VMware Cloud Community
craigso
Enthusiast

vRA 8.1 - Select AD Bind Location (Override AD Integration OU)

I am looking for a way to allow a user to choose their AD bind location at request time in vRA 8.1. We were able to achieve this in 7.6 by overriding a custom property and away it went, so now I'm trying to achieve that same behavior within 8.x. I've already got AD integration configured and I can see vRA creating/deleting computer objects in the configured OU. Now I'm looking for a way to override the location.

I understand it may be possible if we bypass the use of AD integration in favor of event subscriptions and custom workflows. I've also read a few users here complain that AD integration has a few bugs in it where objects are not getting created. Ideally I'd first like to give AD integration a shot before looking at the subscription method.

Any thoughts are welcomed. Thanks for reading.

8 Replies
nachogonzalez
Commander

Hello, hope you are doing fine

I think what you are looking for is in vRA Identity Manager --> Identity and Access Management --> Select your directory --> Sync Settings --> Groups/Users

Hope this works

Warm regards

0 Kudos
craigso
Enthusiast

Correct me if I'm wrong, but those appear to be just the DN of where the group is located? What I'm looking for is a property I can override, similar to 7.6, to dynamically change the AD bind location.

0 Kudos
nachogonzalez
Commander

Sorry, the cropping has gone bad lol

You can do it from here

From the users side you can set filters

0 Kudos
craigso
Enthusiast

I guess what I'm missing here is how to use this for specifying where to create a computer account object when binding (joining) it to AD?

0 Kudos
emacintosh
Hot Shot

I don't see any obvious way.

Based on when the object is created, it seems to happen after compute.provision.pre and before compute.provision.post, but I could be missing something there. I am logging the properties for multiple event topics (including those two), and I don't see any that refer to the OU that has been configured. It's possible that a relevant property could be in a topic I'm not logging, though? Or maybe an undocumented property?

Aside from a specific/known property, I thought maybe you could add a project to an AD integration multiple times with different OUs/tags for each, and use the tags in the blueprint somehow to choose the one with the OU you want. But it looks like you can only add a project once, and therefore one OU per project.

I hoped that maybe you could reference a property in the Relative DN field like you can for the naming template in a project, but that doesn't work either. It looks like the full DN path is validated before it allows you to save it. I was thinking/hoping to use something like ${resource.ou} ...

I'm certainly no expert, so it could still be doable, but nothing jumps out as to how...

GParker72
Contributor

Did you get this resolved? I am looking at doing the same kind of thing … add the machine name to AD during deployment.

0 Kudos
craigso
Enthusiast

I didn't. What I ended up doing is just not using the AD integration at all and built workflows to do this for me then trigger them with event subscriptions. I would much prefer to use AD integration, but it's not there yet.

0 Kudos
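Since the event-subscription route lets a requester pick the bind location, the workflow that receives the event should constrain that choice rather than trust it, or a requester could place a computer object in any OU the integration account can write to. The following is an added example of that selection step, not code from this thread or from vRA/vRO: the `adOu` custom property name, the OU DNs, the payload shape, and the allow-list are all assumptions. It returns the OU the subsequent AD join step would use; the join itself is left to whatever AD workflow you already run.

```javascript
// Added example (not from the thread): choose the AD OU for a vRA 8.x
// event-subscription workflow from a requester-supplied custom property,
// limited to an approved list. Property names and OU DNs are constructed.
const DEFAULT_OU = "OU=Servers,DC=corp,DC=example"; // constructed: the OU set in the AD integration
const APPROVED_OUS = [                               // constructed allow-list of permitted bind locations
  "OU=Servers,DC=corp,DC=example",
  "OU=Web,OU=Servers,DC=corp,DC=example",
  "OU=Build,OU=Servers,DC=corp,DC=example",
];

// Canonicalise a DN so comparisons ignore case and whitespace around RDN separators.
// Limitation: escaped commas inside an RDN value (\,) are not handled by the naive split.
function normalizeDn(dn) {
  return String(dn)
    .split(",")
    .map((rdn) => rdn.trim().replace(/\s*=\s*/, "="))
    .join(",")
    .toLowerCase();
}

// Return { ou, reason } for this request. `payload` mimics the inputProperties a
// vRA 8 event topic delivers (assumed shape: customProperties is a flat map of the
// blueprint's custom properties; the property name "adOu" is an assumption).
function selectBindOu(payload, approved = APPROVED_OUS, fallback = DEFAULT_OU) {
  const requested = payload && payload.customProperties && payload.customProperties.adOu;
  if (!requested) {
    return { ou: fallback, reason: "no adOu property supplied, using integration default" };
  }
  const match = approved.find((ou) => normalizeDn(ou) === normalizeDn(requested));
  if (!match) {
    // An unapproved OU is rejected: the requester must not steer the object into an arbitrary OU.
    return { ou: fallback, reason: `requested OU '${requested}' is not approved, using default` };
  }
  return { ou: match, reason: "requested OU approved" };
}

// Constructed sample payloads, loosely in the shape of a compute.provision.pre event.
const SAMPLE_REQUEST = { resourceNames: ["web-001"], customProperties: { adOu: "ou=web, OU=Servers, dc=corp, dc=example" } };
const SAMPLE_BAD_REQUEST = { resourceNames: ["web-002"], customProperties: { adOu: "OU=Domain Controllers,DC=corp,DC=example" } };

console.log(selectBindOu(SAMPLE_REQUEST));     // approved OU returned in its canonical spelling
console.log(selectBindOu(SAMPLE_BAD_REQUEST)); // falls back to DEFAULT_OU with a reason
```

Logging the `reason` alongside the request gives the audit trail you want when a fallback occurs.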
tracilcurran
Contributor

Full disclosure, I work here, but we provide this as part of our integration and extensibility solutions:

  • Drive Microsoft Active Directory registration and de-registration automatically during the machine lifecycle
  • Use of a “build OU” during provisioning for the purpose of software deployments/configurations that require a less restrictive Group Policy
  • Capability to move to a final OU post-provisioning
  • Capability to dynamically create and remove OUs
  • Capability of adding computer account to an existing Active Directory security group
  • Templating of OU and Security Group designations

We have a free trial available - and you can see if it solves it. https://www.cloudbolt.io/onefuse/

0 Kudos