To set up the management pieces of vSphere, I need to have an account or accounts created in Active Directory. I need to determine how many to create and what permissions they need.
In Single Sign-On Server, I need to choose an account that vCenter Server will use when it connects to SSO. I can use the default admin@system-domain, or I can add an account that is configured in Active Directory, or I can use an Active Directory group instead of an individual user. What is the best way to do this, and if I use an AD account, what permissions does it need at the domain level and at the local level on the Single Sign-On Server? (I'm using multisite mode, so I can't use local accounts.)
In SQL Server, I need to choose an account to use for the SQL Server service. Should this account be an Active Directory account or a local user account? Either way, what permissions should be assigned to the account in Active Directory and what permissions should be assigned to it on the local machine? What AD group, if any, should it be a part of? What local permissions does it need?
In vCenter Server, I need to choose an account to run the "vCenter Server Service" as. Is it best to use the default "system" account, an account from Active Directory, or a local account?
I'm trying to get a big picture of an AD account/group strategy to use that covers the main management pieces of vSphere: vCenter Server, Single Sign-On, Inventory Service, and Web Client Services.
For example, create one group called "vSphere Services", then create separate accounts for each management piece, and assign them specific permissions on specific systems. Or create separate groups for each management piece and assign permissions to the groups. Is it better to consolidate some of these user names or split them out? Any experiences / suggestions welcome. Thanks.
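As an added example that is not part of the original post, here is how the per-service layout sketched in the last paragraph (one "vSphere Services" group, one dedicated account per management piece) could be scripted with the ActiveDirectory PowerShell module. The OU path, domain, account names and password prompt are assumptions; the script deliberately grants no rights on any server, because which rights each vSphere service actually needs is the open question above. It does, however, mark the accounts as non-delegable and ends with a check that none of them landed in a privileged group.

```powershell
# Added example (not from the original post): one security group plus one
# dedicated service account per vSphere management service. OU path, names and
# domain are assumptions; the rights each service needs are NOT set here.
Import-Module ActiveDirectory

$ou        = 'OU=Service Accounts,DC=corp,DC=example'   # assumed OU
$groupName = 'vSphere Services'                         # group name from the post
$services  = @{
    'svc-vcenter'   = 'vCenter Server service'
    'svc-sso'       = 'vCenter Single Sign-On'
    'svc-inventory' = 'vCenter Inventory Service'
    'svc-webclient' = 'vSphere Web Client'
    'svc-vcsql'     = 'SQL Server service for the vCenter database'
}

# One global security group that all vSphere service accounts belong to.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName 'vSphere-Services' `
        -GroupScope Global -GroupCategory Security -Path $ou `
        -Description 'Service accounts for vSphere management components'
}

foreach ($sam in $services.Keys) {
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") { continue }   # idempotent re-run
    # Read-Host keeps the password out of the script file and the shell history.
    $pw = Read-Host -AsSecureString "Password for $sam"
    New-ADUser -Name $sam -SamAccountName $sam -Path $ou `
        -Description $services[$sam] `
        -AccountPassword $pw -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -AccountNotDelegated $true   # "account is sensitive and cannot be delegated"
    Add-ADGroupMember -Identity $groupName -Members $sam
}

# Check: a service account should never sit in a privileged group.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'
foreach ($sam in $services.Keys) {
    $groups = Get-ADPrincipalGroupMembership -Identity $sam | Select-Object -ExpandProperty Name
    $bad = $groups | Where-Object { $privileged -contains $_ }
    if ($bad) { Write-Warning "$sam is a member of privileged group(s): $($bad -join ', ')" }
    else      { Write-Output  "$sam OK, member of: $($groups -join ', ')" }
}
```

Whatever rights each service turns out to need (for example "Log on as a service" on the host that runs it) would then be granted per machine to the individual account, or to the group if you decide to consolidate; the split-out accounts make it possible to see afterwards exactly which service holds which right.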