Microsoft AD Endpoint Configuration (Jump Host / WinRM)

Overview

In this how to, we will cover how to configure a jump host to be used as the Microsoft AD End point and the pre requisites you need to configure to be successful.  

We will cover:

• VMware tools connection method
• WinRM connection method
• Microsoft Tools that need to be installed
• Folders for scripts to be executed on

Considerations

• Have licensed the Microsoft AD module
• Have a Microsoft Windows Server available as a Jump Server
• Have configured an account with the appropriate rights in AD to write to the appropriate OU
  • This could be the same account used for vRA/vRO or a new account specifically created for this
• If you plan to use the WinRM method, you have enabled WinRM on your domain (both domain controllers and clients / See Additional Information for links)

Scenario

Scenario 1

Configure your Microsoft Endpoint to use a jump host and VMWare tools to execute the Active Directory Module.

I will assume you have already configured a vCenter endpoint so this will not be covered in this how to.

Scenario 2

Configure your Microsoft Endpoint to utilise WinRM to execute the Active Directory Module

Procedure

Installing RSAT components for Active Directory management

1. On your server, in your server manager dash board, click on Manage → Add Roles and Features
   1. 
2. Click on Next
   1. 
3. Click on Next
   1. 
4. Click on Next
   1. 
5. Click on Next
   1. 
6. Scroll down until you see Remote Server Administrator Tools
   1. 
7. Click the little arrow next to this hen drop down next to Role Administration Tools
   1. 
8. Place a check in AD DS and AD LDS tools and click Next
   1. 
9. You can opt to have the server restarted as required.  I have left this unchecked, click on install
   1. 
10. Click on Close
    1. 
11. Once the installation completes, you can click the flag and confirm this
    1. 
12. If you click on Tools, you will now see a set of Active Directory modules.  
    1. 

Scenario 1

Creating a Microsoft endpoint utilizing VMware tools (To create this for WinRM, go to Scenario 2)

1. In your catalog, search for Microsoft Endpoint and click Request on Add Microsoft Endpoint – SovLabs Modules
   1. 
2. Next to Configuration Label, provide a meaningful name
   1. 
3. In the connection type drop down, select vmware-tools
   1. 
4. in the vCenter Endpoint drop down, select your existing vCenter you will be using the jump box in
   1. 
5. in the VM name as it appears in vCenter, enter the name of the vm (as it appears in vcenter) and place a check in Is a jump server?
   1. 
6. In he Remote Server field, enter your Active Directory Domain Controller DNS Name, IP Address or domain name
   1. 
7. Under credential configuration for microsoft endpoint, if you are creating a new account,  Type in a meaningful label, the username of an account that has sufficient rights in AD and the password. If you have an existing account, you can opt to select this.
   1. 
8. Under advanced configuration, if you want to specify a share on the Jump Server so that the account as you don’t want to give admin rights, please enter that path.  If you are going to create a folder for these scripts. We recommend naming the folder Sovlabs eg; C:Sovlabs and providing the service account full rights to this share/folder. (NOTE: This is optional and you must configure the share appropriately on the Jump server)
   1. 
9. Click on Submit
   1. 

Add Active Directory Configuration

1. In your catalog, search for activedirectory and click on request in Add ActiveDirectory Configuration – SovLabs Modules
   1. 
2. Next to Configuration Label, enter a meaningful name
   1. 
3. Next to Microsoft endpoint(s), select the endpoint you created earlier
   1. 
4. In the Computer name case Drop Down, select if you want the computer to be created with upper case, lower case or none (Will use your naming standard case)
   1. 
5. Under build OU, you can opt to place the VM into an OU during build time that may have different Policies applied. If you check the box, you will need to specify the build OU, I will be leaving this unchecked
   1. 
6. Next to OU, enter the OU you wish to deploy your VM to (NOTE:  This can be templated so you can select different OU’s based on your requirements). You can also place a checkbox to create the OU if it does not exist, or, to delete the OU if it is empty.
   1. 
7. In AD Security Group(s) you can opt to add the computer to a/many specific security group(s).
   1.   
8. Under Advanced next to delete computer accounts based on computer name? if you leave the check box, it will delete accounts based on matches, you can opt to uncheck this, however, i recommend leaving this checked.
   1. 
9. Click on Submit
   1. 

Add AD configuration to your blueprint

1. In your blueprint click on Properties → Property Groups and click on Add
   1. 
2. In the pop up, scroll through and find the listing starting with SovLabs-AD-<tenant>_<ConfigurationName>, place a check next to it and click OK
   1. 
3. Click on Finish
   1. 
4. When deploying the new AD configuration.  You will see the following
   1. Powershell script and logs will get created during build to add to AD on your jump server
      1. 
   2. In Active Directory, you will see in the OU your specified the Machine will have been built matching your settings (upper case/lower case)

Scenario 2

Creating a Microsoft endpoint utilizing WinRM (See additional information on a script to enable WinRM and WinRM Requirements)

1. In your catalog search for Microsoft Endpoint and click on request in Add Microsoft Endpoint – SovLabs Modules
   1. 
2. Next to Configuration Label, enter a meaningful name
   1. 
3. Next to the connection type drop down, select winrm
   1. 
4. Next to Hostname, enter a Domain Controller by DNS Name, IP or the domain
   1. 
5. In the credentials, if you leave Create credential checked ensure you enter a description, username and password of an account with sufficient rights in AD (you could also use your previous account).
   1. 
6. Under advanced configuration, if you want to specify a share on domain controllers so that the account as you don’t want to give admin rights, please enter that path.  (NOTE: This is optional and you must configure the share appropriately on the Jump server).  I will be using an account that has admin rights on a DC so this will be left as blank.
   1. 
7. Click on Submit
   1. 
8. To complete the setup, follow the steps for Add Active Directory Configuration

Add AD configuration to your blueprint

1. In your blueprint click on Properties → Property Groups and click on Add
   1. 
2. In the pop up, scroll through and find the listing starting with SovLabs-AD-<tenant>_<ConfigurationName>, place a check next to it and click OK
   1. 
3. Click on Finish
   1. 
4. When deploying the new AD configuration.  You will see the following
   1. Powershell script and logs will get created during build to add to AD on your nominated domain controller (Or if you have opted to select domain, it should be your sites domain controller)
   2. In Active Directory, you will see in the OU your specified the Machine will have been built matching your settings (upper case/lower case)

Additional information

• AD Jump Server Pre Reqs: https://docs.sovlabs.com/latest/vRA/7.6/modules/platform-extensions/microsoft-ad/prerequisites/
• Enabling WinRM
  • https://support.microsoft.com/en-us/help/555966
  • https://docs.microsoft.com/en-us/windows/desktop/winrm/installation-and-configuration-for-windows-remote-management
• Activating WinRM on a server: https://sovlabs.freshdesk.com/a/solutions/articles/6000139730
• WinRM requires the following ports open:
  • HTTP   | 5985
  • HTTPS | 5986