VMware Cloud Community
IOWDave
Enthusiast

Multiple AD Domains

Good Afternoon,

Does anyone know if it is possible to configure Orchestrator so that users in multiple child domains of a single forest can access the application? I have tried setting my LDAP paths to the root domain, but it only appears to work if I set my paths to the child domain in which the accounts are defined.

Any help appreciated,

Dave.

7 Replies
admin
Immortal

This should work but the root AD needs to be a Global Catalog server. In this case, the GC will issue LDAP referrals to the proper child DC for authentication.

Bill

IOWDave
Enthusiast

Good Morning,

Thanks for the information, but I am still struggling to get this to work. I am trying to set this up as shown below.

Root domain - flintstone.org

Child domain 1 - fred.flintstone.org

Child domain 2 - wilma.flintstone.org

Primary LDAP - dc1.flintstone.org

Root - dc=flintstone, dc=org

Use Global Catalog - checked

Username -

User lookup base - dc=flintstone, dc=org

Group lookup base - dc=flintstone, dc=org

vCO Admin Group - cn=vCOAdmins, OU=AdminGroups, dc=fred, dc=flintstone, dc=org

If I apply those settings then I am told that the user is not a member of the vCO Admin group even though it is, and my Plug-ins settings show an error. If I log in using the vCO client then I cannot find any virtual machines when I try to run a simple workflow such as the Extract VM Information workflow.

What I am trying to achieve is to allow users from both the fred.flintstone.org and the wilma.flintstone.org domains to use vCO. Can you please tell me if my configuration looks right or if I am making some obvious error?

Thanks,

Dave.

admin
Immortal

Is the user fred directly a member of the vcoAdmins group, or a member via other groups?

It should work if your domain is configured as a tree. Referrals do not work if the domains are part of the same forest but not of the same tree.

How did you configure the vCenter 4.0 plugin? To be able to see VMs, you must add the vCenter servers in it. If you use the default configuration when adding a vCenter server, the user that is accessing vCenter must not be the same as the user accessing vCO.

IOWDave
Enthusiast

Good Morning,

The vCO user is a member of the vCOAdmins group and the domains are child domains of the root domain as shown below.

             flintstone.org
             /            \
fred.flintstone.org    wilma.flintstone.org

The vCOAdmin group is in the fred.flintstone.org child domain.

What I am trying to achieve is for users in both of the child domains to be able to use Orchestrator.

I have configured the vCenter plug-in, and if I set the search paths to start at the fred.flintstone.org level then it works, but users from the wilma.flintstone.org child domain cannot use Orchestrator.

Thanks for your time and effort in looking at this.

Regards,

Dave.

admin
Immortal

Could you try to use a Group from the main flintstone.org domain?

FSvcoe
Enthusiast

Curious if you ever resolved this issue, or if anyone else has encountered it, as this is rather an old post. I am encountering a similar situation.

Using your model for illustration, I created a VCOAdmin group in the fred.flintstone.org child domain, with members from the wilma.flintstone.org child domain. You cannot login to VCO using a wilma.flintstone.org AD account, but you can using a fred.flintstone.org AD account. Seems odd, as AD authentication for RDP is working fine for wilma.flintstone.org accounts, with the VCO server being located within the fred.flintstone.org domain.

We've worked around this in the past by placing the VCO service account in the same child domain as the user accounts, but that's not consistent with our architectural standards. All items in the VCO config sections are green.

Any guidance on solving would be appreciated.

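Editor's note, added to this thread (not from any of the posters and not VMware code): the symptom in Bill's first reply, Dave's configuration and the two posts above comes down to what a Global Catalog actually holds. A GC (port 3268 on dc1.flintstone.org in Dave's layout; a plain domain DC answers on 389) is a full replica of its own domain only. For the other domains of the forest it keeps a partial replica, and the member attribute is replicated into that partial replica only for universal groups. So a domain-local vCOAdmins group in fred.flintstone.org, read through a GC hosted in flintstone.org, comes back with no members at all, which is exactly "not a member of the vCO Admin group" and "cannot log in" for the wilma.flintstone.org accounts. (A global group cannot contain wilma accounts in the first place.) The script below checks this. It assumes the forest from the thread, a GC on dc1.flintstone.org, and the Python ldap3 package for the optional live query only; the offline part runs on a constructed group entry.

```python
"""Check what Orchestrator will see when its LDAP lookups go through a Global Catalog.

Added example for this thread, not VMware code. Assumes the forest posted above
(flintstone.org with children fred and wilma), a GC on dc1.flintstone.org, and the
'ldap3' package only for the optional live query; everything else runs offline.
"""
import re

# Bits of the AD groupType attribute (Microsoft-documented values).
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY = 0x80000000

GC_PORT, DC_PORT = 3268, 389          # a GC listens on 3268, a plain domain DC on 389
ROOT_BASE = "dc=flintstone,dc=org"    # the "Root" value from the configuration above

# Constructed sample: the vCOAdmins group from the thread as a domain-local security
# group in fred.flintstone.org, with one member from wilma.flintstone.org.
SAMPLE_GROUP = {
    "dn": "cn=vCOAdmins,ou=AdminGroups,dc=fred,dc=flintstone,dc=org",
    "groupType": -2147483644,   # 0x80000004 as AD stores it: security + domain local
    "member": [
        "cn=dave,cn=Users,dc=fred,dc=flintstone,dc=org",
        "cn=betty,cn=Users,dc=wilma,dc=flintstone,dc=org",
    ],
}


def group_scope(group_type):
    """Return 'global', 'domainLocal' or 'universal' from a groupType value."""
    bits = group_type & 0xFFFFFFFF   # AD stores groupType as a signed 32-bit integer
    if bits & GROUP_TYPE_UNIVERSAL:
        return "universal"
    if bits & GROUP_TYPE_DOMAIN_LOCAL:
        return "domainLocal"
    if bits & GROUP_TYPE_GLOBAL:
        return "global"
    raise ValueError("groupType %#x has no scope bit" % bits)


def domain_of(dn):
    """DNS name of the domain a DN belongs to, taken from its dc= components."""
    parts = re.split(r"\s*,\s*", dn.strip())
    return ".".join(p.split("=", 1)[1] for p in parts if p.lower().startswith("dc=")).lower()


def members_missing_from_gc(group_dn, group_type, members, gc_domain):
    """Members that a GC hosted in gc_domain will NOT return for this group.

    A GC is a full replica of its own domain, so groups there are complete. For
    every other domain in the forest it holds a partial replica, and the member
    attribute is replicated into that partial replica only for universal groups.
    """
    if domain_of(group_dn) == gc_domain.lower():
        return []
    if group_scope(group_type) == "universal":
        return []
    return list(members)


def fetch_group(host, port, bind_user, bind_password, group_dn):
    """Live read of groupType and member for group_dn (needs ldap3 and a network path).

    Run it against the GC (3268) and against a DC of the group's own domain (389)
    to see the difference that members_missing_from_gc predicts.
    """
    from ldap3 import BASE, Connection, Server   # imported here so the rest stays offline

    conn = Connection(Server(host, port=port), user=bind_user,
                      password=bind_password, auto_bind=True)
    conn.search(group_dn, "(objectClass=group)", search_scope=BASE,
                attributes=["groupType", "member"])
    entries = [r for r in conn.response if r["type"] == "searchResEntry"]
    if not entries:
        raise LookupError("%s not found on %s:%d" % (group_dn, host, port))
    attrs = entries[0]["attributes"]
    return int(attrs["groupType"]), list(attrs.get("member", []))


if __name__ == "__main__":
    import sys

    gc_domain = domain_of(ROOT_BASE)
    hidden = members_missing_from_gc(SAMPLE_GROUP["dn"], SAMPLE_GROUP["groupType"],
                                     SAMPLE_GROUP["member"], gc_domain)
    print("scope:", group_scope(SAMPLE_GROUP["groupType"]))
    print("members a GC in %s will not report: %s" % (gc_domain, hidden or "none"))
    if len(sys.argv) == 4:       # host bind_user bind_password -> live comparison
        for port in (GC_PORT, DC_PORT):
            gt, members = fetch_group(sys.argv[1], port, sys.argv[2], sys.argv[3],
                                      SAMPLE_GROUP["dn"])
            print("port %d: scope=%s members=%s" % (port, group_scope(gt), members))
```

Run offline it reports that both members of the constructed domain-local group are invisible to a GC in flintstone.org; with host, bind user and password on the command line it reads the real group on 3268 and 389 so the two answers can be compared. The two fixes it points to are the ones already hinted at in the thread: make vCOAdmins a universal group, so its membership is carried in every GC of the forest, or create the group in the domain whose DC/GC Orchestrator binds to (Bill's suggestion of a flintstone.org group), where the server holds the full replica and group scope no longer matters.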
FSvcoe
Enthusiast

Has anyone had any luck (or encountered an issue) with this? It's extremely frustrating. I am able to add the VCO-Admin group, which contains members from a different domain, but you cannot log in to the VCO client as one of those users.
