VCP7-CMA Section 2 Objective 2.2 Create and Manage Directories

Create and manage LDAP directory for Active Directory in vRealize Automation

Identity stores can be created and managed by the Tenant Administrator within their own tenant, under Administration>Directories Management>Directories.


To add an LDAP directory for Active Directory, select the “Add Directory” button and choose “Add Active Directory over LDAP/IWA”.

To configure Active Directory over LDAP, select Active Directory over LDAP and complete the required fields.


  • Directory name – the name of the AD domain you want to sync with.
  • Sync Connector – this is the device that syncs users from Active Directory. When designing vRA solutions, place the Sync Connector as close to a domain controller as possible.
  • Directory Search Attribute – the account attribute that holds the username. Where a single tenant has multiple directories that may contain users with the same sAMAccountName, you may want to specify userPrincipalName here instead.
  • Server Location – if vRA can’t resolve the AD domain, untick this box and specify a domain controller by IP.
  • Specify a user account used to bind to Active Directory.

Test the connection to Active Directory to ensure it’s working correctly.

Click Next and select which domains you want to add; you may see multiple domains depending on your AD forest and its trusts.


Select how you want to map the user attributes from AD into vRA’s Identity Manager. Below I have included a screenshot of my Active Directory user information.

By default you will need to provide two values: the vRA manager attribute and the vRA displayName attribute. In vRA you can choose how you want a user’s name to be displayed; I’m choosing to use the AD attribute of the same name, displayName. You may want the vRA displayName attribute to be the sAMAccountName or something completely different. I’m using the AD title attribute for the vRA manager attribute.


Select which groups you want to sync with vRA. How you search for groups depends on how big your AD structure is; I specified the base DN of my whole lab as I only have a few groups in AD, but you may want to be more specific with your searches.

Hit Select and specify the AD groups you want to sync.

Hit Next and specify any users not in a group who you want to have access. You can also add a filter to exclude users by an account attribute; here I’m stopping anyone with the division attribute set to marketing from being added to vRA. Those monkeys are too busy eating unicorn sandwiches to know what they’re doing…


Perform the initial sync of the directory service, and keep in mind that the default sync period is a week; in real-world environments you’d want to change that to suit your environment. You can do that now by clicking the Edit button.
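To make the wizard choices above concrete, here is a small Python model I’ve added (it is not part of the original post and not VMware’s code) of what the directory sync ends up doing: picking the groups that sit under the group search base DN, adding individually selected users, applying the attribute exclusion filter, mapping AD attributes onto the vRA displayName and manager attributes, and showing why the Directory Search Attribute matters when two domains hold the same sAMAccountName. Every user, group and DN in it is constructed sample data.

```python
# Added example (not from the original post or from VMware): a model of the
# sync choices made in the directory wizard. All names and DNs are constructed.
from dataclasses import dataclass, field


@dataclass
class ADUser:
    dn: str
    sAMAccountName: str
    userPrincipalName: str
    displayName: str
    title: str
    division: str
    memberOf: list = field(default_factory=list)


# Constructed sample directory. Two accounts deliberately share the
# sAMAccountName "dan" (one in the root domain, one in a child domain).
SAMPLE_USERS = [
    ADUser("CN=Dan Smith,OU=Lab,DC=mydomain,DC=local", "dan", "dan@mydomain.local",
           "Dan Smith", "Head of IT", "IT",
           ["CN=vRA-Admins,OU=Lab,DC=mydomain,DC=local"]),
    ADUser("CN=Bob Jones,OU=Lab,DC=mydomain,DC=local", "bob", "bob@mydomain.local",
           "Bob Jones", "Campaign Lead", "marketing",
           ["CN=vRA-Users,OU=Lab,DC=mydomain,DC=local"]),
    ADUser("CN=Eve Adams,OU=Lab,DC=mydomain,DC=local", "eve", "eve@mydomain.local",
           "Eve Adams", "Engineer", "IT", []),
    ADUser("CN=Dan Brown,OU=Staff,DC=child,DC=mydomain,DC=local", "dan",
           "dan@child.mydomain.local", "Dan Brown", "Analyst", "IT",
           ["CN=vRA-Users,OU=Staff,DC=child,DC=mydomain,DC=local"]),
]

# vRA attribute -> AD attribute, as chosen on the mapping page in the post.
ATTRIBUTE_MAP = {"displayName": "displayName", "manager": "title"}


def under_base_dn(dn, base_dn):
    """True if dn sits at or below base_dn (simple suffix match, no DN escaping)."""
    return dn.lower().endswith(base_dn.lower())


def sync_directory(users, search_attr, group_base_dn, chosen_groups,
                   extra_users=(), exclude=None):
    """Return {username: mapped vRA attributes} for the accounts that would sync.

    search_attr    - Directory Search Attribute (sAMAccountName or userPrincipalName)
    group_base_dn  - base DN the groups were searched under
    chosen_groups  - group DNs ticked in the wizard
    extra_users    - usernames added individually (users not in a synced group)
    exclude        - (attribute, value) filter that drops matching accounts
    """
    groups = {g for g in chosen_groups if under_base_dn(g, group_base_dn)}
    synced = {}
    for user in users:
        username = getattr(user, search_attr)
        in_group = any(g in groups for g in user.memberOf)
        if not in_group and username not in extra_users:
            continue
        if exclude and getattr(user, exclude[0]).lower() == exclude[1].lower():
            continue
        if username in synced:
            # Two directories produced the same username: the sync cannot tell them apart.
            raise ValueError(
                f"{search_attr} {username!r} is not unique across the synced domains; "
                "use userPrincipalName as the Directory Search Attribute")
        synced[username] = {vra: getattr(user, ad) for vra, ad in ATTRIBUTE_MAP.items()}
    return synced


if __name__ == "__main__":
    groups = ["CN=vRA-Admins,OU=Lab,DC=mydomain,DC=local",
              "CN=vRA-Users,OU=Lab,DC=mydomain,DC=local",
              "CN=vRA-Users,OU=Staff,DC=child,DC=mydomain,DC=local"]
    result = sync_directory(SAMPLE_USERS, "userPrincipalName", "DC=mydomain,DC=local",
                            groups, extra_users=["eve@mydomain.local"],
                            exclude=("division", "marketing"))
    for name, attrs in result.items():
        print(name, attrs)
```

Run with the constructed data, the marketing account is dropped by the filter, Eve arrives through the individual user list, and switching the search attribute to sAMAccountName makes the call fail on the duplicate "dan", which is the collision the Directory Search Attribute bullet is warning about.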


Once the directory service has been added, you can force a sync by selecting the directory from Administration>Directories Management>Directories and then hitting the “Sync now” option.


If you didn’t hit the Edit button during the creation of the directory service, you can change these settings retrospectively by hitting the “Sync Settings” button. From there you can also check which domains are syncing, what the AD attributes are mapped to in vRA Identity Manager, and the groups and users that have been synced.


Create and manage Windows Integrated Authentication Directory in vRealize Automation

Identity stores can be created and managed by the Tenant Administrator within their own tenant, under Administration>Directories Management>Directories.


To create and manage a Windows Integrated Authentication directory, select the “Add Directory” button and choose “Add Active Directory over LDAP/IWA”.

Select Active Directory (Integrated Windows Authentication)

Completing the configuration of this option will add the vRA appliance to the domain.

Firstly, I got the following error.

So I changed my configuration to suit.

I subsequently got a new error.

This is because you must set up Active Directory in the default vsphere.local tenant before it can be added to other tenants.

In order to do this, you will need to log into the default tenant.

The default tenant can be accessed at https://myvraserver.mydomain.local/vcac/

If you’ve not set up your default tenant yet and dove straight into configuring a new tenant, then you may need to create some local users within your default tenant and add the new local user as a tenant admin of the default tenant.

Details of how to do that can be found in my Section 2 Objective 2.1 blog.

Add the Active Directory (Integrated Windows Authentication) identity source in the default tenant, as a tenant admin of the default tenant. Follow the wizard through; after the initial configuration page, the process of stepping through the Windows Integrated Authentication directory setup is the same as the Active Directory over LDAP setup.

Once this has been completed in the default tenant, you can log on to subsequent tenants and add that domain as an Active Directory (Integrated Windows Authentication) identity source in the same manner.

When vRA is configured with Active Directory (Integrated Windows Authentication), vRA will use its computer account for authentication.

Determine and configure appropriate user and directory binding details

Ensure you have properly thought through the Active Directory bind details: use a service account to bind to Active Directory, and make sure your search DNs are not too broad.

As with every configuration, only what is required should be configured.
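As an added example (not from the original post or from VMware), here is a small checker for the bind details just described: it flags a built-in privileged account used as the bind account and a search base that covers the whole domain. The account names and DNs are constructed, and the DN handling is a plain comma split that assumes no escaped commas.

```python
# Added example (not from the original post or from VMware): review the bind
# account and search base DNs chosen in the directory wizard. Constructed data;
# DN parsing is a naive comma split (assumes no escaped commas).
BUILTIN_PRIVILEGED = {"administrator", "krbtgt"}


def split_dn(dn):
    """Split a DN into its RDN parts (assumes no escaped commas)."""
    return [part.strip() for part in dn.split(",")]


def domain_root(dn):
    """Keep only the DC= parts: 'OU=Lab,DC=mydomain,DC=local' -> 'DC=mydomain,DC=local'."""
    return ",".join(p for p in split_dn(dn) if p.upper().startswith("DC="))


def review_bind_settings(bind_dn, search_base_dns):
    """Return a list of findings for the bind account and search bases; empty means fine."""
    findings = []
    account = split_dn(bind_dn)[0].split("=", 1)[1].lower()
    if account in BUILTIN_PRIVILEGED:
        findings.append(f"bind account {account!r} is a built-in privileged account; "
                        "bind with a dedicated low-privilege service account instead")
    bind_root = domain_root(bind_dn).lower()
    for base in search_base_dns:
        base_norm = ",".join(split_dn(base)).lower()
        if not domain_root(base).lower().endswith(bind_root):
            # A child domain of the bind account's domain still passes this check.
            findings.append(f"search base {base} is outside the bind account's domain tree")
        elif base_norm == bind_root:
            findings.append(f"search base {base} is the whole domain; narrow it to the OU(s) "
                            "that hold the vRA users and groups")
    return findings


if __name__ == "__main__":
    for finding in review_bind_settings("CN=Administrator,CN=Users,DC=mydomain,DC=local",
                                        ["DC=mydomain,DC=local"]):
        print("-", finding)
```

The whole-domain check is deliberately strict: a base DN at the domain root (which is what I used in my lab) is fine for a handful of groups, but in a production forest it lets the sync, and anyone with the bind credentials, enumerate far more than vRA needs.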

Evaluate directory synchronization health and troubleshoot issues

Once you’ve added your directory you can check for issues by selecting the domain from under Administration>Directories Management>Directories.

From here you can then check the Sync Log to ensure that syncing has been, and is, working OK.


You can set safeguards that will prevent the removal or addition of too many users/groups during a sync operation, if required.
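An added example (not from the post or from VMware) of how such a safeguard can be modelled: the previous and next user sets, and the percentage thresholds, are constructed. It shows the case the safeguard exists for, a sync that would suddenly remove most of the users (for example after a group DN or base DN was mistyped in Sync Settings).

```python
# Added example (not from the original post or from VMware): a sync safeguard
# that blocks a run which would add or remove too large a share of the users.
# All user lists and thresholds are constructed.
def check_sync_safeguard(previous, current, max_removed_pct=20, max_added_pct=50):
    """Compare the last synced user set with the set the next sync would produce.

    Returns (allowed, added, removed). The sync is blocked when removals or
    additions exceed the given percentage of the previously synced set.
    """
    prev, cur = set(previous), set(current)
    added, removed = sorted(cur - prev), sorted(prev - cur)
    base = max(len(prev), 1)  # avoid division by zero on the very first sync
    removed_pct = 100.0 * len(removed) / base
    added_pct = 100.0 * len(added) / base
    allowed = removed_pct <= max_removed_pct and added_pct <= max_added_pct
    return allowed, added, removed


if __name__ == "__main__":
    last_sync = ["dan", "eve", "alice", "carol", "frank"]
    # Constructed scenario: a mistyped group DN makes the next sync find almost nobody.
    print(check_sync_safeguard(last_sync, ["dan"]))
    # Constructed scenario: one new starter, which should be allowed through.
    print(check_sync_safeguard(last_sync, last_sync + ["grace"]))
```

When the safeguard trips, the right move is to look at the Sync Log and Sync Settings before lowering the threshold; a blocked sync is a signal that the directory configuration changed, not that the limit is too tight.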


vRA uses the Identity Manager from Horizon. If you look at the vRA appliance you will be able to see the following directory:

/storage/log/vmware/horizon

If we list the contents of that folder we can see a connector.log file.


If we grep the log file for our LDAP-configured domain controller, we can see entries relating to our LDAP configuration, so this file can also be used for troubleshooting.
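As an added example (not from the original post or from VMware), here is the same grep idea in Python over a few constructed connector.log lines, extended to pull out just the ERROR and WARN entries for the domain controller. The line layout is an assumption; the post doesn’t show the real format, so adjust the regex to whatever your appliance actually writes.

```python
# Added example (not from the original post or from VMware): filter connector.log
# entries for the configured domain controller and surface the failures.
# The sample lines are constructed and their layout is an assumption.
import re

SAMPLE_CONNECTOR_LOG = """\
2018-03-01 10:00:01,123 INFO  [DirectorySync] Connecting to ldap://dc01.mydomain.local:389
2018-03-01 10:00:02,456 INFO  [DirectorySync] Bind as CN=svc_vra,OU=Service Accounts,DC=mydomain,DC=local to dc01.mydomain.local succeeded
2018-03-01 10:00:05,789 INFO  [DirectorySync] Synced 12 users, 3 groups from dc01.mydomain.local
2018-03-01 10:05:00,001 ERROR [DirectorySync] Bind to dc01.mydomain.local failed: invalid credentials
2018-03-01 10:06:00,002 WARN  [DirectorySync] Group CN=vRA-Users,OU=Lab,DC=mydomain,DC=local not found
2018-03-01 10:07:00,003 INFO  [Heartbeat] connector alive
"""

# Assumed layout: "<date> <time>,<ms> <LEVEL> [<component>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+)\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<component>[^\]]+)\]\s+(?P<msg>.*)$")


def parse_log(text):
    """Yield (timestamp, level, component, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["level"], m["component"], m["msg"]


def lines_for_dc(text, dc_host):
    """Equivalent of `grep -i <dc_host> connector.log`, but on parsed records."""
    return [rec for rec in parse_log(text) if dc_host.lower() in rec[3].lower()]


def sync_failures(text, dc_host=None):
    """ERROR/WARN records, optionally restricted to one domain controller."""
    records = lines_for_dc(text, dc_host) if dc_host else list(parse_log(text))
    return [rec for rec in records if rec[1] in ("ERROR", "WARN")]


if __name__ == "__main__":
    for ts, level, component, msg in sync_failures(SAMPLE_CONNECTOR_LOG, "dc01.mydomain.local"):
        print(ts, level, msg)
```

The bind failure is the entry worth watching in the real log: a sudden run of them after a working sync usually means the service account password was changed or the account was locked, and the directory will quietly stop updating until it is fixed.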


VCP7-CMA Section 2 Objective 2.1 Create and Manage Tenants

  • Create a new tenant for a given design

VMware Docs link

Out of the box a default tenant named vsphere.local is created, which is accessed via the https://myvraserver.mydomain.local/vcac/ URL. You log into the default tenant using the System Administrator role with the username administrator and the password set for the system administrator account during the installation of vRA.

Once inside the default tenant you will see the default tenant listed under the Tenants section; any new tenants created will also be displayed here.

All new tenants are created inside the default tenant by the system administrator.

To create a tenant, select New and fill in the details required.

Click Submit and then Next to proceed to creating a local user or users for the new tenant. These local users are specific to the new tenant. You don’t have to create local users at this stage to complete creating the tenant, however you won’t be able to log into the new tenant if you don’t!

If you want to use directory users, you must create the local user(s), assign them as tenant and IaaS admins, log into the new tenant with the new local user, set up the identity source, log back into the default tenant with the system administrator account, edit the new tenant, and add the domain users or groups as the tenant and IaaS admins!

Then you will be able to log into the new tenant as a tenant/iaas admin to start the configuration of the new tenant.


Assign the roles of Tenant Administrator and IaaS Administrator if required. You don’t have to assign these roles at this time to finish creating the new tenant, however you won’t be able to log into the tenant if you don’t assign these roles to a local user. Once you have configured an identity source you can come back into the default tenant and add directory users and/or remove the local user(s) from these groups.


It’s important to understand that privileges of the IaaS administrator role are NOT tenant specific. The IaaS administrator role is System Wide, so even though our new local user “danlab” is specific to the danlab tenant, this user has system wide IaaS privileges.

This is because the Infrastructure Fabric is available to all tenants. Depending on how you want your architecture configured, you may want an IaaS administrator per tenant to configure endpoints, and have fabric groups per tenant as shown below.


However, I would say that in the majority of vRA architectures it’s more common to see the below, with the System Administrator, IaaS Administrator and Fabric roles assigned to members of IT within the default tenant, and tenants then having access to that infrastructure via Fabric Groups.


  • Create, add, and manage local users

Creating local users for a tenant can be done inside the default tenant by the system administrator as described above.

  • Configure administrative access and describe privilege level differences between roles

There are many roles within vRA, each role having different privileges. Two roles are system wide (the System Administrator role and the IaaS Administrator role) and have the following privileges:

The remaining roles are tenant specific.

I would say learning the differences between these roles is very important for the exam, and little more than hands-on experience will help you with this. For those who are creating a vRA lab to study, you may want to assign yourself “god” permissions. The only way to do that is to create a custom group.

Inside the new tenant, select Administration>Custom Groups, create a new custom group, give it a name, assign ALL roles to the group, then on the Members tab select your local user (or directory account if you’ve already added a directory service).

Once this is done, log out of vRA and back in for the permission changes to take effect.


  • Determine the unique URL used to access the tenant

The unique URL is set during the creation of the tenant. When creating my tenant I specified the URL danlab, as can be seen below.


So my tenant will be accessed via

https://myvraserver.mydomain.local/vcac/org/danlab

Note that this is different from the default tenant which is accessed via

https://myvraserver.mydomain.local/vcac/

Assume we created a third tenant named test1 with a URL of test1 and a fourth tenant named test2 with a URL of test2bob; then access would be as follows:

default tenant – https://myvraserver.mydomain.local/vcac/

danlab tenant – https://myvraserver.mydomain.local/vcac/org/danlab

test1 tenant – https://myvraserver.mydomain.local/vcac/org/test1

test2 tenant – https://myvraserver.mydomain.local/vcac/org/test2bob
