Backing Up Portgroup Data with PowerShell and XML

Managing virtual standard switches (vSwitches) in a VMware environment, large or small, can cause a lot of headaches. Ensuring each portgroup is named the same, has the same VLAN and is present on each host can be a challenge. Virtual distributed switches (dvSwitches) exist to make our lives easier, but aren’t always available due to licensing or other restrictions. They have their own drawbacks, but the good generally outweighs the bad.

As I have been spending a significant amount of time in PowerShell and XML recently I wrote a script designed to backup the Portgroup configuration of all your clusters to ensure that all hosts will have the proper networking configuration during host rebuilds or additions. Let’s walk through this script and show you all the different elements.

1. Here we define and connect to the vCenter server

$vCenterFqdn = "vcenter01.domain.local"
Connect-viserver $vCenterFqdn

2. Here we are defining the path for our Portgroups.xml file. We’ll reference this variable later on.


3. Here we are checking to see if this file already exists. If it does we’ll skip ahead to the population side, but if not we’ll have to create it. $networkCheck tests the path defined in the variable $xmlNetworkPath. If that file is there, we’re writing into the console that it exists and we’re moving on. If it doesn’t exist we move on to step 4.

$networkCheck = Test-Path $xmlNetworkPath
IF ($networkCheck -eq $True){Write-Host "Portgroup file already exists. Continuing..." -foreground "Green"}
{Write-Host "Portgroup file not created. Creating..." -foreground "Yellow"}

4. Since this is our first run, this file doesn’t exist yet so we need to create it. Populating an empty XML file is not something I ever figured out how to do. Someone much smarter than me in XML and PowerShell can figure it out, but I found a nice work around by creating an XML template. This is an outline of what our XML file will be and we’re just filling in the data as we go.

$xmlNetwork=[xml]@’ is saying everything between @’ and ‘@ will be part of this file. At the end, we’re saving this output ($xmlNetwork.Save) to the file path we defined earlier ($xmlNetworkPath).


    <test />

5. In case we run into permissions issues we want to perform an additional check to ensure that file was actually written. For the most part we’re just repeating Step 3. The difference here is we’re changing the output in “Write-Host” but also if the file isn’t created, we need to kill the script. The message is written that the file was not created, then we wait 20 seconds, then exit the script. The reason we add the “Start-Sleep” is in case this script is run by just double-clicking and not triggered from within a powershell window, the script will exit and you’ll never know why.

$networkCheck = Test-Path $xmlNetworkPath
IF ($networkCheck -eq $True){Write-Host "Portgroup file created successfully. Continuing..." -foreground "Green"}
{Write-Host "Portgroup file not created. Exiting..." -foreground "Red"; Start-Sleep 20; Break}}

6. Now we need to read the contents of that XML file we created in XML format. The [XML] denotes that this is an XML file. $xmlNetwork is just the variable name I chose (this can be anything you want) and $xmlNetworkPath is the path to the file we defined in step 2

[XML]$xmlNetwork = Get-Content $xmlNetworkPath

7. Now comes the fun part where we actually start pulling data from vCenter. We’re going to get all the clusters in the vCenter we’re connected to. The ForEach command says that for every cluster we need to run this same command. So in each cluster we’re looking for an ESXi host that is currently connected, then we choose a random host from the cluster (get-random) and on that random host we get all the virtual portgroups that aren’t on dvSwitches.

$getClusters = Get-Cluster
ForEach ($cluster in $getClusters) {
$getPortgroups = $cluster | Get-VMHost | Where {$_.ConnectionState -ne "NotResponding"} | Get-Random | Get-VirtualPortGroup | Where {$_.key -notlike "*dvportgroup*"}

8. Now that we have all these portgroups let’s get all the data we need in them. We perform another ForEach on every Portgroup that was on that host. The $testPg variable is used to see if the current Portgroup name ($pgName.Name) is present in the XML file. What we don’t want is to re-add the same Portgroup name over and over again, we just want a single reference to the portgroup name and we’ll add another entry for the clusters that contain it. $testPg -eq $null means if the portgroup name isn’t there, we’ll create a new entry.

foreach ($pgName in $getPortGroups) {
$testPg = $xmlNetwork.vSwitchConfig.Portgroups.Portgroup|Where {$ -eq $pgName.Name}
IF ($testPg -eq $null)

