08 Building Webster’s Lab V1 – Additional vCenter Configuration

Updated 14-Dec-2019

Before getting to work adding Citrix Virtual Apps and Desktops (CVAD), Parallels RAS, and VMware Horizon to the lab, there are a few additional items on the to-do list for vCenter.

  1. Join vCenter to the lab’s Active Directory (AD) domain
  2. Add the lab’s AD to the SSO
  3. Create a Citrix related service account with minimum VMware permissions for the hosting connection in Citrix Studio and with Citrix App Layering
  4. Create a VMware related service account with minimum vCenter permissions for Horizon

Log in to vCenter.

From the Menu dropdown, select Administration, as shown in Figure 1.

Figure 1

Click Configuration, Active Directory Domain, and click Join AD, as shown in Figure 2.

Figure 2

Enter the Domain, a Username/Password, and click JOIN, as shown in Figure 3.

Figure 3

The vCenter appliance is now a domain member but needs a restart.

From the Menu dropdown, select VMs and Templates, as shown in Figure 4.

Figure 4

Expand the cluster, right-click the vCenter VM, click Power, and click Restart Guest OS, as shown in Figure 5.

Figure 5

Click Yes to confirm the restart, as shown in Figure 6.

Figure 6

Wait about 10 minutes before trying to log in to vCenter. At this point, you must use the administrator vCenter account to log in. Even though we joined vCenter to the AD domain, the AD domain isn’t a Single Sign-On domain yet.

Once you have logged on to vCenter, go back to Administration/Single Sign On/Configuration, as shown in Figure 7.

Figure 7

Click Identity Sources and click ADD IDENTITY SOURCE, as shown in Figure 8.

Figure 8

Select Active Directory (Windows Integrated Authentication) from the Identity source type dropdown, if it is not already populated, enter the Domain name, select Use machine account, and click ADD, as shown in Figure 9.

Figure 9

The AD domain now shows as an Identity Source, as shown in Figure 10.

Figure 10

We are not yet ready to log in to vCenter with AD credentials. First, we must add users and groups from the AD domain to a vCenter security role.

Click Global Permissions, as shown in Figure 11.

Figure 11

Click + (Plus sign) as shown in Figure 12.

Figure 12

Select the AD domain name from the User dropdown, and as you type characters into the next field, users and groups appear, as shown in Figure 13.

Figure 13

Click the user or group you wish to add, select the Role the user or group requires, select Propagate to children, and click OK, as shown in Figure 14.

Figure 14

Now we can log in to vCenter with an AD domain account.

Log off vCenter and log in with an AD domain account that was just granted permission, as shown in Figures 15 and 16.

Figure 15
Figure 16

Figure 17 shows a successful login with AD domain credentials.

Figure 17

Next are the permissions for the service accounts needed for CVAD and Horizon. First up, CVAD.

For my lab, I need a vCenter account to use with both the CVAD Hosting Connection in Citrix Studio and Citrix App Layering.

Citrix details the required permissions at CVAD VMware virtualization environments and Citrix App Layering VMware vSphere.

To save time, here are the combined permissions with all the duplicates removed.

Table 1 vCenter Permissions for CVAD and App Layering

Datastore > Allocate space
Datastore > Browse datastore
Datastore > Low level file operations
Folder > Create folder
Folder > Delete folder
Global > Cancel task
Global > Manage custom attributes
Global > Set custom attribute
Host > Configuration
Network > Assign network
Resource > Assign virtual machine to resource pool
vApp > Export
vApp > Import
vApp > vApp application configuration
Virtual machine > Configuration > Add existing disk
Virtual machine > Configuration > Add new disk
Virtual machine > Configuration > Add or remove device
Virtual machine > Configuration > Advanced (or Advanced Configuration)
Virtual machine > Configuration > Change CPU Count
Virtual machine > Configuration > Change resource
Virtual machine > Configuration > Configure managedBy
Virtual machine > Configuration > Disk change tracking (For App Layering, but I can’t find it in vCenter 6.7 U3)
Virtual machine > Configuration > Memory (CVAD and App Layering, but I can’t find it in 6.7 U3. I selected Change Memory.)
Virtual machine > Configuration > Modify Device Settings
Virtual machine > Configuration > Remove disk
Virtual machine > Configuration > Rename
Virtual machine > Configuration > Reset guest information
Virtual machine > Configuration > Set annotation
Virtual machine > Configuration > Settings (In 6.7 U3, Change Settings)
Virtual machine > Configuration > Swapfile placement (In 6.7 U3, Change Swapfile placement)
Virtual machine > Configuration > Upgrade virtual machine compatibility
Virtual machine > Interaction > Answer question
Virtual machine > Interaction > Configure CD media
Virtual machine > Interaction > Console interaction
Virtual machine > Interaction > Device connection (I can’t find this in 6.7 U3. I used Connect devices.)
Virtual machine > Interaction > Power Off
Virtual machine > Interaction > Power On
Virtual machine > Interaction > Reset
Virtual machine > Interaction > Suspend
Virtual machine > Inventory > Create from existing
Virtual machine > Inventory > Create new
Virtual machine > Inventory > Register
Virtual machine > Inventory > Remove
Virtual machine > Provisioning > Clone template
Virtual machine > Provisioning > Clone virtual machine
Virtual machine > Provisioning > Customize (In 6.7 U3, Customize guest)
Virtual machine > Provisioning > Deploy template
Virtual machine > Provisioning > Mark as template
Virtual machine > Snapshot management > Create snapshot
Virtual machine > Snapshot management > Remove snapshot

First, I created a regular domain user account in AD, as shown in Figures 18 and 19.

Figure 18
Figure 19

In the vCenter console, go to Menu -> Administration, as shown in Figure 20.

Figure 20

Expand Access Control, click Roles, and click the + (Plus sign), as shown in Figure 21.

Figure 21

The hard part is going through all the settings in Table 1 and selecting the required permissions, as shown in Figure 22.

Figure 22

Continue selecting the required permissions. When all permissions are selected, click Next, as shown in Figure 23.

Figure 23

Enter a Role name and an optional Description, and click Finish, as shown in Figure 24.

Figure 24

Click Global Permissions and click the + (Plus sign), as shown in Figure 25.

Figure 25

Select your AD domain in the User dropdown, enter the service account name, select the Role you just created, select Propagate to children (this is required), and click OK, as shown in Figure 26.

Figure 26
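
One way to check the finished role against Table 1, added here as an example and not part of the original article or of any Citrix or VMware tooling: it parses Table 1's rows, treats the 6.7 U3 names recorded in the notes as equivalent, and reports privileges that are missing from the role or that go beyond the table. The function names are assumptions, and the granted list is a constructed sample standing in for the role's privileges written out in the same `Category > Privilege` form.

```python
import re
# Phrases Table 1's notes use to record a privilege's 6.7 U3 name.
ALIAS_RE = re.compile(r"(?:In 6\.7 U3,|I selected|I used|^or)\s+([^.()]+)\.?$")

def norm(path):  # make 'A > B > C' comparable regardless of spacing and case
    return " > ".join(part.strip().lower() for part in path.split(">"))

def parse_baseline(table_text):
    """Map every accepted label (documented or 6.7 U3 name) to its Table 1 entry."""
    accepted = {}
    for line in filter(None, map(str.strip, table_text.splitlines())):
        path, note = re.match(r"(.+?)\s*(?:\((.*)\))?$", line).groups()
        key = norm(path)
        accepted[key] = key
        alias = ALIAS_RE.search(note or "")
        if alias:
            parent = path.rsplit(">", 1)[0]
            accepted[norm(parent + ">" + alias.group(1))] = key
    return accepted

def audit_role(table_text, granted_labels):
    """Return (missing, excess): Table 1 entries not granted, grants not in Table 1."""
    accepted = parse_baseline(table_text)
    granted = {norm(label) for label in granted_labels}
    satisfied = {accepted[g] for g in granted if g in accepted}
    missing = sorted(set(accepted.values()) - satisfied)
    excess = sorted(g for g in granted if g not in accepted)
    return missing, excess

# Rows copied from Table 1 on this page.
TABLE_1_EXCERPT = """
Virtual machine > Configuration > Advanced (or Advanced Configuration)
Virtual machine > Configuration > Disk change tracking (For App Layering, but I can’t find it in vCenter 6.7 U3)
Virtual machine > Configuration > Memory (CVAD and App Layering, but I can’t find it in 6.7 U3. I selected Change Memory.)
Virtual machine > Configuration > Settings (In 6.7 U3, Change Settings)
Virtual machine > Interaction > Device connection (I can’t find this in 6.7 U3. I used Connect devices.)
"""

# Constructed sample of a role's granted privileges; the last one is not in Table 1.
GRANTED_SAMPLE = [
    "Virtual machine > Configuration > Advanced Configuration",
    "Virtual machine > Configuration > Change Memory",
    "Virtual machine > Configuration > Change Settings",
    "Virtual machine > Interaction > Connect devices",
    "Permissions > Modify permission",
]

if __name__ == "__main__":
    print(audit_role(TABLE_1_EXCERPT, GRANTED_SAMPLE))
```

Anything reported as excess is a privilege the service account holds beyond what Table 1 calls for, which matters because the role is assigned as a Global Permission with Propagate to children.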

To test the new service account, launch Citrix Studio, and either create a new Hosting Connection or run through the Site creation wizard (what I am doing), as shown in Figure 27.

Figure 27

Clicking Next tests whether the service account has the required permissions. If the account does not, an error message appears stating “The user does not have the required permissions on the hypervisor”. If the service account was set up correctly in vCenter, the wizard continues to the Storage Management screen, as shown in Figure 28.

Figure 28

Once creation of the new Hosting Connection or initial Site succeeds, test creating a Machine Catalog to verify the service account works, as shown in Figures 29 and 30.

Figure 29
Figure 30

VMware lists their required permissions for Horizon at Privileges Required for the vCenter Server User.

Figure 31 shows the required permissions for the VMware Horizon service account.

Figure 31

First, I created a regular domain user account in AD, as shown in Figures 32 and 33.

Figure 32
Figure 33

Expand Access Control, click Roles, and click the + (Plus sign), as shown in Figure 34.

Figure 34

The hard part is going through all the settings in Figure 31 and selecting the required permissions, as shown in Figure 35.

Figure 35

Continue selecting the required permissions. When all permissions are selected, click Next, as shown in Figure 36.

Figure 36

Enter a Role name and an optional Description, and click Finish, as shown in Figure 37.

Figure 37

Click Global Permissions and click the + (Plus sign), as shown in Figure 38.

Figure 38

Select your AD domain in the User dropdown, enter the service account name, select the Role you just created, select Propagate to children (this is required), and click OK, as shown in Figure 39.

Figure 39

Figure 40 shows the service account logged in to the VMware Horizon 7 Administrator Console.

Figure 40

New Stuff

Backup the vCenter Server Appliance

One of the new things covered is updating the vCenter Server Appliance (VCSA). Before updating the appliance, VMware recommends making a backup of the VCSA.

In your web browser, go to the VCSA management interface, https://VCSA-ip-address-or-fqdn:5480, as shown in Figure 41.

Figure 41

Log in as root using the password created during the install of the VCSA, as shown in Figures 42 and 43.

Figure 42 (From the install of VCSA)
Figure 43

Click Backup as shown in Figure 44.

Figure 44

Click BACKUP NOW as shown in Figure 45.

Figure 45

Enter the following information:

  1. The Backup location (I created an NFS share on my Synology NAS as shown in Figures 46 and 47)
  2. The credentials to access the Backup location
  3. Optional, credentials to encrypt the backup
  4. Optional, enter a description
  5. Click Start to start the backup process, as shown in Figure 48

Figure 46
Figure 47
Figure 48

The completed backup is listed under Activity, as shown in Figure 49.

Figure 49

Update the VCSA

In the left pane, click Update as shown in Figure 50.

Figure 50

As noted on the Update screen, VCSA updates are cumulative.

Select the most recent update available and click STAGE AND INSTALL, as shown in Figure 51.

Figure 51

Select I accept the terms of the license agreement and click Next as shown in Figure 52.

Figure 52

Select I have backed up vCenter Server and its associated databases and click Finish as shown in Figure 53.

Figure 53

The Staging and Installation begin, as shown in Figure 54.

Figure 54

After about 10 to 20 minutes, you should be able to log in to the VCSA appliance management interface. The Installation shows success, as shown in Figure 55. Click Close.

Figure 55

On the Update screen, you will see the VCSA’s current version and no Available updates, as shown in Figure 56.

Figure 56

Exit the VCSA management interface.

Move the VCSA to Shared Storage

The VCSA was installed in local storage. It can be migrated to shared storage now.

Log in to the VCSA.

From the Home menu, click VMs and Templates, as shown in Figure 57.

Figure 57

Right-click on the VCSA VM and click Migrate, as shown in Figure 58.

Figure 58

Select Change storage only and click Next, as shown in Figure 59.

Figure 59

Select the NFS datastore for the VMs, verify the compatibility checks succeeded, and click Next as shown in Figure 60.

Figure 60

Click Finish, as shown in Figure 61.

Figure 61

The VM storage vMotion starts, as shown in Figure 62.

Figure 62

When the storage vMotion completes, as shown in Figure 63, the VCSA VM Summary shows the Storage as the shared datastore, as shown in Figure 64.

Figure 63
Figure 64

Up next: Install Citrix XenServer 8.0

1 Comment

  1. Ram Prasad

    Excellent Information, very useful. Thank you very much Carl
