Configure File Services

You can configure the File Services, which enable you to create file shares on your vSAN datastore. You can enable vSAN File Services on a regular vSAN cluster, a vSAN stretched cluster, or a vSAN ROBO cluster.

Prerequisites

Ensure that the following are configured before enabling the vSAN File Services:

Every ESXi host in the vSAN cluster must have minimal hardware requirements such as:

4 Core CPU
10 GB physical memory

You must ensure to prepare the network as vSAN File Service network:

If using standard switch based network, the Promiscuous Mode and Forged Transmits are enabled as part of the vSAN File Services enablement process.
If using DVS based network, vSAN File Services are supported on DVS version 6.6.0 or later. Create a dedicated port group for vSAN File Services in the DVS. MacLearning and Forged Transmits are enabled as part of the vSAN File Services enablement process for a provided DVS port group.
Important: If using NSX-based network, ensure that MacLearning is enabled for the provided network entity from the NSX admin console, and all the hosts and File Services nodes are connected to the desired NSX-T network.

Allocate static IP addresses as file server IPs from vSAN File Service network, each IP is the single point access to vSAN file shares.

For best performance, the number of IP addresses must be equal to the number of hosts in the vSAN cluster.
All the static IP addresses must be from the same subnet.
Every static IP address has a corresponding FQDN, which must be part of the Forward lookup and Reverse lookup zones in the DNS server.

If you are planning to create a Kerberos based SMB file share or a Kerberos based NFS file share, you need the following:

Microsoft Active Directory (AD) domain to provide authentication to create an SMB file share or an NFS file share with the Kerberos security.
(Optional) Active Directory Organizational Unit to create all file server computer objects.
A domain user in the directory service with the sufficient privileges to create and delete computer objects.

Procedure

Navigate to the vSAN cluster and click Configure > vSAN > Services.
On the File Service row, click Enable.
The Configure File Service wizard opens.
Review the checklist on the Introduction page, and click Next.

In the File service agent page, select one of the following options to download the OVF file.

Option	Description
Automatic approach	This option lets the system search and download the OVF. Note: Ensure that you have configured the proxy and firewall so that vCenter can access the following website and download the appropriate JSON file. https://download3.vmware.com/software/VSANOVF/FsOvfMapping.json For more information about configuring the vCenter DNS, IP address, and proxy settings, see vCenter Server Appliance Configuration. If an OVF is already downloaded and available, then following the options are available: Use current OVF: Lets you use the OVF that is already available. Automatically load latest OVF: Lets the system search and download the latest OVF.
Manual approach	This option allows you to browse and select an OVF that is already available on your local system. Note: If you select this option, you must upload all the following files: VMware-vSAN-File-Services-Appliance-x.x.x.x-x_OVF10.mf VMware-vSAN-File-Services-Appliance-x.x.x.x-x-x_OVF10.cert VMware-vSAN-File-Services-Appliance-x.x.x.x-x-x-system.vmdk VMware-vSAN-File-Services-Appliance-x.x.x.x-x-cloud-components.vmdk VMware-vSAN-File-Services-Appliance-x.x.x.x-x-log.vmdk VMware-vSAN-File-Services-Appliance-x.x.x.x-x_OVF10.ovf

Option

Description

Automatic approach

This option lets the system search and download the OVF.

Note:

Ensure that you have configured the proxy and firewall so that vCenter can access the following website and download the appropriate JSON file.
https://download3.vmware.com/software/VSANOVF/FsOvfMapping.json
For more information about configuring the vCenter DNS, IP address, and proxy settings, see vCenter Server Appliance Configuration.
If an OVF is already downloaded and available, then following the options are available:
- Use current OVF: Lets you use the OVF that is already available.
- Automatically load latest OVF: Lets the system search and download the latest OVF.

Manual approach

This option allows you to browse and select an OVF that is already available on your local system.

Note: If you select this option, you must upload all the following files:

VMware-vSAN-File-Services-Appliance-x.x.x.x-x_OVF10.mf
VMware-vSAN-File-Services-Appliance-x.x.x.x-x-x_OVF10.cert
VMware-vSAN-File-Services-Appliance-x.x.x.x-x-x-system.vmdk
VMware-vSAN-File-Services-Appliance-x.x.x.x-x-cloud-components.vmdk
VMware-vSAN-File-Services-Appliance-x.x.x.x-x-log.vmdk
VMware-vSAN-File-Services-Appliance-x.x.x.x-x_OVF10.ovf

In the Domain page, enter the following information and click Next:

File service domain: The domain name must have minimum two characters. The first character must be an alphabet or a number. The remaining characters can include an alphabet, a number, an underscore ( _ ), a period ( . ), a hyphen ( - ).
DNS servers: Enter a valid DNS server to ensure the proper configuration of File Services.
DNS suffixes: Provide the DNS suffix that is used with the file services. All other DNS suffixes from where the clients can access these file servers must also be included. File Services does not support DNS domain with single label, such as "app", "wiz", "com" and so on. A domain name given to file services must be of the format thisdomain.registerdrootdnsname. DNS name and suffix must adhere to the best practices detailed in https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/selecting-the-forest-root-domain.

