Since VMware vCenter Server Appliance is a crucial piece of software that can affect access to your entire environment,...
you should take special care when you configure vCenter Server to set it up properly. Although the vCenter Server Appliance has feature parity with Windows-based vCenter, there are still things you need to configure for both Linux and Windows versions.
In this article, we'll focus on the post-configuration steps that ensure everything in vCenter Server works the way it should, as well as additional configuration actions, such as setting time syncing, adding vCenter Server Appliance (vCSA) to Microsoft Active Directory (AD) and setting up directory services to manage the vSphere environment.
Set up vCenter Server time configuration
There are a few things you need to do to configure vCenter Server once it's deployed; the first is time configuration. Use the VMware Appliance Management Interface (VAMI) to connect to vCenter Server. In a web browser, go to the VAMI and enter the following: https://<fqdn or ip>:5480. Log in as root.
Next, go to the Time menu, where you'll see two adjustable settings, highlighted in Figure A:
- Time zone. If the time zone is set up incorrectly, you can change it here.
- Time synchronization. There are three options for time synchronization. VMware recommends that you point the vCenter Server to an external time source. But, in certain situations -- such as highly secure environments without internet access -- this isn't possible.
Under Time Synchronization, next to Time Servers, you'll notice I've entered the following VMware time servers: 0.vmware.pool.ntp.org, 1.vmware.pool.ntp.org and 2.vmware.pool.ntp.org. Any standard time server should do -- these were just the easiest for me to remember.
Check for updates to vCenter Server
Next, you'll want to check for any recent patches or updates. To do this, select Update from the sidebar to the left, and then click the Check Updates button, shown in Figure B. If there are any new patches or updates available, the Install Updates button -- which is grayed out in Figure B -- will become visible. Note that you typically need to reboot vCenter Server after an update.
Change password expiration settings
Another important step to configure vCenter Server is to change password expiration settings for the local root user. The root password is set to expire after 365 days by default. You can either disable this policy or enter an email address to receive an expiration warning when the time comes. To complete either of these tasks, select Administration from the sidebar on the left and make changes as needed.
During deployment, you must assign a single sign-on (SSO) to the administrator. This password is also dependent on a policy. If you decide not to use AD as an identity source, you should verify whether the default settings work for you. If you do choose to use AD for authentication, the SSO admin account password expiration won't affect you.
Configure AD and set global permissions
If you do choose to configure AD, it will connect the freshly deployed vCenter Server to your existing AD environment. This is a common practice, as it enables you to reuse an existing username and password for your team or for individual users.
To configure AD, connect to the vSphere Web Client by entering the following:
https://<fqdn or ip>/vsphere-client
Next, go to Administration > Single Sign On > Configuration and locate the Identity Sources tab. You'll notice an arrow pointing to a small green plus sign in Figure C; clicking this plus sign opens the Add Identity Source window, from which you can select an identity source type and configure the identity source.
Next, you need to grant global permission to any groups or users who will be using the system. Always use caution when assigning global permissions and verify that you really want to assign permissions to all objects in all inventory hierarchies.
To assign global permissions, go to Administration > Global Permissions, and then follow the steps illustrated in Figure D:
- Click the Add button under Users and Groups to add a new global permission.
- Select a domain from the drop-down menu.
- Choose one of the options from the Users/Group menu.
- Click the Add button.
- Click OK to complete.
Once you've validated your users and groups, you can choose a role for that group. For the purpose of this example, I selected a domain administrators' group, so I selected Administrator as a role from the drop-down menu under Assign Role shown in Figure E. Note that if you select a standard domain user group, you can easily map it to other options, such as Virtual Machine User or Virtual Machine Power User. Tick the Propagate to Children checkbox to specify whether you want to those permissions to propagate to all subcontainers.
You can now add vCSA to your AD the same way you manage Windows computers. Connect to the vSphere Web Client and, under Administration, choose Deployment > System Configuration. Under the Nodes section, open your node of choice and locate the Manage tab. Click the Settings button and choose Active Directory from the Advanced settings options. You are now able to join the AD domain. You can also add a firewall exception and change the vCSA host name in this section.
Add a vCenter Server license
The final step to configure vCenter Server is to license it. VMware currently offers a 60-day trial for vCenter Server, after which point you'll need to purchase a license. To do so, connect to the vSphere Web Client and, under Administration, expand the Licensing option. Choose Licenses and locate the Licenses tab. To add a new license, click the green plus sign to add a vCenter Server license, enter license keys and edit license names.
You're now ready to get started with vCenter Server, to create and configure cluster and data centers objects, and to add your ESXi hosts.
If you want to further protect vCenter Server from failure, you can configure vCenter Server High Availability (HA), but only for vCSA. HA clones the current active node to create a passive node and a witness node. If the active node becomes unavailable, HA for vCSA will automatically promote the passive node to active. There is some brief downtime associated with this process, as the newly promoted active node needs to initialize and start up the services that provide authentication access to resources for vCenter admins and end users.