A service account provides non-interactive, non-human access to services and APIs for the components of the SDDC. You must create service accounts for accessing functionality on the SDDC nodes, and user accounts for operations and tenant administration.
A service account is a standard Active Directory account that you configure in the following way:
- The password never expires.
- The user cannot change the password.
In addition, a special service account is also required to perform domain join operations if a component registers itself in Active Directory as a computer object. This account must have the right to join computers to the Active Directory domain.
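The following PowerShell is an added example, not part of the VMware Validated Design, showing the two account settings above applied at creation time, a check that reports whether an existing account still matches them, and a least-privilege delegation for the domain-join account. It assumes the ActiveDirectory module on a Windows host with RSAT, and the OU paths and the RAINPOLE domain prefix are placeholders for your own environment.

```powershell
# Added example (not from the VMware Validated Design). Assumptions: the
# ActiveDirectory module is available; the OU distinguished names below are
# hypothetical and must be replaced with your own.
Import-Module ActiveDirectory

$Domain      = 'rainpole.local'
$SvcOU       = 'OU=Service Accounts,DC=rainpole,DC=local'   # hypothetical OU
$ComputersOU = 'OU=SDDC Computers,DC=rainpole,DC=local'     # hypothetical OU

function New-SddcServiceAccount {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Description
    )
    # Random initial password from the OS CSPRNG; it is handed to the consuming
    # component once and never needs to be typed by a person.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    # The two settings the design requires: password never expires, and the
    # account itself cannot change it.
    New-ADUser -Name $Name -SamAccountName $Name `
        -UserPrincipalName "$Name@$Domain" `
        -Path $SvcOU -Description $Description `
        -AccountPassword $password -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true
}

function Test-SddcServiceAccount {
    # Report drift from the required settings for an existing service account.
    param([Parameter(Mandatory)][string]$Name)
    $u = Get-ADUser -Identity $Name -Properties PasswordNeverExpires, CannotChangePassword
    [pscustomobject]@{
        Name                 = $u.SamAccountName
        PasswordNeverExpires = $u.PasswordNeverExpires
        CannotChangePassword = $u.CannotChangePassword
        Compliant            = [bool]($u.PasswordNeverExpires -and $u.CannotChangePassword)
    }
}

# Domain-join account: grant only the right to create computer objects in the
# OU where SDDC components land (CC = create child, object type computer),
# instead of placing the account in an administrative group.
dsacls $ComputersOU /G "RAINPOLE\svc-domain-join:CC;computer"

# Usage (constructed): create the Log Insight AD account and verify it.
New-SddcServiceAccount -Name 'svc-vrli' -Description 'vRealize Log Insight to Active Directory'
Test-SddcServiceAccount -Name 'svc-vrli'
```

Run `Test-SddcServiceAccount` across all `svc-*` accounts periodically (for example `Get-ADUser -Filter 'SamAccountName -like "svc-*"'` piped into it) so that a later password-policy change or a manual edit that clears "password never expires" is noticed before a component's authentication silently breaks. Depending on how a component performs its join, the join account may additionally need per-computer-object rights (for example reset password or validated writes to DNS host name and SPN); grant those on the same OU rather than domain-wide.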
Service Accounts in This VMware Validated Design
This Validated Design introduces a set of service accounts that are used in a one- or bidirectional fashion to enable secure application communication. You use custom roles to ensure that these accounts have only the minimum permissions required for authentication and data exchange.
| User Name | Source | Destination | Description | Required Role |
|---|---|---|---|---|
| svc-domain-join | Various management components (one-time domain join action) | Active Directory | Service account for performing domain-join operations from certain SDDC management components. | |
| svc-nsxmanager | NSX for vSphere Manager | vCenter Server | Service account for registering NSX Manager with vCenter Single Sign-On on the Platform Services Controller and vCenter Server for the management cluster and for the shared compute and edge cluster | Administrator |
| svc-vrli | vRealize Log Insight | Active Directory | Service account for using the Active Directory as an authentication source in vRealize Log Insight | - |
| svc-vrli-vsphere | vRealize Log Insight | vCenter Server | Service account for connecting vRealize Log Insight to vCenter Server and ESXi for forwarding log information | Log Insight User (vCenter Server) |
| svc-vrli-vrops | vRealize Log Insight | vRealize Operations Manager | Service account for connecting vRealize Log Insight to vRealize Operations Manager for log forwarding, alerts, and for Launch in Context integration | Administrator |
| svc-vrslcm-vsphere | vRealize Suite Lifecycle Manager | vCenter Server | Service account for deploying and managing the lifecycle of vRealize Suite components on the Software-Defined Data Center management cluster. | vRealize Suite Lifecycle Manager User (Custom) |
| svc-bck-vsphere | vSphere Storage API - Data Protection | vCenter Server | Service account for performing backups using the vSphere Storage API - Data Protection with vCenter Server for the management cluster | VADP Backup Solution Requirements |
| svc-srm | Site Recovery Manager | vCenter Server | Service account for connecting Site Recovery Manager to vCenter Server and for pairing sites in Site Recovery Manager | Single Sign-On Administrator |
| svc-vr | vSphere Replication | vCenter Server | Service account for connecting vSphere Replication to vCenter Server and for pairing vSphere Replication instances | Single Sign-On Administrator |
| | vRealize Automation | vCenter Server | Service account for access from vRealize Automation to vCenter Server. This account is a part of the vRealize Automation setup process. | |
| svc-vro | vRealize Orchestrator | vCenter Server | Service account for access from vRealize Orchestrator to vCenter Server | Administrator |
| svc-vrops | vRealize Operations Manager | Active Directory | Service account for Active Directory integration in vRealize Operations Manager for user authentication | - |
| svc-vrops-vsphere | vRealize Operations Manager | vCenter Server | Service account for monitoring and collecting general metrics about vSphere objects, including infrastructure and virtual machines, from vCenter Server into vRealize Operations Manager, and for performing some actions or tasks on the objects it manages in vCenter Server. | vSphere Actions User |
| svc-vrops-nsx | vRealize Operations Manager | NSX Manager | Local service account for connecting the NSX for vSphere adapter for vRealize Operations Manager to the NSX Manager instances in the SDDC | |
| svc-vrops-vsan | vRealize Operations Manager | vCenter Server | Service account for monitoring and collecting metrics about vSAN components from vCenter Server into vRealize Operations Manager | MPSD Metrics User |
| svc-vrops-mpsd | vRealize Operations Manager | vCenter Server | Service account for storage device monitoring of the vCenter Server instances in the SDDC from vRealize Operations Manager | MPSD Metrics User |
| svc-vrops-srm | vRealize Operations Manager | Site Recovery Manager | Service account for monitoring site recovery of the Management vCenter Server from vRealize Operations Manager | SRM Read-only |
| svc-vrops-vra | vRealize Operations Manager | vRealize Automation | Service account for connecting the vRealize Automation adapter for vRealize Operations Manager to vRealize Automation | |
| svc-vra-vrops | vRealize Automation | vRealize Operations Manager | Service account for integration of health statistics from vRealize Operations Manager in the vRealize Automation portal | Read-Only |
| svc-umds | vSphere Update Manager Download Service | -- | Local service account for configuring the Update Manager Download Service on the host virtual machine | Administrator |
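Because the table is the authoritative statement of which role each vCenter Server service account should hold, it is worth checking periodically that nobody has "fixed" a connectivity problem by widening one of these accounts to Administrator. The following PowerCLI script is an added example, not part of the VMware Validated Design, that compares the permissions actually granted to `svc-*` principals against the roles listed above. It assumes VMware PowerCLI with an active `Connect-VIServer` session, that the custom role names in the table are the exact names defined in vCenter Server, and it does not check the inventory object on which each permission is scoped.

```powershell
# Added example (not from the VMware Validated Design). Assumptions: PowerCLI is
# loaded and a vCenter Server session exists; role names come from the design
# table and must match the custom roles as created in vCenter Server.

# Expected vCenter Server role per service account, taken from the table above
# (accounts whose requirement is an SSO group or a non-vCenter role are omitted).
$Expected = @{
    'svc-nsxmanager'     = 'Administrator'
    'svc-vrli-vsphere'   = 'Log Insight User'
    'svc-vrslcm-vsphere' = 'vRealize Suite Lifecycle Manager User'
    'svc-vro'            = 'Administrator'
    'svc-vrops-vsphere'  = 'vSphere Actions User'
    'svc-vrops-vsan'     = 'MPSD Metrics User'
    'svc-vrops-mpsd'     = 'MPSD Metrics User'
}

function ConvertTo-RoleKey {
    # PowerCLI exposes the built-in Administrator role under the name 'Admin';
    # fold both spellings to one key so the comparison is not fooled.
    param([string]$Role)
    if (-not $Role) { return $null }
    $k = $Role.Trim().ToLower()
    if ($k -eq 'administrator') { $k = 'admin' }
    return $k
}

function Get-ServiceAccountRoleDrift {
    param([string]$DomainPrefix = 'RAINPOLE')

    # Collect every role actually granted to an svc-* principal.
    $granted = @{}
    Get-VIPermission |
        Where-Object { $_.Principal -like "$DomainPrefix\svc-*" } |
        ForEach-Object {
            $acct = ($_.Principal -split '\\')[-1].ToLower()
            if (-not $granted.ContainsKey($acct)) { $granted[$acct] = @() }
            $granted[$acct] += (ConvertTo-RoleKey $_.Role)
        }

    $accounts = @($Expected.Keys) + @($granted.Keys) | Sort-Object -Unique
    foreach ($acct in $accounts) {
        $want = ConvertTo-RoleKey $Expected[$acct]
        $have = @($granted[$acct] | Sort-Object -Unique)
        $status =
            if (-not $want)                                         { 'NotInDesign' } # svc-* account the design does not list
            elseif ($have.Count -eq 0)                              { 'Missing' }     # listed but holds no vCenter permission
            elseif ($have -contains 'admin' -and $want -ne 'admin') { 'Excess' }      # broader than the design requires
            elseif ($have.Count -eq 1 -and $have[0] -eq $want)      { 'OK' }
            else                                                    { 'Mismatch' }    # different or additional roles
        [pscustomobject]@{
            Account  = $acct
            Expected = $want
            Granted  = ($have -join ', ')
            Status   = $status
        }
    }
}

# Usage: list only the rows that need attention.
Get-ServiceAccountRoleDrift | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

An `Excess` result on an account such as svc-vrops-vsphere (which should hold only vSphere Actions User) is the case to treat as a finding: the account's credentials live inside the consuming appliance, so any compromise of that appliance inherits whatever vCenter Server role the account carries.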
User Accounts in the Parent Domain
Create the following user accounts in the parent Active Directory domain rainpole.local:
| User Name | Description | Service Account | Member of Groups |
|---|---|---|---|
| vra-admin-rainpole | Tenant administrator role in the SDDC for configuring vRealize Automation according to the needs of your organization including user and group management, tenant branding and notifications, and business policies | No | |
| vra-arch-rainpole | Tenant blueprint architect role in the SDDC for creating the blueprints that tenants request from the service catalog | No | RAINPOLE\ug-vra-archs-rainpole |
Users in the Child Domains
Create the following accounts for user access in each of the child Active Directory domains to provide centralized user access to the SDDC. In Active Directory, you do not assign any special rights to these accounts other than the default ones.
| User Name | Description | Service Account | Member of Groups |
|---|---|---|---|
| SDDC-Admin | Global administrative account across the SDDC. | No | RAINPOLE\ug-SDDC-Admins |