Using the vRO 2.0 Plugin for Active Directory to Work with Multiple Domains
When working with vRealize Orchestrator and Active Directory, it has been possible for a long time to use the built-in Active Directory plugin for many tasks. One of the drawbacks with the various iterations of the 1.0.x version of the plugin, however, was the lack of support for multiple domains and multiple domain controllers. This was naturally quite restrictive in environments with more than a single domain, which is pretty common for many reasons such as distributed management, mergers & takeovers and poor planning ;-)
These issues are addressed in version 2.0 of the plugin, which also supports the latest release of vRO, 6.0.1.
Getting Started
Version 2.0 of the AD plugin did not ship as part of the 6.0.1 vRO release, so it needs to be downloaded and upgraded. In vRO 6.0.1 the version of the AD plugin is 1.0.6.2315152.
So, firstly download the 2.0 version of the AD plugin and copy the file to somewhere accessible from the vRO Configuration Website. From within the Configuration Website navigate to the Plug-ins page and the Install new plug-in section. Select the downloaded plugin file and choose Upload and install.
Accept the License Agreement
All being well you will be informed that the existing plugin was overwritten and the plugin will be installed at next server startup.
Restart the vRO service to complete the installation.
Once complete, the version of the plugin should show as 2.0.0.2543027.
Configuration
Log in to vRO with the Client and navigate to Library / Microsoft / Active Directory / Configuration. If you used previous versions of the plugin, you will notice some changes in this folder:
Version 1.0.x
Version 2.0.0.2543027
Run the Add an Active Directory server workflow and configure it for a domain controller in the first domain.
Use a shared session and ideally a dedicated service account with the permissions it needs in that AD domain:
If everything supplied is correct, then you should receive a successful workflow run:
and then be able to browse through the domain on the Inventory tab:
To add a domain controller from a second domain, run the Add an Active Directory server workflow again. I’m using a DC from a child domain:
Again, with a successful workflow run you should see the green tick:
and on the Inventory tab it is now possible to browse multiple domains! (Woo hoo - you should be saying at this point, it’s quite a big deal if you’ve been waiting for this functionality :-) )
Use Case
Consider an example where you need to create an Organizational Unit in both AD domains. Prior to version 2 of the AD plugin you would have needed to either use multiple vRO servers or likely use some PowerShell scripting instead.
Create a top-level workflow named New-ADOUinMultipleDomains:
On the Inputs tab create an input ouName:
On the Schema tab drag in the Create an organizational unit Library workflow.
On the In tab of the Create an organizational unit Library workflow ouName should be automatically populated with the Input parameter of the same name; if not, make it so:
For ouContainer create an Input Parameter of the workflow parentDomainContainer:
On the Out tab set newOU to be an attribute parentDomainOU:
Repeat the above process with an extra workflow item on the schema for the child domain using Input parameter childDomainContainer and attribute childDomainOU.
Update the Presentation for the Domain Container inputs to provide more friendly text when the workflow runs:
So now our top-level workflow looks like this for Inputs:
and the schema looks like this:
Save and close the workflow. Now run the workflow and populate the fields with a name for the new OU and locations in the parent and child domains to create the OUs in. Note that you are able to browse through both domains, similar to the Inventory view - yay :-) :
We are ready to roll, so hit Submit. All being well we will have a successful workflow run and OUs named Multiple created in both domains in the correct locations.
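For comparison, here is a sketch of the PowerShell fallback mentioned at the start of this use case, creating the same OU in both domains by pointing each call at a domain controller in the right domain. It is an added example, not part of the original post or the plugin; the DC hostnames and container DNs are constructed placeholders, and it assumes the ActiveDirectory (RSAT) module and one service account with rights in both domains.

```powershell
# Added example: the hostnames and DNs below are constructed placeholders.
Import-Module ActiveDirectory

$ouName  = 'Multiple'
$targets = @(
    @{ Server = 'dc01.example.local';       Container = 'OU=Servers,DC=example,DC=local' },
    @{ Server = 'dc01.child.example.local'; Container = 'OU=Servers,DC=child,DC=example,DC=local' }
)

# Prompt for the dedicated service account; nothing is stored in the script.
$cred = Get-Credential -Message 'Service account allowed to create OUs in both domains'

foreach ($t in $targets) {
    # Ask the DC which domain it serves and compare that with the DC= part of
    # the container DN, so an OU is never requested from the wrong domain.
    $domainDN = (Get-ADDomain -Server $t.Server -Credential $cred).DistinguishedName
    $dcPart   = (($t.Container -split ',') -match '^DC=') -join ','
    if ($dcPart -ne $domainDN) {
        Write-Warning "$($t.Container) is not in $domainDN (served by $($t.Server)); skipped"
        continue
    }

    # Idempotent: only create the OU if it is not already directly under the container.
    $existing = Get-ADOrganizationalUnit -Server $t.Server -Credential $cred `
        -SearchBase $t.Container -SearchScope OneLevel -Filter "Name -eq '$ouName'"
    if ($existing) {
        Write-Output "Exists:  $($existing.DistinguishedName)"
        continue
    }

    # -Server is what selects the domain; -PassThru returns the new OU object.
    $ou = New-ADOrganizationalUnit -Name $ouName -Path $t.Container `
        -Server $t.Server -Credential $cred `
        -ProtectedFromAccidentalDeletion $true -PassThru -ErrorAction Stop
    Write-Output "Created: $($ou.DistinguishedName)"
}
```

The `$targets` entries play the role of the parentDomainContainer and childDomainContainer inputs in the workflow above.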
Final thoughts
When talking with people about vRO I often caution them that just because there is a VMware-supplied plugin or one from a third party, it does not necessarily mean that it will do everything that you need it to do. The AD plugin was a case in point, so the 2.0 version is a welcome and long-awaited improvement and reduces the need to fall back to using some form of scripting to achieve AD automation in vRO.