VMware – Setting up ESX NTP Time Sync

ESX NTP KB ID 0000798

Problem

Having your ESX Server running the correct time is quite important, and before you visit this subject, I would suggest you MAKE SURE the time is set in the ESX Server’s BIOS, i.e. the internal clock is set correctly first. I’ve lost count of the number of times I’ve seen Windows domains fall over because the ESX host has reverted to its BIOS time and replicated that time to its guests; suddenly your domain clocks are two years apart and carnage ensues!

Throughout this procedure I will be setting my VMware environment to sync time with a LOCAL Windows domain controller. Some may argue that, if the domain controller is a virtual machine in a virtual environment, this is a BAD IDEA. I understand that argument (but this is my test network). In production I would rather have my devices getting time synchronised from a reliable public time source.

Solution : ESX NTP

Step 1: vCenter NTP

Assuming you have already set the time correctly on your domain controller as per this article, the next step is to configure your vCenter server(s) NTP time source. Note: If you are using stand-alone ESX Servers please skip this section.

Note: For this to work the hosts need to be able to communicate with the time servers over NTP (UDP Port 123), ensure your firewall has this port open to the NTP source or time sync will fail.

Connect to your vCenter(s) direct admin console https://{ip-or-domain-name}:5400 and log in as root. Navigate to Time > Select the correct Time Zone (Note: there is GMT but no BST, so if you’re in the UK select Europe/London). Under Time Synchronization > Edit > Mode = NTP > Time Servers = the IP(s) of your time sources > Save.

Have a coffee, eventually it should look like this.

Step 2: ESX NTP (Directly)

Note: If you are managing ESX hosts via vCenter skip to the next section, this procedure is used to set NTP on an ESX host directly. Connect to the management console of your ESX Server. Navigate to Manage > System > Time & Date > Edit NTP Settings.

Select “Start and Stop with Host” > Enter the IP addresses or names of the NTP Source(s) > Save.

 

Step 2: ESX NTP (via vCenter)

Connect to vCenter and select your first ESX host > Configure > Time configuration > Add Service > Network Time Protocol > Enter the IP address(es) or name(s) of your NTP Server(s) > OK.

At this point go and have a coffee > Hit Refresh > ONCE there’s an entry under Last Time Sync > Test Services.

The output should look something like this

 

ESX NTP For OLDER versions of vSphere

Connect to the host (or vCenter and drill down to the host(s)). Select the host in question > Configuration > Time Configuration > Properties > Tick NTP Client Enabled > Options > Add > Add in your public time server IPs > Tick ‘Restart NTP Service to apply changes’ > OK > OK.

Note: I’m in the UK so I’m using two time servers in this country, you may want to use one closer to home.

130.88.212.143 = turnip.mc.man.ac.uk (Manchester University)
130.88.200.4 = dir.mcc.ac.uk (Manchester University)

2. When you see the following all is well.

Note: If all these details are IN RED, then it has failed to sync, either be patient, try putting the host into and out of maintenance mode, or reboot it, if it continues to fail check it can see the public time servers on UDP port 123.
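To check the result on every host at once rather than one host at a time, the following PowerCLI sketch (an added example, not part of the original article) reports each host's configured NTP servers, the state of the NTP service, and the gap between the host's clock and the clock of the machine running the script. It assumes an existing Connect-VIServer session; the function name Get-EsxTimeAudit and the 5-second threshold are illustrative choices.

```powershell
# Added example: audit NTP configuration and clock drift on all ESX hosts.
# Assumes PowerCLI is installed and Connect-VIServer has already been run.
# Get-EsxTimeAudit and the default threshold are illustrative, not VMware's.

function Get-EsxTimeAudit {
    param(
        # Maximum tolerated gap (seconds) between host clock and local clock.
        [int]$MaxDriftSeconds = 5
    )

    foreach ($esx in (Get-VMHost | Sort-Object Name)) {
        # NTP servers configured on the host (empty array if none are set).
        $ntpServers = @(Get-VMHostNtpServer -VMHost $esx)

        # The NTP daemon appears in the host service list with the key 'ntpd'.
        $ntpd = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'ntpd' }

        # Ask the host for its current time and compare it with this machine.
        # Both values are converted to local time so they share one basis.
        # The result is only as trustworthy as the clock of this machine.
        $dts       = Get-View -Id $esx.ExtensionData.ConfigManager.DateTimeSystem
        $hostTime  = $dts.QueryDateTime().ToLocalTime()
        $driftSec  = [math]::Round(($hostTime - (Get-Date)).TotalSeconds, 1)
        $driftOk   = [math]::Abs($driftSec) -le $MaxDriftSeconds

        [pscustomobject]@{
            Host        = $esx.Name
            NtpServers  = $ntpServers -join ', '
            NtpdRunning = [bool]$ntpd.Running
            NtpdPolicy  = $ntpd.Policy          # 'on' = Start and stop with host
            DriftSec    = $driftSec
            Healthy     = ($ntpServers.Count -gt 0) -and [bool]$ntpd.Running -and $driftOk
        }
    }
}

# Usage: show only the hosts that need attention.
# Get-EsxTimeAudit | Where-Object { -not $_.Healthy } | Format-Table -AutoSize
```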

Related Articles, References, Credits, or External Links

NA

VMware vSphere Adding vTPM

vTPM KB ID 0001875

Problem

I’ve been asked about this a couple of times in the past, back then my test bench was running a mix of ESX 6.7 and 6.5 so I could not test and document the process. Now everything is running ESX 8.x I can test the procedure in anger. The reason is because I was met with this today.

TPM 2.0 must be supported and enabled on this PC

So what’s a TPM, and a vTPM and why is that important?

Trusted Platform Module (TPM): A hardware component that enhances security by providing cryptographic functions and secure storage of cryptographic keys. It is used for tasks such as device authentication, secure boot, and encryption.

Virtual TPM (vTPM): A virtualised version of a TPM that provides the same functionality as a physical TPM but is implemented in software within a virtualised environment. It allows virtual machines (VMs) to use TPM features without requiring a physical TPM chip in the underlying hardware.

Key Functions of vTPM:

  • Secure Boot: Ensures that a system boots using only software that is trusted by the manufacturer.
  • Device Authentication: Verifies the integrity of the device and its software before it is allowed to connect to the network or perform sensitive operations.
  • Encryption Key Storage: Stores cryptographic keys securely, preventing unauthorized access even if the VM is compromised.

Use Cases:

  • Cloud Computing: Provides security features for VMs in cloud environments, ensuring that each VM can have its own isolated and secure TPM instance.
  • Virtualization Platforms: Enhances security in environments using hypervisors such as VMware, Microsoft Hyper-V, or KVM.

Implementation:

  • Software-Based: Implemented as part of the virtualization software stack.
  • Isolation: Each vTPM instance is isolated from others, ensuring that the security properties of TPM are maintained even in a multi-tenant environment.

Advantages:

  • Scalability: Easily scalable across many VMs without the need for physical TPM hardware.
  • Flexibility: Can be deployed in various virtualized environments and cloud infrastructures.

To summarise, vTPM provides the security benefits of TPM in virtualised and cloud environments, enabling secure operations and cryptographic functions for virtual machines.

Solution: VMware vTPM

vTPM Prerequisites

To install and configure a vTPM (Virtual Trusted Platform Module) on VMware ESXi, certain prerequisites must be met to ensure compatibility and proper functionality. Here are the main prerequisites:

  • VMware ESXi Version: vTPM is supported on ESXi 6.7 and later versions. (If you have 1x older host then you will NOT be able to utilise vTPM).
  • VM Hardware Version: The virtual machine (VM) must be configured with hardware version 14 or higher. This ensures that the VM can support the vTPM functionality.
  • vSphere: vSphere 6.7 or later is required. This includes both vCenter Server and the ESXi hosts.
  • UEFI Firmware: The VM must be configured to use UEFI (Unified Extensible Firmware Interface) firmware instead of BIOS. vTPM is not supported with legacy BIOS firmware.
  • Key Management Server (KMS): A Key Management Server must be configured and accessible. VMware vSphere requires a KMS to manage the encryption keys used for VM encryption and vTPM. This cannot be done with the ‘built in’ Native Key Provider.
  • Virtual Machine Compatibility: Ensure that the guest operating system of the VM supports TPM. Most modern operating systems, including Windows 10, Windows Server 2016/2019, and certain Linux distributions, support TPM.
  • Permissions: Appropriate permissions are required to configure vTPM. Ensure that you have the necessary administrative privileges in vCenter Server to configure VM options and encryption settings.
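The per-VM prerequisites in the list above (host version, VM hardware version and UEFI firmware) can be checked before you open Edit Settings. The following PowerCLI sketch is an added example, not part of the original article; it assumes an existing Connect-VIServer session, the function name Test-VtpmReadiness is illustrative, and it does not check the key provider, guest OS support or your permissions.

```powershell
# Added example: check the per-VM vTPM prerequisites listed above.
# Assumes PowerCLI and an existing Connect-VIServer session.
# Test-VtpmReadiness is an illustrative name, not a PowerCLI cmdlet.

function Test-VtpmReadiness {
    param(
        [Parameter(Mandatory)]
        [string[]]$VMName
    )

    foreach ($vm in (Get-VM -Name $VMName)) {
        $cfg = $vm.ExtensionData.Config

        # Config.Version looks like 'vmx-14'; keep the number after the dash.
        $hwVersion  = [int]($cfg.Version -replace '^vmx-', '')
        # Version of the ESX host currently running the VM, e.g. 6.7.0.
        $esxVersion = [version]$vm.VMHost.Version
        # A vTPM that is already present shows up as a 'VirtualTPM' device.
        $hasVtpm    = [bool]($cfg.Hardware.Device |
                             Where-Object { $_.GetType().Name -eq 'VirtualTPM' })

        $problems = @()
        if ($esxVersion -lt [version]'6.7') {
            $problems += "host is ESX $esxVersion (needs 6.7 or later)"
        }
        if ($hwVersion -lt 14) {
            $problems += "hardware version is $hwVersion (needs 14 or higher)"
        }
        if ($cfg.Firmware -ne 'efi') {
            $problems += "firmware is '$($cfg.Firmware)' (needs UEFI)"
        }

        [pscustomobject]@{
            VM              = $vm.Name
            EsxVersion      = $esxVersion
            HardwareVersion = $hwVersion
            Firmware        = $cfg.Firmware
            HasVtpm         = $hasVtpm
            Ready           = ($problems.Count -eq 0)
            Problems        = $problems -join '; '
        }
    }
}

# Usage: Test-VtpmReadiness -VMName 'Win11-Test' | Format-List
```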

vTPM: Adding VMware Native Key Provider

With your vCenter selected > Configure > Key Providers > Add > Give the Key Provider a sensible name > Untick “Use Key provider only with TPM protected ESXi Hosts (Recommended)”* > Add Key Provider.

*Note: Each ESXi server DOES NOT need to have its own physical TPM chip. Unticking this option lets you deploy vTPM to a VM on ANY host regardless of whether it has a TPM chip or not.

Before it can be used you have to back it up > Select your Key Provider > Backup > Tick “Protect this Native Key Provider with a password (Recommended)” > Supply and confirm a password > Tick “I have saved the password in a secure place” > Backup Key Provider.

Adding vTPM to a Virtual Machine

Right click the VM in question  > Edit Settings.

Add New Device > Trusted Platform Module > OK.

I Don’t See Trusted Platform Module?

Yeah, I knew all my pre-requisites had been met, but if you’ve read from the start you will know this VM came from a 6.7/6.5 environment, so not being able to add a vTPM was probably a hardware version problem. To save you googling: Hardware version 14 is ESX 6.7 compatibility, so you have to change the compatibility, like so.

 
Right click the VM > Compatibility > Upgrade VM Compatibility > Yes > Select a version that is 6.7 or newer > OK.

Note: If you cannot perform this procedure, you can bypass the check for both a TPM and an unsupported CPU by following the procedure in the following article.

Windows 11 Unsupported CPU

Related Articles, References, Credits, or External Links

NA

VMware Enable SSH (vSphere ESX)

 

VMware Enable SSH KB ID 0000299 

Problem

Should you wish to get SSH (remote secure console) access to your ESX  hosts, you need to do the following.

ESX Version 8 and Newer

ESX Version 6.5 and Newer

ESX version 5 and Newer

ESX version 4.1.0

ESX version 4.0.0 and earlier


Solution

VMware Enable SSH ESX 8.0

Directly on an ESX Host: If you have a stand-alone ESX Server running version 8.x, Log in via the web console >  Select ‘Host’ > Actions > Services > Enable Secure Shell (SSH).

Via vSphere/vCenter: If you want to enable SSH on an ESX host through the vCenter Web client then, from the ‘hosts and datacentres’ view > Select the Host  > Configure > Services > Locate SSH > Start.

Enable SSH Permanently: Some people don’t want this enabled for security reasons, and in production that makes sense, but on my test network I always have SSH enabled. From the same screen as above with SSH selected > Edit Start-up Policy > Select ‘Start and stop with host’ > OK.
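For production, where SSH is normally left off, this PowerCLI sketch (added here, not part of the original article) lists the hosts where the SSH service is running or set to start with the host, and can optionally stop it and set the start-up policy back to manual. It assumes an existing Connect-VIServer session; the function name Get-EsxSshState is illustrative.

```powershell
# Added example: report (and optionally switch off) SSH on all ESX hosts.
# Assumes PowerCLI and an existing Connect-VIServer session.
# Get-EsxSshState is an illustrative name, not a PowerCLI cmdlet.

function Get-EsxSshState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # With -Remediate, stop SSH and set manual start on exposed hosts.
        # Add -WhatIf to see what would change without changing it.
        [switch]$Remediate
    )

    foreach ($esx in (Get-VMHost | Sort-Object Name)) {
        # The SSH daemon is listed under the service key 'TSM-SSH'.
        $ssh = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'TSM-SSH' }

        # Policy 'on' is "Start and stop with host"; 'off' is manual start.
        $exposed = $ssh.Running -or ($ssh.Policy -eq 'on')

        if ($Remediate -and $exposed -and
            $PSCmdlet.ShouldProcess($esx.Name, 'Stop SSH and set manual start')) {
            if ($ssh.Running) {
                Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null
            }
            Set-VMHostService -HostService $ssh -Policy Off | Out-Null
            # Re-read the service so the report shows the new state.
            $ssh = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'TSM-SSH' }
        }

        [pscustomobject]@{
            Host    = $esx.Name
            Running = $ssh.Running
            Policy  = $ssh.Policy
            Exposed = $ssh.Running -or ($ssh.Policy -eq 'on')
        }
    }
}

# Usage: Get-EsxSshState | Where-Object Exposed | Format-Table -AutoSize
```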

VMware Enable SSH 6.5

If you have a stand-alone ESX Server running version 6.5, it’s a lot easier to enable ESX access. Select ‘Host’ > Actions > Service > Enable Secure Shell (SSH). Note: You can also enable the direct console access here.

If you want to enable SSH on an ESX host through the vCenter Web client then, from the ‘hosts and datacenters’ view > Select the Host  > Configure > Security Profile > Scroll down to ‘Services’ > Edit.

Locate ‘SSH’ > Start > OK.

Once enabled you will see the following warning on the hosts summary page, however, in version 6.5 you can suppress this error.

VMware Enable SSH ESX 5

ESX 5 has a built in firewall, which can have SSH opened in the VI clients, or just as with version 4.1.0 you can enable SSH Locally from the console from troubleshooting options.

Enable Remotely

1. Log into the host with the VI client > Select the host > Configuration > Security Profile > Properties.

2. Locate SSH Server > Tick it > Options > You can either manually start it or set it to start automatically.

3. You will see the following warning to “retrieve” the firewall settings (because you have just changed them) > Select Yes.

Note: Having it running will still cause the “Configuration Issues – SSH for the host has been enabled” nag screen on the summary tab of the host.

VMware Enable SSH ESX 4.0.1

Starting with version 4.0.1 you can enable SSH access from the server console.

1. Go to the normal ESX console > Press F2 > Log in > Troubleshooting Options.

2. Select “Enable Remote Tech support” (toggle on and off with {enter}) if you want to SSH into the server remotely, using PuTTY for example > If you want to log on directly at the console choose “Enable Local Tech Support”.

3. Note: Having it running will still cause the “Configuration Issues – Remote Tech support Mode (SSH) for the host {hostname} has been enabled” nag screen on the summary tab of the host.

Grant SSH Access to ESX 4.0.0 and earlier

1. Go to the normal ESXi console.

2. Press ALT+F1 > the screen will change > Type unsupported {enter} > Note: Nothing will appear on the screen till you hit {enter} > Type in the root password and press {enter}.

3. You now need to edit a config file, the only editor we have is vi (sorry) issue the following command,

[box]vi /etc/inetd.conf[/box]

4. The vi editor will open the file, use the arrow keys to move down to the line that says,

[box]#ssh stream tcp nowait root…[/box]

Press I on the keyboard (that puts the vi editor into insert mode) and delete the hash “#” mark from the beginning of the line.

5. Then, to save the changes press {Esc} > type in :wq {Enter} (that’s write the changes and quit if you’re interested).

6. Enter the following command.

[box]

cat /var/run/inetd.pid

[/box]

It will provide you with a number (in the example below it’s 4983, yours will be different).

7. Issue the following command.

[box]

kill -HUP {the number you got from above}

[/box]

8. To get back to the usual ESXi screen and exit command line press ALT+F2.

9. You can now connect with an SSH client like PuTTY.

 

Related Articles, References, Credits, or External Links

Original Article written: 07/12/11

ESX4 – Grant Root User SSH Access

Thanks to Dave Corrasa for the feedback.

vSphere Adding iSCSI Storage

vSphere Adding iSCSI KB ID 0001378

Problem

iSCSI storage is nice and cheap, so adding iSCSI 10/1Gbps storage to your virtual infrastructure is a common occurrence.

vSphere Adding iSCSI Solution (vSphere 7/8)

Add a Software iSCSI Adaptor: Select the host > Configure > Storage Adapters > Add > Software iSCSI adaptor > OK.

After a few seconds you should see it appear at the bottom of the list.

Create a vSwitch and VMKernel: If you already have this configured you can skip this section, but basically you need a vSwitch, with a VMKernel interface (that has an IP address on it that can ‘see’ your iSCSI device), and then you need to connect a physical NIC from that vSwitch to the iSCSI network (or VLAN).

With the host still selected > Configure > Virtual Switches > Add Networking.

VMKernel Network Adapter > Next.

New Standard Switch > Set the MTU to 9000 to enable jumbo frames > Next.

Note: Make sure the physical switches you are connecting to also support Jumbo Frames. Each vendor will be slightly different to configure.

THIS IS CONFUSING: Select the NIC you want to add to the vSwitch, and then ‘Move Down‘ so that it is listed in Active Adapters > Next.

Give the switch a sensible name (like iSCSI) > Next.

Define the IP address of the VMKernel (this needs to be able to see the iSCSI Target IP addresses) > Next.

Note: Don’t worry about the default gateway, it will display the default gateway of the management network, that’s fine (unless you need to route to the iSCSI devices).

Review the settings > Finish.

You should now have a new vSwitch for iSCSI.

vSphere Adding iSCSI Storage: Create Port Binding

Back on the Storage Adapters tab > Select the iSCSI adapter > Network Port Binding > Add.

Select the one you’ve just created > OK.

vSphere Adding iSCSI Storage: Add iSCSI Target

Dynamic Discovery > Add.

Add in the iSCSI Target IP for your storage device/provider > OK.

At this point it’s a good idea to do a full storage rescan.

No Storage Has Appeared? Remember at this point your iSCSI storage device probably needs to ‘allow’ this ESX server access to the storage before it will either appear (if it’s already been formatted as VMFS and is in use by other hosts) or, if it’s the first host that needs to connect, before you can format the datastore as VMFS.

How this is done varies from vendor to vendor.

If you need to add the storage manually > Host > Storage > New Datastore.

vSphere Adding iSCSI Solution (vSphere 5/6)

Add a Software iSCSI Adaptor: Select the host > Configure > Storage Adaptor > Add > Software iSCSI adaptor.

After a few seconds you should see it appear at the bottom of the list.

Create a vSwitch and VMKernel: If you already have this configured you can skip this section, but basically you need a vSwitch, with a VMKernel interface (that has an IP address on it that can ‘see’ your iSCSI device), and then you need to connect a physical NIC from that vSwitch to the iSCSI network (or VLAN).

Note: You can add a port group to an existing switch, (or use a distributed switch!) Here I’m using a standard vSwitch and keeping my storage on its own vSwitch.

With the host still selected > Configure > Virtual Switches > Add.

VMware Kernel Adaptor > Next > New Standard Switch > Next > Add in the Physical NIC that’s connected to your iSCSI network > Next.

Give the VMKernel port a name (i.e. Storage-iSCSI) > Next > Put in the IP details* > Next > Finish.

*Note: You may need to add a gateway if your iSCSI device is on another network.

Jumbo Frames Warning: Edit the properties of the switch and set its MTU to 9000 to allow for jumbo frames.

Make sure the physical switches you are connecting to also support Jumbo Frames. Each vendor will be slightly different; in my case the switches are Cisco Catalyst 3750-X’s, so I just need to enable jumbo frames universally on the switch (which requires a reload/reboot!)

Allow Jumbo Frames Cisco Catalyst 3750-X

Execute the following commands;

[box]

Petes-Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Petes-Switch(config)#system mtu jumbo 9198
Changes to the system jumbo MTU will not take effect until the next reload is done

Then Reboot/Reload the Switch and Check

Petes-Switch#show system mtu

System MTU size is 1500 bytes
System Jumbo MTU size is 9198 bytes
System Alternate MTU size is 1500 bytes
Routing MTU size is 1500 bytes

[/box]

vSphere Configure iSCSI: Back on your vCenter, we need to ‘Bind’ the VMKernel port we created above, to our Software iSCSI adaptor. With the host selected > Configure > Storage Adaptors > Select the iSCSI Adaptor > Network Port Binding > Add.

Select the VMKernel Port  > OK.

Note: If you can’t see/select anything, make sure each iSCSI port group is set to use ONLY ONE physical NIC, (i.e. move the others into ‘unused’). That’s on the port group properties NOT the failover priority of the vSwitch.

Add an iSCSI Target to vSphere: With the iSCSI Adaptor still selected > Targets > Add.

Give it the IP address of your iSCSI device.

At this point, I would suggest you perform a ‘Storage Rescan’.


Ensure ALL HOSTS have had the same procedure carried out on them. Then (assuming you have configured your iSCSI device, presented the storage, and allowed access to it from your ESX hosts), right click the Cluster > Storage > New Datastore > Follow the instructions.

IBM Storwize V3700 iSCSI

This article is just for configuring the VMware side, but just as a placeholder, (and to jog my memory if ever I put in another one.) The process is.

1. iSCSI IP addresses, Note: these are under Settings > Network > Ethernet Ports. (Not iSCSI confusingly.) 

2. Create the Hosts (Note: you can copy the iqn in from vCenter).

 

3. Create MDisks (RAID groups) from the available disks, Note: Global Spares are allocated here.

4. Create a Pool, I don’t really see the point of these, but you need one to create a volume.

5. Create the Volumes, which you will present to the Hosts, then create host mappings.

 

Related Articles, References, Credits, or External Links

vSphere ESX – Configure Buffalo Terastation 5000 as an iSCSI Target

ESX: This PC Can’t Run Windows 11

KB ID 0001763

Problem: This PC Can’t Run Windows 11

When attempting to install Windows 11 on ESX (in this example vSphere 6.7) you will receive the following error;

Windows Setup
This PC can’t run Windows 11
This PC doesn’t meet the minimum system requirements to install this version of Windows. For more information, visit https://aka.ms.WindowsSysReq

The reason you are seeing this is probably not because you don’t have the RAM,  CPU, or storage requirements, it’s probably because setup can’t see a TPM 2.0 chip. So you can either bypass this requirement or install a virtual TPM 2 chip. (I could not do this, as I’ve still got ESX 6.5 in my test cluster and all the hosts need to be 6.7 or above).

VMware Fusion Note: Be aware that to run Windows 11 on VMware Fusion, you need to set the HDD to 64GB (or greater) and the RAM to 4096 GB or this error will persist.

VMware ESX Note: MAKE SURE you change the boot options to EFI and enable secure boot, in the VM properties.

Windows 11: Bypass the TPM 2.0 Requirement

Press SHIFT+F10 (or Fn+Shift+F10 on a mac) this will open a command window > type ‘regedit’ {Enter} > the registry editor will open > Navigate to;

[box]

HKEY_LOCAL_MACHINE > SYSTEM > Setup

[/box]

Create a NEW KEY called LabConfig.

Note: There is a newer version of this fix you can find here

In the new key, create a new 32 Bit DWORD object.

Call the new object ByPassTPMCheck and give it a value of 1.

Close the registry editor, type exit to close the command window. Then close the error window, (as shown below).

You will be asked to confirm that you want to exit, do so, and setup will restart, and then progress normally.

 

Note: If you are in a VMware environment, you can also (with some caveats) install a vTPM.

VMware vSphere Adding vTPM

Or if upgrading, you can bypass the TPM and CPU checks.

Windows 11 Unsupported CPU

Related Articles, References, Credits, or External Links

NA

VMware ESX – Sockets and Cores (Logical Processors)

KB ID 0001124 

Problem

While explaining to a client the difference between Sockets, Cores, Logical processors, I had to revisit this post today, so I updated it for vSphere 7.

Calculating Sockets and Cores

 Essentially;

A: Processor Sockets: The number of physical CPUs on the motherboard.

B: Cores Per Socket: For a dual core processor this would be 2, triple core=3, quad core = 4, hex core = 6, octa core=8, deca core=12, etc.

C: Logical Processors: This is the number of sockets, multiplied by the cores per socket, and if Hyperthreading is enabled on the processors (see above), then that figure is doubled.

Related Articles, References, Credits, or External Links

NA

Your vSphere Client Session Is No Longer Authenticated

KB ID 0001711

Problem

I updated my vCenter to 6.7.0.45100 yesterday, and since then every time I tried to login to the HTML5 web client, it authenticated, let me in, showed me the error (below), then kicked me out again?

Solution

I assumed (wrongly) that the upgrade had overwritten the webclient.properties file that controls timeouts. This may be your problem, see the following article if my ‘fix’ does not work for you.

vSphere HTML5 Web Client – Disable the Console Timeout

In the end my fix was quick and simple, go to add/remove programs and locate the vSphere Enhanced Authentication Plugin (in my case version 6.5.0) and uninstall it.

Related Articles, References, Credits, or External Links

NA

OVA / OVF Deployment Gets Stuck ‘Validating’

KB ID 0001664

Problem

I had this problem (on vSphere 6.7) the other day when trying to deploy some OVA files on my test network.

Solution

Well as stated elsewhere I tried reconnecting to my vCenter using its FQDN, this didn’t solve the problem, using Flash or HTML5 didn’t cure the problem either. What did cure the problem was using a different browser! I switched from IE to Chrome and it worked fine.

Update: I also cured this problem by using Microsoft Edge (the new Chromium based one).

Related Articles, References, Credits, or External Links

VMware vSphere – How to Import and Export OVF and OVA Files

VMware: Export a VM to OVA With PowerCLI

VMware: ISO Upload or Deploy OVA Fails ‘Undetermined Reason’

vSphere: Get ESX Server Serial Numbers

KB ID 0001670

Problem

A few weeks ago I needed to sort out some extended warranty for a customer’s servers. To do that I needed the serial numbers of those servers, (a mixture of IBM/Lenovo and Dell Servers).

As I didn’t fancy a drive to two different datacenters, I wanted to try and get them programmatically.

Solution

After some searching I came across a post by one of my old EE buddies LucD with exactly what I needed. I’m assuming you have PowerCLI setup before beginning.

Connect to your Virtual infrastructure;

[box]

Connect-VIServer {vCenter-server-FQDN}

[/box]

Then, (assuming you have a folder called C:\Temp that you can write to).

[box]

Get-VMHost | Select Name, @{N='Serial';E={(Get-EsxCli -VMHost $_).hardware.platform.get().SerialNumber}} | Export-Csv c:\temp\serial.csv -NoTypeInformation -UseCulture

[/box]

Then open your C:\Temp\serial.csv file, and there are your serial numbers.

 

Related Articles, References, Credits, or External Links

NA