There are a few different way’s to update to vCenter server appliance (VCSA). In this post we will be going through using CLI method to apply vCenter patches. Before updating VCSA make sure you have a current backup and take a snapshot before proceeding in case of any issues with the update.
First we need to connect to the vCenter server using SSH. I will be using the inbuilt OpenSSH feature in PowerShell but you can use what ever SSH client you prefer.
Next we need to connect to the vCenter server using ssh.
Next we can run the below command to view the vCenter update history
software-packages list --history
We can use the below command. This will list the current update settings, if the vCenter server has no internet access then you could update the URL to use an internal web site that contains the update files.
We will be using the default URL from the update.get command when running the update
VMware is depreciating Integrated Windows Authentication in vSphere 7.0. The feature will be removed in a later release. Below is from the VMware KB.
Support for IWA continues to be available in vSphere 7.0 and will be phased out in a future release. Although IWA can still be configured, we highly recommend using AD over LDAP or Federated Identity (AD FS).
In this post we will be going through changing over to using Active Directory over LDAP. We will also be using LDAPS as this is secured with certificates and is much better from a security side and Microsoft are requiring this on applications that use LDAP.
As part of our VMware 6.7 to 7.0 Upgrade we wanted to audit the existing vCenter server permission. We have a lot of contractors who come in to do work and users who have had permission assigned but these permission are not always removed.
We wanted to get a report that export each of the permission assigned in vCenter.
I could do this manually but this would take a while and is not that easily repeatable so I decided to create a quick script that will export the required information.
The script will be calling two command (Get-VIPermission to export permission and Get-VIRole to export the assigned privileges) and then formation the results.
The script also has some mandatory variables (one for the vCenter server and one for the export path) and there is some error handling incase there is no connection to vCenter server or the export folder doesn’t exist.
There are three type of object in VMware permissions.
Privilege: Allow specific actions (create, delete, manage.. ) or rights to view specific properties
Role : A set of privileges assigned to an object to allow assignment
Permission: Is either a set of a users or groups that have been assigned to a role
If we run Get-ViPermission on we will see all permission returned.
We can select one specific permission by using -principal and expand using format-list. This gives a bit more information but we are missing the assigned privilege’s.
This is where we use Get-VIRole as this has a property that shows privileges that have been assigned to the role.
In this post we will go through using vSphere Lifecycle Manager VLM to upgrade an ESXI host from 6.7 to 7.0. Lifecycle Manager replaces vSphere Update Manager in vCenter server 7.0 the process is pretty much the same as in VUM.
Before upgrading to a new version of ESXI first step should be to check VMware compatibility, this can be done by either checking the VMware compatibility matrix.
The process of patching vCenter server appliance has become a lot easier in recent years. Keeping vCenter fully up to date is important for stability and security.
In this post we will go through the process of patching for vCenter 7.0 to the latest version using the GUI connecting to the internet. You can also update using command line or by downloading and mounting the ISO image.
First we need to logon to the admin management console.
Use the root logon that was configure when setting up the appliance.
First steps is to confirm there is a valid backup of the appliance.
Click backup now.
There is an issue with vCenter 6.7U2 and above where it fails on SMB with SMB location is invalid if SMBv1 is disabled. So if you get that error you can just enabled SMBv1 temporarily or enabled OpenSSH on Windows to allow SSH connection which is what I would do in production.
Once completed the backup should kick off.
I also usually take a snapshot as that is the quickest recover option.
Once we have a back up, we can now continue with the updating the appliance. The current version of the appliance is 22.214.171.12400.
Go to Update and click check updates
Once the check is completed select the latest patch. Select either stage only or stage and install if you want the update to be installed straight away. The version we will be updating to is 7.0.1.00200.
Accept the end user agreement.
This will run a pre-check on vCenter before the upgrade will continue. Once no issue are found put in the administrator’s password.
Tick the box to confirm that a backup has been completed.
The install will now start and can take a hour or so to complete.
During the upgrade there will be outages to vCenter while services restart.
vCenter should now be update to the latest version.