My VCDX Journey – One Year In

Last year, I set a rather challenging goal for myself – to become a VCDX within three years.  I’m now one year in, and I wanted to update my progress.

When I first set the goal, I had only just achieved VCP status with the VCP5-DCV and the VCP5-DT and I was looking at the daunting challenge of the VCAP exams.

Today, I’m much closer to achieving a VCDX.  I’ve completed the prerequisite exams for the VCDX-DT.

But I’m not ready to take the next step of the journey yet.  Although I gained a lot of valuable experience from Virtual Design Master, I don’t have enough real-world experience to put together a #VCDX quality design.

I’m not sure how I am going to rectify this yet, but I have the next year to figure it out and start working on a formal design.

Community Matters – A VMworld 2014 Retrospective

This year’s VMworld was the second that I had the pleasure of attending.  Last year had been my first, and while I had a good time, I didn’t really know anyone or even know what I wanted to get out of it, and I wasn’t the type to just walk up to someone I talked to on Twitter and introduce myself or engage in table talk.

And most nights, after the sessions were done, I would grab dinner alone and go back to my hotel.

What a difference a year makes.

Last year’s conference opened the door and showed how wide and vibrant the greater virtualization community is.  It encouraged me to get more active in my local VMUG, on twitter and through community events such as Virtual Design Master.

I put myself out there, and I grew as both an IT Professional and a person, and along the way, I made new connections and new friends, and my experience at VMworld this year was different because of it.

The moral of the story is to get involved with your local user communities.  Build relationships with others in your profession through groups like VMUG or AITP.  And if one doesn’t exist (or worse, inactive) build it up so others can get the same benefits.

The Changing Face of EUC

The first section of Tuesday’s keynote was devoted to VMware’s End-User Computing division, and they shared their vision for the future of the market.

And let me tell you – it’s game changing.

{Note: I do not have early access to any of the EUC technologies discussed below.  Everything discussed below is from the keynote.]

VMware demonstrated the expanded capabilities in Horizon 6 and the improvements that they’ve made to the Blast protocol.  It’s now possible to deliver 3D applications, such as Autodesk 3D Max and the Adobe Creative Suite, to users without having to install a client on your machine.  Yes, it’s all accessible from an HTML5-enabled web browser.

They demoed CloudVolumes. CloudVolumes is an application layering technology that can overlay desktop applications onto a desktop in real time with no need to recompose linked clone desktops or use complex deployment tools like SCCM.  And it’s easy enough that you can delegate this task to the Help Desk.

And they also talked about the Horizon Suite.  In previous versions of Horizon, the products were stand-alone with limited integration.  VMware has started changing this and more closely integrating the Horizon Suite products in the same way that they’ve been been integrating products into the vCloud Suite.

My employer works in the construction industry, and we have projects across the country.  These jobs often require heavy 3D graphics to support the Autodesk REVIT MEP suite for building information management, and that means deploying workstations that can run MEP effectively to these locations.

The features of the Horizon Suite would change this.  Engineers and Project Managers would be able to access a desktop with AutoCAD from  Safari on an iPad or Chromebook from any jobsite anywhere in the country and provide feedback to engineers in the office.  Engineers would be able to go onsite and work with CAD without having to lug around a 30 pound workstation laptop.

But that wasn’t the most disruptive announcement.  One of the new features that was announced was Project Fargo.  Project Fargo will utilize features in vSphere 6 (currently in beta) to rapidly deploy “disposable” virtual machines up to 30x faster than deploying linked clones.  It almost sounds like the next version of vSphere will be able to use a process similar to forking a process in Linux to build up and tear down desktops.

When you combine Project Fargo with Persona Management (or Liquidware Labs ProfileUnity) and CloudVolumes, you get fully-configured Just-In-Time desktops.

I hope that we’ll hear more about these features over the next couple of months.

#vBrownbag TechTalk at VMworld

The great folks who run #vBrownbag are hosting another series of Tech Talks at this year’s VMworld.  These short talks are given in the Hang Space and feature community members presenting on topics that they’re passionate about and cover a variety of topics including Log Insight, Docker, and OpenStack. 

I’ll be giving a Tech Talk on automating the Microsoft stack using vCenter Orchestrator and PowerShell on Monday at 4:30.

The entire schedule is available here.

If you haven’t double (or tripled) booked yourself yet, and you’re passionate about a topic, there are still some slots available. 

