VCAP-CMA Deploy – Objective 6.1

Disclaimer: These are my notes from studying for the 3V0-31.18 exam. If something doesn’t make sense, please feel free to reach out.

The main goal for the whole of section 6 is to understand the tenant administration required.

Objective 6.1 – Manage Authentication Configuration to meet Business Requirements


There is plenty that can be said about authentication within vRA, but for the exam I think this will focus around adding & configuring an LDAP source for users & groups, probably Active Directory.

Key point to remember if you want to configure your tenant to use Active Directory, the default tenant will need to be configured first. I don’t know why this is, I should check it out.

There are three modes you can configure your vRA instance to communicate with Active Directory.

  • Active Directory over LDAP
  • Active Directory (Integrated Windows Authentication)
  • OpenLDAP

The difference between these is reasonably obvious. As for a use case – The AD (IWA) option should be used with multi-domain & multi-forest environments.

Let’s assume that’s done and we’ve got a newly created tenant. The requirements are that authentication should be done from Active Directory and that you should use integrated windows authentication.

Browse to Administration, Directories…


Select Active directory IWA and fill out the page that follows. All fairly straightforward. After you’ve clicked Save & Next you’ll be asked to select the domains you want to use. In my lab that’s just the one, but if you’ve child domains, trust relationships etc. there will be multiple here (assuming you’ve got access to them with the bind account you’ve specified).

Once you get this far, you’ll e asked for the Distinguished Name of an OU where the groups (and then the users) are located ready for synchronisation. I typically don’t bother with the users as they’re synchronised if they’re a member of the group.

Once all the details are configured, you’ll get a review page which displays the number of groups & users that will be synchronised.

VCAP-CMA Deploy – Objective 4.2/4.3

Disclaimer: These are my notes from studying for the 3V0-31.18 exam. If something doesn’t make sense, please feel free to reach out.

The main goal for the whole of section 4 is to know where to start with troubleshooting various aspects of vRealize Automation.

Objective 4.2 – Troubleshoot Tenant Operations


What kind of issues might you run into with respect to tenant operations?

  • Users without access to the correct role
  • Approval policies not firing
  • Creating new tenants

Following my blog post from the VCP-CMA, I’d want to be very familiar with what access a single role grants. What does an IaaS administrator get different to a tenant administrator etc.

To check on an approval policy, first I’d double check it was linked to the correct item within the entitlement.


Then I’d just sanity check any conditions you’ve attached to the policy. I often see the less than/greater than the wrong way round.

When creating new tenants there are a number of items that will need to be created for it to be useful:

  • New directory connector to AD
  • New business groups
  • New reservations
  • Roles will need (re)allocating

Exactly the same as creating them for the first tenant.

Objective 4.3 – Troubleshoot Provisioning Issues

In addition to the references at the top of the post, I want to point out this awesome post over at on troubleshooting provisioning –

Well worth a read if you want in depth detail on where to look for any issues with provisioning.

Before you get to that level of trawling logs, it’s worth checking on the reservations (as mentioned in the previous post):

  • Does the reservation have enough free capacity to accommodate the request?
  • Does the reservation have access to the capabilities required by the blueprint?

It’s also always worth checking the endpoint is configured correctly and that data collection is occurring.

That covers the IaaS requests, but what if an XaaS request is failing?

  • Is vRO running?
  • Did the workflow start?
  • Is there any logs on the failed workflow?

Check within vRO, under the task to see the instances that have run, check the date. The icon next to the runtime will tell you if it’s been successful or otherwise. If you select the run itself, you can then browse the logs to find out what’s happening during execution.


I’d expect you to need to be able to read enough Javascript to understand what the workflow is doing. Nothing more than a basic understanding.


VCAP-CMA Deploy – Objective 4.1

Disclaimer: These are my notes from studying for the 3V0-31.18 exam. If something doesn’t make sense, please feel free to reach out.

The main goal for the whole of section 4 is to know where to start with troubleshooting various aspects of vRealize Automation.

