Building an advanced lab using VMware vRealize Automation – Part 10: Configure tenants

20150630 - vRAIn part 9 we installed and configured the IaaS platform for our lab.

In this part we discuss tenants.  We configure the default tenant, and explain why you might need more than one.

Other posts in this series

  1. Intro
  2. Physical infrastructure – storage
  3. Physical infrastructure – networking
  4. Physical infrastructure – compute
  5. Authentication services
  6. Deploy and configure the vCenter Server Appliance
  7. Configure vCenter Server Appliance SSL certificates
  8. Deploy and configure the vRA Appliance
  9. Deploy and configure the IaaS platform
  10. Configure tenants
  11. Configure endpoint & fabric/business groups
  12. Configure blueprints (coming soon)
  13. Configure entitlements (coming soon)
  14. Configure policies (coming soon)
  15. Integration with vCloud Air (coming soon)
  16. Tidy up (coming soon)

Default Tenant

Every vRealize Automation installation comes with a default tenant.  A tenant is an organization unit inside vRealize Automation, and can either represent a business function in the enterprise, or an organization in a service provider environment.

Each tenant has it’s own configuration, although does inherit system-wide configuration settings too.  vRA supports both single and multiple tenant deployments.

During the installation of vRA a default tenant was created during the Single Sign-On (SSO) configuration stage.  During this stage a system administrator is configured (Administrator@vsphere.local), and is used to create and configure other tentants if necessary, as well as system-wide settings.

The default tenant is the only tenant that supports the use of native Active Directory authentication.  All other tenants must use Active Directory over LDAP or OpenLDAP authentication.

In our deployment, we will be using the default tenant.  Business functions making use of vRA will be classified into Business Groups, which we will cover at a later date.


On the lab domain controller, create a service account:

dsadd user cn=sa_vra,cn=users,dc=lab,dc=mdb-lab,dc=com -disabled no -pwd * -acctexpires never

Create two groups for the Tenant and IaaS Administrators and add the service account to both (substitute accordingly):

for %i in ("Tenant Admins","IaaS Admins") do dsadd group cn=%i,cn=users,dc=lab,dc=mdb-lab,dc=com -scope l yes -members

On your mail server, create a mailbox for the above service account.  In the lab, we use Microsoft Exchange hosted in a separate domain with linked mailboxes (again, substitute accordingly):

# variables

$db = "DB1"
$name = "vRealize Automation"
$linkedDc = ""
$linkedAccount = "LAB\sa_vra"
$ou = "Linked Mailboxes"
$upn = ""
$credential = (Get-Credential LAB\Administrator)

New-Mailbox -Database $db -Name $name -LinkedDomainController $linkedDc -LinkedMasterAccount $linkedAccount -OrganizationalUnit $ou -UserPrincipalName $upn -LinkedCredential $credential

Using a web browser, navigate to the vRA configuration page at (substitute accordingly) and login using Administrator@vsphere.local:

20150803 - 1

Click vsphere.local

20150803 - 2

Click the Administrators tab:

20150803 - 3
In the Tenant administrators search box, type Tenant Admins and press return:

20150803 - 4

Click the group that appears to add it.  In the Infrastructure administrators search box, type IaaS Admins and press return.

20150803 - 5

Select the group and click to add it.  Click Update.  Click the Email Servers tab:

20150803 - 6

Click Add, and then click Email – Inbound:

20150803 - 7

Add the details of your mail server (substitute accordingly):

20150803 - 8

Click Test Connection to verify your configuration works, and then click Add.

Click Add, and then click Email – Outbound.  Add the details of your mail server (substitute accordingly):

20150803 - 9

Click Add.

Click the Branding tab:

20150803 - 10

Uncheck Use default, and modify to suit your needs.

The default tenant is now configured.

Coming up

In this part we configured the default tenant for our vRealize Automation deployment.

In part 11 we configure an endpoint for our lab, along with fabric and business groups.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.