Connecting a deployed Windows VM to an Active Directory domain is pretty easy, just apply an appropriately-configured customization spec and vCenter will take care of it for you. Of course, you’ll likely then need to move the newly-created computer object to the correct Organizational Unit so that it gets the correct Group Policy.

Fortunately, vRA 8 supports adding an Active Directory integration to handle staging computer objects in a designated OU. And vRA 8.3 even introduced the ability to let blueprints override the relative DN path.

Adding the AD integration
First connecting vRA to AD. I do this by opening the Cloud Assembly interface, navigating to Infrastructure > Connections > Integrations, and clicking the Add Integration button. I’m then prompted to choose the integration type so I select the Active Directory one, and then I fill in the required information: a name, my domain controller as the LDAP host (ldap://Server01.example.net:389), credentials for an account with sufficient privileges to create and delete computer objects, and finally the base DN to be used for the LDAP connection.

Clicking the Validate button quickly confirms that I’ve entered the information correctly, and then I can click Add to save my work.

I’ll then need to associate the integration with a project by opening the new integration, navigating to the Projects tab, and clicking Add Project. Now I select the project name from the dropdown, enter a valid relative OU (OU=ExampleOU), and enable the options to let me override the relative OU and optionally skip AD actions from the cloud template.

Customization specs
As mentioned above, I’ll leverage the customization specs in vCenter to handle the actual joining of a computer to the domain. I maintain multiple specs for Windows deployments (one to join the domain and one to stay on the workgroup), and I can let the vRA cloud template decide which should be applied to a given deployment.

It’s about as basic as can be, including using DHCP for the network configuration (which doesn’t really matter since the VM will eventually get a static IP assigned from VRA.

Cloud template
I want to make sure that users requesting a deployment are able to pick whether or not a system should be joined to the domain, so I’m going to add that as an input option on the template:

inputs:
  [...]
  adJoin:
    title: Join to AD domain
    type: boolean
    default: true
  [...]

This new adJoin input is a boolean so it will appear on the request form as a checkbox, and it will default to true, we’ll assume that any Windows deployment should be automatically joined to AD unless this option gets unchecked.

In the resources section of the template, I’ll set a new property called ignoreActiveDirectory to be the inverse of the adJoin input; that will tell the AD integration not to do anything if the box to join the VM to the domain is unchecked. I’ll also use activeDirectory: relativeDN to insert the appropriate site code into the DN where the computer object will be created. And, finally, I’ll reference the customizationSpec and use cloud template conditional syntax to apply the correct spec based on whether it’s a domain or workgroup deployment.

resources:
  Cloud_vSphere_Machine_1:
    type: Cloud.vSphere.Machine
    properties:
      [...]
      ignoreActiveDirectory: '${!input.adJoin}'
      activeDirectory:
        relativeDN: '${"OU=Servers,OU=Computers,OU=" + input.site + ",OU=ExampleOU"}'
      customizationSpec: '${input.adJoin ? "vra-win-domain" : "vra-win-workgroup"}'
      [...]