Understanding vCenter Single Sign-On

vCenter Single Sign-On (SSO) was introduced with vSphere 5.1, allowing all of the software and components in the vSphere environment to communicate with each other using a secure token exchange mechanism via an identity source such as Active Directory or LDAP. It is critical that vCenter SSO is installed before any other component in a vSphere 5.1+ environment. This does not change a vCenter Server installation – it is just added on top as an additional component.

There are several compatible identity sources that can be used with vCenter SSO:

  • Active Directory over LDAP.
  • OpenLDAP versions 2.4 and later.
  • Local operating system users. (Shown as localos in the vSphere Web Client.)
  • vCenter Single Sign-On system users.
vCenter Single Sign-On dataflow

vCenter SSO changed the way users log into a vCenter Server. Before 5.1, users were authenticated by the specific Active Directory instance configured for the vCenter Server. After 5.1, users now log into a specific security domain that is defined within your vSphere environment and authenticated by the vCenter SSO server in exchange for a security token (SAML 2.0 and WS-Trust 1.4 SAML 2.0), which is then used to log into vCenter Server or another component.

With vCenter SSO, all components within the vSphere environment are able to trust each other, and do not require authentication every time a connection is made to another component. It gives users the ability to see all vCenter Server instances, providing they have the right permissions, and eliminates the need for vCenter Linked Mode for unified views of vCenter Server Instances. vCenter SSO can also be configured in a high availability deployment, which is important as all authentication will be done through it.

Managing your VMware ESXi environment with vCenter Server Appliance or vCenter for Windows

VMware’s vCenter Server Appliance (vCSA) is a virtual machine that comes pre-loaded and pre-configured with the OS, applications, and database required to manage a virtualized datacenter. vCenter Server can be installed on a Windows OS if desired. On the backend, the appliance runs on SUSE Linux Enterprise Server 11 with a vPostgres database, capable of an inventory up to 100 hosts and 3,000 virtual machines (anything more than this can cause problems and will require an Oracle DB). Deploying the appliance saves time compared to installing vCenter separately on a Windows OS because it removes the need to install the OS and database. The appliance is simply imported to an ESXi host as an OVF template and then accessed via the vSphere Web Client.

VMware vCenter Server (image from VMware)
VMware vCenter Server (image from VMware)

vCenter Server requires a dual core x86 processor (2 GHz minimum), 4 GB of RAM, 4GB of disk storage space, an additional 2GB of free space for the installation archive, and a 1Gbit connection. DNS and AD should already be in place prior to vCenter deployment.

The following plug-ins are installed and enabled by default in a vSphere Client installation:

  • VMware vCenter Storage Monitoring Service: Adds the Storage Views tab on the host. Monitors and reports on storage within vCenter Server.
  • vCenter Hardware Status: Adds the Hardware Status tab to the host. Displays host hardware status (Common Imformation Model (CIM) monitoring).
  • vCenter Service Status: Adds the vCenter Service Status icon to the Administration tab in the Home page of vSphere Client.

Single Sign On (SSO) and Ad integration is built into the appliance, however you cannot use vSphere Linked Mode due to it being based on Microsoft Active Directory Application Mode (ADAM) and the vSphere Update Manager is also not available in vCSA. vSCA also doesn’t support IPv6 orMS SQL database, and vCenter Server Heartbeat, VMware Site Recovery Manager, and VMware View Composer must be installed on a separate Windows server.

VMware vCenter Architecture
vCenter Server architecture

When logging into the vSphere Web Client, administrators won’t be able to tell a difference between a vCenter for Windows deployment or the appliance. All versions of the vSphere Web Client look the same regardless of which version vCenter manages it. A management interface is access on the web for any appliance configuration (there is not Remote Desktop Protocol access). To connect to the vCenter, simply type https://fqdn_or_ip_address:5480. The first time you log into vCenter, you will have to accept the EULA, choose default configuration or upload a previous version, or custom configuration. From there, you will Install your vSphere License Keys, Create a vCenter Server Inventory Data Center Object, and add your ESXi host to the vCenter Server Inventory. The Summary tab allows you to manage vCenter settings, and start or stop services such as the Web Client, Log Browser, and the Server itself.

How to create a Virtual Machine in VMware vSphere

You can use either the vSphere Web Client or the vSphere Client to create a new virtual machine using the New Virtual Machine wizard.

  1. In the vSphere Client: Right click on a host in your inventory and select New Virtual Machine.
  2. In the vSphere Web Client: Right click on a host or a data center in your inventory, select Actions > New Virtual Machine.

In a Typical Configuration, you must input:

  • Name of virtual machine and location of inventory
  • Datastore which the virtual machine’s files are stored
  • Guest Operating System and Version (choose from a selection of Unix, Linux, and Windows Operating Sysems. Full list available here at vmware.)
  • Disk Parameters including Disk Size and Thick Provisioned Lazy Zeroed (default), Thick Provisioned Eager Zeroed, or Thin Provision.
  • Number Network Interface Cards (NICs), which network to connect to, and what network adapter type to use.
The New Virtual Machine wizard in vSphere 5.5.
The New Virtual Machine wizard in vSphere 5.5.

