Skip navigation

Hi all,

vRO8 is out and the Java Client is gone. The HTML Client has some very nice features but will hopefully get some improvements soon.


What I personal missing the most is the tree view of the Workflows, Actions, Resources and the Configuration. Especially the Workflows and Actions are bugging me as one needs to know what the workflow or Action is called...and that's a bit least for me...I know where stuff is not necessarily that its called.


so I came up with a mini Workflow that will just export (to the local disk of the vRO) all Workflows, Actions, Configuration Elements and Resource Elements.


PLEASE NOTE: Even if you write to /var/run/vco/ in the vRO, the real path via SSH is /data/vco/var/run/vco (Container!!!)


I attached the Package but here is the Code too:

//do Workflows

var myFileWriter = new FileWriter("/var/run/vco/workflows.txt");;


for each (wfc in Server.findAllForType("WorkflowCategory")){


   for each (wf in wfc.allWorkflows){

  myFileWriter.writeLine("- " 




//do Actions

var myFileWriter = new FileWriter("/var/run/vco/actions.txt");;


for each (mod in System.getAllModules()){


   for each (act in mod.actionDescriptions){

  myFileWriter.writeLine("- " 




//do Resources

var myFileWriter = new FileWriter("/var/run/vco/resourses.txt");;


for each (resCat in Server.getAllResourceElementCategories()){


   for each (res in resCat.allResourceElements){

  myFileWriter.writeLine("- " 




//do Configs

//do Resources

var myFileWriter = new FileWriter("/var/run/vco/configurations.txt");;


for each (confCat in Server.getAllConfigurationElementCategories()){


   for each (conf in confCat.allConfigurationElements){

  myFileWriter.writeLine("- " 




Hi all,

so...i figured something out and wanted to share it with you guys. vRA 7.5 (Hotfix4 VMware Knowledge Base ) has come a long way in regards of custom forms. However there are still some things that are annoying, such as that one must imput Memory in MB. I undertsand that that is a left over from the vCenter API...but seriously...its 2019!


So I finaly came up with a workaround (requires custom forms, vRA 7.5 Hotfix >=4)

1) create a vRO action (I call it memGB2MB) that looks like this:

Header 1Header 2Header 3
Scriptreturn memGB*1024;


2) Create an custom form of your  blueprint and drag at least CPU and Mem on it.

3) Add a new Integer field and call it Memory (GB). Then assign it all the restrictions that the blueprint has in regards of Memory.
(If you havent noticed yet. The blueprint restrictions are transfered ONLY once, when creating a custom form. If you update the Mem or CPU limits in the blueprint later, they are not passed dynamically to the custom form.)

4) Now click on the field Memory (MB) field and go to values. Select external source and then the vRO action you have created and Field Memory GB as the input.

5) You can give the whole thing a go now..or just directy set the Memory (MB) fields Visibility to false.

Well..there is more.


The method would allow you to use a Array/String to display a dropdown menu for CPU and/or Memory. You just need a new action that has as an input a string, as the output a number and the following script:

return parseInt(memGB*1024,10);


have Fun!


Looks like this affects quite a lot of Properties. Just found the same problems with VMware.VirtualCenter.Folder and VirtualMachine.Network0.Name


HI all,

you have probably noticed that when you are using vRA custom forms that the ReservationPolicyID  isn't working and throwing you the following error.:

(vRA 7.5 plus  )

The following component requests failed: smallRHEL. Allocation request [Composition RequestId: [969dfad8-52b4-4f39-8e68-ba9c6dcba281], CompTypeId: [Infrastructure.CatalogItem.Machine.Virtual.vSphere], BlueprintId: [smallRHEL], CompId: [smallRHEL], BlueprintRequestId: [5cb0a374-982c-454a-8cc7-c38eb0517dd4], RootCafeRequestId: [9da8ba9d-63ef-4a73-8a16-421f51d9fa5a], SubtenantId: [06890147-51f7-4857-98c7-e5b6ca2d9dcd]] with binding id [20fd1dba-3807-4ece-8b1a-6ad5dc1a5ce2] failed with [Infrastructure service provider error: A server error was encountered. Error requesting machine. Guid should contain 32 digits with 4 dashes (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).].


