Change domain (vCenter / vCloud Director - the whole shebang)

jibbajabba Member Posts: 4,317
For PCI-DSS compliance we need to rebuild our whole domain infrastructure. One part will be putting the virtual infrastructure in its own / new domain.

Has anyone been through that sort of exercise before? I cannot even begin to imagine what sort of trouble I will be facing, as our environment has not just a single vCenter, but three sites, each with its own vCloud Director instance.
My own knowledge base made public: :p


  • blargoe, Self-Described Huguenot, NC, USA, Member Posts: 4,172
    Will the new domain trust the old domain?

    I haven't done this before. I figure as long as you ensure that you have other accounts (i.e., local machine accounts) with full administrator rights throughout the entire vSphere infrastructure (temporarily), you should be fine when you remove the vCenter server from the domain. You're probably using an AD account as your vSphere services account, so you will need to account for whether that account will continue to have enough rights on the server when you remove the server from the domain.

    You shouldn't have to do anything to SQL Server (aside from making sure you have an account that can administer SQL server when the server is removed from the first domain).
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • jibbajabba Member Posts: 4,317
    They won't have a trust, which makes it a bit harder. Yes, SQL isn't the problem; it is using DSNs anyway. But I am concerned not just about vCenter but vCloud Director as well.
    My own knowledge base made public: :p
  • JBrown Member Posts: 308
    jibbajabba wrote: »
    They won't have a trust, which makes it a bit harder. Yes, SQL isn't the problem; it is using DSNs anyway. But I am concerned not just about vCenter but vCloud Director as well.

    It sounds like you are supposed to go with a new forest rather than a new domain in the same forest. No shared accounts then, if a separate forest without a trust to your production environment is what PCI requires.
    I am not familiar with the PCI compliance rule book, but how about building a setup consisting of three forests where:

    Forest A has a full two-way non-transitive trust with Forest B (VMware) and Forest C (clients):
    1. Forest A contains all the management, admin, and service accounts, along with management servers (Exchange, SCCM, BlackBerry, finance-related servers, etc.)
    2. Forest B contains all the VMware hosts and vCenters/vCD, utilizing primarily admin/service accounts from Forest A
    3. Forest C contains workstations and end-user accounts, same as above.
    There is some initial pain in setting up the Groups and membership, but you will get there as long as you plan the grouping correctly.
  • jibbajabba Member Posts: 4,317
    Sorry, I did mean a completely new forest. Basically, the vCenter and its attached hosts / vCloud Director environment need to be moved into an isolated environment with a completely new forest / domain. We just have to assume that there is no way of communicating between the two environments, at least for now...
    My own knowledge base made public: :p
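The pre-check blargoe describes (make sure some account that does not depend on the old domain still holds full administrator rights before the vCenter server is removed from it) can be scripted against vCenter with PowerCLI. The following is an added example written for this thread, not code from any poster or from VMware; it assumes PowerCLI is installed, and the vCenter name (`vcenter.example.invalid`) and old domain NetBIOS name (`OLDDOMAIN`) are placeholders. It lists every vCenter permission bound to a principal in the old domain (these stop working once the server leaves the domain and there is no trust) and warns if no principal outside that domain carries the Administrator role (named `Admin` in PowerCLI output).

```powershell
# Added example, not from the thread: inventory vCenter permissions that depend on the
# old domain and confirm a non-domain Administrator-role holder exists before the move.
# Assumes VMware PowerCLI is installed; server and domain names below are placeholders.
param(
    [string]$VCenter   = 'vcenter.example.invalid',  # placeholder vCenter FQDN
    [string]$OldDomain = 'OLDDOMAIN'                 # placeholder NetBIOS name of the domain being left
)

Import-Module VMware.PowerCLI -ErrorAction Stop
$null = Connect-VIServer -Server $VCenter -ErrorAction Stop

try {
    $perms = Get-VIPermission

    # Every permission whose principal lives in the old domain breaks the moment
    # the vCenter server is removed from that domain (no trust to the new forest).
    $domainPerms = $perms | Where-Object { $_.Principal -like "$OldDomain\*" }

    # Fallback access must come from principals that do not depend on that domain
    # (local OS accounts or vCenter SSO accounts) and must carry the Administrator role.
    $fallbackAdmins = $perms | Where-Object {
        $_.Principal -notlike "$OldDomain\*" -and $_.Role -eq 'Admin'
    }

    Write-Host "Permissions that will stop working after leaving ${OldDomain}:"
    $domainPerms |
        Select-Object Principal, Role, Propagate, @{ N = 'Entity'; E = { $_.Entity.Name } } |
        Sort-Object Principal, Entity |
        Format-Table -AutoSize

    if ($fallbackAdmins) {
        Write-Host "Administrator-role holders outside ${OldDomain} (keep these until the move is verified):"
        $fallbackAdmins |
            Select-Object Principal, @{ N = 'Entity'; E = { $_.Entity.Name } } |
            Format-Table -AutoSize
    }
    else {
        Write-Warning "No Administrator-role permission exists outside ${OldDomain}. Create one before removing the server from the domain."
    }
}
finally {
    Disconnect-VIServer -Server $VCenter -Confirm:$false
}
```

Run it once per site before the domain change and keep the first table as the list of permissions to recreate against the new forest. It covers only vCenter permissions; the vSphere service account's rights on the Windows server itself, the SQL login behind the DSN, and vCloud Director's own LDAP integration each need a separate check.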