So your trying to import a signed certificate that was created with the certificate signing request (CSR) you get an error in vCenter Orchestrator Configuration about the cert not being the correct format. If your using Microsoft Active Directory Certificate Services here are the exact steps:

1. Export a certificate signing request from the VMware vCenter Orchestrator Configuration: Server Certificate area (goto http://vco-server:8282 then click Server Certificate on the left).  If this option isn’t displayed select the option to install a self signed certificate and then you will get the option to export a certificate signing request.
2. Copy and paste the contents of the CSR file you downloaded from vCO Config area to your Cert Server web interface (http://CERTSERVER/certsrv).
3. Select Web Server from the drop down and submit.
4. Now ensure DER encoded is selected and download the certificate chain.
5. Change the file extension on the file you just downloaded from .p7b to .csr
6. You should now be able to upload it immediately using the “Import certificate signing request signed by CA” option inside the VMware vCenter Orchestrator Configuration: Server Certificate area (again goto http://vco-server:8282 and select Server Certificate on the left)
7. You get a green bubble by Server Certificate and everything is happy.

VMware posts security advisories to notify users of any vulnerabilities or other security issues that effect their products.  You can subscribe to be notified via email whenever they post a new advisory.  Keeping on top of these security advisories so you can evaluate each one and understand any risks is important as a VMware Administrator.

These advisories are posted in a couple of places:

• http://www.vmware.com/security/advisories/
• http://lists.vmware.com/mailman/listinfo/security-announce

So a user account is getting locked out from your vCenter server?  Check the windows security event logs, they typically clearly point out the culprit.  If they are not much help you can start with the common things that are applicable for any server causing account lockouts:

Services

These can be running under the locked out user account

Persistent Drive Mappings

Using the locked out user account credentials

Disconnected TS/RDS Sessions

A process can be running that is using the locked out user credentials

ODBC Connections

Ensure you did not use the user account that is being locked out for an ODBC connection for the vCenter database

Scheduled Tasks

Scheduled task(s) can be setup to run as the locked out user

Once you’ve exhausted all of that…

VMware Specific Areas to Check

vSphere Client

Can be running with out of date credentials and caused the lockout, you can use the sessions area in vCenter to check for active sessions

vCenter Plugins

Guided Consolidation

Uses a specified user account to poll servers to see if they are good candidates for virtualization

Update Manager

Has a proxy configuration area you can define a user account to login to the proxy with

VMware Data Recovery

Data Recovery uses stored credentials to connect to vCenter, ensure the specified user isn’t the one being locked out

NetApp’s Vitual Storage Console

I don’t think there is specifically a place you can have cached credentials in here, but I registered this to my vCenter using my account and it ultimately ended up locking me out about a month later when I changed my password due to expiration

Still Stumped?

Look at any Monitoring Tools (especially trials and free utilities you may have forgotten about) you ever installed on the box that might be running with the locked out user account: Veeam tools, vKernel tools, Vizioncore tools, Quest vFoglight Quick View, etc.  You can always disable services and wait to see if the lockouts continue if you really get stumped.

First please know that vCenter being down does not take your whole vSphere environment down.  It limits you on creating new tasks (like deploying a new VM from template) until vCenter is back up.  When vCenter is down HA/FT continue to function.

Physical or Virtual

vCenter is the heart of VMware’s virtualized infrastructure, but many folks are reluctant to virtualize their vCenter.   Running vCenter as a VM is completely supported by VMware.  You get all kinds of benefits from running vCenter as a Virtual Machine:

• HA will also protect vCenter in the event the host it is running on goes down
• You can vMotion vCenter from one host to another for maintenance and other things
• Prior to upgrading vCenter to a newer version you can snapshot to help with rolling back more easily
• Best of all–You gain the benefit of virtualizing yet another system and move towards virtualizing 100% of your data center.

If you are thinking about Virtualizing vCenter glance over this page out of the VMware Library:
VMware Online Library: Install vCenter Server in a Virtual Machine

High Availability

First the biggest thing is that you should remember  HA/FT will continue to operate without vCenter–all decisions will be made using a snapshot of what the extra resources were in the cluster prior to vCenter going down.

Lets look at the major things vCenter does:

• VMware Distributed Resource Scheduler (DRS)
• VMware High Availability (HA)/Fault Tolerance (FT) – Configuration
• VMware VMotion + Storage VMotion
• VMware Update Manager (Guest and Host)

After reviewing those items–does anything stick out that makes you think vCenter needs to be up 24/7?  Would HA be sufficient protection so you only have a small amount of downtime in the event the host running your vCenter VM went down?  I think yes.

Clustered?

