,
6 Components,
and
Requirements
Implementing
VCSA HA

vCenter Server
Topology

vCenter High
Availability
Requirements

4—Clusters
and High
Availability

vCenter Server
High
Availability

13—Managing

Telegram Channel : @IRFaraExam

13—Managing
vSphere and
vCenter Server

Managing the
vCenter HA
Cluster

4 Set up content library 14—Managing 5—vCenter

. Virtual Server
7 Machines Features and
Virtual
Machine

Content Library

4 Configure vCenter Server file- 13—Managing

. based backup vSphere and
8 vCenter Server

vCenter Server
Backup

4 Analyze basic log output from 10—Managing 10—

. vSphere products and Monitoring Monitoring
9 Clusters and and Managing

Telegram Channel : @IRFaraExam

9 Clusters and and Managing
Resources Clusters and
Resources

Logging in
vSphere Viewing the
System Event
Log

System Logs
Files

4 Configure vSphere Trust 12—Managing 7—vSphere

. Authority vSphere Security Security
1
0

Configuring and vSphere Trust

Managing Authority
vSphere Trust (vTA)
Authority (vTA)

4 Configure vSphere certificates 12—Managing 7—vSphere

. vSphere Security Security
1
1

Configuring and ESXi Host

Managing Certificates
vSphere
Certificates

Telegram Channel : @IRFaraExam

13—Managing
vSphere and
vCenter Server

Verifying SSL
Certificates for
Legacy Hosts

4 Describe enterprise PKIs role 7—vSphere 12—Manage

. for SSL certificates Security vSphere
1 Security
1
.
1
vSphere
Certificates Configure and
Overview Manage
vSphere
Certificates

4 Configure vSphere Lifecycle 8—vSphere 13—Managing

. Manager/VMware Update Installation vSphere and
1 Manager (VUM) vCenter Server
2

vSphere Lifecycle
Manager Using vSphere
Implementation Lifecycle
Manager

Telegram Channel : @IRFaraExam

About VMware
Update
Manager

Update
Manager
Download
Service
(UMDS)

4 Securely Boot ESXi hosts 12—Managing 7—vSphere

. vSphere Security Security
1
3

Configuring ESXi Secure

UEFI Secure Boot and TPM
Boot for ESXi
Hosts
vSphere Trusted
Authority
(vTA)

4 Configure different network 9—Configuring 3—Network

. stacks and Managing Infrastructure
1 Virtual
4 Networks

VMkernel
Networking and
Configuring TCP/IP Stacks

Telegram Channel : @IRFaraExam

TCP/IP Stacks

4 Configure Host Profiles 8—vSphere

. Installation
1
5

Configuring ESXi
Using Host
Profiles

4 Identify boot options 8—vSphere

. Installation
1
6

ESXi Kernel
Options

4 Configure Quick Boot 13—Managing

. vSphere and
1 vCenter Server
6
.
1
ESXi Quick Boot

5 Performance-tuning and Optimization

5 Identify resource pools use 4—Clusters and 10—

Telegram Channel : @IRFaraExam

5 Identify resource pools use 4—Clusters and 10—
. cases High Monitoring
1 Availability and Managing
Clusters and
Resources

Resource Pools

Creating a
Resource Pool

Monitoring and
Managing
Resource Pool
Resources

5 Explain shares, limits and 4—Clusters and 10—

. reservations (resource High Managing and
1 management) Availability Monitoring
. Clusters and
1 Resources

Shares, Limits,
and Reservations
Shares, Limits,
and
Reservations

Creating a
Resource Pool

Monitoring and
Managing

Telegram Channel : @IRFaraExam

Managing
Resource Pool
Resources

5 Monitor resources of vCenter 10—Managing 4—Clusters

. Server Appliance (VCSA) and and Monitoring and High
2 vSphere environment Clusters and Availability
Resources

Cluster
Monitoring and Concepts and
Managing Overview
vSphere
Resources
Distributed
Resource
Monitoring and Scheduler
Managing (DRS)
vCenter Server
Services

13—Managing
vSphere and
vCenter Server

Monitoring and
Managing
vCenter Server

Telegram Channel : @IRFaraExam

5 Identify and use tools for 10—Managing
. performance monitoring and Monitoring
3 Clusters and
Resources

Monitoring and
Managing
vSphere
Resources

5 Configure Network I/O Control 9—Configuring 3—Network

. and Managing Infrastructure
4 Virtual
Networks

Network I/O
Control
Configuring
Network I/O
Control (NIOC)

5 Configure Storage I/O Control 11—Managing 2—Storage

. Storage Infrastructure
5

Configuring and NIOC, SIOC,

Managing SIOC and SDRS

Telegram Channel : @IRFaraExam

5 Explain the performance impact 5—vCenter 14—Managing
. of maintaining VM snapshots. Server Features Virtual
6 and Virtual Machines
Machine

Creating and
Virtual Machine Managing
Snapshots Virtual Machine
Snapshots

5 Plan for upgrading various 13—Managing

. vSphere components vSphere and
7 vCenter Server

Using Lifecycle
Manager

Upgrading to
vSphere 7.0

6 Troubleshooting and Repairing

7 Administrative and Operational Tasks
7 Create and manage VM 14—Managing 5—vCenter
. snapshot (consolidate, delete, Virtual Server
1 etc.) Machines Features and
Virtual
Machine

Telegram Channel : @IRFaraExam

Creating and
Managing Virtual Virtual Machine
Machine Snapshots
Snapshots

7 Create VMs using different 14—Managing 5—vCenter

. methods (OVF templates, Virtual Server
2 content library, and so on) Machines Features and
Virtual
Machine

Managing VMs
Using PowerCLI
Virtual Machine
Cloning
Deploying OVF
and OVA
Templates
14—Managing
Deploying VMs Virtual
Using Content Machines
Library

Managing OVF
Templates

Content Library

7 Manage VMs (modifying VM 14—Managing 5—vCenter

. settings, etc.) Virtual Server

Telegram Channel : @IRFaraExam

. settings, etc.) Virtual Server
3 Machines Features and
Virtual
Machine

Creating and
Configuring
Virtual Machines Virtual Machine
Settings

Managing Virtual
Machines

7 Manage storage (datastores, 11—Managing 2—Storage

. storage policies, etc.) Storage Infrastructure
4

Managing Datastore Types

Datastores

Storage Policies
Managing
Storage Policies
Storage
Multipathing
Managing and Failover
Multipathing

Changing Path
Selection Policy

7 Configure and modify 11—Managing 2—Storage

. datastores (expand/upgrade Storage Infrastructure

Telegram Channel : @IRFaraExam

. datastores (expand/upgrade Storage Infrastructure
4 existing datastore, etc)
.
1
Managing Datastore Types
Datastores

7 Create VM storage policies 11—Managing 2—Storage

. Storage Infrastructure
4
.
2
Managing Storage Policies
Storage Policies

7 Configure storage cluster 11—Managing 2—Storage

. options Storage Infrastructure
4
.
3
Configuring and SDRS
Managing
Storage DRS

Configuring and
Managing VSAN

7 Create DRS affinity and anti- 10—Monitoring 4—Clusters

. affinity rules for common use and Managing and High
5 cases. Clusters and Availability
Resources

Telegram Channel : @IRFaraExam

Resources

DRS Rules

Creating Affinity
and Anti-Affinity
Rules

7 Configure and perform different 14—Managing 5—vCenter

. types of migrations (all types) Virtual Server
6 Machines Features and
Virtual
Machine

Migrating Virtual
Machines
Virtual Machine
Migration

vMotion Details

Storage
vMotion Details

7 Configure role-based user 12—Managing 7—vSphere

. management (custom vSphere Security Security
7 permissions, on datastores,
clusters, vCenter Servers, and
hosts etc)
Configuring and vSphere
Managing Permissions
Authentication

Telegram Channel : @IRFaraExam

Authentication
and Authorization
8—vSphere
Installation

Applying
Permissions to
ESXi Hosts
Using Host
Profiles

7 Configure and manage the 12—Managing 7—vSphere

. options for securing a vSphere vSphere Security Security
8 environment (certificates, VM
encryption, virtual TPM, lock-
down mode, VBS, etc)
Configuring and ESXi and
Managing vCenter Server
Authentication Security
and Authorization

Configuring and
Managing ESXi
Security

Configuring and
Managing
vSphere
Certificates

Telegram Channel : @IRFaraExam

Other Security
Management

7 Configure and manage host 8—vSphere 5—vCenter

. profiles Installation Server
9 Features and
Virtual
Machine
Configuring ESXi
Using Host
Profiles
Host Profiles

7 Utilize VUM (create baselines, 13—Managing 8—vSphere

. applying baselines, vSphere and Installation
1 notifications, download, vCenter Server
0 remediate)

VMware
Using vSphere vSphere
Lifecycle Lifecycle
Manager Manager
Implementation

About VMware
Update Manager

7 Describe vSphere Lifecycle 13—Managing 8—vSphere

. Manager vSphere and Installation
1 vCenter Server
1

Telegram Channel : @IRFaraExam

VMware
vSphere
Using vSphere Lifecycle
Lifecycle Manager
Manager Implementation

14—Managing
Virtual
Machines

Installing and
Upgrading
VMware Tools

7 Describe Firmware upgrades 13—Managing 8—vSphere

. for ESXi vSphere and Installation
1 vCenter Server
1
.
1
VMware
Using vSphere vSphere
Lifecycle Lifecycle
Manager Manager
Implementation

7 Describe ESXi updates 13—Managing 8—vSphere

7 Describe component and driver 13—Managing 8—vSphere

. updates for ESXi vSphere and Installation
1 vCenter Server
1
.
3
VMware
Using vSphere vSphere
Lifecycle Lifecycle
Manager Manager
Implementation

7 Describe hardware 13—Managing 8—vSphere

. compatibility check vSphere and Installation
1 vCenter Server
1
.
4
VMware
Using vSphere vSphere
Lifecycle Lifecycle
Manager Manager
Implementation

Telegram Channel : @IRFaraExam

5—vCenter
Server Features
and Virtual
Machine

VM Hardware
and
Compatibility

14—Managing
Virtual
Machines

Configuring
Virtual Machine
Hardware

7 Describe ESXi cluster image 13—Managing 8—vSphere

. export functionality vSphere and Installation
1 vCenter Server
1
.
5
VMware
Using vSphere vSphere
Lifecycle Lifecycle
Manager Manager
Implementation

Telegram Channel : @IRFaraExam

4—Clusters
and High
Availability

Cluster
Concepts and
Overview

7 Configure alarms 10—Monitoring

. and Managing
1 Clusters and
2 Resources

Advanced Use
Cases for Alarms

Companion Website
Register this book to get access to the Pearson IT Certification test engine
and other study materials plus additional bonus content. Check this site
regularly for new and updated postings written by the authors that provide
further insight into the more troublesome topics on the exam. Be sure to
check the box indicating that you would like to hear from us to receive
updates and exclusive discounts on future editions of this product or related
products.
To access this companion website, follow these steps:

Telegram Channel : @IRFaraExam

Step 1. Go to www.pearsonITcertification.com/register and log in or
create a new account.
Step 2. Enter the ISBN 9780135898192
Step 3. Answer the challenge question as proof of purchase.
Step 4. Click on the Access Bonus Content link in the Registered Products
section of your account page to be taken to the page where your
downloadable content is available.
Please note that many of the companion content files can be very large,
especially image and video files.
If you are unable to locate the files for this title by following these steps,
please visit www.pearsonITcertification.com/contact and select the Site
Problems/Comments option. Our customer service representatives will assist
you.

How to Access the Pearson Test Prep Practice Test

Software
You have two options for installing and using the Pearson Test Prep practice
test software: a web app and a desktop app. To use the Pearson Test Prep
application, start by finding the registration code that comes with the book.
You can find the code in these ways:

Print book: Look in the cardboard sleeve in the back of the book for a
piece of paper with your book’s unique PTP code.
Premium Edition: If you purchase the Premium Edition eBook and
Practice Test directly from the www.pearsonITcertification.com website,
the code will be populated on your account page after purchase. Just log
in to www.pearsonITcertification.com, click Account to see details of
your account, and click the Digital Purchases tab.
Amazon Kindle: For those who purchase a Kindle edition from
Amazon, the access code will be supplied directly from Amazon.
Other bookseller e-books: Note that if you purchase an e-book version
from any other source, the practice test is not included because other

Telegram Channel : @IRFaraExam

vendors to date have not chosen to vend the required unique access code.

Note
Do not lose the activation code because it is the only means with which
you can access the QA content with the book.

Enhanced Linked Mode

You can use Enhanced Linked Mode to link multiple vCenter Server systems.
With Enhanced Linked Mode, you can log in to all linked vCenter Server
systems simultaneously and manage the inventories of the linked systems.
This mode replicates roles, permissions, licenses, and other key data across
the linked systems. To join vCenter Server systems in Enhanced Linked
Mode, connect them to the same vCenter SSO domain, as illustrated in
Figure 1-1. Enhanced Linked Mode requires the vCenter Server Standard
licensing level and is not supported with vCenter Server Foundation or
vCenter Server Essentials. Up to 15 vCenter Server Appliance instances can
be linked together by using Enhanced Linked Mode.

FIGURE 1-1 Enhanced Linked Mode with Two vCenter Server

Appliance 7.0 Instances

vCenter HA
A vCenter HA cluster consists of three vCenter Server instances. The first
instance, initially used as the Active node, is cloned twice to a Passive node
and to a Witness node. Together, the three nodes provide an active/passive
failover solution.
Deploying each of the nodes on a different ESXi instance protects against
hardware failure. Adding the three ESXi hosts to a DRS cluster can further
protect your environment.
When the vCenter HA configuration is complete, only the Active node has an
active management interface (public IP address), as illustrated in Figure 1-2.
The three nodes communicate over a private network called a vCenter HA

Telegram Channel : @IRFaraExam

network that is set up as part of the configuration. The Active node
continuously replicates data to the Passive node.

FIGURE 1-2 vCenter Server HA Nodes

All three nodes are necessary for the functioning of this feature. Table 1-9
provides details for each of the nodes.
Table 1-9 vCenter HA Node Details
Node Description
Type
Active Is the active vCenter Server instance.

Uses a public IP address for the management interface.

Telegram Channel : @IRFaraExam

Replicates data to the Passive node using the vCenter HA
network.

Communicates with the Witness node using the vCenter HA

network.
Passiv Is cloned from the Active node.
e
Uses the vCenter HA network to constantly receive updates from
the Active node.

Automatically takes over the role of the Active node if a failure

occurs.
Witne Is a lightweight clone of the Active node.
ss
Provides a quorum to protect against a split-brain situation.

Infrastructure Requirements
This section describes some of the main infrastructure requirements that you
should address prior to implementing vSphere.

Compute and System Requirements

When preparing to implement a vSphere environment, you should prepare
sufficient supported compute (CPU and memory) resources, as described in
this section.

vCenter Server
vCenter Server Appliance 7.0 can be deployed on ESXi 6.5 hosts or later,
which can be managed by vCenter Server 6.5 or later.
To prepare for deployment of vCenter Server, you should plan to address the
compute specifications listed in Table 1-10.
Table 1-10 Compute Specifications for vCenter Server Appliance

Telegram Channel : @IRFaraExam

Component Number of CPUs Memory
Tiny Environment 2 12 GB

Up to 10 hosts or 100 virtual machines

Small Environment 4 19 GB

Up to 100 hosts or 1000 virtual machines

Medium Environment 8 28 GB

Up to 400 hosts or 4000 virtual machines

Large Environment 16 37 GB

Up to 1000 hosts or 10,000 virtual machines

X-Large Environment 24 56 GB

Up to 2000 hosts or 35,000 virtual machines

Note
If you want to have an ESXi host with more than 512 LUNs and 2048
paths, you should deploy a vCenter Server Appliance instance for a
Large Environment or X-Large Environment component.

ESXi
To install ESXi 7.0, ensure that the hardware system meets the following
requirements:

A supported system platform, as described in the VMware Compatibility

Guide.

Telegram Channel : @IRFaraExam

Two or more CPU cores.
A supported 64-bit x86 processor, as described in the VMware
Compatibility Guide.
The CPU’s NX/XD bit enabled in the BIOS.
4 GB or more of physical RAM. (VMware recommends 8GB or more
for production environments.)
To support 64-bit virtual machines, hardware virtualization (Intel VT-x
or AMD RVI) enabled on the CPUs.
One or more supported Ethernet controllers, Gigabit or faster, as
described in the VMware Compatibility Guide.
A SCSI disk or a local, non-network RAID LUN with unpartitioned
space for the virtual machines.
For Serial ATA (SATA), a disk connected through supported SAS
controllers or supported on-board SATA controllers.
A boot disk of at least 8 GB for USB or SD devices and 32 GB for other
HDD, SSD, NVMe, and other device types. The boot device must not be
shared between ESXi hosts.

Note
SATA disks are considered remote, not local. These disks are not used
as scratch partitions by default because they are considered remote.
You cannot connect a SATA CD-ROM device to a virtual machine on
an ESXi 7.0 host. To use the SATA CD-ROM device, you must use
IDE emulation mode.

For vSphere 7.0, you should ensure that you meet the ESXi booting
considerations:

You can boot using the Unified Extensible Firmware Interface (UEFI),
which enables booting from hard drives, CD-ROM drives, or USB
media.

Telegram Channel : @IRFaraExam

VMware Auto Deploy supports network booting and provisioning of
ESXi hosts with UEFI.
You have boot systems from disks larger than 2 TB if the system
firmware add-in card firmware supports it, according to vendor
documentation.

Note
Changing the host boot type between legacy BIOS and UEFI is not
supported after you install ESXi 7.0.

Storage Requirements
When preparing to implement a vSphere environment, you should ensure that
you have sufficient supported storage resources, as described in this section.

vCenter Server Appliance

As part of preparing for the deployment of vCenter Server Appliance, you
should plan to address storage requirements. Table 1-11 lists the storage
requirements for a vCenter Server Appliance instance. It allows for Lifecycle
Manager, which runs as a service in vCenter Server Appliance.
Table 1-11 Storage Sizes for vCenter Server Appliance
Deployment Default Storage Large Storage X-Large Storage
Size Size Size Size
Tiny 415 GB 1490 GB 3245 GB
Small 480 GB 1535 GB 3295 GB
Medium 700 GB 1700 GB 3460 GB
Large 1065 GB 1765 GB 3525 GB
X-Large 1805 GB 1905 GB 3665 GB

ESXi

Telegram Channel : @IRFaraExam

Installing ESXi 7.0 requires a boot device that is a minimum of 8 GB.
Upgrading to ESXi 7.0 requires a 4 GB minimum boot device. When booting
from a local disk, SAN, or iSCSI LUN, a 32 GB disk is required to allow for
the creation of the boot partition, boot banks, and a VMFS_L ESX=OSData
volume. The ESX-OSData volume replaces the legacy /scratch partition,
VM-tools, and core dump location. If no local disk is found, ESXi 7.0
functions in degraded mode and places the /scratch partition on the ESXi
host’s RAM disk and links it to /tmp/scratch. You can reconfigure /scratch to
use a separate disk or LUN. For best performance and memory optimization,
do not run the ESXi host in degraded mode. Likewise, when installing ESXi
7.0 on USB and SD devices, the installer attempts to allocate a scratch region
on a local disk; otherwise, it places /scratch on the RAM disk.

Note
You cannot roll back to an earlier version of ESXi after upgrading. If
you are concerned about upgrading, create a backup of the boot device
prior to upgrading; if needed, you can restore from this backup after the
upgrade.

The following are recommended for ESXi 7.0 installations:

8 GB USB drive or SD card with a 32 GB local disk: Boot partitions

reside on USB or SD, and ESXi-OSData resides on a local disk.
Local disk with 32 GB minimum: This contains boot and ESX-
OSData.
Local disk with 142 GB or more: This contains boot, ESX-OSData,
and a VMFS datastore.

Network Requirements
This section describes some of the key networking requirements for a
successful vSphere deployment.

Networking Concepts

Telegram Channel : @IRFaraExam

In order to prepare for network virtualization in vSphere, you should
understand some of the following concepts:

Physical network: This is a network of physical machines that are

connected so that they can send data to and receive data from each other.
Virtual network: This is a network of virtual machines running on a
physical machine that are connected logically to each other so that they
can send data to and receive data from each other.
Opaque network: This is a network created and managed by a separate
entity outside vSphere. For example, logical networks that are created
and managed by VMware NSX appear in vCenter Server as opaque
networks of the type nsx.LogicalSwitch. You can choose an opaque
network as the backing for a VM network adapter. To manage an opaque
network, use the management tools associated with the opaque network,
such as VMware NSX Manager or the VMware NSX API management
tools.
vSphere standard switch: This type of switch works much like a
physical Ethernet switch. It detects which virtual machines are logically
connected to each of its virtual ports and uses that information to forward
traffic to the correct virtual machines. A vSphere standard switch can be
connected to physical switches by physical Ethernet adapters, also
referred to as uplink adapters.
VMkernel TCP/IP networking layer: This layer provides connectivity
to hosts and handles the standard infrastructure traffic of vSphere
vMotion, IP Storage, Fault Tolerance, and vSAN.

VMware recommends using network segmentation in vSphere environments

for separating each type of VMkernel traffic and virtual machine traffic. You
can implement network segments by using unique VLANs and IP subnets.
Here is a set of commonly used network segments in vSphere:

AD
In many vSphere environments, vCenter Single Sign-On (SSO) is integrated
with directory services, such as Microsoft Active Directory (AD). SSO can
authenticate users from internal users and groups, and it can connect to
trusted external directory services such as AD. If you plan to leverage AD for
an SSO identity source, you should ensure that the proper network
connectivity, service account credentials, and AD services are available and
ready for use.
If you plan to install vCenter Server for Windows and use AD identity
sources, you should ensure that the Windows server is a member of the AD
domain but is not a domain controller.

Note
If the system you use for your vCenter Server installation belongs to a
workgroup rather than a domain, vCenter Server cannot discover all
domains and systems available on the network when using some
features.

Telegram Channel : @IRFaraExam

DNS
You might want to assign static IP addresses and resolvable fully qualified
domain names (FQDNs) to your vSphere components, such as vCenter
Server and ESXi hosts. Before installing these components, you should
ensure that the proper IP addresses and FQDN entries are registered in your
DNS server. You should configure forward and reverse DNS records.
For example, prior to deploying vCenter Server Appliance, you should assign
a static IP address and host name in DNS. The IP address must have a valid
(internal) domain name system (DNS) registration. During the vCenter Server
installation, you must provide the fully qualified domain name (FQDN)or the
static IP. VMware recommends using the FQDN. You should ensure that
DNS reverse lookup returns the appropriate FQDN when queried with the IP
address of the vCenter appliance. Otherwise, the installation of the Web
Server component that supports the vSphere Web client fails.
When you deploy vCenter Server Appliance, the installation of the web
server component that supports the vSphere Web Client fails if the installer
cannot look up the FQDN for the appliance from its IP address. Reverse
lookup is implemented using PTR records. If you plan to use an FQDN for
the appliance system name, you must verify that the FQDN is resolvable by a
DNS server.
Starting with vSphere 6.5, vCenter Server supports mixed IPv4 and IPv6
environment. If you want to set up vCenter Server Appliance to use an IPv6
address version, use the FQDN or host name of the appliance.
It is important to ensure that each vSphere Web Client instance and each
ESXi host instance can successfully resolve the vCenter Server FQDN. It is
also important to ensure that the ESXi host management interface has a valid
DNS resolution from the vCenter Server and all vSphere Web Client
instances. Finally, It is important to ensure that the vCenter Server has a valid
DNS resolution from all ESXi hosts and all vSphere Web Clients.

NTP
It is important to provide time synchronization between the nodes. All
vCenter Server instances must be time synchronized. ESXi hosts must be
time synchronized to support features such as vSphere HA. In most

Telegram Channel : @IRFaraExam

environments, you should plan to use NTP servers for time synchronization.
Prior to implementing vSphere, verify that the NTP servers are running and
available.
Be prepared to provide the names or IP addresses for the NTP servers when
installing vSphere components such as vCenter Server and ESXi. For
example, during the deployment of vCenter Server Appliance, you can
choose to synchronize time with NTP servers and provide a list of NTP
server names or IP addresses, separated by commas. Alternatively, you can
choose to allow the appliance to synchronize time with the ESXi host.

Note
If a vCenter Server Appliance instance is set for NTP time
synchronization, it ignores its time_tools-sync Boolean parameter.
Otherwise, if the parameter is TRUE, VMware Tools synchronizes the
time in the appliance’s guest OS with the ESXi host.

Other Requirements
This section describes a few additional requirements for some of the optional
components (refer to Table 1-3), available vSphere features (refer to Table 1-
4), and add-on products (refer to Table 1-5).

Additional Requirements
The following sections describe some of the requirements for a variety of
commonly used vSphere features.

User Interfaces
The vSphere Host Client and vSphere Client utilize HTML5. The flash-based
vSphere Web Client is not supported in vSphere 7. For Windows users,
VMware supports Microsoft Edge 38 and later, Microsoft Internet Explorer
11.0.96 and later, Mozilla Firefox 45 and later, Google Chrome 50 and later,
and Safari 5.1 and later. For Mac users, VMware supports Safari 5.1 and
later, Mozilla Firefox 45 and later, and Google Chrome 50 and later.

Telegram Channel : @IRFaraExam

vCenter Server File-Based Backup and Restore
If you plan to schedule file-based backups using the VAMI, you must prepare
an FTP, FTPS, HTTP, HTTPS, or SCP server with sufficient disk space to
store the backups.

GUI Installer
You can use the GUI installer to interactively install vCenter Server
Appliance. To do so, you must run the GUI deployment from a Windows,
Linux, or Mac machine that is in the network on which you want to deploy
the instance.

Distributed Power Management (DPM)

DPM requires the ability to wake a host from standby mode, which means it
needs to be able to send a network command to the host to power on. For this
feature, DPM requires iLO, IPMI, or a Wake-on-LAN (WoL) network
adapter to be present in each participating host in the cluster. DPM must be
supplied with the proper credentials to access the interface and power on the
host.

vSphere Replication Requirements

In order to use vSphere Replication 8.3, you must deploy a vSphere
Replication Management Service (VRMS) appliance. Optionally, you can
add nine additional vSphere Replication Service (VRS) appliances. You
should plan for the compute, storage, and network needs of these appliances.
The VRMS appliance requires two vCPUs and 8 GB memory. Optionally,
you can configure it for 4 vCPUs. Each VRS appliance requires two vCPUs
and 716 MB memory. The amount of CPU and memory resources consumed
by the vSphere Replication agent on each host is negligible.
Each VRMS and VRS appliance contains two virtual disks whose sizes are
13 BG and 9 GB. To thick provision these virtual disks, you must provide 22
GB storage. If you do not reserve the memory, you should provide storage for
the VRMS (8 GB) and VRS (716 MB each) swap files.
Each appliance has at least one network interface and requires at least one IP

Telegram Channel : @IRFaraExam

address. Optionally, you can use separate network connections to allow each
appliance to separate management and replication traffic.
The main storage requirement for vSphere Replication is to support the target
datastore to which the VMs will be replicated. At a minimum in the
replication target datastore, you should provide enough storage to replicate
each virtual disk, to support each replicated VM’s swap file, and to store each
VM’s multiple point-in-time captures (snapshots).

vCenter High Availability Requirements

The minimum software version for the nodes in a vCenter HA cluster is

vCenter Server 6.5. The minimum software versions for the environment
(such as a management cluster) where the vCenter HA nodes live are ESXi
6.0 and vCenter Server 6.0. Although not required, VMware recommends
that you use a minimum of three ESXi hosts with DRS rules to separate the
nodes onto separate hosts. You must use a vCenter Server Appliance Small or
larger deployment size (not Tiny) and a vCenter Server Standard (not
Foundation) license. A single vCenter Server license is adequate for a single
vCenter HA cluster. vCenter HA works with VMFS, NFS, and vSAN
datastores.
You must configure the appropriate virtual switch port groups prior to
configuring vCenter HA. The vCenter HA network connects the Active,
Passive, and Witness nodes, replicates the server state, and monitors
heartbeats. The vCenter HA network must be on a different subnet than the
management network, must provide less than 10 ms latency between nodes,
and must not use a default gateway. The vCenter HA and management
network IP addresses must be static.
You can use the Set Up vCenter HA wizard in the vSphere Client to
configure vCenter HA. You have the option to perform an automatic
configuration or a manual configuration. The automatic configuration
requires a self-managed vCenter Server rather than a vCenter Server that
resides in a management cluster that is managed by another vCenter Server.
The automatic configuration automatically clones the initial (Active node)
vCenter Server to create the Witness and Passive nodes. The manual

Telegram Channel : @IRFaraExam

configuration requires you to clone the Active node yourself but gives you
more control.
When configuration is complete, the vCenter HA cluster has two networks:
the management network on the first virtual NIC and the vCenter HA
network on the second virtual NIC.

SDDC Requirements
To build a software-defined data center (SDDC), you may plan to implement
additional VMware products, such as vSAN, NSX, and vRealize Suite. Here
are some of the requirements you should address.

A hybrid cloud is a cloud that is a combination of a private cloud, public
cloud, and on-premises infrastructure. It is the result of combining any cloud
solution with in-house IT infrastructure.
VMware Cloud Foundation (VCF) is the industry’s most advanced hybrid
cloud platform. It provides a complete set of software-defined services for
compute, storage, networking, security, and cloud management to run
enterprise apps in private or public environments. It delivers a simple path to
the hybrid cloud by leveraging a common infrastructure and consistent
operational model for on-premises and off-premises data centers.

VMC on AWS
VMware Cloud (VMC) on AWS is an integrated cloud offering jointly
developed by AWS and VMware that provides a highly scalable, secure
service that allows organizations to seamlessly migrate and extend their on-
premises vSphere-based environments to the AWS cloud. You can use it to
deliver a seamless hybrid cloud by extending your on-premises vSphere
environment to the AWS cloud.

Telegram Channel : @IRFaraExam

VMware vCloud Director
VMware vCloud Director is a cloud service-delivery platform used by some
cloud providers to operate and manage cloud-based services. Service
providers can use vCloud Director to deliver secure, efficient, and elastic
cloud resources to thousands of customers.

Cloud Automation
VMware Cloud Assembly and VMware Service Broker are software as a
service (SaaS) offerings that address similar use cases to the on-premises
cases that VMware vRealize Automation addresses.

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction,
you have some choices for exam preparation: the exercises here, Chapter 15,
“Final Preparation,” and the exam simulation questions on the companion
website.

Review All the Key Topics

Review the most important topics in this chapter, noted with the Key Topics
icon in the outer margin of the page. Table 1-16 lists these key topics and the
page number on which each is found.

Table 1-16 Key Topics

Key Topic Element Description Page Number
Table 1-7 vSphere editions 10
Paragraph Enhanced Linked Mode 12
List ESXi system hardware requirements 15
Paragraph vCenter HA requirements 24

Telegram Channel : @IRFaraExam

Paragraph VMware SDDC 27

Complete Tables and Lists from Memory

Print a copy of Appendix B, “Memory Tables” (found on the companion
website), or at least the section for this chapter, and complete the tables and
lists from memory. Appendix C, “Memory Tables Answer Key” (also on the
companion website), includes completed tables and lists to check your work.

Define Key Terms

Define the following key terms from this chapter and check your answers in
the glossary:
vCenter Single Sign-On (SSO)
VMware Cloud (VMC)
hybrid cloud
vCenter HA
vSphere HA
Distributed Resource Scheduler (DRS)
Proactive HA

Telegram Channel : @IRFaraExam

Storage Models and Datastore Types
This section explains how virtual machines access storage and describes the
storage models and datastore types available in vSphere.

How Virtual Machines Access Storage

A virtual machine communicates with its virtual disk stored on a datastore by
issuing SCSI commands. The SCSI commands are encapsulated into other
forms, depending on the protocol that the ESXi host uses to connect to a
storage device on which the datastore resides, as illustrated in Figure 2-1.

FIGURE 2-1 Virtual Machine Storage

Storage Virtualization: The Traditional Model

Storage virtualization refers to a logical abstraction of physical storage
resources and capacities from virtual machines. ESXi provides host-level

Telegram Channel : @IRFaraExam

storage virtualization. In vSphere environments, a traditional model is built
around the storage technologies and ESXi virtualization features discussed in
the following sections.

Storage Devices (or LUNs)

In common ESXi vocabulary, the terms storage device and LUN are used
interchangeably. Storage devices or LUNs are storage volumes that are
presented to a host from a block storage system and are available to ESXi for
formatting.

Virtual Disk
Virtual disks are sets of files that reside on a datastore that is deployed on
physical storage. From the standpoint of the virtual machine, each virtual disk
appears as if it were a SCSI drive connected to a SCSI controller. The
physical storage is transparent to the virtual machine guest operating system
and applications.

Local Storage
Local storage can be internal hard disks located inside an ESXi host and
external storage systems connected to the host directly through protocols
such as SAS or SATA. Local storage does not require a storage network to
communicate with the host.

Fibre Channel
Fibre Channel (FC) is a storage protocol that a storage area network (SAN)
uses to transfer data traffic from ESXi host servers to shared storage. It
packages SCSI commands into FC frames. The ESXi host uses Fibre Channel
host bus adapters (HBAs) to connect to the FC SAN, as illustrated in Figure
2-1. Unless you use directly connected Fibre Channel storage, you need Fibre
Channel switches to route storage traffic. If a host contains FCoE (Fibre
Channel over Ethernet) adapters, you can connect to shared Fibre Channel
devices by using an Ethernet network.

iSCSI

Telegram Channel : @IRFaraExam

Internet SCSI (iSCSI) is a SAN transport that can use Ethernet connections
between ESXi hosts and storage systems. To connect to the storage systems,
your hosts use hardware iSCSI adapters or software iSCSI initiators with
standard network adapters.
With hardware iSCSI HBAs, the host connects to the storage through a
hardware adapter that offloads the iSCSI and network processing. Hardware
iSCSI adapters can be dependent and independent. With software iSCSI
adapters, the host uses a software-based iSCSI initiator in the VMkernel and
a standard network adapter to connect to storage. Both the iSCSI HBA and
the software iSCSI initiator are illustrated in Figure 2-1.

FCoE
If an ESXi host contains FCoE adapters, it can connect to shared Fibre
Channel devices by using an Ethernet network.

NAS/NFS
vSphere uses NFS to store virtual machine files on remote file servers
accessed over a standard TCP/IP network. ESXi 7.0 uses Network File
System (NFS) Version 3 and Version 4.1 to communicate with NAS/NFS
servers, as illustrated in Figure 2-1. You can use NFS datastores to store and
manage virtual machines in the same way that you use the VMFS datastores.

VMFS
The datastores that you deploy on block storage devices use the native
vSphere Virtual Machine File System (VMFS) format. VMFS is a special
high-performance file system format that is optimized for storing virtual
machines.

Raw Device Mappings (RDMs)

A raw device mapping (RDM) is a mapping file that contains metadata that
resides in a VMFS datastore and acts as a proxy for a physical storage device
(LUN), allowing a virtual machine to access the storage device directly. It

Telegram Channel : @IRFaraExam

gives you some of the advantages of direct access to a physical device as well
as some of the management advantages of VMFS-based virtual disks. The
components involved with an RDM are illustrated in Figure 2-2.

FIGURE 2-2 RDM Diagram

You can envision an RDM as a symbolic link from a VMFS volume to a

storage device. The mapping makes the storage device appear as a file in a
VMFS volume. The virtual machine configuration references the RDM, not
the storage device. RDMs support two compatibility modes:

Virtual compatibility mode: The RDM acts much like a virtual disk
file, enabling extra virtual disk features, such as the use of virtual
machine snapshot and the use of disk modes (dependent, independent—
persistent, and independent—nonpersistent).
Physical compatibility mode: The RDM offers direct access to the
SCSI device, supporting applications that require lower-level control.

Virtual disk files are preferred over RDMs for manageability. You should
only use RDMs when necessary. Use cases for RDMs include the following.

You plan to install in a virtual machine software that requires features

inherent to the SAN, such as SAN management, storage-based
snapshots, or storage-based replication. The RDM enables the virtual

Telegram Channel : @IRFaraExam

machine to have the required access to the storage device.
You plan to configure a Microsoft Custer Server (MSCS) clustering in a
manner that spans physical hosts, such as virtual-to-virtual clusters and
physical-to-virtual clusters. You should configure the data and quorum
disks as RDMs rather than as virtual disk files.

Benefits of RDMs include the following:

User-friendly persistent names: Much as with naming a VMFS

datastore, you can provide a friendly name to a mapped device rather
than use its device name.
Dynamic name resolution: If physical changes (such as adapter
hardware changes, path changes, or device relocation) occur, the RDM is
updated automatically. The virtual machines do not need to be updated
because they reference the RDM.
Distributed file locking: VMFS distributed locking is used to make it
safe for two virtual machines on different servers to access the same
LUN.
File permissions: Permissions are set on the mapping file to effectively
apply permissions to the mapped file, much as they are applied to virtual
disks.
File system operations: Most file system operations that are valid for an
ordinary file can be applied to the mapping file and redirected to the
mapped device.
Snapshots: Virtual machine snapshots can be applied to the mapped
volume except when the RDM is used in physical compatibility mode.
vMotion: You can migrate the virtual machine with vMotion, as vCenter
Server uses the RDM as a proxy, which enables the use of the same
migration mechanism used for virtual disk files.
SAN management agents: RDM enables the use of SAN management
agents (SCSI target-based software) inside a virtual machine. This
requires hardware-specific SCSI commands as well as physical
compatibility mode for the RDM.

Telegram Channel : @IRFaraExam

N-Port ID Virtualization (NPIV): You can use NPIV technology,
which allows a single Fibre Channel HBA port to register with the fabric
by using multiple worldwide port names (WWPNs). This ability makes
the HBA port appear as multiple virtual ports, each with its own ID and
virtual port name. Virtual machines can claim each of these virtual ports
and use them for all RDM traffic. NPIV requires the use of virtual
machines with RDMs.

Note
To support vMotion involving RDMs, be sure to maintain consistent
LUN IDs for RDMs across all participating ESXi hosts.

Note
To support vMotion for NPIV-enabled virtual machines, place the
RDM files, virtual machine configuration file, and other virtual
machines in the same datastore. You cannot perform Storage vMotion
when NPIV is enabled.

Software-Defined Storage Models

In addition to abstracting underlying storage capacities from VMs, as
traditional storage models do, software-defined storage abstracts storage
capabilities. With software-defined storage, a virtual machine becomes a unit
of storage provisioning and can be managed through a flexible policy-based
mechanism. Software-defined storage involves the vSphere technologies
described in the following sections.

vSAN
vSAN is a layer of distributed software that runs natively on each hypervisor
in a cluster. It aggregates local or direct-attached capacity, creating a single
storage pool shared across all hosts in the vSAN cluster.

Telegram Channel : @IRFaraExam

vVols
Virtual volumes are encapsulations of virtual machine files, virtual disks, and
their derivatives that are stored natively inside a storage system. You do not
provision virtual volumes directly. Instead, they are automatically created
when you create, clone, or snapshot a virtual machine. Each virtual machine
can be associated to one or more virtual volumes.
The Virtual Volumes (vVols) functionality changes the storage management
paradigm from managing space inside datastores to managing abstract
storage objects handled by storage arrays. With vVols, each virtual machine
(rather than a datastore) is a unit of storage management. You can apply
storage policies per virtual machine rather than per LUN or datastore.

Storage Policy Based Management

Storage Policy Based Management (SPBM) is a framework that provides a
single control panel across various data services and storage solutions,
including vSAN and vVols. Using storage policies, the framework aligns
application demands of virtual machines with capabilities provided by
storage entities.

I/O Filters
I/O filters are software components that can be installed on ESXi hosts and
can offer additional data services to virtual machines. Depending on the
implementation, the services might include replication, encryption, caching,
and so on.

Datastore Types
In vSphere 7.0, you can use the datastore types described in the following
sections.

Telegram Channel : @IRFaraExam

You can create a vVols datastore in an environment with a compliant storage
system. A virtual volume, which is created and manipulated out of band by a
vSphere APIs for Storage Awareness (VASA) provider, represents a storage
container in vSphere. The VASA provider maps virtual disk objects and their
derivatives, such as clones, snapshots, and replicas, directly to the virtual
volumes on the storage system. ESXi hosts access virtual volumes through an
intermediate point in the data path called the protocol endpoint. Protocol
endpoints serve as gateways for I/O between ESXi hosts and the storage
system, using Fibre Channel, FCoE, iSCSI, or NFS.

vSAN Datastores
You can create a vSAN datastore in a vSAN cluster. vSAN is a
hyperconverged storage solution, which combines storage, compute, and
virtualization into a single physical server or cluster. The following section
describes the concepts, benefits, and terminology associated with vSAN.

Storage in vSphere with Kubernetes

To support the different types of storage objects in Kubernetes, vSphere with
Kubernetes provides three types of virtual disks: ephemeral, container image,
and persistent volume.
A vSphere pod requires ephemeral storage to store Kubernetes objects, such
as logs, emptyDir volumes, and ConfigMaps. The ephemeral, or transient,
storage exists if the vSphere pod exists.
The vSphere pod mounts images used by its containers as image virtual disks,
enabling the container to use the software contained in the images. When the
vSphere pod life cycle completes, the image virtual disks are detached from
the vSphere pod. You can specify a datastore to use as the container image
cache, such that subsequent pods can pull it from the cache rather than from
the external container registry.
Some Kubernetes workloads require persistent storage to store the data
independently of the pod. Persistent volume objects in vSphere with
Kubernetes are backed by the First Class Disks on a datastore. A First Class
Disk (FCD), which is also called an Improved Virtual Disk, is a named
virtual disk that is not associated with a VM. To provide persistent storage,

Telegram Channel : @IRFaraExam

you can use the Workload Management feature in the vSphere Client to
associate one or more storage policies with the appropriate namespace.

VMware NVMe
NVMe storage is a low-latency, low-CPU-usage, and high-performance
alternative to SCSI storage. It is designed for use with faster storage media
equipped with non-volatile memory, such as flash devices. NVMe storage
can be directly attached to a host using a PCIe interface or indirectly through
different fabric transport (NVMe-oF).
In a NVMe storage array, a namespace represents a storage volume. An
NVMe namespace is analogous to a storage device (LUN) in other storage
arrays. In the vSphere Client, an NVMe namespace appears in the list of
storage devices. You can use a device to create a VMFS datastore.

Requirements for NVMe over PCIe

NVMe over PCIe requires the following:

Local NVMe storage devices

Compatible ESXi host
Hardware NVMe over PCIe adapter

Requirements for NVMe over RDMA (RoCE Version 2)

NVMe over RDMA requires the following:

NVMe storage array with NVMe over RDMA (RoCE Version 2)

transport support
Compatible ESXi host
Ethernet switches supporting a lossless network
Network adapter that supports RDMA over Converged Ethernet (RoCE
Version 2)
Software NVMe over RDMA adapter
NVMe controller

Telegram Channel : @IRFaraExam

Requirements for NVMe over Fibre Channel
NVMe over Fibre Channel requires the following:

Fibre Channel storage array that supports NVMe

Compatible ESXi host
Hardware NVMe adapter (that is, a Fibre Channel HBA that supports
NVMe)
NVMe controller

VMware High-Performance Plug-in (HPP)

VMware provides the High-Performance Plug-in (HPP) to improve the
performance of NVMe devices on an ESXi host. HPP replaces NMP for
high-speed devices, such as NVMe.
HPP is the default plug-in that claims NVMe-oF targets. In ESXi, the NVMe-
oF targets are emulated and presented to users as SCSI targets. The HPP
supports only active/active and implicit ALUA targets.
NMP is the default plug-in for local NVMe devices, but you can replace it
with HPP. NMP cannot be used to claim the NVMe-oF targets. HPP should
be used for NVMe-oF.
Table 2-5 describes vSphere 7.0 support for HPP.
Table 2-5 vSphere 7.0 HPP Support
HPP Support vSphere 7.0
Storage devices Local NVMe PCIe

Shared NVMe-oF (active/active and implicit

ALUA targets only)
Multipathing Yes
Second-level plug-ins No
SCSI-3 persistent No
reservations

Telegram Channel : @IRFaraExam

4Kn devices with No
software emulation
vSAN No
Table 2-6 describes the path selection schemes (PSS) HPP uses when
selecting physical paths for I/O requests.
Table 2-6 HPP Path Selection Schemes
PSS Description
FIXE A designated preferred path is used for I/O requests.
D
LB- After transferring a specified number of bytes or I/Os on a current
RR path, the scheme selects the path using the round robin algorithm.
You can configure the IOPS and Bytes properties to indicate the
(Load criteria for path switching. (This is the default HPP scheme.)
Balan
ce—
Roun
d
Robin
)
LB- After transferring a specified number of I/Os on a current path
IOPS (1000 by default), the scheme selects an optimal path based on
the least number of outstanding bytes.
(Load
Balan
ce—
IOPS
)
LB- After transferring a specified amount of data on a current path (10
BYT MB by default), the scheme selects an optimal path based on the
ES least number of outstanding I/Os.

(Load

Telegram Channel : @IRFaraExam

Balan
ce—
Bytes
)
LB- The scheme selects an optimal path by considering the latency
Laten evaluation time and the sampling I/Os per path.
cy

(Load
Balan
ce—
Laten
cy)
HPP best practices include the following:

Use a vSphere version that supports HPP.

Use HPP for NVMe local and networked devices.
Do not use HPP with HDDs or any flash devices that cannot sustain
200,000 IOPS.
If you use NVMe with Fibre Channel devices, follow your vendor’s
recommendations.
If you use NVMe-oF, do not mix transport types to access the same
namespace.
When using NVMe-oF namespaces, make sure that active paths are
presented to the host.
Configure VMs to use VMware Paravirtual controllers.
Set the latency sensitive threshold for virtual machines.
If a single VM drives a significant share of a device’s I/O workload,
consider spreading the I/O across multiple virtual disks, attached to
separate virtual controllers in the VM. Otherwise, you risk the I/O
saturating a CPU core.

Object-based storage: Data is stored in vSAN by way of objects, which
are flexible data containers. Objects are logical volumes with data and
metadata spread among nodes in the cluster. Virtual disks are objects, as
are snapshots. For object creation and placement, vSAN takes the
following into account:
Virtual disk policy and requirements are verified.
The number of copies (replicas) is verified; the amount of flash read
cache allocated for replicas, number of stripes for replica, and
location are determined.
Policy compliance of virtual disks is ensured.
Mirrors and witnesses are placed on different hosts or fault domains.
vSAN datastores: Like other datastores, a vSAN datastore appears in the
Storage Inventory view in vSphere. A vSAN cluster provides a single
datastore for all the hosts in the cluster, even for hosts that do not
contribute storage to vSAN. An ESXi host can mount VMFS and NFS
datastores in addition to the vSAN datastore. Storage vMotion can be
used to migrate VMs between datastore types.
Objects and components: vSAN includes the following objects and
components:
VM home namespace: The VM home directory where all the VM
files are stored
VMDK: Virtual disks for VMs
VM swap object: An object that allows memory to be swapped to
disk during periods of contention and that is created at VM power on
Snapshot delta VMDKs: Change files created when a snapshot is
taken of a VM
Memory object: An object created when a VM is snapshotted (and
the VM’s memory is retained) or suspended
Virtual machine compliance status: Can be Compliant and
Noncompliant, depending on whether each of the virtual machine’s
objects meets the requirements of the assigned storage policy. The status
is available on the Virtual Disks page on the Physical Disk Placement

Telegram Channel : @IRFaraExam

tab.
Component state: vSAN has two component states:
Degraded: vSAN detects a permanent failure of a component.
Absent: vSAN detects a temporary component failure.
Object state: vSAN has two object states:
Healthy: At least one RAID 1 mirror is available, or enough
segments are available for RAID 5 or 6.
Unhealthy: No full mirror is available, or not enough segments are
available for RAID 5 or 6.
Witness: This is a component consisting of only metadata. It is used as a
tiebreaker. Witnesses consume about 2 MB of space for metadata on a
vSAN datastore when on-disk format Version 1.0 is used and 4 MB
when on-disk format Version 2.0 or later is used.
Storage Policy Based Management (SPBM): VM storage requirements
are defined as a policy, and vSAN ensures that these policies are met
when placing objects. If you do not apply a storage policy when creating
or deploying VMs, the default vSAN policy is used, with Primary Level
of Failures to Tolerate set to 1, a single stripe per object, and a thin
provisioned disk.
Ruby vSphere Console (RVC): This is a command-line interface used
for managing and troubleshooting vSAN. RVC provides a cluster-wide
view and is included with a vCenter Server deployment.
VMware PowerCLI: vSAN cmdlets are included with PowerCLI to
allow administration of vSAN.
vSAN Observer: This is a web-based utility, built on top of RVC, used
for performance analysis and monitoring. It can display performance
statistics on the capacity tier, disk group statistics, CPU load, memory
consumption, and vSAN objects in-memory and their distribution across
the cluster.
vSAN Ready Node: This preconfigured deployment is provided by
VMware partners. It is a validated design using certified hardware.

Telegram Channel : @IRFaraExam

User-defined vSAN cluster: This vSAN deployment makes use of
hardware selected by you.

Note
The capacity disks contribute to the advertised datastore capacity. The
flash cache devices are not included as capacity.

What Is New in vSAN 7.0

The following new features are available in vSAN 7.0:

vSphere Lifecycle Manager: vSphere Lifecycle Manager uses a

desired-state model to enable simple, consistent lifecycle management
for ESXi hosts, including drivers and firmware.
Integrated file services: The native vSAN File Services enables you to
create and present NFS Version 4.1 and Version 3 file shares, effectively
extending vSAN capabilities such as availability, security, storage
efficiency, and operations management to files.
Native support for NVMe Hot-Plug: The Hot-Plug plug-in provides a
consistent way of servicing NVMe devices and provides operational
efficiency.
I/O redirect based on capacity imbalance with stretched clusters:
This feature improves VM uptime by redirecting all virtual machine I/O
from a capacity-strained site to the other site.
Skyline integration with vSphere Health and vSAN Health: Skyline
Health for vSphere and vSAN are available, enabling native, in-product
health monitoring and consistent, proactive analysis.
Removal of EZT for shared disk: vSAN 7.0 eliminates the prerequisite
that shared virtual disks using the multi-writer flag must also use the
eager zero thick format.
Support for vSAN memory as a metric in performance service:
vSAN memory usage is now available in Performance Charts (vSphere
Client) and through the API.

Telegram Channel : @IRFaraExam

Visibility of vSphere Replication objects: vSphere Replication objects
are visible in vSAN capacity view.
Support for large-capacity drives: vSAN provides support for 32 TB
physical capacity drives and up to 1 PB logical capacity when
deduplication and compression are enabled.
Immediate repair after new witness is deployed: vSAN immediately
invokes a repair object operation after a witness has been added during a
replace witness operation.
vSphere with Kubernetes integration: Cloud Native Storage (CNS) is
the default storage platform for vSphere with Kubernetes. This
integration enables various stateful containerized workloads to be
deployed on vSphere with Kubernetes Supervisor and Guest clusters on
vSAN, VMFS, and NFS datastores.
File-based persistent volumes: Kubernetes developers can dynamically
create shared (read/write/many) persistent volumes for applications.
Multiple pods can share data. The native vSAN File Services is the
foundation that enables this capability.
vVols support for modern applications: You can deploy modern
Kubernetes applications to external storage arrays on vSphere using the
CNS support added for vVols. vSphere now enables unified management
for persistent volumes across vSAN, NFS, VMFS, and vVols.
vSAN VCG notification service: You can get notified through email
about any changes to vSAN HCL components, such as vSAN
ReadyNode, I/O controller, and drives (NVMe, SSD, HDD), and get
notified through email about any changes.

Note
In vCenter Server 7.0.0a, vSAN File Services and vSphere Lifecycle
Manager can be enabled simultaneously on the same vSAN cluster.

vSAN Deployment Options

Telegram Channel : @IRFaraExam

When deploying vSAN, you have several options for the cluster topology, as
described in the following sections.

Standard Cluster
A standard vSAN cluster, as illustrated in Figure 2-3, consists of a minimum
of three hosts, typically residing at the same location and connected on the
same Layer 2 network. 10 Gbps network connections are required for all-
flash clusters and are recommended for hybrid configurations.

FIGURE 2-3 A Standard vSAN Cluster

Two-Host vSAN Cluster

The main use case for a two-host vSAN cluster is in a remote office/branch
office environment, where workloads require high availability. A two-host
vSAN cluster, as illustrated in Figure 2-4, consists of two hosts at the same
location, connected to the same network switch or directly connected to one
another. You can configure a two-host vSAN cluster that uses a third host as
a witness, and the witness can be located separately from the remote office.

Telegram Channel : @IRFaraExam

Usually the witness resides at the main site, along with vCenter Server. For
more details on the witness host, see the following section.

FIGURE 2-4 A Two-Node vSAN Cluster

Stretched Cluster

You can create a stretched vSAN cluster that spans two geographic sites and
continues to function if a failure or scheduled maintenance occurs at one site.
Stretched clusters, which are typically deployed in metropolitan or campus
environments with short distances between sites, provide a higher level of
availability and inter-site load balancing.
You can use stretched clusters for planned maintenance and disaster
avoidance scenarios, with both data sites active. If either site fails, vSAN uses
the storage on the other site, and vSphere HA can restart virtual machines on
the remaining active site.

Telegram Channel : @IRFaraExam

You should designate one site as the preferred site; it then becomes the only
used site in the event that network connectivity is lost between the two sites.
A vSAN stretched cluster can tolerate one link failure at a time without data
becoming unavailable. During a site failure or loss of network connection,
vSAN automatically switches to fully functional sites.

Note
A link failure is a loss of network connection between two sites or
between one site and the witness host.

Each stretched cluster consists of two data sites and one witness host. The
witness host resides at a third site and contains the witness components of
virtual machine objects. It contains only metadata and does not participate in
storage operations. Figure 2-5 shows an example of a stretched cluster, where
the witness node resides at a third site, along with vCenter Server.

Telegram Channel : @IRFaraExam

FIGURE 2-5 A Stretched vSAN Cluster

The witness host acts as a tiebreaker for decisions regarding availability of

datastore components. The witness host typically forms a vSAN cluster with
the preferred site but forms a cluster with secondary site if the preferred site
becomes isolated. When the preferred site is online again, data is
resynchronized.
A witness host has the following characteristics:

It can use low-bandwidth/high-latency links.

It cannot run VMs.
It can support only one vSAN stretched cluster.
It requires a VMkernel adapter enabled for vSAN traffic with
connections to all hosts in the cluster. It can have only one VMkernel

Telegram Channel : @IRFaraExam

adapter dedicated to vSAN but can have another for management.
It must be a standalone host. It cannot be added to any other cluster or
moved in inventory through vCenter Server.
It can be a physical ESXi host or a VM-based ESXi host.

Note
The witness virtual appliance is an ESXi host in a VM, packaged as an
OVF or OVA, which is available in different options, depending on the
size of the deployment.

Each site in a stretched cluster resides in a separate fault domain. Three

default domains are used: the preferred site, the secondary site, and a witness
host.
Beginning with vSAN Version 6.6, you can provide an extra level of local
fault protection for objects in stretched clusters by using the following policy
rules:

Primary Level of Failures to Tolerate (PFTT): This defines the

number of site failures that a virtual machine object can tolerate. For a
stretched cluster, only a value of 0 or 1 is supported.
Secondary Level of Failures to Tolerate (SFTT): This defines the
number of additional host failures that the object can tolerate after the
number of site failures (PFTT) is reached. For example, if PFTT = 1 and
SFTT = 2, and one site is unavailable, then the cluster can tolerate two
additional host failures. The default value is 0, and the maximum value is
3.
Data Locality: This enables you to restrict virtual machine objects to a
selected site in the stretched cluster. The default value is None, but you
can change it to Preferred or Secondary. Data Locality is available only
if PFTT = 0.

Note

Telegram Channel : @IRFaraExam

If you set SFTT for a stretched cluster, the Fault Tolerance Method rule
applies to the SFTT. The failure tolerance method used for the PFTT is
set to RAID 1.

Consider the following guidelines and best practices for stretched clusters:

DRS must be enabled on a stretched cluster.

You need to create two host groups, two virtual machines groups, and
two VM-Host affinity rules to effectively control the placement of virtual
machines between the preferred and secondary sites.
HA must be enabled on the cluster in a manner such that it respects the
VM-Host affinity rules.
You need to disable HA datastore heartbeats.
On-disk format Version 2.0 or later is required.
You need to set Failures to Tolerate to 1.
Symmetric Multiprocessing Fault Tolerance (SMP-FT) is supported
when PFFT is set to 0 and Data Locality is set to Preferred or Secondary.
SMP-FT is not supported if PFFT is set to 1.
Using esxcli to add or remove hosts is not supported.
If one of the three fault domains (preferred site, secondary site, or
witness host) is inaccessible, new VMs can still be provisioned, but they
are noncompliant until the partitioned site rejoins the cluster. This
implicit forced provisioning is performed only when two of the three
fault domains are available.
If an entire site goes offline due to loss of power or network connection,
you need to restart the site immediately. Bring all hosts online at
approximately the same time to avoid resynchronizing a large amount of
data across the sites.
If a host is permanently unavailable, you need to remove the host from
the cluster before performing any reconfiguration tasks.
To deploy witnesses for multiple clusters, you should not clone a virtual

Telegram Channel : @IRFaraExam

machine that is already configured as a witness. Instead, you can first
deploy a VM from OVF, then clone the VM, and then configure each
clone as a witness host for a different cluster.

The stretched cluster network must meet the following requirements:

The management network requires connectivity across all three sites,

using a Layer 2 stretched network or a Layer 3 network.
The vSAN network requires connectivity across all three sites, using a
Layer 2 stretched network between the two data sites and a Layer 3
network between the data sites and the witness host.
The virtual machine network requires connectivity between the data sites
but not the witness host. You can use a Layer 2 stretched network or
Layer 3 network between the data sites. Virtual machines do not require
a new IP address following failover to the other site.
The vMotion network requires connectivity between the data sites but
not the witness host. You can use a Layer 2 stretched or a Layer 3
network between data sites.

vSAN Limitations

Limitations of vSAN include the following.

No support for hosts participating in multiple vSAN clusters

No support for vSphere DPM and storage I/O control
No support for SE sparse disks
No support for RDM, VMFS, diagnostic partition, and other device
access features

vSAN Space Efficiency

You can use space efficiency techniques in vSAN to reduce the amount of
space used for storing data. These techniques include the use of any or all of
the following:

Telegram Channel : @IRFaraExam

Thin provisioning: Consuming only the space on disk that is used (and
not the total allocated virtual disk space)
Deduplication: Reducing duplicated data blocks by using SHA-1 hashes
for data blocks
Compression: Compressing data using LZ4, which is a lightweight
compression mechanism.
Erasure coding: Creating a strip of data blocks with a parity block (This
is similar to parity with RAID configurations, except it spans ESXi hosts
in the cluster instead of disks in the host.)

SCSI UNMAP
SCSI UNMAP commands, which are supported in vSAN Version 6.7 Update
1 and later, enable you to reclaim storage space that is mapped to deleted
vSAN objects. vSAN supports the SCSI UNMAP commands issued in a
guest operating system to reclaim storage space. vSAN supports offline
unmaps as well as inline unmaps. On Linux, offline unmaps are performed
with the fstrim(8) command, and inline unmaps are performed when the
mount -o discard command is used. On Windows, NTFS performs inline
unmaps by default.

Deduplication and Compression

All-flash vSAN clusters support deduplication and compression.
Deduplication removes redundant data blocks. Compression removes
additional redundant data within each data block. Together, these techniques
reduce the amount of space required to store data. As vSAN moves data from
the cache tier to the capacity tier, it applies deduplication and then applies
compression.
You can enable deduplication and compression as a cluster-wide setting, but
they are applied on a disk group basis, and redundant data is reduced within
each disk group.
When you enable or disable deduplication and compression, vSAN performs
a rolling reformat of every disk group on every host, and this may take a long
time. You should verify that enough physical capacity is available to place
your data. You should also minimize how frequently these operations are

Telegram Channel : @IRFaraExam

performed.

Note
Deduplication and compression might not be effective for encrypted
VMs.

The amount of storage reduction achieved through deduplication and

compression depends on many factors, such as the type of data stored and the
number of duplicate blocks. Larger disk groups tend to provide a higher
deduplication ratio.

RAID 5 and RAID 6 Erasure Coding

In a vSAN cluster, you can use RAID 5 or RAID 6 erasure coding to protect
against data loss while increasing storage efficiency compared with RAID 1
(mirroring). You can configure RAID 5 on all-flash clusters with four or
more fault domains. You can configure RAID 5 or RAID 6 on all-flash
clusters with six or more fault domains.
RAID 5 or RAID 6 erasure coding requires less storage space to protect your
data than RAID 1 mirroring. For example, if you protect a VM by setting
Primary Level of Failures to Tolerate (PFTT) to 1, RAID 1 requires twice the
virtual disk size, and RAID 5 requires 1.33 times the virtual disk size. Table
2-7 compares RAID 1 with RAID 5/6 for a 100 GB virtual disk.
Table 2-7 RAID Configuration Comparison
RAID Configuration PF Data Required Usable
TT Size Capacity Capacity
RAID 1 (mirroring) 1 100 200 GB 50%
GB
RAID 5 or RAID 6 (erasure coding) 1 100 133 GB 75%
with four fault domains GB
RAID 1 (mirroring) 2 100 300 GB 33%
GB

Telegram Channel : @IRFaraExam

RAID 5 or RAID 6 (erasure coding) 2 100 150 GB 67%
with six fault domains GB
RAID 1 (mirroring) 3 100 400 GB 25%
GB
RAID 5 or RAID 6 (erasure coding) 3 N/ N/A N/A
with six fault domains A
Before configuring RAID 5 or RAID 6 erasure coding in a vSAN cluster, you
should consider the following:

All-flash disk groups are required.

On-disk format Version 3.0 or later is required.
A valid license supporting RAID 5/6 is required.
You can enable deduplication and compression on the vSAN cluster to
achieve additional space savings.
PFTT must be set to less than 3.

vSAN Encryption
You can use data at rest encryption in a vSAN cluster, where all data is
encrypted after all other processing, such as deduplication, is performed. All
files are encrypted, so all virtual machines and their data are protected. Only
administrators with encryption privileges can perform encryption and
decryption tasks. Data at rest encryption protects data on storage devices in
the event that a device is removed from the cluster.
vSAN encryption requires an external key management server (KMS), the
vCenter Server system, and ESXi hosts. vCenter Server requests encryption
keys from an external KMS. The KMS generates and stores the keys, and
vCenter Server obtains the key IDs from the KMS and distributes them to the
ESXi hosts. vCenter Server does not store the KMS keys but keeps a list of
key IDs.
vSAN uses encryption keys in the following manner:

vCenter Server requests an AES-256 key encryption key (KEK) from the
KMS.

Telegram Channel : @IRFaraExam

vCenter Server stores only the ID of the KEK (not the key itself.)
The host encrypts disk data using the industry-standard AES-256 XTS
mode.
Each disk has a unique, randomly generated data encryption key (DEK).
A host key is used to encrypt core dumps, not data. All hosts in the same
cluster use the same host key.
When collecting support bundles, a random key is generated to re-
encrypt the core dumps. You can specify a password to encrypt the
random key.

Note
Each ESXi host uses the KEK to encrypt its DEKs and stores the
encrypted DEKs on disk. The host does not store the KEK on disk. If a
host reboots, it requests the KEK with the corresponding ID from the
KMS. The host can then decrypt its DEKs as needed.

vSAN File Services

You can use vSAN File Services to provide vSAN-backed file shares that
virtual machines can access as NFS Version 3 and NFS Version 4.1 file
shares. It uses vSAN Distributed File System (vDFS), resilient file server
endpoints, and a control plane, as illustrated in Figure 2-6. File shares are
integrated into the existing vSAN Storage Policy Based Management and on
a per-share basis. vSAN File Services creates a single vDFS for the cluster
and places a file service virtual machine (FSVM) on each host. The FSVMs
manage file shares and act as NFS file servers using IP addresses from a
static IP address pool.

Telegram Channel : @IRFaraExam

FIGURE 2-6 vSAN File Services Architecture

machine)
storage For an all-flash disk group, at least one SAS or SATA SSD
or at least one PCIe flash device needs to be available.
Storage One SAS or SATA host bus adapter (HBA) or a RAID
controllers controller that is in passthrough mode or RAID 0 mode is
required.

If the same storage controller is backing both vSAN and

non-vSAN disks, you should apply the following VMware
recommendations to avoid issues:

Do not mix the controller mode for vSAN and non-vSAN

disks. If the vSAN disks are in RAID mode, the non-vSAN
disks should also be in RAID mode.

If VMFS is used on the non-vSAN disks, then use the VMFS

datastore only for scratch, logging, and core dumps.

Do not run virtual machines from a disk or RAID group that

shares its controller with vSAN disks or RAID groups.

Do not pass through non-vSAN disks to virtual machine

guests as RDMs.

The memory requirements for vSAN depend on the number of disk groups
and devices that the ESXi hypervisor must manage. According to VMware
Knowledge Base (KB) article 2113954, the following formula can be used to
calculate vSAN memory consumption:

Telegram Channel : @IRFaraExam

vSANFootprint = HOST_FOOTPRINT + NumDiskGroups ×
DiskGroupFootprint

where:

DiskGroupFootprint = DISKGROUP_FIXED_FOOTPRINT +
DISKGROUP_SCALABLE_FOOTPRINT + CacheSize ×
CACHE_DISK_FOOTPRINT + NumCapacityDisks ×
CAPACITY_DISK_FOOTPRINT

The ESXi Installer creates a coredump partition on the boot device, whose
default size is typically adequate. If ESXi host memory is 512 GB or less,
you can boot the host from a USB, SD, or SATADOM device. When you
boot a vSAN host from a USB device or SD card, the size of the boot device
must be at least 4 GB. If ESXi host memory is more than 512 GB, consider
the following guidelines:

You can boot the host from a SATADOM or disk device with a size of at
least 16 GB. When you use a SATADOM device, use a single-level cell
(SLC) device.
If you are using vSAN 6.5 or later, you must resize the coredump
partition on ESXi hosts to boot from USB/SD devices.

Consider using at least 32 GB memory per host for full vSAN operations
based on five disk groups per host and seven capacity devices per disk group.
Plan for 10% CPU overhead for vSAN.

Cluster Requirements
You should verify that a host cluster contains a minimum of three hosts that
contribute capacity to the cluster. A two-host vSAN cluster consists of two
data hosts and an external witness host. It is important to ensure that each
host that resides in a vSAN cluster does not participate in other clusters.