Directory Service: Configure an Active Directory domain to vSAN File Services for authentication. If you are planning to create an SMB file share or an NFSv4.1 file share with Kerberos authentication, then you must configure an AD domain to vSAN File Services.

Enter appropriate values in the following text boxes to configure the Active Directory domain to vSAN File Services:

Option	Description
AD domain	Fully qualified domain name joined by the file server.
Organizational unit (Optional)	Contains the computer account that the vSAN File Services creates. In an organization with complex hierarchies, create the computer account in a specified container by using a forward slash mark to denote hierarchies (for example, organizational_unit/inner_organizational_unit). Note: By default, the vSAN File Services create the computer account in the Computers container.
AD username	User name to be used for connecting and configuring the Active Directory service. This user name authenticates the active directory on the domain. A domain user authenticates the domain controller and creates vSAN File Services computer accounts, related SPN entries, and DNS entries (when using Microsoft DNS). As a best practice, create a dedicated service account for the file services. A domain user in the directory service with the following sufficient privileges to create and delete computer objects: (Optional) Add/Update DNS entries
Password	Password for the user name of the Active Directory on the domain. vSAN File Services use the password to authenticate to AD and to create the vSAN File Services computer account.

Note:

vSAN File Services does not support the following:
- Read-Only Domain Controllers (RODC) for joining domains because the RODC cannot create machine accounts. As a security best practice, a dedicated org unit must be pre-created in the Active Directory and the user name mentioned here must be controlling this organization.
- Disjoint namespace.
- Spaces in organizational units (OUs) names.
- Multi domain and Single Active Directory Forest environments.
Only English characters are supported for Active Directory user name.
Only single AD domain configuration is supported. However, the file servers can be put on a valid DNS subdomain. For example, an AD domain with the name example.com can have file server FQDN as name1.eng.example.com.
Pre-created computer objects for file servers are not supported. Make sure that the user provided here have sufficient privilege over the organizational unit.
vSAN File Services update the DNS records for the file servers if the Active Directory is also used as a DNS server and the user has sufficient permission to update the DNS records. vSAN File Services also has a Health Check to indicate if the forward and reverse lookups for file servers are working properly. However, if there are other proprietary solutions used as DNS servers, the Vi admin must update these DNS records.

In the Networking page, enter the following information, and click Next:
- Network
- Protocol
- Subnet mask
- Gateway
In the IP Pool page, enter the following information, select a Primary IP, and then click Next.
- IP address
- DNS name
- Affinity site: This option is available if you are configuring vSAN file service on a stretched cluster. This option allows you to configure the placement of the file server on Preferred or Secondary site. This helps in reducing the cross-site traffic latency. The default value is Either, which indicates that no site affinity rule is applied to the file server.
  Note: If your cluster is a ROBO cluster, ensure that the Affinity site value is set to Either.
  In a site failure event, the file server affiliated to that site fails over to the other site. The file server fails back to the affiliated site when it is recovered. Configure more file servers to one site if more workloads can be expected from a certain site.
  
  Note: If the file server contains SMB file shares, then it does not failback automatically even if the site failure is recovered.
Consider the following while configuring the IP addresses and DNS names:
- To ensure proper configuration of File Services, the IP addresses you enter in the IP Pool page must be static addresses and the DNS server must have records for those IP addresses. For best performance, the number of IP addresses must be equal to the number of hosts in the vSAN cluster.
- You can enter up to 32 IP addresses.
- You can use the following options to automatically fill the IP address and DNS server name text boxes:
  AUTO FILL: This option is displayed after you enter the first IP address in the IP address text box. Click the AUTO FILL option to automatically fill the remaining fields with sequential IP addresses, based on the subnet mask and gateway address of the IP address that you have provided in the first row. You can edit the auto filled IP addresses.
  LOOK UP DNS: This option is displayed after you enter the first IP address in the IP address text box. Click the LOOK UP DNS option to automatically retrieve the FQDN corresponding to the IP addresses in the IP address column.
  Note:
  
  All valid rules apply for the FQDNs. For more information, see https://tools.ietf.org/html/rfc953.
  
  The first part of the FQDN, also known as NetBIOS Name, must not have more than 15 characters.
  The FQDNs are automatically retrieved only under the following conditions:
  - You must have entered a valid DNS server in the Domain page.
  - The IP addresses entered in the IP Pool page must be static addresses and the DNS server must have records for those IP addresses.
Review the settings and click Finish.

Results

The OVF is downloaded and deployed. The file services domain is created and the vSAN file services is enabled. File servers are started with the IP addresses that were assigned during the vSAN File Services configuration process.

The OVF is downloaded and deployed.
The file services domain is created and the vSAN file services is enabled.
The file servers are started with the IP addresses that were assigned during the vSAN File Services configuration process.
A File Services VM (FSVM) is placed on each host.

Note: The FSVMs are managed by the vSAN File Services. Do not perform any operation on the FSVMs.