You can look into vCenter Server Heartbeat, this is licensed as an addon to vCenter.  vCenter Server Heartbeat is basically an Active/Passive cluster for vCenter that can be setup to run locally or across your WAN.  vCenter Server Heartbeat also has the advantage that it can protect more then just the vCenter, it also protects the addons like vCenter Converter and vCenter Update Manager–even Guided Consolidation can be protected.  It is more costly then just running vCenter as a VM and protecting it with HA but the benefit of having an Active/Passive clustered vCenter + addons across the LAN/WAN may be beneficial for your organization.

Microsoft Cluster Services / Veritas Cluster Services

vCenter can be protected via “third party solutions” such as MSCS or VCS and VMware will support you to some degree but they do not certify these configurations.  If you have an issue VMware may determine the cause to be the third party software and not be of much assistance beyond that…  If you are thinking of going this route read over this VMware KB: Supported vCenter Server high availability options

Disable Screensavers

Disabling the screensaver saves valuable resources, also note that VMware KB 9275881 recommends disabling the Logon Screensaver as well.

You can disable the login screensaver via the registry: “HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaveActive” should be set to 0

Set Visual Effects for Performance

These are unnecessary effects that waste CPU cycles, things like the fades transitions for windows and shadows under windows.  You can change this setting under Control Panel -> System -> Advanced -> Performance Settings

Disable Indexing

If you don’t need it disable it–you can stop the service to kill it entirely across the whole VM, or on a drive by drive basis by right-clicking and selecting properties.  There is an option to index or not to index the drive.

Make sure VMware Tools is installed/running

This is more for remote control performance, VMware Tools improves the mouse greatly–also make sure you set the Hardware Acceleration to full

Use VMXNET Network Adapters

VMware Tools is a requirement for VMXNET Adapters, they are the best performing network adapters

Uninstall Unnecessary Hardware/Software

If the VM was P2V’d chances are it has things like OpenManage and Broadcom/Intel related software for the old physical NICs.  You should remove this extra software that is no longer necessary.

Also the old network card is likely still installed, you can remove these by running “set devmgr_show_nonpresent_devices=1” at the command-line then going into device manager, select View -> Hidden Devices and you will now see all that old hardware and can right-click and uninstall.

VMware vCenter Mobile Access (vCMA) is a cool fling from VMware Labs. It allows mobile access to your vSphere environment via your vCenter(s).  Setting up vCMA takes very little effort as it is packaged as a virtual appliance.  You simply download vCMA as an OVF, deploy the OVF Template, and power on vCMA.  Once powered on, config the network and your ready to go.  Note that vCMA does not use a service account or static connector to vCenter, each user will login to vCenter via vCMA with their own credentials–think of vCMA as a web-based version of the vSphere  Client.

Read the rest of this entry »

With how many hits my 2008 R2 walkthrough got, I figured it was about time I do one for 2003 R2.

Remember to setup vCenter for Guest Customizations by placing the sysprep files for all the various versions of Windows in the proper locations, refer to this VMware KB Article for locations and instructions: VMware KB:1005593

Give your feedback, if you don’t agree with something let me know!

Read the rest of this entry »

Checkout this awesome new Fling from VMware Labs, it’s called InventorySnapshot.   Basically what it does is allows you to snapshot your vCenter and reproduce it on another vCenter.  Say you were doing an out of place migration and didn’t want to bring your old database along for some reason, or just in your lab trying to replicate your production config.  You don’t have to reproduce all the objects though, you can specifically restore just Resource Pool settings, DRS settings, Roles & Permissions, or again the whole damn inventory.

InventorySnapshot supports reproducing the following vCenter objects:

• Datacenter Folders
• Datacenters
• Clusters
• Resource Pools
• vApps
• Hierarchy
• Roles & Permissions
• Configuration Settings
• Custom Fields

As you can see the only major item they are missing is Alarms, which they are working to support. The developers Balaji Parimi and Ravi Soundararajan did an excellent job documenting their Fling with a 17 page doc, they took the time to write a large troubleshooting and layout a few caveats/known bugs. Read the rest of this entry »

Slow Clones?  Deploying from Template Slow?

Before we dive into the tips do yourself a favor checkout these VMware KB Articles first:

• VMware KB 1004002 – Diagnosing slow deployment of templates or clones from vCenter Server
• VMware KB 1004028 – Deploying a single template is slow
• VMware KB 1003469 – Tuning ESX for better storage performance by modifying the maximum I/O block size

Read the rest of this entry »

VMware has an blog area dedicated to publishing Resolution Maps to assist you in problem resolution.  Now they are interactive Flash-embedded PDFs that you can drill down through to find resolutions for problems you are having.

Two new ones recently posted:

Troubleshooting vSphere Network Issues which covers:

• Performance
• Host Connectivity
• Guest (VM) Connectivity
• vSwitch

Troubleshooting vSphere Management Issues which covers:

• Performance
• High Availability
• Templates
• vMotion
• Host Disconnects/Hosts Won’t Connect
• VMs Won’t Start/Stop

Browse around and find more Resolution Maps covering: Update Manager, Fusion