Software Requirements
For full vSAN capabilities, the participating hosts must be version 6.7 Update
3 or later. vSAN 6.7.3 and later software supports all on-disk formats.

Telegram Channel : @IRFaraExam

Network Requirements
You should ensure that the network infrastructure and configuration support
vSAN as described in Table 2-9.
Table 2-9 vSAN Networking Requirements
Comp Requirement
onent
Hos For hybrid configuration, each host requires 1 Gbps (dedicated).
t For all-flash configuration, each host requires 10 Gbps (dedicated
ban or shared).
dwi
dth
Hos Each vSAN cluster member host cluster (even those that do not
t contribute capacity) must have a vSAN-enabled VMkernel network
net adapter connected to a Layer 2 or Layer 3 network.
wor
k
IP vSAN supports IPv4 and IPv6.
vers
ion
Net Maximum round trip time (RTT) between all the member hosts in a
wor standard vSAN clusters is 1 ms.
k
late Maximum RTT between the two main sites in a stretched vSAN
ncy cluster is 5 ms.

Maximum RTT between each main site and the witness host in a
stretched cluster is 200 ms.

License Requirements
You should ensure that you have a valid vSAN license that supports your

Telegram Channel : @IRFaraExam

required features. If you do not need advanced or enterprise features, a
standard license is sufficient. An advanced (or enterprise) license is required
for advanced features such as RAID 5/6 erasure coding, deduplication, and
compression. An enterprise license is required for enterprise features such as
encryption and stretched clusters.
The capacity of the license must cover the total number of CPUs in the
cluster.

Other vSAN Considerations

The following sections outline some other considerations that are important
in planning a vSAN deployment.

vSAN Network Best Practices

Consider the following networking best practices concerning vSAN:

For hybrid configurations, use dedicated network adapters (at least 1

Gbps). For best performance, use dedicated or shared 10 Gbps adapters.
For all-flash configurations, use a dedicated or shared 10 GbE physical
network adapter.
Provision one additional physical NIC as a failover NIC.
If you use a shared 10 GbE network adapter, place the vSAN traffic on a
distributed switch with Network I/O Control (NIOC) configured.

Boot Devices and vSAN

You can boot ESXi from a local VMFS on a disk that is not associated with
vSAN.
You can boot a vSAN host from a USB/SD device, but you must use a high-
quality 4 GB or larger USB or SD flash drive. If the ESXi host memory is
larger than 512 GB, for vSAN 6.5 or later, you must resize the coredump
partition on ESXi hosts to boot from USB/SD devices.
You can boot a vSAN host from a SATADOM device, but you must use a 16
GB or larger single-level cell (SLC) device.

Telegram Channel : @IRFaraExam

Persistent Logging in a vSAN Cluster
When you boot ESXi from a USB or SD device, log information and stack
traces are lost on host reboot because the scratch partition is on a RAM drive.
You should consider using persistent storage other than vSAN for logs, stack
traces, and memory dumps. You could use VMFS or NFS or you could
configure the ESXi Dump Collector and vSphere Syslog Collector to send
system logs to vCenter Server.

vSAN Policies
Storage policies are used in vSAN to define storage requirements for virtual
machines. These policies determine how to provision and allocate storage
objects within the datastore to guarantee the required level of service. You
should assign at least one storage policy to each virtual machine in a vSAN
datastore. Otherwise, vSAN assigns a default policy with Primary Level of
Failures to Tolerate set to 1, a single disk stripe per object, and a thin-
provisioned virtual disks.
Storage policies, including those specific to vSAN, are covered later in this
chapter.

vSphere Storage Integration

In a vSphere 7.0 environment, you have several options for integrating with
supported storage solutions, including Virtual Volumes (vVols), vSphere
APIs for Storage Awareness (VASA), and vSphere APIs for Array
Integration (VAAI).

VASA
Storage vendors or VMware can make use of VASA. Storage providers
(VASA providers) are software components that integrate with vSphere to
provide information about the physical storage capabilities. Storage providers
are utilized by either ESXi hosts or vCenter to gather information about the
storage configuration and status and display it to administrators in the
vSphere Client. There are several types of storage providers:

Persistent storage providers: These storage providers manage storage

Telegram Channel : @IRFaraExam

arrays and handle abstraction of the physical storage. vVols and vSAN
use persistent storage providers.
Data storage providers: This type of provider is used for host-based
caching, compression, and encryption.
Built-in storage providers: These storage providers are offered by
VMware and usually do not require registration. Examples of these are
vSAN and I/O filters included in ESXi installations.
Third-party storage providers: If a third party is offering a storage
provider, it must be registered.

The information that storage providers offer may include the following:

Storage data services and capabilities (which are referenced when

defining a storage policy)
Storage status, including alarms and events
Storage DRS information

Unless the storage provider is VMware, the vendor must provide the policy.
There are other requirements related to implementing storage providers as
well:

Contact your storage vendor for information about deploying the storage
provider and ensure that it is deployed correctly.
Ensure that the storage provider is compatible by verifying it with the
VMware Compatibility Guide.
Do not install the VASA provider on the same system as vCenter.
Upgrade storage providers to new versions to make use of new
functionalities.
Unregister and reregister a storage provider when upgrading.

Storage providers must be registered in the vSphere Client to be able to

establish a connection between vCenter and the storage provider. VASA is
essential when working with vVols, vSAN, vSphere APIs for I/O Filtering
(VAIO), and storage VM policies.

Telegram Channel : @IRFaraExam

Note
If vSAN is being used, service providers are registered automatically
and cannot be manually registered.

VAAI
VAAI, also known as hardware acceleration or hardware offload APIs,
enable ESXi hosts to be able to communicate with storage arrays. They use
functions called storage primitives, which allow offloading of storage
operations to the storage array itself. The goal is to reduce overhead and
increase performance. This allows storage to be responsible for cloning
operations and zeroing out disk files. Without VAAI hardware offloading, the
VMkernel Data Mover service is used to copy data from the source datastore
to the destination datastore, incurring physical network latencies and
increasing overhead. The VMkernel always attempts to offload to the storage
array by way of VAAI, but if the offload fails, it employs its Data Mover
service.
Storage primitives were introduced in vSphere 4.1 and applied to Fibre
Channel, iSCSI, and FCoE storage only. vSphere 5.0 added primitives for
NAS storage and vSphere thin provisioning. The storage primitives discussed
in the following sections are available in vSphere 7.0.

VAAI Block Primitives

The following are the VAAI primitives for block storage:

Atomic Test and Set (ATS): Replaces the use of SCSI reservations on
VMFS datastores when updating metadata. With SCSI reservations, only
one process can establish a lock on the LUN at a time, leading to
contention and SCSI reservation errors. Metadata updates occur
whenever a thin-provisioned disk grows, a VM is provisioned, or a
vSphere administrator manually grows a virtual disk. With ATS, a lock
is placed on a sector of the VMFS datastore when updating metadata.
ATS allows larger datastores to be used without running into such
contention issues. On storage arrays that do not support VAAI, SCSI

Telegram Channel : @IRFaraExam

reservations are still used.
ATS Only Flag: Can be set on VMFS datastores that were created as
VMFS Version 5 but cannot be enabled on VMFS Version 5 datastores
that were upgraded from VMFS Version 3. The ATS Only Flag primitive
forces ATS to be used as opposed to SCSI reservations for all metadata
updates and operations. Manually enabling the ATS only flag is done via
vmkfstools, using the following syntax:
Click here to view code image
vmkfstools –configATSOnly 1 [storage path]

XCOPY (Extended Copy): Allows the VMkernel to offload cloning or

Storage vMotion migrations to the storage array, avoiding use of the
VMkernel Data Mover service.
Write Same (Zero): Used with eager zeroed thick-provisioned virtual
disks, allowing the storage device to write the zeros for the disk. This
reduces overhead on the ESXi host in terms of CPU time, DMA buffers,
and use of the device queue. Write same is used whenever you clone a
virtual machine with eager zeroed thick-provisioned disks, whenever a
thin-provisioned disk expands, or when lazy zeroed thick disks need to
be zeroed out (at first write).

VAAI NAS Primitives

The following are the VAAI primitives for NAS:

Config-vVol: Metadata
Data-vVol: VMDKs
Mem-vVol: Snapshots
Swap-vVol: Swap files
Other-vVol: Vendor solution specific

Limitations of vVols include the following:

You cannot use vVols with a standalone ESXi host.

vVols does not support RDMs.
A vVols storage container cannot span different physical arrays.
Host profiles that contain virtual datastores are vCenter Server specific.
A profile created by one vCenter Server instance cannot be applied by
another vCenter Server instance.

Storage Multipathing and Failover

vSphere provides multipathing and failover as described in this section.

Multipathing Overview

Telegram Channel : @IRFaraExam

Multipathing is used for performance and failover. ESXi hosts can balance
the storage workload across multiple paths for improved performance. In the
event of a path, adapter, or storage processor failure, the ESXi host fails over
to an alternate path.
During path failover, virtual machine I/O can be delayed for a maximum of
60 seconds. Active/passive type arrays can experience longer delays than
active/active arrays. vSphere supports several types of failover:

Fibre Channel failover: For multipathing, hosts should have at least

two HBAs in addition to redundant Fibre Channel switches (the switch
fabric) and redundant storage processors. If a host has two HBAs,
attached to two Fibre Channel switches, connected to two storage
processors, then the datastores attached to the SAN can withstand the
loss of any single storage processor, Fibre Channel switch, or HBA.
Host-based failover with iSCSI: As with Fibre Channel failover, with
host-based failover with iSCSI, hosts should have at least two hardware
iSCSI initiators or two NIC ports used with the software iSCSI initiator.
This is in addition to at least two physical switches and at least two
storage processors.
Array-based failover with iSCSI: On some storage systems, the storage
device abstracts the physical ports from the ESXi hosts, and the ESXi
hosts see only a single virtual port. The storage system uses this
abstraction for load balancing and path failover. If the physical port
where the ESXi host is attached should be disconnected, the ESXi host
automatically attempts to reconnect to the virtual port, and the storage
device redirects it to an available port.
Path failover and virtual machines: When a path failover occurs, disk
I/O could pause for 30 to 60 seconds. During this time, viewing storage
in the vSphere client or virtual machines may appear stalled until the I/O
fails over to the new path. In some cases, Windows VMs could fail if the
failover is taking too long. VMware recommends increasing the disk
timeout inside the guest OS registry to 60 seconds at least to prevent this.

Pluggable Storage Architecture (PSA)

PSA was introduced in vSphere 4 as a way for storage vendors to provide

Telegram Channel : @IRFaraExam

their own multipathing policies, which users can install on ESXi hosts. PSA
is based on a modular framework that can make use of third-party
multipathing plug-ins (MPPs) or the VMware-provided Native Multipathing
Plug-in (NMP), as illustrated in Figure 2-8.

FIGURE 2-8 Pluggable Storage Architecture

VMware provides generic native multipathing modules, called VMware

NMP and VMware HPP. In addition, the PSA offers a collection of
VMkernel APIs that third-party developers can use. Software developers can
create their own load-balancing and failover modules for a particular storage
array. These third-party MPPs can be installed on the ESXi host and run in
addition to the VMware native modules or as their replacement. When
installed, the third-party MPPs can replace the behavior of the native modules
and can take control of the path failover and the load-balancing operations for
the specified storage devices.

VMware NMP

VMware NMP supports all storage arrays listed on the VMware storage HCL
and provides a default path selection algorithm based on the array type. It

Telegram Channel : @IRFaraExam

associates a set of physical paths with a specific storage device (LUN). NMP
uses submodules, called Storage Array Type Plug-ins (SATPs) and Path
Selection Plug-ins (PSPs).
NMP performs the following operations.

Manages physical path claiming and unclaiming

Registers and unregisters logical devices
Maps physical paths with logical devices
Supports path failure detection and remediation
Processes I/O requests to logical devices:
Selects an optimal physical path
Performs actions necessary to handle path failures and I/O command
retries
Supports management tasks, such as resetting logical devices

Storage Array Type Plug-ins (SATPs)

SATPs are submodules of the VMware NMP and are responsible for array-
specific operations. The SATP handles path failover for a device. ESXi offers
an SATP for every type of array that VMware supports. ESXi also provides
default SATPs that support non-specific active/active, active/passive, ALUA,
and local devices.
Each SATP performs the array-specific operations required to detect path
state and to activate an inactive path. This allows the NMP module to work
with multiple storage arrays without being aware of the storage device
specifics.
NMP determines which SATP to use for a specific storage device and maps
the SATP with the storage device’s physical paths. The SATP implements
the following tasks:

Monitors the health of each physical path

Reports changes in the state of each physical path

Telegram Channel : @IRFaraExam

Performs array-specific actions necessary for storage failover (For
example, for active/passive devices, it activates passive paths.)

Table 2-10 provides details on the native SATP modules.

Table 2-10 SATP Module Details
SATP Module Description
VMW_SATP SATP for local direct-attached devices. Supports
_LOCAL VMW_PSP_MRU and VMW_PSP_FIXED but not
VMW_PSP_RR.
VMW_SATP Generic SATP for active/active arrays.
_DEFAULT_
AA
VMW_SATP Generic SATP for active/passive arrays.
_DEFAULT_
AP
VMW_SATP SATP for ALUA-compliant arrays.
_ALUA

Provides logical device and physical path I/O statistics

The following process occurs when VMware NMP receives an I/O request
for one of its managed storage devices:
Step 1. The NMP calls the appropriate PSP.
Step 2. The PSP selects an appropriate physical path.
Step 3. The NMP issues the I/O request on the selected path.
Step 4. If the I/O operation is successful, the NMP reports its completion.
Step 5. If the I/O operation reports an error, the NMP calls the appropriate
SATP.
Step 6. The SATP interprets the errors and, when appropriate, activates the
inactive paths.
Step 7. The PSP selects a new path for the I/O.
When coordinating the VMware native modules and any installed third-party
MPPs, the PSA performs the following tasks:

Loads and unloads MPPs

Hides virtual machine specifics from MPPs
Routes I/O requests for a specific logical device to the appropriate MPP
Handles I/O queuing to the logical devices
Shares logical device bandwidth between virtual machines
Handles I/O queuing to the physical storage HBAs

Storage Policies
Storage policies can be used to define which datastores to use when placing
virtual machines disk. The following storage policies can be created:

VM storage policies for host-based data services: These policies are

rules for services that are offered by the ESXi hosts, such as encryption.
VM storage policies for vVols: These policies allow you to set rules for

Telegram Channel : @IRFaraExam

VMs that apply to vVols datastores. This can include storage devices that
are replicated for disaster recovery purposes or have specific
performance characteristics.
VM storage policies for tag-based placement: You can create custom
policies for VMs and custom tags for storage devices. This is helpful for
storage arrays that do not support VASA and whose storage
characteristics are not visible to the vSphere client. For example, you
could create a tag named Gold and use it to identify your best-
performing storage.

Storage Policy Based Management (SPBM)

You can define a required policy for a VM, such as requiring it to reside on
fast storage. You can then use VASA or define storage tags manually. Then a
VM can only be placed on a storage device matching the requirements.

Virtual Disk Types

When creating a virtual disk, you need to determine how you are going to
allocate space to that virtual disk. The way space is allocated to a virtual disk
is through writing zeros; this process is typically referred to as zeroing out the
file. For example, if you wanted to create a 20 GB virtual disk and allocate all
of the space up front, a VMDK file is created, and 20 GB worth of zeros are
written to that file. You can determine when the zeros get written:

Eager zeroed thick: The disk space for the virtual disk files is allocated
and erased (zeroed out) at the time of creation. If the storage device
supports VAAI, this operation can be offloaded to the storage array.
Otherwise, the VMkernel writes the zeros, and this process could be
slow. This method is the slowest for virtual disk creation, but it is the
best for guest performance.
Lazy zeroed thick: The disk space for the virtual disk files is allocated
at the time of creation but not zeroed. Each block is zeroed, on demand
at runtime, prior to being presented to the guest OS for the first time.
This increases the time required for disk format operations and software
installations in the guest OS.
Thin provisioned: The disk space for the virtual disk files is not

Telegram Channel : @IRFaraExam

allocated or zeroed at the time of creation. The space is allocated and
zeroed on demand. This method is the fastest for virtual disk creation but
the worst for guest performance.

vSAN-Specific Storage Policies

vSAN storage policies define how VM objects are placed and allocated on
vSAN to meet performance and redundancy requirements. Table 2-12
describes the vSAN storage policies.
Table 2-12 vSAN Storage Policies
Polic Description
y
Pri This policy defines how many host and device failures a VM object
ma can withstand. For n failures tolerated, data is stored in n+1
ry location. (This includes parity copies with RAID 5 or 6.) If no
Le storage policy is selected at the time of provisioning a VM, this
vel policy is assigned by default. Where fault domains are used, 2n+1
of fault domains, each with hosts adding to the capacity, are required.
Fai If an ESXi host isn’t in a fault domain, it is considered to be in a
lur single-host fault domain. The default setting for this policy is 1, and
es the maximum is 3.
to
Tol
erat
e
(PF
TT
)
Sec In stretched clusters, this policy defines how many additional host
ond failures can be tolerated after a site failure’s PFTT has been
ary reached. If PFTT = 1, SFTT = 2, and one site is inaccessible, two
Le more host failures can be tolerated. The default setting for this
vel policy is 1, and the maximum is 3.
of
Fai

Telegram Channel : @IRFaraExam

lur
es
to
Tol
erat
e
(SF
TT
)
Dat If PFTT=0, this option is available. The options for this policy are
a None, Preferred, and Secondary. This allows objects to be limited to
Lo one site or one host in stretched clusters. The default setting for this
cali policy is None.
ty
Fai This policy defines whether the data replication mechanism is
lur optimized for performance or capacity. If RAID-1 (Mirroring)—
e Performance is selected, there will be more space consumed in the
Tol object placement but better performance for accessing the space. If
era RAID-5/6 (Erasure Coding)—Capacity is selected, there will be less
nce disk utilization, but performance will be reduced.
Me
tho
d
Nu This policy determines the number of capacity devices where each
mb VM object replica is striped. Setting this above 1 can improve
er performance but consumes more resources. The default setting for
of this policy is 1, and the maximum is 12.
Dis
k
Stri
pes
per
Obj
ect
Fla This policy defines the amount of flash capacity that is reserved for
sh read caching of VM objects. This is defined as a percentage of the

Telegram Channel : @IRFaraExam

Re size of the VMDK. This is supported only in hybrid vSAN clusters.
ad The default setting for this policy is 0%, and the maximum is 100%.
Ca
che
Res
erv
atio
n

For If set to yes, this policy forces provisioning of objects, even when
ce policies cannot be met. The default setting for this policy is no.
Pro
visi
oni
ng
Obj This policy defines the percentage of VMDK objects that must be
ect thick provisioned on deployment. The options are as follows:
Spa
ce
Res
erv
Thin provisioning (default value)
atio
n
25% reservation

50% reservation

75% reservation

Thick provisioning

Dis A checksum is used end-to-end in validating the integrity of the data

Telegram Channel : @IRFaraExam

abl to ensure that data copies are the same as the original. In the event
e of a mismatch, incorrect data is overwritten. If this policy is set to
Obj yes, a checksum is not calculated. The default setting for this policy
ect is no.
Ch
eck
su
m
IO This policy sets a limit for IOPS of an object. If set to 0, there is no
PS limit.
Li
mit
for
Obj
ect

Storage DRS (SDRS)

You can use vSphere Storage DRS (SDRS) to manage the storage resources
of a datastore cluster. A datastore cluster is a collection of datastores with
shared resources and a shared management interface. SDRS provides a
number of capabilities for a datastore cluster, as discussed in the following
sections.

Initial Placement and Ongoing Balancing

SDRS provides recommendations for initial virtual machine placement and
ongoing balancing operations in a datastore cluster. Optionally, SDRS can
automatically perform the recommended placements and balancing
operations. Initial placements occur when the virtual machine is being created
or cloned, when a virtual machine disk is being migrated to another datastore
cluster, and when you add a disk to an existing virtual machine. SDRS makes
initial placement recommendations (or automatically performs the placement)
based on space constraints and SDRS settings (such as space and I/O
thresholds).

Space Utilization Load Balancing

Telegram Channel : @IRFaraExam

You can set a threshold for space usage to avoid filling a datastore to its full
capacity. When space usage on a datastore exceeds the threshold, SDRS
generates recommendations or automatically performs Storage vMotion
migrations to balance space usage across the datastore cluster.

I/O Latency Load Balancing

You can set an I/O latency threshold to avoid bottlenecks. When I/O latency
on a datastore exceeds the threshold, SDRS generates recommendations or
automatically performs Storage vMotion migrations to balance I/O across the
datastore cluster.
SDRS is invoked at the configured frequency (every eight hours by default)
or when one or more datastores in a datastore cluster exceeds the user-
configurable space utilization thresholds. When Storage DRS is invoked, it
checks each datastore’s space utilization and I/O latency values against the
threshold. For I/O latency, Storage DRS uses the 90th percentile I/O latency
measured over the course of a day to compare against the threshold.

SDRS Automation Level

Table 2-13 describes the available SDRS automation levels.
Table 2-13 SDRS Automation Levels
Option Description
No Placement and migration recommendations are displayed but
Automatio do not run until you manually apply the recommendation.
n (manual
mode)
Partially Placement recommendations run automatically, and
Automate migration recommendations are displayed but do not run
d until you manually apply the recommendation.
Fully Placement and migration recommendations run
Automate automatically.
d

Telegram Channel : @IRFaraExam

SDRS Thresholds and Behavior

You can control the behavior of SDRS by specifying thresholds. You can use
the following standard thresholds to set the aggressiveness level for SDRS:

Space Utilization: SDRS generates recommendations or performs

migrations when the percentage of space utilization on the datastore is
greater than the threshold you set in the vSphere Client.
I/O Latency: SDRS generates recommendations or performs migrations
when the 90th percentile I/O latency measured over a day for the
datastore is greater than the threshold.
Space Utilization Difference: SDRS can use this threshold to ensure
that there is some minimum difference between the space utilization of
the source and the destination prior to making a recommendation. For
example, if the space used on datastore A is 82% and on datastore B is
79%, the difference is 3. If the threshold is 5, Storage DRS does not
make migration recommendations from datastore A to datastore B.
I/O Load Balancing Invocation Interval: After this interval, SDRS
runs to balance I/O load.
I/O Imbalance Threshold: Lowering this value makes I/O load
balancing less aggressive. Storage DRS computes an I/O fairness metric
between 0 and 1, with 1 being the fairest distribution. I/O load balancing
runs only if the computed metric is less than 1 – (I/O Imbalance
Threshold / 100).

SDRS Recommendations
For datastore clusters, where SDRS automation is set to No Automation
(manual mode), SDRS makes as many recommendations as necessary to
enforce SDRS rules, balance the space, and balance the I/O resources of the
datastore cluster. Each recommendation includes the virtual machine name,
the virtual disk name, the data-store cluster name, the source datastore, the
destination datastore, and a reason for the recommendation.
SDRS makes mandatory recommendations when the datastore is out of space,

Telegram Channel : @IRFaraExam

when anti-affinity or affinity rules are being violated, or when the datastore is
entering maintenance mode. SDRS makes optional recommendations when a
datastore is close to running out of space or when adjustments should be
made for space and I/O load balancing.
SDRS considers moving powered-on and powered-off virtual machines for
space balancing. Storage DRS considers moving powered-off virtual
machines with snapshots for space balancing.

Anti-affinity Rules
To ensure that a set of virtual machines are stored on separate datastores, you
can create anti-affinity rules for the virtual machines. Alternatively, you can
use an affinity rule to place a group of virtual machines on the same
datastore.
By default, all virtual disks belonging to the same virtual machine are placed
on the same datastore. If you want to separate the virtual disks of a specific
virtual machine on separate datastores, you can do so with an anti-affinity
rule.

Datastore Cluster Requirements

Datastore clusters can contain a mix of datastores having different sizes, I/O
capacities, and storage array backing. However, the following types of
datastores cannot coexist in a datastore cluster:

NFS and VMFS datastores cannot be combined in the same datastore

cluster.
Replicated datastores cannot be combined with non-replicated datastores
in the same SDRS-enabled datastore cluster.
All hosts attached to the datastores in a datastore cluster must be ESXi
5.0 and later. If datastores in the datastore cluster are connected to
ESX/ESXi 4.x and earlier hosts, SDRS does not run.
Datastores shared across multiple data centers cannot be included in a
data-store cluster.
As a best practice, all datastores in a datastore cluster should have

Telegram Channel : @IRFaraExam

identical hardware acceleration (enabled or disabled) settings.

NIOC, SIOC, and SDRS

In vSphere, you can use Network I/O Control (NIOC), Storage I/O Control
(SIOC), and SDRS to manage I/O. These features are often confused by
people in the VMware community. Table 2-14 provides a brief description of
each feature along with the chapter in this book where you can find more
detail.
Table 2-14 Comparing NIOC, SIOC, and SDRS
F Description C
e h
a a
t p
u te
r r
e
N Allows you to allocate network bandwidth to business-critical 9
I applications and to resolve situations where several types of
O traffic compete for common resources.
C
S Allows you to control the amount of storage I/O that is allocated 1
I to virtual machines during periods of I/O congestion by 1
O implementing shares and limits.
C
S Allows you to control and balance the use of storage space and 1
D I/O resources across the datastores in a datastore cluster. 1
R
S

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction,
you have some choices for exam preparation: the exercises here, Chapter 15,

Telegram Channel : @IRFaraExam

“Final Preparation,” and the exam simulation questions on the companion
website.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topics
icon in the outer margin of the page. Table 2-15 lists these key topics and the
page number on which each is found.

Table 2-15 Key Topics

Key Topic Element Description Page Number
Paragraph Raw device mapping 38
Figure 2-4 A two-node vSAN cluster 55
Paragraph vSAN stretched clusters 56
List vSAN limitations 59
Paragraph Native multipathing plug-in 75
Paragraph SDRS thresholds and behavior 82

Complete Tables and Lists from Memory

Define Key Terms

Define the following key terms from this chapter and check your answers in
the glossary:
raw device mapping (RDM)
I/O filter

Telegram Channel : @IRFaraExam

disk group
witness host
vSAN File Services
virtual volume
Virtual Volumes (vVols)

Review Questions
1. You are deploying datastores in a vSphere environment and want to
use the latest VMFS version that supports ESXi 6.5 and ESXi 7.0.
Which version should you use?
a. VMFS Version 3
b. VMFS Version 4
c. VMFS Version 5
d. VMFS Version 6
2. You are preparing to manage and troubleshoot a vSAN
environment. Which of the following is a command-line interface
that provides a cluster-wide view and is included with the vCenter
Server deployment?
a. VMware PowerCLI
b. vSAN Observer
c. Ruby vSphere Console
d. esxcli
3. You want to integrate vSphere with your storage system. Which of
the following provides software components that integrate with
vSphere to provide information about the physical storage
capabilities?
a. VASA
b. VAAI
c. SATP
d. NMP

Telegram Channel : @IRFaraExam

4. Which of the following is the default path selection policy for most
active/passive storage devices?
a. VMW_PSP_MRU
b. VMW_PSP_FIXED
c. VMW_PSP_RR
d. VMW_PSP_AP
5. You are deploying virtual machines in a vSphere environment.
Which virtual disk configuration provides the best performance for
the guest OS?
a. Thin provisioned
b. Thick eager zeroed
c. Thick lazy zeroed
d. Thin eager zeroed

Telegram Channel : @IRFaraExam

Chapter 3

Network Infrastructure
This chapter covers the following topics:

Networking Terms and Concepts

vSphere Standard Switch (vSS)
vSphere Distributed Switch (vDS)
vDS Settings and Features
Other vSphere Networking Features

This chapter contains information related to Professional VMware vSphere

7.x (2V0-21.20) exam objectives 1.4, 1.7, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 4.2, 4.14,
and 5.4.

Networking Terms and Concepts

Computer networking is built on the TCP/IP protocol suite, which enables all
types of computers, from many different vendors, to communicate with one
another. This section introduces essential network terminology and concepts
for a vSphere environment.

Traditional Networking Terminology

It is important to be familiar with the following commonly used networking
terminology:

Telegram Channel : @IRFaraExam

TCP/IP: Transmission Control Protocol/Internet Protocol (TCP/IP) is a
model used in the Internet that allows computers to communicate over
long distances. It was developed by the U.S. Department of Defense
(DOD) in the 1970s and is defined in RFC documents. It includes
components that break data into packets, deliver the packets to the proper
destination, and reassemble data from the packets.
RFC: Requests for Comments (RFCs) are the rules of the Internet and
are managed by the Internet Engineering Task Force (IETF). Anyone can
register to attend an IETF meeting and help draft and define the
standards of communication for the Internet.
Physical network: A physical network consists of physical network
devices and cabling that allows physical machines, such as ESXi servers,
to connect and communicate with other physical machines. A key
component of a physical network is the physical Ethernet switch.
MAC address: Each network-connected device has a media access
control (MAC) address. You can think of a MAC address as the physical
network address of a device. Each server on a network has one or more
network interface cards (NICs) that it uses to connect to the network.
Each NIC has a unique MAC address. The MAC address is used to
identify devices in an Ethernet network.
IP address: In addition to having a MAC address, a device is likely
assigned a unique IP address. IP addresses are used to identify devices in
an IP network such as the Internet and private subnets.
Physical Ethernet switch: A physical Ethernet switch manages network
traffic between devices that are directly connected to its ports. A switch
has multiple ports, each of which can be connected to a single device or
to another switch. The switch learns the MAC address of each connected
device and uses it to build a MAC address table that maps the address to
its port number. An Ethernet switch (also called a Layer 2 switch) acts as
a traffic cop, directing each received network packet to the proper port,
based on the data in the MAC address table. Layer 3 switches use IP
routing tables to route traffic between subnets.
Opaque network: An opaque network is a network created and
managed by a separate entity outside vSphere, such as a logical segment

Telegram Channel : @IRFaraExam

created by VMware NSX-T. The opaque network appears as an object in
the vSphere Client, but the vCenter Server cannot manage it. You can
use the NSX Manager in NSX-T to manage an opaque network.
EtherChannel: An EtherChannel is a logical channel formed by
bundling together two or more links to aggregate bandwidth and provide
redundancy. Other acceptable names for EtherChannel (an IOS term) are
port channel (an NX-OS term) and link aggregation group (LAG).
LACP: Link Aggregation Control Protocol (LACP) is a standards-based
negotiation protocol used to dynamically build an EtherChannel. It is
also known as IEEE 802.1ax (or IEEE 802.3ad). LACP is used to build
EtherChannels (LAGs) dynamically. EtherChannels can also be built
statically without the use of LACP.
IEEE 802.1ax: This is the IEEE working group that defines port
channel, EtherChannel, and link aggregation. Originally, the working
IEEE group was 802.3ad, but in 2008 it was replaced by 802.1ax.
IEEE 802.3ad: This is the original IEEE working group for port
channel, EtherChannel, and link aggregation. Although it has been
replaced with 802.1ax, it is still referred to as IEEE 802.3ad.

Virtual NICs
Much as a physical server may have multiple NICs to connect to physical
networks, a virtual machine may have multiple virtual NICs (vNICs) to
connect to virtual networks. Much like a physical NIC, each vNIC has a
unique MAC address. The vNIC appears as a traditional NIC to a virtual
machine’s guest OS. The guest OS can assign IP addresses to vNICs.
In addition to requiring network connectivity for virtual machine networking,
ESXi requires network connectivity for host management activities and other
purposes. To accommodate this need, you should configure one or more
VMkernel virtual network adapters on each host. For example, when
connecting the vCenter Server or the vSphere Host Client to an ESXi host,
you provide the address (IP address or fully qualified host name) of a
VMkernel virtual network adapter that is enabled for management traffic.
Much as a virtual machine can use multiple virtual network adapters, each
ESXi host may use multiple VMkernel network adapters.

Telegram Channel : @IRFaraExam

Virtual Switch Concepts
A virtual switch is a software construct that acts much like a physical switch
to provide networking connectivity for virtual devices within an ESXi host.
Each virtual machine may use vNICs to connect to virtual ports on virtual
switches. To gain access to the physical network, one or more of the host’s
physical NICs should be connected to the virtual switch as uplinks. The
virtual switch, which resides in the VMkernel, provides traffic management
for all vNICs in the host and all the uplink’s incoming and outgoing Ethernet
frames.
A virtual switch works at Layer 2 of the OSI model. It can send and receive
data, provide VLAN tagging, and provide other networking features. A
virtual switch maintains a MAC address table that contains only the MAC
addresses for the vNICs that are directly attached to the virtual switch. When
an Ethernet frame is received by the virtual switch, it passes the frame to the
appropriate port, based on its internal MAC address table. The virtual switch
updates the physical switch with its internal MAC address table using ARP.
With vSphere 4.0, VMware renamed the original virtual switch vSphere
Standard Switch (vSS) and introduced the vSphere Distributed Switch (vDS).
A vSS and a vDS behave similarly but are managed and controlled
differently. Each vSS is configured and managed by a specific ESXi host. A
vDS is configured and managed by the vCenter Server, which pushes the
switch’s configuration to each participating host. The vDS has many more
features than the vSS. All new features are built into the new vDS, while the
vSS capabilities are limited.
Each virtual switch has many virtual ports. You can configure port groups
(standard port groups) on a vSS. You can configure ports (distributed ports)
and port groups (distributed port groups) on a vDS.

VLANs
A virtual LAN (VLAN) is a logical partition of a physical network at the data
link layer (Layer 2). A VLAN is typically associated with a broadcast domain
and is used to isolate the traffic from other networks. A broadcast domain is a
collection of network devices that can receive traffic destined to a broadcast
address. A physical switch, by default, adheres to this behavior. With VLAN

Telegram Channel : @IRFaraExam

technology, the switch allows a single physical network to be divided into
multiple network segments. This is achieved by modifying a unique header of
the Ethernet frame and adding a tag to identify the membership within a
specific VLAN. A VLAN can be used to subdivide a broadcast domain to
limit the number of network devices that can communicate when a broadcast
packet is sent.

Table 3-2 lists some advantages and disadvantages for selecting Route Based
on IP Hash.
Table 3-2 Advantages and Disadvantages of IP Hash NIC Teaming
Advantages Disadvantages
A more even distribution of the load Highest resource
compared to Route Based on Originating consumption compared to
Virtual Port and Route Based on Source the other load-balancing
MAC Hash algorithms

Requires changes on the

A potentially higher throughput for virtual
physical network.
machines that communicate with multiple IP
addresses
Complex to troubleshoot

Network Security Policies

As an administrator, you can define network security policies to protect
network traffic against MAC address impersonation and unwanted port
scanning. The security policies of the virtual switches are implemented in
Layer 2 of the TCP/IP stack. You can use the network security policies to
secure traffic against Layer 2 attacks.
It is important to understand how the virtual machine MAC addresses are
defined, since they play a part in the security policies. Each vNIC in a virtual
machine has an initial MAC address and an effective MAC address. The
initial MAC address is assigned when the adapter is created. It can be

Telegram Channel : @IRFaraExam

modified from outside the guest operating system, but it cannot be changed
by the guest operating system. The effective MAC address is typically
assigned the same value as the initial MAC address when the adapter is
created. The effective MAC address can be changed by the guest OS. The
effective MAC address is used when filtering incoming packets. When the
guest OS changes the effective MAC address, the adapter receives packets
destined for the new effective MAC address. When sending a packet, the
guest OS typically places its effective MAC address in the source MAC
address field of the Ethernet frame.
A guest OS can send frames with an impersonated source MAC address,
which facilitates impersonation and malicious attacks. To guard against this
risk, you can leverage security policies on vSS port groups and vDS
distributed port groups. There are three available options for the network
security policies:

Promiscuous Mode: For a vSS port group, the default value is Reject.
By default, the vNIC receives only those frames that match the effective
MAC address. If this option is set to Accept, the virtual switch sends all
frames on the wire to the vNIC, allowing virtual machines to receive
packets that are not destined for them. This setting allows the use of tools
such as tcpdump and Wireshark inside a guest operating system.
MAC Address Changes: For a vSS port group, the default value is
Accept. By default, ESXi accepts the effective MAC address change. If
this option is set to Reject, the behavior changes such that ESXi does not
honor requests to change the effective MAC address to an address that is
different from the initial MAC address. Instead, it disables the virtual
switch port until the effective MAC address matches the initial MAC
address. The guest OS is unaware that the request was not honored.
Forged Transmits: For a vSS port group, the default value is Accept.
By default, ESXi does not compare source and effective MAC addresses
and does not drop the packet due to a mismatch. If this option is set to
Reject, ESXi compares the source and effective MAC addresses and
drops the packet if the addresses do not match.

Note

Telegram Channel : @IRFaraExam

In a vDS, the default value for each of these three security options is
Reject.

Traffic Shaping Policy

A virtual machine’s network bandwidth can be controlled by enabling traffic
shaping. Traffic shaping is defined by average bandwidth, peak bandwidth,
and burst size. Network traffic shaping can be configured on standard
switches or distributed switches, but by default, traffic shaping is disabled.
You can apply a traffic shaping policy to each vSS port group, each vDS
distributed port, or each vDS distributed port group. On a standard switch,
traffic shaping can be configured only for outbound traffic. On a vDS, it can
be configured for both outbound and inbound traffic. When you enable traffic
shaping for a standard switch or port group, you can configure the following
options:

Average Bandwidth: This is the allowed average load for a port. It is

Teaming and Failover

Security
Traffic Shaping
VLAN

As mentioned earlier, you can apply these policies at the distributed port
group and distributed port levels.

Telegram Channel : @IRFaraExam

A physical adapter is available that can supply the guaranteed bandwidth

to the VM network adapters.
The virtual network adapter’s reservation is less than the free quota in
the network resource pool.

With NIOC Version 3, a vSphere DRS cluster places the virtual machine on a
host that can fulfill the reserved bandwidth for the virtual machine, according
to the active teaming policy. In the following situations, vSphere DRS
migrates a virtual machine to another host to satisfy the virtual machine’s
bandwidth reservation:

The reservation is changed to a value that the initial host can no longer
satisfy.
A physical adapter that carries traffic from the virtual machine is offline.

In the event of a host failure or isolation, vSphere HA powers on a virtual

machine on another host in the cluster, according to the bandwidth
reservation and teaming policy. To use network admission control in a
vSphere DRS or vSphere HA cluster, you should perform the following
tasks:

Allocate bandwidth for the virtual machine system traffic.

Configure the bandwidth requirements of virtual machines connected to
the distributed switch.

NetFlow and Monitoring Policy

Telegram Channel : @IRFaraExam

Cisco introduced the NetFlow feature in the mid-1990s, and eventually it
became an open source feature controlled by the IETF. VMware added
NetFlow Version 5 to the vSphere 5.0 release. NetFlow is a switch feature
that collects IP network traffic as it enters or exits an interface. NetFlow data
provides an overview of traffic flows, based on the network source and
destination. The main purpose is to collect IP network traffic that is flowing
through a vDS. The current supported version for the vDS is NetFlow
Version 10, which is identified as IPFIX.
NetFlow allows administrators to forward network flows to a centralized
NetFlow collector. These flows can include virtual machine-to-virtual
machine flows, virtual machine-to-physical device flows, and physical
device-to-virtual machine flows. The collector can be a physical device on
the network or a virtual machine. The collector gathers the flows to enable
network analysis and troubleshooting. You can set a sampling rate to collect
network flows. For example, if you set the sampling rate to 4, NetFlow
samples one packet and then drops (skips) the next four packets. If the
sampling rate is zero, NetFlow samples every packet (that is, skips zero
packets).
By default, NetFlow is turned off on a vDS. If you enable it, you can set the
Collector IP Address, Collector Port, and other settings. To collect data from
only the virtual machines on the same host, you can enable Process Internal
Flows Only.
After configuring NetFlow on a vDS, you can configure monitoring policies
on vDS port groups and ports.

Traffic Filtering and Marking Policy

With a vDS, you can implement a traffic filtering and marking policy to
protect the virtual network from unwanted traffic and security attacks. The
traffic filtering in a vDS uses simple filtering rules, much like the filtering in
many physical switches. As an example, you could create a simple Permit
rule that allows the specified traffic while blocking everything else. Or you
could create a Deny rule that blocks the specified traffic while allowing
everything else.
A marking policy allows you to mark traffic with a priority tag that is used
during times of contention on a physical switch. In essence, it allows you to

Telegram Channel : @IRFaraExam

Distributed Port Monitoring: Mirrors packets from a set of distributed

ports to other distributed port groups.
Remote Mirroring Source: Mirrors packets from a set of distributed
ports to specific uplinks.
Remote Mirroring Destination: Mirrors packets from a set of VLANs
to distributed ports.
Encapsulated Remote Mirroring (L3) Source: Mirrors packets from a
set of distributed ports to the IP address of a remote agent.

The session properties are dependent on the session type and include the
following settings:

Name: Uniquely identifies the session.

Status: Enables or disables the session.
Description: Describes the session.
Sampling Rate: Sets the rate at which packets are sampled.
Normal I/O on Destination Ports: Available only for distributed port
and uplink destinations. You can disable this option to allow mirrored
traffic out on destination ports but disallow mirrored traffic in on

Telegram Channel : @IRFaraExam

TCP Segmentation Offload (TSO, which is referred to as large segment
offload or large send offload [LSO] in VMXNET3’s latest attributes) allows
the segmentation of traffic to be offloaded from the virtual machine and from
the VMkernel to the physical NIC. The network adapter separates large
frames (up to 64 KB) into MTU-sized frames. One of the jobs of the TCP
layer is to segment the data stream to the size of the Ethernet frame. If the
frame size is 1500 bytes and an application is transmitting 8 Kbps, it is the
job of the TCP layer to segment it down to 1500-byte packets. This occurs in
the guest operating system. However, if a physical NIC supports TSO, the
adapter can do the work instead, resulting in less overhead and better
performance. To use TSO, it must be enabled along the data path, including
the physical NIC, vNIC, VMkernel, and guest OS. By default, it is enabled in
the VMkernel, the VMXNET2 vNIC, and the VMXNET 3 vNIC.

DirectPath I/O
DirectPath I/O allows a virtual machine to access physical PCI functions on
platforms that have an I/O memory management unit (IOMMU). You can
enable DirectPath I/O passthrough for a physical NIC on an ESXi host to
enable efficient resource usage and to improve performance. After enabling
DirectPath I/O on the physical NIC on a host, you can assign it to a virtual
machine, allowing the guest OS to use the NIC directly and bypassing the
virtual switches.

Note
Do not enable DirectPath I/O passthrough for the USB controller for an
ESXi host that is configured to boot from a USB device or an SD card
attached to a USB channel.

Telegram Channel : @IRFaraExam

The following features are not available for DirectPath-enabled virtual
machines:

Hot addition and removal of virtual devices

Suspend and resume
Record and replay
Fault tolerance
High availability
DRS (The virtual machine can be part of a cluster but cannot migrate
across hosts.)
Snapshots

Single Root I/O Virtualization (SR-IOV)

Single Root I/O Virtualization (SR-IOV) is a feature that allows a single
Peripheral Component Interconnect Express (PCIe) device to appear as
multiple devices to the hypervisor (ESXi) or to a virtual machine’s guest
operating system. SR-IOV is useful for supporting an application in a guest
OS that is sensitive to network latency.
SR-IOV-enabled devices provide virtual functions (VFs) to the hypervisor or
guest operating system. VFs are lightweight PCIe functions that support data
exchange with limited support for configuration changes. The virtual
machine can take advantage of SR-IOV by exchanging Ethernet frames
directly with the physical network adapter, bypassing the VMkernel. This
improves network performance by reducing latency and improves CPU
efficiency. The downside of this approach is that the environment must meet
certain requirements, and several features are not supported.
Although a virtual switch (vSS or vDS) does not handle the network traffic of
an SR-IOV-enabled virtual machine, you can control the assigned VFs by
using switch configuration policies at the port group level or port level. For
example, the VF driver (guest OS) cannot modify the MAC address if it is
not allowed in the security policy for the port group or port.
To use SR-IOV in vSphere 7.0, your environment must meet the
requirements described in Table 3-5.

Telegram Channel : @IRFaraExam

Table 3-5 SR-IOV Requirements
Component Requirements
Physical host Must use an Intel or AMD processor.

Must support IOMMU and SR-IOV.

IOMMU and SR-IOV must be enabled in the BIOS.

Physical network Must be supported by the server vendor for use with
adapter the host system and SR-IOV for the specific ESXi
release.

SR-IOV must be enabled in the firmware.

Must use MSI-X interrupts.

Physical function Must be certified by VMware.
(PF) driver in
ESXi Must be installed on the ESXi host, which may
require custom installation.
Guest OS Must be supported by the NIC vendor for the specific
ESXi release.
Virtual function Must be compatible with the NIC and supported on
(VF) driver in the guest OS release.
guest OS
Must be Microsoft WLK or WHCK certified for
Windows virtual machines.

Must be installed on the operating system and may

require custom installation.
The following features are not available for SR-IOV-enabled virtual
machines, and attempts to configure these features may result in unexpected
behavior:

The following NICs are supported for virtual machines configured with SR-
IOV:

Products based on the Intel 82599ES 10 Gigabit Ethernet Controller

Family (Niantic)
Products based on the Intel Ethernet Controller X540 Family (Twinville)
Products based on the Intel Ethernet Controller X710 Family (Fortville)
Products based on the Intel Ethernet Controller XL170 Family (Fortville)
Emulex OneConnect (BE3)

Each NIC must have SR-IOV-supported drivers and may require SR-IOV to

Telegram Channel : @IRFaraExam

be enabled on the firmware.
An SR-IOV NIC can operate in one of three modes in ESXi:

Non SR-IOV Mode: The NIC is not used to provide VFs to virtual
machines.
SR-IOV Only Mode: The NIC provides VFs to virtual machines but
does not back other virtual machine traffic. In the vSphere Client, the
NIC appears in a separate list (External SR-IOV Adapters) in the switch
topology page.
Mixed Mode. The NIC services virtual machines with and without SR-
IOV.

DirectPath I/O and SR-IOV offer similar performance benefits and trade-offs,
but you use them to accomplish different goals. You can use SR-IOV in
workloads with extremely high packet rates or very low latency requirements,
where you want multiple virtual machines to share the same physical NIC
(with the same physical function). With DirectPath I/O, you can map only
one physical NIC to one virtual machine.

VMkernel Networking and TCP/IP Stacks

The VMkernel networking layer provides connectivity for the hypervisor and
handles system services traffic, such as management, vMotion, IP-based
storage, provisioning, Fault Tolerance logging, vSphere Replication, vSphere
Replication NFC, and vSAN. You can create multiple VMkernel virtual
network adapters to support these services. For each VMkernel adapter, you
can select which system service it supports. Each VMkernel adapter requires
IP configuration and virtual switch configuration. You can choose to
configure multiple system services to share networks, or you can configure a
separate network for each system service. In addition to using separate virtual
and physical network infrastructure to support each system service, you can
use separate VMkernel TCP/IP stacks.
The VMkernel provides multiple TCP/IP stacks that you can use to isolate
the system services traffic. You can use the preexisting stacks (default,
vMotion, and Provisioning) and create custom stacks, as described here:

Telegram Channel : @IRFaraExam

Default TCP/IP stack: This stack provides networking support for
management traffic and for all VMkernel traffic types. You can choose
to use just this stack and ignore the other available stacks.
vMotion TCP/IP stack: This stack supports the traffic for vMotion. You
can use this stack to improve the isolation for the vMotion traffic. After
you create a VMkernel adapter on this stack, you can no longer use the
default stack for vMotion. (vMotion is automatically disabled on
VMkernel adapters on the default stack.)
Provisioning TCP/IP stack: This stack supports the traffic for virtual
machine cold migration, cloning, and snapshot migration. It also
supports the Network File Copy (NFC) traffic used for cloning virtual
disks with long-distance vMotion. You can use this stack to isolate
provisioning traffic and place it on a separate gateway. After you create a
VMkernel adapter on this stack, you can no longer use the default stack
for provisioning. (Provisioning is automatically disabled on VMkernel
adapters on the default stack.)
Custom TCP/IP stack: You can create custom stacks to isolate the
networking of custom applications.

When you create a VMkernel virtual network adapter, you should configure
the settings described in Table 3-6.
Table 3-6 VMkernel Adapter Settings
Setting Description
IP Settings Provide IPv4 or IPv6 configuration details, such as IPv4
address, mask, and gateway.
MTU Set this option as described in the “MTU” section in this
chapter.
TCP/IP Select a standard or custom stack, as described in this
Stack section.
Available Select which of the following system services to enable for
Services the adapter:

Complete Tables and Lists from Memory

Define Key Terms

Telegram Channel : @IRFaraExam

Distributed Resource Scheduler (DRS) 2–4
vSphere High Availability (HA) 5–7
Other Resource Management and Availability Features 8–10

1. You are configuring EVC Mode in a vSphere cluster that uses Intel
hardware. Which of the following values should you choose to set
the EVC Mode to the lowest level that includes the SSE4.2
instruction set?
a. Merom
b. Penryn
c. Nehalem
d. Westmere
2. In vSphere 7.0, you want to configure the DRS migration threshold
such that it is at the minimum level at which the virtual machine
happiness is considered. Which of the following values should you
choose?
a. Level 1
b. Level 2
c. Level 3
d. Level 4
e. Level 5
3. Which of the following is not a good use for resource pools in
DRS?
a. To delegate control and management
b. To impact the use of network resources
c. To impact the use of CPU resources
d. To impact the use of memory resources
4. You need your resource pool to use a two-pass algorithm to
allocate reservations. In the second pass, excess pool reservation is

Telegram Channel : @IRFaraExam

allocated proportionally to virtual machines (limited by virtual
machine size). Which step should you take?
a. Ensure that vSphere 6.7 or higher is used.
b. Ensure that vSphere 7.0 or higher is used.
c. Enable scalable shares.
d. Enable expandable reservations.
5. You are configuring vSphere HA in a cluster. You want to
configure the cluster to use a specific host as a target for failovers.
Which setting should you use?
a. Host Failures Cluster Tolerates
b. Define Host Failover Capacity By set to Cluster Resource
Percentage
c. Define Host Failover Capacity By set to Slot Policy
(Powered-on VMs)
d. Define Host Failover Capacity By set to Dedicated Failover
Hosts
e. Define Host Failover Capacity By set to Disabled
6. You are enabling VM Monitoring in a vSphere HA cluster. You
want to set the monitoring level such that its failure interval is 60
seconds. Which of the following options should you choose?
a. High
b. Medium
c. Low
d. Normal
7. You are configuring Virtual Machine Component Protection
(VMCP) in a vSphere HA cluster. Which of the following
statements is true?
a. For PDL and APD failures, you can control the restart policy
for virtual machines by setting it to Conservative or

Telegram Channel : @IRFaraExam

It only makes recommendations.
Partially Automated: DRS automatically places virtual machines as
they power on. It makes recommendations for virtual machine
migrations.
Fully Automated: DRS automatically places and migrates virtual
machines.

You can override Automation Mode at the virtual machine level.

Recent DRS Enhancements

VMware added many improvements to DRS beginning in vSphere 6.5. For
example, in vSphere 7.0, DRS runs once every minute rather than every 5
minutes, as in older DRS versions. The newer DRS versions tend to
recommend smaller (in terms of memory) virtual machines for migration to
facilitate faster vMotion migrations, whereas older versions tend to
recommend large virtual machines to minimize the number of migrations.
Older DRS versions use an imbalance metric that is derived from the
standard deviation of load across the hosts in the cluster. Newer DRS
versions focus on virtual machine happiness. Newer DRS versions are much
lighter and faster than the older versions.

Telegram Channel : @IRFaraExam

Newer DRS versions recognize that vMotion is an expensive operation and
account for it in their recommendations. In a cluster where virtual machines
are frequently powered on and the workload is volatile, it is not necessary to
continuously migrate virtual machines. DRS calculates the gain duration for
live migrating a virtual machine and considers the gain duration when
making recommendations.
The following sections provide details on other recent DRS enhancements.

Network-Aware DRS

In vSphere 6.5, DRS considers the utilization of host network adapters during
initial placement and load balancing, but it does not balance the network
load. Instead, its goal is to ensure that the target host has sufficient available
network resources. It works by eliminating hosts with saturated networks
from the list of possible migration hosts. The threshold used by DRS for
network saturation is 80% by default. When DRS cannot migrate VMs due to
network saturation, the result may be an imbalanced cluster.
In vSphere 7.0, DRS uses a new cost modeling algorithm that is flexible and
balances network bandwidth along with CPU and memory usage.

Virtual Machine Distribution

Starting in vSphere 6.5, you can enable an option to distribute a more even
number of virtual machines across hosts. The main use case for this is to
improve availability. The primary goal of DRS—to ensure that all VMs are
getting the resources they need and that the load is balanced in the cluster—
remains unchanged. But with this new option enabled, DRS also tries to
ensure that the number of virtual machines per host is balanced in the cluster.

Memory Metric for Load Balancing

Historically, vSphere has used the Active Memory metric for load-balancing
decisions. In vSphere 6.5 and 6.7, you have the option to set DRS to balance
the load based on the Consumed Memory metric. In vSphere 7.0, the Granted
Memory metric is used for load balancing, and no cluster option is available

Telegram Channel : @IRFaraExam

to change the behavior.

Virtual Machine Initial Placement

Starting with vSphere 6.5, DRS uses a new initial placement algorithm that is
faster, lighter, and more effective than the previous algorithm. In earlier
versions, DRS takes a snapshot of the cluster state when making virtual
machine placement recommendations. In the algorithm, DRS does not
snapshot the cluster state, which allows for faster and more accurate
recommendations. With the new algorithm, DRS powers on virtual machines
much more quickly. In vSphere 6.5, the new placement feature is not
supported for the following configurations:

Clusters where DPM, Proactive HA, or HA Admission Control is

enabled
Clusters with DRS configured in Manual Mode
Virtual machines with the Manual DRS Override setting enabled
Virtual machines that are FT enabled
Virtual machines that are part of a vApp

In vSphere 6.7, the new placement is available for all configurations.

Enhancements to the Evacuation Workflow

Prior to vSphere 6.5, when evacuating a host entering Maintenance Mode,
DRS waited to migrate templates and powered off virtual machines until after
the completion of vMotion migrations, leaving those objects unavailable for
use for a long time. Starting in vSphere 6.5, DRS prioritizes the migration of
virtual machine templates and powered-off virtual machines over powered-on
virtual machines, making those objects available for use without waiting on
vMotion migrations.
Prior to vSphere 6.5, the evacuation of powered-off virtual machines was
inefficient. Starting in vSphere 6.5, these evacuations occur in parallel,
making use of up to 100 re-register threads per vCenter Server. This means
that you may see only a small difference when evacuating up to 100 virtual
machines.

Telegram Channel : @IRFaraExam

Starting in vSphere 6.7, DRS is more efficient in evacuating powered-on
virtual machines from a host that is entering Maintenance Mode. Instead of
simultaneously initiating vMotion for all the powered-on VMs on the host, as
in previous versions, DRS initiates vMotion migrations in batches of eight at
a time. Each vMotion batch is issued after the previous batch completes. The
vMotion batching makes the entire workflow more controlled and
predictable.

DRS Support for NVM

Starting in vSphere 6.7, DRS supports virtual machines running on next-
generation persistent memory devices, known as non-volatile memory
(NVM) devices. NVM is exposed as a datastore that is local to the host.
Virtual machines can use the datastore as an NVM device exposed to the
guest (Virtual Persistent Memory [vPMem]) or as a location for a virtual
machine disk (Virtual Persistent Memory Disk [vPMemDisk]). DRS is aware
of the NVM devices used by virtual machines and guarantees that the
destination ESXi host has enough free persistent memory to accommodate
placements and migrations.

How DRS Scores VMs

Historically, DRS balanced the workload in a cluster based on host compute

resource usage. In vSphere 7.0, DRS balances the workload based on virtual
machine happiness. A virtual machine’s DRS score is a measure of its
happiness, which, in turn, is a measure of the resources available for
consumption by the virtual machine. The higher the DRS score for a VM, the
better its resource availability. DRS moves virtual machines to improve their
DRS scores. DRS also calculates a DRS score for a cluster, which is a
weighted sum of the DRS scores of all the virtual machines in the cluster.
In Sphere 7.0, DRS calculates the core for each virtual machine on each ESXi
host in the cluster every minute. Simply put, DRS logic computes an ideal
throughput (demand) and an actual throughput (goodness) for each resource
(CPU, memory, and network) for each virtual machine. The virtual machine’s
efficiency for a particular resource is a ratio of the goodness over the demand.

Telegram Channel : @IRFaraExam

A virtual machine’s DRS score (total efficiency) is the product of its CPU,
memory, and network efficiencies.
When calculating the efficiency, DRS applies resource costs. For CPU
resources, DRS includes costs for CPU cache, CPU ready, and CPU tax. For
memory resources, DRS includes costs for memory burstiness, memory
reclamation, and memory tax. For network resources, DRS includes a
network utilization cost.
DRS compares a virtual machine’s DRS score for the host on which it
currently runs. DRS determines whether another host can provide a better
DRS score for the virtual machine. If so, DRS calculates the cost for
migrating the virtual machine to the host and factors that score into its load-
balancing decision.

DRS Rules
You can configure rules to control the behavior of DRS.
A VM–host affinity rule specifies whether the members of a selected virtual
machine DRS group can run on the members of a specific host DRS group.
Unlike a virtual machine–to–virtual machine (VM–VM) affinity rule, which
specifies affinity (or anti-affinity) between individual virtual machines, a
VM–host affinity rule specifies an affinity relationship between a group of
virtual machines and a group of hosts. There are required rules (designated
by “must”) and preferential rules (designated by “should”).
A VM–host affinity rule includes the following components:

One virtual machine DRS group

One host DRS group
A designation of whether the rule is a requirement (“must”) or a
preference (“should”) and whether it is affinity (“run on”) or anti-affinity
(“not run on”)

A VM–VM affinity rule specifies whether selected individual virtual

machines should run on the same host or be kept on separate hosts. This type
of rule is used to create affinity or anti-affinity between individual virtual
machines. When an affinity rule is created, DRS tries to keep the specified

Telegram Channel : @IRFaraExam

virtual machines together on the same host. You might want to do this, for
example, for performance reasons.
With an anti-affinity rule, DRS tries to keep the specified virtual machines
apart. You can use such a rule if you want to guarantee that certain virtual
machines are always on different physical hosts. In that case, if a problem
occurs with one host, not all virtual machines are at risk. You can create
VM–VM affinity rules to specify whether selected individual virtual
machines should run on the same host or be kept on separate hosts.
VM–VM affinity rule conflicts can occur when you use multiple VM–VM
affinity and VM–VM anti-affinity rules. If two VM–VM affinity rules are in
conflict, you cannot enable both of them. For example, if one rule keeps two
virtual machines together and another rule keeps the same two virtual
machines apart, you cannot enable both rules. Select one of the rules to apply
and disable or remove the conflicting rule. When two VM–VM affinity rules
conflict, the older one takes precedence, and the newer rule is disabled. DRS
tries to satisfy only enabled rules and ignores disabled rules. DRS gives
higher precedence to preventing violations of anti-affinity rules than
violations of affinity rules.

Shares are typically set to High, Normal, or Low, and these values
specify share values with a 4:2:1 ratio. You can also select Custom
and assign a specific number of shares (to express a proportional
weight).

A resource pool uses its shares to compete for the parent’s resources
and is allocated a portion based on the ratio of the pool’s shares
compared with its siblings. Siblings share the parent’s resources
according to their relative share values, bounded by the reservation
and limit.

For example, consider a scenario where a cluster has two child

resource pools with normal CPU shares, another child resource pool
with high CPU shares, and no other child objects. During periods of
contention, each of the pools with normal shares would get access to
25% of the cluster’s CPU resources, and the pool with high shares
would get access to 50%.
R A reservation specifies the guaranteed minimum allocation for a
e virtual machine or a resource pool. A CPU reservation is expressed in
s megahertz, and a memory reservation is expressed in megabytes. You
er can power on a virtual machine only if there are enough unreserved
v resources to satisfy the reservation of the virtual machine. If the
at virtual machine starts, then it is guaranteed that amount, even when
io the physical server is heavily loaded.
n
s
For example, if you configure the CPU reservation for each virtual
machine as 1 GHz, you can start eight VMs in a resource pool where
the CPU reservation is set for 8 GHz and expandable reservations are
disabled. But you cannot start additional virtual machines in the pool.

You can use reservations to guarantee a specific amount of resources

for a resource pool. The default value for a resource pool’s CPU or
memory reservation is 0. If you change this value, it is subtracted

Telegram Channel : @IRFaraExam

from the unreserved resources of the parent. The resources are
considered reserved, regardless of whether virtual machines are
associated with the resource pool.
E You can enable expandable reservations to effectively allow a child
x resource pool to borrow from its parent. Expandable reservations,
p which are enabled by default, are considered during admission
a control. When powering on a virtual machine, if the resource pool
n does not have sufficient unreserved resources, the resource pool can
d use resources from its parent or ancestors.
a
bl
e For example, say that in a resource pool where 8 GHz is reserved and
re expandable reservations is disabled, you try to start nine virtual
s machines each with 1 GHz, but the last virtual machine does not start.
er If you enable expandable reservation in the resource pool, and its
v parent pool (or cluster) has sufficient unreserved CPU resources, you
at can start the ninth virtual machine.
io
n
s
L A limit specifies an upper bound for CPU or memory resources that
i can be allocated to a virtual machine or a resource pool.
m
it
s You can set a limit on the amount of CPU and memory allocated to a
resource pool. The default is unlimited. For example, if you power on
multiple CPU-intensive virtual machines in a resource pool, where
the CPU limit is 10 GHz, then, collectively, the virtual machines
cannot use more than 10 GHz CPU resources, regardless of the pool’s
reservation settings, the pool’s share settings, or the amount of
available resources in the parent.
Table 4-6 provides the CPU and memory share values for virtual machines
when using the High, Normal, and Low settings. The corresponding share
values for a resource pool are equivalent to those of a virtual machine with
four vCPUs and 16 GB memory.

Telegram Channel : @IRFaraExam

Table 4-6 Virtual Machine Shares
Setting CPU Share Value Memory Share Value
High 2000 per vCPU 20 per MB
Normal 1000 per vCPU 10 per MB
Low 500 per vCPU 5 per MB
For example, the share values for a resource pool configured with normal
CPU shares and high memory shares are 4000 (that is, 4 × 1000) CPU shares
and 327,680 (that is, 16 × 1024 × 20) memory shares

Note
The relative priority represented by each share changes with the
addition and removal of virtual machines in a resource pool or cluster.
It also changes as you increase or decrease the shares on a specific
virtual machine or resource pool.

Enhanced Resource Pool Reservation

Starting in vSphere 6.7, DRS uses a new two-pass algorithm to allocate
resource reservations to children. The old allocation model does not reserve
more resources than the current demand, even when the resource pool is
configured with a higher reservation. When a spike in virtual machine
demand occurs after resource allocation is complete, DRS does not make the
remaining pool reservation available to the virtual machine until the next
allocation operation occurs. As a result, a virtual machine’s performance may
be temporarily impacted. In the new allocation model, each allocation
operation uses two passes. In the first pass, the resource pool reservation is
allocated based on virtual machine demand. In the second pass, excess pool
reservation is allocated proportionally, limited by the virtual machine’s
configured size, which reduces the performance impact due to virtual
machine spikes.

Scalable Shares

Telegram Channel : @IRFaraExam

Another new DRS feature in vSphere 7.0 is scalable shares. The main use
case for scalable shares is a scenario in which you want to use shares to give
high-priority resource access to a set of virtual machines in a resource pool,
without concern for the relative number of objects in the pool compared to
other pools. With standard shares, each pool in a cluster competes for
resource allocation with its siblings, based on the share ratio. With scalable
shares, the allocation for each pool factors in the number of objects in the
pool.
For example, consider a scenario in which a cluster with 100 GHz CPU
capacity has a high-priority resource pool with CPU Shares set to High and a
low-priority resource pool with CPU Shares set to Normal, as shown in
Figure 4-1. This means that the share ratio between the pools is 2:1, so the
high-priority pool is effectively allocated twice the CPU resources as the low-
priority pool whenever CPU contention exists in the cluster. The high-priority
pool is allocated 66.7 GHz, and the low-priority pool is effectively allocated
33.3 GHz. In this cluster, 40 virtual machines of equal size are running, with
32 in the high-priority pool and 8 in the low-priority pool. The virtual
machines are all demanding CPU resources, causing CPU contention in the
cluster. In the high-priority pool, each virtual machine is allocated 2.1 GHz.
In the low-priority pool, each virtual machine is allocated 4.2 GHz.

FIGURE 4-1 Scalable Shares Example

If you want to change the resource allocation such that each virtual machine

Telegram Channel : @IRFaraExam

in the high-priority pool is effectively allocated more resources than the
virtual machines in the low-priority pool, you can use scalable shares. If you
enable scalable shares in the cluster, DRS effectively allocates resources to
the pools based on the Shares settings and the number of virtual machines in
the pool. In this example, the CPU shares for the pools provide a 2:1 ratio.
Factoring this with the number of virtual machines in each pool, the
allocation ratio between the high-priority pool and the low-priority pool is 2
times 32 to 1 times 8, or simply 8:1. The high-priority pool is allocated 88.9
GHz, and the low-priority pool is allocated 11.1 GHz. Each virtual machine
in the high-priority pool is allocated 2.8 GHz. Each virtual machine in the
low-priority pool is allocated 1.4 GHz.

vSphere High Availability (HA)

vSphere HA is a cluster service that provides high availability for the virtual
machines running in the cluster. You can enable vSphere High Availability
(HA) on a vSphere cluster to provide rapid recovery from outages and cost-
effective high availability for applications running in virtual machines.
vSphere HA provides application availability in the following ways:

It protects against server failure by restarting the virtual machines on

other hosts in the cluster when a host failure is detected, as illustrated in
Figure 4-2.

FIGURE 4-2 vSphere HA Host Failover

It protects against application failure by continuously monitoring a

Telegram Channel : @IRFaraExam

virtual machine and resetting it if a failure is detected.
It protects against datastore accessibility failures by restarting affected
virtual machines on other hosts that still have access to their datastores.
It protects virtual machines against network isolation by restarting them
if their host becomes isolated on the management or vSAN network.
This protection is provided even if the network has become partitioned.

Benefits of vSphere HA over traditional failover solutions include the

following:

Minimal configuration
Reduced hardware cost
Increased application availability
DRS and vMotion integration

vSphere HA can detect the following types of host issues:

Failure: A host stops functioning.

Isolation: A host cannot communicate with any other hosts in the
cluster.
Partition: A host loses network connectivity with the primary host.

