Wednesday, October 27, 2010

Undocumented ESXi 4.1 Features

So I have been tasked with a VMware ESXi 4.1 rollout in an enterprise environment. The vertical is not important, other than to say they are affected with something that rhymes with Tan Bleach Riley, so the security constraints are insane (think asking permission to open HTTP access internally).

As I went forward with the deployment, I noticed a few settings in the Security Configuration area of vSphere for these servers that look like this:


You may notice a few additions like Direct Console UI (which can bite you severely if you turn it off and then need local console access to reconfigure or restart networking). The Tech Support options are somewhat self-explanatory (since VMware took their unsupported mode and made it a legit feature). But what are I/O Redirector (Active Directory Service) and LBTD?

Well, I asked a friend who is also one of the most experienced VMware gurus I know, SBeaver (as many of you know him; www.beaverdam.net/blog), for a rundown. He had the following to say on those two items:

  • I/O Redirector (Active Directory Service) - is or is related to the iSCSI Initiator
  • LBTD - is part of the Host Profile Enhancements for 4.1 and is the Load Balanced Teaming Daemon

I tried to do a little follow-up, now armed with Steve's key acronym decryption decoder ring, and it seems that LBTD provides a network load balancing option in addition to the ESX 4.0 favorites:

  • Route based on the originating virtual Port ID
  • Route based on IP hash
  • Route based on source MAC hash

According to VMware KB Article 1022590, it appears there can still exist a condition that results in two heavily loaded VMs congesting one physical adapter while other adapters are relatively free. By using Load Balanced Teaming you can relieve this issue and also gain:

  • Dynamic adjustments to load
  • Different NIC speeds are taken into account. You can have a mix of 1Gbit, 10Gbit, and even 100Mbit NICs.

This feature can only be utilized with a virtual distributed switch (vDS), so plan accordingly, and don't forget to tell the network team that you are exploring new strategies in NIC teaming and that you may need some EtherChannels opened up.

As for I/O Redirector (Active Directory Service) I am not finding a lot about it, so I will keep poking and divulge what I can.

On the top of the virtual mountain searching for the root of the world to see if it's been /jail-ed,

-Virt

2 comments:

  1. I/O Redirector (Active Directory Service) is NOT related to iSCSI.

    All 3 of these services are different components required for vSphere 4.x host-level AD Authentication. If the host is not joined to a domain, the 3 services with "(Active Directory Service)" in the name have no need to be running.

    Enjoy!

  2. Hi, thanks for sharing.

    I'm just trying to explore vSphere more deeply...

    This feature can only be utilized with vDS; is that only the default vDS from vSphere, or also with the Nexus 1000V???

    Rgrds

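The first comment's point, that the services labelled "(Active Directory Service)" have no need to run on a host that is not joined to a domain, can be checked across a rollout. The following is an added example, not code from the post or from VMware: the function name, host name and sample service records are constructed, and the commented lines at the end show how the same inputs would come from the PowerCLI cmdlets Get-VMHostService and Get-VMHostAuthentication.

```powershell
# Added example: flag AD-related services left enabled on a host that is
# not domain-joined. Function name and sample data are hypothetical.
function Find-UnneededAdService {
    param(
        [Parameter(Mandatory)] [string]   $HostName,
        [Parameter(Mandatory)] [bool]     $DomainJoined,
        # Objects exposing Label, Running and Policy, the shape that
        # Get-VMHostService returns.
        [Parameter(Mandatory)] [object[]] $Services
    )

    # A domain-joined host needs these services for host-level AD auth.
    if ($DomainJoined) { return }

    $Services |
        Where-Object { $_.Label -like '*(Active Directory Service)*' } |
        # Report a service that is running now, or that would start again
        # after a reboot because its startup policy is not 'off'.
        Where-Object { $_.Running -or $_.Policy -ne 'off' } |
        ForEach-Object {
            [pscustomobject]@{
                Host    = $HostName
                Service = $_.Label
                Running = $_.Running
                Policy  = $_.Policy
            }
        }
}

# Constructed sample records (not captured from a real host).
$sample = @(
    [pscustomobject]@{ Label = 'I/O Redirector (Active Directory Service)'; Running = $true;  Policy = 'on' }
    [pscustomobject]@{ Label = 'Direct Console UI';                         Running = $true;  Policy = 'on' }
    [pscustomobject]@{ Label = 'LBTD';                                      Running = $true;  Policy = 'on' }
)

# Only the I/O Redirector row is reported for this standalone host.
Find-UnneededAdService -HostName 'esx01.example.test' -DomainJoined $false -Services $sample |
    Format-Table -AutoSize

# Against a live host (PowerCLI, after Connect-VIServer):
#   $h      = Get-VMHost 'esx01.example.test'
#   $joined = [bool](Get-VMHostAuthentication -VMHost $h).Domain
#   Find-UnneededAdService -HostName $h.Name -DomainJoined $joined `
#       -Services (Get-VMHostService -VMHost $h)
```

The check only reports; Direct Console UI is deliberately left out of it, given the post's warning about losing local console access when that service is turned off.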