VMware Cloud on Dell EMC is a hyperconverged hardware and software-defined data center stack, jointly engineered by VMware and Dell EMC, that includes complete lifecycle management. Simply select the number and size of Dell EMC VxRail hosts needed for your on-premises edge or data center and leave the provisioning, as well as the ongoing lifecycle management, to VMware.
In recent posts, we took a look at how to configure the DNS forwarding and how to set up DHCP relays to integrate more seamlessly with your enterprise services. Now we will walk through the next stage of typical configurations for a vSphere hybrid cloud – AD authentication and Hybrid Linked Mode.
Configure Active Directory Authentication
By default, each new VMware Cloud on Dell EMC SDDC deployment includes an admin account called email@example.com which is initialized with a random password during bring-up. This password can be obtained from the secure VMware Cloud Services portal, along with the unique URL for the vCenter Server that is managing the cluster.
It’s generally not a secure practice for multiple administrators to share a single admin account, because it undermines auditing (actions cannot be tied to a person), complicates password rotation, and makes it hard to revoke access when an employee leaves. The solution is to have each administrator log in with their own user account, and a popular way to configure this in vSphere is to incorporate Active Directory (AD) as an authentication source.
Long-time vSphere admins, please note that VMware Cloud on Dell EMC can only be configured for AD authentication over LDAP; it cannot be joined to your AD and cannot use Integrated Windows Authentication, which is deprecated.
Enabling Active Directory over LDAP is straightforward and has two main steps. First, navigate to the Single Sign-On configuration panel and click ADD under the Identity Sources tab. Fill in the fields with details that are appropriate for your AD domain, as seen in the image below. For more details on the configuration, see the product documentation, and also be aware of the pertinent Windows Server LDAP channel binding concern.
Once the new identity source is available, the second step is to grant permissions. The best approach is to designate a group in AD that is assigned the CloudAdmin role in vCenter. This way, any administrator who is a member of that AD group can log into vCenter without resorting to the shared default admin account.
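The second step, scripted in PowerCLI as an added example (not part of the original post): grant CloudAdmin to an AD group on the SDDC datacenter object, then list any permissions still held by individual accounts. The vCenter FQDN, the datacenter name SDDC-Datacenter and the group CORP\vSphere-CloudAdmins are placeholders for your own environment.

```powershell
# Added example, not from the original post. Assumes the AD-over-LDAP identity
# source already exists (created in the UI as described above) and that the
# vCenter FQDN, datacenter name and AD group below are placeholders you replace.
Import-Module VMware.PowerCLI

$vc = Connect-VIServer -Server 'vcenter.sddc.example.com'   # prompts for credentials

# Scope the grant to the SDDC datacenter object and let it propagate downward.
$dc    = Get-Datacenter -Name 'SDDC-Datacenter'
$role  = Get-VIRole -Name 'CloudAdmin'
$group = 'CORP\vSphere-CloudAdmins'

# Idempotent: only add the permission if the group does not already hold it.
$existing = Get-VIPermission -Entity $dc | Where-Object { $_.Principal -eq $group }
if (-not $existing) {
    New-VIPermission -Entity $dc -Principal $group -Role $role -Propagate $true
}

# Audit: permissions granted to individual accounts rather than groups defeat
# the per-administrator accountability the AD integration is meant to provide.
Get-VIPermission -Entity $dc |
    Where-Object { -not $_.IsGroup } |
    Select-Object Principal, Role, Propagate |
    Format-Table -AutoSize

Disconnect-VIServer -Server $vc -Confirm:$false
```

Run the audit portion on a schedule to catch permissions that were later granted directly to users instead of through the AD group.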
Configure Hybrid Linked Mode
Each vCenter Server, whether on-premises or part of VMware Cloud, is a separate entity. By default, an administrator would be required to log into each vCenter individually to manage the underlying SDDC resources. This is a challenge for larger environments that typically have many vCenter Servers. The solution that has been available for quite a long time is to link the different vCenter Servers together, which can be done for on-prem systems through Enhanced Linked Mode (ELM). But to link an on-prem vCenter and a managed VMware Cloud on Dell EMC vCenter, administrators must use Hybrid Linked Mode (HLM). Please take a look at the product documentation for more specific details. The gist of the procedure is that you first download the vCenter Cloud Gateway Appliance and deploy it in the on-prem SDDC, then you link the VMware Cloud SDDC. The download link can be conveniently found under the hybrid cloud administration settings:
Deploy the gateway appliance to on-prem vSphere infrastructure and log in with admin credentials to complete the configuration:
After the two domains are linked, log in to the gateway with your individual admin account and observe that both vCenter Server environments now show in a single UI.
When you add a VMware Cloud on Dell EMC SDDC to your data center, you can manage the resources more effectively by authenticating against your enterprise Active Directory and by linking to your existing vCenter Server environment. This enables workflows such as seamless virtual machine migration and deployment across the two SDDCs.