Objective 4.1 – Troubleshoot Infrastructure Issues


I’m going to break this down into user troubleshooting (think permissions, blueprints, business group etc.) & compute troubleshooting (Endpoints, SQL, IaaS etc.). For both of these sections you’ll need to know where to find what the issue is and how to interpret that information. I suspect this will be fixing stuff that was working and now isn’t, rather than a failed deployment. Although it could be either.

Infrastructure – Compute

For infrastructure issues think along these lines:

  • Endpoints
  • DEM Orchestrator
  • DEM Agent
  • SQL

When checking for issues, the first place I go to is the Log within the vRA console – Infrastructure, Monitoring, Log. This is the place where you would see if vRA can’t connect to the endpoint, and likely why. The error below is because the vCenter endpoint was offline.


While you’re in the monitoring section, the other useful tab is DEM Status. The error below shows that I’ve stopped the DEM service on the IaaS server.


This can be verified from the vRA appliance VAMI on the Services tab. This is a good place to check for any services that aren’t responding.


While we’re in this console, it’s worth having a look on the Cluster tab. This will show you if any servers in the vRA installation haven’t contacted vRA in a while. Also on the cluster tab you can generate & download the support bundle.

Once these have all been checked, the remaining place is the IaaS node. Login and check the Windows services & IIS AppPools have started. If everything is running, check Event Viewer, this tends to be where I find if the SQL database is available or not. Or if there is generally anything wrong with the Windows box. It’s also worth running through the list of pre-requisites (the automated check when installing). These could have changed through the application of a GPO or even manually.


For user type issues think along these lines:

  • User role
  • Entitlements
  • Reservations
  • Blueprints

If the user needs to perform either an administrative function or a design function but isn’t able to, this is often down to the role of the user. Do they have the relevant tab available? The tabs each role should have available is detailed on my blog post from the VCP7-CMA, linked at the top.

If the user is attempting to provision an item but it isn’t available in the catalogue you might want to think of these:

  • Are they a member of the correct business group?
  • Is the blueprint published?
  • Is the blueprint part of a service?
  • Is the service and/or blueprint entitled correctly?

If a user is a member of multiple business groups, the business group the catalogue item is assigned from is shown in the catalogue.


If provisioning is failing, the request will usually give you a reason why. This can quite often be something to do with the reservation. Such as:

  • Reservation capacity
    • Is there any remaining in the allocated quota?
  • Reservation capability
    • Can the reservation support the infrastructure requirements of the blueprint?
      • Quote often network related (for me anyway!)



VCAP-CMA Deploy – Objective 3.2/3.3

Disclaimer: These are my notes from studying for the 3V0-31.18 exam. If something doesn’t make sense, please feel free to reach out.

The main goal for the whole of section 3 is to understand how to build governance into your vRA installation.

Objective 3.2 – Implement a Governance Model that Maps to Given Business Needs


This is very much around approval policies so we need to think about how to define a policy & how to consume said policy.

Define a policy:

  • Policy Type
  • Pre
  • Post
  • Conditional
  • Levels
  • Approvers

Consume a policy:

  • Catalogue item
  • Resource action

Policy Definition

Go to Administration, Approval Policies and hit the New button. You’ll be presented with the policy type box. These are fairly self explanatory but in essence they’re split into two categories – Resource Action & Catalogue Item – with the resource type after. In this case I’m firing up a policy for Catalog Item. Give your policy a name & set the status.

Quick note on status. Active & assigned policies cannot be edited to preserve them for auditing. Recommendation if you need to change a policy is to clone the policy & create a new policy. Again to preserve the integrity of the auditing.

Underneath this you can see two tabs, one to define ‘Pre’ approvals & the other to define ‘post’ approvals. The difference between these is:

  • PRE: Approval is required before the item is provisioned
  • POST: Approval is required before the item is presented back to the user

Once you’ve made the decision on when you need your approval to take place, you’ll need to decide if you want to have all requests approved (which may defeat the purpose of building a cloud platform) or if you wish to have items approved if they meet certain criteria such as cost or resource usage.

