This exam guide enables you to install, configure, and manage the vSphere 6.5 infrastructure in all its components: vCenter Server, ESXi hosts, and virtual machines, while helping you to prepare for the industry standard certification.
This data center book will assist you in automating administration tasks and enhancing your environment’s capabilities. You will begin with an introduction to all aspects related to security, networking, and storage in vSphere 6.5. Next, you will learn about resource management and understand how to back up and restore the vSphere 6.5 infrastructure. As you advance, you will also cover troubleshooting, deployment, availability, and virtual machine management. This is followed by two mock tests that will test your knowledge and challenge your understanding of all the topics included in the exam.
By the end of this book, you will not only have learned about virtualization and its techniques, but you’ll also be prepared to pass the VCP6.5-DCV (2V0-622) exam.
Page count: 518
Year of publication: 2018
Copyright © 2018 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Vijin Boricha
Acquisition Editor: Rahul Nair
Content Development Editor: Arjun Joshi
Technical Editor: Sayali Thanekar
Copy Editor: Safis Editing
Project Coordinator: Kinjal Bari
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Graphics: Jisha Chirayil
Production Coordinator: Arvindkumar Gupta
First published: August 2018
Production reference: 1240818
Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.
ISBN 978-1-78934-047-1
www.packtpub.com
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry-leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Andrea Mauro has 20 years of experience in IT, both in industry and the academic world. He currently works as a solution architect at Assyrus (an Italian IT company). He is responsible for infrastructure implementation, architecture design, upgrades, and migration processes.
He is a virtualization and storage architect, specializing in VMware, but also Microsoft, Citrix, and Linux solutions. His first virtualized solution in production was built around ESX 2.x several years ago.
His professional certifications include several VMware certifications (VCP-DCV, vSAN Specialist, VCIX-DCV, VCIX-NV, VCDX-DCV), but also other vendor-related certifications. He is also a VMware vExpert (2010-18), Nutanix NTC (2014-18), and Veeam Vanguard (2015-18).
Paolo Valsecchi has more than 20 years' experience in the IT industry, and he currently works as a system engineer mainly focused on VMware vSphere, Microsoft technologies, and backup/DR solutions. His current role involves all the tasks related to ensuring the availability of IT infrastructures and the integrity of their data (implementation, upgrade, and administration).
He holds the VMware VCP5/6.5-DCV and Veeam VMCE professional certifications, and he has been awarded the VMware vExpert title (2015-18) and the Veeam Vanguard title (2016-18).
Karel Novak has 17 years of experience in the IT world. He currently works as a senior virtual infrastructure engineer at Arrow ECS in the Czech Republic, where he is responsible for the implementation, design, and consulting of VMware and Veeam solutions. As an instructor of advanced VMware and Veeam courses, he has delivered many classes. He specializes in VMware DCV and NSX and, of course, Veeam. He is a VMware vExpert (2012-2018), VMware vExpert NSX (2016-2017), and a Veeam Vanguard (2015-2018). His highest certifications are VCI-Level2, VCIX6-NV, VCIX6-DCV, VMCT-Mentor, and VMCA. He is also a VMware Certification Subject Matter Expert.
He was a co-author of Mastering VMware vSphere 6.5.
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Title Page
Copyright and Credits
Data Center Virtualization Certification: VCP6.5-DCV Exam Guide
Packt Upsell
Why subscribe?
PacktPub.com
Contributors
About the authors
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
Configuring and Administering vSphere 6.x Security
Objective 1.1 – Configure and administer role-based access control
Compare and contrast propagated and explicit permission assignments
View/sort/export user and group lists
Add/modify/remove permissions for users and groups on vCenter Server inventory objects
Determine how permissions are applied and inherited in vCenter Server
Create/clone/edit vCenter Server Roles
Configure VMware Identity Sources
Apply a role to a user/group and to an object or group of objects
Change permission validation settings
Determine the appropriate set of privileges for common tasks in vCenter Server
Compare and contrast default system/sample roles
Determine the correct permissions needed to integrate vCenter Server with other VMware products
Objective 1.2 – Secure ESXi and vCenter Server
Configure encrypted vMotion
Describe ESXi Secure Boot
Harden ESXi hosts
Enable/configure/disable services in the ESXi firewall
Change ESXi default account access
Add an ESXi Host to a directory service
Apply permissions to ESXi Hosts using Host Profiles
Enable Lockdown Mode
Control access to hosts (DCUI/Shell/SSH/MOB)
Harden vCenter Server
Control datastore browser access
Create/Manage vCenter Server Security Certificates
Control MOB access
Change vCenter default account access
Restrict administrative privileges
Understand the implications of securing a vSphere environment
Objective 1.3 – Configure and Enable SSO and Identity Sources
Describe PSC architecture and components
Differentiate available authentication methods with VMware vCenter
Perform a multi-site PSC installation
Configure/manage identity sources
Configure/manage platform services controller (PSC)
Configure/manage VMware Certificate Authority (VMCA)
Enable/disable SSO users
Upgrade a single/complex PSC installation
Configure SSO policies
Add an ESXi host to an AD domain
Configure and manage KMS for VM encryption
Objective 1.4 – Secure vSphere Virtual Machines
Enable/disable VM encryption
Describe VM Secure Boot
Harden virtual machine access
Control VMware Tools installation
Control VM data access
Configure virtual machine security policies
Harden a virtual machine against DoS attacks
Control VM-VM communications
Control VM device connections
Configure network security policies
Configure VM encrypted vMotion
What is missing
Review questions
Summary
Configure and Administer vSphere 6.x Networking
Objective 2.1 – Configure policies/features and verify vSphere networking
Creating/deleting a vSphere Distributed Switch
Adding/removing ESXi hosts from a vSphere Distributed Switch
Adding/configuring/removing dvPort groups
Adding/removing uplink adapters to dvUplink groups
Configuring vSphere Distributed Switch general and dvPort group settings
Creating/configuring/removing virtual adapters
Migrating virtual machines to/from a vSphere Distributed Switch
Configuring LACP on vDS given design parameters
Describing vDS Security policies/settings
Configuring dvPort group blocking policies
Configuring load balancing and failover policies
Configuring VLAN/PVLAN settings for VMs given communication requirements
Configuring traffic shaping policies
Enabling TCP Segmentation Offload support for a virtual machine
Enabling jumbo frames support on appropriate components
Recognizing the behavior of vDS auto-rollback
Configuring vDS across multiple vCenters to support Long Distance vMotion
Comparing and contrasting vSphere Distributed Switch capabilities
Configuring multiple VMkernel Default Gateways
Configuring ERSPAN
Creating and configuring custom TCP/IP stacks
Configuring Netflow
Objective 2.2 – Configuring Network I/O control (NIOC)
Explaining NIOC capabilities
Configuring NIOC shares/limits based on VM requirements
Explaining the behavior of a given NIOC setting
Determining Network I/O Control requirements
Differentiating Network I/O Control capabilities
Enabling/disabling Network I/O Control
Monitoring Network I/O Control
What is missing
Review questions
Summary
Configure and Administer vSphere 6.x Storage
Objective 3.1 – Managing vSphere integration with physical storage
Performing NFS v3 and v4.1 configurations
Discovering new storage LUNs
Configuring FC/iSCSI/FCoE LUNs as ESXi boot devices
Mounting an NFS share for use with vSphere
Enabling/configuring/disabling vCenter Server storage filters
Configuring/editing hardware/dependent hardware initiators
Enabling/disabling software iSCSI initiator
Configuring/editing software iSCSI initiator settings
Configuring iSCSI port binding
Enabling/configuring/disabling iSCSI CHAP
Determining use cases for Fiber Channel zoning
Comparing and contrasting array thin provisioning and virtual disk thin provisioning
Objective 3.2 – Configure software-defined storage
Creating vSAN cluster
Creating disk groups
Monitoring vSAN
Describing vVOLs
Understanding a vSAN iSCSI target
Explaining vSAN and vVOL architectural components
vSAN architecture
vVOL architecture
Determining the role of storage providers in vSAN
Determining the role of storage providers in vVOLs
Explaining vSAN failure domains functionality
Configuring/managing VMware vSAN
Creating/modifying VMware Virtual Volumes
Configuring storage policies
Enabling/disabling vSAN Fault Domains
Creating Virtual Volumes given the workload and availability requirements
Collecting vSAN Observer output
Creating storage policies appropriate for given workloads and availability requirements
Configuring vVOLs Protocol Endpoints
Objective 3.3 – Configure vSphere Storage multipathing and failover
Explaining common multi-pathing components
Differentiating APD and PDL states
Comparing and contrasting active optimized versus active non-optimized port group states
Explaining features of Pluggable Storage Architecture (PSA)
Understanding the effects of a given claim rule on multipathing and failover
Explaining the function of claim rule elements
Changing the path selection policy using the UI
Determining required claim rule elements to change the default PSP
Determining the effect of changing PSP on multipathing and failover
Determining the effects of changing SATP on relevant device behavior
Configuring/managing storage load balancing
Differentiating available storage load balancing options
Differentiating available storage multipathing policies
Configuring storage policies including vSphere storage APIs for storage awareness
Locating failover events in the UI
Objective 3.4 – Perform VMFS and NFS configurations and upgrades
Performing VMFS v5 and v6 configurations
Describing VAAI primitives for block devices and NAS
Differentiating VMware filesystem technologies
Migrating from VMFS5 to VMFS6
Differentiating physical mode RDMs and virtual mode RDMs
Creating a virtual/physical mode RDM
Differentiating NFS 3.x and 4.1 capabilities
Comparing and contrasting VMFS and NFS datastore properties
Configuring Bus Sharing
Configuring multi-writer locking
Connecting an NFS 4.1 datastore using Kerberos
Creating/renaming/deleting/unmounting VMFS datastores
Mounting/unmounting an NFS datastore
Extending/expanding VMFS datastores
Placing a VMFS datastore in maintenance mode
Selecting the preferred path/disabling a path to a VMFS datastore
Enabling/disabling vStorage API for array integration (VAAI)
Determining a proper use case for multiple VMFS/NFS datastores
Objective 3.5 – Set up and configure Storage I/O Control
Describing the benefits of SIOC
Enabling and configuring SIOC
Configuring/managing SIOC
Monitoring SIOC
Differentiating between SIOC and dynamic queue depth throttling features
Determining a proper use case for SIOC
Comparing and contrasting the effects of I/O contention in environments with and without SIOC
Understanding SIOC metrics for datastore clusters and Storage DRS
What is missing
Review questions
Summary
Upgrade a vSphere Deployment to 6.x
Objective 4.1 – Perform ESXi Host and Virtual Machine Upgrades
Update Manager
Configuring download source(s)
Setting up UMDS to set up download repository
Importing ESXi images
Creating baselines and/or baseline groups
Attaching baselines to vSphere objects
Scanning vSphere
Staging patches and extensions
Remediating an object
Upgrading a vSphere Distributed Switch
Upgrading VMware Tools
Upgrading virtual machine hardware
Upgrading an ESXi host by using vCenter Update Manager
Staging multiple ESXi host upgrades
Aligning appropriate baselines with target inventory objects
Objective 4.2 – Perform vCenter Server Upgrades (Windows)
Comparing the methods of upgrading vCenter Server
Upgrading vCenter Server 5.5 on Windows
Upgrading vCenter Server 6.0 on Windows
Mixed platform upgrades
Backing up the vCenter Server database, configuration, and certificate store
Backing up the Windows vCenter Server
Backing up the vCSA
Performing updates as prescribed
Upgrading vCenter Server
Determining the upgrade compatibility of an environment
Determining correct order of steps to upgrade a vSphere implementation
Objective 4.3 – Perform vCenter Server migration to VCSA
Migrating to vCSA
Understanding the migration paths to the vCSA
Migrating from 5.5 to 6.5 with embedded PSC
Migrating from 5.5 to 6.5 with external PSC
Review questions
Summary
Administer and Manage vSphere 6.x Resources
Objective 5.1 – Configure multilevel Resource Pools
Determining the effect of the expandable reservation parameter on resource allocation
Creating a Resource Pool hierarchical structure
Configuring custom Resource Pool attributes
Determining how Resource Pools apply to vApps
Creating/removing a Resource Pool
Adding/removing VMs from a Resource Pool
Determining appropriate shares, reservations, and limits for hierarchical Resource Pools
Objective 5.2 – Configure vSphere DRS and Storage DRS clusters
Adding/removing Host DRS Group
Adding/removing a virtual machine DRS group
Managing DRS affinity/anti-affinity rules
Creating a VM-VM affinity rule
Creating a VM-Host affinity rule
Configuring the proper DRS automation level based on a set of business requirements
Backing up a resource pool tree
Restoring a resource pool tree
Explaining how DRS affinity rules affect virtual machine placement
VM-Host affinity rule
VM-VM affinity rule
Understanding network DRS
Differentiating load balancing policies
Host network saturation threshold
Monitoring host network utilization
Describing Predictive DRS
Storage DRS Cluster
Review questions
Summary
Backup and Recover a vSphere Deployment
Objective 6.1 – Configure and Administer vCenter Appliance Backup/Restore
Configuring vCSA File-based backup and restore
Defining supported backup targets
Objective 6.2 – Configure and administer vCenter Data Protection
Deploying VDP application agents
Differentiating VMware Data Protection's capabilities
Explaining VMware data protection sizing guidelines
Creating/deleting/consolidating virtual machine snapshots
Installing and configuring VMware Data Protection
Creating a backup job with VMware Data Protection
Backing up/restoring a virtual machine with VMware Data Protection
Objective 6.3 – Configure vSphere Replication
Comparing and contrasting vSphere Replication compression methods
Configuring a recovery point objective (RPO) for a protected virtual machine
Managing snapshots on recovered virtual machines
Installing/configuring/upgrading vSphere Replication
Configuring VMware Certificate Authority (VMCA) integration with vSphere Replication
Configuring vSphere Replication for single/multiple VMs
Recovering a VM using vSphere Replication
Performing a failback operation using vSphere Replication
Deploying a pair of vSphere Replication virtual appliances
Review questions
Summary
Troubleshoot a vSphere Deployment
Objective 7.1 – Troubleshoot vCenter Server and ESXi hosts
Understanding the VCSA monitoring tool
Monitoring status of the vCenter Server services
Performing basic maintenance of a vCenter Server database
Monitoring status of ESXi management agents
Determining ESXi host stability issues and gathering diagnostic information
Monitoring ESXi system health
Locating and analyzing the vCenter Server and ESXi logs
Determining appropriate commands for troubleshooting
Troubleshooting common ESXi/vCenter issues
Objective 7.2 – Troubleshoot vSphere storage and networking
Identifying and isolating network and storage resource contention and latency issues
Verifying network and storage configuration
Verifying that a given virtual machine is configured with the correct network resources
Monitoring/troubleshooting Storage Distributed Resource Scheduler (SDRS) issues
Recognizing the impact of network and storage I/O control configurations
Recognizing a connectivity issue caused by a VLAN/PVLAN
Troubleshooting common storage and networking issues
Objective 7.3 – Troubleshooting vSphere Upgrades and Migrations
Collecting upgrade diagnostic information
Recognizing common upgrade and migration issues with vCenter Server and vCenter Server Appliances
Creating/locating VMware log bundles
Determining alternative methods to upgrade ESXi hosts in the event of a failure
Configuring vCenter Server logging options
Objective 7.4 – Troubleshooting virtual machines
Monitoring CPU and memory usage
Identifying and isolating CPU and memory contention issues
Recognizing the impact of using CPU/memory limits, reservations, and shares
Describing and differentiating critical performance metrics
Describing and differentiating common metrics
Monitoring performance through esxtop
Troubleshooting Enhanced vMotion Compatibility (EVC) issues
Comparing and contrasting the Overview and Advanced Charts
Objective 7.5 – Troubleshoot HA and DRS configurations and Fault Tolerance
Troubleshooting common HA and DRS issues
HA configuration
HA Admission Control
HA networking
DRS configuration
DRS workload balancing
Fault Tolerance configuration
Explaining the DRS Resource Distribution Graph and Target/Current Host Load Deviation
Explaining vMotion Resource Maps
What is missing
Review questions
Summary
Deploy and Customize ESXi Hosts
Objective 8.1 – Configure Auto Deploy for ESXi hosts
Describe the components and architecture of an Auto Deploy environment
Implement Host Profiles with an Auto Deploy of an ESXi host
Install and configure Auto Deploy
Deploy multiple ESXi hosts using Auto Deploy
Explaining the Auto Deploy deployment model needed to meet a business requirement
Objective 8.2 – Create and Deploy Host Profiles
Editing answer file to customize ESXi host settings
Modifying and applying a storage path selection plugin (PSP) to a device using host profiles
Modifying and applying switch configurations across multiple hosts using a host profile
Creating/editing/removing a host profile from an ESXi host
Importing/exporting a Host Profile
Attaching and applying a Host Profile to ESXi hosts in a cluster
Performing compliance scanning and remediation of ESXi hosts and clusters using Host Profiles
Enabling or disabling Host Profiles components
Review questions
Summary
Configure and Administer vSphere and vCenter Availability Solutions
Objective 9.1 – Configure vSphere HA cluster features
Modify vSphere HA cluster settings
Configure a network for use with HA heartbeats
Apply an admission control policy for HA
Enable/disable vSphere HA settings
Configure different heartbeat datastores for a HA cluster
Apply virtual machine monitoring for a cluster
Configure Virtual Machine Component Protection (VMCP) settings
Implement vSphere HA on a vSAN cluster
Explain how vSphere HA communicates with distributed resource scheduler and distributed power management
Objective 9.2 – Configure vCSA HA
Enable and Configure vCSA HA
Understand and describe the architecture of vCSA HA
Review questions
Summary
Administer and Manage vSphere Virtual Machines
Create and manage vSphere Virtual Machines and templates
Determine how using a shared USB device impacts the environment
Configure virtual machines for vGPUs, DirectPath I/O and SR-IOV
Configure virtual machines for multicore vCPUs
Differentiate virtual machine configuration settings
Interpret virtual machine configuration file (.vmx) settings
Enable/disable advanced virtual machine settings
Create and manage a content library
Publish a content catalog
Subscribe to a published catalog
Determine which privileges are required to globally manage a content catalog
Compare the functionality of automatic sync and an on-demand sync
Configure content library to work across sites
Configure content library authentication
Set/configure content library roles
Add/remove content libraries
Consolidate physical workloads using VMware vCenter Converter
Install vCenter Converter standalone instance
Convert physical workloads using vCenter Converter
Modify server resources during conversion
Interpret and correct errors during conversion
Deploy a physical host as a virtual machine using vCenter Converter
Collect diagnostic information during the conversion operation
Resize partitions during the conversion process
Determine which virtual disk format to use
Review questions
Summary
Mock Exam 1
Mock exam 1
Configure and administer vSphere 6.x security
Configure and administer vSphere 6.x networking
Configure and administer vSphere 6.x storage
Upgrade a vSphere Deployment to 6.x
Administer and manage vSphere 6.x Resources
Backup and recover a vSphere Deployment
Troubleshoot a vSphere Deployment
Deploy and customize ESXi Hosts
Configure and administer vSphere and vCenter Availability Solutions
Administer and manage vSphere Virtual Machines
Summary
Mock Exam 2
Mock exam 2
Checking your answers
Summary
Understanding VMware Certification Paths
Certification paths
Certification levels
Certification life cycle
Some demographics data
Most required certifications
Certification versus accreditation or awards
Summary
VCP6.5-DCV Certification
Certification paths
No VCP certification
Required training courses
Exams to pass
Holding an active VCP5-DCV or VCP6-DCV
Recommended training courses
Exams to pass
Holding an expired VCP-DCV
Required training courses
Exams to pass
Holding an active VCP in a different path
Recommended training courses
Exams to pass
Order of the different steps
Certification benefits
What's next?
Summary
Before, During, and After the Exam
Before the exam
Attending a course
Studying by yourself
Books
Videos
Online resources
Hands-on Labs
Checking your exam preparation
Mock exams
During the exam
Which exam to take
Foundation exam
VMware Certified Professional 6.5 - Data Center Virtualization exam
VMware Certified Professional 6.5 - Data Center Virtualization Delta exam
Types of questions
Time management
Foreign language notes
After the exam
Scoring in VMware exams
What's next?
Summary
Other Books You May Enjoy
Leave a review - let other readers know what you think
The VMware Certified Professional (VCP) 6.5 Data Center Virtualization certification demonstrates your skills and your ability to successfully install, configure, and manage a VMware vSphere 6.5-based infrastructure, including all of its components and layers: vCenter Server, ESXi hosts, and virtual machines.
This book describes the various paths to reaching this industry-standard certification (which is still one of the most sought-after and best-paying certifications to have), and prepares you for the whole journey along whichever path to the certification you choose.
The main part of this book is focused on the VCP65-DCV exam (2V0-622), but much of what you will learn can also be applied to the delta exam (2V0-622D). The book follows the related VMware Certified Professional 6.5 - Data Center Virtualization Exam Preparation Guide (https://mylearn.vmware.com/lcms/web/portals/certification/exam_prep_guides/Exam_Prep_Guide_2V0-622_3Oct2017.docx.pdf), and it is structured using the same objectives.
The different chapters are grouped in different sections, according to the preparation and schedule being discussed. The aim of this book is to provide a reference point that can help your preparation for the exam in a timeframe of four weeks.
The book is focused on the VCP6.5-DCV exam, covering all the required objectives outlined in the exam preparation guide.
For this reason, the expected readers for this book are vSphere administrators and IT architects who want to achieve the VCP6.5-DCV certification and have already gained some experience with the vSphere platform.
The book can also be used to learn more about the VMware vSphere 6.5 product, but this book does not provide a complete overview and is definitely not targeted at those who want to learn about the product from scratch.
For those wishing to start down the path toward a VMware certification for the first time, one requirement is to attend an official course, which provides the right grounding for those who are starting from scratch.
Everything outlined in the official VMware Certified Professional 6.5 - Data Center Virtualization Exam Preparation Guide, as well as what you will need to know for the VCP6.5-DCV certification exam, is covered in this book. The book is composed of 10 chapters, which cover the following topics.
Chapter 1, Configuring and Administering vSphere 6.x Security, looks at the various aspects to consider when securing the vSphere environment, such as roles, permissions, encryption, authentication, and patching.
Chapter 2, Configure and Administer vSphere 6.x Networking, is completely dedicated to vSphere networking. It explains standard and distributed virtual switches and covers the design, management, and optimization of the virtual network.
Chapter 3, Configure and Administer vSphere 6.x Storage, is focused on vSphere storage, covering the different connectivity options and protocols, such as NFS, FC, FCoE, and iSCSI. Datastore options and use cases are also discussed.
Chapter 4, Upgrade a vSphere Deployment to 6.x, covers the upgrade and migration procedures of vSphere from version 5.5 and 6.0 to version 6.5.
Chapter 5, Administer and Manage vSphere 6.x Resources, explains resource pool management and DRS configuration, describing the use of affinity and anti-affinity rules. It also discusses the new network DRS capability used to prevent migration recommendations to saturated host networks.
Chapter 6, Backup and Recover a vSphere Deployment, covers the backup and restoration of the vCenter Server Appliance, as well as the backup, recovery, and replication of virtual machines using vSphere Data Protection and vSphere Replication.
Chapter 7, Troubleshoot a vSphere Deployment, walks through the troubleshooting part of a virtual environment, providing a short overview of some topics and possible use cases.
Chapter 8, Deploy and Customize ESXi Hosts, covers the management and the configuration of the vSphere Auto Deploy and Host Profile features for optimizing and automating the ESXi host's deployment.
Chapter 9, Configure and Administer vSphere and vCenter Availability Solutions, goes into the configuration settings for vSphere HA and the vCenter Server Appliance (VCSA) HA setup.
Chapter 10, Administer and Manage vSphere Virtual Machines, covers some advanced features available for virtual machines, the configuration and use of content libraries, and the consolidation process using the vSphere vCenter Converter tool.
Given the topics and procedures covered, the book is oriented toward experienced vSphere administrators and IT architects whose goal is to achieve the certification. The purpose of this book is to provide the information and the procedures you need to prepare for the exam.
This book uses the VMware vSphere 6.5 Update 1 platform (ESXi, vCenter Server) as a reference, as well as some optional components, such as VMware vCenter Converter 6.2. These are the minimum software requirements to use in a lab to follow the topics covered in the book.
To practice the configuration procedures used through the various chapters, it is strongly recommended that you build a small lab environment to test and practice what you read through the chapters. VMware vSphere 6.5 Update 1 can be downloaded as a 60-day, fully working trial (during the trial period, it will be an Enterprise Plus version) to experiment with and learn how vSphere works.
Also, be sure to understand the limits of the available vSphere 6.5 features. In the past, the exam was full of questions on such numbers; now you need to remember only the main limits. For more information, see this site: https://configmax.vmware.com/.
Each chapter is accompanied by some review questions at the end, which you should answer to verify that you have understood the content presented in the chapter. Take your time to practice and study the book to successfully achieve the VCP6.5-DCV certification.
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://www.packtpub.com/sites/default/files/downloads/DataCenterVirtualizationCertificationVCP6Dot5DCVExamGuide_ColorImages.pdf.
There are a number of text conventions used throughout this book.
CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "StackName is the name of the new TCP/IP stack."
A block of code is set as follows:
    <config>
      <vpxd>
        <network>
          <rollback>false</rollback>
        </network>
      </vpxd>
    </config>
Any command-line input or output is written as follows:
esxcli system settings advanced set -o /Net/UseHwTSO -i 0
Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "On the Select name and location page, type the name of the new distributed port group, or accept the generated name."
Feedback from our readers is always welcome.
General feedback: Email [email protected] and mention the book title in the subject of your message. If you have questions about any aspect of this book, please email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packtpub.com.
Security has become a critical aspect of every infrastructure, but for virtual environments, there are some advantages compared to the traditional infrastructures.
One of the main pillars of system virtualization is the Virtual Machine (VM) isolation principle, which protects each VM from attacks launched from other VMs, and also protects the virtualization host from attacks launched from a VM. Of course, the isolation properties don't cover the network layer; other solutions are required to increase network security, such as VMware NSX.
While isolation protects the host level from the VM level, in some cases, it's also necessary to protect the VM level from the underlying infrastructure; for example, in a public cloud infrastructure, the consumer might have some concerns about how the provider manages the security and privacy of their data.
VMware vSphere 6.5 has introduced some important new security features, such as VM encryption, encrypted vMotion, and Secure Boot Support for VMs and ESXi.
The following topics will be covered in this chapter:
Understanding role-based access control in vSphere
Tuning and hardening guidelines for vCenter, ESXi, and VMs
Working with encryption and secure VMs
Role-based access control (RBAC) is a common approach to managing authorizations and permissions, based on specific roles assigned to specific users or groups.
VMware vSphere provides the following four categories of permissions, from the most general to the most specific:
Group membership in the SSO domain: Some users of the vCenter Single Sign-On (SSO) domain, such as the default administrator, have specific, implicit permissions. For more information, refer to Objective 1.3.
Global permissions: These permissions are applied to a global root object, and can propagate to all objects. Also, they can span across different VMware products (for example, vSphere and vRealize Orchestrator).
vCenter permissions: This is the main model used by vCenter Server to assign granular permissions to objects in different inventories.
ESXi local permissions: Each ESXi host has local permissions, local roles, and local users. For hosts managed by vCenter, vCenter permissions are usually used. But local permissions still exist, and they are the only permission model for standalone ESXi hosts.
This chapter will mainly focus on vCenter and global permissions, as required by the exam questions. Objective 1.3 will provide more information about SSO-related concepts. ESXi local permissions are not covered in detail, but the RBAC model is quite similar to the one used by the vCenter permissions.
The official vSphere 6.5 Security Guide contains detailed information about authentication, authorization, and different permission configurations, and can be accessed at https://docs.vmware.com/en/VMware-vSphere/6.5/vsphere-esxi-vcenter-server-652-security-guide.pdf.
The VMware vSphere RBAC model is based on the following concepts:
Inventory: A collection of multiple virtual or physical objects managed by vCenter, in a hierarchical organization. In vCenter Server, there are four different types of inventories, with different types of objects. For more information, refer to Table 1.1.
Object: Each object in the vCenter inventory has associated permissions, or inherits them from its parent object.
User and Group: In vCenter Server, users are authenticated through the SSO component; in ESXi, users are authenticated with local authentication or AD authentication (refer to Objective 1.3). Note that you can only assign privileges to authenticated users, or groups of authenticated users.
Privilege: This is the ability to access or execute specific functions, tasks, and operations.
Role: Roles are just groups of privileges, used to make permissions management much easier.
Permission: Permissions specify which role matches a specific group of users, for a specific object.
The following table summarizes the types of inventories, with the different types of objects:
Table 1.1: vCenter inventories and their related objects

vCenter inventory | Related objects
Hosts and clusters | vCenter Servers, Data centers, Folders, Clusters, Hosts, Resource pools, vApps, VMs
VMs and templates | vCenter Servers, Data centers, Folders, vApps, VMs, Templates
Storage (Data stores and data store clusters) | vCenter Servers, Data centers, Folders, Data store clusters, Data stores
Networking | vCenter Servers, Data centers, Folders, Portgroups, Distributed Virtual Switches, Distributed Portgroups, Distributed Uplinks
VMware vCenter permissions are assigned to objects in the vCenter inventory hierarchy by specifying which user or group has which privileges on that object. Then, to specify the privileges, you use specific roles.
The different vCenter inventories can be used to provide different levels of object hierarchies, and to group objects in different ways. Note that some objects (such as VMs) can exist in multiple inventories.
Later sections in this chapter will help you to understand how permissions are propagated through the object hierarchy.
Global permissions are applied to a global root level, instead of a specific object. In this way, a global permission grants privileges for all objects in all inventories, but only if you assign a global permission by selecting the Propagate to children option. Without the propagation, a user will only have access to some global functionalities, such as creating roles. Also, remember that global permissions can span different VMware products.
Note that vSphere tags are a specific vCenter object type, with their own permission propagation model. This is because a tag object is not a child of vCenter, but is created at the vCenter root level. If you have multiple vCenter Servers in linked mode, then all tag objects will be shared across all vCenter Server instances. To learn how permissions are applied to tag objects, you can refer to the vSphere 6.5 Security Guide (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-2199584C-B422-4EEF-9340-5449E1FB7DAE.html).
User and group lists can be displayed and sorted from the vCenter Web Client in the Users and Groups menu, located via Home | Administration | Single Sign-On.
You can choose a specific domain (identity source, as described later). The Users tab will show the users, and the Groups tab will show the groups.
To sort a column, just click on the column heading. To change the order direction (ascending or descending), just click on it again. To show or hide a column, right-click on any of the column headings and select or deselect the name of the relevant column.
You can export the displayed list to a file (in a Comma-Separated Values (CSV) format) by selecting the Export button, as follows:
As described previously, a permission is a match between an object in the vCenter object hierarchy, a user (or a group), and a role.
With vSphere Web Client, you can manage vCenter permissions for users or groups by selecting one object from one of the vCenter inventories and then clicking on the Permissions tab:
With the selected toolbar, you can add, edit, or remove selected permissions.
For Global Permissions, the toolbar remains the same, but you must select the Global Permissions menu that is located at Home | Administration | Access Control:
Remember that global permissions can span more vCenter servers in the same SSO domain.
When you add or modify a permission, you need to select one or more users (or groups), a specific role, and whether the permission will be propagated in the objects hierarchy (refer to the next section for more information):
For more information, refer to the vSphere 6.5 Security Guide (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-3B78EEB3-23E2-4CEB-9FBD-E432B606011A.html).
If you assign a permission to an object, it can be propagated down the object hierarchy. Propagation is enabled by default, but you can enable or disable it for each permission with the Propagate to children checkbox, as follows:
VMware vCenter objects are hierarchical. This means that permissions (with the Propagate to children option) will be inherited (all child objects inherit from their parent objects). The following diagram, from the vSphere Security Guide, shows the entire object hierarchy:
Global permissions can likewise be propagated (or not) to the different inventories, just as vCenter permissions are propagated through the object hierarchy.
Note that some objects can exist in different inventories (for example, VMs appear in both the Hosts and Clusters inventory and the VMs and Templates inventory). This means that different permissions can be applied in different views.
For more information, refer to the vSphere 6.5 Security Guide (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-03B36057-B38C-479C-BD78-341CD83A0584.html).
In VMware vCenter, there are different types of roles, as follows:
Default roles: These are predefined on vCenter Server, and cannot be modified or deleted.
Sample roles: These are also predefined, and are used to manage certain types of tasks. They can be cloned, modified, or removed.
Custom roles: These can be defined by the administrators, and are created from scratch or cloned from existing roles.
The following table summarizes the predefined roles:
Table 1.2: Predefined vCenter roles

Type | Role
System role | Administrator role, No cryptography administrator role, No access role, Read-only role
Sample role | VM power user role, VM user role, Resource pool administrator role, VMware consolidated backup user role, Data store consumer role, Tagging admin role, Network administrator role, Content library administrator role
Usually, role names are quite descriptive about what kinds of tasks will be permitted, but you can edit them to see the complete list of privileges.
You can manage the vCenter roles using the vSphere Web Client by selecting the Roles menu and navigating to Home | Administration | Access Control:
The selected toolbar will allow you to create, clone, modify, or delete a role.
To create a new role from scratch, just click on the Create role action icon, type a name for the new role, and then select the right privileges for the role.
To clone an existing role into a new role, just select the desired source role and click on the Clone role action icon, then type a name for the new role. At that point, you can modify it with the Edit action icon.
For more information, you can refer to the vSphere 6.5 Security Guide (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-18071E9A-EED1-4968-8D51-E0B4F526FDA3.html).
When a user logs in to a vSphere environment, the vCenter SSO will validate the user's credentials through one of the configured identity sources.
If the user also specifies the domain name (using the domain\user or user@domain format), the authentication will match the specific identity source.
Identity sources are centralized repositories of users and groups, usually authentication domains of some kind, and vSphere supports the following:
SSO domain: This is the default identity source, created with the configuration of the PSC.
AD (native): When the SSO is joined to an AD domain, it is possible to use the domain or the forest as an authentication source.
LDAP (AD): The users are defined on an AD domain, but you don't have to join the SSO to the AD domain.
LDAP (OpenLDAP): The users are defined on an open source LDAP server.
Local OS: The users are defined in the SAM file (for Windows-based SSO) or the /etc/passwd and /etc/shadow files (for Linux-based SSO).
You can add new identity sources or remove existing ones, and you can also change the default source.
Note that you must have vCenter SSO administrator privileges in order to manage the identity sources.
From the vSphere Web Client, just select the Configuration menu, located at Home | Administration | Single Sign-On. Then, select the Identity Sources tab:
To configure a new identity source, select Identity Sources and click on the plus icon (+). Then, choose the proper identity source type and enter the specific identity source settings.
For example, for AD, you will see a screen like the following:
For more information about authentication, see the Platform Services Controller (PSC) 6.5 Administration Guide (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.psc.doc/GUID-B98DF9C2-FE7D-483F-9521-C17C138B59D8.html).
Once a role has been defined, you can use it to assign specific authorizations to authenticated users or groups.
The entire procedure was described previously, in the Adding/modifying/removing permissions for users and groups in vCenter Server inventory objects section.
Note that some objects may reference other objects, such as VMs that include data store objects (for the virtual disk locations) and network objects (for the connected portgroups). In those cases, you will need to assign the right roles in all of the different inventories.
As described previously, the SSO component can have different identity sources. When a directory service (such as AD or LDAP) is used, the SSO regularly validates users and groups on the directory domain. This validation occurs at regular intervals, specified in the vCenter Server settings.
You can view or change these settings with the vSphere Web Client by selecting your vCenter Server in the vSphere object navigator and then selecting the Configure tab and clicking on General under Settings.
Select the User directory area, and view or change the values as needed:
There are different options and settings, as follows:
User directory timeout: This is the maximum amount of time, in seconds, that SSO allows a search to run on the selected domain source. For large domains, this can be increased.
Query limit: This enables or disables a limit on the number of users and groups that vCenter displays.
Query limit size: This is the maximum number of users and groups that vCenter displays in the Select Users or Groups dialog box. If you enter 0 (zero) or disable the previous option, all users and groups will appear.
Validation: This is used to define whether validation is enabled or disabled.
Validation period: This is how often, in minutes, validation is performed.
For more information, refer to the vCenter Server and Host Management Guide (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.vcenterhost.doc/GUID-007C02A8-C853-4FBC-B0F0-933F19768DD4.html).
Many tasks require permissions on multiple objects in the inventory. Without all of them, the task cannot be completed successfully.
The following table, from the VMware guide, shows some examples of common VM administration tasks with their required privileges, and, where applicable, the appropriate sample roles that can be used (instead of configuring the single privileges):
Table 1.3: Common VM administration tasks, required privileges, and applicable sample roles

Task: Create a VM
  On the destination folder or data center:
    Virtual machine | Inventory | Create new
    Virtual machine | Configuration | Add new disk (if creating a new virtual disk)
    Virtual machine | Configuration | Add existing disk (if using an existing virtual disk)
    Virtual machine | Configuration | Raw device (if using an RDM or SCSI pass-through device)
  Applicable role: Administrator
  On the destination host, cluster, or resource pool: Resource | Assign virtual machine to resource pool
  Applicable role: Resource pool administrator or administrator
  On the destination data store or the folder that contains the data store: Datastore | Allocate space
  Applicable role: Data store consumer or administrator
  On the network that the VM will be assigned to: Network | Assign network
  Applicable role: Network consumer or administrator

Task: Power on a VM
  On the data center in which the VM is deployed: Virtual machine | Interaction | Power On
  Applicable role: VM power user or administrator
  On the VM or the folder of VMs: Virtual machine | Interaction | Power On

Task: Deploy a VM from a template
  On the destination folder or data center: Virtual machine | Inventory | Create from existing or Virtual machine | Configuration | Add new disk
  Applicable role: Administrator
  On a template or folder of templates: Virtual machine | Provisioning | Deploy template
  On the destination host, cluster, or resource pool: Resource | Assign virtual machine to resource pool
  On the destination data store or folder of data stores: Datastore | Allocate space
  Applicable role: Data store consumer or administrator
  On the network that the VM will be assigned to: Network | Assign network
  Applicable role: Network consumer or administrator

Task: Take a VM snapshot
  On the VM or a folder of virtual machines: Virtual machine | Snapshot management | Create snapshot
  Applicable role: VM power user or administrator

Task: Install a guest operating system on a VM
  On the VM or folder of VMs:
    Virtual machine | Interaction | Answer question
    Virtual machine | Interaction | Console interaction
    Virtual machine | Interaction | Device connection
    Virtual machine | Interaction | Power Off
    Virtual machine | Interaction | Power On
    Virtual machine | Interaction | Reset
    Virtual machine | Interaction | Configure CD media (if installing from a CD) or Configure floppy media (if installing from a floppy disk)
    Virtual machine | Interaction | VMware Tools install
  Applicable role: VM power user or administrator
  On a data store that contains the installation media ISO image: Datastore | Browse datastore (if installing from an ISO image on a data store)
  On the data store to which you upload the installation media ISO image: Datastore | Browse datastore or Datastore | Low level file operations

Task: Migrate a VM with vMotion
  On the VM or folder of VMs:
    Resource | Migrate powered on virtual machine
    Resource | Assign Virtual Machine to Resource Pool (if the destination is a different resource pool from the source)
  Applicable role: Resource pool administrator or administrator
  On the destination host, cluster, or resource pool (if they are different from the source): Resource | Assign virtual machine to resource pool

Task: Cold migrate (relocate) a VM
  On the VM or folder of VMs:
    Resource | Migrate powered off virtual machine
    Resource | Assign virtual machine to resource pool (if the destination is a different resource pool from the source)
  Applicable role: Resource pool administrator or administrator
  On the destination host, cluster, or resource pool (if different from the source): Resource | Assign virtual machine to resource pool
  On the destination data store (if it is different from the source): Datastore | Allocate space
  Applicable role: Data store consumer or administrator

Task: Migrate a VM with Storage vMotion
  On the VM or folder of VMs: Resource | Migrate powered on virtual machine
  Applicable role: Resource pool administrator or administrator
  On the destination data store: Datastore | Allocate space
  Applicable role: Data store consumer or administrator
These are just examples, but in most cases, you will need to build your own custom role (or set of roles).
Other software or solutions based on vSphere may specify the right privileges that are needed in order to build custom roles with minimum privileges.
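The two ideas above, permission propagation through the object hierarchy and the per-object privileges that a task such as "Create a VM" needs in Table 1.3, combine in a way that is easy to get wrong: a permission that is missing on just one inventory (typically the network) blocks the whole task. The following Python model is an added illustration, not code from this book or from VMware. It reproduces the rules described in this chapter (nearest permission wins, an ancestor's permission counts only with Propagate to children, No access is an explicit deny, a global permission without propagation grants nothing on inventory objects) and then checks a user against the "Create a VM" requirements. The inventory names, the vm-operators group, the custom VM deployer role and the privilege id strings are constructed for the example; nothing here talks to a real vCenter Server.

```python
"""Toy model of vCenter-style permission propagation (added illustration, not
VMware code). Objects, principals, group membership and the custom role are
constructed; privilege ids are spelled like vCenter's, but nothing here talks
to a real vCenter Server."""
from dataclasses import dataclass, field
from typing import Optional

ALL = "*"  # stands for 'every privilege' (the Administrator system role)

# A role is a named set of privileges. None models the 'No access' system
# role, which is an explicit deny rather than an empty grant.
ROLES = {
    "Administrator": {ALL},
    "No access": None,
    "Datastore consumer": {"Datastore.AllocateSpace"},
    "Network consumer": {"Network.Assign"},
    "Resource pool administrator": {"Resource.AssignVMToPool"},
    # constructed custom role for the 'Create a VM' row of Table 1.3
    "VM deployer": {"VirtualMachine.Inventory.Create",
                    "VirtualMachine.Config.AddNewDisk"},
}

GROUPS = {"alice": {"vm-operators"}}  # constructed group membership

@dataclass
class Obj:
    name: str
    parent: Optional["Obj"] = None
    perms: dict = field(default_factory=dict)  # principal -> (role, propagate)

def _perms_at(node, user):
    """Permissions defined on `node` that apply to `user`: a permission for the
    user itself wins; otherwise the user's group permissions are combined."""
    if user in node.perms:
        return [node.perms[user]]
    return [node.perms[g] for g in GROUPS.get(user, ()) if g in node.perms]

def privileges(user, obj):
    """Effective privileges of `user` on `obj`. Walk from the object towards
    the global root; the nearest level defining a permission for the user (or
    its groups) decides, and an ancestor's permission counts only if it was
    set with 'Propagate to children'. That is also why a global permission
    without propagation grants nothing on inventory objects."""
    node, on_self = obj, True
    while node is not None:
        granted, found = set(), False
        for role, propagate in _perms_at(node, user):
            if not (on_self or propagate):
                continue
            found = True
            if ROLES[role] is None:  # No access at this level: deny everything
                return set()
            granted |= ROLES[role]
        if found:
            return granted
        node, on_self = node.parent, False
    return set()

def can(user, obj, priv):
    p = privileges(user, obj)
    return ALL in p or priv in p

def missing_for_task(user, requirements):
    """requirements: (object, privilege) pairs, one per inventory object the
    task touches. Returns the pairs the user lacks; an empty list means the
    task can complete (compare the 'Create a VM' row of Table 1.3)."""
    return [(o.name, p) for o, p in requirements if not can(user, o, p)]

# Constructed inventory: global root -> vCenter -> data center -> objects
global_root = Obj("global root")
vc = Obj("vcenter01", global_root)
dc = Obj("DC-Milan", vc)
folder = Obj("Folder-Dev", dc)
prod_folder = Obj("Folder-Prod", dc)
prod_vm = Obj("vm-prod-01", prod_folder)
pool = Obj("RP-Dev", dc)
ds = Obj("DS-SAN01", dc)
net = Obj("PG-Dev-100", dc)

# alice: global permission WITHOUT propagation (global functions only) plus
# an explicit No access on the production folder, inherited by its VMs
global_root.perms["alice"] = ("Administrator", False)
prod_folder.perms["alice"] = ("No access", True)
# bob: global Administrator WITH propagation, so everything everywhere
global_root.perms["bob"] = ("Administrator", True)
# vm-operators: propagating, least-privilege roles on three inventories, but
# nobody has granted the group anything on the port group yet
folder.perms["vm-operators"] = ("VM deployer", True)
pool.perms["vm-operators"] = ("Resource pool administrator", True)
ds.perms["vm-operators"] = ("Datastore consumer", True)

CREATE_VM = [(folder, "VirtualMachine.Inventory.Create"),
             (pool, "Resource.AssignVMToPool"),
             (ds, "Datastore.AllocateSpace"),
             (net, "Network.Assign")]

if __name__ == "__main__":
    print("alice is missing:", missing_for_task("alice", CREATE_VM))
    net.perms["vm-operators"] = ("Network consumer", True)
    print("after Network consumer on PG-Dev-100:", missing_for_task("alice", CREATE_VM))
```

Run as a script, the first line reports that alice still lacks Network | Assign network on PG-Dev-100, even though she holds a global Administrator permission, because that permission was not propagated; granting the group the Network consumer sample role on the port group empties the list. Her No access on Folder-Prod is inherited by vm-prod-01, which is the usual way to carve an exception out of a broad propagating grant.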
As described in the Creating/cloning/editing vCenter Server roles section, there are two different types of predefined roles:
System roles (cannot be modified or deleted):
Administrator role: This role includes all privileges. By default, users with this role are the SSO administrator, the vCenter root (or administrator) user, and the ESXi vpxuser (used by the vCenter agent).
No cryptography administrator role: This role has the same privileges as the administrator role, except for cryptographic operations privileges. This means that users cannot encrypt or decrypt VMs, or access encrypted data.
Read-only role: With this role, it's possible to view the details of the object, but it's not possible to change anything.
No access role: With this role, it's not possible to view or change the object in any way. By default, new users and groups are assigned to this role.
Sample roles (can be cloned, modified, or removed):
VM administrator: This role allows for complete and total control of a VM, including some related host operations.
VM power user: This role grants rights only to a VM, including changing the settings or creating snapshots.
VM user: This role grants access rights exclusively to VMs, with limited functions, such as powering on, powering off, or resetting the VM, or running media from the virtual disks.
Resource pool administrator: This role is permitted to create resource pools and assign those pools to VMs.
Data center administrator: This role permits adding new data center objects.
VMware consolidated backup user: This role is required for the old VCB framework, but is a good starting point for other backup products.
Data store consumer: This role allows using space on a data store.
Network consumer: This role allows assigning a network to a VM or a host.
For more details, see Table 1.2 or the vSphere 6.5 Security Guide (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-18071E9A-EED1-4968-8D51-E0B4F526FDA3.html).
Sample roles can match specific integration requests. Also, Table 1.3, from the vSphere 6.5 Security Guide, showed some examples of common tasks with their required privileges, and, where applicable, the appropriate sample roles that can be used.
However, for other VMware products (and third-party products), you may need a specific set of permissions, and this list is usually provided by the related product documentation.
Also, remember that global permissions can span different VMware products. For example, for vCenter Orchestrator, you can use global permissions.
To increase the security of ESXi, vCenter, and other vSphere components, you will need to use different approaches, as follows:
Protecting the physical layer: For example, for the networking part, use dedicated VLANs for the different traffic types.
Securing network communications: This applies at least to the infrastructural components. By default, management traffic is already encrypted. Note that one new feature of vSphere 6.5 is the ability to also encrypt vMotion traffic.
Applying the minimum privileges: Limit services, permissions, and access to the minimum needed, in order to reduce the attack surface.
Hardening is a process that enhances the security of a system, a service, or an entire infrastructure, by reducing the attack surface and minimizing the possible vulnerabilities and related risks.
VMware has built in a set of Security Hardening Guides (https://www.vmware.com/security/hardening-guides.html), including one related to the vSphere environment. The vSphere 6.5 Security Configuration Guide is a spreadsheet file with several possible hardening actions and guidelines, each classified with a risk profile. There are also some example scripts, for enabling security automation.
The Security Guide contains in-depth information on how to secure ESXi hosts (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-A706C6C6-DF07-455B-99B9-5B8F8580F1EB.html) and vCenter components (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-8C5F5839-37EC-409E-8C46-C8AD146CBC73.html); the complete guide is also available as a PDF: https://docs.vmware.com/en/VMware-vSphere/6.5/vsphere-esxi-vcenter-server-652-security-guide.pdf.
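The Security Configuration Guide is only useful if its guidelines are checked regularly against the real configuration of each host, and a risk profile is what decides which guidelines apply to a given host. The following Python script is an added illustration (not a VMware script and not one of the guide's example scripts) of that workflow: it parses the text that esxcli system settings advanced list prints, one Key: Value block per setting, and compares it with a small baseline table of the same shape as the guide, that is, a setting, an expected value and the risk profiles it applies to. The setting names are real ESXi advanced settings, but the expected values, the risk profile assignments and the sample esxcli dump are constructed for the example, not copied from the guide. It also handles the classic failure mode of timeout settings, where a value of 0 means "never time out" and must be reported as a failure even though it is numerically below the limit.

```python
"""Compare ESXi advanced settings with a hardening baseline (added
illustration, not a VMware script). Parses the output layout of
'esxcli system settings advanced list' and evaluates it against a baseline in
the spirit of the vSphere Security Configuration Guide. Setting names are real
ESXi advanced settings; expected values, risk profiles and the sample dump are
illustrative and constructed for this example."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    path: str          # advanced setting path
    expected: object   # int for integer settings, str for string settings
    profile: int       # least strict risk profile (1..3) that still requires it
    check: str = "eq"  # eq | le | ge | timeout (0 < value <= expected)

BASELINE = [  # constructed; values are not the guide's
    Control("/UserVars/ESXiShellInteractiveTimeOut", 900, 3, "timeout"),
    Control("/UserVars/ESXiShellTimeOut", 600, 3, "timeout"),
    Control("/UserVars/SuppressShellWarning", 0, 3),
    Control("/Security/AccountLockFailures", 5, 2, "le"),
    Control("/Security/AccountUnlockTime", 900, 2, "ge"),
    Control("/Security/PasswordQualityControl",
            "retry=3 min=disabled,disabled,disabled,7,7", 1),
]

# Constructed, abridged excerpt in the layout of
# 'esxcli system settings advanced list'
SAMPLE_DUMP = """\
   Path: /UserVars/ESXiShellInteractiveTimeOut
   Type: integer
   Int Value: 0
   Default Int Value: 0
   Min Value: 0
   Max Value: 86400
   String Value:
   Description: Time before an interactive shell is automatically logged out.

   Path: /UserVars/ESXiShellTimeOut
   Type: integer
   Int Value: 600
   Description: Time before automatically disabling local and remote shell access

   Path: /UserVars/SuppressShellWarning
   Type: integer
   Int Value: 1
   Description: Do not show warning for enabled local and remote shell access

   Path: /Security/AccountLockFailures
   Type: integer
   Int Value: 5
   Description: Maximum allowed failed login attempts before locking out a user's account.

   Path: /Security/PasswordQualityControl
   Type: string
   Int Value: 0
   String Value: retry=3 min=disabled,disabled,disabled,7,8
   Description: Raw options to control password quality.
"""

def parse_advanced_list(text):
    """{path: value}; integer settings become int, string settings stay str."""
    settings, current = {}, {}
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last block
        line = raw.strip()
        if not line:
            if "Path" in current:
                if current.get("Type") == "integer":
                    settings[current["Path"]] = int(current.get("Int Value") or 0)
                else:
                    settings[current["Path"]] = current.get("String Value", "")
            current = {}
            continue
        key, _, value = line.partition(":")  # Description may itself contain ':'
        current[key.strip()] = value.strip()
    return settings

def _compliant(control, actual):
    if control.check == "eq":
        return actual == control.expected
    if control.check == "le":
        return actual <= control.expected
    if control.check == "ge":
        return actual >= control.expected
    if control.check == "timeout":  # 0 disables the timeout: never compliant
        return 0 < actual <= control.expected
    raise ValueError(f"unknown check type {control.check!r}")

def evaluate(settings, target_profile=3, baseline=BASELINE):
    """Findings for one risk profile (1 = strictest). A control tagged with
    profile N is required for profiles 1..N, so profile 3 checks only the
    controls every host is expected to meet."""
    findings = []
    for c in baseline:
        if c.profile < target_profile:
            continue
        if c.path not in settings:
            status = "missing"
        else:
            status = "pass" if _compliant(c, settings[c.path]) else "fail"
        findings.append({"path": c.path, "status": status,
                         "actual": settings.get(c.path), "expected": c.expected})
    return findings

if __name__ == "__main__":
    for f in evaluate(parse_advanced_list(SAMPLE_DUMP), target_profile=1):
        print(f"{f['status']:8}{f['path']}  actual={f['actual']!r}  expected={f['expected']!r}")
```

On a real host you would feed the script the output of esxcli system settings advanced list captured over SSH or through the ESXi shell instead of SAMPLE_DUMP; a "missing" finding means the dump did not contain the setting at all, which is worth distinguishing from a failed value because it usually points to a truncated export or a different ESXi build.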
This is a new option in vSphere 6.5 (but only for the Enterprise Plus edition), in order to secure the vMotion network traffic.
The vMotion encryption feature isn't simply an encryption of the entire vMotion network channel; it's a per-VM setting. There aren't certificates to manage or import on the infrastructural side.
This will be discussed later, in Objective 1.4, because it's related to the VM options.
On the infrastructural side, you will need to configure the proper key servers (as described in Objective 1.3).
Unified Extensible Firmware Interface (UEFI)
