Installing Minimal vRA 7: Part 3b Iaas Install and Automatically Installing Pre-Requisits

Stage 0: I Should Have Clicked the Button

This post, right here, is one of the reasons why vRA 7 is leagues ahead of vRA /vCAC 6.x.    In vRA 6 you had to manually ensure that  each of the many, MANY pre-requisites for installing the IaaS server on a Windows machine were exactly right before trying.  If even the slightest detail was incorrect you had to start over again (and I mean from the vRA appliance forward. It broke everything).  vRA 7 has a nice pre-req checker that  tells you if your out of compliance with any of the requirements and wont let you continue until you’re done.  Crucially, it has a button labelled “Fix” that I didn’t know about that will sort EVERYTHING for you automatically.  I didn’t know about this the first time so spend a good few hours manually sorting all the pre reqs before starting.  This was a waste of time…

So, if you want to get going quickly and easily keep reading.  If you wan to see what is required first hand in getting a server ready for an IaaS install (and it is interesting to see how it all fits together) I would like to direct you to the alternative version of this bog “Part 3 a”<<<COMING SOON>>>


Stage 1: Getting Your Server Ready

NOTE: I’m assuming that you have provisioned a vanilla Windows 2012 R2 server ready to be used as the IaaS server.  It must be:

  • Part of the same domain as the vRA appliance
  • Be registered in DNS
  • Have no ports blocked between it and the vRA VA (personally I just turn the FW off in the lab).
  • Meet the minimum system requirements of 2 x vCPU, 8GB RAM, 30GB HDD space (in addition to Windows)
    • For a lab environment you CAN drop the RAM after install but not before completion.

Stage 2: Install IaaS Management Agent

Before starting the main install of the IaaS server you need to install the IaaS Management Agent on the IaaS server (It looks for it in the initial setup).  You can get this by navigating to the URL https://<VRA Appliance FQDN>:5480/installer on the iaas server.

vra installer.png

This brings up a page with various packages available for download from the vRA7 appliance server.  We’re interested in the top one at this time.  Click the link to download the Management Agent Installer.


Save this file somewhere easy on your IaaS server and then run the installer to start the wizard. Continue through until you reach the Management Site Service window.

Welcome… next!
Sign away your soul and continue…
Install to an appropriate location and continue…

At this stage you’ll be asked to fill out a few important fields.  The main thing to note here is that if you get the vRA appliance address incorrect (or the UN/pwd) you will be unable to load the SHA1 fingerprint and continue.

You also have to tick the box confirming that you know the fingerprint is correct.  I’m not checking this in this guide but you should do in a production environment (steps on how to do this will be in the “enterprise” deployment blog).

Once you’ve got the URL, Username and Password correct you’ll be able to load the fingerprint and continue.

Information of your vRA Appliance

Next you’ll be asked to ender the active directory account created earlier that will be used to run the Management Agent Service.  This must have local admin rights as well as Logon as a service and logon as batch job rights.

NOTE: If you need to enable the logon as a service right for the account but dont know how to Follow this link to the Microsoft TechNet article describing how to achieve this.

Entering the Service account information
Ready? Continue…
In Progress…

Stage 4: Starting the IaaS Install Automation Wizard

Now we’re finally ready to start the main IaaS install and configuration using the new Wizard process.  To start, navigate to the following URL in a browser from the IaaS server:


The vRA appliance URL

This will bring you to a logon screen where you need to log on as root with the password specified in Part 1 of this blog series.

Appliance Logon page

Once you successfully logon for the first time the Wizard should automatically start.

IMPORTANT: The Wizard will only start ONCE.  if you get part way through the process and quit you will not be able to initiate setup via this method again.  If this happen you’ll have to use the old fashioned method of install and configuration.

The wizard begins
Another EULA. Does ANYONE read these?

After the EULA you get to select your instillation type.  For this exercise we are installing vRA 7 in the Minimal Deployment type so ensure this is selected.  You also get the option to deselect the Infrastructure as a Service option to not install the IaaS server portion of vRA (and thus rely on Advanced services and Orchestrator).  We want to be able to use the ‘easy’ Blueprints in the test environment so we’re going to install it (i.e. ensure it’s checked as an option).

