V(x)Block – AMP VUM & SQL Active Directory Integration

When a VxBlock ships from the factory, all Windows and SQL user/database accounts are set up as local accounts, for the obvious reason that the customer AD does not exist in the factory. This post details the steps to integrate a VUM VM and SQL with Active Directory and change the local Windows and SQL accounts to AD accounts, along with modifying the SQL DB permissions to an assigned AD account.

At a high level these are the prerequisite steps:

– Change DNS values on the Windows VUM VM (if different from LCS stated values).
– Join Windows VUM VM to AD.
– Reboot VUM VM.
– Snapshot VUM VM (precautionary step).
– Add domain\svc_vum to local admin group of the VUM VM.

Use the following procedure to configure domain service accounts for the VUM server and services, and to configure SQL Server access permissions, on a VxBlock-based EHC deployment.

Before you begin, ensure the following:
The service account for the Update Manager server must be created in the customer domain. A sample service account for the Update Manager server is domain\svc_vum.

1. Configuring AMP vSphere Update Manager Service Account permissions on the SQL Server Database

  • Login to the VUM SQL Server using a Domain Account and launch the SQL Management Studio.

Note: Please ensure the values in the script are updated as per the Customer Logical Configuration Survey.

The following script changes the SQL Domain Accounts Permission for the vSphere Update Manager database:

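-- Create a Windows-authenticated login for the service account,
-- defaulting to the vum database.
CREATE LOGIN [DOMAIN\svc_vum] FROM WINDOWS
    WITH DEFAULT_DATABASE = vum, DEFAULT_LANGUAGE = us_english
GO
-- Map the login to a user in the extvc database (name as given in the script).
USE extvc
GO
CREATE USER [DOMAIN\svc_vum] FOR LOGIN [DOMAIN\svc_vum]
GO
-- Map the login to a user in msdb.
USE msdb
GO
CREATE USER [DOMAIN\svc_vum] FOR LOGIN [DOMAIN\svc_vum]
GO
-- Grant db_owner on the vum database.
USE vum
GO
EXEC sp_addrolemember @rolename = 'db_owner', @membername = 'DOMAIN\svc_vum'
GO
-- Grant db_owner on msdb.
USE msdb
GO
EXEC sp_addrolemember @rolename = 'db_owner', @membername = 'DOMAIN\svc_vum'
GO
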
  • From the SQL Management Studio, expand the hierarchical Object Explorer on the left-hand side, expanding Security -> Logins.
  • Right-click on the VUM service account login, for example domain\svc_vum, and select Properties.
  • From the Default database drop-down list select the VUM database and click OK.
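
A read-only check that the script and the default-database change above took effect, added here as an example and not part of the original post. The account placeholder and the database names vum, msdb and extvc come from the script; matching database users by login SID is this example's own approach.

```sql
-- Placeholder account name as used on this page; replace per the LCS.
DECLARE @login sysname = N'DOMAIN\svc_vum';

-- 1. Server-level login: type, default database and enabled state.
SELECT name, type_desc, default_database_name, is_disabled
FROM sys.server_principals
WHERE name = @login;

-- 2. Server roles held by the login (the script itself grants none).
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = @login;

-- 3. Database user and role membership in each database the script touches.
--    Databases that do not exist on this instance are skipped.
DECLARE @dbs TABLE (name sysname);
INSERT INTO @dbs VALUES (N'vum'), (N'msdb'), (N'extvc');

DECLARE @db sysname, @sql nvarchar(max);
DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM @dbs WHERE DB_ID(name) IS NOT NULL;
OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Match the database user to the login by SID, not by name,
    -- so a renamed or differently named user is still found.
    SET @sql = N'SELECT @db AS database_name, u.name AS db_user, r.name AS db_role
        FROM ' + QUOTENAME(@db) + N'.sys.database_principals AS u
        LEFT JOIN ' + QUOTENAME(@db) + N'.sys.database_role_members AS m
            ON m.member_principal_id = u.principal_id
        LEFT JOIN ' + QUOTENAME(@db) + N'.sys.database_principals AS r
            ON r.principal_id = m.role_principal_id
        WHERE u.sid = SUSER_SID(@login);';
    EXEC sp_executesql @sql,
         N'@db sysname, @login sysname', @db = @db, @login = @login;
    FETCH NEXT FROM db_cur INTO @db;
END
CLOSE db_cur;
DEALLOCATE db_cur;
```

Going by the script above, the account should show vum as its default database, db_owner in vum and msdb, and a user with no role in extvc; any row from the server-role query is a privilege the script did not grant.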

2. Assigning service account privileges for vSphere Update Manager:

  • Login to the vSphere Update Manager using Microsoft RDP Client.
  • In the Server Manager, click Tools, and from the menu select Computer Management.
  • In the side bar, navigate to Local Users and Groups, expand it and select Groups.
  • Open the Administrators group and add the vSphere Update Manager service account, for example domain\svc_vum, and click OK.

3. Assigning ‘Log On As A Service’ privileges for vSphere Update Manager:

  • Login to the vSphere Update Manager using Microsoft RDP Client.
  • In the Server Manager, click Tools, and from the menu select Local Security Policy.
  • In the side bar, navigate to Local Policies, expand it and select User Rights Assignment.
  • In the right-hand side pane, select and double-click on Log on as a Service.
  • Click on Add User or Group, type domain\svc_vum for vSphere Update Manager and click on Check Names.
  • Ensure that the service account lookup succeeds and then click OK.

4. Configure ‘Log on account’ for VUM

  • Login to the vSphere Update Manager server using the RDP Client and domain account (domain\svc_vum)
  • Open CMD Prompt (Run As Administrator) and run the command services.msc
  • Locate and stop the VMware vSphere Update Manager Service
  • Right-click the service and click Properties.
  • On the Log On tab, select This account, and enter the credentials for the domain\svc_vum service account.
  • Click Apply.
  • Click OK.

5. Validate ODBC

  • From the Control Panel, click Administrative Tools > Data Sources (ODBC).
  • On the System DSN tab, select the VUM database DSN and click Configure.
  • Set the DSN to use Windows Authentication and verify that the default database is the VUM database. Do not change any other settings.
  • On the last page of the DSN wizard, click Test Data Source to verify that the settings are valid and to ensure there is a database connection.
  • Click OK to save the changes.

Start the VMware vSphere Update Manager Service. Ensure that each service starts properly and then log off the server.

Remove snapshots.
