External services include Active Directory (AD), Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), Network Time Protocol (NTP), Simple Mail Transfer Protocol (SMTP) Mail Relay, File Transfer Protocol (FTP), and Certificate Authority (CA).

Active Directory

This VMware Validated Design uses Active Directory (AD) for authentication and authorization to resources in the rainpole.local domain.

You must provide a domain controller in each ROBO location.

Table 1. Active Directory Requirements

Requirement: Active Directory configuration
Domain Instance: Parent Active Directory
DNS Zone: rainpole.local
Description: Contains the Domain Name System (DNS) server, time server, universal groups, and service accounts.

Requirement: Active Directory users and groups
Domain Instance: -
DNS Zone: -
Description: All user accounts and groups from the Active Directory Users and Groups documentation must exist in Active Directory before you install and configure the SDDC.

Requirement: Active Directory connectivity
Domain Instance: -
DNS Zone: -
Description: All Active Directory domain controllers must be accessible by all management components within the SDDC.

DHCP

This Validated Design requires Dynamic Host Configuration Protocol (DHCP) support so that each VMkernel port of an ESXi host is configured with an IPv4 address. This includes the VMkernel ports for VXLAN (VTEP).

Table 2. DHCP Requirements

Requirement: DHCP server
Description: The subnets and associated VLANs that provide IPv4 transport for VXLAN (VTEP) VMkernel ports must be configured for IPv4 address auto-assignment by using DHCP.

DNS

For a ROBO deployment, you must provide a root domain that contains the DNS records.

Table 3. DNS Server Requirements

Requirement: DNS host entries
Domain Instance: rainpole.local
Description: Resides in the rainpole.local domain. Configure the DNS servers with the following settings:

  • Dynamic updates for the domain set to Nonsecure and secure

  • Zone replication scope for the domain set to All DNS servers in this forest

  • Create all hosts listed in the Host Names and IP Addresses in ROBO documentation.

If you configure the DNS servers properly, all nodes in the Validated Design are resolvable by FQDN as well as by IP address.
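The "resolvable by FQDN as well as by IP address" requirement is easy to verify before installation starts. The following pre-flight check is an added example, not part of the VMware Validated Design or its tooling: it walks an inventory of (FQDN, IP) pairs, confirms the A record returns the expected address and the PTR record returns the expected name, and reports every mismatch. The host names and addresses in SAMPLE_HOSTS are constructed placeholders; the real inventory is the Host Names and IP Addresses in ROBO documentation. The resolver functions are injectable so the check can be exercised against a dictionary-backed table without a network.

```python
"""Pre-flight DNS check for the nodes of a ROBO deployment.

Every node must resolve by FQDN (A record) and by IP address (PTR record),
and the two answers must agree with the inventory.
"""
import socket
from typing import Dict, List, Optional, Tuple

# Constructed sample inventory (placeholder names and documentation-range
# addresses). Replace with the Host Names and IP Addresses in ROBO list.
SAMPLE_HOSTS: Dict[str, str] = {
    "robo01esx01.rainpole.local": "192.0.2.11",
    "robo01esx02.rainpole.local": "192.0.2.12",
    "robo01nsxm01.rainpole.local": "192.0.2.30",
}


def forward_lookup(fqdn: str) -> Optional[str]:
    """Return the IPv4 address for fqdn from the system resolver, or None."""
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None


def reverse_lookup(ip: str) -> Optional[str]:
    """Return the canonical name from the PTR record for ip, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def make_table_resolvers(a_records: Dict[str, str], ptr_records: Dict[str, str]):
    """Build forward/reverse resolver functions backed by dictionaries.

    Used to run the check offline or to test it against a known zone.
    """
    def forward(fqdn: str) -> Optional[str]:
        return a_records.get(fqdn.lower())

    def reverse(ip: str) -> Optional[str]:
        return ptr_records.get(ip)

    return forward, reverse


def check_dns(hosts: Dict[str, str], forward=forward_lookup,
              reverse=reverse_lookup) -> List[Tuple[str, str, str]]:
    """Return (fqdn, expected_ip, problem) for every failed check.

    An empty list means every host resolves forward and reverse as expected.
    """
    problems: List[Tuple[str, str, str]] = []
    for fqdn, expected_ip in hosts.items():
        got_ip = forward(fqdn)
        if got_ip is None:
            problems.append((fqdn, expected_ip, "no A record"))
        elif got_ip != expected_ip:
            problems.append((fqdn, expected_ip, f"A record points to {got_ip}"))

        got_name = reverse(expected_ip)
        if got_name is None:
            problems.append((fqdn, expected_ip, "no PTR record"))
        elif got_name.lower().rstrip(".") != fqdn.lower():
            problems.append((fqdn, expected_ip, f"PTR record names {got_name}"))
    return problems


if __name__ == "__main__":
    # Live run against the configured DNS servers; prints nothing when all is well.
    for fqdn, ip, problem in check_dns(SAMPLE_HOSTS):
        print(f"{fqdn} ({ip}): {problem}")
```

Run it from a host that uses the rainpole.local DNS servers; a missing PTR record is the usual finding, because the forward zone is often populated by dynamic updates while the reverse zone is not.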

NTP

All components in the SDDC must be synchronized against a common time by using the Network Time Protocol (NTP) on all nodes. Important components of the SDDC, such as vCenter Single Sign-On, are sensitive to a time drift between distributed components. See Time Synchronization in ROBO.

Table 4. NTP Server Requirements

Requirement: NTP
Description: An NTP source, for example, on a Layer 3 switch or router, must be available and accessible from all nodes of the SDDC. Use the ToR switches or the upstream physical router as the NTP servers. These devices should synchronize with different upstream NTP servers and provide time synchronization for the SDDC. As a best practice, make the NTP servers available under a friendly FQDN, for example, ntp.rainpole.local.
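Because vCenter Single Sign-On and Active Directory authentication both break when clocks drift apart, it is worth measuring each node's offset against the NTP source rather than assuming synchronization. The following is an added example, not code from the Validated Design: it builds an NTP v4 client request in the RFC 5905 packet layout, parses the server reply, and computes the clock offset and round-trip delay from the four timestamps. The server name ntp.rainpole.local follows the friendly-FQDN practice above; the 300-second tolerance is an assumption taken from the default Kerberos clock-skew limit and should be replaced by local policy. Packet building and parsing are separated from the network call so the arithmetic can be checked on a constructed reply.

```python
"""Measure the clock offset of SDDC nodes against the NTP source."""
import socket
import struct
import time
from typing import Dict, List, Tuple

NTP_UNIX_DELTA = 2208988800          # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
PACKET_FMT = "!BBBb11I"              # LI/VN/Mode, stratum, poll, precision, then 11 words
# Assumed tolerance: 5 minutes, the default Kerberos clock-skew limit.
MAX_OFFSET_SECONDS = 300.0


def to_ntp(unix_seconds: float) -> Tuple[int, int]:
    """Convert a Unix time to a 64-bit NTP timestamp (seconds, fraction)."""
    whole = int(unix_seconds)
    return whole + NTP_UNIX_DELTA, int((unix_seconds - whole) * 2**32)


def from_ntp(secs: int, frac: int) -> float:
    """Convert an NTP timestamp back to Unix time."""
    return secs - NTP_UNIX_DELTA + frac / 2**32


def build_request() -> bytes:
    """Client request: LI=0, VN=4, Mode=3, all other fields zero."""
    return struct.pack(PACKET_FMT, (4 << 3) | 3, 0, 0, 0, *([0] * 11))


def build_server_response(receive_unix: float, transmit_unix: float,
                          stratum: int = 2) -> bytes:
    """Constructed server reply (Mode=4) used to exercise the parser offline."""
    rx = to_ntp(receive_unix)
    tx = to_ntp(transmit_unix)
    # words: root delay, root dispersion, ref id, reference ts, origin ts,
    #        receive ts, transmit ts
    return struct.pack(PACKET_FMT, (4 << 3) | 4, stratum, 6, -20,
                       0, 0, 0, *rx, 0, 0, *rx, *tx)


def parse_response(data: bytes) -> Dict[str, float]:
    """Extract stratum and the server receive/transmit timestamps (Unix time)."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack(PACKET_FMT, data[:48])
    mode = f[0] & 0x07
    if mode != 4:
        raise ValueError(f"not a server response (mode {mode})")
    return {
        "stratum": f[1],
        "receive": from_ntp(f[11], f[12]),
        "transmit": from_ntp(f[13], f[14]),
    }


def clock_offset(t1: float, t2: float, t3: float, t4: float) -> float:
    """RFC 5905 offset: positive means the local clock is behind the server."""
    return ((t2 - t1) + (t3 - t4)) / 2


def round_trip_delay(t1: float, t2: float, t3: float, t4: float) -> float:
    """RFC 5905 round-trip delay, excluding the server's processing time."""
    return (t4 - t1) - (t3 - t2)


def query_offset(server: str = "ntp.rainpole.local", timeout: float = 2.0) -> float:
    """Send one request to server and return the local clock offset in seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(), (server, 123))
        data, _ = sock.recvfrom(48)
        t4 = time.time()
    reply = parse_response(data)
    return clock_offset(t1, reply["receive"], reply["transmit"], t4)


def nodes_out_of_tolerance(offsets: Dict[str, float],
                           limit: float = MAX_OFFSET_SECONDS) -> List[str]:
    """Names of nodes whose measured offset exceeds the tolerance."""
    return sorted(name for name, off in offsets.items() if abs(off) > limit)


if __name__ == "__main__":
    print(f"local offset vs ntp.rainpole.local: {query_offset():+.3f} s")
```

Run query_offset() from each management node (or collect the per-node values centrally) and feed the results to nodes_out_of_tolerance(); any node it lists will fail SSO and Kerberos authentication long before NTP itself reports a problem.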

SMTP Mail Relay

Certain components of the SDDC send status messages to operators and end users by email.

Table 5. SMTP Server Requirements

Requirement: SMTP mail relay
Description: An open mail relay instance, which does not require username and password authentication, must be reachable from each SDDC component over plain SMTP (no SSL/TLS encryption). As a best practice, limit the relay function to the IP range of the SDDC deployment.
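Since the relay accepts unauthenticated, unencrypted SMTP, the source-address restriction recommended above is the only control stopping it from relaying for anyone who can reach it. The following is an added example, not part of the Validated Design: it encodes the "SDDC range only" policy as a check and runs it over relay connection records to flag any message that was relayed for a client outside the range. The networks in SDDC_NETWORKS and the log lines in SAMPLE_LOG are constructed; the log format is a simplified one invented for the example, so adapt LINE_RE to the relay product actually in use.

```python
"""Audit an SDDC mail relay against the SDDC address-range restriction."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Assumed SDDC address ranges (constructed); use the deployment's real subnets.
SDDC_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed, simplified relay log: one connection per line.
SAMPLE_LOG = """\
2024-01-10T08:00:01 client=192.0.2.30 from=nsx@rainpole.local to=ops@rainpole.local status=relayed
2024-01-10T08:02:14 client=198.51.100.7 from=vrops@rainpole.local to=ops@rainpole.local status=relayed
2024-01-10T08:05:42 client=203.0.113.9 from=promo@example.net to=someone@example.org status=relayed
2024-01-10T08:06:03 client=203.0.113.9 from=promo@example.net to=other@example.org status=rejected
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>[\d.]+) from=(?P<from>\S+) to=(?P<to>\S+) "
    r"status=(?P<status>\w+)$"
)


def relay_permitted(client_ip: str, allowed=SDDC_NETWORKS) -> bool:
    """Policy check: only clients inside the SDDC ranges may relay."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allowed)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed log line into its fields, or None if malformed."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def audit_relay_log(lines: Iterable[str], allowed=SDDC_NETWORKS) -> List[Dict[str, str]]:
    """Return every record where mail was relayed for a client outside the SDDC range.

    Rejected connections from outside are expected and not reported; a
    relayed one means the restriction is missing or too broad.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "relayed":
            continue
        if not relay_permitted(rec["ip"], allowed):
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for rec in audit_relay_log(SAMPLE_LOG.splitlines()):
        print(f"{rec['ts']} relayed for out-of-range client {rec['ip']}: "
              f"{rec['from']} -> {rec['to']}")
```

On a Postfix relay the same policy is expressed by listing the SDDC subnets in mynetworks and relaying only for permit_mynetworks; whichever product is used, a non-empty result from audit_relay_log means the relay is open to more than the SDDC.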

Certificate Authority

Most components of the SDDC require SSL certificates for secure operation. The certificates must be signed by an internal enterprise CA or by a third-party commercial CA. In either case, the CA must be able to sign a Certificate Signing Request (CSR) and return the signed certificate. All endpoints within the enterprise must also trust the root CA of that CA.

Table 6. Certificate Authority Requirements

Requirement: Certificate Authority
Description: The CA must be able to ingest a Certificate Signing Request (CSR) from the SDDC components and issue a signed certificate. For this VMware Validated Design, use the Microsoft Windows Enterprise CA that is available in the Windows Server 2012 R2 operating system of a root domain controller. The domain controller must be configured with the Certificate Authority Service and the Certificate Authority Web Enrollment roles.

SFTP Server

Dedicate space on a remote SFTP server to save data backups for the NSX Manager instances in the SDDC.

Table 7. SFTP Server Requirements

Requirement: SFTP server
Description: An SFTP server must host the NSX Manager backups. The server must support SFTP and FTP. The NSX Manager instances must have a connection to the remote SFTP server.

Windows Host Machine

Provide a Microsoft Windows virtual machine or physical server that serves as an entry point to the data center.

Table 8. Windows Host Machine Requirements

Requirement: Windows host machine
Description: A Microsoft Windows virtual machine or physical server must be available to provide a connection to the data center and to store software downloads. The host must be connected to the external network and to the ESXi management network.