Microsoft System Center 2012 R2 App Controller is a component of System Center, an extension of Virtual Machine Manager (VMM), and relatively easy to implement. App Controller is a web-based self-service vehicle to facilitate the deployment of virtual machines (VMs) and services. App Controller can connect to private clouds based on a VMM server, to Windows Azure subscriptions, and to third-party hosting providers and can manage resources among these three environments. Based on VMM’s role-based security model which defines who can do what and to what extent, App Controller can delegate authority by modeling a business function as a user role, thereby noticeably simplifying the security administration and management of a multitenant environment. Above all, as hybrid cloud becomes an emerging platform for next-generation computing, App Controller enables deployment of such hybrid scenarios and helps accelerate their adoption.
This chapter covers some of the basics including the system requirements, prerequisites, installation, role-based security model, operations model, and user interface (UI) of App Controller.
The system requirements for installing the App Controller server, the App Controller web console on a client computer, and the Windows PowerShell Module for App Controller can be found in the Microsoft TechNet Library at http://technet.microsoft.com/library/dn249764.aspx so they won’t be repeated here. Note that an App Controller installation is an extension of a targeted VMM server which must be specified during installation of App Controller.
This section summarizes the prerequisites for installing the App Controller server in your environment.
The Windows Assessment and Deployment Kit (ADK) for Windows 8.1 is a required component for installing System Center 2012 R2 App Controller. The ADK for Windows 8.1 is available as a free download from Microsoft at http://www.microsoft.com/en-us/download/details.aspx?id=39306. The ADK for Windows 8.1 is a realization of Microsoft deployment and assessment methodologies and includes a suite of free tools to facilitate and improve the quality of Windows deployment and fundamentally reduce the overall costs associated with deployment. The ADK for Windows 8.1 includes the following:
Application Compatibility Toolkit (ACT) This can be used to build inventories and assess compatibility when migrating an application. The ACT uses a database instance that must be running on Microsoft SQL Server 2005 (or Express edition) or later.
Deployment Tools These tools can be used for customizing disk images and automating Windows deployments.
Windows Preinstallation Environment Also known as Windows PE, this is a minimal operating system that can be used to prepare a computer for installation or servicing. Windows PE requires the Deployment Tools.
User State Migration Tool (USMT) This can be used for migrating user data from an existing Windows installation to a new one. USMT includes three tools: ScanState, LocalState, and USMTUtils.
Volume Activation Management Tool (VAMT) This can be used for automating and managing the activation of Windows and Microsoft Office. It employs a database which must be a Microsoft SQL Server 2008 (or Express edition) instance or later.
Windows Performance Toolkit (WPT) This can be used to monitor and profile Windows operating systems and applications. WPT includes the Windows Performance Recorder, Windows Performance Analyzer, and Xperf tools.
Windows Assessment Toolkit This is a 2.4 GB download that can be used to produce diagnostics and remediation information of a local system by running jobs to measure and record the performance, reliability, and functionality. The Windows Assessment Toolkit requires the Deployment Tools, Windows PE, WPT, and SQL Server 2012 Express which is also included in the download.
For installing App Controller, the Deployment Tools and Windows PE are especially essential. Figure 1-1 shows the initial installation screen for installing the ADK for Windows 8.1, which is in preview at the time of this writing.
At the end of the ADK installation, there is a check box to bring up the ADK Getting Started Guide which offers an overview of the ADK along with scenarios to help you better understand Microsoft’s deployment and assessment methodologies. The guide now has a tile that can be pinned for frequent access as shown in Figure 1-2.
Installing App Controller on a server requires a domain user account with local Administrator privileges. The service account to run App Controller services can be the built-in Network Service account or a domain account.
Prior to installing App Controller, be sure to identify a supported version of a Microsoft SQL Server instance in your environment or create a new instance. The user account installing App Controller must have at least database owner (DBO) permissions on the database associated with your App Controller installation.
The System Center 2012 R2 App Controller installation process is very similar to that of System Center 2012 App Controller and is initialized by running Setup.exe as an administrator. The installation startup screen has links to important online content including the Release Notes, Installation Guide, and so on (see Figure 1-3). There is also an option on this screen to install the Windows PowerShell module for App Controller.
If you do not provide a product key during installation, App Controller will be installed as an evaluation edition. To provide a product key afterwards, simply rerun the setup program and select the Upgrade option.
There are a number of prerequisites for installing App Controller in an environment. When starting the installation process, a built-in prerequisites checker will identify the hardware/software components in place and suggest follow-up actions, as applicable, for any missing components. For example, Figure 1-4 shows a blocked installation attempt where some prerequisites are missing. If desired, you can install the missing prerequisites at this time and then click the Verify Prerequisites Again link to rerun the prerequisites checker.
Once all of the prerequisites have been met, the Setup Wizard will continue and the installation process can proceed to the next step.
By default, the setup program installs App Controller at C:\Program Files\Microsoft System Center 2012 R2\App Controller.
Either the built-in Network Service account or a domain account can be used as the service account for running the App Controller services. The default port for the internal communication of App Controller services is 18622 but this is customizable as shown in Figure 1-5.
The installation process provides the opportunity to specify the IIS website binding (IP address and TCP port). The default port is the SSL port 443 as shown in Figure 1-6. Setup can generate a self-signed certificate or you can select an existing X.509 certificate that has already been installed on the local machine. The figure shows an existing certificate named ac.contoso.corp being designated as the SSL certificate for the App Controller website. By using IIS, which is required when installing App Controller, you can easily generate an SSL certificate using your enterprise public key infrastructure (PKI).
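The following check is an added example, not part of the book or of the App Controller setup program. It reports, for every HTTPS binding in IIS on the server, whether the bound certificate is self-signed, expired or close to expiry, or untrusted on the machine. The function name `Get-HttpsBindingCertReport` and the 30-day warning threshold are assumptions made for illustration; it relies on the WebAdministration module that ships with IIS.

```powershell
# Added example: report on the certificate behind each HTTPS binding in IIS.
# Run in an elevated Windows PowerShell session on the App Controller server.
Import-Module WebAdministration

function Get-HttpsBindingCertReport {
    param(
        [int]$WarnDays = 30   # assumption: warn when expiry is within 30 days
    )
    $now = Get-Date
    foreach ($binding in Get-WebBinding -Protocol https) {
        # IIS records the certificate as a thumbprint plus a LocalMachine store name.
        $store = if ($binding.certificateStoreName) { $binding.certificateStoreName } else { 'My' }
        $thumb = $binding.certificateHash
        $cert  = $null
        if ($thumb) {
            $cert = Get-Item -Path "Cert:\LocalMachine\$store\$thumb" -ErrorAction SilentlyContinue
        }

        $findings = @()
        if (-not $cert) {
            $findings += 'no certificate resolved for this binding'
        } else {
            # Subject equal to Issuer means the certificate signed itself.
            if ($cert.Subject -eq $cert.Issuer) { $findings += 'self-signed' }
            if ($cert.NotAfter -lt $now) {
                $findings += 'expired'
            } elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) {
                $findings += "expires within $WarnDays days"
            }
            # Verify() builds the chain with this machine's trust stores
            # and default policy, which may contact revocation endpoints.
            if (-not $cert.Verify()) { $findings += 'chain not trusted on this server' }
        }

        [pscustomobject]@{
            Binding  = $binding.bindingInformation
            Subject  = if ($cert) { $cert.Subject } else { $null }
            Issuer   = if ($cert) { $cert.Issuer } else { $null }
            NotAfter = if ($cert) { $cert.NotAfter } else { $null }
            Findings = $findings -join '; '
        }
    }
}

Get-HttpsBindingCertReport | Format-List
```

An empty Findings value means the binding uses a certificate that chains to a root this server trusts and is not near expiry; clients still need to trust the same root.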
The default App Controller database is named AppController, as shown in Figure 1-7, but this is customizable.
Once App Controller has been successfully installed as indicated by all checkmarks in a green circle on the final page of the App Controller Setup Wizard, be sure to review and document the installation logs by clicking the View Logs link as shown in Figure 1-8.
The App Controller installation log files are stored in either %LOCALAPPDATA%\AppController\Logs or ProgramData\AppController\Logs. Figure 1-9 shows the log files folder of a typical App Controller installation.
The Services node in Computer Management in Figure 1-10 shows that four services are installed by the App Controller setup program.
Before examining the experience of using App Controller, we will first review the App Controller security model to better understand the targeted usage scenarios. As mentioned earlier, App Controller is a self-service portal for an authorized user to manage service deployments. The authorization model that App Controller uses is inherited from that of the associated VMM server. In the VMM administration console, the Security node in the Settings workspace can be used to define new user roles as shown in Figure 1-11.
A user role is a policy consisting of membership and a profile. The latter specifies a set of operations that can be performed on authorized objects. Specifically, a user role defines not only what tasks a user can perform on authorized resources, but also to what extent and with what privileges such tasks can be performed. Once a user has been authenticated, those roles that the user is a member of are in effect.
A key benefit of this model is that with membership and a profile, that is, who and what to do, you can model an individual performing a specific business function with a particular set of tasks. This delegation model is called role-based security and significantly simplifies security administration because instead of specifying many individual operations on many individual objects, you can tie business functions to membership in a particular user role. By adding or removing a user from a user role, the user automatically inherits or is deprived of the operations, scopes, and privileges defined in the associated profile. Employing user roles also offers consistency in authorizing resources and provides a user-defined abstraction that translates security and administration requirements into the customer’s business functions.
In System Center 2012 R2 App Controller there are four user role profiles. These roles are briefly described in the sections that follow.
The Fabric Administrator role is a privileged role that can perform all tasks on authorized objects.
The Read-Only Administrator role can read the information of, but not modify, an object. The Read-Only Administrator role is intended for monitoring and auditing purposes.
The Tenant Administrator role is a project/release/function leadership role. Users assigned this role can manage self-service users, virtual machines, and service deployment including user access and quotas.
The Application Administrator role manages resources deployed by the individual. Users assigned this role can perform only those tasks specifically marked in the Permissions page of the profile. Figure 1-12 shows the list of tasks available for the Application Administrator role.
Each of the above user roles can access resources using either the App Controller web-based interface or the VMM administration console. The visibility of the underlying fabric (that is, the servers, networking, and storage resource pools) will vary depending on user role. One key distinction between accessing resources with App Controller and with the VMM administration console is that App Controller does not reveal the fabric, regardless of whether the account is a VMM administrator or one with the Fabric Administrator role. In the VMM administration console, however, a VMM administrator and a Fabric Administrator will see the Fabric workspace, while a Tenant Administrator or an Application Administrator will not. In fact, one idea behind App Controller is to enable a service owner or technical leadership to manage a service deployment without being concerned with the underlying infrastructure and its technical complexities, so limiting fabric visibility is an advantage here. Those who need access to the fabric should log on to a VMM administration console instance instead.
This section briefly describes the App Controller operations model and user interface. Further information on configuring App Controller and using the user interface will be found in later chapters throughout this book.
After installing App Controller, a VMM administrator can log on using the App Controller web-based interface and connect a VMM server, clouds, Windows Azure subscription, third-party hosting, and network shares. Once the user has been authenticated, resources authorized for the user become accessible based on the user role assigned to the user.
Figure 1-13 shows an example of what a VMM administrator might see upon first logging on to the web-based interface after the App Controller installation process has finished. The Overview page includes Next Steps with a list of links for performing common tasks needed for configuring the App Controller environment. The navigation pane has a Settings workspace available for the VMM administrator to use. In the next chapter, we will walk through such steps as branding the App Controller website, connecting to VMM and Windows Azure, consuming services, and operating on deployment instances.
NOTE Cloud service providers can provide multiple instances of App Controller targeting different users with different resources for different deployment scenarios to best serve the intended users.
As Figure 1-13 shows, the navigation pane for the App Controller web-based interface shares some similarity with the VMM admin console. But since App Controller is mainly a vehicle for consuming and managing resources, the web-based interface is used for deploying and operating on instances instead of for defining and configuring resources. From the top of the navigation pane, the workspaces are as follows:
Overview This is a snapshot of the resources that are manageable based on what has been configured in the Settings workspace in the VMM administration console. Unlike in the VMM administration console, the Settings workspace is not visible to users in the App Controller web-based interface. In addition, the visibility and operability of resources like clouds, services, VMs, and library items are based on the user roles relevant to the authenticated user. The operations model for App Controller is to make visible only those resources authorized for the user, so that the user can self-serve and deploy services with minimal IT support, if any.
Cloud This is a logical container for the host services.
Services This shows VMs that can be identified, managed, and operated as a single entity in order to deliver a particular line-of-business (LOB) application.
Virtual Machines This shows deployed instances of VM templates. Here the individual VMs can be viewed and operated as individual objects.
Library This is a repository for all of the resources available for creating virtual machines.
Jobs This records a history of the jobs performed by App Controller.
Settings This is where you can establish connections and access VMM and Windows Azure.