VMware NSX-T Data Center Migration – Part 2 – NSX for vSphere (NSX-V) Preliminary Checks

Welcome to the second article in the series detailing a migration of VMware NSX Data Center for vSphere (NSX-V) to NSX-T Data Center. In this article I focus on the preliminary checks to ensure the NSX-V environment is fit for migration.

In part 1 (VMware NSX-T Data Center Migration – Part 1 – Deploy Manager Appliance) I covered the process of deploying the NSX-T Data Center Manager Appliance, as well as a number of prerequisite tasks required to prepare the new NSX-T environment for the eventual migration (coming in part 3).

In this article I detail a number of preliminary checks within the NSX-V environment (including ESXi hosts, vSphere Distributed Switches, VXLAN configuration, VTEP, NSX Controllers, Edge Services Gateways, etc.) to ensure all is well prior to the migration process itself. Where any issues are identified, these must be resolved prior to the migration process.


vSphere 6.7 Update 1 and Veeam Compatibility Issues

Yesterday, Tuesday 16th October, saw the much anticipated release of VMware’s vSphere 6.7 Update 1. However, shortly after the announcement a number of Veeam users decried the release due to compatibility issues with Veeam’s Backup & Replication suite. None other than Veeam’s Anton Gostev first announced the issue with the below tweet:

The very next day the Veeam team announced a workaround in the form of Veeam KB2784, as well as ‘out-of-the-box’ support being included with the highly awaited (and much delayed) next release, Update 4.

Where the fault lies with such release/compatibility issues is not the goal of this post (which Twitter seems to be more focused on). However, with a high number of pros likely raising internal changes to upgrade their vCenter(s) and ESXi hosts, you’ll want to implement the Veeam workaround in-line with this upgrade, as well as a number of solid backup/restore tests.

VMworld Europe 2018

VMworld 2018 Europe – Customer Panel on NSX Data Center (NET3042PE)

Not only will this year mark my first ever visit to VMworld Europe, I’ll also be taking part in a Customer Panel session.

If you are interested in hearing my VMware NSX Data Center journey, how we implemented and operationalised NSX; how NSX continues to increase security and application performance, while simplifying troubleshooting and improving network provisioning time, then join me on Thursday, 8th November at 12:00-13:00 to hear more.

To register for the session, simply visit the VMworld 2018 Europe Content Catalogue – Customer Panel on NSX Data Center (NET3042PE).


VMware NSX Role Based Access via Active Directory

You may have noticed that your usual Active Directory user account (which might afford you full administrative access in vCenter) doesn’t get you very far when attempting to manage NSX for vSphere. This is by design, as NSX access is not governed or controlled by vCenter Server roles.

NSX utilises its own predefined security roles for role based access, all of which can be assigned to Active Directory Users and/or Security Groups. This is great for larger teams with clearly defined areas of demarcation and responsibilities, smaller teams of administrators and read-only support teams, and even one-off auditor visits.

In this post, I detail the procedure for implementing AD integration in VMware NSX for vSphere 6.4.2, however, the procedure is the same for NSX 6.X. Before we start, let’s take a look at the six NSX Security Roles:

NSX Security Roles

  • Auditor – Users in this role can only view system settings and auditing, events and reporting information and will not be able to make any configuration change.
  • Security Engineer – Users in this role can perform all security tasks, such as configuring policies and firewall rules. Users have read access to some networking features, but no access to host preparation and/or user account management.
  • Network Engineer – Users in this role can perform all networking tasks, such as routing, DHCP, bridging, etc. Users have read access to endpoint security features, but no access to other security features.
  • Security Administrator – Users in this role can configure security compliance policies in addition to viewing the reporting and auditing information in the system.
  • NSX Administrator – Users in this role can perform all tasks related to deployment and administration of this NSX Manager instance.
  • Enterprise Administrator (God Mode) – Users in this role can perform all tasks related to deployment and configuration of NSX products and administration of this NSX Manager instance.


Please note, due to current feature parity differences between the vSphere Web Client (Flex) and vSphere Client (HTML 5), the below procedure will need to be performed utilising the vSphere Web Client (Flex).

1. Create your required AD Security Groups, naming accordingly.


2. Log in to the vSphere Web Client (Flex) as administrator@vsphere.local.

3. Browse to Networking & Security > System > Users and Domains.

4. Via the Users tab, click the Add icon.

5. Select Specify a vCenter group and enter the AD Security Group name as per above AD Objects. When ready, click Next.


6. Select the appropriate NSX Security Role to associate with the AD Security Group and click Finish.


7. Repeat steps 4 – 6 until all required AD Security Groups have been added.

8. Confirm successful addition of all NSX Security Roles. At this point, you can assign further AD Users/Security Groups, disable or enable accordingly, and delete.


9. Log in to either the vSphere Web Client or vSphere HTML5 Client as a user associated to one of the newly added AD Security Groups and test access. Below I detail an example of both Auditor and Enterprise Administrator roles.

Here, the user is assigned the NSX Auditor Security Role.
Here, the user is assigned the NSX Enterprise Administrator Security Role.
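
The group-to-role mapping from steps 4 to 7 can also be scripted against the NSX Manager REST API. This is an added example, not part of the original post; it assumes the NSX for vSphere endpoint `POST /api/2.0/services/usermgmt/role/{userId}?isGroup=true`, the global scope `globalroot-0`, and the role identifiers shown, all of which should be confirmed against the API guide for your NSX version. The manager hostname and AD group names are hypothetical.

```python
import base64
import ssl
import urllib.request
from urllib.parse import quote

# Role names as listed above -> API identifiers (assumed NSX-V 6.4 values).
ROLE_IDS = {
    "Auditor": "auditor",
    "Security Engineer": "security_engineer",
    "Network Engineer": "network_engineer",
    "Security Administrator": "security_admin",
    "NSX Administrator": "vshield_admin",
    "Enterprise Administrator": "enterprise_admin",
}

def build_role_request(manager, group, role_name):
    """Return (url, xml_body) that assigns one AD group to one NSX role."""
    if role_name not in ROLE_IDS:
        raise ValueError(f"unknown NSX role: {role_name!r}")
    if "@" not in group:
        raise ValueError("group must be given as name@domain")
    url = (f"https://{manager}/api/2.0/services/usermgmt/role/"
           f"{quote(group, safe='@')}?isGroup=true")
    body = ("<accessControlEntry>"
            f"<role>{ROLE_IDS[role_name]}</role>"
            "<resource><resourceId>globalroot-0</resourceId></resource>"
            "</accessControlEntry>")
    return url, body

def plan(manager, assignments):
    """Validate the whole mapping first, so a typo fails before any change."""
    return [build_role_request(manager, g, r) for g, r in assignments.items()]

def apply(reqs, user, password, cafile):
    """POST each request, verifying the NSX Manager certificate against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Content-Type": "application/xml",
               "Authorization": f"Basic {token}"}
    for url, body in reqs:
        req = urllib.request.Request(url, data=body.encode(),
                                     method="POST", headers=headers)
        with urllib.request.urlopen(req, context=ctx) as resp:
            print(resp.status, url)

# Constructed sample mapping (hypothetical group names).
SAMPLE = {
    "NSX-Auditors@lab.local": "Auditor",
    "NSX-Enterprise-Admins@lab.local": "Enterprise Administrator",
}
```

Call `plan("nsxmgr.lab.local", SAMPLE)` to review the requests, then pass the result to `apply` with an account that holds the Enterprise Administrator role.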


London VMUG – 14th June 2018

Thursday 14th June saw the latest London VMUG take place at Tech UK, London, with the User Group marking its third outing for 2018 in just six months! Rarely does any event see such heavy hitters as Duncan Epping, Frank Denneman, and Niels Hagoort in one place, but today, we got to see all three in attendance. Add to that line-up further awesomeness in the form of vCommunity member, Chris Porter, and this was one truly great London VMUG indeed! I’ve been to a number of VMUGs around the UK, however, this was to be my first time joining the London gang.

London VMUG 14th June 2018 Agenda



Editing Protected VMs in vSphere

By design, there are certain virtual machines and/or appliances within vSphere which are protected to prevent editing (this can include NSX Controllers, Edges, Logical Routers, etc.). In a live/production environment, you’d not normally care about editing these appliances, however, in a lab environment (especially one where resource is tight), reducing memory and/or CPU allocation can help a lot. As such, this article will cover the process of removing the lock on a protected VM in vSphere, in order to enable editing.

The scenario: a customer needs to reduce the resource allocation of an NSX Controller, however, due to the VM in question being protected/locked, editing the VM’s resources is not possible via UI or PowerCLI.

The process of removing this lock is quick and easy, however, we first need to identify the virtual machine’s Managed Object Reference (moRef ID). Please note, VMware do not support or recommend this procedure in any way. As such, this procedure should not be implemented in a production environment.


VMware vRealize Log Insight: Part 2 – VMware NSX Integration via Content Packs

In Part 1 of this series we covered the simple installation and configuration of VMware vRealize Log Insight. In Part 2 we will cover how we can further configure and customise Log Insight via Content Packs in order to leverage further logging capabilities.

As mentioned in Part 1, one of the caveats of utilising this ‘free’ version of Log Insight (or more aptly, the 25 OSI license available to all vCenter Server licensees) is that only VMware Content Packs can be used. This is far from a bad thing and, as a result, enables us to integrate with other VMware products including NSX, Horizon, SRM, etc. In this article we will focus on the former product.


VMware vRealize Log Insight: Part 1 – Install & Configuration

If, like most of us, you forward vCenter and ESXi host Syslog data to centralised Syslog targets (and if you don’t, then I’d advise you do), then you’ll be pleased to hear that (as long as you have a valid vCenter Server license) you’ll be able to utilise the power of VMware vRealize Log Insight to interrogate this data.

This article will be the first in a two part VMware vRealize Log Insight series, the first of which will detail the simple installation and configuration process, with the second article focusing on advanced configuration and integration with VMware NSX via vRealize Log Insight Content Packs (vRealize Log Insight add-ins enabling further integration with both VMware and 3rd party products).


VMware NSX Guides


If you’ve somehow managed to miss these brilliant (and free) VMware NSX guides, then worry not, as here are the links in all their glory. I cannot praise these books enough. Simply brilliant (and free!)

VMware NSX Micro-segmentation Day 1, by Wade Holmes

In Day 1, Wade Holmes details the migration away from a perimeter-orientated approach, to that of a micro-segmented architecture. VMware NSX enables organisations to utilise enhanced security functionality, whilst visualising traffic within the software-defined data centre.


VMware NSX Micro-segmentation Day 2, by Geoff Wilmington

In Day 2, Geoff Wilmington complements the first guide by delving deeper into micro-segmentation, and details the process of both building and planning an architecture best suited to your applications. Also touched on are the additional tools such as VMware Log Insight, Application Rule Manager, and vRealize Network Insight.

From a personal point of view, the process of planning the migration of applications into NSX was a little daunting during my own implementation, and this guide has been simply invaluable.


Operationalizing VMware NSX, by Kevin Lees

In Operationalizing VMware NSX, Kevin Lees discusses how best to bring VMware NSX into ‘business as usual’. Both monitoring and troubleshooting are covered, and insights into team structures and cultures, team roles and responsibilities, etc., are provided. Unlike the ‘how-to’ style of the first two books, this third guide provides a fantastic insight into how NSX can be brought into service.


Automating NSX for vSphere with PowerNSX, by Anthony Burke

Lastly, Automating NSX for vSphere with PowerNSX by Anthony Burke will be a firm favourite for all PowerShell fans wanting to get down and dirty with NSX.


VMware vSphere 6.5: Migration from Windows vCenter to vCenter Server Appliance

Following on from my previous posts (What’s New in vSphere 6.5 and VMware VCSA 6.5: Installation & Configuration), a major area for discussion (and excitement) is the VMware Migration Assistant which, should you wish, is able to easily migrate you away from the Windows-based vCenter Server to the Linux-based vCenter Server Appliance (VCSA).

There are pros and cons to the vCenter appliance of course, as well as a healthy number of supporters in each camp. However, if you fancy shaving some licensing costs (Windows Server and SQL Server), would like to enjoy a faster vSphere experience (since 6.0), or would just like to be able to take a quick backup of vCenter without having to either snapshot both the Windows and SQL Server elements or utilise your backup product of choice to take a full image of your environment, you might just want to take VCSA for a spin.

This post will detail the migration process of a Windows-based vCenter 6.0.0 U2 to vCenter Server Appliance 6.5.


Migration Process

1. Via the Windows Server hosting vCenter Server, mount the VCSA installation media, and launch the VMware Migration Assistant (\migration-assistant\VMware-Migration-Assistant.exe). It is imperative that the Migration Assistant is left running throughout the entire migration process, and not stopped at any stage. If the Migration Assistant is stopped, the migration process will need to be restarted from scratch.

2. Leave the assistant running and, via a management workstation, server, etc., mount the VCSA installation media and launch the vCenter Server Appliance Installer (path). Click Migrate to start the process.

3. Click Next.

4. Accept the EULA and click Next.

5. Enter the details and SSO credentials for the source Windows vCenter Server (i.e. – the one which is currently running the Migration Assistant…it is still running, right?) Once complete, click Next.

6. Verify the certificate thumbprint and accept by clicking Yes.

7. Specify a target ESXi host or vCenter Server and SSO credentials. Here, I have specified my vCenter Server, still managing my lab environment. Once complete, click Next.

8. Verify the certificate thumbprint and accept by clicking Yes.

9. Specify a destination VM Folder where your new vCenter Server Appliance will be created.

10. Specify the compute resource destination. Here, I have chosen a generic compute cluster, and I’ll leave the rest to DRS.

11. Configure the new target appliance with a VM name and root credentials.

12. Choose your deployment size. For my lab environment, and for this article in particular, I’ve opted for a ‘Tiny’ deployment.

13. Specify a target datastore to house the appliance, and enable thin (or not) disk provisioning.

14. Configure the network settings accordingly. Here, my VCSA will be housed on a vSphere Distributed Switch port group (vDS_VL11_Servers). The temporary TCP/IP configuration will be removed during the finalisation of the migration process, as the original IP configuration will follow the migrated appliance.

15. Review your configuration and click Finish.

16. The migration will now begin and you will be able to track the process via a number of updates.

17. Throughout the migration process, you will note the new appliance being deployed via vSphere as per below screenshots.

18. Stage 1 is now complete. To start Stage 2, click Continue.

19. Click Next.

20. Following pre-migration checks, you will be prompted to specify AD user credentials. Once complete, click Next.

21. Choose what data you wish to migrate, and click Next.

22. Opt in/out of the CEIP and click Next.

23. Review your configuration and click Finish, but ensure you have a backup of your vCenter server and its database before proceeding. You have been warned!

24. Click OK to acknowledge the Shutdown Warning.

25. Migration of the Windows Server-based vCenter Server to vCenter Server Appliance will now begin.

26. The transfer process will now begin and will progress through the below three steps. You might want to grab a cup of coffee (or three) at this stage while the migration progresses.

27. Once complete, we’re done. Log in to the vCenter Server Appliance and away you go.