I finally found the workaround that fixes this issue. The problem seems to be caused by  the element coming onto the canvas as an DataGrid, Switching it to DropDown will solve the problem. Here is how to do this:


  • Create a ReservationPolicyID Property Definition and link it to the action : com.vmware.vra.reservations/getApplicableReservationPolicies
  • Assign the ReservationPolicyID  to the Blueprint
  • Create a Custom Form
  • Drag the ReservationPolicyID  onto the canvas
  • save the form
  • export the form to JSON
  • Open  the JSON (I use Notepad++ and JSTool)
  • Look in the schema section (scroll down) for your ReservationPolicyID it should look like this:

"CentOS_7~ReservationPolicyID": { "label": "Cluster", "type": { "dataType": "complex", "isMultiple": false }, "default": "", "valueList": { "id": "com.vmware.vra.reservations/getApplicableReservationPolicies", "type": "scriptAction", "parameters": [] }, "placeholder": "No data found", "constraints": { "required": true } },

  • Exhange the "type": { "dataType": "complex", "isMultiple": false } to "type": { "dataType": "string", "isMultiple": false} so only this is left "type": { "dataType": "string"}
  • Save the file
  • Import the JSON into customForms
  • DONE

I´ve published several very useful vRealize Orchestrator workflow packages on my website. They are good for extending vRealize Automation or to use with vCenter WebClient.



  This package enables vRO to send HTML formatted emails via SMTP.


  • Use preformatted HTML or plaintext email Templates
  • Replace {tags} in the Mail template with vRO values
  • Repeats HTML structures and fills them either with values from arrays or from properties.
  • Use a configuration to centrally store your mail settings


The coolMail subsystem works by substituting a tag with an vRO value. A coolMail tag can be freely defined and must have { } winged brackets around it. For example {} or {userName}.

The User just prepares a HTML template (e.g. using and inserts tags where later values from vRO should be displayed. This enables one for example to create very nice looking HTML email that can be used with vRealize Automation (vRA).





  This package enables vRO to run scripts of various types inside a VM using VMware tools.


  • Easy to use script ruinning engine
  • Replace {tags} in the script template with values from vRO
  • Can use Windows, Linux, (virtual) ESXi and Photon OS 
  • Runs Linux Bash, Linux PHP, Linux Python, Linux Perl, Windows DOS, Windows PowerShell, Windows Diskpart
  • Can be easily addapted to run other OSs or Script types
  • Stores Configuration centraly and differentiates between Linux and Windows login credentials


CoolRun enables you to run scripts inside a VM without caring to much about copy, run, check etc. Using {tags} in the script you can replace these tags with any value from vRO. The workflow has the correct script exection setting for Linux Bash, Linux PHP, Linux Python, Linux Perl, Windows DOS, Windows PowerShell, Windows Diskpart build in. This for example allows a user to create a workflow that would add a new Disk to a Windows VM and then runs Windows Diskpart to create a partition, formatting it and assign a lab to it.

CoolRun is also built in such a way that it can be easily adapted to other script languages as well as OSs.  





This workflow allows you to completely read out a property in all its details. The output will be displayed into the logs of the workflow. This workflow is extremly useful for vRealize Automation (vRA)


  • Recursive logging of properties within properties
  • displaying the variable type
  • showing the content of arrays


This workflow will log the content of a property into the logs (System.log). The property can consists of multiple properties in properties as well as arrays. The workflow will also log all system context variables (mostly used with vRA). The input variable debugFlag can be null. If set to false the workflow is not executed. This can be used to make sure that the logging will only work in a debug situtation.



Daniel Langenhan Enthusiast

my little Lab

Posted by Daniel Langenhan Dec 13, 2016

Hi all,

lately I had several people ask about my Lab. Well its small and extremely transportable. It packs down into a standard cabin sized carry-on suitcase.


CassyShuttle SZ170R8, Barebone (max 64GB, Size:  216 x 198 x 332 mm)
CPUIntel Core i7-6700K 4000 1151 TRAY (4Ghz)
Memory2x Crucial SO-DIMM 32GB DDR4-2133 Kit (D432GB 2133-15 K2 CRU)
Hard Disks

Samsung MZ-75E1T0B 1 TB, Solid State Drive

Western Digital WD4002FFWX 4 TB

Additional Network (optional)Intel® PRO/1000 PT Dual Port Server Adapter
Network Switch (optional)Netgear GS108T-200GES (8ports, VLAN)
Bridge (optional)ASUS RT-N12
OSESXi 6.0
Cost(April 2016, Germany) ~ 1.600 EUR


The Lab is pretty fast (due to the 4GHz) and I'm running on it: vCenter Appliance, a AD,DHCP,DNS,DB,Email Windows 2008R2 as well as NSX, VRA (7.2), vROPS (6.4)

Hi all,

I just finished finished working though the REST of VEeam in order to create a VeeamZip using VRO. Here is what I learned.