9. If the Portgroup isn’t there we need to create a new entry. Looking at the XML file outline we created in Step 4 you see the tag. This is used to work around my inability to create new entries in XML. We copy the section below and then fill out the data as we go


The variable “$xmlNetwork” was defined in Step 6 and is the name of our XML file. The addition of “.vSwitchConfig” is the top level tag in our XML file from Step 4.
The variable “$parentNode” defines the top-level of the XML file we’ll be using from our template.
The variable “$destinationNode” defines where this copied data is going to be placed.
The variable “$cloneNode” defines what tag we’re copying from $parentNode.
The variable “$addNameAttribute” is creating an attribute called “name” and the name we’re giving it is the name of the portgroup we’re pulling from vCenter. Adding “.Value = ” to the end of this variable gives us the ability to define the name when we’re creating the new portgroup tag.
The variable $newNode is used to create the new Portgroup tag and then “.InnerXML =” allows us to chose the template tag from the XML file.
(The use of [void] is something I don’t fully grasp. This is the only way it works, but I can’t tell you why.)
Using $destinationNode.AppendChild is saying place this new tag into the $destinationNode location. $newNode is the data that’s being added. “.Attributes” allows us to assign the new name Attribute we defined and “.Append($addNameAttribute)” places that attribute tag.
The variable $updateNetwork is a lookup in the XML file to find a portgroup with the tag we just created.
Once we find that portgroup, $updateVLAN, $updateVirtualSwitch, and $updateCluster are used to assign the values to these empty tags that were created.

$parentNode = $xmlNetwork.vSwitchConfig.templates
$destinationNode = $xmlNetwork.vSwitchConfig.Portgroups
$cloneNode = $parentNode.SelectSingleNode("Portgroup")
$addNameAttribute = $xmlNetwork.CreateAttribute("name")
$addNameAttribute.Value = $pgName.Name
$newNode = $xmlNetwork.CreateElement("Portgroup")
$newNode.InnerXML = $cloneNode.InnerXML
$updateNetwork = ($xmlNetwork.vSwitchConfig.Portgroups.Portgroup|Where {$ -eq $pgName.Name})
$updateVLAN = $updateNetwork.vlanId = $pgName.VLanId.ToString()
$updateVirtualSwitch = $updateNetwork.virtualSwitch = $pgName.VirtualSwitchName
$updateCluster = $updateNetwork.cluster = $cluster.Name

10. In the event this portgroup already exists, we have the ELSE portion of our IF statement we started in Step 8. Here we’re referencing the portgroup in question and checking to see if the cluster tag has already been added. We look up the portgroup name “$testPg” and search for a cluster that matches the cluster we’re currently working with. If that cluster doesn’t exist, we add a new element ($xmlNetwork.CreateElement(“cluster”)) and populate its value ($addCluster.InnerText = $cluster.Name)

If that cluster tag already exists for that Portgroup, we don’t do anything “{}”

ELSE {($testCluster = $testPg|Where {$_.cluster -eq $cluster.Name});
IF ($testCluster -eq $null) {
$addCluster = $xmlNetwork.CreateElement("cluster");
$addCluster.InnerText = $cluster.Name
$testPg.AppendChild($addCluster) | Out-Null }ELSE{}}

11. Once all of our clusters and Portgroups have been looped through. We need to save that data to the XML file we created.


12. Now that the file has been saved, we want to see what data has been written. This isn’t required, but just adds a nice little output to the screen so you can see that the data has been populated as expected.

We perform the same Get-Content command with our [XML] tag. Then we write the output of every portgroup, sorted by name, into a table so we can see all the data.

[XML]$xmlNetwork = Get-Content $xmlNetworkPath
Write-Host "The following Portgroup configuration exists in $($xmlNetworkPath)" -foreground "Yellow"
$xmlNetwork.vSwitchConfig.Portgroups.Portgroup | Sort name | Format-Table

I have obscured some of the networks and VLANs in use in my environment, but this is the output you can expect.