Horizon View 6.0 Part 7–Installing View Composer

The last couple of posts have dealt with preparing the environment to install Horizon View 6.0.  We’ve covered prerequisites, design considerations, preparing Active Directory, and even setting up the service accounts that will be used for accessing services and databases.

Now its time to actually install and configure the Horizon View components.  These tasks will be completed in the following order:

  • Install Horizon View Composer
  • Install Horizon View Connection Server
  • Configure the Environment for the first time
  • Install the Security Server

One note that I want to point out is that the installation process for most components has not changed significantly from previous versions.

Before we can install Composer, we need to create an ODBC Data Source to connect to the Composer database.  The database and the account for accessing the database were created in Part 6.  Composer can be installed once the ODBC data source has been created.

Composer can either be installed on your vCenter Server or on a separate Windows Server.  The first option is only available if you are using the Windows version of vCenter.  This walkthrough assumes that Composer is being installed on a separate server.

 

 

Service Account

Part 6 covers the steps for creating the Composer service account.  This account should have local administrator rights on the server prior to installing Composer.

Creating the ODBC Data Source

Unfortunately, the Composer installer does not create the ODBC Data Source driver as part of the Composer installation, and this is something that will need to be created by hand before Composer can be successfully installed.  The View Composer database doesn’t require any special settings in the ODBC setup, so this step is pretty easy.

Note: The ODBC DSN setup can be launched from within the installer, but I prefer to create the data source before starting the installer.  The steps for creating the data source are the same whether you launch the ODBC setup from the start menu or in the installer.

1. Go to Start –> Administrative Tools –> Data Sources (ODBC)

2014-01-04_22-25-06

2. Click on the System DSN tab.

3. Click Add.

2014-01-04_22-25-44

4. Select SQL Server Native Client 10.0 and click Finish.  This will launch the wizard that will guide you through setting up the data source.

2014-01-04_22-26-27

Note:  SQL Server 2012 uses Native Client 11.0. If the Composer database is installed on SQL Server 2012, Native Client 11.0 should be used.

Note: The SQL Server Native Client is not installed by default. If you are connecting to a database on another server, you will need to download and install the native client for SQL Server 2008 R2 from Microsoft (direct download link). 

5. When the Create a New Data Source wizard launches, you will need to enter a name for the data source, a description, and the name of the SQL Server that the database resides on.  If you have multiple instances on your SQL Server, it should be entered as ServerName\InstanceName.  Click next to continue.

2014-01-06_22-50-48

6. Select SQL Server Authentication.  Enter your SQL Server username and password that you created above.  Optional: Check the Connect to SQL Server to obtain default settings box to retrieve the default settings from the server.  Click Next to continue.

2014-01-04_22-28-15

7. Change the default database to the viewComposer database that you created above.  Click Next to continue.

2014-01-04_22-28-55

8. Click Test Data Source to verify that your settings are correct.

2014-01-04_22-29-19

9. If your database settings are correct, you will see the windows below.  If you do not see the TESTS COMPLETED SUCCESSFULLY, verify that you have entered the correct username and password and that your login has the appropriate permissions on the database object.  Click OK to return to the previous window.

2014-01-04_22-29-37

10. Click OK to close the Data Source Administrator and return to the desktop.

2014-01-04_22-29-55

Installing View Composer

Once the database connection has been set up, Composer can be installed.  The steps for installing Composer are:

1.  Launch the View Composer installer.

2.  If .Net Framework 3.5 SP1 is not installed, you will be prompted to install the feature before continuing.

1

3.  Click Next to continue.

2

4.  Accept the license agreement and click next.

3

5.  Select the destination folder where Composer will be installed.

4

6. Configure View to use the ODBC data source that you set up.  You will need to enter the data source name, SQL login, and password before continuing.

7

7. After the data source has been configured, you will need to select the port that Composer will use for communicating with the View Connection Servers.  You also have the option of selecting an existing certificate if you have installed one.

8

8. Click Install to start the installation.

9

9. Once the installation is finished, you will be prompted to restart your computer.

10

So now that Composer is installed, what can we do with it?  Not much at the moment.  A connection server is required to configure and use Composer for linked clone desktops, and the next post in this series will cover how to install that Connection Server.

Horizon View 6.0 Part 6–Configuring the Horizon View Service Accounts and Databases

Back in Part 4, I mentioned that Horizon View required up to a few service accounts to function properly.  One of these accounts is for accessing vCenter to provision and manage the virtual machines that users will connect to.  The other service account is for View Composer and will manage the accounts within Active Directory.  This account is not required if you are not planning to use View Composer and Linked Clones within your environment.

