Archives for March 2013

Voted into the Top 25 Virtualization Bloggers for 2013

For a number of years vSphere-Land has a vote drive for the top VMware Virtualization blogs. After some nail biting for the last week, the results are finally in! And to my surprise and delight I was voted into the Top 25 Virtualization Bloggers for 2013, at number 24. I feel very honored I’m glad my hard work with all my blogging has been appreciated by the community.

There are some great first timers on the list, such as Cormac Hogan which has stellar storage related blog articles. And of course Mike Webster (Long White Clouds), focusing on security and SSL certificates. I’m honored to be a first timer on the list, and broke into the top 25 at #24! I also made the Favorite Independent Blogger at #11, just after Julian’s Great blog (WoodITWork).

You can check out the whole list at vSphere-Land here. But here’s a snippet of the Top 25 Virtualization Bloggers for 2013. Thanks for everyone that voted, I’m honored!

Top 25 Virtualization Bloggers

Top 25 Virtualization Bloggers for 2013

VMware Horizon View 5.2 Install Part 4: VM and Pool Creation

As a quick recap of this series we are installing VMware Horizon View 5.2 for a small pilot of a Windows 8 VDI desktop. In Part 1 we installed the Connection Server, in Part 2 we configured an SSL certificate, and in Part 3 we performed some basic Connection Server configuration.

In this installment we really get our hands dirty, and get to the fun stuff. First, we will provision a new Windows 8 VM, then properly configure AD, and finally create a pool for our Windows 8 VM.

For this exercise I would suggest using Windows 8 x64, Enterprise edition. I’m only preparing one VM in this demo, but feel free to create a larger pool.

Additional articles in this series:

VMware Horizon View 5.2 Part 1: Basic Installation
VMware Horizon View 5.2 Part 2: SSL Certificate
VMware Horizon View 5.2 Part 3: Initial Config

Prepare Win8 VM for Horizon View 5.2

1. In vCenter provision a new Windows 8 x64 (or x86) VM using hardware version 9. I would do a minimum of 3GB of RAM and a 30GB C drive. Mount the Windows 8 ISO, and do a regular installation.

2. Install VMware tools, then configure the network properties, do Windows update, and join to your domain.

3. By default Windows 8 has aggressive power settings, and the VM will suspend after a while. I recommend using the High Performance power profile. I would also enable remote desktop access as well.

4. As part of your Horizon View 5.2 downloads you should have downloaded the agent installer. Copy the appropriate agent (x86 or x64) to the VM and start the installer.

5. If you are asked to reboot the VM, do so. Re-run the installer and select all defaults and wait for the install to complete.

Configure Active Directory

1. Create a new OU for your VDI computers. We will need to apply a GPO to them, so a new OU makes life easier. I called the OU Windows 8 VDI.

2. Create a domain security group that users will go into that are authorized to get a desktop from the pool that we will define later on. I called my group VDI_Windows 8 Standard. Add a couple of test users to this group.

3. We need to modify the Remote Desktop Users group to allow the group we just created access. You can do this any number of ways, but let’s create a new GPO for this purpose. Link the GPO to the VDI OU you created.

4. Open the GPO and navigate to Computer ConfigurationPoliciesWindows SettingsSecurity SettingsRestricted Groups.

5. Right click on Restricted Groups and add the group Remote Desktop Users. Now add the group you created and added to users to back in step 2. Be sure to add this group under Members of this group in the upper half of the window.

6. Reboot your Win8 and make sure the policy has applied to the computer.

Creating a Desktop Pool

1. Launch the Horizon View Administrator and in the left pane under Inventory select Pools. Click Add Pool.

2. For this mini-pilot effort we will do a Manual Pool using Dedicated with automatic assignment.

3.  Choose vCenter virtual machines.

4. You should now see your vCenter server listed.

5. On the Pool ID screen you need to configure the ID, Display Name, Folder and an optional description. The ID has limitations on what characters you can use (e.g. no spaces) and the box will be outlined in red if you violate the rules.

6. The pool settings are highly dependent on your environment, so feel free to tweak them as needed. I changed a few settings to those shown below.

VMware Horizon View

7. Locate the Windows 8 VM(s) that you have provisioned and add them to the pool.

8. If your infrastructure meets the requirements, the wizard will now allow you to choose to use the storage accelerator. If you aren’t using a third-party storage appliance like Atlantis Computing ILIO then I would enable the feature.