Deployment type selection screen

Now there is the first of two prerequisite check screens.  This is checking for the pre-reqs for the install to begin. the screen below shows you how the screen looks if you have NOT deployed the IaaS Management agent on this server already (or if it’s not contactable).

Install Pre-req screen

You’ll be unable to proceed unless the agent shows up and can contact the vRA 7 appliance.  As we have already installed and configured the agent you should see something like this…

A visible management agent

Note:  In the above screenshot time sync was out as my windows box wasn’t using the same time sync as the ESXi host.  The install fixes this which is why the NTP configuration option is important.  It must be set to the same as the source for the appliance.

Next up is the important bit.  The prerequisite checker screen.  vRA 7 IaaS is still very specific in what you need to be able to successfully install the componant on the Windows server.  There’s a LONG list of things that have to be ‘just so’ listed in the manual.  If you want to know how everything hangs together and what needs to be changed check out “Part 3a” of my guide where i do everything manual because I thought I had to.  If not… Click the  Run button and the wizard will go off and start checking the system for you.

Pre-Req Checker Screen

Once you’ve click to start the process the screen will show the status.  First off you’ll see something like that shown below.  The name of the IaaS server is displayed and a “waiting….” style message appears.  On my lab this took 3-5 mins.


Soon after you’ll probably be greeted with something like this telling you that your server isn’t configured right…

Panic! (Don’t panic)

Now, in vCAC / vRA 6.x this would mean checking every setting it said was wrong (or guessing) or reinstalling if everything looked ok (but wasn’t).  In vRA 7, however,  VMware have made this bit far, far better that before.

You can simply click the “Fix” button on the pre-req checker screen and the wizard will go off and fix pretty much everything for you (A restart will be required).  It looks like this:

Fixing everything for you.  Please wait…

I tried this twice and it worked perfectly both times.  Your mileage may vary but i gave it a vanilla Windows 2012 R2 server and it behaved brilliantly.  Anyone coming from vCAC / vRA 6.x will understand how big of a deal this is!

If y0ur server requires a reboot let it come back up and re navigate to: https://<vr_server&gt;:5480 and log back in as root.  The Wizard will (should) restart where it left off.  You should find that the wizard restarts at the pre-req checker stage.  Re run, ensure things are ok and continue on…

Once you’re done you can continue on to the vRealize Automation Host specification page. you can enter the host manually if you want or, as I prefer, click the Resolve Automatically option and the wizard should resolve the FQDN itself. NOTE: The screenshot below has the Enter Host option selected the one we’re talking about appears beloe.

Enter your FQDN…

I actually think this is a good test that everything is working correctly before going any further as the management service SHOULD be able to see the appliance at this point.  If you can’t then you might want to fix that first! (Remember NOT to cancel the wizard).

It will look something like this if it’s working:

Automatically resolved!

Once the appliance information has been entered it’s on to specifying the administrator password for the default tenant account.  The default tenant account is the part of vRA when you can log in and configure everything important vRA related INCLUDING creating other tenants and setting up permissions for others to use them.

This is the only tenant that can do this so be sure not to lose this password or set it to something completely esoteric for no reason.

Chose a sensible, secure password…

We now need to specify the configuration parameters for the IaaS server (the one you’re on).

The IaaS web address should be the same as the DNS entry you’ve set up (i.e. the servers FQDN if you get windows do it when you joined the domain).

The Install IaaS Components on drop down should only have one entry (this server).

The Username field should be set to the domain account you set up right at the beginning that has local admin rights on this server.  The password is, obviously, the one you set.

Security Passphrase is very important.  Communication to the SQL database will require the use of an encryption key (that you’re setting here).  This must be remembered at al costs.  Recovery in the event of a failure without this phrase is not possible.  I personally like to go with something long but memorable such as “thephantommenacewascompletegarbageandyouknowit” just ensure you remember it!

IaaS Host configuration

Next is the SQL server configuration.  You don’t have to have pre created a database as the wizard will do this for you.   In the lab we’re using default settings and Windows Authentication. Just ensure that the account you’re logged on as / Running the Management agent as is also a dbcreator / sysadmin on your SQL server before continuing.

