Under Directories, click Add Directory
Here I am going for IWA (Integrated Windows Authentication)
Note: For the sync to be successful, the AD users will have to have
- First Name
- Last Name
- Email Address
Here enter a name and select Integrated Windows Authentication
Enter the credentials of a user with Domain Admin permissions
Select the domain you wish to sync users from. Here I only have one domain
Here I leave the defaults
Here enter the DNs of the groups you wish to sync. The DNs can be found under the Group Properties in Active Directory Users and Computers (You need to enable the Advanced under View)DC
Here I add two groups
- CN=vRA Admins,CN=Users,DC=open902,DC=com
- CN=vRA Users,CN=Users,DC=open902,DC=com
Do the same for individual users not part of the group – i.e. Domain Admin
See the error ? This is because the individual user (Domain Admin) added is also part of other groups, like Schema Admins, Enterprise Admins etc. – which aren’t synced on the previous screen. I am honestly not sure if it matters, but I have worked on other environments where this isn’t avoidable – so I do not think this is a ‘deal breaker’
Anyway – I don’t really need the domain admin, so I remove it as individual user – you can now see that the warning has disappeared
Sync should now start
Ensure the Sync finishes successfully
Now it is time to hand out some permissions
Under Directory Users and Groups, select the appropriate group you wish to give permissions to (admin permissions that is).
Click the user or group you want to give admin permissions to.
Select the type of permission you want to give.
Note: Business Management * will only appear when you integrated vRB for Cloud
Btw. – I highly recommend Grant Orchard’s Visual Guide to vRA 7 Permissions, it shows perfectly what’s what 🙂
As confirmation you can now see who is member of the group added – here I only have one user
Note: It IS best practise to assign roles only to those who need them. This is a lab environment so I have a user who rules them all 🙂
Now log out.
Once logged out, you can see the possible domain to login.
Once logged in, select the default tenant. Here add the required admin group to the IaaS administrators
Click Finish and log back out.
Note: May as well get a drink. I have noticed that it can take a few moments for the new permissions to propagate. This in fact seems to be the case for any new permissions given to AD users. This isn’t an ‘AD thing’ but merely some internal funny stuff vRA ‘does’ (yes, that is totally a professional term).
Click Change to different domain
Select the newly added domain
Enter the credentials of the admin you just created
You should now see additional tabs such as Design and Business Management (if applicable)
As mentioned – now it is time to create the Endpoints. First, I will add an Orchestrator Endpoint.
The reason I am doing this before vCenter is NSX.
If you have the Orchestrator Endpoint in place and you then create a vCenter Endpoint with Network Security (NSX) – it is able to create the NSX Endpoint in vRO automatically.
If you don’t have the vRO Endpoint in place BEFORE you add Network Security to the vCenter one, the collection will fail
Let’s start the vRO Configurator. SSH to the vRA appliance and start the vRO Configrator
Michaels-MBP:vra.open902.com mike$ ssh [email protected] VMware vRealize Appliance [email protected]'s password: Last login: Wed Nov 23 14:56:53 UTC 2016 from 192.168.1.201 on ssh vra:~ # service vco-configurator start Starting tcServer Using CATALINA_BASE: /var/lib/vco/configuration Using CATALINA_HOME: /opt/pivotal/pivotal-tc-server-standard/tomcat-8.5.4.B.RELEASE Using CATALINA_TMPDIR: /var/lib/vco/configuration/temp Using JRE_HOME: /usr/java/jre-vmware Using CLASSPATH: /opt/pivotal/pivotal-tc-server-standard/tomcat-8.5.4.B.RELEASE/bin/bootstrap.jar:/opt/pivotal/pivotal-tc-server-standard/tomcat-8.5.4.B.RELEASE/bin/tomcat-juli.jar Using CATALINA_PID: /var/lib/vco/configuration/logs/tcserver.pid Tomcat started. Status: RUNNING as PID=6520 vra:~ #
Now browse to the Control Center (you might need to give it 2 minutes)
Use the root credentials of your vRA appliance (remember, this is the embedded vRO appliance)
Select Configure Authentication Provider
Here I set the authentication source to use my vRA Admin Group as admins
Restart vRO for the changes to take effect
You should now be able to use vRO using the vRA admin.
While we’re here, may as well add all certificates
Here I imported both, PEM created earlier, the vCenter and NSX Manager one
Now back to vRA.
Create credentials of a user part of the vRO admin group just configured for vRO – and the SSO Admin for the vCenter Endpoint (or using a user with administrative permissions in vCenter)
Now create a new Endpoint – this time of type Orchestration > vRealize Orchestrator
Note: You will see the vCenter Endpoint in the below screenshot – ignore that 🙂
Enter the details – note – the vRO instance I am using here is the embedded vRA one – so the URL is the vRA appliance.
Oh and you’ll get an error
Now add the Custom Property mentioned
VMware.VCenterOrchestrator.Priority with a value of 1 or greater
Hover over the Endpoint and select Data Collection
The Data Collection should have succeeded.
Next, create a vCenter Endpoint
Enter the vCenter details. Ensure the name matches the endpoint configured during the wizard.
Here you can see I have also NSX in my environment. This isn’t essential or part of vRA. But … can be 🙂
To easily test whether the Endpoint is configured correctly, check the logs. You can see the said error repeats every minute. So once you configured the Endpoint, the errors should stop 🙂
Another Endpoint I will create is for Active Directory
Navigate to Administration > vRO Configuration > Endpoints
Select the Active Directory Plugin
Give it a name
Ad the details relevant to your AD
You won’t get a success message, but an error if credentials an / or host is wrong.
In future articles I will go through things like Fabric Groups, Business Groups etc.