Setting Up the MiDesktop Instant Clone Base Image (RHEL)

Overview

The base image must be properly configured before deploying a desktop pool. This document contains the steps that must be completed to ensure it is set up correctly and in accordance with vendor best practices.

Red Hat Satellite Requirement

Red Hat Satellite account is required for all RHEL Horizon View pools because the RHEL base image must be registered with Satellite for lifecycle management, updates, and patching.

If your team does not have a Red Hat Satellite subscription, please contact the Red Hat Satellite at U-M for consultation and assistance in obtaining the required subscription.

Install the Operating System (for Blank Images ONLY)

  1. Open a web browser to MiDesktop vCenter. For more information, see steps in Accessing MiDesktop vCenter.
  2. Click the base image, and then click the Summary tab.
  3. Click Launch Remote Console and power on the VM.
  4. Click the VMRC menu > Removable Devices > CD/DVD drive 1 > Select Datastore ISO file
  5. When the file browser opens, navigate to NFS-MACC-VDI > ISOs, and select the folder which contains your ISO file. If the ISO you need is not available, send a request to [email protected] so it can be added
  6. Issue a CTRL + ALT + DEL on the VMRC console to restart the VM and boot to the ISO to load the OS

Configure Active Directory

  1. Before beginning, the base image must be added to UM Active Directory. Please see Configure Active Directory Information on the Onboarding section of the MiDesktop service page to ensure you have the correct permissions to continue.
  2. Create an Active Directory computer object in your OU - it must have the same name as the hostname of your base image.

Log in to the Base Image and Change the Admin and Root Passwords (for MiDesktop-Provided Images)

  1. MiDesktop will provide a local admin password for the base image
  2. Follow steps in Accessing vCenter to Manage Base Images
  3. Click the base image, and then click Summary tab
  4. Click Launch Remote Console and power on the VM
  5. Log into the base image with the temporary credentials provided. You will be prompted to change the admin password at the first login.
  6. Set the root password 
sudo passwd root
  1. Reboot
  2. Log in again, and open a terminal to perform the remaining steps of this document.

Register the Base Image with Satellite Server

  1. Navigate to https://satellite.linux.it.umich.edu/users/login.
  2. Click ContentLifecycle Activation Keys.
  3. Click your group’s activation key.
  4. Click System Registration  link.
  5. Click Generate.
  6. Copy the registration command. You will run this command on the base image in the next step.
  7. SSH to the base image as root. 
  8. Paste and run the command copied in Step 6. 
  9. Reboot
  10. Log in to the base image using the administrator account (not root), and open a terminal to perform the remaining steps of this document

Update OS and Install VM Tools

Run:

sudo dnf update
sudo dnf install -y open-vm-tools open-vm-tools-desktop

Install Crowdstrike

  1. Verify your group has a unique Crowdstrike Customer ID. If not, please see CrowdStrike Falcon for Units for more information before continuing.
  2. Download the Crowdstrike installer from MiDesktop Downloads onto the base image.
  3. Navigate to the directory with the install file and run:
sudo yum install ../Downloads/falcon-sensor_[version].rpm
  1. Remove the agent ID:
sudo /opt/CrowdStrike/falconctl -d -f --aid
  1. Add the customer ID:
sudo /opt/CrowdStrike/falconctl -s --cid=your dept cid --tags=optional.tags
  1. Start the Falcon agent:
sudo systemctl start falcon-sensor
  1. Confirm Falcon installation:
sudo ps -e | grep falcon-sensor

You should receive results for the running Falcon sensor:

XXX ?        00:00:08 falcon-sensor-b

Install NVIDIA vGPU Driver (for GPU Base Images ONLY)

  1. Verify secure boot is disabled on the base image:
mokutil --sb-state

If enabled, contact [email protected] to disable it before continuing

  1. Check DRM KMS status:
cat /proc/cmdline

If nvidia-drm.modeset=1 is present:

sudo nano /etc/default/grub

Find the kernel command line, e.g. GRUB_CMDLINE_LINUX="rhgb quiet nvidia-drm.modeset=1"

Delete only nvidia-drm.modeset=1 so it becomes GRUB_CMDLINE_LINUX="rhgb quiet"

Apply the change

sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

Reboot

Verify nvidia-drm.modeset=1 is not present 

cat /proc/cmdline
  1. Check Nouveau driver status:
lsmod | grep nouveau

If you get any results, the driver is enabled and must be disabled:

sudo nano /etc/modprobe.d/blacklist-nouveau.conf

Add these lines, save and exit:

blacklist nouveau
options nouveau modeset=0

Regenerate initramfs:

sudo dracut -f

Reboot

Verify Nouveau is not loaded

lsmod | grep nouveau  
  1. Disable Wayland (with gdm display manager):
sudo nano /etc/gdm/custom.conf

Uncomment this line, then save and exit:

WaylandEnable=false

Reboot

  1. Before continuing, ensure you can reach the base image via SSH. During the NVIDIA driver installation, the desktop environment is temporarily disabled so SSH is the only way to complete the installation. Ensure that SSH access is restricted to authorized users only.