SQL server configuration…

Next up is the Distributed Execution Managers setup.  DEMs are actually two separate processed.  The DEM-Orchestrator that takes care of scheduling asks within vRA and the DEM-Worker which handles the actual execution of vRA tasks (up to 15 per DEM-W).

These are installed to an IaaS server (in our case THIS IaaS server) they need a name and a description (I’ve not been very creative in the example below).  These processes run as Windows services so the username and password must be from an account that has Logon As A Service Rights in the IaaS system.  This is the account we set up earlier.

DEM setup…

On to the next step… Agents.  This is where you enter the infomration used to set up  the communication between the vRA install and you vCenter & vSphere endpoints.  vRA will then install and agent that allows communication between the two systems.  Remember, vCenter doesn’t know about vRA, it’s vRA that gathers information on vCenter and then send requests.  The agent is the go-between / proxy for this two way communication.

IMPORTANT: The Endpoint name and Agent Name fields should be descriptive and the SAME.  This is because the explicit name of these two inputs are used in the configuration of vRA down the line and it’s something you have to manually type in and GET RIGHT.  Specifically, there’s no way I know of getting the correct Endpoint name if you can’t remember it or didn’t call it the same as the Agent (which shows up in Windows services).  So, if you forget and want to configure an endpoint manually for an agent you can’t remember the name of you’re left with a free form text box and not a hope in heck!  This is one of the parts of vCAC that seems to have carried over….  It needs to go!

So, enter sensible information and the details of the relevant username and password (that has vCenter Admin rights in this case) and continue.  As before, in a production environment this would probably be a separate account.

Get this right!

Now it comes to Certificates.  These are tricky in vRA under an enterprise install.  BUT, in a minimal install you are allowed to use Self-Signed Certificates.  And we are most certainly going to do this!  First up is the certificate for the virtual appliance.

The screen below shows the result of the following procedure.

Select the Generate Certificate option.
Type in a relevant Organisation, Organizational unit and country code (the first two can be whatever, the country code needs to be right).
Click Save Generated Certificate and wait a sec.
The screen will refresh to that shown below.

Generated Self-Signed Certificate…

Now on to the creation of the Web certificate for the IaaS server.  Same procedure as before using the same values and you should be left looking at a screen as shown below. This is a time saving of about 3 hours and two servers over the enterprise way of doing this section.

Another certificate done quick!

Finally… the Manager service certificate.  It should pick up that it’s on the same box as the IaaS Web server and use the cert you just generated.  It will look something like this.

Using the Web cert.

The wizard is now almost done.  It’s time to validate the install.  Click the Validate button and you’re away.  Progress will be shown like the screenshot below.

Mid-Way through validation

Take note of this line.  It really does take this long.  Go make another cuppa…

Please wait…

After the wait you should be greeted with this.  We’re finally ready to install.


The next screen gives very important advice.  vCAC 6.x was notorious for failing the install and leaving everything in such a state that you had to rebuild from scratch (yes, seriously) and try again with fingers crossed.  Guard against this possibility by snapshotting the vRA appliance, this IaaS server and the SQL server before attempting the install.  It’s worth the wait!

DO THIS, It’s really important

Once you’ve done this it’s time to ignore this next screen and press Install.


Now all you need to do is wait while everything gets installed and configured. a pretty helpful status is shown.

NOTE: I ended up with a screen showing “success” and “100%” install but with the final item on the list still showing as in progress.  This is, I think, a bug.  everything had completed fine and the system functions as expected.


Once the install is complete vRA will ask you for the licence key.

NOTE: You don’t HAVE to enter a key at this time.  However, you can’t do anything if you don’t as there’s no free trial period with vRA 7.  If you go on without the key you can display the logon page and sign in.  However, it just sits there with a spinning wheel and wont load the mains creen

Licence…. You need one…

Next to the option to turn on telemetry which sends info to VMware.  IMO this product needs all the help it can get (despite being awesome).  Turn it on.

Enable Big Brother (y/n)

Finally there is the option to create a vRA catalog items that will go off and create a suite of blueprints for you to get you started.  This is quite a cool idea and takes the guess work out of navigating the interface the first time.  it’s basic but its useful.

You simply need to choose a password for a user that will be created called configurationadmin.  In the next stage you’ll log in as this user and run the process to create initial blueprints.