Veeam (version 9) has quite a nice REST and its not that bad documented when you start getting the hang of it. You find the full veeam REST docu here:

There is a nice tutorial that gets you started:

Veeam is XML based, so you ned to know how to work with XML in VRA (see Publications)

Adding the VEEAM REST host:

  1. Login to vRO Client
  2. Start the workflow: Library | HTTP-REST | Add a REST host
  3. The URL is either http://[veeamserver]:9399 or https://[veeamserver]:9398
  4. Use Basic security and the credentials of an user that has the Veeam Backup Administrator role


Logon & Logoff

  • The logon process is by POSTing to the session Manager. The return contains a session ID that we need for logoff or for further actions.
var PostResponse = veeamHost.createRequest("POST", "/api/sessionMngr/?v=v1_1", null).execute();
var sessionID = ((xmldoc.getElementsByTagName("SessionId")).item(0)).textContent;

  • logoff is simply done by DELETEing the session
var PostResponse = veeamHost.createRequest("DELETE", "/api/logonSessions/"+sessionID, null).execute();


Creating the veeamzip

We need the following REST call to creat a veeam Zip :

Boiling down to the following XML we have to post:

POST http://localhost:9399/api/backupServers/f365fbd8-fbd2-43ad-9f7a-c87cd390a0d9?action=veeamzip

<?xml version="1.0" encoding="utf-8"?>

<VeeamZipStartupSpec xmlns="" xmlns:xsd="" xmlns:xsi="">








Lets discuss the three IDs we need from veeam before we can get started (highlighted above):

The backupServer ID is the veeam server that is used to create the request. You can get it using:

var PostResponse = veeamHost.createRequest("GET", "/api/backupServers", null).execute();


The VmRef is made out of the ID for the attached vCenter and the (the vCenter moRef). Its called a hierarchy in Veeam. You get the existing hierarchy by:

var PostResponse = veeamHost.createRequest("GET", "/api/hierarchyRoots", null).execute();


The repository ID represents the storage where you will store the VeeamZip. You can get that by using:

var PostResponse = veeamHost.createRequest("GET", "/api/repositories", null).execute();


To create the Veeamzip I used the following code:

xml='<?xml version="1.0" encoding="utf-8"?><VeeamZipStartupSpec xmlns="" xmlns:xsd="" xmlns:xsi=""><VmRef>urn:VMware:Vm:'+hiracy+'.''</VmRef><RepositoryUid>urn:veeam:Repository:'+repository+'</RepositoryUid><CompressionLevel>3</CompressionLevel><DisableGuestQuiescence>false</DisableGuestQuiescence><BackupRetention>Never</BackupRetention></VeeamZipStartupSpec>';
var request  = veeamHost.createRequest("POST", "/api/backupServers/"+veeamServer+"?action=veeamzip", xml);
request.contentType = "application\/xml";
request.setHeader("Accept", "application/xml");
var response = request.execute();


In order to check if the task has finished I used:

var veeamTask = ((xmldoc.getElementsByTagName("TaskId")).item(0)).textContent;

    var PostResponse = veeamHost.createRequest("GET", "/api/tasks/"+veeamTask, null).execute();
    var state = ((xmldoc.getElementsByTagName("State")).item(0)).textContent;
} while (state !="Finished")


Check up on the state of the backup

The task only shows up for some 5-10 seconds and then it shows finished, however the backup job isnt finished yet. To check up on the Backup job use this

var PostResponse = veeamHost.createRequest("GET", "/api/backupSessions", null).execute();
for (i=0;i<refs.length;i++){
    if (jobName.indexOf(>=0){
        var jobGET = veeamHost.createRequest("GET", "/api/backupSessions/"+jobID+"?format=Entity", null).execute();


Example Package

Attached is my code as a package...have fun!

The Package contains 3 workflows and a configuration. Use AddVeeamHost to add the veeam as REST client, it also outputs all the XML to get the IDs. The getVeeamStuff gets all the IDs you need. Go and add the IDs and the link to the veeam host to the configuration and then use createVeeamZip to create a veeamZip of a VM

The new Horizon accesspoint can be configured via REST and for that we even have a swagger UI as well as a config documentation.




https:// [FQDN]:9443/swagger-ui/index.html

The swagger will be located on your Backend Or Management NIC of the Accesspoint.