9. On the Ready to Complete screen review all of your choices. At the top of the window mark the Entitle users after this wizard finishes.

10. When the Entitle window pops up add your entitlement group (e.g. VDI_Windows 8 Standard).

11. Reboot your Windows 8 VMs, and wait a few minutes. In the View Administrator click on Desktops and you should see your desktop(s) listed. Wait (a while) for the status to change to Available. It could be very slow to change from the Startup status so be patient.

Stay tuned for upcoming installments in the Horizon View 5.2 series, coming to a blog near you.

Cisco UCS Firmware 2.1(1b) released

New Cisco UCS firmware has now released! Their long anticipated first patch release of the 2.1 firmware, 2.1(1b) is out and you can download it today. Version 2.1, released in November of 2012, adds a number of great new features including the ability to rename service profiles. Since 2.1 added so many new features, there are bound to be some bugs/issues. So after several months of 2.1 in the field, you may now want to strongly consider jumping on 2.1(1b).

2.1(1b) adds a few new features, most notable in my book as the ability to run memory at 1333MHz vice 1066MHz in the B200 M3/C240M3 servers when all three DIMM slots are populated with memory. That’s great for a VDI blade, where you may fully populate it with 384GB using 16GB DIMMs.

Release 2.1(1b) adds support for the following:
•Cisco UCS B200 M3 blade server configurations with a single CPU
This patch release provides support for UCS B200 M3 blade server configurations with a single CPU, in addition to the previously supported dual CPU configurations.

New Software Features in Release 2.1(1b) adds support for the following:
•BIOS Policy Settings—Provides the ability to select refresh interval rate for internal memory.
•Memory Speed—Enables 1333 MHz memory speed for 8GB/16GB 1600-MHz RDIMMs populated with 3 DIMMs Per Channel/1.5v on the Cisco UCS B200 M3 blade server and Cisco UCS C240 M3 rack server.
•Call Home—Enables you to configure call home for CMOS battery voltage low alert.

There’s also a nice, relatively short, list of resolved caveats. I won’t post all of those, but you can check out the full release notes here.

On March 6, 2013 Cisco also released v2.1.1d of the UCS drivers ISO.

VMware Horizon View 5.2 Install Part 3: Initial Config

Welcome to the third part in the series for installing and configuring VMware Horizon View 5.2. In Part 1 and Part 2 we performed a basic install of the VMware Horizon View connection server role and setup a trusted SSL certificate. In this installment we will do some basic configuration of a vCenter role, setup a service account, add a license key, and link the Connection server to vCenter.

Additional articles in this series:

VMware Horizon View 5.2 Part 1: Basic Installation
VMware Horizon View 5.2 Part 2: SSL Certificate
VMware Horizon View 5.2 Part 4: VM and Pool Creation

VMware Horizon View 5.2 Initial Configuration

1. Create a domain service account that the View connection server will use to connect to vCenter. On a domain controller create a new AD service account, and set the password to never expire. In my environment the account is called SVC-View01-001. Name is not important, so use whatever naming convention suits you.

2. Login to the vSphere Web Client and from the Home page click on Administration.

In the Administration page click on Role Manager. Create a new role by clicking on the green plus icon. Call it something like View Administrator.
3. Add all of the privileges to the View Administrator role shown in the VMware table below.
4. In the vSphere Web Client navigate to Home > vCenter > Hosts and Clusters, then click on the vCenter name. Now click on the Manage tab and then the Permission tab. Click on the green plus icon to add a permission.
5.  Add the domain service account in the left pane, and change the role to View Administrator in the right pane.
6. Launch the View administrator and in the left pane expand View Configuration. Click on Product Licensing and Usage. Enter your View 5 product license key.
7. Under View Configuration click on Servers. Click on the vCenter Servers tab and click Add. Enter the vCenter’s FQDN, your service account name and password. Review the advanced settings in the lower half of the pane to see if they make sense for your environment. I left the defaults.
8. Since we haven’t yet installed View Composer (optional component), select Do not use View Composer.
9. If you are using vCenter 5.1 and ESXi 5.1, you will be presented with some new storage settings. I would leave the all the defaults, as those will produce the best results. If you are using a third party VDI storage accelerator such as Atlantis Computing ILIO then I would disable these storage features as they won’t provide much benefit.
10. At this point the vCenter should be successfully added and have green check boxes under all features.
We have now covered the major configuration steps for the View Connection server components. Next up is a little AD work, creating a VM template, and adding a few desktops to the View administrator console. You can check out that installment in Part 4 here.