Click the Create Initial Content button and you should see:

More success!

That’s it!  Now it’s time to log in and create some blueprints.  This will be covered in part 4 of this series!



Onwards… To part 4




Installing Minimal vRA 7: Part 2 Deploying The vRA Appliance

Now that we know what we’re aiming for we can get the really easy bit out of the way right now.  Deploying the  vRA 7 Virtual Appliance.  Throughout this example I’m using the svc-vra-admin account created in step 1 as it has rights for pretty much everything.

NOTE: My lab was running vSphere 5.5 when I did this blog post so screenshots below are from the c# client and NOT the Web client (yes, yes I know….).  Any additional posts after install will probably be from the Web Client and vSphere 6.0

Deployment Steps

I’m going to assume here that you have already downloaded the vRA 7 appliance OVA from VMware website.  If not, go do it now.

Step 1: Create a DNS entry for your appliance

vRA and, indeed, most other VMware products really like DNS to be set up correctly or they will behave most oddly.  Therefore, before deploying the vRA appliance you should.

  1. Log on to your server hosting DNS (in my case my labs AD).
  2. Create a new A record and associated PTR for the vRA appliance.
    1. e.g vra7.lab.local,
    2. Ensure the Create Associated Pointer (PTR) record option is ticked (if using Windows DNS).
  3. Check the new name is ping-able from within your environment.

Step 2: Deploy the OVF

With that step out of the way we can now deploy and configure the appliance.

  • Open Virtual Center and select File > Deploy OVF TemplateSnapCrab_LABVC01lablocal - vSphere Client_2016-1-5_12-5-39_No-00.png
  • The  deployment wizard will start.  Select your downloaded OVA file and continue through the steps (Shown Below).  These initial steps allow you to pick a name and location for the appliance.  My values are shown for example.  Continue until you get to the Disk Format stage of the wizard.
Select the source of your OVA file and continue…
Ignore the details and continue…
Press Accept without reading just like everyone else and continue…
Give you VM a sensible name (e.g. use your DNS name) and continue…
Select Your host / cluster and continue…
Select a resource pool if you want to and continue…
Select the datastore you want to deploy to…
  •  This next window is probably where you want to start paying actual attention to the  wizard.  The default option here is Thick Provisioned, Lazy Zeroed.  For a quick deployment and a lab setup this is silly and wasteful so ensure you select Thin Provisioned and continue…
Select Thin Provisioning and continue…
  • The next screen is the most important to get exactly right now or else there will be issues later down the line.  You’ll need to fill out:
  • Initial Root Password: Something memorable for logging in as root (Don’t Forget This!)
  • Enable SSH service in the appliance: Checked. As this is a lab we want to turn this on as we’re going to play.  If you were installing that as a production system you should leave this off for security reasons and only enable it when required.
  • Hostname: The FQDN of your appliance as its been set up in DNS. <server>.<domain>.<whatever> or, in my case: vra7.lab.local
  • Default gateway:  Your route to the internet or network for this appliance
  • Domain Name: The domain suffix of the VM <domain>.<whatever> or, in my case. lab.local
  • Domain Search Path: the NETBIOS style name of the domain all user / security accounts are contained in e.g. <Domain>.  In my case it’s just called “lab”
  • Domain Name Servers:  The IP Addresses  (IPV4) of the DNS server to use for the appliance.  In this example DNS is installed on my AD server so I use this IP.
  • Network 1 IP Address: the IP V4 network address you want to assign to the appliance.
  • Network 1 Netmask: The subnet mask for the appliance.

Once you’re sure all of the entries are correct for your environment continue…

Make sure all these entries are accurate!
  • Check the details are correct, click next and get the appliance provisioning into your lab.  Make sure you check the Power on after deployment option.  Saves waiting around!
Ready to deploy!  Go Make A Cuppa.
  • Wait for the VM to deploy and turn on  Once it’s up and running open up a CMD / PowerShell window and ping the appliance via it’s DNS name.  This ensures that DNS is working correctly and the appliance has successfully applied it’s network settings. If it fails here fix DNS resolution before going any further.


That’s it.  The appliance is now up and running  and it should even look like this if you go to the console and take a look.


