Deploying and Configuring The vCenter Server Appliance

KB ID 0001146 

Problem

The vCenter Appliance used to be simple to deploy from an OVA, but now you need to deploy it from another machine (and it has to be a Windows machine).

Solution

Before you attempt to deploy the appliance, ‘pre-create’ its host records in your DNS.

Download the vCenter Appliance .ISO file and mount it on your Windows machine, navigate to the vcsa-iu-installer directory, and run the installer.exe file.

Install > Next > Accept the EULA > Next > Select Embedded Platform Services Controller* > Next.

*Note: For larger environments you can install the PSC on a separate appliance; it handles things like single sign-on, provisioning and certificates etc.

Enter the details for the ESX server the appliance is getting deployed on > Next > Enter the name for the VC and its root password > Next > Select the deployment type > Next > Select the storage you want to deploy to, and whether you want to use thin provisioning > Next.

Fill in the IP details for the new appliance, and its DNS settings > Next > Finish.

The appliance will deploy > When completed, you can further configure the appliance > Next > Enter your NTP settings > Next.

Set the SSO configuration* > Username = administrator@vsphere.local > Password = {something complex}, (you will need it in a minute! DON’T EVER LOSE THESE CREDENTIALS!!) > Next > I usually untick CEIP > Next > Finish.

*Note: We will configure domain authentication later.

It will take a while to reconfigure; when complete, click the hyperlink > vSphere Web Client > Log on with the credentials you entered above.
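Before running the installer, the one thing that most often breaks a vCSA deployment is the DNS step above (a missing or mismatched A/PTR record) and, a little later, time skew that stops SSO and the domain join working. The following pre-flight script is an added example, not part of the original article; the FQDN, IP, DNS server and NTP server values are hypothetical and you substitute your own.

```powershell
# Added pre-flight check, not part of the original article.
# Assumptions (hypothetical values): the appliance FQDN and IP, your DNS server and your NTP server.
$VcsaFqdn  = 'vcsa01.corp.example.com'
$VcsaIp    = '10.10.10.20'
$DnsServer = '10.10.10.5'
$NtpServer = 'ntp.corp.example.com'

$ok = $true

# 1. Forward lookup: the A record must exist and point at the IP you will give the installer.
$a = Resolve-DnsName -Name $VcsaFqdn -Type A -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue
if (-not $a -or ($a.IPAddress -notcontains $VcsaIp)) {
    Write-Warning "A record for $VcsaFqdn missing or not $VcsaIp (got: $($a.IPAddress -join ', '))"
    $ok = $false
} else { Write-Host "A record OK: $VcsaFqdn -> $VcsaIp" }

# 2. Reverse lookup: the PTR must map back to the same FQDN, otherwise the appliance's
#    own hostname (and the certificates it generates) end up wrong.
$ptr = Resolve-DnsName -Name $VcsaIp -Type PTR -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue
if (-not $ptr -or ($ptr.NameHost -ne $VcsaFqdn)) {
    Write-Warning "PTR for $VcsaIp missing or not $VcsaFqdn (got: $($ptr.NameHost))"
    $ok = $false
} else { Write-Host "PTR record OK: $VcsaIp -> $VcsaFqdn" }

# 3. Nothing should already be answering on that address (catches a duplicate IP before deploy).
if (Test-Connection -ComputerName $VcsaIp -Count 1 -Quiet) {
    Write-Warning "$VcsaIp already responds to ping; check for an IP conflict before deploying"
    $ok = $false
}

# 4. NTP: SSO tokens and the later AD join both depend on time being in sync,
#    so confirm the NTP server you are about to enter actually answers.
$strip = w32tm /stripchart /computer:$NtpServer /samples:1 /dataonly 2>&1
if ($LASTEXITCODE -ne 0 -or ($strip -match 'error')) {
    Write-Warning "NTP server $NtpServer did not answer: $strip"
    $ok = $false
} else { Write-Host "NTP OK: $NtpServer" }

if ($ok) { Write-Host 'Pre-flight passed, run the installer.' } else { Write-Warning 'Fix the items above first.' }
```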

Join the vCenter Appliance to a Domain

You cannot perform domain authentication unless the appliance is a domain member, so first you need to join a domain.

Administration.

System Configuration.

Nodes > {VC name} > Manage > Active Directory > Join.

Provide the domain name and an account, (with rights to add machines to the domain) > OK.

Nothing happens! This is normal, don’t worry: you need to reboot the appliance, and this can take a while (actually it reboots quite quickly, but it will be a while before you can log in to the web console) > OK.

Over in Active Directory you will see a new computer object.

The only indication you will see on the appliance is that you now have a domain name, and the ability to ‘Leave’.

Enable Domain Authentication

Note: If you have a separate Platform Services Controller, use the following article instead;

vSphere: Setup Domain Authentication via PSC

I’m simply going to add my Domain Admins group to the administrators group on the Virtual Center; there are a number of different roles on ESX you can map to whatever domain groups you want to create.

Administration > Single Sign On > Configuration > Identity Sources > Add.

Active Directory (Integrated Windows Authentication) > Next > Your domain should be shown > Next > Finish.

Select your domain and set it as the default identity source.

Users and Groups > Groups > Administrators > Add.

Change the domain to yours, and add in the Domain Admins group > OK.

In ‘Hosts and Clusters’ view > Select the Virtual Center > Permissions > Add.

Select the Administrators ‘role’ > Then add the Domain Admins group in the same way you did above.

Adding Licences to vCenter

Administration > Licensing > Licences > Licences > Add.

Add your licence code(s) > Next > Give them a sensible name > Next > Finish.

Assets Tab > Select the Virtual Center > Assign Licences > Select the appropriate licence > OK.

Deployment > System Configuration > Nodes > Manage > Advanced > Active Directory > Join.

Note: If you have already added hosts you can assign their licences here also, I will assign the host licences when I add the hosts to the cluster.

Create a vSphere DataCenter

In Hosts and Clusters view > Right click the vCenter > New DataCenter > Give it a name > OK.

Create a vSphere Cluster

Right click the DataCenter you have just created > New Cluster > Give it a name > OK.

Note: You can enable licensed features here, like DRS, HA, EVC etc. But I prefer to do this later.

Adding ESX Hosts to your vSphere Cluster

Right click your cluster > Add Host.

Enter the name or IP > Next > Enter the root account and password > Next (If you get a certificate warning click OK) > Next.

Select an appropriate licence, (or select the evaluation licence if you have not yet added any licences) > Next > I always disable lockdown mode > Next > Finish.
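Once the Domain Admins group has been mapped to the Administrator role (the identity-source and permissions steps above) and the hosts have been added, it is worth checking the result rather than trusting the clicks: who actually holds Administrator at the root of the inventory, and which hosts ended up with lockdown mode off. This audit is an added example, not from the original article; it assumes VMware PowerCLI is installed and the vCenter FQDN, domain and group name below are hypothetical placeholders.

```powershell
# Added post-build audit, not part of the original article. Requires VMware PowerCLI.
# Assumptions (hypothetical values): vCenter FQDN, and the AD group you mapped to the Administrator role.
$VCenter       = 'vcsa01.corp.example.com'
$ExpectedAdmin = 'CORP\Domain Admins'

Connect-VIServer -Server $VCenter | Out-Null

# 1. Who holds the Administrator role at the top of the inventory? Every principal listed here has
#    full control of every object in vCenter, so the list should be short and each entry accounted for.
$root  = Get-Folder -NoRecursion                 # the hidden root folder above the datacenters
$perms = Get-VIPermission -Entity $root | Where-Object { $_.Role -eq 'Admin' }
$perms | Select-Object Principal, Role, Propagate, IsGroup | Format-Table -AutoSize

if ($perms.Principal -notcontains $ExpectedAdmin) {
    Write-Warning "$ExpectedAdmin does not hold the Administrator role at the root yet"
}
# Anything other than the mapped AD group and the built-in vsphere.local principals needs a reason.
$unexpected = $perms | Where-Object {
    $_.Principal -ne $ExpectedAdmin -and $_.Principal -notlike 'VSPHERE.LOCAL\*'
}
foreach ($p in $unexpected) { Write-Warning "Unexpected root Administrator: $($p.Principal)" }

# 2. Lockdown mode per host. The article turns it off at add-host time; recording the state per host
#    makes that decision visible (lockdownDisabled / lockdownNormal / lockdownStrict) instead of implicit.
Get-VMHost | ForEach-Object {
    [pscustomobject]@{
        Host         = $_.Name
        Version      = $_.Version
        LockdownMode = $_.ExtensionData.Config.LockdownMode
    }
} | Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```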


Related Articles, References, Credits, or External Links

Original Article Written 26/01/16

vSphere – Adding Domain Users/Groups to vCenter

OCSP Server – Bad Signing Certificate On Array Controller

OCSP KB ID 0001145 

Problem

I had a client ring in the other day. They have a three-tier PKI solution on Windows Certificate Services that I put in about a year ago; it has been running fine, but now they were seeing some errors.

Bad signing certificate on Array controller.

The following errors were also being logged;

Event ID 23

[box]

Log Name:      Application
Source:        Microsoft-Windows-OnlineResponder
Date:          12/01/2016 08:44:01
Event ID:      23
Task Category: None
Level:         Error
Keywords:      
User:          NETWORK SERVICE
Computer:      PKICRL00v
Description:
The Online Responder Service could not locate a signing certificate for configuration 
inter00.(Cannot find the original signer. 0x8009100e
 (-2146889714 CRYPT_E_SIGNER_NOT_FOUND))

[/box]

Event ID 34

[box]

Log Name:      Application
Source:        Microsoft-Windows-OnlineResponder
Date:          12/01/2016 08:44:01
Event ID:      34
Task Category: None
Level:         Error
Keywords:      
User:          NETWORK SERVICE
Computer:      PKICRL00v
Description:
The Online Responder Service encountered an error while submitting the enrollment request
 for configuration inter00 to certification authority PKIINTER00v\PKIINTER00V. The request
 ID is 0.(The system cannot find the file specified. 0x80070002 
(WIN32: 2 ERROR_FILE_NOT_FOUND))

[/box]

OCSP Solution

I quickly ascertained that removing and adding the nodes didn’t fix the problem. On the OCSP server, launch an MMC session and add in the Certificates snap-in for the local computer. Do a manual enrolment, but in the details set the issuing CA to one of the CAs that is displaying an error (using the OCSP Responder certificate template). Repeat for each CA.

Now add each node, but choose ‘manually select a signing certificate’.

Then assign the certificate, and choose the correct cert for each node.
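To confirm the fix took (and to spot the problem early next time), check the two things the events above complain about: whether Event IDs 23 and 34 are still being logged, and whether the responder's machine store actually holds a valid OCSP signing certificate issued by the CA named in the event. The script below is an added diagnostic, not from the original article; run it on the Online Responder server, and treat the CA name as a placeholder taken from your own Event ID 34 text.

```powershell
# Added diagnostic, not from the original article. Run on the Online Responder (OCSP) server.
# Assumption: the CA common name below is a placeholder; take yours from the Event ID 34 message
# (the article's event names 'PKIINTER00v\PKIINTER00V', i.e. the CA's CN is PKIINTER00V).
$IssuingCa      = 'PKIINTER00V'
$OcspSigningEku = '1.3.6.1.5.5.7.3.9'   # id-kp-OCSPSigning, the EKU an OCSP signing certificate must carry

# 1. Pull the two errors the article describes from the last 7 days, so you can see if they are still firing.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-OnlineResponder'
    Id           = @(23, 34)
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
if ($events) {
    $events | Group-Object Id | ForEach-Object { "{0,4} x Event ID {1} (last: {2})" -f $_.Count, $_.Name, ($_.Group | Select-Object -First 1).TimeCreated }
} else { Write-Host 'No Event ID 23/34 entries in the last 7 days.' }

# 2. Which OCSP signing certificates does the responder actually have in the machine store?
$signers = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $OcspSigningEku
}
$signers | Select-Object Subject, Issuer, NotAfter, HasPrivateKey, Thumbprint | Format-Table -AutoSize

# 3. For the CA named in the event: is there an unexpired signing cert from it, with its private key present?
#    "Cannot find the original signer" (Event 23) is exactly what you see when this comes back empty.
$forCa = $signers | Where-Object {
    $_.Issuer -like "*CN=$IssuingCa*" -and $_.NotAfter -gt (Get-Date) -and $_.HasPrivateKey
}
if (-not $forCa) {
    Write-Warning "No usable OCSP signing certificate issued by $IssuingCa; enrol one manually from that CA and assign it to the node"
} else {
    $earliest = ($forCa.NotAfter | Sort-Object)[0]
    Write-Host "OK: $($forCa.Count) signing cert(s) from $IssuingCa, earliest expiry $earliest"
}
```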

Related Articles, References, Credits, or External Links

NA