VCAP5-DCA Study Guide is now available

The content of this study guide was first published as a series of posts on this blog.

The posts were written in preparation for my VCAP5-DCA exam and are based on the official VMware Blueprint. At the time I started writing; other great Study guides were available, although most of these guides were based on the VCAP4-DCA exam.

The posts had to meet the following goals:

• Based on the official Blueprint, follow the objectives as close as possible.
• Refer to the official VMware documentation as much as possible. For that reason, every Objective starts with one or more references to the VMware documentation.
• In case the official documentation is not available or not complete, provide an alternative.
• Write down the essence of every objective (the Summary part).
• If necessary, provide additional explanation, instructions, examples and references to other posts. All this without providing too much information.

I hope all this will help you in your preparation for your exam. I welcome your comments, feedback and questions.

Download Guide: VCAP5-DCA Study Guide_20121229

VCAP5-DCA Objective 8.2 – Administer vSphere using the vSphere Management Assistant

Objectives

• Install and configure vMA
• Add/Remove target servers (Note: This Objective has been updated per 21-01-2013)
• Perform updates to the vMA
• Use vmkfstools to manage VMFS datastores
• Use vmware-cmd to manage VMs
• Use esxcli to manage ESXi Host configurations
• Troubleshoot common vMA errors and conditions

Install and configure vMA

Official Documentation:
vSphere Management Assistant Guide vSphere 5.0, Chapter 2 “Getting started with the vMA”, section “Deploy vMA”.

Summary:
The vSphere Management Assistant (vMA from now on) and the documentation can be found at: http://www.vmware.com/support/developer/vima/

Note: multiple versions are available! You can deploy vMA 5.0 on vSphere 4.0 Update 2 or later (no vSphere 5.1) and vCenter Server 4.0 Update 2 or later. The vCenter Appliance 5.0 is also supported. After installation, you can target even ESX/ESXi 3.5 Update 5 servers.

The vMA comes as a SUSE Linux Enterprise Server 11‐based virtual machine that includes pre-packaged software such as the vSphere command‐line interface, and the vSphere SDK for Perl. The vMA allows administrators to run scripts or agents that interact with ESXi hosts and vCenter Server systems without having to authenticate each time. The vMA comes as a virtual appliance

Under normal conditions, you will deploy the vMA in your cluster. Another way is to deploy vMA on your workstation and take it with you, with your own tools and scripts.

Read the rest of this entry »

VCAP5-DCA Objective 8.1 – Execute VMware Cmdlets and customize scripts using PowerCLI

Objectives

• Install and configure vSphere PowerCLI
• Install and configure Update Manager PowerShell Library
• Use basic and advanced Cmdlets to manage VMs and ESXi Hosts
• Use Web Service Access Cmdlets
• Use Datastore and Inventory Providers
• Given a sample script, modify the script to perform a given action

Install and configure vSphere PowerCLI

Official Documentation:
vSphere Power CLI User’s Guide 5.0, Chapter 3 “Installing vSphere PowerCLI”, page 15.

Summary:
vSphere Power CLI User’s Guide 5.0, Chapter 2 “vSphere PowerCLI System Requirements” presents an overview of the supported Operating Systems, required software and supported VMware environments.

Windows versions starting from XP SP2 are supported. To run vSphere PowerCLI, you need:

• .NET 2.0 SP1
• Windows PowerShell 1.0/2.0

Most VMware environments are supported.

vSphere PowerCLI can be downloaded from: http://www.vmware.com/go/powercli

Installation is straightforward. If the PowerShell Execution Policy on your machine is set incorrectly, a warning message appears before finalizing the vSphere PowerCLI installation. Ignore it and continue with the installation.

For security reasons, Windows PowerShell supports an execution policy feature. It determines whether scripts are allowed to run and whether they must be digitally signed. By default, the execution policy is set to Restricted, which is the most secure policy. If you want to run scripts or load configuration files, you can change the execution policy by using the Set-ExecutionPolicy cmdlet.
Start the vSPhere PowerCLI console and type:

Set-ExecutionPolicy RemoteSigned

Other references:

• A

Read the rest of this entry »

VCAP5-DCA Objective 7.2 – Configure and Maintain the ESXi firewall

Objectives

• Enable/Disable pre-configured services
• Configure service behaviour automation
• Open/Close ports in the firewall
• Create a custom service
• Set firewall security level

Enable/Disable pre-configured services

vSphere Security Guide, Chapter 3 “Securing the Management Interface”, page 37.

