Building Hybrid Cloud on Nutanix CE – Part III


In this third part of the Hybrid Cloud blog post series we’re going to set up a Group Policy Central Store, enable Windows Remote Management (WinRM), and install and configure ControlUp and the Local Administrator Password Solution (LAPS).

To take advantage of the benefits of .admx files, you must create a Group Policy Central Store in the SYSVOL folder on a Windows domain controller. The Central Store is a file location that is checked by the Group Policy tools by default. The Group Policy tools use all .admx files that are in the Central Store. The files that are in the Central Store are replicated to all domain controllers in the domain.

Copy the folder C:\Windows\PolicyDefinitions to \\FQDN\sysvol\FQDN\Policies. You can verify that it is working by opening the Group Policy Management Console, which now reads the policy definitions from the Central Store instead of the local machine.

Next we’re going to create a Group Policy to allow for Windows Remote Management. I’m going to name it Global CC – WinRM.

Go to Computer Configuration – Policies – Administrative Templates – Windows Components – Windows Remote Management (WinRM) – WinRM Service. Double-click Allow remote server management through WinRM and set it to Enabled.

Go to Computer Configuration – Preferences – Control Panel Settings – Services and choose New – Service. Choose Automatic (Delayed Start) as the startup type, pick WinRM as the service name, and set Start service as the action.

Go to Computer Configuration – Windows Settings – Security Settings – Windows Defender Firewall with Advanced Security and browse down to Inbound Rules. Right-click to create a New Rule allowing inbound WinRM traffic.

Next up is the ControlUp Console which you can automatically download and install using my Github code.

Start .\ControlUpConsole.exe and log on or create a new Account.

Click Add Machines.

This will automatically install the ControlUp agent on all selected Servers.

Next I’m going to create a Service Account for ControlUp Monitor called svc-controlup with a complex password set to never expire.

This account needs the Allow log on locally user right. Create a new GPO called Global CC – ControlUp and go to Computer Configuration – Windows Settings – Security Settings – Local Policies – User Rights Assignment. Be aware that you NEED to add Administrators as well: a User Rights Assignment setting in a GPO replaces the existing assignment rather than adding to it, so listing only svc-controlup would remove the right from Administrators.

In the same policy also add the firewall port used by ControlUp.

Head back to ControlUp – Add Monitor.

Add the Service Account credentials and click Shared so the credentials can be reused.

The rest is straightforward; consult the ControlUp documentation for more details. I’m going to install the Monitoring Agent on my MDT server. In larger enterprises you would set up multiple dedicated servers for this purpose only.

The last part of this blog post is deploying and configuring LAPS. First we need to create a Share where we’ll host the MSI we’re going to deploy through Group Policy. YEAH I’m not a big fan either, but that’s the fastest and easiest way to get this up and running as quickly as possible. RDP into the Domain Controller or file server where you want to host the Share.

Download the Local Administrator Password Solution (LAPS) MSI into a sub folder called LAPS\Version on the new share created above.

Create a new Group Policy at the Domain Root called Global CC – LAPS and go to Computer Configuration – Policies – Software Settings – Software Installation, then right-click to Add New Package. Navigate to the MSI using the FQDN path and select Assigned.

Now reboot all your VMs for the software to be installed. One of the many amazing features of ControlUp is Manage Programs and Updates, which lets you see where LAPS is installed.

On your Management Server install all the LAPS components.

The last step is to copy the AdmPwd.admx and AdmPwd.adml files located in C:\Windows\PolicyDefinitions to your Group Policy Central Store.

Edit the policy Global CC – LAPS and go to Computer Configuration – Policies – Administrative Templates – LAPS to configure the password settings.

Finally, open PowerShell as Administrator and run the following commands to extend the AD schema. The last line sets the OU for which you want to enable LAPS.
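The schema extension and OU delegation as an added example, not the post’s own commands. It assumes the LAPS management tools (the AdmPwd.PS module) are installed on the management server, and the OU distinguished name and the LAPS-Readers group are placeholders for your own environment.

```powershell
# Added example (not from the original post). Assumes the AdmPwd.PS module is
# installed and that $ou and "LAPS-Readers" are replaced with your own values.
Import-Module AdmPwd.PS

# One-time, forest-wide schema change: adds the ms-Mcs-AdmPwd and
# ms-Mcs-AdmPwdExpirationTime attributes to the computer class.
# Run this once as a member of Schema Admins.
Update-AdmPwdADSchema

# Scope LAPS to an OU of member servers/workstations rather than the domain
# root, so the policy never reaches the Domain Controllers OU.
$ou = "OU=Servers,DC=example,DC=local"   # placeholder, replace with your OU

# Allow the computer objects in that OU to write their own password and
# expiration time (the "last line" the post refers to).
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# Grant password read and reset rights only to a dedicated admin group.
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals "LAPS-Readers"
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals "LAPS-Readers"

# Check: list every principal that already holds "All extended rights" on the
# OU, since those can read the clear-text password attribute as well.
Find-AdmPwdExtendedRights -Identity $ou | Format-Table -AutoSize
```

Review the output of the last command before going live and remove any extended rights that are not needed, otherwise more accounts than intended can read the managed passwords.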

MAKE SURE YOU HAVE A DOMAIN ADMIN ACCOUNT WHICH IS NOT THE DEFAULT ADMINISTRATOR OR YOU WILL LOCK YOURSELF OUT. HAPPENED TO ME AND TRYING TO RECOVER NOW!!!! OR SIMPLY DO NOT ADD THE GPO AT ROOT LEVEL SO IT DOES NOT APPLY TO DOMAIN CONTROLLERS. STAY TUNED…..

And that’s it. In Part 4 we’re going to configure DNS correctly, set up a Group Policy for Authoritative Time Server automation, and install the Citrix Cloud Connector with the Nutanix Plugin.