Now you are  ready to move on to the next stage of preparing the Windows server for the IaaS install.  You can do this the easy way or the hard (but interesting way).  I learnt on vCAC 6.0.x so have a healthy distrust for the automatic pre req install. So, I did it manually first.  Only LATER did I try the automatic method and find out that it actually works…. So I present both ways.

Hard Way: Installing Minimal vRA 7: Part 3a – Manually Installing Pre-Requisites
Easy Way: Installing Minimal vRA 7: Part 3b – Automatically Installing Pre-Requisits

Installing Minimal vRA 7: Part 1 Which Version For The Lab?

Finally, after pretty much a full year of waiting VMware released version 7 of the vRealize Automation suite.  Rumour is that it’s far easier to install, more stable and bug free than before.  Given the difference between the hell that was 6.0.1 and the, much better but still poor, 6.2.2 releases I’ve had the pleasure of deploying I’m hopeful of significant progress.  Obviously I want to check it out as son as possible so this series of Blogs will be about getting it deployed in my home lab.

Installing In A Home Lab

vRA is a beast when it comes to system requirements 6.x was massive but 7 is much improved.  Gone are the requirements for a separate Identity appliance (SSO) and pSQL DB to talk to the vRA host.  Both of these as now included in the basic appliance.  It’s still beefy though so, for a 1st time I’m going to deploy the “minimal” version of vRA

So, What Does It Look Like?

The minimal install looks like this:


This is nice and simple for the lab.  We only NEED two boxes.  One vRA appliance and one Windows Box for the IaaS components, agents and SQL.

In this series of blog posts I’m going to be using a SQL server I already have as part of the lab (the same one that houses my Virtual Center DB). Therefore I’ll be interacting with three boxes that make up the install.

So, What’s Being Provisioned?

The vRA7 lab install will be made up of:

  • 1 x vRealize Automation appliance, which deploys the management console, manages Single Sign-On and houses the internal PSQL DB and Orchestrator server.
  • 1 x Windows Server box (2012 R2) for the  Infrastructure as a Service (IaaS) components.  This includes the Web Server, Model Manager Data, Manager Service (agent), Distributed Execution Managers (worker and orchestrator) as well as the agents for vSphere / vCenter etc.

What Have I already Provisioned?

  • An MS SQL Server for the IaaS Database (Server 2012).  This is already set up in my lab.
  • An Active Directory Domain with a domain already set up.  This is fr creating users and groups with relevant permissions.

What We Need To Proceed

To complete the install you’ll need:

  • 1 x vRA7 OVF file from VMware to deploy the appliance.
    • Download from the MY VMware site.
  • 1 x Vanilla Windows 2012 R2 server for the IaaS components
    • 2 x vCPUs
    • 8GB RAM
    • 60GB HDD (30GB Windows, 30GB Free for IaaS Components)
  • 1 x Licence Key for vRA.
    • It doesn’t work without one so don’t try (installs, wont log in)

Accounts And Logins Required

Before you start it’s best to create any users and groups you may require now.  vRA has some specific requirements such has insisting that the IaaS server is installed as the account that has local admin rights on the Windows Server. I have created the following users and groups that are used in my Active Directory.

User: svc-vra-admin
This is my generic service account that I create for anything vRA related.  In this case it’s used to log on and install the IaaS components as well as run the vRA services (i.e. the service runs AS THIS USER).  It’s also the account I give permissions in vCenter to have admin access for data collection later in the process.  In a real world environment you probably shouldn’t just use the one account. However, as this is a lab PoC test I have.

Member Of Groups:
vRA Administrators 
– For defining an account as having vRA admin permissions.
vRA Users – For defining an account as a standard user.
VC Admins – Group giving members admin rights to my Virtual Center.
vRO Admins – Group giving members admin rights in vRO.

Additional Standard Groups This User Is A Member Of:
Domain Admin
Domain Users

NOTE:  This isn’t close to best practice.  In a shared environment, anything facing the internet or a real deployment Create seperate users as appropriate.  After this simple guide I will be doing an “Enterprise” install with the correct segregation of duties. This solution is, obviously, not production ready!

Once you’ve got all this downloaded and provisioned You’ll be ready for the Next Stage.  Deploying the vRA Appliance