Category Archives: active directory

Using the vRO 2.0 Plugin for Active Directory to Work with Multiple Domains

When working with vRealize Orchestrator and Active Directory it has been possible for a long time to use the built-in Active Directory plugin for many tasks. One of the drawbacks with the various iterations of the 1.0.x version of the plugin, however, was the lack of support for multiple domains and multiple domain controllers. This was naturally quite restrictive in environments with more than a single domain, which is pretty common for many reasons such as distributed management, mergers & takeovers and poor planning 😉

These issues are addressed in version 2.0 of the plugin, which also supports the latest release of vRO, 6.0.1.

Getting Started

Version 2.0 of the AD plugin did not ship as part of the 6.0.1 vRO release, so it needs to be downloaded and upgraded. In vRO 6.0.1 the version of the AD plugin is




So, firstly download the 2.0 version of the AD plugin and copy the file to somewhere accessible from the vRO Configuration Website. From within the Configuration Website navigate to the Plug-ins page and the Install new plug-in section. Select the downloaded plugin file and choose Upload and install.


Accept the License Agreement


All being well you will be informed that the existing plugin was overwritten and the plugin will be installed at next server startup.


Restart the vRO service to complete the installation


Once complete the version of the plugin should show at



Login to vRO with the Client and navigate to Library / Microsoft / Active Directory / Configuration. If you used previous versions of the plugin, you will notice some changes in this folder:

Version 1.0.x




Run the Add an Active Directory server workflow and configure it for a domain controller in the first domain.



Use a shared session and ideally a dedicated service account for that AD domain. Grant it only the rights the workflows need (for example, create and delete rights on the OUs it manages) rather than making it a Domain Admin; with a shared session every workflow that touches the plugin runs as this account, so its permissions set the blast radius for the whole vRO instance:


If everything supplied is correct, then you should receive a successful workflow run:


and then be able to browse through the domain on the Inventory tab:


To add a domain controller from a second domain, run the Add an Active Directory server workflow again. I’m using a DC from a child domain:


Again, with a successful workflow run you should see the green tick:


and on the Inventory tab it is now possible to browse multiple domains! (Woo hoo – you should be saying at this point, it’s quite a big deal if you’ve been waiting for this functionality 🙂 )


Use Case

Consider an example where you need to create an Organizational Unit in both AD domains. Prior to version 2 of the AD plugin you would have needed to either use multiple vRO servers or likely use some PowerShell scripting instead.

Create a top-level workflow named New-ADOUinMultipleDomains:


On the Inputs tab create an input ouName:

On the Schema tab drag in the  Create an organizational unit Library workflow


On the In tab of the Create an organizational unit Library workflow ouName should be automatically populated with the Input parameter of the same name; if not, make it so:


For ouContainer create an Input Parameter of the workflow parentDomainContainer :




On the Out tab set newOU to be an attribute parentDomainOU:




Repeat the above process with an extra workflow item on the schema for the child domain using Input parameter childDomainContainer and attribute childDomainOU.




Update the Presentation for the Domain Container inputs to provide more friendly text when the workflow runs:


So now our top-level workflow looks like this for Inputs:



and the schema looks like this:


Save and close the workflow. Now run the workflow and populate the fields with a name for the new OU and locations in the parent and child domains to create the OUs in. Note that you are able to browse through both domains, similar to the Inventory view – yay 🙂 :





We are ready to roll, so hit Submit. All being well we will have a successful workflow run and OUs named Multiple created in both domains in the correct locations.




Final thoughts

When talking with people about vRO I often caution them that just because there is a VMware supplied plugin or one from a third-party, it does not necessarily mean that it will do everything that you need it to do. The AD plugin was a case in point, so the 2.0 version is a welcome and long awaited improvement and reduces the need to fall back to using some form of scripting to achieve AD automation in vRO.

Automating vCAC Tenant Creation with vCO: Part 2 AD Users, Groups and OUs

In this series we will see how to automate the creation of a tenant in vCAC using vCO. There are multiple tasks to provision a tenant in vCAC, so even though it is an automation product itself, there’s no reason why you shouldn’t look at automating parts of it too.

In part 2 we will create the AD Users, Groups and OUs to support the vCAC tenant. In this example we will create:


TenantName and sub-OUs, Users and Groups


A vcoservice account and tenant admin


A tenant admin group and infrastructure admin group

1) We’re using vCO 5.5.1 and the AD plugin ships by default. We need to configure it to work with a Domain Controller, so run the Configure Active Directory Server workflow.






Now in the vCO Inventory view we can traverse the AD structure


2) Use a vCO Configuration Element to store the default Tenants OU.

Since we will place each tenant OU into the default Tenants OU each time, we can store this object in a vCO Configuration Element and assign it as an attribute in the workflow.






3) Create a workflow for the AD requirements. Later on we will plug this into the Create Tenant workflow which will handle all of the different parts. Add an input tenantName…




Here we work on the presentation of the input and ensure that the user is guided into supplying us with the correct information.



and an attribute tenantOU (the configuration element created above)




4) Create an OU

Add the Create an organizational unit workflow to the schema


Set the In parameters, firstly ouName


and also ouContainer


Create an Out parameter, which will be the Tenant OU that this workflow creates


I find the Visual Binding tab really useful as a quick visual checker that everything is set as I am expecting


We need to create two sub-OUs from the tenant OU. Since the Create OU workflow only creates one, I will show you an alternative for creating multiples rather than adding the workflow many times. Create a scriptable task and call it Create Sub OUs


As inputs we need the tenantName and tenantNameOU.


For outputs we need to create the two OUs as attributes of type AD:OrganizationalUnit since we will need to use these OUs later.



Again, the mapped-out view helps me to visualise that I am on the right track…

The scripting code to create the OUs is relatively straightforward. We can call any action by using the path to it and then supplying the necessary parameters. In this case we use the createOrganizationalUnit and getOrganizationUnitFromOrganizationUnit actions from the ActiveDirectory plugin.

// Library actions shipped with the AD plugin. The module path was lost from the
// original listing; com.vmware.library.microsoft.activeDirectory is the standard one.
var adLib = System.getModule("com.vmware.library.microsoft.activeDirectory");

// Create the Users and Groups OUs using the createOrganizationalUnit action
// (arguments in the same order as the Create an organizational unit workflow's inputs: ouName, ouContainer)
adLib.createOrganizationalUnit("Users", tenantNameOU);
adLib.createOrganizationalUnit("Groups", tenantNameOU);

// Retrieve the OU objects for Output
var usersOU = adLib.getOrganizationUnitFromOrganizationUnit(tenantNameOU, "Users");
var groupsOU = adLib.getOrganizationUnitFromOrganizationUnit(tenantNameOU, "Groups");



5) Create Users and Groups

Now we need to create some user accounts and groups, so add a scriptable task


As inputs we need tenantName, tenantOU, usersOU and groupsOU.


We need to output one of the users, its password and two of the groups for use later on:




We need them to be out-parameters, not attributes, so that we can use them outside of the workflow later. If you create the Source parameter by clicking in the correct place above and choosing parameter rather than attribute then the workflow Out parameters will be created for you.



We also need to make use of a Configuration Element  for the ActiveDirectory domain. This provides a handy way to supply static values to the workflow without hard-coding them into a script element somewhere.

Navigate to Configuration Elements and create a new one




We can use this Configuration Element in our workflow by adding it as an attribute. Use the chooser button to select it.



Add the dnsDomain string to the Users and Groups scriptable task



To create the user accounts we need to supply a password. I generate a random one with a helper action createRandomPassword. Store this somewhere that you can easily reference.


We want to output two users and two groups from the workflow and also the vcosvcPassword.

Here’s the code to create the users and groups, and add the users to the groups



// Library actions shipped with the AD plugin. The module path was lost from the
// original listing; com.vmware.library.microsoft.activeDirectory is the standard one.
var adLib = System.getModule("com.vmware.library.microsoft.activeDirectory");
var general = System.getModule("com.jonathan.action.general");

// Create vcoService and Tenant Admin users, each with its own random password
var vcosvcPassword = general.generateRandomPassword(12);
adLib.createUserWithPassword(tenantName + "_vCOSvc", vcosvcPassword, vcosvcPassword, dnsDomain, tenantName + "_vCOSvc", usersOU);
var tenantadminPassword = general.generateRandomPassword(12);
adLib.createUserWithPassword(tenantName + "_TenantAdmin", tenantadminPassword, tenantadminPassword, dnsDomain, tenantName + "_TenantAdmin", usersOU);

// Lab only: these two lines write the clear-text passwords to the vCO server log, where
// anyone with log access can read them. Remove them (or pass the passwords on as
// SecureString outputs only) before using this workflow outside a lab.
System.log("vcosvc password is: " + vcosvcPassword);
System.log("tenantadmin password is: " + tenantadminPassword);

// Retrieve the vcoService and Tenant Admin users
var vcoServiceUser = adLib.getUserFromContainer(usersOU, tenantName + "_vCOSvc");
var tenantAdminUser = adLib.getUserFromContainer(usersOU, tenantName + "_TenantAdmin");

System.log("Tenant admin is: " + tenantAdminUser.distinguishedName);

// Create the Tenant Admin and Infra Admin groups
adLib.createUserGroup(tenantName + "_TenantAdmins", groupsOU);
adLib.createUserGroup(tenantName + "_InfraAdmins", groupsOU);

// Retrieve the Tenant Admin and Infra Admin groups and fix the SamAccountName
tenantAdminsGroup = adLib.getUsergroupFromContainer(groupsOU, tenantName + "_TenantAdmins");
tenantAdminsGroup.setAttribute('SamAccountName', tenantName + "_TenantAdmins");

infrastructureAdminsGroup = adLib.getUsergroupFromContainer(groupsOU, tenantName + "_InfraAdmins");
infrastructureAdminsGroup.setAttribute('SamAccountName', tenantName + "_InfraAdmins");

// Add tenant admin to admin groups. The original listing stopped after building the
// array; AD:UserGroup.addElements() takes an array of AD objects, so these two calls complete it.
var tenantAdminUserArray = [tenantAdminUser];
tenantAdminsGroup.addElements(tenantAdminUserArray);
infrastructureAdminsGroup.addElements(tenantAdminUserArray);


Finally we need to get the usersOU and groupsOU out of the workflow, having already used them in the workflow. Add an additional scriptable task to do this.







That’s our completed AD workflow.

It’s worth testing the workflow at this point to ensure that everything works so far.



And here’s the result





Automating vCAC Tenant Creation with vCO: Part 1 AD SSL
Automating vCAC Tenant Creation with vCO: Part 2 AD Users, Groups and OUs
Automating vCAC Tenant Creation with vCO: Part 3 Install the vCAC plugin for vCO
Automating vCAC Tenant Creation with vCO: Part 4 Creating a Tenant
Automating vCAC Tenant Creation with vCO: Part 5 Creating an Identity Store
Automating vCAC Tenant Creation with vCO: Part 6 Adding Administrators
Automating vCAC Tenant Creation with vCO: Part 7 Creating a vCAC Catalog Item

Automating vCAC Tenant Creation with vCO: Part 1 AD SSL

In this series we will see how to automate the creation of a tenant in vCAC using vCO. There are multiple tasks to provision a tenant in vCAC, so even though it is an automation product itself, there’s no reason why you shouldn’t look at automating parts of it too.

In parts 1 and 2 we will look at the AD requirements for a tenant. Since most organisations will likely use AD for authentication we will create the minimum users and groups required for a vCAC tenant in a structure that lends itself to further expansion.

In part 1 we will set up AD to accept requests via SSL. The AD plugin for vCO requires an SSL connection to a Domain Controller for any request that carries a password: for example creating a user or computer account, but not a group or an OU. Since we need to create some user accounts we will need to configure AD for SSL, and vCO in turn has to trust the certificate the DC presents (the DC certificate itself or its issuing CA), so keep that certificate to hand. (More on ways around this in a future post)

There are a number of different ways to go about this, so look into it properly for your own environment. There are various options with internal and external certificates, so find the best for your situation. Since this is in my lab and I only have one DC, I’m going to install AD Certificate Services on the DC and use an internal cert for the DC.

1) Ensure you have installed the AD Certificate Services role.


2) Setup automatic certificates for computers in the Default Domain Controllers Group Policy





3) Check that your DC has been issued a certificate. Note: to speed this part up you may need a gpupdate /force and possibly also a reboot.


4) You should also test that it is listening on port 636 for secure LDAP requests. You can use the built-in ldp.exe tool.
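ldp.exe shows you that the port answers, but it does not tell you whether a script will trust the certificate or whether an SSL bind actually succeeds, which is what the AD plugin needs. The following PowerShell is an added example, not part of the original post: it opens a TLS session to 636, reports the certificate the DC presented (name match, Server Authentication EKU, whether this host trusts the chain) and then performs an SSL bind with System.DirectoryServices.Protocols. The DC name dc01.sunnydale.local is a placeholder to replace with the FQDN you will give the plugin.

```powershell
# Added example (not from the original post): exercise LDAPS the way a script or the
# vCO AD plugin will, instead of only eyeballing ldp.exe. The DC name below is a
# placeholder. Needs .NET on any Windows host; the bind test needs reachability to the DC.

function Test-LdapsCertificate {
    # Open a TLS session to the LDAPS port and report what the DC presented and
    # whether this host would trust it. Trust is evaluated after the handshake,
    # so the callback accepts everything rather than aborting on a bad chain.
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [int]$Port = 636
    )
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($DomainController, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($DomainController)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)
        [pscustomobject]@{
            DomainController = $DomainController
            Protocol         = $ssl.SslProtocol
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            NotAfter         = $cert.NotAfter
            # LDAPS requires the Server Authentication EKU; auto-enrolled DC certs carry it
            ServerAuthEku    = [bool]($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
            # The name the client connects with has to be in the subject/SAN, so use the FQDN
            NameMatches      = [bool]($cert.DnsNameList.Unicode -contains $DomainController)
            TrustedHere      = $trusted
            ChainStatus      = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        }
    }
    finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

function Test-LdapsBind {
    # Perform an SSL bind on 636, the operation the AD plugin relies on for
    # password-bearing requests. Uses the caller's Kerberos/NTLM identity unless
    # a credential is supplied.
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [pscredential]$Credential
    )
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    if ($Credential) { $conn.Credential = $Credential.GetNetworkCredential() }
    try {
        $conn.Bind()
        $true
    }
    catch {
        Write-Warning "LDAPS bind to $DomainController failed: $($_.Exception.Message)"
        $false
    }
    finally {
        $conn.Dispose()
    }
}

$dc = 'dc01.sunnydale.local'   # placeholder: the FQDN the plugin will be configured with
Test-LdapsCertificate -DomainController $dc | Format-List
Test-LdapsBind -DomainController $dc
```

If TrustedHere is false on the machine running vCO's client but NameMatches and ServerAuthEku are true, the certificate is fine and it is the trust store that needs the issuing CA added; if NameMatches is false you are connecting with a name the certificate was not issued for, which no amount of trust-store work will fix.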



Now that we have that up and running, we can move onto Part 2 AD Users, Groups and OUs



vCO Create Random Password Action

Need to create a random password in vCO, maybe to be able to create a user account in Active Directory or elsewhere? I created an action for this task which can be reused in any workflow. The code for this is below.

There’s one input passwordLength¬†to determine how long you want the password to be.


The action can be used in a workflow like so:



Alternatively, you can download the action to import into your own vCO install from my vCOModules repository on GitHub, where I’m beginning to store modules of generic actions I use. Only a few items there at the minute, but plenty to follow……

// Action input: passwordLength (number). Returns a string of that length containing at
// least one lower-case letter, one upper-case letter, one digit and one special character.
if (passwordLength == null || passwordLength == "" || passwordLength < 5) {
	throw "Parameter PasswordLength needs to be at least 5";
}

// Positions left to fill from the full alphabet after the four guaranteed classes
var pickNumber = passwordLength - 4;

// Fisher-Yates shuffle so the guaranteed characters do not always sit at the front
function shuffle(string) {
    var parts = string.split('');
    for (var i = parts.length; i > 0;) {
        var random = parseInt(Math.random() * i);
        var temp = parts[--i];
        parts[i] = parts[random];
        parts[random] = temp;
    }
    return parts.join('');
}

var lowercase = 'abcdefghijklmnopqrstuvwxyz';
var uppercase = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
var numbers = '0123456789';
var special = '!?£$@';
var all = lowercase + uppercase + numbers + special;

// One character from each class satisfies the complexity classes an AD password policy expects
var c1 = lowercase.charAt(Math.floor(Math.random() * lowercase.length));
var c2 = uppercase.charAt(Math.floor(Math.random() * uppercase.length));
var c3 = numbers.charAt(Math.floor(Math.random() * numbers.length));
var c4 = special.charAt(Math.floor(Math.random() * special.length));
var c5 = '';

for (var i = 0; i < pickNumber; i++) {
	c5 += all.charAt(Math.floor(Math.random() * all.length));
}

// Note: Math.random() is not a cryptographically secure generator. That is acceptable for
// an initial password that is changed at first logon; for long-lived service account
// passwords use a CSPRNG-backed source instead.
var c6 = c1 + c2 + c3 + c4 + c5;
password = shuffle(c6);

return password;

VCSA: ‘Active Directory Enabled’ Fails During Setup Wizard

During the setup wizard of the vCenter Server Appliance I experienced an error at the step to make it Active Directory Enabled.


In this instance I received the below error:

Failed to execute '/usr/sbin/vpxd_servicecfg 'ad' 'test' 'sunnydale\vcentersvc' CENSORED 'sunnydale.local'':
VC_CFG_RESULT=309(Error: Invalid hostname. FQDN is required for joining a domain.)


Initially I thought it may be something to do with how I was specifying the AD domain name or username. Didn’t get very far with that, so I skipped it for the time being and decided to come back to it later.

This setting can later be configured from vCenter Server, Authentication . Attempting the same from there results in a similar error:

AD Authentication settings
Error: Invalid hostname. FQDN is required for joining a domain.


What the error (obviously) actually means is that the hostname specified on the Network page must be the full FQDN and not a standalone hostname. So I had not specified that correctly as part of the initial setup.

Not this:



Rather this:



Also, make sure you have created a DNS A record for this server.

Once that was resolved I had some further issues with the formatting of the Domain and Admin User; in the end the below worked, i.e. the username in UPN format (user@domain). (Note I had been experimenting with a change to the administrator account rather than the vcentersvc service account, which is why that is different below; I don’t think that was the cause of the issue)


Learn Active Directory Management in a Month of Lunches – 50% off promo code

Wanted to let readers know that I have a 50% off promo code for an upcoming book from Richard Siddaway, ‘Learn Active Directory Management in a Month of Lunches’. It’s now available in Manning’s Early Access Program and the 50% off promo code is valid until Feb 26, 2013 12 midnight EST. Use the code below when ordering:


Here’s the book abstract:

Active Directory is the heart of a Windows network, providing a centralized location for administration, security, and other core management functions. For example, Active Directory authenticates all users in a Windows network and enforces policies for managing your desktop estate. If you’re new to Active Directory administration, or if you find yourself unexpectedly thrust into that role, you need to get a handle on Active Directory quickly. This is the book for you.

Learn Active Directory Management in a Month of Lunches is a practical, hands-on tutorial designed for IT pros new to Active Directory. It skips the theory and concentrates on the day to day administration tasks you need to know to keep your network running smoothly. Just set aside an hour a day for a month (lunchtime would be perfect) and you’ll be comfortable and productive with Active Directory before you know it.

This book makes no assumptions about your background and starts by introducing Active Directory and walking you through its basic features. You’ll learn how to administer AD both from the GUI tools built into Windows and by using PowerShell and the AD cmdlets. Along the way, you’ll touch on best practices for managing user access, setting good group policies, automating backup processes, and more. The examples in the book use Windows Server 2012 version of Active Directory and point out any important differences from earlier versions.

SAP Single Sign On Issues with Windows Server 2008 R2 Domain Controllers

By default, Data Encryption Standard (DES) encryption for Kerberos authentication is disabled in Windows Server 2008 R2; this is a change from Windows Server 2003. If you are running an application that uses DES encryption for Kerberos authentication, such as SAP, then you may see issues authenticating users against 2008 R2 DCs. You will see errors in the System Log like the one below for the users in question:

“While processing a TGS request for the target server %1, the account %2 did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of %3). The requested etypes were %4. The accounts available etypes were %5.”

To resolve this issue you need to make the Group Policy change to allow DES encryption for Kerberos authentication on the DCs, documented in this KB

  1. In the Group Policy Management Console (GPMC), locate the following location:
    Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security Options
  2. Click to select the Network security: Configure encryption types allowed for Kerberos option.
  3. Click to select Define these policy settings and all the six check boxes for the encryption types.
  4. Click OK. Close the GPMC.

To be able to make this change, you need to have first installed a hotfix. This fix is included in Windows Server 2008 R2 SP1, so if you have installed that you are already good to go.

Bear in mind that DES is a 56-bit cipher and has long been considered broken; allowing it again on the DCs widens what the KDC will negotiate for every account that holds DES keys. Link the policy to the Domain Controllers OU only, limit DES to the specific service accounts that need it, and treat this as a stopgap until the application can use RC4 or, preferably, AES.
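Before allowing DES on every DC it helps to know which accounts actually depend on it. The following PowerShell is an added example, not from the original post: it decodes the msDS-SupportedEncryptionTypes bitmask, lists the accounts that carry the DES-only flag or advertise a DES etype (together with their SPNs, which point at the applications involved), pulls the matching KDC events, and shows the per-account alternative to a domain-wide policy. It assumes the ActiveDirectory module on a domain-joined host; the sample bitmask values, the account name sapsvc and the KDC event ID 14 are assumptions to check against your own environment.

```powershell
# Added example (not from the original post): find out which accounts actually depend on
# DES before, or instead of, allowing it on every DC. Assumes the ActiveDirectory module
# on a domain-joined host. The account name sapsvc and the KDC event ID 14 are assumptions.

# Bit values of msDS-SupportedEncryptionTypes
$EtypeBits = @(
    @{ Bit = 0x01; Name = 'DES_CBC_CRC' },
    @{ Bit = 0x02; Name = 'DES_CBC_MD5' },
    @{ Bit = 0x04; Name = 'RC4_HMAC' },
    @{ Bit = 0x08; Name = 'AES128_CTS_HMAC_SHA1_96' },
    @{ Bit = 0x10; Name = 'AES256_CTS_HMAC_SHA1_96' }
)
# userAccountControl flag for "Use Kerberos DES encryption types for this account"
$UF_USE_DES_KEY_ONLY = 0x200000

function ConvertTo-KerberosEtypeList {
    # Turn the bitmask into names. Zero/unset means no explicit list: the account gets
    # the DC defaults, which on 2008 R2 exclude DES.
    param([int]$Value)
    if ($Value -eq 0) { return @('DEFAULT') }
    @($EtypeBits | Where-Object { ($Value -band $_.Bit) -ne 0 } | ForEach-Object { $_.Name })
}

function Get-DesDependentAccount {
    # Accounts that carry the DES-only flag (bitwise AND matching rule ...803) or that
    # advertise either DES etype (bitwise OR matching rule ...804 against 0x3).
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=2097152)' +
              '(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.804:=3))'
    Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase `
        -Properties userAccountControl, 'msDS-SupportedEncryptionTypes', servicePrincipalName |
    ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            ObjectClass = $_.ObjectClass
            DesOnlyFlag = (($_.userAccountControl -band $UF_USE_DES_KEY_ONLY) -ne 0)
            Etypes      = ((ConvertTo-KerberosEtypeList ([int]$_.'msDS-SupportedEncryptionTypes')) -join ',')
            SPNs        = ($_.servicePrincipalName -join ';')
        }
    }
}

# Constructed sample values: an AES-only account and one still advertising DES
ConvertTo-KerberosEtypeList 0x18
ConvertTo-KerberosEtypeList 0x03

# Which accounts (and, via their SPNs, which applications) need DES at all
Get-DesDependentAccount | Format-Table -AutoSize

# Confirm from the KDC itself which accounts are failing; run this on a DC.
# Event ID 14 is assumed for the "did not have a suitable key" message; verify against your System log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'; Id = 14 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# Once the application can negotiate a modern etype, take DES away per account rather
# than leaving it allowed domain-wide:
# Set-ADUser -Identity sapsvc -KerberosEncryptionType AES256, AES128, RC4
```

The LDAP filter uses two different matching rules on purpose: the userAccountControl test needs every bit in the mask set (one bit, so AND is fine), while the etype test should match if either DES bit is present, which is the OR rule.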

A good discussion of this issue and further steps you may need to take with service accounts can be found here:

Running AD Schema Update for 2008 R2 in a 32-bit DC Environment

To upgrade Active Directory from Windows Server 2003 to Windows Server 2008 R2 requires the usual AD schema upgrade first of all. Windows Server 2008 R2 is 64-bit only, so if you try running the usual command to upgrade the schema from a 32-bit Domain Controller:

adprep /forestprep

you get the following result, “adprep.exe is valid, but is for a machine type other than the current machine.”:

An alternative is to try running it from a 64-bit machine that is not a DC, but then you discover that this process absolutely must be run from a DC:

So what do you do? The answer is that you run adprep32.exe, a 32-bit version of adprep, which is included in the same folder:

adprep32 /forestprep

Active Directory: How do you solve a problem like Maria? Or John Smith?

The larger your organisation gets, the larger the number of users within your Active Directory and consequently the greater the chance of employing people with the same name. Unless you have good naming policies from the start you may well end up with an untidy directory and, if you are using Exchange, an address book where it is hard to distinguish between people with the same Display Name.

The below script will generate a report listing all users whose Display Name matches that of somebody else and, for instance, what a new Display Name would look like if you added their department field in brackets after their name – of course you could use another field entirely to distinguish them.

Note: that it is using the Quest AD cmdlets.

Add-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

# Mail-enabled users only, grouped by Display Name; keep only the groups with more than one member
$users = Get-QADUser -DontUseDefaultIncludedProperties -SizeLimit 0 -LdapFilter '(mail=*)' | Group-Object displayname | Where-Object {$_.count -gt 1}
$myCol = @()

foreach ($user in $users){

    # $user.Group holds the user objects that share this Display Name
    foreach ($duplicateuser in $user.Group){

        # Proposed name: department in brackets after the name (an empty Department will show as "()")
        $NewDisplayName = $duplicateuser.DisplayName + " (" + $duplicateuser.Department + ")"

        $MYInfo = "" | Select-Object UserID,CurrentDisplayName,NewDisplayName,Department
        $MYInfo.UserID = $duplicateuser.Name
        $MYInfo.CurrentDisplayName = $duplicateuser.DisplayName
        $MYInfo.NewDisplayName = $NewDisplayName
        $MYInfo.Department = $duplicateuser.Department
        $myCol += $MYInfo
    }
}

$myCol | Export-Csv C:\Scripts\Report.csv -NoTypeInformation

After reviewing the report and deciding to fix everyone on the list you could do it with the very similar code below:

Add-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$users = Get-QADUser -DontUseDefaultIncludedProperties -SizeLimit 0 -LdapFilter '(mail=*)' | Group-Object displayname | Where-Object {$_.count -gt 1}

foreach ($user in $users){

    foreach ($duplicateuser in $user.Group){

        $NewDisplayName = $duplicateuser.DisplayName + " (" + $duplicateuser.Department + ")"
        # Add -WhatIf to the line below for a dry run before committing the change
        Set-QADUser $duplicateuser -DisplayName $NewDisplayName
    }
}


Of course you might be in a scenario where some people already have brackets after their name and you wish to create a report of those. The below one liner will give you those results.

Get-QADUser -ldapfilter '(&(displayname=*(*)*)(mail=*))' -DontUseDefaultIncludedProperties | Select-Object name,displayname,department | Export-Csv C:\Scripts\Report.csv -NoTypeInformation

UK PowerShell User Group Events in Jan and Feb 2010

The first two sessions of the UK PowerShell User Group for 2010 will be online sessions.

The first event will take place on Tuesday 26th Jan 2010 7.30pm GMT. We will be looking at the Windows 2008 R2 cmdlets and provider for Active Directory.

Sign up details are available on Richard Siddaway’s blog.

The second event will take place on Tuesday 9th Feb 2010 7.30pm GMT. We will be looking at WMI and WQL.

Details again on Richard Siddaway’s blog.