Module 8: Configuring User Roles and the Virtual Machine Manager Self-Service Portal
  • Presentation: 75 minutes
    Lab: 60 minutes
    After completing this module, students will be able to:
      • Configure user roles.
      • Install and configure the VMM Self-Service Portal.
    Required materials: To teach this module, you need the Microsoft® Office PowerPoint® file 10215A_08.ppt.
    Important: It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not be displayed correctly.
    Preparation tasks: To prepare for this module:
      • Read all of the materials for this module.
      • Practice performing the demonstrations and the lab exercises. Detailed steps for the demonstrations are provided in the course companion CD.
      • Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.
      • Make sure that students are aware that there are additional information and resources for the module on the Course Companion CD.
  • Briefly present the module’s content. Start a short discussion about strategies that students have used so far for virtual machine backups or backups in general. Emphasize that Windows Server® 2008 R2 and System Center Virtual Machine Manager 2008 R2 (VMM) have some built-in tools that you can use to back up virtual machines, but with somewhat limited functionality. However, System Center Data Protection Manager (DPM) 2007 Service Pack 1 (SP1) is a product that provides full-featured backup and restore for Hyper-V™-based virtual machines. Ask the students if they use Data Protection Manager 2007, or if they have experience with some third-party backup tools.
  • Present the lesson’s content. Tell students that this lesson discusses some general concepts about strategies for backing up and restoring virtual machines. Emphasize that you can back up virtual machines by using the same procedure as physical computers. However, virtual machines are different from physical computers since they are mostly contained in one file, the virtual hard disk (VHD). Also, point out that the VMM has some backup capabilities that allow you to perform backup of the VMM database, and to restore it from backup.
  • As you introduce this module and lesson, ask students why their organizations are exploring virtualization. Ask them what the most urgent requirements are that are driving the implementation of virtualization. Also ask them to describe what types of virtualization their organizations are implementing or considering. Almost all organizations are looking at some type of virtualization, so use this topic to gain more understanding of the benefits that your students are expecting to gain from virtualization.
  • Stress that permissions filter down from upper level containers to the objects in the containers. The one exception to this is when you configure self-service user roles with permission to a host group. Users in the self-service user role will have access only to the virtual machines to which they have been granted access, not all virtual machines in the host group. Consider opening the VMM console and showing the items where you can delegate permissions.
  • Spend most of the time on the delegated administrator user role. Larger organizations will use this role frequently because it allows administrative privileges, but to a set scope only, such as only to the objects associated with that user. If students are interested in the detailed permissions assigned to each user role, show them the tables on the student CD.
  • Stress the differences between creating a self-service user role and a delegated administrator user role. When you change from one type of role to the other on the wizard’s first page, the configuration options change. Also point out that there is no option to restrict which types of tasks a delegated administrator can perform if they are granted permission to a host group. For example, you cannot assign this level of permission to a host group, and then block administrators from creating virtual machines or modifying host properties in the host group. You can restrict these types of permissions only with self-service user groups.
  • Demonstration Steps:
    Open the Virtual Machine Manager
      • On NYC-HOST1, open the Virtual Machine Manager.
    Access the User Roles tab
      • In the left pane, click Administration, and then click User Roles.
    Add the IT group to the Administrator user role
      1. In the center pane, right-click Administrator, and then click Properties.
      2. On the Members tab, click Add.
      3. In the Select Users, Computers, or Groups box, type IT, and then click Check Names.
      4. Click OK twice.
    Create a new user role named ContosoAdmins with delegated permissions to the Contoso host group and to all library servers
      1. Right-click in the User Roles pane, and then click New user role.
      2. In the User Role Name box, enter ContosoAdmins.
      3. From the User role profile drop-down menu, select Delegated Administrator.
      4. Click Next.
      5. On the Add Members page, click Add.
      6. In the Select Users, Computers, or Groups box, type VMMAdmins, and then click Check Names.
      7. Click OK, and then click Next.
      8. On the Select Scope page, select the Contoso check box, and the All Libraries check box, and then click Next.
      9. Click Create.
  • Question: What are the differences between the three user role profiles?
    Answer:
      • The administrator role is able to perform all actions in the VMM Administrator Console. Members of this user role can create new Delegated Administrator and Self-Service user roles. Only members of the Administrator user role can add additional members.
      • The Delegated administrator is able to perform most actions in the VMM Administrator Console, but only within the role’s defined scope. Members of this user role can create new Delegated Administrator and Self-Service user roles, but cannot modify VMM settings.
      • The Self-Service User is able to use the VMM Self-Service Portal to perform tasks on their virtual machines as defined in the user role. Members of this user role cannot create new user roles.
    Question: How will you use the delegated administrator user role in your organization?
    Answer: Answers will vary. Many organizations may not use the role at all. Large organizations that have multiple locations or business groups managing Hyper-V environments may use this role to delegate the management of Hyper-V hosts or virtual machines based on the distributed administration model.
  • Give students a few minutes to read the scenario, and then ask the discussion questions.
    Question: What steps will you need to take to ensure that the delegated permissions of this scenario can be met?
    Answer:
      • Ensure each set of administrators for each location are in an Active Directory® Domain Services (AD DS) group.
      • Create a host group for each of the branch offices.
      • Create a delegated administrator user role for each office, and assign the Active Directory administrative group for each office to the role. Assign permissions for the role to just the local host group.
      • Create a delegated administrator user role and assign the Active Directory group for the server administration team at the head office to the user role. Assign permissions for the role to all host groups and libraries.
      • Add the three senior server administrators to the Administrator user role in VMM.
    Question: Why would delegated administration be the best role to which to add the remote administrators?
    Answer: Delegated administrative privileges allow them to administer their remote offices without being able to compromise security at other remote offices.
  • Mention that when self-service users create a virtual machine, they are granted owner permission to the object. However, this does not mean that other users in the self-service user role or other self-service user roles will be able to use the virtual machine. If a user is creating a virtual machine that will be shared by all members of a self-service user role, the Active Directory account associated with the user role must be assigned as the owner of the virtual machine.
  • Discuss the options for installing the Self-Service Portal on a server that is running another Web site on the default port. You can configure an alternate port number for the existing Web site, configure the Self-Service Portal to use a different port number, or configure host headers for the Self-Service Portal. Another option for configuring the Self-Service Portal is to implement Secure Sockets Layer (SSL). When you install VMM on a server, a self-signed certificate is created on the server. You can use that certificate to enable SSL on the Portal Web site, or install another certificate from an internal or public Certification Authority (CA).
  • Demonstration steps:
    Install the Self-Service Portal prerequisites
      1. On NYC-HOST1, open Server Manager, and then click Roles.
      2. Click Add Role.
      3. Select the Web Server (IIS) check box.
      4. Click Next twice.
      5. On the Select Role Services page, select the ASP.NET check box, and then click Add Required Role Services.
      6. Select the following check boxes:
           • Windows Authentication
           • IIS 6 Metabase Compatibility
           • IIS 6 WMI Compatibility
      7. Click Next, and then click Install.
      8. When the installer completes, click Close.
      9. Close Server Manager.
    Install the Self-Service Portal
      1. Open Windows Explorer, and then browse to E:\Program Files\Microsoft Learning\10215\Labfiles\SCVMMSetup.
      2. Start the SCVMM Installer by double-clicking setup.exe.
      3. Under SETUP, click VMM Self-Service Portal.
      4. Click I accept the terms of the agreement.
      5. On the Microsoft Update page, click I don’t want to use Microsoft Update, and then click Next.
      6. On the Prerequisites Check page, click Next.
      7. On the Installation Location page, click Next.
      8. On the Web Server Settings page, change the Port Number to 88, and then click Next.
      9. Click Install. When the installation finishes, clear the Check for the latest Virtual Machine Manager updates check box, and then click Close.
  • Review the Web server configuration
      1. Open Internet Information Services (IIS) Manager.
      2. Expand LON-SRV3 (CONTOSO\administrator).
      3. Expand Sites, and then click Microsoft System Center Virtual Machine Manager 2008 R2 Self-Service Portal (x64). This is the Web site that is created when you install the Self-Service Portal Web site.
      4. In the Actions pane, click Bindings.
      5. Click http, and then click Edit. You can use the Edit Site Binding dialog box to configure the port number that the site uses and to configure the host header. Click Cancel.
      6. In the Site Bindings dialog box, click Add.
      7. Click https in the Type drop-down list box.
      8. In the SSL Certificate list, click SCVMM_CERTIFICATE_KEY_CONTAINERLON-SRV3.Contoso.com, and then click OK. This certificate is the self-signed certificate that was configured when you installed VMM on the server.
      9. Click Yes, and then click Close. Close IIS Manager.
    Question: Why should you consider using a certificate other than the self-signed certificate to secure the portal site?
    Answer: Clients will not trust the self-signed certificate, so VMM will prompt users with certificate warnings every time they access the site. By using a trusted certificate, you can avoid the warning.
  • Demonstration steps:
    Create a Self-Service user role for IT users
      1. On NYC-HOST1, in the SCVMM Admin Console, click the Administration tab on the bottom left.
      2. From the Administration menu, click User Roles.
      3. Right-click in the User Roles pane, and then click New user role.
      4. In the User Role Name box, enter IT Admins.
      5. From the User role profile drop-down menu, select Self-Service User.
      6. Click Next.
      7. On the Add Members page, click Add.
      8. In the Select Users, Computers, or Groups box, type IT, and then click Check Names.
      9. Click OK, and then click Next.
      10. On the Select Scope page, click Contoso, and then click Next.
      11. On the Virtual Machine Permissions page, verify that All actions is selected, and then click Next.
      12. On the Virtual Machine Creation Settings page, select the Allow users to create new virtual machines check box.
      13. Click Add, and then click the Win2008R2Core template. Click OK.
      14. Check the Set quota for deployed virtual machines check box.
      15. In the Maximum quota points allowed for the user role field, type 20.
      16. Select the Share quota across user role members check box, and then click Next.
      17. On the Library Share page, select the Allow users to store virtual machines in a library check box, and then click Next.
      18. On the Summary page, click Create.
    Configure a virtual machine template
      1. In the SCVMM Admin Console, in the left pane, click Library.
      2. In the center pane, right-click the Win2008R2Core template, and then click Properties.
      3. On the Settings tab, change the Quota Points value to 2. Click OK.
  • Test access to the Self-Service Portal
      1. On NYC-HOST1, open Microsoft Internet Explorer®, and then connect to https://NYC-HOST1:88.
      2. Click Continue to this web site (not recommended).
      3. In the Domain\username field, type Contoso\Charlotte. In the Password field, type Pa$$w0rd, and then click Log On.
      4. On the Computers tab, in the right pane, under Create, click New Computer.
      5. Click Continue to this web site (not recommended).
      6. Under Creation Source, verify that only Win2008SRV is available.
      7. Under System Configuration, fill in the following information:
           • Name: IT-SVR1
           • Computer name: IT-SVR1
           • Admin password: Pa$$W0rd
           • Confirm password: Pa$$W0rd
           • Product Key: TGBRW-66R6T-R6RFC-6F2T9-W844X
      8. Click Create. Creating the virtual machine will take several minutes. You can track the progress in the Jobs view in the Virtual Machine Manager console.
  • Talk about what would be required to implement SSL, depending on where the VMM Self-Service Portal faces (internal facing/external facing). Talk about host headers, and why limiting your system to a single host header and not enabling listening for greatly improves security.
  • Stress that the most important question when planning the Self-Service Portal is likely to be whether users can create their virtual machine. Show how almost all of the other questions related to the design of the Self-Service Portal will depend on the answer to this question. Be sure to talk about quota points and their importance. Also mention the difference between individual quota points and group-based quota points (a simple tick box). Get the students discussing the differences they might have in their environments when it comes to users and the tasks they might need to do on a daily basis.
  • Exercise 1: Planning for the Hyper-V Server Role
    In this exercise, you will determine the most appropriate Hyper-V implementation based on organizational requirements and scenarios.
    Estimated time to complete the exercise: 15 minutes
    Exercise 2: Assessing the Computing Environment by Using the MAP Toolkit
    In this exercise, you will:
      • Configure the Microsoft Assessment and Planning Solution Accelerator: Create an inventory database. Run the report wizard to create appropriate reports related to virtualization.
      • Analyze the inventory and assessment reports: Analyze the generated reports, and answer questions related to the results.
    Note: The lab exercise answer keys are provided on the Course Companion CD. To access the answer key, click the link located at the bottom of the relevant lab exercise page.
  • Use the questions on the slide to guide the debriefing after students have completed the lab exercises.
    Lab Review Questions
    Question: Why did Dylan’s account not have access to any virtual machines the first time the user logged in to the Self-Service Portal?
    Answer: The user had not been assigned as the owner of any virtual machines, either through direct configuration for the user account or through group membership.
    Question: How many virtual machines will members of the Research Admins user role be able to create?
    Answer: They will be able to create 10 virtual machines. The only available template has a quota value of 2, and the user role has been assigned a total quota of 20.
  • Review Questions
    Point the students to the appropriate section in the course so that they are able to answer the questions presented in this section.
      1. What are the three user role components? How do they relate to each other?
         Answer: Profile, scope and membership. The profile lists the actions that can be performed by the user role, the scope lists the objects that can be managed, and the membership identifies who can perform the tasks.
      2. What are the three role types in VMM?
         Answer: Administrator role, Delegated Administrator role, and Self-Service User role.
      3. Can you install the Self-Service Portal on Windows Server Core?
         Answer: No, you cannot install the Self-Service Portal on Windows Server Core.
    Real-World Issues and Scenarios
    Question: Your user account is a member of a delegated administrator group that has permission to all host groups in the VMM deployment. However, when you try to access the Self-Service Portal site to troubleshoot a user issue, you do not have access to the site. What do you need to do to access the site?
    Answer: Your account must be added to a Self-Service user role because, by default, the Administrator and Delegated Administrator roles do not have access to the Self-Service Portal.
    Question: Your organization has a main office and a branch office. You have deployed two Hyper-V servers in the branch office. You need to ensure that the network utilization between the main office and branch office is minimized when users in the branch office create new virtual machines. What should you do?
    Answer: You will need to configure the VMM library server in the branch office, and then ensure that the virtual machine templates required for the branch office are stored in the local library. Then ensure that the Self-Service users in the branch office can use only the local library server.
  • Transcript of "10215 A 08"

    1. Module 8: Configuring User Roles and the Virtual Machine Manager Self-Service Portal
    2. Module Overview
         • Configuring User Roles
         • Installing and Configuring the VMM Self-Service Portal
    3. Lesson 1: Configuring User Roles
         • Role-Based Security Overview
         • What Types of Objects Can You Delegate?
         • Role Types
         • Creating a User Role in VMM 2008 R2
         • Demonstration: Creating A User Role
         • Discussion: Designing Role-Based Security
    4. Role-Based Security Overview
       Membership:
         • Determines which users are part of a particular user role
         • Members may be individual users or groups
         • Members may be in multiple user roles, including user roles based on different profiles
       Profile determines:
         • Which actions are permitted
         • Which user interface is accessible
         • How the scope is defined
       Scope determines:
         • On which objects a user may take actions
       (Diagram labels: Membership, Profile, Scope, User Role)
    5. What Types of Objects Can You Delegate?
       You can delegate permission to these user roles:
         • Host groups
         • Library servers
         • Virtual machines
    6. Role Types
       Administrators:
         • Full access to all actions
         • Full access to all objects
         • Can use the Admin console or PowerShell interface
       Delegated Administrators:
         • Full access to most actions
         • Scope can be limited by host groups and Library servers
         • Can use the Admin console or PowerShell interface
       Self-Service users:
         • Limited access to a subset of actions
         • Scope can be limited by host groups and Library share
         • Can use the Self-Service Portal or PowerShell interface
    7. Creating a User Role in VMM 2008 R2
         • Select the user role profile
         • Wizard configuration options
    8. Demonstration: Creating A User Role
       In this demonstration, you will see how to:
         • Add new members to the administrator profile
         • Create a delegated administrator profile, and delegate specific host groups and libraries to that profile
    10. Discussion: Designing Role-Based Security
    11. Lesson 2: Installing and Configuring the VMM Self-Service Portal
         • Implementing the VMM Self-Service Portal
         • Requirements for the VMM Self-Service Portal
         • Demonstration: Installing the VMM Self-Service Portal
         • Demonstration: Configuring User Access to the Self-Service Portal
         • Securing the VMM Self-Service Portal
         • Considerations for Implementing the VMM Self-Service Portal
    12. Implementing VMM Self-Service Portal
        To implement the VMM Self-Service Portal:
         • Install the VMM Self-Service Portal
         • Create or configure host groups
         • Add default virtual machine paths
         • Create a self-service user role
         • Assign self-service user accounts or groups as virtual machine owners
         • Create virtual machine templates (optional)
    13. Requirements for the VMM Self-Service Portal
        Hardware requirements and recommendations:
         • Up to 10 concurrent connections: Enables monitoring and managing the hardware and software in a distributed environment
         • More than 10 concurrent connections: Enables automated installation and configuration of software and operating system updates
        Operating system requirements:
         • Windows Server 2003 and Windows Server 2003 R2: Web Server; Windows PowerShell; .NET Framework 2.0
         • Windows Server 2008 and Windows Server 2008 R2: Web Server server role with selected role services; Windows PowerShell
    14. Demonstration: Installing the VMM Self-Service Portal
         • In this demonstration, you will see how to install the VMM Self-Service Portal
    16. Demonstration: Configuring User Access to the Self-Service Portal
         • In this demonstration, you will see how to use the VMM Self-Service Portal
    18. Securing the VMM Self-Service Portal
         • Configure SSL for the Self-Service Portal
         • Enable Integrated Windows Authentication for the Self-Service Portal
         • Disable ISAPI Handlers that are not needed
         • Add Self-Service user roles
    19. Considerations for Implementing the VMM Self-Service Portal
         • Consider limiting virtual machine creation permissions
         • Plan for Hyper-V host and storage capacity
         • Consider limiting virtual machine management tasks
         • Plan for geographical locations
         • Standardize Hyper-V host server builds and configurations
         • Implement Performance and Resource Optimization
         • Use Active Directory groups for Self-Service user roles
         • Configure the Self-Service Administrative Contact
    20. Lab: Configuring the VMM Self-Service Portal
         • Exercise 1: Preparing the Host Group and User Role Requirements
         • Exercise 2: Implementing the Self-Service Portal
        Logon information:
         • Host machines: NYC-Host1, NYC-Host2
         • Virtual machines: NYC-DC1
         • User name: Administrator
         • Password: Pa$$w0rd
        Estimated time: 50 minutes
    21. Lab Scenario
        Contoso, Ltd., has completed its initial deployment of the VMM infrastructure, and is now addressing some of the other business requirements that relate to the project. One requirement is that the research department must manage their own virtual environment and needs to deploy and manage their own virtual servers and test workstations. You can configure the VMM environment so that key members of the research department can create and manage virtual machines, and so that all members of the research department can manage the virtual machines dedicated to the department. You need to ensure that the members of the research department can manage only the virtual machines on host computers assigned to the department.
    22. Lab Review
         • Why did Dylan’s account not have access to any virtual machines the first time the user logged in to the Self-Service Portal?
         • How many virtual machines will members of the Research Admins user role be able to create?
    23. Module Review and Takeaways
         • Review Questions
         • Common Issues and Troubleshooting Tips
         • Real-world Issues and Scenarios
         • Best Practices
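
The items on the "Securing the VMM Self-Service Portal" slide and the IIS binding demonstration can be checked with a read-only audit. The script below is an added example, not part of the original course material. It assumes the IIS WebAdministration module is installed on the portal server and that the site name matches the one shown in the demonstration notes; the wording of the findings is illustrative.

```powershell
# Added example (not from the course): read-only audit of the IIS site that
# hosts the VMM Self-Service Portal. Run elevated on the portal server.
Import-Module WebAdministration

# Assumption: site name as shown in IIS Manager in the demonstration notes.
$site     = 'Microsoft System Center Virtual Machine Manager 2008 R2 Self-Service Portal (x64)'
$sitePath = "IIS:\Sites\$site"
$findings = @()

# 1. SSL: expect an https binding and no remaining plain http binding.
$bindings = @(Get-WebBinding -Name $site)
$https    = @($bindings | Where-Object { $_.protocol -eq 'https' })
if ($https.Count -eq 0) { $findings += 'No https binding is configured.' }
foreach ($b in @($bindings | Where-Object { $_.protocol -eq 'http' })) {
    $findings += "Plain http binding still present: $($b.bindingInformation)"
}

# 2. Certificate: flag a self-signed certificate (Subject equals Issuer),
#    which clients will not trust and which causes browser warnings.
foreach ($b in $https) {
    # bindingInformation has the form "IP:port:hostheader".
    if ($b.bindingInformation -notmatch ':(\d+):[^:]*$') { continue }
    $port = $Matches[1]
    foreach ($ssl in @(Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq $port })) {
        $cert = Get-Item "Cert:\LocalMachine\$($ssl.Store)\$($ssl.Thumbprint)"
        if ($cert.Subject -eq $cert.Issuer) {
            $findings += "Port ${port}: certificate '$($cert.Subject)' is self-signed."
        }
    }
}

# 3. Integrated Windows Authentication should be enabled for the site.
$winAuth = Get-WebConfigurationProperty -PSPath $sitePath `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name 'enabled'
# Depending on the module version the result is a bool or an object with .Value.
$winAuthEnabled = if ($winAuth -is [bool]) { $winAuth } else { $winAuth.Value }
if (-not $winAuthEnabled) { $findings += 'Windows Authentication is not enabled.' }

# 4. ISAPI handlers: list what is mapped so unneeded ones can be reviewed.
$isapi = @(Get-WebHandler -PSPath $sitePath |
           Where-Object { $_.Modules -eq 'IsapiModule' })

'ISAPI handlers mapped for the site (review each against what the portal needs):'
$isapi | ForEach-Object { "  $($_.Name)  $($_.Path)" }

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { "FINDING: $_" }
} else {
    'No findings.'
}
```

The script changes nothing on the server. After the demonstration steps as written, it would report the remaining http binding and the self-signed VMM certificate.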