In addition to these two service accounts, two database accounts may need to be created for the Horizon View Composer database and the Horizon View Events Database.

It’s important to build these accounts with the principle of least privileged access in mind.  These accounts should not have more rights than they would need.  So while the easy way out would be to give these accounts vCenter Administrator, Domain Administrator, and SQL Server or Oracle SysAdmin rights, it would not be a good idea as these accounts could potentially be compromised.

vCenter Service Account

The first account that needs to be created is a service account that View will use for accessing vCenter.  Horizon View uses this account for provisioning and power operations.  The service account should be a standard Active Directory domain user account without any additional administrator-level rights on the domain or on the vCenter server.

There are a couple of different ways to configure your Horizon View environment, sp the actual rights required by vCenter will vary.  I will be using View Composer in this series, so I will be setting up the vCenter Service Account with the permissions required to use View Composer.

Note: If you are not using View Composer, or you plan to use View Composer and Local Mode, different permissions will be required in vCenter.  Please see Chapter x of the Horizon View 6.0  Installation Guide for more details on the permissions that need to be assigned to the service account.

A new role will need to be created within vCenter in order to assign the appropriate permissions.  To create a new role in the vCenter Web Client, you need to go to Administration –> Roles from the main page.  This will bring up the roles page, and we can create a new role from here by clicking on the green plus sign.

2013-12-29_19-14-37

The permissions that need to be assigned to our new role are:

Privilege Group

Privilege

Datastore Allocate Space
Browse Datastore
Low Level File Operations
Folder Create Folder
Delete Folder
Virtual Machine Configuration –> All Items
Inventory –> All Items
Snapshot Management –> All Items
Interaction:
Power On
Power Off
Reset
Suspend
Provisioning:
Customizing
Deploy Template
Read Customization Spec
Clone Virtual Machine
Allow Disk Access
Resource Assign Virtual Machine to Resource Pool
Migrate Powered-Off Virtual Machine
Global Enable Methods
Disable Methods
System Tag
Act As vCenter
Note 1
Network All
Host Configuration:
Advanced Settings Note 1

Note 1: Act as vCenter and Host Advanced Settings are only needed if View Storage Accelerator are used.  If these features are not used, these permissions are not required.

After the role has been created, we will need to assign permissions for our vCenter Server service account to the vCenter root.  To do this from the roles screen, you will need to go back to the vCenter Web Client Home screen and take the following steps:

  1. Select vCenter
  2. Select vCenter Servers under Inventory Lists
  3. Select the vCenter that you wish to grant permissions on
  4. Click on the Manage Tab
  5. Click Permissions
  6. Click the Green Plus Sign to add a new permission
  7. Select the role for View Composer
  8. Add the Domain User who should be assigned the role
  9. Click OK.

2013-12-29_20-33-59

View Events Database Account

The Events Database is a repository for events that happen with the View environment.  Some examples of events that are recorded include logon and logoff activity and Composer errors.

The Events Database requires a Microsoft SQL Server or Oracle database server, and it should be installed on an existing production database server.  There are two parts to configuring the events database.  The first part, creating the database and the database user, needs to be done in SQL Server Management Studio before the event database can be configured in View Administrator.  The steps for configuring Horizon View to use the Events database will happen in another post.

To set up the database, follow these steps:

1. Open SQL Server Management Studio and log in with an account that has permissions to create users and databases.

2. Expand Security –> Logins.

3. Right-click on Logins and Select New Login…

1. Create New User 1

4. Enter the SQL Login Name and Password and then click OK.

2. Create New User 2

5. Expand Databases.

6. Right-click on Databases and select New Database.

7. Enter the database name.  Select the database user that you created above as the database owner.  Click OK to create the database.

3. Create View Events Database

Note: SQL Server named instances are configured to use dynamic ports.  This means that SQL Server will use a new port every time the server is restarted.  The events database does not support dynamic ports, so a static port will need to be configured and the SQL instance restarted prior to configuring the events database in View.  For instructions on how to configure a static ports in SQL Server, please see this article.

View Composer Service Accounts

The last two accounts that need to be set up are for Horizon View Composer.  These accounts are only required if you plan on using Composer and linked clone desktops.

Depending on your configuration, Composer may require two service accounts.  These accounts are:

1. An Active Directory User Account – This service account is used by View for accessing Composer.  This account requires local administrator rights on the Composer server and rights to create computer objects in Active Directory.

