Monday, March 25, 2013

vSphere 5.1 Single Sign-on (SSO) - Deployment & Configuration Made Easy!!


A few days back one of my favorite blogger – Michael Webster, wrote about vSphere Singe-Sign On and some best practices around it. Interestingly, the title he chose for this article was “Disabling vSphere 5.1 Single Sign-on (SSO) – Don’t do it!

Well, even before reading the article, I knew why he chose that title. Being into the field where we design and implement vSphere stacks for customers, a lot of them who do not see a use case of SSO in there environments ask for ways to DISABLE it completely and deploy the vCenter as they always have with the previous versions of vSphere.

Remember, vSphere Single-on (SSO) is introduced with vSphere 5.1 hence it is the latest enhancement which is also a compulsion or a pre-requisite to install vCenter software. I will not talk about what it does as there are more and enough resources which tell you what is VMware SSO and how it helps. In my opinion, here are the best articles which explain the features and functionality of SSO like no one else.

ü  vCenter Single Sign-On Part 1: what is vCenter Single Sign-On?By Justin King.

ü  vCenter Single Sign-On FAQ (2034918) – VMware KB

Now that you have read those articles and know why VMware introduced Single Sign-on, the purpose behind writing this article is to give you a step by step guideline to deploy SSO. There are a number of such articles available which talk about how to deploy SSO with different scenarios, however with this post I wanted to take the simplest method of all and help people with all the steps from pre-requisites to installation and finally winding up with configuration of SSO. This is specifically for someone who wants vCenter 5.1 without SSO or I should say to install vCenter 5.1 without going through any pains while configuring SSO.

To keep it simple, I will define what all I have in terms of Database, AD Integration, Access rights etc, and then write this post in 4 parts. However, I will not break this into multiple post as I want you to use this as a single reference document without have to jump around much.

vSphere 5.1 Single Sign-on (SSO) - Deployment & Configuration Made Easy!

Part 1 -  vSphere 5.1 Single Sign-on (SSO) - Preparing for installation.

Part 2 -  vSphere 5.1 Single Sign-on (SSO) - Installing SSO, Inventory Service and vCenter Server.

Part 3 -  vSphere 5.1 Single Sign-on (SSO) - Bare minimum configuration of SSO for you to get started with vCenter 5.1.


Let’s start with looking at the basic architecture, requirements and assumptions for this deployment.
                                  
vCenter Architecture Components & Requirements:-

i)        vCenter Server 5.1 b (This is the latest at the time of writing this article and as per the release notes a lot of SSO bugs are fixed with this release.)

ii)       SQL Server 2008 R2, Standard edition for SSO, vCenter and Update Manager Databases.

iii)      A group in active directory with users configured. This would be the first group which would be added to the vCenter and SSO for Administrator access to vCenter. Please plan this carefully and make it ready. You can add multiple such groups with different privileges at a later stage.

iv)      A simple install of SSO would be done on the vCenter Server itself.

Assumptions while writing this article:-

Ø   This is a fresh install of vCenter 5.1 and not an upgrade.

Ø   The process of creating the DB for vCenter and Update Manager is not included as it is the same as previous versions.

Let’s begin the joyride....

Part 1 -  vSphere 5.1 Single Sign-on (SSO) - Preparing for installation.


1-       Prepare a Virtual Machine or a Physical Server on which you will install vCenter. (Virtual Preferred – see why?)

2-       Install the Windows Operating System you desire to and configure the Drive Partitions as per your vCenter Server Low Level Design. (Refer to the following KB from VMware to make sure you meet the pre-requisites)

3-       Create the vCenter and Update Manager Databases and Desired users either manually or using the scripts in the installer folder. This process is same as previous versions so no twists here. Some use the scripts and some DBAs want everything controlled by them and they do it manually. (Refer to the Following Document if you have not done this before)

Note: - Although you can refer to the above document for SSO DB creation as well, however I would recommend you do it as described below.
4-       For creating the SSO Database on SQL run the following Script from SQL Query window in SQL Management Studio. Few things to note here.

i)        Do not copy the First and the Last Line which denote the start and end of script. Copy the rest of the script and paste it.
ii)       Line 3 has the PATH for SSO Database file to be located on C:\. Change the drive letter to a desired partition which you have on vCenter Server for storing databases, i.e. D:\ or F:\ etc.
iii)      Repeat step (ii) on Line 7 for Index file creation and Line 13 for transaction log.

