How To Configure HA LDAP Server with the vRO Active Directory Plug-in Using F5 BIG-IP (SKKB1025)

In this post we will demonstrate how to configure a highly available (HA) LDAP server for use with the VMware vRealize Orchestrator Server (vRO) Active Directory Plug-in. We will accomplish this task using F5 BIG-IP. The same approach can also be used to achieve LDAP load balancing (LB), not only HA.


Lab Environment

The logical design of this lab can be seen HERE.



The [Configure Active Directory Server] workflow, part of the vRO Active Directory Plug-in, allows you to configure a single Active Directory (AD) host via IP or URL.

Q: What if we want to connect to multiple AD domain controller (DC) servers to achieve high availability?
A: One of the ways is to create additional DNS records for those servers with the same name and use that name when running the workflow to add the AD server. DNS will return, based on round robin, any of the given AD servers.
Q: Will this prevent me from hitting a DC server which is down or unreachable?
A: No. No health checks will be performed to determine if a server is down.
Q: How can I implement a health checking mechanism to determine if a given AD DC server is down, so that it is not returned to vRO?
A: By using an F5 BIG-IP Virtual Server configured for LDAP requests.
Q: How can I configure that in F5?
A: See the next section.



We can configure an F5 BIG-IP device to listen for and satisfy LDAP requests the same way we configured it for vIDM in an earlier post.

To learn more about how to configure an F5 BIG-IP Virtual Server to listen for and satisfy LDAP requests, visit How to set vIDM (SSO) LDAP Site-Affinity for vRA and read the Method 2: Using F5 BIG-IP chapter.

In this case we will use the same F5 BIG-IP Virtual Server (VS) which we created for the vIDM server.
Login to vRO and navigate to the Workflows tab.

Navigate to Library > Microsoft > Active Directory > Configuration and start the [Configure Active Directory Server] workflow.
In the Active Directory Host IP/URL field provide the FQDN of the VS you created.
Fill in the rest of the input parameters as per your AD requirements.
Click Submit.

Go to the inventory tab. You should see the LDAP server added. You should be able to expand and explore the inventory objects coming from that plug-in.

Now in my case I have 2 LDAP servers lying behind the VS.

I will shut down the first one and see if vRO continues to work as expected.

Right-click the LDAP server and select Reload.

Expand again and explore the LDAP server inventory. It should work as there is still 1 LDAP server that can satisfy requests.
Now let’s check what happens if we simulate failure of all LDAP servers.

Right-click the LDAP server and select Reload.
You should see an error as there are no more LDAP servers available to satisfy queries.
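
To confirm from outside vRO which domain controllers are actually answering during the failover tests above, the following is an added example (not part of the original post, and not the F5 monitor itself) of the kind of application-level health check that round-robin DNS lacks. It assumes the DCs accept an anonymous LDAP bind on port 389; the host names are constructed placeholders.

```python
import socket

# LDAPv3 anonymous simple BindRequest, messageID 1 (BER, RFC 4511).
BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")

def read_tlv(buf, pos):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length, which some directory servers emit
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def bind_succeeded(reply):
    """True if reply is an LDAP BindResponse with resultCode 0 (success)."""
    try:
        tag, msg, _ = read_tlv(reply, 0)      # LDAPMessage SEQUENCE
        if tag != 0x30:
            return False
        _, _, pos = read_tlv(msg, 0)          # messageID
        tag, op, _ = read_tlv(msg, pos)       # protocolOp
        if tag != 0x61:                       # [APPLICATION 1] BindResponse
            return False
        tag, code, _ = read_tlv(op, 0)        # resultCode ENUMERATED
        return tag == 0x0A and code == b"\x00"
    except IndexError:                        # truncated or empty reply
        return False

def ldap_probe(host, port=389, timeout=2.0):
    """Application-level check: connect, bind anonymously, verify the answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(BIND_REQUEST)
            return bind_succeeded(s.recv(128))
    except OSError:                           # refused, unreachable, timed out
        return False

def healthy_members(members, probe=ldap_probe):
    """Keep only the (host, port) members that pass the probe."""
    return [m for m in members if probe(*m)]

if __name__ == "__main__":
    # Constructed placeholder names; replace with your own domain controllers.
    pool = [("dc1.example.local", 389), ("dc2.example.local", 389)]
    print(healthy_members(pool))
```

A plain TCP connect would also pass for a listener whose directory service is hung, which is why the probe inspects the BindResponse rather than stopping at the handshake.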

Additional Resources

My dear friend Oliver Leech wrote a blog post on a similar/related topic. Make sure to check it at
vRealize Orchestrator – connecting to more than one domain using the Active Directory plugin


Final Step

If all went well, go grab a beer.
