VMware View – Objective 2.5 – Configure View Transfer Servers

Knowledge

  • Identify Transfer Server repository
  • Identify vCenter Server that contains the Transfer Server
  • Identify the Transfer Server virtual machine

I’m not going to follow protocol on this blog post, as I want to show you the configuration steps; by doing this you will see that we cover the objectives above with ease.

The Transfer Server Repository is the location for your Linked Clone Replicas (the snapshot of your original Operating System) or your Manual Desktop Pool.  It’s worthwhile noting that the Transfer Server can only be used with Dedicated Desktops, not Floating Desktops.

If you are rolling with Linked Clones, then you need to Publish your Snapshot which is the base image for your Linked Clone Pool.

Couple of caveats before we move forward:

  • Make sure your VM is running Hardware Version 7 (at the time of this post 8 is meant to be supported but I haven’t tested it yet).
  • Make sure that your Transfer Server SCSI Controller is set to LSI Logic Parallel

The Transfer Server Repository can be a network share located on another server or NAS, or in my case it’s an extra VMDK added to the VMF-TR01.

I have already added my Transfer Server into View to make sure I had it working before I did a blog post!

However, the process to enable the Transfer Server is fairly straightforward: go to View Configuration > Servers > Transfers, Select Add and choose your vCenter Server.

View Transfer 1

Select your Transfer Server from the drop down list and Click Finish

View Transfer 2

Next we need to add some images to our Repository, so click on Transfer Server Repository and Click Edit and we get an epic failure ‘the settings for the Transfer Server repository cannot be edited until all the Transfer Servers are placed into maintenance mode’.

View Transfer 3

Simple fix, we just need to do what View tells us and Enter Maintenance Mode.  While in Maintenance Mode no new transfers will be able to take place, so bear this in mind in production.

View Transfer 4

Cool, now we are in Maintenance Mode, we can add an Image to our Repository.  First thing we are going to do is add another HDD to our Transfer Server.  You can see that I have added a 100GB VMDK Thinly Provisioned

View Transfer 5

In this instance, I have created a D: Partition called Data and a Folder named ‘TransferServerRepository’

View Transfer 6

This folder has then been shared out and I have given the Active Directory User ‘service.view’ Read, Write and Modify permissions.

Back to View Administrator and we want to Edit the Transfer Server Repository and enter the following details:

  • Network Share \\vmf-tr01\TransferServerRepository
  • User Name service.view
  • Password Password
  • Domain vmfocus.local

View Transfer 7

Now we need to Publish our Snapshot to the Transfer Server Repository.  Hit the Contents Tab and Click Publish and we get another epic fail ‘Publishing is not enabled because no Transfer Servers are currently working properly’.

View Transfer 8

The reason being we are still in ‘Maintenance Mode’, so let’s ‘Exit Maintenance Mode’ and try again.

Cool, select your View Composer Image and Click OK (mine’s already been uploaded).

View Transfer 9

This is going to take quite a while, so it might be worth grabbing a cup of tea.

Once it’s all done you should see that the Image is Published and the Transfer Server is Ready.

View Transfer 10

That’s this objective done, we play around with the Transfer Server in a bit more detail during Objective 2.10

VMware View – Objective 2.4 Configure View Security Server

Knowledge

  • Configure View Connection Server backup settings
  • Identify external URL settings
  • Identify PCoIP secure gateway
  • Identify View Connection Server general settings
  • Edit View Security Server settings

Configure View Connection Server Backup Settings

So what actually needs backing up? Well the following components

  • View Connection Server
  • View Connection Server Active Directory Lightweight Directory Service
  • View Composer Database
  • View Security Server

We covered where to find the backup settings and how to backup the View Connection Server in VMware View – Objective 2.2 Configure View Standard & Replica Connection Servers.

The good news is that in this backup location we also have a copy of the View Connection Server Active Directory Lightweight Directory Service.

You can confirm this by accessing your View Connection Server and browsing to C:\ProgramData\VMware\VDM\backups

View Backups

To backup the View Composer Database you can do this manually by stopping the View Composer Service and then logging into SQL Server Management Studio and Right Click the Database selecting Tasks and then Backup.

View Backups 2

However, most likely you wouldn’t want to stop the View Composer Service as Linked Clone Desktops won’t be available. Rather you would use a product such as Veeam or Unitrends to create a VSS Snapshot of your SQL Server instead.

Last of all VMware recommend you backup your Security Server on a monthly basis, as the server is static (data doesn’t change).

Identify External URL Settings

To allow remote users to access their View Desktop we need to enable access from the outside world.   This is where the External URL Settings come into play.

We need to use a Public IP Address which has an A record assigned to it e.g.

12.89.23.1 = view.vmfocus.com

This Public IP Address then needs to be routed and NAT’d to our View Security Server on Ports:

  • TCP 443 Inbound
  • TCP 4172 Inbound
  • UDP 4172 Inbound

To find the location of your External URL Settings go to View Configuration > Servers > Security Servers > Edit

View External URL

As you can see, I have updated mine already to https://view.vmfocus.com:443 and 12.89.23.1:4172

Identify PCoIP Secure Gateway

I mentioned back when we installed the Security Server that the PCoIP Gateway wasn’t enabled. So what is the PCoIP Secure Gateway?

Well it allows secure connections to your View Desktop remotely.  No VPN Client software required, how awesome is that?

To enable PCoIP Secure Gateway go to View Configuration > Servers > General and place a tick in ‘Use PCoIP Secure Gateway for PCoIP connections to desktop’.

PCoIP Secure Gateway

Note, when you have the Security Server role installed all connections go via this rather than to the Connection Server.

Identify View Connection Server General Settings

I’m slightly ‘miffed’ by this one, I don’t really understand what VMware want.  I have searched through the Administration, Security and Install guides and I can’t see anything relevant.  So onto the next part.

Edit View Security Server Settings

The Security Server Settings are located under View Configuration > Servers > Security Servers > Select Security Server > Edit

Security Server 1

Not a huge amount to see really, the only items we can change are the External URL and the Public IP Address.  We covered both of these earlier on in this blog post.  So it’s time to move onto the next objective.

VMware View – Objective 2.3 Configure View Standard & Replica Connection Servers

Knowledge

  • Identify View Connection Server backup settings
  • Identify View Global Settings
  • Identify the account to connect to vCenter
  • Add View license settings
  • Modify Global Policies
  • Configure external URL settings
  • Identify View Connection Server general settings
  • Identify default roles, custom roles, and what permissions are available
  • Describe the use of folders within the View Connection Server

Identify View Connection Server Backup Settings

View Connection Backup Settings are located in View Configuration > Servers > Connection Servers.  You can perform a Backup manually by Clicking on Backup Now.

View Connection Backup 1

By default the Connection Server settings are backed up to C:\ProgramData\VMware\VDM\backups on a daily basis at midnight.  The default setting is to keep 10 backups.

This information can be viewed by Selecting the Connection Server and Clicking on Edit and Selecting the Backup Tab

View Connection Backup 2

Identify View Global Settings/Modify Global Settings

View Global Settings allow the configuration of items such as Session Timeouts and Pre Login Messages, and allow us to change the Data Recovery Password.

View Global Settings can be found at View Configuration > Global Settings

View Global Settings

View Global Settings can be modified by Clicking on Edit to change either the General or Security Settings

View Global Settings 2

Identify The Account To Connect To vCenter

This is the account that forms the ‘link’ between View Connection Server and vCenter.

The account can be found by going to View Configuration > Servers > vCenter Servers

View vCenter Account

Add View License Settings

To Add your View Licenses go to View Configuration > Product Licensing & Usage > Edit License

View License

Configure External URL Settings

When you configure the View Connection Server, the External URL is going to be the internal FQDN of the View Connection Server.

We want to change this to be an External URL, but one which can be resolved by internal clients.  To achieve this we need to go to View Configuration > Servers > Connection Servers > Edit > General and change the External URL.

Old URL: https://vmf-con01.vmfocus.local:443

New URL: https://view.vmfocus.com:443

View External URL

As we have changed the DNS name to something external it won’t be able to resolve it in DNS on the LAN.  So let’s create an Active Directory Forward Lookup Zone for vmfocus.com and add in the A record view.vmfocus.com

Jump onto your Domain Controller and open DNS

Expand Forward Lookup Zones and then Right Click New Zone

View External URL 2

Click Next

View External URL 3

We want to create a Primary Zone so Click Next

View External URL 4

The Primary Zone wants to be replicated ‘To all DNS servers running on domain controllers in this domain: vmfocus.local’

View External URL 5

We are going to name the zone ‘vmfocus.com’ and Click Next

View External URL 6

Select ‘Allow only secure dynamic updates’ and Click Next

View External URL 7

Hit Finish and the vmfocus.com Forward Lookup Zone will be created

View External URL 8

Go into the Forward Lookup Zone for vmfocus.com and add a New Host (A or AAAA)

View External URL 9

Enter the first part of your external DNS name, for me it’s ‘view’ and then the internal IP address of your View Connection Server.  Then Click Add Host

View External URL 10

Now go to ping your external DNS name and it should be resolving correctly.

View External URL 11
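The same zone and record can be created and checked from PowerShell. This is an added example, not part of the original post: it assumes the DnsServer module (Windows Server 2012 or later) on a domain controller, the internal IP is a documentation placeholder, and `www` is a hypothetical public-only name used to show that the new zone now answers for every name under vmfocus.com.

```powershell
# Added example, not from the original post. Run elevated on a domain controller
# that has the DnsServer module (Windows Server 2012 or later).
$Zone       = 'vmfocus.com'
$HostLabel  = 'view'
$InternalIp = '192.0.2.10'   # placeholder: internal IP of your View Connection Server

# AD-integrated primary zone, replicated to all DNS servers in the domain,
# secure dynamic updates only (the same choices as the wizard steps above).
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
}

# A record view.vmfocus.com -> internal address; skipped if one already exists.
$record = Get-DnsServerResourceRecord -ZoneName $Zone -Name $HostLabel -RRType 'A' `
              -ErrorAction SilentlyContinue
if (-not $record) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $HostLabel -IPv4Address $InternalIp
}

# Ask this DNS server directly, so a cached public answer cannot hide a mistake.
$answer = Resolve-DnsName -Name "$HostLabel.$Zone" -Type A -Server 127.0.0.1 -DnsOnly
if ($answer.IPAddress -contains $InternalIp) {
    "$HostLabel.$Zone resolves internally to $InternalIp"
} else {
    Write-Warning "$HostLabel.$Zone resolves to $($answer.IPAddress -join ', '), expected $InternalIp"
}

# The server is now authoritative for the whole zone: a name that exists only in
# public DNS (hypothetical example: www) stops resolving for internal clients
# until it is added to this zone as well.
$shadowed = Resolve-DnsName -Name "www.$Zone" -Type A -Server 127.0.0.1 -DnsOnly `
                -ErrorAction SilentlyContinue
if (-not $shadowed) {
    Write-Warning "www.$Zone does not resolve internally; add any public names your users need."
}
```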

Identify View Connection Server General Settings

I’m slightly ‘miffed’ by this one, I don’t really understand what VMware want.  I have searched through the Administration, Security and Install guides and I can’t see anything relevant.  So onto the next part.

Identify Default Roles, Custom Roles, and What Permissions Are Available

Roles and Permissions enable the administrator to see items and also perform actions on objects.  If an administrator doesn’t have rights to view a certain item/area then this will not be visible.

As with vCenter, permissions can either be object specific or global.

View’s default roles are located within View Configuration > Administrators > Roles

View Roles

The Default Roles are:

  • Administrator
  • Administrator (Read Only)
  • Agent Registration Administrators
  • Global Configuration and Policy Administrator
  • Global Configuration and Policy Administrator (Read Only)
  • Inventory Administrator
  • Inventory Administrator (Read Only)

Custom Roles can be created by Clicking ‘Add Role’ As you can see View has a plethora of privileges.

View Roles 2

Then giving the role a name for instance ‘View Help Desk’ and choosing what permissions they have e.g. ‘Manage Desktops’

View Roles 3

The Custom Role will then appear in the left hand side.  Don’t forget you need to apply the Permissions to the Custom Role, otherwise it err won’t work!

View Roles 4

Permissions are essentially who we apply the Custom Role privileges to.  Pretty much it’s going to be an Active Directory Security Group.

Select your Custom Role > Permissions > Add Permissions

View Roles 5

Click Add and then Select what Security Group you are going to apply the Permissions to.  I’m going to roll with ViewAdministrators

View Roles 6

View’s Permissions are based around Folders, so we need to choose which Folder (or Root) that we want the Permissions to be applied to.  These ViewAdministrators are new, so they can only have access to the ‘Manual Pool’

View Roles 7

Quick recap, we have created a Custom Role called ‘View_Help_Desk’ who have Permissions to ‘Manage Desktops’.  The users who can apply the Permissions to the ‘Manual Folder’ belong to the ‘ViewAdministrator’ Active Directory Security Group.

View Roles 8

Describe The Use Of Folders Within The View Connection Server

Folders are at the epicenter of View permissions.  As we assign Permissions to Folders, they should be designed in a logical format.

For example you may wish to have Folders that represent different Company Departments that have different View Desktops.  These View Desktops are then managed by different View Administrators.

Accounts Folder > Managed By > View Help Desk Team A

Marketing Folder > Managed By > View Help Desk Team B

Sales Folder > Managed By > View Help Desk Team C

The only time Folders don’t come into play is when you have a Global Privilege such as ‘Manage Global Configuration and Policies’.

VMware View – Objective 2.2 Configure VMware View Events Database

Knowledge

  •  Explain the purpose of the Events Database
  • Identify minimum requirements for the Events Database
  • Identify which database server is being used (i.e., Oracle or SQL).
  • Determine port number
  • Configure the Events Database settings
  • Configure the connection to the Event database

Events Database

The Events Database is like ‘ronseal’ it does exactly what it says on the tin! It’s a repository of VMware View events held in a central location to allow the administrator to view the events for a period of time.  Note, that the time frame the events are held for is configurable.

Great we have an events database which is cool, however, one feature which I have to say, I’m amazed is not within VMware View is the ability to alert on events.  Within vCenter event X occurs you can send an email to your helpdesk or an SNMP notification.  In VMware View we can do err nothing!  I do hope this is addressed in future releases.

The Events Database has the same requirements as the database for View Composer.  To recap the requirements are a SQL database or Oracle database.  For SQL this can be 2005 or 2008 and for Oracle both 10g or 11g can be used.   Both can be on the same instance as the vCenter database.

Installing Events Database

For this installation, I’m using SQL 2008 Express, I have created a database called ViewEvents and service.vmware has DBO rights.  If you are unsure on how to do this, I wrote a guide which can be found here under SQL Configuration.

The really cool thing is this is the first VMware product that we don’t have to mess about with creating a DSN, it’s all done from within the View Connection Server, boom!

Access your View Connection Administrator Console by going to https://servername/admin then to View Configuration > Event Configuration and then click on Edit

Event Database 1

As I’m using SQL Express, this means it doesn’t use Port 1433; it uses a dynamic one.  So before we complete the Event Database information we need to check this.

Jump onto your vCenter Server and access SQL Server Configuration Manager and Expand ‘SQL Server Network Configuration’ and you should see ‘Protocols for VIM_SQLEXP’.

Event Database 2

Right Click TCP/IP and Select Properties

Event Database 3

Select the IP Addresses Tab and scroll all the way to the bottom and you will see our ‘friend’ TCP Dynamic Ports with your number.

Event Database 4

Now we have the Port number we can complete the Event Database information as follows:

Database Server: VMF-ADMIN01\VIM_SQLEXP

Port: 49237 (your Dynamic Port number)

Database Name: ViewEvents

User Name: service.vmware

Password: Password

Confirm Password: Password

Table Prefix: CON01

The Table Prefix allows you to have one Events Database shared by many Connection Servers.  So the prefix in mine is CON01 which stands for VMF-CON01 which is my first View Connection Server.

Event Database 5

Hit OK, and we get a lovely error! ‘An error occurred while attempting to configure the database.  Double check the database parameters and ensure that the database is not down, restarting, or otherwise unavailable’.

Error

I spent a lot of time troubleshooting this starting with the basics which was telnet from the VMF-CON01 to VMF-ADMIN01 on Port 49237 which worked.  I then created a DSN on VMF-CON01 connecting to VMF-ADMIN01 and this also worked.  So it was time to hit google! I followed these resources:

  • VMware KB 1029537 Configuring VMware View Event database fails with the error: An error occurred while attempting to configure the database*
  • This article by Jason Langone, which was very informative but didn’t fix my issue.

*Note don’t change your SQL Port to 1433 from Dynamic as you will find that your vCenter Services won’t start.

I was still in the same boat, so it was time to hit the View Connection Server log files to dig a bit deeper.  These are located in C:\ProgramData\VMware\VDM\logs if you used the default installation location.  Now searching through log files is painful so to narrow it down, I start from the bottom (most recent events) and search for the keyword SQL.  This is where I found the golden gem that is

‘SQL exception when connecting to database: Login failed for user ‘service.vmware’’

Now I was really puzzled as my DSN connected correctly without any issues.  That’s when the light bulb went off, maybe the Events Database uses SQL Authentication rather than Windows Authentication.  Checking the DSN again I used SQL Authentication with a random account I created and it worked.
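The troubleshooting sequence above (port test, login test, log search) can be run as one script from the Connection Server, which shows immediately whether it is Windows or SQL authentication that fails. This is an added example, not part of the original post; it uses the server, port, database and log path from this post and prompts for the login and password.

```powershell
# Added example, not from the original post. Run on the View Connection Server.
Add-Type -AssemblyName System.Data
$Server   = 'VMF-ADMIN01'
$Port     = 49237                      # your TCP Dynamic Port
$Database = 'ViewEvents'
$LogDir   = 'C:\ProgramData\VMware\VDM\logs'

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)     # throws if the connection was refused
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Test-SqlLogin {
    param([hashtable]$Auth)            # authentication keywords for the connection string
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $b['Data Source']     = "tcp:$Server,$Port"
    $b['Initial Catalog'] = $Database
    $b['Connect Timeout'] = 5
    foreach ($k in $Auth.Keys) { $b[$k] = $Auth[$k] }
    $conn = New-Object System.Data.SqlClient.SqlConnection ($b.ToString())
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT SUSER_SNAME()'
        return "OK, connected as $($cmd.ExecuteScalar())"
    } catch {
        return "FAILED: $($_.Exception.Message)"
    } finally { $conn.Dispose() }
}

function Get-RecentLogMatch {
    # Newest log file only, last matches first in time order, as in the manual search.
    param([string]$Path, [string]$Pattern = 'SQL', [int]$Last = 10)
    Get-ChildItem -Path $Path | Where-Object { -not $_.PSIsContainer } |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
        Select-String -Pattern $Pattern -SimpleMatch | Select-Object -Last $Last
}

# The login typed into Event Configuration; tested here as a SQL login.
$net = (Get-Credential 'service.view').GetNetworkCredential()

"TCP {0}:{1} reachable  : {2}" -f $Server, $Port, (Test-TcpPort $Server $Port)
"Windows authentication : " + (Test-SqlLogin @{ 'Integrated Security' = $true })
"SQL authentication     : " + (Test-SqlLogin @{ 'User ID' = $net.UserName; 'Password' = $net.Password })
Get-RecentLogMatch -Path $LogDir | ForEach-Object { $_.Line }
```

A result of OK for Windows authentication and FAILED for SQL authentication reproduces the situation in this post: the DSN test passes while the Event Database configuration is rejected.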

With this in mind, I created a SQL Authentication Login called ‘service.view’ using the following settings:

  • Untick Enforce password policy
  • Untick User must change password at next login
  • Untick Enforce password expiration

Error 1

Next I created a Database called ViewEvents and made ‘service.view’  the Owner

Error 2

Back into Logins > service.view> Properties and change the Default database to ViewEvents and Hit OK

Error 3

Let’s give it another whirl shall we.  Jump back onto your View Connection Server and go into View Configuration > Event Configuration > Edit and enter the following details:

Database Server: VMF-ADMIN01\VIM_SQLEXP

Port: 49237 (your Dynamic Port number)

Database Name: ViewEvents

User Name: service.view

Password: Password

Confirm Password: Password

Table Prefix: CON01

Event Database 6

Hit OK, and boom, it has worked!

Event Database 7

We are now in a position to change the Event Settings or in other words how long we can see stuff for.  The default setting allows 3 Months of events to be shown within View Administrator and an event is classified as new for 2 Days.

These can be changed by clicking on Edit and selecting the desired values.

Event Database 8

This has been a slightly longer than expected blog post, but it’s great when things go wrong as ultimately you end up learning more!

VMware View – Objective 2.1 Configure View Composer

Knowledge

  • Identify default View Composer port settings
  • Identify domain accounts used for QuickPrep
  • Identify the vCenter Server system
  • Identify necessary account domain permissions and domain trust relationships
  • Enable View Composer from View Administrator and add domain account(s)

We installed View Composer in Objective 1.1, now it’s time to configure this badboy!

Identify Default View Composer Port Settings

This is quite an easy one, the default port to allow View Composer to speak to vCenter is 18443.

Composer Default Port

Identify Domain Accounts Used For QuickPrep

So what is QuickPrep? Well, it’s VMware’s version of sysprep but on steroids.  You may have noticed that when you perform a sysprep it does take quite a while as the VM goes through various stages of configuration and performs a full clone of the template VM.  QuickPrep doesn’t go into the same level of detail, instead it:

  • Creates a new Computer Account in Active Directory in the relevant OU
  • Gives each Virtual Desktop a unique name
  • Joins the Virtual Desktop to the domain

Interestingly, according to VMware KB 2003797 Quick Prep doesn’t create a new SID.

Let’s create a Service Account with the relevant rights to use Quick Prep.  In Active Directory create a new user, I’m going to call mine service.viewcomposer

View Composer Service Account

Next we need to give this Service Account rights to Create and Delete Computer Objects in Active Directory.  Depending on your Organisational Unit structure you might do this on specific OUs or on the whole domain.  I’m going to do it on the whole domain as it’s easier for lab purposes.

TOP TIP: Ensure View > Advanced Features is ticked

Right Click your Domain in Active Directory Users & Computers and Click Properties

View Composer Configure 1

Select the Security Tab and click Advanced (I don’t know why but hitting Advanced gives me a sense of power!)

View Composer Configure 5

Hit Add

View Composer Configure 6

Enter in your Service Account name, Check the name and then Hit OK

View Composer Configure 7

Ensure that ‘Apply to’ is ‘This object and all descendant objects ‘ and Permissions are ‘Create Computer Objects’ and ‘Delete Computer Objects’.  Once you have done this Click On Properties

View Composer Configure 8

We are going to apply the permissions to ‘Write all properties’ Hit OK.  You will notice that various other permissions are auto populated.

View Composer Configure 9

Identify The vCenter Server System

Login to your View Connection Server and go to View Configuration > Servers > vCenter Servers which will tell you your vCenter Server.  Mine is VMF-ADMIN01

View Composer Configure 10

Identify Necessary Account Domain Permissions & Domain Trust Relationships

View Composer requires specific permissions within Active Directory which are:

  • List Contents
  • Read All Properties
  • Write All Properties
  • Read Permissions
  • Create Computer Objects
  • Delete Computer Objects

Using the methodology above, we need to create a Service Account with these permissions.  As I don’t want to repeat myself, a bit like Blue Peter, here is one I made earlier which is called service.view
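To confirm that the service account ended up with exactly the six permissions listed above and nothing broader, the delegation can be read back from the directory. This is an added example, not part of the original post: `Get-DelegationReport` is a hypothetical helper name, and it assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module
# (RSAT), which also provides the AD: drive used by Get-Acl.
Import-Module ActiveDirectory
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of "computer"

function Get-DelegationReport {
    param(
        [Parameter(Mandatory = $true)][string]$Account,
        [string]$TargetDN = (Get-ADDomain).DistinguishedName     # the post delegates at the domain root
    )
    # Allow ACEs naming the account directly (group memberships are not expanded).
    $aces = @((Get-Acl -Path "AD:\$TargetDN").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$Account"
    })

    # The six permissions from the list above, as ActiveDirectoryRights flag names.
    $required = @(
        @{ Label = 'List Contents';           Right = 'ListChildren'  },
        @{ Label = 'Read All Properties';     Right = 'ReadProperty'  },
        @{ Label = 'Write All Properties';    Right = 'WriteProperty' },
        @{ Label = 'Read Permissions';        Right = 'ReadControl'   },
        @{ Label = 'Create Computer Objects'; Right = 'CreateChild'   },
        @{ Label = 'Delete Computer Objects'; Right = 'DeleteChild'   }
    )
    $granted = 0
    foreach ($ace in $aces) { $granted = $granted -bor [int]$ace.ActiveDirectoryRights }

    $requiredMask = 0
    foreach ($r in $required) {
        $bit = [int][System.DirectoryServices.ActiveDirectoryRights]$r.Right
        $requiredMask = $requiredMask -bor $bit
        "{0,-24} {1}" -f $r.Label, $(if ($granted -band $bit) { 'granted' } else { 'MISSING' })
    }

    # Anything beyond the six (for example WriteDacl or GenericAll) is reported by name.
    $extra = $granted -band (-bnot $requiredMask)
    if ($extra) { "Extra rights: $([System.DirectoryServices.ActiveDirectoryRights]$extra)" }

    # Create/Delete child ACEs should be limited to the computer class;
    # an empty ObjectType means "any child object".
    $unscoped = @($aces | Where-Object {
        ([int]$_.ActiveDirectoryRights -band 3) -and $_.ObjectType -ne $ComputerClass
    })
    if ($unscoped.Count) { "Create/Delete child not limited to computer objects: $($unscoped.Count) ACE(s)" }
}

Get-DelegationReport -Account 'service.view'
```

Pass `-TargetDN` with an OU's distinguished name to check a delegation made on a specific OU instead of the whole domain.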

Enable View Composer From View Administrator & Add Domain Account(s)

Awesome, now it’s time to enable View Composer.

Login to your View Connection Server and go to View Configuration > Servers > Select your vCenter Servers > Edit

View Composer Configure 11

Click Enable View Composer (I have already done this) so I can only Click on Edit

View Composer Configure 12

We are going to use View Composer co-installed with vCenter Server on Port 18443

View Composer Configure 13

Lastly, we are going to add in our Active Directory Domain by Clicking Add

View Composer Configure 14

Enter in your Domain Name as an FQDN and type your View Composer Service Account credentials in.  Then Hit OK.

View Composer Configure 15