Summary:
An ESXi host has a group of preconfigured services, which can be found via: Configuration, Software, Security Profile, Services Section.

Figure 1 – ESXi Services

Behaviour can be changed by selecting a service and choosing “Options”.
Services can be stopped or (re)started and the “Startup Policy” can be adjusted.

Figure 2 – Service Options

The default and recommended Startup Policy is “Start automatically if any ports are open, and stop when all ports are closed”.
If any port is open, the client attempts to contact the network resources pertinent to the service in question. If some ports are open, but the port for a particular service is closed, the attempt fails, but there is little drawback to such a case. If and when the applicable outgoing port is opened, the service begins completing its tasks. In other words, service behaviour depends on the firewall settings.

Policy “Start and stop with host” means: The service starts shortly after the host starts and closes shortly before the host shuts down.

Policy “Start and stop manually”: The host preserves the user-determined service settings, regardless of whether ports are open or not. This setting is preserved after rebooting a host.

Important NOTE: ESXi firewall automates when rule sets are enabled or disabled based on the service Startup policy. When a service starts, its corresponding rule set is enabled. When a service stops, the rule set is disabled.

Other references:

• A

Configure service behaviour automation

vSphere Security Guide, Chapter 3 “Securing the Management Interface”, page 38.

Summary:
See previous one.

Other references:

• A

Open/Close ports in the firewall

vSphere Security Guide, Chapter 3 “Securing the Management Interface”, page 34.

Summary:
An overview of the ESXI firewall configuration can be found via: Configuration, Software, Security Profile, Firewall Section.

Figure 3 – Firewall overview

After selecting a Service or Client, you can adjust the Firewall settings and depending on the Service, the Service Options become available (see previous section).

Figure 4

You can specify which networks are allowed to connect to each service that is running on the host.

You can use the vSphere Client or the command line to update the Allowed IP list for a service. By default, all IP addresses are allowed.

Other references:

• A

Create a custom service

vSphere Security Guide, Chapter 3 “Securing the Management Interface”, section “Rule Set Configuration Files”, page 34.

Summary:
The firewall rule set definitions are stored on the ESXi host in the folder: /etc/vmware/firewall.

The default file is service.xml. Depending on your configuration, additional rule sets can be found. E.g.: Adding an ESXi host to an HA enabled Cluster adds the fdm.xml rule set.

The vSphere Security Guide contains detailed information how to create a new configuration file.

Tip: you can create a new ruleset by copying an existing rule set and start editing. If you are familiar with the vi editor, stay on the ESXI host, otherwise use WinSCP to copy back-and-forth to your favourite Management station.

After adding a service, you need to refresh the firewall settings. On the ESXi host, use the following command:

# esxcli network firewall refresh

Other references:

• See also VMware KB 2008226 “Creating custom firewall rules in VMware ESXi 5.0”

Set firewall security level

???

Summary:
The following esxcli command shows some important ESXi firewall settings:

# esxcli network firewall get
   Default Action: DROP
   Enabled: true
   Loaded: true
#

For troubleshooting purposes, you can temporarily disable the firewall with this command:

# esxcli network firewall set --enabled false
# esxcli network firewall get
   Default Action: DROP
   Enabled: false
   Loaded: true
#

The default policy can also be adjusted from DROP to PASS (Not a good idea) with:

# esxcli network firewall set --default-action true
# esxcli network firewall get
   Default Action: PASS
   Enabled: true
   Loaded: true
#

You can also completely shut down the firewall:

# esxcli network firewall unload
# esxcli network firewall get
   Default Action: PASS
   Enabled: true
   Loaded: false
#

Figure 5- Firewall Unloaded

Other references:

• A

VCAP5-DCA Objective 9.2 – Install ESXi hosts using Auto Deploy

Objectives

• Install the Auto Deploy Server
• Utilize Auto Deploy cmdlets to deploy ESXi hosts
• Configure Bulk Licensing
• Provision/Re-provision ESXi hosts using Auto Deploy
• Configure an Auto Deploy reference host

To start with, the official and some other useful documentation on this objective:

• vSphere Installation and Setup Guide, Chapter 5
• vSphere 5.0 Evaluation Guide Volume 4 – Auto Deploy
• vSphere 5.0 Evaluation Guide Volume 1, section on Image Builder, page 91.
• Understanding vSphere Auto Deploy
• Video vSphere Auto Deploy Demo
• Good reading on Auto Deploy Rules and Rule Sets by Joe Keegan (thanks Joe!).
• VMware Blogs Using the vSphere ESXi image Builder CLI by Kyle Gleed.