VMware Horizon View 5.2 Install Part 2: SSL Certificate

This is the second part in a blog series of how to install and configure VMware Horizon View 5.2. In Part 1 we did the basic connection server install, and installed Adobe Flash player. Next up is configuring a trusted SSL certificate for VMware Horizon View.

There are a number of ways to request and mint SSL certificates. You could use a commercial CA, Microsoft internal CA or another flavor of CA if you wish. Unlike some vCenter components the View SSL certificate does not need any unusual properties beyond Server Authentication usage. No unique OU properties, no client authentication, no data encryption, etc. I would advise using a SAN certificate, so you can access the server via shortname and the FQDN without certificate errors.

I am using an Enterprise online Windows Server 2012 Certificate Authority in this example. The CA has been pre-configured to issue a variety of certificate template types, one of which I called “Server Authentication-SAN”. You don’t need a template with this name, but the template needs to support the SAN field, which the basic “computer” template will NOT. For general steps on how to configure a custom certificate template for a Microsoft CA, see my article here.

Additional articles in this series:

VMware Horizon View 5.2 Part 1: Basic Installation
VMware Horizon VIew 5.2 Part 3: Initial Config
VMware Horizon View 5.2 Part 4: VM and Pool Creation

VMware Horizon View SSL Certificate Installation

1. On the View server open a blank MMC. Add the Certificates snap-in and chose Computer account.

2. Open the Personal certificates container and expand Certificates. Depending on the auto-enrollment policy (if any) in your domain, you may find two or more certificates listed. One of the certificates will be the self-signed VMware certificate that we no longer want to use. You can see this by looking at the “Issued By” field.

3. Now we want to request a new certificate from our online CA via a the certificate request wizard. Right click on Certificates, select All Tasks, then Request New certificate.

4. A couple of clicks into the wizard you should see an Active Directory Enrollment Policy listed.

5. Click Next and you should now see one or more templates that your CA administrator has published. If you use the standard “Computer” template the CA will strip any SAN values that you enter. So if you want a SAN certificate you will need to use a CA template that allows for such usage. Since SAN certificate are not uncommon, I already had a certificate template ready. Again, for a link how to create a custom CA template see my article here.

6. Check the box next to your SAN template. Click on the line of text next to the yellow warning. On the Subject tab you now need to configure the “Common name” for the subject name and add two “DNS” alternative names. Use the View server FQDN for the Subject Name and add both the FQDN and short name DNS names for the alternative name, as shown below.

7. Click on the General tab and enter a friendly name of vdm.

8. Click on the Private Key tab and under Key Options allow the private key to be exportable.

9. Click OK then click on Enroll. If all goes well you should get a succeeded message.

10. In the MMC double click on the new certificate and validate all properties, including Subject Alternative Name are properly populated.

11. At this point you can either delete the self-signed VMware certificate, OR you must remove the vdm friendly name from the VMware certificate. View looks for a single certificate with the vdm friendly name. To remove the VDM friendly name from the VMware certificate just right click on the VMware certificate and select Properties, then delete the friendly name.
12. Restart all of the View services on your View server. The critical one is the VMware View Security Gateway Component. If it stops running shortly after you start it, there’s a problem with your certificate. The most common cause is having a certificate that does NOT allow exporting of the private key. You may see something like:

A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.

13. Now you can launch the View administrator and change the URL to either the server’s short name or FQDN, and you should NOT see any browser SSL errors.

14. Once you login you can click on the Dashboard icon on the left and view the server details for your connection server. It should show a valid SSL certificate.

Congratulations on configuring your View Connection Server SSL certificate. Very easy, and straight forward (vCenter team are you listening?). Next up is Part 3, where configure basic parameters in the View Connection Server.

VMware Horizon View 5.2 Install Part 1: Basic Installation

In case you missed it, VMware has recently GA’d their Horizon Suite of software. This is a re-branding and expansion of the end user computing portfolio, which includes View, their VDI solution. You can see my blog post for the full announcement here. This series will cover the VMware Horizon View 5.2 install process, which is pretty straight forward.

Last year I started  a View 5.1 install series, but for various reasons I didn’t get all the parts posted that I wanted. So I will endeavor for my View 5.2 series to go end-to-end, time permitting. Thankfully View is much easier to install and configure than vCenter 5.1, so I don’t expect a 15 part series to get through the full process.