When you enable vSphere HA on a cluster, the cluster elects one of the hosts
to act as the primary host. The primary host communicates with vCenter
Server to report cluster health. It monitors the state of all protected virtual
machines and secondary hosts. It uses network and datastore heartbeating to
detect failed hosts, isolation, and network partitions. vSphere HA takes
appropriate actions to respond to host failures, host isolation, and network
partitions. For host failures, the typical reaction is to restart the failed virtual
machines on surviving hosts in the cluster. If a network partition occurs, a
primary host is elected in each partition. If a specific host is isolated, vSphere
HA takes the predefined host isolation action, which may be to shut down or
power down the host’s virtual machines. If the primary host fails, the
surviving hosts elect a new primary host. You can configure vSphere to
monitor and respond to virtual machine failures, such as guest OS failures, by

Telegram Channel : @IRFaraExam

monitoring heartbeats from VMware Tools.

Note
Although vCenter Server is required to implement vSphere HA, the
health of an HA cluster is not dependent on vCenter Server. If vCenter
Server fails, vSphere HA still functions. If vCenter Server is offline
when a host fails, vSphere HA can fail over the affected virtual
machines.

vSphere HA Requirements
When planning a vSphere HA cluster, you need to address the following
requirements:

The cluster must have at least two hosts, licensed for vSphere HA.
Hosts must use static IP addresses or guarantee that IP addresses
assigned by DHCP persist across host reboots.
Each host must have at least one—and preferably two—management
networks in common.
To ensure that virtual machines can run any host in the cluster, the hosts
must access the networks and datastores.
To use VM Monitoring, you need to install VMware Tools in each
virtual machine.
IPv4 or IPv6 can be used.

Note
The Virtual Machine Startup and Shutdown (automatic startup) feature
is disabled and unsupported for all virtual machines residing in a
vSphere HA cluster.

Telegram Channel : @IRFaraExam

vSphere HA Response to Failures
You can configure how a vSphere HA cluster should respond to different
types of failures, as described in Table 4-7.

Table 4-7 vSphere HA Response to Failure Settings

Option Description
Host Failure If Enabled, the cluster responds to host failures by
Response > restarting virtual machines. If Disabled, host
Failure monitoring is turned off, and the cluster does not
Response respond to host failures.
Host Failure You can indicate the order in which virtual machines
Response > are restarted when the host fails (higher priority
Default VM machines first).
Restart Priority
Host Failure This condition must be met before HA restarts the next
Response > VM priority group.
Restart Priority
Condition
Response for You can indicate the action that you want to occur if a
Host Isolation host becomes isolated. You can choose Disabled,
Shutdown and Restart VMs, or Power Off and Restart
VMs.
VM Monitoring You can indicate the sensitivity (Low, High, or
Custom) with which vSphere HA responds to lost
VMware Tools heartbeats.
Application You can indicate the sensitivity (Low, High, or
Monitoring Custom) with which vSphere HA responds to lost
application heartbeats.

Note

Telegram Channel : @IRFaraExam

If multiple hosts fail, the virtual machines on the failed host migrate
first in order of priority, and then the virtual machines from the next
host.

Telegram Channel : @IRFaraExam

Automation Level to Manual.
The vendor-provided health providers read sensor data in the server and
provide the health state to vCenter Server. The health states are Healthy,
Moderate Degradation, Severe Degradation, and Unknown.

Other Resource Management and Availability

Features
This section describes other vSphere features related to resource management
and availability.

Predictive DRS
Predictive DRS is a feature in vSphere 6.5 and later that leverages the
predictive analytics of vRealize Operations (vROps) Manager and vSphere
DRS. Together, these two products can provide workload balancing prior to
the occurrence of resource utilization spikes and resource contention. Every
night, vROps calculates dynamic thresholds, which are used to create
forecasted metrics for the future utilization of virtual machines. vROps passes
the predictive metrics to vSphere DRS to determine the best placement and
balance of virtual machines before resource utilization spikes occur.
Predictive DRS helps prevent resource contention on hosts that run virtual
machines with predictable utilization patterns.
The following prerequisites are needed to run Predictive DRS:

vCenter Server 6.5 or later is required.

Predictive DRS must be configured and enabled in both vCenter Server
and vROps.
The vCenter Server and vROps clocks must be synchronized.

Distributed Power Management (DPM)

The vSphere Distributed Power Management (DPM) feature enables a DRS
cluster to reduce its power consumption by powering hosts on and off, as
needed, based on cluster resource utilization. DPM monitors the cumulative
virtual machine demand for memory and CPU resources in the cluster and

Telegram Channel : @IRFaraExam

compares this to the available resources in the cluster. If sufficient excess
capacity is found, vSphere DPM directs the host to enter Standby Mode.
When DRS detects that a host is entering Standby Mode, it evacuates the
virtual machines. Once the host is evacuated, DPM powers if off, and the
host is in Standby Mode. When DPM determines that capacity is inadequate
to meet the resource demand, DPM brings a host out of Standby Mode by
powering it on. Once the host exits Standby Mode, DRS migrates virtual
machines to it.
To power on a host, DPM can use one of three power management protocols:
Intelligent Platform Management Interface (IPMI), Hewlett-Packard
Integrated Lights-Out (iLO), or Wake-on-LAN (WoL). If a host supports
multiple protocols, they are used in the following order: IPMI, iLO, WOL. If
a host does not support one of these protocols, DPM cannot automatically
bring a host out of Standby Mode.
DPM is very configurable. As with DRS, you can set DPM’s automation to
be manual or automatic.

Note
Do not disconnect a host that is in Standby Mode or remove it from a
DRS cluster without first powering it on. Otherwise, vCenter Server is
not able to power the host back on.

APIs for Data Protection [VADP] backups are supported for FT but not
for legacy FT.)
Storage vMotion
Linked clones
Virtual Volumes datastores
Storage-based policy management (However, vSAN storage policies are
supported.)
I/O filters
Disk encryption
Trusted Platform Module (TPM)
Virtual Based Security (VBS)–enabled VMs
Universal Point in Time snapshots (a NextGen vSAN feature)
Physical raw device mappings (RDMs) (However, virtual RDMs are
supported for legacy FT.)
Virtual CD-ROMs for floppy drives backed by physical devices
USB devices, sound devices, serial ports, and parallel ports
N_Port ID Virtualization (NPIV)
Network adapter passthrough
Hot plugging devices (Note that the hot plug feature is automatically
disabled when you enable FT on a virtual machine.)
Changing the network where a virtual NIC is connected
Virtual Machine Communication Interface (VMCI)

Telegram Channel : @IRFaraExam

Virtual disk files larger than 2 TB
Video devices with 3D enabled

You should apply the following best practices for FT:

Use similar CPU frequencies in the hosts.

Use active/standby NIC teaming settings.
Ensure that the FT Logging network is secure (that is, FT data is not
encrypted).
Enable jumbo frames and 10 Gbps for the FT network. Optionally,
configure multiple NICs for FT Logging.
Place ISO files on shared storage.
If vSAN is used for primary or secondary VMs, do not also connect
those virtual machines to other storage types. Also, place the primary and
secondary VMs in separate vSAN fault domains.
Keep vSAN and FT Logging on separate networks.

In vSphere 6.5, FT is supported with DRS only when EVC is enabled. You
can assign a DRS automation to the primary VM and let the secondary VM
assume the same setting. If you enable FT for a virtual machine in a cluster
where EVC is disabled, the virtual machine DRS automation level is
automatically disabled. Starting in vSphere 6.7, EVC is not required for FT to
support DRS.
To enable FT, you first create a VMkernel virtual network adapter on each
host and connect to the FT Logging network. You should enable vMotion on
a separate VMkernel adapter and network.
When you enable FT protection for a virtual machine, the following events
occur:

If the primary VM is powered on, validation tests occur. If validation is

passed, then the entire state of the primary VM is copied and used to
create the secondary VM on a separate host. The secondary VM is
powered on. The virtual machine’s FT status is Protected.

Telegram Channel : @IRFaraExam

If the primary VM is powered off, the secondary VM is created and
registered to a host in the cluster but not powered on. The virtual
machine FT Status setting is Not Protected, VM not Running. When you
power on the primary VM, the validation checks occur, and the
secondary VM is powered on. Then FT Status changes to Protected.

Legacy FT VMs can exist only on ESXi hosts running on vSphere versions
earlier than 6.5. If you require legacy FT, you should configure a separate
vSphere 6.0 cluster.

vCenter Server High Availability

vCenter Server High Availability (vCenter HA) is described in Chapter 1,
“vSphere Overview, Components, and Requirements.” vCenter HA
implementation is covered in Chapter 8, “vSphere Installation.” vCenter HA
management is covered in Chapter 13, “Managing vSphere and vCenter
Server.”

VMware Service Lifecyle Manager

If a vCenter service fails, VMware Service Lifecycle Manager (vmon)
restarts it. VMware Service Lifecycle Manager is a service running in a
vCenter server that monitors the health of services and takes preconfigured
remediation action when it detects a failure. If multiple attempts to restart a
service fail, the service is considered failed.

Note
Do not confuse VMware Service Lifecyle Manager with VMware
vSphere Lifecycle Manager, which provides simple, centralized
lifecycle management for ESXi hosts through the use of images and
baselines.

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction,

Telegram Channel : @IRFaraExam

you have some choices for exam preparation: the exercises here, Chapter 15,
“Final Preparation,” and the exam simulation questions on the companion
website.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topics
icon in the outer margin of the page. Table 4-11 lists these key topics and the
page number on which each is found.

Table 4-11 Key Topics for Chapter 4

Key Topic Description Page
Element Number
Section Network-aware DRS 135
Section How DRS scores VMs 136
List DRS migration sensitivity 138
Section Scalable shares 142
List vSphere HA requirements 145
Table 4-7 vSphere HA response to failure 145
settings
List vSphere FT requirements 154

Complete Tables and Lists from Memory

Define Key Terms

Telegram Channel : @IRFaraExam

Define the following key terms from this chapter and check your answers in
the glossary:
VMware Service Lifecycle Manager
vSphere Fault Tolerance (FT)
Predictive DRS
Proactive High Availability (Proactive HA)
Virtual Machine Component Protection (VMCP)

Review Questions
1. You are configuring EVC. Which of the following is not a
requirement?
a. A vSphere cluster
b. A DRS cluster
c. CPUs in the same family
d. CPUs with the same base instruction set
2. In vSphere 7.0, you want to configure the DRS Migration
Threshold such that it is at the maximum level at which resource
contention is considered, but virtual machine happiness is not.
Which of the following values should you choose?
a. Level 1
b. Level 2
c. Level 3
d. Level 4
e. Level 5
3. In a vSphere cluster, which of the following statements is true if the
primary host detects datastore heartbeats for a secondary host but
no network heartbeats or ping responses?
a. The primary host declares that the secondary host is isolated.
b. The primary host assumes that the secondary host is isolated
or in a network partition.

Telegram Channel : @IRFaraExam

c. The primary host takes the host isolation response action.
d. The primary host restarts the virtual machines on the failed
secondary host.
4. You want to configure vSphere HA. Which of the following is a
requirement?
a. IPv4 must be used for all host management interfaces.
b. vMotion must be enabled on each host.
c. The Virtual Machine Startup and Shutdown (automatic
startup) feature must be enabled on each virtual machine.
d. Host IP addresses must persist across reboots.
5. You are configuring vSphere Distributed Power Management
(DPM) in your vSphere 7.0 environment. Which of the following is
not a requirement for using Wake-on-LAN (WoL) in DPM?
a. The management NIC must support WOL.
b. vMotion is configured.
c. The vMotion NIC must support WOL.
d. The physical switch port must be set to auto negotiate the link
speed.

Telegram Channel : @IRFaraExam

Chapter 5

vCenter Server Features and

Virtual Machines
This chapter covers the following topics:

vCenter Server and vSphere

Virtual Machine File Structure
Virtual Machine Snapshots
Virtual Machine Settings
Virtual Machine Migration
Virtual Machine Cloning

This chapter contains information related to Professional VMware vSphere

7.x (2V0-21.20) exam objectives 1.2, 1.5, 2.3, 5.6, 7.1, 7.2, 7.3, 7.6, 7.9, and
7.11.4.

This chapter provides details on vCenter Server features that have not been
covered in previous chapters. It covers virtual machine features such as file
structure, migrations, and cloning. Chapters 13, “Managing vSphere and
vCenter Server,” and 14, “Virtual Machine Management/Provision, Migrate,
and Replication,” provide details on managing vCenter Server, vSphere, and
virtual machines.

“Do I Know This Already?” Quiz

Telegram Channel : @IRFaraExam

chapter at least once. Table 5-1 outlines the major headings in this chapter
and the corresponding “Do I Know This Already?” quiz questions. You can
find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’
Quizzes and Review Questions.”
Table 5-1 “Do I Know This Already?” Section-to-Question Mapping
Foundation Topics Section Questions
vCenter Server and vSphere 1, 2
Virtual Machine File Structure 3
Virtual Machine Snapshots 4
Virtual Machine Settings 5, 6
Virtual Machine Migration 7– 9
Virtual Machine Cloning 10

1. You just installed a new vCenter Server. Using the vSphere Client,
which of the following objects can be the first object that you
create in the inventory pane?
a. A cluster
b. A host
c. A virtual machine
d. A data center
e. A datastore
f. A virtual machine folder
2. You want to create a content library for your vCenter Server.
Which type of content library cannot be modified directly?
a. A library backed by vSAN
b. A local library
c. A published library
d. A subscribed library

Telegram Channel : @IRFaraExam

3. You are providing support for a virtual machine named Server01 in
a vSphere 7.0 environment. Which of the following is the virtual
disk data file?
a. Server01.vmdk
b. Server01-flat.vmdk
c. Server01.vmx
d. Server01-data.vmdk
4. You have taken multiple snapshots for a virtual machine. In the
vSphere Client Snapshot Manager, where is the You Are Here icon
located?
a. Under the parent snapshot
b. Under the child snapshot
c. Under the latest snapshot
d. Under the associate delta file
5. You are configuring a virtual machine in vSphere 7.0. Which of the
following devices cannot be configured or removed?
a. SIO controller
b. SCSI controller
c. Parallel port
d. PCI device
6. You are using the vSphere Client to edit a virtual machine in
vSphere 7.0. Which of the following is not available on the VM
Options tab?
a. General Options
b. Encryption Options
c. Snapshot Options
d. vApp Options
7. You want to perform a cross-vCenter Server migration in vSphere

Telegram Channel : @IRFaraExam

7.0. Which of the following statements is true?
a. If separate SSO domains are used, you must use the APIs to
perform the migration.
b. If separate SSO domains are used, you can use the vSphere
Client to perform the migration.
c. If separate SSO domains are used, you cannot perform the
migration.
d. The vSphere and vCenter Server Enterprise licenses are
required.
8. You want to perform multiple simultaneous virtual machine
migrations for a four-node DRS cluster with a 10 GigE vMotion
network and multiple data-stores. Which of the following
operations are allowed without any queuing?
a. Nine simultaneous vMotion migrations
b. Nine simultaneous vMotion migrations without Shared
Storage
c. One Storage vMotion operation and four vMotion operations
d. Four simultaneous vMotion and five provisioning operations
involving the same host
9. You are optimizing your vSphere environment. Which of the
following is not helpful for improving vMotion performance?
a. Using NIOC to increase shares for vMotion traffic
b. Using traffic shaping to limit the bandwidth that is available to
vMotion traffic
c. Using multiple-NIC vMotion
d. Using jumbo frames
10. You want to use instant clones in vSphere. Which of the following
statements is true?
a. You can use the vSphere Host Client to perform an instant
clone.

Telegram Channel : @IRFaraExam

b. You can use the vSphere Client to perform an instant clone.
c. A sample major use case for instant clones is a large-scale
deployment in a VMware Horizon VDI.
d. vSphere 6.5 supports instant clones.

Foundation Topics

vCenter Server and vSphere

Previous chapters provide details about the vSphere topology, storage
infrastructure, network infrastructure, and vSphere clusters. This section
provides details about other features, such as the vSphere inventory, host
profiles, and content libraries.

vSphere Managed Inventory Objects

This section describes the vSphere inventory and object types, which should
be planned prior to implementing vSphere. It provides information on
creating and configuring inventory objects during vSphere implementation.
In vSphere, the inventory is a collection of managed virtual and physical
objects. Depending on the object type, you can configure each object and
perform operations such as setting permissions, monitoring tasks, monitoring
events, and setting alarms. You can organize many of these objects by
placing them into folders, which makes managing them easier.
All inventory objects except for hosts can be renamed to represent their
purposes. For example, they can be named after company departments,
locations, or functions.

Note
Many systems that rely on vCenter Server, such as VMware Horizon,
also refer to vCenter objects according to their names. Take care when
renaming vCenter inventory objects such as data centers, folders, and
datastores if you have deployed any external systems that rely on
vCenter Server.

In the vSphere inventory, networks are objects that are used to connect a set
of virtual network adapters. Each ESXi host may have multiple VMkernel
virtual network adapters. Each virtual machine may have multiple virtual
network adapters. Each virtual network adapter may be connected to a port
group (on a standard virtual switch) or a distributed port group (on a vSphere
distributed switch). All virtual machines that connect to the same port group
belong to the same network in the virtual environment, even if they are on
different physical servers. You can manage networks by monitoring, setting
permissions, and setting alarms on port groups and distributed port groups.
Chapter 3, “Network Infrastructure,” provides details on networks.

Datastores
In the vSphere inventory, datastores are objects that represent physical
storage resources in the data center. A datastore is the storage location for
virtual machine files. The physical storage resources can come from local
SCSI disks of the ESXi host, Fibre Channel SAN disk arrays, iSCSI SAN
disk arrays, or network attached storage (NAS) arrays. VMFS datastores can
be backed by local SCSI, Fibre Channel, or iSCSI. NFS datastores can be
backed by NAS. vSAN datastores can be built in VSAN clusters.
Chapter 2, “Storage Infrastructure,” provides details on datastores.

Virtual Machines
In the vSphere inventory, virtual machines are represented in a manner that
reflects the current inventory view. For example, in the Hosts and Clusters
view, each virtual machine is a descendant of the ESXi host on which it runs.
In the Networks view, each virtual machine is a descendant of the network to
which it connects.

Templates
In the vSphere inventory, templates are objects that are effectively non-
executable virtual machines. A template is a master copy of a virtual machine
that can be used to create and provision new virtual machines. A template can
have a guest operating system and application software installed. Templates
are often customized during deployment to ensure that each new virtual

Telegram Channel : @IRFaraExam

machine has a unique name and network settings.
For more details on templates, see the “Virtual Machine Cloning” section,
later in this chapter.

vApps
A vApp is a container object in vSphere that provides a format for packaging
and managing applications. Typically, a vApp is a set of virtual machines that
runs a single application and allows you to manage the application as a single
unit. You can specify a unique boot order for the virtual machines in a vApp,
which allows you to gracefully start an application that spans multiple virtual
machines. You can apply resource management settings to a vApp in a
similar manner as you would to a resource pool.

Host Profiles
A host profile is a feature that enables you to encapsulate the configuration of
one host and apply it to other hosts. A host profile is especially helpful in
environments where administrators manage multiple hosts and clusters with
vCenter Server. The following are characteristics of host profiles:

Host profiles are an automated and centrally managed mechanism.

Host profiles are used for host configuration and configuration
compliance.
Host profiles can improve efficiency by reducing the use of repetitive
manual tasks.
Host profiles capture the configuration of a reference host and store the
configuration as a managed object.
Host profiles provide parameters for configuring networking, storage,
security, and other host-level settings.
Host profiles can be applied to individual hosts, a cluster, or a set of
hosts and clusters.
Host profiles make it easy to ensure that all hosts in a cluster have a
consistent configuration.

Telegram Channel : @IRFaraExam

You can use the following workflow to leverage a host profile to apply a
consistent host configuration in your vSphere environment:

Step 1. Set up and configure a reference host.

Step 2. Create a host profile from the reference host.
Step 3. Attach hosts or clusters to the host profile.
Step 4. Check the compliance of the hosts with the host profile. If all hosts
are compliant with the reference host, you do not need to take
additional steps.
Step 5. If the hosts are not fully compliant, apply (remediate) the hosts with
the host profile.

Note
If you want a host profile to use directory services for authentication,
the reference host must be configured to use a directory service.

In previous releases, vSphere requires that the reference host be available for
certain tasks, such as editing, importing, and exporting the host profile.
Starting with vSphere 6.0, a dedicated reference host is no longer required for
these tasks.
Auto Deploy uses host profiles to configure ESXi.

Content Libraries
A content library is a repository that can be used to share files such as virtual
machine templates, vApps, and image files among a set of vCenter Servers.
Content libraries, which were introduced in vSphere 6.0, address the fact that
multiple vCenter Servers do not directly share associated files such as Open
Virtualization Format (OVF) and image (ISO) files. A great use case is
companies having multiple sites, each managed by a dedicated vCenter
Server, where the OVF files and ISO files that are used at one site are not

Telegram Channel : @IRFaraExam

directly available for use at other sites. In such a case, you can create a
content library at one site and publish it to serve the other sites. At the other
sites, you can create subscribed libraries that automatically synchronize with
the published library. For example, you can create a local content library
using the main office vCenter Server, publish it, and subscribe to it from
branch office vCenter Servers.
A subscribed content library can be configured to download metadata only
whenever it receives notification of a change. In such a case, the subscribing
library reflects the most recent changes, but it is not burdened with supplying
the storage space for every published file. Instead, the administrator can
choose whether to download the data for the entire item or per item.
Three types of content libraries can be used: local, published, and subscribed.
A local content library is the simplest form. You can allow, modify, and
delete content in a content library. A published library is a local library where
content is published for subscription. A subscribed library is a library whose
content you cannot change or publish. It receives its content from a published
library.
Each content library is built on a single storage entity, which may be a VMFS
datastore, an NFS datastore, a CIFS share, a local disk, or a vSAN datastore.
In vSphere 7.0, the following maximum limitations apply:

1000 libraries per vCenter Server

1000 items per library
16 concurrent synchronization operations per published library
9 virtual disk files per OVA/OVF template

After one library is set to subscribe to another library, synchronization

occurs. Automatic synchronization occurs every 24 hours by default and can
be modified using an API. The content library service, which is named
vmware-vdcs, is installed as part of the vCenter Server installation and uses
the same database as vCenter Server.
Simple versioning is used to keep libraries synchronized. Version numbers

Telegram Channel : @IRFaraExam

are assigned to the libraries and to each item in the library. These numbers
are incremented whenever content is added or modified. The library does not
store previous versions or provide rollback.
The following sequence occurs between a subscribed library and a published
library:
Step 1. The library service on the subscriber connects to the library services
on the publisher by using the VMware Content Subscription
Protocol (VCSP) and checks for updates.
Step 2. The subscriber pulls the lib.json file from the publisher, and each
library’s lib.json files are examined to determine if discrepancies
exist between the publisher and the subscriber.
Step 3. The library service uses VCSP to determine what data has changed
and sends a request to the transfer serviced to copy the required
files.
Step 4. The subscriber updates the versioning information in the database.
Beginning with vSphere 6.5, you can mount an ISO file directly from the
content library, apply a guest OS customization specification during VM
deployment, and update existing templates. The content library’s
performance is then improved. The Optimized HTTP Sync option stores
content in a compressed format, which reduces the synchronization time. The
content library leverages new features in vCenter Server 6.5, including
vCenter HA and backup/restoration.
In previous versions of vSphere, content libraries supported only OVF
templates. As a result, virtual machine templates and vApp templates were
converted to OVF files when you uploaded them to a content library. Starting
with vSphere 6.7 Update 1, content libraries support virtual machine
templates. Therefore, templates in the content library can be either the OVF
template type or the VM template type. vApp templates are still converted to
OVF files when you upload them to a content library. The distribution of VM
templates requires that the respective vCenter Server instances be in
Enhanced Linked Mode or Hybrid Linked Mode and that the respective hosts
be connected through a network.
To allow a user to manage a content library and its items, you can assign the

Telegram Channel : @IRFaraExam

Content Library administrator role, which is a sample role, to that user as a
global permission. Users who are assigned the administrator role at a vCenter
Server level cannot see the libraries unless they have a read-only global
permission.

vSphere with Tanzu

By using vSphere with Tanzu, you can use a vSphere cluster as a platform for
running Kubernetes workloads in dedicated resource pools. Once enabled on
a vSphere cluster, vSphere with Tanzu creates a Kubernetes control plane
directly in the hypervisor layer, enabling you to deploy vSphere pods and run
your applications inside these clusters.
A vSphere pod, which is the equivalent of a Kubernetes pod, is a small
virtual machine that runs one or more Linux containers. The storage and
compute for each vSphere pod is sized precisely for its workload, with
explicit resource reservations.
To use vSphere with Tanzu, you must use the VMware vSphere 7 Enterprise
Plus license with an add-on for Kubernetes for all ESXi hosts that you want
to use in a supervisor cluster. You must assign an NSX-T Data Center
Advanced or higher license to NSX Manager.

Virtual Machine File Structure

A virtual machine consists of several files that are stored in a datastore. The
key files are the configuration file, virtual disk file, NVRAM setting file, and
log file. Table 5-2 provides details for virtual machine files. You can
configure virtual machine settings through the vSphere Client, esxcli, or the
vSphere Web Services SDK.

Note
Do not directly change, move, or delete virtual machine files without
guidance from a VMware Technical Support representative.

Table 5-2 Virtual Machine Files

Telegram Channel : @IRFaraExam

File Description
vmname.vmx Virtual machine configuration file
vmname.vmxf Additional virtual machine configuration file
vmname.vmdk Virtual disk characteristics (metadata) file
vmname-flat.vmdk Virtual disk data file (commonly called a flat file)
vmname.nvram or Virtual machine BIOS or UEFI configuration file
nvram
vmname.vmsd Virtual machine snapshot file
vmname.vmsn Virtual machine snapshot data file
vmname.vswp Virtual machine swap file
vmname.vmss Virtual machine suspend file
vmware.log Current virtual machine log file
vmware-#.log Old virtual machine log file, where # is a number
starting with 1
Additional files can be created when you perform specific operations, such as
creating snapshots. If you convert a virtual machine to a template, the .vmtx
file replaces the virtual machine configuration file (.vmx file).
By default, when you create a virtual machine, the system creates a folder in
the datastore and assigns a folder name that is similar to the virtual machine
name. In cases where the default folder name is already in use, the system
appends a number to the new folder to make it unique.

Configuration File
A virtual machine’s configuration file is a text file that contains all of the
virtual machine’s settings, including a description of the virtual hardware.
For example, a portion of the contents of a VMX file for a CentOS virtual
machine named server1 could include the following text:
Click here to view code image
displayName = "server1"
guestOS = "centos-64"
nvram = "server1.nvram"

Telegram Channel : @IRFaraExam

scsi0:0.fileName = "server1.vmdk"

If this virtual machine is sized with two virtual CPUs and 1024 GB memory,
the contents of the VMX file may also include the following text:
numvcpus = "2"
memSize = "1024"

Virtual Disk Files

The name of the VMDK file that contains metadata for a virtual disk is
included in the VMX file as shown in the previous example
(scsi0:0.fileName = "server1.vmdk"). The VMDK metadata file is a text
file that contains details about the virtual disk, such as the numbers of
cylinders, heads, and sectors, as shown in the following sample content:
Click here to view code image
ddb.geometry.cylinders = "1305"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"

The VMDK metadata file also contains the names of other files associated
with the virtual disk, such as data (extent) files, as shown in the following
sample content:
# Extent description
RW 20971520 VMFS "server1-flat.vmdk"

Snapshot Files
When you take a snapshot of a virtual machine, the system creates a few
files. For example, if you take a snapshot for a powered-off virtual machine
named server1 that has only one virtual disk and no previous snapshots, the
following files may be created:

server1-000001-sesparse.vmdk: A delta data disk that stores changes

made since the creation of the snapshot
server1-000001.vmdk: A VMDK metadata file for the delta disk
server1-Snapshot1.vmsn: Snapshot data

Telegram Channel : @IRFaraExam

The following section provides more details on virtual machine snapshots.

Virtual Machine Snapshots

A virtual machine snapshot captures the state of a virtual machine and the
data in the virtual machine at a specific point in time. Snapshots are useful
when you want to return the state of a virtual machine to a point that was
previously captured. For example, you can create a snapshot of a virtual
machine just prior to installing and testing software in the virtual machine.
This enables you to revert the virtual machine back to its original state when
you finish testing.
You can take multiple snapshots of a virtual machine. If you take multiple
snapshots without reverting the virtual machine, the snapshots are created in
a linear fashion, as shown in Figure 5-1. The vSphere Client represents the
snapshot hierarchy of a virtual machine as a tree with the root node being the
virtual machine and nodes being each snapshot. If you revert the virtual
machine to a snapshot, the state of your virtual machine is associated with
that snapshot, as shown in Figure 5-2. If you create another snapshot, you add
branches to the snapshot tree, as shown in Figure 5-3.

Telegram Channel : @IRFaraExam

FIGURE 5-1 Linear Snapshots

FIGURE 5-2 Post-Revert Snapshot Tree

Telegram Channel : @IRFaraExam

FIGURE 5-3 New Branch in Snapshot Tree

Each branch in a snapshot tree can have up to 32 snapshots.

In the vSphere Client, you can perform several snapshot operations, including
taking a snapshot, reverting to a snapshot, and deleting a snapshot. When
taking a snapshot, you can choose whether to snap the memory and whether
to quiesce the guest OS. In cases where no snapshot exists but delta files
exist, you can choose to consolidate the disks.

Snapshot Use Cases

The following are some common use cases for snapshots:

Telegram Channel : @IRFaraExam

Rollback changes: Prior to upgrading or making a configuration change
to an application, you can take a virtual machine snapshot to provide a
rollback option.
Rollback guest OS upgrade: Prior to upgrading the guest OS, you can
take a virtual machine snapshot to provide a rollback option.
Training and development labs: You can take snapshots of a set of
virtual machines used in a lab environment prior to allowing user access.
When the user finishes experimenting, you can revert the state of the
environment back to the original state for the next user.
Backups: A backup utility may first trigger a virtual machine snapshot
and then copy the virtual machine files without needing to deal with
open files. Following the backup, the utility deletes the snapshot.
Troubleshooting and triage: Taking a snapshot of a troubled virtual
machine enables you to later choose to return the virtual machine to the
exact state when it experienced an issue.
Linked clones: Automation and virtual desktop software, such as
vRealize Automation and Horizon, may leverage virtual machine
snapshots to allow you to use fast provisioning (linked clone) methods
by which new virtual machines share a base virtual disk. For example, to
use a linked clone in a vRealize Automation blueprint, you need to
identify a virtual machine snapshot.

What a Snapshot Preserves

A snapshot preserves the following information:

Virtual machine settings: The virtual machine directory, which includes

the disks added or changed after you take the snapshot
Disk state: The state of each virtual disk
Memory state: (Optional) The contents of the virtual machine’s memory
Power state: Whether the virtual machine is powered on, powered off,
or suspended when you take the snapshot (If you revert to a snapshot that

Telegram Channel : @IRFaraExam

includes the memory state, the virtual machine is returned to its
preserved power state.)

Parent Snapshots
The first virtual machine snapshot that you create is the base snapshot.
Taking a snapshot creates a delta disk file for each disk attached to the virtual
machine and, optionally, a memory file. The delta disk files and memory file
are stored with the base VMDK file. The parent (current) snapshot is always
the snapshot that appears immediately above the You Are Here icon in the
Snapshot Manager. If you revert to a snapshot, that snapshot becomes the
parent of the You Are Here current state. When you have multiple snapshots,
each child snapshot has a parent snapshot.

Note
The parent snapshot is not always the snapshot that you took most
recently.

Snapshot Behavior
Taking a snapshot preserves the disk state by creating a series of delta disks
for each attached virtual disk or virtual raw device mapping (RDM). Taking a
snapshot creates a snapshot object in the Snapshot Manager that represents
the virtual machine state and settings. Each snapshot creates a delta disk for
each virtual disk. When you take a snapshot, the system prevents the virtual
machine from writing to the current data (VMDK) file and instead directs all
writes to the delta disk. The delta disk represents the difference between the
current state of the virtual disk and the state that existed at the time that you
took the parent snapshot. Delta disk files can expand quickly and can become
as large as the configured size of the virtual disk if the guest operating system
writes to every block of the virtual disk.
When you take a snapshot, the state of the virtual machine, virtual disks, and
(optionally) virtual memory is captured in a set of files, such as the delta,
database, and memory files. By default, the delta disks are stored with the
corresponding virtual disk files, and the memory and database files are stored

Telegram Channel : @IRFaraExam

in the virtual machine directory.

Flat File
A virtual disk involves a metadata file and a data file, each with the .vmdk
extension. The metadata VMDK file contains information about the virtual
disk, such as geometry and child–parent relationship information. The data
VMDK file is called the flat file, and its name contains the word flat. Only
the names of the metadata files appear in the vSphere Client Datastore
Browser. In normal circumstances, the virtual machine’s guest OS and
applications write to the flat file.

Delta Disk Files

When you create a snapshot, you create a delta disk for each virtual disk. The
delta (child) disk represents the difference between the current state of the
virtual disk and the state that existed at the time that you took the parent
snapshot. A delta disk has two VMDK files. One is a small metadata file, and
the other is a data file. Delta disk data files are also called redo logs.

Database File
The database file is a file with the .vmsd extension that contains snapshot
details required by the Snapshot Manager. It contains details on the
relationships between snapshots and child disks.

Memory File
The memory file is a file with the .vmsn extension that includes the active
state of the virtual machine’s memory. Capturing the memory state of the
virtual machine lets you revert to a powered-on state. Memory snapshots take
longer to create than nonmemory snapshots. The size of the memory impacts
the amount of time required to create the snapshot.

Limitations
The use of snapshots can impact a virtual machine’s performance and can be
limited in some scenarios, as summarized in the following list:

Telegram Channel : @IRFaraExam

Snapshots are not supported for RDM physical mode disks or for iSCSI
initiators in a guest OS.
Snapshots of powered-on or suspended virtual machines with
independent disks are not supported.
A quiesced snapshot requires a supported guest operating system and
active VMware Tools services.
Snapshots are not supported with PCI vSphere DirectPath I/O devices.
Snapshots are not supported for virtual machines configured for bus
sharing.
Although snapshots may be a useful step for a backup utility, a snapshot
is not a backup by itself. A snapshot does not provide a redundant copy
of data. If the base flat file is lost or corrupted, you cannot restore the
virtual machine by reverting to a snapshot.
Snapshots can negatively affect the performance of a virtual machine.
The performance degradation is impacted by factors such as the age of
the snapshot, the depth of the snapshot tree, and the amount of data in the
delta files.
Snapshot operations can take much longer to finish when they involve
virtual disks larger than 2 TB.
Deleting a large snapshot that is part of the current path (as indicated by
You Are Here in the Snapshot Manager) can negatively impact the
performance and the health of the virtual machine. To minimize risk, you
can shut down the virtual machine prior to deleting the snapshot.

Virtual Machine Settings

This section provides information on virtual machine settings in vSphere 7.0.

VM Hardware/Compatibility
You can configure a virtual machine’s compatibility setting to control which
ESXi host versions can be used to run the virtual machine. In the vSphere
Client, you can set the Compatible With option for a virtual machine to a
compatible ESXi version, such as ESXi 7.0 and later or ESXi 6.7 Update 2

Telegram Channel : @IRFaraExam

and later. The compatibility setting determines which ESXi host versions the
virtual machine can run on and the hardware features available to the virtual
machine. At the host, cluster, or data center level, you can set the Default VM
Compatibility setting. (See Chapter 14 for details.)
Virtual hardware devices perform the same function for the virtual machines
as physical hardware devices do for traditional servers. Each virtual machine
has CPU, memory, and disk resources. All modern operating systems provide
support for virtual memory, allowing software to use more memory than is
present in the server hardware. Similarly, ESXi can provide to its virtual
machines VM memory totaling more than the capacity of the host’s physical
memory.
You can add virtual hardware devices to a virtual machine by editing the
virtual machine’s settings in the vSphere Client. Not all devices are
configurable. For example, the PCI and SIO virtual hardware devices are part
of the virtual motherboard but cannot be configured or removed. You can
enable the Memory Hotplug or CPU Hotplug settings in order to add memory
or CPU resources to a running virtual machine. Memory Hotplug is
supported on all 64-bit operating systems, but some guest operating systems
may not be able to make use of the added memory without restarting. The
ESXi license and other factors for the host where the virtual machine runs
may impact the available devices for the virtual machine. For a list of
hardware devices and their functions, see Table 5-3.
Table 5-3 Virtual Machine Hardware Devices
Device Description
CPU At least one vCPU but not more than the number of logical CPUs
in the host.

You can set advanced CPU features, such as the CPU

identification mask and hyperthreaded core sharing.
Chip The virtual motherboard consists of VMware-proprietary virtual
set devices, based on the following chips:

Telegram Channel : @IRFaraExam

Intel 440BX AGPset 82443BX host bridge/controller

Intel 82371AB (PIIX4) PCI ISA IDE Xcelerator

With thin provisioning, storage blocks are not allocated during disk
creation, which allows fast provisioning but requires allocation and
zeroing during runtime.
With thick eager zeroed, storage blocks are allocated and zeroed during
provisioning, which allows fast runtime.
With thick lazy zeroed provisioning, storage blocks are pre-allocated but
not pre-zeroed.

Your choice for the provisioning type depends on each virtual machine’s use
case. For example, if you want to minimize the virtual machine startup time
and minimize its risk, you may choose thick provision lazy zeroed.

Server migration, you must meet the following requirements:

The associated vCenter Servers and ESXi hosts must be 6.0 or later.
The cross-vCenter Server and long-distance vMotion features require an
Enterprise Plus license.
The vCenter Server instances must be time-synchronized with each other
for correct vCenter Single Sign-On token verification.
For migration of compute resources only, both vCenter Server instances
must be connected to the shared virtual machine storage.
When using the vSphere Client, both vCenter Server instances must be in
Enhanced Linked Mode, and they must be in the same vCenter Single
Sign-On domain.

Note
If the vCenter Server instances exist in separate vCenter Single Sign-
On domains, you can use vSphere APIs/SDK to migrate virtual
machines.

Virtual Machine Migration Limitations

vCenter Server limits the number of simultaneous virtual machine migration

and provisioning operations that occur per host, network, and datastore. Each
of the network, datastore, and host limits must be satisfied for the operation
to proceed. vCenter Server uses a costing method by which each migration
and provisioning operation is assigned a cost per resource. Operations whose
costs cause resources to exceed their limits are queued until other operations
complete.
Limits depend on the resource type, ESXi version, migration type, and other
factors, such as network type. ESXi Versions 5.0 to 7.0 have consistent

Telegram Channel : @IRFaraExam

limits:

Network limits: Network limits apply only to vMotion migrations. Each

vMotion migration has a network resource cost of 1. The network limit
depends on the network bandwidth for the VMkernel adapter enabled for
vMotion migration. For 1 GigE the limit is 4, and for 10 GigE it is 8.
Datastore limits: Datastore limits apply to vMotion and Storage
vMotion migrations. Each vMotion migration has a resource cost of 1
against the shared datastore. Each Storage vMotion migration has a
resource cost of 16 against both the source and destination datastores.
The datastore limit per datastore is 128.
Host limits: Host limits apply to vMotion, Storage vMotion, and cold
migrations. They also apply to virtual machine provisioning operations,
including new deployments, and cloning. Provisioning and vMotion
operations have a host cost of 1. Storage vMotion operations have a host
cost of 4. The host limit per host is 8.

For costing purposes, a hot migration that is both a cross-host and cross-
datastore migration (vMotion migration without shared storage) is considered
to be a combination of a vMotion and Storage vMotion migration and applies
the associated network, host, and datastore costs. vMotion migration without
shared storage is equivalent to Storage vMotion migration with a network
cost of 1.
Consider the following examples for a four-node DRS cluster with a 10 GigE
vMotion network:

If you perform nine simultaneous vMotion migrations, the ninth

migration is queued due to the network limit, even if different hosts are
involved.
If you perform nine simultaneous hot cross-host and cross-datastore
migrations involving the same datastore, the ninth migration is queued
due to the datastore limit, even if the migrations are split as to whether
the datastore is the source or the target.
You can simultaneously perform one Storage vMotion and four vMotion
operations involving a specific host.

Telegram Channel : @IRFaraExam

TCP/IP Stacks
You can use the vMotion TCP/IP stack to isolate vMotion traffic and assign it
to a dedicated default gateway, routing table, and DNS configuration. To use
the vMotion TCP/IP stack, select vMotion from the TCP/IP Stack drop-down
menu when configuring the associated VMkernel virtual network adapter.
When you assign a VMkernel virtual network adapter to the vMotion stack,
you cannot use the adapter for purposes other than vMotion. Likewise, you
can use the provisioning TCP/IP stack to isolate traffic for cold migration,
cloning, and snapshots. To use the provisioning TCP/IP stack, select
Provisioning from the TCP/IP Stack drop-down menu when configuring the
associated VMkernel virtual network adapter. When you assign a VMkernel
virtual network adapter to the provisioning stack, you cannot use the adapter
for purposes other than provisioning.

vMotion Details
This section provides details on the vMotion feature in vSphere.

vMotion Overview
A hot cross-host migration is called a vMotion migration. A hot migration
across hosts and datastores is often called a vMotion migration without
shared storage. A hot cross-vCenter Server migration is often called a cross-
vCenter Server vMotion migration. Although the term vMotion migration
may be used to describe any hot cross-host migration, this section provides
details on just the traditional vMotion migration, in which shared storage is
used and cross-datastore migration does not occur.
During a vMotion migration, the entire state of the virtual machine is moved
to the new host. The state includes the current memory content and all the
information that defines and identifies the virtual machine. The memory
content includes the components of the operating system, applications, and
transaction data that are in the memory. The state includes all the data that
maps to the virtual machine hardware elements, such as BIOS, devices, CPU,
MAC addresses for the Ethernet cards, chipset states, and registers. The
associated virtual disk remains in the original location on storage that is
shared between the source and destination hosts. After the virtual machine
state is migrated to the destination host, the virtual machine continues

Telegram Channel : @IRFaraExam

execution on the destination host.

vMotion Requirements

As explained in the section “Enhanced vMotion Compatibility (EVC)” in

Chapter 4, vMotion requires that the destination host’s processors be
compatible with the source host’s processors to support live migration.
Specifically, the destination processors must come from the same family and
provide the same instruction set as the source processors. You can enable
EVC in the cluster to broaden the vMotion compatibility.
Before using vMotion, you must address its host configuration requirements.
Each host must meet the licensing, shared storage, and networking
requirements for vMotion.
For standard vMotion migration, you must configure the source and
destination hosts with shared storage to enable the migrated virtual machines
to remain in the same datastore throughout the migration. Shared storage may
be implemented with Fibre Channel, iSCSI, or NAS storage. The datastore
may be VMFS or NFS. You can also leverage a vSAN datastore to meet the
shared storage requirement for vMotion migrations between cluster members.

Note
Hot migrations that are cross-host and cross-datastore migrations,
which are often called vMotion migrations without shared storage, do
not required shared storage.

For vMotion migration, you must configure each host with a VMkernel
virtual network interface connected to a virtual switch with an uplink that
uses at least one physical network interface card (NIC). VMware
recommends that the network connection be made to a secured network. The
vMotion network must provide at least 250 Mbps of dedicated bandwidth per
concurrent vMotion session. For long-distance migrations, the maximum
supported network round-trip time for vMotion migrations is 150

Telegram Channel : @IRFaraExam

milliseconds. For faster vMotion migrations, consider using 10 Gbps NICs
instead of 1 Gbps NICs.
To improve vMotion migration times even further, consider implementing
multi-NIC vMotion. With multi-NIC vMotion, multiple paths are used
simultaneously to carry the vMotion workload. To configure multi-NIC
vMotion, you can enable vMotion traffic for two VMkernel virtual network
adapters that are configured to use separate paths. For example, you can
apply the following steps to enable multi-NIC vMotion, as illustrated in
Figure 5-5:

FIGURE 5-5 Multi-NIC vMotion

Step 1. On a virtual switch, attach two uplink adapters connected to the

vMotion network.
Step 2. Connect two VMkernel adapters enabled for vMotion.
Step 3. For the first VMkernel adapter, set the first uplink path to Active
and the second uplink path to Standby.
Step 4. For the second VMkernel adapter, set the first uplink path to
Standby and the second uplink path to Active.
For more vMotion performance improvements, you can use Network I/O
Control (NIOC) to guarantee network bandwidth to vMotion traffic. You can
also use jumbo frames. To avoid network saturation, you can use traffic
shaping to limit the average and peak bandwidth available to vMotion traffic.

Telegram Channel : @IRFaraExam

By default, you cannot use vMotion to migrate a virtual machine that is
attached to a standard switch with no physical uplinks. To change this
behavior, you can set the
config.migrate.test.CompatibleNetworks.VMOnVirtualIntranet advanced
settings of vCenter Server to False.

Note
During a vMotion migration without shared storage, the virtual disk
data is transferred over the vMotion network.

vMotion Migration and Data Flow Details

During a vMotion migration, the state of the running virtual machines is
copied to the destination host over the designated vMotion network, the
virtual machine is stopped on the source ESXi host, and the VM is resumed
on the target ESXi host. The process involves the following phases:

Compatibility check: Intended to ensure that requirements are met and

that the destination host can run the virtual machine.
Pre-copy: Briefly stuns the source memory and starts memory trackers.
Copies memory page from source to target. Tracks which source pages
are modified after the pre-copy so these pages (dirty pages) can be re-
sent later.
Iterations of Pre-copy: If dirty pages exist, repeats the pre-copy of just
the dirty pages and scans for new dirtied pages. Continue iteration until
no dirty pages exist or until vMotion determines that the final page copy
can be completed in less than 500 ms.
Switchover: Quiesces and suspends the virtual machine execution on the
source host, transfers checkpoint data, and starts the execution of the
virtual machine using the checkpoint data on the target host.

The stun time (the time at which the virtual machine is not running
anywhere) is typically between 100 ms and 200 ms.

Telegram Channel : @IRFaraExam

Encrypted vMotion
When migrating encrypted virtual machines, vSphere vMotion always uses
encryption. For non-encrypted virtual machines, you can select one of the
following encrypted vMotion options:

Disabled: Do not use encryption.

Opportunistic: Use encryption if the source and destination hosts
support it.
Required: If the source or destination host does not support encrypted
vMotion, do not allow the migration.

Note
Only ESXi Versions 6.5 and later use encrypted vSphere vMotion. To
use vMotion to migrate encrypted virtual machines across vCenter
Server instances, you must use the vSphere API.

Storage vMotion Details

This section provides details on the Storage vMotion feature in vSphere.

Storage vMotion Overview

Storage vMotion migration is a hot cross-datastore migration. Storage
vMotion enables you to migrate a virtual machine and its disk files from one
datastore to another while the virtual machine is running. Use cases for
Storage vMotion include preparing for datastore maintenance (such as
upgrading the underlying storage array), optimizing performance
(redistribution of storage load), and transforming the virtual disk provisioning
type. When you use Storage vMotion on a virtual machine, you can migrate
all the virtual machine files to a single location, migrate individual virtual
disks, or separate virtual disks from other virtual machine files.

Note

Telegram Channel : @IRFaraExam

Migration with Storage vMotion changes virtual machine files on the
destination datastore to match the inventory name of the virtual
machine. The migration renames all virtual disk, configuration,
snapshot, and NVRAM files. If the new names exceed the maximum
filename length, the migration fails.

Storage vMotion Requirements and Limitations

The following are the major requirements and limitations for Storage
vMotion in vSphere 7.0:

Virtual disks in nonpersistent mode are not supported for Storage

vMotion. For virtual compatibility mode RDMs, you can migrate just the
mapping file or include the migration of the data to a virtual disk file. For
physical compatibility mode RDMs, you can only migrate the mapping
file.
Storage vMotion migration is not supported during VMware Tools
installation.
You cannot use Storage vMotion to migrate virtual disks larger than 2
TB from a VMFS Version 5 datastore to a VMFS Version 3 datastore.
The source host that is running must have a license that includes Storage
vMotion.
ESXi 4.0 and later hosts do not require vMotion configuration to perform
Storage vMotion migrations.
The host on which the virtual machine is running must have access to
both the source and target datastores.

Storage vMotion Data Flow Details

The following major steps are automatically performed by Storage vMotion
in vSphere 7.0:
Step 1. The virtual machine’s home directory is copied to the destination
datastore.
Step 2. A hidden (shadow) virtual machine starts using the copied files. The

Telegram Channel : @IRFaraExam

underlying processes (worlds) are visible to the esxtop utility. The
virtual machine continues to run in preexisting worlds.
Step 3. An initial copy of the source virtual disk is made to the destination
data-store, and change block tracking (CBT) is leveraged to track
blocks that are changed after they are copied.
Step 4. Step 4 is repeated until the number of changed blocks is small
enough to support a fast switchover.
Step 5. The system invokes a fast suspend and resume operation that
transfers the running virtual machine to the idling hidden virtual
machine. The virtual machine now runs in the new worlds. The
preexisting worlds that were associated with the virtual machine are
removed.

Virtual Machine Cloning

vSphere provides many cloning options, as described in this section.

Clones
When you clone a virtual machine, vCenter Server creates a virtual machine
that is a copy of the original virtual machine. The virtual disk files,
configuration file, and other files are copied from the original virtual machine
to the new virtual machine. The new virtual machine is commonly referred to
as a clone. The new virtual machine files are named and stored based on
parameters you provide during the deployment. You can choose to make
some configuration changes and customizations during the cloning process.
The contents of some of the files, such as the configuration file, are modified.
At the end of the operation, you can manage both the original virtual machine
and the new virtual machine as inventory objects in vCenter Server.

Cold Clones
A cold clone occurs when the source virtual machine is powered down prior
to starting the clone operation. In this case, vCenter Server does not have to
worry about interrupting the execution of the source virtual machine.

Telegram Channel : @IRFaraExam

Hot Clones
A hot clone occurs when the source virtual machine is running during a clone
operation. In this case, the vCenter Server must avoid disrupting the
execution of the source virtual machine. To do so, it takes a virtual machine
snapshot prior to copying data and removes the snapshot at the end of the
operation.

Linked Clones
A linked clone is a virtual machine that is cloned in such a manner that it
shares its virtual disk files with the original virtual machine (parent). The
shared files are static. Much like a virtual machine that has a snapshot, a
linked clone writes its virtual disk changes to separate data files. Compared to
a full clone, a linked clone operation is faster and conserves disk space. You
cannot use the vSphere Client to directly create linked clones. You can use
PowerCLI (via the -LinkedClone parameter with the New-VM command) or
other VMware products to create linked clones. For example, in VMware
Horizon you can create desktop pools based on linked clones, and in vCloud
Director you can use fast provisioning.

Rapid Provisioning with Templates

As stated previously, templates are objects in the vSphere inventory that are
effectively non-executable virtual machines.
You can convert a virtual machine to a template and vice versa. But the main
use case for templates is for rapid deployment of new similar virtual
machines from a single template. In such a case, you are effectively cloning
the template again and again, allowing the template to remain unchanged and
ready for future use. To update a template, such as to install the most recent
guest OS updates, you can temporarily convert the template to a virtual
machine, apply the updates, and convert back to a template.
When you deploy a virtual machine from a template, vCenter Server creates a
virtual machine that is a copy of the original template. The virtual disk files,
configuration file, and other files are copied from the template to the new
virtual machine. The new virtual machine files are named and stored based
on parameters you provide during the deployment. You can choose to make

Telegram Channel : @IRFaraExam

some configuration changes and customizations during the cloning process.
The contents of some of the files, such as the configuration file, are modified.
At the end of the operation, you can manage both the original template and
the new virtual machine as inventory objects in vCenter Server.
Deploying a virtual machine from a template is a lot like cloning a virtual
machine. In either case, you create a new virtual machine by copying a
source object. For template deployments, the source object is a template. For
virtual machine cloning, the source object is a virtual machine.

Instant Clones

Starting with vSphere 6.7, you can use the instant clone technology to hot
clone a running virtual machine in a manner that is like a combination of
vMotion and linked clone technology. The result of an instant clone operation
is a new virtual machine (destination virtual machine) that is identical to the
source virtual machine. The processor state, virtual device state, memory
state, and disk state of the destination virtual machine match those of the
source virtual machine. To avoid network conflicts, you can customize the
MAC addresses of the virtual NICs, but the guest customization feature is not
supported for instant clones. You cannot use the vSphere Client to perform an
instant clone operation.
A common use case for instant clones is just-in-time deployment in a
VMware Horizon virtual desktop infrastructure (VDI). Instant clones enable
you to perform large-scale deployments by creating virtual machines from a
controlled point in time. For example, VMware Horizon uses Instant Clone to
improve the provisioning process for virtual desktops. Compared to View
Composer, which uses linked clones, instant clones eliminate some steps
(such as reconfiguration and checkpoints) and replace other steps to greatly
reduce the provisioning time. Other use cases are large deployments of
identical virtual servers in the cloud and situations where you want to reduce
boot storms and provisioning times.
During an instant clone (vmFork) operation, the system quiesces and stuns
the source virtual machine, creates and transfers a checkpoint, customizes the
destination MAC address and UUID, and forks the memory and disk. The

Telegram Channel : @IRFaraExam

destination virtual machine shares the parent virtual machine’s disk and
memory for reads. For writes, the destination machine uses copy on write
(COW) to direct disk and memory changes to delta files and private memory
space.
The requirements for instant clones may depend on the software applications
that use the API to perform the cloning operations. For example, VMware
Horizon 7.1 requires static port binding, ESXi 6.0 Update 1 or later, and a
distributed virtual switch.
Instant cloned virtual machines are fully independent vCenter Server
inventory objects. You can manage instant clone destination virtual machines
as you would regular virtual machines, without any restrictions.

Exam Preparation Tasks

VMware Product Integration

This chapter covers the following topics:

vSphere with Tanzu: A vSphere edition that natively provides support
for containers in the hypervisor
vCenter Converter: A product that facilitates the conversion of physical
and other servers into virtual machines running in vSphere
vSphere Replication: A virtual machine replication feature that is
included with specific vSphere editions
VMware Skyline: A proactive support offering for many VMware
products, including vSphere

vSphere with Tanzu

By using vSphere with Tanzu, you can implement vSphere as a platform for
natively running Kubernetes workloads. When enabled on a vSphere cluster,
vSphere with Tanzu enables you to run Kubernetes workloads directly in the
ESXi hypervisor and create Kubernetes clusters using dedicated resource
pools. This works by creating a Kubernetes control plane directly in the
hypervisor. A vSphere cluster that is enabled with vSphere for Kubernetes is
called a supervisor cluster. The supervisor cluster runs on top of ESXi for
compute, NSX-T Data Center for networking, and vSAN (or another shared
storage solution) for storage.
With a Kubernetes control plane, you can create namespaces on the
supervisor cluster, run containers in vSphere pods, and manage Kubernetes
clusters using Tanzu Kubernetes Grid Service. A vSphere pod is a specialized
virtual machine for running containers. In vSphere, you can manage and
monitor vSphere pods and Tanzu Kubernetes clusters running in different
namespaces.

vSphere with Tanzu Use Cases

vSphere with Tanzu is commonly used to provide a familiar single stack

for containers and virtual machines and to streamline development of
modern applications.

vSphere with Tanzu Integration

Telegram Channel : @IRFaraExam

To use vSphere with Tanzu, the main step is to install vSphere 7 with
Kubernetes instead of installing vSphere 7. To run Kubernetes workloads on
a vSphere cluster, you must enable the cluster with vSphere with Tanzu. In
the vSphere Client, select Workload Management, select a vCenter Server,
select Enable, select a cluster, and complete the wizard. In the wizard, you
need to configure the cluster, network, and storage settings.

vCenter Converter
VMware vCenter Converter (also called Converter Standalone) is a free
solution that automates the process of converting existing Windows and
Linux machines into virtual machines running in a vSphere environment. The
source machines can be physical servers or virtual machines in non-ESXi
environments. You can use Converter to convert virtual machines running in
VMware Workstation, VMware Fusion, Hyper-V, and Amazon EC2
Windows to virtual machines running in vSphere.
With Converter, you can hot clone Windows servers without disrupting users
of the source Windows Server. With hot cloning, you can minimize
downtime when converting existing Windows and Linux servers to virtual
machines running in vSphere.
Converter offers a centralized management console that allows users to queue
and monitor multiple simultaneous remote and local conversions.

vCenter Converter Use Cases

The following list identifies common use cases for vCenter Converter.

Creation of virtual machine templates based on existing servers

Physical-to-virtual server conversions
Virtual machine migrations from non-vSphere environments

vCenter Converter Integration

Converter is a standalone product that you can install on a Windows system.
You can install it locally on a Windows desktop or on a server instance. To
enable remote creation and management of tasks, you can install Converter’s
server and worker components on a Windows server in your data center and

Telegram Channel : @IRFaraExam

install the client component on multiple desktops. The server component
installs an agent component on each Windows source machine prior to hot
cloning.
In the Converter user interface, you can specify a vCenter Server as the
destination for a conversion operation. You must provide credentials with
sufficient privileges to create the virtual machine in the vSphere environment.

VMware vSphere Replication

VMware vSphere Replication is included in multiple editions of vSphere. See
the section “Replication and Disaster Recovery,” later in this chapter, for
details.

VMware SkyLine
VMware Skyline is a proactive support technology, developed by VMware
Global Services, that is available to customers with an active Production
Support or Premier Services agreement. Skyline helps you avoid problems
before they occur and reduces the amount of time spent on support requests.
The Skyline architecture includes a standalone on-premises virtual appliance
(Skyline Collector) for secure, automatic data collection. It also includes a
self-service web portal (Skyline Advisor) for accessing your VMware
inventory, proactive findings, recommendations, and risks. You can segment
data by factors, such as region and lines of business. You can use VMware
Cloud Services Console to control user access and permissions. With a
Premier Services agreement, you can access executive summary reports and
view more powerful recommendations.
You can use Skyline Advisor to access Skyline Log Assist, which
automatically (with your permission) uploads support log bundles to VMware
Technical Support and eliminates manual procedures for log gathering and
uploading. If you approve the request in Skyline Advisor, the requested logs
are automatically uploaded to VMware Support. Likewise, you can choose to
proactively push log files to VMware Support by using Log Assist within
Skyline Advisor.

VMware SkyLine Use Cases

Telegram Channel : @IRFaraExam

Skyline is commonly used to avoid issues and streamline resolution in a
vSphere environment.

VMware SkyLine Integration

See Chapter 10, “Managing and Monitoring Clusters and Resources,” for
instructions on configuring vCenter Server integration with Skyline Health.

vRealize Suite
This section covers the vRealize Suite, which is a set of products that
provides a layer for operations, automation, and analysis for software-defined
data centers and hybrid clouds.

vRealize Operations Manager (vROps)

vRA Use Cases

The following list identifies common use cases for vRA.

Self-service private and hybrid clouds: vRA provides a self-service

catalog for delivering IaaS in your on-premises vSphere environment,
private clouds built on VMware Cloud Foundation, and VMware Cloud
Foundation on AWS.
Multi-cloud automation with governance: An organization that uses

Telegram Channel : @IRFaraExam

vRA can extend self-service automation to multiple public clouds,
including Amazon Web Services, Microsoft Azure, and Google Cloud
Platform.
DevOps: vRA provides automation for continuous
integration/continuous development (CI/CD) pipelines.
Kubernetes automation: vRA can be used to automate Kubernetes
cluster and namespace provisioning management and support.

vRA Integration
To begin using vRA, you need to deploy a vRA instance to a management
vSphere cluster. A vRA 8.x deployment typically involves three vRA virtual
appliances and three VMware Identity Manager (vIDM) appliances. To
facilitate the deployment of these appliances, you can deploy and use the
vRealize Lifecycle Manager (LCM) appliance.
To provide vSphere automation using vRA 8.x, you need to add at least one
vCenter cloud account. (In vRA 7.x, you create a vSphere endpoint.) The
vCenter Server that you use for a cloud account manages the user workload
vSphere clusters. The cloud account provides the credentials that vRA uses to
connect to vCenter Server. Table 6-2 lists the required permissions for the
vCenter cloud account.
Table 6-2 Required Permissions for the vCenter Cloud Account
Object Permissions
Datastore

Allocate space

Browse datastore

Low level file operations

Telegram Channel : @IRFaraExam

Datastore cluster

Configure a datastore cluster

Folder
Create folder

Delete folder

Global
Manage custom attributes

Set custom attribute

Network
Assign network

Permissions
Modify permission

Resource
Assign VM to resource pool

Migrate powered-off virtual machine

Migrate powered-on virtual machine

Telegram Channel : @IRFaraExam

Content library
Add library item

Create local library

Create subscribed library

Delete library item

Delete local library

Delete subscribed library

Download files

Evict library item

Evict subscribed library

Probe subscription information

Read storage

Sync library item

Telegram Channel : @IRFaraExam

Sync subscribed library

Type introspection

Update configuration settings

Update files

Update library

Update library item

Update local library

Update subscribed library

View configuration settings

Tags
Assign or unassign vSphere tag

Create a vSphere tag

Create a vSphere tag category

Telegram Channel : @IRFaraExam

Delete vSphere tag

Delete vSphere tag category

Edit vSphere tag

Edit vSphere tag category

Modify UsedBy field for category

Modify UsedBy field for tag

vApp
Import

vApp application configuration.

Virtual machine inventory

Create from existing

Create new

Move

Telegram Channel : @IRFaraExam

Remove

Virtual machine interaction

Configure CD media

Console interaction

Device connection

Power off

Power on

Reset

Suspend

Tools install

Virtual machine configuration

Add existing disk

Add new disk

Add or remove

Telegram Channel : @IRFaraExam

Remove disk

Advanced

Change CPU count

Change resource

Extend virtual disk

Disk change tracking

Memory

Modify device settings

Rename

Set annotation

Settings

Swapfile placement

Telegram Channel : @IRFaraExam

Virtual machine provisioning
Customize

Clone template

Clone virtual machine

Deploy template

Read customization specs

Virtual machine state

Create snapshot

Remove snapshot

Revert to snapshot

vRealize Orchestrator (vRO)

vRO is a modern workflow automation platform that simplifies complex
infrastructure processes. It is a key component of vRA for providing custom
workflows within on-demand services and providing anything as a service
(XaaS). It can be used independently to run prebuilt workflows and to create
custom workflows. It automates management and operational tasks of
VMware and third-party systems, such as ticketing systems, change
management systems, and IT asset management systems.
In a vSphere environment, you may frequently perform some operational

Telegram Channel : @IRFaraExam

tasks. For example, say that you frequently receive requests to support the
update procedure for a complex application involving multiple virtual
machines. For each update, you are required to take the following actions:

Shut down the virtual machines, one by one, in a specific order, ensuring
that each shutdown operation completes prior to beginning the next
shutdown.
Create a snapshot of each virtual machine.
Power on the virtual machines, one by one, in a specific order, ensuring
that the guest OS and application services for each one are running prior
to beginning the next power on.
Inform the application team that the application is ready for update.
Following a successful update, delete the snapshots.

With vRO, you can build workflows to automate all or portions of such an
operation. For example, vRO provides out-of-the-box workflows for virtual
machine power and snapshot operations. You can build a custom workflow
that leverages the existing workflows as nested workflows. In the custom
workflow, you can add data input, conditional paths, looping, and
monitoring.

vRO Use Cases

vRO is commonly used to orchestrate common vSphere operations tasks,

orchestrate common data center infrastructure and application tasks, and
provide XaaS for a vRA environment.

vRO Integration
You can configure vRO 8.x to use vRA authentication or vSphere
authentication. To use vSphere authentication, in the vRO Control Center, set
Configure Authentication Provider > Authentication Mode to vSphere and
configure it to use the credentials of the local administrator account of the
vCenter Single Sign-On (SSO) domain ([email protected] by

Telegram Channel : @IRFaraExam

default). With vRO 8.x, you must use vCenter Server 6.0 or later. To add a
vCenter Server instance, you run the provided Add a vCenter Server Instance
workflow.

vRealize Network Insight (vRNi)

vRNi helps you build an optimized, highly available and secure network
infrastructure for hybrid clouds and multi-clouds. It accelerates
microsegmentation planning and implementation. It provides auditing for
changes to the security posture and helps you ensure compliance. It facilitates
troubleshooting across network infrastructure (virtual and physical) and
security infrastructure.
vRNi provides network visibility and analytics to accelerate
microsegmentation security, minimize risk during application migration,
optimize network performance, and manage NSX, SD-WAN VeloCloud, and
Kubernetes deployments.

vRNI Use Cases

The following list identifies common uses cases for vRNi.

Plan application security and migration: vRNi accelerates

microsegmentation deployment for private clouds and public clouds.
Optimize and troubleshoot virtual and physical networks: vRNi
enables you to reduce the mean time to resolution for application
connectivity issues, eliminate network bottlenecks, and audit network
and security changes.
Manage and scale NSX: vRNi covers multiple NSX Manager instances
and increases your availability by proactively detecting configuration
issues.

vRNI Integration
You can add VMware managers, such as vCenter Server, VMware NSX
Manager, and VMware NSX-T Manager, to vRNI for data collection. To add
a vCenter Server to vRNI as a data source, you need to have the following
privileges applied and propagated at the root level:

Telegram Channel : @IRFaraExam

System.Anonymous
System.Read
System.View
Global.Settings

To support IPFIX, you also need the Modify and Port Configuration
Operation privilege on the distributed switches and Modify and Policy
Operation on the distributed port groups.
To identify VM-to-VM paths, you must install VMware Tools in the virtual
machines.

Desktop and Application Virtualization

This section addresses VMware products for desktop and application
virtualization.

VMware Horizon
VMware Horizon is a platform for securely delivering virtual desktops and
applications in private clouds and hybrid clouds. It enables provisioning and
management of desktop pools that have thousands of virtual desktops each. It
streamlines the management of images, applications, profiles, and policies for
desktops and their users. It integrates with VMware Workspace ONE Access,
which establishes and verifies end-user identity with multifactor
authentication and serves as the basis for conditional access and network
microsegmentation policies for Horizon virtual desktops and applications.
Horizon includes instant clones which work with VMware Dynamic
Environment Manager and VMware App Volumes to dynamically provide
just-in-time (JIT) delivery of user profile data and applications to stateless
desktops.
Horizon provisions large pools of virtual desktops from a small set of base
virtual desktops by integrating with vCenter Server. Horizon makes the
provisioning requests, which are carried out by vCenter Server in the
appropriate vSphere clusters. vSphere provides the environment, including
the compute, storage, and network resources for running the virtual desktops.

