vCAC – Adding VMs to Specific AD OUs

Continuing on from my last post on vCAC – Adding Domain Selection to IaaS Blueprints, I thought I would post on a common request: adding virtual machines to specific Active Directory OUs during the provisioning process.

The Problem?

Using a vCenter Customization allows a VM to join the domain, but how can we influence which OU the Computer object is placed into?

The Answer

Leverage the Runonce component of a vCenter Windows customization to move the computer object once the VM has joined the domain.
Like my previous post on vCAC, there are actually dozens of ways to achieve this. One of the most common is to leverage a vCO workflow as part of the vCAC provisioning process. This would be just as effective, but it requires vCO to have a domain connection for each domain you wish to add VMs to. For this reason, and because I believe Runonce is a little simpler to set up, I will blog on this method.

The Solution

The advantage of leveraging the vCenter Runonce is that the command is automatically cleaned up after the customization, and as the command runs from the VM itself, communicating with the DCs shouldn't be an issue.
There are many scripts and commands that can perform the OU move. Around the web there are numerous VBScripts, PowerShell scripts and other programs that can easily do this. However, you will want a script/program that accepts the destination OU as a string as well as credentials for the operation: the Windows OOTB customization runs as SYSTEM, which has no privileges in AD to perform the move.
The steps below are credited to a VMware Communities blog post by jonathanvm.

1. I would recommend dsMove.exe, which is part of the Windows 2008 and later Active Directory Domain Services tools. This program is provided by Microsoft and accepts a username and password as inputs. You can get dsMove from any server with the Windows Active Directory Domain Services tools installed (such as a DC). Simply copy the file dsMove.exe from C:\Windows\System32 to the same location on your template VM.
NOTE: You also need dsmove.exe.mui from the subfolder en-US.

2. Edit the vCenter Customization we created in the previous post. Under the Administrator Password section, ensure that "Automatically log on as the Administrator" is checked for 1 logon.

3. Add the commands below to the Runonce configuration, substituting the domain names and accounts etc… The AD account performing the OU move will need the Account Operators or an equivalent role in AD. I recommend a service account with only these permissions.

cmd.exe /c dsmove -u account@domain.com CN=%computername%,CN=Computers,DC=domain,DC=com -d domain.com -newparent ou=servers,dc=domain,dc=com -p password

timeout 10

cmd.exe /c shutdown -r -t 00

The advantage of putting the target OU in the customization is that the template itself is not hard-coded to a specific OU. Simply create more customization specifications if a choice of OU is required.
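As an added example (not from the original post), the dsmove Runonce step above wrapped in a PowerShell script that confirms the domain join finished, runs the move, verifies the object landed in the target OU and only then reboots, writing a log for later troubleshooting. It assumes dsmove.exe and its en-US MUI file were copied into the template as described; the service account name, the log path and the script parameters are hypothetical.

```powershell
# Added example, not the post's own script. Call from Runonce as e.g.
#   cmd.exe /c powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Move-ToOu.ps1 -Domain domain.com -TargetOu "OU=Servers,DC=domain,DC=com" -User svc-oumove@domain.com -Password <password>
param(
    [Parameter(Mandatory)] [string]$Domain,    # e.g. domain.com
    [Parameter(Mandatory)] [string]$TargetOu,  # e.g. OU=Servers,DC=domain,DC=com
    [Parameter(Mandatory)] [string]$User,      # hypothetical service account, delegated only "move computer objects"
    [Parameter(Mandatory)] [string]$Password
)

$log = 'C:\Windows\Temp\oumove.log'   # assumed log location
function Write-Log([string]$msg) { "$(Get-Date -Format s) $msg" | Out-File $log -Append }

# Runonce fires on first logon; make sure the join actually completed before touching AD,
# otherwise the source DN does not exist yet and dsmove fails.
$cs = Get-WmiObject Win32_ComputerSystem
if (-not $cs.PartOfDomain -or $cs.Domain -ne $Domain) {
    Write-Log "Machine is not joined to $Domain (reported: $($cs.Domain)); aborting move."
    exit 1
}

# A plain join lands in the Computers container; build both DNs from the domain name.
$domainDn = ($Domain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
$sourceDn = "CN=$env:COMPUTERNAME,CN=Computers,$domainDn"

Write-Log "Moving $sourceDn to $TargetOu as $User"
$out = & "$env:SystemRoot\System32\dsmove.exe" $sourceDn -newparent $TargetOu -d $Domain -u $User -p $Password 2>&1
Write-Log ($out -join ' ')
if ($LASTEXITCODE -ne 0) {
    Write-Log "dsmove failed with exit code $LASTEXITCODE; leaving object in place."
    exit $LASTEXITCODE
}

# Verify the move using the VM's own computer account (read access is enough) before rebooting.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$TargetOu"
$searcher.Filter = "(&(objectClass=computer)(cn=$env:COMPUTERNAME))"
if ($null -eq $searcher.FindOne()) {
    Write-Log "Computer object not found under $TargetOu after move; not rebooting."
    exit 2
}

Write-Log "Move verified; rebooting."
Restart-Computer -Force
```

Whatever wrapper you use, the password is stored in clear text in the customization specification and in the Runonce registry value until the command executes, which is one more reason to keep the account limited to the move right on the source container and target OU rather than Account Operators.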

dsMove vCenter Customisation

That’s all for now folks. Chris Slater out.
