
Tag Archives: Install


It seems to have become something of a tradition for me to apologize for delayed updates every time I start a new post. The truth is that it has happened with all the recent posts. -_-b

I am currently focused on the VCAP-DCA exam, so does that excuse me a little? :p

Anyway, welcome to my post, and I will keep updating as best I can. Today we are going to talk about migrating ESX 3.5 to vSphere with PowerCLI.

Environment & Goal:

Let me introduce the environment first.

The old environment:

We have 7 ESX 3.5 hosts with 100 VMs running on them, using SAN-based datastores. One physical server runs vCenter 2.5.

The new environment:

All hosts will be upgraded to ESXi 4.1 U1, and vCenter will be upgraded to the latest version as well. The new environment uses the same SAN datastores, which is a plus in this migration.

Migration Steps

The following diagram gives a brief idea of how I did the migration. It is a fairly big picture, so please be patient while it loads.

upgrade to vsphere diagram

Using Powercli to help you

First of all, PowerCLI is a powerful tool. But I have to mention that sometimes it is much easier to use the GUI, which drives the same internal cmdlets and scripts to do the job. However, for some steps PowerCLI can make full use of the resources and get the job done faster and more efficiently.

I am going to describe the "Second week" work from the diagram above using PowerCLI.

Preparation Stage

Powercli

Of course, you need to download and install PowerCLI first. You can find PowerCLI on the VMware website, or here.

If you want, you can download the VMware Update Manager PowerCLI snap-in as well, from here.

After you install PowerCLI, run it.

You may encounter this error when you run it, regardless of whether it is the 32-bit or 64-bit version.

powercli_001

All you need to do is run the following command:

powercli_002

Then close PowerCLI and run it again.

Scripts:

To do these jobs, you will find the following scripts very handy.

Upgrade-vHardware_Templates

upgrade-vhardware_vm

These are very good scripts, although they are not watch-free: they do require some modification, and you have to intervene manually when they get stuck from time to time.

What we need to do

The following steps are what we are trying to do this week.

1. 20 VMs need to be migrated to the new vCenter.

There are 20 test VMs currently running on the old hosts. Since both the old and the new environment share the same datastores, we can just shut them down and register them in the new vCenter.

1.1 Connect to vCenter

Connect-VIServer your_vCenter

Note: You can connect to a host directly, but we are working against vCenter since the VMs are spread across multiple hosts.

powercli_003

1.2 Create a new folder so I can operate on all the VMs at the same time.

You need to make sure it is a "blue" folder (a folder in the VMs and Templates view), not a yellow folder (a host and cluster folder), because Move-VM and Get-VM -Location below work on VM folders.

In this example, I found a blue templates folder, so I will create the migration folder beneath it.

New-Folder -Name migration -Location templates

1.3 Move all test VMs to this folder

Move-VM -VM yourvmname -Destination migration

Replace yourvmname with each VM you want to move. If a VM has a long name, you can use yourvmname* instead of typing the rest of the name, but check what the wildcard matches first so you do not move a VM with a similar prefix by accident.

Use the following command to check whether all the VMs are in the "migration" folder:

Get-VM -Location migration

1.4 Create an old_vmtools folder in the new vCenter

Do the same as above and create a new folder in the new vCenter called "old_vmtools" to receive those VMs.

1.5 Stop all test VMs

You need to stop the VMs in the old vCenter so you can import them into the new vCenter.

You will love this with PowerCLI:

Get-VM -Location migration | Shutdown-VMGuest

Shutdown-VMGuest asks VMware Tools inside the guest for a clean shutdown and returns immediately, so check the power state before you go on. You can use Stop-VM instead, but that powers the VM off at once, like pulling the plug, and can leave the guest file system inconsistent.

1.6 Import the VMX files into the new vCenter

You can do this step with a script, but it is too much trouble. It is easier to do it manually on the new vCenter through the GUI: browse the datastore, right-click each .vmx file and add it to the inventory. When you import them, make sure you put them in the "old_vmtools" folder.

1.7 Install VMware Tools

You must install VMware Tools before you upgrade the virtual hardware version.

Get-VM -Location old_vmtools | Start-VM

Here is a fork in the road. Either use the upgrade-vhardware_vm script, which installs VMware Tools and upgrades the virtual hardware in one go, or install VMware Tools manually first and then use the script only to upgrade the virtual hardware.

To be safe, I took the second route.

You can just click the folder name in vCenter, choose the "Virtual Machines" tab in the right-hand pane, hold Shift to select all the VMs, and right-click to choose:

powercli_004

It will upgrade VMware Tools on all the VMs automatically. Wait 30 minutes and come back.

You may notice that some VMs failed the upgrade.

Open the console of those VMs and choose VM -> Install VMware Tools from the menu. It automatically mounts the VMware Tools installation ISO on the VM's CD-ROM.

Open a command prompt, change to the CD-ROM drive, and run:

d:\setup /c

This removes the old VMware Tools manually. Then install it again:

d:\setup

1.8 Upgrade the virtual hardware

After making sure all the VMs have the new VMware Tools, you can safely use the script to upgrade the virtual hardware.

All you need to do is download the script, change the extension from .docx to .ps1, and copy it to the server where PowerCLI runs.

In PowerCLI, just type the name of the script and run it.

powercli_005

The script asks which vCenter and which folder the VMs sit in. Answer those questions and the script will stop the VMs one by one, check the virtual hardware version, upgrade it if it is old, and restart the VM.

Note: sometimes the guest shutdown takes too long before the script tries to convert the hardware version, so the script gets stuck. Then you need to upgrade the hardware version and start the VM manually.

1.9 Remove the old VMs from the old vCenter

On the old vCenter:

Get-VM -Location migration | Remove-VM

Without -DeletePermanently, Remove-VM only unregisters the VMs from the inventory; the .vmx and .vmdk files stay on the shared SAN datastore, which is exactly what we want since the new vCenter is now using them. Do not add -DeletePermanently here.

2.0 Move the VMs to the test folder

On the new vCenter:

Get-VM -Location old_vmtools | Move-VM -Destination test_folder
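The steps above, as one added PowerCLI script. This is not code from the original post or from the ict-freak scripts it links to; it runs the section-1 steps together and adds the checks the post says it had to do by hand: a bounded wait for the guest shutdown to really finish, and a hardware upgrade only on VMs whose VMware Tools are already current. All names are placeholders and assumptions, not from the post: PowerCLI 4.1, an old vCenter 'vc-old' with the test VMs in the blue folder 'migration', and a new vCenter 'vc-new' where the folders 'old_vmtools' and 'test_folder' already exist. Registering the .vmx files on the new side is left to the GUI, as the post recommends.

```powershell
# Added example (not from the original post). Placeholder names: vc-old, vc-new,
# folders migration / old_vmtools / test_folder. Assumes PowerCLI 4.1.
$oldVC = Connect-VIServer -Server 'vc-old'
$newVC = Connect-VIServer -Server 'vc-new'

# ---- Old vCenter: graceful shutdown with a bounded wait, then unregister (never delete) ----
$vms = Get-VM -Location (Get-Folder -Name 'migration' -Server $oldVC) -Server $oldVC
$vms | Where-Object { $_.PowerState -eq 'PoweredOn' } |
    Shutdown-VMGuest -Confirm:$false | Out-Null      # asks Tools for a clean shutdown, returns at once

$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 15
    $stillOn = @($vms | ForEach-Object { Get-VM -Id $_.Id -Server $oldVC } |
                Where-Object { $_.PowerState -eq 'PoweredOn' })
} while ($stillOn.Count -gt 0 -and (Get-Date) -lt $deadline)

if ($stillOn.Count -gt 0) {
    # Guests that ignored the shutdown request (no Tools, hung OS) are reported, not force-killed:
    # Stop-VM is the "pull the plug" call the post warns about, so it stays a per-VM manual decision.
    throw ("Still powered on after 10 min, resolve by hand and re-run: " + ($stillOn.Name -join ', '))
}

# Keep a checklist of .vmx paths for the manual import before the inventory entries disappear.
$vms | Select-Object Name,
                     @{ n = 'VmxPath';   e = { $_.ExtensionData.Config.Files.VmPathName } },
                     @{ n = 'HwVersion'; e = { $_.Version } } |
    Export-Csv -Path 'migration-inventory.csv' -NoTypeInformation

# Without -DeletePermanently, Remove-VM only drops the inventory entry; the files stay on the
# shared SAN datastore for the new vCenter to register. Never add -DeletePermanently here.
$vms | Remove-VM -Confirm:$false

Read-Host 'Register each .vmx from migration-inventory.csv into old_vmtools on vc-new, then press Enter' | Out-Null

# ---- New vCenter: power on, upgrade Tools, then upgrade hardware only where Tools is current ----
$oldToolsFolder = Get-Folder -Name 'old_vmtools' -Server $newVC
Get-VM -Location $oldToolsFolder -Server $newVC |
    Where-Object { $_.PowerState -ne 'PoweredOn' } | Start-VM -Confirm:$false | Out-Null
Start-Sleep -Seconds 120                                   # let the guests boot and Tools report in

# Update-Tools reboots the guest itself unless -NoReboot is given; the reboot is wanted here.
Get-VM -Location $oldToolsFolder -Server $newVC |
    Where-Object { $_.ExtensionData.Guest.ToolsStatus -ne 'toolsOk' } | Update-Tools

$upgraded = @(); $skipped = @()
foreach ($vm in Get-VM -Location $oldToolsFolder -Server $newVC) {
    $tools = $vm.ExtensionData.Guest.ToolsStatus
    if ($tools -ne 'toolsOk') { $skipped += "$($vm.Name) (Tools: $tools)"; continue }
    if ($vm.Version -eq 'v7') { $upgraded += $vm.Name; continue }   # already vSphere 4 hardware

    Shutdown-VMGuest -VM $vm -Confirm:$false | Out-Null
    $deadline = (Get-Date).AddMinutes(5)
    while ((Get-VM -Id $vm.Id -Server $newVC).PowerState -eq 'PoweredOn' -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 10
    }
    if ((Get-VM -Id $vm.Id -Server $newVC).PowerState -eq 'PoweredOn') {
        $skipped += "$($vm.Name) (shutdown timed out, upgrade by hand)"; continue   # the hang the post describes
    }
    Set-VM -VM $vm -Version v7 -Confirm:$false | Out-Null     # hardware upgrade needs a powered-off VM
    Start-VM -VM $vm -Confirm:$false | Out-Null
    $upgraded += $vm.Name
}

# Only VMs that completed every step move to the final folder; stragglers stay visible in old_vmtools.
Get-VM -Location $oldToolsFolder -Server $newVC | Where-Object { $upgraded -contains $_.Name } |
    Move-VM -Destination (Get-Folder -Name 'test_folder' -Server $newVC) -Confirm:$false | Out-Null

"Upgraded: $($upgraded -join ', ')"
"Needs attention: $($skipped -join ', ')"
```

The two places where the post says the scripts "get stuck" are exactly the two shutdown waits: both are bounded and end in a list of VMs to deal with by hand rather than a forced power-off of everything in the folder.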

Here it is. It is pretty easy and simple to do the job with PowerCLI.

Please leave comments as usual. Thanks for reading.

Reference:

http://ict-freak.nl/2009/06/27/powercli-upgrading-vhardware-to-vsphere-part-1-templates/


So this is the last part of this series. Hopefully I don't need to write another post.

In the previous post, I discussed how to install and configure Trend Micro Deep Security 7.5 on vShield. This post will talk a little more about configuration, followed by a performance review.

In my last post, I installed vShield Zones on the host, installed DS Manager on one of my VMs (which is also the vCenter server), and pushed the DS Virtual Appliance onto one of the hosts.

Then I changed the IP and network configuration on the DS VA and activated it from DS Manager.

Please be aware that the Security Policy plays an important role in DS. You need to make sure all protected VMs have the correct Security Policy assigned.

Once you have finished with the VA, we can go back to DS Manager and take a quick look.

I would like to list some common issues you may encounter.

ds-01

If the Anti-Malware status is not "Capable", it means vShield Endpoint is not installed on this ESX host.

ds-02

If Anti-Malware is on but the colour is blue, it means you haven't assigned the correct policy to this VM. By default there is no policy at all. Just right-click the VM and follow the instructions.

ds-03

ds-04

You had better create your own policy before you apply one. Some default policies (like the Windows 2003 one) don't have all protection enabled and don't allow certain protocols (e.g. RDP). The best way is to make a copy of an existing policy and customize that copy for yourself.

The next step is to prepare your VMs. All you need to do is install the vShield Endpoint driver (the thin agent) and the DS Agent. Once you finish the installation, you must reactivate the VM from DS Manager so that DS Manager re-checks the VM's status.

ds-05

If you have installed both agents and applied the right policy, reactivate the VM from DS Manager. You should see something like this in DS Manager.

ds-06

Everything should be green and the Agent should be running. Your VM is then protected at each level by both the Appliance (working with vShield Endpoint) and the Agent.

One more thing: when you install the DS Agent, you need to copy the installer to the VM's local disk and install from there. Otherwise you will encounter this error.

ds-27

Virus download test

I have a protected VM with all features turned on. Let's see how it reacts when I try to download a virus sample file from the Internet.

ds-26

It actually worked!

Does Deep Security actually reduce resource consumption?

Here is the big question. The reason we spent so much time deploying this product is the claim that it saves resources compared with a traditional AV solution. Let's take a look.

I installed OfficeScan on one of the test machines. I monitored the CPU, memory, disk and network consumed by both the test VM and the host as a baseline. Then I scanned the VM once with OfficeScan and once with DS.

Protected VM CPU

Protected VM CPU with OfficeScan

ds-07

CPU: 50% of one core, for 10 minutes.

Protected VM CPU with DS

ds-13

ds-14

Only 22% CPU, compared with 50% for OfficeScan.

Note: I ran this test twice.

Protected VM DISK

Protected VM disk with OfficeScan

ds-08

Disk: 5000 KBps for 10 minutes.

Protected VM disk with DS:

ds-15

It is very interesting to see disk activity on the first run but nothing on the second. The reason is that the first run already loaded the disk data into memory, so it doesn't need to load it again the second time. This supports the theory that DS loads the data into memory and scans only memory. The DS scan finished in 4.5 minutes.

Protected VM Memory

Protected VM with OfficeScan

ds-09

Memory: consumed memory is 1.25 GB, and active memory is 4 GB.

Protected VM with DS

ds-25

50% of active memory for 4.5 minutes. I ran it twice.

Protected VM Network

Protected VM with OfficeScan

ds-10

Network: OfficeScan contacted the OfficeScan server at the beginning, then went quiet.

Protected VM Network Activity with DS:

ds-16

There is almost nothing on the network. It means DS uses the ESX module to scan memory directly; it doesn't go through the normal network channel. Because it uses a similar idea to a vSwitch, I call it a protected vSwitch channel.

From the protected VM's point of view, resource consumption is almost 50% lower and the scan takes only half the time.

Because using DS actually means the Deep Security Virtual Appliance does the scanning, we need to take a look at the DS VA as well.

DS VA CPU:

ds-17

The truth behind the scenes is that the DS VA is actually scanning the data instead of the protected VM. That's why you see low utilization on the VM: all it did was load the data into memory and call the vShield Endpoint driver to let the DS VA scan it.

DS VA Disk:

ds-18

Almost no disk activity on the VA.

DS VA Memory:

ds-19

It consumes 1.5 GB of memory on the VA, which is understandable.

DS VA Network:

ds-20

This is very interesting. According to this chart, network activity on the DS VA is very high during scanning. It means vShield Endpoint opens a port for all the VMs sitting on that protected vSwitch, not just for the DS VA.

ds-21

This is the vSwitch that vShield Endpoint uses. It is just a normal vSwitch and you can add adapters to it if you want. That does raise my concern about whether this could be a potential security breach.

Here is the moment of truth. Will DS actually save resources from the ESX host's perspective?

The following is the data from the physical ESX host:

ESX CPU utilization

ESX CPU with OfficeScan

ds-22

4% of total CPU on the ESX box. Nothing else was running on that host.

ESX Host CPU Performance on DS

ds-23

It does finish the scan in half the time, but it actually uses 6% of the CPU. Be aware this does not include the ESX host's own CPU overhead. It is 2% higher than OfficeScan.

ESX Disk with OfficeScan

ds-12

Disk activity on the ESX host.

ESX Disk activity with DS

ds-24

It is the same disk activity but with half the loading time.

There is not much point checking memory, since everything is happening in memory: just one module scanning another chunk of memory on the host. That's all.

Conclusion:

Let's sum up what we have learned from this data. Please be aware that I only tested a single-machine scan.

Resource consumption:

ESX host            OfficeScan    DS 7.5
CPU utilization     4%            6%
CPU time            10 mins       4.5 mins
Disk utilization    200 CMD/s     200 CMD/s
Disk time           10 mins       4.5 mins
Memory              Same          Same
Network             0             0 (nothing on the pNIC)

It does seem that host CPU consumption is higher with DS than with OfficeScan.

But it seems the DS VA doesn't support scanning multiple VMs at the same time. If that's the case, a host can hold about 30 VMs at most, and DS Manager will schedule the scans of all the machines at different times.

This is the end of this session for this year!

I wish everyone a wonderful Christmas and a Happy New Year!!


In my previous post, I described vShield Endpoint. In this post, I will talk about the only real product that is actually using, and designed around, this concept: Trend Micro Deep Security 7.5.

Before I start rolling out the details, I would like to thank Trend Micro Australia for the support they gave me when I got stuck. Thanks, guys.

trenddp_08

What can Trend Micro Deep Security 7.5 do?

The first time I saw this product was at a VMware seminar. A Trend Micro representative stood on stage and demonstrated how Deep Security could scan using only 20% of the resources in a virtualized environment. That was mind-blowing, because imagine VDI desktops and VMs all kicking off a scheduled scan at the same time: how much pressure would that put on the ESX host? This product only works with vSphere 4.1. It uses vShield Endpoint and must use vShield Endpoint to do its job. Well, at least that's what Trend Micro claimed. So is it true? Please continue reading.

Note: DS 7.5 is really designed only for VM environments, which means it is not a complete solution at this stage. If you want to protect your physical boxes or workstations, you had better still use the OfficeScan product.

Deep Security provides comprehensive protection, including:

  • Anti-Malware (detect and clean viruses)
  • Intrusion Detection and Prevention (IDS/IPS) and Firewall (malicious attack pattern protection)
  • Web Application Protection (malicious attack pattern protection)
  • Application Control (malicious attack pattern protection)
  • Integrity Monitoring (registry and file modification tracing)
  • Log Inspection (inspects logs and events on the VM)

The interesting thing about DS 7.5 and vShield Endpoint is that neither product can provide a complete solution for end users on its own. Each plays a certain role in the system, so the result is actually the combination of both pieces of software.

Let's take a look at a clear table.

trenddp_09

Note:

My suggestion for the installation is to install both the vShield Endpoint agent and the DS Agent on your VMs. That's the only way you can fully protect your VMs.

Components of Deep Security 7.5

Deep Security consists of the following components, which work together to provide protection:

Deep Security Manager, the centralized management component which administrators use to configure security policy and deploy protection to the enforcement components: the Deep Security Virtual Appliance and the Deep Security Agent. (You need to install it on a Windows server.)

Deep Security Virtual Appliance is a security virtual machine built for VMware vSphere environments that provides Anti-Malware, IDS/IPS, Firewall, Web Application Protection and Application Control. (It is pushed from DS Manager to each ESX host.)

Deep Security Agent is a security agent deployed directly on a computer which provides IDS/IPS, Firewall, Web Application Protection, Application Control, Integrity Monitoring and Log Inspection. (It needs to be installed on the protected VMs.)

As a matter of fact, you need to download the following files from the Trend Micro website. Don't forget to download the filter driver, which will be pushed from DS Manager to each ESX host.

trenddp_10

Architecture of Deep Security 7.5

Let's take a look.

trenddp_02

There should be only one DS Manager unless you want redundancy.

The ESX host must have vShield Endpoint installed.

Each ESX host has its own virtual appliance.

Each VM should have both the vShield Endpoint agent and the DS Agent installed.

How does Deep Security 7.5 work?

trenddp_16

For malware and virus checks:

DS uses vShield Endpoint to monitor the protected VM's memory. The vShield Endpoint agent (also known as the vShield Endpoint thin driver) opens a special channel that allows the DS virtual appliance to scan the VM's memory via a special vSwitch running at the ESX kernel driver layer.

Since VMware needs to guarantee the isolation of each VM's traffic, memory and disk, and no other application should be able to breach that protection, vShield Endpoint is effectively a back door opened by VMware to let a third party scan VM content legitimately and in a controlled way.

For registry keys, logs and the other components of the VM, we have to rely on the DS Agent, because vShield Endpoint can only do so much. That's why the solution must combine both vShield Endpoint and the DS Agent.

Install Deep Security 7.5

I did encounter some interesting errors during the installation.

But let's sort out the installation steps first.

  1. Install vShield Endpoint on your ESX hosts.
  2. Install DS Manager on one of your Windows boxes.
  3. Push the Virtual Appliance and the filter driver to each ESX host. This adds an appliance to the vShield protected vSwitch, and the filter driver is loaded into the ESX kernel.
  4. Install the DS Agent and the vShield Endpoint agent on the VMs you want to protect.

Install vShield Endpoint on your ESX hosts

Please click here to see how to do it.

Install DS Manager on one of your Windows boxes

These are easy steps. I believe any admin can do the job well.

Let me skip some of the easy parts.

trenddp_11

Skip, skip.

trenddp_12

Once you finish installing DS Manager, you need to configure it.

trenddp_13 trenddp_14

trenddp_15

This is the really tricky part. What are those IPs for?

The answer is that those IPs must not be in use, and they must be in the same subnet as the rest of your vShield components.

Check out this diagram and find your own vShield subnet.

On your ESX host (which already has vShield Endpoint installed), you should find this.

trenddp_17

So what's your vShield subnet?

The rest is the easy part. Skip, skip.

trenddp_18

trenddp_19

Basic DS Manager configuration

By now you have already connected to vCenter and vShield Manager. You should see something like this.

trenddp_20

Notice that nothing is actually managed and ready yet. That's because you need to "Prepare ESX".

Notice:

Before you "Prepare ESX", you need to make sure vShield Endpoint is already installed and you have already downloaded all the DS components.

trenddp_21

trenddp_22

If you didn't set up your vShield subnet correctly, you will run into this error.

trenddp_23

In my case, I just needed to right-click vCenter -> Properties -> Network Configuration.

trenddp_24

Please be aware that you need to put your ESX host into maintenance mode and restart it in order to push the DS virtual appliance and the filter driver.

trenddp_25

You need to import the downloaded files into DS Manager. If you didn't import them before, you will get another chance to import or download them here.

trenddp_26

As usual, I skip some steps.

trenddp_27

trenddp_28

Here is another tricky bit. Because my ESX host's default IP differs from the DS default, once DS Manager deployed the virtual appliance to the ESX host, the appliance only had a default DHCP address, which was wrong in my case, and its virtual network was wrong too. I encountered this problem.

trenddp_29

All you need to do is jump onto the ESX host, open the virtual appliance's console and change the appliance's IP. The default username and password are both dsva; change that default password as soon as the appliance is on the network, since it sits on the vShield subnet with a well-known credential.

trenddp_30

trenddp_31

Once you have changed the IP, reboot this VM. Then go back to DS Manager and double-click the dsva object to activate it.

trenddp_32

Make sure the security profile is loaded. That's very important!!

trenddp_33

The system will automatically offer you some VMs to protect. You can choose "No" at this stage. Why? Because you haven't installed the vShield Endpoint agent and the DS Agent on your VMs yet.

trenddp_34

By now the installation steps are finished.

In my next post, I will talk about how to configure Trend Micro Deep Security 7.5, with performance results compared against OfficeScan and a virus test.

To finish this post, let me show you a picture of what DS Manager looks like when a VM is fully protected.

trenddp_36

Reference:

Trend Micro Deep Security Installation Guide

Trend Micro Deep Security User Guide


First of all, I would like to apologize for updating my blog late: I was called away last week and was not able to do much.

I'm going to talk about vShield Edge and vApp. First of all, let's review why we need vShield Edge. The last post can be found here.

What is vEdge?

vShield Edge is deployed as a virtual appliance to provide firewall, VPN, web (HTTP only) load balancing, NAT and DHCP services. It eliminates the need for VLANs by creating a barrier between the virtual machines protected by vShield Edge and the external network (port group isolation). It covers these network security needs within virtualized environments:

  • Consolidate edge security hardware: provision edge security services, including firewall and VPN, using existing vSphere resources, eliminating the need for hardware-based solutions.
  • Ensure performance and availability of web services: efficiently manage inbound web traffic across virtual machine clusters with web load balancing.
  • Accelerate IT compliance: get increased visibility and control over security at the network edge, with the logging and auditing controls you need to demonstrate compliance with internal policies and external regulatory requirements.

Why do we need vEdge?

VMware is trying to design a cloud system which an ISP can use to host multiple enterprise clouds in one datacenter.

vshield-edge01

VMware needs a cheap and efficient way to manage the internal network, so that data from different clouds is isolated at the network level but can still be connected under tight control. vEdge lets you isolate different clouds using NAT, load balancing, DHCP and VPN.

Here is a good example of NAT in use. Two test environments coexist on the same network because of the NAT function vEdge provides.

vshield-edge02

With vEdge, you can separate your network tenancies into different connections without a security breach or other threat.

vshield-edge03

Install vEdge

Installing vEdge requires installing the license first. It is in the same location as the licenses for the other vShield components.

vshield-edge04

The next step is to choose which vSwitch (vSS or vDS) you want to deploy vEdge on. Unlike vShield Zones, which can be installed at the vNIC level, vEdge can only be set up on a port group.

vshield-edge05

All you need to do is choose a port group, click the Edge menu on the right-hand side, provide the information for the vEdge VM and click to install.

vshield-edge06

Since vShield Edge is based on a network that spans hosts, only one VM is created and deployed by vShield Manager. The vShield-Edge-DvPortGroup VM can be migrated to another host without any issues.

vshield-edge07

There is an option when you install vEdge on a port group. It's called Port Group Isolation.

You can prepare and install port group isolation on a vDS. It is optional for vEdge and it only works with vDS-based vShield Edge. Port group isolation creates a barrier between the protected VMs and the external network. Only NAT rules or VLAN tags are configured.

At the same time, a new vShield-PGI-dvSwitch is created to handle traffic control. Each port group isolation creates a new VM.

Configuring vEdge

Everyone configures it differently. Please check out the screenshots.

vshield-edge08

Firewall

vshield-edge09

NAT

vshield-edge10

DHCP

vshield-edge11

VPN

vshield-edge12

Load Balancer

The load balancer is only for the HTTP protocol at this stage. It is designed for front-end web servers.

vshield-edge13

A few things to be aware of:

  • As of today, vEdge can handle 40,000 concurrent sessions.
  • You can create rules at different layers, but new rules don't apply to already established sessions unless you apply them manually.
  • You can always create security groups as logical units to manage your rules.
  • There is no packet capture function in vShield.
  • The vEdge license can be included with VMware View Premier edition.
  • The vZone license can be included with vSphere Advanced.
  • The vApp license can be included with vCloud Director.

We will talk about vApp in the next post.

Here is a detail you may find handy in the future. As we all use Microsoft products, MS always releases its demos in VHD format. I always thought it would be pretty easy and straightforward to convert a VHD to VMDK, but it turns out it is not as smooth as it sounds. So I wrote this article to help anyone who may have the same issue.

Let's check out the basic requirements.

SharePoint 2010 Demo.

You need to download 28 WinRAR-compressed files from the Microsoft website. They occupy 17 GB of space.

Extract those 17 GB of files and you get two folders: 2010-7a (44 GB VHD) and 2010-7b (14 GB VHD).

These VHDs are dynamically expanding (thin). The full size of each VHD is 133 GB.

Goal:

Run the SharePoint demo in a test or dev environment.

Hyper-V solution:

You can install Windows 2008 R2 on a real physical server and add the Hyper-V role. However, if you don't have Hyper-V, you may run into the following.

Hyper-V in a VMware environment, the issues:

1. MS doesn't allow you to enable the Hyper-V role inside a VM, and there is no other way to install Hyper-V on a VM.

2. Virtual PC can't run this demo either. As a matter of fact, MS recommends running it only on Hyper-V R2.

VMware solutions:

If your environment is entirely VMware, we need to figure out a way to run the demo in a VMware vSphere test or dev environment. But we also don't want to waste unnecessary space during the procedure, so throughout the conversion the VHD or VMDK must stay in thin-disk mode.

Using VMware Converter:

VMware Converter is an excellent tool. However, it doesn't support VHD files directly; it requires third-party software to prepare them. VMware Converter has 5 ways to import other machines into VMware:

  1. Powered-on machine (as long as it is Windows Server 2003 or later, physical or virtual, using MS VSS).
  2. VMware Infrastructure virtual machine (convert a VM from VMware ESX itself).
  3. VMware Workstation or other VMware virtual machine (must be a VM, not just a single disk; VMware Server VMs as well).
  4. Backup image or third-party virtual machine (supports Virtual PC, Symantec Recovery image, Acronis etc.; must be a VM, not a single disk).
  5. Hyper-V server (it deploys a Converter agent on Hyper-V; no reboot required).

In our case, we need to use method 3, 4 or 5 to do the job.

Method 3 requires a VMware Workstation or VMware Server version of the VM. We can use StarWind to do this job.

StarWind:

The free StarWind V2V Converter tool can convert VHD to VMDK and vice versa.

It has the following options. The first 3 options are the ones we care about.

"VMware growable image" and "VMware pre-allocated image" are VMware Workstation-format VMDKs. The first option gives you thin-disk mode. If you choose it, you have to download VMware Workstation or VMware Server to create a VM around the disk.

"VMware ESX Server image" is what we want, but it has one big issue: this option only produces thick disks. In our case, you have to convert a 43 GB VHD (thin) into a 131 GB VMDK (ESX format, but thick). You can upload this big fat file to your storage, but it will consume a lot of disk space and time.

Then you can use VMware Converter to import it into ESX.

Method 4 is the one I recommend here.

All you need to do is download Virtual PC 2007 SP1, which can be installed on Windows 2008 R2. You can simply run it and ignore the warning it gives you, since you don't actually need to run the VM.

You just need to create a Microsoft Virtual PC VM around the VHD. Then you can use VMware Converter to import it into ESX.

Method 5 is a little further to go.

You need to install Hyper-V on bare physical hardware, create a VM and import the VHD disk. Then you can use VMware Converter to import it into ESX.

Conclusion:

Methods to convert a VHD for VMware:

Install Virtual PC 2007 SP1 -> create a VM using the VHD -> save the .vmc file -> load VMware Converter -> use method 4 -> import into vSphere

Install StarWind -> convert the VHD to an ESX Server image -> save the full-size VMDK -> upload the full-size VMDK -> create a VM in vSphere -> use the VMDK disk (full size)

Install StarWind -> convert the VHD to a Workstation VMDK (thin) -> save the thin VMDK -> install VMware Workstation or VMware Server -> create a VM -> attach the VMDK -> create the .vmx file -> load VMware Converter -> import into vSphere in thin mode

Or you can use WinImage instead of StarWind.

Reference:

Download Virtual PC 2007 SP1

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=28C97D22-6EB8-4A09-A7F7-F6C7A1F000B5&displaylang=en

http://www.sharepointdevwiki.com/pages/viewpage.action?pageId=23429169


With the new release of ESXi 4.1, we all need to update the vSphere components, which includes the HP CIM agent.

It is a very easy step if you are prepared.

Pre-steps:

1. Download the HP CIM agent for ESXi 4.1 from here.

2. Have vMA 4.1 or the vSphere CLI available. Please refer to my last post about vMA 4.1.

3. Have an HTTP server ready. A simple Windows server can do the job; just make sure IIS is installed.

4. Put your host into maintenance mode.

Steps:

1. Download the 4 MB zip file from the HP website, here.

2. Set up IIS so you can download the zip file from your internal site.

vihostupdate supports both a local zip file and a zip file fetched over HTTP. But we don't want to upload it to the poor little vMA (only 5 GB of disk), so build an IIS virtual directory that lets vMA download the zip file from another local server.

After you download the zip file, put it into a folder on the IIS server (in my case, E:\Install\vmdownload).

Then open IIS Manager, right-click Default Web Site and choose "New" -> Virtual Directory.

Go through the wizard with the defaults (read-only is fine) and build the virtual directory (in my case, vmdownload). Read-only is all vihostupdate needs; do not grant write or script permissions on a directory that serves host update bundles.

You can test it by downloading the file from any IE browser.

Make sure you type the full address including the filename, because you don't have directory browsing rights on that folder.

3. Use vMA to update the HP CIM agent on your host

Log in to vMA and target your host first.

Then check what has already been installed:

vihostupdate.pl --server <server> --query

If you can't find the bundle's bulletin in the list, use this command to install it (the --bundle value can also be the http:// URL of the zip on your IIS server; --bulletin is optional and limits the install to the named bulletin, otherwise every bulletin in the bundle is installed):

vihostupdate.pl --server <server> --install --bundle <local_path>/rollup.zip --bulletin <bulletin_id>

After the installation, you need to reboot the host.

After the reboot, run the --query command again to verify the installation: the new bulletin ID should now appear in the list with an install timestamp.
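The three steps above as one added script, not from the original post: query, install the bundle, reboot, query again, with the post-reboot bulletin check done by the script rather than by eye, and a hash check on the bundle before it touches the host. Everything in it is assumed, none of it is from the post: the vSphere CLI for Windows (the same vihostupdate.pl the post runs from vMA) with perl on PATH and an assumed install path, PowerCLI already connected to vCenter for the maintenance-mode and reboot steps, placeholder host, URL and file names, and a query output layout of a dashed header followed by one row per bulletin with the bulletin ID first and an ISO timestamp second.

```powershell
# Added example (not from the original post). All names and paths are placeholders.
param(
    [Parameter(Mandatory = $true)] [string] $VMHostName,
    [string] $BundleUrl   = 'http://fileserver.example/vmdownload/hp-esxi41-bundle.zip',
    [string] $ExpectedMd5 = '',   # MD5 shown on the HP download page; empty skips the check
    [string] $BulletinId  = '',   # empty installs every bulletin in the bundle
    [string] $ViCliBin    = 'C:\Program Files\VMware\VMware vSphere CLI\bin'   # assumed location
)

$cred = Get-Credential -Message "Account on $VMHostName"
# The vSphere CLI reads these variables instead of --server/--username/--password, which keeps
# the password off the command line, and so out of process listings and transcripts.
$env:VI_SERVER   = $VMHostName
$env:VI_USERNAME = $cred.UserName
$env:VI_PASSWORD = $cred.GetNetworkCredential().Password

function Invoke-ViHostUpdate([string[]] $Arguments) {
    $out = & perl (Join-Path $ViCliBin 'vihostupdate.pl') @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "vihostupdate $($Arguments[0]) failed:`n$($out -join "`n")" }
    return $out
}

function Get-InstalledBulletinIds {
    # Keeps only the data rows (bulletin ID, then an ISO timestamp) and returns the first column.
    Invoke-ViHostUpdate @('--query') |
        Where-Object { $_ -match '^\S+\s+\d{4}-\d{2}-\d{2}T' } |
        ForEach-Object { ($_ -split '\s+')[0] }
}

function Test-FileMd5([string] $Path, [string] $Expected) {
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $hash = [System.Security.Cryptography.MD5]::Create().ComputeHash($stream)
        return (([System.BitConverter]::ToString($hash) -replace '-', '') -ieq $Expected)
    } finally { $stream.Close() }
}

try {
    $before = @(Get-InstalledBulletinIds)
    if ($BulletinId -and $before -contains $BulletinId) {
        Write-Host "$BulletinId is already installed on $VMHostName"; return
    }

    # Fetch the bundle once to a local file so it can be hash-checked before installation.
    # (On vMA you would hand the URL straight to --bundle, as the post does, because of its small disk.)
    $local = Join-Path $env:TEMP ([System.IO.Path]::GetFileName($BundleUrl))
    (New-Object System.Net.WebClient).DownloadFile($BundleUrl, $local)
    if ($ExpectedMd5 -and -not (Test-FileMd5 $local $ExpectedMd5)) {
        throw "MD5 of $local does not match the published value; not installing."
    }

    $vmhost = Get-VMHost -Name $VMHostName
    if ($vmhost.ConnectionState -ne 'Maintenance') {
        $vmhost = Set-VMHost -VMHost $vmhost -State Maintenance -Confirm:$false
    }

    $installArgs = @('--install', '--bundle', $local)
    if ($BulletinId) { $installArgs += @('--bulletin', $BulletinId) }
    Invoke-ViHostUpdate $installArgs | Out-Null

    Restart-VMHost -VMHost $vmhost -Confirm:$false | Out-Null
    Start-Sleep -Seconds 120          # give vCenter time to see the host go down before polling
    do {
        Start-Sleep -Seconds 30
        $state = (Get-VMHost -Name $VMHostName).ConnectionState
    } until ($state -eq 'Maintenance' -or $state -eq 'Connected')

    $after = @(Get-InstalledBulletinIds)
    if ($BulletinId -and $after -notcontains $BulletinId) {
        throw "$BulletinId is still not reported by --query after the reboot"
    }
    $new = $after | Where-Object { $before -notcontains $_ }
    Write-Host "Newly installed on ${VMHostName}: $($new -join ', ')"
}
finally {
    # Never leave the credential in the environment of the shell that ran this.
    Remove-Item Env:\VI_PASSWORD, Env:\VI_USERNAME, Env:\VI_SERVER -ErrorAction SilentlyContinue
}
```

The before/after comparison of bulletin IDs is the verification the post describes; diffing the two lists also shows whether the bundle brought in anything beyond the bulletin you expected.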

Reference:

http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?lang=en&cc=us&prodTypeId=15351&prodSeriesId=1121516&swItem=MTX-b98795300e7947d88f19ab56d6&prodNameId=3288134&swEnvOID=4091&swLang=8&taskId=135&mode=4&idx=1


If anyone can recall, I wrote a post about vMA 4.0 before. With the new vSphere 4.1 release, vMA has a new version, 4.1, to work with vSphere 4.1.

During the installation and configuration of vMA 4.1, I encountered multiple errors. I would like to thank William Lam for his help on the forum. If you want to read more about vMA 4.1 scripting, please follow William's blog in the references.

What's new in vMA 4.1?

Apart from vMA using a new OS (CentOS), vSphere CLI 4.1, SDK for Perl 4.1 and an upgraded version of VMware Tools, the new version of vMA brings us a different way of authenticating: AD authentication. There are also some new commands that replace the old ones. I am going to elaborate below.

Download vMA 4.1

Downloading vMA 4.1 is pretty easy. Anyone can go here to download the OVF file and related documents. vMA 4.1 can be deployed on both vCenter 4.0 and vCenter 4.1. You can get a pretty good idea of how to install it from vma_guide. However, there are some mistakes in the docs that I would like to point out later.

Configuration vMA 4.1

When you first time run vMA, it will give  you a wizard to let you configure vMA. If you miss the chance, you can run

sudo system-config-network-tui

to reactive the wizard.

Join vMA, and ESX(i) into Active Directory

Concept

First of all, let’s talk about the concept behind this topic. Why do we need to join vMA and ESX(i) into AD?

The reason we join ESX(i) into AD is to ease our management and use fewer usernames and passwords to control ESX(i). As you all know, vCenter is in AD already. By default, Domain Admins have rights to log on to vCenter and manage it. However, ESX(i) uses a local user database, so you have to use root every time you log in and execute commands.

I believe the second reason for ESX(i) to join the domain is to give domain users vCLI access. Imagine you can log on to vMA (or use vSphere CLI and your script files) with your own domain account and execute commands against vCenter and hosts directly. No need to remember another set of usernames and passwords anymore. Everything is integrated with the same service account or domain user account.

Join ESXi to Active Directory

Connect to the vCenter that has your ESXi 4.1 host.

If you type your domain in the field and click the “Join domain” button, you must use “username” instead of “domain\username”.

When I followed the smooth blog to configure it, I got the following error. So you must not use the domain\username format.

After you join ESX(i) 4.1 to AD, you can connect to ESX directly with the vSphere Client, go to Permissions and add your domain account to the local user database. For the rest, you can follow the smooth blog in the reference.

Join vMA 4.1 into Active Directory

This is also a pretty straightforward operation.

Log on to vMA 4.1 with the vi-admin account (vi-user isn’t enabled yet; you have to enable it manually). Then type

sudo domainjoin-cli join your_domain your_domain_admin_user

then type the password as the vma_guide indicates. You may see the following warning after you join the domain.

Those PAM modules are part of CentOS and are designed to join not only Windows AD but also Linux-based directory services, so it’s normal to see those warnings.

You can use sudo domainjoin-cli query to verify, as I did.

Connect to vCenter and ESX(i) Hosts

There are two different ways to authenticate your vMA to vCenter and hosts.

Active Directory Authentication

As I mentioned above, the concept here is to let your admins log on to vMA with their own domain accounts and run commands against vCenter and hosts without typing a username and password multiple times. Compared with fastpass authentication, vMA doesn’t store usernames and passwords on the local vMA box, which is more secure in that respect, and you have no extra passwords to memorize.

PreSteps:

  • Your vMA must have joined the domain.
  • Your vCenter must have joined the domain.
  • If you want to operate directly on a host without using “--vihost”, your ESX needs to join the domain.
  • The DNS hosts file must be preconfigured so vMA knows your vCenter/host IPs.
  • Customize the server list.

Modify the DNS hosts file

Well, the reason we set up the hosts file is that we want to just type the server name or host name and have it work. No one wants to type 10.163.x.x all day.

The solution is the hosts file, just like lmhosts on Windows.

Steps:

Open the console of vMA (or connect to vMA with an ssh tool like putty).

Log in as vi-admin.

The hosts file is located at /etc.

You must use “sudo chmod a+w hosts” to make the hosts file writable.

Use “sudo vi hosts” to add your vCenter and host IPs.

Save and quit vi.

One thing I must point out: all server names must be FQDNs, no exceptions!
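As an added example (not part of the original post), here is a small POSIX shell helper for the hosts-file step: it enforces the FQDN rule above, skips duplicate entries and, instead of chmod a+w, is meant to be run under sudo so /etc/hosts stays non-world-writable; it also flags a file that was already made world-writable. The IPs, names and the script name add_host.sh are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): maintain the vMA hosts file
# entries for vCenter/ESX(i) without making /etc/hosts world-writable.
# Assumptions: POSIX sh, grep -E and find; IPs and names are constructed samples.
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# is_fqdn NAME: succeed only if NAME is a fully qualified name (two or more
# dot-separated labels of letters, digits and hyphens). vMA needs FQDNs both
# in the hosts file and for --vihost, so a bare short name is rejected.
is_fqdn() {
  printf '%s\n' "$1" |
    grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# is_ipv4 ADDR: crude dotted-quad shape check
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# hosts_world_writable FILE: succeed if FILE has the other-write bit set
# (the state "chmod a+w hosts" leaves behind).
hosts_world_writable() {
  find "$1" -prune -perm -002 2>/dev/null | grep -q .
}

# add_host_entry FILE IP FQDN: append "IP FQDN short" unless FQDN is already
# listed. Returns 1 on a bad IP or a non-FQDN name, 0 otherwise.
add_host_entry() {
  file=$1; ip=$2; name=$3
  is_ipv4 "$ip"   || { echo "rejected: bad IP $ip" >&2; return 1; }
  is_fqdn "$name" || { echo "rejected: not an FQDN: $name" >&2; return 1; }
  if grep -Eq "[[:space:]]$name([[:space:]]|\$)" "$file" 2>/dev/null; then
    echo "already present: $name"
    return 0
  fi
  printf '%s\t%s %s\n' "$ip" "$name" "${name%%.*}" >> "$file"
}

# Usage on vMA (run under sudo instead of chmod a+w so the file stays 644):
#   sudo sh add_host.sh 10.163.1.10 vcenter.corp.example
if [ "$#" -eq 2 ]; then
  if hosts_world_writable "$HOSTS_FILE"; then
    echo "warning: $HOSTS_FILE is world-writable; consider chmod o-w" >&2
  fi
  add_host_entry "$HOSTS_FILE" "$1" "$2"
fi
```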

Customize the server list

vMA needs to know which servers you may connect to (although it can only operate on one server at a time), and which servers use AD authentication and which use fastpass authentication. That’s why you need to build a server list.

You must log on as vi-admin to build the server list.

To view the current server list:

vifp listservers -l

You must use the “-l” parameter to see the authentication method.

If the server you want is not in the list, make sure the DNS hosts file is configured, then use the following command to add it:

vifp addserver yourhost --authpolicy adauth (this is for AD authentication)

or

vifp addserver yourhost (this is for fastpass authentication)

If you add a vCenter, you must use a domain admin account because vi-admin doesn’t exist in vCenter unless you manually add it. For a host, you type the root password and vMA automatically adds the vi-admin user to the host.

Notice: there is a big trick here. If the system prompts you for a username and password, you can type “domain\username”. But if you want to pass domain\username on the command line, you have to write “domain\\username”, because the shell consumes a single backslash as an escape character.

Now, you are ready to connect your server.

Steps:

1. Log in to vMA with your domain admin account (a normal domain account works too, but it doesn’t have rights to operate on vCenter).

2. Target your server (vCenter or host).

You must target one object to send commands to. If you don’t, you get an error message like

“Error connecting to server at ‘https://localhost/sdk/webService’: Connection refused”

3. Send the command to the object

If you target a vCenter and your command is a host-based command, you must add “--vihost your_host_name” to tell vCenter which host you want. The name must be an FQDN!

Notice: I was told by VMware Support that if you use “--vihost”, you will be asked to type the username and password again!

If you target a host, you can just use the command and it should work.

Here is the tricky thing. It should work and you shouldn’t have to type any credentials anymore. But some users like me do get asked for the username and password again! Maybe it’s a bug in vMA 4.1. I’m investigating this with VMware as I type.

——————————————————————————————————————–

New update about this issue: I just got a call from VMware Support and they admitted this is a bug in vMA 4.1. They will fix this issue in the next release.

——————————————————————————————————————–

Fastpass authentication

This is the old authentication method from the previous version. Basically, vMA stores your credentials locally so you don’t need to type them multiple times when you operate on hosts and vCenter. It can do this because vMA actually creates vi-admin accounts on the hosts.

PreSteps:

  • The DNS hosts file must be preconfigured so vMA knows your vCenter/host IPs.
  • Customize the server list.

Please check the section above for details about how to do it.

This is the reference for fastpass authentication.

Steps:

1. Log in to vMA as vi-admin.

2. Target your server (vCenter or host).

You must target one object to send commands to. If you don’t, you get an error message like

“Error connecting to server at ‘https://localhost/sdk/webService’: Connection refused”

3. Send the command to the object

If you target a vCenter and your command is a host-based command, you must add “--vihost your_host_name” to tell vCenter which host you want. The name must be an FQDN!

Reference:

http://communities.vmware.com/community/vmtn/vsphere/automationtools/vima

http://www.virtuallyghetto.com/2010/07/vma-41-active-directory-intergration.html

http://www.smoothblog.co.uk/2010/07/15/esxi-4-1-active-directory-integration/

http://www.virtuallyghetto.com/2010/07/vma-41-authentication-policy-fpauth-vs.html


I just spent some time on vSphere 4.1 yesterday and I would like to share some thoughts about this product with everyone.

vSphere 4.1 ESXi is ready

ESXi 4.1 is positioned to take over from ESX. The new ESXi installation is faster than before, and the ESXi help documentation is much better than it was. Some of the new details are quite interesting.

For example:

There are Troubleshooting Options in the new version.

Inside this option, you can easily enable SSH and local tech support mode.

However, once you enable these options, vCenter puts a yellow warning mark on your host to indicate the server is “not safe”.

vCenter must be 64-bit, Update Manager must be 32-bit?

The new version of vCenter is not much different on the installation side, except that you have to install it on a 64-bit OS instead of a 32-bit OS. I installed the new one on Windows 2008 R2 without any issue.

Notice there is a new prompt during the installation that lets you choose how much memory to reserve for Java.

The rest of the Update Manager installation is not much different either, except that you need to build a 32-bit DSN while vCenter must use a 64-bit DSN. I was able to install them on the same box.

You can add domain users to ESX now.

The new version also provides a function to let your domain accounts into the ESX box. But I’m not quite sure why people want to do that. A domain account is not safe, and you let ESX talk to the domain to pass through authentication instead of using vpxuser?

Anyway, I will try to write about more new features in the future. Tell me what you think about vSphere 4.1.


This is a fix-up for the PVSCSI issue in ESX 4.0 U2. Previous link: https://geeksilver.wordpress.com/2010/06/21/upgrade-esx-3-5-to-vsphere-upgrade-your-vms-to-get-performance-jump-part-1/

Basically, there are 2 errors you may encounter when adding a PVSCSI device to Windows 2k3 and 2k8.

1. PXE issue

After you add new disks, you encounter a PXE issue. Even if the disk you installed is a secondary disk, you still encounter this issue.

Reason:

VMware bug

New Updates:

I just spoke to VMware Support and they were able to reproduce this issue in their lab.

Solution:

VMware vCenter 4 U2 can’t handle too many hardware additions and changes at the same time, so do one step at a time.

E.g.: add the disk, then click OK. Go back into the settings, change the SCSI type, click OK, etc.

New fix:

This issue is caused by the boot SCSI controller order changing after you delete a SCSI controller and add a new one.

All you need to do is make sure SCSI (0:0) is in the first bootable position, as you can see in the diagram.

2. Windows blue screen

After changing the boot disk’s SCSI controller type, you see Windows start and then blue screen. The system keeps restarting.

Cause: Windows doesn’t have your SCSI driver.

Solution: You must have all SCSI drivers available in Device Manager before you attach disks of every type. If you build the machine with PVSCSI, you won’t have the LSI SCSI driver. So you need to add a secondary disk on an LSI controller to let VMware Tools install the driver.

-Silver


This is the third part of Using ESXi to replace ESX. I really hope I can make myself clear and that anyone who visits my site will like it and enjoy the time here. Please do leave comments and footprints. Thanks.

After discussing the starting point and architecture, it’s time for us to install and configure ESXi. There are some tips and tricks I would like to share with you in this chapter.

Install ESXi 4

First of all, you need to download the vendor version of ESXi (please refer to PART 2) and load it with your iLO or something similar. You can ask your SAN team to block the HBA or move that host out of the storage group, but in this case I didn’t do that, since it’s merely a lab test server.

The installation is pretty straightforward. You don’t have many choices. Basically, it’s either install or not. Once you get into the installation, the only choice you are offered is where to put your files.

As you can see, the first one is my local disk. Disk 1 is the KVM adapter. Disk 2 is my test SAN LUN. So the local disk is what I want.

ESXi Partitions

I briefly covered ESXi partitions in the last article; I will give you more details in this one. By default, ESXi builds 3 partitions out of your local disk.

They are:

  • Swap partition, also called the vFAT scratch partition (used by vm-support for temp space and upgrades, 4GB)
  • Diagnostic partition (for CPU and memory core dumps, 112MB)
  • Bootloader partition (4MB)
  • Primary boot bank (core hypervisor (32MB), VMkernel, server manufacturer customizations, 255MB)
  • Backup boot bank (starts empty, filled later as a backup of the boot bank, 255MB)
  • Store partition (auxiliary files, VI Client, VMware Tools, runtime storage, 917MB)
  • VMFS partition (rest of the disk space)

Plus, visorfs (325.5MB) is an in-memory file system which holds /var/logs, /tmp, /etc/vmware, etc.

I mentioned this picture in my last post, but this is a better version. From this picture, you can clearly see which partitions there are and what they are for. fdisk -l shows the disk information; it’s all physical. Please be aware the partition sizes have increased since ESXi 4.

df -h displays the mounted file systems. Be aware the first one (visorfs) is in memory. This only displays partitions that have been mounted from the file system; it is not a list of all existing partitions.

This picture shows what is mounted under /vmfs/volumes. Notice there are 6 mounted but only 5 of them have link files. The scratch partition doesn’t have a link file, but you can access it from /scratch.

Well, this is ESXi, so you don’t get any other options for the rest of the installation. Let’s just go through it quickly.

blah, blah, blah

blah,blah,blah

After the reboot, you should see this screen from your iLO or KVM. Then the ESXi installation is finished.

This interface is not just a quick menu of ESXi; it’s the DCUI (Direct Console User Interface). I will leave it for the next post.

Hope you enjoy my post and don’t fall asleep. :p

To be continued…..