Wednesday, January 20, 2016

vSphere 6 - Add an ESXi host to vCenter

In a previous blog post, we installed vCenter so we would have a single point from which we could manage our ESXi hosts (rather than connecting to each one individually, with, for example, the vSphere Client).

In this blog post, I'll demonstrate how we can add an ESXi host to the vCenter Web Client management interface.

***

First, we connect to the vSphere Web Client as we did in previous blog posts, either with local credentials or Active Directory (etc.) credentials. On the Home tab, we highlight "Hosts and Clusters".


Then we have to create a datacenter in which we will place the ESXi hosts. There are a number of methods to accomplish this task. We can right-click on the instance of vCenter in the navigator pane and select "New Datacenter" or select "New Datacenter" under "Actions" (option shown below): 



We provide a name for the Datacenter. I'll call mine "HQ":



Now we have a datacenter named "HQ":




Next, we add an ESXi host to the datacenter (Actions - Add Host):




We can enter the IP address or the name of the ESXi host (if DNS is configured):





We need to enter the username and password for an administrator account on the ESXi host to connect. Here I simply use "root":




This security alert will display:



How can I tell if I am adding the correct ESXi host to vCenter and not some other device? If our security requirements are strict, we can double-check by comparing the thumbprint shown above and the thumbprint in the settings of the ESXi host. In this case, we can see that they are identical:
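The same comparison can be scripted. This is an added example, not part of the original post: it hashes the certificate a host presents and compares it with the thumbprint read on the ESXi host itself. It assumes the thumbprint is the colon-separated SHA-1 hex form and also accepts SHA-256; the function names and sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import ssl

HEX = set("0123456789ABCDEF")

def thumbprint(der_cert: bytes, algorithm: str = "sha1") -> str:
    """Colon-separated, upper-case hex digest of a DER-encoded certificate."""
    digest = hashlib.new(algorithm, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(displayed: str) -> str:
    """Strip separators from a thumbprint copied from a dialog or console."""
    cleaned = "".join(ch for ch in displayed if ch not in ": -\t\r\n").upper()
    if len(cleaned) not in (40, 64) or not set(cleaned) <= HEX:
        raise ValueError("not a SHA-1 or SHA-256 thumbprint: %r" % displayed)
    return cleaned

def matches(der_cert: bytes, displayed: str) -> bool:
    """True only if the certificate hashes to the thumbprint read on the host."""
    expected = normalize(displayed)
    algorithm = "sha1" if len(expected) == 40 else "sha256"
    actual = normalize(thumbprint(der_cert, algorithm))
    return hmac.compare_digest(actual, expected)

def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the certificate a host presents; nothing is trusted at this point."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)

# Constructed stand-in for DER certificate bytes so the example runs offline.
SAMPLE_DER = b"abc"
# Constructed value standing in for the thumbprint read on the host's console.
SAMPLE_ON_HOST = "A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D"

if __name__ == "__main__":
    print(thumbprint(SAMPLE_DER))
    print("match" if matches(SAMPLE_DER, SAMPLE_ON_HOST) else "MISMATCH")
```

Against a real host, pass `fetch_der("<esxi-host>")` as the first argument and the value read at the host's own console as the second; a mismatch means the certificate reached over the network is not the one that host holds.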




Next, we see a summary of the host settings:



We assign a license to the host (in my case, an evaluation license):



We can configure "lockdown mode" (see the description below). In my case, I will leave it disabled:



I select the datacenter. In my case, the choice is easy since I only have one datacenter: HQ.




The following overview displays:



If we highlight the host, we can see, under the Summary tab, details about the resources of the host:



Sunday, January 17, 2016

vSphere 6 - Single Sign-On with Active Directory

In my previous blog post, I explained how we can access the two vCenter management interfaces: the "WebClient" or the legacy client.

Once logged on, we can, in the Administration section, create other vCenter user accounts with various permissions.

However, many organizations will choose to manage vCenter with groups already existing in Active Directory (or another directory service). It seems more efficient, especially in the case of numerous users, to use existing accounts rather than recreating another username/password combination for all those accessing vCenter.

There is a prerequisite: we have to configure vCenter to allow access to Active Directory users or, better yet, to Active Directory groups that correspond to the vCenter roles their members will be assigned.

Such a configuration is the subject of this blog post.


***


First, we access the vCenter Web Client with the credentials entered during the installation process and go to the Administration section:




We want to configure Single Sign-On with Active Directory so we go to the Configuration section designated by the red arrow (below) and then click on the green plus sign:




As the name of the tab suggests, we are going to add another "Identity Source":



We could select individual users from Active Directory but it is usually more efficient to create an Active Directory group and add users designated as vSphere administrators to that group. We then add that Active Directory group to the vSphere administrators group (in vCenter).

***


So here, I briefly pause the action on the vCenter side and go to Active Directory where I will create a group for vSphere administrators and add a user to that group:



Note: please consult other sources if you need step-by-step directions for creating Active Directory users and groups.

***


Now I return to vCenter where I enter the following information. You would enter values appropriate for your organization:


Some comments:
  • I select the option "Active Directory as an LDAP Server". You could consider Integrated Windows Authentication also.
  • Some settings are optional (those left blank).
  • I created an Active Directory service account named "vcenter" that vCenter will use to access Active Directory and in particular, perform LDAP queries.

I then click on "Test Connection". If everything is properly configured, we should see this:




Optionally, we can make myvmlab.lan (adjust accordingly for your domain) the default identity source (or default domain):






Now that we can access Active Directory, we will add the vSphere_Admins Active Directory group to the vCenter Administrators group shown below. We go to the "Users and Groups" section of the Administration area, select "Administrators" and then click on the add group members icon (blue arrow):




We then select the domain from which we want to add users (blue arrow below), opt to show groups first and then select (in my example) vSphere_Admins. Lastly, we click on the Add button (red arrow):



Now the vSphere_Admins Active Directory group (and indirectly, any members) is part of the vCenter Administrators group:



If we consult the Roles section, we can observe that the vCenter Administrators group (of which vSphere_Admins is now a member) holds the Administrator role which essentially grants full control over the vSphere environment:



When we log on again, we can now do so as (in my case) "vadmin", which is a member of the vSphere_Admins group:




We can verify that we are connected with our Active Directory credentials by observing the user indicated in the upper right-hand corner of the Web Client interface:




Wednesday, January 13, 2016

vSphere 6 - "WebClient" and legacy client

Now that we have installed vCenter Server, we can use it to manage our vSphere environment. In particular, we can use it to manage ESXi hosts, something that I will examine in a later blog post.

For now, I want to demonstrate how we can access vCenter.



WebClient

The primary management interface for vCenter 6 is the "VMware vSphere WebClient" that we can access by clicking on the Start Menu icon in the location shown below:


This takes us to the URL that we can see in the shortcut properties:



As with the legacy interface, we will encounter warnings about the default self-signed certificate not being trusted:



Since this is our server, it is safe to continue...

But there are still obstacles to overcome:



This message is preceded by another that disappears almost instantly but informs us that the VMware web client cannot function without Flash (11.5 or above).

Note: this requirement has inspired many negative comments from numerous vSphere administrators:

https://blogs.vmware.com/vsphere/2015/02/vsphere-6-web-client.html


So I install Flash (for IE 11 - the browser used above) but... it still does not work (same error message).

So... I install Google Chrome...

OK, now I make some progress:



Strangely, I made this attempt (using the URL in the shortcut properties above) before installing Flash for Chrome (and I even uninstalled the Flash version for Windows "just to be sure"). In fact, I was successful because Chrome has included Flash as part of the browser rather than as a separate component we need to add in "Programs".

Regardless, I can log on using the username in the format below (followed by the password entered for the administrator during the installation of vCenter):

vsphere.local\administrator

or

administrator@vsphere.local


That does allow me to log in. You'll see the web interface in a later blog post when I demonstrate how to configure Single Sign-On.





Legacy client

We can also connect to vCenter using what I will call the "legacy" client. There is a file included in the vCenter 6 .iso that we can extract (with the rest) and execute:



The installation process is very simple (Next, Next, Next, etc.) so I will not present the step-by-step instructions here. I will note that, when logging in, you may have certificate errors that can be eliminated by indicating you are willing to trust the built-in certificate, for example:




Otherwise, when we open the client to log on, we see a warning that the legacy client only allows us to manage features that existed with vSphere 5. If we want to manage newer features, we have to use the web client.




For your information, this is what the legacy client looks like once we are connected:




In the following blog posts, I will use the "WebClient" because we have no other choice if we want to manage features introduced since vSphere 5.0 (unless we are proficient at the command line).