2. A Horizon View Composer Database User – This service account is a local SQL Server user account and is required if the SQL Server database is located on a remote server.  If SQL Server is installed on the Composer Server, Windows authentication can be used.

Configuring the Composer Service Account

The first is the account that will be used by View Composer.  This account can be created as a standard domain user.  This account should not have domain administrator or account operator rights – it only needs a select group of permissions on the OU (or OUs) where the View Desktops are being stored.

After this account has been created, you need to delegate permissions to it on the OU (or OUs) where your VDI desktops will be placed.  If you use the structure like the one I outlined above, you only need to delegate permissions on the top-level OU and permission inheritance, if turned on, will apply them to any child or grandchild objects beneath it.

Note:  If inheritance is not turned on, you will need to check the Apply to All Child Objects checkbox before applying the permissions.

The permissions that need to be delegated on the OU are:

  • Create Computer Objects
  • Delete Computer Objects
  • Write All Properties
  • Reset Password

Note: Although granting this account Domain Administrator or Account Operator permissions may seem like an easy way to grant it the permissions it needs, it will grant a number of other permissions that are not needed and could pose a security risk if that account is compromised.  Only the required permissions should be granted in a production environment.

The account will also need to be granted local administrator rights on the Composer server.  If the account is not a local administrator, you will not be able to configure Composer from within the View Administrator.

Configuring the Composer Database and Database Service Account

Like the Event database above, Composer requires its own database.  This database is used to keep track of linked clones, replicas, and pending recompose operations.

The steps below will walk through setting up the Composer database.  If your Composer database is located on a separate server, you will have to use SQL authentication, and the steps for creating the SQL user are included.

Note: If your Composer database is located on the same server as the Composer service, you can use Windows Authentication for accessing the database.

1. Log into your database server and open SQL Server Management Studio.

2014-01-04_22-20-17

2. Log in as a user with administrator rights on SQL Server.

3. Create a new SQL Login by expanding Security –> Logins.  Right click on Logins and select New Login.

2014-01-04_22-21-46

4. Enter a login name such as viewComposerDB or viewComposerUser, select SQL Server Authentication, and enter a password twice.  You may also need to disable Enforce Password Expiration or Enforce Password Policy depending on your environment.  Click OK to create the account.  Note: Check with your DBA on password policy settings.

2014-01-04_22-23-50

5. After the SQL login is created, you need to create an empty database.  To create the database, right click on the database folder and select New Database.

2014-01-04_22-19-58

6. In the database name field, enter a name such as viewComposer.  This will be the name of the database.  To select an owner for the database, click on the … button and search for the database user account you created above.  Click OK to create the database.

2014-01-04_22-24-23

You will have a blank database that you can use for View Composer after you click OK.

Configuring Composer to use this database will be covered during the Composer installation.

This wraps up all of the prerequisites for the environment.  In the next couple of sections, I will be covering the installation and configuration of Horizon View.

Horizon View 6.0 Part 5–SSL Certificates

SSL certificates are an important part of all Horizon View environments .  They’re used to secure communications from client to server as well as between the various servers in the environment.  Improperly configured or maintained certificate authorities can bring an environment to it’s knees – if a connection server cannot verify the authenticity of a certificate – such as an expired revocation list from an offline root CA, it will stop any communications with the impacted host.

If you read my previous series on View 5.3, the post about SSL certificates was the last regular post in the series, and it came after the other components were installed and configured.  In an production environment, you would most likely install the SSL certificates before installing the Horizon View components.

Most of the certificates that you will need for your environment will need to be minted off of an internal certificate authority.  If you are using a security server to provide external access, you will need to acquire a certificate from a public certificate authority.  If you’re building a test lab or don’t have the budget for a valid certificate, you can use a free certificate authority such as StartSSL.

Prerequisites

Before you can begin creating certificates for your environment, you will need to have a certificate authority infrastructure set up.  Microsoft has a great 2-Tier PKI walkthrough on TechNet. 

Note: If you use the walkthrough to set up your PKI environment., you will need to alter the configuration file to remove the  AlternateSignatureAlgorithm=1 line.  This feature does not appear to be supported on vCenter  and can cause errors when importing certificates.

Once your environment is set up, you will want to create a template for all certificates used by VMware products.  Derek Seaman has a good walkthrough on creating a custom VMware certificate template.

Note: Although a custom template isn’t required, I like to create one per Derek’s instructions so all VMware products are using the same template.