All together this is what the script looks like:

#Connect to the defined vCenter Server
$vCenterFqdn = "vcenter01.domain.local"
Connect-viserver $vCenterFqdn

#Define XML File Path

#Check for Portgroup XML File
$networkCheck = Test-Path $xmlNetworkPath
IF ($networkCheck -eq $True){Write-Host "Portgroup file already exists. Continuing..." -foreground "Green"}
{Write-Host "Portgroup file not created. Creating..." -foreground "Yellow"

#Create XML Portgroup File


    <test />

$networkCheck = Test-Path $xmlNetworkPath
IF ($networkCheck -eq $True){Write-Host “Portgroup file created successfully. Continuing…” -foreground “Green”}
{Write-Host “Portgroup file not created. Exiting…” -foreground “Red”;Start-Sleep 20; BREAK}}

#Get contents of XML file
[XML]$xmlNetwork = Get-Content $xmlNetworkPath

#Gather all hosts in each cluster
$getClusters = Get-Cluster
foreach ($cluster in $getClusters) {
$getPortgroups = $cluster | Get-VMHost | Where {$_.ConnectionState -ne “NotResponding”} | Get-Random | Get-VirtualPortGroup | Where {$_.key -notlike “*dvportgroup*”}
foreach ($pgName in $getPortGroups) {
$testPg = $xmlNetwork.vSwitchConfig.Portgroups.Portgroup|Where {$ -eq $pgName.Name}
IF ($testPg -eq $null) {
$parentNode = $xmlNetwork.vSwitchConfig.templates
$destinationNode = $xmlNetwork.vSwitchConfig.Portgroups
$cloneNode = $parentNode.SelectSingleNode(“Portgroup”)
$addNameAttribute = $xmlNetwork.CreateAttribute(“name”)
$addNameAttribute.Value = $pgName.Name
$newNode = $xmlNetwork.CreateElement(“Portgroup”)
$newNode.InnerXML = $cloneNode.InnerXML
$updateNetwork = ($xmlNetwork.vSwitchConfig.Portgroups.Portgroup|Where {$ -eq $pgName.Name})
$updateVLAN = $updateNetwork.vlanId = $pgName.VLanId.ToString()
$updateVirtualSwitch = $updateNetwork.virtualSwitch = $pgName.VirtualSwitchName
$updateCluster = $updateNetwork.cluster = $cluster.Name
} ELSE {($testCluster = $testPg|Where {$_.cluster -eq $cluster.Name});
IF ($testCluster -eq $null) {
$addCluster = $xmlNetwork.CreateElement(“cluster”);
$addCluster.InnerText = $cluster
$testPg.AppendChild($addCluster) | Out-Null }ELSE{}}

#Display Results
[XML]$xmlNetwork = Get-Content $xmlNetworkPath
Write-Host “The following Portgroup configuration exists in $($xmlNetworkPath)” -foreground “Yellow”
$xmlNetwork.vSwitchConfig.Portgroups.Portgroup | Sort name | Format-Table

Create vCenter 5.5 Upgrade Baseline

I have a preference to do brand new installs of ESXi for each new release. With new releases there are new options, new features, and caveats with existing functionality. This means the migration process takes longer, but it helps ensure that I’m applying current best practices each and every time instead of applying upgrades to a flawed design.

In some instances this isn’t a concern and we can use vCenter with Update Manager to upgrade hosts to the latest version of ESXi and preserve our current configuration (name, IP, storage, etc). I use this process when remotely upgrading Hosts in my colo facility without having console access to the physical servers.

This is a step by step guide to creating an upgrade baseline to upgrade an existing ESXi Host (5.0 for this writing) to 5.5 and begin the upgrade process on a Host.


1. Existing host running 5.0 or 5.1 connected to vCenter Server 5.5
2. vCenter Server 5.5 with Update Manager installed
3. Downloaded .ISO of ESXi 5.5


1. Using the vSphere thick client (not web client), connect to the vCenter server and click the “Home” button followed by “Update Manager” under “Solutions and Applications”
2. Click on “ESXi Images” tab
3. Click the link for “import ESXi Image” to wards the top right corner
4. Click “Browse” and locate the .ISO of ESXi, click “Open” then click “Next”

  • a. If you receive a security warning, click the check box to install the certificate and click “Ignore”
  • b. The ISO should upload. When completed click “Next”

5. Enter the name of this upgrade baseline identifying the version in the name or description then click “Finish”
6. Click the “Home” button followed by “Hosts and Clusters”
7. Click on the Host to be upgraded and then click the “Update Manager” tab
8. Click the “Attach” link towards the top right corner
9. Place a check in just the upgrade baseline created and then click “Attach”
10. Click the “Remediate” button towards the lower right corner

  • a. Confirm Upgrade baselines and the ESXi 5.5 baseline are selected then click “Next”
  • b. Accept the license agreement and click “Next”
  • c. Leave “Remove installed third-party software” unchecked and click “Next”
  • d. Leave the schedule as “Immediate” and click “Next”
  • e. Since this host is not in a cluster, choose “Power off virtual machines” and click “Next” (THIS WILL POWER OFF ANY VMS THAT ARE ON THAT HOST)
  • f. Click the “Finish” button

11. This process takes awhile and you’ll lose access to the server while it is remediating. If you have access to the console during this time, it is a good idea to have it open and watch the progress.