Telegram Channel : @IRFaraExam

With vSphere DRS and vSphere HA, it provides load balancing and high
availability.

VMware Horizon Use Cases

The following list identifies common use cases for VMware Horizon.

Remote users
Kiosk and task users
Call center
Bring-your-own-device (BYOD) deployments
Graphics-intensive applications

VMware Horizon Integration

To get started with Horizon, in the vSphere environment, you need to prepare
vSphere clusters to be used as resources for virtual desktop provisioning. You
must add vCenter Server instances using the Horizon console. When adding
the vCenter Server instance, you need to provide the vCenter Server address
and appropriate user credentials. You can use the administrator account in the
SSO domain ([email protected] by default) or, preferably, an
account that is assigned the minimum privileges. Table 6-3 provides the
required privileges when you are not using instant clones. The use of instant
clones requires additional privileges, such as all virtual machine
configuration and inventory privileges.
Table 6-3 Required vCenter Server Privileges for Horizon (without instant
clones)
Privilege Group Privileges to Enable
Folder
Create Folder

Telegram Channel : @IRFaraExam

Delete Folder

Datastore
Allocate space

Virtual Machine In Configuration:

Add or remove device

Advanced

Modify device settings

In Interaction:

Power off

Power on

Reset

Suspend

Telegram Channel : @IRFaraExam

Perform wipe or shrink
operations

In Inventory:

Create new

Create from existing

Remove

In Provisioning:

Customize

Deploy template

Read customization
specifications

Clone template

Telegram Channel : @IRFaraExam

Clone virtual machine

Resource Assign virtual machine to

resource pool
Global Act as vCenter Server
Host (for Storage Accelerator) Advanced settings (in
Configuration)
Profile Driven Storage (for vSAN or All privileges
Virtual Volumes)

App Volumes
VMware App Volumes is a set of application and user management solutions
for VMware Horizon, Citrix Virtual Apps and Desktops, and Remote
Desktop Services Host (RDSH) virtual environments. It streamlines your
ability to deliver, update, assign, and manage applications and users across
virtual desktop infrastructure (VDI) and published application environments.
With App Volumes, you install an application once, using a provisioning
computer, collect the application components in AppStacks, and centrally
control the mapping of AppStacks to desktops.
AppStacks and companion writable volumes are stored in virtual disk files
and attached to virtual machines to deliver applications. Updates to
applications involve updating or replacing AppStacks or their mappings to
desktops.
In RDSH environments, applications are installed on servers and delivered
via Remote Desktop. Using App Volumes with RDSH simplifies the
installation and management of the application on the server. Instead of
attaching AppStacks to desktops, you attach AppStacks to RDSH servers and
allow RDSH to deliver the application to the user.

App Volumes Use Cases

Telegram Channel : @IRFaraExam

The following list identifies common use cases for App Volumes.

Application virtualization in VMware Horizon VDI environments

Application virtualization in Citrix XenDesktop and XenApp
environments
Virtualization for RDSH-delivered applications

App Volumes Integration

In the App Volumes management console, you can add and register a vCenter
Server as a machine manager. To register vCenter Server and to allow App
Volumes Manager to function, you must allow the privileges listed in Table
6-4.
Table 6-4 Required vCenter Server Privileges for App Volumes Manager
Privilege Group Privileges to Enable
Datastore
Allocate space

Browse datastore

Low level file operations

Remove file

Update virtual machine files

Global Cancel task

Host (Local Operations) Reconfigure virtual machine

Telegram Channel : @IRFaraExam

Sessions View and stop sessions
Tasks Create task
Virtual machine In Configuration:

Add existing disk

Add new disk

Add or remove device

Query unowned files

Change resource

Remove disk

Settings

Advanced

In Inventory:

Telegram Channel : @IRFaraExam

Create new

Move

Remove

Unregister

In Provisioning:

Promote disks

Replication and Disaster Recovery

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topics
icon in the outer margin of the page. Table 6-6 lists these key topics and the
page number on which each is found.

Table 6-6 Key Topics for Chapter 6

Key Topic Element Description Page Number
List Use cases for vSphere with Tanzu 204
List Use cases for vROps 207
List Use cases for vRA 210
List Use cases for vRO 214
List Use cases for Horizon 216
List Use cases for App Volumes 218
List Use cases for AppDefense 227
List Use cases for NSX 229

Complete Tables and Lists from Memory

Define Key Terms

Define the following key terms from this chapter and check your answers in

Review Questions
1. You want to build custom workflows to support XaaS. Which
product should you use?
a. vRLI
b. vRO
c. vROps
d. App Volumes
2. You need to provide virtual desktops and applications to remote
users and call centers. Which product should you implement?
a. VCF
b. vRealize Suite
c. AppDefense
d. Horizon
3. You want to configure vSphere Replication using the vSphere
Client. Which of the following is the correct navigation path?
a. Home > vCenter Server > vSphere Replication
b. Home > Site Recovery > Open Site Recovery
c. Home > Host and Clusters > Replications
d. Home > Administration > Replication

Telegram Channel : @IRFaraExam

Chapter 7

vSphere Security
This chapter covers the following subjects:

vSphere Certificates
vSphere Permissions
ESXi and vCenter Server Security
vSphere Network Security
Virtual Machine Security
Available Add-on Security

This chapter contains information related to Professional VMware vSphere

7.x (2V0-21.20) exam objectives 1.10, 1.11, 4.10, 4.11, 4.11.1, 4.13, 7.7, and
7.8.

This chapter covers topics related to hardening a vSphere environment.

FIGURE 7-1 VMCA as an Intermediate CA

You can replace the existing VMCA-signed certificates with custom

certificates. If you do so, you bypass VMCA and become responsible for all
certificate provisioning and monitoring.
VMware recommends that you replace only the SSL certificate that provides

Telegram Channel : @IRFaraExam

encryption between nodes. VMware does not recommend replacing either
solution user certificates or STS certificates. VMware does not recommend
using a subordinate CA in place of VMCA. If you fail to follow these
recommendations, you might encounter significant complexity and an
increase in your operational risk. Table 7-3 summarizes VMware’s
recommended modes for managing certificates.
Table 7-3 Recommended Modes for Managing Certificates
Mode Description Advantages
VMCA VMCA provides all the certificates for Lowest-overhead
Default vCenter Server and ESXi hosts. option. VMCA
Certificate manages the
s certificate life
cycle for vCenter
Server and ESXi
hosts.
VMCA You replace the vCenter Server SSL VMCA manages
Default certificates and allow VMCA to internal
Certificate manage certificates for solution users certificates, but
s with and ESXi hosts. Optionally, for high- you get the benefit
External security-conscious deployments, you of using your
SSL can replace the ESXi host SSL corporate-
Certificate certificates as well. approved trusted
s (hybrid SSL certificates.
mode)

Certificate Requirements
The following requirements apply to all imported certificates:

The key size is 2048 bits to 16,384 bits.

VMware supports PKCS8 and PKCS1 (RSA key) PEM formats. When
you add keys to VECS, they are converted to PKCS8.
x509 Version 3 is required.
SubjectAltName must contain DNS Name=machine_FQDN.

Telegram Channel : @IRFaraExam

CRT format is required.
The digital signature and key encipherment keys are available.
Enhanced Key Usage can either be empty or contain Server
Authentication.

VMCA does not support the following certificates:

Certificates with wildcards

The algorithms md2WithRSAEncryption 1.2.840.113549.1.1.2,
md5With-RSAEncryption 1.2.840.113549.1.1.4, and
sha1WithRSAEncryption 1.2.840.113549.1.1.5
The algorithm RSASSA-PSS with OID 1.2.840.113549.1.1.10

If you do not generate certificate signing requests (CSRs) using Certificate

Manager, you need to ensure that a CSR includes the fields listed in Table 7-
4.
Table 7-4 Required Fields for a CSR
String X.500 Attribute Type
CN commonName
L localityName
ST stateOrProvinceName
O organizationName
OU organizationalUnitName
C countryName
STREET streetAddress
DC domainComponent
UID userid
If you use VMCA as an intermediate CA, you can use the vSphere Certificate
Manager to create a CSR or you can create a CSR manually. When you
create a CSR manually, in addition to the previously stated requirements, you

Telegram Channel : @IRFaraExam

should consider the requirements in Table 7-5, which are based on the
specific certificate types.
Table 7-5 Requirements for Certificates When VMCA Is an Intermediate CA
Certificate Additional Requirements
Type
Root Set CA extension to true and include CertSign. For
certificate example, use the following in the CSR:

basicConstraints = critical, CA:true

keyUsage = critical, digitalSignature,keyCertSign

Machine No additional requirements
SSL
certificate
Solution Use a different Name value for each solution user, which
user may appear as CN under Subject, depending on the tool
certificate

Note
Do not use CRL distribution points, authority information access, or
certificate template information in any custom certificates.

VMCA provisions an environment with certificates, including machine SSL

certificates for secure connections, solution user certificates for service
authentication with vCenter Single Sign-On, and ESXi host certificates (see
Table 7-6).
Table 7-6 Certificates in vSphere
Certificate Provis Details
ioned

Telegram Channel : @IRFaraExam

ESXi certificate VM Stored locally on an ESXi host in the
CA /etc/vmware/ssl directory when the host is first
(def added to vCenter Server and when it reconnects.
ault)
Machine SSL VM Stored in VECS.
certificate CA
(def
ault) Used to create SSL sockets for SSL client
connections, for server verification, and for
secure communication such as HTTPS and
LDAPS.

Used by the reverse proxy service, the vCenter

Telegram Channel : @IRFaraExam

FIGURE 7-2 vSphere Inventory Hierarchy

An object might have multiple permissions but only one permission for each
user or group. In other words, you cannot assign to an object two permissions
that specify the same group. If multiple permissions are applied to a specific
object using multiple groups and if a specific user belongs to more than one

Telegram Channel : @IRFaraExam

of these groups, then the effective permission for that user on that object is
the union of the privileges in applicable roles.
Privileged users can define permissions on managed objects including the
following:

Clusters
Data centers
Datastores
Datastore clusters
Folders
Hosts
Networks (except vSphere Distributed Switches)
Distributed port groups
Resource pools
Templates
Virtual machines
vSphere vApps

Privileges and Roles

Privileges are the lowest-level access controls, and they can be used to define
the actions that a user can take on an object in the vSphere inventory. Table
7-8 lists some of the available privilege categories and a few sample
privileges in each category.
Table 7-8 Sample Privileges
Category Sample Privileges
Virtual machine Virtual Machine.Configuration.Add Existing
configuration Disk
Virtual Machine.Configuration.Add New Disk
Virtual Machine.Configuration.Change CPU

Telegram Channel : @IRFaraExam

Count
Datastore Datastore.Allocate Space
Datastore.Browse Datastore
Datastore.Remove File
Virtual machine Virtual Machine.Snapshot Management.Create
snapshot Snapshot
Virtual Machine.Snapshot
Management.Rename Snapshot
Virtual Machine.Snapshot Management.Revert
to Snapshot
A role is composed of a set of privileges. Out of the box, the vCenter Server
provides many roles. You cannot modify the vCenter Server system roles,
which are described in Table 7-9. You can modify the sample roles, but
VMware recommends that you not modify these roles directly but instead
clone the roles and modify the clones to suit your case.

Note
Changes to roles take effect immediately, even for users who are
currently logged in to vCenter Server. One exception is with searches,
where a change is not realized until the next time the user logs in to
vCenter Server.

Table 7-9 System Roles in vCenter Server 7.0

Telegram Channel : @IRFaraExam

Ad Includes all privileges of the read-only role and allows the user to
mi view and perform all actions on the object. If you have the
nis administrator role in an object, you can assign privileges to
trat individual users and groups. If you have the administrator role in
or vCenter Server, you can assign privileges to users and groups in the
default SSO identity source. By default, the
[email protected] user has the administrator role in both
vCenter Single Sign-On and vCenter Server.
No Prevents users from viewing or interacting with the object. New
acc users and groups are effectively assigned this role by default.
ess
No Includes all privileges of the administrator role, except for
cry cryptographic operations privileges. This role allows administrators
pto to designate users who can perform all administrative tasks except
gra encrypting or decrypting virtual machines or accessing encrypted
ph data.
y
ad
mi
nis
trat
or
Tr Allows users to perform VMware vSphere Trust Authority
ust operations on some objects. Membership in the TrustedAdmins
ed group is required for full vSphere Trust Authority capabilities.
inf
ras
tru
ctu
re
ad
mi
nis
trat
or
rol

Telegram Channel : @IRFaraExam

e
These are the sample roles in vCenter Server 7.0:

Resource pool administrator (sample)

Virtual machine user (sample)
VMware consolidated backup user (sample)
Datastore consumer (sample)
Network administrator (sample)
Virtual machine power user (sample)
Content library administrator (sample)
Content library registry administrator (sample)

To get familiar with the privileges in a sample role, you can edit the role and
explore the privileges that are included in the role. For example, if you edit
the virtual machine console user role, you see that it only includes some
privileges in the Virtual Machine > Interaction category and no other
privileges. Specifically, it includes only these privileges:

Answer Question
Configure CD media
Configure floppy media
Connect devices
Console interaction
Install VMware tools
Power off
Power on
Reset
Suspend

Telegram Channel : @IRFaraExam

Note
If you create a role, it does not inherit privileges from any of the
system roles.

Permissions
The permissions model for vCenter Server systems relies on assigning
permissions to objects in the object hierarchy. A permission is the assignment
of a user (or group) and a role to an inventory object. A permission is set on
an object in the vCenter object inventory. Each permission associates the
object with a group (or user) and a role, as illustrated in Figure 7-3. For
example, you can select a virtual machine object, add one permission that
gives the read-only role to Group 1, and add a second permission that gives
the administrator role to User 2.

FIGURE 7-3 vSphere Permission Diagram

Global Permissions
Most entities that appear in the vCenter Server inventory are managed objects
whose access can be controlled using permissions. You cannot modify

Telegram Channel : @IRFaraExam

permissions on entities that derive permissions from the root vCenter Server
system, such as the following:

Custom fields
Licenses
Roles
Statistics intervals
Sessions

The global root object is used to assign permissions across solutions. The
vCenter Server is an example of a solution, and it is attached as a child to the
global root object in the hierarchy. The content library and tag category
objects are also attached as children to the global root object. Global
permissions are permissions that are applied to the global root object and
span solutions. For example, a global permission can be applied to both
vCenter Server and vRealize Orchestrator. Each solution has its own root
object in the hierarchy, whose parent is the global root object. You can give a
group of users read permissions to all objects in both object hierarchies.

Best Practices for Roles and Permissions

VMware recommends the following best practices when configuring roles
and permissions in a vCenter Server environment:

Where possible, assign roles to groups rather than to individual users.

Grant permissions to users (groups) only on the objects where they are
required. Use the minimum permissions to meet the required
functionality.
If you assign a restrictive role to a group, check to ensure that the group
does not contain the administrator user or other users who require
administrative privileges.
Use folders to group objects. For example, to grant modify permission
on one set of hosts and view permission on another set of hosts, place
each set of hosts in a folder.

Telegram Channel : @IRFaraExam

Use caution when adding a permission to the root vCenter Server
objects. Users with privileges at the root level have access to global data
on vCenter Server, such as roles, custom attributes, and vCenter Server
settings.
Consider enabling propagation when you assign permissions to an
object. Propagation ensures that new objects in the object hierarchy
inherit permissions. For example, you can assign a permission to a
virtual machine folder and enable propagation to ensure that the
permission applies to all VMs in the folder.
Use the no access role to mask or hide specific areas of the hierarchy.
The no access role restricts access for the users or groups with that role.

Note
Changes to licenses propagate to all linked vCenter Server systems in
the same vCenter Single Sign-On domain.

Required Privileges for Common Tasks

Many tasks require permissions on multiple objects in the inventory.
Consider the following:

To perform any operation that consumes storage space, such as taking a

snapshot, you must have the Datastore.Allocate Space privilege on the
target datastore in addition to having the directly required privileges on
the major object.
Moving an object in the inventory hierarchy requires appropriate
privileges on the object itself, the source parent object (such as a folder
or cluster), and the destination parent object.
Deploying a virtual machine directly to a host or cluster requires the
Resource.Assign Virtual Machine to Resource Pool privilege because
each host or cluster has its own implicit resource pool.

Table 7-10 shows the required privileges for a few common tasks.

Telegram Channel : @IRFaraExam

Table 7-10 Required Permissions for Common Tasks
Task Required Privileges
Create a virtual machine On the destination folder or in the data
center:

Virtual Machine.Inventory.Create New

Virtual Machine.Configuration.Add New

Disk

Virtual Machine.Configuration.Add
Existing Disk

Virtual Machine.Configuration.Raw
Device

On the destination host or cluster or in

the resource pool:

Resource.Assign Virtual Machine to

Resource Pool

On the destination datastore or in the

datastore folder:

Telegram Channel : @IRFaraExam

Datastore.Allocate Space

On the network:

Network.Assign Network

Deploy a virtual machine On the destination folder or in the data

from a template center:

Virtual Machine.Inventory.Create from

Existing

Virtual Machine.Configuration.Add New

Disk

On a template or in a template folder:

Virtual Machine.Provisioning.Deploy
Template

On the destination host or cluster or in

the resource pool:

Telegram Channel : @IRFaraExam

Resource.Assign Virtual Machine to
Resource Pool

On the destination datastore or in a

datastore folder:

Datastore.Allocate Space

On the network that the virtual machine

will be assigned to:

Network.Assign Network

Take a virtual machine On the virtual machine or in a virtual

snapshot machine folder:

Virtual Machine.Snapshot
Management.Create Snapshot

On the destination datastore or in a

datastore folder:

Datastore.Allocate Space

Telegram Channel : @IRFaraExam

Move a virtual machine into a On the virtual machine or in a virtual
resource pool machine folder:

Resource.Assign Virtual Machine to

Resource Pool

Virtual Machine.Inventory.Move

In the destination resource pool:

Resource.Assign Virtual Machine to

Resource Pool

Install a guest operating On the virtual machine or in a virtual

system on a virtual machine machine folder:

Virtual Machine.Interaction.Answer
Question

Virtual Machine.Interaction.Console
Interaction

Virtual Machine.Interaction.Device
Connection

Telegram Channel : @IRFaraExam

Virtual Machine.Interaction.Power Off

Virtual Machine.Interaction.Power On

Virtual Machine.Interaction.Reset

Virtual Machine.Interaction.Configure CD
Media

Virtual Machine.Interaction.Configure
Floppy Media

Virtual Machine.Interaction.Tools Install

On a datastore containing the installation

media ISO image:

Datastore.Browse Datastore

On the datastore to which you upload the

installation media ISO image:

Datastore.Browse Datastore

Datastore.Low Level File Operations

One cluster exists in the inventory, and it contains host-01 and host-02.
The user account User-A is a member of groups Group-01 and Group-
02.
The user account User-B is a member of group Group-01.
The user account User-C is a member of group Group-02.
The user account User-D is a member of groups Group-01 and Group-
03.
The user account User-E is a member of groups Group-02 and Group-04.

Propagate to Child Objects is enabled for each of the following permissions:

Telegram Channel : @IRFaraExam

A permission assigns Group-01 the administrator role on the cluster.
A permission assigns Group-02 the administrator role on host-01.
A permission assigns Group-02 the read-only role on host-02.
A permission assigns User-D the read-only role on the cluster.
A permission assigns Group-03 the no access role on host-02.
A permission assigns Group-04 the read-only role on host-01.
A permission assigns Group-04 the no access role on host-02.

In this scenario, the following effective permissions apply:

User-A:
Can perform all tasks on the cluster object
Can perform all tasks on the host-01 object
Can only view the host-02 object

User-B:
Can perform all tasks on the cluster object
Can perform all tasks on the host-01 object
Can perform all tasks on the host-02 object

User-C:
Cannot view or perform any task on the cluster object
Can perform all tasks on the host-01 object
Can only view the host-02 object

User-D
Can only view the cluster object
Can only view the host-01 object
Cannot view or perform any task on the host-02 object

Telegram Channel : @IRFaraExam

User-E
Cannot view or perform any task on the cluster object
Can perform all tasks on the host-01 object
Cannot view or perform any task on the host-02 object

ESXi and vCenter Server Security

ESXi has many built-in security features, such as CPU isolation, memory
isolation, and device isolation. An ESXi host is protected with a firewall that
is intended to permit only required network traffic. Starting with vSphere 6.0,
ESXi hosts participate in the certificate infrastructure and, by default, are
provisioned with certificates that are signed by VMCA.
Optionally, you can further harden ESXi by configuring features such as
lockdown mode, certificate replacement, and smart card authentication for
enhanced security. You should consider limiting direct access to ESXi hosts,
using security profiles, using host profiles, and managing certificates. In
addition, you can take other security measures, such as using multiple
networks to segregate ESXi network functions and implementing UEFI
Secure Boot for ESXi hosts

Built-in Security Features

The following list identifies some vSphere built-in security features.

ESXi Shell and SSH are disabled by default.

By default, ESXi runs only services that are essential to managing its
functions.
By default, all ports that are not required for management access to the
host are closed.
By default, weak ciphers are disabled and communications from clients
are secured by SSL. Default certificates created on ESXi use PKCS#1
SHA-256 with RSA encryption as the signature algorithm.

Telegram Channel : @IRFaraExam

A Tomcat web service is used internally by ESXi to support access by
web clients. ESXi is not vulnerable to the Tomcat security issues
reported in other use cases because the service has been modified to run
only functions that a web client requires for administration and
monitoring.
VMware monitors all security alerts that can affect ESXi security and
issues security patches when needed.
Secure services such as SSH and SFTP are available and should be used
instead of insecure counterparts, such as Telnet and FTP.
ESXi provides the option of using UEFI Secure Boot.
When a TPM 2.0 chip is available in the hardware and configured in the
system BIOS, ESXi works with Secure Boot to enhance security and
trust assurance rooted in hardware.

Security Profiles
You can customize many of the essential security settings for a host through
the Security Profile panel in the vSphere Client. You can use security profiles
to customize services and configure the ESXi firewall. Table 7-11 describes
the services that are available to you to view and manage using the vSphere
Client for a default vSphere installation, along with the default state for each
of them. You can use the vSphere Client to start, stop, and restart individual
services.
Table 7-11 ESXi Security Profile Services
Service Defau Description
lt
State
Direct Console Run Allows you to interact with an ESXi host
User Interface ning from the local console host using text-based
(DCUI) menus
ESXi Shell Sto Is available from the DCUI or from SSH
ppe
d

vSphere Trust Authority (vTA)

Telegram Channel : @IRFaraExam

In an environment where TPM attestation is used, you can implement the
vSphere Trust Authority (vTA), which uses its own management cluster to
serve as a hardware root of trust. Ideally the vTA trusted hosts cluster is small
and separate from all other clusters and has very few administrators. In
vSphere 6.7, you can leverage TPM and vCenter Server to identify hosts that
failed attestation, but you cannot automatically prevent secured/encrypted
workloads from migrating to those hosts. Also, you cannot encrypt vCenter
Server. In vSphere 7.0 with vTA, you can enable the trusted hosts cluster to
handle the attestation of other hosts and to take over the distribution of the
encryption keys from the key management servers (KMSs). This removes
vCenter Server from the critical path for key distribution and enables you to
encrypt vCenter Server. A trusted infrastructure consists of at least one
vSphere Trust Authority cluster, at least one Trusted cluster, and at least one
external KMIP-compliant KMS, as illustrated in Figure 7-5, which is a
diagram from the VMware vSphere 7.0 Security Guide.

FIGURE 7-5 vSphere Trusted Authority Architecture

Telegram Channel : @IRFaraExam

access to the network where vMotion operates.

Firewalls
You can use traditional (physical) firewalls, virtual machine–based firewalls,
and hypervisor-based firewalls (such as NSX Distributed Firewall) to protect
traffic to and from the vCenter Server, ESXi hosts, virtual machines, and
other vSphere components. Ideally, you could use firewalls to allow only the
required traffic between specific vSphere components, virtual machines, and
network segments.

Segmentation and Isolation

You should keep different virtual machine zones within a host on different
network segments to reduce the risk of data leakage and threats. Such threats
include Address Resolution Protocol (ARP) spoofing, in which an attacker
manipulates the ARP table to remap MAC and IP addresses and gains access
to network traffic to and from a host. Attackers use ARP spoofing to generate
MITM attacks, perform denial of service (DoS) attacks, and hijack the
systems. You can implement segmentation by using one of two approaches:

Use separate physical network adapters for virtual machine zones:

isolation.tools.unity.push.update.disable
isolation.tools.ghi.launchmenu.change
isolation.tools.memSchedFakeSampleStats.disable
isolation.tools.getCreds.disable
isolation.tools.ghi.autologon.disable
isolation.bios.bbs.disable
isolation.tools.hgfsServerSet.disable

Other Common Settings

You should consider the following settings, which are commonly set to
address specific potential security threats:

Disk shrinking: Because disk shrinking, which involves reclaiming

unused disk space from a virtual machine, can take considerable time to
complete and its invocation can result in a temporary denial of service,
you should disable disk shrinking by using the following lines in the
VMX file:
Click here to view code image

Telegram Channel : @IRFaraExam

isolation.tools.diskWiper.disable = "TRUE"

isolation.tools.diskShrink.disable = "TRUE"

Copying and pasting: Copy and paste operations are disabled by default
in new virtual machines. In most cases, you should retain this default to
ensure that one user of the virtual machine console cannot paste data that
was originally copied from a previous user. Ensure that the following
lines remain in the VMX files:
Click here to view code image
isolation.tools.copy.disable = "TRUE"

isolation.tools.paste.disable = "TRUE"

Connecting devices: By default, the ability to connect and disconnect

devices is disabled. One reason is to prevent one user from accessing a
sensitive CD-ROM device that was left in the drive. Another reason is to
prevent users from disconnecting the network adapter, which could lead
to denial of service. Ensure that the following lines remain in the VMX
file:
Click here to view code image
isolation.device.connectable.disable = "TRUE"

isolation.device.edit.disable = "TRUE"

Logging: Uncontrolled virtual machine logging could lead to denial of

service if the associated datastore runs out of disk space. VMware
recommends keeping 10 log files. To set this on a virtual machine, set
the following in the VMX file:
vmx.log.keepOld = "10"

Alternatively, to limit the number of log files for virtual machines on an ESXi
host, add the previous line to the host’s /etc/vmware/config file. A more
aggressive measure is to disable virtual machine logging with the following
statement in the VMX file:
logging = "FALSE"

Telegram Channel : @IRFaraExam

VMX file size: By default, the size of each VMX file is 1 MB because
uncontrolled file sizes can lead to denial of service if the datastore runs
out of disk space. Occasionally, setinfo messages that define virtual
machine characteristics or identifiers are sent as name/value pairs from
the virtual machine to the VMX file. If needed, you can increase the size
of the VMX file limit by using the following statement in the VMX file
and replacing the numeric value with a larger value:
Click here to view code image
tools.setInfo.sizeLimit = "1048576"

If tools.setInfo.sizeLimit is not set in the virtual machine’s advanced options,

the default size applies. In most cases, you can keep the default setting as a
security measure.

Performance counters: VMware Tools provides performance counters

on CPU and memory from the ESXi host into the virtual machine for use
by PerfMon. This feature is disabled by default because an adversary
could potentially make use of this information to attack the host. Ensure
that the following line remains in the VMX files, as it blocks some (but
not all) performance metrics:
Click here to view code image
tools.guestlib.enableHostInfo = "FALSE"

Virtual Machine Risk Profiles

VMware’s vSphere 6.0 Hardening Guide provides guidelines for addressing
vulnerabilities based on risk profiles. When you can apply this hardening
guide to your environment, the first step is to apply the appropriate risk
profile, based on the sensitivity of your environment and data. The hardening
guide offers three risk profiles:

Risk Profile 1: Intended to be implemented in just the most secure

environments, such as top-secret government environments.
Risk Profile 2: Intended to be implemented in sensitive environments to
protect sensitive data such as data that must adhere to strict compliance

Telegram Channel : @IRFaraExam

rules.
Risk Profile 3: Intended to be implemented in all production
environments.

virtual machine, the following events occur:

The vCenter Server requests a new key from the default KMS to use as
the KEK.
The vCenter Server stores the key ID and passes the key to the ESXi
host. If the host is part of a cluster, vCenter Server sends the KEK to
each host in the cluster.
The key itself is not stored on the vCenter Server system. Only the key
ID is known.
The ESXi host generates internal keys (DEKs) for the virtual machine
and its disks. It uses the KEKs to encrypt internal keys and keeps the
internal keys in memory only (never on disk). Only encrypted data is
stored on disk.
The ESXi host uses the encrypted internal keys to encrypt the virtual
machine.
Any hosts that can access the encrypted key file and the KEK can
perform operations on the encrypted virtual machine or disk.

Encrypted vSphere vMotion

Encrypted vSphere vMotion provides confidentiality, integrity, and
authenticity of the data that is transferred with vSphere vMotion. Starting
with vSphere 6.5, vSphere vMotion uses encryption when migrating
encrypted virtual machines. You cannot turn off encrypted vSphere vMotion
for encrypted virtual machines. For virtual machines that are not encrypted,
you can set Encrypted vMotion to one of the following states:

Disabled: Do not use encrypted vSphere vMotion.

Opportunistic: Use encrypted vSphere vMotion if the source and target
hosts support it. (This is the default.)
Required: If the source or destination host does not support encrypted
vSphere vMotion, do not allow migration with vSphere vMotion.

Telegram Channel : @IRFaraExam

The following rules concerning encrypted vMotion across vCenter Server
instances apply:

You must use the vSphere APIs.

Encrypted vMotion of unencrypted and encrypted virtual machines is
supported.
The source and destination vCenter Server instances must share the KMS
cluster that was used to encrypt the virtual machine.
The name of the shared KMS cluster must be the same on each vCenter
Server instance.
You must have the Cryptographic Operations.Migrate privilege on the
virtual machine.
You must have the Cryptographic Operations.EncryptNew privilege on
the destination vCenter Server.
If the destination ESXi host is not in safe mode, then you also need the
Cryptographic Operations.RegisterHost privilege on the destination
vCenter Server.
You cannot change the virtual machine storage policy or perform a key
change.

Note
Only ESXi Versions 6.5 and later use encrypted vSphere vMotion.

When using vTA, the following requirements apply:

Health Insurance Portability and Accountability Act (HIPAA)

Payment Card Industry Data Security Standard (PCI DSS)
CIS security standards
Defense Information Systems Agency (DISA) security standards
Federal Information Security Management Act (FISMA) security
standards
International Organization for Standardization (ISO) security standards

vROps collects compliance data from vSphere objects, generates compliance

alerts, and creates reports based on the compliance results.

vSphere 7.0 environment.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you
should study this entire chapter or move quickly to the “Exam Preparation
Tasks” section. In any case, the authors recommend that you read the entire
chapter at least once. Table 8-1 outlines the major headings in this chapter
and the corresponding “Do I Know This Already?” quiz questions. You can
find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’
Quizzes and Review Questions.”
Table 8-1 “Do I Know This Already?” Foundation Topics Section-to-
Question Mapping
Foundations Topics Section Questions Covered in This
Section

Telegram Channel : @IRFaraExam

Installing ESXi hosts 1, 2
Deploying vCenter Server 3, 4
Components
Configuring Single Sign-On (SSO) 5–7
Initial vSphere Configuration 8–10

1. You are preparing to deploy vSphere 7.0. Which of the following is

a prerequisite for installing ESXi interactively?
a. Download the ESXi installer ISO.
b. Download the ESXi installer OVF.
c. Download the GUI installer for Windows or Mac.
d. Download the ESXi MSI.
2. You are preparing to do a scripted installation of ESXi 7.0. Where
is the default installation script located?
a. /etc/vmware/weasel/ks.py
b. /etc/vmware/weasel/ks.cfg
c. /etc/vmware//ks.cfg
d. /etc/vmware/ks.py
3. You are preparing to install vCenter Server 7.0 using a deployment
command. To perform a pre-deployment check, which command
should you use?
a. vcsa-deploy-precheck path-to-JSON-file
b. vcsa-deploy install --precheck path-to-JSON-file
c. vcsa-deploy install --verify-only path-to-JSON-file
d. vcsa-deploy precheck path-to-JSON-file
4. You are installing vSphere 7.0 and want to document the location
of certificates. Where are the ESXi certificates stored?
a. Locally on the ESXi hosts

Telegram Channel : @IRFaraExam

b. In the VECS
c. In the vCenter Server database
d. In the VMCA
5. You are adding an OpenLDAP authentication source for your
recently deployed vCenter Server. Which of the following is not a
requirement?
a. All users must have the object of class inetOrgPerson.
b. All groups must have the object of class groupOfUniqueNames.
c. All groups must have the group membership attribute
uniqueMember.

d. All users must be members of the OpenLDAP group.

6. You are deploying a new vSphere environment and need to control
which users can manage certificates. Which vCenter Server Single
Sign-On domain group membership should you manipulate?
a. DCAdmins
b. SolutionUsers
c. CAAdmins
d. SystemConfiguration_Administrators
7. You are adding an Active Directory (integrated Windows
authentication) identity source and want to ensure that future
machine name changes do not cause issues. Which of the following
allows you to do this?
a. Select Use Service Principal Name (SPN) and provide a UPN.
b. Select Use Machine Account and provide a UPN.
c. Select Use Service Principal Name (SPN) and provide a base
DN for users.
d. Select Use Machine Account and provide a base DN for users.
8. You are deploying vCenter Server in a secured network that has no
Internet access. What do you need to install in order to download

Telegram Channel : @IRFaraExam

updates?
a. Update Manager Download Service
b. Update Manager Proxy Service
c. Lifecycle Manager Download Service
d. Lifecycle Manager Proxy Service
9. You are implementing vCenter HA. How will you connect the
nodes to the vCenter HA network?
a. Connect NIC 1 on the Active and Passive nodes and NIC 0 to
the vCenter HA network. Do not connect the Witness node to
the vCenter HA network.
b. Connect NIC 1 on the Active and Passive nodes and NIC 0 on
the Witness node to the vCenter HA network.
c. Connect NIC 0 on the Active, Passive, and Witness nodes to
the vCenter HA network.
d. Connect NIC 1 on the Active, Passive, and Witness nodes to
the vCenter HA network.
10. You are installing new ESXi hosts and want to configure boot
options. Which of the following kernelopt options has been
deprecated in ESXi 7.0?
a. autoCreateDumpFile
b. autoPartitionCreateUSBCoreDumpPartition
c. skipPartitioningSsds
d. autoPartitionOnlyOnceAndSkipSsd

Foundation Topics

Installing ESXi Hosts

To begin a vSphere deployment, you should install and configure at least one
ESXi host using the information in this section. Optionally, you can apply the

Telegram Channel : @IRFaraExam

information here to install and configure additional ESXi hosts. In many
cases, administrators choose to deploy the first ESXi host and then deploy
vCenter Server and use vCenter Server along with other tools, such as host
profiles, to facilitate the deployment and configuration of the remaining ESXi
hosts.
You have several choices for installing ESXi, such as using the interactive
wizard, using scripts, and using Auto Deploy. These choices are covered in
this section. Using host profiles to configure ESXi hosts after installation is
discussed later in this chapter.

Installing ESXi Interactively

You can use the following procedure—which is very useful in small
environments with fewer than five ESXi hosts—to install ESXi interactively:

Step 1. Verify that all the target machine hardware is supported and meets
minimum requirements.
Step 2. Gather and record the information that will be required during the
installation (see Table 8-2).
Table 8-2 Information Required for ESXi Installation
Information Required or Optional Details
Keyboard layout Required Default: US English
VLAN ID Optional Range: 0–4094

Default: None
IP address Optional Default: DHCP
Subnet mask Optional Default: Based on the
configured IP address
Gateway Optional Default: Based on the
configured IP address
and subnet mask

Telegram Channel : @IRFaraExam

Primary DNS Optional Default: Based on the
configured IP address
and subnet mask
Secondary DNS Optional Default: None
Host name Required for static IP Default: None
settings
Install location Required At least 5 GB if you
install on a single disk

Default: None
Migrate existing Required if you are Default: None
ESXi settings; installing ESXi on a drive
preserve VMFS with an existing ESXi
datastore installation
Root password Required Must contain at least 8
to 40 characters and
meet other
requirements

Default: None

Step 3. Verify that the server hardware clock is set to UTC. This setting is
in the system BIOS.
Step 4. Download the ESXi installer ISO and prepare the hardware system
to boot from it.
Step 5. Start the machine so that it boots from the ESXi installer.
Step 6. On the Select a Disk page, select the drive on which to install ESXi
and press Enter.
Step 7. Select the keyboard type and language for the host.
Step 8. Enter a password to be used by the root account.
Step 9. When prompted to do so, remove the bootable media and press
Enter to reboot the host.

Telegram Channel : @IRFaraExam

The default behavior is to configure the ESXi management network using
DHCP. You can override the default behavior and use static IP settings for
the management network after the installation is completed. If your host is
not yet assigned an IP address or if you want to change it, you can use the
following procedure to select the appropriate network adapter, configure the
VLAN, and configure the IP configuration for the host’s management
network interface:
Step 1. Log on to the Direct Console User Interface (DCUI), which appears
on the host’s monitor.
Step 2. If needed, use the DCUI to change the network adapter used for
management:
a. Select Configure Management Network and press Enter.
b. Select Network Adapters and press Enter.
c. Select a network adapter and press Enter.
Step 3. If needed, use the DCUI to change the VLAN used for
management:
a. Select Configure Management Network and press Enter.
b. Select VLAN and press Enter.
c. Enter the appropriate VLAN ID for the network connection.
Step 4. If needed, use the DCUI to change the IP configuration used for
management:
a. Select Configure Management Network and press Enter.
b. Select IPv4 Configuration and press Enter.
c. Select Set Static IPv4 Address and Network Configuration.
d. Enter the IP address, subnet mask, and default gateway and
press Enter.

Note
It is important for the IP address of the management network to remain

Telegram Channel : @IRFaraExam

consistent. If you do not select a static IP address, make sure that you
create a DHCP reservation for the MAC address of your first physical
NIC, which ESXi calls VMNIC0.

You can use the DCUI to configure DNS by following this procedure:
Step 1. Select Configure Management Network and press Enter.
Step 2. Select DNS Configuration and press Enter.
Step 3. Select Use the Following DNS server Addresses and Hostname.
Step 4. Enter the primary server, an alternative server (optional), and the
host name.
After ESXi is installed and the management network is configured, you can
manage the host and make other configuration changes by using the vSphere
Host Client.

Scripted ESXi Installation

Installation scripts provide an efficient way to deploy multiple hosts and/or to
deploy hosts remotely.
You can use an installation script that includes the settings for installing
ESXi. The script can be applied to all of the hosts that need to have the same
configuration. Only supported commands can be used in the installation
script. This can be modified for settings that need to be unique for each host.
The installation script can be in any of the following locations:

FTP server
HTTP/HTTPS server
NFS server
USB flash drive
CD-ROM drive

Telegram Channel : @IRFaraExam

the vSphere Web Client logged in to the vCenter Server that manages the
ESXi host can be used to change any of the default settings.
Example 8-1 shows the contents of the default script.
Example 8-1 Default Installation Script
Click here to view code image
#
# Sample scripted installation file
#
# Accept the VMware End User License Agreement
vmaccepteula
# Set the root password for the DCUI and Tech Support Mode
rootpw myp@ssw0rd
# Install on the first local disk available on machine
install --firstdisk --overwritevmfs
# Set the network to DHCP on the first network adapter
network --bootproto=dhcp --device=vmnic0
# A sample post-install script
%post --interpreter=python --ignorefailure=true
import time
stampFile = open('/finished.stamp',

You can see that this default script sets the root password to myp@ssw0rd,
installs on the first disk, overwrites any existing VMFS datastore, and sets the
network interface to use DHCP. When creating your own script, you can
specify many options, a few of which are shown in Table 8-4.
Table 8-4 Sample Options for ESXi Installation Script
Comma Optio Descript
nd ns
clear -- Removes partitions on all drives except those specified.
part igno
(optio redr
nal) ives
=
-- Allows overwriting of VMFS partitions on the specified

Telegram Channel : @IRFaraExam

over drives.
writ
evm
fs
dryru N/A Parses and checks the installation script but does not
n perform the installation.
instal -- Specifies the disk to partition. Acceptable values can use
l disk various forms, as in these examples:
=
Path:

--disk=/vmfs/devices/disks/mpx.vmhba1:C0:T0:L0

MPX name:

--disk=mpx.vmhba1:C0:T0:L0

VML name:

--disk=vml.000000034211234

vmkLUN UID:

Partner Supported

CommunitySupported

Telegram Channel : @IRFaraExam

FIGURE 8-2 Auto Deploy Architecture

You control the behavior of the vSphere Auto Deploy server by using rules.
The rules engine checks the rule set for matching host patterns to decide
which items (image profile, host profile, vCenter Server location, or script
object) to use to provision each host. Rules can assign image profiles and
host profiles to a set of hosts. A rule can identify target hosts by boot MAC
address, Basic Input/Output System (BIOS), universally unique identifier
(UUID), System Management BIOS (SMBIOS) information, vendor, model,
or fixed DHCP IP address. You can create rules by using the vSphere Web
Client or vSphere Auto Deploy cmdlets with the PowerCLI. For example, to
create a new deployment rule named Rule-01 that places all hosts in a folder
named Auto-deployed Hosts, you can use the following PowerCLI command:
Click here to view code image
New-DeployRule -Name Rule-01 -Item "Auto-deployed Hosts" -allhosts

To modify the rule so that it applies only to a set of hosts in a specific IP

range, you can use the Set-DeployRule cmdletL
Click here to view code image
Set-DeployRule -DeployRule Rule-01 -Pattern
"ipv4=192.168.100.101-192.168.100.112"

Table 8-6 describes some of the common Auto Deploy PowerCLI cmdlets.
Table 8-6 Common Auto Deploy PowerCLI cmdlets
cmdlet Description
Get- Returns a list of Auto Deploy cmdlets.
Depl
oyCo
mma
nd
New- Creates a new rule with the specified items and patterns.
Depl
oyRu

Telegram Channel : @IRFaraExam

le
Set- Updates an existing rule with the specified items and patterns.
Depl You cannot update a rule that is part of a rule set.
oyRu
le
Get- Retrieves the rules with the specified names.
Depl
oyRu
le
Copy Clones and updates an existing rule.
-
Depl
oyRu
le
Add- Adds one or more rules to the working rule set and, by default,
Depl also to the active rule set. Use the NoActivate parameter to add a
oyRu rule only to the working rule set.
le
Rem Removes one or more rules from the working rule set and from
ove- the active rule set. Run this command with the -Delete parameter
Depl to completely delete the rule.
oyRu
le
Set- Explicitly sets the list of rules in the working rule set.
Depl
oyRu
leSet
Get- Retrieves the current working rule set or the current active rule
Depl set.
oyRu
leSet
Switc Activates a rule set so that any new requests are evaluated
h- through the rule set.
Activ

Telegram Channel : @IRFaraExam

eDep
loyR
uleSe
t

Get- Retrieves rules that match a pattern. For example, you can
VM retrieve all rules that apply to a host or hosts. Use this cmdlet
Host primarily for debugging.
Matc
hing
Rule
s
Test- Checks whether the items associated with a specified host are in
Depl compliance with the active rule set.
oyRu
leset
Com
plian
ce
Repa Given the output of Test-DeployRulesetCompliance, this cmdlet
ir- updates the image profile, host profile, and location for each host
Depl in the vCenter Server inventory. The cmdlet might apply image
oyRu profiles, apply host profiles, or move hosts to the prespecified
leset folders or clusters on the vCenter Server system.
Com
plian
ce
Appl Associates the specified image profile with the specified host.
y-
EsxI
mage
Profi
le
Get- Retrieves the image profile in use by a specified host. This cmdlet
VM differs from the Get-EsxImageProfile cmdlet in the Image
Host Builder PowerCLI.

Telegram Channel : @IRFaraExam

Imag
eProf
ile

Repa Deploys a new image cache. Use this cmdlet only if the Auto
ir- Deploy image cache is accidentally deleted.
Depl
oyIm
ageC
ache
Get- Retrieves the attributes for a host that are used when the Auto
VM Deploy server evaluates the rules.
Host
Attri
butes
Get- Returns a string value that Auto Deploy uses to logically link an
Depl ESXi Host in vCenter to a physical machine.
oyM
achin
eIde
ntity
Set- Logically links a host object in the vCenter Server database to a
Depl physical machine. Use this cmdlet to add hosts without specifying
oyM rules.
achin
eIde
ntity
Get- Retrieves the Auto Deploy global configuration options. This
Depl cmdlet currently supports the vlan-id option, which specifies the
oyOp default VLAN ID for the ESXi Management Network of a host
tion provisioned with Auto Deploy. Auto Deploy uses the value only
if the host boots without a host profile.
Set- Sets the value of a global configuration option. Currently supports
Depl the vlan-id option for setting the default VLAN ID for the ESXi
oyOp Management Network.

Telegram Channel : @IRFaraExam

tion
The first time a host boots using Auto Deploy, the following sequence of
events occurs:

1. The host starts a PXE boot sequence. The DHCP server assigns an IP
address and redirects the host to the TFTP server.
2. The host downloads and executes the iPXE file (configured by the
DHCP server) and applies the associated configuration file.
3. The host makes an HTTP boot request to the vSphere Auto Deploy
server. The HTTP request includes hardware and network information.
4. The vSphere Auto Deploy server queries the rules engine and streams
data (the ESXi image) from the image profile and the host profile.
5. The host boots using the image profile. If the vSphere Auto Deploy
server provided a host profile, the host profile is applied to the host.
6. vSphere Auto Deploy adds the host to the proper inventory location and
cluster in the vCenter Server system.
7. If the host is part of a DRS cluster, virtual machines from other hosts
might be migrated to the host.

Note
If a host profile requires a user to specify certain information, such as a
static IP address, the host is placed in maintenance mode when the host
is added to the vCenter Server system. You must reapply the host
profile and update the host customization to have the host exit
maintenance mode.

Deploying vCenter Server Components

VMware vCenter 7.0 is only available as a prebuilt Linux-based virtual
appliance. It is no longer available to be installed on Windows systems. This
section provides information for deploying vCenter Server components.

Telegram Channel : @IRFaraExam

vCenter Server Database
As of vCenter 7.0, only one database can be used: an included version of the
VMware-specific distribution of PostgreSQL.

Note
The vCenter installation program allows migration from a Windows-
based vCenter Server to the vCenter Server Appliance, including
migration from Oracle or Microsoft SQL to the embedded PostgreSQL
database.

Platform Services Controller (PSC)

In vSphere 6.x, the Platform Services Controller (PSC) component could be
deployed externally to vCenter Server. Beginning with vSphere 7.0, the
services that the PSC provided in vSphere 6.x, such as SSO, VMCA and
License Service, are consolidated into vCenter Server. These services cannot
be deployed as a separate virtual appliance. Because the services are now part
of vCenter, they are no longer listed as part of the PSC. For example, in
vSphere 7.0, the vSphere Authentication publication replaces the Platform
Services Controller Administration publication.

vCenter Server Appliance

As of vSphere 7.0, the vCenter Server is only available as a prebuilt virtual
appliance that consists of the following:

Photon OS 3.0
vSphere Authentication Services
PostgreSQL
The VMware vSphere Lifecycle Manager extension for the vSphere
Client
VMware vCenter Lifecycle Manager

Telegram Channel : @IRFaraExam

vCenter Version 7.0 deploys with VM hardware Version 10, supporting up to
64 virtual CPUs per VM. The deployment wizard helps you to determine the
resource allocation for the virtual appliance, based on the size of your
environment.
To prepare for a vCenter Server Appliance deployment, you should download
the vCenter Server Appliance installer ISO file and mount it to a virtual
machine or physical machine from which you want to perform the
deployment. To use the vCenter Server Appliance GUI (or CLI) installer, you
can use a machine that is running a supported version of a Windows, Linux,
or Mac operating system, as shown in Table 8-7.
Table 8-7 Requirements for GUI/CLI Installers
Operatin Supported Versions Minimum Hardware Configuration
g System
Windo 4 GB RAM, 2 CPUs having 4 cores with
ws Windows 8, 8.1, 10 2.3 GHz, 32 GB hard disk, 1 NIC

Windows 2012 x86-

64 bit

Windows 2012 R2
x86-64 bit

Windows 2016 x86-

64 bit

Linux 4 GB RAM, 1 CPU having 2 cores with

SUSE 15 2.3 GHz, 16 GB hard disk, 1 NIC

With the CLI installer, 64-bit OS

Ubuntu 16.04 and
18.04

Telegram Channel : @IRFaraExam

Mac
macOS 10.13, 10.14,
10.15

macOS High Sierra,

Mojave, Catalina

You can use the GUI or CLI installers to do the following:

Step 17. Optionally, choose the option to join the VMware Customer
Experience Improvement Program (CEIP).
Step 18. On the Ready to Complete page, click Finish and then click OK.

Deploying VCSA Using the CLI

You can use the CLI installer to perform a silent VCSA deployment. The CLI
deployment process includes downloading the installer, preparing a JSON
configuration file with the deployment information, and running the
deployment command. The VCSA installer contains JSON templates for all
deployment types. This enables you to deploy an appliance with minimum
effort by copying the appropriate JSON template, changing a few values, and
using it with the CLI installer. The steps are as follows:
Step 1. In the vCenter Server Appliance installer, navigate to one of the
following directories:
In Windows, /vcsa-cli-installer/win32
In Linux, /vcsa-cli-installer/lin64
In macOS, /vcsa-cli-installer/mac

Step 2. Copy the templates from the install subfolder to your desktop.
Step 3. Use a text editor to modify the JSON template for your use case.
Modify the default parameter values with your appropriate values
and add additional parameters, as necessary. For example, to use an
IPv4 DHCP assignment, in the network subsection of the template,
change the value of the mode parameter to dhcp and remove the
default configuration parameters that are used for a static
assignment, as shown here:

Telegram Channel : @IRFaraExam

"network": {
"ip_family": "ipv4",
"mode": "dhcp"
},

Step 4. Save the file in UTF-8 format.

Table 8-8 shows some of the available JSON templates.
Table 8-8 JSON Templates
Template Description
PSC_repl Contains the minimum configuration parameters that are
ication_o required for deployment of a PSC appliance joining an
n_ESXi.j existing vCenter SSO domain on an ESXi host.
son
PSC_repl Contains the minimum configuration parameters that are
ication_o required for deployment of a PSC appliance joining an
n_VC.jso existing vCenter SSO domain on a vCenter Server instance.
n
vCSA_on Contains the minimum configuration parameters that are
_ESXi.js required for deployment of a vCenter Server Appliance with
on an external PSC on an ESXi host.
vCSA_on Contains the minimum configuration parameters that are
_VC.json required for deployment of a vCenter Server Appliance with
an external PSC on a vCenter Server instance.

Note
When using the CLI installer, you must strictly use only ASCII
characters for the command-line and JSON configuration file values,
including usernames and passwords.

Prior to running the deployment command, you can run a pre-deployment

check by using this command:
Click here to view code image

Telegram Channel : @IRFaraExam

vcsa-deploy install --verify-only path-to-JSON-file

When ready, you can run the deployment command:

Click here to view code image
vcsa-deploy install --accept-eula --acknowledge-ceip
optional_arguments path-to-JSON-file

vCenter Server Post-Installation

After installing vCenter Server, you should be able to access the vSphere
Client at https://vcenter_server_ip_address_or_fqdn/ui and the vSphere Web
Client at https://vcenter_server_ip_address_or_fqdn/vsphere-client.
The VMware Enhanced Authentication Plug-in provides integrated
Windows authentication and Windows-based smart card functionality. In the
vSphere 6.5 release, the VMware Enhanced Authentication Plug-in replaced
the Client Integration Plug-in.
To install the VMware Enhance Authentication Plug-in, you can use the
following procedure:
Step 1. In a web browser, open the vSphere Web Client.
Step 2. At the bottom of the vSphere Web Client login page, click
Download Enhanced Authentication Plug-in.
Step 3. Save the plug-in to your computer and run the executable.
Step 4. Follow the wizard for both the VMware Enhanced Authentication
Plug-in and the VMware Plug-in Service, which are run in
succession.
Step 5. When the installations are complete, refresh the browser.
Step 6. In the External Protocol Request dialog box, click Launch
Application.
If you install the plug-in from an Internet Explorer browser, you must first
disable Protected Mode and enable pop-up windows on your web browser.

Configuring and Managing VMware Certificate Authority

Telegram Channel : @IRFaraExam

(VMCA)
VMware Certificate Authority (VMCA), which runs in the vCenter Server
Appliance, is responsible for issuing certificates for VMware solution users,
certificates for machines running required services, and certificates for ESXi
hosts. VMware Endpoint Certificate Service (VECS) is a local repository for
certificates and private keys. VECS is a mandatory component that is used
when VMCA is not signing certificates. VECS includes a set of keystores,
including machine SSL certificates, trusted roots, certificate revocation lists
(CRLs), and solution users (including machine, vpxd, vpx-extension, and
vSphere-webclient). VECS does not store ESXi certificates. ESXi certificates
are stored locally on the ESXi hosts in the /etc/vmware/ssl directory. Table 8-
9 describes the stores included in VECS.
Table 8-9 VECS Stores
Store Description
Machine SSL store Used by the reverse proxy service on each
(MACHINE_SSL_CERT) ESXi host and by the vmdir service.
Trusted root store Contains all trusted root certificates.
(TRUSTED_ROOTS)
Solution user stores: VECS includes one store for each solution
user.

Machine

vpxd

vpxd-extension

vsphere-webclient

Telegram Channel : @IRFaraExam

vSphere Certificate Used by VMCA to support certificate
Manager utility backup reversion.
store (BACKUP_STORE)
Other stores Other stores might be added by solutions.
For example, the Virtual Volumes solution
adds an SMS store.
With VMCA, you can deal with certificates in three different manners:

identity source, you need to provide information for the following
parameters:

Domain Name: Enter the FDQN of the domain.

Use Machine Account: Select this option to use the local machine
account as the Server Principal Name (SPN). Do not use this option if
you plan to rename the machine.
Use Service Principal Name (SPN): Select this option, instead of Use
Machine Account, if you prefer to specify a unique SPN instead of
using the machine name as the SPN. If you choose this option, you
must also provide the SPN, UPN, and password, as follows:
Service Principal Name (SPN): If you selected the Use Service
Principal Name option, you need to provide a unique name that
includes the domain name, such as STS/domain.com.
User Principal Name (UPN): If you selected the Use Service
Principal Name option, you need to provide a username that can
authenticate the Active Directory domain.
Password: If you selected the Use Service Principal Name option,
you need to provide a password that is associated with the UPN.

Telegram Channel : @IRFaraExam

Note
The user account must have read access to the organizational units
containing users and group. If a user’s account does not have sufficient
permission or is locked or disabled, then authentications and searches
in the Active Directory domain fail.

When adding an Active Directory over LDAP identity source, you need to
provide information for the following parameters:

Name: Specify the logical name for the identify source.

Telegram Channel : @IRFaraExam

Click Next.
Step 8. Enter the user and group information for Active Directory over
LDAP to search for users and groups and click Next.
Step 9. Review the configuration information and click Finish.
Step 10. Go to Home > Administration > Single Sign On > Users and
Groups.
Step 11. On the Groups tab, click Administrators (group) and click Add
Members.
Step 12. From the drop-down, select Microsoft ADFS, and in the text box
under the drop-down menu, enter vcenter and wait for the drop-
down to show a selection. Then select vCenter Admins and add it
to the group.
Step 13. Click Save.
Step 14. Log in to vCenter with an AD user’s credentials to verify
functionality.

Initial vSphere Configuration

This section covers some of the vSphere settings, components, and features
that are typically configured in conjunction with a new vSphere deployment.

Implementing vSphere Client

The vSphere Client, which is the primary vSphere GUI, is HTML5 based and
uses the Clarity style user interface. The vSphere Client is a service that is
installed automatically when you install vCenter Server.

Implementing VMware vSphere Lifecycle Manager

In vSphere 7.0, vSphere Lifecycle Manager replaces VMware Update
Manager from prior versions. Lifecycle Manager adds to the functionality of
Update Manager to include features and capabilities for ESXi lifecycle
management at the cluster level. Lifecycle Manager operates as a service that
runs on the vCenter Server. This service is available via the vSphere Client

Telegram Channel : @IRFaraExam

immediately after the vCenter Server deployment; no special steps are
required to install vSphere Lifecyle Manager unless you need to install the
optional module VMware vSphere Update Manager Download Service
(UMDS).
In scenarios where vCenter Server is installed in a secured network with no
Internet access, you can install UMDS and use it to download updates. You
can use UMDS to export the updates to a portable media drive that you then
present to vSphere Lifecycle Manager. Or, if network connectivity exists
between the vCenter Server and UMDS, you can automate the export process
by leveraging the web server on the UMDS machine.

Note
See Chapter 13, "Managing vSphere and vCenter Server," for more
details on vSphere Lifecycle Manager.

Configuring the vCenter Server Inventory

This section describes the procedures you use to create an inventory
hierarchy that includes data centers, folders, clusters, and resource pools.
To create a data center, you can follow these steps:
Step 1. Log on to the vSphere Client as a user with the Datacenter. Create
datacenter privilege.
Step 2. Right-click the vCenter Server in the inventory and select New
Datacenter.
Step 3. Provide a name for the data center and click OK.

To create a folder, you can follow these steps:

Step 1. In the vSphere Client, right-click the appropriate parent object (a
data center or another folder).
Step 2. Select New Folder. If the parent object is a folder, the new folder
type is automatically set to match the parent; otherwise, specify the
folder type as Host and Cluster folder, Storage folder, or VM and

Telegram Channel : @IRFaraExam

Template folder.
Step 3. Provide a name for the folder and click OK.
To add an ESXi host, you must address the following prerequisites:

Ensure that the appropriate data center and (optionally) folder objects are
created in the vCenter Server inventory.
Obtain the root account credentials for the host.
Verify that the host and vCenter Server can communicate via port 902 or
a custom port.
Verify that any NFS mounts on the host are active.
For a host with more than 512 LUNs and 2048 paths, verify that the
vCenter Server instance is set to support a Large or X-Large
environment.

To add an ESXi host, you can follow these steps:

Step 1. Log on to the vSphere Client as a user with the Host.Inventory.Add
standalone host privilege.
Step 2. Right-click the data center or folder in the inventory and select Add
Host.
Step 3. Provide the host’s FQDN (or IP address) and credentials.
Step 4. Provide licensing information (using a new or existing license).
Step 5. Optionally, set the lockdown mode, remote access, and virtual
machine folder information and continue navigating to the final
wizard page.
Step 6. Click OK.

Implementing vCenter HA

You can use the following procedure to configure vCenter HA:

Telegram Channel : @IRFaraExam

In the vSphere Client, select the vCenter Server in the inventory
Step 1. pane.
Step 2. Select Configure > Select vCenter HA > Set Up vCenter HA.
Step 3. If your vCenter Server is managed by another vCenter Server in a
different SSO domain, complete the following steps:
a. Click Management vCenter Server Credentials. Provide the
FQDN and Single Sign-On credentials and click Next.
b. If you see a certificate warning displayed, review the SHA1
thumbprint and click Yes to continue.
Step 4. In the Resource Settings section, select the vCenter HA network for
the active node from the drop-down menu.
Step 5. Click the checkbox if you want to automatically create clones for
Passive and Witness nodes.
Step 6. For the Passive node, follow these steps:
Click Edit and provide details for the Passive node virtual
machine, such as the name, compute resources, and datastore.
Select the Management (NIC 0) and vCenter HA (NIC 1)
networks.
Complete the settings and click Finish.

Step 7. For the Witness node, follow these steps:

Click Edit and provide details for the passive node virtual machine,
such as the name, compute resources, and datastore.
Select the vCenter HA (NIC 1) networks.
Complete the settings and click Finish.

Step 8. Click Next.

Step 9. In the IP Settings section, provide the IP address details.
Step 10. Click Finish.

Telegram Channel : @IRFaraExam

Using Host Profiles
This section provides details on using host profiles to configure ESXi hosts.

Configuring ESXi Using Host Profiles

During the implementation of vSphere, you can use host profiles to
efficiently deploy a standard configuration to a set of ESXi hosts. To do so,
you can configure a single ESXi host, create a host profile from that host, and
apply the profile to other recently deployed hosts. This process reduces the
time required to configure ESXi hosts and minimizes the risk of
misconfigured hosts. The host profile contains all the networking, storage,
security, and other host-level settings. The host from which the profile is
created is known as the reference host. You can attach a host profile to
individual hosts, a cluster, or all the hosts and clusters managed by a vCenter
Server.

Applying a Host Profile

After attaching a host profile, you can check compliance of the associated
hosts and remediate as necessary.
You can use this procedure to create a host profile from a reference host:
Step 1. Navigate to the host profiles main view and click Extract Host
Profile.
Step 2. Select the host that acts as the reference host and click Next.
Step 3. Enter the name and description for the new profile and click Next.
Step 4. Review the summary information for the new profile and click
Finish.

You can use this procedure to attach a profile to ESXi hosts and clusters:
Step 1. From the host profiles main view, select the host profile to be
applied to the host or cluster.
Step 2. Click Attach/Detach Hosts and Clusters, select the host or cluster
from the expanded list, and click Attach.

Telegram Channel : @IRFaraExam

Optionally, click Attach All to attach all listed hosts and clusters to
Step 3. the profile.

Step 4. Optionally, enable Skip Host Customization; if you do, you do not
need to customize hosts during this process.
Step 6. Click Next.
Step 7. Optionally, update or change the user input parameters for the host
profiles policies by customizing the host.
Step 8. Click Finish to finish attaching the host or cluster to the profile.

You can use this procedure to remediate an ESXi host:

Step 1. Navigate to the host profiles main view.
Step 2. Right-click a host profile and select Remediate.
Step 3. Select the host or hosts you want to remediate with the host profile.
Step 4. Optionally, enter the host customizations to specify host properties
or browse to import a host customization file.
Step 5. Click Pre-check Remediation to check whether the selected hosts
are ready for remediation.
Step 6. Select the checkbox to reboot the host if a reboot is required in
order to complete the remediation process. To manually reboot the
host after the process, do not select the checkbox.
Step 7. Review the tasks that are necessary to remediate the host profile and
click Finish.

Editing Host Profiles

To edit a host profile, you can use this procedure:
Step 1. Navigate to the host profiles main view.
Step 2. Select the host profile that you want to edit and click the Configure
tab.
Step 3. Click Edit Host Profile.

Telegram Channel : @IRFaraExam

Step 4. Optionally, click the Name and Description tab to change the
profile name and description.
Step 5. In the Edit Host Profile page, expand each category to view or edit a
specific policy or setting.
Step 6. Select All to view all host profile configurations or select Favorites
to view only those configurations.
Step 7. Optionally, in the search field, filter the configuration names and
values you want to view. For example, enter SNMP, and all
configurations that relate to SNMP are displayed.
Step 8. Optionally, customize the hosts. Make any changes to the available
configuration values for this profile and click Save.

Applying Permissions to ESXi Hosts by Using Host Profiles

You can use host profiles to apply ESXi host permissions to be used when
users access a host directly. To configure the host profile with the appropriate
permissions, you can use the vSphere Client (not the vSphere Web Client)
and follow this procedure:
Step 1. Select View > Management > Host Profiles.
Step 2. Select an existing profile and click Edit Profile.
Step 3. In the profile tree, locate and expand Security Configuration.
Step 4. Right-click on the Permission Rules folder and click Add Profile.
Step 5. Expand Permissions Rules and select Permission.
Step 6. On the Configuration Details tab, click the Configure Permission
drop-down menu and select Require a Permission Rule.
Step 7. Enter the name of a user or group, in the format domain\name,
where domain is the domain name, and name is the user or group
name.
Step 8. If a group name is used, select the Name Refers to a Group of
Users checkbox.
Step 9. Enter the assigned role name, which is case sensitive. This can be

Telegram Channel : @IRFaraExam

the name of a built-in role on the host or a custom role that you have
created on the host. For system roles, use the non-localized role
name, such as Admin for the administrator role or ReadOnly for the
read-only role.
Step 10. Optionally, select Propagate Permission.
Step 11. Click OK.
After configuring the host profile, you can use it to apply the permissions to
new or existing ESXi hosts.

VMware Tools
Ideally, you should install VMware Tools in all your virtual machines. When
deploying a new vSphere environment, you should install VMware Tools in
any virtual machines deployed as part of the virtual infrastructure and
management. For example, if you use virtual machines to run Active
Directory domain controllers, DNS servers, or DHCP servers, consider
installing VMware Tools.
VMware Tools is a suite of utilities that you install in the operating system of
a virtual machine. VMware Tools enhances the performance and
management of the virtual machine. You can use the following procedure to
install VMware Tools in a virtual machine using the VMware Host Client:
Step 1. Click Virtual Machines in the VMware Host Client inventory.
Step 2. Select a powered-on virtual machine from the list. (The virtual
machine must be powered on to install VMware Tools.)
Step 3. Open a console to the virtual machine and log in with administrator
or root privileges.
Step 4. Click Actions, select Guest OS from the drop-down menu, and
select Install VMware Tools.
Step 5. Use the guest OS to complete the installation.
This procedure is useful for installing VMware Tools in a DNS, Active
Directory domain controller, database server, or other virtual machine that
you may deploy prior to deploying vCenter Server.

Telegram Channel : @IRFaraExam

Advanced ESXi Host Options
This section describes how to configure some advanced options for ESXi
hosts.

ESXi Advanced System Settings

You can use the vSphere Host Client or the vSphere Client to set advanced
attributes on ESXi hosts. You should change the advanced options only when
you get specific instructions to do so from VMware technical support or a
knowledge base article.
To change a host’s advanced settings using the vSphere Host Client, you can
navigate to Manage > System > Advanced Settings. To change a host’s
advanced settings using the vSphere Client, you can select the host and
navigate to Configure > System > Advanced System Settings.

Exam Preparation Tasks

Review All the Key Topics

Review the most important topics in this chapter, noted with the Key Topics
icon in the outer margin of the page. Table 8-12 lists these key topics and the
page number on which each is found.

Table 8-12 Key Topics for Chapter 8

Key Topic Description Page
Element Number
List Installing ESXi interactively 286
List First-time boot sequence using Auto Deploy 296
List Deploying VCSA using the GUI installer 299
List Using VMCA in a subordinate CA manner 305

Telegram Channel : @IRFaraExam

List Adding an Active Directory over LDAP 308
identity source
List Enabling Identity Federation 313
List Implementing vCenter HA 316

Complete Tables and Lists from Memory

Define Key Terms

configure traffic distribution across the physical adapters and the
failover order.
Step 8. Click OK.
To remove a port group from a standard switch, navigate to the switch’s
topology, select the port group, and click the Remove Selected Port Group
icon.

vSphere Distributed Switches (vDS)

This section addresses the creation and configuration of vSphere Distributed
Switches (vDS) and distributed port groups.