Creating The Certificate Request

Horizon View 6.0 handles certificates the same way as Horizon View 5.3.  Certificates are stored in the Windows certificate store, so the best way of generating certificate requests is to use the certreq.exe certificate tool.  This tool can also be used to submit the request to a local certificate authority and accept and install a certificate after it has been issued.

Certreq.exe can use a custom INF file to create the certificate request.  This INF file contains all of the parameters that the certificate request requires, including the subject, the certificate’s friendly name, if the private key can be exported, and any subject alternate names that the certificate requires.

If you plan to use Subject Alternate Names on your certificates, I highly recommend reviewing this article from Microsoft.  It goes over how to create a certificate request file for SAN certificates.

A  certificate request inf file that you can use as a template is below.  To use this template, copy and save the text below into a text file, change the file to match your environment, and save it as a .inf file.

;----------------- request.inf -----------------
[Version]

Signature="$Windows NT$"

[NewRequest]

Subject = "CN=<Server Name>, OU=<Department>, O=<Company>, L=<City>, S=<State>, C=<Country>" ; replace attribues in this line using example below
KeySpec = 1
KeyLength = 2048
; Can be 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
FriendlyName = "vdm"
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

[Extensions]

2.5.29.17 = "{text}"
_continue_ = "dns=<DNS Short Name>&"
_continue_ = "dns=<Server FQDN>&"
_continue_ = "dns=<Alternate DNS Name>&"

[RequestAttributes]

CertificateTemplate = VMware-SSL

;-----------------------------------------------

Note: When creating a certificate, the state or province should not be abbreviated.  For instance, if you are in Wisconsin, the full state names should be used in place of the 2 letter state postal abbreviation.

Note:  Country names should be abbreviated using the ISO 3166 2-character country codes.

The command the generate the certificate request is:

certreq.exe –New <request.inf> <certificaterequest.req>

Submitting the Certificate Request

Once you have a certificate request, it needs to be submitted to the certificate authority.  The process for doing this can vary greatly depending on the environment and/or the third-party certificate provider that you use. 

If your environment allows it, you can use the certreq.exe tool to submit the request and retrieve the newly minted certificate.  The command for doing this is:

certreq –submit -config “<ServerName\CAName>” “<CertificateRequest.req>” “<CertificateResponse.cer>

If you use this method to submit a certificate, you will need to know the server name and the CA’s canonical name in order to submit the certificate request.

Accepting the Certificate

Once the certificate has been generated, it needs to be imported into the server.  The import command is:

certreq.exe –accept “<CertificateResponse.cer>

This will import the generated certificate into the Windows Certificate Store.

Using the Certificates

Now that we have these freshly minted certificates, we need to put them to work in the View environment.  There are a couple of ways to go about doing this.

1. If you haven’t installed the Horizon View components on the server yet, you will get the option to select your certificate during the installation process.  You don’t need to do anything special to set the certificate up.

2. If you have installed the Horizon View components, and you are using a self-signed certificate or a certificate signed from a different CA, you will need to change the friendly name of the old certificate and restart the Connection Server or Security Server services.

Horizon View requires the certificate to have a friendly name value of vdm.  The template that is posted above sets the friendly name of the new certificate to vdm automatically, but this will conflict with any existing certificates. 

1
Friendly Name

The steps for changing the friendly name are:

  1. Go to Start –> Run and enter MMC.exe
  2. Go to File –> Add/Remove Snap-in
  3. Select Certificates and click Add
  4. Select Computer Account and click Finish
  5. Click OK
  6. Right click on the old certificate and select Properties
  7. On the General tab, delete the value in the Friendly Name field, or change it to vdm_old
  8. Click OK
  9. Restart the View service on the server

2

Certificates and Horizon View Composer

Unfortunately, Horizon View Composer uses a different method of managing certificates.  Although the certificates are still stored in the Windows Certificate store, the process of replacing Composer certificates is a little more involved than just changing the friendly name.

The process for replacing or updating the Composer certificate requires a command prompt and the SVIConfig tool.  SVIConfig is the Composer command line tool.  If you’ve ever had to remove a missing or damaged desktop from your View environment, you’ve used this tool.

The process for replacing the Composer certificate is:

  1. Open a command prompt as Administrator on the Composer server
  2. Change directory to your VMware View Composer installation directory
    Note: The default installation directory is C:\Program Files (x86)\VMware\VMware View Composer
  3. Run the following command: sviconfig.exe –operation=replacecertificate –delete=false
  4. Select the correct certificate from the list of certificates in the Windows Certificate Store
  5. Restart the Composer Service

3

A Successful certificate swap

At this point, all of your certificates should be installed.  If you open up the View Administrator web page, the dashboard should have all green lights.  If you do not see all green lights, you may need to check the health of your certificate environment to ensure that the Horizon View servers can check the validity of all certificates and that a CRL hasn’t expired.