Probably useful, but not in the official Curriculum:

• vSphere Auto Deploy Gui 5.0

A few words on this Objective. Imho Auto Deploy is a though subject you cannot learn by reading manuals, tutorials and blog posts. You should really play a lot in a home lab or test environment to get a good understanding on the architecture of Auto Deploy and the components. The vSphere Installation and Setup Guide presents a lot of information, but is a bit overwhelming. In my case, I have followed these steps:

• I have Prepared my home lab for Auto Deploy. I have watched Trainsignal vSphere 5 Training, lesson 28 on this subject. Also this post “Using vSphere 5 Auto Deploy in your home lab” by Duncan Epping was very useful.
• In a small home lab you will practice by using nested ESXi servers, read this post by Eric Gray, or this post by Vladan Seget.
• The vSphere 5.0 Evaluation Guide Volume 4 – Auto Deploy was also very useful for a good understanding on how to set up Deploy Rules. In this guide the three Deploy Rules (Image Profile Rule, vCenter Folder/Cluster Rule and Host Profile Rule) are being used.
• Get familiar with the commands presented in the Get-DeployCommand. Joe Keegan’s post helped me lot understanding the Deploy Rules
• The vSphere 5.0 Evaluation Guide Volume 1, has a nice introduction on the Image Builder. A useful exercise is trying to upgrade the Image Profile (for that reason I have started with a rather old one)
• The last step so far is reading Chapter 5 in the vSphere Installation and Setup Guide to glue everything together.

Figure 1 – Auto Deploy Overview (Graphic provided by VMware)

Read the rest of this entry »

VCAP5-DCA Objective 9.1 – Install ESXi hosts with custom settings

Objectives

• Create/Edit Image Profiles
• Install/uninstall custom drivers
• Configure advanced bootloader options
• Configure kernel options
• Given a scenario, determine when to customize a configuration

Create/Edit Image Profiles

Official Documentation:
vSphere Installation and Setup Guide, Chapter 6 “Using vSphere ESXi Image Builder CLI”,  page 123.

Summary:
The Image Builder CLI, is a set of PowerCLI Cmdlets that allows you to create and maintain custom ESXi images used to deploy hosts in your vSphere 5.0 environments.

The Image Builder creates Custom Image Profiles that can be exported to:

• ISO images;
• Offline depot (ZIP file), to be used by vSphere Update Manager or by the esxcli software vib command.

Figure 1 (Source: VMware)

The Concepts of Image Builder are explained in vSphere Installation and Setup Guide , Chapter 6, “Using vSphere ESXI Image Builder CLI”, page 123.

Read the rest of this entry »

VCAP5-DCA Objective 7.1 – Secure ESXi hosts

Objectives

• Add/Edit Remove users/groups on an ESXi host
• Customize SSH settings for increased security
• Enable/Disable certificate checking
• Generate ESXi host certificates
• Enable ESXi lockdown mode
• Replace default certificate with CA-signed certificate
• Configure SSL timeouts
• Configure vSphere Authentication Proxy
• Enable strong passwords and configure password policies
• Identify methods for hardening virtual machines
• Analyze logs for security-related messages
• Manage Active Directory integration

Last Update: 24-12-2012

Add/Edit Remove users/groups on an ESXi host

Official Documentation:
vSphere Virtual Machine Administration, Chapter 4 “Authentication and User Management”, Section “Managing vSphere Users / Groups”, page 42.

Summary:
When a vSphere Client or vCenter Server user connects to ESXi, a connection is established with the VMware Host Agent process. The process uses the user names and passwords for authentication.

ESXi authenticates users accessing hosts using the vSphere Client or SDK. The default installation of ESXi uses a local password database for authentication.

ESXi uses the Pluggable Authentication Modules (PAM) structure for authentication when users access the ESXi host using the vSphere Client. The PAM configuration for VMware services is located in /etc/pam.d/system-auth-generic, which stores paths to authentication modules. Changes to this configuration affect all host services.

