06-11-19

Notes from the field – Cloud Design Part 1

I’ve had an interesting last couple of weeks having discussions with customers who are both already in the public cloud and those that are dipping a toe. One recurrent theme seems to be the idea of taking what you have on premises and putting it into the cloud and expecting it to work in exactly the same way.

I’ve been working with cloud technologies for coming up on 5 years now, and in that time, this concept has been prevalent all the way through. There is a famous quote that seems to have been attributed to different historical people, including Einstein and Henry Ford, but instead I’m going to use Aerosmith’s interpretation of it:-

Cause if you do what you’ve always done
you’ll always get what you always got
Uh could that be nothin’

Steven Tyler, Aerosmith “Get A Grip”

Now that I’ve shoehorned in a hard rock reference, let’s look at what that actually means. For a start, many larger organisations use the end of a DC lease to trigger their move into public cloud by doing a “lift and shift” of VMs into the cloud, maybe deploying a couple of third party appliances (such as CloudGuard IaaS, of course) and then declaring themselves “in the cloud”. Job done.

Well yes and no.

Let me be clear on my view that if you are moving to cloud to save money, you’re doing it for entirely the wrong reasons. Really what you’re buying into is hyperscale technologies – the ability to provision highly complex stacks with a few clicks of a button and paying only for what you use.

If you drag and drop a bunch of most probably oversized VMs into cloud, when you get the monthly bill, you’re in for a shock. In my experience, compute charges make up the lion’s share of your bill. Do your research ahead of time and look if there are ways you can mitigate this cost.

For starters, if you have simple web serving needs, why not use the ability to publish web sites via S3 buckets, or maybe an Azure Web App? There are multiple tiers in the latter service, depending on what levels of performance and resilience you want.

If you have bursty compute requirements, look at auto scaling technologies or even serverless. Don’t be sucked into the dogma that serverless cures all ills, because it doesn’t. Used in the right way, it can be highly cost effective and elegant. Used in the wrong way, it can be expensive and inflexible for your needs.

dogma
noun [ C or U ] disapproving
UK /ˈdɒɡ.mə/ US /ˈdɑːɡ.mə/

a fixed, especially religious, belief or set of beliefs that people are expected to accept without any doubts

Cambridge Dictionary

Not to say there isn’t anything wrong with lift and shift of VMs into Azure, AWS, GCP, etc. But it’s a staging post, it’s not a destination. One public sector body I worked with a couple of years ago were really switched on to this. They saw L&S as very much a phase one, then used the “long tail” method of transitioning their apps to something more cloud native, using technologies such as Azure SQL and Azure Web Apps.

As usual, this post is a bit more of a brain dump than anything more formal. In future posts I intend to explore some more of the experiences I’ve had in the field and hopefully some will resonate with you.

As always, comments welcome. You can reach me on Twitter @ChrisBeckett.

 

 

12-10-15

VMworld Europe Day One

Today saw the start of VMworld Europe in Barcelona, with today being primarily for partners and TAM customers (usually some of the bigger end users). However, that doesn’t mean that the place is quiet, far from it! There are plenty of delegates already milling around, I saw a lot of queues around the breakout sessions and also for the hands on labs.

As today was partner day, I already booked my sessions on the day they were released. I know how quickly these sessions fill, and I didn’t want the hassle of queuing up outside and hoping that I would get in. The first session was around what’s new in Virtual SAN. There have been a lot of press inches given to the hyper converged storage market in the last year, and I’ve really tried to blank them out. Now the FUD seems to have calmed down, it’s good to be able to take a dispassionate look at all the different offerings out there, as they all have something to give.

My first session was with Simon Todd and was titled VMware Virtual SAN Architecture Deep Dive for Partners. 

It was interesting to note the strong numbers of customers deploying VSAN. There was a mention of 3,000 globally, which isn’t bad for a product that you could argue has only just reached a major stage of maturity. There was the usual gratuitous customer logo slide, one of which was of interest to me. United Utilities deal with water related things in the north west, and they’re a major VSAN customer.

There were other technical notes, such as VSAN being an object based file system, not a distributed one. One customer has 14PB of storage over 64 nodes, and the limitation to further scaling out that cluster is a vSphere related one, rather than a VSAN related one.

One interesting topic of discussion was whether or not to use passthrough mode for the physical disks. What this boils down to is the amount of intelligence VSAN can gather from the disks if they are in passthrough mode. Basically, there can be a lot of ‘dialog’ between the disks and VSAN if there isn’t a controller in the way. I have set it up on IBM kit in our lab at work, and I had to set it to RAID0 as I couldn’t work out how to set it to passthrough. Looks like I’ll have to go back to that one! To be honest, I wasn’t getting the performance I expected, and that looks like it’s down to me.

VSAN under the covers seems a lot more complex than I thought, so I really need to have a good read of the docs before I go ahead and rebuild our labs.

There was also an interesting thread on troubleshooting. There are two fault types in VSAN – degraded and absent. Degraded state is when (for example) an SSD is wearing out, and while it will still work for a period of time, performance will inevitably suffer and the part will ultimately go bang. Absent state is where a temporary event has occurred, with the expectation that this state will be recovered from quickly. Examples of this include a host (maintenance mode) or network connection down and this affects how the VSAN cluster behaves.

There is also now the ability to perform some proactive testing, to ensure that the environment is correctly configured and performance levels can be guaranteed. These steps include a ‘mock’ creation of virtual machines and a network multicast test. Other helpful troubleshooting items include the ability to blink the LED on a disk so you don’t swap out the wrong one!

The final note from this session was the availability of the VSAN assessment tool, which is a discovery tool run on customer site, typically for a week, that gathers existing storage metrics and provides sizing recommendations and cost savings using VSAN. This can be requested via a partner, so in this case, Frontline!

The next session I went to was Power Play: What’s New With Virtual SAN and How To Be Successful Selling It. Bit of a mouthful I’ll agree, and as I’m not much of a sales or pre-sales guy, there wasn’t a massive amount of takeaway for me from this session, but Rory Choudhari took us through the current and projected revenues for the hyperconverged market, and they’re mind boggling.

This session delved into the value proposition of Virtual SAN, mainly in terms of costs (both capital and operational) and the fact that it’s simple to set up and get going with. He suggested it could live in harmony with the storage teams and their monolithic frames, I’m not so sure myself. Not from a tech standpoint, but from a political one. It’s going to be difficult in larger, more bureaucratic environments.

One interesting note was Oregon State University saving 60% using Virtual SAN as compared to refreshing their dedicated storage platform. There are now nearly 800 VSAN production customers in EMEA, and this number is growing weekly. Virtual SAN 6.1 also brings with it support for Microsoft and Oracle RAC clustering. There is support for OpenStack, Docker and Photon and the product comes in two versions.

If you need an all flash VSAN and/or stretched clusters, you’ll need the Advanced version. For every other use case, Standard is just fine.

After all the VSAN content I decided to switch gears and attend an NSX session called Disaster Recovery with NSX, SRM and vRO with Gilles Chekroun. Primarily this session seemed to concentrate on the features in the new NSX 6.2 release, namely the universal objects now available (distributed router, switch, firewall) which span datacentres and vCenters. With cross vCenter vMotion, VMware have really gone all out removing vCenter as the security or functionality boundary to using many of their products, and it’s opened a whole new path of opportunity, in my opinion.

There are currently 700 NSX customers globally, with 65 paying $1m or more in their deployments. This is not just licencing costs, but also for integration with third party products such as Palo Alto, for example. Release 6.2 has 20 new features and has the concept of primary and secondary sites. The primary site hosts an NSX Manager appliance and the controller cluster, and secondary sites host only an NSX Manager appliance (so no controller clusters). Each site is aware of things such as distributed firewall rules, so when a VM is moved from one site to another, the security settings are preserved.

Locale IDs have also been added to provide the ability to ‘name’ a site and use the ID to direct routing traffic down specific paths, either locally on that site or via another site. The key takeaway from the session was that DR is typically slow, complex and expensive, with DR tests only being invoked annually. By providing network flexibility between sites and binding in SRM and vRO for automation, some of these issues go away.

In between times I sat the VCP-CMA exam for the second time. I sat the beta release of the exam and failed it, which was a bit of a surprise as I thought I’d done quite well. Anyway, this time I went through it, some of the questions from the beta were repeated and I answered most in the same way and this time passed easily with a 410/500. This gives me the distinction of now holding a full house of current VCPs – cloud, desktop, network and datacenter virtualisation. Once VMware Education sort out the cluster f**k that is the Advanced track, I hope to do the same at that level.

Finally I went to a quick talk called 10 Reasons Why VMware Virtual SAN Is The Best Hyperconverged Solution. Rather than go chapter and verse on each point I’ll list them below for your viewing pleasure:-

  1. VSAN is built directly into the hypervisor, giving data locality and lower latency
  2. Choice – you can pick your vendor of choice (HP, Dell, etc.) and either pick a validated, pre-built solution or ‘roll your own’ from a list of compatible controllers and hard drives from the VMware HCL
  3. Scale up or scale out, don’t pay for storage you don’t need (typically large SAN installations purchase all forecasted storage up front) and grow as you go by adding disks, SAS expanders and hosts up to 64 hosts
  4. Seamless integration with the existing VMware stack – vROps adapters already exist for management, integration with View is fully supported etc
  5. Get excellent performance using industry standard parts. No need to source specialised hardware to build a solution
  6. Do more with less – achieve excellent performance and capacity without having to buy a lot of hardware, licencing, support etc
  7. If you know vSphere, you know VSAN. Same management console, no new tricks or skills to learn with the default settings
  8. 2000 customers using VSAN in their production environment, 65% of whom use it for business critical applications. VSAN is also now third generation
  9. Fast moving road map – version 5.5 to 6.1 in just 18 months, much faster rate of innovation than most monolithic storage providers
  10. Future proof – engineered to work with technologies such as Docker etc

All in all a pretty productive day – four sessions and a new VCP for the collection, so I can’t complain. Also great to see and chat with friends and ex-colleagues who are also over here, which is yet another great reason to come to VMworld. It’s 10,000 people, but there’s still a strong sense of community.

05-06-15

VCP6-CMA – Section 2: Administer vRealize Automation Users, Roles and Privileges

Objective 2.1: Create Roles and Apply Privileges to Roles

Configure system-wide roles and responsibilities

  • There are three system wide roles, they are:-
    • System Administrator (create tenants, configure identity stores, assign IaaS and tenant administrator roles, configure Orchestrator, configure branding, notifications and monitor system logs)
    • IaaS Administrator (configure IaaS features and global properties, manage IaaS licences, create and manage fabric groups, create and manage endpoints and associated credentials, configure proxy agents, manage AWS instance types, monitor IaaS logs)
    • Fabric Administrator (manage build profiles, manage compute resources, manage cost profiles, manage network profiles, manage AWS EBS volumes and key pairs, manage machine prefixes, manage property dictionary, manage reservations and reservation policies)
  • Login as a tenant administrator and go to Administration > Users & Groups > Identity Store Users & Groups. Search for the required group, add the required roles from the list and click Update to save.

Assign user roles within tenants

  • There are seven tenant based roles, including:-
    • Tenant administrator (manage tenant identity stores, user and group roles, custom groups, tenant branding, notification providers and scenarios, create and manage approval policies, manage catalog services, item and actions, manage entitlements, monitor tenant machines and send reclamation requests, configure Orchestrator servers, plug-ins and workflows for use in the Advanced Service Designer, create and publish shared IaaS blueprints)
    • Service Architect (Define custom resource types, create and publish service blueprints with the ASD, create and publish custom actions)
    • Business Group Manager (create and publish business group specific blueprints from IaaS, catalog items and entitlements, monitor resource usage in a business group)
    • Support User (Request and manage items on behalf of other users within their business groups)
    • Business User (Request and manage services)
    • Approval Administrator (Create and manage approval policies)
    • Approver (Approve catalog requests, including provisioning requests or any resource actions)
  • Login as a tenant administrator and go to Administration > Users & Groups > Identity Store Users & Groups. Search for the required group, add the required roles from the list and click Update to save.

Configure tenant roles and responsibilities

  • Login to the vRealize Appliance as a tenant administrator
  • Select Administration > Groups
  • Click the Add icon
  • Select Identity Store Group
  • Type a group name in the Add existing Identity Store groups to this group search box
  • Select one or more roles from the Add Roles to this Group list (The Authorities Granted by Selected Roles list indicates the specific authorities you are granting)
  • Click Update.
  • Changes to user access rights are reflected immediately

Add identity stores

  • Login to the vRealize Appliance as a tenant administrator
  • Select Administration > Identity Stores
  • Click the Add icon
  • Type a name in the Name text box
  • Select the type of the identity store from the Type drop-down menu
    • OpenLDAP
    • Active Directory
  • Type the URL for the identity store in the URL text box. (For example, ldap://10.141.64.166:875)
  • Type the domain for the identity store in the Domain text box
  • (Optional) Type the domain alias in the Domain Alias text box
  • Type the login user Distinguished Name in the Login User DN text box (For example, cn=demoadmin,ou=demo,dc=dev,dc=mycompany,dc=com).
  • Type the password for the identity store login user in the Password text box.
  • Type the group search base Distinguished Name in the Group Search Base DN text box (For example, ou=demo,dc=dev,dc=mycompany,dc=com)
  • Type the user search base Distinguished Name in the User Search Base DN text box (For example, ou=demo,dc=dev,dc=mycompany,dc=com)
  • Click Test Connection
  • Click Add

Appoint tenant administrators

  • IaaS administrators cannot be added until IaaS components have been installed
  • You must first configure an identity store
  • Type the name of a user or group in the Tenant Administrators or Infrastructure Administrators search box and press Enter
  • Verify that the user or group name appears in Tenant Administrators or Infrastructure Administrators list
  • Click Update

Objective 2.2: Configure AD/LDAP Integration

Configure identity stores

  • Login to the vRealize Appliance as a tenant administrator
  • Procedure is much the same as in the “Add Identity Stores” listed above.
  • Changes can be made to search DNs, LDAP bind user and LDAP URL/port if required
  • Each tenant must have at least one identity store
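
The values typed into the identity store form (the fields listed under “Add identity stores”, and the search DN, bind user and URL/port changes mentioned here) can be sanity-checked before clicking Test Connection. The script below is an added example, not part of the original notes or of any VMware tooling: the function names are hypothetical, the Domain value dev.mycompany.com is assumed from the example DNs, and it assumes the Domain text box corresponds to the dc= components of the DNs.

```python
"""Pre-flight check for identity store form values (added example)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_dn(dn):
    """Split a DN into lower-cased (attribute, value) pairs, honouring '\\,' escapes.

    Multi-valued RDNs (joined with '+') are kept as one value; enough for this check.
    """
    rdns, current, escaped = [], "", False
    for ch in dn:
        if escaped:                      # character after a backslash is literal
            current, escaped = current + ch, False
        elif ch == "\\":
            current, escaped = current + ch, True
        elif ch == ",":                  # unescaped comma ends the RDN
            rdns.append(current)
            current = ""
        else:
            current += ch
    rdns.append(current)
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn.strip()!r}")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def check_identity_store(url, domain, login_user_dn, group_base_dn, user_base_dn):
    """Return a list of (severity, field, message) findings for the form values."""
    findings = []

    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        findings.append(("error", "URL",
                         "expected ldap://host[:port] or ldaps://host[:port]"))
    else:
        if scheme == "ldap":
            findings.append(("warning", "URL",
                             "ldap:// does not start with TLS; the Login User DN "
                             "password is only protected if the client upgrades "
                             "the connection with StartTLS"))
        try:
            port = parts.port or DEFAULT_PORTS[scheme]
        except ValueError:               # non-numeric or out-of-range port
            port = None
            findings.append(("error", "URL", "port is not a valid number"))
        if port is not None and port != DEFAULT_PORTS[scheme]:
            findings.append(("info", "URL",
                             f"port {port} is not the {scheme} default "
                             f"({DEFAULT_PORTS[scheme]}); confirm the directory "
                             "listens there"))

    # Assumption: the Domain text box maps to the dc= components of every DN.
    expected_dcs = [label.lower() for label in domain.split(".") if label]
    for field, dn in (("Login User DN", login_user_dn),
                      ("Group Search Base DN", group_base_dn),
                      ("User Search Base DN", user_base_dn)):
        try:
            pairs = parse_dn(dn)
        except ValueError as exc:
            findings.append(("error", field, str(exc)))
            continue
        dcs = [value for attr, value in pairs if attr == "dc"]
        if dcs != expected_dcs:
            findings.append(("warning", field,
                             f"dc components {'.'.join(dcs) or '(none)'} do not "
                             f"match the Domain value {domain}"))
        elif field != "Login User DN" and len(pairs) == len(dcs):
            findings.append(("warning", field,
                             "search base is the domain root, so the search covers "
                             "the whole directory rather than one OU"))
    return findings


# URL and DNs are the examples from the notes; the domain is an assumed value.
PAGE_EXAMPLE = dict(
    url="ldap://10.141.64.166:875",
    domain="dev.mycompany.com",
    login_user_dn="cn=demoadmin,ou=demo,dc=dev,dc=mycompany,dc=com",
    group_base_dn="ou=demo,dc=dev,dc=mycompany,dc=com",
    user_base_dn="ou=demo,dc=dev,dc=mycompany,dc=com",
)

if __name__ == "__main__":
    for severity, field, message in check_identity_store(**PAGE_EXAMPLE):
        print(f"{severity.upper():8}{field}: {message}")
```
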

Link an identity store to a tenant

  • Login to the vRealize Appliance as the system administrator
  • Click Add Tenant and fill in the details
  • Procedure is much the same as in the “Add Identity Stores” listed above

Configure a Native Active Directory Identity Store

  • Native Active Directory identity store is only available on the default tenant
  • Login to the vRealize Appliance as a system administrator
  • Join your Identity Appliance to Active Directory to enable Native Mode
  • When in the tenants view, select the default tenant (vsphere.local)
  • Click the Identity Stores tab, click Add and type in the name of the joined AD domain
  • Click Add and Update

19-05-15

vRealise Automation – What I Learned This Week

As I mentioned previously, my new role has meant that I have to get up to speed on all things automation very quickly indeed. This week I have been spending all of my time getting to grips with vRA – its architecture, components, installation and design considerations (amongst other things). I’m not going to re-invent the wheel by writing my own install and config guide, there are a ton of brilliant resources out there already, so I’m going to link to them (more for my own reference than anything else I think).

I think the first thing is not to be fazed by putting together a small scale vRA setup. You just need three VMs to get started, and two of those are already built out for you as virtual appliances. Install in this order:-

  • Deploy SSO / ID appliance OVF and configure as appropriate (IP addresses, root passwords etc.)
  • Deploy vRA appliance OVF and configure as appropriate (IP addresses, root passwords etc)
  • Deploy IaaS stack on a Windows Server

To get started and before you install anything, I’d highly recommend watching the videos at virtualjad.com. They’re pretty bite size (generally 15-20 mins per video) and go through the install path and configuration. I managed to follow that quite easily, but I’ll be honest and say that the customisation stuff blew my brain. I’ll have to go back and re-watch that, it just could have been a bit of overload.

In terms of the actual installation, as the OVFs can be redeployed at any time, there’s no real worry about breaking those on initial installation. The Windows IaaS box should be snapshotted before running the main installation and make sure to run Brian Graf’s awesome pre-reqs PowerShell script to make sure all bits like Windows Server roles, Java and IIS are configured correctly. I did this by hand previously and it was torture.

Configure a service account and give it administrator permissions from vCenter down (I know this is bad practice, but we’re talking about a lab environment) and also give it access to SQL. Don’t create the vRA database, the IaaS installer will do this for you. Also, there is no need to configure an ODBC connection.

The install pre-req script does not appear to set the local security policy on the IaaS box, so you will need to add in your service account user to the “Log on Locally” and “Logon as a service” policies. You will get a warning from the IaaS installer if this has been missed, so don’t worry. If you get any 401 errors when browsing within the Infrastructure tab, double check your service account is a member of the local Administrators group.

Other Random Stuff

Can’t see the vCenter VM templates in the vRA interface? Ensure you have a network policy configured and mapped to the port group on the vCenter side, then you should see the templates when creating a blueprint. This one kept me going for hours.

Can’t see the Advanced Services designer? Follow this blog post and ensure you have a Service Architect role properly configured.

Can’t add a plug-in into the built in Orchestrator server on the vRA appliance? You need to start the vco-configurator service on the appliance. Thanks again to Ryan Kelly, who seems to have bumped his head on all the things I’ve seen so far and helped me fix it. Top man!

03-03-15

Top vBlog 2015 Voting Is Open!

Anyone who knows me knows that I am as shamelessly competitive as the next man, but if you hadn’t heard, voting is now open in the annual 2015 Top vBlog competition, over at vSphere-Land.com. There are dozens and dozens of fine blogs from which to choose, from the industry heavyweights such as Duncan Epping and Frank Denneman, to jobbing journeymen like me.

I’ve already voted in the poll and in keeping with the spirit of the competition, I’ve not voted for myself and neither have I voted for anyone who is a friend but whose blog I don’t commonly visit.

Why vote?

Blogs take time, money and energy to keep going. More often than not, they are written in the author’s own time and on web sites paid for out of their own pocket. Certainly in my case, I’ve learned a lot over the years from blogs, and if you’ve been in this game long enough, a blog posting somewhere (usually from years back) will have got you out of a pickle at some point.

By voting for your favourite blogs, it’s your way of giving these folks a pat on the back for the fine work they continue to do, not just about VMware products but also related ecosystem products such as networking, storage and utilities. It costs you nothing except about 10 minutes of your valuable time and you should pick the blogs you read and enjoy the most. I read Duncan and Cormac Hogan’s blogs a lot, so I made sure I voted for them. There are no massive cash rewards for this, just the knowledge that people enjoy and respect the effort that goes in, and more than anything else, the willingness to share it.

So vote now!

The poll is open until 19th March, but don’t leave it until the last minute or you’ll just forget. As I said earlier, the whole thing is simple and takes 10 minutes, tops.

I will! What’s involved?

Basically pick your 10 favourite blogs and then rank them into order of preference. I won’t say who I voted as number 1, but I suspect it will be the same as many others!

Then choose your favourite storage blog, your favourite scripting blog, favourite VDI blog (cough Virtual Fabric, cough, splutter!), favourite new blogger and favourite independent blogger. There are also categories for favourite news site and favourite podcast.

Enter your e-mail address (not shared with anyone), complete the captcha and you’re done! Do it now and pat your favourite blogger virtually on the back!

Click here to vote.

07-11-14

Why the VMUG UK conference is not a “poor man’s” VMworld

Miss VMworld this year? Yep, me too. I seem to attend every other year, and this year was when I missed out. That being said, what did you miss? Well the keynotes were streamed live and can be played back again now on demand. Hands On Labs? Well you can use them any time you like via the magic of the interwebs. OK, so you don’t get access to the Solutions Exchange and there were lots of really cool breakout sessions that you can only view if you have the appropriate access to the VMworld website.

Did you know that on November 18th there is the UK VMUG User Conference? It’s at the National Motorcycle Museum in Solihull, a small journey away from Birmingham airport. I’m here to tell you that this event is not a poor man’s VMworld and the two should not really be compared. Here’s why.

I’ve been to VMworld twice and the UK VMUG twice, so I feel pretty well qualified to comment on both events. The UK VMUG is obviously a much smaller event, but remember that old saying “small ones are more juicy?”. Even though it’s a fraction of the scale of VMworld, you can get just as much out of the single day at the UK VMUG as you can from VMworld.

For starters, the keynote is by Joe Baguley. For those that don’t know, he’s the CTO for EMEA at VMware. His keynotes are often quite thought provoking, witty and a little left field. They’re not a typical dry keynote of numbers and bar charts, roadmaps and gratuitous slides with customer logos on them. They’re probably in there too, but this event is a little different. It’s for users by users.

As well as there being several parallel breakout tracks, you can decide which areas you want to specialise in, such as EUC (obviously where I’ll be!), SDDC, NSX and partner sessions. You don’t have to register for the breakouts in advance, just turn up. If you don’t feel like going to the vRealise session, don’t. Go to the Horizon View one instead! There’s a much easier flow to these events than you get at VMworld.

In terms of partner support, pretty much all the main guys are there. Veeam are platinum sponsors and then there is an array of gold sponsors with household names such as Brocade, Cisco and SanDisk, as well as up and coming partners such as Nutanix, Atlantis and Tintri (apologies if I haven’t name checked you!). The point being is that all the main partners will be there, in a much smaller and more intimate setting and in a more techie based environment than you might get at VMworld. Plus there’s a better chance of having a decent conversation with one of the aforementioned vendors! At VMworld, the large scale of it all doesn’t always make it easy to sit down with the appropriate person at a vendor booth.

So why else should you go? Here’s an abridged roll call of the confirmed speakers so far :-

  • Chris Wahl
  • Joe Baguley
  • Cormac Hogan
  • Mike Laverick
  • Matt Steiner
  • Alan Renouf
  • Barry Coombs
  • Peter Von Oven
  • Jonathan Medd
  • Lee Dilworth
  • Ricky El-Qasem

All well known names in the community and excellent presenters all. There are also several more informal sessions taking place throughout the day, including an AMA (Ask Me Anything) session with VMware GSS (so I’ll be asking my stock question of “if you were a dinosaur, which one would you be and why?”) and the now traditional design session with my former colleague Darren “Grandpa” Woollard. Sit down with him and whiteboard out some design discussions around deployment of VMware and associated technologies. Just remember to SPEAK SLOWLY AND LOUDLY! ;-). The latest event agenda is available here.

There are also the usual slew of event giveaways and prizes, and if you ask him nicely, Darren may autograph your left pectoral.

So then, there you go. I will be along there, feel free to say hello if you see me, I don’t bite. Unless you’re slathered in Nutella, obviously.

Did I say it was free? Register here now, and get yourself along!

 

02-04-14

VCAP-DTA – Objective 5.2 – Deploy ThinApp Applications using Active Directory

Once we have a repository configured for our ThinApps, we next continue the groundwork by preparing Active Directory. We can then harness Active Directory groups to control access to the ThinApps.

  • Create an Active Directory OU for ThinApp packages or groups – From your domain server, go to Administrative Tools and select Active Directory Users and Groups. From wherever in the hierarchy the exam asks you to, right click and select New, Organizational Unit. Give the OU a name and click OK.
  • Add users to individual ThinApp package OU or groups – Again not really a View skill as such, just some basic AD administration. Now you have created your OU(s) as above, to create a user right click on the ThinApp OU, click New, User, fill out the appropriate details, click Next, enter password information and click Next and Finish. To add a group, right click on the appropriate OU, click New, Group, give the group a name and select the type and click OK. To add users to an existing group, double click the group, click Members, Add and enter the user names and click Check Names. Click OK twice.
  • Leverage AD GPOs for individual ThinApp MSIs – Group Policy can be used to publish an existing ThinApp MSI without the need for a repository, or in parallel. To configure this, go to Administrative Tools, Group Policy Management. Right click the OU in which you would like to create the GPO. Select Create a GPO in this domain, and link it here (for a new GPO, or select Link an existing GPO if asked). Name the GPO and click OK. Once the GPO is created, right click on it and select Edit. In either Computer Configuration or User Configuration select Policies and then Software Settings. Right click on Software Installation and select New, Package. Browse to the network location of the MSI and select the MSI and then Open. Accept the defaults to Assign the package to a user or computer or click Advanced for further settings. Click OK. If you select Advanced, use the tabs across the top to make changes as appropriate and click OK. You may need to run gpupdate.exe to refresh Group Policy.
  • Create and maintain a ThinApp login script – The ThinReg utility can be used in an existing login script to deploy ThinApps to users. For example, in the NETLOGON share, you can add a line or lines into the logon script to invoke thinreg.exe. In its simplest form, just add the line thinreg.exe \\server\share\application.exe /Q. The /Q switch just runs the command silently. It may well crop up as a specific requirement on the exam.

01-04-14

VCAP-DTA – Objective 5.1 – Create a ThinApp Repository

There are two objectives in this section which are around setting up the ThinApp repository on the network to be used by the View infrastructure to distribute applications from. It’s telling that this topic has several tool references attached to it, so we’re going outside the confines of the View Administration guide really for the first time.

Again it’s difficult to imagine within the confines of a tight three hour exam that you will be asked to package up anything other than a relatively simple application, but be prepared for the odd curve ball. Ultimately as long as you understand the fundamentals, you can go a long way to scoring points on this objective, even if you don’t get it completely right.

  • Create and configure a ThinApp repository – The creation of the ThinApp repository is done from within View Administrator. Go to View Configuration, ThinApp Configuration, Add Repository then enter in a Display Name and Share Path (e.g. \\server\thinapp\repo) and add a Description if you like.
     
  • Configure a ThinApp repository for fault tolerance using DFS or similar tools – In order to create a DFS share, you need to have the File Services role enabled on the server. DFS is basically a network share made up of chunks of storage from different servers. You reach the DFS share by using the path \\domain\dfsroot, so for example \\beckett.local\dfs-share. DFS also has file replication technology built in you can use for further resilience. I can’t really think you’ll be asked to do too much with DFS in the exam as much of this is based on the Windows server itself. What you will probably need to know is how to point a ThinApp repository at a DFS share (so use the example syntax above). This is pretty much all that is listed in the ThinApp reference materials.

07-03-14

VCAP-DTA – Objective 4.1 – Build, Upgrade and Optimize a Windows Desktop Image

Section 4 is based around the building and maintaining of desktop images. This is a pretty broad area that can encompass a whole raft of different settings and considerations, so again we need to try and be smart and take a guess at what the exam might ask us to do, really based on the very tight time constraints of the exam.

The tools reference lists only the View Administration guide and View Administrator, so this gives us some idea of the scope of the question. My guess is we’ll have at least a vanilla build of Windows 7 with no VMware Tools or View Agent. There may also be some other tasks to complete, such as enabling remote access and also tuning for PCoIP performance (there may well be the odd RDP question on the exam, but my expectation is PCoIP will be the primary focus as RDP is pretty much deprecated).

There is only one skill and ability being measured in this objective.

  • Create, configure, optimize and maintain a base Windows desktop image for View Implementation 
    • Pre-requisites of Windows installation and available Active Directory will most likely already have been completed for you.
    • Add the View users group to the local Remote Users group in Windows
    • Ensure you have administrative rights to the VM before proceeding to installation
    • Enable 3D rendering on the VM if asked to do so
    • Install VMware Tools and ensure NTP is set to an external source, not to the host
    • Install updates, service packs etc
    • Install anti-virus (seems unlikely this will come up, but you never know)
    • Install smart card drivers if required (again, seems unlikely)
    • Set power option to Turn off the display – never (required for PCoIP)
    • Set Visual Effects – Adjust for best performance (done in Control Panel, System, Advanced System Settings, Performance Settings)
    • Configure the IP stack (DHCP, DNS, etc)
    • Join the desktop to the Active Directory domain
    • Install the View Agent
    • The following steps are listed as optional, but may still come up on the exam
    • Disable unused ports such as LPT1, COM1, etc
    • Choose a basic theme, disable the screen saver and set the background to a solid colour, check hardware acceleration is enabled
    • Select the high performance power management profile
    • Disable Indexing Service
    • Remove restore points (disable?)
    • Disable System Protection on C:\
    • Disable any other unneeded services in the Services applet
    • Delete hidden uninstall folders, such as folders in C:\Windows starting with $NtUninstall
    • Clear down all event logs
    • Run Disk Defragmenter and Disk Cleanup

As part of this section is “maintain”, it might well be possible you’re asked to update the base image with a couple of patches and recompose the pool.

VCAP-DTA – Objective 4.2 – Deploy Applications to Desktop Images

So now we have the desktop image built, patched and optimised, we now have to install applications. Objective 4.2 has two skills and abilities – identifying MSI installation options and determining when to use native installs.

  • Identify MSI installation options
    • I’m not sure I understand what is being asked on this one beyond what the command line switches for msiexec.exe are and how they affect application installations
    • There are several command line options that can be used with MSI based installers, the best way (and probably the quickest) for the exam is to simply run msiexec /? from a command prompt to get a list of them all. In fact, you don’t even need the question mark, just run the command with no switches to get a summary list of your options. This screen is shown below :-

msiexec

  • Determine when to use native installs
    • Again another skill/ability being tested that is worded a bit strangely, in my opinion. When would you natively install an application? What is implied by the term? I can only presume this question is based around ThinApp, so when would you embed an application into the base image and when would you ThinApp it?
    • If my assumption/interpretation above is correct, then we have to look at the limitations of ThinApp to guide us on what applications can and can’t be virtualised and added to the ThinApp repository
    • The limitations of ThinApp 4.7 are listed in the user guide, and amongst other things include :-
      • Applications requiring the installation of kernel mode drivers
      • Anti-virus, firewall products
      • Scanner and printer drivers
      • Some VPN clients
      • Device drivers (mouse etc.)
      • Shell integration is limited
      • Network DCOM is not supported

06-03-14

VCAP-DTA – Objective 3.2 – Configure and Manage Pool Tags and Policies

This objective is relatively short and only has one skill being measured, the ability to correctly configure tags. As a refresher, tags can be used to provide a level of security on connection servers and pools and gives the ability to provide what VMware refers to as “Restricted Entitlement”, which means Connection Servers can only access certain pools. The most obvious and common use case for tagging is when Security Servers are in play, and you want to restrict incoming users from the internet to only use particular Connection Servers.

So then, with only one skill/ability being measured in this section, let’s get to it!

  • Configure tagging for specific Connection Server or security server access – Tagging is done from within View Administrator. You can set tags on Connection Servers and also on pools. One thing you need to be aware of is tag matching – this defines whether or not a user is permitted access to a desktop and will most likely be something you’ll be tested on in the exam.
    • To set a tag on a Connection Server, go to View Administrator and View Configuration, Servers, Connection Servers, choose your Connection Server, click Edit and in the top box, assign the tags you want to use. The example below illustrates two tags in use. This is an internal Connection Server, so it’s been tagged as “Internal” and “Secure”. Note a comma separating multiple tags.

tags

    • To add tags to an existing pool, in View Administrator go to Inventory, Pools, select the Pool you wish to tag, click Edit and then Pool Settings. At the top of this screen is General and Connection Server Restrictions. Click Browse and click the Restricted to these tags radio button. Select the appropriate tag as per below :-

pool-tags

    • Click OK to apply the setting.
    • To apply a tag during pool creation, when you get to the Pool Settings screen, you basically access the same dialog screen. So under the General heading at the top, go to Connection Server Restrictions, click Browse and select the appropriate tag as shown above.
  • In respect of tag matching, be aware of the following matrix as you may be asked to troubleshoot an access issue during the exam which may be caused by incorrect tagging :-
    • Connection Server no tags – Pool no tags – access permitted
    • Connection Server no tags – Pool one or more tags – access denied
    • Connection Server one or more tags – Pool no tags – access permitted
    • Connection Server one or more tags – Pool one or more tags – access depends on tags matching
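
The matrix above, turned into a small audit as an added example (not part of the original post and not VMware code): it lists which pools each Connection Server can broker, which is the check to run when troubleshooting a tagging issue or confirming what an internet-facing server exposes. Server names, pool names and tag values are constructed, and treating one shared tag as a match is an assumption.

```python
"""Audit View restricted entitlements: which pools each Connection Server can broker."""

def parse_tags(field):
    """Split the comma-separated tag box from View Administrator into a set."""
    return {t.strip() for t in field.split(",") if t.strip()}

def access_permitted(server_tags, pool_tags):
    """Apply the tag-matching matrix to one Connection Server / pool pair."""
    if not pool_tags:
        return True   # untagged pool: permitted via any server, tagged or not
    if not server_tags:
        return False  # tagged pool reached via an untagged server: denied
    # Both sides tagged. Assumption: one shared tag counts as a match,
    # and tags are compared exactly as typed.
    return bool(server_tags & pool_tags)

def audit(servers, pools):
    """Return {server name: sorted list of pools it may broker}."""
    return {
        name: sorted(pool for pool, ptags in pools.items()
                     if access_permitted(parse_tags(stags), parse_tags(ptags)))
        for name, stags in servers.items()
    }

def exposed_pools(servers, pools, external_servers):
    """Pools reachable through any of the named internet-facing servers."""
    report = audit(servers, pools)
    return sorted({pool for s in external_servers for pool in report[s]})

# Constructed sample inventory (hypothetical names and tags).
SERVERS = {
    "cs-internal": "Internal, Secure",
    "cs-external": "External",
    "cs-untagged": "",
}
POOLS = {
    "finance": "Secure",
    "kiosk": "External",
    "general": "",      # no tag set on this pool
    "lab": "Lab",       # tag that no server carries
}

if __name__ == "__main__":
    for server, reachable in audit(SERVERS, POOLS).items():
        print(f"{server}: {', '.join(reachable) or '(none)'}")
    print("internet-facing:", exposed_pools(SERVERS, POOLS, ["cs-external"]))
```

In the sample, the untagged "general" pool is brokered by every server including cs-external, while "lab" is unreachable because no server carries its tag; both are typical causes of an access issue.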

VCAP-DTA – Objective 3.3 – Administer View Desktop Pools

This objective is the guts of spinning up virtual desktops for users, and covers the full range of desktop pool types available. So full and linked clone pools, assignment types, Terminal Services or manual pools, user and group entitlements and finally refreshing, recomposing and rebalancing pools. Sounds like a lot, but actually there’s a nice flow to this objective and it should be quite straight forward.

  • Create and modify full or linked-clone pools – To create a new pool in View Administrator, go to Inventory, Pools, Add. The pool creation wizard is generally pretty easy to follow and there’s not much value I can add to it here. Click Next until you reach the third screen of the wizard, entitled vCenter Server. This screen provides the option for Full virtual machines or View Composer Linked Clones. Select the appropriate radio button for the type you want and continue on through the screens to finish the pool creation wizard. The choice selection screen is shown below :-

pool-type

    • To modify an existing pool, go to Inventory, Pools, select the pool you are interested in and click Edit. You can change various settings on an existing pool, such as the pool display name, remote protocol settings, power management, storage accelerator etc. You cannot change the pool type once it has been created.
  • Create and modify dedicated or floating Pools – To create a floating pool, you can only select Automated Pool or Manual Pool in the initial pool definition type screen. When you click Next, you then get presented with the choice of creating a Dedicated or Floating pool. Remember dedicated pools mean once a user is assigned a desktop, they own it “forever” whereas a floating pool is in essence the “next cab off the rank” and is not persistently tied to a single user. Each type has its own use case. From here, complete the wizard with the required settings to provision the pool.
    • To modify an existing pool, go to Inventory, Pools and select the pool you wish to modify. Click Edit and make changes as appropriate. With a dedicated pool, your only option is to enable/disable automatic assignment. A floating pool has additional options for editing settings, including vCenter Settings (changing datastores etc.) and also Guest Customizations.
  • Build and maintain Terminal Server or manual desktop pools – Manual and Terminal Services pools are an extension of View by adding in the View Agent to an existing virtual machine, Terminal Server or even a physical PC or blade PC.
    • To add a manual pool, ensure the agent is installed on the endpoint (and you may be tested on this!), go to Inventory, Pools, Add, Manual Pool. Again the wizard is pretty straight forward, populate all the settings you need.
    • To add a Terminal Services pool, again make sure the View Agent is installed on the endpoint before you proceed.
  • Entitle or remove users and groups to or from pools – Once you’ve built your pools, you also need to add an entitlement. This is simply users and/or groups from Active Directory that you want to grant access to desktops to. This can be done in one of two ways – either when the pool is created (final wizard screen, tick the box for entitle users after this wizard finishes) or afterwards if you forget during pool creation, or if you want to add additional users or groups. If you select to entitle on completion, click Add and use the search box to find the users or groups you want to entitle, as shown below :-

entitlements

    • To add entitlements retrospectively, go to Inventory, Pools, Entitlements and this brings you into the same dialog as above where you simply repeat the same steps to add users and/or groups.
  • Refresh, recompose or rebalance pools – Depending on your design or operational procedures (or if you’re asked to by the exam!), you will need to refresh, recompose or rebalance your desktop pools. As a refresher, this is what each term means :-
    • Refresh – Reverts the OS disk back to the original snapshot of the clone’s OS disk
    • Recompose – Simultaneously updates all linked clone machines from the anchored parent VM, so think Service Pack rollout as a potential use case
    • Rebalance – Evenly redistributes linked clone desktops among available datastores
    • To perform these operations, the desktops must be in a logged off state with no users connected. Go to View Administrator, Inventory, Pools and select the pool you want to manage. Under the Settings tab, click the View Composer button and choose the operation – refresh, rebalance or recompose.
    • When you choose the refresh action, you specify when you want the task to run and whether you want to force users to log off or wait for them to log off. You can also specify a logoff time and message, this is customisable from Global Settings. Check your settings and hit Finish to start the operation.
    • When you select recompose, select the snapshot you want to use and whether or not to change the default image for new desktops. Again run through the scheduling page and choose your settings, click Next and Finish.
    • When you select rebalance, you simply fill out the scheduling page and click Finish.
    • Remember if you’re asked to set a custom logoff message, this is done from View Configuration, Global Settings, Display warning before forced logoff.