++++++++++++++++START OF SCRIPT+++++++++++++++++++++++++++++++++++++++

CREATE DATABASE RSA ON PRIMARY(
    NAME='RSA_DATA',
    FILENAME='C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\RSA_DATA.mdf',
    SIZE=10MB,
    MAXSIZE=UNLIMITED,
    FILEGROWTH=10%),
FILEGROUP RSA_INDEX(
    NAME='RSA_INDEX',
    FILENAME='C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\RSA_INDEX.ndf',
    SIZE=10MB,
    MAXSIZE=UNLIMITED,
    FILEGROWTH=10%)
LOG ON(
    NAME='translog',
    FILENAME='C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Data\translog.ldf',
    SIZE=10MB,
    MAXSIZE=UNLIMITED,
    FILEGROWTH=10% )
GO

-- Set recommended performance settings on the database
EXEC SP_DBOPTION 'RSA', 'autoshrink', true
GO
EXEC SP_DBOPTION 'RSA', 'trunc. log on chkpt.', true
GO
CHECKPOINT
GO

++++++++++++++++END OF SCRIPT+++++++++++++++++++++++++++++++++++++++++

5-       Now that the database is created lets create the users required for SSO Database using the following script. Few things to note here.

i)        Do not copy the First and the Last Line which denote the start and end of script. Copy the rest of the script and paste it.
ii)       On Line 3 and Line 5, change the password as desired; I have set it as VMw@re. DO NOT CHANGE THE LOGIN names of RSA_DBA and RSA_USER else SSO will not work.


++++++++++++++++START OF SCRIPT+++++++++++++++++++++++++++++++++++++++

USE MASTER
GO

CREATE LOGIN RSA_DBA WITH PASSWORD = 'VMw@re', DEFAULT_DATABASE = RSA, CHECK_POLICY = OFF
GO
CREATE LOGIN RSA_USER WITH PASSWORD = 'VMw@re', DEFAULT_DATABASE = RSA, CHECK_POLICY = OFF
GO

USE RSA
GO

ALTER AUTHORIZATION ON DATABASE::RSA TO [RSA_DBA]
GO

CREATE USER RSA_USER FOR LOGIN [RSA_USER]
GO

CHECKPOINT
GO

++++++++++++++++END OF SCRIPT+++++++++++++++++++++++++++++++++++++++++

Assuming that till this point you do not have any errors. If not, then you are done!! The preparation part is over.

Now let us move to Part 2 which of Installation of vCenter.


Part 2 -  vSphere 5.1 Single Sign-on (SSO) - Installing SSO, Inventory Service and vCenter Server.


  1. Login to the VM on which you need to install the vCenter.
  2. Create an ODBC for vCenter and Update Manager (Use 32 bit DSN for Update Manager located under the following directory in that VM - %windir%\SysWOW64\odbcad32.exe
  3. Mount the vCenter Installer ISO on this machine.
  4.  Launch the Installer Menu by clicking on Autorun.
  5. Select vCenter Server Single Sign on and click on Install.
  6. Select the desired installation language and hit OK
  7. Click next to start the Single Sign On Installation Wizard'
  8. Accept the agreement and click next
  9. Choose the “Create the primary node for a new vCenter Single Sign On installation” as this is the first vCenter Single Sign On instant & Click Next.
  10.  Install Basic vCenter Single Sign On.
  11. Fill the admin@System-Domain password then hit next. Note – This password should have atleast 1 Upper Case Letter, 1 Number and one special character. You should note this down and keep it in your bosses’ locker. NEVER FORGET IT.
  12.  Choose “use an existing database”.
  13. Fill the database information with the earlier created databases info as shown in the below screenshot. This includes all the information which we used to create the RSA Database, Users and Passwords in PART A of this article. DO NOT change anything here apart from the Host Name. Your window should look exactly like mine here.
























14. Fill the fully qualified domain name of your SSO server name and hit next.
15. Choose the SSO installation destination folder and hit next.
16. Confirm the https port to be used by SSO and hit next.
17. On the Ready to Install screen hit install to start the installation.
18. On the SSO installation completion screen hit finish and then if the VMware Single Signle Sign on Service has started or not.

If you are following me closely then you should have a started service without any issue and this marks the end of SSO installation. Read on, the configuration is still left :-). Time to install Inventory Service now.

  1. Select VMware vCenter Inventory Service from the VMware Product Installers menu and click Install.
  2. Select the setup language and click OK.




















    3. After the Welcome screen is displayed, click Next
    4. Accept the agreements and hit Next
    5. Choose the installation Destination folder and hit Next
    6. Fill your vCenter Server FQDN and hit next
    7. Confirm the ports to be utilized by vCenter Inventory Service and hit Next.
    8. Select the inventory size that best describes your vCenter Server deployment and hit next.
    9. Enter the SSO Administrator password (It's in your bosses' locker in case you forgot the password :-) ) to register Inventory Service with vCenter Single Sign On.
   10. Hit Install Certificates when prompted.
   11. On the ready to install page hit install.
   

