Back in Part 4, I mentioned that Horizon required up to a few service accounts to function properly. One of these accounts is for accessing vCenter to provision and manage the virtual machines that users will connect to. The other service account will manage computer accounts within Active Directory, and this account is only required if you are using Horizon Composer or Instant Clones.
In addition to these two service accounts, two database accounts may need to be created for the Horizon Composer database and the Horizon Events Database. Edit: The supported database matrix has changed significantly since Horizon 6.2. Please validate that your database is compatible by checking the VMware Product Interoperability Matrix.
It’s important to build these accounts with the principle of least privileged access in mind. These accounts should not have more rights than they would need. So while the easy way out would be to give these accounts vCenter Administrator, Domain Administrator, and SQL Server or Oracle SysAdmin rights, it would not be a good idea as these accounts could potentially be compromised.
vCenter Service Account
The first account that needs to be created is a service account that Horizon will use for accessing vCenter. Horizon uses this account for provisioning new virtual desktops and performing power operations. The service account should be a standard Active Directory domain user account without any additional administrator-level rights on the domain or on the vCenter server.
There are a couple of different ways to configure your Horizon environment, so the actual rights required in vCenter will vary. The specific permissions that are required can be found in the Configuring User Accounts for vCenter Server and View Composer section of the Horizon 7 documentation.
A new role will need to be created within vCenter in order to assign the appropriate permissions. To create a new role in the vCenter Web Client, you need to go to Administration –> Roles from the main page. This will bring up the roles page, and we can create a new role from here by clicking on the green plus sign.
For the purposes of this walkthrough, I’ll be setting up my service account with permissions to deploy linked clone desktops using Horizon Composer. The permissions that need to be assigned to our new role are:
Low Level File Operations
Configuration –> All Items
Inventory –> All Items
Snapshot Management –> All Items
Read Customization Spec
Clone Virtual Machine
Allow Disk Access
Assign Virtual Machine to Resource Pool
Migrate Powered-Off Virtual Machine
Act As vCenter Note 1
Advanced Settings Note 1
Note 1: Act as vCenter and Host Advanced Settings are only needed if Storage Accelerator are used. If these features are not used, these permissions are not required.
After the role has been created, we will need to assign permissions for our vCenter Server service account to the vCenter root. To do this from the roles screen, you will need to go back to the vCenter Web Client Home screen and take the following steps:
- Select vCenter
- Select vCenter Servers under Inventory Lists
- Select the vCenter that you wish to grant permissions on
- Click on the Manage Tab
- Click Permissions
- Click the Green Plus Sign to add a new permission
- Select the role for Horizon Composer
- Add the Domain User who should be assigned the role
- Click OK.
Horizon Events Database Account
The Events Database is a repository for events that happen with the Horizon environment. Some examples of events that are recorded include logon and logoff activity and Composer errors.
The Events Database requires a Microsoft SQL Server or Oracle database server, and it should be installed on an existing production database server. There are two parts to configuring the events database. The first part, creating the database and the database user, needs to be done in SQL Server Management Studio before the event database can be configured in Horizon Administrator. The steps for configuring Horizon to use the Events database will happen in another post.
Note: Horizon also supports sending event data off to a syslog server. This can be used in place of an events database. Configuring a syslog server is beyond the scope of this article.
To set up the database, follow these steps:
1. Open SQL Server Management Studio and log in with an account that has permissions to create users and databases.
2. Expand Security –> Logins.
3. Right-click on Logins and Select New Login…
4. Enter the SQL Login Name and Password and then click OK.
5. Expand Databases.
6. Right-click on Databases and select New Database.
7. Enter the database name. Select the database user that you created above as the database owner. Click OK to create the database.
Note: SQL Server named instances are configured to use dynamic ports. This means that SQL Server will use a new port every time the server is restarted. The events database does not support dynamic ports, so a static port will need to be configured and the SQL instance restarted prior to configuring the events database in Horizon. For instructions on how to configure a static ports in SQL Server, please see this article.
Active Directory Provisioning Account
The Active Directory Provisioning Service account is used by Horizon to manage the computer accounts that are created for Instant Clone and Linked Clone desktops.
This account can be created as a standard domain user, and it should not have domain administrator or account operator rights – it only needs a select group of permissions on the OU (or OUs) where the virtual desktop computer accounts will be placed.
After this account has been created, you need to delegate permissions to it on the OU (or OUs) where your VDI desktops will be placed. If you use the structure like the one I outlined in Part 4, you only need to delegate permissions on the top-level OU and permission inheritance, if turned on, will apply them to any child or grandchild objects beneath it.
Note: If inheritance is not turned on, you will need to check the Apply to All Child Objects checkbox before applying the permissions.
The permissions that need to be delegated on the OU are:
- Create Computer Objects
- Delete Computer Objects
- Write All Properties
- Reset Password
Note: Although granting this account Domain Administrator or Account Operator permissions may seem like an easy way to grant it the permissions it needs, it will grant a number of other permissions that are not needed and could pose a security risk if that account is compromised. Only the required permissions should be granted in a production environment.
Horizon Composer Service Account
The last two accounts that need to be set up are for Horizon Composer. These accounts are only required if you plan on using Composer and linked clone desktops.
I recommend two accounts for Composer. These accounts are:
1. A Composer Service Account– This service account is by Horizon to connect to Composer. It is a standard Active Directory user account that requires administrator rights on the Composer server. This account is only required if Composer is not installed on the vCenter Server.
2. A Horizon Composer Database User – This service account is a local SQL Server user account and is required if the SQL Server database is located on a remote server. If SQL Server is installed on the Composer Server, Windows authentication can be used.
Configuring the Composer Database and Database Service Account
Like the Event database above, Composer requires its own database. This database is used to keep track of linked clones, replicas, and pending recompose operations.
The steps below will walk through setting up the Composer database. If your Composer database is located on a separate server, you will have to use SQL authentication, and the steps for creating the SQL user are included.
Note: If your Composer database is located on the same server as the Composer service, you can use Windows Authentication for accessing the database.
1. Log into your database server and open SQL Server Management Studio.
2. Log in as a user with administrator rights on SQL Server.
3. Create a new SQL Login by expanding Security –> Logins. Right click on Logins and select New Login.
4. Enter a login name such as HorizonComposerDB or HorizonComposerUser, select SQL Server Authentication, and enter a password twice. You may also need to disable Enforce Password Expiration or Enforce Password Policy depending on your environment. Click OK to create the account. Note: Check with your DBA on password policy settings and requirements. In the absence of existing policies, I recommend disabling Password Expiration and Password Policy requirements on this account because an expired SQL User password will break the environment. There is a VMware KB on how to change the database user password, but I would recommend avoiding that issue entirely.
5. After the SQL login is created, you need to create an empty database. To create the database, right click on the database folder and select New Database.
6. In the database name field, enter a name such as HorizonComposer. This will be the name of the database. To select an owner for the database, click on the … button and search for the database user account you created above. Click OK to create the database.
You will have a blank database that you can use for Composer after you click OK.
Configuring Composer to use this database will be covered during the Composer installation.
This wraps up all of the prerequisites for the environment. In the next couple of sections, I will be covering the installation and configuration of VMware Horizon.