If you are using a certificate signed on an internal CA for servers that your end users connect to, you will need to deploy your root and intermediate certificates to each computer.  This can be done through Group Policy for Windows computers or by publishing the certificates in the Active Directory certificate store.  If you’re using Teradici PCoIP Zero Clients, you can deploy the certificates as part of a policy with the management VM.  If you don’t deploy the root and intermediate certificates, users will not be able to connect without disabling certificate checking in the Horizon View client.

Doing Things Because They Are HARD–My Virtual Design Master Experience

“We choose to go to the moon. We choose to go to the moon in this decade and do the other things, not because they are easy, but because they are hard, because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one which we intend to win, and the others, too. “

– John Fitzgerald Kennedy, September 12th, 1962

If you haven’t noticed, the frequency of my posts has dropped off quite a bit.  It’s surprising, even to me, since Horizon View 6.0 just came out.

My time, over the last couple of weeks, has been occupied by a few tasks.  Most of that time has been occupied by the Virtual Design Master competition.

What is Virtual Design Master?

Virtual Design Master is a community-run Internet “reality show,” now in it’s second season, that showcases the infrastructure design skills of the contestants.  It’s one part Chopped, one part Iron Chef, and one part The Walking Dead. 

Contestants are tasked with putting together a formal design, following a design methodology, on an open-ended but challenging problem surrounding the storyline for the season.  All decisions must be justified and design decisions documented.

Oh…and did I mention that you have four days to do it?

Each week, the participants have to defend their design to noted members of the virtualization community and get feedback on the choices they made.

Why do it?

Virtual Design Master can be hard and stressful.  There is a lot to learn in a short period of time, and it has to be balanced with family, work, and anything else going on in life.

The challenges can require cutting edge, or even bleeding edge, technology that needs to be learned in a few days.  For instance, one of the constraints of the moonbase challenge was working with an IPv6-only network.  The design had to identify which components would not work with IPv6 or would require a dual-stack approach and design around it.  Other constraints on that challenge required participants to learn about technology that they might not have used on a daily basis.

It also forces you to document your design with a formal design document.  The document isn’t a simple two to three page abstract but a detailed document outlining the design decisions, components, justifications, and component configurations as they are intended to be implemented.

Although the process of designing an infrastructure and documenting it in a short period for the competition can be challenging, it’s not nearly as bad as it sounds.

The community around the competition is great, and competitors are more than willing to help each other with questions on equipment and design reviews.  Answers to questions are a tweet or an email away.

But the takeaway that I found most useful was learning how to write a design document.  Prior to participating, I had never written a formal design.  In the two weeks of Virtual Design Master, I’ve written two that were longer and more elaborate than any design documentation I had seen for a project that I participated in.

Writing documentation has some secondary benefits as well.  It makes you think about your design and how you would explain it.  That makes it easier to explain, and eventually, defend.  This, in turn, makes it easier to answer the question “If I was hit by a bus, what would my replacement need to know?”

Takeaways

I started this post with an excerpt from a speech by President Kennedy where he announced his vision of putting a man on the moon within a decade.  There is one segment of that speech that really sums up what this competition does:

…not because they are easy, but because they are hard, because that goal will serve to organize and measure the best of our energies and skills…”

Participating in Virtual Design Master is a lot of fun and a great learning experience.  But it also challenges you, organizes you, and prepares you for bigger things.

As John Arrasjid said:

It is great practice for taking your skills to the next level, learning, and engaging the community.

Horizon View 6.0 Part 4–Active Directory Configuration

When you build a Horizon View environment, the virtual desktops that users connect to run Windows.  The servers that provide the virtual desktop infrastructure services run on Windows.  So, as you can imagine, Active Directory plays a huge role in Horizon View.

When you’re planning a Horizon View deployment, or rearchitecting an existing deployment, the design of your Active Directory environment is a critical element that needs to be considered.  How you organize your virtual desktops, templates, and security groups impacts Group Policy, helpdesk delegation rights, and View Composer.

