11 Using Virtual Machine Manager 2008 for Provisioning

IN THIS CHAPTER
- Understanding Roles-Based Access and Delegation to Provision Virtual Machines
- Managing User Roles
- Deploying Virtual Machines
- Migrating a VM

This chapter covers the administrative provisioning and the delegated provisioning capabilities of Virtual Machine Manager (VMM) for the creation of guest images. This includes building new images from a template and building images from other image files.

Understanding Roles-Based Access and Delegation to Provision Virtual Machines

System Center Virtual Machine Manager 2008 provides a granular roles-based access control (RBAC) model for managing administrative permissions. Each user role has an administrative profile that determines which actions the user can perform. User roles are scoped to determine which VM objects the user can manage. There are three user roles in VMM 2008: the Administrator role, the Delegated Administrator role, and the Self-Service User role.

Administrator Role in VMM 2008

Users in the Administrator role have full rights to the VMM infrastructure and can perform all actions in the VMM Administrator console. Administrators can create new Delegated Administrator and Self-Service User roles. Only members of this role can add additional members to the Administrator role.

The Administrator role is created when VMM is installed for the first time in the domain. The user who installs VMM is automatically added to the Administrator user role during installation. There is only one Administrator user role in each domain.

NOTE
Because the Administrator role encompasses the entire VMM infrastructure, this role cannot be scoped.

Delegated Administrator Within VMM 2008

Users who are members of the Delegated Administrator role can perform all actions in the VMM Administrator console that apply, or are scoped, to them. The scope of objects is defined during the creation of the role.

The Delegated Administrator user role does not exist by default. There can be zero or more Delegated Administrator roles in each domain. Delegated Administrator roles are created by users who are members of the Administrator user role. Members of this user role can create new Delegated Administrator and Self-Service User roles, but only within the scope of objects that applies to them.

Self-Service User as a Role in VMM 2008

Members of the Self-Service User role can use the VMM self-service portal to perform actions on their VMs. This role is scoped by a member of the Administrator or Delegated Administrator role to pertain to a specific set of VM objects. Members of this role cannot manage their role or any other role in VMM. They also cannot create new user roles.

NOTE
Members of the Administrator or Delegated Administrator roles cannot access the self-service portal unless they are members of one or more Self-Service User roles.

Managing User Roles

User roles are managed by users in the Administrator or Delegated Administrator role using the VMM Administrator console. User roles are granted access to manage objects in a defined scope.

Managing the Administrator User Role

The administrator role can be used to manage user roles. To manage the user roles, do the following:

1. Open the VMM Administrator console using the shortcut on the Windows desktop or via the Start menu under Microsoft System Center, VMM 2008, VMM Administrator console.

   A Connect to Server window may open, prompting for the VMM server to connect to. Enter the server name and connection port (the default is port 8100) using the format VMMserver:port.

   NOTE
   You may choose to always open a connection to this server by selecting the Make This Server My Default check box. Doing so prevents this connection window from displaying when the Administrator console is run.

2. Go to the Administration view by clicking the Administration button. Then select User Roles from the view area.

3. Select the Administrator user role in the Results pane. The current members of the Administrator user role are displayed in the Results pane below.

4. Click Properties in the Actions pane to display the properties of the role.

5. The General tab displays the description for the Administrators role. Modify it if desired.

6. Click the Members tab. The current members are listed, as shown in Figure 11.1.

   FIGURE 11.1 Managing members of the Administrator user role.

7. To remove members from the Administrator user role, select the user to remove and click the Remove button.

   NOTE
   There must be at least one member in the Administrator user role at all times. VMM will not allow you to remove all members of the Administrator user role.

8. To add members to the Administrator user role, click the Add button and enter the name or names of the users or security groups to add. Click the Check Names button to resolve the users or groups. Members must be users or security groups in the Active Directory where the VMM server is a member or in a domain where a full two-way trust exists.

9. Click OK to close the Administrator Properties window.

Creating a Delegated Administrator User Role

The delegated administrator role can be used to manage user roles. To create a Delegated Administrator user role, do the following:

1. Open the VMM Administrator console using the shortcut on the Windows desktop or via the Start menu under Microsoft System Center, VMM 2008, VMM Administrator console.

   A Connect to Server window may open, prompting for the VMM server to connect to. Enter the server name and connection port (the default is port 8100) using the format VMMserver:port.

   NOTE
   You may choose to always open a connection to this server by selecting the Make This Server My Default check box. Doing so prevents this connection window from displaying when the Administrator console is run.

2. Go to the Administration view by clicking the Administration button. Then select User Roles from the view area.

3. Click New User Role in the Actions pane.

4. On the General page, enter the following information:
   a. User Role Name—Type a name for the Delegated Administrator role.
   b. Description—Type a useful description for the Delegated Administrator role.
   c. Profile—Select Delegated Administrator from the Profile drop-down list.
   Click Next to continue.

5. On the Add Members page, click Add to add new members to the role. Enter the name or names of the users or security groups to add. Click the Check Names button to resolve the users or groups. Members must be users or security groups in the Active Directory where the VMM server is a member or in a domain where a full two-way trust exists.

   NOTE
   The administrator may choose to not populate the members of the Delegated Administrator user role at this time. Members may be populated after the role is created.

   Click Next to continue.

6. On the Object Scope page, select the objects that members of this group can monitor. The delegated administrator will not be able to view or monitor objects from the Administrator console that are not selected in this page. Click Next to continue (see Figure 11.2).

7. On the Summary page, carefully review the settings and click Create to proceed with the creation of the Delegated Administrator role or click Previous to go back and change the configuration.

FIGURE 11.2 Scoping the objects for the Delegated Administrator user role.

The Create User Role Wizard offers a View Script button. This option allows the administrator to view, modify, and save the PowerShell commands that the wizard will execute to create the Delegated Administrator role, as shown in the following example:

    # Account to add to the new role
    $AddMember = "companyabc\amy"
    # Objects that define the role's scope: one host group and one library server
    $hostGroup1 = Get-VMHostGroup -VMMServer vmm2008 | where {$_.Path -eq "All Hosts\Domain Hosts\SF Core Hosts"}
    $libServer2 = Get-LibraryServer -VMMServer vmm2008 | where {$_.Name -eq "VMM2008.companyabc.com"}
    $AddScope = $hostGroup1, $libServer2
    # Both commands carry the same job group ID
    Set-VMMUserRole -AddMember $AddMember -AddScope $AddScope -VMMServer vmm2008 -JobGroup 06fb48f5-96c7-4133-acc4-cbf58f5fb2e4
    New-VMMUserRole -Name "SF Core Server Delegated Administrators" -Description "" -UserRoleProfile DelegatedAdmin -JobGroup 06fb48f5-96c7-4133-acc4-cbf58f5fb2e4

This code can be saved and edited to facilitate creating other Delegated Administrator groups from the VMM command shell.

Creating a Self-Service User Role

The Self-Service User role grants users permissions to operate, create, manage, store, create checkpoints for, and connect to virtual machines (VMs) in their scope using the VMM self-service portal.

1. Open the VMM Administrator console using the shortcut on the Windows desktop or via the Start menu under Microsoft System Center, VMM 2008, VMM Administrator console.

   A Connect to Server window may open, prompting for the VMM server to connect to. Enter the server name and connection port (the default is port 8100) using the format VMMserver:port.

   NOTE
   You may choose to always open a connection to this server by selecting the Make This Server My Default check box. Doing so prevents this connection window from displaying when the Administrator console is run.

2. Go to the Administration view by clicking the Administration button. Then select User Roles from the view area.

3. Click New User Role in the Actions pane.

4. On the General page, enter the following information:
   a. User Role Name—Type a name for the Self-Service User role.
   b. Description—Type a useful description for the Self-Service User role.
   c. Profile—Select Self-Service User from the Profile drop-down list, as shown in Figure 11.3.
   Click Next to continue.

   FIGURE 11.3 Creating the Self-Service User role.

5. On the Add Members page, click Add to add new members to the Self-Service User role. Enter the name or names of the users or security groups to add. Click the Check Names button to resolve the users or groups. Members must be users or security groups in the Active Directory where the VMM server is a member or in a domain where a full two-way trust exists. Click Next to continue.

   NOTE
   The administrator may choose to not populate the members of the Self-Service User role at this time. Members may be populated after the role is created.

6. On the Object Scope page, select the objects that members of this Self-Service User role can monitor. Click Next to continue.

7. On the Virtual Machine Tasks page, configure one of the following:
   a. Select All Tasks to permit this Self-Service User role to perform all VMM tasks, as shown in Figure 11.4.
   b. Select Only Tasks Explicitly Checked in the “Approved Tasks” Grid. Table 11.1 lists all the tasks available for the Self-Service User to run.

   FIGURE 11.4 Configuring the tasks the Self-Service User role can run.

   TABLE 11.1 Self-Service User Virtual Machine Tasks

   Task                 Description
   Start                Allows the user to start processing of a VM.
   Stop                 Allows the user to stop processing of a VM.
   Pause & Resume       Allows the user to pause processing of a VM and resume processing after the VM has been paused.
   Checkpoint           Allows the user to manage checkpoints on a VM.
   Remove               Allows the user to delete and discontinue management of a VM from VMM.
   Local Administrator  Grants the user local administrator permission on VMs they create.
   Remote Control       Allows the user to connect to and control a VM remotely. This is also known as Virtual Machine Remote Control (VMRC) access.

8. The VM Creation Settings page provides the option to allow users to create their own VMs. If this right will not be granted, click Next; otherwise, configure the following:
   a. Check the Allow Users to Create New Virtual Machines check box to allow self-service users to do so.
   b. In the Templates pane, click Add to add a new template that the self-service user can deploy.

      NOTE
      To search for a template, type the complete filename or the first few letters of the template name in the Look For box. In the Library group list, select the library group where the VM files are stored. To filter the files by group, click a group type in the Group By list.

   c. Optionally, the administrator can set a quota for deploying VMs. Quotas are used to limit the number of VMs the users can deploy at one time.

9. On the Library Settings page, the administrator can grant members of this self-service user group access to a library share to store their own VMs. To configure this setting:
   a. Check the Allow Users to Store Virtual Machines in a Library check box.
   b. Select the VMM Library server to allow users to access. If a large number of library servers are listed, the administrator can type the first few characters of the library server name in the Look For box to limit the results.

      NOTE
      Stored VMs do not count against the VM quota that may have been set when allowing self-service users to create a VM.

   c. To specify the Library Path, click Browse and select the share path to allow access to the self-service user.

      NOTE
      The library path entered can exist at any point under the MSSCVMMLibrary share. For example, if the Library Path is specified as \\VMM2008.companyabc.com\MSSCVMMLibrary\VHDs, the self-service user can access that folder and any subfolders, but cannot access the higher-level \\VMM2008.companyabc.com\MSSCVMMLibrary folder itself.

   d. Click Next to continue.
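
The View Script output shown earlier for the Delegated Administrator role, wrapped in a reusable function, as an added example that is not from the book or from the wizard's own output. It uses only the cmdlets and parameters that appear in that script; the function name New-ScopedDelegatedAdminRole and its parameter names are hypothetical, and it stops before creating the role if any scope filter fails to resolve to exactly one object, so a mistyped host group path is not passed on to -AddScope as an empty value.

```powershell
# Added example for the VMM 2008 command shell (PowerShell 1.0 compatible syntax).
# New-ScopedDelegatedAdminRole and its parameter names are hypothetical.
# Passing more than one account in -Members is an assumption; the page shows one.
function New-ScopedDelegatedAdminRole {
    param(
        [string]   $VMMServer          = $(throw "VMMServer is required"),
        [string]   $RoleName           = $(throw "RoleName is required"),
        [string[]] $Members            = $(throw "Members is required"),
        [string[]] $HostGroupPaths     = $(throw "HostGroupPaths is required"),
        [string[]] $LibraryServerNames = @(),
        [string]   $Description        = ""
    )

    $scope = @()

    # Resolve every host group path to exactly one object, or stop.
    foreach ($path in $HostGroupPaths) {
        $found = @(Get-VMHostGroup -VMMServer $VMMServer | where { $_.Path -eq $path })
        if ($found.Count -ne 1) {
            throw "Host group '$path' matched $($found.Count) objects; role not created."
        }
        $scope += $found[0]
    }

    # Same check for each library server name.
    foreach ($name in $LibraryServerNames) {
        $found = @(Get-LibraryServer -VMMServer $VMMServer | where { $_.Name -eq $name })
        if ($found.Count -ne 1) {
            throw "Library server '$name' matched $($found.Count) objects; role not created."
        }
        $scope += $found[0]
    }

    # One new job group ID shared by both commands, as in the generated script.
    $jobGroup = [guid]::NewGuid().ToString()
    Set-VMMUserRole -AddMember $Members -AddScope $scope -VMMServer $VMMServer -JobGroup $jobGroup
    New-VMMUserRole -Name $RoleName -Description $Description `
        -UserRoleProfile DelegatedAdmin -JobGroup $jobGroup
}

# Call using the values from the script on this page.
New-ScopedDelegatedAdminRole -VMMServer vmm2008 `
    -RoleName "SF Core Server Delegated Administrators" `
    -Members "companyabc\amy" `
    -HostGroupPaths "All Hosts\Domain Hosts\SF Core Hosts" `
    -LibraryServerNames "VMM2008.companyabc.com"
```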