Accessing the Swagger UI

  1. Open a browser and browse to https:// [FQDN]:9443/swagger-ui/index.html
  2. Authenticate with admin and the password you specified at deployment.
  3. You see the picture below


Change the SSL Certificate

  1. Click on ServerCertificate
  2. Then Click on PUT /v1/config/certs/ssl
  3. Click on the side (Model Schema). This will transfer the values into the body
  4. Copy the Values into a notepad
  5. Replace the String(s) with the Private Key and with the Certificate chain.
  6. Copy/Paste the notepad content back into the body
  7. Click on Try it out.
  8. Check the result.



Changing the Connection settings

These settings make sure that the Accesspoint can connect to the Conenction Server (or its load balancer) as well as make sure that the tunnels are terminated at the correct point.

  1. Click on EdgeServiceSettings
  2. Click on GET /v1/config/edgeservice
  3. Click on Try it Out!
  4. Copy the Response Body into a notepad
  5. Edit the settings as required. Also you ONLY need the part shown below, not the JSON array {[…]} around it.


"identifier": "VIEW",

"enabled": true,

"proxyDestinationUrl": "https://connection1.mylab.local:443",

"proxyDestinationUrlThumbprints": "sha1=42 41 ba da 3b 58 4b 59 01 b1 66 38 01 59 26 28 78 5d 3a 0a",

"pcoipEnabled": true,

"pcoipExternalUrl": "",

"blastEnabled": true,

"blastExternalUrl": "access1.mylab.local:8443",

"tunnelEnabled": true,

      "tunnelExternalUrl": "access1.mylab.local:443",

"proxyPattern": "/",

"matchWindowsUserName": false,

"gatewayLocation": "External",

"windowsSSOEnabled": false


  1. Copy the settings
  2. Click on PUT /v1/config/edgeservice/view
  3. Past the settings into body
  4. Click on Try it out!
  5. The response should be 200. Anything else (400 and more) indicates an error.




There can be problems if your certs are not up to scratch. In that case you may need to clear your cache. Clearing the cache in Crome is done by pressing [CTRL] + [Shift] + [DEL].


Im currently working on a VRO Package for might be a bit in the making...Im very bussy.

Creating a Certificate for vRO is a good idea...and it is even easier if you are using the VMCA (VMware Certificate Authority) that is part of the PSC (Platform Controller Service).

The cool thing is that if you have used your own enterprise CA to make the VMCA a Subordinate Certificate Authority ( then your CA trusts your VMCA and VMCA trusts vRO.

If you dont have a CA you can export the VMCA root cert and import it into your trusted root certificates on your computer, which automatically results that the certs for vCenter and all ESXi server URLS are trusted. (see VMware Certificate Authority overview and using VMCA Root Certificates in a browser)


1. Open a SSH connection to your PSC (or to vCenter if your PSC is installed with the vCenter)

2. Create a Config file /tmp/vro.conf with a content simular to this:

Country = DE

Name= vro

Organization = vLeet GmbH

OrgUnit = Consulting

State = Bayern

Locality = Munich

IPAddress =

Email =

Hostname = vro.mylab.local

3. Run the following commands to generate a cert using vmca

cd /usr/lib/vmware-vmca/bin/

./certool ‑‑genkey ‑‑privkey=/tmp/vro.prikey ‑‑pubkey=/tmp/vro.pubkey

./certool ‑‑gencert ‑‑privkey=/tmp/vro.prikey ‑‑cert=/tmp/vro.cert ‑‑config /tmp/vro.conf

4. Download the vmca root certificate

wget --no-check-certificate -O /tmp/

5. Build the .pem file

cd /tmp


awk 1 vro.prkey vro.cert certs/6bc2e122.0 >vro.pem

6. Use SCP to download the .pem file to your local computer

7. Open the Orchestrator Control Center, Click on Certificates and select Orchestrator Server SSL Certificate

8. Click on Import and select the .pem file to import.

9. Click again on import and then reboot the Appliance.


This is just ONE of the new updates in the upcoming vRealize Orchestrator Cookbook 2nd Edition. Check my website ( ) for more information

Since vRO7 the Log4j Syslog Appender has been deprecated and will be removed. That’s not really a cause for panic as we can use the Log Insight Agent to forward your log files to the Syslog Server.

There are a few catches on the way.

