Sunday, October 21, 2018

Platform Services Controller ... Embedded or External?


With the release of vSphere 6.0 Update 1, VMware introduced the Platform Services Controller (PSC) to separate the management and control of some important services: SSO, which acts as the authentication broker of the virtual infrastructure; the licensing service, which manages vSphere licenses; the lookup service; and the certificate authority (VMCA). When you install the vCenter components for the first time, you must either install a PSC first or join your vCenter Server to an already installed PSC during the post-installation steps of vCenter Server.
If you want to install a new PSC, you can choose one of two deployment modes: Embedded (installed together with vCenter Server on one server/VM/appliance) or External (separated from the vCenter Server/VM/appliance).
That leaves an open question: which of the two is the better one to set up?


As a general rule, embedded is better for small or medium environments and external is suitable for the enterprise, but let's look at the details:
The first and most important point is the network connection between the PSC and VC servers when you decide to install in external mode. If connectivity is lost, or a physical accident causes an outage on the connection between the two servers, all components of the virtual infrastructure will be compromised. The role of the DNS servers that provide name resolution also becomes very important, because any issue with this service will cause connection problems.
So if you want to set up an external PSC, you must provide highly reliable and fully redundant network connections between the VC and the PSC (the physical servers, or their ESXi hosts if you deploy them as VMs/VAs), which makes management more complex. (Fewer physical or virtual servers make management procedures easier and simpler, and there is no need for additional OS licenses either.)
Since the release of vSphere 6.5 Update 2, you can join other VC instances with an embedded PSC to enable Enhanced Linked Mode (15 VCSA instances as a single inventory view), which is a great improvement from VMware. So one of the main reasons for choosing an external PSC has been set aside.
When you deploy an embedded PSC, you cannot provision Windows-based and Linux appliance instances together in a mixed-OS environment. (In later versions, embedded PSC linked mode was not supported for Windows-based vCenter Server and was only available on VCSA, but thanks to VMware, I think it's fixed in vSphere 6.7 Update 1 Build 10244745, because we could join an embedded VCSA to an embedded WBVC in our pilot environment today.)
It is, however, possible to migrate the PSC from embedded mode to external mode after deployment. It is recommended to first take a backup of the VC / PSC servers; then the VC must be reconfigured to use an external PSC before it is repointed to a new external PSC with a different domain name. (Embedded repointing is supported only by vCenter 6.7 Update 1.)


As a last hint, the vCenter High Availability feature can be activated with an embedded PSC, and a vCenter Server Standard license alone is enough to enable HA (note that VCHA is only available for VCSA, not WBVC). This method of PSC provisioning is therefore simpler, and there is no need for a load balancer for the PSC and VC servers/VMs/VAs.





Thursday, October 11, 2018

NTP setting revert problem with ESXi 6.7

Last weekend we encountered a big problem with the ESXi host time settings after upgrading one of the test servers to version 6.7 (and also the latest build, 8941472, but I'm not really sure that it's the cause of the problem). After the server started up, the NTP service stopped working correctly and sadly there was no way to change it (manually or automatically by any NTP servers): any change would fall back to the defaults.
So after trying the GUI method, we edited the /etc/ntpd.conf file and unfortunately nothing happened. As the last resort in NTP troubleshooting, useful ESXCLI commands helped us fix it, using the command below:
 
# esxcli system time set -d 11 -H 01 -m 55 -M 05 -y 2018

To prevent the host from reverting to the old time setting, you must ensure that the hardware clock is the same as the system time:

# esxcli hardware clock set -d 11 -H 01 -m 55 -M 05 -y 2018

Some commands for ESXi NTP settings, run from the shell or over SSH, are useful to know:

Enable NTP service:
# chkconfig ntpd on
# chkconfig --list | grep ntpd

Restart NTP service:
# /etc/init.d/ntpd restart

Display NTP peers:
# ntpq -p

Check ESXi time:
# esxcli hardware clock get
# esxcli system time get

Monitor NTP traffic between the host (as NTP client) and the NTP server:
# watch ntpq -p Host_or_NTP_server
# tcpdump-uw -c 5 -n -i vmk0 host NTP_server and port 123
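
The checks above (hardware clock equal to system time, NTP peers reachable and one selected) can be run over saved command output. This is an added example, not part of the original post: it assumes both esxcli get commands print an ISO-8601 UTC timestamp and that ntpq -p prints the standard peer table. The sample outputs, the addresses and the 2-second threshold are constructed.

```python
from datetime import datetime

# Constructed sample outputs (not captured from a real host).
SYSTEM_TIME = "2018-05-11T01:55:07Z"      # esxcli system time get
HARDWARE_CLOCK = "2018-05-11T01:55:05Z"   # esxcli hardware clock get
NTPQ_PEERS = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   33   64  377    0.512    1.204   0.310
 192.0.2.11      .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

def clock_skew_seconds(system_time, hardware_clock):
    """Absolute difference between the two clocks (assumed format: ISO-8601 UTC)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    delta = (datetime.strptime(system_time.strip(), fmt)
             - datetime.strptime(hardware_clock.strip(), fmt))
    return abs(delta.total_seconds())

def parse_peers(ntpq_output):
    """Parse `ntpq -p` rows: a one-character tally code, then ten columns."""
    peers = []
    for line in ntpq_output.splitlines():
        fields = line[1:].split()
        if len(fields) != 10 or fields[0] == "remote":
            continue  # header, separator or blank line
        peers.append({"tally": line[0], "remote": fields[0],
                      "reach": int(fields[6], 8),   # reach is an octal bitmask
                      "offset_ms": float(fields[8])})
    return peers

def check_host(system_time, hardware_clock, ntpq_output, max_skew=2.0):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    skew = clock_skew_seconds(system_time, hardware_clock)
    if skew > max_skew:  # max_skew is a hypothetical threshold, tune as needed
        findings.append(f"hardware clock differs from system time by {skew:.0f}s")
    peers = parse_peers(ntpq_output)
    if not any(p["tally"] == "*" for p in peers):  # '*' marks the selected peer
        findings.append("no NTP peer selected for synchronization")
    findings += [f"peer {p['remote']} unreachable (reach=0)"
                 for p in peers if p["reach"] == 0]
    return findings

if __name__ == "__main__":
    for finding in check_host(SYSTEM_TIME, HARDWARE_CLOCK, NTPQ_PEERS) or ["OK"]:
        print(finding)
```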

I hope this is gonna be useful for you ;) ... and never lose your host's time as I do :D

I will start a new journey soon ...