Unfortunately the View 5.2 components are NOT supported on Windows Server 2012 (Horizon Mirage IS though), so we will be using Windows Server 2008 R2 for the connection server VM. For the client OS I will use Windows 8 x64 Enterprise, as that is now supported with View 5.2 on vSphere 5.1 (not vSphere 5.0 though).

Additional articles in this series:

VMware Horizon View 5.2 Part 2: SSL Certificate
VMware Horizon VIew 5.2 Part 3: Initial Config
VMware Horizon View 5.2 Part 4: VM and Pool Creation

VMware Horizon View 5.2 Install

1. Provision a Windows Server 2008 R2 SP1 VM, and do your normal configuration such as joining it to your domain. Resist the strong urge to use a Windows Server 2012 VM, as that is not supported. Note to View team: Please get with the program. vCenter 5.0 U2 supports WS2012, why can’t you?

2. Download the Horizon Suite 1.0 components from the VMware site. Copy the Connection Server installer to your newly provisioned VM and start the install process.

3. Once you get to the Destination Folder, you can leave the default value or put it elsewhere like on the D drive. For this example I’ll keep it simple and leave it on the C drive.

4. Next up you need to decide what role this particular server will be used for. For this series we will start off with the View Standard server.

5. The wizard will now prompt you for a data recovery password. Should your View server become inoperable or face other technical issues, you may need the recovery password to well….recover your environment. So make sure you write this down and keep it in a safe place. The password can be from 1 to 128 characters.
6. If in your environment you use the Windows firewall, View can automatically configure the appropriate rules. Since I’m using the Windows firewall, I want View to configure the rules for me. Note that if you want to use the Security server, it requires the use of Windows firewall to establish an IPsec connection to the Connection server. So I would advise using the Windows firewall.
7. Now you need to tell View what administrator group will have access into the View console. I would strongly urge the use of a domain security group vice the local administrator group. Following my favorite RBAC naming convention I’m using APP_View_All_Administrator. You should create your own group.
8. Next up it will ask you if you want to send anonymous data to VMware. I most certainly do NOT, but the choice is yours.
9. Click Install and wait for the installer to complete.
10. Unfortunately the View console relies on the very insecure Adobe Flash player. So download it to the computer(s) that you want to access the View console from.
In Part 2 we will configure the SSL certificate for the View connection server. In this area the View team is light-years ahead of the vCenter team. Installing a trusted SSL certificate is cake, and shockingly uses the Windows OS certificate store (yeah!).

VMware Horizon Suite 1.0 is now GA!

Today VMware released their Horizon Suite 1.0. What is Horizon Suite? Basically its a re-branding of their View product, with additions to the suite via some acquisitions over the last couple of years. Major components in the Horizon Suite include:

  • Horizon Workspace 1.0
  • Horizon Mirage
  • Horizon View 5.2

As seems par for the course, you need to look closely at the licensing model since some bundle/suites are based on concurrent users, while others are named users. If you currently own View licenses with concurrent licenses, watch out if you want the Horizon Suite. You MUST switch to the named user model. Named user licenses allow you to use multiple devices to access your desktop remotely.

Horizon View: Concurrent User

  • Horizon View
  • ThinApp
  • Workstation
  • vSphere
  • vCenter

Horizon Mirage: Named User

  • Horizon Mirage
  • ThinApp
  • Workstation
  • Fusion Pro

Horizon Workspace: Named User

  • Horizon Workspace
  • ThinApp
  • Workstation
  • Horizon Mobile for Android

Horizon Suite: Named User

  • Horizon View Bundle
  • Horizon Mirage Bundle
  • Horizon Workspace Bundle

For a great blog digging into the technical enhancements in this release of the Horizon Suite, check out this great post by Andre Leibovici. A taste of the new features includes:

  • Windows 8 support (requires vSphere 5.1, not 5.0)
  • Hardware accelerated 3D graphics
  • Improved Lync support
  • Multi-touch for Windows 8
  • Faster PCoIP performance
  • Multi-VLAN support
  • Better security

Unfortunately View does NOT support Windows Server 2012 for any components. This seems a bit odd, as vSphere 5.0 U2 fully supports vCenter/VUM on Windows Server 2012, which came out in December 2012. Mirage does support Windows Server 2012, though. I’m a bit baffled by the lack of SQL 2012 support even though that hit the streets nearly one year ago. VMware is very inconsistent on what server-side MS products they support.

As always, reading the release notes is very insightful. You can find the View 5.2 release notes here. For all of the View 5.2 docs, go here.