VMware Cloud Community
hawks76
Enthusiast

AD Integration/Customization Spec vRA 8.9/8.10 created 2 AD Computer Objects

We have been using vRA 8.x since Sept. 2022. No issues at all with deployments up until Dec. Suddenly, deployments started creating 2 AD Computer objects (1 that is prestaged by vRA and another that is created when joined to the domain by the customization spec). I have a support request open with VMware, but so far they have been stumped. Wondering if anyone else has seen something similar. I've narrowed it to something with the customization spec through testing different configurations on blueprints. For whatever reason, the customization spec stopped seeing the staged computer object in the specified OU and creates a new one in the default OU.

4 Replies
DanielStastka
Enthusiast

I create a computer object on subscription "compute.provision.pre" using the built-in vRO workflow "Create a computer in an organizational unit". If you have a large AD environment you must check that replication of AD objects has reached all DCs. It's possible that computer objects are not present on all DCs. I think the best time to create it is before cloning.

The join to AD will be performed by Sysprep "VM Customization Specifications" (vSphere). Sysprep does not support a join with a specified OU. It takes the existing object.

Tested on vRA 8.6/8.8/8.10

You can create your own workflow with "netdom join": Join domain to a specific OU for guest operating system customization (88471) (vmware.com)

By default, Active Directory will not allow a duplicate computer name in the domain. Attempting to rename or join a machine with an existing name will cause an error such as "Object already exists" or similar.

Dany

hawks76
Enthusiast

I understand Customization Specs don't have the ability to create AD objects in specific locations, but prior to early December, when the customization spec was applied by vCenter as part of vRA provisioning, it always saw the pre-existing AD object created by the AD Integration in vRA and joined the domain using that object instead of creating a new one.

DanielStastka
Enthusiast

Windows updates released on and after 11 October 2022 contain additional protections introduced by CVE-2022-38042. Maybe that is your problem. What was the last update on your template?

You can change the owner of the computer object, or you can change the registry value NetJoinLegacyAccountReuse on your template.

hawks76
Enthusiast

Just circling back around for future reference for anyone else that may have an issue like this. It turns out our AD team had made some changes that negatively impacted replication. They finally admitted it and fixed it.

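The two checks DanielStastka's first reply recommends (has the prestaged object replicated to every DC, and is it in the OU vRA used with an owner the join account can reuse under the CVE-2022-38042 hardening) are what would have pointed at the replication problem reported in the last post. The script below is an added example, not code from the thread or from VMware; it requires the ActiveDirectory RSAT module, and $ComputerName, $ExpectedOU and $JoinAccount are assumed values to replace with your own.

```powershell
# Added example (not from the thread): run before the customization spec joins the guest.
# Reports DCs that do not yet hold the prestaged object, DCs that see it outside the
# expected OU, and an object owner that differs from the join account. It also reads the
# NetJoinLegacyAccountReuse override from the local (template) registry.
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [string]$ExpectedOU  = 'OU=vRA Staging,DC=corp,DC=example',   # assumption
    [string]$JoinAccount = 'CORP\svc-vra-join'                     # assumption
)
Import-Module ActiveDirectory

$dcs         = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$missing     = @()   # DCs where the object has not replicated yet
$unreachable = @()   # DCs that could not be queried at all
$seen        = @()   # one row per DC that holds the object

foreach ($dc in $dcs) {
    try {
        # Query each DC directly; nTSecurityDescriptor carries the object owner
        $obj = Get-ADComputer -Identity $ComputerName -Server $dc `
                   -Properties nTSecurityDescriptor -ErrorAction Stop
        # Parent container = DN with the leading "CN=<name>," component removed
        $container = ($obj.DistinguishedName -split ',', 2)[1]
        $seen += [pscustomobject]@{
            DC = $dc; Container = $container; Owner = $obj.nTSecurityDescriptor.Owner
        }
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        $missing += $dc
    }
    catch {
        $unreachable += "$dc ($($_.Exception.Message))"
    }
}

if ($missing) {
    Write-Warning "'$ComputerName' has not replicated to: $($missing -join ', ')"
    Write-Warning "A guest that locates one of these DCs will create a second object in the default Computers container."
}
if ($unreachable) { Write-Warning "Could not query: $($unreachable -join '; ')" }
$seen | Where-Object { $_.Container -ne $ExpectedOU } | ForEach-Object {
    Write-Warning "$($_.DC) sees the object in '$($_.Container)', expected '$ExpectedOU'"
}
$seen | Where-Object { $_.Owner -ne $JoinAccount } | ForEach-Object {
    Write-Warning "$($_.DC): owner is '$($_.Owner)'; the hardened join only reuses an object owned by '$JoinAccount'"
}
$seen | Format-Table -AutoSize

# Legacy account-reuse override mentioned in the thread: absent or 0 means the hardened default is active
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' `
    -Name NetJoinLegacyAccountReuse -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty NetJoinLegacyAccountReuse
```

Run it from the template or a management host with RSAT after the vRO pre-provision workflow has created the object and before the clone boots; an empty $missing list confirms the object is visible wherever the guest may authenticate.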