MyLab: Overview

Overview

From time to time, I completely wipe out my lab and just start over. This keeps me fresh on the technology and allows me to discover new puzzles as software is always changing. The things that stay constant in my lab are the VMware host, a PowerEdge R730xd, and a Synology DS1511+ Network Attached Storage (NAS).

These new posts will capture the details and serve as the living documentation. My lab may come up and go down, but a lot of the time I reuse similar Group Policies and names. These posts will be the information that stays current while the lab is ever changing.

In the future, I would like to get this as code (infrastructure as code), where possible, so that the process is more defined. Rather than build and configure, I would rather configure and build. That is likely a little ways off, however.

To keep things simple, I am going to preface the posts with MyLab: and then include whatever technology I am documenting at that time. The goal for my lab is usually a fully secured and operational VMware Horizon implementation.

Assumptions

This is not a how-to guide or a complete click-to-click guide on how to do everything. This series (and my whole blog, really) assumes that you have somewhat of a clue on what you are doing and you just need a little guidance. For instance, I am documenting the virtual machine hardware I am using below, but I am not going to go through how to install the operating systems or do a minimal configuration like setting host names or IP addresses.

When I am documenting the installation and configuration of a product or component, I will likely leave out steps such as clicking on Next, OK, or Finish. I assume you can read since you are here and hopefully the User Interfaces are easy enough to navigate with each product.

Disclaimer

I have it stated elsewhere as well, but I figure I will mention it again. Yes, I do work for VMware, Inc, and no, this is not an endorsement for their products nor a representation of their beliefs or mentality. This series and this site are entirely of my professional opinion and methodologies, only. The only thing you will encounter here is my sass and my opinions, like them or not.

Virtual Machine Hardware

Windows Server 2022 Virtual Hardware

I have a host with lots of available RAM and do not intend to starve my virtual machines. Most of the time, Windows Server will take a lot of resources at boot, but then hand unused resources back appropriately.

Name: <device short code>-<vlan>-<last octet>
Compatibility: ESXi 7.0 U2 virtual machine
Guest OS family: Windows
Guest OS version: Microsoft Windows Server 2022 (64-bit)
Enable Windows Virtualization Based Security: <checked>

Select storage.

CPU: 4
Cores per Socket: 2

Memory: 8 GB
Hard disk 1: 120 GB
Disk Provisioning: Thin provisioned
SCSI Controller 0: VMware Paravirtual

Network Adapter 1: <choose vlan>
Adapter Type: VMXNET 3
CD/DVD Drive 1: Datastore ISO file
Status: Connect at power on > <checked>
CD/DVD Media: <choose ISO file>
Video Card: Specify custom settings
Total video memory: 256 MB

Review the settings and ensure they are set appropriately.

Fedora Server 38 Virtual Hardware

Name: <device short code>-<vlan>-<last octet>
Compatibility: ESXi 7.0 U2 virtual machine
Guest OS family: Linux
Guest OS version: Red Hat Fedora (64-bit)

Select storage.

CPU: 4
Cores per Socket: 2

Memory: 8 GB
Hard disk 1: 120 GB
Disk Provisioning: Thin provisioned
SCSI Controller 0: VMware Paravirtual

Network Adapter 1: <choose vlan>
Adapter Type: VMXNET 3
CD/DVD Drive 1: Datastore ISO file
Status: Connect at power on
CD/DVD Media: <choose ISO file>
Video Card: Specify custom settings
Total video memory: 256 MB

Review the settings and ensure they are set appropriately.

Minimal Configuration Tasks

At the bare minimum, after the virtual machine is built and the operating system is installed, VMware Tools is installed on Windows guests and open-vm-tools is installed on Linux guests. I get the first domain controller configured with a new forest and then I set the following on the rest of the virtual machine guests:

  • Host name (Windows uses UPPERCASE)
  • IPv4 Address
  • IPv6 is in use in my lab but auto-configured
  • Correct the time, if needed
  • Time zone
  • Optionally configure NTP, if available

Secondary Configuration Tasks

Once I have an established domain, I will configure the following:

  • DNS – include static addresses for IPv4 and IPv6 devices
  • Define computer objects in Active Directory
  • Set up a basic user
  • Set up an administrative user (and sometimes a separate domain or enterprise admin)

Order of Operations

While building the lab, it occurred to me that I should document the logical build of the lab. Some components require others to be available prior to deploying or installing. I will add links here to make it easier to get to the section needed.

Physical Networking

Configure VLANs and Subnets on the firewall (network core, in my case). I do use IPv6 in my lab, but let auto-config do a lot of that work for me, so I do not pay attention to the subnets. The only time I need the individual IPv6 address is when I am configuring DNS records.

  • WAN – no VLAN, uses DHCP
  • DMZ – VLAN 99 – 192.168.99.0/24
  • Out-of-Band Management (iDRAC) – VLAN 2 – 192.168.2.0/24
  • MyLab Network – VLAN 92 – 192.168.92.0/24
  • VDI Network – VLAN 29 – 192.168.29.0/24

Configure the switch with Jumbo frames (MTU 9216 or 9000) depending on the switch. There will be additional VLANs configured on the switch that are not on the firewall as well. These are layer 2 networks and do not need a Layer 3 Switched Virtual Interface (SVI).

  • vSAN (if used)
  • iSCSI-A – VLAN 11 – 172.16.11.0/24
  • iSCSI-B – VLAN 12 – 172.16.12.0/24 (iSCSI Multipathing (MPIO) requires two separate subnets)
  • vMotion – VLAN 15
  • Black hole VLAN 999 – it is best practice to shut down unused interfaces and move them to a “black hole” VLAN. This VLAN will not have access to anything.

Main ESXi Host

I only have one host so things are a little different than running a multi-host cluster. A few things I make sure to do are install any Dell firmware updates (BIOS, network, etc.) to the host itself, configure the iDRAC for out-of-band management (just in case scenarios), and ensure ESXi is installed and patched.

Direct Console User Interface (DCUI)

From the DCUI, I will configure a few critical items so that I can access the host from a web browser.

  • Configure a secure password
  • Configure the management network, consisting of the Network Adapters to use, the VLAN, IPv4 Configuration is set to static and configured, DNS configuration, and the Custom DNS Suffixes to use.
  • Enable ESXi Shell and SSH from the troubleshooting options since this is a lab device and not in production (where money is made and potential for loss of life occurs).

Once these items are all configured, I can logout and verify my IP addresses.

Open a web browser and access the IP address or fully qualified domain name for the host. Since the host may not have a certificate, yet, you are likely to encounter a security banner. Once I log into the ESXi host, I am presented with an option to Join the VMware Customer Experience Improvement Program. I will uncheck this option as it is not needed.

Once I get past that, I see that I have a ton of work to do!

Virtual Networking

This host has four network interfaces, so I break up the first two on vSwitch0 for Management and virtual machine traffic and the other two are on vSwitch1 for storage traffic.

I change the MTU to 9000 on both switches as well as make both vmnics active.

Once I have vSwitch1 configured, I configure the two iSCSI VMkernel NICs. VMkernel adapters segregate the network traffic and provide services for the host. Provide a name, VLAN ID, increase the MTU to 9000, and assign an IP address. I am using a 172.16.0.0/24 prefix, here, but I always use the VLAN ID in the third octet and the fourth octet will be the same as the host. I find this easy to keep track of in the future. There is no designated iSCSI service, so there is nothing to check.
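The naming convention (<device short code>-<vlan>-<last octet>) and the addressing rule above (VLAN ID in the third octet, host's own number in the fourth) are easy to break by hand, for example by attaching a guest named for VLAN 92 to the VDI port group. The check below is an added example, not part of the original post: it encodes the VLAN plan from this page (a constructed lookup table), derives the address a guest should have from its name, and flags mismatches. The device short code "DC" and the octets in the test values are constructed placeholders.

```python
import ipaddress
import re

# VLAN plan as listed in this post (constructed lookup; extend as the lab changes).
# Routed VLANs live under 192.168.0.0/16, the layer-2-only iSCSI VLANs under 172.16.0.0/16.
VLAN_PREFIXES = {
    99: "192.168.99.0/24",  # DMZ
    2: "192.168.2.0/24",    # Out-of-Band Management (iDRAC)
    92: "192.168.92.0/24",  # MyLab Network
    29: "192.168.29.0/24",  # VDI Network
    11: "172.16.11.0/24",   # iSCSI-A
    12: "172.16.12.0/24",   # iSCSI-B
}

# <device short code>-<vlan>-<last octet>
NAME_RE = re.compile(r"^(?P<code>[A-Za-z0-9]+)-(?P<vlan>\d{1,4})-(?P<host>\d{1,3})$")


def expected_address(name):
    """Derive the IPv4 address a guest should have from its name."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"name {name!r} does not follow <code>-<vlan>-<last octet>")
    vlan, host = int(m.group("vlan")), int(m.group("host"))
    if vlan not in VLAN_PREFIXES:
        raise ValueError(f"VLAN {vlan} is not in the lab plan")
    if not 1 <= host <= 254:
        raise ValueError(f"last octet {host} is not a usable host address in a /24")
    # The plan keys each /24 by its VLAN ID, so the third octet already equals the VLAN.
    return ipaddress.ip_network(VLAN_PREFIXES[vlan]).network_address + host


def check_guest(name, configured_ip):
    """Return (ok, detail): does the configured address match what the name promises?"""
    try:
        want = expected_address(name)
    except ValueError as exc:
        return False, str(exc)
    have = ipaddress.ip_address(configured_ip)
    if have == want:
        return True, f"{name} -> {have} matches the naming convention"
    return False, f"{name} should be {want} per its name but is configured as {have}"


def iscsi_vmkernel_addresses(host_last_octet):
    """Addresses for the two iSCSI VMkernel adapters: VLAN in the third octet, the
    host's own last octet in the fourth. MPIO needs them on two separate subnets."""
    return {vlan: str(ipaddress.ip_network(VLAN_PREFIXES[vlan]).network_address + host_last_octet)
            for vlan in (11, 12)}
```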

When configuring the vMotion adapter, make sure to use the dedicated vMotion TCP/IP Stack! Since I am only running on one host, the vMotion VMkernel adapter is not necessary.

Port Groups

Since there are VLANs configured on the switch and the traffic is being tagged to the ESXi host, I will also need to add a couple of port groups so that I can use the network.

iSCSI Multipath I/O (MPIO)

I have very limited bandwidth in my lab as I am still using 1 Gbps links. One thing that helps is configuring iSCSI MPIO. I have an article already published that describes how I did this.

VMware, Synology, iSCSI, and Multipath I/O (MPIO)

The gist, though, is that the Synology NAS is configured with two subnets, one per interface. The iSCSI traffic travels through the physical switch through to the virtual switch, vSwitch1 in my case. I configure two VMkernel adapters on their individual subnets and set the opposite vmnic to Unused so that only one adapter is Active at a time.

This configuration allows the adapters to be “pinned” and also provides a predictable path for the network traffic.

Configuring the Multipathing Policy

There is no use in configuring MPIO and then still sending the traffic down one link. I change the policy from the default, Most Recently Used (VMware), to Round Robin (VMware). This allows both paths to be used equally. There are other policy parameters that can be configured from the command line that I recommend, but they are dependent on the storage provider. A common additional parameter I see is changing the default IOPS limit from 1000 to 1. This helps prevent saturation in a multi-host clustered environment. Since I only have one host, just changing to Round Robin (VMware) is good enough for me.

Configure Network Time Protocol (NTP) Servers

I use chronyd on two Fedora Linux 38 (Server Edition) servers. One server gets time from pool.ntp.org and the other gets time from time.cloudflare.com. The two servers then peer with each other and stay in sync.

Microsoft Active Directory

Most of the time, I will just build a single Domain Controller, but sometimes I will configure two. One of the most important configuration items here is having accurate time for Kerberos Authentication (using w32tm and the NTP servers configured above) and having accurate DNS forward and reverse lookups. If using more than one domain controller, be sure to set the time on the Primary Domain Controller (PDC) emulator. This is the default source of time for domain-connected devices. I do not use the domain controller as the time source for non-Windows devices.

I will tend to configure an Organizational Unit (OU) for the domain to keep all things domain-related separate from the stock containers. This allows me to then configure Security Groups, a general user, and an administrative user.

Lastly, I will tend to build out cursory Group Policy Objects (GPO) that set the Firewall and enable and configure Remote Desktop.

Certificate Authority

Same as the domain controllers, sometimes I configure just a root server and not an intermediate. Sometimes, I configure both for a more realistic experience. Either way, I will configure a VMware template so that I can secure all devices. I do use the VMware certificate template for non-VMware devices as well, such as Microsoft SQL Server and Dell iDRAC. It is just a customized template based on the Web Server template, anyway.

Microsoft SQL Server

Speaking of Microsoft SQL, I will almost always configure at least one. But sometimes, it’s good to refresh my skills and notes on an Always On availability group database.

It is imperative to secure the SQL server with TLS certificates, so I get that out of the way first.

Lastly, I need other services to be able to communicate to these servers, so I open up TCP 1433 on the Windows Firewall. This can be done through Group Policy, but I usually do not build a separate container for just SQL servers so I do it on an individual server basis.

Microsoft File Server

Files always need to be shared, and a file share is required since I am also planning on using VMware Dynamic Environment Manager (DEM). For this service, one server is more than enough. This server will also get the VMware Workspace ONE Access connector for Directory Sync, Kerberos Auth, User Auth, and Virtual Apps Sync.

VMware vCenter

Once all the critical infrastructure services are configured and online, I will then install VMware vCenter. One of the first things I will do after it comes online is change the certificate so that I no longer get the security warnings. I will then swap out the ESXi host certificate and add the host to vCenter so I have more features and a more favorable interface available to me.

Configuring Workloads

Once the critical infrastructure is configured, vCenter is online and configured, and the ESXi host is added, I am able to build out whatever workloads I am wanting to test and learn at the time. The current iteration of my lab will be two parts, a VDI lab and a VMware Aria lab.

VMware End User Computing (EUC) Components

  • VMware Horizon
  • VMware App Volumes
  • VMware Dynamic Environment Manager (DEM)
  • VMware Unified Access Gateway (UAG)
  • VMware Workspace ONE Access

VMware Aria Components

  • VMware Aria Automation Suite Lifecycle
    • VMware Suite Lifecycle appliance
    • VMware Aria Automation appliance
    • VMware Workspace ONE Access appliance
  • VMware Aria Operations
  • VMware Aria Operations for Logs

Summary

There was a lot to digest there for sure. This was just an overview, though, and more in-depth details surrounding each component are available. The idea for me was that if you click on a technology link here, you will be fully configured and ready for use by the end of the post as long as the Order of Operations is followed. As I am using my lab and configuring, I am sure I will come back to these pages and update as necessary. Stay tuned and thank you for taking the time to navigate my blog!
