External services include Active Directory (AD), Dynamic Host Control Protocol (DHCP), Domain Name Services (DNS), Network Time Protocol (NTP), Simple Mail Transport Protocol (SMTP) Mail Relay, File Transfer Protocol (FTP), and Certificate Authority (CA).

Active Directory

This VMware Validated Design uses Active Directory (AD) for authentication and authorization to resources in the rainpole.local domain.

For information about the Active Directory versions supported by the vSphere version in this design, see https://kb.vmware.com/kb/2071592.

Table 1. Active Directory Requirements
Requirement Domain Instance DNS Zone Description
Active Directory configuration Parent Active Directory rainpole.local Contains Domain Name System (DNS) server, time server, and universal groups that contain global groups from the child domains and are members of local groups in the child domains.
Region-A child Active Directory sfo01.rainpole.local Contains DNS records that replicate to all DNS servers in the forest. This child domain contains all SDDC users, and global and local groups.
Active Directory users and groups - All user accounts and groups from the Active Directory Users and Groups documentation must exist in the Active Directory before installing and configuring the SDDC.
Active Directory connectivity - All Active Directory domain controllers must be accessible by all management components within the SDDC.


This Validated Design requires Dynamic Host Configuration Protocol (DHCP) support for the configuration of each VMkernel port of an ESXi host with an IPv4 address. The configuration includes the VMkernel ports for the VXLAN (VTEP).

Table 2. DHCP Requirements
Requirement Description
DHCP server The subnets and associated VLANs that provide IPv4 transport for VXLAN (VTEP) VMkernel ports must be configured for IPv4 address auto-assignment by using DHCP.


For a single-region deployment, you must provide a root domain and a child domain that contain separate DNS records.

Table 3. DNS Server Requirements
Requirement Domain Instance Description
DNS host entries rainpole.local Resides in the rainpole.local domain. 

Resides in the sfo01.rainpole.local domain.

Configure both DNS servers with the following settings:

If you configure the DNS servers properly, all nodes from the Validated Design are resolvable by FQDN as well as IP address.


All components in the SDDC must be synchronized against a common time by using the Network Time Protocol (NTP) on all nodes. Important components of the SDDC, such as vCenter Single Sign-On, are sensitive to a time drift between distributed components. See Time Synchronization for Consolidated SDDC.

Table 4. NTP Server Requirements
Requirement Description

An NTP source, for example, on a Layer 3 switch or router, must be available and accessible from all nodes of the SDDC.

Use the ToR switches as the NTP servers or the upstream physical router. These switches should synchronize with different upstream NTP servers and provide time synchronization capabilities in the SDDC. As a best practice, make the NTP servers available under a friendly FQDN, for example, ntp.sfo01.rainpole.local.

SMTP Mail Relay

Certain components of the SDDC send status messages to operators and end users by email.

Table 5. SMTP Server Requirements
Requirement Description
SMTP mail relay An open mail relay instance, which does not require user name-password authentication, must be reachable from each SDDC component over plain SMTP (no SSL/TLS encryption). As a best practice, limit the relay function to the IP range of the SDDC deployment.

Certificate Authority

The majority of the components of the SDDC require SSL certificates for secure operation. The certificates must be signed by an internal enterprise CA or by a third-party commercial CA. In either case, the CA must be able to sign a Certificate Signing Request (CSR) and return the signed certificate. All endpoints within the enterprise must also trust the root CA of the CA.

Table 6. Certificate Authority Requirements
Requirement Description
Certificate Authority

CA must be able to ingest a Certificate Signing Request (CSR) from the SDDC components and issue a signed certificate.

For this VMware Validated Design, use the Microsoft Windows Enterprise CA that is available in the Windows Server 2016 operating system of a root domain controller. The domain controller must be configured with the Certificate Authority Service and the Certificate Authority Web Enrollment roles.

SFTP Server

Dedicate space on a remote SFTP server to save data backups for the NSX Manager instances in the SDDC.

Table 7. SFTP Server Requirements
Requirement Description
SFTP server An SFTP server must host NSX Manager backups. The server must support SFTP and FTP. NSX Manager instances must have connection to the remote SFTP server.

Windows Host Machine

Provide a Microsoft Windows virtual machine or physical server that works as an entry point to the data center. 

Table 8. Windows Host Machine Requirements
Requirement Description
Windows host machine Microsoft Windows virtual machine or physical server must be available to provide connection to the data center and store software downloads. The host must be connected to the external network and to the ESXi management network.