I am deploying a multi-machine blueprint whereby the user picks any number of web app and db servers and then sends the request. The request starts to run and, using the AD integration plugin, it tries to go out and pre-stage computer accounts for the machines in the specified OU. I am getting intermittent success. It is not consistent. When it fails it is due to a java.util.concurrent.TimeOut Exception. At first I considered it was due to me using the SPN of the name as the AD controller. So I changed that and am now pointing to a specific Domain controller. I still get the errors more often than not. I get a successful run about 1 out of 5 times. I know it's not anything in the blueprint; it has to be in the AD Plugin or there may be an issue on my client's AD Domain. Here is a failed workflow run showing that it fails at the PRESTAGE_COMPUTER_ACCOUNT. Any help troubleshooting would be appreciated.
Confirm the AD permissions of the service account used to connect the machine to AD. For testing, make the account a Domain Admin, and if successful remove the access and try to identify the exact permissions needed in the OUs you are using. VMware does list the AD Permissions, but I am currently unable to find that document.
The permissions are fine. As I stated, about 1 in 5 times I get a successful run. The service account has full permissions to create objects in a domain and join objects in a domain.
I read that it was 1 in 5 success. I had a similar issue.
Again, I can't seem to find the exact AD permissions needed for this, but in troubleshooting we found that granting the service account DA permissions resolved it. I was just suggesting a troubleshooting process that would indicate whether it was an AD permissions issue or vRA. This is version 8.1 and there seem to be a lot of bugs still.
Just FYI, I solved the issue by not using the AD integration Module. I created two separate workflows that created a machine in the OU that I wanted and then the other to destroy the computer account when the machine is destroyed. I created subscriptions on the pre allocate and the post removal and I was successfully able to run a multi machine blueprint numerous times without any failures. I deployed almost 600 VMs on three separate networks with 3 different images without any failures as a test. The computer objects were all created and destroyed based on the deployment.
Hey siglert - I'm having the exact same issue. AD integration randomly stops working.
VRA appliance IP is in an appropriate subnet attributed to a site listed in AD sites and services
Giving service account DA temporarily did not help
Fully qualifying domain name and domain controller names didn't help (i.e. ldap://company.com:389 OR ldap://comldapsrv01.company.com:389)
I can't locate the AD integration logs on the appliance itself to troubleshoot any further
Would you mind sharing the logic of your custom workflows/actions? I think I will need to go down the same path. Thanks
Thanks so much, siglert - I am hoping to get a chance to toy with this over the weekend.
Cheers
Let me know how it works out.
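The approach described in the thread (create the computer account at pre-allocate, delete it at post-removal), sketched as an added example; it is not code from any poster here or from VMware. It assumes the RSAT ActiveDirectory module and a service account delegated only on the target OU; the function names, the marker text and the sample OU/DC values are constructed, and how the functions are invoked from the two subscriptions is not shown.

```powershell
Import-Module ActiveDirectory

# Hypothetical tag written to Description so cleanup only touches accounts this automation created.
$Marker = 'prestaged-by-automation'

function New-PrestagedComputer {
    param(
        # Restricting the name to NetBIOS-safe characters also keeps it safe inside the -Filter string.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9-]{1,15}$')][string]$Name,
        [Parameter(Mandatory)][string]$OuPath,        # e.g. 'OU=Servers,DC=example,DC=com' (constructed)
        [Parameter(Mandatory)][string]$Server,        # one named DC, so create and delete hit the same replica
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $existing = Get-ADComputer -Filter "Name -eq '$Name'" -Server $Server -Credential $Credential
    if ($existing) {
        # Never silently reuse an account that something else owns.
        throw "Computer account '$Name' already exists: $($existing.DistinguishedName)"
    }
    New-ADComputer -Name $Name -Path $OuPath -Description $Marker -Enabled $true `
        -Server $Server -Credential $Credential -PassThru
}

function Remove-PrestagedComputer {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9-]{1,15}$')][string]$Name,
        [Parameter(Mandatory)][string]$OuPath,
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # Search only under the delegated OU; an account elsewhere in the domain is out of scope.
    $computer = Get-ADComputer -Filter "Name -eq '$Name'" -SearchBase $OuPath `
        -Properties Description -Server $Server -Credential $Credential
    if (-not $computer) { return }                    # already gone: treat removal as idempotent
    if ($computer.Description -ne $Marker) {
        throw "Refusing to delete '$Name': it was not created by this automation."
    }
    Remove-ADComputer -Identity $computer.DistinguishedName -Server $Server `
        -Credential $Credential -Confirm:$false
}

# Constructed usage:
#   $cred = Get-Credential
#   New-PrestagedComputer    -Name 'web-0001' -OuPath 'OU=Servers,DC=example,DC=com' -Server 'dc01.example.com' -Credential $cred
#   Remove-PrestagedComputer -Name 'web-0001' -OuPath 'OU=Servers,DC=example,DC=com' -Server 'dc01.example.com' -Credential $cred
```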