Yellow Bricks

by Duncan Epping


Re: VMware vSphere 4 default installation settings (gabesvirtualworld)

Duncan Epping · May 21, 2010 ·

In response to Gabe’s article on default installation settings, there are some things I personally almost always do differently and I wanted to point them out. Consider them my recommendations / best practices and not necessarily VMware’s. I’ve added two (*) and have a different opinion on some of Gabe’s best practices (-).

COS Memory:

  • Although COS memory is “dynamic”, I still always increase it to the full 800. The overhead of this in most of the servers (usually 48GB+) is tiny. (-)

Host Configuration:

  • Hostnames in lowercase characters; to avoid any HA issues. (*)
  • I never change the name of the Service Console portgroup. People are used to this name; changing it leads to confusion in most cases, and it is a critical part of your host. (-)
  • Avoid using agents within the Service Console. (*)

vSwitch settings:

  • MAC address changes: Reject (-)
    A best practice recommended by VMware PSO to ensure that when someone changes a MAC address within the OS, all inbound packets are dropped.
  • Forged Transmits: Reject (-)
    Setting Forged Transmits to reject ensures that the originator of the packet is validated. Any outbound frame with a MAC address that is different from the one currently set on the adapter will be dropped. Again a best practice recommended by VMware PSO.
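
The two Reject rules above, written out as a simplified model (an added example, not code from the original post or from VMware; the class and function names and the sample MAC addresses are constructed for illustration):

```python
from dataclasses import dataclass

@dataclass
class Policy:              # vSwitch / portgroup security policy (model only)
    mac_changes: str       # "accept" or "reject"
    forged_transmits: str  # "accept" or "reject"

@dataclass
class VNic:
    initial_mac: str       # MAC assigned in the VM's configuration
    effective_mac: str     # MAC currently set on the adapter by the guest OS

def _norm(mac: str) -> str:
    # Compare MACs case-insensitively and ignore the separator style.
    return mac.strip().lower().replace("-", ":")

def inbound_allowed(policy: Policy, nic: VNic) -> bool:
    """MAC address changes = Reject: once the guest has changed its MAC,
    all inbound frames to that adapter are dropped."""
    changed = _norm(nic.effective_mac) != _norm(nic.initial_mac)
    return policy.mac_changes == "accept" or not changed

def outbound_allowed(policy: Policy, nic: VNic, frame_src: str) -> bool:
    """Forged Transmits = Reject: an outbound frame is dropped when its
    source MAC differs from the one currently set on the adapter."""
    forged = _norm(frame_src) != _norm(nic.effective_mac)
    return policy.forged_transmits == "accept" or not forged

def evaluate(policy: Policy, nic: VNic, frame_src: str) -> dict:
    return {"inbound": inbound_allowed(policy, nic),
            "outbound": outbound_allowed(policy, nic, frame_src)}

HARDENED = Policy(mac_changes="reject", forged_transmits="reject")
PERMISSIVE = Policy(mac_changes="accept", forged_transmits="accept")

# Constructed sample adapters: one untouched, one re-addressed inside the guest.
UNCHANGED = VNic("00:50:56:AA:BB:01", "00:50:56:aa:bb:01")
CHANGED = VNic("00:50:56:AA:BB:02", "02:00:00:00:00:99")

if __name__ == "__main__":
    cases = [("own MAC", UNCHANGED, "00:50:56:aa:bb:01"),
             ("forged source", UNCHANGED, "02:00:00:00:00:77"),
             ("guest changed MAC", CHANGED, "02:00:00:00:00:99")]
    for label, nic, src in cases:
        for name, pol in (("hardened", HARDENED), ("permissive", PERMISSIVE)):
            print(f"{label:18} {name:10} {evaluate(pol, nic, src)}")
```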


Server best practice, ESX, vSphere


Comments

  1. Richard says

    21 May, 2010 at 13:25

    Duncan,

    Regarding this statement: “Hostnames in lowercase characters; to avoid any HA issues.”, is it true then that HA is case sensitive?

  2. Tom says

    21 May, 2010 at 13:56

    Would you please link to Gabe’s presentation??
    I’ve read it, it’s good…
    Thank you, Tom

  3. Sander says

    21 May, 2010 at 14:01

    Tom: http://www.gabesvirtualworld.com/vmware-vsphere-4-default-installation-settings/

  4. KyleMcM says

    21 May, 2010 at 14:50

    Do you not set a password for single user mode as a standard best practice?

    Allowing any user to reset the root password without authentication seems a big hole to leave open in my opinion.

  5. Brandon says

    21 May, 2010 at 15:15

    Who needs a COS. ESXi all the way!

  6. neo76 says

    21 May, 2010 at 15:52

    Hello,

    To set a password for single user mode is a good practice but not such a big hole in my opinion. To connect with single user mode, physical access to the server console is required. And if someone has physical access, nothing can protect your server.
    If your server has remote control capabilities (iLO, DRAC, etc.) and you enabled them, then your first concern should be to protect them (use a strong password and control network access with VLANs, for example) and then the OS for console access security (grub/single login passwords).

  7. Chris Huss says

    21 May, 2010 at 16:13

    If MAC changes and forged transmits are set to reject, I’d be concerned that MS NLB clusters wouldn’t work anymore.

    I agree with the lowercase hostnames/HA issue. I’ve seen this problem with HA in class a lot.

  8. Jason says

    21 May, 2010 at 18:56

    The issue with using mixed case or uppercase hostnames is that the DNS lookup will return all lowercase, so it fails a strict compare. With some versions of vCenter this will cause HA configuration to fail – it’s easier just to avoid it altogether with lowercase hostnames.

  9. Duncan Epping says

    21 May, 2010 at 21:43

    @KyleMcM : That’s definitely something that is discussed. But most of my customers have a closed datacenter and restricted access to console already.

    @richard: http://kb.vmware.com/kb/1003735


About the author

Duncan Epping is a Chief Technologist in the Office of CTO of the Cloud Platform BU at VMware. He is a VCDX (# 007), the author of the "vSAN Deep Dive", the “vSphere Clustering Technical Deep Dive” series, and the host of the "Unexplored Territory" podcast.


Copyright Yellow-Bricks.com © 2022