Cloud Assembly supports integration with Active Directory servers to provide out of the box creation of computer accounts in a specified Organizational Unit (OU) within an Active Directory server prior to provisioning a virtual machine. Active Directory supports an LDAP connection to the Active Directory server.
An Active Directory policy that is associated with a project is applied to all virtual machines provisioned within the scope of that project. Users can specify one or more tags to selectively apply the policy to virtual machines that are provisioned to the cloud zones with matching capability tags.
WORKSTATION_TRUST_ACCOUNT 0x1000 PASSWD_NOTREQD (No password is required) 0x0020
For on-premises deployments, Active Directory integration enables you to set up a health check feature that shows the status of the integration and the underlying ABX integration on which it relies, including the required extensibility cloud proxy. Prior to applying an Active Directory policy, Cloud Assembly checks the status of the underlying integrations. If the integration is healthy, Cloud Assembly creates the deployed computer objects in the specified Active Directory. If the integration is unhealthy, the deploy operation skips the Active Directory phase during provisioning.
Prerequisites
- Active Directory integration requires an LDAP connection to the Active Directory server.
- If you are configuring an Active Directory integration with vCenter on-premises, you must configure an ABX integration with an extensibility cloud proxy. Select and choose Extensibility Actions On Prem.
- If you are configuring an integration with Active Directory in the cloud, you must have a Microsoft Azure or Amazon Web Services account.
- You must have a project configured with appropriate cloud zones, and image and flavor mappings to use with the Active Directory integration.
- The desired OU on your Active Directory must be pre-created before you associated your Active Directory integration with a project.
- The user configured for the Active Directory integration must have permissions to create/delete/search for computer objects in the configured OU.
Procedure
Results
You can now associate the project with Active Directory integration to a cloud template. When a machine is provisioned using this cloud template, it is pre-staged in the specified Active Directory and Organizational Unit.
Initially, Active Directory integrations are deployed to a default OU with little user restrictions. The OU is set by default when you map an Active Directory integration to a project. You can add a property called FinalRelativeDN
to blueprints to change the OU for Active Directory deployments. This property enables you to specify the OU to use with an Active Directory deployment.
formatVersion: 1 inputs: {} resources: Cloud_vSphere_Machine_1: type: Cloud.vSphere.Machine properties: image: CenOS8 flavor: tiny activeDirectory: finalRelativeDN: ou=test securityGroup: TestSecurityGroup
As shown in the preceding YAML example, users can add a property to an Active Directory integration deployment that adds a computer account to the security group so that appropriate permissions are assigned to access the shared resource over a network. The Active Directory virtual machine is initially deployed to a fixed OU but when the machine is ready to release, it is moved to a different OU with the appropriate policy as applicable for users.
If a computer account is moved to a different OU after deployment, Cloud Assembly attempts to delete the accounts on the initial OU. Deletion of computer accounts succeeds only in the case of virtual machines moved to a different OU within the same domain.
You can also implement a tag-based health check for on-premises Active Directory integrations as follows.
- Create an Active Directory integration as described in the preceding steps.
- Click the Project tab to add a project to the Active Directory integration.
- Select a project name and a relative DN on the Add Projects dialog. The relative DN must exist within the specified base DN.
There are two switches on this dialog that enable you to control Active Directory configuration from cloud templates. Both switches are off by default.
- Override - This switch enables you to override Active Directory properties, specifically the relative DN in cloud templates. When switched on, you can change the OU specified in the
relativeDN
property in the cloud template. When provisioned the machine will be added to the OU specified in therelativeDN
property in the cloud template. The following example shows the cloud template hierarchy in which this property appears.activeDirectory: relativeDN: OU=ad_integration_machine_override
- Ignore - This switch enables you to ignore the Active Directory configuration for the project. When switched on, it adds a property to the cloud template called
ignoreActiveDirectory
for the associated virtual machine. When this property is set to true means that the machine is not added to the Active Directory when deployed.
- Override - This switch enables you to override Active Directory properties, specifically the relative DN in cloud templates. When switched on, you can change the OU specified in the
- Add appropriate tags. These tags are applicable to the cloud zone to which the Active Directory policy may apply.
- Click Save.
The Status of the Active Directory integration is displayed for each integration on the Cloud Assembly.
page inYou can associate the project with Active Directory integration with a cloud template. When a machine is provisioned using this template, it is pre-staged in the specified Active Directory and OU.