Carl Webster Accessibility Statement

Carl Webster is committed to facilitating the accessibility and usability of its website, carlwebster.com, for everyone. Carl Webster aims to comply with all applicable standards, including the World Wide Web Consortium’s Web Content Accessibility Guidelines 2.0 up to Level AA (WCAG 2.0 AA). Carl Webster is proud of the efforts that we have completed and that are in-progress to ensure that our website is accessible to everyone.

If you experience any difficulty in accessing any part of this website, please feel free to email us at info@carlwebster.com and we will work with you to provide the information or service you seek through an alternate communication method that is accessible for you consistent with applicable law (for example, through telephone support).

  • 08 Building Webster’s Lab V1 – Additional vCenter Configuration

    September 18, 2019

    Blog, VMware

    Updated 14-Dec-2019

    Before getting to work adding Citrix Virtual Apps and Desktops (CVAD), Parallels RAS, and VMware Horizon to the lab, there are a few additional items on the to-do list for vCenter.

    1. Join vCenter to the lab’s Active Directory (AD) domain
    2. Add the lab’s AD to the SSO
    3. Create a Citrix related service account with minimum VMware permissions for the hosting connection in Citrix Studio and with Citrix App Layering
    4. Create a VMware related service account with minimum vCenter permissions for Horizon

    Log in to vCenter.

    From the Menu dropdown, select Administration, as shown in Figure 1.

    Figure 1
    Figure 1

    Click Configuration, Active Directory Domain, and click Join AD, as shown in Figure 2.

    Figure 2
    Figure 2

    Enter the Domain, a Username/Password, and click JOIN, as shown in Figure 3.

    Figure 3
    Figure 3

    The vCenter appliance is now a domain member but needs a restart.

    From the Menu dropdown, select VMs and Templates, as shown in Figure 4.

    Figure 4
    Figure 4

    Expand the cluster, right-click the vCenter VM, click Power, and click Restart Guest OS, as shown in Figure 5.

    Figure 5
    Figure 5

    Click Yes to confirm the restart, as shown in Figure 6.

    Figure 6
    Figure 6

    Wait about 10 minutes before trying to log in to vCenter. At this point, you must use the administrator vCenter account to log in. Even though we joined, vCenter to the AD domain, the AD domain isn’t a Single Sign-On domain yet.

    Once you have logged on to vCenter, go back to Administration/Single Sign On/Configuration, as shown in Figure 7.

    Figure 7
    Figure 7

    Click Identity Sources and click ADD IDENTITY SOURCE, as shown in Figure 8.

    Figure 8
    Figure 8

    Select Active Directory (Windows Integrated Authentication) from the Identity source type dropdown, if it is not already populated, enter the Domain name, select Use machine account, and click ADD, as shown in Figure 9.

    Figure 9
    Figure 9

    The AD domain now shows as an Identity Source, as shown in Figure 10.

    Figure 10
    Figure 10

    We are not yet ready to log in to vCenter with AD credentials. First, we must add users and groups from the AD domain to a vCenter security role.

    Click Global Permissions, as shown in Figure 11.

    Figure 11
    Figure 11

    Click + (Plus sign) as shown in Figure 12.

    Figure 12
    Figure 12

    Select the AD domain name from the User dropdown, and as you type characters into the next field, users and groups appear, as shown in Figure 13.

    Figure 13
    Figure 13

    Click the user or group you wish to add, the Role the user or group requires, select Propagate to children, and click OK, as shown in Figure 14.

    Figure 14
    Figure 14

    Now we can log in to vCenter with an AD domain account.

    Log off vCenter and log in with an AD domain account that was just granted permission, as shown in Figures 15 and 16.

    Figure 15
    Figure 15
    Figure 16
    Figure 16

    Figure 17 shows a successful login with AD domain credentials.

    Figure 17
    Figure 17

    Next, permissions for service accounts needed for CVAD and Horizon. First up, CVAD.

    For my lab, I need a vCenter account to use with both the CVAD Hosting Connection in Citrix Studio and Citrix App Layering.

    Citrix details the required permissions at  CVAD VMware virtualization environments and Citrix App Layering VMware vSphere.

    To save time, here are the combined permissions with all the duplicates removed.

