As a system administrator, you need to configure a multi domain or multi forest Active Directory link.

About this task

The procedure for configuring a multi domain or multi forest Active Directory link is essentially the same. For a multi forest link, bi-directional trust is required between all applicable domains.

Prerequisites

  • Install a distributed vRealize Automation deployment with appropriate load balancers. See Installing vRealize Automation 7.1.

  • Log in to the vRealize Automation console as a tenant administrator.

  • Configure the appropriate domains and Active Directory forests for your deployment.

Procedure

  1. Select Administration > Directories Management > Directories.
  2. Click Add Directory.
  3. On the Add Directory page, specify a name for the Active Directory server in the Directory Name text box.
  4. Select Active Directory (Integrated Windows Authentication) under the Directory Name heading.
  5. Configure the connector that synchronizes users from the Active Directory to the VMware Directories Management directory in the Directory Sync and Authentication section.

    Sync Connector: Select the appropriate connector to use for your system. Each vRealize Automation appliance contains a default connector. Consult your system administrator if you need help in choosing the appropriate connector.

    Authentication: Click the appropriate radio button to indicate whether the selected connector also performs authentication.

    Directory Search Attribute: Select the account attribute that contains the user name.

    Depending on your deployment configuration, you will have one or more connectors available for use.

  6. Enter the join domain credentials in the Domain Name, Domain Admin User Name, and Domain Admin Password text boxes.

    For example: Domain Name: hs.trcint.com, Domain Admin User Name: devadmin, Domain Admin Password: xxxx.

  7. In the Bind User Details section, enter the appropriate Active Directory (Integrated Windows Authentication) credentials to facilitate directory synchronization.

    Bind User UPN: Enter the User Principal Name of the user who can authenticate with the domain, for example UserName@example.com. Use a dedicated service account with read access to the users and groups being synchronized rather than the domain administrator account from step 6.

    Bind DN Password: Enter the Bind User password.

  8. Click Save & Next.

    The Select the Domains page appears with the list of domains.

  9. Click the appropriate check boxes to select the desired domains for your system deployment.
  10. Click Next.
  11. Verify that the Directories Management directory attribute names are mapped to the correct Active Directory attributes.

    If the directory attribute names are mapped incorrectly, select the correct Active Directory attribute from the drop-down menu.

  12. Click Next.
  13. Click Add to select the groups you want to sync from Active Directory to the directory.

    When you add an Active Directory group, if members of that group are not in the Users list, they are added.

    Note:

    The Directories Management user authentication system imports data from Active Directory when adding groups and users, and the speed of the system is limited by Active Directory capabilities. As a result, import operations may require a significant amount of time depending on the number of groups and users being added. To minimize the potential for delays or problems, limit the number of groups and users to only those required for vRealize Automation operation. If your system performance degrades or if errors occur, close any unneeded applications and ensure that your system has appropriate memory allocated to Active Directory. If problems persist, increase the Active Directory memory allocation as needed. For systems with large numbers of users and groups, you may need to increase the Active Directory memory allocation to as much as 24 GB.

  14. Click Next.
  15. Click Add to add additional users by distinguished name. For example, enter CN=username,CN=Users,OU=myUnit,DC=myCorp,DC=com.

    To exclude users, click Add to create a filter to exclude some types of users. You select the user attribute to filter by, the query rule, and the value.

  16. Click Next.
  17. Review the page to see how many users and groups are syncing to the directory.

    If you want to make changes to users and groups, click the Edit links.

  18. Click Push to Workspace to start the synchronization to the directory.
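The following PowerShell script is an added pre-flight check for the prerequisites and inputs used in the procedure above. It is not part of the vRealize Automation documentation or product; it runs on a domain-joined Windows host with the RSAT ActiveDirectory module and verifies, from the join domain, that each domain to be selected in step 9 is reachable through a two-way trust, that the step 7 bind user resolves by UPN and is not a direct member of a built-in administrative group, and that the step 15 distinguished name is well formed and exists. The domain hs.trcint.com and the step 15 DN are the page's examples; the bind UPN svc-vra-sync@hs.trcint.com and the second domain corp.example.com are assumed values to replace with your own.

```powershell
# Added pre-flight check for the Add Directory procedure. Not code from the
# vRealize Automation documentation or product; it only reads Active Directory
# through the RSAT ActiveDirectory module on a domain-joined Windows host.
# hs.trcint.com and the step 15 DN come from the page; the bind UPN and the
# second sync domain are assumed values.
Import-Module ActiveDirectory

$JoinDomain  = 'hs.trcint.com'                                   # step 6, Domain Name
$BindUpn     = 'svc-vra-sync@hs.trcint.com'                      # step 7, Bind User UPN (assumed)
$SyncDomains = @('hs.trcint.com', 'corp.example.com')            # step 9, domains to select (second is assumed)
$ExtraUserDn = 'CN=username,CN=Users,OU=myUnit,DC=myCorp,DC=com' # step 15, user DN

$failures = @()

# 1. Trust check: every selected domain other than the join domain must have a
#    two-way trust as seen from the join domain. Only trust objects directly
#    visible from the join domain are inspected; transitive paths through a
#    forest root are not followed here.
$trusts = Get-ADTrust -Filter * -Server $JoinDomain
foreach ($d in ($SyncDomains | Where-Object { $_ -ne $JoinDomain })) {
    $t = $trusts | Where-Object { $_.Name -eq $d -or $_.Target -eq $d } | Select-Object -First 1
    if (-not $t) {
        $failures += "No trust object for $d visible from $JoinDomain"
    } elseif ("$($t.Direction)" -ne 'BiDirectional') {
        $failures += "Trust $JoinDomain <-> $d is $($t.Direction), not BiDirectional"
    } else {
        Write-Host "OK  two-way trust to $d (forest transitive: $($t.ForestTransitive))"
    }
}

# 2. Bind user check: the account must resolve by UPN in the join domain and be
#    enabled. Direct membership in built-in administrative groups is reported so
#    the account can be swapped for a read-only service account before its
#    password is entered into the directory configuration.
$bind = Get-ADUser -Filter "UserPrincipalName -eq '$BindUpn'" -Server $JoinDomain `
            -Properties MemberOf, Enabled
if (-not $bind) {
    $failures += "Bind user $BindUpn not found in $JoinDomain"
} else {
    if (-not $bind.Enabled) { $failures += "Bind user $BindUpn is disabled" }
    $priv = $bind.MemberOf | Where-Object {
        $_ -match '^CN=(Domain Admins|Enterprise Admins|Administrators|Account Operators),'
    }
    if ($priv) { Write-Warning "Bind user $BindUpn is in privileged group(s): $($priv -join '; ')" }
    else       { Write-Host "OK  bind user $BindUpn resolves and is not a direct admin group member" }
}

# 3. Step 15 DN check: each RDN must use '=' (a '-' in place of '=' is a common
#    typo) and the object must exist in the domain named by its DC components.
$rdns = $ExtraUserDn -split ','
$bad  = $rdns | Where-Object { $_ -notmatch '^(CN|OU|DC)=[^,=]+$' }
if ($bad) {
    $failures += "Malformed RDN(s) in '$ExtraUserDn': $($bad -join ', ')"
} else {
    $dnDomain = ($rdns | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Substring(3) }) -join '.'
    try {
        $obj = Get-ADObject -Identity $ExtraUserDn -Server $dnDomain -ErrorAction Stop
        Write-Host "OK  $ExtraUserDn exists ($($obj.ObjectClass)) in $dnDomain"
    } catch {
        $failures += "DN $ExtraUserDn not found in ${dnDomain}: $($_.Exception.Message)"
    }
}

if ($failures) {
    $failures | ForEach-Object { Write-Host "FAIL $_" }
    exit 1
}
Write-Host 'Pre-flight checks passed; continue with Add Directory.'
```

Run the script as a user that can read trust and user objects in the join domain before starting step 1; a non-zero exit means one of the inputs above needs fixing, while the privileged-group warning is advisory and points at replacing the bind account rather than at a configuration error.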

What to do next