Some Active Directory objects need to be configured before any Horizon View components are installed.  Some of these objects require special configuration either in Active Directory or inside vCenter.  The Active Directory objects that need to be set up are:

  • An organizational unit structure for Horizon View Desktops
  • Basic Group Policy Objects for the different organizational units
  • An organization unit for Microsoft RDS servers if application remoting is used

Optionally, you may want to set up an organizational unit for any security groups that might be used for entitling access to the Horizon View desktop pools.  This can be useful for organizing those groups and/or delegating access to Help Desk or other staff who don’t need Account Operator or Domain Administrator rights.

Creating An Organizational Unit for Horizon View Desktops

The first think that we need to do to prepare Active Directory for a Horizon View deployment is to create an organizational unit structure for Horizon View desktops.  This OU structure will hold all of the desktops created and used by Horizon View.  A separate OU structure within your Active Directory environment is important because you will want to apply different group policies to your Horizon View desktops than you would your regular desktops.  There are also specific permissions that you will need to delegate to the View Composer service account.

There are a lot of ways that you can set up an Active Directory OU structure for Horizon View.  My preferred organizational method looks like this:

2013-12-28_21-55-14

View Desktops is a top-level OU (ie – one that sites in the root of the domain).  I like to set up this OU for two reasons.  One is that is completely segregates my VDI desktops from my non-VDI desktops and servers.  The other is that it gives me one place to apply group policy that should apply to all VDI desktops such as disabling non-essential services, turning off screen savers, or setting the inactivity timeout to lock the machine.

I create three child OUs under the View Desktops OU to separate persistent desktops, non-persistent desktops, and desktop templates.  This allows me to apply different group policies to the different types of desktops.  For instance, you may want to disable Windows Updates and use Persona Management on non-persistent desktops but allow Windows Updates on the desktop templates.

You don’t need to create all three OUs.  If your environment consists entirely of Persistent desktops, you don’t need an OU for non-persistent desktops.  The opposite is true as well.

Finally, I tend to create department or location OUs underneath the persistent or non-persistent OUs if I have locations that require special Group Policy settings in addition to the default settings.  One example where I used this was in a previous job that HEAVILY used Microsoft Access databases at one site.  Microsoft Access includes a security groups option that uses a centrally stored database file to manage access to databases.  This can be configured with group policy, and since other locations used Access without the security groups configured, applying that policy to all desktops would have broken any Access databases that the other locations used.

These grandchild OUs are completely optional.  If there is no need to set any custom policy for a location or a department, then they don’t need to be created.  However, if a grandchild OU is needed, then an entire pool will need to be created as desktop pools are assigned to OUs.  Adding additional pools can add management overhead to a VDI environment.

Creating an Organizational Unit for RDS Servers

Horizon View 6.0 added PCoIP support for multi-user desktops running on Windows Server with the Remote Desktop Session Host role.  These new abilities also added support for remote application publishing.

RDS servers need to be handled differently than virtual desktops.  They’re managed differently than your virtual desktops, and some features such as Persona Management are not available to RDS servers.

If application remoting or multi-user desktops are going to be deployed, an organizational unit for RDS servers should be created underneath your base servers organizational unit. 

Horizon View Group Policy Objects

Horizon View contains a number of custom group policy objects that can be used for configuring features like Persona Management and optimizing the PCoIP protocol.  The number of Group Policy objects has been increased in Horizon View 6, and the number of templates has increased as well.

Unfortunately, most of the Group Policy templates are distributed as ADM files.  There are a number of drawbacks to ADM files in modern Active Directory environments.  The main one is that you cannot store the Group Policy files in the Central Store.

If you plan on using the Group Policy templates, it’s a good idea to convert them into the ADMX format.  I had previously written about converting the View Group Policy templates into the ADMX format and the reasons for converting here.

Horizon View Service Accounts

Horizon View requires a service account for accessing vCenter to provision new virtual machines.  If View Composer is used, a second service account will be needed to create computer accounts in Active Directory for linked clones.  I will cover setting up those account in a future section.

In the next section, I’ll cover SSL certificates for Horizon View servers.

Horizon View 6.0 Part 3–Desktop Design Considerations

Whether it is Horizon View, XenDesktop, or some other package, the implementation of a virtual desktop environment requires a significant time investment during the design phase.  If care isn’t taken, the wrong design could be put into production, and the costs of fixing it could easily outweigh the benefits of implementing a virtual desktop solution.

So before we move into installing the actual components for a Horizon View environment, we’ll spend the next two posts on design considerations.  This post, Part 3, will discuss design considerations for the Horizon View virtual desktops, and Part 4 will discuss design considerations for Active Directory.

Virtual desktop environments are all about the end user and what they need.  So before you go shopping for storage arrays and servers, you need to start looking at your desktops.

