One of the new features in vRealize Automation 7.2 is out-of-the-box functionality to create a computer account in a specified OU before the VM is provisioned. This is a common requirement when Group Policy and/or SCCM are part of your Windows build process, because those tools expect the machine to land in a specific OU as soon as it joins the domain. It is also sometimes used for Linux machines that authenticate against Windows. Previously this was done through custom vRealize Orchestrator extensibility workflows.
Login to the vRA portal as a cloud admin and configure the Active Directory Endpoint
- Click administration
- Click vRO Configuration
- Click Endpoints
- Select the Active Directory Endpoint
- Click Next
- Enter the Active Directory Server FQDN
- Accept the default port or enter it
- Enter the Base DN from which to start searching for OUs
- Choose whether SSL is used
- Enter the default domain name
- Enter an account with privileges to add/remove computer accounts in OUs
- Enter the password
- Click Finish
Create the new Policy
- Enter a name for the new policy (something descriptive so it is easy to identify)
- Enter a Description
- Select the endpoint we just created
- Enter the domain name
- Enter the OU Distinguished name for this policy (This is the OU that machines will get created in)
- Click OK
Option A: Apply the policy to a business group (Note: this applies the policy to all blueprints provisioned from this business group, Windows and Linux)
- Click Administration
- Click Users and Groups
- Click Business Groups
- Select the policy we just created
- Click Finish
Option B: Apply the policy to a specific blueprint (Note: a policy is not required at the business group level; if one is set there, the blueprint policy overrides it)
- Select the machine you want to modify
- Click the properties tab
- Click custom properties
- Enter the following custom property
- Enter the name of the policy you want to apply
- Click finish
Notice that the account was created in the OU before the VM was provisioned in vSphere.
Note: yes, it also deletes the account when you destroy the machine or the deployment!
For more information and additional custom properties, see here.
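The same pre-stage and clean-up behaviour the policy performs, written out as an added PowerShell example (not code from the original post or from VMware's workflows) so you can validate the delegated account and target OU before wiring them into the endpoint. The DC name, OU DN and computer name are placeholders; the account supplied to Get-Credential is assumed to hold only create/delete rights on computer objects in that OU rather than Domain Admin membership.

```powershell
# Added example: pre-stage a computer object in the policy OU and remove it on destroy,
# with the checks that explain the errors seen around this feature.
# Placeholders: DC FQDN, OU DN and computer name are constructed for illustration.
Import-Module ActiveDirectory

$Server   = 'dc01.domainB.example'                     # placeholder DC the endpoint points at
$TargetOU = 'OU=w2k12,OU=vra,DC=domainB,DC=example'    # placeholder policy OU
$Cred     = Get-Credential -Message 'Delegated account (create/delete computer objects only)'

function Test-PolicyOU {
    param([string]$Dn)
    # Mirrors the "specified OU could not be found in the selected AD endpoint" failure:
    # the DN must resolve on the endpoint's own DC, not merely somewhere in the forest.
    try {
        Get-ADOrganizationalUnit -Identity $Dn -Server $Server -Credential $Cred | Out-Null
        return $true
    } catch { return $false }
}

function New-PrestagedComputer {
    param([string]$Name, [string]$Dn)
    if (-not (Test-PolicyOU -Dn $Dn)) { throw "OU not found on $Server : $Dn" }
    # Refuse to create a second object with the same name: a duplicate in another OU
    # is what breaks Group Policy application after the domain join.
    $existing = Get-ADComputer -Filter "Name -eq '$Name'" -Server $Server -Credential $Cred
    if ($existing) { throw "Computer '$Name' already exists at $($existing.DistinguishedName)" }
    New-ADComputer -Name $Name -SamAccountName "$Name`$" -Path $Dn -Enabled $true `
        -Server $Server -Credential $Cred -PassThru
}

function Remove-PrestagedComputer {
    param([string]$Name, [string]$Dn)
    # Only delete when the object still lives in the policy OU; an object an admin
    # has moved elsewhere is not ours to remove when the deployment is destroyed.
    $obj = Get-ADComputer -Identity "$Name`$" -Server $Server -Credential $Cred
    if ($obj.DistinguishedName -notlike "*,$Dn") { throw "'$Name' is not in $Dn; not deleting" }
    Remove-ADComputer -Identity $obj -Server $Server -Credential $Cred -Confirm:$false
}

# Usage: pre-stage before the VM is provisioned, remove on destroy.
New-PrestagedComputer -Name 'vra-web01' -Dn $TargetOU
# Remove-PrestagedComputer -Name 'vra-web01' -Dn $TargetOU
```

If New-PrestagedComputer fails with an access-denied error while Test-PolicyOU succeeds, the account can read but not create in that OU, which is the delegation to fix before configuring the endpoint.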
I have a problem running this policy mapping.
It seems to fail from vRO with an error like this one:
Error in (Workflow:Add machine to active directory (Event Broker) / Get Policy Data (item3)#3) Supplied tenant ‘TEST’ is different from the token’s tenant ‘vsphere.local’
I use a different tenant than the default vsphere.local.
Are you using a different tenant for your test?
Thanks for your answer.
Are you using 7.2 of vRA? This was an issue with previous versions of vRA.
Yes, we are running version 7.2. I was able to fix the issue by setting the authentication source to vRA instead of vSphere center.
Thanks for the reply.
Where did you go to change the authentication source? We are having the same problem.
Also, does this require event broker? We are running the standard version and don’t have event broker feature yet
We are currently encountering the same issue. Can you please show us how you changed the authentication source?
If you want to add Active Directory as an Identity Source you should:
Log in to your appliance as tenant administrator at https://fqdn/vcac
-> Administration -> Directories Management -> Directories -> +Add directory
Choose Add Active Directory LDAP/IWA
Provide the necessary details about your AD and it's done!
During logon you will be able to change the domain you log on to: vsphere.local vs your AD.
I’m using vRA 7.1 and external vRO and am getting the following error:
] (com.vmware.vra/getDefaultHostForTenant) Error in (Dynamic Script Module name : getDefaultHostForTenant#8) In order to use the session mode ‘Per User Session’ vCO must be registered in the vCAC component registry.
[2017-01-23 16:22:48.293] [E] Workflow execution stack:
item: ‘Add machine to active directory (Event Broker)/item3’, state: ‘failed’, business state: ‘null’, exception: ‘In order to use the session mode ‘Per User Session’ vCO must be registered in the vCAC component registry. (Dynamic Script Module name : getDefaultHostForTenant#8)’
workflow: ‘Add machine to active directory (Event Broker)’
This is fixed in 7.2 of vRA, can you upgrade and try again?
I got the same error and I have already updated to vRA 7.2 (Build 4659752).
Thanks, that's a great answer!
Hi, I configured this in vRA 7.2 and worked as a charm, thank you!
But in another implementation I'm using vRA 7.1 and it is not working. What I detected is that the workflow “System\vRealize Automation\AD Integration\Add machine to Active Directory (Event Broker)” is not being executed even though I configured the Business Group AD Policy.
I also tried with the ext.activedirectory custom property, but it didn't work.
We are using the internal vRO appliance.
Do you have any idea how this could be happening?
We have this up and running for our Windows server blueprints.
For our Linux based servers, we have multiple OUs based on the application. I am trying to set up the blueprints so they will allow the user to select the desired OU via a dropdown or tree. I know an XaaS blueprint I created has that functionality.
In this case I am looking to not only select the OU but also set a value that I pass to the local puppet script being executed. Any suggestions?
Wow! Talk about a posting knocking my socks off!
I was able to get this working using the Property Dictionary. Under the Property Definitions, create a new entry. Name it ext.policy.activedirectory.id, select it as a string, and a dropdown. Under dropdown, choose external source and find com.vmware.vra.ad/listPolicies in the vCO page that’s presented.
In your Blueprint create a custom property for ext.policy.activedirectory.id and leave the value blank. Check the box to ‘Show in Request’. Your blueprint will now display as many Active Directory Policies as you create.
This seems to only allow 19 AD containers. Is this a hard limitation?
Should not be, can you open a support request? May be a bug.
Thanks. It works! Great tip. One question:
The field name in the “New request” form is ext.policy.activedirectory.id. Do you know if it is possible to change it, to say something like “AD OU” instead? Thanks.
Never mind. I see now that you can of course change the label under Property Definitions. My bad.
How does this work if you have two Active Directory servers in two locations (two data centres DC1 and DC2)?
I’ve got two locations with synched AD servers. During the Windows Domain Join process, it registered with the closest AD server. However vRA creates the AD object in DC1’s AD. Unfortunately AD sync between DC1 and DC2 is not that quick.
I’ve had an issue when deploying machines to the second DC, duplicate AD objects are created, which leads to group policies not being applied.
I tried this but it seems customization specs defined at Virtual Center are taking precedence over the property dictionary, and the AD object is moving to the default Computers OU.
I seem to be running into the same
You will need to decide which one you want to use. If you are using the property dictionary you will need to remove this from the customization spec.
Great article. Super easy to follow
Also a point: the account that is used in AD must be the same as in the customization spec, or is that not the case anymore?
The steps above will create the computer object in the specified OU. Will it join to that domain or I still need to have the vCenter customization spec in my blueprint?
Anyone tried this on a cross domain (trusted) environment? We are having an issue when creating the AD policy. I am getting an error “specified OU could not be found in the selected AD endpoint”.
Here is our AD environment and we created this way:
Domain A (has all user accounts) and Domain B (will contain computer objects)
Domain B trusts Domain A (1 way trust only).
Both Domain A and Domain B are added successfully into the AD endpoint.
However we are having a problem (as mentioned above) when creating the AD policy using an account from Domain A (e.g. svcad@domainA).
The svcad@domainA account has been delegated permission to add/remove computer in the specified OU (ou=w2k12,ou=vra,dc=domainB,dc=com).
I have an event subscription that renames the VMs to a customer defined hostname prefix. This breaks the OU placement because it happens after the initial placement. Is there a way to make an event subscription happen before the OU placement?
Hi Ryan, the customer has asked me to set multiple LDAP server hosts/IPs in the Active Directory server configuration, or to bind to Active Directory (e.g. corp.local). Is that possible?
I have this configured and working as expected.
Anyone with an idea how to create a workflow to change a computer's OU after deploying? We have a default OU for 95% of the deployments, but need to move the other 5% to other OUs in AD using vRA if possible.