
XenServer domain-join management

2025-03-31 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

The purpose of deploying this service was to make the tool easier for users to reach while meeting management's requirements on cost and data security. The company develops with CEVA's licensed compilation toolchain. To save money, a single stand-alone licence was bought, and a development team of ten then had to share it. The first idea was to serve several users through Remote Desktop Services, but inside a remote desktop session the program's most important button, Build, cannot be pressed at all. The constraints were: 1. employees may not touch the host directly (importing and exporting files over the USB ports is prohibited); 2. all access must go through some form of remote desktop, and likewise VNC server is ruled out (the remote desktop must not let a user export files to his own machine). I then tried the VM console in XenCenter: after cloning the system into a VM, the Build button can be pressed! However, since many users share the host and their privileges cannot be too high, managing a XenServer with several users and user groups requires authenticating them with Active Directory accounts.

Scenario analysis:

Data security requirements:

To stop users from plugging a mouse and keyboard into the host, and to take the exposed USB ports out of the picture, the compilation environment is virtualized; the platform chosen is XenServer.

Cost requirements:

To meet management's cost target, XenDesktop, XenApp and the like are ruled out. The free XenCenter is installed on the handful of user PCs that need to compile, that is, to "press the Build button".

This raises the question of risk:

Can ordinary users be allowed to operate XenCenter at all? Given the risk, AD is introduced so that each user's XenCenter permissions are controlled through user rights.

Build the solution:

I. Basic AD domain environment

Operating system: Windows Server 2008 R2. (Note: I tried installing on Windows Server 2012 many times, but XenCenter always reported an error; see Appendix 1 for details. Windows Server 2008 R2 is recommended to avoid repeated debugging.)

Installation steps:

1. In the Add Roles and Features Wizard, add Active Directory Domain Services. Next, click "Promote this server to a domain controller".

2. Choose "Add a new forest" and enter the root domain name you want to create: XXXXX.com

3. Set the forest functional level and domain functional level. (XenServer supports Active Directory servers running Windows Server 2003 or later; in my testing, 2012 could not be made to work.) Enter the Directory Services Restore Mode password below.

4. Configure NetBIOS. It defaults to the first label of the domain name: XXXXX.

5. Run the installation.

After the installation succeeds, check that the Windows firewall allows the following ports:

* 53 UDP/TCP DNS
* 88 UDP/TCP Kerberos 5
* 123 UDP NTP
* 137 UDP NetBIOS Name Service
* 139 TCP NetBIOS Session (SMB)
* 389 UDP/TCP LDAP
* 445 TCP SMB over TCP
* 464 UDP/TCP Kerberos password changes (machine password changes)
* 3268 TCP Global Catalog search

II. Joining XenServer to the AD domain from XenCenter

The AD domain is configured in XenCenter, and the users are then added with their assigned permissions.

1. First, log in to XenCenter as root, set the DNS of the pool's network interface to the IP address of the AD domain controller, and from the host console ping that address to confirm it is reachable. If it is not, check the DNS configuration.

2. Still logged in as root, select the pool and open Users on the right. Join using the administrator account. Note that the clock of the host running XenServer and the clock of the AD server must agree, otherwise an error is reported; see Appendix 2 for details.

3. Join the domain: Domain is XXXXX.com, and User must be the administrator account. Joining with a non-administrator account reports an error (see Appendix 3 for details).

A successful join looks like this:
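The same join done from the XenServer host shell with the xe CLI, as an added example that is not part of the original article. It first checks the two things the steps above say must be right (the domain name resolves through the pool's DNS, and the DC's TCP ports from section I are reachable), then enables AD authentication for the pool. DC_IP (a TEST-NET placeholder), DOMAIN and JOIN_USER are assumptions to edit for your site; XE=echo turns the script into a dry run that prints the xe commands instead of executing them.

```shell
#!/bin/bash
# Added example, not code from the original article: the XenCenter "Users"
# steps done from the XenServer host shell with the xe CLI, with a preflight
# check of DNS and of the DC ports listed in section I. Placeholders to edit:
# DC_IP (a TEST-NET address here), DOMAIN, JOIN_USER. XE=echo gives a dry run.
set -u

XE="${XE:-xe}"
DC_IP="${DC_IP:-192.0.2.10}"
DOMAIN="${DOMAIN:-XXXXX.com}"
JOIN_USER="${JOIN_USER:-administrator}"

# TCP ports from section I. The UDP ones (53, 88, 123, 137, 389, 464) cannot be
# confirmed with a plain connect and are left to the DC-side firewall check.
DC_TCP_PORTS="53 88 139 389 445 464 3268"

# check_port HOST PORT -> 0 if a TCP connect succeeds within 3 s, else non-zero
check_port() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# preflight -> 0 when the domain resolves and every TCP port is reachable;
# otherwise reports what is wrong so the DNS step can be fixed before joining.
preflight() {
    local rc=0 p
    if ! getent hosts "$DOMAIN" >/dev/null; then
        echo "DNS: $DOMAIN does not resolve; point the pool's DNS at $DC_IP" >&2
        rc=1
    fi
    for p in $DC_TCP_PORTS; do
        if check_port "$DC_IP" "$p"; then
            echo "$DC_IP:$p/tcp open"
        else
            echo "$DC_IP:$p/tcp BLOCKED" >&2
            rc=1
        fi
    done
    return $rc
}

# join_domain PASSWORD -> enables AD authentication for the whole pool, which
# is what XenCenter's "Join domain" does. The join account needs the right to
# add a computer to the domain; the article uses the domain administrator.
join_domain() {
    $XE pool-enable-external-auth auth-type=AD service-name="$DOMAIN" \
        config:user="$JOIN_USER" config:pass="$1"
}

# leave_domain PASSWORD -> the "leave the domain" step used when troubleshooting
leave_domain() {
    $XE pool-disable-external-auth config:user="$JOIN_USER" config:pass="$1"
}

if [ "${1:-}" = "--join" ]; then
    printf 'Password for %s@%s: ' "$JOIN_USER" "$DOMAIN"
    stty -echo; read -r pw; stty echo; echo
    preflight && join_domain "$pw"
fi
```

Run it as `./join-ad.sh --join` on the pool master. Because xe takes the password on its command line, it is visible in `ps` for the duration of the call and would land in shell history if typed by hand, which is why the script prompts for it rather than taking it as an argument.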

III. Adding AD accounts and granting them rights on Xen

Now a few more accounts have to be created and authorized.

On the Windows 2008 server, open Control Panel - Administrative Tools - Active Directory Users and Computers.

Find Users.

Fill in the user name and password; the user name is entered in two places.

Set the password.

Add the account in Xen.

Grant the account its permissions.

There are six roles in total. A brief analysis of each:

Read Only: for management, mostly leaders who want to check how the virtual machines are used, that is, server names, memory usage and so on.

VM Operator: for developers; enough for day-to-day work such as viewing the console and starting and stopping VMs.

VM Admin: for operations staff doing testing; can choose where virtual machines and templates start, change memory attributes, etc.

VM Power Admin: for operations host administrators; can configure dynamic memory and snapshots.

Pool Operator: for senior operations administrators; manages pool configuration such as HA and WLB.

Pool Admin: for operations managers; equivalent to root (XenDesktop can then be configured with this account instead of root, which keeps the root credential out of other systems' stored accounts). Can assign roles and use both the XenServer command line and the graphical console.

I have compiled the following table of the relevant permissions for your reference:

Finally, the developers are given the VM Operator role, so they can reboot their VMs on their own to clear the slowdowns caused by memory leaks. Note that XenServer roles apply to the whole pool, not to individual VMs: a VM Operator can power-cycle every VM in the pool, not only his own.
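The "add the account in Xen" and "grant permissions" steps above, scripted with the xe CLI so that a whole team can be registered from one mapping, as an added example that is not from the original article. The NetBIOS domain XXXXX is the one from section I; the user names and the role mapping are constructed for illustration, and XE=echo again gives a dry run.

```shell
#!/bin/bash
# Added example, not code from the original article: register AD users (or
# groups) as XenServer subjects and attach one of the six built-in roles.
# Assumptions: NetBIOS domain XXXXX from section I; the sample user names and
# the mapping below are made up. XE=echo prints the xe commands instead.
set -u
XE="${XE:-xe}"

# The six built-in roles, in the order the article discusses them.
ROLES="read-only vm-operator vm-admin vm-power-admin pool-operator pool-admin"

# valid_role NAME -> 0 if NAME is one of the six built-in roles, else 1
valid_role() {
    local r
    for r in $ROLES; do
        [ "$r" = "$1" ] && return 0
    done
    return 1
}

# add_subject 'DOMAIN\user' ROLE -> registers the AD subject with the pool and
# grants exactly that role; prints the subject uuid on success.
add_subject() {
    local name=$1 role=$2 uuid
    valid_role "$role" || { echo "unknown role: $role" >&2; return 1; }
    uuid=$($XE subject-add subject-name="$name") || return 1
    $XE subject-role-add uuid="$uuid" role-name="$role" >/dev/null || return 1
    echo "$uuid"
}

# apply_mapping reads "subject role" pairs from stdin, skipping blank lines
# and comments; keeps going on failure but returns non-zero if any line failed.
apply_mapping() {
    local name role rest rc=0
    while read -r name role rest; do
        case "$name" in ''|'#'*) continue ;; esac
        add_subject "$name" "$role" >/dev/null || rc=1
    done
    return $rc
}

# Constructed sample mapping following the division in the text: developers
# get vm-operator, ops gets vm-power-admin, management read-only. AD groups
# work the same way (e.g. "XXXXX\dev-team vm-operator").
sample_mapping() {
    cat <<'EOF'
# subject            role
XXXXX\dev01          vm-operator
XXXXX\dev02          vm-operator
XXXXX\ops01          vm-power-admin
XXXXX\boss           read-only
EOF
}

if [ "${1:-}" = "--apply" ]; then
    sample_mapping | apply_mapping
fi
```

Granting the role to an AD group rather than to each user means a new developer only needs to be added to the group in Active Directory Users and Computers, with no change on the XenServer side; `xe subject-list` shows what is currently registered.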

This is old technology and anyone may repost it as needed. Below are some of the errors I ran into during the deployment, for reference.

Appendix 1

Error produced when the AD domain is set up on Windows 2012:

Appendix 2

Note that the clocks must agree (a difference of a few minutes is tolerated); otherwise an error is reported and the configuration fails.

Appendix 3

You must log in with the domain administrator account (administrator), otherwise the error is as follows:

Day-to-day operations failures:

① One day a VM Operator reported that he could no longer log in to the corresponding server from XenCenter.

Resolution: logins worked again once the XenServer system time was changed to match that of the desktop host on which XenCenter is installed.

Troubleshooting and resolution steps:

Step 1: check on the AD server whether the VM Operator's AD password had expired. It had not.

Step 2: in Users, leave the domain.

Step 3: log in again; the error reported was:

Could not enable external authentication: Clock skew detected with active directory server

Log in to XenServer via the shell and set the XenServer system time to the same time as the desktop host running XenCenter. (The clock that Kerberos actually checks against is the AD server's, so syncing the host to the AD server directly, as in ② below, is the dependable fix.)

② One day operations received a request to add accounts for new employees. The account was created in AD without problems, but the user could not be bound in XenCenter. Error: Subject cannot be resolved by the external directory service.

The error after adding the account is as follows:

The log information:

Resolution: synchronize the time of the XenServer host with the AD server; the new AD account then binds to the host successfully.
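Both failures above come down to the same thing, clock skew between the XenServer host and the AD server, so the check worth running before leaving or rejoining the domain is a direct measurement of that skew. The script below does that from the XenServer host shell, as an added example that is not part of the original article. It assumes ntpdate is present in dom0 and that its `-q` output contains an `offset <seconds>` field, that DC_IP (a TEST-NET placeholder) is the AD server, that dom0 keeps its time with ntpd configured in /etc/ntp.conf, and that 300 seconds is the limit Kerberos tolerates (the "few minutes" mentioned in Appendix 2).

```shell
#!/bin/bash
# Added example, not code from the original article: measure the clock skew
# between this XenServer host and the AD server, and fix it by stepping the
# clock once and then keeping ntpd pointed at the DC.
# Assumptions: DC_IP placeholder; ntpdate in dom0 with "offset <sec>" in its
# -q output; ntpd reading /etc/ntp.conf; Kerberos max skew of 300 s.
set -u
DC_IP="${DC_IP:-192.0.2.10}"
MAX_SKEW=300

# parse_ntp_offset reads `ntpdate -q` output on stdin and prints the signed
# offset in seconds reported for the server; prints nothing if none is found.
parse_ntp_offset() {
    awk '{ for (i = 1; i < NF; i++)
               if ($i == "offset") { sub(/,$/, "", $(i+1)); print $(i+1); exit } }'
}

# skew_ok OFFSET -> 0 if |OFFSET| <= MAX_SKEW seconds, else 1
skew_ok() {
    awk -v o="$1" -v m="$MAX_SKEW" 'BEGIN { if (o < 0) o = -o; exit ((o <= m) ? 0 : 1) }'
}

# measure_skew -> prints the offset to the DC; returns 0 if within the Kerberos
# limit, 1 if too large, 2 if the DC gave no answer (123/udp blocked?)
measure_skew() {
    local off
    off=$(ntpdate -q "$DC_IP" | parse_ntp_offset)
    if [ -z "$off" ]; then
        echo "no time answer from $DC_IP (is 123/udp open on the DC?)" >&2
        return 2
    fi
    echo "offset to $DC_IP: ${off}s (limit ${MAX_SKEW}s)"
    skew_ok "$off"
}

# fix_skew -> steps the clock to the DC once, then makes the DC the only
# NTP source so the skew does not come back.
fix_skew() {
    ntpdate -u "$DC_IP" || return 1
    sed -i '/^server /d' /etc/ntp.conf
    echo "server $DC_IP iburst" >> /etc/ntp.conf
    service ntpd restart
}

case "${1:-}" in
    --check)
        measure_skew || { echo "run '$0 --fix', then re-enable external authentication" >&2; exit 1; } ;;
    --fix)
        fix_skew ;;
esac
```

A skew just under the limit still deserves fixing: the host's clock will keep drifting, and the "Clock skew detected" error reappears at the next join or subject lookup. Pointing the host at the DC for NTP, rather than hand-setting the time to match a desktop, removes the cause instead of the symptom.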


© 2024 shulou.com SLNews company. All rights reserved.