Once the upgrade is complete the Host will be available within vCenter and will be running ESXi 5.5. Once completed, make sure you double-check your settings (time, network, DNS) to ensure all your settings are still there. Also, take this time to attach your patches baseline and get the latest patches applied to this Host.

vCenter 5.5 Update Manager Install with SQL Mirroring

When I first started at my current job we were a company with a few standalone SQL Servers. There were development and production instances on both SQL 2005 and 2008. This isn’t a problem, but we lacked any kind of High Availability for these databases. One of the first projects I took on was creating a SQL 2012 Failover Cluster. The setup was relatively painless and it provided us the ability to patch SQL hosts without having to take down any of the applications that depending on it. The drawback was every time I did a cluster failover vCenter Update Manager would stop working and the service needed to be restarted. A minor annoyance, but something that always bothered me.

To alleviate this (and with available SQL licenses), I implemented a new SQL 2012 Mirrored instance and while I was building our brand new ESXi 5.5 environment it was the perfect time to move the vCenter Update Manager database to SQL mirroring. While I don’t have a blog post about how to setup SQL Mirroring (but I do have the process documented), this shows the process of provisioning the databases on the Principle and the Mirror and the commands to mirror the database with automatic failover (with a Witness server). In the future I hope to blog about the setup of SQL Mirroring.



  1. Have vCenter 5.5 already installed and running
  2. Download the ISO for vCenter 5.5 from VMware which will need to be mounted on the server that will host vCenter Update Manager (VUM).
  3. Have an additional Disk drive added to the destination server hosting Update manager because I prefer leaving the OS drive for the OS and all programs are installed on the secondary data disk.
  4. 3 Servers with SQL installed and configured for mirroring (Principle, Mirror, Witness).
  5. Install the 64-bit SQL 10 Native Client from the SQL 2008 install .ISO (sqlncli.msi) on the server hosting VUM.
  6. A domain user account to run the VUM service and connect to SQL (domain\vupdatemanager for this writing)


SQL Mirroring Configuration:

  1. Connect to the principle SQL server (SQLMir-01 for this writing)
  2. Expand Security and Logins. Right click “Logins” and click “New Login”
  3. Enter the login name for the Update Manager Active Directory account, choose “Windows Authentication”
    1. Change the “Default database” to “msdb” and click “OK”
    2. Click on “User Mapping” and place a check next to “msdb” then under “Database role membership” place a check next to “db_owner”
  4. Right click on “Databases” and choose “New Database”

    1. Enter the database name

      1. Click the “…” button next to “Owner” and browse for the login we just created, place a check mark for it and click “OK” and “OK”
    2. Click the “Options” link on the left side and ensure that Recovery Model is set to “Full” and Compatibility level is set to “SQL Server 2012 (110)” then click “OK”
  5. Right click on the newly created database and go to “Tasks” followed by “Back Up”

    1. Name the backup file and note the location of the backup file and click “OK”
    2. Navigate to that Location and copy the backup
    3. Paste this file on to the Mirror Server
  6. Connect to the Mirror SQL Server (SQLMir-02 for this writing) and create the Update Manager account just like in Step 3 on that server as well (Do not create the database)
  7. Right click on “Databases” and choose “Restore Database”

    1. Click “Device” for the source, then click the “…” button, click the “Add” button and it locate the .BAK file. Click on it and click “OK”, then “OK” again.
    2. Click the “Options” link on the left side and change “Recovery state” to “RESTORE WITH NORECOVERY” then click “OK”
  8. On the Mirror SQL server (SQLMir-02), click on “New Query” and run the following command: (This is creating the connection for the Mirror to allow mirroring from the Principle)

    1. ALTER DATABASE vCenterUpdateManager
      SET PARTNER = 'TCP://'
  9. Back on the primary SQL server, click on “New Query” and run the following commands:
    1. ALTER DATABASE vCenterUpdateManager
      SET PARTNER = 'TCP://'
      ALTER DATABASE vCenterUpdateManager
      SET WITNESS = 'TCP://'

