VCAP-DTA Section 1 Notes

By | February 11, 2014

Section 1 – Deploy View Installations and Upgrade Existing Deployments

Objective 1.1 – Deploy Highly Available View Installations

  • Configure highly available connectivity to the View environment
    • To provide high availability and load balancing, you can install one or more additional instances of View Connection Server that replicate an existing View Connection Server instance. These additional instances are installed as ‘Replica’ servers.
  • Configure stateful and stateless load balancing for a View implementation
    • No information found on View specific configuration of this.  Does this mean MS NLB?
    • Stateless, once the client is connected to a server it is always redirected to the same server.
    • Stateful, the load balancer looks at each session and assigns it to the appropriate server based on load
  • Implement vSphere cluster isolation and High Availability rules
    • Configure HA/DRS; however, these cannot be used if local storage hosts the desktops
    • Consider anti-affinity rules to separate Connection Servers
    • 8 host cluster for VMFS (v5.1)
    • 32 host cluster for NFS (v5.1 & v5.2)
    • Cluster configuration is also important because each View desktop pool must be associated with a vCenter Server resource pool. Therefore, the maximum number of desktops per pool is related to the number of servers and virtual machines that you plan to run per cluster

If you use VMware HA and are planning for a fixed number of desktops per server, run each server at a reduced capacity. If a server fails, the capacity of desktops per server is not exceeded when the desktops are restarted on a different host. For example, in an 8-host cluster, where each host is capable of running 128 desktops, and the goal is to tolerate a single server failure, make sure that no more than 128 * (8 – 1) = 896 desktops are running on that cluster.

  • Configure a View implementation with multiple vCenter Servers

View Configuration > Servers>vCenter   (Add instances)

To ensure more operations are completed simultaneously within one maintenance window, you can add multiple vCenter Server instances (up to five) to your pod, and deploy multiple desktop pools in vSphere clusters managed by separate vCenter Server instances. A vSphere cluster can be managed by only one vCenter Server instance at one time. To achieve concurrency across vCenter Server instances, you must deploy your desktop pools accordingly

 

Objective 1.2 – Deploy and Configure View Composer

  • Install, Configure and Upgrade View Composer
    • Can perform upgrade by installer wizard (GUI)
    • Upgrade database manually via sviconfig.exe on Composer server
      • Create backup, check ODBC settings, stop Composer service, disable provisioning
      • sviconfig -operation=databaseupgrade -dsnname=LinkedClone -username=Admin
      • Start service
  • Implement and Update certificates for View Composer

If you import a CA-signed certificate before you install View Composer, you can select the signed certificate during the View Composer installation. This approach eliminates the manual task of replacing the default certificate after the installation.

If you intend to replace an existing certificate or the default, self-signed certificate with a new certificate after you install View Composer, you must import the new certificate and run the SviConfig ReplaceCertificate utility to bind your new certificate to the port used by View Composer.

The following example replaces the certificate that is bound to the View Composer port:

    • Stop the Composer service
    • sviconfig -operation=ReplaceCertificate -delete=false
    • Start the Composer service
  • Configure View Composer for one-way and two-way trust scenarios
    • Use vdmadmin command to configure domain filtering, to limit the domains that a View Connection Server instance searches and that it displays to users
    • Add the domain FARDOM to the search exclusion list for the View Connection Server instance csvr1
      • vdmadmin -N -domains -exclude -domain FARDOM -add -s csvr1
    • Add the domain NEARDOM to the exclusion list for a View Connection Server group.
      • vdmadmin -N -domains -exclude -domain NEARDOM -add
    • Create new domain Trust via Active Directory – Domains and Trusts>Properties of Domain>Trusts

VMware KB Article

http://community.spiceworks.com/topic/336411-vmware-view-multiple-domains-without-a-two-way-trust

Each View Connection Server instance is joined to an Active Directory domain, and users are authenticated against Active Directory for the joined domain. Users are also authenticated against any additional user domains with which a trust agreement exists.

For example, if a View Connection Server instance is a member of Domain A and a trust agreement exists between Domain A and Domain B, users from both Domain A and Domain B can connect to the View Connection Server instance with View Client. Similarly, if a trust agreement exists between Domain A and an MIT Kerberos realm in a mixed domain environment, users from the Kerberos realm can select the Kerberos realm name when connecting to the View Connection Server instance with View Client.

  • Migrate View Composer to a standalone installation

View 5.2 Upgrades guide p30

To keep linked clones when migrating View Composer to a standalone installation, you must migrate the existing Composer database and also import the existing RSA keys, which help encrypt and decrypt data.

  1. In View admin>Servers  Select vCenter Server tab, select vCenter Server instance and Disable provisioning
  2. Optional – Migrate the View Composer database to a new location (database server)
  3. Uninstall the View Composer service from the current computer.
  4. Migrate the RSA key container to the new computer
  5. Install the View Composer service on the new computer
  6. During the installation, specify the DSN of the database that was used by the original View Composer service. Also specify the domain administrator user name and password that were provided for the ODBC data source for that database.
  7. If you migrated the database, the DSN and data source information must point to the new location of the database.
  8. Configure an SSL server certificate for View Composer on the new computer.
  9. You can copy the certificate that was installed for View Composer on the original computer or install a new certificate.
  10. In View Administrator, click View Configuration > Servers, select the vCenter Server instance that is associated with this View Composer service, and click Edit.
  11. If you are installing View Composer with vCenter Server on the new computer, select View Composer co-installed with the vCenter Server.
  12. If you are installing View Composer on a standalone computer, select Standalone View Composer Server and provide the FQDN of the View Composer computer and the user name and password of the View Composer user.
  13. In the Domains pane, click Verify Server Information and add or edit the View Composer domains as needed.

To use an existing View Composer database, you must migrate the RSA key container from the source computer on which the existing View Composer service resides to the computer on which you want to install the new View Composer service.

  1. On the source computer on which the existing View Composer service resides, open a command prompt and navigate to the %windir%\Microsoft.NET\Framework\v2.0xxxxx directory.
  2. Type the aspnet_regiis command to save the RSA key pair in a local file.
    • aspnet_regiis -px "SviKeyContainer" "keys.xml" -pri
    • The ASP.NET IIS registration tool exports the RSA public-private key pair from the SviKeyContainer container to the keys.xml file and saves the file locally.
  3. Copy the keys.xml file to the destination computer on which you want to install the new View Composer service.
  4. On the destination computer, open a command prompt and navigate to the %windir%\Microsoft.NET\Framework\v2.0xxxxx directory.
  5. Type the aspnet_regiis command to migrate the RSA key pair data.
    • aspnet_regiis -pi "SviKeyContainer" "path\keys.xml" -exp  where path is the path to the exported file.
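
The export and import steps above, as an added PowerShell example that is not part of the original notes or of VMware's documentation. It wraps the same two aspnet_regiis commands with the handling the exported file needs, since keys.xml carries the RSA private key. The staging path C:\Transfer\keys.xml and the parameter names are assumptions, and Get-FileHash requires PowerShell 4.0 or later.

```powershell
# Added example, not from the original notes. Run from an elevated prompt.
# Assumed: C:\Transfer\keys.xml is a hypothetical staging path; PowerShell 4.0+.
param(
    [ValidateSet('Export', 'Import')][string]$Mode = 'Export',
    [string]$KeyFile = 'C:\Transfer\keys.xml',
    [string]$ExpectedSha256   # hash printed by the Export run; required for Import
)
$ErrorActionPreference = 'Stop'

# The notes elide the v2.0 build number, so locate the directory by wildcard.
$regiis = Get-ChildItem "$env:windir\Microsoft.NET\Framework\v2.0*\aspnet_regiis.exe" |
    Select-Object -First 1 -ExpandProperty FullName
if (-not $regiis) { throw 'aspnet_regiis.exe for .NET 2.0 was not found.' }

if ($Mode -eq 'Export') {
    New-Item -ItemType Directory -Force -Path (Split-Path $KeyFile) | Out-Null
    & $regiis -px 'SviKeyContainer' $KeyFile -pri
    if ($LASTEXITCODE -ne 0) { throw "Export failed with exit code $LASTEXITCODE." }

    # -pri writes the RSA private key to keys.xml unencrypted: remove inherited
    # permissions and leave access only for the account running the migration.
    & icacls $KeyFile /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(F)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Could not restrict the ACL on the key file.' }

    $hash = (Get-FileHash -Path $KeyFile -Algorithm SHA256).Hash
    Write-Output "Exported. SHA256 to supply on the destination: $hash"
}
else {
    if (-not $ExpectedSha256) { throw 'Import requires -ExpectedSha256.' }
    $hash = (Get-FileHash -Path $KeyFile -Algorithm SHA256).Hash
    if ($hash -ne $ExpectedSha256) { throw 'keys.xml does not match the exported hash.' }

    & $regiis -pi 'SviKeyContainer' $KeyFile -exp
    if ($LASTEXITCODE -ne 0) { throw "Import failed with exit code $LASTEXITCODE." }

    # The container now holds the key; the plaintext copy is no longer needed.
    Remove-Item -Path $KeyFile -Force
    Write-Output 'Imported into SviKeyContainer and removed the staging copy.'
}
```

Once the new View Composer service is confirmed working, also delete keys.xml from the source computer and from whatever media carried it between the two machines.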

Objective 1.3 – Deploy and Configure a View Security Server

  • Configure and enable firewall ports and rules
  • Deploy and administer a View security server
    • Refer to View Administration (p48) and Architecture (p69) guides
  • Enable secure tunnelling for PCoIP and RDP
  • Configure certificates for View Security Server
    • See Section 8
  • Configure Smartcard or two-factor authentication for external access

Objective 1.4 – Deploy and Configure View Transfer Server

  • Configure storage for View Transfer Server and the repository
    • VM requires x4 SCSI controllers, configured when adding Transfer Server VM into View Admin
  • Configure the View Transfer Server firewall
    • Incoming TCP – 80 and 443
  • Configure security policies for Local Mode
    • View>Policies>Global Policies
    • Pool (if local mode)>Policies

Objective 1.5 – Upgrade View Infrastructure Components

Order: Composer, Connection Server, Security Server, Transfer Server, Agent & Client

Upgrade View Composer

  • Backup database, disable provisioning, any pools with refresh at log off should be set to ‘Never’
  • Run installer wizard and upgrade
  • Or manually upgrade database via Composer server
    • sviconfig -operation=databaseupgrade -dsnname=LinkedClone -username=Admin

Upgrade View Connection Server

  1. Stop the service called VMware View Connection Server service, on all View Connection Server instances in the group.
  2. Do not stop the VMwareVDMDS service. The VMwareVDMDS service must be running so that the View LDAP database can be upgraded.
  3. On the host of one of the View Connection Server instances in the group, run the installer for the new version of Connection Server.
  4. Verify that the VMware View Connection Server service restarts after the installer wizard closes and you can log in to View Connection Server, and click About in View Administrator to verify that the new version is being used.
  5. Stop the View Connection Server service again
  6. After all servers in the group are upgraded, start the View Connection Server service on all of them.
  7. Use the vdmexport.exe utility to back up the newly upgraded View LDAP database (only one server)
  8. On one of the upgraded View Connection Server instances, copy the GPO templates and load them into AD.

Upgrade View Security Server

Re-pairing

  • View Configuration>Servers>Connection Servers>More Commands
  • Enable IPsec during the upgrade

Before you can upgrade or reinstall a security server instance, you must remove the current IPsec rules that govern communication between the security server and its paired View Connection Server instance. If you do not take this step, the upgrade or reinstallation fails.

If you plan to pair a security server with this View Connection Server instance, verify that Windows Firewall with Advanced Security is set to on in the active profiles. It is recommended that you turn this setting to on for all profiles. By default, IPsec rules govern connections between security server and View Connection Server and require Windows Firewall with Advanced Security to be enabled.

By default, communication between a security server and its paired View Connection Server instance is governed by IPsec rules. When you upgrade or reinstall the security server and pair it again with the View Connection Server instance, a new set of IPsec rules must be established. If the existing IPsec rules are not removed before you upgrade or reinstall, the pairing fails.

You must take this step when you upgrade or reinstall a security server and are using IPsec to protect communication between the security server and View Connection Server. You can configure an initial security server pairing without using IPsec rules. Before you install the security server, you can open View Administrator and deselect the global setting Use IPSec for Security Server Connections, which is enabled by default. If IPsec rules are not in effect, you do not have to remove them before you upgrade or reinstall.

  1. In View Administrator, click View Configuration>Servers.
  2. Security Servers tab, select security server and click More Commands > Prepare for Upgrade or Reinstallation.

If you disabled IPsec rules before you installed the security server, this setting is inactive. In this case, you do not have to remove IPsec rules before you reinstall or upgrade.

The IPsec rules are removed and the Prepare for Upgrade or Reinstallation setting becomes inactive, indicating that you can reinstall or upgrade the security server.

You can also use the vdmadmin command with the -S option to remove a security server from your View environment. You do not have to use this option if you intend to upgrade or reinstall a security server without removing it permanently.

    • vdmadmin -S -s connsvr3 -r

vdmadmin command

Upgrade View Transfer Server

  • View Administrator > View Configuration > Servers > Transfer Servers tab, select the View Transfer Server, and click Enter Maintenance Mode. Wait until the status changes to Maintenance.
    • The status remains in Maintenance Pending until all active transfers are complete.
    • On the virtual machine that hosts the View Transfer Server instance, run the installer
    • Verify that the VMware View Transfer Server service restarts after the installer wizard closes.
    • View Administrator > View Configuration > Servers > Transfer Servers tab, select the View Transfer Server, and click Exit Maintenance Mode
