Category Archives: active directory

Using the vRO 2.0 Plugin for Active Directory to Work with Multiple Domains

When working with vRealize Orchestrator and Active Directory, it has long been possible to use the built-in Active Directory plugin for many tasks. One drawback of the various 1.0.x releases of the plugin, however, was the lack of support for multiple domains and multiple domain controllers. That was quite restrictive in environments with more than a single domain, which is common for many reasons such as distributed management, mergers and takeovers, and poor planning 😉

These issues are addressed in version 2.0 of the plugin, which also supports the latest release of vRO, 6.0.1.

Getting Started

Version 2.0 of the AD plugin did not ship as part of the vRO 6.0.1 release, so it needs to be downloaded and installed as an upgrade. The version of the AD plugin bundled with vRO 6.0.1 is 1.0.6.2315152.

So, first download the 2.0 version of the AD plugin and copy the file somewhere accessible from the vRO Configuration website. From within the Configuration website navigate to the Plug-ins page and the Install new plug-in section. Select the downloaded plugin file and choose Upload and install.

Accept the License Agreement.

All being well you will be informed that the existing plugin was overwritten and that the plugin will be installed at the next server startup.

Restart the vRO service to complete the installation.

Once complete, the version of the plugin should show as 2.0.0.2543027.

Configuration

Log in to vRO with the Client and navigate to Library / Microsoft / Active Directory / Configuration. If you used previous versions of the plugin, you will notice some changes in this folder: version 1.0.x had a single Configure Active Directory Server workflow, whereas version 2.0.0.2543027 provides an Add an Active Directory server workflow that can be run once per domain controller.

Run the Add an Active Directory server workflow and configure it for a domain controller in the first domain.

Use a shared session and, ideally, a dedicated service account with only the permissions it needs in that AD domain (for the examples here, creating and modifying OUs, users and groups under the containers it manages); don't bind with a Domain Admin account. With a shared session the credentials are stored by vRO and every workflow run against that server uses them.

If everything supplied is correct, you should receive a successful workflow run and then be able to browse through the domain on the Inventory tab.

To add a domain controller from a second domain, run the Add an Active Directory server workflow again. I'm using a DC from a child domain.

Again, with a successful workflow run you should see the green tick, and on the Inventory tab it is now possible to browse multiple domains! (Woo hoo, you should be saying at this point; it's quite a big deal if you've been waiting for this functionality 🙂)

Use Case

Consider an example where you need to create an Organizational Unit in both AD domains. Prior to version 2 of the AD plugin you would have needed either multiple vRO servers or, more likely, some PowerShell scripting instead.

Create a top-level workflow, New-ADOUinMultipleDomains.

On the Inputs tab create an input ouName.

On the Schema tab drag in the Create an organizational unit Library workflow.

On the In tab of the Create an organizational unit workflow item, ouName should be automatically populated with the Input parameter of the same name; if not, make it so.

For ouContainer create an Input Parameter of the workflow, parentDomainContainer.

On the Out tab set newOU to be an attribute, parentDomainOU.

Repeat the above process with an extra workflow item on the schema for the child domain, using the Input parameter childDomainContainer and the attribute childDomainOU.

Update the Presentation for the Domain Container inputs to provide more friendly text when the workflow runs. So now our top-level workflow has three inputs (ouName, parentDomainContainer and childDomainContainer) and the schema contains the two Create an organizational unit items, one per domain.

Save and close the workflow. Now run the workflow and populate the fields with a name for the new OU and the locations in the parent and child domains to create the OUs in. Note that you are able to browse through both domains, similar to the Inventory view, yay 🙂

We are ready to roll, so hit Submit. All being well we will have a successful workflow run and OUs named Multiple created in both domains in the correct locations.
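For comparison, here is the scripting fallback the post mentions, written as an added example rather than code from the original post: the same "one OU in every domain" job done with the Microsoft ActiveDirectory module, binding to a DC in each domain explicitly with -Server. The DC names (dc01.sunnydale.local, dc01.child.sunnydale.local) and container DNs are assumptions for illustration, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not part of the original post: create an OU of the same name under a
# chosen container in each domain, one DC per domain, without relying on vRO.
#Requires -Modules ActiveDirectory

function New-OUInDomains {
    param(
        [Parameter(Mandatory)] [string] $OUName,
        # One entry per domain: Server = DC (or domain FQDN) to bind to, Container = parent DN
        [Parameter(Mandatory)] [hashtable[]] $Targets
    )

    # RFC 4515: \ * ( ) inside a filter value must be hex-escaped, otherwise a name such as
    # "Sales (EMEA)" breaks the filter (or lets an attacker-controlled name rewrite it)
    $filterValue = $OUName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    foreach ($t in $Targets) {
        # Idempotent: look for an existing OU of that name directly under the container
        $existing = Get-ADOrganizationalUnit -Server $t.Server -LDAPFilter "(ou=$filterValue)" `
                        -SearchBase $t.Container -SearchScope OneLevel -ErrorAction SilentlyContinue
        if ($existing) {
            [pscustomobject]@{ Server = $t.Server; DistinguishedName = $existing.DistinguishedName; Created = $false }
            continue
        }

        # ProtectedFromAccidentalDeletion adds the deny-delete ACE so a mis-click cannot remove the subtree
        $ou = New-ADOrganizationalUnit -Name $OUName -Path $t.Container -Server $t.Server `
                  -ProtectedFromAccidentalDeletion $true -PassThru
        [pscustomobject]@{ Server = $t.Server; DistinguishedName = $ou.DistinguishedName; Created = $true }
    }
}

# Usage: parent domain and child domain, each through its own DC (names are assumed)
New-OUInDomains -OUName 'Multiple' -Targets @(
    @{ Server = 'dc01.sunnydale.local';       Container = 'DC=sunnydale,DC=local' },
    @{ Server = 'dc01.child.sunnydale.local'; Container = 'DC=child,DC=sunnydale,DC=local' }
)
```

Running it twice is safe: the second run reports Created = False for both domains instead of failing on a duplicate name. The -Server parameter matters because the module otherwise talks to a DC in the user's own domain, which cannot create objects in the child domain.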

Final thoughts

When talking with people about vRO I often caution them that just because there is a VMware supplied plugin or one from a third-party, it does not necessarily mean that it will do everything that you need it to do. The AD plugin was a case in point, so the 2.0 version is a welcome and long awaited improvement and reduces the need to fall back to using some form of scripting to achieve AD automation in vRO.

Automating vCAC Tenant Creation with vCO: Part 2 AD Users, Groups and OUs

In this series we will see how to automate the creation of a tenant in vCAC using vCO. There are multiple tasks to provision a tenant in vCAC, so even though it is an automation product itself, there’s no reason why you shouldn’t look at automating parts of it too.

In part 2 we will create the AD Users, Groups and OUs to support the vCAC tenant. In this example we will create:

OUs: a TenantName OU, with sub-OUs Users and Groups

Users: a vCO service account and a tenant admin

Groups: a tenant admin group and an infrastructure admin group

1) We're using vCO 5.5.1, where the AD plugin ships by default. We need to configure it to work with a Domain Controller, so run the Configure Active Directory Server workflow. Because this part of the series creates user accounts, point it at the DC that was set up for LDAPS in Part 1 and configure it to use an SSL connection; the plugin cannot set a password over a plain LDAP connection.

Now in the vCO Inventory view we can traverse the AD structure.

2) Use a vCO Configuration Element to store the default Tenants OU.

Since we will place each tenant OU into the default Tenants OU each time, we can store this object in a vCO Configuration Element and assign it as an attribute in the workflow.

3) Create a workflow for the AD requirements. Later on we will plug this into the Create Tenant workflow, which will handle all of the different parts. Add an input tenantName.

Here we work on the presentation of the input and ensure that the user is guided into supplying us with the correct information. tenantName ends up in distinguished names, sAMAccountNames and user principal names further down, so constrain it to characters that are valid in all of those rather than accepting free text.

Also add an attribute tenantOU, bound to the configuration element created above.

4) Create an OU

Add the Create an organizational unit workflow to the schema and set the In parameters: first ouName, then ouContainer.

Create an Out parameter, which will be the tenant OU that this workflow creates.

I find the Visual Binding tab really useful as a quick visual check that everything is set as I expect.

We need to create two sub-OUs under the tenant OU. Since the Create OU workflow only creates one, I will show you an alternative for creating multiples rather than adding the workflow many times. Create a scriptable task and call it Create Sub OUs.

As inputs we need tenantName and tenantNameOU. For outputs we need the two OUs as attributes of type AD:OrganizationalUnit, since we will need them later.

Again, the mapped-out view helps me to visualise that I am on the right track.

The scripting code to create the OUs is relatively straightforward. Any action can be called through its module path and then supplying the necessary parameters. In this case we use the createOrganizationalUnit and getOrganizationUnitFromOrganizationUnit actions from the ActiveDirectory plugin's module:

// Create the Users and Groups OUs using the createOrganizationalUnit action
var adModule = System.getModule("com.vmware.library.microsoft.activeDirectory");
adModule.createOrganizationalUnit("Users", tenantNameOU);
adModule.createOrganizationalUnit("Groups", tenantNameOU);

// Retrieve the OU objects for the output attributes usersOU and groupsOU
var usersOU = adModule.getOrganizationUnitFromOrganizationUnit(tenantNameOU, "Users");
var groupsOU = adModule.getOrganizationUnitFromOrganizationUnit(tenantNameOU, "Groups");

5) Create Users and Groups

Now we need to create some user accounts and groups, so add a scriptable task.

As inputs we need tenantName, tenantOU, usersOU and groupsOU.

We need to output one of the users, its password and two of the groups for use later on.

They need to be out-parameters, not attributes, so that we can use them outside of the workflow later. If you create the Source parameter from the binding dialog and choose parameter rather than attribute, then the workflow Out parameters will be created for you.

We also need to make use of a Configuration Element for the Active Directory DNS domain name. This provides a handy way to supply static values to the workflow without hard-coding them into a script element somewhere.

Navigate to Configuration Elements and create a new one containing a string attribute dnsDomain.

We can use this Configuration Element in our workflow by adding it as an attribute; use the chooser button to select it. Then add the dnsDomain string as an input of the Users and Groups scriptable task.

To create the user accounts we need to supply a password. I generate a random one with a helper action, generateRandomPassword (the vCO Create Random Password Action post further down this page). Store this somewhere that you can easily reference. One caveat about the code below: the System.log calls write both passwords in plaintext to the vCO server log, which is handy in a lab but leaves the credentials in the log files of any environment where the workflow runs.

We want to output two users and two groups from the workflow and also the vcosvcPassword.

Here's the code to create the users and groups, and add the users to the groups:

// Create the vCO service and Tenant Admin users, each with a freshly generated password
var adModule = System.getModule("com.vmware.library.microsoft.activeDirectory");
var vcosvcPassword = System.getModule("com.jonathan.action.general").generateRandomPassword(12);
adModule.createUserWithPassword(tenantName + "_vCOSvc", vcosvcPassword, vcosvcPassword, dnsDomain, tenantName + "_vCOSvc", usersOU);
var tenantadminPassword = System.getModule("com.jonathan.action.general").generateRandomPassword(12);
adModule.createUserWithPassword(tenantName + "_TenantAdmin", tenantadminPassword, tenantadminPassword, dnsDomain, tenantName + "_TenantAdmin", usersOU);

// Lab only: these write the plaintext passwords into the vCO server log.
// Remove them anywhere else; the password is already handed on via the out-parameter.
System.log("vcosvc password is: " + vcosvcPassword);
System.log("tenantadmin password is: " + tenantadminPassword);

// Retrieve the vcoService and Tenant Admin users (vcoServiceUser is an out-parameter)
var vcoServiceUser = adModule.getUserFromContainer(usersOU, tenantName + "_vCOSvc");
var tenantAdminUser = adModule.getUserFromContainer(usersOU, tenantName + "_TenantAdmin");

System.log("Tenant admin is: " + tenantAdminUser.distinguishedName);

// Create the Tenant Admin and Infra Admin groups
adModule.createUserGroup(tenantName + "_TenantAdmins", groupsOU);
adModule.createUserGroup(tenantName + "_InfraAdmins", groupsOU);

// Retrieve the Tenant Admin and Infra Admin groups and fix the SamAccountName,
// which createUserGroup does not leave equal to the group name
var tenantAdminsGroup = adModule.getUsergroupFromContainer(groupsOU, tenantName + "_TenantAdmins");
tenantAdminsGroup.setAttribute('SamAccountName', tenantName + "_TenantAdmins");

var infrastructureAdminsGroup = adModule.getUsergroupFromContainer(groupsOU, tenantName + "_InfraAdmins");
infrastructureAdminsGroup.setAttribute('SamAccountName', tenantName + "_InfraAdmins");

// Add the tenant admin to both admin groups (addElements takes an array of AD objects)
var tenantAdminUserArray = [tenantAdminUser];
tenantAdminsGroup.addElements(tenantAdminUserArray);
infrastructureAdminsGroup.addElements(tenantAdminUserArray);

Finally we need to get usersOU and groupsOU out of the workflow, having already used them within it. Add an additional scriptable task to do this, binding the two attributes to out-parameters of the same type (AD:OrganizationalUnit).

That's our completed AD workflow.

It's worth testing the workflow at this point to ensure that everything works so far. Run it with a test tenant name and then check the result in Active Directory: the tenant OU under the Tenants OU with Users and Groups sub-OUs, the two user accounts under Users, and the two groups under Groups with the tenant admin a member of both.
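As an added example (not code from the original post), the check just described as a script: it looks for every object the workflow should have created and reports each expectation as pass or fail, so a wrong binding or a silently skipped step shows up here rather than later in vCAC. It assumes the RSAT ActiveDirectory module, and the tenant name, Tenants OU DN and DNS domain in the usage line are made up; the object names follow the naming in the workflow code above.

```powershell
# Added example, not part of the original post: verify the AD objects created for a tenant.
#Requires -Modules ActiveDirectory

function Test-TenantAdObjects {
    param(
        [Parameter(Mandatory)] [string] $TenantName,
        [Parameter(Mandatory)] [string] $TenantsOU,   # DN of the default Tenants OU
        [Parameter(Mandatory)] [string] $DnsDomain    # the dnsDomain configuration element value
    )
    $tenantOU = "OU=$TenantName,$TenantsOU"
    $usersOU  = "OU=Users,$tenantOU"
    $groupsOU = "OU=Groups,$tenantOU"
    $svc      = "${TenantName}_vCOSvc"
    $admin    = "${TenantName}_TenantAdmin"
    $groups   = "${TenantName}_TenantAdmins", "${TenantName}_InfraAdmins"

    $results = New-Object 'System.Collections.Generic.List[object]'
    function Record([string] $check, [bool] $ok, [string] $detail) {
        $results.Add([pscustomobject]@{ Check = $check; Passed = $ok; Detail = $detail })
    }
    # Get-AD* throws on an unknown identity; turn that into $null so the check just fails
    function Find([scriptblock] $lookup) { try { & $lookup } catch { $null } }

    foreach ($dn in $tenantOU, $usersOU, $groupsOU) {
        Record 'OU present' ($null -ne (Find { Get-ADOrganizationalUnit -Identity $dn })) $dn
    }

    foreach ($sam in $svc, $admin) {
        $u = Find { Get-ADUser -Identity $sam -Properties userPrincipalName }
        Record 'User present'     ($null -ne $u) $sam
        Record 'User in Users OU' ($u -and $u.DistinguishedName -like "*,$usersOU") $sam
        # dnsDomain is passed to createUserWithPassword as the UPN suffix; a wrong binding shows here
        Record 'User UPN suffix'  ($u -and $u.UserPrincipalName -eq "$sam@$DnsDomain") "$sam@$DnsDomain"
    }

    foreach ($g in $groups) {
        $grp = Find { Get-ADGroup -Identity $g }
        Record 'Group present'        ($null -ne $grp) $g
        Record 'Group in Groups OU'   ($grp -and $grp.DistinguishedName -like "*,$groupsOU") $g
        # This is what the setAttribute('SamAccountName', ...) lines in the workflow are for
        Record 'Group sAMAccountName' ($grp -and $grp.SamAccountName -eq $g) $g
        $members = @(Find { Get-ADGroupMember -Identity $g } | ForEach-Object SamAccountName)
        Record 'TenantAdmin is member' ($members -contains $admin) $g
    }
    return $results
}

# Usage (names assumed): one row per expectation, Passed = False is what to chase
Test-TenantAdObjects -TenantName 'Tenant01' -TenantsOU 'OU=Tenants,DC=sunnydale,DC=local' -DnsDomain 'sunnydale.local' |
    Format-Table -AutoSize
```

The UPN check is the one most worth keeping: if the dnsDomain attribute is bound to the wrong configuration element the accounts are still created, but with a UPN suffix that no identity store in vCAC will match.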

 

 

 

Automating vCAC Tenant Creation with vCO: Part 1 AD SSL
Automating vCAC Tenant Creation with vCO: Part 2 AD Users, Groups and OUs
Automating vCAC Tenant Creation with vCO: Part 3 Install the vCAC plugin for vCO
Automating vCAC Tenant Creation with vCO: Part 4 Creating a Tenant
Automating vCAC Tenant Creation with vCO: Part 5 Creating an Identity Store
Automating vCAC Tenant Creation with vCO: Part 6 Adding Administrators
Automating vCAC Tenant Creation with vCO: Part 7 Creating a vCAC Catalog Item

Automating vCAC Tenant Creation with vCO: Part 1 AD SSL

In this series we will see how to automate the creation of a tenant in vCAC using vCO. There are multiple tasks to provision a tenant in vCAC, so even though it is an automation product itself, there's no reason why you shouldn't look at automating parts of it too.

In parts 1 and 2 we will look at the AD requirements for a tenant. Since most organisations will likely use AD for authentication we will create the minimum users and groups required for a vCAC tenant in a structure that lends itself to further expansion.

In part 1 we will set up AD to accept requests via SSL. The AD plugin for vCO requires an SSL connection to a Domain Controller for any request that sets a password, for example creating a user or computer account, but not a group or an OU; Active Directory refuses to write the unicodePwd attribute over an unencrypted LDAP connection. Since we need to create some user accounts we will need to configure AD for LDAPS. (More on ways around this in a future post.)

There are a number of different ways to go about this, so look into it properly for your own environment. There are various options with internal and external certificates, so find the best for your situation. Since this is in my lab and I only have one DC, I'm going to install AD Certificate Services on the DC and use an internal cert for the DC. Outside a lab, keep the CA off the domain controllers (a CA that can issue a certificate for any principal should not share a box with the directory), and whatever issues the certificate, it must carry the DC's FQDN in the subject or subject alternative name and the Server Authentication EKU, otherwise LDAPS clients will reject it.

1) Ensure you have installed the AD Certificate Services role.

2) Set up automatic certificate enrollment for computers in the Default Domain Controllers Group Policy, so that the DC enrolls on its own for a certificate it can use for LDAPS.

3) Check that your DC has been issued a certificate (it appears in the computer's Personal certificate store). Note: to speed this part up you may need a gpupdate /force and possibly also a reboot.

4) You should also test that it is listening on port 636 for secure LDAP requests. You can use the built-in ldp.exe tool: connect to the DC's FQDN on port 636 with the SSL option ticked, and a successful connection prints the RootDSE. Test with the same FQDN that vCO will be given, since that name has to match the certificate's subject or SAN.

Now that we have that up and running, we can move onto Part 2 AD Users, Groups and OUs.
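The ldp.exe check in step 4, as an added example in script form (not part of the original post): it opens a TLS session to the DC on 636, reports the certificate it receives, and says whether the name used to connect matches it and whether the chain validates on the client doing the test. The DC name in the usage line is an assumption.

```powershell
# Added example, not part of the original post: exercise LDAPS on a DC and report the
# certificate, name match and chain validation instead of just "connected".
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $DomainController,   # use the FQDN the client will use
        [int] $Port = 636
    )

    $state = @{ Errors = $null }
    # Record the validation result rather than aborting the handshake, so an untrusted
    # issuer or a name mismatch is shown in the output instead of buried in an exception
    $onCert = {
        param($sender, $cert, $chain, $errors)
        $state.Errors = $errors
        return $true
    }.GetNewClosure()

    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($DomainController, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $onCert)
        # The target host passed here is what the certificate's subject CN or SAN must match
        $ssl.AuthenticateAsClient($DomainController)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
        $eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        # 1.3.6.1.5.5.7.3.1 = Server Authentication; required for an LDAPS server certificate
        $serverAuth = $eku -and (($eku.EnhancedKeyUsages | ForEach-Object Value) -contains '1.3.6.1.5.5.7.3.1')

        [pscustomobject]@{
            DomainController = $DomainController
            Protocol         = $ssl.SslProtocol
            Subject          = $cert.Subject
            SubjectAltName   = $san
            Issuer           = $cert.Issuer
            NotAfter         = $cert.NotAfter
            ServerAuthEKU    = [bool]$serverAuth
            ValidationErrors = $state.Errors   # None means chain and name both checked out on this client
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

Test-LdapsEndpoint -DomainController 'dc01.sunnydale.local' | Format-List
```

A result of RemoteCertificateNameMismatch means the FQDN you connected with is not in the certificate; RemoteCertificateChainErrors means the issuing CA is not trusted by the machine running the test, which is also what a vCO server will see unless it trusts that CA.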

 


vCO Create Random Password Action

Need to create a random password in vCO, maybe to be able to create a user account in Active Directory or elsewhere? I created an action for this task which can be reused in any workflow. The code for this is below.

There's one input, passwordLength, to determine how long you want the password to be. The action guarantees at least one lower-case letter, one upper-case letter, one digit and one special character, fills the remainder from the full character set, then shuffles the result so the guaranteed characters are not always at the front. One caveat: it uses Math.random(), which is not a cryptographically secure generator, so treat its output as a bootstrap password that gets changed (or as good enough for a lab) rather than as a long-lived secret.

The action can be used in a workflow like the tenant workflow above, which calls it as System.getModule("com.jonathan.action.general").generateRandomPassword(12).

Alternatively, you can download the action to import into your own vCO install from my vCOModules repository on GitHub, where I'm beginning to store modules of generic actions I use. Only a few items there at the minute, but plenty to follow.

// Input: passwordLength (number). Returns a string containing at least one lower-case
// letter, one upper-case letter, one digit and one special character.
if (passwordLength == null || passwordLength == "" || passwordLength < 5) {
	throw "Parameter passwordLength needs to be at least 5";
}

// Four positions are fixed by character class below; the rest come from the full set
var pickNumber = passwordLength - 4;

// Fisher-Yates shuffle, so the four class-guaranteed characters do not always come first
function shuffle(string) {
    var parts = string.split('');
    for (var i = parts.length; i > 0;) {
        var random = Math.floor(Math.random() * i);
        var temp = parts[--i];
        parts[i] = parts[random];
        parts[random] = temp;
    }
    return parts.join('');
}

var lowercase = 'abcdefghijklmnopqrstuvwxyz';
var uppercase = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
var numbers = '0123456789';
var special = '!?£@';   // adjust to the characters your password policy allows
var all = lowercase + uppercase + numbers + special;

// Math.random() is not a cryptographically secure generator; use the result as an
// initial password that gets changed rather than as a long-lived secret.
var c1 = lowercase.charAt(Math.floor(Math.random() * lowercase.length));
var c2 = uppercase.charAt(Math.floor(Math.random() * uppercase.length));
var c3 = numbers.charAt(Math.floor(Math.random() * numbers.length));
var c4 = special.charAt(Math.floor(Math.random() * special.length));
var c5 = '';

for (var i = 0; i < pickNumber; i++) {
	c5 += all.charAt(Math.floor(Math.random() * all.length));
}

var password = shuffle(c1 + c2 + c3 + c4 + c5);

return password;
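The same design (guaranteed character classes, remainder from the full set, then a shuffle) driven by a cryptographic random number generator, as an added example that is not part of the original post. It is PowerShell rather than vCO JavaScript, for use where the password is generated outside vCO, and it draws indices with rejection sampling so no character is favoured by modulo bias. The default special-character set is an assumption.

```powershell
# Added example, not part of the original post: class-guaranteed random password from the
# .NET cryptographic RNG instead of Math.random().
function New-RandomPassword {
    param(
        [ValidateRange(5, 256)] [int] $Length = 12,
        [string] $Special = '!?£@'     # adjust to what the target password policy allows
    )

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        # Unbiased integer in [0, $max): draw 32 bits and discard values above the largest
        # multiple of $max, so that ($n % $max) is uniform
        function Get-RandomIndex([int] $max) {
            $buf   = New-Object byte[] 4
            $range = 4294967296L                      # 2^32 possible values of a UInt32
            $limit = $range - ($range % $max)
            do {
                $rng.GetBytes($buf)
                $n = [BitConverter]::ToUInt32($buf, 0)
            } while ($n -ge $limit)
            return [int]($n % $max)
        }
        function Pick([string] $set) { $set[(Get-RandomIndex $set.Length)] }

        $lower = 'abcdefghijklmnopqrstuvwxyz'
        $upper = $lower.ToUpper()
        $digit = '0123456789'
        $all   = $lower + $upper + $digit + $Special

        # One character from each class, then the remainder from the full alphabet
        $chars = New-Object 'System.Collections.Generic.List[char]'
        $chars.Add((Pick $lower)); $chars.Add((Pick $upper)); $chars.Add((Pick $digit)); $chars.Add((Pick $Special))
        for ($i = 4; $i -lt $Length; $i++) { $chars.Add((Pick $all)) }

        # Fisher-Yates with the same RNG, so the guaranteed characters are not always first
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = Get-RandomIndex ($i + 1)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
        return -join $chars
    }
    finally { $rng.Dispose() }
}

# Usage: hand the value to New-ADUser -AccountPassword as a SecureString; do not log it
$plain  = New-RandomPassword -Length 16
$secure = ConvertTo-SecureString $plain -AsPlainText -Force
```

Without the rejection step, picking an index with a plain modulo of a 32-bit value favours the first few characters of each set slightly; it is a small bias, but a cryptographic generator is the wrong place to leave one in.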

VCSA: ‘Active Directory Enabled’ Fails During Setup Wizard

During the setup wizard of the vCenter Server Appliance I experienced an error at the step to make it Active Directory Enabled. In this instance I received the below error:

Failed to execute '/usr/sbin/vpxd_servicecfg 'ad' 'test' 'sunnydale\vcentersvc' CENSORED 'sunnydale.local'':
VC_CFG_RESULT=309(Error: Invalid hostname. FQDN is required for joining a domain.)

Initially I thought it may be something to do with how I was specifying the AD domain name or username. Didn't get very far with that, so I skipped it for the time being and decided to come back to it later.

This setting can later be configured from vCenter Server, Authentication. Attempting the same from there results in a similar error:

AD Authentication settings
Error: Invalid hostname. FQDN is required for joining a domain.

What the error (obviously) actually means is that the hostname specified on the Network page of the appliance must be the full FQDN, host name plus domain suffix, and not a standalone host name. That is what I had got wrong as part of the initial setup: a short name on the Network page where the FQDN should have been.

Also, make sure you have created a DNS A record for this server under that FQDN.

Once that was resolved I had some further issues with the formatting of the Domain and Admin User; in the end the user principal name format for the username (user@domain, rather than the domain\user form that appears in the error above) worked. (Note I had been experimenting with a change to the administrator account rather than the vcentersvc service account, which is why the account is different in what finally worked; I don't think that was the cause of the issue.)

Learn Active Directory Management in a Month of Lunches – 50% off promo code

Wanted to let readers know that I have a 50% off promo code for an upcoming book from Richard Siddaway, 'Learn Active Directory Management in a Month of Lunches'. It's now available in Manning's Early Access Program and the 50% off promo code is valid until Feb 26, 2013, 12 midnight EST. Use the code below when ordering:

learnadmau

Here’s the book abstract:

Active Directory is the heart of a Windows network, providing a centralized location for administration, security, and other core management functions. For example, Active Directory authenticates all users in a Windows network and enforces policies for managing your desktop estate. If you're new to Active Directory administration, or if you find yourself unexpectedly thrust into that role, you need to get a handle on Active Directory quickly. This is the book for you.

Learn Active Directory Management in a Month of Lunches is a practical, hands-on tutorial designed for IT pros new to Active Directory. It skips the theory and concentrates on the day to day administration tasks you need to know to keep your network running smoothly. Just set aside an hour a day for a month (lunchtime would be perfect) and you'll be comfortable and productive with Active Directory before you know it.

This book makes no assumptions about your background and starts by introducing Active Directory and walking you through its basic features. You'll learn how to administer AD both from the GUI tools built into Windows and by using PowerShell and the AD cmdlets. Along the way, you'll touch on best practices for managing user access, setting good group policies, automating backup processes, and more. The examples in the book use the Windows Server 2012 version of Active Directory and point out any important differences from earlier versions.

SAP Single Sign On Issues with Windows Server 2008 R2 Domain Controllers

By default, the Data Encryption Standard (DES) encryption types for Kerberos authentication are disabled in Windows Server 2008 R2, a change from Windows Server 2003. If you are running an application which still relies on DES for Kerberos, such as SAP, then you may see issues authenticating users against 2008 R2 DCs. You will see errors in the System log from the Kerberos Key Distribution Center like the below for the users in question:

"While processing a TGS request for the target server %1, the account %2 did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of %3). The requested etypes were %4. The accounts available etypes were %5."

To resolve this issue you need to make the Group Policy change to allow the DES encryption types for Kerberos authentication on the DCs, documented in this KB http://support.microsoft.com/kb/977321:

  1. In the Group Policy Management Console (GPMC), locate the following location:
    Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security Options
  2. Click to select the Network security: Configure encryption types allowed for Kerberos option.
  3. Click to select Define these policy settings and all the six check boxes for the encryption types.
  4. Click OK. Close the GPMC.

Bear in mind what this re-enables: single DES is a 56-bit cipher and the DES etypes are deprecated, so the policy puts a weak key type back on every DC it applies to. Keep the GPO scoped to the DCs that have to serve the legacy application, leave the RC4 and AES boxes ticked so everything else keeps negotiating the stronger etypes, and treat it as a bridge while the application's service accounts are moved to AES.

To be able to make this change, you need to have first installed the following hotfix, http://support.microsoft.com/kb/978055. This fix is included in Windows Server 2008 R2 SP1, so if you have installed that you are already good to go.

A good discussion of this issue and further steps you may need to take with service accounts can be found here:

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/ecf15eb9-26cf-483b-b1e3-1b1c7e4901e8/
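Before (or instead of) enabling DES domain-wide it is worth knowing exactly which accounts need it, so here is an added example (not part of the original post) that lists them. Two settings make an account depend on DES: the "Use Kerberos DES encryption types for this account" flag (userAccountControl bit 0x200000) and an explicit msDS-SupportedEncryptionTypes value that lists only the DES etypes. The RSAT ActiveDirectory module is assumed and the query runs against the module's default domain.

```powershell
# Added example, not part of the original post: find accounts that depend on DES Kerberos keys.
#Requires -Modules ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes
$EtypeBits = [ordered]@{ DES_CBC_CRC = 1; DES_CBC_MD5 = 2; RC4_HMAC = 4; AES128 = 8; AES256 = 16 }

function ConvertTo-EtypeNames([int] $value) {
    if ($value -eq 0) { return '(unset: KDC defaults, which exclude DES on 2008 R2)' }
    ($EtypeBits.GetEnumerator() | Where-Object { $value -band $_.Value } | ForEach-Object Key) -join ','
}

function Get-DesDependentAccount {
    $desOnlyFlag = 0x200000   # UF_USE_DES_KEY_ONLY

    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; 2097152 = 0x200000
    $filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=2097152)(msDS-SupportedEncryptionTypes=*))'
    Get-ADObject -LDAPFilter $filter -Properties sAMAccountName, userAccountControl,
        msDS-SupportedEncryptionTypes, servicePrincipalName |
      ForEach-Object {
        $etypes  = [int]($_.'msDS-SupportedEncryptionTypes')
        $desFlag = ($_.userAccountControl -band $desOnlyFlag) -ne 0
        # Explicit etype list with none of RC4 (4), AES128 (8) or AES256 (16): DES is all it can use
        $desOnlyEtypes = ($etypes -ne 0) -and (($etypes -band 28) -eq 0)
        [pscustomobject]@{
            Account         = $_.sAMAccountName
            ObjectClass     = $_.ObjectClass
            DesKeyOnlyFlag  = $desFlag
            SupportedEtypes = ConvertTo-EtypeNames $etypes
            NeedsDes        = $desFlag -or $desOnlyEtypes
            HasSPN          = [bool]$_.servicePrincipalName
        }
      } | Where-Object NeedsDes
}

Get-DesDependentAccount | Format-Table -AutoSize
```

Accounts with HasSPN set are the service accounts the forum thread above is about. Note that enabling the etypes on the DCs does not by itself give an account a DES key: the KDC derives per-etype keys when the password is set, so an account whose password predates the change still has no DES key until it is reset.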

Running AD Schema Update for 2008 R2 in a 32-bit DC Environment

To upgrade Active Directory from Windows Server 2003 to Windows Server 2008 R2 you first need the usual AD schema upgrade. Windows Server 2008 R2 is 64-bit only, so if you try running the usual command to upgrade the schema from a 32-bit Domain Controller:

adprep /forestprep

you get the following result: "adprep.exe is valid, but is for a machine type other than the current machine."

An alternative is to try running it from a 64-bit machine that is not a DC, but then you discover that this process absolutely must be run on a DC. Specifically, /forestprep has to run on the schema master (and /domainprep on the infrastructure master of each domain) with an account that is a member of Schema Admins, Enterprise Admins and the forest root Domain Admins; netdom query fsmo shows which DCs hold the roles.

So what do you do? The answer is that you run adprep32.exe, a 32-bit version of adprep, which is included in the same folder (support\adprep on the 2008 R2 media):

adprep32 /forestprep

Active Directory: How do you solve a problem like Maria? Or John Smith?

The larger your organisation gets, so do the number of users within your Active Directory and consequently the chances of employing people with the same name. Unless you have good naming policies from the start you may well end up with an untidy directory and, if you are using Exchange, an address book where it is hard to distinguish between people with the same Display Name.

The below script will generate a report listing all users whose Display Name matches that of somebody else and, for instance, what a new Display Name would look like if you added their department in brackets after their name; of course you could use another field entirely to distinguish them.

Note: it is using the Quest AD cmdlets.

Add-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

# Mail-enabled users (the ones that appear in the address book), grouped by Display Name;
# keep only the groups with more than one member
$users = Get-QADUser -DontUseDefaultIncludedProperties -SizeLimit 0 -LdapFilter '(mail=*)' |
    Group-Object DisplayName | Where-Object { $_.Count -gt 1 }
$myCol = @()

foreach ($user in $users) {

    foreach ($duplicateuser in $user.Group) {

        # Proposed name: department in brackets. A user with no department is flagged for
        # manual review rather than being renamed to "Name ()"
        if ($duplicateuser.Department) {
            $NewDisplayName = $duplicateuser.DisplayName + " (" + $duplicateuser.Department + ")"
        } else {
            $NewDisplayName = "REVIEW: no department set"
        }

        $MYInfo = "" | Select-Object UserID, CurrentDisplayName, NewDisplayName, Department
        $MYInfo.UserID = $duplicateuser.Name
        $MYInfo.CurrentDisplayName = $duplicateuser.DisplayName
        $MYInfo.NewDisplayName = $NewDisplayName
        $MYInfo.Department = $duplicateuser.Department
        $myCol += $MYInfo
    }
}

$myCol | Export-Csv C:\Scripts\Report.csv -NoTypeInformation

After reviewing the report and deciding to fix everyone on the list you could do it with the very similar code below. Set-QADUser supports -WhatIf, so run it with that first to see the renames it would make; it changes every duplicate, including both halves of each pair.

Add-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$users = Get-QADUser -DontUseDefaultIncludedProperties -SizeLimit 0 -LdapFilter '(mail=*)' |
    Group-Object DisplayName | Where-Object { $_.Count -gt 1 }

foreach ($user in $users) {

    foreach ($duplicateuser in $user.Group) {

        # Skip users with no department; they stay on the report for manual handling
        if ($duplicateuser.Department) {
            $NewDisplayName = $duplicateuser.DisplayName + " (" + $duplicateuser.Department + ")"
            Set-QADUser $duplicateuser -DisplayName $NewDisplayName
        }
    }
}

Of course you might be in a scenario where some people already have brackets after their name and you wish to create a report of those. The below one-liner will give you those results. Note that ( and ) are filter syntax in LDAP, so inside a value they have to be escaped as \28 and \29 (RFC 4515); an unescaped "*(*)*" is not a valid filter.

Get-QADUser -LdapFilter '(&(displayname=*\28*\29*)(mail=*))' -DontUseDefaultIncludedProperties | Select-Object Name, DisplayName, Department | Export-Csv C:\Scripts\Report.csv -NoTypeInformation

UK PowerShell User Group Events in Jan and Feb 2010

The first two sessions of the UK PowerShell User Group for 2010 will be online sessions.

The first event will take place on Tuesday 26th Jan 2010 7.30pm GMT. We will be looking at the Windows 2008 R2 cmdlets and provider for Active Directory.

Sign up details are available on Richard Siddaway’s blog.

The second event will take place on Tuesday 9th Feb 2010 7.30pm GMT. We will be looking at WMI and WQL.

Details again on Richard Siddaway’s blog.