Before we start building our cloud environment on the basis of our previous lab posts, let's quickly recall what we have covered so far:
- Install Active Directory and DHCP Server
- Install CA and NTP Server
- Install Syslog Server
- Install SQL Server and Virtual SAN (openfiler)
- Install Management Server
- Install Management, RG vCenters and ESXi Servers
- Configure Maintenance Schedule for vCenter DBs
- Install Signed Certificate for vCenter and ESXi from Microsoft CA
Now let's move on and start building our cloud environment.
In this lab we will perform the following tasks:
- Active Directory environment configuration for vCenter rights.
- vCenter basic configuration.
- Configure vCenter identity source (domain).
- Add another SSO administrator in vCenter.
- Assign vCenter permissions/roles.
1-Active Directory Environment Configuration for vCenter Rights
We have now installed vCenter, which will be used to manage our cloud environment. In production there might be different admins for vCloud and vSphere, so you have to give them access accordingly. In my lab I will give you a tour of how to create this type of structure.
Log in to your Active Directory server (cloud-ad.vmlab.com). Go to "Administrative Tools -> Active Directory Users and Computers" or type "dsa.msc" at your command prompt.
In this demo I am going to create a basic structure (users/groups) for the vCenter environment and give them permissions accordingly. OK, let's start.
First of all, I am going to create an OU (container) so we can easily separate our user/group structure.
Right click on the Active Directory root (vmlab.com) -> New -> Organizational Unit.
Give the OU a name; in my case I am using "cloud-Mgmt". You can choose as you like.
The next step is to create some users/groups in this OU. First, I am going to create a vCenter admin user. Right click the OU -> New -> User.
Provide the user information; in my case the user name is "vc.admin" -> click "Next".
Set the password for the user and tick "Password never expires". In production this might not be a good choice. -> Click "Next" and your "vc.admin" user is created.
*NOTE: Repeat the same steps for other users if you have multiple admins in your domain*
Now create a "vCenter admin" group which contains all our admin users. It is always good practice, and easier, to grant access to a group rather than to individual users, unless you have a special use case.
Right click the Cloud-Mgmt OU -> New -> Group.
Provide a group name; in my case I am using "vCenterAdmins". Click "OK".
Now add users to this group. In my case I am going to add the vc.admin user which I created earlier.
Double click on the group -> Members -> Add -> enter the name of the user -> click "OK" twice.
*NOTE: Repeat the same steps for other cloud admin users*
Here is the look and feel of the final structure (you can define it according to your use case).
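The same OU/user/group structure built with the ActiveDirectory PowerShell module instead of dsa.msc, as an added example that is not part of the original lab post. It assumes it runs on cloud-ad.vmlab.com (or a host with RSAT), that the domain is vmlab.com, and that the second group is named vCenterUsers (the name used later in section 5); the audit queries at the end are an addition.

```powershell
# Added example, not the lab's own script. Assumes domain vmlab.com and the
# group names vCenterAdmins / vCenterUsers from the post.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName        # e.g. DC=vmlab,DC=com
$ouName   = 'cloud-Mgmt'
$ouDN     = "OU=$ouName,$domainDN"

# 1. OU that keeps the vCenter users/groups separate from the rest of the directory
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. vCenter admin user. The password is prompted for rather than stored in the script.
#    PasswordNeverExpires mirrors the lab setting; leave it $false in production.
$password = Read-Host -AsSecureString -Prompt 'Password for vc.admin'
New-ADUser -Name 'vc.admin' -SamAccountName 'vc.admin' `
    -UserPrincipalName 'vc.admin@vmlab.com' -Path $ouDN `
    -AccountPassword $password -Enabled $true -PasswordNeverExpires $true

# 3. Security groups: one for admins, one for ordinary VM users (used in section 5)
foreach ($g in 'vCenterAdmins', 'vCenterUsers') {
    New-ADGroup -Name $g -SamAccountName $g -GroupScope Global -GroupCategory Security -Path $ouDN
}

# 4. Membership: access is granted through the group, never to the single account
Add-ADGroupMember -Identity 'vCenterAdmins' -Members 'vc.admin'

# 5. Checks worth running afterwards: who holds admin group membership, and which
#    accounts in the OU have a non-expiring password (the lab shortcut from step 2)
Get-ADGroupMember -Identity 'vCenterAdmins' | Select-Object SamAccountName, objectClass
Get-ADUser -Filter { PasswordNeverExpires -eq $true } -SearchBase $ouDN -Properties PasswordNeverExpires |
    Select-Object SamAccountName, UserPrincipalName
```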
Enough with the AD side. Now let's move to the vSphere Web Client and give permissions to these users/groups.
2-vCenter Basic Configuration
Open the Web Client, in my case (https://vc-rg.vmlab.com:9443/vsphere-client).
You are probably wondering why I chose the Web Client instead of the old classic vSphere Client. It is because of two reasons:
- You can only add SSO administrators from the Web Client.
- It is the future client for vSphere administration. Get used to it.
Provide the SSO administrative user/password which was set during installation. The default user name for SSO in vCenter 5.5 is administrator@vsphere.local.
3-Configure vCenter Identity Source (domain)
Before we add any new administrator users, let's get vCenter SSO tied in to our local LDAP directory. In my lab, that's Active Directory.
Click on "Administration" in the left hand menu.
Navigate to vCenter Servers > Administration > Single Sign-On -> Configuration -> click "+" to add.
VMware has managed to simplify the addition of an Active Directory domain as an identity source by using the machine account of the vCenter SSO machine to authenticate (and it works great!).
Configure the settings as highlighted above -> click "OK".
Once you've added your new identity source, add it as the default domain.
4-Add another SSO Administrator in vCenter
Navigate to vCenter Servers Home Page > Administration > Single Sign-On -> Users and Groups -> Groups -> select the Administrators group -> click "+" to add.
Select your domain (vmlab.com) -> vCenterAdmins -> Add -> OK.
Verify the user.
According to this step, we assume that the group added above now has full SSO administration permissions. But if you log in to vCenter using the vSphere Web Client, you will get the issue mentioned in the note below.
*NOTE: vCenter Server is not listed in the inventory after installing or upgrading to vSphere 5.5 (VMware KB 2059528)*
Navigate to vCenter Servers > Manage > Permissions and click "+" to add a user/group.
Add your domain admin group/user (in my case vCenterAdmins) with the Administrator role at the vCenter level as well.
Now log in with the newly added vCenter SSO administrator and verify the permissions.
*NOTE: An SSO administrator has full administrative rights on vCenter and on every other vSphere product that integrates with vCenter*
5-Assign vCenter Permissions/Roles
In this section we are going to assign different roles/permissions to the AD users we created above, at the vCenter level.
Navigate to vCenter Servers > Manage > Permissions, click on the "+" to add a user.
Assign a role; in my case it is "Virtual machine user (sample)". Click "Add".
From Domain select "VMLab", search for the user group (vCenterUsers) which we created earlier and click "Add" -> click "OK" twice.
Click "OK", then verify the user/group and role.
Now log out and log in with any user in the "vCenterUsers" group to verify the permissions.
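The vCenter-level permission assignments from section 4 (Administrator role for the admin group) and section 5 (restricted sample role for the user group), done with VMware PowerCLI instead of the Web Client, as an added example that is not part of the original lab post. It assumes PowerCLI is installed, that vCenter is vc-rg.vmlab.com, that the domain's NetBIOS name is VMLAB, and that the AD groups are the vCenterAdmins and vCenterUsers groups from section 1; the review query for Administrator holders is an addition.

```powershell
# Added example, not the lab's own script. Assumes vCenter vc-rg.vmlab.com,
# NetBIOS domain VMLAB and the two AD groups created in section 1.
Import-Module VMware.VimAutomation.Core

Connect-VIServer -Server 'vc-rg.vmlab.com' -Credential (Get-Credential -Message 'SSO administrator')

# The root of the inventory (the "vCenter Servers" object in the Web Client)
$root = Get-Folder -NoRecursion

# Section 4: the admin group gets the built-in Administrator role at the vCenter
# level, propagating down, so its members can see the inventory (KB 2059528).
$adminRole = Get-VIRole -Name 'Administrator'
New-VIPermission -Entity $root -Principal 'VMLAB\vCenterAdmins' -Role $adminRole -Propagate:$true

# Section 5: ordinary users get the restricted sample role, not Administrator.
$userRole = Get-VIRole -Name 'Virtual machine user (sample)'
New-VIPermission -Entity $root -Principal 'VMLAB\vCenterUsers' -Role $userRole -Propagate:$true

# Verification: every permission at the root, then every principal anywhere in the
# inventory that holds Administrator, so unexpected admins stand out in a review.
Get-VIPermission -Entity $root | Select-Object Principal, Role, Propagate, IsGroup

Get-VIPermission | Where-Object { $_.Role -eq 'Administrator' } |
    Select-Object Principal, @{ n = 'Entity'; e = { $_.Entity.Name } }

Disconnect-VIServer -Server * -Confirm:$false
```

Membership of the SSO Administrators group (the first half of section 4) still has to be done in the Web Client as the post describes; PowerCLI in 5.5 has no cmdlet for it.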