VMware Cloud Community
saurabh1985
Contributor

Multi Machine Blueprint Active Directory, CA server, DNS, NTP

I am trying to create a multi-machine blueprint to stand up a complete new environment: AD server, Root and Intermediate CAs, DNS, NTP. Please advise on how to do this.

9 Replies
daphnissov
Immortal

That question is way outside the scope of a short, community thread and unless you have something to start with which we can critique and offer suggestions, all we can say is to use a multi-machine blueprint and start adding components.

saurabh1985
Contributor

Hello daphnissov,

I am trying to create a multi-machine blueprint to stand up a complete new environment: AD server, Root and Intermediate CAs, DNS, NTP. I used the URL (https://www.faqforge.com/powershell/set-active-directory-windows-server-2016-using-powershell/) to configure Active Directory using PowerShell commands as part of software components. However, after executing the commands the server denies login. I did try public forums and some Google searches but was not able to find any relevant article. I am trying to do it for the first time. To begin with, I need to know if there is a way to deploy and configure a full-fledged Active Directory or Domain Controller using vRealize Automation without having to do any manual steps on the server itself.

If you have done it in the past or know any blog/URL where someone has achieved this task, then please share so that I can get some help.

Basically, I need to know if I can deploy/configure a full-fledged Active Directory or Domain Controller or both using vRealize Automation. I am going step by step in achieving the end result below:

End users should have the ability to deploy a logically separated environment consisting of Active Directory, CAs, DNS, and NTP. Any new machine that gets provisioned should get joined to the new domain. We should have variables that can be passed for domain name, username, etc.

daphnissov
Immortal

That is a very skinny article and there are, I'm sure, much better blogs out there. Using software components to tackle this should work. You will need to reboot the AD server after its configuration. There are lots of pieces to your request and so working on them one by one is a better approach than all at once. But your bigger issue here is this is a complex task and you aren't providing very much information. For example:

However post executing the commands the server denies login.

What does this mean? Where do you execute them? How? What is the end result? How is the login attempted? There are hundreds of questions in this piece alone.

And then in, presumably, your requirements statement:

Any new machine that gets provisioned should get joined to the new domain.

Explain this. You're using vRA to deploy an isolated AD environment. You now want to provision new VMs also from vRA into this? Again, hundreds of questions/variables to answer here.

I'm glad to help you achieve this, but I'm not going to A) write it for you from scratch or B) be your solutions architect. You'll have to be more explicit and tell me what you've done yourself. Please read the article in my signature to understand why.

saurabh1985
Contributor

Hello daphnissov,

Apologies if I did not make it clear, but in no manner do I want you to write it from scratch for me. I am trying to achieve the requirement I mentioned. I have never done it in the past, hence I want to know if it is possible to achieve it. I will detail the steps I tried myself. I will answer the questions as well. Below are the steps I tried:

1. https://virtualhobbit.com/2015/07/15/building-an-advanced-lab-using-vmware-vrealize-automation-part-...

2. Deployed a VM using a blueprint and then used a software component where I used the PowerShell scripts downloaded from the location below:

Script Active Directory Installation and Configuration (Automated)

3. Once this is done, I had the reboot option checked in the configure option under Software Component tasks, so it goes for a reboot. When the server reboots and is back online it is already a DC, and the name is the one specified when running dcpromo. It denies login for both the local user and the domain user. Domain I understand, because it is no longer part of the earlier domain it used to be in, but why local login is denied is what I was not able to troubleshoot, as I had no way of logging into the system. The ask I had here was: have you done it cleanly in the past, or do you know someone who installed a Domain Controller/Active Directory without any manual intervention on the server itself, just with the use of vRealize Automation alone? If yes, then I needed the URL to the same so that I can correlate what it is that I am doing incorrectly.

I am sorry, but in no manner do I want you or anyone to write it from scratch for me. I just wanted to know if someone has achieved this in the past and if it is feasible just with the use of vRealize Automation alone, with no manual intervention on the end server itself which is supposed to be the new Domain Controller.

4. Any new machine that gets provisioned should get joined to the new domain.

Answer: The ask is, once the Domain Controller is installed and configured, say with the name test.local, then the subsequent machine in the multi-machine blueprint, let's say the second machine blueprint, should deploy another server, but this server should join the new domain controller (test.local) that got configured with the first machine blueprint. My ask was: can this be achieved, or has someone done this kind of deployment/use case in the past?

This is a very complex task and I am trying to go step by step on this, and hence needed experts' advice to see if it is possible to begin with.

Regards

Saurabh Kumar

daphnissov
Immortal

Ok, so more info here which is good. I have never done this task myself but I know how I would approach it and you seem to be thinking in the right direction.

First thing to solve is the software component which configures a new AD environment. Export that blueprint and attach it to your next reply. Just the software component. If you can't get this working, nothing else matters.

All of this should be possible with vRA and I see no reason why it wouldn't work. I would provide the following cursory advice:

  1. The template you use to deploy the VM which will ultimately be configured as an AD server must not be joined to a domain first. Giving it a static IP is necessary. Check the vCenter customization spec and ensure it isn't joining a domain first. Do some test deploys from vRA to ensure you can deploy just a single machine blueprint that gets a static IP on the network and remains in a workgroup. Next thing would be to run the software component and see what gets completed. Does it fail anywhere?
  2. On the matter of the software component, the code needs to be written in such a way that you know it executed successfully. Simply copying and pasting someone else's PowerShell into a software component doesn't necessarily work because of how vRA invokes the software component. When I see what you've built I can offer more advice.
  3. No place have you said versions of anything. What version of vRA? What version of Windows Server? What version of vSphere?
  4. The client VM that you say should be part of the same multi-machine blueprint that must then join this new AD: it too needs to be a workgroup deployment at first. This means you'll have to pass the AD domain parameter to another software component which joins said machine to that AD. You'll probably need to use property binding between two software components to make this work. Do you know how to do that?
  5. CA, DNS, and NTP. Are these all roles that can be enabled on your domain controller? You haven't really said.
  6. What does the completed topology need to look like? Two machines? More?
  7. Once this multi-machine blueprint is created and works, what then? What are requirements built around that? For example, do future, single-machine blueprints that a user could deploy need to join this AD? Lots of possible complexity here which you haven't really described.

As I said, first order of business is to get a workable software component going which creates a new AD domain and promotes it to a domain controller. Once you have that working in a standalone fashion, you can take the next steps, but not before.

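Points 1 and 2 above (the VM must still be in a workgroup with a static IP, and the software component must be written so that you can tell whether it succeeded) can be made concrete. The following Install-section script is an added example, not code from this thread, from VMware, or from the blog posts linked above. It assumes two software-component properties, DomainName and SafeModePassword, are passed in as script parameters; the log path is a constructed choice. It installs the AD DS role itself (not only the RSAT-ADDS tools), promotes the server with Install-ADDSForest, and leaves a transcript on disk so the result can be read later from the vRA logs or from the disk even if console login fails after the reboot.

```powershell
# Added example (not from the thread or VMware): vRA software component "Install" script
# that promotes a workgroup Windows Server 2016 VM to the first DC of a new forest.
# $DomainName and $SafeModePassword are assumed to be bound from software component
# properties; the log path below is a constructed choice.
param(
    [Parameter(Mandatory)][string]$DomainName,        # e.g. test.local
    [Parameter(Mandatory)][string]$SafeModePassword   # DSRM password, pass it as a secure/encrypted property
)

$ErrorActionPreference = 'Stop'
$log = 'C:\vra-software\dcpromo.log'
New-Item -ItemType Directory -Path (Split-Path $log) -Force | Out-Null
Start-Transcript -Path $log -Append

try {
    # Precondition 1: the template must still be in a workgroup (see point 1 above).
    $cs = Get-CimInstance Win32_ComputerSystem
    if ($cs.PartOfDomain) { throw "Machine is already joined to $($cs.Domain); refusing to promote." }

    # Precondition 2: a static IPv4 address; a DC on DHCP is a classic source of DNS trouble.
    $dhcp = Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.Dhcp -eq 'Enabled' -and $_.ConnectionState -eq 'Connected' }
    if ($dhcp) { throw "IPv4 interface(s) still on DHCP: $($dhcp.InterfaceAlias -join ', ')" }

    # Install the role (not only the RSAT tools) plus the management tools.
    $feat = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
    if (-not $feat.Success) { throw "AD-Domain-Services install failed with exit code $($feat.ExitCode)" }

    Import-Module ADDSDeployment
    $dsrm = ConvertTo-SecureString $SafeModePassword -AsPlainText -Force

    # Create the forest. -NoRebootOnCompletion leaves the restart to the software
    # component's own reboot option, so the exit code is reported before the session ends.
    $result = Install-ADDSForest -DomainName $DomainName `
        -DomainNetbiosName (($DomainName -split '\.')[0].ToUpper()) `
        -SafeModeAdministratorPassword $dsrm `
        -InstallDns -NoRebootOnCompletion -Force

    if ($result.Status -ne 'Success') {
        throw "Install-ADDSForest returned status $($result.Status): $($result.Message)"
    }
    Write-Output "Forest $DomainName created; reboot pending."
    $exit = 0
}
catch {
    Write-Output "FAILED: $_"
    $exit = 1
}
finally {
    Stop-Transcript
}
exit $exit   # non-zero makes the vRA task fail visibly instead of silently continuing
```

Two design notes. The script fails early and loudly on the preconditions rather than discovering them half-way through promotion, which is the hardest state to recover from without console access. And once a server has been promoted it no longer has local SAM accounts: the built-in Administrator becomes the domain Administrator, so a "local" login attempt after the reboot is expected to be refused and the account to use is DOMAIN\Administrator with the password that account had before promotion.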
saurabh1985
Contributor

Hello daphnissov,

First of all, thanks a lot for answering my questions and guiding me in the right direction. I am also getting stuck at the very first task of building a full-fledged Domain Controller/Active Directory. I am doing troubleshooting and would be able to fix it if the machine had allowed me to log in after the failure or incomplete configuration somewhere during execution. That is the main reason I posted this: to see if someone has already configured a full-fledged DC/AD in the past, so that I can correlate and see what it is that I am missing or doing incorrectly.

Ques 1: I configured network profiles, which ensure static network assignment for the VMs. I will modify the guest customization spec in vCenter to ensure provisioned VMs remain part of a workgroup.

Ques 2: I used the PS script from that URL but modified it to my own version to suit my environment variables, etc.

Ques 3: vRA 7.4, vCenter and ESXi 6.7, and Windows Server 2016.

Ques 4: Yes, I do have an idea of how to do property binding, as I have used it for a multi-tier multi-machine blueprint earlier and was able to achieve that successfully, where I had my web and app tiers deployed in AWS and the DB deployed in vCenter. I used the URL below for guidance:

https://www.definit.co.uk/2018/03/three-tier-app-for-vrealize-automation/ ... It looked like the attached image after completion.

Ques 5: CA needs to be separate. DNS and NTP roles can be enabled on the DC itself.

Ques 6: The completed topology consists of multiple machines. Basically it will be used for test/development purposes, where individual teams will have the capability of deploying their own Active Directory/Domain Controllers and any new VMs in the respective new DC that they provision.

Ques 7: Once this multi-machine blueprint starts working, it will be made available to multiple end-user departments, where they will have the ability to deploy their own DC/AD and future single machines that will join their respective DC that they built using the multi-machine blueprint. This use case was given by the customer because they want the respective teams to have the capability of using their own DC/AD. In brief, a complete logically separated environment for each team, where they manage the entire life-cycle of their own machines without having the need to do any modifications or changes on the production Active Directory, Domain Controller, CA server, etc.

Regards

Saurabh Kumar

daphnissov
Immortal

I am doing troubleshooting and must be able to fix it if the machine would have allowed me to login post failure or incomplete configuration somewhere during execution.

Yes, understand, but you did not attach the software component as I requested.

That is the main reason I posted this to see if someone has already configured a full fledged DC/AD in the past already so that I can correlate to see what is that I am missing or doing incorrectly.

Yes, you've said this multiple times, which I understand. Let me state my position once again: I have not done this myself but am sure it can be accomplished. I would be glad to help you get there. If you only wish help from those few who might have done this, you are welcome to wait for other replies.

Ques 6: The completed topology looks like multiple machines. Basically it will be used for test/development purpose where individual teams will have capability of deploying their own Active Directory/Domain Controllers and any new VMs in the respective new DC that they provision.

This part is the one that's going to cause problems. Deploying a fully-functional DC, CA, and DNS is one thing. But using the vRA catalog for further user requests to join that specific domain is quite another. There may be options here, but that is a separate concern.

Ques 7: Once this multi-machine blueprint starts working then it will be made available to multiple end-user department where they will have the ability to deploy their own DC/AD and future single machines that will join to their respective DC that they built using the multi-machine blueprint.

If they have machines that are in that same multi-machine blueprint that need to join the DC that was rolled out in that blueprint, that shouldn't be an issue. But the answer to your question #6 suggests otherwise. I need clarification on which it is.

In brief a complete logically separated environment for each team where they manage the entire life-cycle of their own machines without having the need to do any modifications or changes on the production Active Directory, Domain Controller, CA server, etc.

This is possible and I've seen it done. The idea being that each business group has their own AD domain and any deployed VMs to that business group get joined to that domain. It's something that has been set up in advance outside of vRA and vRA is simply using that pre-existing domain. If all they want is the ability to have one AD per group in some fashion, this doesn't need to be delivered as a catalog item.

If you would like me to help you further, please export and attach your software component that you have built thus far.

saurabh1985
Contributor

Hello daphnissov,

First of all a huge thank you for stepping in and taking out time for guiding me during this difficult phase of mine in trying to accomplish something I have never done before.

Basically, I am using an answer file, which is attached for your reference and is placed on a file server. I call that answer file using the command below in my software component's install section:

dcpromo.exe /unattend:\\ipaddress of the file server\software\answer_file.txt.

I am not a Windows person and have very basic knowledge about DC/AD, etc. I did find another way of installing/configuring DC/AD using PowerShell scripts, which I will be testing in 2-3 days, and I will post that software component also for your review.

With respect to questions 6 and 7: the ask is that the end user deploys their own DC as the first machine, and any machine that gets deployed after that (within the same multi-machine blueprint) or later as an individual machine should get joined to the DC that was deployed by the end user as the first machine.

If all they want is the ability to have one AD per group in some fashion, this doesn't need to be delivered as a catalog item?

Answer: They want the ability to not have any AD or DC pre-created. They want the end users to have the ability to create their own DC and AD when they need to during their testing or POC, and then destroy them after the testing/POC is done.

Regards

Saurabh Kumar

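The requirement restated in this post (the second machine of the same multi-machine blueprint joins the domain created by the first machine) is the "property binding between two software components" case from daphnissov's point 4. The following Install-section script for the second machine's domain-join component is an added example, not code from this thread or from VMware. It assumes four properties, DomainName, DcAddress, JoinUser and JoinPassword, are bound from the first machine's component and network properties and arrive as script parameters; the log path and the 15-minute wait are constructed choices. Because the new domain exists nowhere else, the script has to point DNS at the new DC and wait for it to come back from its post-promotion reboot before attempting the join.

```powershell
# Added example (not from the thread or VMware): vRA software component "Install" script
# for the second machine, joining it to the domain that the first machine just created.
# $DomainName, $DcAddress, $JoinUser and $JoinPassword are assumed to be bound via
# property binding from the first machine's software component and its IP address.
param(
    [Parameter(Mandatory)][string]$DomainName,    # e.g. test.local
    [Parameter(Mandatory)][string]$DcAddress,     # IPv4 address of the freshly promoted DC
    [Parameter(Mandatory)][string]$JoinUser,      # e.g. TEST\Administrator
    [Parameter(Mandatory)][string]$JoinPassword   # pass as a secure/encrypted property
)

$ErrorActionPreference = 'Stop'
$log = 'C:\vra-software\domainjoin.log'
New-Item -ItemType Directory -Path (Split-Path $log) -Force | Out-Null
Start-Transcript -Path $log -Append

try {
    if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) { throw 'Machine is already domain joined.' }

    # The new domain is only resolvable by the new DC, so make it this machine's DNS server.
    $nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
    Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $DcAddress

    # The DC may still be rebooting after promotion. Wait, with a bounded retry loop, until
    # it answers LDAP and publishes the domain's DC locator SRV record.
    $deadline = (Get-Date).AddMinutes(15)
    $ready = $false
    do {
        $ldap = Test-NetConnection -ComputerName $DcAddress -Port 389 -WarningAction SilentlyContinue
        $srv  = Resolve-DnsName "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server $DcAddress -ErrorAction SilentlyContinue
        if ($ldap.TcpTestSucceeded -and $srv) { $ready = $true; break }
        Write-Output "DC $DcAddress not ready yet; retrying in 30 s."
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    if (-not $ready) { throw "DC $DcAddress for $DomainName did not become reachable before the deadline." }

    $secure = ConvertTo-SecureString $JoinPassword -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential($JoinUser, $secure)

    # No -Restart here: the component's own reboot option restarts the VM after the task
    # has reported its exit code.
    Add-Computer -DomainName $DomainName -Credential $cred -Force
    Write-Output "Joined $DomainName; reboot pending."
    $exit = 0
}
catch {
    Write-Output "FAILED: $_"
    $exit = 1
}
finally {
    Stop-Transcript
}
exit $exit
```

The bounded wait is the part most likely to matter in practice: vRA runs the second machine's component as soon as its dependency is satisfied, and a DC that is still restarting will simply refuse the join, so the loop turns a timing race into an explicit, logged failure if the DC never comes up.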
saurabh1985
Contributor

In the configure section of the software component, I do use:

Import-Module ServerManager

Install-WindowsFeature RSAT-ADDS
