Back in Part 4, I mentioned that Horizon View required up to a few service accounts to function properly. One of these accounts is for accessing vCenter to provision and manage the virtual machines that users will connect to. The other service account is for View Composer and will manage the accounts within Active Directory. This account is not required if you are not planning to use View Composer and Linked Clones within your environment.
In addition to these two service accounts, two database accounts may need to be created for the Horizon View Composer database and the Horizon View Events Database.
It’s important to build these accounts with the principle of least privileged access in mind. These accounts should not have more rights than they would need. So while the easy way out would be to give these accounts vCenter Administrator, Domain Administrator, and SQL Server or Oracle SysAdmin rights, it would not be a good idea as these accounts could potentially be compromised.
vCenter Service Account
The first account that needs to be created is a service account that View will use for accessing vCenter. Horizon View uses this account for provisioning and power operations. The service account should be a standard Active Directory domain user account without any additional administrator-level rights on the domain or on the vCenter server.
There are a couple of different ways to configure your Horizon View environment, sp the actual rights required by vCenter will vary. I will be using View Composer in this series, so I will be setting up the vCenter Service Account with the permissions required to use View Composer.
Note: If you are not using View Composer, or you plan to use View Composer and Local Mode, different permissions will be required in vCenter. Please see Chapter x of the Horizon View 6.0 Installation Guide for more details on the permissions that need to be assigned to the service account.
A new role will need to be created within vCenter in order to assign the appropriate permissions. To create a new role in the vCenter Web Client, you need to go to Administration –> Roles from the main page. This will bring up the roles page, and we can create a new role from here by clicking on the green plus sign.
The permissions that need to be assigned to our new role are:
Low Level File Operations
||Configuration –> All Items
Inventory –> All Items
Snapshot Management –> All Items
Read Customization Spec
Clone Virtual Machine
Allow Disk Access
||Assign Virtual Machine to Resource Pool
Migrate Powered-Off Virtual Machine
Act As vCenter Note 1
Advanced Settings Note 1
Note 1: Act as vCenter and Host Advanced Settings are only needed if View Storage Accelerator are used. If these features are not used, these permissions are not required.
After the role has been created, we will need to assign permissions for our vCenter Server service account to the vCenter root. To do this from the roles screen, you will need to go back to the vCenter Web Client Home screen and take the following steps:
- Select vCenter
- Select vCenter Servers under Inventory Lists
- Select the vCenter that you wish to grant permissions on
- Click on the Manage Tab
- Click Permissions
- Click the Green Plus Sign to add a new permission
- Select the role for View Composer
- Add the Domain User who should be assigned the role
- Click OK.
View Events Database Account
The Events Database is a repository for events that happen with the View environment. Some examples of events that are recorded include logon and logoff activity and Composer errors.
The Events Database requires a Microsoft SQL Server or Oracle database server, and it should be installed on an existing production database server. There are two parts to configuring the events database. The first part, creating the database and the database user, needs to be done in SQL Server Management Studio before the event database can be configured in View Administrator. The steps for configuring Horizon View to use the Events database will happen in another post.
To set up the database, follow these steps:
1. Open SQL Server Management Studio and log in with an account that has permissions to create users and databases.
2. Expand Security –> Logins.
3. Right-click on Logins and Select New Login…
4. Enter the SQL Login Name and Password and then click OK.
5. Expand Databases.
6. Right-click on Databases and select New Database.
7. Enter the database name. Select the database user that you created above as the database owner. Click OK to create the database.
Note: SQL Server named instances are configured to use dynamic ports. This means that SQL Server will use a new port every time the server is restarted. The events database does not support dynamic ports, so a static port will need to be configured and the SQL instance restarted prior to configuring the events database in View. For instructions on how to configure a static ports in SQL Server, please see this article.
View Composer Service Accounts
The last two accounts that need to be set up are for Horizon View Composer. These accounts are only required if you plan on using Composer and linked clone desktops.
Depending on your configuration, Composer may require two service accounts. These accounts are:
1. An Active Directory User Account – This service account is used by View for accessing Composer. This account requires local administrator rights on the Composer server and rights to create computer objects in Active Directory.
2. A Horizon View Composer Database User – This service account is a local SQL Server user account and is required if the SQL Server database is located on a remote server. If SQL Server is installed on the Composer Server, Windows authentication can be used.
Configuring the Composer Service Account
The first is the account that will be used by View Composer. This account can be created as a standard domain user. This account should not have domain administrator or account operator rights – it only needs a select group of permissions on the OU (or OUs) where the View Desktops are being stored.
After this account has been created, you need to delegate permissions to it on the OU (or OUs) where your VDI desktops will be placed. If you use the structure like the one I outlined above, you only need to delegate permissions on the top-level OU and permission inheritance, if turned on, will apply them to any child or grandchild objects beneath it.
Note: If inheritance is not turned on, you will need to check the Apply to All Child Objects checkbox before applying the permissions.
The permissions that need to be delegated on the OU are:
- Create Computer Objects
- Delete Computer Objects
- Write All Properties
- Reset Password
Note: Although granting this account Domain Administrator or Account Operator permissions may seem like an easy way to grant it the permissions it needs, it will grant a number of other permissions that are not needed and could pose a security risk if that account is compromised. Only the required permissions should be granted in a production environment.
The account will also need to be granted local administrator rights on the Composer server. If the account is not a local administrator, you will not be able to configure Composer from within the View Administrator.
Configuring the Composer Database and Database Service Account
Like the Event database above, Composer requires its own database. This database is used to keep track of linked clones, replicas, and pending recompose operations.
The steps below will walk through setting up the Composer database. If your Composer database is located on a separate server, you will have to use SQL authentication, and the steps for creating the SQL user are included.
Note: If your Composer database is located on the same server as the Composer service, you can use Windows Authentication for accessing the database.
1. Log into your database server and open SQL Server Management Studio.
2. Log in as a user with administrator rights on SQL Server.
3. Create a new SQL Login by expanding Security –> Logins. Right click on Logins and select New Login.
4. Enter a login name such as viewComposerDB or viewComposerUser, select SQL Server Authentication, and enter a password twice. You may also need to disable Enforce Password Expiration or Enforce Password Policy depending on your environment. Click OK to create the account. Note: Check with your DBA on password policy settings.
5. After the SQL login is created, you need to create an empty database. To create the database, right click on the database folder and select New Database.
6. In the database name field, enter a name such as viewComposer. This will be the name of the database. To select an owner for the database, click on the … button and search for the database user account you created above. Click OK to create the database.
You will have a blank database that you can use for View Composer after you click OK.
Configuring Composer to use this database will be covered during the Composer installation.
This wraps up all of the prerequisites for the environment. In the next couple of sections, I will be covering the installation and configuration of Horizon View.