Creating and Configuring vSphere Distributed Switches

You can use the vSphere Client to create a vDS:
Step 1. In the vSphere Client, right-click a data center in the inventory pane
and select Distributed Switch > New Distributed Switch.
Step 2. On the Name and Location page, enter a name for the new
distributed switch or accept the generated name and click Next.
Step 3. On the Select Version page, select a distributed switch version (7.0,
6.6, or 6.5) and click Next. Features released with vSphere versions
later than the version selected are not supported for the distributed
switch.
Step 4. On the Configure Settings page, provide the following vDS settings:
Select the number of uplinks. The number of uplink ports
determines how many physical NICs are connected per ESXi host.
Enable or disable Network I/O Control. If it is enabled, it
prioritizes network traffic.
(Optional) Select the Create a Default Port Group checkbox to
create a new distributed port group with default settings for this
switch. Enter a port group name or accept the generated name.
If your system has custom port group requirements, create
distributed port groups that meet those requirements after you add

Telegram Channel : @IRFaraExam

the distributed switch.

Click Next.
Step 5. On the Ready to Complete page, review the settings you selected
and click Finish.
If you plan on using NSX-T, set the vDS version to 7.0 and use NSX-T 3.0 or
later.

Upgrading a vDS
You can upgrade a vDS from Version 6.x to a later version, but you cannot
revert a vDS to an earlier version. As a rollback plan, you should export the
distributed switch configuration prior to upgrading. In the export wizard,
choose the option to include the distributed port groups. If an issue emerges,
you can re-create the vDS by importing the switch configuration file and
choosing the Preserve Original Distributed Switch and Port Group Identifiers
option.
The following list provides information for exporting and importing vDS
configuration.:

Exporting a vDS configuration: To export a vDS configuration, select

it in the inventory pane, select Settings > Export Configuration, and use
the wizard. In the wizard, select whether you want to include the
configuration of the distributed port groups in the export. Optionally, you
can provide a description for the export. The file is saved to your local
system.
Importing a vDS configuration: To import a vDS configuration, right-
click a data center in the inventory pane, select Distributed Switch >
Import Distributed Switch, and use the wizard. In the wizard, to assign
the keys from the configuration file to the switch and its port groups,
select the Preserve Original Distributed Switch and Port Group
Identifiers checkbox.

Upgrading a distributed switch causes the hosts and virtual machines attached
to the switch to experience brief downtime. VMware recommends
performing the upgrade during a maintenance window and changing the DRS

Telegram Channel : @IRFaraExam

Step 6. On the Routing page, edit the VMkernel gateway settings.

Step 7. ON the Name page, edit the name of the stack.
Step 8. On the Advanced page, edit the maximum number of connections
and the congestion control algorithm.
Step 9. Click OK.

To create a custom TCP/IP stack, you can use the following command in the

Telegram Channel : @IRFaraExam

ESXi Shell:
Click here to view code image
esxcli network ip netstack add -N="stack_name"

After creating a custom stack, you can use the previous procedure to
configure the stack. When creating a VMkernel virtual network adapter, you
can select any existing custom stack or predefined stack (default, vMotion, or
provisioning).

Configuring and Managing Networking Features

This section describes the procedures for implementing networking features
supported by vSphere.

Configuring Network I/O Control (NIOC)

To guarantee minimum bandwidth for system traffic and for virtual

machines, you can enable and configure NIOC. You can enable NIOC on a
distributed switch by using the following procedure:
Step 1. In the vSphere Client, select the distributed switch in the inventory
pane and navigate to Actions > Settings > Edit Settings.
Step 2. From the Network I/O Control drop-down menu, select Enable.
Step 3. Click OK.

By default, NIOC applies shares to each network traffic type as shown in the
following list:

Management traffic: 50 shares

Fault Tolerance (FT) traffic: 50 shares
NFS traffic: 50 shares
vSAN traffic: 50 shares
vMotion traffic: 50 shares

Telegram Channel : @IRFaraExam

vSphere Replication (VR) traffic: 50 shares
vSphere Data Protection backup traffic: 50 shares
Virtual machine traffic: 100 shares

To configure resource allocation for system traffic, you can use the following
procedure:
Step 1. In the vSphere Client, select the distributed switch in the inventory
pane.
Step 2. On the Configure tab, expand Resource Allocation.
Step 3. Click System Traffic.
Step 4. Select the appropriate traffic type and click Edit.
Step 5. Set the desired values for Shares, Reservation, and Limit.
Step 6. In the Reservation text box, enter a value for the minimum
bandwidth that must be available for the traffic type.
Step 7. In the Limit text box, set the maximum bandwidth that system
traffic of the selected type can use.
Step 8. Click OK to apply the allocation settings.

Creating a Network Resource Pool

If you enabled NIOC on a distributed switch and reserved bandwidth for the
virtual machine feature, then you can create a set of network resource pools
and allocate the reserved bandwidth among the pools. The total reservation
from the virtual network adapters of the powered-on associated VMs must
not exceed the quota of the pool. You can create a network pool by using the
following procedure:
Step 1. In the vSphere Client, select the distributed switch in the inventory
pane.
Step 2. On the Configure tab, expand Resource Allocation.
Step 3. Click Network Resource Pools.

Telegram Channel : @IRFaraExam

Step 4. Click the Add button.
Step 5. Provide a name and a description for the pool.
Step 6. Set the reservation quota (in Mbps).
Step 7. Click OK.

Note
The maximum quota that you can assign to the pool is equal to the
aggregated reservation for virtual machine system traffic minus the
quotas of the other network resource pools.

After creating a network resource pool, you can assign a distributed port
group to the resource pool by using the following procedure:
Step 1. In the vSphere Client, right-click a distributed port group in the
inventory pane and select Edit Settings.
Step 2. In the settings, click General.
Step 3. In the Network Resource Pool drop-down menu, select the network
resource pool and click OK.
Finally, you can set the network shares, reservation, and limit settings for
individual virtual machines that are connected to the distributed port group in
a network resource pool by using the following procedure:
Step 1. In the vSphere Client, select a virtual machine in the inventory pane
and navigate to Actions > Edit Settings.
Step 2. Expand the Network Adapter section of the VM network adapter.
Step 3. Either add and configure a new network adapter or select an
existing network adapter.
Step 4. Configure the network adapter’s Shares, Reservation, and Limit
settings.
Step 5. Click OK.

Telegram Channel : @IRFaraExam

Using Private VLANs
To use private VLANs (PVLANs), you must first define the PVLANs on a
vDS. You can use the following procedure to do so:
Step 1. In the vSphere Client, select a distributed switch in the inventory
pane and navigate to Configure > Settings > Private VLAN.
Step 2. Click Edit.
Step 3. To add a primary VLAN, above Primary VLAN ID click the plus
sign (+) button.
Step 4. To add a secondary VLAN, in the right pane click the plus sign (+)
button.
Step 5. For Secondary VLAN type, select either Isolated or Community.
Step 6. Click OK.
After creating the PVLANs, you can use them when assigning the VLAN
network policies for distributed port groups and distributed ports, just as you
do with standard VLANs.

Using DirectPath I/O

The number of ports in each port channel must match the number of
physical NICs that will be aggregated on the host (a minimum of two).
The same hashing algorithm must be used for the port channel and the
associated LAG on the vDS.
All the NICs in a LAG must be configured with the same speed and
duplexing.

Before creating the LAG on a vDS in vSphere 7.0, you should address the
following requirements:

An LACP port channel must be available on a physical switch and is

configured to support the host, including the appropriate number of
ports, speed, duplexing, and hashing (load balancing) algorithm.
The vDS must be Version 6.5 or later.
Enhanced LACP must be supported on the distributed switch, so use the
vSphere Client to select the vDS in the inventory pane, navigate to
Summary > Features, and verify that Link Aggregation Control Protocol
is set to Enhanced Support.

Enhanced LACP support for vDS supports the following load-balancing

modes (hashing algorithms):

Destination IP address
Destination IP address and TCP/UDP port

Telegram Channel : @IRFaraExam

Destination IP address and VLAN
Destination IP address, TCP/UDP port, and VLAN
Destination MAC address
Destination TCP/UDP port
Source IP address
Source IP address and TCP/UDP port
Source IP address and VLAN
Source IP address, TCP/UDP port, and VLAN
Source MAC address
Source TCP/UDP port
Source and destination IP address
Source and destination IP address and TCP/UDP port
Source and destination IP address and VLAN
Source and destination IP address, TCP/UDP port, and VLAN
Source and destination MAC address
Source and destination TCP/UDP port
Source port ID
VLAN

Review the most important topics in this chapter, noted with the Key Topics
icon in the outer margin of the page. Table 9-3 lists these key topics and the
page number on which each is found.

Table 9-3 Key Topics for Chapter 9

Key Topic Description Page
Element Number
List Creating a vSphere Standard Switch 330
List Creating and configuring distributed port 337
groups
List Configuring TCP/IP stacks 339
List Configuring Network I/O Control 340
List Configuring and managing port mirroring 345

Telegram Channel : @IRFaraExam

Section Adding hosts to a vDS 350

Complete Tables and Lists from Memory

Define Key Terms

No new terms are defined in this chapter.

Review Questions
1. You want to use VLAN guest tagging with your vSphere Standard
Switch. What setting should you make on the standard port group?
a. Set VLAN ID to 0.
b. Set VLAN ID to 4095.
c. Set VLAN Type to Trunking.
d. Set VLAN Type to Guest Tagging.
2. You are preparing to upgrade a vDS from Version 6.x to 7.0. What
step should you take prior to upgrading?
a. Copy the vDS.
b. Back up vCenter Server.
c. Export the vDS configuration, including the distributed port
group configuration.
d. Export the vDS configuration, excluding the distributed port
group configuration.
3. You enabled NIOC, reserved virtual machine system traffic, and
created a network resource pool. Which of the following steps do
you need to take to allow a virtual machine to use the network

Telegram Channel : @IRFaraExam

resource pool?
a. Edit the virtual machine and set the network resources
allocation policy.
b. Add the virtual machine to the resource pool.
c. Assign the network resource pool to the distributed port group
where the virtual machines are connected.
d. In the inventory pane, drag and drop the virtual machine onto
the network resource pool.
4. You are creating a VMkernel virtual adapter for vMotion traffic.
Which of the following is not a valid option?
a. In a standard switch, assign the adapter to the vMotion stack.
b. In a distributed switch, assign the adapter to the vMotion
stack.
c. In a standard switch, assign the adapter to the default stack.
d. In a distributed switch, assign the adapter to the provisioning
stack.
5. You want to enable NetFlow in a distributed port group. Which of
the following steps should you take?
a. Change the distributed port group’s monitoring policy.
b. Change the distributed port group’s security policy.
c. In the distributed port group’s Advanced settings, set NetFlow
to Enable.
d. Enable port mirroring on the distributed port group.

Telegram Channel : @IRFaraExam

Part III

vSphere Management and

Optimization

Telegram Channel : @IRFaraExam

Chapter 10

c. Migrate the virtual machine to a host that has plenty of free
memory.
d. Reserve all of the virtual machine’s memory.
7. You are configuring virtual disks for the virtual machines in your
vSphere environment. Which provisioning type is the best choice
when you care more about optimizing the space usage than about
performance or availability risk?
a. Thin
b. Thick eager zeroed
c. Thick lazy zeroed
d. Sparse
8. You are using ESXTOP to analyze vSphere performance. Which of
the following statistics is the best indicator of some resource
contention?
a. %USED
b. %DRPTX
c. OVHD
d. READ/s
9. You are configuring alarms in your vSphere environment. Which of
the following is not a valid event type?
a. Error
b. Warning
c. Information
d. Audit
10. You are examining vSphere logs. Which of the following logs
contains data about the agent that manages and configures the ESXi
host?
a. /var/log/vmkernel.log

Telegram Channel : @IRFaraExam

b. /var/log/vpxa.log
c. /var/log/hostd.log
d. /var/log/vmksummary.log

Foundation Topics

Creating and Configuring a vSphere Cluster

By using the vSphere Client, you can create a vSphere cluster and use its
Quickstart feature to configure the cluster. You can configure DRS, vSphere
HA, and EVC on the cluster, as described in this chapter. You can also
configure vSAN on the cluster, as described in Chapter 11, “Managing
Storage.”

Creating a Cluster
To create a vSphere cluster that you plan to configure using Quickstart, you
should ensure that the hosts have the same ESXi version and patch level. If
you are adding hosts to the vCenter Server inventory, you need the
credentials for the root user account for the hosts. You must have the
Host.Inventory.Create Cluster privilege. To create a cluster that you manage
with a single image, verify that you have a supported ESXi 7.0 or later image
available in the vSphere Lifecycle Manager depot. You can use the following
procedure to create the cluster:
Step 1. In the vSphere Client, right-click a data center in the inventory pane
and select New Cluster.
Step 2. Enter a name for the cluster.
Step 3. Optionally, for each of the following services, slide the switch to the
right to enable the service:
DRSv
Sphere HA
vSAN

Telegram Channel : @IRFaraExam

If you enable DRS, you can optionally change its automation setting
(default is Fully Automated using Threshold Level 3).
Step 4. Optionally, to create a cluster that you manage with a single image,
select Manage All Hosts in the Cluster with a Single Image. and
then do the following:
Select an ESXi version (image) from the drop-down menu.
Optionally, select options from the Vendor Addon and Vendor
Addon Version drop-down menus.

Step 5. Click OK.

Configuring a Cluster with Quickstart

To modify an existing cluster, you can select the cluster in the inventory pane
and click Configure > Configuration > Quickstart. On the Quickstart page are
three cards: Cluster Basics, Add Hosts, and Configure Cluster. To change the
name and the enabled cluster services, click Cluster Basics > Edit. To add a
host to a cluster, you can use the following procedure:

Step 1. In the vSphere Client, select a cluster in the inventory pane and
navigate to Configure > Configuration > Quickstart > Add Hosts
> Add.
Step 2. Click New Hosts > Add and provide the name (or IP address) and
credentials for each host that you want to add that is not already in
the vCenter Server inventory.
Step 3. Optionally, select the Use the Same Credentials for All Hosts
option.
Step 4. Click Existing Hosts > Add and select each host that you want to
add that is already in the vCenter Server inventory.
Step 5. Click Next.
Step 6. On the Host Summary page, click Next.

Telegram Channel : @IRFaraExam

Step 7. On the Ready to Complete page, click Finish.
Step 8. Monitor the progress under Recent Tasks, where you can see any
errors.
Step 9. When the task is complete, you can view the number of hosts and
the health on the Add Hosts card. Optionally, select Re-validate.
Step 10. Use the inventory pane to verify that the hosts are attached to the
cluster and are in maintenance mode.
To configure cluster settings and host networking in a cluster, you can use the
following procedure:
Step 1. In the vSphere Client, select a cluster in the inventory pane and
navigate to Configure > Configuration > Quickstart.
Step 2. Optionally, if you want to configure the cluster manually, click
Skip Quickstart, which is irreversible. Otherwise, continue with
the following steps to use Quickstart to configure the cluster.
Step 3. Click Configure Cluster > Configure.
Step 4. On the Distributed Switches page, you can either select the
irreversible option Configure Networking Settings Later or use
the following steps to configure the cluster networking:
a. Specify the number of distributed switches to create (up to
three).
b. Enter a unique name for each distributed switch. Alternatively,
click Use Existing and select an existing compatible distributed
switch and distributed port group.
c. To set up the vMotion network, select a distributed switch and
assign a new port group to it.
d. In the Physical Adapters section, for each physical network
adapter, assign a distributed switch name from the drop-down
menu. Ensure that each new distributed switch is assigned to at
least one physical adapter. For any existing distributed switch, to
avoid an error, select the physical adapter that is currently
mapped to the switch.

Telegram Channel : @IRFaraExam

e. Click Next.
f. If you enabled the vSphere DRS feature during cluster creation,
in the vMotion Traffic page that appears, provide the VLAN ID,
protocol type, and IP configuration.
Step 5. Click Next.
Step 6. In the Advanced Options page, configure the following options:
a. If you enabled vSphere HA during cluster creation, use the
options in the High Availability section to enable or disable host
failure monitoring, virtual machine monitoring, and admission
control. For admission control, you can specify the number of
hosts for failover capacity.
b. If you enabled vSphere DRS during cluster creation, use the
options in the Distributed Resource Scheduler section to set the
automation level and migration threshold.
c. In the Host Options section, set the lockdown mode and enter an
NTP server address.
d. Optionally, in the Enhanced vMotion Capability section, use the
options to enable EVC and select a mode.
Step 7. Click Next.
Step 8. On the Ready to Complete page that appears, review the settings
and click Finish.
You can extend a cluster by adding more hosts. If you initially selected the
Skip Quickstart option, then you should add hosts manually. If you
previously used Quickstart but selected Configure Networking Settings Later,
you can add hosts by using Quickstart but must manually configure the host
networking. To extend a cluster, you can use the following procedure:
Step 1. In the vSphere Client, right-click a configured cluster in the
inventory pane and select Add Hosts.
Step 2. In the wizard, select hosts from the vCenter Server inventory and
add new hosts (by providing names and credentials) to include in
the cluster.

Telegram Channel : @IRFaraExam

Step 3. On the Ready to Complete page, click Finish.
Step 5. On the Configure Hosts card of the Extend Cluster Guide page that
appears, select Configure. If you previously used Quickstart to
configure the host networking, the vMotion Traffic page appears.
Provide the VLAN ID, protocol type, and IP configuration. Then a
pop-up window appears, informing you that the configuration for
the hosts that exist in the cluster is applied to the newly added hosts.
Step 6. Click Continue.
After successful validation, the Configure button in the Configure Hosts card
becomes inactive, and the Re-validate button is available.
If you enable DRS, the default Automation Level setting is Fully Automated
and the default Threshold setting is 3. If you enable HA, the default values
are Host Monitoring and Admission Control Are Enabled and VM
Monitoring Is Disabled. You can override the default values later in the
workflow.
If you select an image for managing all the hosts in the cluster, you can later
edit the image specification on the Updates tab. If you do not choose an
image to manage hosts, you must manage the cluster by using baselines and
baseline groups. You can switch from using baselines to using images later.
Starting with vSphere 7.0, you can use vSphere Lifecycle Manager to
upgrade and update the hosts in a cluster. A vSphere Lifecycle Manager
image is a combination of vSphere software, driver software, and firmware
for specific host hardware. You can assign an image to a cluster used to
control the software set to be installed on the hosts, including the ESXi
version, additional VMware-provided software, and vendor software, such as
firmware and drivers.
The image that you define during cluster creation is not immediately applied
to the hosts. If you do not set up an image for a cluster, the cluster uses
baselines and baseline groups. For more information about using images and
baselines to manage hosts in clusters, see the Managing Host and Cluster
Lifecycle documentation.

EVC Mode

Telegram Channel : @IRFaraExam

As previously described, you can configure EVC by using Quickstart >
Configure Cluster. You can also configure EVC directly in the cluster
settings. You can set VMware EVC to Disable EVC, Enable EVC for AMD
Hosts, or Enable EVC for Intel Hosts.
If you choose Enable EVC for AMD Hosts, you can set the mode to one of
the options listed in Table 4-3 in Chapter 4, “Clusters and High Availability.”
If you choose Enable EVC for Intel Hosts, you can set the mode to one of the
options listed in Table 4-2 in Chapter 4.
To view the EVC modes for all of a cluster’s virtual machines in the vSphere
Client, you can select a cluster, navigate to its VMs tab, and select
Show/Hide Columns > EVC Mode.

Creating and Configuring a vSphere DRS Cluster

This section describes how to create and configure a vSphere DRS cluster.

Creating a vSphere DRS Cluster

To create a vSphere DRS cluster, follow the procedure in the section
“Creating a Cluster,” earlier in this chapter, and ensure that you choose to
enable the DRS service. Use the information in the rest of this section to
configure the DRS cluster.

Creating a Resource Pool

You can use the following procedure to create a child resource pool in a DRS
cluster:
Step 1. In the vSphere Client, navigate to Hosts and Clusters, right-click a
DRS cluster in the inventory, and select New Resource Pool.
Step 2. Provide a name for the resource pool.
Step 3. Optionally, select the Scale Descendant’s Shares checkbox to
enable scalable shares. (Enabling this option causes any child
resource pools to use scalable shares, which scale dynamically
when virtual machines are added and removed.)
Step 4. Optionally, set CPU and Memory Shares to Low, Normal, High, or

Telegram Channel : @IRFaraExam

Step 4. Optionally, set Performance Degradation VMs Tolerate to a

percentage.
Step 5. Click OK.

Configuring VMCP
To configure Virtual Machine Component Protection (VMCP) in a vSphere
HA cluster, you can use the following procedure:
Step 1. In the vSphere Client, select the cluster in the inventory pane and
navigate to Configure > vSphere Availability > Edit.
Step 2. Select Failures and Responses > Datastore with PDL and choose
one of the following:
Issue Events
Power Off and Restart VMs

Step 3. Select Failures and Responses > Datastore with APD and choose
one of the following:
Issue Events
Power Off and Restart VMs–Conservative Restart Policy
Power Off and Restart VMs–Aggressive Restart Policy

Configuring Virtual Machine and Application Monitoring

Telegram Channel : @IRFaraExam

You can use the following procedure to turn on and configure virtual
machine and application monitoring in a vSphere HA cluster:
Step 1. In the vSphere Client, select the vSphere HA cluster in the
inventory pane and navigate to Configure > vSphere Availability
> Edit.
Step 2. Select Failures and Responses > VM Monitoring.
Step 3. Select VM Monitoring to turn on VMware Tools heartbeats.
Step 4. Select Application Monitoring to turn on application heartbeats.
Step 5. To set the heartbeat monitoring sensitivity, move the slider between
Low and High or select Custom and provide a custom value.
Step 6. Click OK.

Configuring Proactive HA

To get started with implementing Proactive HA, you need to install a

supported vendor-supplied vSphere Client plug-in and register the proactive
HA provider. When you turn on proactive HA in a cluster, you can select
from the list of providers for installed plug-ins that are monitoring every host
in the cluster. You can use the following procedure to configure proactive
HA in a cluster:
Step 1. Ensure that the following prerequisites are met:
vSphere HA and DRS are enabled.
To allow remediation actions, ensure that you have the
Host.Config.Quarantine and Host.Config.Maintenance privileges.

Step 2. In the vSphere Client, select the cluster in the inventory pane and
navigate to Configure > vSphere Availability > Edit.
Step 3. Select Turn on Proactive HA.
Step 4. Click Proactive HA Failures and Responses.

Telegram Channel : @IRFaraExam

Step 5. Set Automation Level to Manual or Automated.
Step 6. Set Remediation to one of the following:
Quarantine Mode for All Failures
Quarantine Mode for Moderate and Maintenance Mode for
Severe Failure (Mixed)
Maintenance Mode for All Failures

Configuring vSphere Fault Tolerance

Before enabling vSphere Fault Tolerance (FT) for a virtual machine, you
must prepare the hosts and cluster by doing the following:
Step 1. Configure vSphere HA on the cluster.
Step 2. On each participating host, configure a vMotion port group, a
VMkernel adapter enabled for vMotion, a Fault Tolerance logging
network, and a VMkernel adapter enabled for FT Logging.
To turn on FT for a virtual machine, you can use the following procedure:
Step 1. In the vSphere Client, right-click the virtual machine in the
inventory pane and select Fault Tolerance > Turn On Fault
Tolerance.
Step 2. Click Yes.
Step 3. Select a datastore on which to place the secondary VM
configuration files and click Next.
Step 4. Select a host on which to place the secondary VM and click Next.
Step 5. Review your selections and then click Finish.
Before FT is turned on for a virtual machine, FT performs several validation
steps related to the FT requirements listed in Chapter 4. The virtual machine
datastores and memory are replicated as FT is turned on. This may take
several minutes, during which the virtual machine status does not appear as
protected. When the replication completes and the state of the secondary VM
is synchronized with that of the primary VM, the status changes to Protected.
To test FT failover for a virtual machine, right-click the virtual machine and

Telegram Channel : @IRFaraExam

select Fault Tolerance > Test Failover. Likewise, you can select Fault
Tolerance > Test Restart Secondary to restart the Secondary VM.

Monitoring and Managing vSphere Resources

You can use the vSphere client performance charts to view compute,
storage, and network resource usage for virtual machines, hosts, and clusters.
For a more granular look from the host perspective, you can use the ESXTOP
utility. You can use vCenter Server alarms to bring attention to conditions
and events that may call for human intervention, such as low resource
availability on a cluster, host, or data-store. To bring multi-vCenter Server
monitoring, predictive analysis, and intelligent operations to an environment,
you can consider integrating vRealize Operations (vROps).

Overview Performance Charts

You can use the vSphere Client to examine the overview performance charts
for data centers, clusters, datastores (and datastore clusters), hosts, resource
pools, vApps, and virtual machines.
To view a performance chart, you can use the following procedure:
Step 1. In the vSphere Client, select an appropriate object in the inventory
pane and navigate to Monitor > Performance.
Step 2. Select a view.
Step 3. Select a predefined or custom time range.
Table 10-5 lists the available performance chart views by object type.
Table 10-5 Views by Object Type
Object View List Items
Type
Data Clusters: Thumbnail CPU and memory charts for each cluster
center and stacked charts for total data center CPU and memory.

Telegram Channel : @IRFaraExam

Storage: Space utilization charts for each datastore by file type.
Datasto Space: Space utilization charts by datastore, by file type, and
re and by virtual machine.
datastor
e
cluster Performance: Disk performance (latency, throughput, and
queuing) charts for the datastore (or datastore cluster, when
Storage DRS is enabled) by virtual machine, by virtual disk,
and by file type.
Cluster Home: CPU and memory charts for the cluster.

Resource pools and virtual machines: Thumbnail charts for

resource pools and virtual machines and stacked charts for total
cluster CPU and memory usage.

Hosts: Thumbnail charts for each host and stacked charts for
total cluster CPU, memory, disk usage, and network usage.
Host Home: CPU, memory, disk, and network charts for the host.

Virtual machines: Thumbnail charts for virtual machines, and

stacked charts for total CPU usage and total host memory
usage.
Resourc Home: CPU and memory charts for the resource pool.
e Pool
Resource pools and virtual machines: Thumbnail charts for
resource pools and virtual machines and stacked charts for total
resource CPU and memory usage.
vApps Home: CPU and memory charts for the resource pool.

Resource pools and virtual machines: Thumbnail charts for

resource pools and virtual machines and stacked charts for total
vApp CPU and memory usage.

Telegram Channel : @IRFaraExam

Virtual Storage: Space utilization charts for the virtual machine by file
Machin type and by datastore.
e
Fault tolerance: CPU and memory charts that display metrics
for the fault-tolerant primary and secondary virtual machines.

Home: CPU, memory, network, and host thumbnail charts and

disk performance charts for the virtual machine.

hosts. You can click on a counter’s description name to display details,
such as whether the selected metric can be stacked for each virtual
machine.

After you create a custom chart, the chart is added to the View drop-down
list. You can then use the chart in the same manner that you would any
prebuilt view.
You can use the following procedure to delete a custom chart:
Step 1. In the vSphere Client, select an appropriate object in the inventory
pane and navigate to Monitor > Performance.
Step 2. Select Advanced > Chart Options.
Step 3. Select the chart and click Delete Options.
You can use the following procedure to save data from an advanced
performance chart to a file either in a graphic format or in a comma-separated
values (CSV) format:
Step 1. In the vSphere Client, select an object in the inventory pane and
navigate to Monitor > Performance.
Step 2. Click Advanced.
Step 3. Optionally, select a view or change chart options until you are
satisfied with the chart.
Step 4. Click the Export icon.
Step 5. Select one of the following options:
To PNG: Exports a bitmap image to PNG format.
To JPEG: Exports a bitmap image to JPEG format.
To CSV: Exports text data to CSV format.
To SVG: Exports a vector image to SVG format.

Step 6. Provide a filename and location.

Step 7. Click Save.

Telegram Channel : @IRFaraExam

Troubleshooting and Optimizing Performance
Table 10-6 provides the likely causes and potential solutions for some sample
symptoms, based on vSphere performance metrics.
Table 10-6 CPU Performance Analysis
Symptoms Likely Causes Potential Solutions
Host: CPU The host has insufficient CPU Add the host to a
usage is resources to meet the demand. DRS cluster.
consistentl
y high.
Too many virtual CPUs are running on Increase the
the host. number of hosts
Virtual in the DRS
machine: cluster.
CPU usage Storage or network operations are
is above placing the CPU in a wait state.
90%. CPU Migrate one or
ready is more virtual
The guest OS generates too much load machines to other
above for the CPU.
20%. hosts.
Applicatio
n Upgrade the
performan physical CPUs of
ce is poor. the host.

Upgrade ESXi to
the latest version.

Enable CPU-
saving features
such as TCP
segmentation
offload, large
memory pages,

Telegram Channel : @IRFaraExam

and jumbo
frames.

Increase the
amount of
memory allocated
to the virtual
machines, which
may improve
cached I/O and
reduce CPU
utilization.

Reduce the
number of virtual
CPUs assigned to
virtual machines.

Ensure that
VMware Tools is
installed.

Compare the
CPU usage of
troubled virtual
machines with
that of other
virtual machines
on the host or in
the resource pool.
(Hint: Use a
stacked graph.)

Increase the CPU

Add the host to a

DRS cluster.

Telegram Channel : @IRFaraExam

Increase the
number of hosts
in the DRS
cluster.

Migrate one or
more virtual
machines to other
hosts.

Add physical
memory to the
host.
Virtual The guest OS is not provided sufficient Increase the
machine: memory by the virtual machine. memory size of
Memory the virtual
usage is machine.
high.

Guest OS:
Memory
usage is
high.
Paging is
occurring.
Virtual The guest OS is not provided sufficient Increase the
machine: CPU resources by the virtual machine. number of CPUs
CPU ready for the virtual
is low. machine.

Guest OS: Migrate the

CPU virtual machine to
utilization a host with faster
is high. CPUs.

Migrate one or
more virtual
machines (or
virtual disks) to
other datastores.

Add the datastore

to a Storage DRS
datastore cluster.

Add datastores
with available
space to the
datastore cluster.

Add more storage

space to the
datastore.

Disk: Problems are occurring with the Migrate the

Device storage array. virtual machines
latency is to datastores
greater backed by other
than 15 storage arrays.
ms.

Add more disks

(spindles) to the
storage device
backing the
datastore.

Configure the
queue depth and
cache settings on
the RAID
controllers.
Adjust the
Disk.SchedNumR
eqOutstanding
parameter.

Configure
multipathing.

Ensure that no
virtual machine
swapping or
ballooning is
occurring.

Defragment guest
file systems.

Use eager zeroed

thick provisioned
virtual disks.

Network: The maximum throughput of a Install VMware

Telegram Channel : @IRFaraExam

results in high network latency. Use Migrate virtual
the VMware AppSpeed performance machines to other
monitoring application or a third-party hosts or to other
application to check network latency. physical network
adapters.
Network packet size is too small,
which increases the demand for the Verify that all
CPU resources needed for processing NICs are running
each packet. Host CPU, or possibly in full duplex
virtual machine CPU, resources are not mode.
enough to handle the load.
Implement TCP
Segmentation
Offload (TSO)
and jumbo
frames.

Assign additional
physical adapters
as uplinks for the
associated port
groups.

Replace physical
network adapters
with high-
bandwidth
adapters.

Place sets of
virtual machines
that communicate
with each other
regularly on the

Telegram Channel : @IRFaraExam

same ESXi host.

Performan Some metrics are not available for pre- Upgrade hosts to
ce charts ESXi 5.0 hosts. a later version of
are empty. ESXi.
Data is deleted when you remove
objects to vCenter Server or remove Allow time for
them. data collection on
objects that were
recently added,
Performance chart data for inventory migrated, or
objects that were moved to a new site recovered to the
by VMware vCenter Site Recovery vCenter Server.
Manager is deleted from the old site
and not copied to the new site.
Power on all
hosts and allow
Performance charts data is deleted time for real-time
when you use VMware vMotion across statistics to
vCenter Server instances. collect.

Real-time statistics are not available Allow time for

for disconnected hosts or powered-off the required roll-
virtual machines. ups for non-real-
time statistics.
Non-real-time statistics are rolled up at
specific intervals. For example, 1-day
statistics might not be available for 30
minutes after the current time,
depending on when the sample period
began.

The 1-day statistics are rolled up to

create one data point every 30 minutes.
If a delay occurs in the roll-up

Telegram Channel : @IRFaraExam

operation, the 1-week statistics might
not be available for 1 hour after the
current time. It takes 30 minutes for the
1-week collection interval, plus 30
minutes for the 1-day collection
interval.

The 1-week statistics are rolled up to

create one data point every two hours.
If a delay occurs in the roll-up
operations, the 1-month statistics might
not be available for 3 hours. It takes 2
hours for the 1-month collection
interval, plus 1 hour for the 1-week
collection interval.

Note
You can also set alarms to trigger when the host health status changes.

If you participate in the Customer Experience Improvement Program (CEIP),

you can configure Skyline Health to perform online health checks. If CEIP is
not enabled, the Internet connectivity check is unavailable. You can use the
following procedure to configure Skyline Health:

Step 1. In the vSphere client, select a vCenter Server or a host in the

inventory pane and navigate to Monitor > Skyline Health.
Step 2. Expand the Online Health Connectivity category and select one of
the following options:
CEIP: Verifies whether CEIP is enabled for the vCenter Server.
Online Health Connectivity (Internet check): Verifies vCenter
Server to vmware.com connectivity via HTTPS/443.
Advisor: Provides additional features, such as automatic support

Telegram Channel : @IRFaraExam

Latency Sensitivity
If you have a latency-sensitive application, such as voice over IP (VOIP) or a
media player application, you can edit the virtual machine’s settings and set
VM Options > Advanced >Latency Sensitivity to High. With this setting, you
should ensure that all the virtual machine’s configured CPU and memory are
reserved. With this setting, the system effectively gives exclusive physical

Telegram Channel : @IRFaraExam

CPU access to each virtual CPU. If the virtual machine is in a DRS cluster,
DRS automatically creates a VM-Host soft affinity rule.

The Impact of Virtual Machine Configurations

The specific settings you make for a virtual machine can impact its
performance, as summarized in Table 10-8.
Table 10-8 The Impact of Virtual Machine Configurations
Configur Impact
ation
Compu An oversized compute size for a virtual machine may result in
te wasted resources. With an undersized compute size, the virtual
oversiz machine may experience poor performance.
e/under
size
Virtual An oversized virtual disk may result in wasted resources. With
disk an undersized virtual disk, the virtual machine may experience
oversiz denial of service.
e/under
size
VMDK If a virtual disk is thin provisioned, then you may be
provisi maximizing the use of your storage space while decreasing the
oning virtual machine’s performance and increasing its risk of denial
types of service.
Resour If a resource is reserved, you may be improving and
ce guaranteeing the guest OS performance while reducing the
reserva density of virtual machines on the resource.
tions
Indepe If a virtual disk is set to independent mode, then you are
ndent prevented from taking snapshots of it. If it is set to
disks Independent–Nonpersistent, all changes are discarded when you
power off or reset the virtual machine.

Telegram Channel : @IRFaraExam

Guest The choice for the guest OS type during virtual machine
OS creation directly impacts the type of virtual devices that are
type used in the virtual machine.
VMwa The VMware Tools version impacts the set of device drivers it
re provides to the guest OS.
Tools
version
Permis The permissions set on a virtual machine impacts who can use
sions (power on, open a console), who can modify (change virtual
hardware settings), and who can manage (set permissions,
migrate) the virtual machine.

Other Virtual Machine Resource Management Features

You can configure virtual machines to support SRIOV, VGPU, RDMA, and
DirectPath I/O passthrough, as discussed in Chapter 14, “Managing Virtual
Machines.”

ESXTOP
ESXTOP is a utility that provides a detailed real-time look at resource usage
from the ESXi Shell. You can run ESXTOP in Interactive, Batch, or Replay
mode. You must have root user privileges. RESXTOP is a similar tool that
can be installed and run from a Linux server and connected to ESXi hosts.
By default, when you issue the command esxtop, the utility opens in
interactive mode to show the CPU panel, where statistics for each virtual
machine and other groups are displayed in separate rows. To see just virtual
machines statistics, you can press Shift+V. Each column provides CPU
statistics, such as %USED, %WAIT, %RDY, %CSTP, and %SWPWT. To
see statistics for the multiple worlds (processes) that comprise a virtual
machine, you can press the E key and enter the virtual machine’s ID. Figure
10-4 shows an example of an ESXTOP CPU panel, displaying virtual
machine statistics with one virtual machine (GID 33791) expanded.

Telegram Channel : @IRFaraExam

FIGURE 10-4 Sample ESXTOP CPU Panel

(yellow) to alert (red), depending on changing conditions. Triggered alarms
can automatically launch alarm actions.

Events
Events are simply recorded incidents, such as user actions or system actions,
that occurred involving a host or any object managed by vCenter Server. The
following are a few examples:

A license key expires.

Telegram Channel : @IRFaraExam

(Extended information, warning, and error entries in its log files.
Verbose)
Although setting the logging level to Verbose or Trivia may be beneficial for
troubleshooting, doing so for long durations may cause noticeable vCenter
Server performance degradation. VMware recommends that you use these
levels in rare cases, such as while actively troubleshooting, and that you reset
the logging level immediately afterward. Changes to the logging level are
saved in the vCenter Server configuration file /etc/vmware-vpx/vpxd.cfg.
You can make additional changes to logging behavior by editing the
advanced settings of a vCenter Server. For example, you can use the vSphere
Client to edit the following settings, which impact log size, retention,
rotation, and compression:

config.log.level
config.log.maxFileNum
config.log.maxFileSize
config.log.compressOnRoll

Note
By default, vCenter Server vpxd log files are rolled up and compressed
into .gz files. You can turn off compression for vpxd log files by
adding the log.compressOnRoll key with the value false to the vCenter
Server advanced settings.

Configuring Syslog on ESXi Hosts

You can use the following procedure to configure the syslog service for a
host:
Step 1. In the vSphere Client, select a host in the inventory pane and
navigate to Configure > System > Advanced System Settings.
Step 2. Click Edit.
Step 3. Filter for syslog.

Telegram Channel : @IRFaraExam

Step 4. To set up logging globally for the following options, select the
appropriate option and enter the appropriate value:
Syslog.global.defaultRotate: Maximum number of logs to keep
when rotating logs.
Syslog.global.defaultSize: Size of log (in KB) before triggering a
log rotation.
Syslog.global.LogDir: Directory in a VMFS or NFS datastore to
store logs specified in the format [datastore] /path. For example, to
store logs in the /vmfs/volumes/VMFS-01/systemlogs folder,
specify [VMFS-01] /systemlogs.
Syslog.global.logDirUnique: A subdirectory for the host at the
specified path, which is useful when multiple hosts use the same
shared datastore for logging.
Syslog.global.LogHost: Remote syslog host and port to which
messages are forwarded. For example, to forward to a server
named syslogsvr-1 using port 1514, specify ssl://syslogsvr-1:1514.

Step 5. Optionally, select specific log names and change the number of
rotations and log size for just that specific log.
Step 6. Click OK.
You can control how log files are maintained for virtual machines. A new log
file is created each time you power on or resume a virtual machine or
whenever the file size exceeds the vmx.log.rotateSize value, unless the value
is 0 (default). VMware recommends saving 10-log files, each one limited to
no less than 2 MB. If you need logs for a longer time span, you can set
vmx.log.keepOld to 20.
You can use the following procedure to change the number of log files for a
single virtual machine:
Step 1. In the vSphere Client, right-click a host or a virtual machine in the
inventory pane and click Edit Settings.
Step 2. Select VM Options > Advanced.
Step 3. Click Edit Configuration.

Telegram Channel : @IRFaraExam

Step 4. Add or edit the vmx.log.keepOld parameter, set to the appropriate
number.
Step 5. Click OK.

Note
To set the vmx.log.keepOld value for all virtual machines on a specific
host, edit the /etc/vmware/config file and add or edit a line like the
following:
vmx.log.keepOld = "10"

You can modify the /etc/vmware/logfilters file on a host to change its logging
behavior. In this file you can add an entry specifying the following options:

Add numLogs to specify the maximum number of log entries before the
specified log messages are filtered and ignored. Use 0 to filter and ignore
all the specified log messages.
Add Ident to specify one or more system components to apply the filter.
Add logRegexp to specify a case-sensitive phrase to filter the log
messages by their content.
Add the following line to the /etc/vmsyslog.conf file: enable_logfilters =
true.
Run the command esxcli system syslog reload.

vRealize Log Insight (vRLI)

To collect and analyze vSphere data using vRLI, after you deploy vRLI,
follow these steps:
Step 1. In the vRLI web interface, navigate to the Administration tab.
Step 2. Click Integration > vSphere.
Step 3. Provide the hostname and credentials to connect to a vCenter
Server.

Telegram Channel : @IRFaraExam

Step 4. Click Test Connection.
Step 5. If you use an untrusted SSL certificate, click Accept in the dialog.
Step 6. Click Save.
Step 7. Use the vRLI web interface to configure the data collection from
vCenter.

Exam Preparation Tasks

Review All the Key Topics

Review the most important topics in this chapter, noted with the Key Topics
icon in the outer margin of the page. Table 10-15 lists these key topics and
the page number on which each is found.

Table 10-15 Key Topics for Chapter 10

Key Topic Description Page
Element Number
List Add a host using Quickstart 365
Table 10-2 Use cases for VM-to-VM rules 369
List Configuring vSphere HA admission 371
control
Section Configuring proactive HA 372
Section Performance graph overview 375
List Configuring Skyline Health 387

Telegram Channel : @IRFaraExam

Section The impact of virtual machine 392
configuration

Complete Tables and Lists from Memory

Define Key Terms

Define the following key terms from this chapter and check your answers in
the glossary:
CPU Ready Time
ESXTOP
VIMTOP
client performance charts

Review Questions
1. You are creating a resource pool in a vSphere DRS cluster. Which
of the following is a default setting?
a. The Memory Limit is disabled.
b. CPU Shares is 0.
c. Memory Reservation is 0.
d. The CPU Reservation is normal.
2. You want to configure predictive DRS in your vSphere cluster.
Which of the following is a requirement?
a. Set DRS to Fully Automated.
b. In the cluster, set Provide Data to vSphere Predictive DRS to
True.
c. In the vRealize Operations, set Provide Data to vSphere

Telegram Channel : @IRFaraExam

Predictive DRS to True.
d. In the vRealize Automation, set Provide Data to vSphere
Predictive DRS to True.
3. You are configuring a vSphere HA cluster and do not want it to
automatically reserve resources for failure. What setting should you
use?
a. Set Cluster Resource Percentage to 0.
b. Set Cluster Resource Percentage to 100.
c. Set Define Host Failover Capacity to Dedicated Host Failures.
d. Set Define Host Failover Capacity to Disabled.
4. You want to use a command-line tool that shows real-time CPU
statistics for the services running in the vCenter Server. Which
should you choose?
a. VIMTOP
b. ESXTOP
c. Performance charts
d. vCenter Server Management Interface
5. You are examining vSphere logs. Which of the following logs is in
the same folder as the virtual machine configuration file?
a. vpxa.log
b. vmksummary.log
c. auth.log
d. vmware.log

Telegram Channel : @IRFaraExam

Step 4. Click Apply.

Licensing vSAN
You need a vSAN license to use it beyond the evaluation period. The license
capacity is based on the total number of CPUs in the hosts participating in the
cluster. The vSAN license is recalculated whenever ESXi hosts are added to
or removed from the vSAN cluster.
The Global.Licenses privilege is required on the vCenter Server. You can use
the following procedure to assign a vSAN license to a cluster:
Step 1. In the vSphere Client, select the vSAN cluster in the inventory pane.
Step 2. On the Configure tab, right-click the vSAN cluster and choose
Assign License.
Step 3. Select an existing license and click OK.

Note

Telegram Channel : @IRFaraExam

You can use vSAN in Evaluation Mode to explore its features for 60
days. To continue using vSAN beyond the evaluation period, you must
license the cluster. Some advanced features, such as all-flash
configuration and stretched clusters, require a license that supports the
feature.

Viewing a vSAN Datastore

When you enable vSAN on a cluster, a vSAN datastore is created. You can
use the following procedure to review the capacity and other details of a
vSAN datastore:
Step 1. In the vSphere Client, navigate to Home > Storage.
Step 2. Select the vSAN datastore.
Step 3. On the Configure tab, review the following:
Capacity (total capacity, provisioned space, and free space)
Datastore capabilities
Policies

A vSAN datastore’s capacity depends on the capacity devices per host and
the number of hosts in the cluster. For example, if a cluster includes eight
hosts, each having seven capacity drives, where each capacity drive is 2 TB,
then the approximate storage capacity is 8 × 7 × 2 TB = 112 TB.
Some capacity is allocated for metadata, depending on the on-disk format
version:

On-disk format Version 1.0 adds approximately 1 GB overhead per

capacity device.
On-disk format Version 2.0 adds overhead that is approximately 1% to
2% of the total capacity.
On-disk format Version 3.0 and later adds overhead that is
approximately 1% to 2% of the total capacity plus overhead for
checksums used by deduplication and compression (approximately 6.2%

Telegram Channel : @IRFaraExam

of the total capacity).

Configuring vSAN and vSphere HA

You can enable vSphere HA and vSAN on the same cluster but with some
restrictions. The following ESXi requirements apply when using vSAN and
vSphere HA together:

ESXi Version 5.5 Update 1 or later must be used on all participating

hosts.
The cluster must have a minimum of three ESXi hosts.

The following networking differences apply when using vSAN and vSphere
HA together:

The vSphere HA traffic flows over the vSAN network rather than the
management network.
vSphere HA uses the management network only when vSAN is disabled.

Before you enable vSAN on an existing vSphere HA cluster, you must first
disable vSphere HA. After vSAN is enabled, you can re-enable vSphere HA.
Table 11-2 describes the vSphere HA networking differences between
clusters where vSAN is enabled and is not enabled.
Table 11-2 Network Differences in vSAN and non-vSAN Clusters
Factor vSAN Is Enabled vSAN Is Not Enabled
Network vSAN network Management network
used by
vSphere
HA
Heartbeat Any datastore, other than a Any datastore that is
datastore vSAN datastore, that is mounted mounted to multiple
s to multiple hosts in the cluster hosts in the cluster
Host Isolation addresses not pingable Isolation addresses not
isolation and vSAN storage network pingable and

Telegram Channel : @IRFaraExam

criteria inaccessible management network
inaccessible
You must account for the vSAN’s rule set’s Primary Level of Failures to
Tolerate setting when configuring the vSphere HA admission control policy.
The vSAN primary level of failures must not be lower than the capacity
reserved by the vSphere HA admission control setting. If vSphere HA
reserves less capacity, failover activity might be unpredictable. For example,
for an eight-host cluster, if you set the vSphere HA admission control to more
than 25% of the cluster resources, then you should not set the vSAN rule’s
Primary Level of Failures to Tolerate setting higher than two hosts.
In response to events involving the failure of multiple hosts in a cluster where
vSphere HA and vSAN are enabled, vSphere HA may not be able to restart
some virtual machines where the most recent copy of an object is
inaccessible. For example, consider the following scenario:

In a three-host cluster with vSAN and vSphere HA enabled, two hosts

fail.
A VM continues to run on the third host.
The final host fails.
The first two hosts are recovered.
vSphere HA cannot restart the VM because the most recent copy of its
object is on the third host, which is still unavailable.

Setting the HA Capacity Reservation Setting

Capacity can be reserved for failover in the vSphere HA admission control
policies. Such a reservation must be coordinated with the vSAN policy
Primary Level of Failures to Tolerate. The HA reserved capacity cannot be
higher than the vSAN Primary Level of Failures to Tolerate setting.
For example, if you set vSAN Primary Level of Failures to Tolerate to 1, the
HA admission control policy must reserve resources equal to those of one
host. If you set the vSAN Primary Level of Failures to Tolerate to 2, the HA
admission control policy must reserve resources equal to those of two ESXi
hosts.

Telegram Channel : @IRFaraExam

Disabling vSAN
You can use the following procedure to disable vSAN for a host cluster,
which causes all virtual machines located on the vSAN datastore to become
inaccessible:
Step 1. In the vSphere Client, select the cluster in the inventory pane.
Step 2. Verify that the host in the cluster is in Maintenance Mode.
Step 3. Select Configure > vSAN > Services.
Step 4. Click Turn Off vSAN.
Step 5. In the dialog box that appears, confirm your selection.

Note
If you intend to use virtual machines while vSAN is disabled, make
sure you migrate the virtual machines from a vSAN datastore to
another datastore before disabling the vSAN cluster.

Shutting Down and Restarting vSAN

To shut down an entire vSAN cluster prior to performing some maintenance
activities, vSAN does not have to be disabled. The following procedure
details how you can shut down a vSAN cluster:

Step 1. Power off all virtual machines in the vSAN cluster except for the
vCenter Server, if it is running in the cluster.
Step 2. In the vSphere Client, select the cluster and navigate to Monitor >
vSAN > Resyncing Objects.
Step 3. When all resynchronization tasks are complete, on the Configure
tab, turn off DRS and HA.
Step 4. On each host, use the following command to disable cluster member
updates:

Telegram Channel : @IRFaraExam

Click here to view code image
esxcfg-advcfg -s 1 /VSAN/IgnoreClusterMemberListUpdates

Step 5. If vCenter Server runs in the vSAN cluster, shut it down. (This
makes the vSphere Client unavailable.)
Step 6. On each host, use the following command to place the hosts in
Maintenance Mode with no data migration:
Click here to view code image
esxcli system maintenanceMode set -e true -m noAction

Step 7. Shut down each host.

Note
When you plan to shut down a vSAN cluster, you do not need to
disable vSAN on the cluster.

After you perform maintenance activities, you can restart a vSAN cluster by
using the following procedure:
Step 1. Power on the hosts.
Step 2. Use the hosts’ consoles to monitor the ESXi startup
Step 3. Optionally, use a web browser to connect directly to the ESXi host
client to monitor the host’s status, events, and logs. You can ignore
misconfiguration status messages that appear temporarily when
fewer than three hosts have come online and joined the cluster.
Step 4. On each host, use the following commands to exit Maintenance
Mode and to ensure that each host is available in the cluster:
Click here to view code image
esxcli system maintenanceMode set -e false
esxcli vsan cluster get

Step 5. Restart the vCenter Server VM.

Step 6. On each host, use the following command to re-enable updates:

Telegram Channel : @IRFaraExam

Click here to view code image
esxcfg-advcfg -s 0 /VSAN/IgnoreClusterMemberListUpdates

Step 7. In the vSphere Client, select the vSAN cluster in the inventory pane.
Step 8. On the Configure tab, re-enable DRS and HA.
You can now start virtual machines in the cluster and monitor the vSAN
health service.

Deploying vSAN with vCenter Server

You can simultaneously deploy a VCSA and create a vSAN cluster by using
the vCenter Server installer and following these steps:
Step 1. Create a single-host vSAN cluster.
Step 2. Place the vCenter Server on the host in the cluster.
Step 3. Choose Install on a new vSAN cluster containing the target host.
This process deploys a one-host vSAN cluster. After the deployment, you can
use the vSphere Client to configure the vSAN cluster and add additional
nodes to the cluster.

Expanding a vSAN Cluster

You can expand a vSAN cluster by adding to the cluster ESXi hosts with
storage. Keep in mind that ESXi hosts without local storage can also be
added to a vSAN cluster. You can use the following procedure to expand a
vSAN cluster by adding hosts:
Step 1. In the vSphere Client, right-click a cluster in the inventory pane and
select Add Hosts
Step 2. Using the wizard, add hosts using one of the following options:
New Hosts: Provide the host name and credentials.
Existing Hosts: Select a host in the inventory that is not yet in the
cluster.

Step 3. Complete the wizard and click Finish on the final page.

Telegram Channel : @IRFaraExam

You can also use the following procedure to move multiple existing ESXi
hosts into a vSAN cluster by using host profiles:
Step 1. In the vSphere Client, navigate to Host Profiles.
Step 2. Click the Extract Profile from a Host icon.
Step 3. Select a host in the vSAN cluster that you want to use as the
reference host and click Next.
Step 4. Provide a name for the new profile and click Next.
Step 5. On the next wizard page, click Finish.
Step 6. In the Host Profiles list, select the new host profile and attach
multiple hosts to the profile.
Step 7. Click the Attach/Detach Hosts and Clusters to a Host Profile
icon.
Step 8. Detach the reference vSAN host from the host profile.
Step 9. In the Host Profiles list, select the new host profile and click the
Check Host Profile Compliance icon.
Step 10. Select the Monitor > Compliance.
Step 11. Right-click the host and select All vCenter Actions > Host Profiles
> Remediate.
Step 12. When prompted, provide appropriate input parameters for each host
and click Next.
Step 13. Review the remediation tasks and click Finish.
The hosts and their resources are now part of the vSAN cluster.
You can use the following procedure to add hosts to a vSAN cluster by using
Quickstart:
Step 1. Verify that no network configuration that was previously performed
through the Quickstart workflow has been modified from outside
the Quickstart workflow.
Step 1. In the vSphere Client, select the vSAN cluster in the inventory and

Telegram Channel : @IRFaraExam

click Configure > Configuration > Quickstart.
Step 2. Click Add hosts > Launch.
Step 3. Use the wizard to provide information for new hosts or to select
existing hosts from the inventory.
Step 4. Complete the wizard and click Finish on the last page.
Step 5. Click Cluster Configuration > Launch.
Step 6. Provide networking settings for the new hosts.
Step 7. On the Claim Disks page, select disks on each new host.
Step 8. On the Create Fault Domains page, move the new hosts into their
corresponding fault domains.
Step 9. Complete the wizard and click Finish.

Note
When adding a host to a vSAN cluster by using Quickstart, the vCenter
Server must not be running on the host.

Working with Maintenance Mode

Before shutting down, rebooting, or disconnecting a host that is a member of
a vSAN cluster, you must put the ESXi host in Maintenance Mode. Consider
the following guidelines for using Maintenance Mode for vSAN cluster
member hosts:

When entering host Maintenance Mode, you must select a data

evacuation mode, such as Ensure Accessibility or Full Data Migration.
When a vSAN cluster member host enters Maintenance Mode, the
cluster capacity is automatically reduced.
Each impacted virtual machine may have compute resources, storage
resources, or both on the host entering Maintenance Mode.
Ensure Accessibility Mode, which is faster than Full Data Migration

Telegram Channel : @IRFaraExam

Mode, migrates only the components from the host that are essential for
running the virtual machines. It does not reprotect your data. When in
this mode, if you encounter a failure, the availability of your virtual
machine is affected, and you might experience unexpected data loss.
When you select Full Data Migration Mode, your data is automatically
reprotected against a failure (if the resources are available and Primary
Level of Failures to Tolerate is set to 1 or more). In this mode, your
virtual machines can tolerate failures, even during planned maintenance.
When working with a three-host cluster, you cannot place a server in
Maintenance Mode with Full Data Migration Mode.

Prior to placing a vSAN cluster member host in Maintenance Mode, you

must do the following:

If using Full Data Migration Mode, ensure that the cluster has enough
hosts and available capacity to meet the requirements of the Primary
Level of Failures to Tolerate policy.
Verify that remaining hosts have enough flash capacity to meet any flash
read cache reservations. To analyze this, you can run the following
VMware Ruby vSphere Console (RVC) command:
vsan.whatif_host_failures

Verify that the remaining hosts have devices with sufficient capacity to
handle stripe width policy requirements, if selected.
Make sure that you have enough free capacity on the remaining hosts to
handle the data that must be migrated from the host entering
Maintenance Mode.

You can use the Confirm Maintenance Mode dialog box to determine how
much data will be moved, the number of objects that will become
noncompliant or inaccessible, and whether sufficient capacity is available to
perform the operation. You can use the Data Migration Pre-check button to
determine the impact of data migration options when placing a host into
Maintenance Mode or removing it from the cluster.
To place a vSAN cluster member host in Maintenance Mode, you can use the

Telegram Channel : @IRFaraExam

following procedure:
Step 1. In the vSphere Client, select the cluster in the inventory pane.
Step 2. Optionally, use the following steps to run Data Migration Pre-
check:
Click Data Migration Pre-check.
Select a host and a data migration option and click Pre-check.
View the test results and decide whether to proceed.

Step 3. Right-click the host and select Maintenance Mode > Enter
Maintenance Mode.
Step 4. Select one of the following data evacuation modes:
Ensure Accessibility: If hosts are powered off or removed from a
vSAN cluster, vSAN makes sure the virtual machines on the ESXi
host that is removed can still run those virtual machines. This
moves some of the virtual machine data off the vSAN cluster, but
replica data remains. If you have a three-host cluster, this is the
only evacuation mode available.
Full Data Migration: As its name implies, this mode moves all
the VM data to other ESXi hosts in the cluster. This option makes
sense if you are removing the host from the cluster permanently. If
a virtual machine has data on the host and that data is not migrated
off, the host cannot enter this mode.
No Data Migration: If this option is selected, vSAN does not
move any data from this ESXi host.

Click OK.

Managing vSAN Fault Domains

Fault domains provide additional protection against outage in the event of a
rack or blade chassis failure. A vSAN fault domain contains at least one
vSAN host, depending on the physical location of the host. With fault
domains, vSAN can withstand rack, blade chassis, host, disk, or network

Telegram Channel : @IRFaraExam

failure within one fault domain, as the replica and witness data are stored in a
different fault domain.
You can use the following procedure to create a new fault domain in a vSAN
cluster:
Step 1. In the vSphere Client, examine each host in a vSAN cluster.
Step 2. Verify that each host is running ESXi 6.0 or later (to support fault
domains) and is online.
Step 3. Select the vSAN cluster in the inventory pane and click Configure
> vSAN > Fault Domains.
Step 4. Click the Add (plus sign) icon.
Step 5. In the wizard, provide a name for the fault domain.
Step 6. Select one or more hosts to add to the fault domain.
Step 7. Click Create.
You can use the vSphere Client to add hosts to an existing fault domain by
selecting Configure > vSAN > Fault Domains and dragging the host to the
appropriate fault domain. Likewise, you can drag a host out of a fault domain
to remove the host from the fault domain and create a single-host fault
domain.

Extending a vSAN Datastore Across Two Sites

A vSAN stretched cluster extends across two physical data center locations to
provide availability in the event of site failure as well as provide load
balancing between sites. With a stretched vSAN cluster, both sites are active,
and if either site fails, vSAN uses storage on the site that is still up. One site
must be designated as the preferred site, which makes the other site the
secondary, or nonpreferred, site.
You can use the following procedure to leverage Quickstart to create a
stretched cluster across two sites:

Step 1. Ensure that the following prerequisites are met:

Telegram Channel : @IRFaraExam

A host is deployed outside any cluster for the witness host.
ESXi 6.0 Update 2 or later is used on each host.
The hosts in the cluster do not have any existing vSAN or
networking configuration.

Step 2. Click Configure > Configuration > Quickstart.

Step 3. Click Cluster Configuration > Edit.
Step 4. In the wizard, provide a cluster name, enable vSAN, and optionally
enable other features, such as DRS or vSphere HA.
Step 5. Click Finish.
Step 6. Click Add Hosts > Add.
Step 7. In the wizard, provide information for new hosts or select existing
hosts from the inventory. Click Finish.
Step 8. Click Cluster Configuration > Configure.
Step 9. In the wizard, configure the following:
Configure settings for distributed switch port groups, physical
adapters, and the IP configuration associated with vMotion and
storage.
Set vSAN Deployment Type to Stretched Cluster.
On the Claim Disk page, select disks on each host for cache and
capacity.
On the Create Fault Domains page, define fault domains for the
hosts in the preferred site and the secondary site.
On the Select Witness Host page, select a host to use as a witness
host. This host cannot be part of the cluster and can have only one
VMkernel adapter configured for vSAN data traffic.
On the Claim Disks for Witness Host page, select disks on the
witness host for cache and capacity.
On the Ready to Complete page, verify the cluster settings and
click Finish.

Telegram Channel : @IRFaraExam

When creating a vSAN stretched cluster, DRS must be enabled on the cluster.
There are also several DRS requirements for stretched vSAN clusters:

Two host groups must be created: one for the preferred site and another
for the secondary site.
Two VM groups must be created: one for the preferred site VMs and one
for the VMs on the secondary site.
Two VM-to-host affinity rules must be created for the VMs on the
preferred site and VMs on the secondary site.
VM-to-host affinity rules must be used to define the initial placement of
virtual machines on ESXi hosts in the cluster.

In addition to the DRS requirements, there are also HA requirements for

stretched vSAN clusters:

To increase space efficiency in a vSAN cluster, you can use SCSI Unmap,
deduplication, compression, RAID5 erasure coding, and RAID 6 erasure
encoding.
Unmap capability is disabled by default. To enable SCSI Unmap on a vSAN
cluster, use the RVC command vsan.unmap_support --enable.

Note
Unmap capability is disabled by default. When you enable Unmap on a
vSAN cluster, you must power off and then power on all VMs. VMs
must use virtual hardware Version 13 or above to perform Unmap
operations.

When you enable or disable deduplication and compression, vSAN performs

a rolling reformat of every disk group on every host. Depending on the data
stored on the vSAN datastore, this process might take a long time. Do not
perform such operations frequently. If you plan to disable deduplication and
compression, you must first verify that enough physical capacity is available
to place your data.
You should consider the following when managing disks in a vSAN cluster
where deduplication and compression are enabled:

Telegram Channel : @IRFaraExam

For efficiency, consider adding a disk group to cluster capacity instead of
incrementally adding disks to an existing disk group.
When you add a disk group manually, add all the capacity disks at the
same time.
You cannot remove a single disk from a disk group. You must remove
the entire disk group in order to make modifications.
A single disk failure causes an entire disk group to fail.

To enable deduplication and compression for an existing vSAN cluster, you

can use the following procedure:
Step 1. Verify that the cluster is all-flash.
Step 2. In the vSphere Client, select the cluster in the inventory pane and
navigate to Configure > vSAN > Services.
Step 3. Click Edit.
Step 4. Enable Deduplication and Compression.
Step 5. Optionally, select Allow Reduced Redundancy.
Step 6. Click Apply or OK.
When you enable deduplication and compression, vSAN updates the on-disk
format of each disk group of the cluster by evacuating data from the disk
group, removing the disk group, and re-creating it with a new format. This
operation does not require virtual machine migration or DRS. If you choose
the Allow Reduced Redundancy option, the virtual machines may continue to
keep running even if the cluster does not have enough resources for the disk
group to be fully evacuated. In this case, your virtual machines might be at
risk of experiencing data loss during the operation.
You can use the vSphere Client to check the storage savings provided by
deduplication and compression. To do so, select a cluster, navigate to
Monitor > Capacity, and examine Capacity Overview.
To use RAID 5 erasure coding in a vSAN cluster, set the following options:

Set Failure Tolerance Method to RAID-5/6 (Erasure Coding)–Capacity.

Telegram Channel : @IRFaraExam

Set Primary Level of Failures to Tolerate to 1.

To use RAID 6 erasure coding in a vSAN cluster, set the following options:

Set Failure Tolerance Method to RAID-5/6 (Erasure Coding)–Capacity.

Set Primary Level of Failures to Tolerate to 2.

To use RAID 1, set Failure Tolerance Method to RAID-1 (Mirroring)–

Performance.

Note
RAID 5 and RAID 6 erasure coding do not support Primary Level of
Failures set to a value higher than 2.

Using Encryption in a vSAN Cluster

When planning to implement vSAN encryption, you should consider the
following:

To provide the encryption keys for the vSAN datastore, you must
implement a key management server (KMS) cluster server that is KMIP
1.1 compliant and is in the vSphere compatibility matrices.
You should not deploy the KMS server on the same vSAN datastore that
it will help encrypt.
Encryption is CPU intensive. Enable AES-NI in your BIOS.
In a stretched vSAN cluster, the Witness host only stores metadata and
does not participate in encryption.
You should establish a policy regarding the encryption of coredumps
because they contain sensitive information such as keys for hosts. In the
policy, consider the following:
You can use a password when you collect a vm-support bundle.
The password re-encrypts coredumps that use internal keys based on
the password.

Telegram Channel : @IRFaraExam

You can later use the password to decrypt the coredumps in the
bundle.
You are responsible for keeping track of the password. It is not saved
anywhere in vSphere.

To use encryption in a vSAN datastore, you must add a KMS to the vCenter
Server and establish trust with the KMS. You can use the following
procedure to add a KMS to vCenter Server:
Step 1. Ensure that the user has the Cryptographer.ManageKeyServers
privilege.
Step 2. In the vSphere Client, select the vCenter Server in the inventory
pane and navigate to Configure > Key Management Servers.
Step 3. Click Add and specify the following KMS information in the
wizard:
For KMS Cluster, select Create New Cluster.
Specify the cluster name, alias, and address (FQDN or IP address).
Specify the port, proxy, and proxy port.

Step 4. Click Add.

Note
Connecting to a KMS through a proxy server that requires a username
or password is not supported. Connecting to a KMS by using only an
IPv6 address is not supported.

You can use the following procedure to establish a trusted connection for a
KMS:
Step 1. In the vSphere Client, select the vCenter Server in the inventory
pane and navigate to Configure > Key Management Servers.
Step 2. Select the KMS instance and click Establish Trust with KMS.

Telegram Channel : @IRFaraExam

Select one of the following options, as appropriate for the selected
Step 3. KMS instance:

Root CA Certificate
Certificate
New Certificate Signing Request
Upload Certificate and Private Key

When multiple KMS clusters are used, you can use the following procedure
to identify a default KMS cluster:
Step 1. In the vSphere Client, select the vCenter Server in the inventory
pane and navigate to Configure > Key Management Servers.
Step 2. Select the KMS cluster and click Set KMS Cluster as Default.
Step 3. Click Yes.
Step 4. Verify that the word default appears next to the cluster name.
You can make vCenter Server trust the KMS by using the following
procedure:
Step 1. In the vSphere Client, select the vCenter Server in the inventory
pane and navigate to Configure > Key Management Servers.
Step 2. Select the KMS instance and do one of the following:
Select All Actions > Refresh KMS Certificate > Trust.
Select All Actions > Upload KMS Certificate > Upload File.

If you want to enable encryption on a vSAN cluster, you need the following
privileges:

provide similar settings.

