VMware Cloud Community
apenkontap
Contributor

Is Active Directory a prerequisite for VCOPS, SRM, vSphere Replication, and VDP deployment?

Hi,

I guess this is my first post in the community :)

I'm trying to deploy ESXi, vCenter Server (virtual appliance), VCOPS, SRM, vSphere Replication, and VDP at a customer (all in version 5.1). They currently have no access to Active Directory Domain Services (or other directory services, such as LDAP) because the AD is managed by IT in HO (a multinational company). They also have no access to the authorized DNS servers.

For this deployment, I have a few (I hope) fundamental questions about VMware products implementation.

  1. I know that ESXi & vCenter Server can be deployed without the existence of AD. However, can VCOPS, SRM, vSphere Replication, and VDP be deployed in the same manner (using only local auth)?
  2. If they can be deployed with only local auth, will there be problems or loss of functionality in any of the products (besides centralized auth and RBAC)?
  3. In the future, when the customer has access to AD (or creates a new ADDS), will it be easy to change all the product configurations to use the AD auth service (join domain)?
  4. Besides centralized auth, RBAC, and SSO (maybe?), is there any other fundamental benefit in using AD with VMware products (excluding VMware vCloud and friends)?
  5. They will deploy their own DNS server instance (with the same domain name as the authorized DNS server). Since this is not the authorized DNS server, IT operations staff will still be using IPs to connect to all VMware products. Thus, is there a benefit in deploying their own DNS server? Will it still be needed for the VMware products to talk to each other?
  6. Will it be just fine not to deploy a DNS server?

These questions have been on my nerves since last week. I don't have the resources to try and answer my own questions, so I hope you can share your thoughts and experiences with me.

Many thanks.

--

Warm Regards,

Apenk

6 Replies
blabarbera
Enthusiast

I can really only speak to vSphere Replication, and the answer is no - you don't need it. Everything works fine with local auth and literal addresses (no DNS or ADDS in one of my environments, which is used solely as a replication target). SRM might be a little more tricky. Hopefully someone with SRM experience can shed some light on that for you.

apenkontap
Contributor

Hi Blabarbera,

Thank you for your response.

I'm still waiting to confirm my other concerns.

apenkontap
Contributor

Does anyone have any experience with this matter?

Thanks.

blabarbera
Enthusiast

I thought about this a little more and wanted to add a few things.

1.) Will you be using the vCenter Server appliance? If so, then you'll likely run into some issues configuring email alerts with no ADDS/DNS if you'll be using a mail server that exists in another domain. VMware KB: Emails sent from VMware vCenter Server Appliance 5.x are rejected

2.) Will any of the components sit on separate networks (across WAN), and will any of these networks have DNS?

3.) Since you're asking about SRM I am assuming you will have a replication/recovery target offsite somewhere? With no DNS, how do the users access the systems being run in the vSphere environment (the systems you are protecting)? Literal IPs? The idea with SRM is to be able to failover to a hotsite and do so with relative transparency to the users. Without a DNS server I'm thinking that you would probably be losing a lot of the automation in failover/failback that SRM can offer. SRM can update all of your DNS records during failover in order to redirect traffic. Without DNS I would imagine the process of updating IPs is a manual one. Hopefully someone with firsthand SRM experience can shed some light on this.

4.) Page 20 of the VCOPS implementation guide only states that domain accounts are recommended for users. Nothing about being required. I'm thinking you'll probably find a few hiccups as DNS seems to be largely assumed these days. http://www.vmware.com/pdf/vcops-5-installation-guide.pdf

apenkontap
Contributor

Hi Blabarbera, thank you for your great thoughts.

1. Yes, it will be the virtual appliance. Email alerts will not be used; instead, they will rely solely on SNMP.

2. All the components will sit on the same network. This network will have a DNS server. The problem is, the newly deployed DNS server will use the same domain name / zone as the authorized DNS server. I think this deployment model will not have an impact on any of the components. However, it will be an inconvenience for operations staff.

3. Yes, there will be a recovery target offsite. The systems that will be protected are using the authorized DNS. I guess I am going to learn more about SRM...

4. Thank you for this information. I have also read the VDP administration guide, and it says that DNS is mandatory or else there will be some problems. The key thing is that if we are not using DNS, VMware will not support it.

apenkontap
Contributor

Hi,

Just some updates.

I have implemented VDP & VCOPS without Active Directory and they work just fine (I use DNS though).

I will post the update after I have implemented SRM.

Thank you.
