Microsoft PowerPoint - 02_Deploy_Config_vCenter_1123.pptx

Module 4 focuses on deploying and configuring vCenter, which centralizes management of ESXi hosts and virtual machines. Key lessons include understanding vCenter architecture, deploying the vCenter Server Appliance, managing vCenter inventory, and utilizing vSphere Client for administrative tasks. The module emphasizes the importance of proper deployment and management to maintain a manageable virtual environment.

Uploaded by

aaaa2549zzz

Module 4: Deploying and Configuring vCenter

© 2023 VMware, Inc.

Importance
vCenter helps you centrally manage multiple ESXi hosts and their virtual machines. If you do not properly
deploy, configure, and manage vCenter, your environment might experience reduced administrative
manageability of the ESXi hosts and virtual machines.

© 2023 VMware, Inc. VMware vSphere Install, Configure, Manage [V8] | 4-2

Module Lessons
1. Centralized Management with vCenter
2. Deploying vCenter Server Appliance
3. vSphere Licenses
4. Managing vCenter Inventory

Lesson 1: Centralized Management with vCenter

© 2019 VMware Inc. All rights reserved.

Learner Objectives
• Describe the vCenter architecture
• Recognize ESXi host communication with vCenter
• Identify vCenter services

About the vCenter Management Platform
vCenter acts as a central administration point for ESXi hosts and virtual machines that are connected in a network. vCenter:
• Directs the actions of VMs and hosts
• Runs on a Linux-based appliance


With vCenter, you can pool and manage the resources of multiple hosts. vCenter provides advanced
features, such as vSphere DRS, vSphere HA, vSphere Fault Tolerance, vSphere vMotion, and vSphere
Storage vMotion.
vCenter is deployed as a virtual appliance. You deploy vCenter Server Appliance on an ESXi host in your
infrastructure. vCenter Server Appliance is a preconfigured Linux-based virtual machine, which is optimized
for running vCenter and the vCenter components.

About vCenter Server Appliance
vCenter Server Appliance is a prepackaged Linux-based VM, optimized for running vCenter and
associated services.
The vCenter Server Appliance package contains the following software:
• Photon OS
• PostgreSQL database
• vCenter services
During deployment, you can select the vCenter Server Appliance size for your vSphere environment and
the storage size for your database requirements.


vCenter consists of a collection of services that run in vCenter Server Appliance. vCenter acts as a central
administration point for ESXi hosts that are connected to a network.

vCenter Services
vCenter services include:
• vCenter Server
• vSphere Client
• License service
• Content Library
• vSphere Lifecycle Manager
When you deploy vCenter Server
Appliance, all these services are
included.


All vCenter services are installed on a single VM.

vCenter Architecture
The vCenter database ensures the integrity and availability of essential data, supporting the smooth
operation of vCenter.
The vSphere Client serves as the central user interface for managing vSphere environments.


The vCenter architecture relies on the following components:
• vSphere Client: You use this client to connect to vCenter and manage your ESXi hosts centrally. When vCenter manages an ESXi host, you should always use vCenter and the vSphere Client to manage that host.
• vCenter database: The vCenter database is a critical component. The database stores inventory items, security roles, performance data, and other critical information for vCenter.
• Managed hosts: You can use vCenter to manage ESXi hosts and the VMs running on ESXi hosts.

About vCenter Single Sign-On
vCenter Single Sign-On allows vSphere components to communicate with each other through a secure
token mechanism.
vCenter Single Sign-On can authenticate users using built-in or external identity providers.
Built-in identity providers:
• By default, vCenter uses the vsphere.local domain as the identity source.
• You can configure vCenter to use Active Directory as the identity source using LDAP, LDAPS,
OpenLDAP, or OpenLDAPS.
External identity provider using federated authentication:
• vSphere supports Active Directory Federation Services (AD FS).


Although you can still configure Integrated Windows Authentication (IWA), VMware recommends using
Active Directory over LDAP or Federated Identity with AD FS for authentication for vCenter Server and
ESXi. For more details, see VMware knowledge base article 78506 at https://kb.vmware.com/kb/78506.
For details about configuring vCenter Single Sign-On and identity providers, see vSphere Authentication at
https://docs.vmware.com/en/VMware-vSphere/index.html.

vCenter Single Sign-On with Built-In Identity Provider
The following is the user login flow when vCenter
acts as the identity provider:
1. User logs in to the vSphere Client.
2. vCenter Single Sign-On authenticates credentials
against a directory service (for example, Active
Directory).
3. A SAML token is sent back to the user's
browser.
4. The SAML token is sent to vCenter, and the user
is granted access.


For more details about user login flow, see vSphere Authentication at https://docs.vmware.com/en/VMware-vSphere/index.html.

About Enhanced Linked Mode
With Enhanced linked mode, you can log in to the vSphere Client and manage the inventories of all the
vCenter instances in the group:
• You can link up to 15 vCenter instances in one vCenter Single Sign-On domain.
• You can create an enhanced linked mode group during or after the deployment of vCenter Server
Appliance.


You can also join an enhanced linked mode group by moving, or repointing, a vCenter from one vSphere
domain to another existing domain.

Enhanced linked mode provides the following features:
• You can log in to all linked vCenter instances simultaneously with a single username and password.
• You can view and search the inventories of all linked vCenter instances in the vSphere Client.
• You can replicate roles, permissions, licenses, tags, and policies (such as storage policies) across linked vCenter instances.
To join vCenter instances in Enhanced Linked Mode, connect the vCenter instances to the same vCenter
Single Sign-On domain.
You can create a vCenter enhanced linked mode group during the deployment of vCenter Server
Appliance. You can also join a vCenter enhanced linked mode group by moving, or repointing, a vCenter
instance from one vSphere domain to another existing domain. For more information on repointing
vCenter instances, see vCenter Server Installation and Setup at https://docs.vmware.com/en/VMware-vSphere/index.html.
Enhanced linked mode requires the vCenter Standard licensing level. Enhanced linked mode is not
supported with vCenter Foundation or vCenter for Essentials.

ESXi and vCenter Communication
The vSphere Client is the primary method to manage ESXi hosts. vSphere Client communicates directly
with vCenter.

If vCenter is not available, you use VMware Host Client to communicate directly with the ESXi host.


vCenter provides direct access to the ESXi host through a vCenter agent called virtual provisioning X
agent (vpxa). The vpxa process is automatically installed on the host and started when the host is added to
the vCenter inventory. The vCenter service (vpxd) communicates with the ESXi host daemon (hostd)
through the vCenter agent (vpxa).
Clients that communicate directly with the host, and bypass vCenter, converse with hostd. The hostd
process runs directly on the ESXi host and manages most of the operations on the ESXi host. The hostd
process is aware of all VMs that are registered on the ESXi host, the storage volumes visible to the ESXi
host, and the status of all VMs.
Most commands or operations come from vCenter through vpxa. Examples include creating, migrating,
and powering on virtual machines. Acting as an intermediary between the vpxd process, which runs on
vCenter, and the hostd process, vpxa relays the tasks to perform on the host.
When you are logged in to the vCenter system through the vSphere Client, vCenter passes commands to
the ESXi host through the vpxa.
The vCenter database is also updated. If you use VMware Host Client to communicate directly with an
ESXi host, communications go directly to the hostd process and the vCenter database is not updated.

vCenter Scalability

Metric | vCenter 8.0
Hosts per vCenter instance | 2,500
Powered-on VMs per vCenter instance | 40,000
Registered VMs per vCenter instance | 45,000
Hosts per cluster | 96
VMs per cluster | 8,000


You can scale vCenter to support large, enterprise environments. For the recommended configuration
limits, see VMware Configuration Maximums at https://configmax.vmware.com.

Review of Learner Objectives
• Describe the vCenter architecture
• Recognize ESXi host communication with vCenter
• Identify vCenter services

Lab 3: Adding vSphere Licenses
Use the vSphere Client to add vSphere licenses to vCenter and assign a license to vCenter:
1. Add vSphere Licenses to vCenter
2. Assign a License to the vCenter Instance

Lesson 2: Managing vCenter Inventory

Learner Objectives
• Use the vSphere Client to manage the vCenter inventory
• Create and organize vCenter inventory objects
• Add data center and organizational objects to vCenter
• Add ESXi hosts to the inventory
• Create custom inventory tags for inventory objects

vSphere Client Main Menu
From the vSphere Client main menu, you can manage your vCenter system inventory, manage your
infrastructure environment, and complete system administration tasks.


The vSphere Client main menu is indicated by a three-lined icon, located in the upper left corner of the
vSphere Client window.

Navigating the Inventory
You can use the navigation pane to browse and select objects in the vCenter inventory.

Views for Hosts, Clusters, VMs, and Templates
Host and cluster objects appear in
one view, and VM and template
objects are displayed in another
view.


The Hosts and Clusters inventory view shows all host and cluster objects in a data center. You can further
organize the hosts and clusters into folders.
The VMs and Templates inventory view shows all VM and template objects in a data center. You can also
organize the VMs and templates into folders.

Views for Storage and Networks
The storage inventory view
shows all the details for
datastores in the data center.
The networking inventory view
shows all the port groups on
standard switches and distributed
switches.


As with the other inventory views, you can organize your datastore and network objects into folders.

Viewing Object Information
Because you can view object information and access related objects, monitoring and managing object
properties is easy.

About Data Center Objects
A virtual data center is a logical organization of all the inventory objects. Those inventory objects are
required to complete a fully functional environment for operating VMs:
• You can create multiple data centers to organize sets of environments.
• Each data center has its own hosts, VMs, templates, datastores, and networks.


You might create a data center object for each data center geographical location. Or, you might create a
data center object for each organizational unit in your enterprise.

Organizing Inventory Objects into Folders
You can place objects in a data center in folders. You can create folders and subfolders to better
organize systems.

Each of the four inventory views has its own folder structure.


You plan the setup of your virtual environment depending on your requirements.
A large vSphere implementation might contain several virtual data centers with a complex arrangement of
hosts, clusters, resource pools, and networks. A vSphere implementation might include multiple vCenter
systems.
Smaller implementations might require a single virtual data center with a less complex topology.
Regardless of the scale of your virtual environment, consider how the VMs that it supports are used and
administered.

Populating and organizing your inventory involves the following tasks:
• Creating data centers
• Creating clusters to consolidate the resources of multiple hosts and VMs
• Adding hosts to the clusters or to the data centers
• Organizing inventory objects in folders
• Setting up networking by using vSphere standard switches or vSphere distributed switches
• Configuring storage systems and creating datastore inventory objects to provide logical containers for storage devices in your inventory

Adding a Data Center and Organizational Objects to vCenter
You can add a data center, a host, a cluster, and folders to vCenter.
You can use folders to group objects of the same type for easier management.

Adding ESXi Hosts to vCenter
You can add ESXi hosts to vCenter using the vSphere Client.

Creating Custom Tags for Inventory Objects
You can use tags to attach metadata to objects in
the vCenter inventory. Tags help make these
objects more sortable.
You can associate a set of objects of the same type
by searching for objects by a given tag.
You can use tags to group and manage VMs,
clusters, and datastores, for example:
• Tag VMs that run production workloads.
• Tag VMs based on their guest operating system.

Lab 4: Creating and Managing the vCenter Inventory
Use the vSphere Client to create and configure objects in the vCenter inventory:
1. Create a Data Center Object
2. Add Two ESXi Hosts to the Inventory
3. View Information About the ESXi Hosts
4. Configure an ESXi Host as an NTP Client
5. Create a Folder for the ESXi Hosts
6. Create Folders for VMs and VM Templates

Review of Learner Objectives
• Use the vSphere Client to manage the vCenter inventory
• Create and organize vCenter inventory objects
• Add data center and organizational objects to vCenter
• Add ESXi hosts to the inventory
• Create custom inventory tags for inventory objects

Lesson 3: vCenter Roles and Permissions

Learner Objectives
• Define the term permission in the context of vCenter
• Recognize the rules for applying permissions
• Create a custom role
• Assign global permission to a user

About vCenter Permissions
Using the access control system, the vCenter administrator can define user privileges to access objects in
the inventory.

The following concepts are important:


• Privilege: An action that can be performed
• Role: A set of privileges
• Object: The target of the action
• User or group: Indication of who can perform the
action. vCenter can be integrated with Active
Directory, Entra ID, Okta, and other identity
sources.
• Permission: Gives one user or group a role (set
of privileges) for the selected object


The authorization to perform tasks in vCenter is governed by an access control system. Through this
access control system, the vCenter administrator can specify in detail which users or groups can perform
which tasks on which objects.
A permission is set on an object in the vCenter object inventory. Each permission associates the object
with a group or user and the group or user access roles. For example, you can select a VM object, add one
permission that gives the Read-only role to group 1, and add a second permission that gives the
Administrator role to user 2.
By assigning a different role to a group of users on different objects, you control the tasks that those users
can perform in your vSphere environment. For example, to allow a group to configure memory for the
host, select that host and add a permission that grants a role to that group that includes the
Host.Configuration.Memory Configuration privilege.

About Roles
Privileges are grouped into roles:
• A privilege allows access to a
specific task and is grouped
with other privileges related to
it.
• Roles allow users to perform
tasks.
vCenter provides a few system
roles, which you cannot modify.
Sample roles are also provided.
You can clone them to create
custom roles.


A role is a set of one or more privileges. For example, the Virtual Machine Power User sample role consists
of several privileges in categories such as Datastore and Global. A role is assigned to a user or group and
determines the level of access of that user or group.

You cannot change the privileges associated with the system roles:
• Administrator role: Users with this role for an object may view and perform all actions on the object.
• Read-only role: Users with this role for an object may view the state of the object and details about the object.
• No access role: Users with this role for an object may not view or change the object in any way.
• No cryptography administrator role: Users with this role for an object have the same privileges as users with the Administrator role, except for privileges in the Cryptographic operations category.
All roles are independent of each other. There is no hierarchy or inheritance between roles.

About Objects
Objects are entities on which actions are performed. Objects include data centers, folders, clusters, hosts,
datastores, networks, and virtual machines.
All objects have a Permissions tab. The Permissions tab shows which user or group and role are
associated with the selected object.

Assigning Permissions
To assign a permission:
1. Select an object
2. Select a Domain
3. Select a User/Group
4. Select a Role
5. Propagate the permission to
the child objects


You can assign permissions to objects at different levels of the hierarchy. For example, you can assign
permissions to a host object or to a folder object that includes all host objects. You can also assign
permissions to the global root object to apply the permissions to all objects in all solutions.
For information about hierarchical inheritance of permissions and global permissions, see vSphere Security
at https://docs.vmware.com/en/VMware-vSphere/index.html.

Viewing Roles and User Assignments
The Roles pane shows which users are assigned the selected role on a particular object.


You can view all the objects to which a role is assigned and all the users or groups who are granted the
role.
To view information about a role, click Usage in the Roles pane and select a role from the Roles list. The
information provided to the right shows each object to which the role is assigned and the users and groups
who were granted the role.

Applying Permissions: Scenario 1
A permission can propagate down the object hierarchy to all sub-objects, or a permission can apply only
to a specific object.


In addition to specifying whether permissions propagate downward, you can override permissions that are set at
a higher level by explicitly setting different permissions for a lower-level object.
On the slide, the user Greg is given Read-only access to the Training data center. This role is propagated to
all child objects except one, the Prod03-2 VM. For this VM, Greg is an administrator.

Applying Permissions: Scenario 2
When a user is a member of multiple groups with permissions on the same object, the user is assigned the
union of privileges assigned to the groups for that object.


On the slide, Group1 is assigned the VM_Power_On role, a custom role that contains only one privilege:
the ability to power on a VM. Group2 is assigned the Take_Snapshots role, another custom role that
contains the privileges to create and remove snapshots. Both roles propagate to the child objects.
Because Greg belongs to both Group1 and Group2, he gets both VM_Power_On and Take_Snapshots
privileges for all objects in the Training data center.

Activity: Applying Group Permissions (1)
If Group1 has the Administrator role and Group2 has the No Access role, what permissions does Greg
have?

Activity: Applying Group Permissions (2)
Greg has Administrator privileges.
Greg is assigned the union of privileges assigned to Group1 and Group2.

Applying Permissions: Scenario 3
A user can be a member of multiple groups with permissions on different objects. In this case, the same
permissions apply for each object on which the group has permissions, as though the permissions were
granted directly to the user.


You can override permissions set for a higher-level object by explicitly setting different permissions for a
lower-level object.
On the slide, Group1 is assigned the Administrator role at the Training data center and Group2 is assigned
the Read-only role on the VM object, Prod03-1. The permission granted to Group1 is propagated to child
objects.
Because Greg is a member of both Group1 and Group2, he gets administrator privileges on the entire
Training data center (the higher-level object), except for the VM called Prod03-1 (the lower-level object).
For this VM, Greg gets read-only access.

Applying Permissions: Scenario 4
A user (or group) is given only one role for any given object.
Permissions defined explicitly for the user on an object take precedence over all group permissions on
that same object.


On the slide, three permissions are assigned to the Training data center:
• Group1 is assigned the VM_Power_On role.
• Group2 is assigned the Take_Snapshots role.
• Greg is assigned the No Access role.
Greg is a member of both Group1 and Group2. Assume that propagation to child objects is selected on all
roles. Although Greg is a member of both Group1 and Group2, Greg gets the No Access privilege to the
Training data center and all objects under it. Greg gets the No Access privilege because explicit user
permissions on an object take precedence over all group permissions on that same object.
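
The rules in Scenarios 1 to 4 and the group-permission activity can be checked with a small resolver. This is an added example, not VMware code or part of the original course material: the privilege labels are constructed for illustration (they are not vCenter privilege IDs), and the walk-up-the-hierarchy model is an assumption derived only from the four scenarios above.

```python
from dataclasses import dataclass

# Constructed privilege labels for illustration; not vCenter privilege IDs.
ALL_PRIVS = frozenset({"view", "vm.configure", "vm.power_on",
                       "vm.snapshot.create", "vm.snapshot.remove"})
ROLES = {
    "Administrator": ALL_PRIVS,
    "Read-only": frozenset({"view"}),
    "No Access": frozenset(),
    "VM_Power_On": frozenset({"vm.power_on"}),
    "Take_Snapshots": frozenset({"vm.snapshot.create", "vm.snapshot.remove"}),
}
# Inventory and group membership as described for the slides (child -> parent).
PARENT = {"Training": None, "Prod03-1": "Training", "Prod03-2": "Training"}
GROUPS = {"Greg": {"Group1", "Group2"}}


@dataclass(frozen=True)
class Permission:
    principal: str          # user or group name
    role: str
    obj: str
    propagate: bool = True  # step 5 of "Assigning Permissions"


def effective_privileges(user, obj, permissions):
    """Return (privileges, object the deciding permission is set on)."""
    groups = GROUPS.get(user, set())
    node = obj
    while node is not None:
        # A permission set on the object itself always applies; one set on
        # an ancestor applies only if it propagates (Scenario 1).
        here = [p for p in permissions
                if p.obj == node and (node == obj or p.propagate)]
        direct = [p for p in here if p.principal == user]
        if direct:
            # Scenario 4: an explicit user permission beats all group
            # permissions on the same object.
            return ROLES[direct[0].role], node
        via_groups = [p for p in here if p.principal in groups]
        if via_groups:
            # Scenario 2: union of the privileges of every matching group.
            merged = frozenset().union(*(ROLES[p.role] for p in via_groups))
            return merged, node
        node = PARENT[node]  # nothing set here: inherit from the parent
    return frozenset(), None


def widened_objects(user, permissions):
    """Audit helper: objects where a lower-level permission gives the user
    privileges that the parent object does not."""
    flagged = []
    for obj, parent in PARENT.items():
        if parent is None:
            continue
        child_privs, _ = effective_privileges(user, obj, permissions)
        parent_privs, _ = effective_privileges(user, parent, permissions)
        if not child_privs <= parent_privs:
            flagged.append(obj)
    return sorted(flagged)


GROUP_GRANTS = [Permission("Group1", "VM_Power_On", "Training"),
                Permission("Group2", "Take_Snapshots", "Training")]
SCENARIOS = {
    "1": [Permission("Greg", "Read-only", "Training"),
          Permission("Greg", "Administrator", "Prod03-2")],
    "2": GROUP_GRANTS,
    "3": [Permission("Group1", "Administrator", "Training"),
          Permission("Group2", "Read-only", "Prod03-1")],
    "4": GROUP_GRANTS + [Permission("Greg", "No Access", "Training")],
    "activity": [Permission("Group1", "Administrator", "Training"),
                 Permission("Group2", "No Access", "Training")],
}

if __name__ == "__main__":
    for name, perms in SCENARIOS.items():
        for obj in PARENT:
            privs, source = effective_privileges("Greg", obj, perms)
            print(f"{name:>8} {obj:<9} from={source} {sorted(privs)}")
        print(f"{name:>8} widened: {widened_objects('Greg', perms)}")
```

The widened_objects helper is the review step: it lists objects, such as Prod03-2 in Scenario 1, where a lower-level permission grants more than the parent object does.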

Creating a Role
Create roles with only the necessary privileges.
For example, you can create a Provision VMs role
that allows a user to deploy VMs from a template.
Use folders to contain the scope of permissions. For
instance, you can assign the Provision VMs role to
user [email protected] and apply it to the
Production VMs folder.


The Provision VMs role is one of many examples of roles that you can create.
Define a role using the smallest number of privileges possible to maximize security and control over your
environment. Give the roles names that explicitly indicate what each role allows, to make its purpose clear.

About Global Permissions
Global permissions support assigning privileges across solutions from the global root object:
• Span solutions, such as vRealize Orchestrator, and multiple vCenter instances
• Give a user or group privileges for all objects in all vCenter hierarchies


Often, you apply a permission to a vCenter inventory object, such as an ESXi host or a VM. When you
apply a permission, you specify that a user or group has a set of privileges, called a role, on the object.
Global permissions give a user or group privileges to view or manage all objects in each of the inventory
hierarchies in your deployment.
The example shows that the global root object has permissions over all vCenter objects, including content
libraries, vCenter instances, and tags. Global permissions allow access across vCenter instances. vCenter
permissions, however, are effective only on objects in a particular vCenter instance.
