www.open902.com

My own Knowledge Base made public ..

vRA7 – AD Integration

To do any of the interesting stuff in vRA – we need some AD integration to give a user the required permissions – that is the user we will be using for most parts.

One note: This is a lab environment. I therefore won’t bother with the creation of different users for different roles in vRA – The procedures are the same, but I won’t go through the tedious bits 🙂

I suggest heading over to VMware.com to read up on the different roles possible. It really depends on your environment anyway, as to who can do what etc.

User Roles Overview @ VMware.com

In my environment I have created two AD User Groups

  • vRA7-Admins
  • vRA7-Users

With two users, each belonging to its respective group, cunningly called

  • vRA7-Admin
  • vRA7-User

So, let’s hand out some permissions.

Whilst logged in as configurationadmin, navigate to Administration > Directory Management.

Click Directories and then the [icon]

vra7_config_024

Enter your Active Directory details here. I am using the Integrated Active Directory Authentication.

Click Save & Next

vra7_config_025

vra7_config_026

Select the domain you want to use for authentication – I don’t have any trust with other domains, so here I see only one.

Click Next

vra7_config_027

I just keep the defaults.

Click Next

vra7_config_028

Here click the [icon] in order to add groups to be synced.

vra7_config_029

Here you need to enter the DN of a particular group.

If you have enabled the ‘Advanced Options’ in your ‘Active Directory Users and Groups’, you should be able to find the DN in the group’s properties.

vra7_config_031

Note: You can also find the DNs using ADSI Edit

In my example the above mentioned groups have the following DNs

  • vRA7-Admins
    • CN=vRA7-Admins,OU=Service Accounts,DC=vspherelab,DC=co,DC=uk
  • vRA7-Users
    • CN=vRA7-Users,OU=Service Accounts,DC=vspherelab,DC=co,DC=uk

Click the [icon] and add the DNs. I am not sure why it displays “0 of 1 Groups to sync” – but there we go. Click Next

vra7_config_033

When you click ‘Next’, you can quickly see that it changes from 0 of 1 to 1 of 1. You can confirm that by clicking ‘Previous’.

vra7_config_034

As all users in groups will be synced as well, I don’t need to specify additional User DNs

vra7_config_035

If you want to change the Sync Frequency, click Edit

vra7_config_036

Change the frequency and click Save

vra7_config_037

Now click Sync Directory

vra7_config_038

Depending on your environment – the sync can take a while, but in mine it took less than 30 seconds

vra7_config_039

Click the [icon]

vra7_config_040

In the above screenshot you can see that I only have two groups and one user. But I should have two groups and two users.

So I made a mistake in AD somewhere and I show further down how to see what went wrong.

But if you didn’t make mistakes, you should have the relevant users and groups imported into vRA, and you can give out some permissions.

As mentioned, I want / need an admin.

Navigate to Administration. If you are still in the same Directory view, click ‘back’

vra7_config_041

Click Users & Groups > Directory Users and Groups

vra7_config_042

In the search field, type the group or user which should be your admin.

Here you can see what is wrong – I am missing my vra7-admin

vra7_config_043

I checked AD and I actually forgot to add my admin user to the admin group. As I mentioned earlier – I only synced groups and their included users, not users specifically.

I now moved the user back into the group, but as you may remember, I set the sync frequency to hourly. I don’t want to wait, so I just kicked off a sync manually.

vra7_config_044

There we go – two groups, two users.
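
Both the DN lookup and the missing-member problem above can be checked on the AD side before a sync. The following PowerShell is an added example, not part of the original post; it assumes the ActiveDirectory module (RSAT) is available and uses this page's lab group and user names as the expected membership.

```powershell
# Added example: check the AD groups that vRA will sync before running the sync.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Expected membership, using the lab names from this page.
$expected = @{
    'vRA7-Admins' = @('vRA7-Admin')
    'vRA7-Users'  = @('vRA7-User')
}

foreach ($groupName in $expected.Keys) {
    # -Identity accepts the group's sAMAccountName; the result carries the DN
    # that has to be entered in the vRA directory wizard.
    $group = Get-ADGroup -Identity $groupName
    "{0}`n  DN: {1}" -f $group.Name, $group.DistinguishedName

    # -Recursive also lists users reached through nested groups.
    $members = @(Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' })

    # Flag every account in the group that is not on the expected list.
    foreach ($m in $members) {
        $flag = if ($expected[$groupName] -contains $m.SamAccountName) {
            'expected'
        } else {
            'UNEXPECTED'
        }
        "  member: {0} ({1})" -f $m.SamAccountName, $flag
    }

    # Flag expected accounts that are absent, which is the mistake described above.
    foreach ($want in $expected[$groupName]) {
        if ($members.SamAccountName -notcontains $want) {
            "  MISSING: $want is not in $groupName; a group-only sync will not import it"
        }
    }
}
```

Because the admin group is later given every role, any account flagged UNEXPECTED is worth resolving before the sync rather than after.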

Now when searching again (under Users & Groups) – I finally see my admin

vra7_config_045

I click the user group which should have full admin permission. Here ‘vra7-admins’

vra7_config_046

I give all permissions .. and click Next

You can see that the group has that one member (atm) – vra7-admin

vra7_config_047

Click Finish. You’ll be pushed back to the main screen.

vra7_config_048

Now test the user. Log out by clicking the [icon]

vra7_config_049

Since you now have integrated vRA with Active Directory, you have a selection of domains. Here in my case

  • vsphere.local (default)
  • vspherelab.co.uk (AD integrated)

vra7_config_050

Click the [icon] and select the newly added domain.

Click Next

vra7_config_051

Enter the AD credentials of the user added (the one which we gave EVERYTHING)

vra7_config_052

You should be able to login and see the default screen

vra7_config_053

Now you’ve got a GOD-like user, apart from Fabric permissions – because there isn’t a fabric group – yet. That will be the next step.

For now you will notice that the Infrastructure tab will be empty.

vra7_config_054

We also need to give our admin IaaS Administrator permissions. As mentioned, I am using the standard tenant (vsphere.local). Log out and log back in with the default System Administrator

vra7_config_063

Click the default tenant vsphere.local

vra7_config_061

And under the tab administrators, add your ‘domain’ admin to the IaaS Admins

vra7_config_062

Log out again, time to create a Fabric Group 🙂
