How to Configure VMM 2008 to Run With a Domain Service Account, using a Remote SQL Database

By default, System Center Virtual Machine Manager 2008 installs the Virtual Machine Manager service to run under the LocalSystem account. This configuration works fine, but what if, for security reasons, you want the service to run under a domain account instead?

While the option to specify a domain account exists as part of the installation program, the recommended way to achieve this is by completing the following:

Step 1: Install the SQL Management Tools on the VMM Server

Prior to running the VMM Server installation, install the SQL Management Tools on the VMM Server. If you fail to do so, VMM Setup will prompt you to complete this step before continuing. This step matters because we are installing VMM against a remote database.

Step 2: Install SCVMM using LocalSystem as the Service Account

Run through the VMM installation and select to use LocalSystem when you are asked what service account you want to use. We will change this later to a domain account. When prompted to store SQL locally or remotely, select your remote SQL Server of choice.

Step 3: Create the SQL SPNs Manually

After the VMM installation completes, contact your DBA and gather the following information:

  • SQL Server FQDN
  • SQL Server Instance Name
  • SQL Server Service Account for the above Instance Name
  • Port on which the above instance is running

For our illustration in this document we will be using the following values:

  • SQL Server FQDN: SQLserver1.mydomain.local
  • SQL Server Instance Name: Instance1
  • SQL Server Service Account for the Instance: mydomain\SQLserviceAccount
  • Port on which the above instance is running: 1433

IMPORTANT: In ADSIedit, if SQL is running under LocalSystem, edit the computer object of the SQL server. If SQL is running under a domain service account, edit that user account instead.

On a domain controller, open ADSIedit.msc and find the SQL Server service account (the computer object for LocalSystem, or the domain SQL service account), then right-click | Properties. Page down the Attributes, find servicePrincipalName and double-click it. Ensure the following SPNs exist and, if not, add them:

* Remember the port 1433 is the default port and could be different.

  • MSSQLsvc/SQLserver1:1433
  • MSSQLsvc/SQLserver1.mydomain.local:1433

It should look something like this:

[Screenshot in the original post: the servicePrincipalName attribute editor listing the two MSSQLsvc SPNs.]

If your SQL server is a cluster, add the Instance Name instead of the Server Name as an SPN. In the case of a cluster, we would add the following SPNs:

  • MSSQLsvc/Instance1.mydomain.local:1433
  • MSSQLsvc/Instance1:1433

* Remember the port could be 1433 or some other port. Consult your DBA for this information.

Arrange a good time with your DBA to restart the SQL Service on the SQL Server.

Step 4: Create the VMM Domain Service Account and add it to the appropriate groups

Back to the VMM Server. Create a VMM Domain Service Account in Active Directory that will be used to run the VMM Service. For our example we will call ours mydomain\VMMSvc. Add this user to the following groups:

  • Local Group Administrators on the VMM Server
  • Local Group Administrators on all Hosts
  • Local Group Administrators on all Library Servers
  • Local Group "Virtual Machine Manager Servers" on the VMM Server
  • Built-in Active Directory group "Windows Authorization Access Group"

Step 5: Set the HOST SPNs for the new VMM Service Account

On a domain controller, open ADSIedit.msc and find the VMM Domain Service Account (and right-click | Properties). Page down the Attributes and look for servicePrincipalName then double-click.

We need to add the SPNs for the new VMM Service Account, so add the following two SPNs:

* Remember VMMsvc is the name of your VMM Domain Service Account.

  • HOST/VMMsvc
  • HOST/VMMsvc.mydomain.local

It should look something like this:

[Screenshot in the original post: the servicePrincipalName attribute editor listing the two HOST SPNs.]
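As an added example that is not part of the original post, the SPNs from Step 3 (SQL) and Step 5 (VMM) can also be registered from an elevated prompt with setspn.exe instead of typed by hand in ADSIedit, with a forest-wide duplicate check first. It assumes the post's example names and a setspn.exe that supports -Q and -S (the Windows Server 2008 version); if SQL runs as LocalSystem, the SQL computer name (SQLserver1) is used as the account.

```powershell
# Added example, not from the original post: register the Step 3 (SQL) and
# Step 5 (VMM) SPNs with setspn.exe, refusing to add any SPN that already
# exists on another account (a duplicate SPN silently breaks Kerberos).
# Account and host names are the post's example values; adjust them.
$SqlHost        = 'SQLserver1'
$SqlFqdn        = 'SQLserver1.mydomain.local'
$SqlPort        = 1433                           # confirm the instance port with your DBA
$SqlServiceAcct = 'mydomain\SQLserviceAccount'  # use 'SQLserver1' (computer account) if SQL runs as LocalSystem
$VmmServiceAcct = 'mydomain\VMMsvc'

# Each account maps to the SPNs it must carry. For a clustered SQL instance,
# substitute the instance name for the host name as described in Step 3.
$RequiredSpns = @{
    $SqlServiceAcct = @("MSSQLsvc/${SqlHost}:$SqlPort", "MSSQLsvc/${SqlFqdn}:$SqlPort")
    $VmmServiceAcct = @('HOST/VMMsvc', 'HOST/VMMsvc.mydomain.local')
}

foreach ($account in $RequiredSpns.Keys) {
    # setspn -L prints a header line followed by one indented SPN per line.
    $existing = setspn.exe -L $account | ForEach-Object { $_.Trim() }

    foreach ($spn in $RequiredSpns[$account]) {
        if ($existing -contains $spn) {
            Write-Host "OK        $spn is already on $account"
            continue
        }
        # setspn -Q searches the whole forest; any hit here is on some other
        # account, because we just saw that this account does not carry it.
        $query = setspn.exe -Q $spn
        if ($query -match 'Existing SPN found') {
            Write-Warning "DUPLICATE $spn is registered on another account; resolve that first: $($query -join '; ')"
            continue
        }
        Write-Host "ADDING    $spn -> $account"
        setspn.exe -S $spn $account      # -S re-checks for duplicates before writing
    }
}
```

Restart the SQL service afterwards as described in Step 3; SPN changes take effect for new Kerberos tickets, so clients that already hold a ticket may need to reconnect.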

Step 6: Change the VMM Service to use the new VMM Domain Service Account

On the VMM Server, open Administrative Tools | Services and open the "Virtual Machine Manager" service. Click on the "Log On" tab and provide the credentials of the new VMM Domain Service Account, in our example mydomain\VMMsvc.

We also have to make a change in the registry. Open Regedit and browse to:

HKLM\SOFTWARE\Microsoft\Microsoft System Center Virtual Machine manager\Setup

In this key there is a value named VMMServiceAccount. Change it from LocalSystem to your VMM Domain Service Account, for example mydomain\VMMsvc.

Step 7: Configure SQL for the new VMM Domain Service Account

On the SQL Server, open SQL Server Management Studio. Browse down to [SQL Instance] | Security | Logins, right-click on Logins and select "New Login".

General: At Login Name type the name of your VMM Domain Service Account - mydomain\VMMsvc.

Server Roles: Select "public"

User Mappings: Select the "MAP" checkbox next to "VirtualManagerDB" and ensure the "public" and "db_owner" role memberships have been selected. Click OK to create the Login.

After you have created the login, right-click on the login you just created and make sure that the Default Schema is set to DBO.

Step 8: Reconfigure the Self-Service Portal to use the new VMM Domain Service Account

On the VMM Server running the Self-Service Portal, open RegEdit and add the following string value under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft System Center Virtual Machine Manager Self-Service Portal\Settings

Value Name: VMMServerSPN

Data Type: REG_STRING

Value Data (example): HOST/VMMsvc

* The value you are adding here is the SPN we configured in Step 5. VMMsvc is the name of the user account you created as the VMM Domain Service Account: just the user name, not the domain name. If you are running in disconnected namespaces, specify the FQDN instead, thus: HOST/VMMsvc.mydomain.local.

Step 9: Configure Trust For Delegation for your new VMM Domain Service Account

On your domain controller, open Active Directory Users and Computers. Find the user account you want to use as your VMM Domain Service Account, VMMsvc in our example, right-click it and select Properties. Click on the Delegation tab. Select "Trust this user for delegation to specific services only", then select the option for Kerberos only and click Add. Click Users and Computers and select the VMM Domain Service Account, VMMsvc in our case. When the service types are listed, select HOST and click OK. Reboot the VMM Server.
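As an added example that is not part of the original post, the script below performs read-only checks of the end state of Steps 5 through 9 from the VMM server: the service log-on account, the two registry values, the HOST SPNs, and the delegation settings on the account. Registry paths, value names and the example account are the post's; the delegation check relies on the fact that "Kerberos only" constrained delegation populates msDS-AllowedToDelegateTo while leaving the TRUSTED_TO_AUTH_FOR_DELEGATION bit (0x1000000) of userAccountControl clear.

```powershell
# Added example, not from the original post: read-only checks of the end state
# of Steps 5 through 9, run on the VMM server as a domain user. Registry paths,
# value names and the example account come from the post. "Kerberos only"
# constrained delegation appears in AD as a populated msDS-AllowedToDelegateTo
# with the TRUSTED_TO_AUTH_FOR_DELEGATION bit (0x1000000) clear in
# userAccountControl; that bit set would mean "any authentication protocol".
$ServiceAcct = 'mydomain\VMMsvc'
$SamAccount  = 'VMMsvc'
$DnsSuffix   = 'mydomain.local'
$SetupKey    = 'HKLM:\SOFTWARE\Microsoft\Microsoft System Center Virtual Machine Manager\Setup'
$PortalKey   = 'HKLM:\SOFTWARE\Microsoft\Microsoft System Center Virtual Machine Manager Self-Service Portal\Settings'

function Report($name, $ok, $detail) {
    $tag = if ($ok) { 'PASS' } else { 'FAIL' }
    Write-Host ('{0} {1,-38} {2}' -f $tag, $name, $detail)
}

# Step 6: the service itself must log on as the domain account.
$svc = Get-WmiObject Win32_Service -Filter "DisplayName='Virtual Machine Manager'"
Report 'Service log-on account' ($svc.StartName -eq $ServiceAcct) $svc.StartName

# Step 6 and Step 8: registry values read by VMM and the Self-Service Portal.
$acct = (Get-ItemProperty $SetupKey -ErrorAction SilentlyContinue).VMMServiceAccount
Report 'VMMServiceAccount value' ($acct -eq $ServiceAcct) $acct
$spn = (Get-ItemProperty $PortalKey -ErrorAction SilentlyContinue).VMMServerSPN
Report 'VMMServerSPN value' ($spn -eq "HOST/$SamAccount" -or $spn -eq "HOST/$SamAccount.$DnsSuffix") $spn

# Step 5 and Step 9: HOST SPNs and delegation settings on the account in AD.
$searcher = New-Object DirectoryServices.DirectorySearcher("(sAMAccountName=$SamAccount)")
$result = $searcher.FindOne()
if ($result -eq $null) { Write-Error "Account $SamAccount not found in AD"; return }
$user = $result.GetDirectoryEntry()

$spns = @($user.servicePrincipalName)
Report 'HOST SPNs on account' (($spns -contains "HOST/$SamAccount") -and ($spns -contains "HOST/$SamAccount.$DnsSuffix")) ($spns -join ', ')

$delegateTo = @($user.'msDS-AllowedToDelegateTo')
Report 'Delegation to specific services only' ($delegateTo.Count -gt 0) ($delegateTo -join ', ')

$uac = [int]$user.userAccountControl.Value
Report 'Kerberos only (no protocol transition)' (($uac -band 0x1000000) -eq 0) ('userAccountControl=0x{0:X}' -f $uac)
```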

Justin Luyt | Senior Support Engineer

Posted: Wednesday, July 01, 2009 6:23 PM by jchornbe