    Table 1 vCenter Permissions for CVAD and App Layering

    Datastore > Allocate space
    Datastore > Browse datastore
    Datastore > Low level file operations
    Folder > Create folder
    Folder > Delete folder
    Global > Cancel task
    Global > Manage custom attributes
    Global > Set custom attribute
    Host > Configuration
    Network > Assign network
    Resource > Assign virtual machine to resource pool
    vApp > Export
    vApp > Import
    vApp > vApp application configuration
    Virtual machine > Configuration > Add existing disk
    Virtual machine > Configuration > Add new disk
    Virtual machine > Configuration > Add or remove device
    Virtual machine > Configuration > Advanced (or Advanced Configuration)
    Virtual machine > Configuration > Change CPU Count
    Virtual machine > Configuration > Change resource
    Virtual machine > Configuration > Configure managedBy
    Virtual machine > Configuration > Disk change tracking (For App Layering, but I can’t find it in vCenter 6.7 U3)
    Virtual machine > Configuration > Memory (CVAD and App Layering, but I can’t find it in 6.7 U3. I selected Change Memory.)
    Virtual machine > Configuration > Modify Device Settings
    Virtual machine > Configuration > Remove disk
    Virtual machine > Configuration > Rename
    Virtual machine > Configuration > Reset guest information
    Virtual machine > Configuration > Set annotation
    Virtual machine > Configuration > Settings (In 6.7 U3, Change Settings)
    Virtual machine > Configuration > Swapfile placement (In 6.7 U3, Change Swapfile placement)
    Virtual machine > Configuration > Upgrade virtual machine compatibility
    Virtual machine > Interaction > Answer question
    Virtual machine > Interaction > Configure CD media
    Virtual machine > Interaction > Console interaction
    Virtual machine > Interaction > Device connection (I can’t find this in 6.7 U3. I used Connect devices.)
    Virtual machine > Interaction > Power Off
    Virtual machine > Interaction > Power On
    Virtual machine > Interaction > Reset
    Virtual machine > Interaction > Suspend
    Virtual machine > Inventory > Create from existing
    Virtual machine > Inventory > Create new
    Virtual machine > Inventory > Register
    Virtual machine > Inventory > Remove
    Virtual machine > Provisioning > Clone template
    Virtual machine > Provisioning > Clone virtual machine
    Virtual machine > Provisioning > Customize (In 6.7 U3, Customize guest)
    Virtual machine > Provisioning > Deploy template
    Virtual machine > Provisioning > Mark as template
    Virtual machine > Snapshot management > Create snapshot
    Virtual machine > Snapshot management > Remove snapshot

    First, I created a regular domain user account in AD, as shown in Figures 18 and 19.

    Figure 18
    Figure 18
    Figure 19
    Figure 19

    In the vCenter console, go to Menu -> Administration, as shown in Figure 20.

    Figure 20
    Figure 20

    Expand Access Control, click Roles, and click the + (Plus sign), as shown in Figure 21.

    Figure 21
    Figure 21

    The hard part is going through all the settings in Table 1 and selecting the required permissions, as shown in Figure 22.

    Figure 22
    Figure 22

    Continue selecting the required permissions. When all permissions are selected, click Next, as shown in Figure 23.

    Figure 23
    Figure 23

    Enter a Role name and an optional Description, click Finish, as shown in Figure 24.

    Figure 24
    Figure 24

    Click Global Permissions and click the + (Plus sign), as shown in Figure 25.

    Figure 25
    Figure 25

    Select your AD domain in the User dropdown, then enter the service account name, select the just created Role, you must select Propagate to children, and click OK, as shown in Figure 26.

    Figure 26
    Figure 26

    To test the new service account, launch Citrix Studio, and either create a new Hosting Connection or run through the Site creation wizard (what I am doing), as shown in Figure 27.

    Figure 27
    Figure 27

    Clicking Next tests whether the service account has the required permissions. If the account does not, an error message stating “The user does not have the required permissions on the hypervisor”. If the service was set up correctly in vCenter, the wizard continues to the Storage Management screen, as shown in Figure 28.

    Figure 28
    Figure 28

    Once, creation of the new Hosting Connection or initial Site succeeds, test creating a Machine Catalog to verify the service account works, as shown in Figures 29 and 30.

    Figure 29
    Figure 29
    Figure 30
    Figure 30

    VMware lists their required permissions for Horizon at Privileges Required for the vCenter Server User.

    Figure 31 shows the required permissions for the VMware Horizon service account.

    Figure 31
    Figure 31

    First, I created a regular domain user account in AD, as shown in Figures 32 and 33.

    Figure 32
    Figure 32
    Figure 33
    Figure 33

    Expand Access Control, click Roles, and click the + (Plus sign), as shown in Figure 34.

    Figure 34
    Figure 34

    The hard part is going through all the settings in Figure 31 and selecting the required permissions, as shown in Figure 35.