The SQL Servers (Principle, Mirror, Witness) have multiple network connections (Production, Mirror, and Backup). A DNS entry was created for their Mirror network IPs to allow them to communicate over a non-routable network to minimize latency. Mirroring would work if I set the string to “TCP://” if a private network isn’t available.


vCenter Update Manager Install/Config:

  1. Login to the server as the user account that will connecting to vCenter/update manager database (domain\vupdatemanager for this writing)
  2. Create a 32bit ODBC connection to the SQL database
    a. Navigate to C:\Windows\SysWOW64 and open “odbcad32.exe”
    b. Click the “System DSN” tab then click the “Add” button
    c. Scroll to the bottom and choose “SQL Server Native Client 10.0” and click “Finish”
    d. Enter the name of the connection and find the SQL Server\Instance and click “Next”
    e. Choose “With Integrated Windows authentication” and click “Next”
    f. Change the default database to the Update Manager Database then set the Mirror Server as the SQL Server Name\Instance. Click “Next”
    g. Click “Finish” then click “Test Data Source”. If test is successful, click “OK” then “OK” again and again
  3. After the ISO has been mounted on the virtual machine, open “Computer” and open the CD
  4. If the installer doesn’t automatically open, locate the “autorun” application and double-click it.
  5. At the installer screen, choose “vSphere Update Manager” under the “VMware vCenter Support Tools” section. Then click “Install”
    a. Choose the appropriate language and click “OK”
    b. Click “Next” to begin the install process
    c. Accept the license agreement and click “Next”
    d. Leave the box for “Download updates from default sources” checked and click “Next”
    e. Enter the FQDN or IP of the vCenter server to be connected to as well as the username/password for the account you’re currently logged in as (I’ve made this account an Administrator in vCenter at the Datacenter level)
    f. Choose “Use an existing supported database” and then choose the DSN connection created in step 2 and click “Next”
    g. Click “Next” to confirm the database information and click “OK” to ignore the warning about Full recovery
    h. Choose the IP address and note the ports being used then click “Next”
    i. Change the Install directory from C: to D: and then click “Next”
    j. Click “Install”
    k. Click “Finish”
  6. After installation completes, press the Start button, Administrative Tools, then Services
    a. Locate the “VMware vSphere Update Manager Service”, right click and choose “Properties”
    b. Click the “Log On” tab and click the “This account” button then enter the login information for the domain account used for update manager then click “Apply”
    c. Click “OK” for the dialog box about granting log on as a service rights
    d. After the new service account has been applied, click the “General” tab then click the “Stop” button. Once the service has stopped, hit the “Start” button. Then click “OK”
  7. Open up the vSphere client (not the web interface) and login to the vCenter server
    a. Click the “Home” button
    b. Click the “Update Manager” button under “Solutions and Applications”
    c. Click on the “Baselines and Groups” tab
    d. Click the “Create” link towards the top right corner under “Compliance View”
    e. Select “Host Baseline Group” and give it a name (“All Patches” for this example). Click “Next”
    f. Click “Next” through “Upgrades” page
    g. Select both Critical and Non-critical patches and click “Next”
    h. Click “Next” through the “Extensions” page
    i. Review the settings and click “Finish”
  8. Click the “Home” button again then choose “Hosts and Clusters”
    a. (For this writing, we’ll attach the baseline group to the Datacenter, but I usually apply this at the cluster level)
    b. Click on the Datacenter then click on the “Update Manager” tab
    c. Click the “Attach” link towards the top right corner
    d. Under “Baseline Groups” choose the name of the Baseline group created and click “Attach”
    e. Once attached, all the Hosts will display under “All Groups and Independent Baselines”. Click the “scan” button towards the top right corner
    f. Click the “Scan” button on the pop up box
    g. Once scanning is completed, click the “Stage” button towards the bottom right corner
    h. Ensure both Critical and Non-critical patches are selected as well as the host and click “Next”
    i. Click “Next” after reviewing the patches to be applied
    j. Then click “Finish” (All patches that can be staged will be placed on the host, some that can’t be staged will be loaded once you choose “Remediate”)
    k. Once staged, click the “Remediate” button towards the bottom right corner
    l. Click the baseline group created earlier then click “Next”
    m. Review the patches and click “Next”
    n. Choose “Immediately” for the remediation time and click “Next”
    o. Choose your VM power state options (In a multi-host cluster choosing “Do Not Change VM Power State” will cause VMs to be vMotioned to another host when entering maintenance mode)
    p. Click Finish (This will cause the Host to enter maintenance mode, apply patches, and reboot if necessary)
  9. After the host finishes rebooting we’ll see the new build number

Applying baselines at the cluster level will help to ensure all your hosts are running the same builds/patches and help prevent version mismatch issues. I prefer to created one baseline for all my hosts that includes any required extensions. In my environment we run NetApp storage which requires a host component to take advantage of VAAI. By adding this into my required patching I make sure all my hosts are able to take advantage of this.

