Before you deploy the components of the VMware Validated Design, you must provide a set of external services.

Active Directory

This validated design uses Microsoft Active Directory (AD) for authentication and authorization to resources within the rainpole.local domain. For a multi-region deployment, you use a domain and forest structure to store and manage Active Directory objects per region.

Table 1. Requirements for the Active Directory Service

Requirement: Active Directory configuration
Domain Instance: Parent Active Directory
Domain Name: rainpole.local
Description: Contains the Domain Name System (DNS) server, the time server, and universal groups that contain global groups from the child domains and are members of local groups in the child domains.

Requirement: Active Directory configuration
Domain Instance: Region-A child Active Directory
Domain Name: sfo01.rainpole.local
Description: Contains DNS records that replicate to all DNS servers in the forest. This child domain contains all SDDC users, and global and local groups.

Requirement: Active Directory users and groups
Domain Instance: -
Domain Name: -
Description: All user accounts and groups from the Active Directory Users and Groups documentation must exist in Active Directory before you install and configure the SDDC.

Requirement: Active Directory connectivity
Domain Instance: -
Domain Name: -
Description: All Active Directory domain controllers must be accessible by all components within the management pod.

DHCP

This validated design requires Dynamic Host Configuration Protocol (DHCP) support for the configuration of each VMkernel port of an ESXi host with an IPv4 address. The configuration includes the VMkernel ports for the ESXi management network, vSphere vMotion, VXLAN (VTEP) and NFS.

Table 2. DHCP Requirements

Requirement: DHCP server
Description: The subnets and associated VLANs that provide IPv4 transport for the ESXi VMkernel ports in all pods must be configured for IPv4 address auto-assignment by using DHCP.

DNS

DNS is an important component for the operation of the SDDC. For a multi-region deployment, you must provide a root domain and child domains that contain separate DNS records.

Table 3. DNS Configuration Requirements

Requirement: DNS host entries
Domain Instance: rainpole.local
Description: Resides in the rainpole.local domain.

Requirement: DNS host entries
Domain Instance: sfo01.rainpole.local
Description: DNS servers reside in the sfo01.rainpole.local domain.

Configure both DNS servers with the following settings:

  • Dynamic updates for the domain set to Nonsecure and secure

  • Zone replication scope for the domain set to All DNS servers in this forest

  • Create all hosts listed in the DNS Names documentation

If you configure the DNS servers properly, all nodes of the validated design are resolvable by FQDN.
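The zone settings and the resolvability check above, as an added PowerShell example (not part of the VMware Validated Design documentation). It assumes the DnsServer module is available on the DNS server it runs on, that the zone names match the design, and that the host-list path is a placeholder for a file holding one FQDN per line from the DNS Names documentation.

```powershell
# Added example, not from the VMware Validated Design documentation.
# Run on a DNS server in the forest with the DnsServer module available.
# Assumptions: zone names follow the design; $hostList is a placeholder
# path to a file with one FQDN per line from the DNS Names documentation.
Import-Module DnsServer

$zones    = @('rainpole.local', 'sfo01.rainpole.local')
$hostList = 'C:\vvd\dns-names.txt'   # placeholder path

foreach ($zone in $zones) {
    $z = Get-DnsServerZone -Name $zone -ErrorAction Stop
    # The design requires dynamic updates "Nonsecure and secure" and
    # replication to all DNS servers in the forest. Nonsecure updates let
    # any host on the subnet register or overwrite records, so apply this
    # only to the design's zones, never server-wide.
    if ($z.DynamicUpdate -ne 'NonsecureAndSecure' -or $z.ReplicationScope -ne 'Forest') {
        Write-Warning ("Zone {0}: DynamicUpdate={1}, ReplicationScope={2}; applying required settings" -f
            $zone, $z.DynamicUpdate, $z.ReplicationScope)
        Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate NonsecureAndSecure -ReplicationScope Forest
    }
}

# Verify that every node of the design resolves by FQDN, forward and
# reverse, so later certificate and SSO steps do not fail on lookups.
$failed = @()
foreach ($fqdn in (Get-Content $hostList | Where-Object { $_.Trim() })) {
    try {
        $a = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        if (-not $a) { throw "no A record" }
        $ptr = Resolve-DnsName -Name $a.IPAddress -Type PTR -ErrorAction Stop | Select-Object -First 1
        if (($ptr.NameHost -replace '\.$', '') -ne $fqdn) {
            $failed += "$fqdn -> $($a.IPAddress) -> PTR $($ptr.NameHost) (mismatch)"
        }
    } catch {
        $failed += "$fqdn ($($_.Exception.Message))"
    }
}

if ($failed.Count -gt 0) {
    Write-Error ("Unresolvable or inconsistent entries:`n" + ($failed -join "`n"))
} else {
    Write-Output "All entries in $hostList resolve by FQDN with matching PTR records"
}
```

Run it once per DNS server after zone creation; a PTR mismatch usually means a stale DHCP-registered record that will surface later as a certificate or SSO failure.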

NTP

All components within the SDDC must be synchronized against a common time by using the Network Time Protocol (NTP) on all nodes. Important components of the SDDC, such as vCenter Single Sign-On, are sensitive to time drift between distributed components. See Time Synchronization.

Table 4. NTP Server Configuration Requirements

Requirement: NTP
Description: An NTP source, for example on a Layer 3 switch or router, must be available and accessible from all nodes of the SDDC.

Use the ToR switches in the management pods, or the upstream physical router, as the NTP servers. These switches should synchronize with different upstream NTP servers and provide time synchronization within the SDDC.

As a best practice, make the NTP servers available under a friendly FQDN, for example, ntp.sfo01.rainpole.local for Region A, or ntp.lax01.rainpole.local for Region B.

SMTP Mail Relay

Certain components of the SDDC send status messages to operators and end users by email.

Table 5. SMTP Server Requirements

Requirement: SMTP mail relay
Description: An open mail relay instance that does not require user name and password authentication must be reachable from each SDDC component over plain SMTP (no SSL/TLS encryption). As a best practice, limit the relay function to the IP range of the SDDC deployment.

Certificate Authority

The majority of the SDDC components require SSL certificates for secure operation. The certificates must be signed by an internal enterprise Certificate Authority (CA) or by a third-party commercial CA. In either case, the CA must be able to sign a Certificate Signing Request (CSR) and return the signed certificate. All endpoints within the enterprise must also trust the root CA certificate of that CA.

Table 6. CA Requirements for Signing Certificates of Management Applications

Requirement: Certificate Authority
Description: The CA must be able to ingest a Certificate Signing Request (CSR) from the SDDC components and issue a signed certificate.

For this validated design, use the Microsoft Windows Enterprise CA that is available in the Windows Server 2012 R2 operating system of a root domain controller. The domain controller must be configured with the Certificate Authority Service and the Certificate Authority Web Enrollment roles.
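The CSR ingest and issue cycle above, as an added PowerShell example (not part of the VMware Validated Design documentation). It assumes it runs on the Windows host machine as a user permitted to enroll on the enterprise CA, and that the CA config string, template name and file paths are placeholders to replace with your own.

```powershell
# Added example, not from the VMware Validated Design documentation.
# Run on the Windows host machine as a user allowed to enroll on the CA.
# Assumptions: CA config string, template and paths below are placeholders
# (list the real enterprise CA with: certutil -config - -ping).
$caConfig = 'dc01.rainpole.local\rainpole-CA'   # placeholder "<host>\<CA name>"
$template = 'VVD-WebServer'                      # placeholder certificate template
$csrPath  = 'C:\vvd\certs\component.csr'         # CSR produced by the SDDC component
$cerPath  = 'C:\vvd\certs\component.cer'
$rootPath = 'C:\vvd\certs\root-ca.cer'

# 1. Submit the CSR to the enterprise CA and collect the issued certificate.
$out = & certreq -submit -config $caConfig -attrib "CertificateTemplate:$template" $csrPath $cerPath 2>&1
if ($LASTEXITCODE -ne 0 -or ($out -match 'pending')) {
    throw "CA did not issue the certificate (template permissions or pending approval): $out"
}

# 2. Export the CA's own certificate; every endpoint must trust this root.
& certutil -config $caConfig -ca.cert $rootPath | Out-Null

# 3. Validate the issued certificate before handing it to the component: it must
#    chain to the intended root and carry the Server Authentication EKU.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
$root  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootPath)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # CRL may not be published yet during bring-up
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
$null = $chain.Build($cert)
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

if ($chainRoot.Thumbprint -ne $root.Thumbprint) { throw "Issued certificate does not chain to $caConfig" }
if (-not $hasServerAuth) { throw "Template $template did not add the Server Authentication EKU" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { throw "Issued certificate expires too soon: $($cert.NotAfter)" }
Write-Output "Issued $($cert.Subject), valid until $($cert.NotAfter), chained to $($chainRoot.Subject)"
```

The thumbprint comparison is the check that matters: with AllowUnknownCertificateAuthority set, Build() succeeds for any self-consistent chain, so only the explicit match against the exported root proves the certificate came from your CA.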

FTP Server

Dedicate space on a remote FTP server to save data backups for the NSX Manager instances in the SDDC.

Table 7. FTP Server Requirements

Requirement: FTP server
Description: Space for NSX Manager backups must be available on an FTP server. The server must support SFTP and FTP. The NSX Manager instances must have connectivity to the remote FTP server.

Windows Host Machine

Provide a Microsoft Windows virtual machine or physical server that works as an entry point to the data center. 

Table 8. Requirements for a Windows Host Machine

Requirement: Windows host machine
Description: A Microsoft Windows virtual machine or physical server must be available to provide connection to the data center and store software downloads. The host must be connected to the external network and to the ESXi management network.

For information about the Windows OS requirements for the host and the software downloads for this SDDC validated design, see Third-Party Software.