Horizon Composer installation prerequisites
There are a number of prerequisites that should be addressed prior to installing Horizon Composer:
- At least one configured Horizon Connection Server with a license key installed
- An Active Directory user account or security group that will be granted the necessary permissions within Microsoft Active Directory and the vCenter Server
- A dedicated host server for Horizon Composer or an existing Windows-based vCenter Server; whichever is selected must be running a supported host OS
- A static IP address for the dedicated Horizon Composer host server (required only if you are using a dedicated server)
- Local administrator access on the host server
- A supported Horizon Composer database as referenced in Chapter 1, VMware Horizon Infrastructure Overview
- A 64-bit ODBC connection to the Horizon Composer database configured on the Composer host server
In addition to the items described in Chapter 1, VMware Horizon Infrastructure Overview, the following items should be prepared in advance of the installation.
Horizon Composer service account
Horizon Composer requires access to the vCenter Server in order to perform tasks related to the creation and management of virtual desktops. To facilitate this access, you can either grant additional permissions to the Horizon Connection Server vCenter user account created in Chapter 2, Implementing Horizon Connection Server, or create a dedicated AD user account that Horizon Composer will use to access the vCenter Server and Active Directory.
Tip
In Chapter 2, Implementing Horizon Connection Server, we granted only the vSphere permissions required by the Horizon Connection Server itself. In the examples provided in this chapter we will use the same svc-horizon account for Horizon Composer, although you can create a dedicated account if you desire. Just remember to grant whichever account you use with Composer local administrator access on the Composer host server, as well as the AD privileges outlined in this chapter.
If you install Horizon Composer directly on the vCenter Server, you have no option but to use the Horizon Connection Server vCenter AD account for Horizon Composer. If this is the case, you will need to grant that account or security group the additional vCenter and AD permissions outlined in this section.
This section assumes that you will use a dedicated AD account and a stand-alone instance of Horizon Composer.
Horizon Composer vCenter permissions
The following table outlines only those vCenter permissions required for Horizon Composer. Using the procedure outlined in Chapter 2, Implementing Horizon Connection Server, we can create a vCenter role just for the Composer service account, or we can modify the existing role we created to add the permissions outlined in the following table:
The decision on whether or not to use separate AD accounts for the Horizon Connection Servers and Horizon Composer is up to you. In some cases organizational security policies will require it in order to minimize the permissions any one account has within your domain, which makes the decision an easy one.
For the purpose of this chapter we will create the following:
- AD service account named: svc-horizoncomp
- vSphere role with the above listed permissions named: Horizon Composer
Create a Horizon Composer vCenter role and grant permissions
The following steps outline how to create a vCenter role for Horizon Composer and grant the permissions. If examples are needed, refer to the screenshots for this process found in Chapter 2, Implementing Horizon Connection Server. The process of creating a vCenter role is the same in this case; all that changes is the role name, the vCenter permissions granted, and the target AD account.
- In the vSphere Web Client, navigate to Home | Administration | Roles, click the green + sign, and then enter a role name such as Horizon Composer.
- From within the Create Role window, expand each privilege group listed in the table provided previously in this section and check the required privilege items. All listed privileges must be checked in order for Horizon Composer to function properly. Click on OK when finished creating the role.
- In the vSphere Web Client, click the following in order, Home | Hosts and Clusters, the vCenter Server at the top level of the inventory, the Manage tab, the Permissions section, and finally the green + sign. This will open the Add Permission window used in the next step.
- In the Add Permission window, click on the Add... button to open the Select Users/Groups window.
- In the Domain: drop-down menu, select the AD domain that contains the Horizon Composer user. In our example, the domain is named VJASON.
- In the Users and Groups list, select the Horizon Composer service account. For our sample environment, we will search for and select the account named svc-horizoncomp. Once selected, click on the Add button. Click on OK to close the Select Users/Groups window.
- In the Add Permission window | Assigned Role drop-down menu, select the Horizon Composer role we created in step 2, and then click OK to close the window and complete the action.
Horizon Composer now has sufficient permissions on the vCenter Server to deploy and manage linked clone virtual desktops and Windows RDS servers.
Horizon Composer Active Directory permissions
The Horizon Composer AD account requires permission to manage the AD Computer objects for the virtual desktops that it creates. As there is some risk associated with granting accounts direct access to AD in order to create and delete computer objects, it is important to minimize the access granted to the Horizon Composer account.
To minimize risk, the following guidelines are recommended:
- Create an AD organizational unit (OU) that will be used only to store linked clone virtual machines created using Horizon Composer
- Grant the Horizon Composer AD account the minimum permissions required in order to manage the AD computer accounts contained within the OU
To grant the necessary permissions, you need at a minimum full control over the OU which will contain the Horizon linked clone AD computer accounts. This gives you the ability to not only delegate the required permissions for Horizon Composer, but also to create additional child OUs to enable additional control over the various Horizon pools that you provision.
Tip
Separating the AD computer accounts of desktop pools into separate OUs enables us to customize the group policies for each.
Delegate permissions for Horizon Composer in Active Directory
The following steps outline the process used to delegate the minimum permissions required for Horizon Composer. In our example, we will be granting the AD account svc-horizoncomp the necessary permissions for the Horizon | Computers OU.
- From the Windows Start menu, select Administrative Tools | Active Directory Users and Computers.
- Right-click on the parent OU that will contain the virtual desktops created using Horizon Composer and select Delegate Control... as shown in the following screenshot to open the Delegation of Control Wizard. In our example, the OU is named Computers.
- In the Delegation of Control Wizard window, click Next >.
- In the Delegation of Control Wizard | Users or Groups window, click Add... to open the Select Users, Computers, or Groups window as shown in the following figure.
- In the Select Users, Computers, or Groups window, type the name of the Horizon Composer service account (svc-horizoncomp), click OK to return to the Delegation of Control Wizard | Users or Groups window, and then click Next >.
- In the Delegation of Control Wizard | Tasks to Delegate window, click the Create a custom task to delegate radio button and then click Next >.
- In the Delegation of Control Wizard | Active Directory Object Type window, click the Only the following objects in the folder radio button, then click the Computer objects, Create selected objects in this folder, and Delete selected objects in this folder check boxes as shown in the following screenshot, and then click Next >.
- In the Delegation of Control Wizard | Permissions window, click the General, Property-specific, Read, Read All Properties, Write All Properties, and Change password check boxes as shown in the following screenshot, and then click Next >.
- In the Delegation of Control Wizard | Completing the Delegation of Control Wizard window, review the changes, making any changes if needed, and then click Finish.
The Horizon Composer service account now has the permissions needed to manage AD computer objects in the selected OU and any child OUs within it.
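The delegation above is only as safe as what actually ends up in the OU's ACL. The following script is an added example, not from the book, that reads the ACL of the linked-clone OU and flags any ACE for svc-horizoncomp that is broader than the Create/Delete computer objects, Read/Write properties and Change password rights the wizard was asked to grant. The OU distinguished name is an assumption; the account and OU names are the chapter's sample values.

```powershell
# Added example (not from the book): audit what svc-horizoncomp can do on the
# linked-clone OU and flag over-delegation. The OU DN below is an assumption.
Import-Module ActiveDirectory

$ouDn    = 'OU=Computers,OU=Horizon,DC=vjason,DC=local'   # assumed DN of Horizon | Computers
$account = 'VJASON\svc-horizoncomp'
$rootDse = Get-ADRootDSE
$ADR     = [System.DirectoryServices.ActiveDirectoryRights]

# Schema GUID of the computer class: ACEs scoped to it affect computer objects only
$computerGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -Filter { lDAPDisplayName -eq 'computer' } -Properties schemaIDGUID).schemaIDGUID
# GUID of the Change Password extended right, the only extended right the book delegates
$changePwdGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -Filter { displayName -eq 'Change Password' } -Properties rightsGuid).rightsGuid

$acl  = Get-Acl -Path "AD:\$ouDn"
$aces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $account }
if (-not $aces) { Write-Warning "No explicit ACEs for $account on $ouDn"; return }

$childRights = $ADR'CreateChild,DeleteChild'
$propRights  = $ADR'ReadProperty,WriteProperty,ExtendedRight'

foreach ($ace in $aces) {
    $rights = $ace.ActiveDirectoryRights
    $flags  = @()
    # Rights the Composer delegation never needs: any of these is over-delegation
    foreach ($r in 'GenericAll', 'WriteDacl', 'WriteOwner') {
        if ($rights.HasFlag($ADR$r)) { $flags += "grants $r" }
    }
    # Create/Delete child must be limited to computer objects (ObjectType = computer class)
    if ([int]($rights -band $childRights) -ne 0 -and $ace.ObjectType -ne $computerGuid) {
        $flags += 'create/delete not limited to computer objects'
    }
    # Property and password rights must apply to descendant computer objects only
    if ([int]($rights -band $propRights) -ne 0 -and $ace.InheritedObjectType -ne $computerGuid) {
        $flags += 'property/extended rights not limited to computer objects'
    }
    # ExtendedRight with an empty ObjectType means every extended right, not just Change Password
    if ($rights.HasFlag($ADR::ExtendedRight) -and $ace.ObjectType -ne $changePwdGuid) {
        $flags += 'extended right other than Change Password'
    }
    [pscustomobject]@{
        Rights      = $rights
        Type        = $ace.AccessControlType
        Inheritance = $ace.InheritanceType
        Finding     = if ($flags) { $flags -join '; ' } else { 'OK (within the book delegation)' }
    }
}
```

Run it as a user with read access to the OU's security descriptor; any row whose Finding is not OK is an ACE to revisit in the Delegation of Control Wizard.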
Horizon Composer database
Horizon Composer requires an external database in order to store information about vCenter Server connections, AD connections, and linked clone desktops and Windows RDS servers as well as their associated virtual hard disks.
Chapter 1, VMware Horizon Infrastructure Overview, outlines the different database types that are supported by Horizon Composer. In addition to using a supported database platform, the following database configuration item must be performed for both Microsoft SQL Server and Oracle databases:
- Create a 64-bit Data Source Name (DSN) connection for the Horizon Composer database on the Composer host server. This process is outlined in the Microsoft how-to guide titled Using the ODBC Data Source Administrator (http://windows.microsoft.com/en-us/windows/using-odbc-data-source-administrator)
When using Horizon Composer with SQL Server databases the following general requirements must be met:
- Local SQL instance: Windows NT authentication is supported; database owner permissions are required if not already present
- Remote SQL instance: Requires an SQL Server user account using SQL Server authentication; the account must have database owner permissions
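The DSN requirement above has one common pitfall: the 32-bit ODBC Data Source Administrator creates a DSN that the 64-bit Composer service cannot see. The following script is an added example, not from the book, that registers the DSN on the 64-bit side and then proves it resolves from a 64-bit process. The driver, server and database names are assumptions for a local SQL Server instance using Windows NT authentication.

```powershell
# Added example (not from the book): register the 64-bit System DSN Horizon Composer
# requires and verify it from a 64-bit process. Driver/server/database are assumptions.
$dsnName = 'HorizonComposer'
Add-OdbcDsn -Name $dsnName -DsnType System -Platform 64-bit `
    -DriverName 'SQL Server Native Client 11.0' `
    -SetPropertyValue @('Server=localhost', 'Database=HorizonComposer', 'Trusted_Connection=Yes')

# Composer is a 64-bit service, so check the 64-bit registration explicitly rather than
# trusting whichever ODBC Administrator happened to be opened
if (-not (Get-OdbcDsn -Name $dsnName -DsnType System -Platform 64-bit -ErrorAction SilentlyContinue)) {
    throw "$dsnName is not registered as a 64-bit System DSN"
}
if (-not [Environment]::Is64BitProcess) {
    throw 'Run this from 64-bit PowerShell so the connection test uses the 64-bit driver'
}

# Open the DSN the same way the service will; run this as the Composer service account so
# that NT authentication is tested against the identity that will actually be used
$conn = New-Object System.Data.Odbc.OdbcConnection("DSN=$dsnName")
try {
    $conn.Open()
    "Connected to $($conn.DataSource) / $($conn.Database), SQL Server $($conn.ServerVersion)"
} finally {
    $conn.Close()
}
```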
When using Horizon Composer with Oracle databases the following general requirements must be met:
- The database should be created with the general purpose or transaction processing template using the Database Configuration Assistant
- An Oracle database user account is required with a minimum of the following permissions:
  - Connect
  - Resource
  - Create view
  - Create sequence
  - Create table
  - Create materialized view
  - Execute on dbms_lock
  - Execute on dbms_job
  - Unlimited tablespace
The database schema (for both Oracle and SQL Server) will be installed during the installation of Horizon Composer.