Wednesday, August 26, 2015

ESXi vs. ESX: A comparison of features

VMware made the decision to make VMware ESXi, our next generation hypervisor, freely available to proliferate the VMware platform and allow administrators to prove its value at no cost. However, the fact that the older platform, VMware ESX, is not also available for free has lead some people to believe that ESXi may be inferior or not as feature-rich as ESX. This is certainly not the case. In fact, the opposite is true. ESXi has a superior architecture and we encourage customers to deploy ESXi as part of any new vSphere deployment. Our future posts will compare ESX 4 and ESXi 4 in detail on topics like hardware compatibility list, performance, and management to demonstrate that ESXi is either on par with or superior than ESX. But for now, here are some key points you should know about ESXi vs. ESX:
  1. The functionality and performance of VMware ESX and ESXi are the same; the difference between the two hypervisors resides in their packaging architecture and operational management. VMware ESXi is the latest hypervisor architecture from VMware. It has an ultra thin footprint with no reliance on a general-purpose OS, setting a new bar for security and reliability (learn more).
  2. In the future, ESXi’s superior architecture will be the exclusive focus of VMware's development efforts.
  3. New and existing customers are highly encouraged to deploy ESXi. Many Fortune 100 companies have already standardized on the ESXi platform.
Although one instance of free VMware ESXi can be managed with the vSphere Client, the free version has two important limitations:
  1. vCenter cannot manage free ESXi without a vSphere license as its APIs only grant read-only access.
  2. Automated scripts cannot change hypervisor settings. 
However, once ESXi is licensed for any vSphere SKU, its APIs become both read- and write-accessible, unlocking the full functionality of vCLI, vMA, PERL Took Kit, Powershell Tool Kit, or other VMware management interfaces.The table below, available here, explains how different license levels unlock ESXi (and ESX) functionality. Please note that vSphere Essentials, an all inclusive package that can be deployed on up to three servers, is priced at under $1000. 
The ESX Team
vsphere_detailed_comparison.gif

Joining vSphere Hosts to Active Directory

I recently blogged about how in vSphere 5.1 you can now assign full admin privileges to named users, and in that post I commented that while it is possible to create local user accounts on each vSphere host that a better approach is to add your host to a Microsoft Active Directory (AD) domain and use your existing AD credentials instead.  In this post I will provide an example showing how to do this.

Note that although the ability to assign full admin privileges to local users is new in vSphere 5.1, the ability to join vSphere hosts to active directory is not new.  In this example I’m using vSphere 5.0.
Prerequisites
Of course before you can add your vSphere hosts to AD you need to have an AD domain.  In addition you need to have a domain admin account with the rights to add computers to the domain.
Adding vSphere Hosts to Active Directory
To add a vSphere hosts to AD log on to the vSphere Client and from the “Host and Clusters” view:
  1. Select the host.
  2. Select the “Configuration” tab.
  3. Select “Authentication Services”.
  4. From the “Authentication Services Settings”, select “Properties…”.
This will launch the “Directory Services Configuration” wizard where you will:
  1. Set “Select Directory Service Type” to “Active Directory”.
  2. Enter the name of the AD domain.
  3. Click “Join Domain”.
When you click “OK” you will be prompted to enter the username and password of the AD domain admin account that will be used to add the host.
Monitor the progress in the “Recent Tasks” section and make sure it completes successfully.
That’s it, the host has been added to Active Directory and a corresponding computer account for the host created.
The next step is to setup user privileges.  There are a couple ways to do this, you can assign privileges to individual users or to AD groups.
Assign Privileges to a User
To assign privileges to individual users you need to use the vSphere client and connect directly to the vSphere host.
Once you have logged in select the “Permissions” tab, right-click on the white background and select “Add Permission…”.
From the “Assign Permissions” pop-up you first need to select the user by clicking the “Add” button.
This will bring up the “Select Users and Groups” pop-up.  Use the pull-down menu to change the “Domain:” to the name of the AD domain, find the user in the list, click “Add”, and then click “OK”.
Next, choose the role to assign to the user.  Use the drop-down menu on the right to select the desired role and then select OK.
The user is now shown with the assigned role:
Note you will need to repeat these steps for each user on each vSphere hosts.
Assign Privileges to a Group
To help simplify the configuration you can assign permissions to an AD group opposed to individual users.  With groups you only need go through the steps to assign privileges to the group once on each host opposed to once for each user.  Once you assign the privileges to the group you manage user access by simply adding and removing users to/from the group in AD.
The steps to assign privileges to an AD group are the same as shown above, the only difference is instead of choosing a user you would chose a group.
The “ESX Admins” Group
Using AD groups helps simplify user configurations but there is still a requirement to repeat the configuration on each host, and if you have a lot of hosts this can still be a bit tedious.  To avoid having to connect to each host to manually setup a group account VMware provides a default AD group named “ESX Admins” that automatically gets added to each host by default.
The key to remember here is that not only is this group added to each host, but by default it is also granted full administrative rights.  As such it is important to limit the AD users who get assigned to the “ESX Admins” group.  Arbitrarily assigning all vSphere admins to the “ESX Admins” group could compromise security.    A few important things to note about the “ESX Admins” group:
  1. The group is not created in active directory by default.  An administrator must manually create the group, but once created by default all users that are members of this group get full admin access to all vSphere hosts added to the domain.
  2. You can disable admin access to the “ESX Admins” group using the “Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd” setting.
  3. You can change the name of the “ESX Admins” group using the “Config.HostAgent.plugins.hostsvc.esxAdminsGroup” setting.
Summary
Adding your vSphere hosts to Active Directory can simplify user management and help improve security.  It’s relatively easy to add local users to a hosts and to assign them administrative privileges, but if you have a lot of administrators the steps to configure each account will need to be repeated multiple times on each host.
You can simplify the local user configuration by using AD groups.  With groups, rather than repeating the setup for multiple user accounts you only need to configure the group account once on each host.  Once privileges have been assigned to the group you control who has access to the host by adding and removing users to/from the AD group.
VMware provides a default AD group called “ESX Admins” that, if created in AD, will automatically get added to each host when it is added to active directory.   By default the “ESXi Admins” group is assigned full administrative rights to the vSphere host so it’s important to limit the users that are members of this group.  You can change this behavior, as well as change the name of the group using the “Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd” and “Config.HostAgent.plugins.hostsvc.esxAdminsGroup” settings.