Step 2. In the vSphere Client, select the vSAN cluster and select Configure
> vSAN > Services.
Step 3. In the File Service row, click Enable.
Step 4. In the wizard, click Next.
Step 5. On the next page, select either of the following options:
Automatic: Automatically searches for and downloads the OVF
Manual: Allows you to manually select an OVF and associated
files (CERT, VMDK, and so on)

Step 6. Continue the wizard to provide file service domain, DNS, and
networking information.
Step 7. On the IP Pool page, enter the set of available IPv4 addresses and
assign one as the primary IP address. To simplify this process, you
can use the Auto Fill or Look Up DNS options.

Note
vSAN stretched clusters do not support the file service.

You can use the following procedure to create a vSAN file service:
Step 1. In the vSphere Client, select the vSAN cluster in the inventory pane
and navigate to Configure > vSAN > File Service Shares.
Step 2. Click Add.
Step 3. In the wizard, enter the following general information:
Protocol: Select either NFS Version 3 or NFS Version 4.1.
Name: Specify a name.
Storage Policy: Select the vSAN default storage policy.
Storage space quotas: Set the share warning threshold and the

Telegram Channel : @IRFaraExam

share hard quota.
Labels: Specify up to 50 labels (key-value pairs) per share, a label
key (up to 250 characters), and a label value (fewer than 1000
characters).

Click Next.
Step 4. In the Net Access Control page, select one of the following options:
No Access: Use this option to prevent access to the file share.
Allow Access from Any IP: Use this to allow access from any IP
address.
Customize Net Access: Use this to control whether specific IP
addresses can access, read, or modify the file share. You can
configure Root Squash based on IP address.

Click Next.
Step 5. In the Review page, click Finish.

Managing Datastores
This section provides information on managing datastores in a vSphere 7.0
environment.

Managing VMFS Datastores

You can set up VMFS datastores on any SCSI-based storage device that is
discovered by a host, such as a Fibre Channel device, an iSCSI device, or a
local device. To view a host’s SCSI devices, you can use the following
procedure:
Step 1. In the vSphere Client, select an ESXi host in the inventory pane and
navigate to Configure > Storage > Storage Adapters.
Step 2. Select a storage adapter.
Step 3. Optionally, click the Rescan Adapter or Rescan Storage button.
Step 4. In the details pane, select the Devices tab and examine the details

Telegram Channel : @IRFaraExam

for each discovered SCSI device, including type, capacity, and
assigned datastores.
Step 5. Optionally, to manipulate a specific device, select the device and
click the Refresh, Attach, or Detach button.
To create a VMFS 6 datastore on a SCSI device, you can use the following
procedure:
Step 1. In the vSphere Client, right-click a host in the inventory pane and
select Storage > New Datastore.
Step 2. For datastore type, select VMFS and click Next.
Step 3. Provide a name for the datastore, select an available SCSI device,
and click Next.
Step 4. Select VMFS 6 and click Next.
Step 5. Keep the default Partition Configuration setting Use All Available
Partitions. Alternatively, set the datastore size, block size, space
reclamation granularity, and space reclamation priority.
Step 6. Click Next.
Step 7. On the Ready to Complete page, click Finish.
You can increase the size of a VMFS datastore by adding an extent or by
expanding the datastore within its own extent. A VMFS datastore can span
multiple devices. Adding an extent to a VMFS datastore means adding a
storage device (LUN) to the datastore. A spanned VMFS datastore can use
any extent at any time. It does not require filling up a specific extent before
using the next one.
A datastore is expandable when the backing storage device has free space
immediately after the datastore extent. You can use the following procedure
to increase the size of a datastore:

Step 1. In the vSphere Client, right-click the datastore in the inventory pane
and select Increase Datastore Capacity.
Step 2. Select a device from the list of storage devices, based on the

Telegram Channel : @IRFaraExam

following.
To expand the datastore, select a storage device whose Expandable
column contains YES.
To add an extent to the datastore, select a storage device whose
Expandable column contains NO.

Step 3. Review the available configurations in the partition layout.

Step 4. In the menu, select one of the following available configuration
options, depending on your previous selections:
Use Free Space to Expand the Datastore: Select this option to
expand the existing datastore and disk partition to use the adjacent
disk space.
Use Free Space: Select this option to deploy an extent in the
remaining free space.
Use All Available Partitions: Select this option to reformat a disk
and deploy an extent using the entire disk. (This option is available
only for non-blank disks.)

Step 5. Set the capacity. (The minimum extent size is 1.3 GB.) Click Next.
Step 6. Click Finish.

Note
If a shared datastore becomes 100% full and has powered-on virtual
machines, you can increase the datastore capacity—but only from the
host where the powered-on virtual machines are registered.

Each VMFS datastore is assigned a universally unique ID (UUID). A storage

device operation, such as a LUN snapshot, LUN replication, or a LUN ID
change, might produce a copy of the original datastore such that both the
original and a copy device contain a VMFS datastore with identical
signatures (UUID). When ESXi detects a VMFS datastore copy, it allows you
to mount it with the original UUID or mount it with a new UUID. The

Telegram Channel : @IRFaraExam

process of changing the UUID is called resignaturing.
To allow a host to use the original datastore and the copy, you can choose to
resignature the copy. If the host will only access the copy, you could choose
to mount the copy without resignaturing.
You should consider the following:

When resignaturing a datastore, ESXi assigns a new UUID to the copy,

mounts the copy as a datastore that is distinct from the original, and
updates all corresponding UUID references in the virtual machine
configuration files.
Datastore resignaturing is irreversible.
After resignaturing, the storage device is no longer treated as a replica.
A spanned datastore can be resignatured only if all its extents are online.
The resignaturing process is fault tolerant. If the process is interrupted,
you can resume it later.
You can mount the new VMFS datastore without risk of its UUID
conflicting with UUIDs of any other datastore from the hierarchy of
device snapshots.

config. Hides storage devices (LUNs) that are ineligible for use as
vpxd.fi VMFS datastore extents because of incompatibility with the
lter.sa selected datastore. Hides LUNs that are not exposed to all hosts
meHos that share the original datastore. Hides LUNs that use a storage
tsAndT type (such as Fibre Channel, iSCSI, or local) that is different
ranspor from the original datastore.
tsFilter

(Same
Hosts
and
Transp
orts
filter)
config. Automatically rescans and updates VMFS datastores following
vpxd.fi datastore management operations. If you present a new LUN to
lter.hos a host or a cluster, the hosts automatically perform a rescan,
tResca regardless of this setting.
nFilter

Step 3. Select the correct NFS version (Version 3 or Version 4.1). Be sure
to use the same version on all ESXi hosts that are going to mount
this datastore.
Step 4. Define the datastore name (with a maximum of 42 characters).
Step 5. Provide the appropriate path for the folder to mount, which should
start with a forward slash (/).
Step 6. Set Server to the appropriate IPv4 address, IPv6 address, or server
name.
Step 7. Optionally, select the Mount NFS Read Only checkbox. (This can
only be set when mounting an NFS device. To change it later, you
must unmount and remount the datastore from the hosts.)
Step 8. If using Kerberos, select Kerberos and define the Kerberos model
as one of the following:
a. Use Kerberos for Authentication Only (krb5): This method
supports identity verification only.
b. Use Kerberos for Authentication and Data Integrity (krb5i):
This method supports identity verification and also ensures that
data packets have not been modified or tampered with.
Step 9. If you selected a cluster or a data center object in step 1, then select
the ESXi hosts to mount this datastore.
Step 10. Verify the configuration and click Finish.
To rename or unmount an NFS datastore, you can use the same procedure as
described for VMFS datastores in Table 11-3. To remove an NFS datastore
from the vSphere inventory, you should unmount it from every host.

Storage DRS and SIOC

This section provides details on configuring and managing Storage DRS and
Storage I/O Control (SIOC).

Configuring and Managing Storage DRS

To create a datastore cluster using the vSphere Client, you can right-click on

Telegram Channel : @IRFaraExam

a data center in the inventory pane, select New Datastore Cluster, and
complete the wizard. You can use the following procedure to enable Storage
DRS (SDRS) in a data-store cluster:
Step 1. In the vSphere Client, select the datastore cluster in the inventory
pane and navigate to Configure > Services > Storage DRS.
Step 2. Click Edit.
Step 3. Select Turn ON vSphere DRS and click OK.
You can use similar steps to set the SDRS Automation Mode to No
Automation, Partially Automated, or Fully Automated. You can set Space
Utilization I/O (SDRS Thresholds) Latency. You can select or deselect
Enable I/O Metric for SDRS Recommendations. You can configure the
advanced options, which are Space Utilization Difference, I/O Load
Balancing Invocation Interval, and I/O Imbalance Threshold.
You can add datastores to a datastore cluster by using drag and drop in the
vSphere Client. Each datastore can only be attached to hosts with ESXi 5.0 or
later. The datastores must not be associated with multiple data centers.
If you want to perform a maintenance activity on an SDRS cluster member
data-store or its underlying storage devices, you can place it in Maintenance
Mode. (Standalone datastores can be placed in Maintenance Mode.) SDRS
has recommendations for migrating the impacted virtual machine files,
including virtual disk files. You can let SDRS automatically apply the
recommendations, or you can manually make recommendations. To place a
datastore in Maintenance Mode using the vSphere Client, right-click the
datastore in the inventory pane, select Enter SDRS Maintenance Mode, and
optionally apply any recommendations.
The Faults tab displays a list of the disks that cannot be migrated and the
reasons.
If SDRS affinity or anti-affinity rules prevent a datastore from entering
Maintenance Mode, you can select an option to ignore the rules. To do so,
edit the settings of the datastore cluster by selecting SDRS Automation >
Advanced Options and setting IgnoreAffinityRulesForMaintenance to 1.
When reviewing each SDRS recommendation on the Storage SDRS tab in the
vSphere Client, you can examine the information described in Table 11-6 and

Telegram Channel : @IRFaraExam

use it when deciding which recommendations to apply.
Table 11-6 SDRS Recommendations
Recommendations Details
Priority Priority level (1–5) of the recommendation.
(This is hidden by default.)
Recommendation Recommended action.
Reason Why the action is needed.
Space Utilization % Before Percentage of space used on the source and
(source) and (destination) destination datastores before migration.
Space Utilization % After Percentage of space used on the source and
(source) and (destination) destination datastores after migration.
I/O Latency Before Value of I/O latency on the source datastore
(source) before migration.
I/O Latency Before Value of I/O latency on the destination
(destination) datastore before migration.
You can use the following procedure to override the SDRS datastore cluster
automation level per virtual machine:
Step 1. In the vSphere Client, right-click a datastore cluster in the inventory
pane and select Edit Settings.
Step 2. Select Virtual Machine Settings.
Step 3. Select one of the following automation levels:
Default (Manual)
Fully Automated
Disabled

Step 4. Optionally select or deselect the Keep VMDKs Together option.

Step 5. Click OK.
You can use the following procedure to create an inter-VM anti-affinity rule

Telegram Channel : @IRFaraExam

(that is, a rule specifying that two or more virtual machines are placed on
separate datastores):
Step 1. In the vSphere Client, right-click a datastore cluster in the inventory
pane and select Edit Settings.
Step 2. Select Rules > Add.
Step 3. Provide a name and set Type to VM Anti-affinity.
Step 4. Click Add.
Step 5. Click Select Virtual Machine.
Step 6. Select at least two virtual machines and click OK.
Step 7. Click OK to save the rule.
To create an intra-VM anti-affinity rule (that is, a rule which says that virtual
disks for a specific virtual machine are placed on separate datastores), you
use a similar procedure but set Type to VMDK-Affinity and select the
appropriate virtual machine and virtual disks.

Configuring and Managing SIOC

Storage I/O Control (SIOC) allows you to prioritize storage access during
periods of contention, ensuring that the more critical virtual machines obtain
more I/O than less critical VMs. Once SIOC has been enabled on a datastore,
ESXi hosts monitor the storage device latency. If the latency exceeds a
predetermined threshold, the datastore is determined to be under contention,
and the virtual machines that reside on that datastore are assigned I/O
resources based on their individual share values. You can enable SIOC as
follows:
Step 1. In the vSphere Client, select a datastore in the Storage inventory
view and select Configuration > Properties.
Step 2. Click the Enabled checkbox under Storage I/O Control and click
Close.

Note

Telegram Channel : @IRFaraExam

SIOC is enabled automatically on Storage DRS–enabled datastore
clusters.

In addition to share values, which are similar to shares defined for CPU and
memory, storage I/O limits can be defined on individual virtual machines to
limit the number of I/O operations per second (IOPS). By default, just as with
CPU and memory resources, there are no limits set for virtual machines. In a
virtual machine with more than one virtual disk, limits must be set on all of
the virtual disks for that VM. If you do not set a limit on all the virtual disks,
the limit won’t be enforced. To view the shares and limits assigned to virtual
machines, you can use the vSphere Client. To select a datastore, select the
Virtual Machines tab and examine the associated virtual machines. The
details for each virtual machine include its respective shares, the IOPS limit,
and the percentage of shares for that datastore.

Setting SIOC Shares and Limits

As with CPU and memory shares, SIOC shares establish a relative priority in
the event of contention. In the event of storage contention, virtual machines
with more shares will observe more disk I/O than will a virtual machine with
fewer shares. The following procedure outlines how you configure SIOC
shares and limits for virtual machines:

Step 1. In the vSphere Client, right-click a virtual machine in the inventory

pane and select Edit Settings.
Step 2. Expand one of the hard disks (for example, Hard disk 1).
Step 3. From the Shares drop-down menu, select High, Normal, Low, or
Custom to define the share value.
Step 4. Set the Limit–IOPS drop-down to Low (500), Normal (1000),
High (2000), or Custom (and enter a custom value for the IOPS
limit).
Step 5. Click OK to save your changes.

Telegram Channel : @IRFaraExam

Monitoring SIOC Shares
To view the impact of shares on individual datastores, in the vSphere Client,
select a datastore in the inventory pane, select the Performance tab, and select
View > Performance. Here, you can observe the following data:

Average latency and aggregated IOPS

Host latency
Host queue depth
Host read/write IOPS
Virtual machine disk read/write latency
Virtual machine disk read/write IOPS

SIOC Threshold
The default threshold for SIOC to begin prioritizing I/O based on shares is 30
ms and typically does not need to be modified. However, you can modify this
threshold if you need to. Be aware that SIOC will not function properly
unless all the data-stores that share drive spindles have the same threshold
defined. If you set the value too low, shares will enforce priority of resources
sooner but could decrease aggregated throughput, and if you set it too high,
the result might be higher aggregated throughput but less prioritization of
disk I/O.
The following procedure allows you to modify the threshold:
Step 1. In the vSphere Client Storage Inventory view, select a datastore and
select the Configuration tab.
Step 2. Select Properties and under Storage I/O Control, select Enabled if
it is not already.
Step 3. Click Advanced to modify the threshold for contention; this value
must be between 10 ms and 100 ms.
Step 4. Click OK and then click Close.

The procedure to reset the threshold to the default is similar:

Telegram Channel : @IRFaraExam

Step 1. In the vSphere Client Storage Inventory view, select a datastore and
select the Configuration tab.
Step 2. Select Properties and under Storage I/O Control, select Advanced.
Step 3. Click Reset.
Step 4. Click OK and then click Close.

NVMe and PMem

This section provides details on configuring and managing Non-Volatile
Memory Express (NVMe).

Managing VMware NVMe

As described in Chapter 2, Non-Volatile Memory Express (NVMe) devices
are a high-performance alternative to SCSI storage. There are three
mechanisms for NVMe:

NVMe over PCIe: NVMe over PCIe is for local storage, and NVMe
over fabrics (NVMe-oF) is for connected storage.
NVMe over Remote Direct Memory Access (RDMA): NVMe over
RDMA is shared NVMe-oF storage using RDMA over Converged
Ethernet (RoCE) Version 2 transport.
NVMe over Fibre Channel (FC-NVMe): FC-NVMe is shared NVMe-
oF storage using Fibre Channel transport.

Configuring HPP
As described in Chapter 2, High-Performance Plug-in (HPP) is the default
plug-in that claims NVMe-oF targets. NVMe over PCIe targets default to the
VMware Native Multipathing Plug-in (NMP). You can use the esxcli storage
core claimrule add command to change the claiming plug-in in your
environment. For example, to set a local device to be claimed by HPP, use
the --pci-vendor-id parameter and set the --plugin parameter to HPP. To
change the claim rule based on an NVMe controller model, use the --nvme-
controller-model parameter.
To assign a specific HPP Path Selection Scheme (PSS) to a specific device,
you can use the esxcli storage hpp device set command with -pss parameter
to specify the scheme and the --device parameter to specify the device. The
available HPP PSS options are explained in Table 2-6 in Chapter 2. To create
a claim rule that assigns the HPP PSS by vendor and model, you can use
esxcli storage core claimrule add with the -V (vendor), -M (model), -P
(plug-in), and --config-string parameters. In the value for --config-string,
specify the PSS name and other settings, such as “pss=LB-Latency,latency-
eval-time=40000.”

Note
Enabling HPP on PXE-booted ESXi hosts is not supported.

After using these commands, you should reboot the hosts to apply the
changes.

Managing PMem
PMem devices are non-volatile dual in-line memory modules (NVDIMMs)
on the ESXi host that reside in normal memory slots. They are non-volatile
and combine the performance of volatile memory with the persistence of

Telegram Channel : @IRFaraExam

storage. PMem devices are supported on ESXi 6.7 and later.
ESXi hosts detect local PMem devices and expose the devices as host-local
PMem datastores to virtual machines. Virtual machines can directly access
and utilize them as either memory (virtual NVDIMM) or storage (PMem hard
disks). An ESXi host can have only one PMem datastore, but it can be made
up of multiple PMem modules.

Virtual PMem (vPMem)

In vPMem mode, a virtual machine can directly access PMem resources and
use the resources as regular memory. The virtual machine uses NVDIMMs
that represent physical PMem regions. Each virtual machine can have up to
64 virtual NVDIMM devices, and each NVDIMM device is stored in the
host-local PMem datastore. Virtual machines must be at hardware Version
14, and the guest OS must be PMem aware.

Virtual PMem Disks (vPMemDisk)

In vPMemDisk mode, a virtual machine cannot directly access the PMem
resources. You must add a virtual PMem disk to the virtual machine. A
virtual PMem disk is a regular virtual disk that is assigned a PMem storage
policy, forcing it to be placed on a host-local PMem datastore. This mode has
no virtual machine hardware or operating system requirements.

PMem Datastore Structure

The following are components of the PMem structure on an ESXi host:

Modules: These are the physical NVDIMMs that reside on the

-g | --cfgfile

-d | --device=<device>

-I | --iops=
<max_iops_on_path>

-T | --latency-eval-time=
<interval_in_ms>

To collect storage entities and data services information from a VASA
storage provider, you can use the following procedure:
Step 1. In the vSphere Client, select vCenter in the inventory pane and
navigate to Configure > Storage Providers.
Step 2. Click the Add icon.
Step 3. Provide the connection information for the provider, including the
name, URL, and credentials.
Step 4. Select one of the following security methods:
a. Select the Use Storage Provider Certificate option and define
the location of the certificate.
b. Review and accept the displayed certificate thumbprint that is
displayed.
Step 5. Storage provider adds the vCenter certificate to the truststore when
the vCenter server initially connects to the storage device.
Step 6. Click OK.

VASA: Managing Storage Providers

To perform management operations involving a storage provider, such as
rescanning, you can use the following procedure:

Telegram Channel : @IRFaraExam

In the vSphere Client, select vCenter in the inventory pane and
Step 1. navigate to Configure > Storage Providers.

Step 2. Select a storage provider and choose one of the following options:
Synchronize Storage Providers: Synchronizes vCenter Server
with information for all storage providers.
Rescan: Synchronizes vCenter Server with information from a
specific storage provider.
Remove: Unregisters a specific storage provider, which is useful
whenever upgrading a storage provider to a later VASA version
requires you to unregister and reregister.
Refresh Certificate: Refreshes a certificate before it retires.

Applying Storage Policies to VMs

When performing a provisioning, cloning, or migration operation for a virtual
machine, you can assign a storage policy. For example, when using the New
Virtual Machine wizard, on the Select Storage page, you can select a policy
in the VM Storage Policy drop-down menu to assign a storage policy to the
entire virtual machine. After selecting the policy, you should choose a
datastore from the list of compatible datastores. If you use the replication
service provided with vVols, you should either specify a preconfigured
replication group or choose to have vVols create an automatic replication
group.
Optionally, you can set different storage policies for each virtual disk. For
example, on the Customize Hardware page, you can select New Hard Disk
and set a VM storage policy for that disk.
To change the storage policy assigned to a virtual machine, you can use the
following procedure:
Step 1. In the vSphere Client, navigate to Menu > Policies and Profiles >
VM Storage Policies.
Step 2. Select a storage policy and click VM Compliance.
Step 3. Select a virtual machine that is currently assigned the selected
policy.

Telegram Channel : @IRFaraExam

Step 4. Click Configure > Policies.
Step 5. Click Edit VM Storage Policies.
Step 6. Assign the appropriate policy to the virtual machine or assign
separate policies to different virtual disks.
Step 7. If you use the replication service provided with vVols, configure the
replication group.
Step 8. Click OK.

Configuring and Managing vVols

To use vVols, you must ensure that your storage and vSphere environment
are properly configured.
To work with vVols, the storage system must support vVols and must
integrate with vSphere using VASA. You should consider the following
guidelines:

The storage system must support thin provisioning and snapshotting.

You need to deploy the VASA storage provider.
You need to configure the following components on the storage side:
Protocol endpoints
Storage containers
Storage profiles
Replication configurations if you plan to use vVols with replication
You need to follow appropriate setup guidelines for the type of storage
you use (Fibre Channel, FCoE, iSCSI, or NFS). If necessary, you should
install and configure storage adapters on your ESXi hosts
You need to use NTP to ensure time synchronization among the storage
system components and vSphere.

To configure vVols, you can use the following procedure:

Step 1. Register the storage providers for vVols, as described previously.

Telegram Channel : @IRFaraExam

Step 2. Create a vVols datastore by using the following steps:
a. In the vSphere Client, right-click a host, cluster, or data center in
the inventory pane and select Storage > New Datastore.
b. Select vVol as the datastore type
c. Select the hosts that will access the datastore.
d. Click Finish.
Step 3. Navigate to Storage > Protocol Endpoints to examine and manage
the protocol endpoints. Optionally, you can take the following
steps:
a. Use the Properties tab to modify the multipathing policy.
b. Use the Paths tab to change the path selection policy, disable
paths, and enable paths.

Exam Preparation Tasks

Review All the Key Topics

Review the most important topics in this chapter, noted with the Key Topics
icon in the outer margin of the page. Table 11-12 lists these key topics and
the page number on which each is found.

Table 11-12 Key Topics for Chapter 11

Key Topic Element Description Page Number
List vSAN characteristics 414

Telegram Channel : @IRFaraExam

List Shutting down a vSAN cluster 421
List Creating a stretched vSAN cluster 427
List Increasing the size of a datastore 439
List Creating an NFS datastore 446
List Setting SIOC shares and limits 450
Table 11-10 Sample claim rules commands 458
List Implementing storage policies 459

Complete Tables and Lists from Memory

Define Key Terms

Managing SSO
As explained in previous chapters, you can use the built-in identity provider
vCenter SSO and external identity providers for vSphere authentication. SSO
includes the Security Token Service (STS), an administration server, the
vCenter Lookup Service, and the VMware Directory Service (vmdir). The
VMware Directory Service is also used for certificate management.
Chapter 8, “vSphere Installation,” discusses the following procedures:

Adding and editing identity sources

Adding the vCenter Appliance to an Active Directory domain
Configuring SSO password, lockout, and token policies

This section describes the procedures for enabling Windows session

authentication (SSPI) and managing STS. This section also describes how to
implement and use Enhanced Linked Mode.

Note
The lockout policy applies only to user accounts and not to system
accounts such as [email protected].

Enabling SSO with Windows Session Authentication

To enable Windows session authentication (SSPI), you can use the following

Telegram Channel : @IRFaraExam

procedure:
Step 1. Prepare an Active Directory domain and its trusts in an SSO-trusted
manner, as described at https://kb.vmware.com/s/article/2064250.
Step 2. Join the vCenter Server to the Active Directory domain, as
described in Chapter 8.
Step 3. Install the Enhanced Authentication Plug-In.
Step 4. Instruct vSphere Client users to select the Use Windows Session
Authentication checkbox during login.

Note
If you use federated authentication with Active Directory Federation
Services, the Enhanced Authentication Plug-in applies only if vCenter
Server is the identity provider.

Managing Service Token Service (STS)

The vCenter Single Sign-On Security Token Service (STS) is a web service
that issues, validates, and renews security tokens. It uses a private key to sign
tokens and publishes the public certificates. SSO manages the certificates that
are used by STS for signing and stores the certificates (the signing
certificates) in VMware Directory Service (vmdir). You can use the
following procedure to generate a new STS signing certificate:
Step 1. Create a top-level directory.
Step 2. Copy the certool.cfg file into the new directory.
Step 3. Modify the certool.cfg file to use the local vCenter Server IP
address and host name.
Step 4. Generate the key by running /usr/lib/vmware-vmca/bin/certool --
genkey.
Step 5. Generate the certificate by running /usr/lib/vmware-
vmca/bin/certool --gencert.

Telegram Channel : @IRFaraExam

Step 6. Create a PEM file with the certificate chain and private key.

Note
The certificate is not external facing, and it is valid for 10 years. You
should replace this certificate only if required by your company’s
security policy.

To use a company-required certificate or to refresh a certificate that is near

expiration, you can use the PEM file from the previous procedure and the
sso-config utility command to refresh the STS certificate, as in the following
example:
Click here to view code image
/opt/vmware/bin/sso-config.sh -set_signing_cert -t vsphere.local
~/newsts/newsts.pem

Enhanced Linked Mode

To join vCenter Server systems in Enhanced Linked Mode, you need to
connect them to the same SSO domain. For example, during the deployment
of a vCenter Server, you can choose to join the SSO domain of a previously
deployed vCenter Server.
When implementing Enhanced Linked Mode, you should ensure that you
properly synchronize the time settings of the new appliance to match those of
the previously deployed appliance. For example, if you are using the vCenter
Server GUI installer to deploy two new vCenter Server systems joined in
Enhanced Linked Mode to the same ESXi host, you can configure them to
synchronize the time settings with the host.
You can use a single vSphere Client window to manage multiple vCenter
Server systems that are joined with Enhanced Linked Mode. Enhanced
Linked Mode provides the following features for vCenter Server:

You can log in to all linked vCenter Server systems simultaneously.

You can view and search the inventories of all linked vCenter Server

Telegram Channel : @IRFaraExam

systems.
Roles, permission, licenses, tags, and policies are replicated across linked
vCenter Server systems.

Note
Enhanced Linked Mode requires the vCenter Server Standard licensing
level.

Users and Groups

By default, immediately following installation, only the localos and the SSO
domain (which is sphere.local by default) identity sources are available.
Chapter 8 describes how to add identity sources, such as a native Active
Directory (integrated Windows authentication) domain, an OpenLDAP
directory service, or Active Directory as an LDAP server. It also describes
how to create users and groups in the SSO domain.

Note
After creating a user or group, you cannot change its name.

When using the procedure in Chapter 8 to add members to a group in the

SSO domain, you can add users from identity sources.
In some cases, you might want to manage multiple independent vSphere
environments that have similar but separate SSO domains and users. In such
scenarios, you can export SSO users by using this procedure:
Step 1. Log on to the vSphere Web Client.
Step 2. Select Home > Administration.
Step 3. Select Single Sign On > Users and Groups.
Step 4. Click the Users tab.

Telegram Channel : @IRFaraExam

Step 5. Click the Export List icon in lower-right corner.
You can use a similar procedure to export SSO groups except that you choose
the Groups tab in step 4 instead of the Users tab.

Privileges and Roles

To create a role in vCenter Server using the vSphere Client, you can use this
procedure:
Step 1. Click Menu >Administration > Roles.
Step 2. Click the Create Role Action (+) button.
Step 3. Provide a name for the role.
Step 4. Select the desired privileges.
Step 5. Click OK.
After you create custom roles, you can use these roles when assigning
permissions in the same manner as you use the vCenter Server system roles
and sample roles.
To clone a sample role or custom role in the vSphere Client, navigate to
Administration > Roles and select the role, click the Clone role action icon,
and provide a name for the new role. To edit a sample role or custom role in
the vSphere Client, navigate to Administration > Roles and select the role,
click the Edit Role Action icon, and modify the set of privileges in the role.

Permissions
To set a permission using the vSphere Client, you can use the following
steps:
Step 1. Select the object in the inventory.
Step 2. Click the Permissions tab.
Step 3. Click the Add Permission icon.
Step 4. Select a user or group from the User drop-down menu.
Step 5. Select a role from the Role drop-down menu.

Telegram Channel : @IRFaraExam

Step 6. Optionally, select Propagate to Children.
Step 7. Click OK.
By assigning a different role to a group of users on different objects, you
control the tasks that those users can perform in your vSphere environment.
For example, to allow a group to configure memory for the host, select that
host and add a permission that grants a role to that group that includes the
Host.Configuration.Memory Configuration privilege.

Global Permissions
In some cases, you might assign a global permission and choose not to
propagate to child objects. This may be useful for providing a global
functionality, such as creating roles. To assign a global permission, you
should use the vSphere Client with a user account that has the
Permissions.Modify privilege on the root object of all inventory hierarchies.
Select Administration > Global Permissions > Manage and use the Add
Permission icon (plus sign). Then use the dialog that appears to select the
desired user group (or user) and role.

Note
By default, the administrator account in the SSO domain, such as
[email protected], can modify global permissions, but the
vCenter Server Appliance root account cannot.

Note
Be careful when applying global permission. Decide whether you
genuinely want a permission to apply to all solutions and to all objects
in all inventory hierarchies.

Editing Permissions
To modify an existing permission, you can edit the permission and change

Telegram Channel : @IRFaraExam

role assignment. You cannot change the object, user, or user group in the
permission, but you can change the role. If this is not adequate, you need to
remove the permission and create a new permission with the correct settings.
You must do this work as a user with sufficient privileges to change
permissions on the associated object.
The biggest challenge in editing permissions may be locating the permission
in order to modify it. If you know the object on which a permission was
created, then you can select the object in the vSphere Client inventory, select
Configure > Permissions, right-click the permission, and choose Change
Role. Then you select the appropriate role and click OK.
If you do not already know which permission to modify or on which object
the permission is assigned, you may need to investigate. Begin by selecting
an object in the inventory on which you know the applied user permissions
are incorrect. Select Manage > Permissions to discover all the permissions
that apply to the object. Use the Defined In column to identify where each
applied permission is defined. Some of the permissions may be assigned
directly on the object, and some may be assigned to ancestor objects.
Determine which permissions are related to the issue and where they are
assigned.

Configuring and Managing vSphere Certificates

You can use the vSphere Client and vSphere Certificate Manager to view
and manage certificates. With the vSphere Client, you can perform the
following tasks:

View trusted root certificates and machine SSL certificates.

Renew or replace existing certificates.
Generate a custom certificate signing request (CSR) for a machine SSL
certificate.

For each certificate management task, you should use the administrator
account in the SSO domain (which is vsphere.local by default).

Managing vSphere Client Certificates

Telegram Channel : @IRFaraExam

You can use the following procedure to explore and take actions on the
certificate stored in a VMware Endpoint Certificate Service (VECS) instance:
Step 1. In the vSphere Client, navigate to Home > Administration >
Certificates > Certificate Management.
Step 2. If the system prompts you to do so, enter the credentials for your
vCenter Server. The Certificate Management page shows the
certificate types in the VECS. By default, the types are
machine SSL Certificates and Trusted Root certificates.

Step 3. For more details, click View Details for the certificate type.
Step 4. For the machine SSL certificates, optionally choose from the
following actions:
Renew
Import and Replace Certificate
Generate CSR

Step 5. For trusted root certificates, optionally choose Add.

Note
To replace all VMCA-signed certificates with new VMCA-signed
certificates, choose the Renew action for the machine SSL certificates.

If you replace an existing certificate, you can remove the old root certificate
(as long as you are sure it is no longer in use).
By default, vCenter Server monitors all certificates in VECS and raises an
alarm for any certificate that will expire in 30 days or less. You can change
the 30-day threshold by modifying vCenter Server’s advanced setting
vpxd.cert.threshold.

Using Custom Certificates

Telegram Channel : @IRFaraExam

To set up your environment to use custom certificates, you need to generate a
CSR for each machine and each solution user and replace certificates when
you receive them. You can generate the CSRs by using the vSphere Client or
Certificate Manager. You can use the vSphere Client to upload both the root
certificate and the signed certificates that are returned from the CA.
You can use the following procedure to generate a CSR for custom
certificates:
Step 1. Verify that you meet the certificate requirements described in
Chapter 7, “vSphere Security.”
Step 2. In the vSphere Client, navigate to Home > Administration >
Certificates > Certificate Management.
Step 3. If prompted to do so, enter the credentials for your vCenter Server.
Step 4. In the Machine SSL Certificate section, for the certificate you want
to replace, click Actions > Generate Certificate Signing Request
(CSR).
Step 5. Enter your certificate information and click Next.
Step 6. Copy or download the CSR.
Step 7. Click Finish.
Step 8. Provide the CSR to your certificate authority.
Alternatively, you can use the vSphere Certificate Manager utility from the
vCenter Server shell to generate the CSR, by using the following command,
selecting option 1, and providing the certificate information:
Click here to view code image
/usr/lib/vmware-vmca/bin/certificate-manager

After your CA processes the CSR, you can use the following procedure to
add the custom certificates:
Step 1. In the vSphere Client, navigate to Home > Administration >
Certificates > Certificate Management.
Step 2. If the system prompts you to do so, enter the credentials for your

Telegram Channel : @IRFaraExam

vCenter Server.
Step 3. In the Machine SSL Certificate section, for the certificate you want
to replace, click Actions > Import and Replace Certificate.
Step 4. Select the Replace with External CA Certificate (requires
private key) option and click Next.
Step 5. Upload the certificates and click Replace.
Step 6. Wait for the vCenter Server services to restart.

Managing ESXi Certificates

In vSphere 6.0 and later, ESXi hosts initially boot with an autogenerated
certificate. When a host is added to a vCenter Server system, it is provisioned
with a certificate signed by the VMware Certificate Authority (VMCA). You
can view and manage ESXi certificates by using the vSphere Client or the
vim.CertificateManager API in the vSphere Web Services SDK. You cannot
use the vCenter Server certificate management CLIs to view or manage ESXi
certificates.

Changing the Certificate Mode

You can change the ESXi certificate mode from VMCA Mode to Custom
Certificate Authority Mode or to Thumbprint Mode. In most cases, mode
switches are disruptive and not necessary. If you require a mode switch, be
sure to review the potential impact before you start. You should use
Thumbprint Mode only for debugging.

Note
Thumbprint Mode was used in vSphere 5.5 and should not be used in
later versions unless it is necessary because some services may not
work. Also, in Thumbprint Mode, vCenter Server checks only the
certificate format and not its validity. Even expired certificates are
accepted.

Telegram Channel : @IRFaraExam

To perform certificate management for ESXi, you must have the
Certificates.Manage Certificates privilege.
For example, if you want to use custom certificates instead of using VMCA
to provision ESXi hosts, you need to edit the vCenter Server
vpxd.certmgmt.mode advanced option. In the vSphere client, you can use this
procedure to change the certificate mode:
Step 1. Select the vCenter Server and click Configure.
Step 2. Click Advanced Settings and then click Edit.
Step 3. In the Filter box, enter certmgmt to display only certificate
management keys.
Step 4. Change the value of vpxd.certmgmt.mode to custom and click OK.
Step 5. Restart the vCenter Server service.

Using Custom ESXi Certificates

You can switch the certificate mode from VMCA to a different root CA by
using these steps:
Step 1. Obtain the certificates from the trusted CA.
Step 2. Place the host or hosts into Maintenance Mode and disconnect them
from vCenter Server.
Step 3. Add the custom CA’s root certificate to VECS.
Step 4. Deploy the custom CA certificates to each host and restart services
on that host.
Step 5. Change Certificate Mode to Custom CA Mode (as described in the
previous section).
Step 6. Connect the host or hosts to the vCenter Server system.

Switching Back to VMCA Mode

If you are using the Custom CA Mode, you can switch back to VMCA Mode

Telegram Channel : @IRFaraExam

by using this procedure:
Step 1. Remove all hosts from the vCenter Server system.
Step 2. On the vCenter Server system, remove the third-party CA’s root
certificate from VECS.
Step 3. Change Certificate Mode to VMCA Mode. (See the “Changing the
Certificate Mode” section.)
Step 4. Add the hosts to the vCenter Server system.

Certificate Expiration
For ESXi 6.0 and later, you can use the vSphere Client to view information,
including expiration, for all certificates that are signed by VMCA or a third-
party CA. In the vSphere Client, select the host and navigate to Configure >
System > Certificate. Here you can examine the Issuer, Subject, Valid From,
Valid To, and Status fields. The value of the Status field may be Good,
Expiring, Expiring Shortly, Expiration Imminent, or Expired.
A yellow alarm is raised if a certificate’s status is Expiring Shortly (that is, if
it expires in less than eight months). A red alarm is raised if the certificate’s
status is Expiration Imminent (that is, if it expires in less than two months).
By default, each time a host reconnects to vCenter Server, it renews any host
certificates whose status is Expired, Expiring Immediately, or Expiring. If a
certificate is already expired, you must disconnect the host and reconnect it.
To renew or fresh the certificates, you can use the following procedure:
Step 1. In the vSphere Client, select the host in the navigation pane.
Step 2. Navigate to Configure > System > Certificate.
Step 3. Click one of the following options:
Renew: Retrieves a fresh signed certificate for the host from
VMCA.
Refresh CA Certificates: Pushes all certificates in the VECS
TRUSTED_ROOTS store to the host.

Step 4. Click Yes.

Telegram Channel : @IRFaraExam

General ESXi Security Recommendations
In Chapter 7, you learned that vSphere has built-in security features and that
you can take additional steps to harden ESXi. The following items are
additional security measures recommended by Vmware:

Limit access to the Direct Console User Interface (DCUI), the ESXi
Shell, and Secure Shell (SSH). If you allow access to these items, which
have privileged access to certain ESXi components, you need to ensure
that only trusted users have access and that timeouts are set.
Do not directly access ESXi hosts that are managed by vCenter Server.
Although it may be possible to access a host via DCUI, SSH, ESXi
Shell, API, or vSphere Host Client, you should not normally do so.
Instead, you should use the vSphere Client (or vSphere Web Client) or
API connected to vCenter Server to manage the ESXi host.
Use the DCUI only for troubleshooting. Likewise, use root access to the
ESXi Shell only for troubleshooting.
When upgrading ESXi components, use only VMware sources. Although
a host runs several third-party packages, VMware supports upgrades to
those packages only from VMware sources. Check third-party vendor
sites and the VMware knowledge base for security alerts.
You should follow the VMware security advisories at
http://www.vmware.com/security/.
Configure ESXi hosts with host profiles, scripts, or some other
automation.

Configuring ESXi Using Host Profiles

You can use host profiles to set up standard secured configurations for your
ESXi hosts and automate compliance.
You can consider any setting that is applied by a host profile to be important
to ensuring that your hosts are secured. Some settings, such as direct ESXi
permissions, may be obvious. Other settings, such as NTP settings, may not
be obvious, but time synchronization issues impact integration with Active
Directory, which impacts user authentication. Network settings, such as

Telegram Channel : @IRFaraExam

physical NIC speed, could impact the ability of a host to connect to the
proper management network.
As discussed in Chapter 8, host profiles can be used to apply many host
configuration settings, including security measures, such as ESXi-level
permissions. You can use the vSphere Client to configure a host profile for a
reference host and apply the host profile to a set of hosts. You can also use
host profiles to monitor hosts for host configuration changes. You can attach
a host profile to a cluster to apply it to all hosts in the cluster. These are the
high-level steps:
Step 1. Set up the reference host to specification and create a host profile.
Step 2. Attach the profile to a host or cluster.
Step 3. Apply the host profile from the reference host to other hosts or
clusters.
To ensure that an ESXi host is properly configured according to your
standards, you can check for its compliance to its attached host profile. You
can use the results to identify noncompliant settings on the host and
remediate with the host profiles settings. You can use these steps to check
compliance:
Step 1. Navigate to the Host Profiles main view.
Step 2. Right-click a host profile.
Step 3. Click Check Host Profile Compliance
The compliance status for each ESXi host is Compliant, Unknown, or
Noncompliant. Noncompliant status indicates a specific inconsistency
between the profile and the host, which you should remediate. Unknown
status indicates that the compliance of the host is not known because it could
not be verified. A common root cause is that the host is disconnected. You
should resolve the issue and recheck compliance.

The values in this parameter are as follows:

Telegram Channel : @IRFaraExam

Step 2. Click Configure.
Step 3. Under System, select Advanced System Settings.
Step 4. Select UserVars.ESXiShellInteractiveTimeOut, click the Edit
icon, and enter the timeout setting.
Step 5. Restart the ESXi Shell service and the SSH service so that the
timeout takes effect. Now, if the session is idle, users are logged out
after the timeout period elapses.
An SSH key can allow a trusted user or script to log in to a host without
specifying a password. You can upload the authorized keys file for the root
user, an RSA key, or an RSA public key to a host. To upload an RSA public
key to a host, you can use the following vifs command:
Click here to view code image
vifs --server hostname --username username --put filename /host/
ssh_host_dsa_key_pub

To upload an RSA key or root user authorized key files, use the same
command but change the target to /host/ssh_host_rsa_key or
/host/ssh_root_authorize_keys, respectively.

PCI and PCIe Devices and ESXi

You can use the VMware DirectPath I/O feature to pass through a PCI or a
PCIe device to a virtual machine, but this results in a potential security
vulnerability that could be triggered when buggy or malicious code, such as a
device driver, is running in Privileged Mode in the guest OS. Therefore, you
should use PCI or PCIe passthrough to a virtual machine only if a trusted
entity owns and administers the virtual machine. Otherwise, you risk the host
being compromised in several ways:

The guest OS might generate an unrecoverable PCI or PCIe error.

The guest OS might generate a Direct Memory Access (DMA) operation
that causes an IOMMU page fault on the ESXi host.
If the operating system on the ESXi host is not using interrupt
remapping, the guest OS might inject a spurious interrupt into the ESXi

Telegram Channel : @IRFaraExam

host on any vector.

To enable passthrough for a network device on a host, you can use the
following procedure:
Step 1. In the vSphere Client, select the host in the navigation pane.
Step 2. Navigate to Configure > Hardware > PCI Devices and click Edit.
Step 3. Select a device with a green icon and click OK.

Note
An orange icon indicates that the status of the device has changed, and
you must reboot the host before you can use the device.

Disabling the Managed Object Browser

The managed object browser (MOB) provides a means to explore the
VMkernel object model. Starting with vSphere 6.0, the MOB is disabled by
default to avoid malicious configuration changes or actions. You can enable
and disable the MOB manually. VMware recommends that you not enable
MOB in production systems.
To enable the MOB by using the vSphere Client, you can use the following
procedure:
Step 1. In the vSphere Client, select the host in the inventory.
Step 2. In the right pane, click the Configuration tab.
Step 3. Select System > Advanced Settings and click Edit.
Step 4. Select Config.HostAgent.plugins.solo.enableMob and set its value
to true.

ESXi Networking Security Recommendations

Chapter 7 provides VMware general network security recommendations for
vSphere. Concerning each ESXi host, you can summarize the network

Telegram Channel : @IRFaraExam

isolation into the following categories.

vSphere infrastructure networks: Isolate these networks for their

specific functions, such as vMotion vSphere Fault Tolerance, storage,
and vSAN. In many cases, you may not need to route these networks
outside a single rack.
Management network: This network carries client API and third-party
software traffic. Isolate this network such that it is accessible only by the
appropriate administrators and systems. Consider using a jump box or a
virtual private network (VPN).
Virtual machine networks: This network may involve many networks,
each with unique isolation requirements. Consider using virtual firewall
solutions, such as NSX.

ESXi Web Proxy Settings

If you configure a web proxy, consider the following:

Do not use certificates that use passwords or passphrases. ESXi does not
support web proxies with passwords or passphrases, also known as
encrypted keys.
If you want to disable SSL for vSphere Web Services SDK connections,
you can change the connection from HTTPS to HTTP. You should
consider doing this only if you have a fully trusted environment, where
firewalls are in place and transmissions to and from the host are fully
isolated.
Most internal ESXi services are accessible only through port 443. Port
443 acts as a reverse proxy for ESXi. You can change the configuration
to allow direct HTTP connections but should consider this only for a
fully trusted environment.
During upgrades, the certificate remains in place.

vSphere Auto Deploy Security Considerations

If you use vSphere Auto Deploy, consider the networking security, boot
image security, and potential password exposure through host profiles.

If the nfsClient rule set is disabled, ESXi enables the rule set, sets
allowedAll to FALSE, and adds the NFS server IP address to the list of
allowed IP addresses.
If the nfsClient rule set is enabled, ESXi adds the NFS server IP address
to the list of allowed IP addresses but does not change the state of the
rule set or allowedAll.
When you mount an NFS Version 4.1 datastore, ESXi enables the
nfs41client rule set and sets allowedAll to TRUE.

available) available)
CIM Users with administrator vCenter vCenter
provi privileges on the host (vpxuser) (vpxuser)
ders
Exception Exception
users, based on users, based on
permissions permissions

vCloud vCloud
Director Director
(vslauser, if (vslauser, if
available) available)
DCUI Users with administrator Users defined DCUI service
privileges on the host and in the is stopped
users defined in the DCUI.Access
DCUI.Access advanced advanced
option option

Exception
users with
administrator
privileges on
the host
ESXi Users with administrator Users defined Users defined
Shell privileges on the host in the in the
(if DCUI.Access DCUI.Access
enabl advanced advanced
ed) option option

Exception Exception
users with users with
administrator administrator
privileges on privileges on

Telegram Channel : @IRFaraExam

the host the host
SSH Users with administrator Users defined Users defined
(if privileges on the host in the in the
enabl DCUI.Access DCUI.Access
ed) advanced advanced
option option

Exception Exception
users with users with
administrator administrator
privileges on privileges on
the host the host

Managing the Acceptance Levels of Hosts and VIBs

A vSphere Installation Bundle (VIB) is a software package that includes a
signature from VMware or a VMware partner. To protect the integrity of the
ESXi host, do not allow users to install unsigned (community-supported)
VIBs. An unsigned VIB contains code that is not certified by, accepted by, or
supported by VMware or its partners. Community-supported VIBs do not
have digital signatures. The host’s acceptance level must be the same or less
restrictive than the acceptance level of any VIB you want to add to the host.
For example, if the host acceptance level is VMwareAccepted, you cannot
install VIBs at the PartnerSupported level. You should use extreme caution
when allowing community-supported VIBs. The following list provides
details on defined VIB acceptance levels:

VMwareCertified: These VIBs go through thorough testing equivalent

to VMware in-house quality assurance testing for the same technology.
Only I/O Vendor Partner (IOVP) program drivers are published at this
level. VMware takes support calls for VIBs with this acceptance level.
VMwareAccepted: These VIBs go through testing that is run by a
partner and verified by VMware. CIM providers and PSA plug-ins are
among the VIBs published at this level. VMware directs support calls for

Telegram Channel : @IRFaraExam

VIBs with this acceptance level to the partner’s support organization.
PartnerSupported: These VIBs are published by a partner that VMware
trusts. The partner performs all testing, but VMware does not verify it.
VMware directs support calls for VIBs with this acceptance level to the
partner’s support organization.
CommunitySupported: These VIBs have not gone through any
VMware-approved testing program and are not supported by VMware
Technical Support or by a VMware partner.

To change the host acceptance level, you can use the following command:
Click here to view code image
esxcli --server=<server_name> software acceptance set

Assigning Privileges for ESXi Hosts

Typically, users should access vSphere via vCenter Server, where privileges
are managed centrally. For use cases where some users access ESXi hosts
directly, you can manage privileges directly on the host. The following roles
are predefined in ESXi:

Read Only: Ability to view but not change assigned objects

Administrator: Ability to change assigned objects
No Access: No access to assigned objects (This role is the default role,
and you can override it.)

In vSphere 6.0 and later, you can use ESXCLI to manage local user accounts
and to configure permissions on local accounts and on Active Directory
accounts. You can connect directly to an ESXi host by using the vSphere
Host Client and navigate to Manage > Security & Users > Users to create,
edit, and remove local user accounts.
The following user accounts exist on an ESXi host that is not added to a
vCenter System:

root: A user account that is created and assigned the administrator role
by default on each ESXi host.

Telegram Channel : @IRFaraExam

vpxuser: A local ESXi user account that is created, managed, and used
for management activities by vCenter Server.
dcui: A user account that acts as an agent for the DCUI and cannot be
modified or used by interactive users.

Note
You can remove the access privileges for the root user. But you should
first create another user account at the root level and assign it the
administrator role.

Much as with vCenter Server, each ESXi host uses role-based permissions
for users who log on directly to the ESXi host rather than accessing the host
through vCenter Server. ESXi allows the creation of custom roles, but these
roles are applied only when a user directly logs on to the host, such as when
the user uses the vSphere Host Client to connect to the host directly. In most
cases, managing roles and permissions at the host level should be avoided or
minimized. To create, edit, and remove roles, you can connect directly to an
ESXi host by using the vSphere Host Client and navigate to Manage >
Security & Users > Roles.

Using Active Directory to Manage ESXi Users

In scenarios where multiple users need to access multiple ESXi hosts directly
(rather than accessing vCenter Server), you face challenges in synchronizing
usernames and passwords. To address the challenges, consider joining the
hosts to Active Directory and assigning roles to specific Active Directory
users and groups. Then require users to provide their Active Directory
credentials when logging in directly to the host.
In scenarios where Active Directory users need to access an ESXi host
directly, you need to add the host to a directory service and apply permissions
to those users. You can use the following steps to add an ESXi host to an
Active Directory domain:
Step 1. Verify that an Active Directory domain is available.

Telegram Channel : @IRFaraExam

In addition, you should ensure that the TPM chip is configured in the ESXi
host’s BIOS to use the SHA-256 hashing algorithm and the TIS/FIFO (first-
in, first-out) interface and not CRB (Command Response Buffer).
During the boot of an ESXi host with an installed TPM 2.0 chip, vCenter
Server monitors the host’s attestation status. The vSphere Client displays the
hardware trust status in the vCenter Server’s Summary tab under Security
with the following alarms:

Green: Normal status, indicating full trust

Red: Attestation failed

If the “Host secure boot was disabled” message appears in the vSphere
Client, you must re-enable Secure Boot to resolve the problem. If the “No
cached identity key loading from DB” message appears, you must disconnect

Telegram Channel : @IRFaraExam

and reconnect the host.

Securing ESXi Log Files

To increase the security of a host, you can take the following measures:

Configure persistent logging to a datastore. By default, ESXi logs are

stored in an in-memory file system that keeps only 24 hours’ worth of
data and loses data during host reboot.
Configure syslog to use remote logging from ESXi hosts to a central
host, where you can monitor, search, and analyze logs from all hosts with
a single tool.
Query the syslog configuration to ensure that the syslog server and port
are valid.

For details see Chapter 10, “Managing and Monitoring Clusters and
Resources.”

Additional Security Management

Managing vSphere security can involve other tasks, such as those described
in this section.

Key Management Server

In order to use encryption in vSphere, you must be running a key

management server (KMS) that has a trust relationship with vCenter Server.
To add a KMS to vCenter Server, you can use the following procedure:
Step 1. In the vSphere Client, select the vCenter Server in the inventory
pane and navigate to Configuration > Key Management Servers.
Step 2. Click Add.
Step 3. Provide the server name, server address (FQDN), and server port.
Step 4. Optionally, provide other appropriate details, such as proxy details

Telegram Channel : @IRFaraExam

and user credentials.
Step 5. If you are adding the first KMS in a cluster, provide a cluster name.
Step 6. Click the radius button next to the KMS name.
Step 7. In the Make vCenter Trust KMS window, click TRUST.
Step 8. Click Make KMS Trust vCenter.
Step 9. Select KMS Certificate and Private Key and click Next.
Step 10. In the next window, next to KMS Certificate, click Upload File and
open an available certificate PEM file.
Step 11. In the same window, next to KMS Private Key, click Upload File
and open an available certificate PEM file.
Step 12. Click the Establish Trust button.

Changing Permission Validation Settings

Periodically, vCenter Server validates its user and group lists against the
users and groups in the Windows Active Directory domain. It removes users
and groups that no longer exist in the domain. You can change the behavior
of this validation by using the vSphere Client to edit the general settings of
the vCenter Server and change the Validation and Validation Period options.
If you want to disable the validation, deselect the Enable checkbox under
Validation. If you want to adjust the frequency at which this validation is
performed, enter a value in the Validation Period text box to specify a time,
in minutes, between validations.

Configuring and Managing vSphere Trust Authority (vTA)

With vSphere Trust Authority (vTA), you can do the following.

Provide a hardware root of trust and remote attestation to ESXi hosts.

Restrict the release of encryption keys to only attested ESXi hosts.
Centralize and secure the management of multiple key servers.
Enhance the level of encryption key management that is used to perform

Telegram Channel : @IRFaraExam

cryptographic operations on virtual machines.

With vTA, you can run workloads in a secure environment where you detect
tampering, disallow unauthorized changes, prevent malware, and verify the
hardware and software stacks.
When you configure vTA, you enable the Attestation service and the Key
Provider service on the ESXi host in the Trust Authority cluster. The
Attestation service attests to the state of the trusted ESXi hosts, using a TPM
2.0 chip as the basis for software measurement and reporting. The Attestation
service verifies that the software measurement signature can be attributed to a
previously configured trusted TPM endorsement key (EK). The Key Provider
service removes the need for the vCenter Server and the ESXi hosts to
require direct key server credentials. The Key Provider service acts as a
gatekeeper for the key servers, releasing keys only to trusted ESXi hosts.
A trusted ESXi host must contain a TPM chip. A TPM chip is manufactured
with an EK, which is a public/private key pair that is built into the hardware.
You can configure the Attestation service to trust all CA certificates where
the manufacturer signed the TPM chip (the EK public key) or to trust the
host’s TOM CA certificate and EK public key.

Note
If you want to trust individual ESXi hosts, the TPM chip must include
an EK certificate. Some TPM chips do not.

You can use VMware PowerCLI to configure and manage vSphere Trust
Authority. Alternatively, you can use vSphere APIs or the vSphere Client for
at least some of the activities. To configure vTA, you can perform the
following high-level tasks:
Step 1. On a Windows system with access to the vTA environment, install
PowerCLI 12.0.0 and Microsoft .NET Framework 4.8 or greater,
and create a local folder.
Step 2. Add your user account to the TrustedAdmins groups on the vCenter
Server managing the Trust Authority cluster and on the vCenter

Telegram Channel : @IRFaraExam

Server of the trusted cluster.
Step 3. Enable Trust Authority State.
Step 4. Collect information about the trusted hosts in the trusted cluster
(using Export-Tpm2CACertificate).
Step 5. Import the trusted host data to the trust authority cluster (New-
TrustAuthorityPrincipal).
Step 6. Create the trusted key provider on the Trust Authority cluster (using
New-TrustAuthorityKeyProvider).
Step 7. Export the Trust Authority cluster information from the Trust
Authority cluster (using Export-TrustAuthorityServicesInfo).
Step 8. Import the Trust Authority cluster data to the trusted cluster (using
Import-TrustAuthorityServicesInfo).
Step 9. Configure the trusted key provider for the trusted hosts on the
trusted cluster (using Register-KeyProvider and Set-
KeyProvider).
After configuring vTA, you can perform management operations, including
those summarized in Table 12-5.
Table 12-5 vTA Operations
Operation Key Steps
Start, stop, and In the vSphere Client, select the host, navigate to
restart vTA Configure > Services > System, and select Restart, Start,
services or Stop.
View Trust In the vSphere Client, select the trusted cluster’s
Authority vCenter Server and select Configure > Security > Trust
hosts Authority.
View vTA In the vSphere Client, select the Trust Authority
cluster state cluster’s vCenter Server and select Configure > Trust
Authority > Trust Authority Cluster.
Restart the In an SSH session, enter /etc/init.d/kmxa restart.
Trusted Host

Telegram Channel : @IRFaraExam

service
Add a Trust Use PowerCLI to run Add-TrustAuthorityVMHost.
Authority host
Add a trusted Use PowerCLI to run Add-TrustedVMHost.
host
Change the Use PowerCLI to run Set-
master key of a TrustAuthorityKeyProvider.
key provider
Most of the vTA configuration and state information is stored on the ESXi
hosts in the ConfigStore database. Backups of vCenter Server do not include
vTA configuration. You can leverage the files that you exported during the
configuration of vTA vSphere as your backup. If you need to restore vTA,
use the exported files to reconfigure vTA.

Securing Virtual Machines with Intel Software Guard

Extensions (SGX)
You can enable vSGX on a virtual machine on an ESXi host that has
compatible CPUs and SGX enabled in the BIOS. The virtual machine must
use hardware version 17 or later (with Compatibility set to ESXi 7.0 and
Later) and a supported guest OS (Linux, 64-bit Windows 10 or later, or 64-bit
Windows Server 2016 or later). To enable vSGX, configure the following
hardware settings:

Select the Security Devices > SGX > Enable checkbox.

Set VM Options > Boot Options > Firmware to EFI.
Set the Enter Enclave Page Cache (EPC) size and select Flexible Launch
Control (FLC) Mode.

To enable vSGX, the virtual machine must be powered off. You can enable
vSGX as you provision a new virtual machine. To remove vSGX from a
virtual machine, uncheck the Security Devices > SGX > Enable checkbox.

Encrypting a Virtual Machine

Telegram Channel : @IRFaraExam

You can use the following procedure to create a new encrypted virtual
machine:
Step 1. Establish a trusted connection with the KMS and select a default
KMS.
Step 2. Create an encryption storage policy or plan to use the bundled
sample, VM Encryption Policy.
Step 3. Ensure that you have the Cryptographic Operations.Encrypt New
privileges.
Step 4. If the host encryption mode is not enabled, ensure that you have the
Cryptographic Operations.Register Host privilege.
Step 5. In the vSphere Client, launch the New Virtual Machine wizard.
Step 6. In the wizard, provide the following settings to encrypt the virtual
machine:
Compute Resource Settings: Select a compatible cluster or host.
ESXi 6.5 or later is required.
Select Storage: Select Encrypt This Virtual Machine, select the
storage policy (from step 2), and select an appropriate datastore.
Virtual Machine Hardware Compatibility: Select ESXi 6.5 and
Later.
Customize Hardware Settings: Optionally, select VM Options >
Encryption and select virtual disks to exclude from encryption.

Step 7. Complete the wizard and click Finish.

To encrypt an existing virtual machine, you can use the following procedure:
Step 1. Establish a trusted connection with the KMS and select a default
KMS.
Step 2. Create an encryption storage policy or plan to use the bundled
sample, VM Encryption Policy.
Step 3. Ensure that you have the Cryptographic Operations.Encrypt New
privileges.

Telegram Channel : @IRFaraExam

Step 4. If the host encryption mode is not enabled, ensure that you have the
Cryptographic Operations.Register Host privilege.
Step 5. Ensure the virtual machine is powered off.
Step 6. In the vSphere Client, right-click the virtual machine and select VM
Policies > Edit VM Storage Policies.
Step 7. Select the storage policy (from step 2).
Step 8. Optionally, select Configure per Disk and set encryption as needed
for each virtual disk.
Step 9. Click OK.

Exam Preparation Tasks

Review All the Key Topics

Review the most important topics in this chapter, noted with the Key Topics
icon in the outer margin of the page. Table 12-6 lists these key topics and the
page number on which each is found.

Table 12-6 Key Topics for Chapter 12

Key Topic Element Description Page Number
List Change the certificate mode 480
Paragraph Harden the ESXi password 485
List Modifying an ESXi firewall rule set 492
List VIB acceptance levels 496

Telegram Channel : @IRFaraExam

List Configure smart card authentication 499
List Adding a KMS to vCenter Server 502

Complete Tables and Lists from Memory

Define Key Terms

Define the following key terms from this chapter and check your answers in
the glossary:
vCenter Single Sign-On Security Token Service (STS)
Certificate Manager
managed object browser (MOB)
Common Information Model (CIM)
vSphere Installation Bundle (VIB)

Review Questions
1. You want to add a global permission. Which of the following
privileges do you need?
a. Permissions.Modify Permission privilege on the vCenter root
object
b. Permissions.Modify Permission privilege on the global root
object
c. Permissions.Add Permission privilege on the vCenter root
object
d. Permissions.Add Permission privilege on the global root
object
2. A yellow alarm is raised due to a host’s certificate expiration date.
Which of the following is a true statement concerning the state of

Telegram Channel : @IRFaraExam

the certificate?
a. The certificate is expired.
b. The certificate will expire in less than two months.
c. The certificate will expire in more than two and in less than
six months.
d. The certificate will expire in more than two and in less than
eight months.
3. You set the Security.PasswordQualityControl parameter to retry=3
min=disabled,disabled,disabled,7,7. With this setting, which of the
following statements is true?
a. You cannot use passphrases.
b. Your password can use just a single character class.
c. Your password must include at least two character classes and
seven letters.
d. Vmware1 is an acceptable password.
4. You configured an ESXi host with a TPM 2.0 chip and enabled
UEFI Secure Boot. During the boot, you get the message “No
cached identity key, loading from DB.” What should you do?
a. Reinstall ESXi.
b. Reboot ESXi.
c. Re-enable Secure Boot.
d. Disconnect the host from the vCenter Server and reconnect.
5. You want to have a backup in case you ever need to restore
vSphere Trusted Authority. What should you do?
a. Keep a copy of the files that you exported while configuring
vTA.
b. In the vSphere Client, choose Backup vTA Configuration.
c. Clone the vCenter Server.
d. Use the vCenter Server File Backup feature.

Telegram Channel : @IRFaraExam

Chapter 13

Managing vSphere and vCenter

Server
This chapter covers the following topics:

vCenter Server Backup

Upgrading to vSphere 7.0
Using vSphere Lifecycle Manager
Managing ESXi Hosts
Monitoring and Managing vCenter Server

This chapter contains information related to Professional VMware vSphere

7.x (2V0-21.20) exam objectives 1.8, 4.4, 4.6, 4.8, 4.11, 4.12, 4.16.1, 5.2, 5.7,
7.10, 7.11, 7.11.1, 7.11.2, 7.11.3, 7.11.4, and 7.11.5.

vCenter Server Backup

To provide backup and recovery protection for your vCenter Server, you can
use the integrated file-based backup feature. Alternatively, you can perform
image-based backups using the vSphere API.
The vCenter Server Appliance Management Interface (VAMI) provides a

Telegram Channel : @IRFaraExam

file-based backup feature for the vCenter Server. If you need to restore the
vCenter Server, you can use the vCenter Server installer to deploy a new
vCenter Server Appliance and to restore the database and configuration from
the file-based backup. You can configure the backup to stream the data to a
target using FTP, FTPS, HTTP, HTTPS, SFTP, NFS, or SMB.
When planning a vCenter Server backup, you should consider the following
details:

When a vCenter Server high-availability cluster is involved in a backup,

only the primary vCenter Server is backed up.
Also consider the following protocol considerations:
FTP and HTTP are not secure protocols.
Backup servers must support at least 10 simultaneous connections
for each vCenter Server.
You must have read and write permissions on the backup target.
FTPS supports only Explicit Mode.
HTTP or HTTPS requires WebDAV on the backup web server.
To support an HTTP proxy server, you can use only FTP, FTPS,
HTTP, or HTTPS.
You can use IPv4 or IPv6 URLs for the vCenter Server and file
backup, but mixing IP versions between the backup server and the
vCenter Server is unsupported.
The vCenter Server Appliance Management API is required to
restore from NFS- or SMB-based backups.
After a restore completes, the following configurations are restored:
Virtual machine resource settings
Resource pool hierarchy and setting
Cluster-host membership
DRS configuration and rules
The state of various vSphere components may change following a

Telegram Channel : @IRFaraExam

restore, depending on the changes made since the backup. For example,
the following items may be impacted:
Storage DRS datastore cluster configuration and membership.
Standby Mode for some ESXi hosts where DPM is used.
Distributed switch configuration. (Consider exporting the switch
configuration prior to restoring vCenter Server.)
Content libraries and library items.
The registration of virtual machines on ESXi hosts. (Some virtual
machines may be orphaned or missing from the vCenter Server
inventory.)
The host membership of a vSphere HA cluster. (The vCenter Server
may be out of sync with the actual current membership.)
Security patches, which may be missing following a restore. (You
should re-apply the missing patches.)

If you have prepared a supported target server, you can use the following
procedure to schedule a file-based backup of the vCenter Server:
Step 1. Log on to the VAMI (https://vCenterFQDN:5480) as root.
Step 2. Click Backup > Configure.
Step 3. Enter the backup location details:
Backup Location: Provide the protocol, port, server address, and
folder.
Backup Server Credentials: Provide the username and password
with write privileges.

Step 4. Configure the schedule and time.

Step 5. Optionally, provide an encryption password.
Step 6. Provide a number of backups to retain or select Retain All
Backups.
Step 7. Optionally, select Stats, Events, and Tasks to back up historical

Telegram Channel : @IRFaraExam

data.
Step 8. Click Create.
You can use the VAMI to manually back up a vCenter Server by selecting
Backup > Backup Now.

To restore a vCenter Server, launch the vCenter Server installer (described in

Chapter 8, “vSphere Installation”) on your desktop (Windows, Linux, or
Mac) and use the following procedure:
Step 1. On the Home page, click Restore.
Step 2. On the next page, click Next.
Step 3. Accept the license agreement and click Next.
Step 4. Provide the backup location and credentials for the backup file to be
restored and click Next.
Step 5. Review the backup information and click Next.
Step 6. Continue using the wizard to provide connection details (FQDN,
credentials, and certificate information) for the ESXi host or
vCenter Server to which the appliance will be restored.
Step 7. When prompted in the wizard, provide a name and a root password
for the vCenter Server Appliance.
Step 8. Select a deployment size (from Tiny to X-Large).
Step 9. Select the storage size (from Default to X-Large).
Step 10. Select a datastore and provide virtual disk and network settings for
the appliance.
Step 11. On the Ready to Complete Stage 1 page, click Finish.
Step 12. When the OVA deployment finishes, click Continue to proceed to
Stage 2.
Step 13. Continue navigating the wizard, and when it prompts you for Single
Sign-On credentials, provide the credentials and click Validate and

Telegram Channel : @IRFaraExam

Recover.
Step 14. On the Ready to Complete page, review the details, click Finish,
and click OK.

