VMware Cloud Community
siglert
Enthusiast

VRA 8.1 Active Directory Integration Issue

I am deploying a multi-machine blueprint whereby the user picks any number of web app and db servers and then sends the request. The request starts to run and, using the AD integration plugin, it tries to go out and pre-stage computer accounts for the machines in the specified OU. I am getting intermittent success. It is not consistent. When it fails, it is due to a java.util.concurrent.TimeOut Exception. At first I considered it was due to me using the SPN of the name as the AD controller. So I changed that and am now pointing to a specific domain controller. I still get the errors more often than not. I get a successful run about 1 out of 5 times. I know it's not anything in the blueprint; it has to be in the AD Plugin, or there may be an issue on my client's AD domain. Here is a failed workflow run showing that it fails at the PRESTAGE_COMPUTER_ACCOUNT. Any help troubleshooting would be appreciated.

pastedImage_0.png


Accepted Solutions
siglert
Enthusiast

Just FYI, I solved the issue by not using the AD integration Module. I created two separate workflows: one that created a machine in the OU that I wanted, and the other to destroy the computer account when the machine is destroyed. I created subscriptions on the pre allocate and the post removal, and I was successfully able to run a multi-machine blueprint numerous times without any failures. I deployed almost 600 VMs on three separate networks with 3 different images without any failures as a test. The computer objects were all created and destroyed based on the deployment.

9 Replies
MikeNox
Enthusiast

Confirm the AD permissions of the service account used to connect the machine to AD. For testing, make the account a Domain Admin, and if successful, remove the access and try to identify the exact permissions needed in the OUs you are using. VMware does list the AD permissions, but I am currently unable to find that document.

siglert
Enthusiast

The permissions are fine. As I stated, about 1 in 5 times I get a successful run. The service account has full permissions to create objects in a domain and join objects in a domain.

MikeNox
Enthusiast

I read that it was 1 in 5 success.  I had a similar issue.

Again, I can't seem to find the exact AD permissions needed for this, but in troubleshooting we found that granting the service account DA permissions resolved it. I was just suggesting a troubleshooting process that would indicate whether it was an AD permissions issue or vRA. This is version 8.1 and there seem to be a lot of bugs still.

lowlysysadmin
Contributor

Hey siglert - I'm having the exact same issue. AD integration randomly stops working.

VRA appliance IP is in an appropriate subnet attributed to a site listed in AD sites and services

Giving service account DA temporarily did not help

Fully qualifying domain name and domain controller names didn't help (i.e. ldap://company.com:389 OR ldap://comldapsrv01.company.com:389)

I can't locate the AD integration logs on the appliance itself to troubleshoot any further

Would you mind sharing the logic of your custom workflows/actions? I think I will need to go down the same path. Thanks

siglert
Enthusiast

Sure, here is a vRO package.

siglert
Enthusiast

If it's not in the last, it's for sure in this one. There are a number of workflows.

lowlysysadmin
Contributor

Thanks so much, siglert - I am hoping to get a chance to toy with this over the weekend.

Cheers

siglert
Enthusiast

Let me know how it works out.