Install & Configure vCSA and vCenter 5.5

The steps below are to install and configure the vCenter Server Appliance, configure SSO to lookup users in a specific OU in Active Directory, add an Administrator, add your first host, and configure email server settings.


  1. Download the latest version of the vCenter Server Appliance ( for this writing) and place it some where that is accessible by the client hosting the vSphere client
  2. Have the vSphere Thick client installed
  3. Have a datastore created for the appliance (VM_Appliances for this writing)
  4. Identify the Fully Qualified Domain name and IP address of the server ahead of time


      1. Login to the vSphere client, choose File then Deploy OVF Template
      1. Click “Browse”, locate the OVF/OVA, and click “Open”, then click “Next”
      1. Click “Next” after reviewing the template details
      1. Name the vCSA, choose the inventory location, and click “Next”
      1. Choose the datastore and click “Next”
      1. Verify the datastore name and size and click “Next” (Size is not adjustable)
      1. Select the appropriate “Destination Network” and click “Next”
      1. Enter the following information and click “Next”
        1. Hostname = Name of Appliance
        1. Default Gateway = IP of the gateway of  the Destination Network
        1. DNS = IP of the DNS Server (Separate each DNS server with commas, though it didn’t seem to apply these settings)
        1. Network 1 IP Address = IP address of the vCenter Server Appliance
        1. Network 1 Netmark = Subnet mask of the Destination Network
      1. Verify the settings and click “Finish” to begin deployment of the vCSA
      1. Once deployment is finished, click “Close”
      1. Right click on the vCSA in the vSphere client and choose “Upgrade Virtual Hardware” then click “Yes” to upgrade the configuration
      1. Right click on the vCSA and choose “Open Console”
      1. Click the “Power On” button in the console
      1. Once the appliance has finished booting, open a browser and connect to the web interface (https:// ipaddress:5480)
      1. Click “Continue” to the security warning on your web browser
      2. Enter the default username and password for the vCSA (username: root, password: vmware)
      1. After login, accept the licensing agreement and click “Next” (this part may take awhile)
      1. Once you get to “Configure Options” press the “Cancel” button (After a few unsuccessful attempts to configure through the wizard, it is easier setting it up manually)
      1. At the home page of the vCSA admin page, click on the “Database” tab
      •  Change the “Database type” to “embedded” and click “Save Settings” (may take a minute or 2)
      1. Click on the “SSO” tab
        • Change the “SSO deployment type” to “embedded”
        • Set the admin password for the “administrator@vsphere.local” account (Save this information immediately!)
        • Click “Save Settings” (will take a few  minutes)
        • Once you see the message “Operation was successful” you can move on to the next step
      1. Click on the “Network” tab
        • Ensure the Hostname (must be a FQDN if adding to a domain), IPv4 gateway, preferred & alternate DNS servers, and IPv4 static IP addressing is set. If any entries is missing, add them now
        • Once saved, click on the “System” tab and click on “Reboot”
      1. Log back in (if necessary and continue with the next step)
      1. Click on “Authentication” tab
        • Check the box for “Active Directory Enabled”
        • Enter the domain name
        • Enter a domain admin account for “Administrative user” (Domain admin)
        • Enter the password for this account and click “Save Settings” (This will add the appliance to the domain)
      1. Click on the “Update” tab then click “Check Updates” to see if there are any available updates
        • Install any updates that are available
        • Click on “Settings” under “Update”
        • Choose “Automatic check for updates”
        • Set your frequency (usually once a week) and then click “Save Settings”
      1. Click on the “Admin” tab
        • Enter the current administrator password (default is “vmware”)
        • Enter the new administrator password and immediately save it (I use keepass for my passwords)
        • Click “Yes” for administrator password expiration
        • Enter the password validity time in days
        • Enter a group account for email expiration warning
        • Click “Submit”
      1. Once the settings are saved, click on “System” tab then choose “Reboot”
      1. Once the vCSA is back up, you should be able to login to the vSphere Web Client (https:// IPofvCSA:9443)
      2. Download and install the “Client Integration Plug-in”