First we need to configure the forwarding:

  1. Login to the Orchestrator Control Center
  2. Go to Logging Integration
  3. Tick the box next to Enable logging to a remote log server to configure Syslog
  4. Select Use Log Insight Agent
  5. Enter your FQDN or IP of your Syslog server as well as port 514.
  6. Select the Syslog Protocol.
  7. Click on Save

The Log Insight Linux Agent sends the logs via TCP (not UDP) so you may need to adjust your Syslog server

After you have configured the Log Insight settings in the Control Center you still need to configure the Log Insight Linux Agent and tell him what logs to pass on. To do this follow these steps:

  1. Connect to Orchestrator via SSH
  2. Edit the file /var/lib/loginsight-agent/liagent.ini
  3. Add the following entries at the end:




include= scripting.log; scripting.log.*





  1. Restart the log insight agent with the command 
    service liagentd restart
  2. Check the logfiles for errors

This should now forward all the Server and Scripting logfiles to your syslog server. All Orchestrator logfiles can be found at


The configuration of the Log insight Linux Agent is documented in the VMware vRealize Log Insight Agent Administration Guide

1 Create DashboardOnly Role

For the Customers we are creating a role that has can only see dashboards that are shared with the Customer group.

These instructions are compiled using vROPS 6.1

1.1 Create the Role

Let’s create the role.

  1. Login as Admin
  2. Go to Administration and the on Access control
  3. Click on Roles
  4. Create a new Role (green plus) and give it the name DashboardOnly
  5. Click ok and then select the newly created role
  6. Click on the pencil that is next to permissions to edit the roles permission

  1. Select only the following rights:
  • Administration
    • Login interactively
  • Content
    • Views Management
      • § Read
      • § Render
  • Environment
    • View Dashboard homepage

                The Views Management Items are ONLY required if your Dashboards contain Views.

2 Group, Users and Objects

After we created the role we need to create a group assign users to it (if it is a local group) and then assign this group to the DeashboardOnly role as well as make sure the users can only see the objects he or she should see.

You can either import an AD group or create a local group. The local group is created in VROPS only and has the advantage that I can pick and choose what users I want it there without having to create extra AD group for it, however it also means that you have to administer users and groups in AD as well as in vROPS.

2.1 Import AD group

To import a AD group follow these steps:

  1. Click on Import Group
  2. Select a search string and click on Search
  3. Select the group you like to import
  4. Click on Next and continue with the section Assign Role and Objects



2.2 Create local Group

To create a local group follow these steps:

  1. Click on Add
  2. Give the group a name
  3. Click on Next


  1. Now you can select the members that your local group should contain. These could be local user accounts or imported accounts.
  2. Now continue with the section Assign Role and Objects


2.3 Assign Role and Objects

Independent weather if you imported or create a group we continue to assign now objects to this group.

  1. Use the pulldown menu to select the DashboardOnly group
  2. And then tick the box Assign this role to the group
  3. Now either select a custom Group that contains all the objects for the Dashboards or chose the Objects using the Infrastructure library.
  4. Select the Object or Group you want to use
  5. Ticking the Propagation box will select all descendants of this object.
  6. Click on Finish


3 Remove default Dashboards

Now that we created the needed Groups and assigned them the role and the Objects we can now assign them the dashboards. We are also need to take away the default ones.

3.1 Remove Share

First of all we need to remove the standard shared dashboards.

  1. Go to Content | Dashboards
  2. From the Gear Icon pulldown menu select Share Dashboards


  1. Select all Dashboards and then select Stop Sharing
  2. Select all the dashboards again and this time drag them onto your Administrator group

3.2 Assign the Customer Dashboards

We now need to assign the Dashboards the Users should see to the new Group.

  1. Go to Content | Dashboards
  2. From the Gear Icon pulldown menu select Share Dashboards
  3. Select all the dashboards you want the customer to use and drag them onto the new group
  4. The new group should now be showing the dashboards



3.3 Remove the 3 default dashboards

The 3 dashboards (Recommendations, Diagnose and Self Health) cannot be unshared that easy. To remove them we need to delete a file on the vROPS nodes. Please note that this works only for users that have NOT been logged on before. This solution works only for new user that have not been logged in yet.

