29 Replies to “How to configure Active Directory OU placement Policies in vRA 7.2”

  1. Hello !

    I got some problem running this policy mapping.
    It seams to fail from Vro with a error like this one:
    Error in (Workflow:Add machine to active directory (Event Broker) / Get Policy Data (item3)#3) Supplied tenant ‘TEST’ is different from the token’s tenant ‘vsphere.local’

    I use a different Tenant as the default vphere.local.
    Are you using a different Tenant for you test ?

    Thanks for your answer.

      • Yes We running version 7.2 I was able to fix the Issu by setting the authentication source to vRA instead of vsphere center.

        Thanks for the reply.

        • Where did you go to change the authentication source? We are having the same problem.

          Also, does this require event broker? We are running the standard version and don’t have event broker feature yet

          • We are currently encountering same issue. Can you please show us how you change the authentication source.

          • Hi,
            If you want to add Active Directory as an Identity Source you should:

            Log in to your appliance as tenant administrator https://fqdn/vcac
            -> Administration -> Directories Management -> Directories ->+Add directory
            choose Add Active Directory LDAP/IWA
            provide the necessary details about your AD and it’s done!
            During the log on you will be able to change the domain that you log on vsphere.local vs your.AD

  2. I’m using vRA 7.1 and external vRO and am getting the following error:
    ] (com.vmware.vra/getDefaultHostForTenant) Error in (Dynamic Script Module name : getDefaultHostForTenant#8) In order to use the session mode ‘Per User Session’ vCO must be registered in the vCAC component registry.
    [2017-01-23 16:22:48.293] [E] Workflow execution stack:
    item: ‘Add machine to active directory (Event Broker)/item3’, state: ‘failed’, business state: ‘null’, exception: ‘In order to use the session mode ‘Per User Session’ vCO must be registered in the vCAC component registry. (Dynamic Script Module name : getDefaultHostForTenant#8)’
    workflow: ‘Add machine to active directory (Event Broker)’

  3. Hi, I configured this in vRA 7.2 and worked as a charm, thank you!

    But in other implementation I’m using vRA 7.1 and is not working. What I detected is that the workflow “System\vRealize Automation\AD Integration\Add machine to Active Directory (Event Broker)” is not been executed despite I configured the Business Group AD Policy.

    I also tryed with the ext.activedirectory custom propertie, but didn’t work.

    We are using the internal vRO appliance.

    Do you have any idea how could be happening?

    Thank you!

  4. We have this up and running for our Windows server blueprints.
    For our Linux based servers, we have multiple OU’s based on the application. I am trying to set up the blueprints so they will allow the user to select the desired OU via – dropdown or tree. I know an XaaS blueprint has that functionality I created.

    In this case I am looking to not only select the OU but also set a value that I pass to the local puppet script being executed. Any suggestions?

    • I was able to get this working using the Property Dictionary. Under the Property Definitions, create a new entry. Name it ext.policy.activedirectory.id, select it as a string, and a dropdown. Under dropdown, choose external source and find com.vmware.vra.ad/listPolicies in the vCO page that’s presented.

      In your Blueprint create a custom property for ext.policy.activedirectory.id and leave the value blank. Check the box to ‘Show in Request’. Your blueprint will now display as many Active Directory Policies as you create.

  5. How does this work if you have two Active Directory servers in two locations (two data centres DC1 and DC2)?

    I’ve got two locations with synched AD servers. During the Windows Domain Join process, it registered with the closest AD server. However vRA creates the AD object in DC1’s AD. Unfortunately AD sync between DC1 and DC2 is not that quick.

    I’ve had an issue when deploying machines to the second DC, duplicate AD objects are created, which leads to group policies not being applied.

  6. I tried this but it seems customization specs defined at Virtual Center are taking precedence over property dictionary and ad object is moving to default Computers OU.

  7. Hello,
    The steps above will create the computer object in the specified OU. Will it join to that domain or I still need to have the vCenter customization spec in my blueprint?

  8. Hi,
    Anyone tried this on a cross domain (trusted) environment? We are having an issue when creating the AD policy. I am getting an error “specified OU could not be found in the selected AD endpoint”.
    Here is our AD environment and we created this way:
    Domain A (has all user accounts) and Domain B (will contain computer objects)
    Domain B trust Domain A (1 way trust only).
    Both domain A and Domain B is added successfully into the AD endpoint.
    However we are having problem(as mentioned above) when creating AD policy using an account from domainA (eg. svcad@domainA)
    The svcad@domainA account has been delegated permission to add/remove computer in the specified OU (ou=w2k12,ou=vra,dc=domainB,dc=com).

  9. I have an event subscription that renames the VMs to a customer defined hostname prefix. This breaks the OU placement because it happens after the initial placement. Is there a way to make an event subscription happen before the OU placement?

  10. Hi Ryan, the customer request me to set multiple LDAP Server HOST/IP in Active Directory server configuration or binding active directory (ex. corp.local), is it possible?

  11. I have this configured and working as expected.

    Anyone with an idea how to create a workflow to change Computer OU after deploying. We have a default OU for 95% of the deployments, but need to move the other 5% to other OU’s in AD using vRA if possible

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.