I’m configuring a fairly typical policy that will request approval before provisioning if a user is requesting more than xGB memory or if more than x CPUs are requested. When doing multiple conditions these can be configured in an AND/OR scenario. I’m doing an OR, so more than 2047MB memory OR more than/equal to 2 CPUs. (Lab environment values :-))

Your next step is to define the approvers. This can be any of the below:

  • Specific Users/Groups (pretty self explanatory)
  • Determine from request (I tend to use this to get the approval from the business group managers)
  • Use an event subscription (Tend to be when the approval will come in from another workflow, Service Now for example)

In this example I’ve gone for the business group manager, and set to anyone can approve (a single approval is enough for this example).


Next on the System Properties tab you can set the items that can be changed by the approver. So I could put CPU & memory on this to allow the approver to drop them down to under the threshold if they chose. I try to avoid this if possible, most people have a reason they’ve requested x, y & z. A conversation tends to be the best way to resolve these things! 🙂

You can also add custom properties to the approval, I’m not at this stage.

Once you’ve created the approval, you can then add another level. This doesn’t take effect until the first level has been approved. Using our example here, the manager approves of the additional resources usage but this means that finance need to approve the additional spend. For this example we’ll leave it at a single level.

Policy Consumption

To enable the approval policy against specified items, edit the entitlement where you need it to take effect.

An approval policy can only be set against a catalogue item or a resource action, not against a service. When you first add the policy to the item, the drop down will only show you policies that are of the same type, but you can change to show all to see all the policies. Often you find that the blueprints you’ve created are composite blueprints and you want to configure an approval policy against say, a virtual machine.

That’s the way to create and consume an approval policy, now onwards to actually approving!

Objective 3.3 – Configure notifications to allow approvers to respond via email

This is split up into two parts:

  • Configure the mail server (inbound & outbound)
  • Activate/Deactivate notification scenarios

The email side of approvals is needed to remove some of the friction from the approval process. Instead of relying on an approver logging into the vRA portal and actioning the approval, they receive an email from which they can click either an approve link or a reject link. This generates an email to the inbound mailbox, which vRA will process. Below is how to configure, although it won’t work in my lab as I haven’t got access to a mail server (Note to self, configure mail server…)

Configure Mail Server

Go to Administration, Notifications, Email Servers and hit the Add button. vRA will then ask if you want to configure the inbound or outbound mail server. The settings underneath are pretty much what you’d expect. I wouldn’t have the inbound mailbox as an account that users can login to, just to ensure that any approvals don’t go MIA.

Notification Scenarios

Once the mail server is configured, click on Scenarios. You’ll notice that they’re all active by default, you can go through and Suspend the notifications that you don’t want to send out. Suspending certain notifications is just as valid as ensuring they are active.

VCAP-CMA Deploy – Objective 3.1

Disclaimer: These are my notes from studying for the 3V0-31.18 exam. If something doesn’t make sense, please feel free to reach out.

The main goal for the whole of section 3 is to understand how to build governance into your vRA installation.

Objective 3.1 – Manage Multiple Reservations to Meet Business Needs


To reiterate again we need to think about what could be involved end to end so in a scenario where multiple reservations are the answer, what else could be involved?

  • Business Groups
    • Members – Support, Manager, Users
    • Infrastructure – Machine prefixes, AD Config
  • Reservations
    • Business Group
    • Reservation Policy
    • Resources
    • Network
    • Priority

Let’s start with creating a new machine prefix, I like to set each business group up with a default prefix.

Go to Infrastructure, Administration, Machine Prefixes & hit the New button. Fill in the details and remember to click the green tick.

You may also want to consider using an Active Directory Policy. This defines where machine accounts are created when a IaaS machine are deployed. Go to Administration, Active Directory Policies & hit the New button. Fill in the details and hit ok. Once created this can be allocated to a business group.

Then create the business group, Goto Administration, Users & Groups, Business Groups. Fill in the details on each page and hit Finish.