  1. Login to the vROPS node as root
  2. Delete (or better move) the following file. (Rename doesn’t seam to work)


The path has changed its now:




The way to change the default dashboards has changed. Please follow this KB:

VMware Knowledge Base


 mv //usr/lib/vmware-vcops/tomcat-web-app/webapps/vcops-web-ent/dashboards/ootb/All/All.json /root/
 cd /usr/lib/vmware-vcops/tools/opscli/
 $VMWARE_PYTHON_BIN ./ dashboard hide [user name|group name] all

HI all,

So in my lab im using the vSphere appliance 6 and I just redeployed vRO and had trouble connecting vRO to SSO. I got the error Server returned 'request expired' less than 0 seconds after request was issued, but it shouldn't have expired for at least 600 seconds.

Turns out this has to do with the timeSync between vRO and SSO (vCenter appliance or VCSA). In My case the culpit was the vCenter Appliance. Here how to investigate and fix it:

(I set both to the Host time...not really good but a fast fix)


Check the time

  • Login to the Linux (root) and use the command date to see the current time on the VM

Set the TimeZone

  • Open the vRO console and use Set Timezone
  • Open a browser on: https://[vro FQDN or IP]:5480
  • Login with root and go to System | Time Zone and set the timezone
  • Go to Admin | Time Settings and set ntp (or Host time)



Check the time

  • Open the konsole. Use F2 to login and activate the BASH Shell
  • Press Alt-F1 to get to the bash Shell and login
  • use time.get to get the current time

Set the TimeZone

  • Open the konsole. Use F2 to login and activate the BASH Shell
  • Press Alt-F1 to get to the bash Shell and login
  • use the command timesync.set --mode [host | ntp] to set the mode.
  • If you are using NTP:
    • use the command ntp.get to see what server you get your time from
    • use the command ntp.server.set --servers [list of hostnames or IPs] to set a new NTP server

The script underneath will read out the SRM protection group and SRM Recovery Plan as well as other SRM information for each VM. You can then either export this as a csv or use them as tags in vCenter. The advantage is that you not only see those information directly in the VM summery but you also now can search for a SRM group and find all associated VMs.


#load VMware PowerCLi module
if ((Get-PSSnapin | where {$_.Name -ilike "VMware.VimAutomation.Core"}).Name -ine "VMware.VimAutomation.Core"){
    Write-Host "Loading VMware PowerCli"
    Add-PSSnapin VMware.VimAutomation.Core -ErrorAction SilentlyContinue

#define varibales

#basic connections
Write-Host "connecting vCenter"
#$VINCred=Get-Credential #interactive logon, renove comments from connect lines
$vcConnect=Connect-VIServer "myVC.mylab.local" #-Credential $VINCred
Write-Host "connecting SRM"
$srmConnect=Connect-SrmServer #-Credential $VINCred

try {
    $SRMApi = $srmConnect.ExtensionData
    #get all revovery plan and store
    Write-Host "Build Recovery Object List" -NoNewline
    foreach ($plan in $SRMApi.Recovery.ListPlans()){
        $tempObj= New-Object PSObject -Property @{"moref"=($plan.moref.Value);"Name"=($plan.GetInfo().Name)}
        $RecoveryObj += $tempObj
        Write-Host "." -NoNewline
    Write-Host "`n"
    #get all protected VM (moref, potgroup and RecovPlan) and write to object
    Write-Host "Getting VM infos"
    foreach ($protGroup in $SRMApi.Protection.ListProtectionGroups()){
            #get ProtGroup name
            Write-Host "`nWorking on Protection Group: "+$protGroupName -NoNewline
            #get PortGroup RecoveryPlan(s)
            #A ProtectionGroup can belong to more then one RecoveryPlan
            foreach($TempPlan in $recoveryplan){
                #find Recovery and get the name
                foreach ($test in $RecoveryObj) {
                    if ($TempPlan.moref.value -eq $test.moref){
            $recoveryPlanName=$TempPlanName -join ','
            #get all proetced VMs
            foreach ($protVM in $protGroup.ListProtectedVMs()){
                $tempObj= New-Object PSObject -Property @{"VMmoref"=($protVM.Vm.MoRef);"ProtGroup"=$protGroupName;"RecoPlan"=$recoveryPlanName;"State"=($protVM.State);"NeedConfig"=($protVM.NeedsConfiguration);"Faults"=($protVM.Faults)}
                Write-Host "." -NoNewline
    }#end of get VMs
    Write-Host "`n"

