
How to do it...
Carry out the following steps, using the ADUC console to create service accounts:
- Create the following accounts and groups in your domain; you can name them according to your naming convention:
- SCVMM Service user account: RLLAB\vmm-svc
- SCVMM Run As user account: RLLAB\vmm-admin
- SCVMM administrators security group: RLLAB\vmm-admins
- SQL Service user account: RLLAB\sql-svc
- SQL Server system administrators' user account: RLLAB\sql-admin
I normally create these accounts under a previously created OU: Service Accounts.

- After creating the accounts, double-click on the vmm-admins security group.
Make sure that the Password never expires and the User cannot change password options are checked for those accounts. Also make sure that no GPO is applied that changes these settings. Note, though, that Group Managed Service Accounts (gMSAs) are not supported by VMM.
- Select the Members tab and then click on Add.
- Enter vmm-svc and click on OK.
- Log in to the VMM management server (vmm-mgmt01) with an account that has local administrator rights (for example, RLLAB\Administrator).
- Launch Server Manager from the Start menu. Click on Tools and then click on Computer Management.
- Expand System Tools, select Local Users and Groups and go to Groups, double-click on Administrators, and then add vmm-admins.
Optionally, you can use the following PowerShell commands to create the accounts and add the VMM-Admins group to the local Administrators group on the VMM server:
```powershell
# Install the Active Directory PowerShell module (RSAT)
Add-WindowsFeature -Name "RSAT-AD-PowerShell"
$addn = (Get-ADDomain).DistinguishedName
$ouname = Read-Host "Enter OU's name (for example, Service Accounts)"
$vmmsrv = Read-Host "Enter VMM server name"
$dname = (Get-ADDomain).Name
# Prompt for the password so that it is not stored in the script or the command history
$password = Read-Host -AsSecureString "Enter the password for vmm-svc"
# Create the VMM service account with the password options described above
New-ADUser "VMM Service Account" -SamAccountName "vmm-svc" -DisplayName "VMM Service Account" -AccountPassword $password -PasswordNeverExpires $true -CannotChangePassword $true -Enabled $true -Path "OU=$ouname,$addn"
# Create the VMM administrators security group and add the service account to it
New-ADGroup -Name "VMM-ADMINS" -GroupCategory Security -GroupScope Global -Path "OU=$ouname,$addn"
Add-ADGroupMember VMM-ADMINS -Members vmm-svc
# Add the domain group to the local Administrators group on the VMM server;
# the quoted subexpression makes sure the domain name is expanded before the backslash
Invoke-Command -ComputerName $vmmsrv -Credential (Get-Credential) -ScriptBlock { net localgroup administrators "$($args[0])\vmm-admins" /add } -ArgumentList $dname
```
- Repeat steps 5 to 7 for all of the VMM servers: vmm-console and vmm-lib01.
- Log in to the SQL Server (w2k16-sql) with an account that has local administrator rights (for example, RLLAB\Administrator).
- Launch Server Manager from the Start menu. Click on Tools and then click on Computer Management.
- Expand System Tools, select Local Users and Groups and go to Groups, double-click on Administrators, and then add sql-svc and sql-admin.
You can use the domain policy to assign those accounts to the local Administrators group on the VMM and SQL servers. For more information, see http://social.technet.microsoft.com/wiki/contents/articles/7833.how-to-make-domain-user-as-a-local-administrator-for-all-pcs.aspx.
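
A read-only check of the accounts and group memberships set up in the preceding steps, given here as an added example rather than code from the book. It assumes the account, group, and server names used in this recipe, that the SamAccountNames match those names, and that PowerShell remoting is enabled on the servers (Windows Server 2016 or later for `Get-LocalGroupMember`).

```powershell
# Added example: audits the result of this recipe. Names below are the ones used
# on this page (assumptions); change them to match your naming convention.
Import-Module ActiveDirectory

$domain   = (Get-ADDomain).NetBIOSName
$accounts = 'vmm-svc', 'vmm-admin', 'sql-svc', 'sql-admin'
# Server -> principals expected in its local Administrators group
$localAdmins = @{
    'vmm-mgmt01'  = @("$domain\vmm-admins")
    'vmm-console' = @("$domain\vmm-admins")
    'vmm-lib01'   = @("$domain\vmm-admins")
    'w2k16-sql'   = @("$domain\sql-svc", "$domain\sql-admin")
}
$findings = @()

# 1. Each account exists, is enabled, and has both password options set
foreach ($name in $accounts) {
    try {
        $u = Get-ADUser -Identity $name -Properties PasswordNeverExpires, CannotChangePassword -ErrorAction Stop
    } catch {
        $findings += "$name : account not found"
        continue
    }
    if (-not $u.Enabled)              { $findings += "$name : account is disabled" }
    if (-not $u.PasswordNeverExpires) { $findings += "$name : 'Password never expires' is not set" }
    if (-not $u.CannotChangePassword) { $findings += "$name : 'User cannot change password' is not set" }
}

# 2. vmm-svc is in vmm-admins; list any other member for review, because
#    membership of this group grants local administrator rights on the VMM servers
$members = @(Get-ADGroupMember -Identity 'vmm-admins' | Select-Object -ExpandProperty SamAccountName)
if ($members -notcontains 'vmm-svc') { $findings += "vmm-admins : vmm-svc is not a member" }
$members | Where-Object { $_ -ne 'vmm-svc' } |
    ForEach-Object { $findings += "vmm-admins : additional member '$_' (review)" }

# 3. The expected principals are in the local Administrators group on each server
foreach ($server in $localAdmins.Keys) {
    $actual = @(Invoke-Command -ComputerName $server -ScriptBlock {
        (Get-LocalGroupMember -Group 'Administrators').Name
    })
    foreach ($principal in $localAdmins[$server]) {
        if ($actual -notcontains $principal) {
            $findings += "$server : $principal is not in local Administrators"
        }
    }
}

if ($findings) { $findings } else { 'All checks passed' }
```

Running it again after a Group Policy refresh shows whether a GPO is reverting the password options or the local group membership.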