VCP or Hyper-V Certification

How I became a VCP in the first place

It is a never-ending question I get from my followers and my colleagues. So let me put down my thoughts on this. Before I do that, here is the history of how I became a VCP in the first place. Back in 2006, my organization one fine day asked me to attend the VCP training provided by VMware. I had no idea what VMware was and I had never used any of their products. But vMotion made me feel this product would make a significant difference to the infrastructure space across the world.

Out of all the colleagues who attended the VCP training, none was as passionate about doing the VCP as I was. I always want to be different and ahead of time. I thought VCP certification could give me that extra edge. I started preparing for the VCP certification and started reading all the product documentation. This process brought me very close to the VMware products. I started learning more about VMware products using various blogs. After watching these blogs I realized I could also blog my experience, and I started blogging on VCP3 (http://vmzare.wordpress.com/). It was very interesting to learn some unknown facts about VMware products through their documents and blogs. I tried to use the same knowledge within the organization. Somewhere I failed and somewhere I was simply ignored. But this never stopped my passion to achieve something different. My journey still continues and I’m now quite familiar with vSphere 4.x and vSphere 5.x, SRM, the vShield product suite and vCloud Director. In 2007 I achieved VCP certification. But the focus was to do something different.

So now the main question:

Shall I do VCP or Hyper-V Certification?

Please ask yourself the questions below:

1. “Can you do something different by achieving VCP/Hyper-V Certification?”

2. “Can you make a difference to your customers/clients?”

3. “What are your plans to utilize or leverage this certification?” I hate this answer: “I’m doing this just to fill my personal development plan to meet my organization’s performance evaluation criteria.” I see it as a waste of time and money for both.

4. Is your organization utilizing any of the products? Gaining hands-on experience is essential to achieve advanced certifications. So think of the future. Once a hypervisor is in place, the same hypervisor continues to be strategic unless the organization is very big and has a strong infrastructure team in place.

 

My Personal Choice

First get hands-on with the hypervisor of your choice. Then start learning other hypervisors. Hypervisors are more or less similar in operation and differ slightly in architecture. Once you know the differences between them, learning becomes fast and interesting as well. The future is multi-hypervisor. It is expected that team members know more than one hypervisor, as mentioned over here. It will give you an edge in the current market. I prefer VMware vSphere simply because of the strong online community and the ease with which you can find help when needed. I’m a bit partial here as I’m more focused on the VMware product portfolio and know the entire site map of VMware.com. This could also be true for any Microsoft expert.

Do what you like the most, be it Hyper-V, VMware or any other hypervisor. Then keep learning everything about the hypervisor you like and try to apply that learning to solve customer problems or add value to the customer. Never ever forget –> You will need a minimum of 6 months to completely understand any hypervisor. You can attend a 5-day VCP training course and pass using other means in a month, but this will never give you an edge on the hypervisor. Invest your time and reap the results.

Finally follow “3-Idiots Movie Moral” 

Kamyab Nahi Kabil Hone Ke Liye Padho. Kamyabi Jhak Maarke Pichhe Ayegi

a.k.a Pursue excellence, and success will follow

VCP510 in 2012 Stats in review

The WordPress.com stats helper monkeys prepared a 2012 annual report for this blog.

Here’s an excerpt:

19,000 people fit into the new Barclays Center to see Jay-Z perform. This blog was viewed about 72,000 times in 2012. If it were a concert at the Barclays Center, it would take about 4 sold-out performances for that many people to see it.


Multi-HyperVisor: Future & its Impact

This post is very different from anything I have ever posted. Not sure if I will continue such musing. But this is one of those thoughts that kept lingering in my mind for a while.

By multi-hypervisor environment I mean using more than one hypervisor.

1. vSphere ESXi

2. Hyper-V

3. RHEV/XEN (Not sure if this is the name)

Disclaimer: I know only one Hypervisor i.e. VMware’s vSphere ESXi

 

First, why multiple hypervisors?

1. Single Vendor/All Eggs in one Basket

Historically, CIOs never want to be dependent on a single vendor. This goes back to the same strategy used in the olden days for hardware vendors. Big enterprises will always have a mix of hardware vendors and strategy, e.g. high-end systems from HP and mid- and low-end systems from IBM & Dell (or the other way round). In short, use multiple server vendors and remove any possibility of one vendor implicitly ruling the organization’s hardware strategy.

2. License, Support and Ecosystems

Licensing cost will be one of the factors, but not the only factor, when deciding on one hypervisor or the other. I feel the major influence will be the services which are sold to the internal client, or how the chargeback model gets impacted by the overall cost. I think Hyper-V can definitely provide Silver and Bronze level service or uptime, and vSphere can do that right from top (Platinum) to bottom (Bronze). But then, will Silver level service cost the same on vSphere and Hyper-V? I don’t know the figures, but we know the cost differs by significant margins. CIOs must direct infrastructure architects to develop a multiple-hypervisor strategy and service models.

Support and ecosystem become extremely critical in an ever more complex environment. By ecosystem I mean your configuration and monitoring software. Both vendors are building up capability to support multi-hypervisor environments. For me it always looks like an Indian marrying an Indian born in the UK. Bottom line –> There will always be a case where Vendor A points to Hypervisor B and Vendor B points to Hypervisor A when a problem arises in troubleshooting cross-vendor hypervisor software. I would always recommend using the software of the respective vendor to manage, monitor and configure the ecosystem.

Impact of Multiple Hypervisors

1. Evolving 3rd Party Software

Third-party software vendors have started developing products to support multi-hypervisor environments. I know at least Veeam is doing it. There might be many, but I see a major change happening very soon. Right now, let’s say we have Gold and Platinum VMs on vSphere ESXi and Silver and Bronze on Hyper-V. There will be a time when a customer wants to upgrade to Gold or Platinum service or, in simple words, the customer feels vSphere will offer better stability, so they want to move to vSphere, i.e. at the lower level it is a VHD to VMDK conversion. No… not offline but online conversion. If there is Storage vMotion, why can’t there be vMotion irrespective of hypervisor? After all, now we aim for everything to be defined by software. I have always believed it is not the need that pushes us to innovate but the innovation that drives the need, e.g. the Apple iPhone. The world was happy in the pre-iPhone world, but now everyone wants an iPhone and every other phone has started copying the iPhone interface.

So I see this segment will emerge. PlateSpin was the number 1 vendor when it came to P2V and capacity planning for P2V. I see a similar kind of software evolving, where online conversion happens from VHD to VMDK, or vMotion/Live Migration happens across different hypervisors. CIOs will always love such flexibility.

2. Complexities and System Administrators

The biggest impact multiple hypervisors will have is on the operations team. Supporting multi-hypervisor needs training and, of course, an understanding of the subtle differences. Different maintenance cycles and upgrade procedures, and that too without impacting services, will need detailed strategy and planning. Even with a single hypervisor I see operations teams (network, storage and OS) acting independently in their own islands of excellence (is it?). If these teams don’t talk frequently there is always a chance of a major outage. I think the operations team must be renamed a datacenter operations team, and the whole team becomes responsible for the virtual datacenter. If the network is down, the hypervisor is down, so are the services and, if you have FCoE, even storage. If they don’t work closely, such an outage window can become very long. The entire team must understand the impact on services when two ports on different switches go down. This has the potential to bring 50-100 services down and cause business loss.

Another case of vCenter SSO–Part -II

Before I start, please don’t be surprised if I come up with Part-III. If you happened to read my blog on Another-case-of-SSO, this is an extension of the same post but in a different light. In fact the previous post also faced the same problem which I’m going to discuss here today.

Same situation or scenario. Goal –> Upgrade vSphere 4.1 infrastructure to 5.1. We have a 4.1 infrastructure and were moving up to 5.1. A similar procedure was followed and all went OK with the same warnings: an unexplained reverse lookup problem when we know it is correct. It is unclear how this wizard checks the reverse lookup. It always gives us false alarms (sometimes it just forces us to ignore it even in real cases, which is bad I think).

However, this time we changed the order of installation:

1. I logged into vCenter with the service account (we are going to install everything on a single box, as I realized it doesn’t matter unless you have multiple sites accessing vCenter SSO)

2. SSO was installed first

3. We didn’t install the Inventory Service but installed the Web Client first. Why? Check this post

4. Luckily the identity source was added, so we didn’t have to do anything there. I was happy.

5. We went ahead with the Inventory Service installation. All was okay here as well.

6. Last one –> vCenter upgrade –> All okay again.

Now the moment of truth. I tried to log in to vCenter using my domain credentials. It failed. Using the SSO admin account it was working, but not using an AD or local administrator account. In fact the local administrator account will never work if you use a multi-site configuration option, so don’t try, and don’t get confused if you get the error “Incorrect login name or password”.

For the next 3 hours I tried all possible ways to get inside vCenter using the C# client or the Web Client, but no success.


This means only one of two things:

1. Either vCenter is unable to talk to the identity source via SSO

2. Or the identity source is missing from SSO.

But in this case the identity source was added automatically, so point 2 was not the case. Then was point 1 the case? For some reason it struck me to get someone else’s account to log in. So after another 30 min I requested one of my colleagues to log in to vCenter. Surprise, surprise!!! He could log in using the Web Client and also using the C# client. It was getting interesting now. Even point 1 was invalid now. So SSO was talking to the identity source using my colleague’s account BUT was failing to authenticate using my credentials. Was something wrong with my account? To confirm further I asked a few other users to log in. I got mixed results. A few could log in and a few could not. The problem was getting more and more interesting.

But we crossed the maintenance window agreed with the client, and we were at the point where rollback was the only option. But great thanks to this article by NiTRo. I quickly disabled SSO and people could continue their work.

Next day: I Googled and found nothing. Finally I opened a call with VMware support.

I was in the VMware queue for a record 1 hr 30 min. You can guess why this wait time, and this article might also support your guess.

The engineer took no more than 30 minutes to solve this problem. Again, your guess might support this.

The problem was so easy, but it is so difficult to see something which is so obvious. Unfortunately there is nothing in the VMware documentation that makes this so obvious.

 


Authentication Type: Reuse Session –> This uses the account whose credentials you provided as the service account while installing SSO. This account must have permissions to read all user attributes in Active Directory.

Sorry, I know I’m not clear here, but this is what KB Article 2037546 states:

“If the service account cannot read these attributes, the logins fail. The solution is to increase the permissions on this service account so that it is able to read all user attributes.”

No one in our Active Directory team understood this statement. If you know, may I request you to explain in the comments section what this permission means for an Active Directory service account? Thanks in advance.

I was very unhappy. I raised it via my @techstarts Twitter handle, and the response I got from VMwareKB is below.

I greatly appreciate VMwareKB’s super-fast response, but unfortunately reading 65 KB article to understand a single feature doesn’t sound like a good investment of time.


Lessons Learnt

1. SSO sits between vCenter and your identity source. Its function is to pick up your credentials and give them to the identity source, using the “Authentication Type” to access AD. If this doesn’t work you won’t be allowed to log in to vCenter SSO. If you are sure this is broken, check the SSO logs. There are many SSO logs (check here), and the one you should use is a log which is not part of this KB. This log is imsTrace.log (trace log), located in C:\Program Files\VMware\Infrastructure\SSOServer\logs

2. Check the vCenter logs

3. vCenter SSO is at version 1.0; expect to find yourself in the middle of this or that problem. Prepare yourself and say “All is well”

 

Additional Information


What are Default Domains for vCenter Single Sign On

Each identity source known to vCenter Single Sign On is associated with a domain (not active directory domain). You can specify 1 or more default domains.

Why use or what is the benefit of it?

vCenter Single Sign On uses default domains to authenticate users when a user name is provided without a domain name. If a user name exists in more than one of the specified default domains, and you don’t use domainname\username format or username@domainname format, SSO attempts to authenticate the user against each domain in the order listed. Authentication succeeds with the first domain that accepts the credentials that the user provided. By default, Single Sign On first validates the user against the local operating system identity source.
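
The lookup order described above can be modelled in a few lines to audit which bare user names are ambiguous and which domain would answer first. This is an added example, not VMware code; the domain names, accounts and passwords are constructed, and sending a qualified name straight to its named source is an assumption of the model.

```python
import hmac

# Constructed identity sources: domain name -> {user name: password}
SOURCES = {
    "localos": {"administrator": "L0cal-pass", "svc_backup": "bkp-pass"},
    "corp.example": {"administrator": "AD-pass", "alice": "alice-pass"},
    "lab.example": {"alice": "alice-pass", "bob": "bob-pass"},
}
# Try order for bare names; the local OS source is validated first by default.
DEFAULT_DOMAINS = ["localos", "corp.example", "lab.example"]


def split_login(login):
    """Return (domain, user); domain is None for a bare user name."""
    if "\\" in login:                      # domainname\username
        domain, user = login.split("\\", 1)
        return domain.lower(), user.lower()
    if "@" in login:                       # username@domainname
        user, domain = login.rsplit("@", 1)
        return domain.lower(), user.lower()
    return None, login.lower()


def accepts(domain, user, password):
    """True if the (constructed) source for this domain accepts the credentials."""
    stored = SOURCES.get(domain, {}).get(user)
    return stored is not None and hmac.compare_digest(
        stored.encode(), password.encode())


def authenticate(login, password, defaults=DEFAULT_DOMAINS):
    """Return the domain that authenticated the login, or None."""
    domain, user = split_login(login)
    # Qualified name: only that domain. Bare name: each default domain in order.
    candidates = [domain] if domain else defaults
    for candidate in candidates:
        if accepts(candidate, user, password):
            return candidate               # first domain that accepts wins
    return None


def ambiguous_users(defaults=DEFAULT_DOMAINS):
    """Bare names present in more than one default domain, in try order."""
    seen = {}
    for domain in defaults:
        for user in SOURCES.get(domain, {}):
            seen.setdefault(user, []).append(domain)
    return {user: doms for user, doms in seen.items() if len(doms) > 1}


if __name__ == "__main__":
    for user, doms in ambiguous_users().items():
        print(f"{user}: exists in {doms}; a bare login is tried in that order")
```

Names reported by ambiguous_users() are the accounts for which a bare login can land in a different domain than intended, for example when the same password is used in two sources.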


Installation Behavior of SSO on a Standalone Server in Basic Mode

Copied from vSphere Security Guide

Deploying vCenter Single Sign-On in Basic mode means that a standalone version of vCenter Single Sign-On is installed on a system. Multiple vCenter Server, Inventory Service, and vSphere Web Client instances can point to this standalone version of vCenter Single Sign-On.

Basic mode means no High Availability or Multi-Site configuration.

In this installation, admin@system-domain is granted Administrator privileges on vCenter.


vCenter 5.1 dependencies

It is a very small blog post, but it made a lot of sense when I actually figured it out while troubleshooting SSO. Here is the order of installation:

1. SSO Installation (No Dependencies)


2. vCenter Inventory Service (Dependency on SSO)


3. vCenter (Need both vCenter Inventory Service & SSO installation)


4. vSphere Web Client (Dependency on SSO)


Keep in mind that the vSphere Web Client has no dependency on vCenter.

One very common problem is that SSO doesn’t detect the domain and fails to add the identity source. If it cannot add the identity source, you have to add it manually.

We only realize this when we are upgrading or installing vCenter. While installing/upgrading vCenter you get an error that it is unable to detect the identity source, and the wizard gives you the option to add the default administrators group.


Copied from vSphere Security Guide



NB: In high availability and multisite Single Sign-On modes, there is no local operating system identity source. Therefore, it will not work if you enter Administrators or Administrator in the text box vCenter Server administrator recognized by vCenter Single Sign-On. Administrators is treated as the local operating system group Administrators, and Administrator is treated as local operating system user Administrator.

For example, to grant a group of domain administrators permission to log in to vCenter Server, type the name of the domain administrators group, such as Domain Admins@VCADSSO.LOCAL


It means that when you select high availability mode, the administrators group should be in groupname@activedirectorydomainname format.

But in spite of that it may not work. So here is the trick that has worked for me.

1. Install the Web Client

2. Log in with the admin@system-domain account

3. Add the identity source as explained in the previous post

4. Start the installation/upgrade wizard again; it works like a charm

Hope it helps you all!!!

vCenter SSO–High Availability Overview

You can configure vCenter Single Sign On for High Availability (HA) by installing two nodes in HA mode and putting them behind load balancing software. In HA mode, both the nodes work with the same database, use the same data, and have the same user stores.

 


1. SSO.PREETAM.COM acts as the load balancer

2. SSO1.PREETAM.COM acts as the primary node

3. SSO3.PREETAM.COM acts as the backup/secondary node and is joined to the primary node using the High Availability option shown below

4. SSODB.PREETAM.COM hosts the database for the SSO server.

For the High Availability solution to work seamlessly, you must configure the load balancer.

vCenter SSO Installation Options

Below are the various options you see while installing vCenter SSO. In vSphere 5.1, vCenter Single Sign On (SSO) can be deployed in three modes: Basic, HA, or Multisite. HA mode can utilize a load balancer to increase the availability of the service.

If you want to create a High Availability or Multisite vCenter SSO in future, you must select the Primary Node option as shown below and discussed above.


vCenter SSO User Management–ScreenCast


SSO User Management–Account Policies

Procedure

1. Browse to Administration > Sign-On and Discovery > Configuration in the vSphere Web Client.

2. Click the Policies tab and select Password Policies.

3. Click Edit.

If the administrator password for the Single Sign On system expires and you are unable to log in to the vSphere Web Client, a user with Single Sign On administrator privileges must reset it, or you have to reset the password from the command line.

Reset vCenter SSO Password

1. Open a command prompt and navigate to C:\Program Files\VMware\Infrastructure\SSOServer\ssolscli

2. Run the following command

ssopass username

3. Enter the current password for the user, even if it has expired.

4. Enter the new password and enter it again for confirmation.

Lockout Policy Basics and Configuration parameters

Security Best Practice: You cannot rename the admin@system-domain user; instead it is recommended to create an equivalent user with the same privileges as the admin user and disable the admin user. It is also recommended to change the password and account lockout policy to match your Active Directory domain.