Quick reminder of the business group roles:

Role Name Permissions
Business Group Manager
  • Add/Delete users to the group
  • Assign user roles for the group
  • Create/manage entitlements for group
  • Request/manage items on behalf of other group users
  • Monitor resource usage for group
  • Change machine owner
Business Group Support User
  • Request/manage items on behalf of other group users
  • Change machine owner
Shared Access Role
  • Use/Run actions on resources provisioned by another user
Business User
  • Request catalogue items
  • Manage their own resources

Next up we’re creating the reservation policy, this is basically a tag that can be used to link a blueprint & a particular reservation. Often used if a blueprint has specific hardware requirements or if a tiering strategy is implemented. Go to Infrastructure, Reservations, Reservation Policies & hit the New button. Fill in the details and click OK.

Now all the foundations are in, let’s create the reservation itself. Go to Infrastructure, Reservations, Reservations and hit the New button. You’ll get some options as to what type of reservation you want to create, choose the most appropriate, here we’re going for vSphere.

If you already have a reservation created, you’ll get a drop down at the top to copy the settings across so you can just make the necessary changes. Complete the pages as you would normally for creating a reservation.

If you’ve got multiple reservations assigned to the same business group vRA will use the below list to select which to use first.

  • Does the reservation satisfy the requirements of the blueprint?
    • Hardware
    • Quota remaing
    • Location
    • Platform
    • etc.
  • Lowest priority first
  • If have multiple with same priority – reservation with lowest percentage of quota allocated
  • If multiple reservations have same priority and same quote usage – distributed between reservations using round-robin





VCAP-CMA Deploy – Objective 2.3

Disclaimer: These are my notes from studying for the 3V0-31.18 exam. If something doesn’t make sense, please feel free to reach out.

The main goal for the whole of section 2 is to understand how to configure vRA to be able to consume resources.

Objective 2.3 -Configure vRealize Automation to consume NSX resources


First thing you’re going to need to do if you want to setup NSX within vRA is confirm that NSX is healthy. Now we won’t be going into depth as this is a vRA exam, but you’ll need to check the basics. For me this is just the dashboard.


Once this is confirmed, next step is to add the NSX endpoint (assuming the vCenter endpoint is already added). Within the endpoint section, add a Networking & Security endpoint, fill in NSX details:


Then you’ll need to associate the NSX endpoint with the vCenter endpoint. You can do this from either the vCenter endpoint or the NSX endpoint. vRA will populate the reverse fixture. However, when removing the association, you’ll need to remove it on both ends.


Once all this is complete, it’s worth checking the data collection to make sure that everything was successful.

vRA allows you to perform a number of different functions with NSX built in. However if you want to do anything out side of these function you’ll need to configure NSX as an endpoint within vRO. Easily enough to achieve this, simply run the Create NSX Endpoint workflow.


Once run, verify in the inventory.



VCAP-CMA Deploy – Objective 2.2

Disclaimer: These are my notes from studying for the 3V0-31.18 exam. If something doesn’t make sense, please feel free to reach out.

The main goal for the whole of section 2 is to understand how to configure vRA to be able to consume resources.

Objective 2.2 – Create and Manage Storage Profiles


This would seem to cover off two key parts of a storage profile.

  • Where to configure storage reservation policy
  • How to consume those policies

Where to configure storage reservation policy

Infrastructure, Reservations, Reservation Policies. Hit the new button, you can change the type of reservation policy under the ‘Type’ drop down.


Once you’ve created the policy, you can allocate it to a datastore. This means that any disk that is created using that policy, will be created on that datastore.

To assign this, go to Infrastructure, Compute Resources, Edit your resource. Once on this edit page, go to the Configuration tab and edit the datastore you want to assign the policy to.


How to consume those policies

Browse to the blueprint you want to enforce the storage reservation policy on. Under the Storage tab on the Virtual Machine object, you can select the policy.


Hey presto! Not a great deal to this one really, but need to remember that this knowledge is likely to be part of a wider task you’re being asked to do.