Now that we have installed vRA for the first site in the previous post, it is time to go through the next tasks.
These tasks involve setting up the default tenant with the required user and integrating AD, so that AD authentication also works with the sub tenant created later.
Before getting that far though I created two groups in AD:
T1vraAdministrators and T1vraUsers
I added an admin account called vraadmin to the administrators and my own account to the users group.
For the directory sync you also need an account with privileges to search AD. A normal domain account should be enough, unless the OUs and containers were changed to deny this. This account is used for the Bind DN and Base DN part below. It is also listed in the vRA workbook spreadsheet that I mentioned in the first part. You can find a copy of it here: vRA_7_Worksheet_empty.
Getting Base DN and Bind DN (via CLI):
“dsquery user” lists the users (fine if the directory is not that big; otherwise you may need to be a bit more specific and use “-name <name>”).
“dsquery group” shows you the groups, should you prefer to add groups later. Again you may need to be more specific, as it gives you all groups in AD.
Apart from this you also need the password of the bind account (in my case a service account).
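As an added example (not from the original post), the following PowerShell collects the same Base DN and Bind DN that the dsquery commands above give you, and checks that the bind account and the two vRA groups are in the state the post expects. It assumes the RSAT ActiveDirectory module is installed and that the bind account is called svc_vra_ldap (a hypothetical name).

```powershell
# Added example, not part of the original post. Assumes the RSAT ActiveDirectory
# module and a bind/service account named "svc_vra_ldap" (hypothetical name);
# the two group names are the groups created earlier in the post.
Import-Module ActiveDirectory

$bindAccount = 'svc_vra_ldap'                      # hypothetical bind account
$groups      = 'T1vraAdministrators', 'T1vraUsers'

# Base DN: the distinguished name of the domain itself (e.g. DC=corp,DC=example,DC=com).
$domain = Get-ADDomain
$baseDn = $domain.DistinguishedName

# Bind DN: the distinguished name of the account vRA binds with.
# (Equivalent to the post's "dsquery user -name svc_vra_ldap".)
$bindDn = (Get-ADUser -Identity $bindAccount).DistinguishedName

"Base DN : $baseDn"
"Bind DN : $bindDn"

# Check 1: the bind account should be a plain domain user. The directory sync only
# needs read/search rights, so membership in privileged groups is a misconfiguration.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators'
$memberOf   = (Get-ADPrincipalGroupMembership -Identity $bindAccount).Name
$overPriv   = $memberOf | Where-Object { $privileged -contains $_ }
if ($overPriv) {
    Write-Warning "Bind account is a member of: $($overPriv -join ', '). Use a least-privilege account."
}

# Check 2: the vRA groups exist and have the expected members, so the
# "select groups to sync" step later in the post has something to pick up.
foreach ($g in $groups) {
    $members = Get-ADGroupMember -Identity $g -Recursive |
               Select-Object -ExpandProperty SamAccountName
    '{0}: {1} member(s) -> {2}' -f $g, @($members).Count, ($members -join ', ')
}

# Check 3: the domain controller is reachable on the LDAP port from this host.
# 389 is plain LDAP / StartTLS; use 636 (LDAPS) where the DC has a certificate.
Test-NetConnection -ComputerName $domain.PDCEmulator -Port 389 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Run it from a domain-joined machine as any domain user; the printed Base DN and Bind DN are the two values to paste into the worksheet and into the LDAP directory screen later on.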
Having done these couple of steps up front, it is time to log in to the default tenant.
You do this by going to the FQDN of your vRA server and then selecting the first menu item (vRealize Automation console).
Next you are asked to enter the system administrator account and password that you set up during the installation (administrator).
Once done you get presented with the default tenant page:
You see how there is already one tenant on the first page, vsphere.local. This is your default tenant. The default tenant is created during the installation and contains all settings that will be used to create tenants in the future. It is recommended to avoid changing too many things in the default tenant as this is the tenant that will be used to create future sub tenants.
What we should configure though is:
Tenant and IaaS administrator.
Create the new tenant.
Use the created account to log in and configure AD in the default tenant, and then repeat the steps for the local user and AD integration in the newly created tenant.
So click on the default tenant (vsphere.local).
The first page is the general tab, there is nothing that can be changed there apart from the description. Hit the “Next” button at the bottom of the screen.
On the Local users tab, click the plus symbol to create a new user.
Fill in the details and click OK.
You should now have a default user in the tenant.
Press the “Next” button at the bottom of the screen to go to Administrators.
Enter the username you just created to search for the user and make this user tenant administrator. Enter the same user for IaaS administrator. This is not the normal way to do it, but for the default tenant it is OK. After adding them, press the Finish button to complete this part of the configuration.
While here you may as well create the tenant you will use.
So on the default screen, click the little plus for new tenant.
Give the new tenant a name and, if you want, a description. In my case the tenant will be for my first site, which is a management site, and the URL will reflect this too.
Then add a URL name, which is the name of the tenant itself, and optionally a contact email.
Click next and create the local user and then click next to create the administrator, exactly as in the default tenant. You will see that no user is moved across to the new tenant from the default tenant. Press finish to complete the creation of the new tenant. You should now have two tenants listed as below.
Now log out, as you are still logged in as the system administrator, and log in to your default tenant.
Once logged in, go to Administrator –> Directories –> Add Directory.
Select “Active Directory over LDAP/IWA”.
Select LDAP or IWA, depending on what you prefer. Only the next screen differs; the rest is pretty much the same.
For LDAP this is how it looks: I filled in the name of the connection under Directory name, left the rest at the defaults, copied in the Base DN and Bind DN from my spreadsheet, tested the connection and continued to the next page.
For IWA this is how it looks; one other difference is that with IWA a computer account is created for you in AD.
Next you select the domain to sync, in my case there is only one, so make sure it is selected and continue.
Then you get prompted for attributes. Only one attribute is mandatory to edit, the UPN; leave it as it is and continue.
Then you can select groups to sync if you want to. I selected my two groups and continued.
Next are the users; I left the defaults here and continued.
After that you are done and the sync will start. You get an info screen to tell you this may take some time.
At the end you can go to Directories, click on your Active Directory over LDAP, and you will see three tabs on top. Click the Sync Log to check that everything was synchronized OK.
There should be a check mark on the right to show it was successful.
If you go to Directory groups and search for one of the AD groups, you should now find it, and under members you should see the member(s).
This is pretty much what I wanted to cover in this post. Next up is a short post on custom groups.
You now need to log out, log in to the tenant you have created and perform the same steps. If you do this only on the sub tenant, authentication via AD will not work.
After adding it to the sub tenant you should now have the choice of your AD for authentication on the login screen under “choose other domain”, and not only the built-in identity store.
One other thing to do would be to go to the sub tenant and add the domain admin (or admin group) to the tenant admin and IaaS admin.
To do this, go to the default tenant, log in as system administrator, then click on the tenant you created and go to Administrators. Search for the users in AD (in my case it is site1mgmtAdmins) and add them to Tenant Administrators if they are not already there; repeat this for IaaS and click Finish. You should now be able to create endpoints with your AD vRA admin account(s).