VMware View – Objective 2.3 Configure View Standard & Replica Connection Servers

Knowledge

  • Identify View Connection Server backup settings
  • Identify View Global Settings
  • Identify the account to connect to vCenter
  • Add View license settings
  • Modify Global Policies
  • Configure external URL settings
  • Identify View Connection Server general settings
  • Identify default roles, custom roles, and what permissions are available
  • Describe the use of folders within the View Connection Server

Identify View Connection Server Backup Settings

View Connection Server Backup Settings are located in View Configuration > Servers > Connection Servers.  You can perform a backup manually by Clicking on Backup Now

View Connection Backup 1

By default the Connection Server settings are backed up to C:\ProgramData\VMware\VDM\backups on a daily basis at midnight.  The default setting is to keep 10 backups.

This information can be viewed by Selecting the Connection Server and Clicking on Edit and Selecting the Backup Tab

View Connection Backup 2

Identify View Global Settings/Modify Global Settings

View Global Settings allow the configuration of items such as Session Timeouts and Pre Login Messages, and allow us to change the Data Recovery Password.

View Global Settings can be found at View Configuration > Global Settings

View Global Settings

View Global Settings can be modified by Clicking on Edit to change either the General or Security Settings

View Global Settings 2

Identify The Account To Connect To vCenter

This is the account that forms the ‘link’ between View Connection Server and vCenter.

The account can be found by going to View Configuration > Servers > vCenter Servers

View vCenter Account

Add View License Settings

To Add your View Licenses go to View Configuration > Product Licensing & Usage > Edit License

View License

Configure External URL Settings

When you configure the View Connection Server, the External URL is going to be the internal FQDN of the View Connection Server.

We want to change this to an External URL, but one which can also be resolved by internal clients.  To achieve this we need to go to View Configuration > Servers > Connection Servers > Edit > General and change the External URL.

Old URL: https://vmf-con01.vmfocus.local:443

New URL: https://view.vmfocus.com:443

View External URL

As we have changed the DNS name to something external, clients on the LAN won’t be able to resolve it in DNS.  So let’s create an Active Directory Forward Lookup Zone for vmfocus.com and add in the A record view.vmfocus.com

Jump onto your Domain Controller and open DNS

Expand Forward Lookup Zones and then Right Click New Zone

View External URL 2

Click Next

View External URL 3

We want to create a Primary Zone so Click Next

View External URL 4

The Primary Zone wants to be replicated ‘To all DNS servers running on domain controllers in this domain: vmfocus.local’

View External URL 5

We are going to name the zone ‘vmfocus.com’ and Click Next

View External URL 6

Select ‘Allow only secure dynamic updates’ and Click Next

View External URL 7

Hit Finish and the vmfocus.com Forward Lookup Zone will be created

View External URL 8

Go into the Forward Lookup Zone for vmfocus.com and add a New Host (A or AAAA)

View External URL 9

Enter the first part of your external DNS name, for me it’s ‘view’ and then the internal IP address of your View Connection Server.  Then Click Add Host

View External URL 10

Now go to ping your external DNS name and it should be resolving correctly.

View External URL 11
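The wizard steps above, scripted as an added example (not part of the original post). It assumes the DnsServer PowerShell module (Windows Server 2012 or later); the function names and the `-WholeZone` switch are made up for illustration. It also goes one step beyond the post: by default it creates a zone named after the single host, view.vmfocus.com, so the internal DNS servers do not become authoritative for every other public name under vmfocus.com.

```powershell
# Added example, not from the original post. Run on a domain controller
# that has the DnsServer module (Windows Server 2012 or later).
Import-Module DnsServer

function New-ViewSplitDnsRecord {
    param(
        [string]$HostLabel  = 'view',
        [string]$ParentZone = 'vmfocus.com',
        [Parameter(Mandatory = $true)]
        [string]$InternalIp,   # internal IP address of the View Connection Server
        [switch]$WholeZone     # hypothetical switch: reproduce the post's full zone
    )

    if ($WholeZone) {
        # Same result as the wizard: an AD-integrated vmfocus.com zone holding
        # a 'view' host record. Any other public name in vmfocus.com must then
        # be added here too, or internal clients will fail to resolve it.
        $zone   = $ParentZone
        $record = $HostLabel
    }
    else {
        # Narrower alternative: a zone for view.vmfocus.com only, with the A
        # record at the zone apex. All other vmfocus.com names keep resolving
        # through normal recursion.
        $zone   = "$HostLabel.$ParentZone"
        $record = '@'
    }

    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        # Domain replication scope and secure-only dynamic updates match the
        # choices made in the New Zone wizard.
        Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain -DynamicUpdate Secure
    }
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $record -IPv4Address $InternalIp
}

function Test-ViewSplitDns {
    param(
        [string]$Fqdn = 'view.vmfocus.com',
        [Parameter(Mandatory = $true)]
        [string]$ExpectedIp
    )
    # Equivalent of the ping test, but it also checks that the answer is the
    # internal address rather than whatever public DNS would return.
    $answers  = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop
    $resolved = @($answers | Where-Object { $_.Type -eq 'A' } |
                  ForEach-Object { $_.IPAddress })
    return ($resolved -contains $ExpectedIp)
}

# 192.0.2.10 is a constructed placeholder; use your Connection Server's IP.
# New-ViewSplitDnsRecord -InternalIp '192.0.2.10'
# Test-ViewSplitDns -ExpectedIp '192.0.2.10'
```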

Identify View Connection Server General Settings

I’m slightly ‘miffed’ by this one, I don’t really understand what VMware want.  I have searched through the Administration, Security and Install guides and I can’t see anything relevant.  So onto the next part.

Identify Default Roles, Custom Roles, and What Permissions Are Available

Roles and Permissions determine which items an administrator can see and which actions they can perform on objects.  If an administrator doesn’t have rights to view a certain item/area then it will not be visible.

As with vCenter, permissions can either be object specific or global.

View’s default roles are located within View Configuration > Administrators > Roles

View Roles

The Default Roles are:

  • Administrator
  • Administrator (Read Only)
  • Agent Registration Administrators
  • Global Configuration and Policy Administrator
  • Global Configuration and Policy Administrator (Read Only)
  • Inventory Administrator
  • Inventory Administrator (Read Only)

Custom Roles can be created by Clicking ‘Add Role’.  As you can see, View has a plethora of privileges.

View Roles 2

Then give the role a name, for instance ‘View Help Desk’, and choose what permissions it has e.g. ‘Manage Desktops’

View Roles 3

The Custom Role will then appear in the left hand side.  Don’t forget you need to apply the Permissions to the Custom Role, otherwise it err won’t work!

View Roles 4

Permissions are essentially who we apply the Custom Role privileges to.  Pretty much it’s going to be an Active Directory Security Group.

Select your Custom Role > Permissions > Add Permissions

View Roles 5

Click Add and then Select what Security Group you are going to apply the Permissions to.  I’m going to roll with ViewAdministrators

View Roles 6

View’s Permissions are based around Folders, so we need to choose which Folder (or Root) we want the Permissions to be applied to.  These ViewAdministrators are new, so they can only have access to the ‘Manual Pool’

View Roles 7

Quick recap: we have created a Custom Role called ‘View_Help_Desk’ which has the ‘Manage Desktops’ privilege.  The users who hold these Permissions on the ‘Manual Folder’ belong to the ‘ViewAdministrators’ Active Directory Security Group.

View Roles 8

Describe The Use Of Folders Within The View Connection Server

Folders are at the epicenter of View permissions.  As we assign Permissions to Folders, they should be designed in a logical format.

For example you may wish to have Folders that represent different Company Departments that have different View Desktops.  These View Desktops are then managed by different View Administrators.

Accounts Folder > Managed By > View Help Desk Team A

Marketing Folder > Managed By > View Help Desk Team B

Sales Folder > Managed By > View Help Desk Team C

The only time Folders don’t come into play is when you have a Global Privilege such as ‘Manage Global Configuration and Policies’.

VMware View – Objective 2.2 Configure VMware View Events Database

Knowledge

  • Explain the purpose of the Events Database
  • Identify minimum requirements for the Events Database
  • Identify which database server is being used (i.e., Oracle or SQL).
  • Determine port number
  • Configure the Events Database settings
  • Configure the connection to the Event database

Events Database

The Events Database is like ‘ronseal’ it does exactly what it says on the tin! It’s a repository of VMware View events held in a central location to allow the administrator to view the events for a period of time.  Note, that the time frame the events are held for is configurable.

Great, we have an events database, which is cool.  However, one feature which I have to say I’m amazed is not within VMware View is the ability to alert on events.  Within vCenter, when event X occurs you can send an email to your helpdesk or an SNMP notification.  In VMware View we can do err nothing!  I do hope this is addressed in future releases.

The Events Database has the same requirements as the database for View Composer.  To recap the requirements are a SQL database or Oracle database.  For SQL this can be 2005 or 2008 and for Oracle both 10g or 11g can be used.   Both can be on the same instance as the vCenter database.

Installing Events Database

For this installation, I’m using SQL 2008 Express, I have created a database called ViewEvents and service.vmware has DBO rights.  If you are unsure on how to do this, I wrote a guide which can be found here under SQL Configuration.

The really cool thing is this is the first VMware product that we don’t have to mess about with creating a DSN, it’s all done from within the View Connection Server, boom!

Access your View Connection Administrator Console by going to https://servername/admin then to View Configuration > Event Configuration and then click on Edit

Event Database 1

As I’m using SQL Express, it doesn’t use Port 1433; it uses a dynamic one.  So before we complete the Event Database information we need to check this.

Jump onto your vCenter Server and access SQL Server Configuration Manager and Expand ‘SQL Server Network Configuration’ and you should see ‘Protocols for VIM_SQLEXP’.

Event Database 2

Right Click TCP/IP and Select Properties

Event Database 3

Select the IP Addresses Tab and scroll all the way to the bottom and you will see our ‘friend’ TCP Dynamic Ports with your number.

Event Database 4

Now we have the Port number we can complete the Event Database information as follows:

Database Server: VMF-ADMIN01\VIM_SQLEXP

Port: 49237 (your Dynamic Port number)

Database Name: ViewEvents

User Name: service.vmware

Password: Password

Confirm Password: Password

Table Prefix: CON01

The Table Prefix allows you to have one Events Database shared by many Connection Servers.  So the prefix in mine is CON01 which stands for VMF-CON01 which is my first View Connection Server.

Event Database 5

Hit OK, and we get a lovely error! ‘An error occurred while attempting to configure the database.  Double check the database parameters and ensure that the database is not down, restarting, or otherwise unavailable’.

Error

I spent a lot of time troubleshooting this starting with the basics which was telnet from the VMF-CON01 to VMF-ADMIN01 on Port 49237 which worked.  I then created a DSN on VMF-CON01 connecting to VMF-ADMIN01 and this also worked.  So it was time to hit google! I followed these resources:

  • VMware KB 1029537 Configuring VMware View Event database fails with the error: An error occurred while attempting to configure the database*
  • This article by Jason Langone, which was very informative but didn’t fix my issue.

*Note don’t change your SQL Port to 1433 from Dynamic as you will find that your vCenter Services won’t start.

I was still in the same boat, so it was time to hit the View Connection Server log files to dig a bit deeper.  These are located in C:\ProgramData\VMware\VDM\logs if you used the default installation location.  Now searching through log files is painful, so to narrow it down I start from the bottom (most recent events) and search for the keyword SQL.  This is where I found the golden gem that is

‘SQL exception when connecting to database: Login failed for user ‘service.vmware’

Now I was really puzzled as my DSN connected correctly without any issues.  That’s when the light bulb went off, maybe the Events Database uses SQL Authentication rather than Windows Authentication.  Checking the DSN again I used SQL Authentication with a random account I created and it worked.
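The three checks from this troubleshooting story (port reachable, login accepted, what the log says) as one added PowerShell example, not part of the original post. The server, port, database and log path are the lab values used above; the function names are made up for illustration, and the login test uses SQL Server Authentication because that is what the Events Database connection turned out to need.

```powershell
# Added example, not from the original post. Function names are hypothetical.
function Test-EventDbLogin {
    param(
        [string]$Server   = 'VMF-ADMIN01',
        [int]   $Port     = 49237,        # the instance's TCP Dynamic Port
        [string]$Database = 'ViewEvents',
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]$SqlCredential
    )

    # Step 1: plain TCP reachability, which is all the telnet test proved.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try     { $tcp.Connect($Server, $Port) }
    catch   { return "TCP connect to ${Server}:$Port failed: $($_.Exception.Message)" }
    finally { $tcp.Close() }

    # Step 2: log in with SQL Server Authentication (User ID/Password in the
    # connection string). A DSN tested with Windows Authentication exercises
    # a different code path and can succeed while this one fails.
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $b['Data Source']     = "$Server,$Port"
    $b['Initial Catalog'] = $Database
    $b['User ID']         = $SqlCredential.UserName
    $b['Password']        = $SqlCredential.GetNetworkCredential().Password
    $b['Connect Timeout'] = 5

    $conn = New-Object System.Data.SqlClient.SqlConnection $b.ConnectionString
    try {
        $conn.Open()
        return "SQL Authentication login succeeded for '$($SqlCredential.UserName)'"
    }
    catch {
        $e = $_.Exception.GetBaseException()
        # 18456 is SQL Server's "Login failed for user" error number.
        if ($e -is [System.Data.SqlClient.SqlException] -and $e.Number -eq 18456) {
            return "Port is open but SQL login was rejected: $($e.Message)"
        }
        return "Connection failed: $($e.Message)"
    }
    finally { $conn.Dispose() }
}

function Get-RecentSqlLogLines {
    param(
        [string]$LogDir = 'C:\ProgramData\VMware\VDM\logs',
        [int]   $Last   = 20
    )
    # Newest log file first, then the last few lines that mention SQL:
    # the "start from the bottom" search described above.
    $newest = Get-ChildItem -Path $LogDir |
              Where-Object { -not $_.PSIsContainer } |
              Sort-Object LastWriteTime -Descending |
              Select-Object -First 1
    Select-String -Path $newest.FullName -Pattern 'SQL' -SimpleMatch |
        Select-Object -Last $Last
}

# Run from the View Connection Server:
# Test-EventDbLogin -SqlCredential (Get-Credential)
# Get-RecentSqlLogLines
```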

With this in mind, I created a SQL Authentication Login called ‘service.view’ using the following settings:

  • Untick Enforce password policy
  • Untick User must change password at next login
  • Untick Enforce password expiration

Error 1

Next I created a Database called ViewEvents and made ‘service.view’  the Owner

Error 2

Back into Logins > service.view > Properties and change the Default database to ViewEvents and Hit OK

Error 3

Let’s give it another whirl shall we.  Jump back onto your View Connection Server and go into View Configuration > Event Configuration > Edit and enter the following details:

Database Server: VMF-ADMIN01\VIM_SQLEXP

Port: 49237 (your Dynamic Port number)

Database Name: ViewEvents

User Name: service.view

Password: Password

Confirm Password: Password

Table Prefix: CON01

Event Database 6

Hit OK, and boom, it has worked!

Event Database 7

We are now in a position to change the Event Settings or in other words how long we can see stuff for.  The default setting allows 3 Months of events to be shown within View Administrator and an event is classified as new for 2 Days.

These can be changed by clicking on Edit and selecting the desired values.

Event Database 8

This has been a slightly longer than expected blog post, but it’s great when things go wrong as ultimately you end up learning more!

VMware View – Objective 2.1 Configure View Composer

Knowledge

  • Identify default View Composer port settings
  • Identify domain accounts used for QuickPrep
  • Identify the vCenter Server system
  • Identify necessary account domain permissions and domain trust relationships
  • Enable View Composer from View Administrator and add domain account(s)

We installed View Composer in Objective 1.1, now it’s time to configure this badboy!

Identify Default View Composer Port Settings

This is quite an easy one, the default port to allow View Composer to speak to vCenter is 18443.

Composer Default Port

Identify Domain Accounts Used For QuickPrep

So what is QuickPrep? Well, it’s VMware’s version of sysprep but on steroids.  You may have noticed that when you perform a sysprep it does take quite a while, as the VM goes through various stages of configuration and performs a full clone of the template VM.  QuickPrep doesn’t go into the same level of detail, instead it:

  • Creates a new Computer Account in Active Directory in the relevant OU
  • Gives each Virtual Desktop a unique name
  • Joins the Virtual Desktop to the domain

Interestingly, according to VMware KB 2003797 Quick Prep doesn’t create a new SID.

Let’s create a Service Account with the relevant rights to use Quick Prep.  In Active Directory create a new user, I’m going to call mine service.viewcomposer

View Composer Service Account

Next we need to give this Service Account rights to Create and Delete Computer Objects in Active Directory.  Depending on your Organisational Unit structure, you might do this on specific OUs or on the whole domain.  I’m going to do it on the whole domain as it’s easier for lab purposes.

TOP TIP: Ensure View > Advanced Features is ticked

Right Click your Domain in Active Directory Users & Computers and Click Properties

View Composer Configure 1

Select the Security Tab and click Advanced (I don’t know why but hitting Advanced gives me a sense of power!)

View Composer Configure 5

Hit Add

View Composer Configure 6

Enter in your Service Account name, Check the name and then Hit OK

View Composer Configure 7

Ensure that ‘Apply to’ is ‘This object and all descendant objects’ and Permissions are ‘Create Computer Objects’ and ‘Delete Computer Objects’.  Once you have done this Click On Properties

View Composer Configure 8

We are going to apply the permissions to ‘Write all properties’ Hit OK.  You will notice that various other permissions are auto populated.

View Composer Configure 9

Identify The vCenter Server System

Login to your View Connection Server and go to View Configuration > Servers > vCenter Servers which will tell you your vCenter Server.  Mine is VMF-ADMIN01

View Composer Configure 10

Identify Necessary Account Domain Permissions & Domain Trust Relationships

View Composer requires specific permissions within Active Directory which are:

  • List Contents
  • Read All Properties
  • Write All Properties
  • Read Permissions
  • Create Computer Objects
  • Delete Computer Objects

Using the methodology above, we need to create a Service Account with these permissions.  As I don’t want to repeat myself, a bit like Blue Peter, here is one I made earlier which is called service.view
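The same six permissions delegated on a single OU instead of the whole domain, as an added example that is not part of the original post. It uses the built-in dsacls tool; the OU path (the ‘View Desktops’ OU placed at the domain root), the NetBIOS domain name VMFOCUS and the function name are assumptions, and ‘Write All Properties’ is limited here to computer objects, which is narrower than the GUI steps above.

```powershell
# Added example, not from the original post. OU path, NetBIOS name and
# function name are assumptions for the vmfocus.local lab.
function Grant-QuickPrepDelegation {
    param(
        [string]$Ou      = 'OU=View Desktops,DC=vmfocus,DC=local',
        [string]$Account = 'VMFOCUS\service.viewcomposer'
    )

    # /I:T = this object and all descendant objects
    # /I:S = descendant objects only
    # LC = List Contents, RP = Read All Properties, RC = Read Permissions
    dsacls $Ou /I:T /G "${Account}:LCRPRC"

    # CC / DC restricted to the 'computer' class = Create Computer Objects
    # and Delete Computer Objects, nothing else can be created or deleted.
    dsacls $Ou /I:T /G "${Account}:CCDC;computer"

    # WP with an inherited object type of 'computer' = Write All Properties,
    # but only on computer objects beneath the OU.
    dsacls $Ou /I:S /G "${Account}:WP;;computer"
}

function Get-QuickPrepDelegation {
    param(
        [string]$Ou      = 'OU=View Desktops,DC=vmfocus,DC=local',
        [string]$Account = 'VMFOCUS\service.viewcomposer'
    )
    # List the ACEs on the OU that mention the service account, so the
    # delegation can be reviewed (or compared after a change).
    dsacls $Ou | Select-String -SimpleMatch $Account
}

# Run as a Domain Admin from a machine with the AD DS tools installed:
# Grant-QuickPrepDelegation
# Get-QuickPrepDelegation
```

Pools provisioned by View Composer must then place their desktops in this OU, since the account holds no rights anywhere else in the domain.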

Enable View Composer From View Administrator & Add Domain Account(s)

Awesome, now it’s time to enable View Composer.

Login to your View Connection Server and go to View Configuration > Servers > Select your vCenter Servers > Edit

View Composer Configure 11

Click Enable View Composer (I have already done this) so I can only Click on Edit

View Composer Configure 12

We are going to use View Composer co-installed with vCenter Server on Port 18443

View Composer Configure 13

Lastly, we are going to add in our Active Directory Domain by Clicking Add

View Composer Configure 14

Enter in your Domain Name as an FQDN and type your View Composer Service Account credentials in.  Then Hit OK.

View Composer Configure 15

VMware View – Objective 1.3 Install View Transfer Server

Knowledge

  • Identify minimum hardware and software requirements for installation
  • Identify required firewall rules
  • Navigate the View Connection Server installation wizard

Hardware Requirements

Processor  2 vCPU

Memory 4GB RAM Minimum Server 2008 R2 and 2GB RAM Minimum Server 2003 R2

SCSI Controller LSI Logic Parallel

Operating System – Software Requirements

Windows Server 2008 R2 64 Bit Standard or Enterprise

Windows Server 2003 R2 32 Bit Standard or Enterprise

Storage Requirements

The Transfer Server connects to the ‘image library’ which is essentially the holding place for all virtual desktop images which have been configured to run in ‘Local Mode’.

With the above in mind, the Transfer Server must have:

  • Enough space to hold a copy of the ‘image library’
  • Access to the datastore that holds the virtual desktop disks

Firewall Rules

It is important to note that the Transfer Server does not secure TCP transactions.  So we might want to think about configuring ‘Local Mode’ to only allow updates when the user is connected to the LAN.

The ports that are required to be opened inbound to the Transfer Server are:

  • Port 80
  • Port 443

Transfer Server Installation

As with previous posts, it’s a good idea to start with what the Transfer Server does.  In a nutshell it allows users to take their Virtual Desktops offline and use them in what’s known as ‘Local Mode’.

The Virtual Desktop is downloaded to the user’s machine (which you probably would want to do on the LAN) and is then available offline.  Any changes are held in a snapshot.  When the user is back online, the data is synced back to the Transfer Server.

A couple of items before we go over the installation process:

  • Transfer Server has to be installed on its own VM
  • You can have multiple Transfer Servers for load balancing

VMware have an excellent KB 2032741 which covers how Local Mode works.

I haven’t followed the specification guidelines as I’m installing it in my lab, instead I have created a server called VMF-TR01 with the following specification:

1 x vCPU

4 GB RAM

1 x vNIC

1 x LSI Logic Parallel SCSI Controller

1 x 30GB Thin Provisioned HDD for Operating System

1 x 100GB Thin Provisioned HDD for Image Repository

VMF-TR01

The VMware View Transfer Server is part of the VMware View Connection Server installation, which can be downloaded from here.  As at the time of this blog post, the most recent version is VMware-viewconnectionserver-x86_64-5.1.2-928164.exe

Launch the View Connection Server installer on your Transfer Server and click Next

View Instal 1

Accept the EULA and Click Next

View Install 2

Choose the installation location, in most setups I tend to leave this as the default.

View Install 3

We are going to install a View Transfer Server, click Next

Transfer 1

We now need to enter the following details:

  • Network Domain, in my case vmfocus.local
  • Server Name, I’m rolling with VMF-TR01.vmfocus.local
  • Administrators Email Address, mine is admin@vmfocus.com

Once you are happy these are right, Click Next

Transfer 2

Good old Windows Firewall makes an entrance, select ‘Configure Windows Firewall Automatically’

Transfer 3

That was rather quick, we can Click Install

Transfer 4

Boom, the Transfer Server installation is complete

Transfer 5

Naturally, we have to configure the Transfer Server, but we will leave that for Objective 2.5

VMware View – Objective 1.5 Preparing Active Directory For Installation

Knowledge

  • Describe characteristics of required Active Directory domain accounts (e.g., permissions).
  • Describe characteristics of required Active Directory groups
  • Identify and describe the GPO template files
  • Describe Organizational Units (OUs) for machine accounts and kiosk mode client accounts
  • Verify trust relationships

Active Directory Requirements

Each View Connection Server must belong to an Active Directory domain, in my case this is vmfocus.local.  The View Connection Server must be a member server and not a domain controller (same requirements for vCenter Server).

Note, the View Connection Server can be located in a different domain as long as you have a two way trust relationship in place.

Active Directory Security Groups are used to specify which users are allowed to access which desktops and pools.  Active Directory Security Groups are also used to define which users are allowed to administer the View Connection Server.  To make things simple, I have created two Security Groups:

  • ViewAdministrators
  • ViewUsers

ViewSecurityGroup

Note, Security Servers reside in the DMZ and as such are not required to be part of an Active Directory domain.

Organizational Units should be created for View Desktops, to ensure that only specific Group Policy Objects are applied to them.  As you can see I have created one called ‘View Desktops’.

Different OUs should be used for Kiosk/Thin Clients, as different Group Policy Objects will be applied to them, e.g. a kiosk/thin client would be locked down so only View can be launched, whereas on a normal laptop or desktop the Group Policy Object would be less restrictive.

View AD

Template Files

VMware View comes with a number of Administrative Templates which have common configuration settings to make our life a bit easier!

These can be found on your View Connection Server under …\VMware\VMware View\Server\extras\GroupPolicyFiles

To import the ADM template files, launch Group Policy Management

GPO1

Right Click Group Policy Objects and click New

GPO2

Give the new Group Policy Object a name, in my case, I’m going to roll with ‘View Common’ then hit OK

GPO3

Now we are going to Right Click and Edit the ‘View Common’ Group Policy

GPO4

Double Click ‘Computer Configuration’ then expand ‘Policies’ and lastly Right Click Administrative Templates and select Add/Remove Template

GPO5

Click Add

GPO6

Browse to the location on your View Connection Server and select the ADM template you want to add.  In this example, we are going to use vdm_common.adm by going to \\VMF-CON01\c$\Program Files\VMware\VMware View\Server\extras\GroupPolicyFiles

GPO7

If you have been successful, you should see the ‘vdm_common’ ADM in your Add/Remove Templates dialogue box.

GPO8

To verify the ‘vdm_common’ ADM expand Administrative Templates > Classic Administrative Templates (ADM) and you should see VMware View Common Configuration

GPO9

Rinse and repeat for the rest of the View ADM templates you want to import.

TOP TIP: Create a GPO for each View ADM Template, to make management easier.

GPO10

Remote Desktop Users

To allow users access to their View Desktop, we need to give them the Remote Desktop Users rights.  Does this mean that each user has access to any desktop? Nope, as the connection still goes via the ‘View Connection Server’ which checks rights to access the relevant desktop.

The easiest and most effective way to grant ‘Remote Desktop User’ rights is to use Restricted Groups.

Create a new Group Policy Object, I’m going to call mine ‘Remote Desktop Users’, I know very original!

Edit the GPO, and browse to Computer Configuration > Windows Settings > Security Settings > Restricted Groups

Restricted Groups 1

Right Click anywhere on the right hand side and Select Add Group

Restricted Groups 2

Type in Remote Desktop Users and hit OK

Restricted Groups 3

Now we need to specify who is going to be a member of the Remote Desktop Users group.  Click Add from the ‘Members of this group’ dialog box.

Restricted Groups 4

To keep things simple, I’m going to add ‘Domain Users’

Restricted Groups 5

Hit OK and you will see ‘Members of this group’ has been updated to include ‘Domain Users’.

Restricted Groups 6

Now you need to link the ‘Remote Desktop Users’ GPO to the appropriate OU in your Active Directory environment.