    Figure 35
    Figure 35

    Continue selecting the required permissions. When all permissions are selected, click Next, as shown in Figure 36.

    Figure 36
    Figure 36

    Enter a Role name and an optional Description, click Finish, as shown in Figure 37.

    Figure 37
    Figure 37

    Click Global Permissions and click the + (Plus sign), as shown in Figure 38.

    Figure 38
    Figure 38

    Select your AD domain in the User dropdown, then enter the service account name, select the just created Role, you must select Propagate to children, and click OK, as shown in Figure 39.

    Figure 39
    Figure 39

    Figure 40 shows the service account logged in to the VMware Horizon 7 Administrator Console.

    Figure 40
    Figure 40

    New Stuff

    Backup the vCenter Server Appliance

    One of the new things covered is updating the vCenter Server Appliance (VCSA). Before updating the appliance, VMware recommends making a backup of the VCSA.

    In your web browser, go to the VCSA management interface, https://VCSA-ip-address-or-fqdn:5480, as shown in Figure 41.

    Figure 41
    Figure 41

    Login as root using the password created during the install of the VCSA as shown in Figures 42 and 43.

    Figure 42 (From the install of VCSA)
    Figure 42 (From the install of VCSA)
    Figure 43
    Figure 43

    Click Backup as shown in Figure 44.

    Figure 44
    Figure 44

    Click BACKUP NOW as shown in Figure 45.

    Figure 45
    Figure 45

    Enter the following information:

    1. The Backup location (I created an NFS share on my Synology NAS as shown in Figures 46 and 47)
    2. The credentials to access the Backup location
    3. Optional, credentials to encrypt the backup
    4. Optional, enter a description
    5. Click Start to start the backup process, as shown in Figure 48
    Figure 46
    Figure 46
    Figure 47
    Figure 47
    Figure 48
    Figure 48

    The completed backup is listed under Activity, as shown in Figure 49.

    Figure 49
    Figure 49

    Update the VCSA

    In the left pane, click Update as shown in Figure 50.

    Figure 50
    Figure 50

    As noted on the Update screen, VCSA updates are cumulative.

    Select the most recent update available and click STAGE AND INSTALL, as shown in Figure 51.

    Figure 51
    Figure 51

    Select I accept the terms of the license agreement and click Next as shown in Figure 52.

    Figure 52
    Figure 52

    Select I have backed up vCenter Server and its associated databases and click Finish as shown in Figure 53.

    Figure 53
    Figure 53

    The Staging and Installation begin, as shown in Figure 54.

    Figure 54
    Figure 54

    After about 10 to 20 minutes, you should be able to log in to the VCSA appliance management interface. The Installation shows success, as shown in Figure 55. Click Close.

    Figure 55
    Figure 55

    On the Update screen, you will see the VCSA’s current version and no Available updates, as shown in Figure 56.

    Figure 56
    Figure 56

    Exit the VCSA management interface.

    Move the VCSA to Shared Storage

    The VCSA was installed in local storage. It can be migrated to shared storage now.

    Log in to the VCSA.

    From the Home menu, click VMs and Templates, as shown in Figure 57.

    Figure 57
    Figure 57

    Right-click on the VCSA VM and click Migrate, as shown in Figure 58.

    Figure 58
    Figure 58

    Select Change storage only and click Next, as shown in Figure 59.

    Figure 59
    Figure 59

    Select the NFS datastore for the VMs, verify the compatibility checks succeeded, and click Next as shown in Figure 60.

    Figure 60
    Figure 60

    Click Finish, as shown in Figure 61.

    Figure 61
    Figure 61

    The VM storage vMotion starts, as shown in Figure 62.

    Figure 62
    Figure 62

    When the storage vMotion completes, as shown in Figure 63, the VCSA VM Summary shows the Storage as the shared datastore, as shown in Figure 64.

    Figure 63
    Figure 63
    Figure 64
    Figure 64

    Up next: Install Citrix XenServer 8.0







    About Carl Webster

    Carl Webster is an independent consultant specializing in Citrix, Active Directory, and technical documentation. Carl (aka “Webster”) serves the broader Citrix community by writing articles (see CarlWebster.com) and by being the most active person in the Citrix Zone on Experts Exchange. Webster has a long history in the IT industry beginning with mainframes in 1977, PCs and application development in 1986, and network engineering in 2001. He has worked with Citrix products since 1990 with the premiere of their first product – the MULTIUSER OS/2.

    View all posts by Carl Webster

    One Response to “08 Building Webster’s Lab V1 – Additional vCenter Configuration”

    1. Ram Prasad Says:

      Excellent Information, very useful. Thank you very much carl