Custom Configuration opens up many more options, including:

  • Virtual Machine version
  • RAM, CPU’s, cores per CPU
  • SCSI controller type
  • Select a Disk: allows you to create a new virtual disk, use an existing virtual disk, create a raw device mapping (RDM), or use no disk.
  • I/O adapters, disk capacity, and more advanced options such as the ability to attach an IDO image to the virtual CD/DVD drive.

If you need to install a guest operating system on your new virtual machine, you can interact with the virtual machine the same way that you would on a physical computer. Attach a CD-ROM, DVD, or ISO image to the virtual CD/DVD drive in vSphere Client and install normally.

An OVF template is a virtual appliance that typically contains a preinstalled guest operating system applications. To create a virtual machine from an OVF template, simply select your host or cluster and click Actions > Deploy OVF Template > continue to select your source and destination. You can easily create your own OVF template by powering off your virtual machine you wish to clone to an OVF, selecting your virtual machine and clicking Actions > Clone to Template.

Thick or Thin Provisioning for virtual disks in VMware vSphere

Virtual Machines store their data on Virtual Disks. The data is written into a .vmdk file with the virtual machine name as the prefix (for example – virtualmachine01.vmdk). There are three types of virtual disks: Thick Provision Lazy Zeroed, Thick Provisioned Eager Zeroed, and Thin Provision, each with their own pros and cons.

In short: Thick provisioned disks allocate the required disk space at creation, while thin provisioned disks only allocate the minimum required space initially needed and can expand.

The difference between Eager Zeroed and Lazy Zeroed is how quickly the data on the physical disk is zeroed. Zeroing a disk means that the data on the blocks at the binary level is overwritten with 0’s – it is completely erased. In a Thick Provisioned Eager Zeroed virtual disk, the disk space is allocated during provisioning, meaning that it is unavailable for use by other virtual machines, and any data that was written on the physical device is immediately zeroed out. In a Thick Provisioned Lazy Zeroed virtual disk, the disk space is also allocated during provisioning similar to its Eager Zeroed counterpart, but the data on the physical disk is not zeroed out until the space is required. Thick Provisioned Lazy Zeroed has a faster creation time than Thick Provisioned Eager Zeroed due to not zeroing out all of the data curing creation, but has a lower chance of contiguous file blocks which results in reduced performance time during the initial write. However, blocks on both types of virtual disks are fully preallocated during creation.

thinvthickFor example, if you create a Thin Provisioned 20 GB virtual disk and a Thick Provisioned virtual disk of the same size, the Thin Provisioned will not allocate those 20 GB until something takes up the space (like an operating system) and it will still be usable by other virtual disks whereas the Thick Provisioned virtual disk will immediately allocate the entire 20 GB rendering that space unusable by other virtual disks. The Thick Provisioned virtual disk will also be limited to the 20 GB size allocated, whereas the Thin Provisioned will be able to grow as needed.

When the disk space is needed in a Thin Provisioned virtual disk, the disk will grow. When the data is removed, the .vmdk will shrink but the datastore does not shrink, meaning that the datastore for the virtual disk will always be at the largest size that the virtual disk ever grows to.

Thin Provisioning allows for overprovisioning of disks, which can create issues and is generally bad practice, but can be done if completely necessary. For example, if you have a 100 GB datastore, you can fit you can fit 5 Thick Provisioned 20 GB virtual disks, or upwards of 10 or more Thin Provisioned 20 GB virtual disks since the data will not be written until needed. However, this requires active monitoring and management to avoid issues.

The default virtual disk type for VMware virtual disks is Thick Provision Lazy Zeroed, which offers the middle ground of fast creation time and fast performance, however Thick Provisioned Eager Zeroed is the only virtual disk that allows virtual machines to take advantage of VMware vSphere Fault Tolerance.

One of the benefits of virtualization in the first place is the ability to densify and consolidate assets such as disk space, so many admins consider Thick Provisioning to be a waste of resources. A good rule of thumb to go by is to go with Thin Provisioned unless there are specific use-cases for Thick, such as performance requirements.


Viewing the files that make up a Virtual Machine in VMware vCenter

A VMware Virtual Machine is made up of several different types of files. Each of these files begins with the Virtual Machine’s name, followed by the file extension. (For example, VM1.vmx). They are stored in a VM folder within your virtual machine.

Key files are:

  • .vmx Stores all of the settings chosen during setup or in the virtual machine settings editor.
  • .vmdk and flat.vmdk The virtual disk files which stores the contents of the Virtual Machine’s hard disk drive. VMDK files have a maximum of 2GB each. VMDK files point to the partitions on a physical disk if the virtual machine is installed on a physical disk rather than a virtual disk.
  • .nvram Stores the virtual machine’s BIOS.
  • .log A log of virtual machine activity – useful for troubleshooting.
  • .vmsd Stores snapshots.
  • .vswp Swap files used to reclaim memory
Virtual machine files, as displayed in the Datastore Browser
Virtual machine files, as displayed in the Datastore Browser

You can view the full list of virtual machine files by clicking by clicking Summary Tab > Resources Pane > (right click) Datastore > Browse Datastore, or by selecting the Inventory Pane > Virtual Machine > Storage Views Pane > Show All Virtual Machine Files.