Now we are getting closer :-)

Okay, now is the time for vCenter Install. It is exactly the same as you did it before,but let me take you through this and I will post the important screenshots in this article to make sure you are going in the right direction.

1.    Launch the installer using an account with administrator privileges.
2.   Select vCenter Server from the VMware Product Installers menu and click Install.
3.     Select the setup language and click OKWait while the installation process begins.
4.   After the Welcome screen is displayed, click Next.
5.   On the End-User Patent Agreement screen, click Next.
6.   On the License Agreement screen, select the radio button to accept the terms of the license agreement, and click Next.
7.   You can enter a License key for ESXi now, or you can enter it later. The system can run in evaluation mode for 60 days.
8.   Use an existing supported database and specify an appropriate ODBC Data Source Name. Click Next.
9.   Specify the account to be used by the vCenter Server Service. Select Use SYSTEM Account (default), or deselect it and specify another local or domain account name and password (if needed). Click Next. To specify a domain account, precede the account name with the domain name and a forward slash (/) as in: domain_name/account_name.
10.  Select Create a standalone VMware vCenter Server instance (default) to install either a standalone instance of vCenter Server or the first in a series of linked vCenter systems.
11.  Confirm the ports to be used by vCenter Server and click Next.
12.  Choose the size of your environment
13.  Complete your Single Sign On and Lookup Service information and click Next. (Time to peep into the bosses' safe)
14.  Register a vCenter Server administrator user or group with vCenter Single Sign On. This is the group which will automatically get added to SSO.

***This means all the users which are a part of this group in the AD would be Administrators on the vCenter Server. You can later add mode groups depending on your use case.
























15. Click on Next on the vCenter Inventory Service Information. (Leave the defaults)
16.  Select vCenter Installation Destination Folder
17.  Hit install to start the installation.
18.  Hit finish to exit the installation wizard



We are done with the complete installation now. Lets just move and and configure the SSO in the simplest possible manner and start using this vCenter and the awesome features which vCenter 5.1 gives you.


Part 3 -  vSphere 5.1 Single Sign-on (SSO) - Bare minimum configuration of SSO for you to get started with vCenter 5.1.

Assuming you have installed the vSphere Web Client from the same bundle, let us go ahead and do some configurations on the SSO server.

1- Launch the vSphere Webclient. So if the web client is on the vCenter Server. Simply launch https://vcenterip:9443/. This should launch the login page. Use the SSO Admin credentials to Login.




















2- Click on Administration under the Home menu.






















3- Click on SSO Users & Groups to add the Group which we created for VMware Administrators as the Principal Group to the SSO Administrators.



















4- Select the Administrators Group and click on Add Principal




















5- Search for the Domain Group which you created earlier and add that as a Principal (domain\VM-ADMIN)





















6- Now that the users are added, let us go ahead and ease out the SSO Policies. Click on Configuration and then Policies.
























7- Click on Password Policies and click on Edit to change them as per your wish. The screenshot below shows what I have selected for my environment.


















7- Click on Lockout Policies and click on Edit to change them as per your wish. The screenshot below shows what I have selected for my environment.



















8- Click on OK to confirm the changes.


You are done now :-) The entire process takes around 2 hours to get everything up and running. Hopefully, this will help you avoid all those NASTY issues you have read about and have you vCenter 5.1 with SSO production ready.



As always, share & benefit others!!!


Saturday, March 16, 2013

How to License vCenter Operations Manager (vCOPS) 5.6 !!

In a recent engagement, I got an opportunity to work on installing the VMware Stack in a Greenfield deployment. Along with the vSphere 5.1 suite, this deployment also had the installation of vCOPS 5.6. After the deployment of the OVF template, we registered the vCenter with the vCOPS on the Admin UI.

As you know, vCOPS Foundation is now a part of vSphere 5.1 and all the editions of vSphere can deploy the vCOPS 5.6 and use the performance management features of this product for free. The snippet below shows the licensing details in all the versions of vSphere which now include vCOPS Foundation.





















Once you register the vCOPS to vCenter, it will automatically show the software being registered and licensed as Foundation version. You will now be able to install the plugin and start accessing the vSphere UI to see how your infrastructure is performing. Remember you would just see one screen here which will show you all the objects of the vCenter and the health.