It is also helpful to take a snapshot of the base image before continuing so that any missteps can be reverted.

  1. Download the NVIDIA vGPU driver (.rpm file) and the ClientConfig Token file from the MiDesktop downloads site. Also download the Horizon View Agent .tar.gz file since you will be unable to do it later.
  2. Install dependencies:
sudo dnf install libXScrnSaver nss-tools pulseaudio-utils
sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
sudo yum install libappindicator-gtk3
  1. Install the NVIDIA driver

Navigate to the directory containing the NVIDIA vGPU driver and run: 

sudo dnf install ./nvidia-linux-grid-<version>.rpm

        Reboot

  1. Set license type:
sudo nano /etc/nvidia/gridd.conf

Set FeatureType=1, save and exit

  1. Copy the client config token to the NVIDIA GPU license directory and set the permission mode:
sudo cp /path/to/Prod_DLS_ClientConfigToken__[token date].tok /etc/nvidia/ClientConfigToken/
sudo chmod 744 /etc/nvidia/ClientConfigToken/client_configuration_token_*.tok

Verify:

sudo ls -l /etc/nvidia/ClientConfigToken

The expected result should be:

 -rwxr--r-- 1 root root

Restart the NVIDIA GRID licensing service:

sudo systemctl restart nvidia-gridd

Verify licensing status:

nvidia-smi -q | grep "License Status" 

Configure Base Image Active Directory

  1. Install SSSD package
sudo dnf install samba-common-tools realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation
  1. Verify the domain is discoverable via DNS:
realm discover adsroot.itcs.umich.edu
  1. If you have not already downloaded the Horizon Agent, download it from the MiDesktop Downloads site and extract the files:
tar -xzvf /path/Omnissa-horizonagent-linux-[version].tar.gz
  1. Navigate to the extracted directory
cd /path/Omnissa-horizonagent-linux-[version]
  1. Run the Horizon Agent pre-check:
sudo ./easyinstall_viewagent.sh -p
  1. Join the domain using the Horizon Agent easy installer:
sudo ./easyinstall_viewagent.sh -c -l advanced

Respond to the prompts:

DNS server: 10.10.10.10,10.10.5.5

Host name: [base image hostname]

IP address of the ntp server: [leave blank]

Join the active directory: y

Domain FQDN: adsroot.itcs.umich.edu

User name used to join domain: [domain user name]

Input the computer OU to join: [leave blank, it will join the domain in the OU in which the computer object was created during Active Directory configuration]

Password: [domain user password]

  1. Review the summary and confirm

Modify SSSD Configuration

  1. Modify the SSSD configuration:
sudo nano /etc/sssd/sssd.conf
  1. Replace the file contents with this, then save and exit:
[sssd]
domains = adsroot.itcs.umich.edu
config_file_version = 2
services = nss, pam

[domain/adsroot.itcs.umich.edu]
ad_gpo_access_control = permissive
ad_gpo_map_interactive = +gdm-hzncred
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = ADSROOT.ITCS.UMICH.EDU
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
ad_domain = adsroot.itcs.umich.edu
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
case_sensitive = False
dydns_update = True
ignore_group_members = True
ldap_user_gid_number = primaryGroupID
  1. Reboot

 

Install Horizon View Agent

  1. Navigate to the Omnissa Horizon agent folder:
cd /path_to/Omnissa-horizonagent-linux-[version]
  1. Install the Horizon agent:
sudo ./easyinstall_viewagent.sh -i
  1. Reboot

 

Modify View Agent Configuration

  1. Edit the custom View agent configuration:
sudo nano /etc/omnissa/viewagent-custom.conf

Uncomment the following lines:

SSOUserFormat=[domain]\\[username]
OfflineJoinDomain=sssd
  1. Restart

Unregister the Base Image From Satellite

  1. Unregister
sudo subscription-manager unregister
sudo subscription-manager clean
  1. Remove any remaining subscription/product identity data
sudo rm -rf /etc/pki/consumer /etc/pki/product
sudo rm -f /etc/rhsm/facts/*
  1. Reset machine ID (important for networking and identity)
sudo rm -f /etc/machine-id
sudo systemd-machine-id-setup

Remove Initial Setup Wizard

sudo dnf remove -y gnome-tour 

Take a Snapshot

Once the base image is configured, take a snapshot for use later in the new VDI pool creation process to create the virtual desktops.

  1. Shut down the base image.
  2. From MiDesktop vCenter, click the Snapshots tab and click Take Snapshot.
  3. Name the snapshot, enter a description (optional), and click Create.
    Note: Remember the snapshot name. This is used to create the desktop machine pool later.
Last Updated
Tuesday, June 23, 2026