In the final part of a three-part series, Chris Wolf outlines how to customize the Active Directory schema with...
computer object attributes to help identify virtual machines. Customizing Active Directory attributes means you can better identify and manage virtual machines to suit your infrastructure.
In the first two articles in the series, I described a method of tracking virtual machine properties to identify physical and virtual computers, and of detecting the virtual machine location by using the computer object's Description attribute in Active Directory. In this article, I take the Active Directory schema a step further and look at customizing Active Directory to support new virtualization attributes.
In this article, I outline the steps necessary for adding two custom Active Directory attributes: isVirtual and vmType. The isVirtual attribute is a Boolean value that identifies a computer as either virtual or physical. When isVirtual is set to "true," the computer object is identified as a virtual machine. If you would like additional granularity when identifying virtualized computers, then you can also add the vmType Active Directory attribute. vmType is a string value that identifies a VM's virtualization platform, using the same naming convention that was described in part one of this series on identifying VMs through the virtual machine properties.
Please note that the procedures for customizing Active Directory attributes in this article require Active Directory schema modifications, which are irreversible. If this is a concern, then you should evaluate the solution described in the first two parts of this article series before you try customizing Active Directory attributes.
Keep in mind that all steps toward customizing Active Directory attributes should first be evaluated in a test environment before being applied to a production domain.
Before you start customizing Active Directory attributes, you will need to secure an object identifier (OID) for your organization if you do not have one already. If your organization does not have an OID, you can request one at the MSDN Active Directory Naming Registration site. Also, while left out of this article for the sake of being generic, a best practice is to use your organization's assigned Active Directory schema prefix in the common name and LDAP display name.
For example, my Active Directory schema prefix is cwolf. So instead of using the common name "isVirtual," a best practice is to use the name "cwolf-isVirtual." For more information on Active Directory schema naming rules, see the Application Specification for Microsoft Windows Server 2003. Note that if you want to test these procedures in a lab environment, then you can use the values that reference my OID in this article's examples.
To create the new isVirtual and vmType attributes, you will need to register the Active Directory Schema MMC snap-in. To register the snap-in, log in to a domain controller and run the command regsvr32 schmmgmt.dll. Note that only users that are members of the Schema Admins group will be able to make changes to the Active Directory schema.
Next, you will need to run the mmc command to open an empty MMC shell and add the Active Directory Schema snap-in to the shell. To create the custom Active Directory attributes, follow these steps:
1. In the Active Directory Schema MMC, right-click on the Attributes container and select Create Attribute.
2. You should now see the Schema Object Creation warning dialog box. Click Continue. Keep in mind that the attribute addition will result in a permanent change to the Active Directory schema.
3. As shown in Figure 1, enter the following values:
   - Common Name: isVirtual
   - LDAP Display Name: isVirtual
   - Unique X500 Object ID: Prefix value associated with organization's OID, followed by a unique attribute identifier. For example, 1.2.840.113556.1.8000.2522.2.1.
   - Description: Identifies a computer as virtual
4. Once the required values are entered in the Create New Attribute dialog box, click OK to create the attribute.
5. Next, you will need to create the vmType attribute. To do this, right-click on the Attributes container and select Create Attribute.
6. In the Schema Object Creation warning dialog box, click Continue.
7. In the Create New Attribute dialog box (see Figure 2), enter the following values:
   - Common Name: vmType
   - LDAP Display Name: vmType
   - Unique X500 Object ID: Prefix value associated with organization's OID, followed by a unique attribute identifier. For example, 1.2.840.113556.1.8000.2522.2.2.
   - Description: Identifies the VM's virtualization platform
   - Syntax: Case-insensitive string
8. To view the new Active Directory attributes, you will need to refresh the Active Directory schema. To do this, right-click on the Active Directory Schema object and select Reload the Schema.
9. Next, click on the Attributes container and then locate the isVirtual attribute. When you find the isVirtual attribute, right-click on it and select Properties.
10. In the isVirtual Properties dialog box, check the "Index this Attribute in the Active Directory" checkbox and click OK. Note that the Attribute is Active box should also be checked.
11. Repeat steps 9-10 for the vmType attribute.
12. Now that the Active Directory attributes are created, they must be associated with the computer class. To do this, expand the Classes container and locate the "computer" class. Then right-click on the "computer" class and select Properties.
13. In the "computer Properties" dialog box, click the Attributes tab and then click the Add button.
14. In the Select Schema Object dialog box, scroll down and click on the isVirtual attribute and then click OK.
15. Under the Attributes tab of the "computer Properties" dialog box, click the Add button again.
16. Now click the vmType attribute and click OK.
17. You should now see that the isVirtual and vmType attributes are listed as optional attributes in the "computer Properties" dialog box. Click OK to save the changes.
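The same schema change the MMC steps make, scripted with the ActiveDirectory PowerShell module. This is an added example, not code from the article; it assumes you run it as a Schema Admin on the schema master in a test forest, and it uses the article's example OIDs (replace them with your own OID and schema prefix).

```powershell
# Added example (not from the article): the Schema MMC steps as a script.
# Assumes the ActiveDirectory module, a Schema Admins logon on the schema master,
# and the article's example OIDs (swap in your own OID prefix and schema prefix).
Import-Module ActiveDirectory

$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$computerClass = "CN=Computer,$schemaNC"        # the computer class schema object
$rootDse       = [ADSI]'LDAP://RootDSE'         # ADSI handle for schemaUpdateNow

# attributeSyntax/oMSyntax pairs: 2.5.5.8/1 is Boolean, 2.5.5.4/20 is a
# case-insensitive string. searchFlags 1 is "Index this attribute" in the MMC.
$newAttributes = @(
    @{ Name = 'isVirtual'; OID = '1.2.840.113556.1.8000.2522.2.1'
       Syntax = '2.5.5.8'; OmSyntax = 1;  Description = 'Identifies a computer as virtual' }
    @{ Name = 'vmType';    OID = '1.2.840.113556.1.8000.2522.2.2'
       Syntax = '2.5.5.4'; OmSyntax = 20; Description = "Identifies the VM's virtualization platform" }
)

foreach ($a in $newAttributes) {
    # Schema additions cannot be undone, so never create a duplicate on a re-run.
    if (Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$($a.Name))") {
        Write-Warning "$($a.Name) already exists in the schema; skipping"
        continue
    }
    New-ADObject -Name $a.Name -Type attributeSchema -Path $schemaNC -OtherAttributes @{
        lDAPDisplayName  = $a.Name
        attributeID      = $a.OID           # "Unique X500 Object ID" in the dialog
        attributeSyntax  = $a.Syntax
        oMSyntax         = $a.OmSyntax
        isSingleValued   = $true
        searchFlags      = 1                # index the attribute for fast queries
        adminDescription = $a.Description   # "Description" in the dialog
    }
}

# "Reload the Schema": refresh the schema cache before the class can reference them.
$rootDse.Put('schemaUpdateNow', 1); $rootDse.SetInfo()

# Attach both as optional (mayContain) attributes of the computer class, then reload again.
Set-ADObject -Identity $computerClass -Add @{ mayContain = 'isVirtual', 'vmType' }
$rootDse.Put('schemaUpdateNow', 1); $rootDse.SetInfo()

# Verify: both names now appear in the computer class's optional attribute list.
(Get-ADObject -Identity $computerClass -Properties mayContain).mayContain |
    Where-Object { $_ -in 'isVirtual', 'vmType' }
```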
Figure 1: Creating the isVirtual attribute
Figure 2: Creating the vmType attribute
Remember that by customizing Active Directory attributes, you will modify the Active Directory schema. Changes made to the Active Directory schema will affect the entire forest, so be sure to have proper sign-off on these changes before attempting to customize Active Directory attributes.
Now that the Active Directory attributes are added to the schema, it's time to configure them. You can set the isVirtual attribute on a computer using the setvirtual.vbs vbscript:
    ' setvirtual.vbs: mark one computer object as a virtual machine
    strComputerDN = "CN=reyes,CN=Computers,DC=virtual,DC=net"
    Set objComputer = GetObject("LDAP://" & strComputerDN)
    ' isVirtual is a Boolean attribute, so a VBScript True is stored directly
    objComputer.Put "isVirtual", True
    objComputer.SetInfo   ' commit the change to Active Directory
Note that you will need to edit the strComputerDN variable to equal the distinguished name of the computer you wish to edit. The following queryvirtual.vbs script can be used to query the isVirtual attribute status of a computer:
    ' queryvirtual.vbs: read the isVirtual attribute of one computer object
    strComputerDN = "CN=reyes,CN=Computers,DC=virtual,DC=net"
    Set objComputer = GetObject("LDAP://" & strComputerDN)
    ' Get raises an error if the attribute has never been set on this object
    isVirtual = objComputer.Get("isVirtual")
    WScript.Echo strComputerDN & " isVirtual = " & isVirtual
If you need to set the isVirtual and vmType attributes for numerous computers, the setvirtualattributes.vbs script available from my site should help.
Note that in the script you will need to modify the following variables:
blnIsVirtual should always be set to true when using the script to identify computer objects as virtual machines.
strVMtype identifies the virtual machine type code to assign to each computer's vmType attribute. For example, for ESX VMs, you can set strVMtype to "Vesx."
strDomainTarget must be set to the distinguished name of the container in which the target computers reside. For example, if the computers objects reside in the Computers container of the TechTarget.com domain, the strDomainTarget variable would have to be set to "cn=computers,dc=techtarget,dc=com". If the computers were in the Development OU in the TechTarget.com domain, the strDomainTarget variable would have to be set to "ou=development,dc=techtarget,dc=com". Note that the script is limited to work with one Active Directory container at a time, so if you need to modify computer objects in multiple containers, you will need to run the script once for each Active Directory target container.
strSourceFile identifies the text file that contains a list of computer names to modify. Each line of the file should list a computer's host name. Here is a sample file: computers.txt.
Finally, to locate all of the virtual machines in a particular domain, you could run the QueryVirtualAttributes.vbs script, which you can download in text format from my site. To use the script in your environment, there are three variables that you will need to edit:
strVMtype identifies the VM platform type that you would like to query. For example, setting strVMtype to "Vxen" would output a list of all Xen VMs. Using "V" as the vmType variable would output a list of all computers whose isVirtual attribute is set to "true," along with the value of their vmType attribute.
strDomainTarget is used to specify the distinguished name of the domain that you wish to query, and should be set to match your domain name. So if you managed the searchservervirtualization.com domain, strDomainTarget would need to be set to "dc=searchservervirtualization,dc=com." Note that you could also limit the scope of the connection to a single OU by adding to the distinguished name. For example, to connect to the "Web" OU in the TechTarget.net domain, strDomainTarget would need to be set to "ou=web,dc=techtarget,dc=net."
The last variable that may require modification is strLogFile. strLogFile identifies the location of where the script's output log file will be stored. By default, it is set to save to the root directory of the C drive. Here is a sample of what the resultant log file will display:
    The following computers have the Vesx vmType attribute
    Name     VM Type
    ====     =======
    Reyes    Vesx
    Maine    Vesx
    Wagner   Vesx
    WS86     Vesx
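Both downloadable scripts described above (setvirtualattributes.vbs and QueryVirtualAttributes.vbs) reimplemented in PowerShell as an added example; this is not the author's code. The variable names mirror the ones the article lists, the domain, file paths and sample values are constructed, and the handling of the "V" wildcard follows the article's description.

```powershell
# Added example (not the author's scripts): bulk-set and query the custom attributes.
# Assumes the ActiveDirectory module and that the schema changes above are in place.
Import-Module ActiveDirectory

# Constructed sample values standing in for the scripts' variables; edit for your domain.
$strDomainTarget = 'cn=computers,dc=techtarget,dc=com'   # container holding the targets
$strSourceFile   = 'C:\computers.txt'                     # one host name per line
$strVMtype       = 'Vesx'
$strLogFile      = 'C:\vmquery.log'

# Stamp isVirtual=true and vmType on each computer listed in the source file.
# Like the article's script, it works on one container per run.
function Set-VirtualAttributes {
    param([string]$Container, [string]$SourceFile, [string]$VmType)
    foreach ($name in Get-Content $SourceFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }) {
        $computer = Get-ADComputer -SearchBase $Container -SearchScope OneLevel -LDAPFilter "(cn=$name)"
        if (-not $computer) { Write-Warning "$name not found in $Container"; continue }
        # -Replace writes the values whether or not they were set before.
        Set-ADComputer -Identity $computer -Replace @{ isVirtual = $true; vmType = $VmType }
    }
}

# List VMs of one platform type, or every VM when VmType is the "V" wildcard.
function Get-VirtualComputers {
    param([string]$Domain, [string]$VmType, [string]$LogFile)
    # isVirtual=TRUE is the LDAP form of the Boolean; the vmType clause is optional.
    $typeFilter = if ($VmType -eq 'V') { '' } else { "(vmType=$VmType)" }
    $results = Get-ADComputer -SearchBase $Domain -SearchScope Subtree `
                   -LDAPFilter "(&(isVirtual=TRUE)$typeFilter)" -Properties vmType |
               Select-Object Name, vmType
    "The following computers have the $VmType vmType attribute" | Set-Content $LogFile
    $results | Format-Table Name, @{ n = 'VM Type'; e = { $_.vmType } } -AutoSize |
        Out-String | Add-Content $LogFile
    return $results
}

Set-VirtualAttributes -Container $strDomainTarget -SourceFile $strSourceFile -VmType $strVMtype
Get-VirtualComputers  -Domain 'dc=techtarget,dc=com' -VmType $strVMtype -LogFile $strLogFile
```

The query benefits from the index set on both attributes during schema creation; without it the filter forces a full scan of the domain's computer objects.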
As with the methodology shown in parts one and two of this article series, it will be important to assign values to the isVirtual and vmType custom AD attributes each time a new computer object is created.
Integrating virtualization management with Active Directory will allow you to have greater control over the auditing and management of VMs across your enterprise. Hopefully, one of the solutions described in this article series will provide the level of Active Directory integration and management that you have been looking for. If not, please let me know what else is needed to simplify the management of your virtual environments.
About the author
Chris Wolf is a Microsoft MVP for Windows Server – File System/Storage and is an MCSE, MCT, and CCNA. He's a Senior Analyst for Burton Group who specializes in the areas of virtualization solutions, high availability, enterprise storage, and network infrastructure management.