VMware vRealize Configuration Manager Cookbook
上QQ阅读APP看书,第一时间看更新
上一章目录下一章

Adding a network authority account to manage machines in multiple domains

For medium to large infrastructures, there are always multiple Active Directory domains available. We can use VCM to manage servers in multiple domains. This recipe explains what you need to do for that.

Getting ready

There should be a proper name resolution. If there is a firewall in between, then the ports stated in the first chapter must be open.

We need a network authority account per domain in order to manage the machines in that domain and VCM functions such as collecting data, patching, and so on.

How to do it...

We need to add the domains and network authority account and finally associate them with one another.

Go to Administration | Settings | Network Authority

We have three options:

  • Available Domains (identified while performing the installation); we can add new ones if required
  • Available Accounts (we assigned one NAA while performing VCM deployment)
  • Assigned Accounts

Available Domains

Domains are identified in one of the steps when we perform the VCM server installation; now, we can add extra domains. Click on Add under Available Domains, and provide the domain Name and Type.

Available Accounts

Under Available Accounts, we can see which network authority accounts are available and then add any extra accounts or remove unwanted ones.

Assigned Accounts

This is the place where we associate available accounts with available domains.

Go to Assigned Accounts | By Domain | Active Directory, and then click on Edit Assigned Accounts and associate the available accounts with this domain.

How it works...

Basically, by following this process, we assigned an account that has local admin privileges or the rights explained in the first chapter to all the machines in the respective domain that will be managed by VCM.

We can assign as many accounts as required. When a VCM function is started, assigned accounts will be tried in the specified order. When something starts a subsequent time, the last successfully used account will be used first. Accounts are listed in the order in which they are assigned, from top to bottom.

If a machine is in multiple lists (such as a domain and a machine group), the authority account that will be used to contact it will be in the following order:

  • The last account that worked
  • The accounts assigned to the domain
  • The accounts assigned any machine group (including the default All Machines group) to which the machine belongs

We need to do this for Windows only, as in the case of Linux, we need to accept the certificate in the VCM console. Unless we accept the certificate, we will not be able to patch the Linux machine from VCM. To accept the certificate, on the VCM console, go to Administration | Certificates, select the machine, and click on Change Trust Status. Follow the wizard, and you will see a handshake symbol in front of the machine. This will allow you to patch the Linux machine from the VCM console. The steps to perform this action are a part of the next recipe.

上一章目录下一章