Monday, December 9, 2013

How to build a System Center Virtual Machine Manager 2012 R2 lab - part 8

In the previous post you saw how to configure SQL Server for your virtual infrastructure. In this post you will set up a sixth virtual machine named LAB2013VMM01 that will host your actual System Center Virtual Machine Manager 2012 R2 installation. You will also go through all the prerequisites for SCVMM to work.



Under VMware Workstation configure a new virtual machine and install Windows 2012 R2 with a GUI (even though it looks like you have the option to install SCVMM in Core mode starting from version 2012). Once the installation has ended, and you have deployed the VMware Tools, connect as a Domain Admin and use once again the basic configuration cmdlets:
Get-NetAdapter -Name Ethernet0 | % {
  # Static IP address, default gateway and DNS server for this VM
  $_ | Set-NetIPInterface -Dhcp Disabled
  $_ | New-NetIPAddress -IPAddress 192.168.134.17 -PrefixLength 24 -DefaultGateway 192.168.134.2
  $_ | Set-DnsClientServerAddress -ServerAddresses 192.168.134.10
}
Rename-Computer -NewName LAB2013VMM01 -Restart
# Turn Windows Firewall off for all profiles (lab machine)
netsh advfirewall set allprofiles state off
# Enable Remote Desktop connections (/ar 0)
cscript C:\Windows\System32\Scregedit.wsf /ar 0
Add-Computer -DomainName LAB2013.local -Restart
Time to review the four main prerequisites for SCVMM:
  • During the installation of a VMM management server, on the Configure service account and distributed key management page, you will need to configure the System Center Virtual Machine Manager service to use either the Local System account or a Domain account. You can change this later on, of course. If you choose to use a Domain account make it belong to the Local Administrators Group. In any case there are many reasons to choose to run SCVMM with a Domain account, though I am not going to detail this here.
  • During the installation of a VMM management server, you will need to configure Distributed Key Management. On the 'Configure service account and distributed key management' page of Setup, you can select to use Distributed Key Management to store encryption keys in Active Directory Domain Services (AD DS) instead of storing the encryption keys on the computer on which the VMM management server is installed. The advantage of storing your keys in AD DS is that if you need to move your VMM installation to another computer, all your data are retained. Cool, uh? Also, storing keys in AD DS is the only possible way if you are clustering VMM. You must create a Container (i.e. SCVMMDKM) in AD DS before installing VMM. The domain account you created in the first step must have full rights on this Container.
  • The third prerequisite is to install Windows Assessment and Deployment Kit (Windows ADK) for Windows 8.1.
  • The fourth is to install SQL Server 2012 Command Line Utilities.
Remember that using a Domain Account and storing the encryption keys in AD DS are two of the pillars of a Highly Available VMM Management Server, which is out of scope for my lab for now. Maybe I’ll come back to this topic in a future post.

The first two prerequisites are easily accomplished with PowerShell:
On the Domain Controller (LAB2013AD01 in my case) type the following command to create a new account for SCVMM:
New-ADUser -Name "SCVMM Account" -SamAccountName SCVMMsvc -Description "SCVMM 2012 R2 Server Service Account" -Enabled $true -AccountPassword (Read-Host -AsSecureString "SCVMM Service Account Password")
Note the password you used! Now retrieve the SID of this new user account:
[System.Security.Principal.IdentityReference]$UserSid = (Get-ADUser scvmmsvc).SID
Create a variable containing the DN of your domain:
$ADRoot = (Get-ADDomain).DistinguishedName
Create the Active Directory Container:
New-ADObject -Name "SCVMMDKM" -Type Container -Path "CN=System,$ADRoot" -PassThru

DistinguishedName   Name                ObjectClass         ObjectGUID
-----------------   ----                -----------         ----------
cn=SCVMMDKM,CN=S... SCVMMDKM            container           59722f15-51af-4c...
Now retrieve the existing ACL of the Container (note the use of the AD: PSDrive):
$Acl = Get-Acl "AD:CN=SCVMMDKM,CN=System,$ADRoot"
Now the tricky part: you have to create the ActiveDirectoryAccessRule that goes into the AddAccessRule method. This object has six different constructors and each can be used for a different use case. Luckily we can check the syntax on MSDN or execute the following command:
[System.DirectoryServices.ActiveDirectoryAccessRule].GetConstructor
OverloadDefinitions
-------------------
System.Reflection.ConstructorInfo GetConstructor(System.Reflection.BindingFlags bindingAttr, System.Reflection.Binder binder, System.Reflection.CallingConventions callConvention, type[] types, System.Reflection.ParameterModifier[] modifiers)
System.Reflection.ConstructorInfo GetConstructor(System.Reflection.BindingFlags bindingAttr, System.Reflection.Binder binder, type[] types, System.Reflection.ParameterModifier[] modifiers)
System.Reflection.ConstructorInfo GetConstructor(type[] types)
System.Reflection.ConstructorInfo _Type.GetConstructor(System.Reflection.BindingFlags bindingAttr, System.Reflection.Binder binder, System.Reflection.CallingConventions callConvention, type[] types, System.Reflection.ParameterModifier[] modifiers)
System.Reflection.ConstructorInfo _Type.GetConstructor(System.Reflection.BindingFlags bindingAttr, System.Reflection.Binder binder, type[] types, System.Reflection.ParameterModifier[] modifiers)
System.Reflection.ConstructorInfo _Type.GetConstructor(type[] types)
To give the SCVMMsvc user account full rights on the SCVMMDKM Container you need to choose a constructor that accepts:
  • An IdentityReference object that identifies the trustee of the access rule. It is the SID of the user account SCVMMsvc.
  • The access rights that are assigned to an Active Directory Domain Services object. You will use GenericAll because it gives the right to create or delete children, delete a subtree, read and write properties, examine children and the object itself, add and remove the object from the directory, and read or write with an extended right.
  • An AccessControlType: Allow or Deny
$Ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $UserSid, "GenericAll", "Allow"
$Acl.AddAccessRule($Ace)
Write the modified ACL back to the Container:
Set-Acl -aclobject $Acl "AD:CN=SCVMMDKM,CN=System,$ADRoot"
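A read-back check for the steps above, added here as an example and not part of the original post: it lists the constructor signatures of the rule class, then confirms which ACE the SCVMMsvc account actually received on the Container and who else holds rights there. It assumes the names used on this page (SCVMMsvc, SCVMMDKM) and the ActiveDirectory module on the domain controller.

```powershell
# Added example: verify the ACE on the DKM container after Set-Acl.
Import-Module ActiveDirectory

$ADRoot  = (Get-ADDomain).DistinguishedName
$DkmPath = "AD:CN=SCVMMDKM,CN=System,$ADRoot"
$UserSid = (Get-ADUser SCVMMsvc).SID

# Signatures of the constructors of ActiveDirectoryAccessRule itself
[System.DirectoryServices.ActiveDirectoryAccessRule].GetConstructors() |
    ForEach-Object { $_.ToString() }

# Read the ACL back; ask for SIDs so matching does not depend on name translation.
# Arguments: include explicit ACEs, include inherited ACEs, identity type.
$Acl   = Get-Acl $DkmPath
$Rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

# ACEs whose trustee is the service account
$Mine = @($Rules | Where-Object { $_.IdentityReference.Value -eq $UserSid.Value })
$Mine | Format-Table ActiveDirectoryRights, AccessControlType, InheritanceType, IsInherited -AutoSize

# The three-argument constructor used on this page produces an explicit ACE with
# InheritanceType None, i.e. it applies to the container object itself.
$GenericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$Granted = @($Mine | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    -not $_.IsInherited -and
    $_.ActiveDirectoryRights.HasFlag($GenericAll)
})

if ($Granted.Count -eq 0) {
    Write-Warning "No explicit Allow/GenericAll ACE for SCVMMsvc on $DkmPath"
} else {
    Write-Output "SCVMMsvc holds GenericAll on the container (InheritanceType: $($Granted[0].InheritanceType))"
}

# The container will hold VMM encryption keys, so review every other trustee as well
$Acl.Access |
    Sort-Object IdentityReference |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited -AutoSize
```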
The last step you have to perform to meet the first two prerequisites is to add the new SCVMMsvc account to the local Administrators group on your SCVMM server LAB2013VMM01:
([ADSI]"WinNT://LAB2013VMM01/Administrators,group").psbase.Invoke("Add",([ADSI]"WinNT://LAB2013.local/SCVMMsvc").path)
Easy, right?
Now, for Windows ADK, you can find it here: http://www.microsoft.com/en-eg/download/details.aspx?id=39982. It’s a small file (1.4MB) named adksetup.exe.

The two features that you need for SCVMM are Deployment Tools and Windows PE:

The installer will download these features (that’s why it is so important to have a proper Internet connection and valid DNS forwarding in your LAB). This can take a significant amount of time depending on download speed.

You can take a walk here since this download is pretty long. When you come back the Windows ADK installation will be finished and you will see the following window:

Now install the SQL Server 2012 Command Line Utilities from the Microsoft SQL Server 2012 Feature Pack. You can download them from http://www.microsoft.com/en-us/download/details.aspx?id=29065

The installation ends quickly since there are no prerequisites to meet under Windows 2012 R2:

Restart this virtual machine since you made a lot of modifications (this step is not required but I suggest you do so):
Now you have all the SCVMM prerequisites met. Time to install System Center, which I will explain in the next post!