ESXi users fall into two categories:

• Authorized vCenter Server users
• Direct-access Users

VMware recommends these Best practices:

• Do not create a user named ALL. Privileges associated with the name ALL might not be available to all users in some situations.
• Use a directory service or vCenter Server to centralize access control, rather than defining users on individual hosts.
• Choose a local Windows user or group to have the Administrator role in vCenter Server.
• Because of the confusion that duplicate naming can cause, check the vCenter Server user list before you create ESXi host users to avoid duplicating names. To check for vCenter Server users, review the Windows domain list.

Important Note: By default, some versions of the Windows operating system include the NT AUTHORITY\INTERACTIVE user in the Administrators group. When the NT AUTHORITY\INTERACTIVE user is in the Administrators group, all users you create on the vCenter Server system have the Administrator privilege. To avoid this, remove the NT AUTHORITY\INTERACTIVE user from the  Administrators group on the Windows system where you run vCenter Server.

Remember:

• You can assign a Role to  User or Group;
• A role is a set of Privileges;
• Roles are assigned to Objects;
• Permission = User/Group + Role;
• Permissions are inherited (flows down the tree)
• Apply Permissions on the level where it is needed

To Add or Edit Local Users and Groups:

• With the vSphere Client, connect to an ESXi host (not the vCenter Server)
• Select the Host object
• Go to Tab “Local Users & Groups”
• Now you can Add, Remove or Edit a User or Group

Figure 1

Read the rest of this entry »

VCAP5-DCA Objective 6.5 – Troubleshoot vCenter Server and ESXi host management

Objectives

• Troubleshoot vCenter Server service and database connection issues
• Troubleshoot the ESXi firewall
• Troubleshoot ESXi host management and connectivity issues
• Determine the root cause of a vSphere management or connectivity issue
• Utilize Direct Console User Interface (DCUI) and ESXi Shell to troubleshoot, configure, and monitor an environment

Troubleshoot vCenter Server service and database connection issues

Official Documentation:

Summary:

I assume this topic refers to the Microsoft Windows based vCenter Server (and not the vCenter Server Appliance.

The VMware VirtualCenter Server is one of many – but probably – the most important Service on the vCenter Server. The actual Service runs under the name: vpxd.exe.

Figure 1 – vCenter Services

VMware has done a good job publishing some very nice KB articles related to troubleshooting the vCenter Service.

Read the rest of this entry »

VCAP5-DCA Objective 6.4 – Troubleshoot storage performance and connectivity

Objectives

• Use esxcli to troubleshoot multipathing and PSA-related issues
• Use esxcli to troubleshoot VMkernel storage module configurations
• Use esxcli to troubleshoot iSCSI related issues
• Troubleshoot NFS mounting and permission issues
• Use esxtop/resxtop and vscsiStats to identify storage performance issues
• Configure and troubleshoot VMFS datastores using vmkfstools
• Troubleshoot snapshot and resignaturing issues
• Analyze log files to identify storage and multipathing problems

Use esxcli to troubleshoot multipathing and PSA-related issues

Official Documentation:
vSphere Command-Line Interface Concepts and Examples, Chapter 4 “Managing Storage”, section “Managing Paths”, page 42.

Summary:
Multipathing, PSA and the related commands have been discussed in Objective 1.3 “Configure and manage complex multipathing and PSA plugins”.

See also this post for an graphical overview of the ESXCLI command.

Read the rest of this entry »

VCAP5-DCA Objective 6.3 -Troubleshoot Network Performance and Connectivity

Objectives

• Utilize net-dvs to troubleshoot vNetwork Distributed Switch configurations
• Utilize vSphere CLI commands to troubleshoot ESXi network configurations
• Troubleshoot Private VLANs
• Troubleshoot vmkernel related network configuration issues
• Troubleshoot DNS and routing related issues
• Use esxtop/resxtop to identify network performance problems
• Analyze troubleshooting data to determine if the root cause for a given network problem originates in the physical infrastructure or vSphere environment
• Configure and administer Port Mirroring
• Utilize Direct Console User Interface (DCUI) and ESXi Shell to troubleshoot, configure, and monitor ESXi networking

Utilize net-dvs to troubleshoot vNetwork Distributed Switch configurations

Official Documentation:

Summary:
There is not much official documentation on the net-dvs command. The reason for this is probably because the command is unsupported.

Figure 1

As you can see, most options are not documented. The most common options:

Read the rest of this entry »