4. Deploying the MSP Broker Tenant

This guide describes how to deploy the MSP broker tenant with new AD services. The default tenant configuration is:

  • mode: broker
  • ad: create
  • key-name: heat-key
  • cidr:
  • domain_name: vdiprovider.lab
  • password: Providerpassw0rd
  • Stack name: provider

Other options are as described in Master template parameters.

The templates used require a public SSH key. You can use a key previosly uploaded to the Virtuozzo Hybrid Infrastructure self-service panel or generate a new one, as done in this guide.


In case of issues during the deployment, you can delete the stack with openstack --insecure stack delete provider and try again.

Perform these steps to deploy the MSP broker:

  1. Load provider’s OpenStack credentials:

    # source provider-openrc.sh
  2. Generate a new SSH key:

    # openstack --insecure keypair create heat_key > heat_key.priv
  3. Start tenant provisioning:

    # openstack --insecure stack create -t Tenant-Deploy.yaml provider --wait\
    --fit-width --parameter password=Providerpassw0rd --parameter key_name=heat_key
    2020-04-19 18:57:30Z [provider]: CREATE_IN_PROGRESS  Stack CREATE started
    2020-04-19 18:57:30Z [provider.init-stack]: CREATE_IN_PROGRESS  state changed
    2020-04-19 18:57:50Z [provider.init-stack]: CREATE_COMPLETE  state changed
    2020-04-19 18:57:50Z [provider.ad-create]: CREATE_IN_PROGRESS  state changed
    2020-04-19 18:58:15Z [provider.ad-create]: CREATE_COMPLETE  state changed
    2020-04-19 18:58:15Z [provider.lb-create]: CREATE_IN_PROGRESS  state changed
    2020-04-19 18:59:33Z [provider.lb-create]: CREATE_COMPLETE  state changed
    2020-04-19 18:59:33Z [provider.pause]: CREATE_IN_PROGRESS  state changed

    Now stack provisioning pauses for the value of delay (15 minutes by default). This is needed to complete the provisioning of the Active Directory Domain Controller.

    During this stage, the Microsoft Windows Server VM ras-pa-1 boots from the image, SysPrep actions are performed, and the VM restarts. On VM’s second boot, the Cloudbase-Init service in the guest OS starts and invokes PowerShell scripts that deploy ADDS. After that, the VM restarts again. After this, the VM ras-pa-1 is ready to serve as an Active Directory Domain Controller and accept connection from the VMs created next. The 15 minutes set by default should be enough for this operation to complete. You can, however, increase this timeout up to 1 hour by changing the delay parameter in the template.

  4. During the pause stage, change the DNS server of the created private network to the IP address of the newly created ras-pa-1 VM. This needs to be done before any other VMs are deployed, so they can find the AD DNS server and join the domain.

    In the self-service panel of your Virtuozzo Hybrid Infrastructure cluster, find out the IP address of the ras-pa-1 VM on the Virtual machines screen. For example:


    In the Networks section, change the DNS server parameter of the new private network. For example:

  5. Wait for the tenant provisioning to complete:

    2020-04-19 19:15:15Z [provider.pause]: CREATE_COMPLETE  state changed
    2020-04-19 19:15:16Z [provider.server_group_gw]: CREATE_IN_PROGRESS  state changed
    2020-04-19 19:15:16Z [provider.last_pa]: CREATE_IN_PROGRESS  state changed
    2020-04-19 19:15:45Z [provider.last_pa]: CREATE_COMPLETE  state changed
    2020-04-19 19:15:50Z [provider.server_group_gw]: CREATE_COMPLETE  state changed
    2020-04-19 19:15:50Z [provider]: CREATE_COMPLETE  Stack CREATE completed successfully
    | Field               | Value                                |
    | id                  | 266fc393-a332-4ed0-924e-3f8115fdf9c7 |
    | stack_name          | del123                               |
    | creation_time       | 2020-04-19T18:57:29Z                 |
    | updated_time        | None                                 |
    | stack_status        | CREATE_COMPLETE                      |
    | stack_status_reason | Stack CREATE completed successfully  |

After the tenant is ready, you can assign floating IPs to the VMs to be able to log in to them via RDP.

Now you can log in to the ras-pa-1 VM and deploy the first Parallels RAS Publishing Agent in the MSP broker tenant. Next, deploy RAS Secure Gateways in ras-gw-0 and ras-gw-1 VMs. After this, you can deploy and configure the Parallels RAS tenant according to the Parallels RAS Administrator’s Guide.


To make the DNS service more reliable, you can manually deploy the second AD controller and DNS server in the ras-pa-2 VM. Then you can add the IP Address of the ras-pa-2 VM to the list of DNS servers of your tenant network.