There are three types of desktops in Horizon View 6:

  • Full Clone Desktops – Each desktop is a full virtual machine deployed from a template and managed as an independent virtual machine.
  • Linked Clone Desktop – A linked clone is a desktop that shares its virtual disks with a central replica desktop, and any changes are written to its own delta disk.  Linked clones can be recomposed when the base template is updated or refreshed to a known good state at periodic intervals.  This feature requires Horizon View Composer.
  • Remote Desktop Session Host Pools – Horizon View has supported Windows Terminal Services for multiuser session support in a limited capacity.  Horizon 6 has enhanced the RDSH features to include PCoIP support and application remoting.  When RDSH desktops and/or application remoting are used, multiple users are logged into servers that host user sessions.  This feature requires Windows Server 2008 R2 or Server 2012 R2 with the RDSH features enabled.

There are two desktop assignment types for desktop pools:

  • Dedicated Assignment – users are assigned to a particular desktop during their first login, and they will be logged into this desktop on all subsequent logins.
  • Floating Assignment – users are temporarily assigned to a desktop on each login.  On logout, the desktop will be available for other users to log into.  A user may not get the same desktop on each login.

Unless you have some overriding constraints or requirements imposed upon your virtual desktop project, the desktop design choices that you make will influence and/or drive your subsequent purchases.   For instance, if you’re building virtual desktops to support CAD users, blade servers aren’t an option because high-end graphics cards will be needed, and if you want/need full clone desktops, you won’t invest in a storage array that doesn’t offer deduplication.

There are a couple of areas that need to be considered when designing the virtual desktops:

  • Horizon View Configuration Maximums -  There isn’t an official VMware document that outlines the official configuration maximums for a Horizon View environment.  However, Ray Heffer has that information available on his blog.
  • Applications – What applications are installed on the end-user desktops?  Who uses them?  Do any of the applications have any special hardware or licensing requirements?  Are there any restrictions on who can access or use corporate applications or where they can be accessed from?
  • Management Tools – What desktop management tools exist in the environment?  The lack of a management tool to deploy applications like SCCM or Altiris will make it harder to manage full clone desktops.
  • Physical Desktop Performance – When sizing out the virtual desktops that make up the desktop pools, it’s important to know  how physical desktops are utilizing the resources they have.  This is important for two reasons – it ensures that the virtual desktops are not being overprovisioned with CPU or RAM and that proper reservations and limits are set on the resource pools that the virtual desktops are assigned to.
  • Company Culture – Are users granted admin rights and able to install their own software without asking IT?  Are computers locked down and all applications white-listed?  Or is it somewhere in the middle? Do users already have experience with remote solutions such as Microsoft RDSH desktops or Citrix?  These are important considerations to keep in mind because environments where users have free run of their company computers may reject a centrally managed VDI environment or increase the workload for the IT staff, and staff who have no experience using Citrix or RDSH may have a hard time adjusting to their desktop being remote.
  • Use Case – How are the virtual desktops going to be used?  What problems are they going to solve for the business and the employees?
  • User Profile Data – User specific session settings need to be preserved, especially if you are using non-persistent desktops or RDSH pools.  Microsoft, VMware, and other partners like Liquidware Labs provide tools for profile management.  If persistent desktops are deployed, user data may remain on the virtual machine, and a backup plan will need to be put in place to protect this data.
  • Antivirus and Security – Users will be accessing the Internet from their virtual desktops, so they need to be secured from the myriad of threats out there.  When selecting an antivirus solution for virtual desktops, you need to understand the impact that it will have on I/O when it updates and scans.  You may also want to look at hypervisor-level security solutions using vShield Endpoint.

Once you have answers to these questions, you’ll be able to put together a design document with the following items:

  • Number of linked clone base images and/or full clone templates
  • Number and type of desktop pools
  • Number of desktops per pool
  • Number of Connection and Security Servers needed

If you’re following the methodology that VMware uses in their design exams, your desktop design document should provide you with your conceptual and logical designs.

Once you have a desktop design document,  you’ll be able to start the infrastructure design.  This phase would cover the physical hardware to run the virtual desktop environment, the network layer, storage fabric, and other infrastructure services such as antivirus.

The desktop design document will have a heavy influence on the decisions that are made when selecting components to implement Horizon View 6.  The components that are selected need to support and enable the type of desktop environment that you want to run.

In part four, we will cover Active Directory design for Horizon View environments.

Follow

Get every new post delivered to your Inbox.

Join 669 other followers