Note
If a restore fails, power off and delete the partially restored VM. Then
try to restore the VM again.

Upgrading a vCenter Server Appliance is a two-stage process. The first stage

is to deploy the OVA. The second phase is to transfer the data and configure
the vCenter Server Appliance. For a vCenter Server with an external PSC,
you can use the following procedure for the first stage:
Step 1. Launch the vCenter Server (GUI) installer and select Upgrade.
Step 2. Review the upgrade process on the first wizard page and click Next.

Telegram Channel : @IRFaraExam

Step 3. Accept the license agreement and click Next.
Step 4. Provide the following information for the source vCenter Server:
Provide the address, HTTPS port, SSO credentials, and root
password for the source vCenter Server.
Provide the address, HTTPS port, and credentials for a user with
administrative privileges for the ESXi host (or vCenter Server) that
is hosting the source vCenter Server.
Click Connect.

Step 5. Follow the wizard prompts to accept the certificate and accept the
plan to converge the source vCenter Server and external PSC into a
single vCenter Server Appliance.
Step 6. Follow the wizard prompts to provide the following information for
the target environment that will host the new vCenter Server
Appliance.
If you are connecting to a vCenter Server, provide the address,
HTTPS port, SSO credentials, and root password for the vCenter
Server. Select a data center and an ESXi host (or cluster).
If you are connecting to an ESXi host, provide the address, HTTPS
port, and credentials for a user with administrative privileges for
the ESXi host.

Step 7. Follow the wizard to configure the new vCenter Server Appliance
with the following information:
Virtual machine name
Root user password
Deployment size (Tiny to X-Large, as described in Table 1-10 in
Chapter 1, “vSphere Overview, Components, and Requirements”)
Storage size (defaults to X-Large, as described in Table 1-11)
Datastore
Temporary network used to transfer data from the source vCenter

Telegram Channel : @IRFaraExam

Server to the new vCenter Server

Step 8. Click Finish.

Step 9. Click Continue to proceed to Stage 2.

Note
The identical Stage 1 procedure can be used when upgrading a vCenter
Server Appliance with an embedded PSC, except the wizard does not
prompt you to accept the plan to converge an external PSC.

For a vCenter Server with an external PSC, you can use the following
procedure for Stage 2:
Step 1. Review the Stage 2 details and click Next.
Step 2. Wait for the pre-upgrade check to finish and respond to any of the
following messages:
Errors: Read the message, click Logs to obtain a support bundle,
and troubleshoot. You cannot proceed with the upgrade until errors
are corrected.
Warnings: Read the messages and click Close.

Step 3. Specify the replication technology by choosing one of the following

options:
This Is the First vCenter Server in the Topology That I Want
to Converge
This Is a Subsequent vCenter Server (and also provide the IP
address and HTTPS port of the partner vCenter Server)

Step 4. On the Select Upgrade Data page, choose the type of data transfer,
as described in the section “vCenter Server Data Transfer,” earlier
in this chapter.
Step 5. Complete the wizard and wait for the transfer and setup operations

Telegram Channel : @IRFaraExam

Sufficient storage space in the source server
Validity and compatibility of SSL certificates and system names
Network connectivity, ports, and DNS resolution
Database connectivity
Proper credentials and privileges for the Single Sign-On and Windows
administrator accounts
NTP server validation

The following limitations apply when you migrate vCenter Server for
Windows to vCenter Server Appliance 7.0:

Local Windows OS users and groups are not migrated to the guest OS
(Photon OS) of the new appliance. You should remove any vCenter
Server permissions to local Windows users prior to the migration.
At the end of the migration, the source vCenter Server is turned off, and
any solutions that are not migrated become unavailable. You should
leave the source vCenter Server powered off to avoid network ID
conflicts with the target vCenter Server Appliance.
The migration of Windows-based vCenter Server instances that use
custom ports for services other than Auto Deploy, Update Manager,
vSphere ESXi Dump Collector, or HTTP reverse proxy is not supported.
Only one network adapter setting is migrated to the target vCenter Server
Appliance. If the source uses multiple IP addresses, you can select which
IP address and network adapter settings to migrate.

To migrate a Windows-based vCenter Server with an embedded PSC to

vCenter 7.0, you can use the following procedure:
Step 1. Run the VMware Migration Assistant on the Windows server that
runs vCenter Server and follow these steps:
a. Download and mount the vCenter Server installer.
b. Log on to Windows as an administrator.
c. Double-click on VMware-Migration-Assistant.exe.

Telegram Channel : @IRFaraExam

d. Leave the Migration Assistant running until the migration is
complete.
Step 2. Migrate the vCenter Server instance to an appliance by following
these steps:
a. Using the Stage 1 procedure for upgrading a vCenter Server
Appliance as a guide, launch the vCenter Server GUI installer
but choose Migrate rather than Upgrade.
b. Provide connection information for the source Windows-based
vCenter Server.
c. Provide information on the target server (vCenter Server or
ESXi host) to deploy the vCenter Server Appliance.
d. Provide appliance information, such as root password, compute
deployment size, storage deployment size, and datastore.
e. Configure the temporary network used to transfer data from the
source vCenter Server to the new vCenter Server and select
Continue to Stage 2.
f. In Stage 2, provide credentials for the Single Sign-On
administrator and for the Windows system. If the Windows
system is connected to an Active Directory domain, provide
credentials for an appropriate domain user.
g. Complete the wizard and click Finish on the Ready to Complete
page.
h. Click OK to confirm the shutdown of the source Center Server.
i. Monitor the data transfer and configuration process.

Patch ESXi 6.5, 6.7, and 7.0 hosts
Install and update third-party software on ESXi hosts

Starting with vSphere 7.0, you can use vSphere Lifecycle Manager images to
perform the following tasks on a set of hosts at the cluster level:

Install a desired ESXi version on each host

Install and update third-party software on each ESXi host
Update the firmware of each ESXi host
Update and upgrade each ESXi host in a cluster
Check the hardware compatibility of each host against hardware
compatibility lists, such as the VMware Compatibility Guide and the
vSAN Hardware Compatibility List

Lifecycle Manager instances with Internet access.
Custom baselines are baselines that you create. Patch baselines can be
dynamic or fixed. With dynamic baselines, you specify the criteria for
patches to be automatically included in the baseline. You can manually
include or exclude patches from dynamic baselines. With fixed baselines, you
manually select the patches to include.
If you have the VMware vSphere Lifecycle Manager.Manage Baselines
privilege, you can use the following procedure to create a dynamic baseline:

Step 1. In the vSphere Client, select Menu > Lifecycle Manager.

Step 2. If necessary, select the vCenter Server system in the Lifecycle
Manager menu.
Step 3. Select Baselines > New > Baseline.
Step 4. In the wizard, provide the following baseline information:
a. Name and (optionally) description
b. Type: Upgrade, Patch, or Extension
Click Next.
Step 5. On the Select Patches Automatically page, set the criteria for adding
patches to the baseline:
a. Select the Automatic Update checkbox.
b. On the Criteria tab, specify the values for the following options
to restrict which patches are included in the baseline:
Patch Vendor
Product (You can use an asterisk at the end to allow any
version number.)
Severity
Category
Release Date (You can specify a date range.)

Telegram Channel : @IRFaraExam

Click Next.
c. On the Matched tab, optionally deselect patches that matched
the criteria but that you want to permanently exclude.
d. On the Excluded and Select tabs, view which patches are
excluded and which patches are included.
Step 6. On the Select Patches Manually page, optionally select specific
patches from the set of patches that do not meet the criteria for
automatic inclusion to include in the baseline.
Step 7. On the Summary page, click Finish
Extensions baselines contain additional (VMware or third-party) software
modules for hosts, such as device drivers. You can install additional modules
by using extension baselines and update the modules using patch baselines.

Note
In vSphere 7.0, the vendor name of VMware for inbox components has
changed from VMware, Inc to VMware. If you filter the components
by VMware, the results contain both VMware, Inc for 6.x patches and
VMware for 7.0 patches.

If a user has the View Compliance Status privilege, you can use the Updates
tab for a selected object to view the object’s compliance with baselines or
images. You can select a host or cluster that is managed with baselines and
click on Updates > Baselines. From there, you can do the following tasks:

Check the compliance of hosts or clusters against baselines and baseline

groups.
Attach and detach baselines and baseline groups to hosts or clusters.
Perform a remediation precheck.
Stage patches or extensions to prepare for remediation.
Check the compliance of ESXi hosts against an image.

Telegram Channel : @IRFaraExam

Remediate hosts against baselines and baseline groups.
Remediate hosts that are part of a vSAN cluster against system-managed
baselines.

You can select a cluster that is managed with an image and click on Updates
> Images. From there, you can do the following tasks:

Export, import, and edit the image used by the cluster.

Upgrade the firmware of the ESXi hosts in the cluster.
Check for and examine recommended images for the cluster.
Check for hardware compatibility for a selected ESXi version against the
vSAN HCL.
Check the compliance of the ESXi hosts against the image.
Run a remediation precheck.
Remediate the ESXi hosts against the cluster’s image.

You can select a host and then select Updates > Hosts > Hardware
Compatibility to check the host hardware against the VMware Compatibility
Guide. You can select a host and then select Updates > Hosts and then select
VMware Tools or VM Hardware to check and upgrade the VMware Tools
version and virtual hardware version of the virtual machines.
Table 13-4 provides definitions of vSphere Lifecycle Manager terms.
Table 13-4 Lifecycle Manager Definitions
Term Definition
Update A software release that makes small changes to the current
version, such as vSphere 7.0 Update 1, 7.0 Update 2, and so
on.
Upgrade A software release that introduces major changes to the
software. For example, you can upgrade from vSphere 6.5 to
6.7 and 7.0.
Patch A small software update that provides bug fixes or

Telegram Channel : @IRFaraExam

enhancements to the current version of the software, such as
7.0a, 7.0 Update 1a, and so on.
VIB The smallest installable software package (metadata and
(vSphere binary payload) for ESXi.
Installation
Bundle)
VIB An XML file that describes the contents of the VIB,
metadata including dependency information, textual descriptions,
system requirements, and information about bulletins.
Standalone A VIB that is not included in a component.
VIB
Depot The hosted version of updates provided by VMware, OEMs,
and third-party software vendors, containing the metadata
and the actual VIBs.
Offline An archive (ZIP file) that contains VIBs and metadata that
bundle/offl you use for offline patching and updates. A single offline
ine depot bundle might contain multiple base images, vendor add-ons,
or components.
OEM A VMware partner, such as Dell, HPE, or VMware Cloud
(original on AWS.
equipment
manufactu
rer)
Third- A provider of I/O filters, device drivers, CIM modules, and
party so on.
software
provider

Note
During the synchronization of a depot, vSphere Lifecycle Manager
downloads only the VIB metadata.

Telegram Channel : @IRFaraExam

In earlier vSphere releases, VIBs are packaged into bulletins. In vSphere 7.0,
VIBs are packaged into components, which are created by VMware, OEMs,
and third-party software providers. A component is much like a bulletin with
extra metadata containing the component name and version. VMware
bundles components together into fully functional ESXi images. OEMs
bundle components into add-ons that are delivered via the VMware online
depot as offline bundles. Third-party vendors create and ship drivers
packaged as components.
vSphere Lifecycle Manager can consume bulletins and components. It lists
the available components as bulletins when baselines are used to manage a
host or cluster. When images are used, vSphere Lifecycle Manager works
only with components.
The ESXi base image, which is the ESXi image that VMware provides with
each release of ESXi, is a complete set of components that can boot up a
server. A base image has a friendly name, has a unique version that
corresponds to the ESXi release, and is hosted in the VMware online depot.
Alternatively, you can download an ESXi installer ISO file and an offline
bundle (ZIP file) that contains the ESXi version from my.vmware.com.
A vendor add-on is a collection of components that you can use to customize
an ESXi image with OEM content and drivers. You cannot use vendor add-
ons on their own. You can use a vendor add-on to add, update, or remove
components that are part of the ESXi base image. You can use the vSphere
Client to view the list of components that a vendor add-on adds to or removes
from an ESXi base image.
Prior to vSphere 7.0, OEMs create custom images by merging their content
with the stock VMware-provided image. OEMs release custom images in
accordance with the major and update releases of vSphere. Starting with
vSphere 7.0, in addition to releasing custom ISO images and offline bundles,
OEMs can release ZIP files that contain only the vendor add-on. This
approach decouples the release cycle of OEMs from the release cycle of
VMware.
vSphere Lifecycle Manager can consume software updates delivered as an
online depot, as an offline depot, or as an installable ISO image. An online
depot is a hosted version of the software updates. Starting with vSphere 7.0,
the default, the VMware online depot provides vendor add-ons to hosts. The

Telegram Channel : @IRFaraExam

default depot also contains VMware-certified, ESXi-compatible I/O device
drivers. You can use the vSphere Client to access third-party online depots
containing additional components.
Offline bundles are ZIP files that contain the software metadata and the
respective VIBs. Starting with vSphere 7.0, an OEM can distribute an add-on
ZIP files that contains the delta between the OEM custom image and the base
image that VMware provides.
A baseline is a set of bulletins. Patch baselines, extension baselines, and
upgrade baselines contain patch bulletins, extension bulletins, and ESXi
images, respectively. You can attach baselines to hosts, check compliance of
a host with its associated baseline, and remediate (update) hosts by using the
baseline.
You can classify baselines based on the following:

Update type (such as patch baselines, extension baselines, and upgrade

baselines)
Content (such as fixed or dynamic)
Predefined, recommendation, or custom baselines
Predefined host patches (such as host security patches, critical host
patches, and non-critical host patches)

You cannot modify or delete the predefined baselines. You can use the
predefined baselines to create custom patch, extension, and upgrade
baselines. Recommendation baselines are baselines generated automatically
by vSAN. You can use recommendation baselines only with vSAN clusters.
A baseline group is a set of non-conflicting baselines that you can apply as a
single entity. A host baseline group can contain a single upgrade baseline
plus patch and extension baselines. For efficiency, you can attach and apply
baselines and baseline groups to container objects (such as folders, vApps,
and clusters) rather than to the individual underlying objects (virtual
machines and hosts).
To check a cluster’s compliance against an image, you can select the cluster,
select Updates > Hosts > Image, and click the Check Compliance button.
When you check a cluster’s compliance with a Lifecycle Manager image, one

Telegram Channel : @IRFaraExam

of the following four compliance states is identified for each member host:

You can use the vSphere Host Client interface to manage the host’s services.
To get started, log on to the vSphere Host Client as the root user or as another
user with local administrator privileges and navigate to Manage > Services.
Here you can examine the state of each ESXi service. To change the state of a
service, right-click on the service and select Start, Stop, or Reset. You can
also change a service’s startup policy such that it automatically starts with the

Telegram Channel : @IRFaraExam

host or associated firewall ports or is only started manually, as illustrated in
Figure 13-1. You can perform similar operations using the vSphere Client by
selecting the host and navigating to Configure > System > Services.

FIGURE 13-1 Managing Host Services in the vSphere Host Client

To manage firewall rules on an ESXi host, you can select the host in the
vSphere Client and navigate to Configure > System > Firewall, as illustrated
in Figure 13-2. Here you can view the currently allowed incoming and
outgoing firewall services. The details for each service include the service
name, the associated TCP ports, the associated UDP ports, and the allowed IP

Telegram Channel : @IRFaraExam

addresses. To make changes, you can use the Edit button to view all the
currently defined services, select the services you want to allow, and
optionally restrict the available IP addresses for the service. To perform
similar operations in the vSphere Host Client, navigate to Networking >
Firewall Rules.
In the vSphere Client, you can right-click on a specific host and choose from
a set of available actions. For example, to address a vCenter Server
connection to a host, you can choose Connection > Disconnect, wait for the
task to complete, and choose Connection > Connect. To remove a host from
the vCenter Server inventory, you can first choose Enter Maintenance mode,
then choose Remove from Inventory.
If you want to perform maintenance activities on a host, such as upgrading its
hardware, you can choose Maintenance Mode > Enter Maintenance Mode.
Following the completion of a maintenance activity, you can select
Maintenance Mode > Exit Maintenance Mode. To test a host’s ability to be
used with Distributed Power Management (DPM), you can choose Power >
Enter Standby Mode.

Telegram Channel : @IRFaraExam

FIGURE 13-2 Firewall Rules in the vSphere Client

The following are some of the other options you can select for a host in the
vSphere client:

Certificates (for example, renewing certificates or refreshing CA

certificates)
Host Profiles (including Attach, Detach, Extract, Change Host Profile, or
Remediate)
Export System Logs

Telegram Channel : @IRFaraExam

Assign License
Settings
Move To
Add Permission

Details on these tasks are provided elsewhere in this book.

Monitoring and Managing vCenter Server

You can use the vSphere Client and the vCenter Server Appliance
Management Interface (commonly called the VAMI) to configure, monitor,
and manage components and resource usage of the vCenter Server Appliance.
The “VIMTOP” and “vCenter Server Appliance Management Interface
(VAMI)” sections in Chapter 10, “Managing and Monitoring Clusters and
Resources,” provide information about monitoring the resource usage of the
services and database running in the vCenter Server Appliance. If database
resources are low, you can consider adjusting the statistics interval, statistics
level, task retention, and event retention settings. If you determine that the
appliance is low on disk space, you can add more space. To increase the disk
space for a vCenter Server Appliance 7.0, you can use the following
procedure:
Step 1. Use the vSphere Client (or Host Client) to navigate the vSphere
environment that is hosting the vCenter Server Appliance.
Step 2. Select the vCenter Server Appliance (virtual machine), edit its
settings, and increase the virtual disk size.
Step 3. Use SSH to connect to the vCenter Server as the root user.
Step 4. Run the following command:
Click here to view code image
com.vmware.appliance.system.storage.resize

Optionally, to see the impact of the command, you can use the following
command to examine the total and used storage (in kilobytes) before and
after step 4:

Telegram Channel : @IRFaraExam

Click here to view code image
com.vmware.appliance.version1.resources.storage.stats.list

Note
If you want to keep a complete history of tasks and events for your
vCenter Server, do not use the database retention options.

Monitoring and Managing vCenter Server with the VAMI

You can use the VAMI to monitor and manage specific components of your
vCenter Server.
To access the VAMI, use a web browser to connect to https://vCenter-
FQDN:5480. By default, you can log on using the root account and the
password that was set during the vCenter Server deployment.

Note
If you are using Internet Explorer, verify that TLS 1.0, TLS 1.1, and
TLS 1.2 are enabled in the security settings.

After logging in to the VAMI as root, you can perform any of the tasks
described in Table 13-5.
Table 13-5 Tasks in vCenter Server Appliance Management Interface

Task Steps/Details
View vCenter
Server health
status 1. Click Summary.

Telegram Channel : @IRFaraExam

2. Examine the color of the Overall Health badge.

Reboot
vCenter
Server 1. Click Summary

2. Click Actions > Reboot and click Yes.

Shut down
vCenter
Server 1. Click Summary

2. Click Actions > Shutdown and click Yes.

Create a
support
bundle 1. Click Summary

2. Click Actions > Create Support Bundle and save the

bundle to your desktop.

Monitor CPU
and memory
use of 1. Click Monitor
vCenter
Server
2. Click the CPU & Memory tab and use the date range
drop-down menu to specify a timeframe.

Monitor disk

Telegram Channel : @IRFaraExam

use of 1. Click Monitor
vCenter
Server
2. Click the Disks tab.

Monitor
network use
of vCenter 1. Click Monitor
Server
2. Click the Network tab and use the date range drop-
down menu to specify a timeframe.

3. Examine the graph grid and use the provided table to

select a packet or transmit byte rate to monitor.

Monitor
database use
of vCenter 1. Click Monitor
Server
2. Click the Database tab and use the date range drop-
down menu to specify a timeframe.

3. At the base of the graph, select specific database

components to include in the graph.
Enable or
disable each
type of 1. Click Access
vCenter
Server access
2. Configure each of the following options:

Telegram Channel : @IRFaraExam

Enable SSH Login.

Enable DCUI

Enable Console CLI

Enable Bash Shell

Configure
network
settings for 1. Click Networking
vCenter
Server
2. Click Edit and fill in the following networking details:

DNS settings

IPv4 settings

IPv6 settings

Proxy server settings

Telegram Channel : @IRFaraExam

When configuring a proxy server, you can enable
HTTPS, FTP, and HTTP options. You should provide the
proxy server’s IP address or host name, user credentials,
and a port number.
Configure the
firewall rules
for the 1. Click Firewall
vCenter
Server
2. Examine the existing set of rules and choose from the
following commands to change the rule set.

Add

Edit

Delete

Reorder

3. For each rule, include the appropriate NIC, IP address,

subnet, and action (Accept, Ignore, Reject, or Return).

Configure the
time settings
for the 1. Click Time
vCenter
Server
2. Click Time Zone > Edit and select the appropriate time
zone.

Telegram Channel : @IRFaraExam

3. Click Time Synchronization > Edit and select Mode to
Disable, Host, or NTP.

Start, stop,
and restart a
service in the 1. Click Services
vCenter
Server
2. Select a service and click Start, Stop, or Restart.

Configure
settings for
updating 1. Click Update
vCenter
Server
2. Click Settings, set the options for automatic update
checking, and set the repository to the default or to a
custom (HTTPS or FTPS) URL. Optionally provide
credentials if a custom repository is used.

3. Click Check Updates to manually check for updates.

Change the
root user
password in 1. Click Administration
vCenter
Server
2. Click Password > Change. Set the password and the
password expiration details. If you set the password to
expire, provide the number of days and an address for
the email warning.

Telegram Channel : @IRFaraExam

Configure log
forwarding 1. Click Syslog
on the
vCenter
Server 2. Click Configure (or Edit, if you previously configured
syslog hosts), enter up to three destination hosts in the
Create Forward Configuration pane, and set the
Protocol and Port.

3. Select one of the following protocol options:

TLS: Transport Layer Security

TCP: Transmission Control Protocol

RELP: Reliable Event Logging Protocol

View port —
settings for
vCenter 1. Select the Configure tab.
Server
2. Navigate to Settings > General
> Edit > Ports and examine the
ports used by the web service.

Configure This task requires the

timeout Global.Settings
settings for 1. Select the Configure tab. privilege.
vCenter
Server
2. Navigate to Settings > General
> Edit > Timeout Settings and
configure the following:

Normal: Timeout for normal

operations

Telegram Channel : @IRFaraExam

Long: Timeout for long
operations

3. Restart the vCenter Server

system.

Configure This task requires the

logging Global.Settings
settings for 1. Select the Configure tab. privilege.
vCenter
Server
2. Navigate to Settings > General
> Edit > Logging settings and
select one of the following
logging options:

None (disable logging)

Error (errors only)

vCenter Server and ESXi use data counters, organized in metric groups, to
collect data statistics. A data counter is a unit of information that is relevant
to a specific inventory object or device. For example, the disk metric group
includes separate data counters for collecting disk read rate, disk write rate,
and disk usage data. Statistics for each counter are rolled up at specific
collection intervals. Each data counter consists of several attributes that are
used to determine the statistical value collected.
Collection levels determine the number of counters for which data is gathered
during each collection interval. Collection intervals determine the time period
during which statistics are aggregated, calculated, rolled up, and archived in
the vCenter Server database. Together, the collection interval and collection
level determine how much statistical data is collected and stored in a vCenter
Server database.

Telegram Channel : @IRFaraExam

You can configure statistical data collection intervals to set the frequency at
which statistical queries occur, the length of time statistical data is stored in
the database, and the type of statistical data that is collected. To configure a
statistical interval, you can log on to the vSphere Client as a user with
Performance.ModifyIntervals privilege and use the following procedure:
Step 1. In the vSphere Client, select the vCenter Server instance in the
inventory pane and navigate to Configure > Settings.
Step 2. Select General > Edit.
Step 3. To enable a statistics interval, select its checkbox.
Step 4. Set the following interval attributes using the provided drop-down
menus.
Interval Duration: The time interval during which statistical data
is collected.
Save For: The amount of time to keep statistics in the database.
Statistics Level: The level of statistical data to be collected (1 to
4).

Step 5. Optionally, for Database Size, set the following options and
examine the estimated database size and number of rows:
Number of Physical Hosts
Number of Virtual Machines

Step 6. Click Save.

Table 13-8 provides details on the default data collection intervals.
Table 13-8 Collection Intervals
Collection Collecti Default Behavior
Interval on
(Archive Freque
Length) ncy
1 day 5 Real-time (20-second) statistics are rolled up to
minut create one data point every 5 minutes. The result

Telegram Channel : @IRFaraExam

es is 288 data points every day.

You can change the interval duration and archive

length of the 1-day collection interval by
configuring the statistics settings.
1 week 30 1-day statistics are rolled up to create one data
minut point every 30 minutes. The result is 336 data
es points every week.

You cannot change the default settings of the 1-

week collection interval.
1 month 2 1-week statistics are rolled up to create one data
hours point every 2 hours. The result is 360 data points
every month.

You cannot change the default settings of the 1-

month collection interval.
1 year 1 day 1-month statistics are rolled up to create one data
point every day. The result is 365 data points
each year.

You can change the archive length of the 1-year

collection interval by configuring the statistics
settings.
The default statistics level for all statistical intervals is 1. You can set the
statistics level to a value between 1 and 4, inclusive. The lower the level, the
smaller the number of statistics counters used. Level 4 uses all statistics
counters, but it is typically used only for debugging purposes. When setting a
statistics level for a specific statistics interval, you must use a value less than
or equal to the statistics level for the preceding statistics interval. Table 13-9
provides a summary of the metrics that are included for each statistics level.
Table 13-9 Statistics Levels
Le Metrics Best Practice

Telegram Channel : @IRFaraExam

vel
1 Cluster Services: All metrics Use this level for long-term
performance monitoring when
device statistics are not required.
CPU: cpuentitlement, totalmhz,
usage (average), usagemhz

Disk: capacity,
maxTotalLatency, provisioned,
unshared, usage (average), used

Memory: consumed,
mementitlement, overhead,
swapinRate, swapoutRate,
swapused, totalmb, usage
(average), vmmemctl (balloon)

Network: usage (average), IPv6

System: heartbeat, uptime

Virtual Machine Operations:

numChangeDS,
numChangeHost,
numChangeHostDS
2 Level 1 metrics plus the Use this level for long-term
following: performance monitoring when
device statistics are not required
but you want to monitor more than
CPU: idle, reservedCapacity the basic statistics.

Disk: All metrics, excluding

numberRead and numberWrite

Telegram Channel : @IRFaraExam

Memory: All metrics, excluding
memUsed and maximum and
minimum rollup values

Virtual Machine Operations:

All metrics
3 Level 1 and Level 2 metrics Use this level for short-term
plus the following: troubleshooting or when device
statistics are required.
Metrics for all counters,
excluding minimum and Due to the large quantity of data,
maximum rollup values use this level for the shortest (day
or week) collection interval that
suits your use case.
Device metrics
4 All metrics supported by the Same best practice as Level 3,
vCenter Server, including except that Level 4 should be used
minimum and maximum rollup only when you require metric
values rollup values that are not available
in Level 3.

Note
If you increase the collection level, you may need to allocate more
storage and system resources to avoid a decrease in performance.

Verifying SSL Certificates for Legacy Hosts

You can configure vCenter Server and the vSphere Client to check for valid
SSL certificates before connecting to a host for operations such as adding a
host or making a remote console connection to a virtual machine. vCenter
Server 5.1 and vCenter Server 5.5 always connect to ESXi hosts using SSL
thumbprint certificates. Starting with vCenter Server 6.0, VMware Certificate

Telegram Channel : @IRFaraExam

Authority signs the SSL certificates by default. You can instead replace
certificates with certificates from a third-party CA. Thumbprint Mode is
supported only for legacy hosts. To configure SSL certificate validation, you
can use the following procedure:
Step 1. In the vSphere Client, select the vCenter Server object in the
inventory and navigate to Configure > Settings > General.
Step 2. Click Edit and select SSL Settings.
Step 3. Determine the host thumbprint for each legacy host that requires
validation:
a. Log in to the DCUI.
b. Select System Customization > View Support Information
and examine the thumbprint displayed in the right column.
Step 4. Compare each host thumbprint with the thumbprint listed in the
vCenter Server SSL Settings dialog box.
Step 5. If the thumbprints match, select the checkbox for the host.
Step 6. Click Save. Hosts that were not selected in step 5 are disconnected.

Updating the vCenter Server

You can use the VAMI or the vCenter Server Appliance shell to install
patches.

Patching with VAMI

To update a vCenter Server Appliance, you may want to first stage the
patches to the appliance, using the following procedure:
Step 1. Log on as root to the VAMI.
Step 2. Click Update.
Step 3. Click Check Updates and select one of the following:
a. Check URL
b. Check CDROM

Telegram Channel : @IRFaraExam

Step 4. Optionally, choose Run Pre-check.
Step 5. In the Staging Options section, click Stage.

Note
Other staging options include Stage and Install, Unstage, and Resume.

If you choose to use the Check URL option, the vCenter Server uses the
configured VMware repository URL. The default VMware repository URL
requires Internet access. If your vCenter Server is not connected to the
Internet or if required by your security policy, you can configure a custom
repository URL for your vCenter Server patches by using the following
procedure:
Step 1. Download the vCenter Server Appliance patch ZIP file from
VMware’s website
(https://my.vmware.com/web/vmware/downloads).
Step 2. On a local web server, create a repository directory under the root.
Step 3. Extract the ZIP file into the repository directory.
Step 4. Log on as root to the VAMI.
Step 5. Select Update > Settings.
Step 6. Set the Repository settings: Choose use specified repository,
provide the URL and (optionally) the user credentials.
Step 7. Click OK.
After staging the patches to the vCenter Server, you can install the patches by
using the following procedure:
Step 1. Log on as root to the VAMI.
Step 2. Ensure that the patches are staged or use the staging procedure, but
for the staging options, select Stage and Install.
Step 3. Click Update.

Telegram Channel : @IRFaraExam

Step 4. Select the range of patches to apply and click Install.
Step 5. Read and accept the end-user license agreement (EULA).
Step 6. Wait for the installation to complete and then click OK.
Step 7. If a reboot is required, click Summary > Reboot.

Note
You should perform the previous procedure only during a maintenance
period because the services provided by the vCenter Server become
unavailable during the patch installation. As a precaution, you should
also back up the vCenter Server prior to patching.

To configure vCenter Server to schedule automatic checks for available

patches in the configured repository URL, you can use the following
procedure:
Step 1. Log on as root to the VAMI.
Step 2. Verify that the correct repository URL is set and available.
Step 3. Click Update > Settings.
Step 4. Select Check for Updates Automatically and set the day and time
(in UTC) to check for available patches.

Patching with the vCenter Server Appliance Shell

An alternate method for patching vCenter Server is to use its shell. For
patching purposes, you should log on to the shell as a user with the super
administrator role and use the commands in Table 13-10, as needed.
Table 13-10 Commands for Patching
Purpose Command/Utility
View the full list of patches and software-packages list --
software packages installed in the history
vCenter Server Appliance, in

Telegram Channel : @IRFaraExam

chronological order
View details about a specific patch software-packages list --patch
patch_name
Configure the vCenter Server to use a update.set --currentURL
custom repository URL http://webserver /repo [--
username username] [--
password password]
Configure the vCenter Server to use update.set --currentURL
the default VMware repository URL default
Enable automatic checks for vCenter update.set --CheckUpdates
Server Appliance patches in the enabled [--day day] [--time
current repository HH:MM:SS]
Stage the patches from an attached software-packages stage --iso
ISO image
Stage the patches from the current software-packages stage --url
repository URL
Stage the patches from the repository software-packages stage --url
URL that is not currently configured in URL_of_the_repository
the vCenter Server
Install the staged patches software-packages install –
staged
Install patches directly from an software-packages install --iso
attached ISO image
Install patches directly from the software-packages install --url
configured repository URL
Install patches directly from a software-packages install --url
repository URL that is not currently URL_of_the_repository
configured in the vCenter Server
Reboot the vCenter Server following a shutdown reboot -r “patch
patch installation reboot”

Telegram Channel : @IRFaraExam

Note
To stage only third-party patches, include the --thirdParty option with
the software-packages stage command. To directly accept the EULA,
include the --acceptEulas option.

Managing a vCenter HA Cluster

During normal operation, the vCenter HA cluster mode is Enabled, such that
it is protecting vCenter Server from hardware and software failures. When the
cluster detects the failure of the Active node, the Passive node attempts an
automatic failover, and the Passive node becomes the Active node. You can
choose to perform a manual failover by choosing the Initiate Failover option
in the vCenter HA settings in the vSphere Client. When performing a manual
failover, you can choose to synchronize first or to force the failover without
synchronization.
You can change the vCenter HA cluster mode to Maintenance when
preparing to perform some maintenance activities. If the Passive or Witness
nodes are unavailable (or recovering from a failure), a vCenter HA cluster
mode may be disabled, in which case the Active node continues as a
standalone vCenter Server. When the cluster is operating in either
Maintenance Mode or Disabled Mode, an Active node can continue serving
client requests even if the Passive and Witness nodes are lost or unreachable.
To change the vCenter HA cluster mode, you can select the Active node in
the vSphere Client, select Configure > Settings > vCenter HA > Edit, and
choose Enable vCenter HA, Maintenance Mode, Disable vCenter HA, or
Remove vCenter HA Cluster.
You can use the following procedure to perform backup and restore
operations on a vCenter HA cluster:
Step 1. Use the Active node’s VAMI to obtain a file-based backup of the
Active vCenter Server node. (Do not back up the Passive node or
Witness node.)
Step 2. Before you begin the restore operation, power off and delete all
vCenter HA nodes and remove the cluster configuration.

Telegram Channel : @IRFaraExam

FIGURE 13-4 Repointing vCenter from a Multi-Node Domain

Figure 13-5 illustrates a vCenter Server (Node A) being repointed from a

multi-node domain to a new domain that is created with the repoint
command.

FIGURE 13-5 Repointing vCenter to a New Domain

Telegram Channel : @IRFaraExam

Managing Virtual Machines

This chapter covers the following topics:

Creating and Configuring Virtual Machines

Managing Virtual Machines
Advanced Virtual Machine Management
Content Libraries

This chapter contains information related to Professional VMware vSphere

7.x (2V0-21.20) exam objectives 4.7, 5.6,7.1, 7.2, 7.3, 7.6, and 7.11.4.

This chapter provides details on managing virtual machines.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you
should study this entire chapter or move quickly to the “Exam Preparation
Tasks” section. In any case, the authors recommend that you read the entire
chapter at least once. Table 14-1 outlines the major headings in this chapter
and the corresponding “Do I Know This Already?” quiz questions. You can
find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’
Quizzes and Review Questions.”
Table 14-1 “Do I Know This Already?” Section-to-Question Mapping
Foundation Topics Section Questions
Creating and Configuring Virtual Machines 1–3
Managing Virtual Machines 4–6

Telegram Channel : @IRFaraExam

Advanced Virtual Machine Management 7, 8
Content Libraries 9, 10

Telegram Channel : @IRFaraExam

resource pool, or vApp), storage type and location, virtual machine
compatibility, guest OS, Windows virtualization-based security (for a
Windows virtual machine), and hardware customization.
When selecting the storage type on a host that has PMem memory, you can
select either the Standard or PMem radio button. If you chose PMem storage
for a virtual machine, its default virtual disk, new virtual disk, and NVDIMM
devices share the same PMem resources. You should adjust the size of newly
added devices. The wizard alerts you if issues exist.

Powering on a VM
To power on a virtual machine, in the vSphere client, you can right-click the
virtual machine and choose Power On. The following are some likely causes
of power-on failures:

The evaluation period (or license) has expired.

Telegram Channel : @IRFaraExam

Virtual Machine.Provisioning.Create Template from Virtual Machine on
the source virtual machine
Virtual Machine.Inventory.Create from Existing on the virtual machine
folder where the template is created
Resource.Assign Virtual Machine to Resource Pool on the destination
host, cluster, or resource pool
Datastore.Allocate Space on all datastores where the template is created

To clone a virtual machine to template, in the vSphere client, right-click the

virtual machine, select Clone > Clone as Template, and complete the wizard.
In the wizard, provide a template name, folder, compute resource, and
datastore.

Note
You cannot change the storage policy if you clone an encrypted virtual
machine.

You can clone a virtual machine to a create a new virtual machine. The
following privileges are required to clone a virtual machine to create a new
virtual machine:

Virtual Machine.Provisioning.Clone Virtual Machine on the virtual

machine you are cloning
Virtual Machine.Inventory.Create from Existing on the data center or
virtual machine folder
Virtual Machine.Configuration.Add New Disk on the data center or
virtual machine folder
Resource.Assign Virtual Machine to Resource Pool on the destination
host, cluster, or resource pool
Datastore.Allocate Space on the destination datastore or datastore folder

Telegram Channel : @IRFaraExam

Network.Assign Network on the network to which you assign the virtual
machine
Virtual Machine.Provisioning.Customize on the virtual machine or
virtual machine folder (when customizing the guest operating system)
Virtual Machine.Provisioning.Read Customization Specifications on the
root vCenter Server (when customizing the guest operating system).

You can clone a virtual machine to create a new virtual machine by right-
clicking the virtual machine and selecting Clone > Clone to Virtual Machine.
In the wizard, you should provide all required information, such as name,
compute resource, compatibility, and storage. The procedure is much like the
procedure in the “Deploying a Virtual Machine from a Template” section,
later in this chapter, including the option to customize the guest OS.

Note
You cannot use the vSphere Client to clone a virtual machine using
linked clones or instant clones. You can do so with API calls.

If the source virtual machine has an NVDIMM device and virtual PMem hard
disks, the destination host or cluster must have an available PMem resource.
If the virtual machine has virtual PMem hard disks but does not have an
NVDIMM device, the destination host or cluster must have an available
PMem resource. Otherwise, all hard disks of the destination virtual machine
use the storage policy and datastore selected for the configuration files of the
source virtual machine.

Converting Between a VM and a Template

You can easily convert a virtual machine to a template. In the vSphere client,
you can right-click a powered-down virtual machine and choose Template >
Convert to Template.
You can convert a template to a virtual machine. This is useful when you
want to install new software and guest OS updates in the template. To do so,
in the vSphere client, right-click the template and select Convert Template to

Telegram Channel : @IRFaraExam

Virtual Machine. You need the following privileges:

Virtual Machine.Provisioning.Mark as Virtual Machine on the source

template
Resource.Assign Virtual Machine to Resource Pool on the target
resource pool

Deploying a Virtual Machine from a Template

The following privileges are required for deploying a virtual machine from a
template:

On the Set Registration Information page, enter the virtual machine
owner’s name and organization and click Next.
On the Windows License page, provide a Windows product key. For a
Windows Server specification, either select the Per Seat option or
configure the maximum concurrent connections for the Per Server
option. Click Next.
On the Set Administrator Password page, configure the password,
optionally select Automatically Logon as Administrator option, and click
Next.
On the Networking page, if you choose the Manually Select Custom
Settings, use the DNS tab to provide DNS server details and click WINS
to provide WINS details.
On the Set Workgroup or Domain page, either provide a workgroup
name or provide user credentials and a domain name and click Next.

Whenever you create a new virtual machine by deploying from template or

by cloning, you can use the wizard to select the Customize the Operating
System checkbox and select the appropriate specification. To customize an
existing virtual machine, in the vSphere client, right-click the virtual machine
in the inventory pane, select Guest OS > Customize Guest OS, and select the
appropriate specification.
As needed, you can manage guest customization specifications by navigating
to Menu > Policies and Profiles > VM Customization Specifications. Here,
you can import guest customization specifications. You can also select a
particular specification and select one of the following actions:

Edit Customization Spec

Duplicate Customization Spec
Export Customization Spec
Delete Customization Spec

Deploying OVF/OVA Templates

Another method for deploying virtual machines is to leverage Open Virtual

Telegram Channel : @IRFaraExam

Format (OVF) templates or Open Virtual Appliance (OVA) templates. You
can use the vSphere Client to deploy an OVF or OVA template. You can
export a virtual machine, virtual appliance, or vApp as an OVF or OVA
template to create virtual appliances that can be imported by other users.
Compared to other methods, using an OVF template to export and import
virtual machines provides the following benefits:

Compressed data (which means faster downloads and uploads)

Validation of the OVF by vCenter Server prior to importing
Encapsulation of multiple virtual machines

OVA is essentially a single-file distribution of an OVF package. Prior to

vSphere 6.5, the Client Integration Plug-In is required to export and import
OVF and OVA templates. Starting in vSphere 6.5, you can only export to
OVF. Deploying a virtual machine from an OVF template is commonly
referred to as deploying an OVF.
To deploy an OVF, you can use the following procedure:
Step 1. In the vSphere Client, right-click on a cluster in the inventory pane
and select Deploy OVF Template.
Step 2. On the Select OVF Template page, specify the path to the OVF file
as a URL or local file and click Next.
Step 3. Use the wizard to provide information for the new virtual machine,
such as name, folder, and compute resource.
Step 4. On the Review Details page, verify the OVF template details, such
as publisher, download size, and size on disk. Click Next.
Step 5. Complete the wizard by providing typical details for a new virtual
machine, such as storage policy, storage location, and network
configuration.
Step 6. Optionally, customize the deployment properties on the Customize
Template page.
Step 7. Optionally, select a binding service provider on the vService
Bindings page.

Telegram Channel : @IRFaraExam

Step 8. On the Ready to Complete page, click Finish.

Managing Virtual Machines

This section covers reoccurring activities that you might perform regarding
virtual machines.

Configuring Virtual Machine Hardware

When creating or upgrading a virtual machine, you can configure the virtual
machine compatibility setting, which controls the ESXi versions on which the
virtual machine can run. The compatibility setting controls which virtual
machine hardware version is used. The main use cases for configuring the
compatibility setting to a version earlier than the default for the host are to
maintain compatibility with older hosts and to standardize virtual machine
deployment in the environment. The main downside of configuring the
compatibility setting to a version earlier than the default for the host is that
the virtual machine may not be able to use virtual hardware features
supported by the host and may not achieve the best performance. Table 14-3
describes virtual machine compatibility options.
Table 14-3 Virtual Machine Compatibility Options
Compatibility Setting Hardware Version
ESXi 7.0 and later Hardware Version 17
ESXi 6.7 Update 2 and later Hardware Version 15
ESXi 6.7 and later Hardware Version 14
ESXi 6.5 and later Hardware Version 13
ESXi 6.0 and later Hardware Version 11
ESXi 5.5 and later Hardware Version 10
ESXi 5.1 and later Hardware Version 9
ESXi 5.0 and later Hardware Version 8
ESX/ESXi 4.0 and later Hardware Version 7
ESX/ESXi 3.5 and later Hardware Version 4

Telegram Channel : @IRFaraExam

Note
ESXi 5.0 allows you to run virtual machines with ESX/ESXi 3.5 and
later compatibility (hardware Version 4) but does not allow you to
create them.

The compatibility setting impacts the supported features for the virtual
machine. Table 14-4 lists some of the feature sets available in recent
hardware versions.
Table 14-4 Features by Recent Virtual Machine Hardware Versions
Feature Versio Versio Versio Versio Versio
n 17 n 15 n 14 n 13 n 11
Maximum memory (GB) 6128 6128 6128 6128 4080
Maximum number of logical 256 256 128 128 128
processors
Maximum number of cores 64 64 64 64 64
(virtual CPUs) per socket
NVMe controllers 4 4 4 4 No
Maximum NICs 10 10 10 10 10
USB 3.1 SuperSpeedPlus Yes No No No No
Maximum video memory (GB) 4 2 2 2 2
Dynamic DirectPath Yes No No No No
PCI hot adding support Yes Yes Yes Yes Yes
Virtual precision clock device Yes No No No No
Virtual watchdog timer device Yes No No No No
Virtual SGX device Yes No No No No
Virtual RDMA Yes Yes Yes Yes No
NVDIMM controller 1 1 1 No No

Telegram Channel : @IRFaraExam

NVDIMM devices 64 64 64 No No
Virtual I/O MMU Yes Yes Yes No No
Virtual TPM Yes Yes Yes No No
Microsoft VBS Yes Yes Yes No No
To control the default hardware compatibility for new virtual machines, you
can set the Default VM Compatibility setting at the host, cluster, or data
center level. The settings on a host override the settings on a cluster, which
override the settings on the data center. To make the settings on a host or
cluster, you must have the Host.Inventory.Modify Cluster privilege. To make
the settings on a data center, you must have the Datacenter.Reconfigure
Datacenter privilege.
You can upgrade the compatibility level of an existing virtual machine but
should first upgrade VMware Tools. For example, you can select a virtual
machine and use the Compatibility > Schedule VM Compatibility Upgrade
option to upgrade the compatibility the next time you restart the virtual
machine. Optionally, you can select Only Upgrade After Normal Guest OS
Shutdown to upgrade compatibility during regularly scheduled guest
maintenance.
You can change the number of virtual CPUs used by a virtual machine.
Specifically, you can set the number of cores and the number of cores per
socket. In ESXi 7.0, the maximum number of virtual CPU sockets is 128. To
configure a virtual machine with more than 128 virtual CPUs, you must use
multicore virtual CPUs.
By default, you cannot add CPU resources to a virtual machine when it is
turned on. To change this behavior, you can enable the virtual machine’s
CPU hot adding option, but the following conditions apply:

For best results, set virtual machine compatibility to ESXi 5.0 or later.
Hot adding multicore virtual CPUs requires compatibility set to ESXi 5.0
or later.
You cannot use hot adding to increase the number of virtual CPUs for a

Telegram Channel : @IRFaraExam

virtual machine with 128 or fewer virtual CPUs.
You can use hot adding to increase the number of virtual CPUs for a
virtual machine that already has more than 128 virtual CPUs.
You can disable hot adding for virtual machines with guest operating
systems that do not support CPU hot adding.
For virtual machines with compatibility set to ESXi 4.x and later, to
support CPU hot adding, set Number of Cores per Socket to 1.
Hot adding CPU resources to a virtual machine disconnects and
reconnects all USB passthrough devices.

To enable CPU hot adding, the following prerequisites apply:

The latest VMware Tools version must be installed.

The guest operating system must support CPU hot adding.
Virtual machine compatibility must be set to a minimum of ESX/ESXi
4.x or later.
The virtual machine must be turned off.
The Virtual Machine.Configuration.Settings privilege is required.

CPU identification (CPU ID) masks control the visibility of CPU features to
the guest OS. Masking CPU features can impact a virtual machine’s
availability for migration using vMotion. For example, if you mask the AMD
No eXecute (NX) or the Intel eXecute Disable (XD) bits, you prevent the
virtual machine from using those features, but you allow the virtual machine
to hot migrate to hosts that do not include this capability.

Note
Changing the CPU compatibility masks can result in an unsupported
configuration. Do not manually change the CPU compatibility masks
unless instructed to do so by VMware Support or a VMware
Knowledge Base article.

Telegram Channel : @IRFaraExam

During specific management operations, such as creating a virtual disk,
cloning a virtual machine to a template, or migrating a virtual machine, you
can set the provisioning policy for the virtual disk file. You can use Storage
vMotion or other cross-datastore migrations to transform virtual disks from
one format to another. The available virtual disk provisioning policies are
described in Table 14-5.
Table 14-5 Virtual Disk Provisioning Policies
Provision Description Sample Use Case
ing
Policy
Thick All the provisioned space is Minimizes the risk of
provisi allocated during creation. Data is exhausting free datastore
oned zeroed on the first demand from space.
lazy the virtual machine.
zeroed
Thick All the provisioned space is Required for some
provisi allocated and zeroed (erased) clustering features, such as
oned during creation. Fault Tolerance. Provides
eager the best performance.
zeroed
Thin Space is allocated and zeroed on Fastest method to
provisi demand, as needed, up to the provision and migrate
oned provisioned space. virtual disks.
You can change a virtual disk from the thin format to thick format by
navigating to Datastore > Files in the vSphere Client and choosing the Inflate
action for the virtual disk file. The vSphere Client does not provide a deflate
option. To change a virtual disk provisioning type from thick to thin, you can
migrate the virtual machine storage and select the appropriate policy.
Creating and growing a virtual disk provisioned for thick provisioned eager
zeroed may take significantly longer than with a virtual disk provisioned for
thick provisioned lazy zeroed.
You can configure virtual machines with virtual disks greater than 2 TB
(large-capacity virtual disks), but you must meet resource and configuration

Telegram Channel : @IRFaraExam

requirements. The maximum size for large-capacity virtual disks is 62 TB.
You should avoid using the maximum size because some operations, such as
those involving snapshots and linked clones, may not finish when the
maximum amount of disk space is allocated to a virtual disk. Operations such
as snapshot quiesce, cloning, Storage vMotion, and vMotion in environments
without shared storage can take significantly longer to finish. The following
conditions and limitations apply to virtual machines with large-capacity
disks:

You must use a guest OS that supports large-capacity virtual hard disks.
Target hosts for migration and cloning operations must use ESXi 6.0 or
later.
NFS, vSAN, and VMFS Version 5 or later datastores are supported.
Fault Tolerance is not supported.
BusLogic Parallel controllers are not supported.

To increase the size of a virtual disk, you need the following privileges:

Virtual Machine.Configuration.Modify Device Settings on the virtual

machine
Virtual Machine.Configuration.Extend Virtual Disk on the virtual
machine
Datastore.Allocate Space on the datastore

To control how a virtual disk is impacted by snapshots, you can set the disk
mode for a virtual disk to the settings described in Table 14-6.
Table 14-6 Virtual Disk Mode Settings
Disk Mode Description
Dependent Included in snapshots.
Independent– Not included in snapshots.
Persistent
All data written is written permanently to disk.

Telegram Channel : @IRFaraExam

Independent– Not included in snapshots.
Nonpersistent
Changes are discarded when you turn off or reset
the virtual machine.
You can set shares for a virtual disk, and they work much like CPU or
memory shares for a virtual machine. The disk shares provide a relative
priority for accessing the disk during periods of disk I/O contention for the
underlying storage. The values Low, Normal, High, and Custom are
compared to the sum of all shares of all virtual machines on the host. To
control the maximum amount of disk I/O for a virtual disk, you can set the
virtual disk’s Limit–IOPS value. By default, the virtual disk is set for normal
shares and unlimited IOPS.
You can add virtual disks to virtual machines, including new virtual disks,
existing virtual disks, and raw device mappings (RDMs). To add an RDM to
a virtual machine, you need to use an account with the Virtual
Machine.Configuration.Configure Raw Device privilege, select a target LUN,
choose where to store the mapping file, choose a compatibility mode
(physical or virtual), and select a disk mode. Disk modes are not available for
RDMs using physical compatibility mode.
A storage controller is included by default when you create a virtual machine.
You can add additional SCSI controllers (BusLogic Parallel, LSI Logic
Parallel, LSI Logic SAS, and VMware Paravirtual SCSI), AHCI, SATA, and
NVM Express (NVMe) controllers. The following limitations apply to
storage controllers:

ESXi 4.x and later compatibility is required for LSI Logic SAS and
VMware Paravirtual SCSI.
ESXi 5.5 and later compatibility is required for AHCI SATA
ESXi 6.5 and later compatibility is required for NVMe
BusLogic Parallel controllers do not support large-capacity disks.
Disks on VMware Paravirtual SCSI controllers may not provide the
expected performance if they have snapshots or if the host’s memory is
overcommitted.

Telegram Channel : @IRFaraExam

Before changing the storage controller type, you should ensure that the guest
OS has the drivers for the target controller type, or the disks will become
inaccessible. Likewise, in the following cases, adding storage controller types
to a virtual machine that uses BIOS firmware may cause boot problems and
require you to fix the issue by entering the BIOS setup:

Select to change the compute resource only.
You are not prompted to select a destination datastore.
Select either Schedule vMotion with High Priority or Schedule Regular
vMotion.

To perform a hot cross-data store (Storage vMotion) migration, you can

apply the previous cold migration procedure, with the following changes:

Start with a powered-on virtual machine.

Select to change storage only.
You are not prompted to select a destination host.

To perform a hot cross-host and cross-data store (vMotion without shared

storage) migration, you can apply the previous cold migration procedure,
with the following changes:

Start with a powered-on virtual machine.

Select to change both the compute resource and storage.
Select either Schedule vMotion with High Priority or Schedule Regular
vMotion.

machines:
Click here to view code image
Connect-VIServer -Server server1.vsphere.local -Protocol http
-User '[email protected]' -Password 'VMware1!'

Get-VM

To start a virtual machine named win-01, you can use the following
commands:
Get-VM win-01 | Start-VM

You can use PowerCLI to create virtual machines from specifications

provided in an XML file. The XML content could provide detailed
specifications for multiple virtual machines. For example, you can use the
following sample XML content, which represents the minimum
specifications for two virtual machines named MyVM1 and MyVM2, each
having a 100 GB virtual disk:
Click here to view code image
<CreateVM>
<VM>
<Name>MyVM1</Name>
<HDDCapacity>100</HDDCapacity>
</VM>
<VM>
<Name>MyVM2</Name>
<HDDCapacity>100</HDDCapacity>
</VM>
</CreateVM>

If you save the sample content to a file named MyVMs.xml, you can use the
following commands to read the file, parse the XML content into a variable,
and create a virtual machine based on each specification:
Click here to view code image
[xml]$s = Get-Content myVM.xml
$s.CreateVM.VM | foreach {New-VM -VMHost $vmHost1 -Name $_.Name
-DiskGB $_.HDDCapacity}

Telegram Channel : @IRFaraExam

Creating a Content Library

To create a content library, you must have one of the following privileges on
the vCenter Server instance:

Content Library.Create Local Library

Content Library.Create Subscribed Library

Telegram Channel : @IRFaraExam

In addition, you must have the Datastore.Allocate Space privilege on the
target datastore.
You can use the following procedure to create a content library:
Step 1. In the vSphere Client, select Menu > Content Libraries and click
the Create a new content library icon.
Step 2. On the Name and Location page, enter a name and select a vCenter
Server instance for the content library. Click Next.
Step 3. On the Configure Content Library page, select the type of content
library that you want to create:
Local Content Library: By default, a local content library is
accessible only in the vCenter Server instance where you create it.
Optionally, you can select Enable Publishing to make the content
of the library available to other vCenter Server instances.
Subscribed Content Library: This option creates a content
library that subscribes to a published content library.

Click Next.
Step 4. On the Add Storage page, select a storage location for the content
library contents and click Next.
Step 5. On the Ready to Complete page, review the details and click Finish.

Publishing a Content Library

You can publish an existing content library. For example, to publish an
existing local, non-subscribed library, you can use the following procedure:
Step 1. Use the vSphere Client to navigate to Content Libraries.
Step 2. Right-click on an existing content library, select Edit Settings.
Step 3. Select the Enable Publishing checkbox.
Step 4. Click the Copy Link button to copy the URL of your library that
you can paste into the settings of a subscribed library.
Step 5. Select Enable User Authentication for access to this content

Telegram Channel : @IRFaraExam

library and set a password for the library.
Step 6. Click OK.

Note
When you enable authentication for the content library, you effectively
set a password on the static username vcsp, which you cannot change.
This is a user account that is not associated with vCenter Single Sign-
On or Active Directory.

Subscribing to a Content Library

When using the previous procedure to create a subscribed content library,
you must provide the following information:

Step 1. In the Subscription URL text box, enter the URL address of the
published library.
Step 2. If authentication is enabled on the published library, select Enable
Authentication and enter the publisher password.
Step 3. Select a download method for the contents of the subscribed library:
Immediately or When Needed.
Step 4. If prompted, accept the SSL certificate thumbprint. The SSL
certificate thumbprint is stored on your system until you delete the
subscribed content library from the inventory.

Note
The transfer service on the vCenter Server is responsible for importing
and exporting content between the subscriber and the publisher, using
HTTP NFC.

Telegram Channel : @IRFaraExam

Content Library Permissions
Content libraries are not direct children of the vCenter Server object in the
vSphere inventory. Instead, content libraries are direct children of the global
root. This means that permissions set on a vCenter Server do not apply to
content libraries, even if they are set to propagate to child objects. To assign a
permission on a content library, an administrator must grant the permission to
the user as a global permission. Global permissions support assigning
privileges across solutions from a global root object.
Consider the following scenarios:

If a user is granted the read-only role as a global permission and the

administrator role at a vCenter Server level, the user can manage the
vCenter Server’s content libraries and content but can only view content
libraries belonging to other vCenter Servers.
If a user is granted the content library administrator role as a global
permission, the user can manage all content libraries and content in all
vCenter Server instances.
If a user is not granted any global permission but is granted the
administrator role at a vCenter Server level, the user cannot view or
manage any libraries or content, including the vCenter Server’s local
content libraries.

vCenter Server provides a predefined sample role, content library

administrator, that allows you to give users or groups the necessary privileges
to manage selected content libraries. You can modify the role or use it as an
example to create custom roles. If a user is assigned the content library
administrator role on a library, that user can perform the following tasks on
that library:

Create, edit, and delete local or subscribed libraries.

Synchronize a subscribed library and synchronize items in a subscribed
library.
View the item types supported by the library.
Configure the global settings for the library.

Telegram Channel : @IRFaraExam

Import items to a library.
Export library items.

Note
You cannot set permissions on a content library directly.

Content Library Synchronization Options

When configuring the subscribing library, you can choose either to download
all libraries’ content immediately or download library content only when
needed. The first option starts the full synchronization process immediately.
It includes the full content, including the metadata and actual data. The latter
option starts the synchronization process for just the metadata immediately.
The metadata contains information about the actual content data, allowing
users to view and select the associated templates and ISOs. In this case, the
actual data is synchronized only as needed when subscribed library objects
are demanded. The impact of the on-demand synchronization is that storage
space may be saved for the subscribing library, but a delay may exist each
time a library item is selected.
To enable automatic synchronization, select the option Enable Automatic
Synchronization with the External Library in the subscribed library settings.
Consider the fact that the automatic synchronization requires a lot of storage
space because you download full copies of all the items in the published
library.
The content library synchronization method has an impact on VM
provisioning time and datastore space usage. If an object is not already
downloaded when you go to use it, you may have to wait while the
subscribed content library downloads it from the published library. To
optimize VM provisioning time, consider setting the download method to
Immediately. To optimize datastore space usage, consider setting the
download method to When Needed.

Adding Items to a Content Library

Telegram Channel : @IRFaraExam

You can import items such as OVA/OVF templates and vApps to a content
library from your local machine or from a web server. You can also import
ISO images, certificates, and other files. You can add to a content library an
item that resides on a web server, or you can add items to a content library by
importing files from your local file system.
You can import an OVF package to use as a template for deploying virtual
machines and vApps. You can also import other types of files, such as scripts
or ISO files. To import a file, in the vSphere client, right-click a content
library, choose Import Item, select a file, and assign the item name.
You can also add content to a library by cloning VMs or templates to the
library, as described in the following steps:
Step 1. In the vSphere Client, navigate to the virtual machine or template
that you want to clone and select one of the following cloning tasks:
Right-click a virtual machine and select Clone > Clone to
Template in Library.
Right-click a VM template and select Clone to Library.

Step 2. Depending on the selection in the previous step, complete the

cloning wizard. For example, if you selected a VM template and
chose Clone to Library, then you can use the following steps to
create a new template in the content library:
a. Select the Clone As option and choose to create a new template.
b. From the Content Libraries list, select the library in which you
want to add the template.
c. Enter a name and description for the template.
d. Optionally, select the configuration data that you want to include
in the template. You can select to preserve the MAC addresses
on the network adapters and include extra configuration.
e. Click OK.

Deploying VMs by Using a Content Library

You can deploy virtual machines from the VM templates in your content

Telegram Channel : @IRFaraExam

library by using this procedure:
Step 1. In the vSphere client, select Home > Content Libraries.
Step 2. Select a content library and click the Templates tab.
Step 3. Right-click a VM template and select New VM from This
Template.
Step 4. On the Select Name and Location page, enter a name and select a
location for the virtual machine.
Step 5. Optionally, to apply a customization specification to your virtual
machine, select the Customize the Operating System checkbox
and click Next.
Step 6. On the Customize Guest OS page, select a customization
specification or create a new one and click Next.
Step 7. On the Select a Resource page, select a host, a cluster, a resource
pool, or a vApp to run the deployed VM template and click Next.
Step 8. On the Review Details page, verify the template details and click
Next.

Exam Preparation Tasks

Review All the Key Topics

Review the most important topics in this chapter, noted with the Key Topics
icon in the outer margin of the page. Table 14-9 lists these key topics and the
page number on which each is found.

Telegram Channel : @IRFaraExam

Table 14-9 Key Topics for Chapter 14
Key Topic Description Page
Element Number
List Permissions to create a virtual machine 568
List Permissions to clone a virtual machine 572
List Creating a Linux guest customization 575
specification
List Creating a Windows guest customization 576
specification
List Conditions for CPU hot adding 580
List Requirements for virtual machine encryption 584
Section Migrating virtual machines 587
Section Configuring VMs to support vGPUs 592
List Subscribing to a content library 596

Complete Tables and Lists from Memory

Note
Currently, you can choose to take the exam at home or in a Pearson
Vue testing center. To take the exam at home, you must meet strict
requirements, such as compatibility for audio, camera, and bandwidth.
Pay careful attention to all the requirements and precheck information
before choosing this option.

Taking the Exam

Here is a list of recommendations for the day of the exam:

Telegram Channel : @IRFaraExam

virtual disk, the required capacity is 150 GB, and the usable
capacity is 67%.
5. a. Explanation: The following are the VAAI primitives for NAS:
Full File Clone, Fast File Clone/Native Snapshot Support,
Extended Statistics, and Reserve Space.
6. d. Explanation: Protocol endpoints (PEs) are logical I/O proxies,
used for communication with virtual volumes and the virtual disk
files.
7. a. Explanation: When the VMware NMP receives an I/O request,
its calls the appropriate PSP, the PSP selects an appropriate
physical path, and the NMP issues the I/O request.
8. c. Explanation: A VM storage policy for tag-based placement is
helpful for storage arrays that do not support VASA and their
storage characteristics are not visible to the vSphere client.
9. a. Explanation: The available vSAN storage policies include PFTT,
SFTT, Data Locality, Failure Tolerance Method, Number of Disk
Stripes per Object, Flash Read Cached Reservation, Force
Provisioning, Object Space Reservation, Disable, Object
Checksum, and IOPS Limit for Object.
10. b. Explanation: If the space used on datastore A is 82% and on
datastore B is 79%, the difference is 3. If the threshold is 5, Storage
DRS will not make migration recommendations from datastore A
to datastore B.

Chapter 3
1. d. Explanation: On a vSS, you can set the following network
policies: Teaming and Failover, Security, Traffic Shaping, and
VLAN.
2. b. Explanation: The following NIC teaming options are available
on vSS and vDS: Route Based on Originating Virtual Port, Route
Based on IP Hash, Route Based on Source MAC Hash, and Use
Explicit Failover Order.

Telegram Channel : @IRFaraExam

3. a. Explanation: Distributed virtual switches can do both inbound
and outbound traffic shaping, whereas standard virtual switches
handle just outbound traffic shaping.
4. c. Explanation: If you reserved 1.0 Gbps for virtual machine system
traffic on a distributed switch with 8 uplinks, then the total
aggregated bandwidth available for virtual machine reservation on
the switch is 8.0 Gbps. Each network resource pool can reserve a
portion of the 8 Gbps capacity.
5. c. Explanation: When marking traffic, you can create a rule to
configure qualifiers to identify the data to be tagged and set Action
to Tag.
6. c. Explanation: A vDS supports up to 64 LAGs.
7. a. Explanation: The required vDS configuration for the virtual
switch teaming policy health check is at least two active physical
NICs and two hosts.
8. c. Explanation: Cisco Discovery Protocol (CDP) support was
introduced with ESX 3.x. CDP is available for standard switches
and distributed switches that are connected to Cisco physical
switches. Link Layer Discovery Protocol (LLDP) is supported in
vSphere 5.0 and later for vDS (5.0.0 and later), but not for vSS.
9. a. Explanation: With DirectPath I/O in a vSphere 7.0 environment,
a virtual machine can be part of a cluster, but it cannot migrate
across hosts.
10. a. Explanation: The available services for a custom stack are
Management, vMotion, IP-based storage, Provisioning, Fault
Tolerance logging, vSphere Replication, vSphere Replication NFC,
and vSAN.

Chapter 4
1. d. Explanation: Intel EVC Mode Nehalem (Level L2) includes the
Intel Penryn feature set and exposes additional CPU features,
including SSE4.2 and POPCOUNT.

Telegram Channel : @IRFaraExam

2. c. Explanation: When the DRS migration threshold is set to Level
3, the default level, DRS expands on Level 2 by making
recommendations to improve VM happiness and cluster load
distribution.
3. b. Explanation: Resource pools are container objects in the vSphere
inventory that are used to compartmentalize the CPU and memory
resources of a host, a cluster, or a parent resource pool. You can
delegate control over each resource pool to specific individuals and
groups.
4. a. Explanation: Starting in vSphere 6.7, DRS uses a new two-pass
algorithm to allocate resource reservations to its children. In the
second pass, excess pool reservation is allocated proportionally,
limited by the virtual machine’s configured size.
5. d. Explanation: Set Define Host Failover Capacity By to Dedicated
Failover Hosts to designate hosts to use for failover actions.
6. b. Explanation: The medium virtual machine monitoring level sets
Failure Interval to 60 seconds and Reset Period to 24 hours.
7. c. Explanation: For PDL and APD failures, you can set VMCP to
either issue event alerts or to power off and restart virtual
machines. For APD failures only, you can additionally control the
restart policy for virtual machines by setting it to Conservative or
Aggressive.
8. b. Explanation: Predictive DRS requires vCenter Server 6.5 or later,
it must be enabled on both vCenter Server and vROps, and the
vCenter Server and vROps clocks must be synchronized.
9. d. Explanation: vSphere Fault Tolerance can accommodate
symmetric multiprocessor (SMP) virtual machines with up to eight
vCPUs.
10. a. Explanation: If a vCenter service fails, VMware Service
Lifecycle Manager restarts it. VMware Service Lifecycle Manager
is a service running in vCenter server.

Chapter 5

Telegram Channel : @IRFaraExam

5. b. Explanation: After selecting Remediate and selecting the hosts,
you need to click Pre-check Remediation to determine whether the
selected hosts are ready for remediation.

