VMware Cloud Community
SteveCSchofield (Enthusiast)

multiple domains (no trust), single instance of vRA 7

Have you done this with 7? Multiple non-trusting domains, two vRA appliances behind a load balancer in a single vRA instance. Does each appliance create a machine account in each domain?

I have two AD domains like the ones below; I'm looking to add the resource domains to a single vRA 7 instance.

  • prodroot.msd & prodroot.resource.msd
  • qaroot.msd & qaroot.resource.msd

There is no trust between the two AD domains.

vRA Environment

nsx load-balancer

  • vra1
  • vra2
  • iaas-web1
  • iaas-web2
  • dem1
  • dem2
  • agent1
  • agent2

From the docs:

Multi-Forest Active Directory Environment Without Trust Relationships

A multi-forest Active Directory deployment without trust relationships allows you to sync users and groups from multiple Active Directory domains across forests without a trust relationship between the domains. In this environment, you create multiple directories in the service, one directory for each forest. See "Configure a Link to Active Directory," on page 86. The type of directories you create in the service depends on the forest. For forests with multiple domains, select the Active Directory (Integrated Windows Authentication) option. For a forest with a single domain, select the Active Directory over LDAP option.

6 Replies
steveschofield (Enthusiast)

I ended up reading the documentation, and even though our 'non-trust' domains are by definition 'forests' (each has an empty root and a resource domain), from vRA's perspective we are pointing directly to the 'resource' domain. We were successful in adding both the Qa-resource and Prd-resource domains to both appliances. We were able to add both connectors with both domains. We have some testing to do in HA mode; the documentation on pg 95 (vrealize-automation-70-configuration.pdf) states:

The load balancer URL is <load balancer address>/vcac/org/tenant_name. When I attempted to type /vcac/org/tenant_name the UI stated it was successful, but it only kept the load-balancer name "vra.example.com".

We have a case open with VMware to provide additional information. Stay tuned!

SteveCSchofield (Enthusiast)

I meant to say we used AD over LDAP, not the Windows Integrated option; much easier IMO.

GrantOrchardVMw (Commander)

By any chance do you have a VMware SE working with you? I'm seeing some parallels between your questions here and a few of the questions popping up on our internal forums. Could be coincidence :)

Grant
http://grantorchard.com
steveschofield (Enthusiast)

We do have an SE, a TAM and an MCS case. I'm searching in the community to see if anyone else has run into 'things'. I'm a former MS MVP who likes to engage the community. Are you Captain vRA? Like Captain vSAN?

GrantOrchardVMw (Commander)

It's good to see more community engagement :)

Last time I wore tights my wife nearly left me, so no... no Captain vRA for me!

I'll be interested to see how this pans out. I can test it in my environment, but just because things work doesn't mean they are supported. I'll leave that call to engineering and GSS.

Grant
http://grantorchard.com
steveschofield (Enthusiast)

AD over LDAP seemed easier than using Windows auth. Secondly, the error I was getting on a distributed deployment was related to certs. The advice to others is that each service should have its own cert.
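Two things in this thread are worth checking before clicking through the vRA directory wizard: that the service account can actually bind over LDAPS to each non-trusting resource domain (the "AD over LDAP" choice in the original post and the second reply), and that every endpoint in the distributed deployment presents a certificate issued for its own name (the last reply's advice). The script below is an added pre-flight check written for this page; it is not code from the thread or from VMware. The domain names, DC host names, bind accounts, and vRA endpoint names are placeholders, and it assumes LDAPS on 636, HTTPS on 443, and `ldapsearch`/`openssl` on the path.

```shell
#!/usr/bin/env bash
# Pre-flight checks before pointing a vRA 7 "Active Directory over LDAP"
# directory at a resource domain that has no trust with the others, plus the
# per-service certificate check the last reply recommends.
# Added example for this page, not code from the thread or from VMware.
# Every host name, bind account and domain below is a placeholder.
set -u

# DNS domain name -> LDAP base DN:
#   qaroot.resource.msd -> DC=qaroot,DC=resource,DC=msd
domain_to_basedn() {
  printf '%s' "$1" | sed 's/\./,DC=/g; s/^/DC=/'
}

# Does a comma-separated SAN list ("DNS:a.example.com,DNS:*.example.com")
# cover HOST? Exact names match; a wildcard covers exactly one label.
san_covers_host() {
  local sans="$1" host="$2" name suffix rest
  for name in $(printf '%s' "$sans" | tr ',' ' '); do
    name="${name#DNS:}"
    case "$name" in
      "$host") return 0 ;;
      \*.*)
        suffix="${name#\*}"        # ".example.com"
        rest="${host%"$suffix"}"   # "vra1" when the suffix matched
        if [ "$rest" != "$host" ] && [ -n "$rest" ] && [ "${rest#*.}" = "$rest" ]; then
          return 0
        fi
        ;;
    esac
  done
  return 1
}

# Fetch the certificate presented at HOST:PORT and report whether its SANs
# cover HOST. With one cert per service, each name must be on its own cert.
tls_san_check() {
  local host="$1" port="$2" sans
  sans=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
         | openssl x509 -noout -text 2>/dev/null \
         | grep -A1 'Subject Alternative Name' | grep 'DNS:' | tr -d ' ')
  if [ -z "$sans" ]; then
    echo "FAIL $host:$port: no certificate or no SAN extension"; return 1
  fi
  if san_covers_host "$sans" "$host"; then
    echo "ok   $host:$port cert covers $host ($sans)"
  else
    echo "FAIL $host:$port cert does not cover $host ($sans)"; return 1
  fi
}

# Simple bind over LDAPS with the account vRA will use, reading the domain
# root object. If this fails, the vRA directory wizard will fail the same way.
ldap_bind_check() {
  local domain="$1" dc="$2" binddn="$3" pass="$4"
  if ldapsearch -LLL -H "ldaps://$dc:636" -D "$binddn" -w "$pass" \
       -b "$(domain_to_basedn "$domain")" -s base '(objectClass=*)' dn >/dev/null 2>&1; then
    echo "ok   bind to $domain via $dc as $binddn"
  else
    echo "FAIL bind to $domain via $dc as $binddn"; return 1
  fi
}

main() {
  local rc=0 spec h
  # Placeholder resource domains, DCs and UPN-style bind accounts (assumptions).
  for spec in \
    "prodroot.resource.msd dc1.prodroot.resource.msd svc-vra@prodroot.resource.msd" \
    "qaroot.resource.msd   dc1.qaroot.resource.msd   svc-vra@qaroot.resource.msd"; do
    set -- $spec
    tls_san_check "$2" 636 || rc=1
    ldap_bind_check "$1" "$2" "$3" "${BIND_PASSWORD:?set BIND_PASSWORD}" || rc=1
  done
  # Every vRA endpoint, including the load-balancer VIP, presents a cert for its own name.
  for h in vra.example.com vra1.example.com vra2.example.com \
           iaas-web1.example.com iaas-web2.example.com; do
    tls_san_check "$h" 443 || rc=1
  done
  return $rc
}

# Network checks run only when invoked as: BIND_PASSWORD=... ./vra-ad-precheck.sh run
if [ "${1:-}" = run ]; then
  main
fi
```

The wildcard rule in `san_covers_host` is deliberately strict (one label only), which is what TLS clients enforce; a cert for `*.example.com` will not satisfy a name such as `iaas.web1.example.com`, so a failure here is a real failure in the browser and in the vRA connector as well.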