Friday, May 30, 2014

VMware ESXi requires No-Execute Memory Protection enabled

Today, while building my new virtual home lab, I had an issue with my new HP DL360-G5.
Note: VMware doesn't support ESXi 5.5 running on the DL360-G5 (in this case with an Intel Xeon 5150), but it runs smoothly without any issues, even though it is not listed as supported in the VMware HCL.

When I was installing ESXi 5.5 (HP-5.73.21 build) on this server I received a purple screen with this warning:

VMware ESXi 5.5 (VMKernel Release Build 1623387)

The system has found a problem on your machine and cannot continue.

VMware ESXi requires the Execute Disable/No Execute CPU feature to be enabled

This means that your server has the No-Execute Memory Protection option disabled.

You can check the VMware KB regarding this issue.

It is very easy to fix.
Restart your server, enter the BIOS and change the No-Execute Memory Protection option to enabled.

Then you can run the ESXi install again.

Tuesday, May 6, 2014

vCenter 5.5 SSO one-way Trusts between Domains/Forests Bug

There is a bug in vCenter 5.5 with AD vs SSO that we found, and it is a hassle for big environments that have several domains with only one-way trust.

I will try to use simple examples so that you can understand more realistic environments.

You have a global domain and several subdomains (let's say on different continents, and also country subdomains),,, etc. There is only a one-way trust across most of the multiple domains and forests. In this case it was a one-way trust from our internal domain( to the global domain(

All your users are from the global domain. For permissions to the vCenter you have Groups from your internal subdomain( and add users from the global domain( and maybe from other global domains,

AD configurations for the vCenter permissions.

AD Group vCenter Admin (admins from your internal domain, but also from the global domain)
AD Group Sales Rep(users from internal, but also from,

Those groups have rights to the vSphere Client, and also to the vSphere Web Client.

Here is the problem: using Groups from the local domain and adding global users (or users from another one-way trust subdomain).

Users from other domains inside Groups from the internal domain will not be able to connect to the vSphere Client (no permissions). They will connect to the vSphere Web Client, but will not see any vCenter.

Solution/Workaround? Just use users directly (from any domain), and then they can log in and have the proper permissions.
If you add the users directly to the vCenter (Clusters, Pools, Folders, etc.), users can log in.

In our case it was a big, big problem: we have hundreds of users who log in to the vCenters from different projects and different parts of the world, and we need to add them one by one in Clusters, Pools, Folders, etc.

This is not a proper way to manage permissions with Groups/Users, but it was the only way, other than rolling back to 5.0.
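To scope the workaround, the following added example (not from the original post or from VMware) lists which members of an internal-domain group belong to another domain and would therefore need permissions assigned directly. It assumes the group's `member` DNs have been exported from AD, and it also flags `ForeignSecurityPrincipals` entries, which AD uses as SID-named placeholders for accounts from a trusted domain outside the forest; all domain names, user names and the SID are constructed.

```python
import re

# Constructed sample: "member" values of one group in the internal domain,
# as an LDAP export would list them. All names and the SID are made up.
GROUP_DN = "CN=vCenter Admin,OU=Groups,DC=internal,DC=example,DC=com"
MEMBERS = [
    "CN=Alice Admin,OU=Users,DC=internal,DC=example,DC=com",
    "CN=Silva\\, Bob,OU=Staff,DC=global,DC=example,DC=com",
    "CN=S-1-5-21-1111111111-2222222222-3333333333-1105,"
    "CN=ForeignSecurityPrincipals,DC=internal,DC=example,DC=com",
]

def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]

def domain_of(dn):
    """DNS-style domain name built from the DC= components of a DN."""
    return ".".join(p[3:].lower() for p in split_dn(dn)
                    if p.upper().startswith("DC="))

def is_foreign_principal(dn):
    """True for SID-named placeholders of accounts from a trusted domain."""
    rdns = [p.upper() for p in split_dn(dn)]
    return len(rdns) > 1 and rdns[1] == "CN=FOREIGNSECURITYPRINCIPALS"

def needs_direct_permission(group_dn, members):
    """Return (name, origin) for members outside the group's own domain."""
    home = domain_of(group_dn)
    affected = []
    for dn in members:
        name = split_dn(dn)[0][3:]  # strip the leading "CN="
        if is_foreign_principal(dn):
            affected.append((name, "trusted domain (SID only)"))
        elif domain_of(dn) != home:
            affected.append((name, domain_of(dn)))
    return affected

if __name__ == "__main__":
    for name, origin in needs_direct_permission(GROUP_DN, MEMBERS):
        print(f"{name}: {origin}")
```

The SID-only entries have to be resolved to account names in their home domain before they can be added to vCenter objects directly.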

After we contacted VMware support, they recognized the bug (after a lot of tests, emails and remote sessions) and promised that it will be fixed in the future (maybe vCenter 5.5 Update 2).

Check the VMware KB regarding AD trusts and note VMware's statement: "VMware is aware of both of these limitations with vSphere 5.5 and is working towards resolving them."