Add a User Defined Windows Administrator to a vRA Blueprint

This post will walk through implementing a process allowing a vRA portal user to specify a user account to be added to the local administrators group on a Windows server provisioned by vRA. There are plenty of posts out there, including a kb article, on adding the virtual machine requester (owner) to the administrators group if that is what you need to do. Before beginning I am assuming you have a fully working vRA installation (I’m using v7.2), and Windows templates with the vRealize Automation Guest Agent installed. Some blueprints would also be handy, but you can create those after.

We’ll need a script on the template Windows machine, in this example I’ve created a Scripts sub-folder within the VRMGuestAgent folder, and a new text file which I’ve saved as AdminUser.cmd. The full path therefore is C:\VRMGuestAgent\Scripts\AdminUser.cmd.

Copy and paste the following line into the batch file:

Net localgroup administrators /add %1

Log in to the vRA portal, for example https://*loadbalancer*/vcac/org/*tenant*. Open the Administration tab and select Property Dictionary. We need to provide the user with a field in the virtual machine request process for them to specify an account to be added as a local administrator. Click Property Definitions and New.

  • Enter a name. It is best practice to use the tenant name, a dot, and then the name of the property definition, for example YourTenant.AdminUser.
  • Enter a useful description, this text will be displayed when the user points to the help symbol next to the field we’re adding in the virtual machine request.
  • Change the Data type to String, and select whether you want the field to be mandatory.
  • From the Display as drop-down menu select Textbox. Click Ok to save.

Next click Property Groups. If your blueprints are using an existing property group then click the property group.  If you need to create a new property group click New and enter a name. The following lines need adding to the property group that is used, or will be used, by a blueprint.

  • Name:   VirtualMachine.Software0.Name
  • Value:   AdminUser
    • Replace the value with an appropriate name for the property, I have used the same name as the script but it doesn’t have to match up.
  • Name:   VirtualMachine.Software0.ScriptPath
  • Value:   C:\VRMGuestAgent\Scripts\AdminUser.cmd {YourTenant.AdminUser}
    • Replace the value with the location of the script on the template OS, and include the squiggly brackets with the name of the property definition we created earlier inside.
  • Name:   YourTenant.AdminUser
  • Value:
  • Show in Request:   Yes
    • Enter the name of the property definition we created earlier and leave the value blank (this will be entered by the user). Ensure Show in Request is ticked.

If you are already using VirtualMachine.Software0 for something else, such as adding the virtual machine owner to the local administrators group, then you can amend to VirtualMachine.Software1 and so on. When you’re done the entries should look something like this, click Ok.

If you haven’t yet assigned a property group to your blueprint then click the Design tab and Blueprints. Click the blueprint to edit, select the vSphere_Machine and click the Properties tab, from the Property Groups tab click Add.

Select the property group we recently created or changed and click Ok. Click Save and Finish. The values in the property group will now be applied to any virtual machines deployed from this blueprint, repeat as required for any other vSphere_Machines or blueprints.

Assuming your blueprint is published and has the necessary entitlements, click the Catalog tab. Locate the catalog item linked to the blueprint and click Request. Select the vSphere_Machine component and you’ll see the new field for the requester to enter the domain\user or user@domain account to be added to the Windows local Administrators group. If you opted to make data input mandatory you’ll see an asterisk next to the new field.
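
A validating alternative to the one-line batch file, added here as an example and not part of the original post: the requester types the account name as free text and the script runs with administrative rights on the new machine, so this version accepts only the domain\user and user@domain forms before calling net localgroup, and logs the outcome. The file name AdminUser.ps1, the log path, the character allowlist (deliberately narrower than Active Directory permits) and launching it via powershell.exe -File from the VirtualMachine.Software0.ScriptPath value are all assumptions.

```powershell
# AdminUser.ps1 - added example; file name and log path are assumptions.
param(
    [Parameter(Mandatory = $true, Position = 0)]
    [string]$Account
)

$LogFile = 'C:\VRMGuestAgent\Scripts\AdminUser.log'   # assumed location

function Write-Log {
    param([string]$Message)
    $line = '{0} {1}' -f (Get-Date -Format s), $Message
    Add-Content -Path $LogFile -Value $line
}

function Test-AccountName {
    param([string]$Name)
    # DOMAIN\user: NetBIOS domain (1-15 chars) and account name (1-20 chars).
    $downLevel = '\A[A-Za-z0-9][A-Za-z0-9-]{0,14}\\[A-Za-z0-9._-]{1,20}\z'
    # user@domain: restricted user part followed by a dotted DNS suffix.
    $upn = '\A[A-Za-z0-9._-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\z'
    # Anything outside these two shapes (spaces, quotes, shell
    # metacharacters, extra arguments) is refused.
    return ($Name -match $downLevel) -or ($Name -match $upn)
}

if (-not (Test-AccountName $Account)) {
    # Do not echo the raw value into the log; record only its length.
    Write-Log ('REJECTED request value of length {0}' -f $Account.Length)
    exit 1
}

# The validated name is passed to net.exe as a single argument.
& "$env:SystemRoot\System32\net.exe" localgroup administrators /add $Account | Out-Null
$code = $LASTEXITCODE

if ($code -eq 0) {
    Write-Log "ADDED $Account to local administrators"
} else {
    Write-Log "FAILED to add $Account (net.exe exit code $code)"
}
exit $code
```

The log gives a per-machine record of which account was granted local administrator rights at provisioning time, which can be reviewed alongside the vRA request history.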

Defining vRealize Automation Datacenter Locations

This post will walk through defining datacenter locations for VMware vRealize Automation 7.2. The primary two use cases for additional datacenter locations are to allow users to select a datacenter for service deployments, or for the administrator to specify a set datacenter when configuring a blueprint. We will cover both scenarios below.

Adding Datacenter Locations

Datacenter locations are defined in an xml file on the IaaS server(s). If you have multiple IaaS servers then we must perform the change on each server individually, and disable it from the load balancing configuration before commencing. If you are only using a single IaaS server, such as in a lab environment, then obviously this is not necessary. For vRA installations using NSX as a load balancer you can follow the brief steps below, otherwise refer to the documentation for your load balancing solution.

  • Log into the vSphere web client as a user with NSX administrative privileges, select Networking & Security.
  • Click NSX Edges and then double click the NSX Edge containing the load balancing configuration.
  • From the Manage tab select Load Balancer and Pools. Select the pool configured for the IaaS web servers and click Edit.
  • Select one of the nodes in the Members table and click the edit symbol. Untick Enable Member and click Ok.
  • The server is now disabled from the load balancing configuration and you can go ahead and make the change outlined below. Once complete enable the member and disable the next node, repeating the process for each member of the pool.

When the IaaS server node has been disabled in the IaaS Web load balancing pool (if applicable), navigate to C:\Program Files (x86)\VMware\vCAC\Server\Website\XmlData, or replace with the installation directory as appropriate. Edit the DataCenterLocations.xml file, entering your datacenter names in the CustomDataType body, in place of London and Boston.

Save and close the file, then restart the VMware vCloud Automation Center Service.

If you removed the IaaS from the load balancer remember to add it back in, you’ll then need to repeat the process for each instance. Once the change has been made on each IaaS node we can assign the locations to compute resources.

Log into the vRA tenant portal as a fabric administrator, you may need to clear your browser history to show the updated datacenters in the xml file we changed earlier. Open the Infrastructure tab and browse to Compute Resources, Compute Resources. Move the mouse pointer over the compute resource and click Edit, from the drop-down Location menu select the site to associate with the compute resource, click Ok. Repeat this for each compute resource requiring an assigned datacenter location.

Selecting Datacenter Locations

Now that we have available locations assigned to our compute resource we can specify this using a blueprint. Log into the vRA tenant portal as a tenant administrator, from the Design tab select Blueprints. Select the blueprint to edit and click Edit. The main 2 options we are concerned with for datacenter locations are:

  • Allow the user to select the datacenter location.
    • From the General tab select the Display location on request tickbox. Click Save and Finish. Assuming the blueprint is published with appropriate catalog entitlements then when the user requests the catalog item they can select from the drop-down Location menu in the vSphere machine General tab.

  • Set the datacenter location in the blueprint, and do not allow the user to change the location. This option is useful for when the administrator wants to set where certain blueprints are deployed.
    • Check the setting mentioned above is unticked. Navigate to the Properties tab and select Custom Properties. Click New to add a new property. In the Name field enter Vrm.DataCenter.Location, in the Value field enter the site name, matching one of the site names we added previously, click Ok. Click Save and Finish. When the user requests the catalog item it will be deployed at the datacenter defined by the blueprint custom property.

vRealize Automation 7.0 Install Guide

This post will walk through the installation of vRealize Automation v7 in a minimal deployment. The process is very similar to that of an enterprise deployment, but the latter requires additional planning and design based on your own environment, and additional instances to be deployed to create a distributed solution for production workloads.

Architecture

There are two deployment types for vRealize Automation v7. A minimal deployment is a single appliance and single Windows server containing the IaaS components. This is intended for proof of concept or dev environments, you can protect the management services by adding them to a highly available cluster made up of a minimum of 3 ESXi hosts, however this deployment model should not be used for production workloads.

An enterprise deployment consists of multiple appliances and typically multiple Windows servers to form a distributed, load balanced and highly available environment. For assistance with planning the architecture of an enterprise deployment you should review the vRealize Automation 7 Documentation Centre in detail.

In terms of the vRealize appliance, the following services are now consolidated into a single instance:

  • vRealize Automation core services
  • vPostgres database
  • Embedded vRealize Orchestrator instance
  • vIDM (virtual identity manager)

In both deployment models management agents are used to register IaaS nodes with the vRealize Automation appliance to automate the install of IaaS components. This includes:

  • IaaS Website
  • Model Manager
  • vCAC Manager Service
  • Distributed Execution Managers
  • vRA Automation Agents
  • IaaS database (can also be external)

Prerequisites

The vRealize Automation appliance comes as a preconfigured OVA that is deployed to your existing vCenter server, it requires the following:

  • Components are identified by FQDN and as such DNS must be in place to resolve host names.
  • A service account should be used for the installation which has administrative access to vCenter.
  • Timekeeping must use a consistent source to ensure synchronisation across the vRealize Automation appliance, IaaS server and external database servers.
  • For minimal deployments the installer generates self-signed certificates. For enterprise deployments you can use an internal or external CA, multi-use wildcard certificates are supported.
  • The appliance needs 4 vCPU, 18 GB RAM and 60 GB disk for small active directories (under 25,000 users to be synced). For large active directories (over 25,000 users to be synced) the appliance needs 22 GB RAM.
  • vRealize Automation uses port 443 for communication but there are a number of other ports which should be open if you have firewalls between the management and database servers in your environment.

The IaaS components are installed on a separate physical or virtual Windows machine, the requirements are:

  • Windows Server 2008 R2 SP1 or Windows 2012 R2 operating system.
  • Microsoft .NET Framework 4.5.2.
  • Windows PowerShell 2.0 or 3.0.
  • Microsoft Internet Information Services 7.5.
  • Java JRE 1.7 64 bit or above.
  • A service account should be used for installation which has administrative access on the Windows server.
  • Resource requirements for the IaaS components are 2 vCPU, 8 GB RAM and 30 GB disk.
  • For minimal deployments the installer generates self-signed certificates. For enterprise deployments obtain a multi-use certificate from an internal or external CA that your web client trusts.

The database can be on the same server as the IaaS components or an external database, the requirements are:

  • Microsoft SQL Server 2012 SP1 / SP2 or SQL Server 2014 SP1.
  • SQL server must be configured on the default port of 1433.
  • TCP/IP protocol for SQL Server must be enabled.
  • If you use the IaaS server as a database server then you should also factor in additional SQL resource.
  • The Microsoft Distributed Transaction Coordinator service must be enabled on all IaaS Windows servers and SQL Server nodes.

The software versions listed above may change based on product updates and as such before proceeding you should check the vRealize Automation Support Matrix.

Deploy the vRealize Automation Appliance

The first step is to download and deploy the vRealize Automation appliance. If you are entitled to download vRA you will see this listed in your myvmware.com downloads portal. If you are unable to download vRA speak to your account manager.

Download the OVA file and deploy this to your existing vCenter server. Follow the OVF deployment wizard and give your appliance a unique name in accordance with the naming convention of your organisation. You will configure network settings and a root password. Select power on after deployment or manually power on the appliance once it has been deployed.

Re-initiate Install Wizard

The installation wizard starts the first time anyone logs into the vRealize Automation appliance on port 5480. If the installation wizard was cancelled you can restart the wizard by completing the following steps:

  • Enable SSH under the Admin tab.
  • Use an SSH client to connect to the vRealize Appliance, log in as root.
  • Run vcac-vami installation-wizard. This command changes the start_wizard = false value to start_wizard = true in the /etc/vcac/vami.ini file.

Installation Process

Open a web browser and connect to https://vra-appliance-fqdn:5480, where vra-appliance-fqdn stands for the fully qualified domain name configured during deployment of the vRealize Automation appliance. In a minimal deployment it simplifies things to run the vRA installation wizard from the Windows machine that will become the IaaS server.

Log in with the root account. The vRealize Automation installation wizard welcome page appears, click Next.

Accept the license terms and click Next. Select the deployment type, ensure Install Infrastructure as a Service is selected and click Next. The deployment type I will be using for the purpose of this install is minimal deployment.

If you are running the install wizard from the Windows machine that will become the IaaS server then on the Installation Prerequisites page click vCAC-IaaSManagementAgent-Setup.msi. Save and run the downloaded file.

If you are running the install wizard from a separate client then save the msi file and copy it to the Windows machine that will become the IaaS server, and run the installer from there.

Alternatively, log in to the Windows machine that will become the IaaS server and browse to https://vra-appliance-fqdn:5480/installer, where vra-appliance-fqdn stands for the fully qualified domain name of your vRA appliance. Click vCAC-IaaSManagementAgent-Setup.msi, save and then run the downloaded file.

On the vRealize Automation management agent installation window click Next to proceed. Accept the license terms and confirm the installation destination folder. In the vRA appliance address field enter https://vra-appliance-fqdn:5480, where vra-appliance-fqdn stands for the fully qualified domain name of your vRA appliance.

Enter the root username and password configured during deployment of your vRA appliance. Click Load to load the SHA1 fingerprint and tick I confirm the fingerprint matches the Management Site Service SSL certificate, click Next.

Enter the IaaS service account details and click Next and Install.

Once the install is complete click Finish and return to the vRealize Automation install wizard. Configure the time server and click Next. On the prerequisite checker click Run.

The wizard will now run the pre-installation checks, this may take a few minutes. Once complete and the status shows a green tick click Next. Attend to any discrepancies and make sure you have taken into consideration all the prerequisites listed above.

In the vRealize Automation host screen enter the FQDN of your vRealize Automation appliance, click Next.

Enter a password for the vRealize Automation administrator account, make sure you note down this password. At the time of writing passwords containing special characters, although accepted, may cause failures when performing operations later in vRealize Automation. Avoid using double quotation marks, commas, equals, blank spaces and non ASCII or extended ASCII characters.

Enter the FQDN of the IaaS server and the username and password. The username should be in the format of DOMAIN\username. Enter a security passphrase, if you are installing a distributed environment this should be the same passphrase across all components. The security passphrase cannot be recovered so make sure you have recorded it, then click Next.

Enter the SQL Server details and click Next.

The Distributed Execution Managers page will be auto-populated as it picks up our single IaaS instance we installed earlier. Click Next.

Likewise the Agents screen will also be auto-populated with our IaaS server.  Note the Endpoint field, you may want to change this from the default name to something easily identifiable if you intend on connecting vRealize Automation to multiple vCenter servers. All other options should be auto-populated, if these aren’t filled in go back and check your IaaS server installation, firewall and network connectivity of the server.

Since we are using the minimal deployment model the appliance will self-generate an SSL certificate. Enter the requested details and click Save Generated Certificate, then click Next. On the Web Certificate page ensure Keep Existing is selected and click Next. Accept the default manager service certificate and click Next.

On the Validation page click Validate to validate the installation settings and prerequisites.

The validation process can take up to 30 minutes, once complete click Next.

Skip the create snapshots message by clicking Next. The installation process can now commence, click Install.

Once the installer has completed click Next to finalise the setup.

Enter your vRealize Automation license key and click Next.

Choose whether to participate in the customer experience improvement program and click Next. Click Finish on the installation wizard completion page.

The installation is now complete and you can log into the vRealize Automation web interface using the IaaS web address and administrator account, both configured during the installation wizard.

Once the components are installed there is further work to do to configure your environment. This post is the first in a series on vRealize Automation 7, subsequent links will be posted here at a later date.