Building Microsoft System Center Cloud – High-level design – Active Directory


It is not always easy to draw the line between Low-level Design and High-level Design; the distinction depends on the entity we refer to. When we design our cloud, a high-level decision could be, for example, the choice of the technology that makes our SQL Servers highly available. But when the entity is our business or company, SQL Servers fall into the Low-level Design category. This means that the division into High-level Design and Low-level Design that follows is valid only within our entity.

High-level Design

As I wrote in the first article, we will not discuss high-level design, because we cannot do any high-level design in our simple environment, which is not modeled according to the needs of a business. I will just point you to a few important questions that you should ask during the low-level design of your environment.

Low-level Design

Questions you need to ask

Group Managed Service Accounts

Unfortunately it is not possible to use Group Managed Service Accounts (gMSA), introduced in Microsoft Windows Server 2012, throughout System Center. The System Center Unified Installer does not allow you to set accounts without passwords, and it is not possible to change the service account of System Center Virtual Machine Manager after installation. This means that gMSA can be used for some System Center products (for example, it is well documented how to use gMSA for Orchestrator), but from my point of view there are not many reasons to use gMSA when you cannot use it for all System Center products.

Container in Active Directory for Virtual Machine Manager

For a non-clustered deployment of VMM you can choose to store the encryption keys on the local server or configure distributed key management, which requires a container in AD. A clustered deployment of VMM requires distributed key management, because the cluster nodes need a central store for the keys.

Distributed key management is preferred even for a non-clustered deployment, because if you have to install VMM on a new server without the encryption keys, you will have to correct a lot of VMM objects (Run As account credentials, passwords and product keys), and that could have a serious impact on your business.

Extend the Active Directory Schema for Configuration Manager

When you extend the AD schema for Configuration Manager, you can publish site information to AD. The extension is not required, but after extending the schema you will be able to use all Configuration Manager features easily.
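Both the VMM distributed key management container described above and the "System Management" container that Configuration Manager uses to publish site information are plain AD containers on which one account needs delegated Full Control. The following PowerShell is an added example written for this article, not code from the original post or from Microsoft; it creates such a container idempotently and grants the delegation with inheritance. The domain (DC=contoso,DC=com), container names, service account (svc-vmm) and site server (CM01$) are hypothetical placeholders, and it assumes the ActiveDirectory module is installed and the caller can create objects under the parent and modify their ACLs.

```powershell
# Added example, not part of the original article.
# Assumes the ActiveDirectory module (RSAT) and sufficient rights on the parent container.
Import-Module ActiveDirectory

function New-DelegatedContainer {
    param(
        [Parameter(Mandatory)] [string] $Name,       # container name, e.g. 'VMMDKM' or 'System Management'
        [Parameter(Mandatory)] [string] $ParentDN,   # parent DN, e.g. 'DC=contoso,DC=com'
        [Parameter(Mandatory)] [string] $Identity    # account to delegate, e.g. 'CONTOSO\svc-vmm'
    )
    $dn = "CN=$Name,$ParentDN"

    # Create the container only if it does not exist yet, so the function can be re-run safely
    if (-not (Get-ADObject -Filter "distinguishedName -eq '$dn'")) {
        New-ADObject -Name $Name -Type container -Path $ParentDN | Out-Null
    }

    # Resolve the account to its SID and grant Full Control on the container
    # and on all objects created below it (ActiveDirectorySecurityInheritance::All)
    $sid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    $acl = Get-Acl -Path "AD:\$dn"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$dn" -AclObject $acl

    return $dn
}

# Hypothetical usage for the two containers discussed in this article:
# 1) VMM distributed key management container, delegated to the VMM service account
New-DelegatedContainer -Name 'VMMDKM' -ParentDN 'DC=contoso,DC=com' -Identity 'CONTOSO\svc-vmm'

# 2) Configuration Manager "System Management" container under CN=System,
#    delegated to the site server's computer account (note the trailing $)
New-DelegatedContainer -Name 'System Management' -ParentDN 'CN=System,DC=contoso,DC=com' -Identity 'CONTOSO\CM01$'
```

Delegating Full Control on a dedicated container rather than on a wider part of the directory keeps the blast radius of the VMM or site server account limited to the objects it actually has to write. After the delegation you can review the resulting ACL with `(Get-Acl "AD:\<container DN>").Access` and confirm that only the intended identity received GenericAll.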

