Matsco

VMWARE VIEW and multiple domains

Please let me know if VMware View can be deployed on multiple domains in an environment with network-segmented domain controllers. It seems that VMware View allows only a single domain controller infrastructure, though some have suggested to me that there are ways to accommodate multiple domains for VDI in the vCenter environment. Although the View documentation suggests that multiple trusts can be created, I don't see how it can be segmented for a different VLAN, or how workstations can be added on different domain controllers with linked-clone workstations.
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

VMware View Configuration does support Multiple Domains for View Composer.
When creating Pools, you get options of what Domain you want to Create the Linked Clones in.
VLANs are configured, with the network settings for the Desktops you've created in vCenter.
However, there have been issues with some thin clients being able to select which domain the users log in to, when trusts exist.
It was the Wyse V10L which had issues with multiple domains and VMware View 4.5 connection broker.

Solved by latest version of WTOS.
Matsco

ASKER

The problem is, we want to completely segment them so that they don't see each other. If I create a 2-way trust relationship between domain A and B and between A and C, domains B and C see each other, and that would be a problem for our clients. Basically we want to deploy VMware View with multiple domains, completely segmented, so that no VMware View desktop will see any domain other than its own. We don't want our users to be able to see any other domains at all.
Any suggestion?
Matsco

ASKER

When you create linked clones, as far as I know you can add only the domains installed on the vCenter server, or am I incorrect?
Ah, okay, completely segmented means separate Transfer Servers, Composer Service, etc.
When creating the Desktop Pool, you can specify which domain and AD container you would like the Linked Clones to appear in.

When creating the configuration, and enabling VMware Composer, you add the domains you would like Composer to operate on.

But I don't think this helps you if you want a completely segmented environment with NO trusts.

I think you would have to lab this in detail.
Matsco

ASKER

Well, I don't mind creating a trust as long as clients won't see other domain names, because they are different customers, but my question is: can I actually implement a separate segmented environment at the client level? As long as those virtual machines don't see different domains and those machines are joined to the right domain on the right segmented VM VLAN, I don't have any problem, but I don't know if it can be implemented practically.
I think that depends on your Linked Clone parent configuration, and which domain it's in.

As for Trusted Domains, probably not needed, providing you've got the right service accounts in the correct domains for deployment.
Matsco

ASKER

So are you saying that we don't need to trust between different domains and yet we can still deploy a multi tenant vmware platform for our number of clients?
Just to clarify this, it's a multi-tenant platform we want to create, as we are currently maintaining a number of client servers physically and the plan is to virtualize a few of them on our vCenter. Each client has its DC server/servers with its domain infrastructure. We have already created a VLAN on the VM Network and they are physically separated, so they are secured. On the server side they are separated and all sorted. The problem is that I don't know how to deploy a virtual desktop to multiple customers according to their domain membership with VMware View. We want to create a desktop for client A, B, C, D and so forth, and they all need to be completely separated. I think vShield is something I need to look up to segment all clients somehow.

ASKER CERTIFIED SOLUTION
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)
Matsco

ASKER

REALLY!!! That will be FANTASTIC!!
I have been confused, thinking that you always need a trust for a multi-tenant platform.
How about the connection manager? Is it to be installed on every customer's DC?
A new server is created and recommended as the connection broker. Now this is interesting, because you would need to have a Connection Broker on every VLAN.

Otherwise there would be no way of clients connecting to their Desktop Pool.

So I think you are going to have to Lab this, or work with a VMware Consultancy to work through this.
Or four NICs in the Connection Broker connected to four different VLANs, but that's not really isolation!

I wouldn't like that!
Matsco

ASKER

I'm sorry, but I'm wondering why I would need a NIC for every VLAN. Even if it's physically separated with a different service console on the VM, does it make any difference?
I think the best solution would be to install the connection broker on each VLAN/Server, if possible.
Can we create multiple connection brokers on the vCenter Server?
It was just an off-the-top comment, so you could use JUST a single BROKER (connection/View server).

Otherwise you'll need one per network, as you want to keep everything isolated.

Isolation at the network level really means you are probably going to have to have a vCenter server on each network as well, and a transfer server on each network.

It's getting complicated - I'd have to lab and plan this for a client. Not seeing an easy way for you to co-host, 4 different VDIs on a single implementation. Across Domains okay, but different networks complicates things a little.
Download the trial if you've not already implemented VMware View 4.5, and try it out. It's very quick to install, provided you've got Windows 2008 Servers (64bit) already templated. SQL 2008 64bit, and vCenter.
server for your Connection Broker (VMware View Server), and Transfer Server (used in Linked Clones), vCenter for VMware Composer, and SQL 2008 server used as well.
We usually recommend 64-bit servers, because of large memory requirements above 4GB, 64bit Win2k8 and SQL 2008 64bit.
Matsco

ASKER

Thanks a lot Hancocka, will try and see, though installing vCenter for each network doesn't justify our expense, given the fact that vCenter per license is so expensive. I will give it a try as you said.

Thanks

Access must exist between the VMware View (broker) and vCenter.
Matsco

ASKER

I'm just downloading the trial version of View Connection Server. I will set up a broker server for each client and put it on each VLAN, and then install/configure client workstations on each domain.
I will install View Composer on vCenter and hopefully I can see the multiple domains from the admin site, but the network between our management LAN and the customer LAN needs to be able to communicate, so that the vCenter LAN can reach each connection server installed on the customers' VLANs.
I wonder if a one-way tunnel between our management LAN and the customer LAN is enough for View Composer, or if I need 2-way tunnels between them on the firewall.