VCP7-CMA Section 5 Objective 5.2 Create and Manage Fabric Groups, Reservations and Network Profiles

Create and configure a fabric group & Select compute resources to include in the fabric group

The fabric includes all the compute resources that are discovered by endpoint data collection. The fabric is organised into fabric groups for provisioning.

As detailed in section 2.1, the fabric is accessible by all tenants, so Fabric Group resources can be made available to users who belong to business groups in any tenant. In most scenarios the fabric (Endpoints and Fabric Groups) is configured in the default tenant, and the other tenants access the fabric through reservations.

To clarify, if we have three tenants (Tenant A, Tenant B and Tenant C) and the IAAS Administrator of Tenant C creates a Fabric Group within Tenant C, that Fabric Group would also be available to Tenant B and Tenant A. This is commonly why the IAAS Administrator, System Administrator and possibly the Fabric Administrator roles belong to members of IT, and why the Fabric Groups are created in the default tenant.

To create a Fabric Group you need to be an IAAS Administrator. This may be confusing, as there is a Fabric Administrator role and it would seem logical that the Fabric Administrator would create a Fabric Group; however, that is not the case.

It makes more sense if we think of the IAAS Administrator as the Infrastructure Admin: the Infrastructure Admin creates a Fabric Group, which is essentially a logical group of infrastructure. The IAAS Administrator (Infrastructure Admin) is responsible for creating groups of infrastructure, whereas the Fabric Administrator is assigned to that group of infrastructure (Fabric Group) to manage, amongst other things, who has access to it.

I will reiterate that learning the vRA roles is very important (details in section 2.1).

To create the Fabric Group, log in as an IAAS Administrator, browse to the Infrastructure tab and select Endpoints > Fabric Groups > New.


Since I only have a single compute resource configured in my lab (vCenter), that is the only compute resource I can select. Assign a Fabric Administrator and give the Fabric Group a name.

  • If you’re following along in your lab and the compute resource section is blank despite adding an Endpoint then check for this issue.

Configure compute resource Data Collection

Depending on your setup, you may need to log out and back in to the tenant to be assigned the Fabric Administrator role. The required tabs won't appear until you have done this.

As the Fabric Administrator you will gain a number of new options within the Infrastructure tab, where you can manage the Fabric Group resources you are now responsible for.

Under Infrastructure > Compute Resources > Compute Resources we can now see the compute resources from the Fabric Groups we are responsible for.


Ensure that data collection is working by clicking the magnifying glass and viewing the info of that compute resource.


You can kick off data collection for the compute resource if the info fields haven’t populated by clicking the right facing arrow and selecting Data Collection.


Here we can configure the default data collection frequency. By default the Inventory, Performance and Network Security Inventory collections run daily. It's worth changing these times to match the requirements of your environment, keeping in mind the impact of collections performed too frequently. As my lab environment is very small I have set my collection times to every hour. You can also come here to request immediate data collection if required.


  • If you’re following along in your lab and Data Collection isn’t working on your compute resource then check for this issue.

Create a vSphere reservation & Assign a business group to the vSphere reservation

Reservations are created by the Fabric Administrator. They are a share of provisioning resources allocated by the Fabric Administrator from a fabric group and reserved for use by a particular business group.

Each reservation is for a single business group; a business group can have multiple reservations.

A reservation is a share of the memory, CPU, networking, and storage resources of one compute resource allocated to a particular business group. If we had a vCenter with a total of 96GB of RAM available and 3 business groups, we could create 3 reservations on the same compute resource, one reservation for each business group, and assign each reservation 32GB of RAM, so each business group has 32GB of RAM available. vRA reservations are different to vSphere reservations, in that vRA reservations define what resources are AVAILABLE to a business group rather than guaranteeing that resource to the business group.


Create a reservation under Infrastructure>Reservations>Reservations using the Fabric Administrator role.


Select the appropriate vRA resource you want to create a reservation on.


On the General tab, give the reservation a name and select which tenant you wish to create the reservation for. Remember that the fabric and Fabric Groups are available to all tenants; as a reservation links Fabric Groups to Business Groups, it makes sense that a reservation can be created in Tenant A for a Fabric Group in Tenant B.

Reservation policies are a way to guarantee that the selected reservation satisfies additional requirements for provisioning machines from a specific blueprint. For example, if a blueprint uses a specific VM Template, you can use reservation policies to limit provisioning to a reservation linked to a vCenter endpoint that has that VM Template available.

Select the priority. If the Business Group has multiple vCenter reservations when provisioning a machine, this priority sets the provisioning preference.

Ensure that the reservation is enabled.

On the Resources tab, select the compute resource you wish to create a reservation for and complete the required fields.

The Machine Quota field limits the number of machines (VMs) that can be provisioned using this reservation.


The Network tab contains information relating to which networks (port groups) are available to the business group when provisioning virtual machines. This will be explained in the network profile types objective below; for now I just selected a single port group.

The Properties tab is where we can assign custom properties to the reservation; custom properties are covered in section 1.1.

Once a reservation is assigned to a Business Group, we can see the business group's quota allocation used from Administration > Users & Groups > Business Groups.


Create a vCloud Air Reservation

vCloud Air reservations are created in the same manner as vCenter reservations, with the exception that you select vCloud Air from the vRA resource types.

Create and configure network profile types

First and foremost there’s a really good blog post from VMware on use cases for Network Profiles here.

  • External network profiles

Essentially an external network is a pre-existing subnet within your environment that can be VXLAN\VLAN backed; it's already deployed and an IP range is already assigned to the network. The network profile specifies the existing gateway of that subnet, the subnet mask and the available IP range on that network.

  • NAT network profiles

Used when deploying networks with overlapping IPs, dynamically provisioning an NSX Edge to NAT these networks externally. You need an external network profile (next hop network) in order to create a NAT network profile; the specified external network is where the newly deployed NSX Edge gateway attaches its uplink, and all other provisioned networks are attached to an NSX LIF.

  • Routed network profile

Used when deploying networks behind a pre-existing NSX DLR and wanting those networks to dynamically route out via an upstream NSX Edge. You need an external network profile (next hop network) in order to create a routed network profile; the DLR uses the gateway IP specified in the external network profile as the destination to which it distributes the new network routes.

Network profiles are created within Infrastructure > Reservations > Network Profiles.


Select the profile type you want to create; here we are selecting External Network.

Complete the required tabs

General


DNS


Network Ranges


Once this has been completed we can assign it to a network within a business group reservation from the Network tab. A machine provisioned using this reservation on the 168_DATA network will now receive its IP settings from the 168_DATA_NP network profile.


In order to create NAT and Routed network profiles you really need to understand what you're trying to achieve. I will link another blog about NAT and Routed network profiles and how they relate to my lab environment later, which should hopefully help the concept of these profiles stick.

Create and configure machine prefixes

Machine prefixes are used to generate names for provisioned machines and are shared across all tenants. Fabric Administrators are responsible for managing machine prefixes. Every business group has a default machine prefix and every blueprint must also have a machine prefix; if no prefix is specified in the blueprint, the default prefix specified in the business group is used.

Machine prefixes in relation to blueprints are covered in Section 1 Objective 1.1.

You specify a number of digits for each prefix and then the next number. With a machine prefix of DLVRA, a number of digits of 3 and a next number of 1, the first machine provisioned will be DLVRA001, the next DLVRA002 and so on.

Prefixes are created under Infrastructure > Administration > Machine Prefixes by the Fabric Administrator.


Ensure that all business groups have been assigned a default prefix. Machine prefixes were also covered in Section 2.3.


VCP7-CMA Section 5 Objective 5.1 Create and Manage VMware Endpoints

Create and configure a vSphere Endpoint

A vSphere endpoint enables vRealize Automation to provision virtual machines against the resources managed by a vCenter Server instance.

There must be a proxy agent installed for EACH vCenter server you intend to add as an endpoint.


To install the proxy agent, on a Windows Server browse to the vRA appliance and select the “vRealize Automation Component Installation Page”.


Then select the IaaS Installer


Open the installer, accept the license and then proceed through the installation. Set the appliance host name and the root username and password used to access the VAMI page.


Select Proxy Agents to install.


Set the user that the Windows service will run as.


Select the vSphere agent type and complete the required fields. The Manager Service host and Model Manager Web Service host will be running on an IaaS server; depending on your deployment model this may be the same server.


Note that the Endpoint name must MATCH the value we give in vRealize Automation.

Add the endpoint and then let installation continue and complete.


We can now see the service running on the Windows Server we installed the proxy agent on.


The service shows the SERVICE name and not the ENDPOINT name we specified.

FYI, you specify a vSphere proxy agent for a vCenter during the installation of vRA. I had forgotten what I called my endpoint and subsequently thought it was worth running through this process for study purposes.

I stopped the other proxy agent that was running on my IAAS box.


To add a vSphere endpoint to vRA you need to have the IAAS Administrator role assigned to your user.

Browse to the Infrastructure TAB and Select Endpoints.

Select New and browse to Virtual > vSphere (vCenter).


Complete the fields, ensuring that the Name field matches the endpoint name of the proxy agent configured above. I'm using my DLIAASSVC service account to connect to vCenter.


Add a vRealize Orchestrator endpoint to vRealize Automation

The vRA Appliance has an embedded Orchestrator Appliance that can be used in smaller deployments or you can configure an external Orchestrator appliance\cluster in larger deployments.

The tenant administrator can configure tenant specific Orchestrator settings under Administration tab > vRO Configuration> Server Configuration.

Here you can choose to use the default Orchestrator server that was configured by the system administrator in the default tenant (out of the box this is the embedded Orchestrator appliance), or you can configure an external Orchestrator server.


As I haven't configured the default tenant to use a different Orchestrator appliance, I am using the default Orchestrator server in my lab, which is the embedded Orchestrator appliance.


You can browse to the default Orchestrator Control Center using the standard Orchestrator port, although note that the Control Center service is stopped by default.

https://dlvra01.danlab.local:8283/vco-controlcenter/

If you browse to the vRA splash page you can launch the Orchestrator client.


The Orchestrator client opens using port 443 on the vRA appliance, not 8281, and the default login for the Orchestrator client is the same system administrator account you'd use to access the default tenant (“administrator”).

You will still need to add the vRealize Orchestrator Appliance as an Endpoint even if you’re using the embedded appliance.

Logged in as an IAAS Administrator, browse to the Infrastructure tab and select Endpoints.

Select New and browse to Orchestrator > vRealize Orchestrator.


Enter the name and optionally the description.

The address for the embedded vRO appliance will be https://VRAFQDN:443/vco

As I've not configured my Orchestrator appliance to be integrated with AD yet, I'm using the default vRO username and password, which are the same credentials used to log in to the default vRA tenant.

There is a priority option; if you have multiple Orchestrator endpoints, this priority helps vRA determine which vRO appliance to execute the workflow from. The highest priority Orchestrator endpoint is used first, then the next highest priority if that one is not available.

Lower values mean higher priority. In older versions of vRA the same could be achieved by setting the VMware.VCenterOrchestrator.Priority property on the vRO endpoint's Properties tab; the property name is case sensitive.


At this point vRA knows about vRO and vCenter (vSphere).

However, as vRO does all the heavy lifting when it comes to automation, vRO also needs to know about vCenter and vRA. Configuring vRA and vCenter settings in vRO is covered in Section 6; however, as this section covers endpoint configuration, you can configure some vCenter settings for vRO from within vRA.

You can create a vSphere endpoint for vRealize Orchestrator in vRA by going to Administration tab > vRO Configuration > Endpoint.


Give the endpoint a name, matching the vRA endpoint name.


Set the vCenter hostname.


Set the user name that Orchestrator will use to connect to vCenter. I have created a vRO service account so that all actions performed by vRO can be traced to this account. It has Administrator privileges and global admin privileges.


Adding the endpoint through vRA kicks off the vRO “Add a vCenter Server Instance” workflow. Essentially vRA is calling the vRO API to run the workflow; running this workflow directly through vRO is covered in Section 6.4.

Once this has completed, we can see in the vRO inventory that the vCenter has been added to vRO, and we can now run vRO workflows against the vCenter from vRA.


Configure the NSX plugin in vRealize Orchestrator

Some of this section seems to be covered in Section 6 Objective 4, “Install and configure NSX plugin”, so I won't include the installation of the plugin here. See section 6.4 for those details.

With the NSX plugin installed, run the workflow under Library > NSX > Configuration > Create NSX endpoint.


This will add NSX as an endpoint in vRO; enter the workflow input parameters required to connect to NSX Manager.


Troubleshoot if required; successfully running the workflow will show NSX Manager in the vRO inventory.


Integrate vRealize Automation with NSX

To add an NSX endpoint you will need the IAAS Administrator role assigned to your user account.

Browse to Infrastructure > Endpoints > New.


Complete the required fields and add the NSX endpoint.


 

Perform data collection in vRealize Automation

This is done by the IAAS Administrator under Infrastructure > Endpoints: select the vRO appliance and then start Data Collection.


Configure NSX Network and Security for the vSphere endpoint

This is done by the IAAS Administrator under Infrastructure > Endpoints, within the vSphere (vCenter) endpoint, under the Associations tab.

Assign the appropriate NSX Manager to the correct vCenter.


Adding the NSX association on the vSphere Endpoint will automatically add the vCenter endpoint to the NSX Associations.

Create and configure a vCloud Air Endpoint

This is done by the IAAS Administrator under Infrastructure > Endpoints: select New and, under Cloud, select vCloud Air, then complete the required information to add the vCloud Air endpoint.



vRA 7.3 PhysicalHostPingService: ignoring exception. IAAS Service error MSDTC Issue

Pretty much EVERY time I install vRA version 7.* I get an error relating to the vRA IAAS Service.

It stops Endpoint Compute Services from being displayed, stops data collection of all added endpoints and generally makes vRA a paperweight.

The error can be found under Infrastructure > Monitoring; you'll know you have issues if you have hundreds\thousands of the same error!


The full error looks like this…


The error is related to the MS DTC service. If your Windows SQL Server and Windows IAAS Manager servers have been rolled out from the same vSphere template then you will likely get the error. I read a large number of blogs that say this only happens if Sysprep hasn't been run; however, I see this issue whether Sysprep is run or not. The GUID of MS DTC doesn't seem to change, and the duplicate GUID entries on the SQL and IAAS Manager servers result in the issue.

Uninstalling, re-installing and re-configuring MS DTC seems to be the most appropriate resolution to this issue. I run the following commands on all IAAS Manager servers and SQL servers, then restart the SQL, IAAS Manager and vRA appliance for good measure.


# Remove the existing MS DTC instance (and with it the duplicated GUID)
Uninstall-Dtc -Confirm:$false

# Re-install MS DTC so the server gets a fresh identity
Install-Dtc

# Re-apply the network access settings the vRA IaaS components rely on
Set-DtcNetworkSetting -DtcName "Local" -RemoteAdministrationAccessEnabled:$False -RemoteClientAccessEnabled:$True -InboundTransactionsEnabled:$True -OutboundTransactionsEnabled:$True -LUTransactionsEnabled:$True -XATransactionsEnabled:$False -AuthenticationLevel Mutual -Confirm:$False

VCP7-CMA Section 2 Objective 2.4 Manage User and Group Role Assignments

Explain the roles available to vRealize Automation

The roles available in vRealize Automation have been detailed in my blog post on Section 2 Objective 2.1.

I would reiterate that learning the differences between these roles is an essential part of passing the VCP7-CMA exam.

Assign roles to individual users for a given design & Assign roles to directory groups for a given design

Under the Administration tab > Users & Groups > Directory Users & Groups you can search for a directory user or group that has synced with vRealize Automation (as detailed in Objective 2.2) and assign roles to these users or groups.

Search for the user or group you wish to assign roles to.


Click on the user or group and assign the roles you wish to assign.


Create vRealize Automation custom groups and assign roles

To create a custom group, go to Administration tab > Users & Groups > Custom Groups > New and select the roles you wish to assign to the custom group.

The “Authorities Granted by Selected Roles” section shows you the overall privileges of the custom group.


When building a lab to get yourself familiar with vRA you may want to create a “god” custom group and assign all roles to it. Whether this is beneficial for the exam is debatable, as learning the privileges assigned to each role is important for the exam.

You can then add directory users/groups or local tenant users to the custom group.


Tools

vRO convert objects from string to object type

This code can be used to convert a vDS portgroup name of type string to a vDS portgroup object of type VC:DistributedVirtualPortgroup.

You can use this to convert anything by calling the appropriate methods and querying the appropriate value.

Here we call the getAllDistributedVirtualPortgroups() method to get all vDS portgroups, but you could call the getAllVirtualMachines() or getAllDatastores() method instead.

Set an input parameter pgName of type string and an output parameter nicnetwork of type VC:DistributedVirtualPortgroup.

The vDS portgroup .name value will have the vDS name in brackets after the portgroup name, in a format similar to “MyPortgroup (myVDS)”.

So the input string would have to be in this form for the comparison to work, or you'd need to elaborate on the JavaScript.


// Retrieve every distributed portgroup visible to the vCenter plug-in
var portgroups = VcPlugin.getAllDistributedVirtualPortgroups();

// Compare each portgroup's display name ("MyPortgroup (myVDS)") with the input string
// and hand the matching object back through the output parameter
for (var i = 0; i < portgroups.length; i++) {
    if (portgroups[i].name == pgName) {
        nicnetwork = portgroups[i];
    }
}
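The snippet above compares the whole label, so the caller has to know the exact “Portgroup (vDS)” string. The JavaScript below is an added example (not code from the original post) that parses that label format, so the caller can pass either the full label or just the portgroup name and use the switch name to disambiguate when the same portgroup name exists on two distributed switches. The sample inventory is constructed, and the helper names are this example's own; in vRO the array would come from VcPlugin.getAllDistributedVirtualPortgroups().

```javascript
// Added example (not part of the original post): resolve a vDS portgroup by name.
// The objects below are constructed stand-ins for VC:DistributedVirtualPortgroup,
// exposing only the .name property the lookup uses. In vRO the array would come
// from VcPlugin.getAllDistributedVirtualPortgroups(); the helper function names
// are this example's own.

// Split a vRO display label such as "MyPortgroup (myVDS)" into its parts.
// Returns null when the label does not end in a parenthesised vDS name.
function parsePortgroupLabel(label) {
    var m = /^(.*?)\s*\(([^()]+)\)\s*$/.exec(label);
    if (!m) {
        return null;
    }
    return { portgroup: m[1], vds: m[2] };
}

// Find the portgroup matching pgName. pgName may be the full "Portgroup (vDS)"
// label or a bare portgroup name; vdsName (optional) pins a bare name to one
// switch. Returns the matching object, null when nothing matches, and throws
// when a bare name is found on more than one switch rather than guessing.
function findPortgroup(portgroups, pgName, vdsName) {
    var want = parsePortgroupLabel(pgName) ||
        { portgroup: pgName.trim(), vds: vdsName || null };
    var matches = [];
    for (var i = 0; i < portgroups.length; i++) {
        var have = parsePortgroupLabel(portgroups[i].name);
        if (!have || have.portgroup !== want.portgroup) {
            continue;
        }
        if (want.vds && have.vds !== want.vds) {
            continue;
        }
        matches.push(portgroups[i]);
    }
    if (matches.length === 0) {
        return null;
    }
    if (matches.length > 1) {
        var switches = matches.map(function (p) { return parsePortgroupLabel(p.name).vds; });
        throw new Error("Ambiguous portgroup '" + pgName + "' found on: " + switches.join(", "));
    }
    return matches[0];
}

// Constructed sample inventory: the same portgroup name exists on two switches.
var samplePortgroups = [
    { name: "168_DATA (vds-prod)" },
    { name: "168_DATA (vds-dev)" },
    { name: "MGMT (vds-prod)" }
];

// Stand-alone usage; in a vRO scriptable task the result would be assigned to nicnetwork.
var nicnetwork = findPortgroup(samplePortgroups, "168_DATA", "vds-dev");
console.log(nicnetwork ? "Resolved: " + nicnetwork.name : "No match");
```

Throwing on an ambiguous bare name is deliberate: silently taking the last match (which is what a plain loop without a break does) can attach a provisioned VM to a portgroup on the wrong switch.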

vRO Return Datastores over a specified TB size

This code returns only the datastores over a specified terabyte size.

Set two input parameters:

  • inputTB of type number, the TB size that determines which datastores are returned.
  • inDS of array type VC:Datastore.

Set the output parameter outDS of array type VC:Datastore.


// Convert the requested size from TB to bytes: 1 TB = 1024^4 = 1099511627776 bytes.
// (1073741824 is 1 GB, so multiplying by that would filter on GB rather than TB.)
var tbSize = inputTB * 1099511627776;

System.log("Variable tbSize is " + tbSize);

var ds = new Array();

// summary.capacity is reported by vCenter in bytes
for each (d in inDS) {
    if (d.summary.capacity >= tbSize) {
        ds.push(d);
    }
    System.log("name: " + d.name + " Size: " + d.summary.capacity);
}

outDS = ds;

vRO vMotion VM to SDRS Datastore cluster and inflate disk

The following can be used to vMotion a machine to an SDRS datastore cluster, inflating the disk to lazy zeroed thick at the same time (done by VcVirtualMachineRelocateTransformation.flat).

Create two input parameters: vMotionVM of type VC:VirtualMachine and a parameter named SDRSCL of type VC:StoragePod.

The output parameter will be myVcTask of type VC:Task


// Build the placement request for a Storage DRS relocation
var storageSpec = new VcStoragePlacementSpec();
var StorageResourceManager = vMotionVM.sdkConnection.storageResourceManager;
var podSelectionSpec = new VcStorageDrsPodSelectionSpec();
var relocateSpec = new VcVirtualMachineRelocateSpec();

// Inflate thin disks to lazy zeroed thick as part of the move
relocateSpec.transform = VcVirtualMachineRelocateTransformation.flat;

// Target datastore cluster (StoragePod) supplied as the SDRSCL input
podSelectionSpec.storagePod = SDRSCL;

storageSpec.type = "relocate";
storageSpec.vm = vMotionVM;
storageSpec.podSelectionSpec = podSelectionSpec;
storageSpec.relocateSpec = relocateSpec;

// Ask SDRS for placement recommendations, then apply the first one and return its task
var myStoragePlacementResult = StorageResourceManager.recommendDatastores(storageSpec);

var myKey = new Array();
myKey[0] = myStoragePlacementResult.recommendations[0].key;
myVcTask = StorageResourceManager.applyStorageDrsRecommendation_Task(myKey);

VCP7-CMA Section 2 Objective 2.3 Create and Manage Business Groups

Configure business groups for a given design

 

To understand the requirement for a business group you need to understand a little about the vRA fabric. In vRA, infrastructure resources you can perform actions on are called Endpoints (see Objective 3.4); for instance a vCenter is an endpoint because we can provision VMs to it. Other endpoints could be AWS, Hyper-V or things like NSX (as we can create VXLAN portgroups) or vRO (as we can start workflows).

If you have multiple vCenter endpoints you may want to group these together in a Fabric Group, because the same administrator is likely responsible for all vCenters; a fabric administrator can then be assigned to this fabric group. As you may have a different administrator (or maybe developers) responsible for vRO, you may want to group the vRO endpoints in a different Fabric Group so you can assign a different fabric administrator.

Once a fabric group is created that contains endpoints (defined as compute resources), a fabric administrator grants access to these compute resources\endpoints by defining a reservation. The reservation is specific to a business group and defines the relationship between the business group and the compute resource\endpoint within the fabric group. This allows business groups to consume the compute resource\endpoint and allows the fabric administrator to restrict the amount of endpoint resource that can be consumed by that business group.


Catalogue items are also scoped to a business group through entitlements.

The “My Goals” wizard lists tasks which are useful to complete before creating a business group. These can be found under My Goals > Tenant Configuration.


We have already created a directory service that allows us to assign directory users to a business group (in the case of my lab, Active Directory over LDAP) in Objective 2.2.

We will detail the creation of Custom Groups in Objective 2.4

We will also configure Users & Groups in Objective 2.4

Configuring branding is not specifically called out in any objective and isn't a requirement for a business group; I will come back and visit this in Objective 2.1, managing tenants.

Adding and configuring a notification provider (specifying an email server) is also not covered in any objective within the exam blueprint, but is covered below as business group managers will receive emails from the business group.

 

 

Adding notification providers is done by the Tenant Admin role.

To configure notification providers, click on the link in My Goals > Tenant Configuration > Configure Notification Providers or browse to Administration > Notifications > Email Servers.

You will need to set an incoming and an outgoing email server. My vRA appliance has access to the internet and since I don't have an Exchange server I'm using my ISP settings to configure the provider!


Business Groups are created by the Tenant administrator under Administration > Users and Groups > Business Groups.


Custom Properties are covered in Objective 1.1 and can be assigned to a business group.

There's a good blog here on Active Directory Policies, no need to reinvent the wheel!

Add users and groups to appropriate support roles for a given design


A business group must have at least one business group manager, who monitors the resource use for the group and can be the approver for catalog requests.

Let's assume a development team has their own business group. A developer, who will be a business group user, has an entitlement to a catalogue item that allows them to provision a virtual machine to any of the endpoints that the business group (development team) has a reservation to.

The business group manager, who is likely to be the development team manager or team leader, can be set as an approver of that catalog item request, and the virtual machine won't be provisioned until the development team manager has approved the developer's request.

It’s good to have this ability to approve requests as only the business group manager has access to monitor resource usage within their business group.

The business group manager will also create and manage entitlements to catalogue items for their business group.

The details of all vRA roles are found on my Objective 2.1 blog.

Determine and select the appropriate machine prefix for the business group

Creating machine prefixes is described in Section 5 Objective 5.2.

Once a machine prefix has been created, you can set the default business group machine prefix on the Infrastructure tab of the business group. When a virtual machine is provisioned by a user within the business group, the default prefix is used to form the VM name. This does not stop a different prefix from being assigned within a catalogue blueprint, and the default business group machine prefix can also be changed at any time.

If the prefix is changed, it only affects new virtual machines being provisioned and does not change the name of virtual machines that have already been provisioned!


The Active Directory container option is for WIM provisioning only. If you don't intend to use WIM provisioning to build Windows servers then stick with the Active Directory Policies on the General tab to define the destination OU of provisioned VMs; however, for the exam it's good to know the difference between the two options.

The AD Container option expects an active directory DN name in the form of

ou=windows,dc=danlab,dc=local


VCP7-CMA Section 2 Objective 2.2 Create and Manage Directories

Create and manage LDAP directory for Active Directory in vRealize Automation

Identity stores can be created and managed by the Tenant Administrator within their specified tenant, under Administration > Directories Management > Directories.


To add an LDAP directory for Active Directory select the “Add Directory” button and specify “Add Active Directory over LDAP/IWA”

To configure Active Directory over LDAP, select Active Directory over LDAP and complete the required fields.


  • Directory name – the name of the AD domain you want to sync with.
  • Sync Connector – the device that syncs users from Active Directory; when designing vRA solutions, ensure the Sync Connector is as close to a DC as possible.
  • Directory Search Attribute – the account attribute that contains the username. In scenarios where a single tenant has multiple directories that may contain users with the same sAMAccountName, you may want to specify userPrincipalName here.
  • Server Location – if vRA can't resolve the AD domain, you can specify a domain controller by IP by unticking this box.
  • Specify a user account used to bind to Active Directory.

Test the connection to Active Directory to ensure it's working correctly.

Click Next and select which domains you want to add; you may see multiple domains depending on your AD forest and associated trusts.


Select how you want to map the user attributes from AD into vRA's Identity Manager. The screenshot below also shows my Active Directory user information.

By default you will need to provide two values: the vRA manager attribute and the vRA displayName attribute. In vRA you can choose how you want a user's name to be displayed; I'm choosing to use the AD attribute of the same name, displayName. You may want the vRA displayName attribute to be the sAMAccountName or something completely different. I'm using the AD title attribute for the vRA manager attribute.


Select which groups you want to sync with vRA. How you search for groups depends on how big your AD structure is; I specified the base DN of my whole lab as I only have a few groups in AD, but you may want to be more specific with your searches.


Hit Select and specify the AD groups you want to sync.


Hit Next and specify any users not in a group who you want to have access. You can also add a filter to exclude users by an account attribute; here I'm stopping anyone with the attribute division set to marketing from being added to vRA. Those monkeys are too busy eating unicorn sandwiches to know what they're doing…


Perform the initial sync of the directory service, and keep in mind that the default sync period is a week; in real-world environments you'd want to change that to suit your environment. You can do that now by clicking the Edit button.


Once the directory service has been added, you can force a sync by selecting the directory from Administration > Directories Management > Directories and then hitting the “Sync now” option.

If you didn't hit the Edit button during the creation of the directory service, you can change these settings retrospectively by hitting the "Sync Settings" button. From the same place you can check which domains are syncing, what the AD attributes are mapped to in vRA Identity Manager, and the groups and users that have been synced.

Create and manage Windows Integrated Authentication Directory in vRealize Automation

Identity Stores can be created and managed by the Tenant Administrator within their specified tenant. They can do this under Administration>Directories Management>Directories

To create and manage a Windows Integrated Authentication directory, select the "Add Directory" button and specify "Add Active Directory over LDAP/IWA"

Select Active Directory (Integrated Windows Authentication)

Completing the configuration of this option will add the vRA appliance to the domain

Firstly I got the following error

So I changed my configuration to suit

I subsequently got a new error

This is because you must set up Active Directory in the default vsphere.local tenant before it can be added to other tenants.

In order to do this, you will need to log into the default tenant.

The default tenant can be accessed at https://myvraserver.mydomain.local/vcac/

If you've not set up your default tenant yet and dove straight into configuring a new tenant, then you may need to create some local users within your default tenant and add the new local user as a tenant admin of the default tenant.

Details of how to do that can be found in my Section 2 Object 2.1 blog

Add the Active Directory (Integrated Windows Authentication) identity source in the default tenant as a tenant admin of the default tenant. Follow the wizard through; after the initial configuration page, the process of stepping through the Windows Integrated Authentication directory setup is the same as the Active Directory over LDAP setup.

Once this has been completed in the default tenant, you can log on to subsequent tenants and add that domain as an Active Directory (Integrated Windows Authentication) identity source in the same manner.

When vRA is configured with Active Directory (Integrated Windows Authentication), vRA will use its computer account for authentication.

Determine and configure appropriate user and directory binding details

Ensure you have properly thought through the Active Directory bind details: use a dedicated service account to bind to Active Directory, and make sure your search DNs are not too broad.

As with every configuration, only what is required should be configured.

Evaluate directory synchronization health and troubleshoot issues

Once you’ve added your directory you can check for issues by selecting the domain from under Administration>Directories Management>Directories

From here you can then check the Sync Log to ensure that syncing has worked and is still working OK

You can set safeguards that will prevent the removal or addition of too many users/groups during a sync operation if required

vRA uses the Identity Manager from Horizon. If you look at the vRA appliance you will be able to see the following directory

/storage/log/vmware/horizon

If we list the contents of that folder we can see a connector.log file

If we grep the log file for our LDAP-configured domain controller we can see entries relating to our LDAP configuration, so this file can also be used for troubleshooting

Tools

Create a custom ESXi ISO for Intel NUC install

Add the VMware depot index to the software depot

Add-EsxSoftwareDepot https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

Add the USB 3.0 Network Adapter VIB to the software depot. You've vSuperstar William Lam to thank for this!!

https://github.com/lamw/ax88179_178a-esxi

Add-EsxSoftwareDepot c:\image\vghetto-ax88179-esxi65-bundle.zip

Clone an ESXi image (the one specified below is 6.5u1), give it a name and set a vendor

New-EsxImageProfile -CloneProfile "ESXi-6.5.0-20170702001-standard" -name "ESXi-6.5.0-u1-NUC7" -Vendor "dojohnson.co.uk"

Remove the current e1000e driver from the newly created ESXi image

Remove-EsxSoftwarePackage -ImageProfile "ESXi-6.5.0-u1-NUC7" -SoftwarePackage "net-e1000e"

Remove the current ne1000 driver from the newly created ESXi image

Remove-EsxSoftwarePackage -ImageProfile "ESXi-6.5.0-u1-NUC7" -SoftwarePackage "ne1000"

Remove the current USB NIC driver from the newly created ESXi image

Remove-EsxSoftwarePackage -ImageProfile "ESXi-6.5.0-u1-NUC7" -SoftwarePackage "vmkusb"

Add the USB NIC VIB we added to the software depot earlier to the newly created ESXi image

Add-EsxSoftwarePackage -ImageProfile "ESXi-6.5.0-u1-NUC7" -SoftwarePackage "vghetto-ax88179-esxi65"

Add a working version of the e1000e driver to the newly created ESXi image

Add-EsxSoftwarePackage -ImageProfile "ESXi-6.5.0-u1-NUC7" -SoftwarePackage "net-e1000e 3.2.2.1-2vmw.600.3.57.5050593"

Export the new image to an ISO

Export-ESXImageProfile -NoSignatureCheck -ImageProfile "ESXi-6.5.0-u1-NUC7" -ExportToISO -filepath c:\image\ESXi-6.5.0-u1-NUC7.iso

Once you have the exported ISO, download Rufus and build bootable media from it
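The whole Image Builder procedure above as one script, added here as an example; it is not from the original post or from William Lam's project. It assumes PowerCLI with the Image Builder module loaded and reuses the depot, bundle, profile and package names from the steps above; the Set-EsxImageProfile acceptance-level step is an assumption not in the post, added because the community VIB is unsigned (CommunitySupported), which is also why the export needs -NoSignatureCheck.

```powershell
# Added example, not the post's own commands. Builds the NUC image as above, but
# checks the community VIB is really in the depot, records how the custom profile
# differs from the stock one, and hashes the ISO so the media you write with
# Rufus can later be verified against a known value.
$ErrorActionPreference = 'Stop'

$BaseProfile = 'ESXi-6.5.0-20170702001-standard'
$NewProfile  = 'ESXi-6.5.0-u1-NUC7'
$IsoPath     = 'c:\image\ESXi-6.5.0-u1-NUC7.iso'

Add-EsxSoftwareDepot 'https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml'
Add-EsxSoftwareDepot 'c:\image\vghetto-ax88179-esxi65-bundle.zip'

# Fail early if the USB NIC VIB is missing, and show who built it and at what
# acceptance level, so skipping the signature check is a conscious decision.
$usbNic = Get-EsxSoftwarePackage -Name 'vghetto-ax88179-esxi65'
if (-not $usbNic) { throw 'USB NIC VIB not found in the software depot' }
Write-Host ('USB NIC VIB: {0} {1}, vendor={2}, acceptance={3}' -f `
    $usbNic.Name, $usbNic.Version, $usbNic.Vendor, $usbNic.AcceptanceLevel)

New-EsxImageProfile -CloneProfile $BaseProfile -Name $NewProfile -Vendor 'dojohnson.co.uk'
# Assumption, not in the post: a CommunitySupported VIB cannot be added to a
# profile with a stricter acceptance level, so lower it explicitly.
Set-EsxImageProfile -ImageProfile $NewProfile -AcceptanceLevel CommunitySupported

# Same removals and additions as the individual steps above.
foreach ($pkg in 'net-e1000e', 'ne1000', 'vmkusb') {
    Remove-EsxSoftwarePackage -ImageProfile $NewProfile -SoftwarePackage $pkg
}
Add-EsxSoftwarePackage -ImageProfile $NewProfile -SoftwarePackage 'vghetto-ax88179-esxi65'
Add-EsxSoftwarePackage -ImageProfile $NewProfile -SoftwarePackage 'net-e1000e 3.2.2.1-2vmw.600.3.57.5050593'

# Record exactly what changed relative to the stock VMware profile.
$diff = Compare-EsxImageProfile -ReferenceProfile $BaseProfile -ComparisonProfile $NewProfile
$diff | Format-List Equal, OnlyInRef, OnlyInComp, UpgradeFromRef, DowngradeFromRef

Export-EsxImageProfile -ImageProfile $NewProfile -ExportToIso -FilePath $IsoPath -NoSignatureCheck -Force

# Keep this hash with the ISO; recompute it before writing the media with Rufus.
Get-FileHash -Algorithm SHA256 -Path $IsoPath | Format-List Path, Hash
```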