    #check if Tag Categories Exist, if not create
    if ((Get-TagCategory  -Name 'SRMPrortectionGroup' -ErrorAction:SilentlyContinue) -eq $null){
            Write-Host "Creating Tag Category SRMPortectionGroup"
            New-TagCategory "SRMPrortectionGroup" -Cardinality "Single" -EntityType VirtualMachine -Confirm:$false
    if ((Get-TagCategory  -Name 'SRMRecoveryPlan' -ErrorAction:SilentlyContinue) -eq $null){
            Write-Host "Creating Tag Category SRMRecoveryPlan"
            New-TagCategory "SRMRecoveryPlan" -Cardinality "Single" -EntityType VirtualMachine -Confirm:$false
    #loading TagCategories
    $TC_SRMGroup=Get-TagCategory  -Name 'SRMPrortectionGroup'
    $TC_SRMPlan=Get-TagCategory  -Name 'SRMRecoveryPlan'
    #Tagging Protected VMs
    Write-Host "Assigning tags" -NoNewline
    foreach ($vmObj in $ProtectedVM) {
        #get VMObject from Moref
        $VM=Get-VIObjectByVIView -MORef ($vmObj.VMmoref)
        #Check if Protection group tag exists
        if ((Get-Tag -Name ($vmObj.ProtGroup) -Category $TC_SRMGroup -ErrorAction:SilentlyContinue) -eq $null){
            Write-Host ("Creating Tag {0}" -f ($vmObj.ProtGroup))
            New-Tag -Name ($vmObj.ProtGroup) -Category $TC_SRMGroup -Confirm:$false
        #assign Protection group tag
        $vm|New-TagAssignment -Tag (Get-Tag -Name ($vmObj.ProtGroup))  -Confirm:$false
        #Check if Protection group tag exists
        if ((Get-Tag -Name ($vmObj.RecoPlan) -Category $TC_SRMPlan -ErrorAction:SilentlyContinue) -eq $null){
            Write-Host ("Creating Tag {0}" -f ($vmObj.ProtGroup))
            New-Tag -Name ($vmObj.RecoPlan) -Category $TC_SRMPlan -Confirm:$false
        #assign Recovery plan tag
        $vm|New-TagAssignment -Tag (Get-Tag -Name ($vmObj.RecoPlan)) -Confirm:$false
    }#end of Tagging

# Write-Host "Exporting VM info"    
# $ProtectedVM|select-Object VMmoref,ProtGroup,RecoPlan,State,NeedConfig | Sort-Object -Property VMmoref|Export-Csv -Path d:\tmp\Protvms.csv

} #end of try
Catch {
    Write-Host $_.Exception.Message -ForegroundColor Red
    Write-Host "Disconnecting vCenter"
    Disconnect-SrmServer $srmConnect -Confirm:$false -Force:$true
    Write-Host "Disconnecting SRM"
    Disconnect-VIServer $vcConnect -Confirm:$false -Force:$true

************** vROPS 6.3 UPDATE **************

The following blog has been updated to reflect changes in version 6.2 to 6.3 as well as repair some other issues.



As you may have found the existing official documentation on vROPS Remote collectors is pretty thin. As I was involved in a project to get this all going in a Enterprise setting I thought I would share some documentation with you.


First of all here is the official doco:


And here is a good post about some questions you may have:


If you have not worked with vROPS 6 yet there is a good book I would recommend:

Architecture background

The deployment we are looking at is a vROPS 6.0.2 with vRIN 5.8.4 (vRealize Infrastructure Navigator formally vCenter Infrastructure Navigator, VIN) and with SRM integration of vRIN.

The idea is to have a central vROPS cluster and then use remote collectors to get data from other vCenters that are disbursed throughout the word.

However you can also use this for pure vROPS remote collectors

The main site consists of an vROPS Master, a replica and a Data node. vROPS is connected to the local vCenter (Protected site) as well as to the VRIN that is paired with the same vCenter. vRIN is configured to collect information form the VMs as well as from SRM.

Each remote site has a remote collector that is paired with the remote vCenter (Protected Site) as well as the vRIN instance. vRIN is configured to collect information form the VMs as well as from SRM.




Using vROPS and SRM together is something that needs to be discussed. Some people have the idea that they like to monitor the VMs that fail over from the protected vCenter to the recovery vCenter and that it all then magically works. This is not the case.

Each VM (or actually every object) in vCenter has its unique moref (managed object reference) and even if a VM has the same name in the Protected vCenter as in the Recovery vCenter it’s a different object. When SRM protects a VM it will create a placeholder VM on the recovery site. This placeholder VM is basically only the VMX file and has no VMDKs attached to it. SRM will furnish the VMs with VMDKs at the time of recovery.