Since vCOPS 5.0 use to work as an a-la-carte product, VMware, like its other products and solutions, turned vCOPS into a Suite with the release of 5.6. Here is how the licensing looks like now:-



So if you are moving from vCOPS 5.0 to vCOPS 5.6 and you have other products such as VCM, VIN etc, then you can upgrade just the vCOPS key to the version which you are entitled to. This single key will support all the products in the suite.

So in our case, we have a key for vCOPS 5.6 Advanced Edition which covered all the products. As soon as this key was upgraded to vCOPS 5.6 all the other product keys (VIN, VCM etc) will be disabled in the My VMware Portal.

Now, you need to add this key on your vCenter Server under the Home -> Licensing. Now you can assign this new key to the vCOPS under the Asset option in the Licensing window.

Once you have done this, you need to ensure that the vCOPS Foundation which you installed and configured before, you need to do the following:-

1- Login to the vCops Admin UI.
2- Click on Status Tab
3- Click on Restart to restart the vCOPS services.

 Once the services are restarted, check the log to see what license has been registered. It should show up as Advanced Edition. 






Now when you login to the vCOPS vSphere UI, you will be able to see the other tabs related to Capacity Management and also license VCM, VIN and other products in the Advanced Suite.

Hope this helps you to solve the licensing troubles which you might face during upgrades and fresh installs of vCenter Operations Manager 5.6.

Share to spread the word & benefit others!!!

Thursday, March 14, 2013

vSphere Architecture Design Review Process - Things to do!!

In my current project I am roped in to work on reviewing the existing architecture of a client with a large install base of vSphere. In the process I developed a small review process which I have represented in a form of a flowchart.

I thought it would be helpful for VMware consultants and customers in the field in order to review there existing designs and see how that design decision which was taken some time back, impacts the current operations of a VMware Virtual Datacenter.

For those who have worked on vSphere Designs would know that each design choice has to go through a decision tree which will then allow you to chose what is best for your vSphere Infrastructure. These decisions are taken on the basis of Requirements, Constraints, Assumptions and Risks involved in a design. 

The design review process works on the similar lines, however along with the Requirements, Constraints, Assumptions and Risks, you also have the opportunity to get the current state of the infrastructure through Assessments. In most of the cases you will notice that there are deviations from the standard design due to unforeseen constraints, requirements of even sprawl of virtual machines. The design review process involves this other angle which allows you to fix things in the architecture so that it holds good for the current requirements, constraints, assumptions and risks.

Enough of talking. Here is how I believe the process should be:-



























Hope this will help the people who are making those tough choices in the world of VMware Virtualization.



Share to spread the word & benefit others!!!

Sunday, March 10, 2013

How to Backup & Restore a VMware vSphere Distributed Virtual Switch (VDS)

One of the new features of vSphere 5.1 Web Client is to help you backup the settings of your existing Distributed Virtual Switch. You can keep this backup handy for either applying of a new DVSwitch or to restore the settings of the original DVswitch form where you took this backup.

This is a simple Export and Import task, however since the vSphere Web Client is new and most of the admins are not as familiar with the Web Client, as they are the C# client also referred as a thick client, I thought I will write this small article with screenshots. More importantly, I will also try and tell you in which situations such a backup would help.

Let's have a look at the process to EXPORT the settings:-

1- Login to the vSphere Web Client with a user with Admin / Network Privileges.
















2- Click on Networking -> Right Click on your dvSwitch -> All vCenter Actions -> Export 
Configuration.




















3- Choose to Save either the DVS settings only or DVS and Port Group Settings.














4- Click on Yes to confirm the export.









5- On the next Screen give this file a name and save it on a desired location on your computer.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Now, let's have a look at the process to IMPORT the settings:-

1- Login to the vSphere Web Client with a user with Admin / Network Privileges.


2- Click on Networking -> Right Click on your dvSwitch -> All vCenter Actions -> Restore
Configuration.























3- Select the backup file from which you wish to restore the settings of the dvSwitch.















4- Click on Next, confirm the settings and click on Finish.
















--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Things to remember:-

While I was playing around with this backup, there are a few things which I learnt from my mistakes. Here are a few things you should know about this backup:-

a) This backup & restore does not re-creates the DVS, it helps you backup and restore configuration of a DVS.

b) You can use this backup to apply these settings across different DVS switches.

c) You need to create a DVS switch yourself and then apply these settings.

d) You can only Backup and Restore from a vSphere Web Client and not the C# client.

e) You can backup or restore the configuration of an onlder DVS as well such as 4.0, 4.1, 5.0 versions of DVS.

Enjoy the great features of DVS 5.1 and vSphere web client, this is an intelligent Virtual Switch which has loads to offer.


Share to spread the word & benefit others!!!