        • You’ll need to close your current browser to complete installation. Reopen and enable the Plugins after revisiting the URL above
      1. Login using the username “administrator@vsphere.local” and the password setup in step 20
      1. Click on “Administration”
      1. Click on “Configuration”, then click the “Identity Sources” tab and press the “+” button
      1. Choose the following for setting up Active Directory Auth for a specific group using a service account
        • Choose “Active Directory as a LDAP Server”
        • Enter the name (Just a reference name)
        • Enter the Distinguished name of the OU where users will be located
        • Enter the Domain name
        • Enter the Domain alias
        • Enter the Distinguished name for groups (for us, it’s the same as for users)
        • Enter the primary server URL (Format: ldap:\\
        • Enter the secondary server URL (same format as above)
        • Username: A domain account in the OU above (do not use a users account, make it a service account)
        • Password: Password for domain account
        • Press “Test Connection” to ensure it all works and then click “OK”


      1. Under “Single Sign-On” on the left, click on “Users and Groups”
      1. Click the “Groups” tab, then click on “Administrators”
      1. Click the “Add Members” button
      1. Change the Domain to the Domain that was just added. Search for the Domain users/groups that need Administrator access, click on each one and click “Add” followed by “OK”
      1. Once the users have been added, click on the “Home” button towards the top left
      1. Click on “vCenter”
      1. Under “Inventory Lists”, click on “vCenter Servers”
      1. Click on the name of your vCenter Server
      1. Click the “Manage” tab, followed by the “Permissions” button
      1. Click the “+” button to add a new administrator.
        • When the “Add Permission” box appears, click the “Add” button at the bottom
        • Change the Domain to Domain added earlier
        • Search for the same users/groups added as vCSA admins, select each one and click “Add” followed by “OK” when completed
        • Under “Assigned Role” change from “No access” to “Administrator”. Ensure “Propogate to children” is selected and click “OK”
      1. Once Domain permissions have been assigned, sign out of the web interface as “administrator@vsphere.local” and login with domain credentials (domain\username)
      1. Once logged in as Domain account, click on “vCenter”
      1. If you see the number “1” next to “vCenter Servers” under “Inventory Lists” then permissions were assigned correctly.
      2. Click on vCenter Servers, then click on the vCenter server and click the “Manage” button in the middle pane
      1. Under the “Settings” tab click on “Advanced Settings”
      1. Locate the key “config.registry.key_managedIP” and if the Value is “–“,  click the “Edit” button towards the top right
      • Scroll down to that key and enter the IP address of the vCenter Server appliance and click “OK” (Without this entry, in the event of a DNS failure, the hosts will not be able to check in with the vCenter server and could become disconnected. Thanks to Virtual Barker for pointing this out)
      1. Click on on the “vCenter” link towards the top left
      1. Click on “Datacenters”
      1. Click the “Create a new datacenter” button
      1. Choose a name of the Datacenter (I usually use location), click on the vCenter server instance and click “OK”
      1. Click on “vCenter” towards the top left
      1. Click on “Hosts” under “Inventory Lists”
      1. Click the “Add a host” button
      1. Follow these steps to add a host to your newly created datacenter
        • Enter the fully qualified domain name of your host
        • Click on the destination datacenter and then click “Next”
        • Enter the username and password for the “root” account then click “Next” (Click “Yes” for the security alert)
        • Review the details of the Host then click “Next”
        • Assign a license key (if available) and click “Next”
        • Make sure “Enable lockdown mode” is unchecked and click “Next”
        • Click “Next” through “VM location” as we haven’t created a new tag yet
        • Click “Finish”
      1. Click on “vCenter” button towards the top left
        • Click on “vCenter Servers” under “Inventory Lists”
        • Click on the name of the vCenter server
        • Click the “Manage” tab
        • Under “vCenter Server Settings” on the General page, click the “Edit” button
        • Click the “Mail” link and enter your mail server address and the mail sender address and then click “OK”

At this point you are ready to start adding more hosts, creating clusters and deploying virtual machines. Before you are ready for production, ensure that you create alerts for monitoring VM and Host health such as CPU and memory usage, CPU ready latency, storage latency and VM snapshot size. I’ll address the common alerts I create in each new build in a later post.