So if you are connection a vROPS instance to the Proetced and the Recovery site, VROPS will see two different VMs (each with the same name). One will be active monitored and the other one is powered off. However you just wasted a vROPS VM licence for an essentially dead VM. The placeholder VM on the protected site shouldn’t be on, if it are in a DR scenario.


So what would be the benefit of an vROPS in DR?

The only thing would be the ability to use all the data that is collected from the point on that the placeholder VM is started. You could use the troubleshooting options as well as some of the views etc. But all forecasts will be unusable. Please remember that vROPs needs at least 3 weeks of data collection to make accurate future predictions.


In my personal opinion vROPS in DR is just a waste of licensing and space. I can not see any real benefits. Please feel free to correct me.


VRIN - SRM integration

For VRIN to be integrated in SRM the user must have permission on the PAIRED SRM instance. Meaning the users needs to have permissions on vCenter as well as on the SRM instance that this vCenter is paired with. As for the role…that’s a bit tricky there isn’t really any great doco about it I successfully used for vCenter the read rights plus Virtual machine | Interaction | Console interaction | Guest operating system management by VIX API. For SRM I haven’t really tested it that much and used the Admin role…properly there is a better solution.


Open Ports

The following figures show all the Network ports that need to be in place for vROPS & vRIN in regards to the above scenario.





The are heaps of posts about how to deploy and configure vROPS and vRIN so I will not cover this.

We will focus on deploying and configuring the remote collectors.



Deploy VROPS Remote collector

  • Deploy the vROPS OVA using vSphere Web Client (The Fat client can be used, but you shouldn’t)
  • Fill out the deployment tool as usual
  • Choose the Remote Collector (Standard or Large) for deployment
  • Choose TimeZone where the remote collector is placed
  • Deploy and power on the VM
  • Wait for VM to be ready (the VM Console shows the IP etc)
  • Open Web Browser and connect to IP or FQDN of the Remote collector
  • Click on Expand Existing Installation
  • Enter the nodes name (maybe create a Naming Standard!)
  • Select Remote Collector
  • Enter the FQDN of master node and click on Validate
  • Accept The Certificate
  • Enter the vROPS Admin password
  • Wait until the config is done…THIS may take some time (10 minutes plus).
  • Click on “finish adding Nodes” the Remote collector should now show Online and poweredOn
    You can do that step also thought the /admin interface on the Master node.
  • Logout
  • Login to the vROPS UI
  • Check the Cluster Management page of your VROPS installation. Your Remote controller should now show up.

Adding Remote collector to vROPS Cluster Collector Groups

A collector group is a group of collectors. The idea is to have multiple remote collectors in one site and then use them to spread the load of the collection. You don’t have to create a collector group to use a remote collector.

Go to Administration and then to Collection Groups. Here you can create a new Collection group and assign remote collectors to it.

Add remote sources to Solutions

  • Login to the vROPS UI
  • Go to Solutions and mark VMware vSphere then click on the Gears Icon (configure)
  • Mark vCenter Adapter and then select the green + to add a new instance (or edit an existing instance. If you do so STOP the collector first and then start it later again)
  • Give it a Display name and description. Make sure that you have a good Naming Standard as its important that you can identify which instance is connected to what using which remote collector.
  • Enter the FDQN of the of the vCenter as: https://[vCenter FQDN]/sdk
  • We need to select how we connect to this instance. Expand Advanced settings and select the remote collector or Collector group that you want to use to connect to this instance of vCenter.
  • You may want to create new Credential for this connection
  • Click on Test.  if that works click on save Settings
  • Accept the SSL certs
  • Repeat the above for the vRealize Infrastructure Navigator Solution (also using the remote collector in the advanced settings)


To see if everything is working do the following:

  • WAIT 5 to 10 minutes. vROPS collects data (by default) every 5 minutes. So after adding an adapter instance you have to wait for at least one cycle (better two).
  • Go to the Cluster Management Page in Administration and click on your master node.
  • Below you now the amount of objects and metrics vROPs is collecting for the a given Adapter instance. If nothing is shown the collection isn’t working. See below.
  • Click on the remote collector and see how many objects and metrics are collected. If none are showing it either has connection problems or it is not used.
  • If you don’t see any objects and metrics check the following:
    • Are you able to connect to the vCenter? Check the Adapter instance and click on Test?
    • Is port 443 and 6061 open between the remote collector and the vROPS cluster?
    • Check the collector logs on the remote collector and see if there are any Warnings or errors