You add an endpoint and configure the Active Directory plug-in to connect to a running Active Directory instance and manage users and user groups, Active Directory computers, organizational units, and so on.

After you add an Active Directory endpoint, you can update it at any time.


  • Verify that you have access to a Microsoft Active Directory instance. See the Microsoft Active Directory documentation.

  • Log in to the vRealize Automation console as a tenant administrator.


  1. Select Administration > Endpoints > OrchestratorEndpoints.
  2. Click the New icon (Add).
  3. In the Plug-in drop-down menu, select Active Directory.
  4. Click Next.
  5. Enter a name and, optionally, a description.
  6. Click Next.
  7. Configure the Active Directory server details.
    1. Enter the IP address or the DNS name of the host on which Active Directory runs in the Active Directory host IP/URL text box.
    2. Enter the lookup port of your Active Directory server in the Port text box.

      vRealize Orchestrator supports the Active Directory hierarchical domains structure. If your domain controller is configured to use Global Catalog, you must use port 3268. You cannot use the default port 389 to connect to the Global Catalog server. In addition to ports 389 and 3268, you can use 636 for LDAPS.

    3. Enter the root element of the Active Directory service in the Root text box.

      For example, if your domain name is, then your root Active Directory is dc=mycompany,dc=com.

      This node is used for browsing your service directory after entering the appropriate credentials. For large service directories, specifying a node in the tree narrows the search and improves performance. For example, rather than searching in the entire directory, you can specify ou=employees,dc=mycompany,dc=com. This root element displays all the users in the Employees group.

    4. (Optional) To activate encrypted certification for the connection between vRealize Orchestrator and Active Directory, select Yes from the Use SSL drop-down menu.

      The SSL certificate is automatically imported without prompting for confirmation even if the certificate is self-signed.

    5. (Optional) Enter the domain in the Default Domain text box.

      For example, if your domain name is, type

  8. Configure the shared session settings.

    The credentials are used by vRealize Orchestrator to run all the Active Directory workflows and actions.

    1. Enter the user name for the shared session in the User name for the shared session text box.
    1. Enter the password for the shared session in the Password for the shared session text box.
  9. Click Finish.


You added an Active Directory instance as an endpoint. XaaS architects can use XaaS to publish Active Directory plug-in workflows as catalog items and resource actions.

What to do next