Chapter 9
1. b. Explanation: You can set VLAN ID to 0 (external switch
tagging), 1 to 4094 (virtual switch tagging), or 4095 (virtual guest
tagging).
2. c. Explanation: As a rollback plan, you should export the
distributed switch configuration prior to upgrading. In the export
wizard, choose the option to include the distributed port groups.
3. c. Explanation: Edit the distributed port group setting. In the
settings, click General and then, from the Network Resource Pool
drop-down menu, select the network resource pool and click OK.
4. d. Explanation: The provisioning stack supports traffic for virtual
machine cold migration, cloning, and snapshot migration. It also
supports the Network File Copy (NFC) traffic used for cloning
virtual disks during long-distance vMotion. You can use this stack
to isolate provisioning traffic by placing it on a separate gateway.
The default stack provides networking support for management
traffic and for all VMkernel traffic types.
5. a. Explanation: To enable NetFlow in a distributed port group,
select the distributed port group, select Configure > Policies, click
Edit, and then, on the Monitoring page, select Enable NetFlow or
Disable NetFlow.

Chapter 10
1. c. Explanation: Optionally, you can set Memory Reservation to a
numeric value (the default is 0) and a unit of measure (MB, GB,
MHz, or GHz).
2. c. Explanation: In the vRealize Operations (vROps) GUI, locate the
appropriate vCenter Server adapter instance. Select the adapter,
choose Advanced Settings, and set Provide Data to vSphere

Telegram Channel : @IRFaraExam

Predictive DRS to True.
3. d. Explanation: To disable admission control, set Define Host
Failover Capacity to Disabled.
4. a. Explanation: VIMTOP is a tool you can run in vCenter Server
Appliance to see resource usage for services that are running.
5. d. Explanation: vmware.log is in the same folder as the virtual
machine configuration file.

Telegram Channel : @IRFaraExam

guest OS installations on VM, 250, 574–576
guest user mappings, VM, 585
guests, shutting down, 572
GUI (Graphical User Interface)
installers, 298–301
installing, 23

H
HA (High Availability)
Admission Control, 146–148
advanced options, 148–149
benefits of, 144
best practices, 151
configuring
admission control, 371
advanced options, 370
HA clusters, 370–371
detecting host issues, 144
failovers, 144
heartbeats, 146
Proactive HA, 7, 151, 372
requirements, 145
response to failures, 145–146
vCenter HA, 6, 14
active nodes, 14
cluster management, 557–558
implementing, 316–317
passive nodes, 14
requirements, 24–25
witness nodes, 14
vCenter Server HA, 145, 157

Telegram Channel : @IRFaraExam

installing, 286
installing, Auto Deploy installations, 292–297
installing, interative installations, 286–288
installing, scripted installations, 288–292
kernel options, 321–322
managing, 540–542
profiles, applying, 318–319
profiles, applying permissions, 319–320
profiles, configuring ESXi with host profiles, 317–318
profiles, editing, 319
scripts and host configuration management, 483–485
TPM, 500–501
UEFI Secure Boot, 499–500
verifying legacy hosts with SSL certificates, 554
VIB, 496
VMware Tools, 320–321
failovers, iSCSI, 74
hardware, monitoring/managing resources/health, 386–387
host physical network adapters, managing with vDS, 351
issues, detecting with HA, 144
moving into clusters, 251
profiles, 7, 170–171, 482–483
vDS
adding hosts, 350–351
managing host physical network adapters with vDS, 351
removing hosts, 352
hot clones, 194
hot cross-host migrations. See vMotion
hot migrations, 186
Hot-Plug plug-in (NVMe), vSAN, 53
HPP (High Performance Plug-Ins)
esxcli commands, 457

Telegram Channel : @IRFaraExam

NVMe, 454
VMware HPP, 47
best practices, 48
path selection schemes, 47–48
vSphere support, 47
HTML5-based vSphere Client, 8
hybrid clouds. See cloud computing; HCX

I
IDE 0, 181
IDE 1, 181
identification
NPIV, 40
VLAN ID, standard port groups, 333
Identity Federation, 313–314
identity services, 236
VECS, 236–237, 240–241
VMAFD, 236
VMCA, 236–237, 239
custom certificates, 237
as intermediate CA, 237, 239
management modes (recommended), 237–238
unsupported certificates, 238
vmdir, 236
identity sources
AD, 307–309
SSO, 305–307
IEEE 802.1ax, 93
IEEE 802.3ad, 93
images
cluster images, importing/exporting, 538

Telegram Channel : @IRFaraExam

iSCSI, 37
array-based failovers, 74
host-based failovers, 74
isolation
isolated nodes, PVLAN, 110
networks security, 262
IVD (Improved Virtual Disks). See FCD

J
JSON templates, VCSA deployments with CLI installers, 302
jumbo frames, 97–98

K
KEK (Key Encryption Keys), 61–62, 270, 271
kernels, ESXi, 321–322
Key Management Servers, security, 502
keyboards, 181
KMS, vSAN encryption, 61–62
Kubernetes, 45–46, 54

L
LACP (Link Aggregation Control Protocol), 93, 113–115
LAG (Link Aggregation Groups), 346–349
LAN (Local Area Networks). See PVLAN; VLAN
large-capacity drives, vSAN support, 54
latency
sensitivity, 392
troubleshooting
device latency, 382

N
NAI primitives, VAAI, 71
naming conventions, RDM
dynamic name resolution, 39
user-friendly persistent names, 39
NAS/NFS, 38
NetFlow, 108, 336–337

Telegram Channel : @IRFaraExam

over RDMA, 451, 453
over RDMA (RoCE Version 2) requirements, 46
VMware HPP, 47
best practices, 48
path selection schemes, 47–48
vSphere support, 47

Telegram Channel : @IRFaraExam

VM, migrating to vDS, 353
VMkernel network adapters, migrating to vDS, 352
vSphere Client data center-level management, 111
vSS comparison, 103–104
VECS (VMware Endpoint Certificate Store), 236–237, 304
solution user certificate stores, 240–241
stores, 303–304
vendor add-ons, 534
vGPU (Virtual Graphical Processing Units), VM support, 592–594
VIB (vSphere Installation Bundles), 258, 496
viewing
events
System Event Log, 397
in vSphere Client, 397
System Event Log, 397
triggered alarms, 399–400
vSAN
datastores, 418–419
storage providers, 436
VIMTOP, monitoring/managing resources, 396
virtual compatibility mode, RDM, 38–39
virtual disks, 37
anti-affinity rules, 83
configuring, 581–582
database files, 179
delta disk files, 179
eager zeroed thick virtual disks, 79
files, 175
flat files, 178
increasing size, 582
lazy zeroed thick virtual disks, 79
memory files, 179

W
warning events, 397
web proxies, ESXi security settings, 490–491
Windows Perfmon, 391–392
Windows Session Authentication, enabling SSO, 472–473
witness nodes, vCenter HA, 14
witnesses, vSAN, 52, 54
workflows, evacuation, 136
Write Same (Zero), 71

Telegram Channel : @IRFaraExam

X-Y-Z
XCOPY (Extended Copy), 70
zeroing out files, 79

Telegram Channel : @IRFaraExam

Telegram Channel : @IRFaraExam
Telegram Channel : @IRFaraExam
Telegram Channel : @IRFaraExam
Telegram Channel : @IRFaraExam
Appendix B

Memory Tables
Chapter 1
Table 1-4 Available vSphere Features
Availab Description
le
vSpher
e
Feature
s
A feature introduced in vSphere 7.0 that enables you to back up
and restore the vCenter Server Appliance instances.
A feature that provides live virtual machine migrations with
negligible disruption from a source ESXi host to a target ESXi
host.
A feature that provides automated failover protection for VMs
against host, hardware, network, and guest OS issues. In the event
of host system failure, it performs cold migrations and restarts
failed VMs on surviving hosts.
A feature that places and starts VMs on appropriate ESXi hosts
and hot-migrates VMs using vMotion when there is contention
for compute resources.
A feature that performs live migrations with negligible disruption
of VMs from a source datastore to a target datastore.
A feature that provides automated live failover protection for
VMs against host, hardware, network, and guest OS issues.

Telegram Channel : @IRFaraExam

A feature that optimizes power consumption in an ESXi cluster.
A feature that minimizes VM downtime by proactively detecting
hardware failures and placing the host in Quarantine Mode or
Maintenance Mode.
A centralized repository used to manage and distribute templates,
ISO files, scripts, vApps, and other files associated with VMs.
A feature that provides a means to apply a standard configuration
to a set of ESXi hosts.

Table 1-6 vCenter Server Editions

Feature Essentials Essentials Fo Standard
Plus un
da
tio
n
Number of ESXi hosts 3 (2 CPU 3 (2 CPU 2000
max) max)
vCenter License Packaged Packaged Sold
with with separatel
vSphere vSphere y from
license in license in vSphere
Essentials Essentials license
Plus
Basic vCenter features, like Supported Supported Supporte
single pane of glass d
management, Lifecycle
Manager, and VMware
Converter
Common vCenter features Not Supported Supporte
like vMotion, vSphere HA, supported d
and vSphere Replication
Advanced features like N/A N/A Supporte
vCenter Server High d

Telegram Channel : @IRFaraExam

Availability (VCHA) and
vCenter Server Backup and
Restore

Table 1-10 Compute Specifications for vCenter Server Appliance

Component Number of CPUs Memory
Tiny Environment

Up to 10 hosts or 100 virtual machines

Small Environment

Po Description
lic
y
This policy defines how many host and device failures a VM object
can withstand. For n failures tolerated, data is stored in n+1 location.
(This includes parity copies with RAID 5 or 6.) If no storage policy is
selected at the time of provisioning a VM, this policy is assigned by
default. Where fault domains are used, 2n+1 fault domains, each with
hosts adding to the capacity, are required. If an ESXi host isn’t in a
fault domain, it is considered to be in a single-host fault domain. The
default setting for this policy is 1, and the maximum is 3.
In stretched clusters, this policy defines how many additional host
failures can be tolerated after a site failure’s PFTT has been reached. If
PFTT = 1, SFTT = 2, and one site is inaccessible, two more host
failures can be tolerated. The default setting for this policy is 1, and the
maximum is 3.
If PFTT = 0, this option is available. The options for this policy are
None, Preferred, and Secondary. This allows objects to be limited to
one site or one host in stretched clusters. The default setting for this
policy is None.
This policy defines whether the data replication mechanism is
optimized for performance or capacity. If RAID-1 (Mirroring)—
Performance is selected, there will be more space consumed in the
object placement but better performance for accessing the space. If
RAID-5/6 (Erasure Coding)—Capacity is selected, there will be less
disk utilization, but performance will be reduced.
This policy determines the number of capacity devices where each VM
object replica is striped. Setting this above 1 can improve performance
but consumes more resources. The default setting for this policy is 1,
and the maximum is 12.
This policy defines the amount of flash capacity that is reserved for

Telegram Channel : @IRFaraExam

read caching of VM objects. This is defined as a percentage of the size
of the VMDK. This is supported only in hybrid vSAN clusters. The
default setting for this policy is 0%, and the maximum is 100%.
If set to yes, this policy forces provisioning of objects, even when
policies cannot be met. The default setting for this policy is no.
This policy defines the percentage of VMDK objects that must be thick
provisioned on deployment. The options are as follows:

Thin provisioning (default value)

25% reservation

50% reservation

75% reservation

Thick provisioning

A checksum is used end-to-end in validating the integrity of the data to

ensure that data copies are the same as the original. In the event of a
mismatch, incorrect data is overwritten. If this policy is set to yes, a
checksum is not calculated. The default setting for this policy is no.
This policy sets a limit for IOPS of an object. If set to 0, there is no
limit.

Chapter 3
Table 3-2 Advantages and Disadvantages of IP Hash NIC Teaming

Telegram Channel : @IRFaraExam

Advantages Disadv
antage
s
A more even distribution of the load compared to Route Based on
Originating Virtual Port and Route Based on Source MAC Hash

A potentially higher throughput for virtual machines that

communicate with multiple IP addresses

Table 3-3 Comparison of vSS and vDS Features

Feature vSS vDS
Layer 2 switch
VLAN segmentation (802.1q tagging)
IPv6 support
NIC teaming
Outbound traffic shaping
Cisco Discovery Protocol (CDP)
Inbound traffic shaping
VM network port block
Private VLANs
Load-based NIC teaming
Data center–level management
Network vMotion
Per-port policy settings
Port state monitoring
NetFlow
Port mirroring

Fibre Settings allow the virtual machine to use N_Port ID
Channel Virtualization (NPIV), including whether to generate new
NPIV worldwide names (WWNs).
vApp Settings allow you to control vApp functionality for the virtual
Options machine, such as enable/disable and IP allocation policy.
vApp settings that are made directly to a virtual machine
override settings made on the vApp.

Chapter 6
Table 6-2 Required Permissions for the vCenter Cloud Account
Object Permissions
Datastore

Datastore cluster
Folder

Global

Network

Telegram Channel : @IRFaraExam

Permissions
Resource

Content library
Add library item

Create local library

Create subscribed library

Delete library item

Delete local library

Delete subscribed library

Download files

Evict library item

Evict subscribed library

Telegram Channel : @IRFaraExam

Probe subscription information

Read storage

Sync library item

Sync subscribed library

Type introspection

Update configuration settings

Update files

Update library

Update library item

Update local library

Update subscribed library

View configuration settings

Telegram Channel : @IRFaraExam

Tags
Assign or unassign vSphere tag

Create a vSphere tag

Create a vSphere tag category

Delete vSphere tag

Delete vSphere tag category

Edit vSphere tag

Edit vSphere tag category

Modify UsedBy field for category

Modify UsedBy field for tag

vApp
Import

vApp application configuration.

Virtual machine inventory

Telegram Channel : @IRFaraExam

Virtual machine interaction

Virtual machine configuration

Add existing disk

Add new disk

Add or remove

Remove disk

Advanced

Change CPU count

Change resource

Telegram Channel : @IRFaraExam

Extend virtual disk

Disk change tracking

Memory

Modify device settings

Rename

Set annotation

Settings

Swapfile placement

Virtual machine provisioning

Virtual machine state

Create snapshot

Telegram Channel : @IRFaraExam

Remove snapshot

Revert to snapshot

Table 6-3 Required vCenter Server Privileges for Horizon (without instant
clones)
Privilege Group Privileges to
Enable
Folder

Datastore
Virtual Machine

Telegram Channel : @IRFaraExam

Resource
Global
Host (for Storage Accelerator)

Profile Driven Storage (for vSAN or Virtual

Used by the reverse proxy service, the vCenter

Server service (vpxd), and the VMware Directory
service (vmdir).

Uses X.509 Version 3 certificates to encrypt

session information.
Solution user Stored in VECS.
certificate
Used by solution users to authenticate to vCenter
Single Sign-On through SAML token exchange.
vCenter Single Used throughout vSphere for authentication,

Telegram Channel : @IRFaraExam

Sign-On SSL where a SAML token represents the user’s
signing identity and contains group membership
certificate information.

You can manage this certificate from the

command line. Changing this certificate in the file
system leads to unpredictable behavior.
VMware Starting with vSphere 6.5, the machine SSL
Directory certificate is used as the vmdir certificate.
Service (vmdir)
SSL certificate
vSphere Virtual Used for virtual machine encryption, which relies
Machine on an external key management server (KMS).
Encryption
Certificates
Depending on how the solution authenticates to
the KMS, it might generate certificates and store
them in VECS.

datastore folder:

Datastore.Allocate Space

On the network that the virtual machine

will be assigned to:

Network.Assign Network

Take a virtual machine On the virtual machine or in a virtual

snapshot machine folder:

Virtual Machine.Snapshot
Management.Create Snapshot

Telegram Channel : @IRFaraExam

On the destination datastore or in a
datastore folder:

Datastore.Allocate Space

Move a virtual machine into a On the virtual machine or in a virtual

resource pool machine folder:

Resource.Assign Virtual Machine to

Resource Pool

Virtual Machine.Inventory.Move

In the destination resource pool:

Resource.Assign Virtual Machine to

Resource Pool

Install a guest operating On the virtual machine or in a virtual

system on a virtual machine machine folder:

Virtual Machine.Interaction.Answer
Question

Telegram Channel : @IRFaraExam

Virtual Machine.Interaction.Console
Interaction

Virtual Machine.Interaction.Device
Connection

Virtual Machine.Interaction.Power Off

Virtual Machine.Interaction.Power On

Virtual Machine.Interaction.Reset

Virtual Machine.Interaction.Configure CD
Media

Virtual Machine.Interaction.Configure
Floppy Media

Virtual Machine.Interaction.Tools Install

On a datastore containing the installation

media ISO image:

Datastore.Browse Datastore

Telegram Channel : @IRFaraExam

On the datastore to which you upload the
installation media ISO image:

Datastore.Browse Datastore

Datastore.Low Level File Operations

Migrate a virtual machine

with vMotion

Cold migrate (relocate) a

virtual machine

Migrate a virtual machine On the virtual machine or in a virtual

with Storage vMotion machine folder:

Resource.Migrate Powered On Virtual

Machine

Telegram Channel : @IRFaraExam

On the destination datastore:

Datastore.Allocate Space

Move a host into a cluster On the host:

Host.Inventory.Add Host to Cluster

On the destination cluster:

Host.Inventory.Add Host to Cluster

Host.Inventory.Modify. cluster

Table 7-11 ESXi Security Profile Services

Service Defau Description
lt
State
Direct Console Allows you to interact with an ESXi host
User Interface from the local console host using text-based
(DCUI) menus
ESXi Shell Is available from the DCUI or from SSH
SSH Allows remote connections through Secure
Shell

Telegram Channel : @IRFaraExam

Load-Based Enables load-based teaming
Teaming Daemon
attestd Enables the vSphere Trust Authority
Attestation Service
kmxd Enables the vSphere Trust Authority Key
Provider Service
Active Directory Is started on hosts after you configure ESXi
Service for Active Directory
NTP Daemon Enables the Network Time Protocol daemon
PC/SC Smart Is started on hosts after you enable the host
Card Daemon for smart card authentication
CIM Server Can be used by Common Information Model
(CIM) applications
SNMP Server Enables the SNMP daemon
Syslog Server Enables the syslog daemon
VMware vCenter Connects the host to vCenter Server
Agent (vpxa)
X.Org Server Internally used for virtual machine 3D
graphics

Table 7-12 Incoming and Outgoing Firewall Ports

Table 7-14 Network Security Policies

O Se Description
pti tti
on ng
The virtual switch forwards all frames to the virtual network
adapter.

Store Description
Used by the reverse proxy service on each ESXi host and by
the vmdir service.
Contains all trusted root certificates.

Solution VECS includes one store for each solution user.

user
stores:

Machine

vpxd

vpxd-
extension

vsphere-
webclient

Used by VMCA to support certificate reversion.

Other Other stores might be added by solutions. For example, the

Telegram Channel : @IRFaraExam

cy Number of the user’s previous passwords that cannot
be selected.
Maximum number of characters that are allowed in the
password.
Minimum number of characters that are allowed in the
password, which must be no fewer than the combined
minimum of alphabetic, numeric, and special character
requirements.
Minimum number of different character types that are
required in the password. The types include special,
alphabetic, uppercase, lowercase, and numeric.
Identical The number of identical adjacent characters that are
adjacent supported in a password. The value must be greater
character than 0.
s
Loc Descripti Description of the lockout policy.
kou on
t Maximum number of failed login attempts that are
Poli allowed before the account is locked.
cy
Time period in which failed login attempts must occur
to trigger a lockout.
Unlock The amount of time the account stays locked. The value
time 0 specifies that an administrator must explicitly unlock
the account.
Tok Time difference, in milliseconds, that SSO tolerates
en between a client clock and a domain controller clock. If
Poli the time difference is greater than the specified value,
cy SSO declares the token to be invalid.
Maximum number of times a token may be renewed
before a new security token is required.
Maximum number of times a single holder-of-key

token can be delegated.

Telegram Channel : @IRFaraExam

The lifetime value of a bearer token before the token
must be reissued.
Maximu The lifetime value of a holder-of-key token before the
m token is marked invalid.
holder-
of-key
token
lifetime

Table 8-11 ESXi 7.0 Kernel Options

Kerne Description
l
Optio
n
aut This option, if set to TRUE, defines automatic partitioning of the
oPa unused local storage devices at boot time. The boot disk gets
rtiti partitioned with boot bands, ESXi-OSData, and, if the disk is larger
on= than 128 GB, a VMFS partition. Any new empty device discovered
TR will be auto-partitioned as well. Auto-partitioning can be set for
UE/ only the first unused device with the setting
FA autoPartitionOnlyOnceAndSkipSsd=TRUE. On hosts with USB
LS boot and VMFS-L, ESX-OSData does not exist on other local
E disks.
(def
ault
FA If a storage device has both a scratch partition and a coredump
LS partition, the scratch partition is converted to ESX-OSData;
E) otherwise, the first unused disk identified is partitioned with ESX-
OSData as well.
If this option is set to TRUE, local SSDs are excluded from
automatic partitioning.
If this option is set to TRUE, SSD/NVMe devices are excluded,
and the ESXi host automatically partitions the first unused local
disk if there is no VMFS-L ESX-OSData volume.

Telegram Channel : @IRFaraExam

If this option is set to TRUE, ESXi can write kernel crash
coredumps to the VMFS-L Locker volume on a USB boot device.
This option sets the size of the coredump file (in megabytes)
created on the system VMFS-L volume. This is limited to one-half
of the space available on the VMFS-L volume.
This option, when set to TRUE, automatically creates a coredump
file. This is attempted in the following order:

VMFS-L ESX-OSData

USB VMFS-L

Local VMFS

DRS cluster.

Increase the
number of hosts
in the DRS
cluster.

Migrate one or
more virtual
machines to other
hosts.

Add physical
memory to the
host.

Virtual The guest OS is not provided sufficient Increase the

machine: memory by the virtual machine. memory size of
Memory the virtual
usage is machine.
high.

Guest OS:
Memory
usage is
high.

Telegram Channel : @IRFaraExam

Paging is
occurring.

Virtual
machine:
CPU ready
is low.

Guest OS:
CPU
utilization
is high.

Datastore:
Space
utilization
is high.

Disk:
Device
latency is
greater
than 15
ms.
Disk: The maximum throughput of a storage Migrate the
VMkernel device is not sufficient to meet the virtual machines
latency is demand of the current workload. to datastores
greater backed by storage
than 4 ms. devices (LUNs)

Add more disks

(spindles) to the
storage device
backing the
datastore.

Configure the
queue depth and
cache settings on
the RAID
controllers.
Adjust the
Disk.SchedNumR
eqOutstanding
parameter.

Configure
multipathing.

Increase the
memory size of
the virtual

Telegram Channel : @IRFaraExam

machine to
eliminate any
guest OS paging.
Increase the guest
OS caching of
disk I/O.

Ensure that no
virtual machine
swapping or
ballooning is
occurring.

Defragment guest
file systems.

Use eager zeroed

thick provisioned
virtual disks.

Network: The maximum throughput of a Install VMware

The physical network adapter is not Tools on each
number of sufficient to meet the demand of the virtual machine
packets current workload. and configure the
dropped is guest OS to use
greater the best-
than zero. Virtual machine network resource performing
Latency is shares are too few. network adapter
high. The driver (such as
transfer Network packet size is too large, which vmxnet3).
rate is low. results in high network latency. Use
the VMware AppSpeed performance Migrate virtual
monitoring application or a third-party machines to other
application to check network latency. hosts or to other
physical network

Telegram Channel : @IRFaraExam

Network packet size is too small, adapters.
which increases the demand for the
CPU resources needed for processing
each packet. Host CPU, or possibly Verify that all
virtual machine CPU, resources are not NICs are running
enough to handle the load. in full duplex
mode.

Implement TCP
Segmentation
Offload (TSO)
and jumbo
frames.

Assign additional
physical adapters
as uplinks for the
associated port
groups.

Replace physical
network adapters
with high-
bandwidth
adapters.

Place sets of
virtual machines
that communicate
with each other
regularly on the
same ESXi host.

Performan Some metrics are not available for pre- Upgrade hosts to
ce charts ESXi 5.0 hosts. a later version of

Real-time statistics are not available

for disconnected hosts or powered-off Allow time for
virtual machines. the required roll-
ups for non-real-
time statistics.
Non-real-time statics are rolled up at
specific intervals. For example, 1-day
statistics might not be available for 30
minutes after the current time,
depending on when the sample period
began.

The 1-day statistics are rolled up to

create one data point every 30 minutes.
If a delay occurs in the roll-up
operation, the 1-week statistics might
not be available for 1 hour after the
current time. It takes 30 minutes for the
1-week collection interval, plus 30
minutes for the 1-day collection

Telegram Channel : @IRFaraExam

interval.

The 1-week statistics are rolled up to

The 1-month statistics are rolled up to

Table 10-9 Key ESXTOP Panels and Metrics

Panel St Description
ati
sti
c
CPU Percentage of physical CPU core cycles used by the virtual
machine.
CPU Percentage of total time scheduled for the virtual machine
without accounting for hyperthreading, system time, co-
stopping, and waiting:

%RUN = 100% – %RDY – %CSTP – %WAIT

The vCenter Server collects only error entries in its log files.
The vCenter Server collects warning and error entries in its log
files.

The vCenter Server collects information, warning, and error

entries in its log files.
The vCenter Server collects verbose, information, warning, and
error entries in its log files.

Telegram Channel : @IRFaraExam

The vCenter Server collects trivia, verbose, information,
warning, and error entries in its log files.

Chapter 11
Table 11-2 Network Differences in vSAN and non-vSAN Clusters
Factor vSAN Is vSAN Is Not Enabled
Enabled
Network used by Management network
vSphere HA
Heartbeat Any datastore that is mounted to multiple
datastores hosts in the cluster

Host isolation Isolation addresses not pingable and

criteria management network inaccessible

Table 11-4 Datastore Browser Options

vCloud Director vCloud Director

Memory Tables Answer Key

Chapter 1
Table 1-4 Available vSphere Features
Available Description
vSphere
Features
vCenter A feature introduced in vSphere 7.0 that enables you to
Appliance back up and restore the vCenter Server Appliance
File-Based instances.
Backup and
Restore
vMotion A feature that provides live virtual machine migrations with
negligible disruption from a source ESXi host to a target
ESXi host.
vSphere A feature that provides automated failover protection for
HA VMs against host, hardware, network, and guest OS issues.
In the event of host system failure, it performs cold
migrations and restarts failed VMs on surviving hosts.
Distributed A feature that places and starts VMs on appropriate ESXi
Resource hosts and hot-migrates VMs using vMotion when there is
Scheduler contention for compute resources.
(DRS)
Storage A feature that performs live migrations with negligible
vMotion disruption of VMs from a source datastore to a target
datastore.
Fault A feature that provides automated live failover protection

Telegram Channel : @IRFaraExam

Tolerance for VMs against host, hardware, network, and guest OS
(FT) issues.
Distributed A feature that optimizes power consumption in an ESXi
Power cluster.
Manageme
nt (DPM)
Proactive A feature that minimizes VM downtime by proactively
HA detecting hardware failures and placing the host in
Quarantine Mode or Maintenance Mode.
Content A centralized repository used to manage and distribute
library templates, ISO files, scripts, vApps, and other files
associated with VMs.
Host A feature that provides a means to apply a standard
profiles configuration to a set of ESXi hosts.

Table 1-6 vCenter Server Editions

Feature Essentials Essentials Foundati Standard
Plus on
Number of ESXi hosts 3 (2 CPU 3 (2 CPU 4 2000
max) max)
vCenter License Packaged Packaged Sold Sold
with with separat separat
vSphere vSphere ely ely
license in license in from from
Essential Essentials vSpher vSpher
s Plus e e
license license
Basic vCenter features, Supporte Supported Support Support
like single pane of glass d ed ed
management, Lifecycle
Manager, and VMware
Converter
Common vCenter features Not Supported Support Support

Table 1-10 Compute Specifications for vCenter Server Appliance

Component Number of CPUs Memory
Tiny Environment 2 12 GB

Up to 10 hosts or 100 virtual machines

Small Environment 4 19 GB

Up to 100 hosts or 1000 virtual machines

Medium Environment 8 28 GB

Up to 400 hosts or 4000 virtual machines

Large Environment 16 37 GB

Up to 1000 hosts or 10,000 virtual machines

X-Large Environment 24 56 GB

Up to 2000 hosts or 35,000 virtual machines

Chapter 2
Table 2-2 Comparison of VMFS Version 5 and Version 6
VMFS Features and Version 5 Versio
Functionalities n6
Access for ESXi hosts Version 6.5 Yes Yes
and later
Access for ESXi hosts Version 6.0 Yes No
and earlier
Datastores per host 512 512
512n storage devices Yes Yes
(def
ault)
512e storage devices Yes (Not supported on local Yes
512e devices.) (def
ault)
4Kn storage devices No Yes
Automatic space reclamation No Yes
Manual space reclamation through Yes Yes
the esxcli command.
Space reclamation from guest OS Limited Yes
GPT storage device partitioning Yes Yes
MBR storage device partitioning Yes No

For a VMFS5 datastore that

has been previously

25% reservation

50% reservation

75% reservation

Thick provisioning

Dis A checksum is used end-to-end in validating the integrity of the data

Chapter 3
Table 3-2 Advantages and Disadvantages of IP Hash NIC Teaming
Advantages Disadvantages
A more even distribution of the load Highest resource
compared to Route Based on Originating consumption compared to

Telegram Channel : @IRFaraExam

Virtual Port and Route Based on Source the other load-balancing
MAC Hash algorithms

A potentially higher throughput for virtual Requires changes on the

machines that communicate with multiple IP physical network.
addresses
Complex to troubleshoot

Table 3-3 Comparison of vSS and vDS Features

Feature vSS vDS
Layer 2 switch X X
VLAN segmentation (802.1q tagging) X X
IPv6 support X X
NIC teaming X X
Outbound traffic shaping X X
Cisco Discovery Protocol (CDP) X X
Inbound traffic shaping X
VM network port block X
Private VLANs X
Load-based NIC teaming X
Data center–level management X
Network vMotion X
Per-port policy settings X
Port state monitoring X
NetFlow X
Port mirroring X

Table 3-4 vDS Health Checks

Telegram Channel : @IRFaraExam

Health Check Required vDS
Configuration
Checks whether the VLAN trunk ranges on the At least two
distributed switch match the trunk port configuration active physical
on the connected physical switch ports. NICs
Checks for matching MTU settings on the distributed At least two
switch, the physical network adapter, and the physical active physical
switch ports. NICs
Checks whether the virtual switch teaming policy At least two
matches the physical switch port-channel settings. active physical
NICs and two
hosts

Table 3-5 SR-IOV Requirements

Component Requirements
Physical host Must use an Intel or AMD processor.

Must support IOMMU and SR-IOV.

IOMMU and SR-IOV must be enabled in the BIOS.

Physical network Must be supported by the server vendor for use with
adapter the host system and SR-IOV for the specific ESXi
release.

SR-IOV must be enabled in the firmware.

Must use MSI-X interrupts.

Physical function Must be certified by VMware.
(PF) driver in
ESXi
Must be installed on the ESXi host, which may
require custom installation.

Telegram Channel : @IRFaraExam

Guest OS Must be supported by the NIC vendor for the specific
ESXi release.
Virtual function Must be compatible with the NIC and supported on
(VF) driver in the guest OS release.
guest OS
Must be Microsoft WLK or WHCK certified for
Windows virtual machines.

Must be installed on the operating system and may

require custom installation.

Folder
Create folder

Delete folder

Global
Manage custom attributes

Set custom attribute

Network
Assign network

Permissions
Modify permission

Resource
Assign VM to resource pool

Telegram Channel : @IRFaraExam

Migrate powered-off virtual machine

Migrate powered-on virtual machine

Content library
Add library item

Create local library

Create subscribed library

Delete library item

Delete local library

Delete subscribed library

Download files

Evict library item

Evict subscribed library

Probe subscription information

Telegram Channel : @IRFaraExam

Read storage

Sync library item

Sync subscribed library

Type introspection

Update configuration settings

Update files

Update library

Update library item

Update local library

Update subscribed library

View configuration settings

Tags
Assign or unassign vSphere tag

Create a vSphere tag

Telegram Channel : @IRFaraExam

Create a vSphere tag category

Delete vSphere tag

Delete vSphere tag category

Edit vSphere tag

Edit vSphere tag category

Modify UsedBy field for category

Modify UsedBy field for tag

vApp
Import

vApp application configuration.

Virtual machine inventory

Create from existing

Create new

Move

Telegram Channel : @IRFaraExam

Remove

Virtual machine interaction

Configure CD media

Console interaction

Device connection

Power off

Power on

Reset

Suspend

Tools install

Virtual machine configuration

Add existing disk

Add new disk

Add or remove

Telegram Channel : @IRFaraExam

Virtual machine provisioning
Customize

Clone template

Clone virtual machine

Deploy template

Read customization specs

Virtual machine state

Create snapshot

Remove snapshot

Revert to snapshot

Table 6-3 Required vCenter Server Privileges for Horizon (without instant
clones)
Privilege Group Privileges to Enable
Folder
Create Folder

Delete Folder

Telegram Channel : @IRFaraExam

Datastore
Allocate space

Virtual Machine In Configuration:

Add or remove device

Advanced

Modify device settings

In Interaction:

Power off

Power on

Reset

Suspend

Perform wipe or shrink

operations

Telegram Channel : @IRFaraExam

In Inventory:

Create new

Create from existing

Remove

In Provisioning:

Customize

Deploy template

Read customization
specifications

Clone template

Clone virtual machine

On the destination host or cluster or in

the resource pool:

Resource.Assign Virtual Machine to

Resource Pool

On the destination datastore or in the

datastore folder:

Datastore.Allocate Space

On the network:

Network.Assign Network

Deploy a virtual machine On the destination folder or in the data

from a template center:

Virtual Machine.Inventory.Create from

Telegram Channel : @IRFaraExam

Existing

Virtual Machine.Configuration.Add New

Disk

On a template or in a template folder:

Virtual Machine.Provisioning.Deploy
Template

On the destination host or cluster or in

the resource pool:

Resource.Assign Virtual Machine to

Resource Pool

On the destination datastore or in a

datastore folder:

Datastore.Allocate Space

On the network that the virtual machine

will be assigned to:

Telegram Channel : @IRFaraExam

Network.Assign Network

Take a virtual machine On the virtual machine or in a virtual

snapshot machine folder:

Virtual Machine.Snapshot
Management.Create Snapshot

On the destination datastore or in a

datastore folder:

Datastore.Allocate Space

Move a virtual machine into a On the virtual machine or in a virtual

resource pool machine folder:

Resource.Assign Virtual Machine to

Resource Pool

Virtual Machine.Inventory.Move

In the destination resource pool:

Telegram Channel : @IRFaraExam

Resource.Assign Virtual Machine to
Resource Pool

Install a guest operating On the virtual machine or in a virtual

system on a virtual machine machine folder:

Virtual Machine.Interaction.Answer
Question

Virtual Machine.Interaction.Console
Interaction

Virtual Machine.Interaction.Device
Connection

Virtual Machine.Interaction.Power Off

Virtual Machine.Interaction.Power On

Virtual Machine.Interaction.Reset

Virtual Machine.Interaction.Configure CD
Media

Virtual Machine.Interaction.Configure
Floppy Media

Telegram Channel : @IRFaraExam

Virtual Machine.Interaction.Tools Install

On a datastore containing the installation

media ISO image:

Datastore.Browse Datastore

On the datastore to which you upload the

installation media ISO image:

Datastore.Browse Datastore

resource pool:

Resource.Assign Virtual Machine to

Resource Pool

On the destination datastore:

Telegram Channel : @IRFaraExam

Datastore.Allocate Space

Migrate a virtual machine On the virtual machine or in a virtual

with Storage vMotion machine folder:

Resource.Migrate Powered On Virtual

Machine

On the destination datastore:

Datastore.Allocate Space

Move a host into a cluster On the host:

Host.Inventory.Add Host to Cluster

On the destination cluster:

Telegram Channel : @IRFaraExam

Subnet mask Optional Default: Based on the
configured IP address
Gateway Optional Default: Based on the
configured IP address
and subnet mask
Primary DNS Optional Default: Based on the
configured IP address
and subnet mask
Secondary DNS Optional Default: None
Host name Required for static IP Default: None
settings
Install location Required At least 5 GB if you
install on a single disk

Default: None

Table 8-5 Auto Deploy Components

Compo Description/Purpose
nent
Auto Uses a rules engine, a set of images, a set of host profiles, and
Depl required infrastructure to manage ESXi deployments.
oy

Telegram Channel : @IRFaraExam

serve
r
Rule Assigns image profiles and host profiles to each host.
s
engi
ne
Host Defines host-specific configurations, such as networking, NTP,
profi and host permissions. You can use host customization in
le conjunction with host profiles to provide details that are unique to
each host, such as IP address.
Auto Servers as a command-line engine for driving Auto Deploy.
Depl
oy
Pow
erCL
I
Imag Servers as a command-line engine for building images.
e
Buil
der
Pow
erCL
I
vCen Manages the vSphere inventory and provides host profiles.
ter
Serv
er
DHC Provides IP configuration to the host and redirects the host to the
P PXE server.
serve
r
PXE Boots the host and directs it to the TFTP server.
serve
r

Telegram Channel : @IRFaraExam

TFT Provides the appropriate boot image.
P
serve
r

Soft Holds a collection of VIBs either online (accessible via HTTP) or

ware offline (accessible via a USB drive or CD/DVD).
depo
t
Imag Holds a collection of VIBs used to install the ESXi server and
e saved as ZIP files or ISO images. You can obtain image profiles
profi from VMware and VMware partners, and you can create custom
le image profiles by using ESXi Image Builder.
vSph Packages a collection of files (such as drivers) into an archive
ere similar to a ZIP file. Each VIB is released with an acceptance
Insta level that cannot be changed. The host acceptance level assigned
llatio to each host determines which VIBs can be installed to the host.
n These are the acceptance levels, from highest to lowest:
Bun
dle
(VIB VMwareCertified
)

VMwareAccepted

PartnerSupported

CommunitySupported

Table 8-9 VECS Stores

Store Description
Machine SSL store Used by the reverse proxy service on each

Telegram Channel : @IRFaraExam

(MACHINE_SSL_CERT) ESXi host and by the vmdir service.
Trusted root store Contains all trusted root certificates.
(TRUSTED_ROOTS)
Solution user stores: VECS includes one store for each solution
user.

Machine

vpxd

m token is marked invalid.
holder-
of-key
token
lifetime

Table 8-11 ESXi 7.0 Kernel Options

Kernel Description
Option
autoP This option, if set to TRUE, defines automatic partitioning of the
artitio unused local storage devices at boot time. The boot disk gets
n=TR partitioned with boot bands, ESXi-OSData, and, if the disk is
UE/F larger than 128 GB, a VMFS partition. Any new empty device
ALSE discovered will be auto-partitioned as well. Auto-partitioning
(defau can be set for only the first unused device with the setting
lt autoPartitionOnlyOnceAndSkipSsd=TRUE. On hosts with
FALS USB boot and VMFS-L, ESX-OSData does not exist on other
E) local disks.

If a storage device has both a scratch partition and a coredump

Telegram Channel : @IRFaraExam

FALS
E)
autoP If this option is set to TRUE, SSD/NVMe devices are excluded,
artitio and the ESXi host automatically partitions the first unused local
nOnly disk if there is no VMFS-L ESX-OSData volume.
Once
AndS
kipSsd
=TRU
E/FA
LSE
(defau
lt
FALS
E)
allow If this option is set to TRUE, ESXi can write kernel crash
CoreD coredumps to the VMFS-L Locker volume on a USB boot
umpO device.
nUSB
=TRU
E/FA
LSE
(defau
lt
FALS
E)
dump This option sets the size of the coredump file (in megabytes)
Size created on the system VMFS-L volume. This is limited to one-
(defau half of the space available on the VMFS-L volume.
lt:0
(auto
matica
lly
sized))
autoC This option, when set to TRUE, automatically creates a
reateD coredump file. This is attempted in the following order:

Chapter 9
Table 9-2 VLAN ID Details
VLA VLAN Tagging Description
N ID Mode
0 External switch The virtual switch does not pass traffic
tagging (EST) associated with a VLAN.
1 to Virtual switch The virtual switch tags traffic with the entered
409 tagging (VST) tag.
4
409 Virtual guest Virtual machines handle VLANs. The virtual
5 tagging (VGT) switch passes traffic from any VLAN.
Enhanced LACP support for vDS supports the following load-balancing
modes (hashing algorithms):

Destination IP address
Destination IP address and TCP/UDP port
Destination IP address and VLAN
Destination IP address, TCP/UDP port, and VLAN
Destination MAC address

Telegram Channel : @IRFaraExam

Destination TCP/UDP port
Source IP address
Source IP address and TCP/UDP port
Source IP address and VLAN
Source IP address, TCP/UDP port, and VLAN
Source MAC address
Source TCP/UDP port
Source and destination IP address
Source and destination IP address and TCP/UDP port
Source and destination IP address and VLAN
Source and destination IP address, TCP/UDP port, and VLAN
Source and destination MAC address
Source and destination TCP/UDP port
Source port ID
VLAN

Chapter 10
Table 10-4 Performance Chart Types
Ch Description Example
art
Ty
pe
L Displays metrics for a For example, Aa network chart for a host can
i single inventory contain one line showing the number of
n object, where data for packets received and another line showing
e each metric is the number of packets transmitted.
c represented by a
h separate line.
a

Telegram Channel : @IRFaraExam

rt
B Displays metrics for A bar chart can display metrics for
a objects, where each datastores, where each datastore is
r bar represents metrics represented as a bar. Each bar displays
c for an object. metrics based on the file type, such as virtual
h disk or snapshot.
a
rt
P Displays metrics for a A datastore pie chart can display the amount
i single object, where of storage space occupied by each virtual
e each slice represents machine or by each file type.
c a category or child
h object.
a
rt
S Displays metrics for A host’s stacked CPU usage chart displays
t child objects. metrics for the 10 virtual machines on the
a host that are consuming the most CPU. The
c Other amount displays the total CPU usage
k of the remaining virtual machines.
e
d
C
h
a
rt

Table 10-6 CPU Performance Analysis

Upgrade ESXi to
the latest version.

Enable CPU-
saving features
such as TCP
segmentation
offload, large
memory pages,
and jumbo
frames.

Increase the
amount of
memory allocated
to the virtual
machines, which
may improve
cached I/O and
reduce CPU
utilization.

Telegram Channel : @IRFaraExam

Reduce the
number of virtual
CPUs assigned to
virtual machines.

Ensure that
VMware Tools is
installed.

Compare the
CPU usage of
troubled virtual
machines with
that of other
virtual machines
on the host or in
the resource pool.
(Hint: Use a
stacked graph.)

Increase the CPU

Add the host to a

DRS cluster.

Increase the
number of hosts
in the DRS
cluster.

Migrate one or
more virtual
machines to other
hosts.

Add physical
memory to the
host.
Virtual The guest OS is not provided sufficient Increase the
machine: memory by the virtual machine. memory size of
Memory the virtual
usage is machine.
high.

Telegram Channel : @IRFaraExam

Guest OS:
Memory
usage is
high.
Paging is
occurring.

Virtual The guest OS is not provided sufficient Increase the

machine: CPU resources by the virtual machine. number of CPUs
CPU ready for the virtual
is low. machine.

Guest OS: Migrate the

CPU virtual machine to
utilization a host with faster
is high. CPUs.
Datastore: Snapshot files are consuming a lot of Delete or
Space datastore space. consolidate
utilization virtual machine
is high. snapshots.
Some virtual machines are provisioned
with more storage space than required.
Convert some
virtual disks to
The datastore has insufficient storage thin provisioned.
space to meet the demand.

Migrate one or
more virtual
machines (or
virtual disks) to
other datastores.

Add the datastore

to a Storage DRS
datastore cluster.

Telegram Channel : @IRFaraExam

storage device
backing the
datastore.

Configure the
queue depth and
cache settings on
the RAID
controllers.
Adjust the
Disk.SchedNumR
eqOutstanding
parameter.

Configure
multipathing.

Increase the
memory size of
the virtual
machine to
eliminate any
guest OS paging.
Increase the guest
OS caching of
disk I/O.

Ensure that no
virtual machine
swapping or
ballooning is
occurring.

Defragment guest

Telegram Channel : @IRFaraExam

file systems.

Use eager zeroed

thick provisioned
virtual disks.
Network: The maximum throughput of a Install VMware
The physical network adapter is not Tools on each
number of sufficient to meet the demand of the virtual machine
packets current workload. and configure the
dropped is guest OS to use
greater the best-
than zero. Virtual machine network resource performing
Latency is shares are too few. network adapter
high. The driver (such as
transfer Network packet size is too large, which vmxnet3).
rate is low. results in high network latency. Use
the VMware AppSpeed performance Migrate virtual
monitoring application or a third-party machines to other
application to check network latency. hosts or to other
physical network
Network packet size is too small, adapters.
which increases the demand for the
CPU resources needed for processing Verify that all
each packet. Host CPU, or possibly NICs are running
virtual machine CPU, resources are not in full duplex
enough to handle the load. mode.

Implement TCP
Segmentation
Offload (TSO)
and jumbo
frames.

Assign additional

Telegram Channel : @IRFaraExam

physical adapters
as uplinks for the
associated port
groups.

Replace physical
network adapters
with high-
bandwidth
adapters.

Place sets of
virtual machines
that communicate
with each other
regularly on the
same ESXi host.

Performan Some metrics are not available for pre- Upgrade hosts to
ce charts ESXi 5.0 hosts. a later version of
are empty. ESXi.
Data is deleted when you remove
objects to vCenter Server or remove Allow time for
them. data collection on
objects that were
recently added,
Performance chart data for inventory migrated, or
objects that were moved to a new site recovered to the
by VMware vCenter Site Recovery vCenter Server.
Manager is deleted from the old site
and not copied to the new site.
Power on all
hosts and allow
Performance chart data is deleted when time for real-time
you use VMware vMotion across statistics to
vCenter Server instances. collect.

The 1-day statistics are rolled up to

The 1-week statistics are rolled up to

Logging Option Description
None (Disable No vCenter Server logging occurs.
Logging)
Error (Errors The vCenter Server collects only error entries in its log
Only) files.
Warning The vCenter Server collects warning and error entries
(Warning and in its log files.
Errors)
Info (Normal The vCenter Server collects information, warning, and
Logging) error entries in its log files.
Verbose The vCenter Server collects verbose, information,
(Verbose) warning, and error entries in its log files.
Trivia The vCenter Server collects trivia, verbose,
(Extended information, warning, and error entries in its log files.
Verbose)

Telegram Channel : @IRFaraExam

Chapter 11
Table 11-2 Network Differences in vSAN and non-vSAN Clusters
Factor vSAN Is Enabled vSAN Is Not Enabled
Network vSAN network Management network
used by
vSphere
HA
Heartbeat Any datastore, other than a Any datastore that is
datastore vSAN datastore, that is mounted mounted to multiple
s to multiple hosts in the cluster hosts in the cluster
Host Isolation addresses not pingable Isolation addresses not
isolation and vSAN storage network pingable and
criteria inaccessible management network
inaccessible

Table 11-4 Datastore Browser Options

Table 12-4 ESXi Lockdown Mode Behavior

Service Normal Mode Normal Strict Lockdown
Lockdown Mode
Mode
vSphe All users, based on vCenter vCenter
re permissions (vpxuser) (vpxuser)
Web
Servi
ces Exception Exception
API users, based on users, based on
permissions permissions

vCloud vCloud
Director Director
(vslauser, if (vslauser, if
available) available)
CIM Users with administrator vCenter vCenter

Telegram Channel : @IRFaraExam

provi privileges on the host (vpxuser) (vpxuser)
ders
Exception Exception
users, based on users, based on
permissions permissions

Exception Exception
users with users with
administrator administrator
privileges on privileges on
the host the host
SSH Users with administrator Users defined Users defined

Telegram Channel : @IRFaraExam

(if privileges on the host in the in the
enabl DCUI.Access DCUI.Access
ed) advanced advanced
option option

Exception Exception
users with users with
administrator administrator
privileges on privileges on
the host the host

Chapter 13
Table 13-4 Lifecycle Manager Definitions
Term Definition
Update A software release that makes small changes to the current
version, such as vSphere 7.0 Update 1, 7.0 Update 2, and so
on.
Upgrade A software release that introduces major changes to the
software. For example, you can upgrade from vSphere 6.5 to
6.7 and 7.0.
Patch A small software update that provides bug fixes or
enhancements to the current version of the software, such as
7.0a, 7.0 Update 1a, and so on.
VIB The smallest installable software package (metadata and
(vSphere binary payload) for ESXi.
Installation
Bundle)
VIB An XML file that describes the contents of the VIB,
metadata including dependency information, textual descriptions,
system requirements, and information about bulletins.
Standalone A VIB that is not included in a component.
VIB

Telegram Channel : @IRFaraExam

Depot The hosted version of updates provided by VMware, OEMs,
and third-party software vendors, containing the metadata
and the actual VIBs.
Offline An archive (ZIP file) that contains VIBs and metadata that
bundle/offl you use for offline patching and updates. A single offline
ine depot bundle might contain multiple base images, vendor add-ons,
or components.
OEM A VMware partner, such as Dell, HPE, or VMware Cloud
(original on AWS.
equipment
manufactu
rer)
Third- A provider of I/O filters, device drivers, CIM modules, and
party so on.
software
provider

Table 13-8 Collection Intervals

Collection Collecti Default Behavior
Interval on
(Archive Freque
Length) ncy
1 day 5 Real-time (20-second) statistics are rolled up to
minut create one data point every 5 minutes. The result
es is 288 data points every day.

You can change the interval duration and archive

Telegram Channel : @IRFaraExam

You cannot change the default settings of the 1-
week collection interval.
1 month 2 1-week statistics are rolled up to create one data
hours point every 2 hours. The result is 360 data points
every month.

You cannot change the default settings of the 1-

month collection interval.
1 year 1 day 1-month statistics are rolled up to create one data
point every day. The result is 365 data points
each year.

You can change the archive length of the 1-year

collection interval by configuring the statistics
settings.

Telegram Channel : @IRFaraExam

N
NetFlow: A switch feature that collects IP network traffic as it enters or exits
an interface. NetFlow data provides an overview of traffic flows, based on the
network source and destination.
network resource pool: A mechanism that enables you to apply a part of the
bandwidth that is reserved for virtual machine system traffic to a set of
distributed port groups.
Non-Volatile Memory Express (NVMe) device: A high-performance
alternative to SCSI storage.

O
Open Virtual Appliance (OVA) template: A single-file distribution of an
OVF package.
Open Virtual Format (OVF) template: A set of files with the OVF,
VMDK, and MF file extensions

P-Q
PMem device: A non-volatile dual in-line memory module (NVDIMM) on
the ESXi host that resides in a normal memory slot.
port mirroring: A process that allows administrators to duplicate everything
that is happening on one distributed port to then be visible on another
distributed port.
Predictive DRS: A feature that leverages the predictive analytics of vRealize
Operations (vROps) Manager and vSphere DRS to provide workload
balancing prior to the occurrence of resource utilization spikes and resource
contention.
private VLAN (PVLAN): An extension of the VLAN standard that is not
double encapsulated but that allows a VLAN to effectively be subdivided into
other VLANs
Proactive HA: A vSphere feature that minimizes VM downtime by
proactively detecting hardware failures and placing the host in Quarantine

Telegram Channel : @IRFaraExam

Mode or Maintenance Mode.
Proactive High Availability (Proactive HA): A feature that integrates with
select hardware partners to detect degraded components and evacuate VMs
from affected vSphere hosts before an incident causes a service interruption.

R
raw device mapping (RDM): A mapping file that contains metadata that
resides in a VMFS datastore and acts as a proxy for a physical storage device
(LUN), allowing a virtual machine to access the storage device directly.
resource pool: A container object in the vSphere inventory that is used to
compartmentalize the CPU and memory resources of a host or cluster.

S
Single Root I/O Virtualization (SR-IOV): A feature that allows a single
Peripheral Component Interconnect Express (PCIe) device to appear as
multiple devices to the hypervisor (ESXi) or to a virtual machine’s guest
operating system.
Site Recovery Manager (SRM): A VMware business continuity solution
that you can use to orchestrate planned migrations, test recoveries, and
disaster recoveries.
Skyline: A proactive support technology developed by VMware Global
Services that is available to customers with an active Production Support or
Premier Services agreement.
stateless caching: A type of caching in which Auto Deploy does not store
ESXi configuration or state data within the host. Instead, during subsequent
boots, the host must connect to the Auto Deploy server to retrieve its
configuration.
Storage I/O Control (SIOC): A vSphere feature that allows you to prioritize
storage access during periods of contention, ensuring that the more critical
virtual machines obtain more I/O than less critical VMs.
Storage vMotion: The hot cross-datastore migration of a virtual machine.

Telegram Channel : @IRFaraExam

T-U
template: An object in the vSphere inventory that is effectively a non-
executable virtual machine.
Trusted Platform Module (TPM): A chip that is a secure cryptoprocessor
that enhances host security by providing a trust assurance rooted in hardware
as opposed to software.

V
vApp: A container object in vSphere that provides a format for packaging
and managing applications.
vCenter Converter: A free solution that automates the process of converting
existing Windows and Linux machines into virtual machines running in a
vSphere environment.
vCenter HA: A native high availability solution for vCenter Server
Appliance.
vCenter Single Sign-On (SSO): An authentication broker and security token
exchange infrastructure.
vCenter Single Sign-On Security Token Service (STS): A web service that
issues, validates, and renews security tokens.
VIMTOP: A tool you can run in vCenter Server Appliance to see resource
usage for services that are running.
virtual LAN (VLAN): A logical partition of a physical network at the data
link layer (Layer 2).
Virtual Machine Component Protection (VMCP): A vSphere HA feature
that can detect datastore accessibility issues and provide remediation for
impacted virtual machines.
virtual machine snapshot: A copy that captures the state of a virtual
machine and the data in the virtual machine at a specific point in time.
virtual PMem disk (vPMemDisk): A regular virtual disk that is assigned a
PMem storage policy, which forces it to be placed on a host-local PMem
datastore.

Telegram Channel : @IRFaraExam

Special Offer–Save 80%

This single-use coupon code will allow you to purchase a copy of the Premium Edition at an 80%
discount. Simply go to the URL below, add the Premium Edition to your cart, and apply the coupon
code at checkout.

www.pearsonITcertification.com/title/9780136484264

Coupon Code:

Telegram Channel : @IRFaraExam

DO NOT DISCARD THIS NUMBER
You will need this activation code to activate your practice test in the Pearson Test Prep practice test
software.

To access the online version, go to www.PearsonTestPrep.com. Select Pearson IT Certification as

your product group. Enter your email/password for your account. If you don’t have an account on
PearsonITCertification.com or CiscoPress.com, you will need to establish one by going to
PearsonITCertification.com/join. In the My Products tab, click the Activate New Product button.
Enter the access code printed on this insert card to activate your product. The product will now be listed
in your My Products page.

If you wish to use the Windows desktop offline version of the application, simply register your book at
www.pearsonITcertification.com/register, select the Registered Products tab on your account page,
click the Access Bonus Content link, and download and install the software from the companion
website.

This activation code can be used to register your exam in both the online and the offline versions.

Activation Code:

Telegram Channel : @IRFaraExam

Special Offer

Save 80% on Premium Edition eBook and

Practice Test
The VCP-DCV for vSphere 7.x (Exam 2V0-21.20) Official Cert Guide
provides three eBook files (PDF, EPUB, and MOBI/Kindle) to read on
your preferred device and an enhanced edition of the Pearson Test Prep
practice test software. You also receive two additional practice exams
with links for every question mapped to the PDF eBook.

Vmware NSX-T Data Center: Install, Configure, Manage (V3.2) : Lecture Manual
100% (1)
Vmware NSX-T Data Center: Install, Configure, Manage (V3.2) : Lecture Manual
754 pages
VMware Vsphere: Troubleshooting
100% (3)
VMware Vsphere: Troubleshooting
134 pages
VSICM7 Lecture Manual
No ratings yet
VSICM7 Lecture Manual
697 pages
VMware VSphere Metrics - Jan 2024
No ratings yet
VMware VSphere Metrics - Jan 2024
398 pages
Basic Types of Pastoral Care & Counseling Resources
50% (2)
Basic Types of Pastoral Care & Counseling Resources
2 pages
VCP DCV Vsphere 8 Community Study Guide
No ratings yet
VCP DCV Vsphere 8 Community Study Guide
372 pages
VMware SD WAN Deploy and Manage
No ratings yet
VMware SD WAN Deploy and Manage
78 pages
VCP DCV For VSphere 7.x Exam 2V0 21.20 Official Cert Guide 4th Edition Technet24
No ratings yet
VCP DCV For VSphere 7.x Exam 2V0 21.20 Official Cert Guide 4th Edition Technet24
823 pages
Edu en HDM8 Lab Ie
No ratings yet
Edu en HDM8 Lab Ie
133 pages
Vmware Vsphere: Fast Track: Lab Manual Esxi 7 and Vcenter Server 7
No ratings yet
Vmware Vsphere: Fast Track: Lab Manual Esxi 7 and Vcenter Server 7
174 pages
Vmware Course
No ratings yet
Vmware Course
4 pages
Storage Implementation in VSphere 5
100% (1)
Storage Implementation in VSphere 5
1,606 pages
Vmware Vsphere: Install, Configure, Manage: Lecture Manual Esxi 7 and Vcenter Server 7
No ratings yet
Vmware Vsphere: Install, Configure, Manage: Lecture Manual Esxi 7 and Vcenter Server 7
811 pages
Module 5: Configuring and Managing Virtual Networks: © 2020 Vmware, Inc
100% (1)
Module 5: Configuring and Managing Virtual Networks: © 2020 Vmware, Inc
34 pages
School Uniform (A Position Paper)
87% (31)
School Uniform (A Position Paper)
2 pages
Password
100% (1)
Password
2 pages
VMware vSphere Resource Management Essentials
From Everand
VMware vSphere Resource Management Essentials
Jonathan Frappier
No ratings yet
VMware Horizon 7 Tech Deep Dive - PDF en
100% (2)
VMware Horizon 7 Tech Deep Dive - PDF en
73 pages
NSX-T 2.4-Lab-Ie
No ratings yet
NSX-T 2.4-Lab-Ie
212 pages
Edu en Vskdm7 Lab Ie
100% (1)
Edu en Vskdm7 Lab Ie
104 pages
VCP6.7-DCV Study Guide - VCP-DCV 2019 PDF
0% (1)
VCP6.7-DCV Study Guide - VCP-DCV 2019 PDF
208 pages
Edu en Vsaa8 Lab Ie
No ratings yet
Edu en Vsaa8 Lab Ie
94 pages
Vsphere Esxi Vcenter 802 Vsphere With Tanzu Installation Configuration
No ratings yet
Vsphere Esxi Vcenter 802 Vsphere With Tanzu Installation Configuration
219 pages
VSICM7 M06 Config Manage Virtual Storage
No ratings yet
VSICM7 M06 Config Manage Virtual Storage
79 pages
VSICM7 M09 Vsphere Clusters
100% (1)
VSICM7 M09 Vsphere Clusters
105 pages
Exam Prep Guide 3V0-623 v1.2
No ratings yet
Exam Prep Guide 3V0-623 v1.2
18 pages
Vmware VCP DCV Basics
100% (1)
Vmware VCP DCV Basics
25 pages
VMware Vsphere With Tanzu
No ratings yet
VMware Vsphere With Tanzu
9 pages
VMware VSphere Optimize and Scale 6.5 - Lab
100% (1)
VMware VSphere Optimize and Scale 6.5 - Lab
150 pages
Horizon Administration
No ratings yet
Horizon Administration
302 pages
Vmware Powercli 10 Final
No ratings yet
Vmware Powercli 10 Final
1 page
PowerCLI Scripting For VMware VSphere
No ratings yet
PowerCLI Scripting For VMware VSphere
24 pages
AHV Admin Guide v6 - 0
100% (1)
AHV Admin Guide v6 - 0
142 pages
Vsphere 703 Esxcli Concepts Examples Guide
No ratings yet
Vsphere 703 Esxcli Concepts Examples Guide
157 pages
vSAN POC Guide
No ratings yet
vSAN POC Guide
160 pages
Vsphere Replication 81 Admin
100% (1)
Vsphere Replication 81 Admin
128 pages
Edu en Sdwandm4 Lec Se
0% (1)
Edu en Sdwandm4 Lec Se
253 pages
VCP-NV Study Guide
No ratings yet
VCP-NV Study Guide
132 pages
Vsphere Esxi Vcenter 802 Management Guide
No ratings yet
Vsphere Esxi Vcenter 802 Management Guide
217 pages
VMware VSphere. Install, Configure, Manage. Student Labs. ESXi 5.0 and VCenter Server 5.0 - 2011
100% (1)
VMware VSphere. Install, Configure, Manage. Student Labs. ESXi 5.0 and VCenter Server 5.0 - 2011
132 pages
VMware VSphere Optimize and Scale 6.5 - Labs
100% (1)
VMware VSphere Optimize and Scale 6.5 - Labs
150 pages
Vmware Powercli 124 User Guide
No ratings yet
Vmware Powercli 124 User Guide
146 pages
Edu en Vsicm8 Lab
No ratings yet
Edu en Vsicm8 Lab
167 pages
Azure VMware Solution
No ratings yet
Azure VMware Solution
276 pages
Vmware Horizon Deployment Guide
No ratings yet
Vmware Horizon Deployment Guide
47 pages
Administrator's Guide To VMware Virtual SAN
No ratings yet
Administrator's Guide To VMware Virtual SAN
63 pages
VSICM6 LabManual
No ratings yet
VSICM6 LabManual
170 pages
Lab Manual
No ratings yet
Lab Manual
129 pages
Installing and Configuring VROPS
No ratings yet
Installing and Configuring VROPS
117 pages
Vsan 67 Administration Guide
No ratings yet
Vsan 67 Administration Guide
195 pages
Vsan 801 Planning Deployment Guide
No ratings yet
Vsan 801 Planning Deployment Guide
92 pages
Vmware Logs For Troubleshooting
No ratings yet
Vmware Logs For Troubleshooting
31 pages
Vsphere ICM7 Lab 03
No ratings yet
Vsphere ICM7 Lab 03
42 pages
Vxrail Solutions and Uses Cases Reference Slide Deck
No ratings yet
Vxrail Solutions and Uses Cases Reference Slide Deck
65 pages
VMWARE CLI Commands
No ratings yet
VMWARE CLI Commands
9 pages
VMware Vsphere Troubleshooting Workshop 6.5 Lab Manual
No ratings yet
VMware Vsphere Troubleshooting Workshop 6.5 Lab Manual
64 pages
VMware vSAN 8 Administration Guide
No ratings yet
VMware vSAN 8 Administration Guide
145 pages
Module 2 - Introduction to Troubleshooting
No ratings yet
Module 2 - Introduction to Troubleshooting
19 pages
DELL EMC VxRail Study Notes (Part 1) - InfraPCS
No ratings yet
DELL EMC VxRail Study Notes (Part 1) - InfraPCS
8 pages
NSX 63 Troubleshooting
No ratings yet
NSX 63 Troubleshooting
232 pages
Implementing NetScaler VPX™ - Second Edition
From Everand
Implementing NetScaler VPX™ - Second Edition
Sandbu Marius
No ratings yet
VMware Virtual SAN Cookbook
From Everand
VMware Virtual SAN Cookbook
Jeffrey Taylor
5/5 (1)
Mastering Netscaler VPX: Learn how to deploy and configure all the available Citrix NetScaler features with the best practices and techniques you need to know
From Everand
Mastering Netscaler VPX: Learn how to deploy and configure all the available Citrix NetScaler features with the best practices and techniques you need to know
Marius Sandbu
No ratings yet
Chat GPT
No ratings yet
Chat GPT
4 pages
Class Prog. Grade 4
No ratings yet
Class Prog. Grade 4
2 pages
University of Cambridge International Examinations General Certificate of Education Ordinary Level
No ratings yet
University of Cambridge International Examinations General Certificate of Education Ordinary Level
8 pages
Homeopathy & Naturopathy: Foundational Courses
No ratings yet
Homeopathy & Naturopathy: Foundational Courses
3 pages
Quarter 1: Math 7 Summative
No ratings yet
Quarter 1: Math 7 Summative
4 pages
SF5A AND SF5B-Grade-12-ICT-Blk.-06
No ratings yet
SF5A AND SF5B-Grade-12-ICT-Blk.-06
22 pages
TeachingProf SYLLABUS 1 5
No ratings yet
TeachingProf SYLLABUS 1 5
12 pages
Desarrollo y Salud
No ratings yet
Desarrollo y Salud
24 pages
Women Scientists Scheme
No ratings yet
Women Scientists Scheme
4 pages
G456 DLL WEEK 10 REVIEW and PT
No ratings yet
G456 DLL WEEK 10 REVIEW and PT
4 pages
214 Single Best Answer Questions in Gynaecology eBook Edition Double Paged Eranthi Samarakoon 2024 Scribd Download
100% (18)
214 Single Best Answer Questions in Gynaecology eBook Edition Double Paged Eranthi Samarakoon 2024 Scribd Download
65 pages
American
No ratings yet
American
14 pages
Fifth Formative Test Knowledge Aspect - Name: Clyantha Bernice Hevia Grade / Absent: 8A / 08
No ratings yet
Fifth Formative Test Knowledge Aspect - Name: Clyantha Bernice Hevia Grade / Absent: 8A / 08
2 pages
BCPC
100% (3)
BCPC
53 pages
BA (Hons) Interior Design - DMU: Student Name: Formatively Assessed: Formative Assessment By: Student Number
No ratings yet
BA (Hons) Interior Design - DMU: Student Name: Formatively Assessed: Formative Assessment By: Student Number
3 pages
Mock Test ISW9 - Key
No ratings yet
Mock Test ISW9 - Key
7 pages
Goals and Applications of ML
No ratings yet
Goals and Applications of ML
21 pages
Exam Stress 1
No ratings yet
Exam Stress 1
12 pages
Part Test - 3 (Senior) Question Paper 2011-P1 8-6-2020-F
No ratings yet
Part Test - 3 (Senior) Question Paper 2011-P1 8-6-2020-F
15 pages
ASRI 2025
No ratings yet
ASRI 2025
4 pages
Yayasan Al Halim Garut
No ratings yet
Yayasan Al Halim Garut
4 pages
Science9 Q4 SLM6
100% (2)
Science9 Q4 SLM6
15 pages
Lesson Plan 1 5e
No ratings yet
Lesson Plan 1 5e
8 pages
28 ESL Discussion Topics
50% (2)
28 ESL Discussion Topics
21 pages
INFO1003 2024 Sydney City Term 2 On-Site
No ratings yet
INFO1003 2024 Sydney City Term 2 On-Site
24 pages
Grade 3 Lesson 2 Unit 1
No ratings yet
Grade 3 Lesson 2 Unit 1
6 pages
Online Education in Nepal
No ratings yet
Online Education in Nepal
5 pages