VMware Cloud Community
thinks2much2
Contributor

Unable to Add Permissions for Active Directory users - error accessing directory

Hi all,

Running vCenter, logged in as an Active Directory user with Administrator privileges to the server, I am unable to Add Permissions for domain accounts, and just get errors:

Right click on Datacenter > Add Permission > Select Read-only > Add users and groups > Select Domain > (list is NOT populated with users)

In Users box enter my AD user account > Click Check Names > "The following names were not found: xxx"

Enter AD user account in Search box > Click Search > "A general system error occurred: error accessing directory"

The only KB articles or threads I can find relate to changing the Active Directory timeout. I've done this but it didn't help.

http://communities.vmware.com/thread/14150

http://kb.vmware.com/kb/1010094

Any ideas why I can't delegate permissions? I don't believe we have any Group Policies that are restricting access, but I'm not sure which log files I should be looking in to find the real problem.

Thanks,

Kevin

Windows Server 2003 R2 Standard Edition, vSphere Client 4.0.0 build 162856, vCenter Server 4.0.0 build 162856, ESXi 4.0.0 build 181792


Accepted Solutions
thinks2much
Enthusiast

The problem I had was related to which service the vCenter services were running as. Presumably during installation (for some reason that escapes me now) I had configured the VMware VirtualCenter Server and VMware VirtualCenter Management Webservices to be running as the local Administrator account. Changing these so they ran as Local System fixed the problem, and I was then able to list domain users and assign them permissions.

Kevin

11 Replies
dtracey
Expert

Hi Kevin,

Is your vCenter server physical or virtual? Have you got any errors in the windows event logs either on the vC or the DC? Can you connect to the NETLOGON share of a DC from the VC server? I think it's more likely going to be an AD problem than a VMware one.

Cheers,

Dan

thinks2much2
Contributor

Hi Dan,

The vCenter server is physical. I don't see any errors in the Windows event logs; unfortunately, due to the delegation of roles in our organisation I can't check the DC for errors, but I'm not seeing errors in any other Active Directory functions. And yes, I can get to the NETLOGON share of the site DC.

Kevin

dtracey
Expert

Hi Kevin,

If you are not even seeing the list of domain users in the 'Select Users' screen then it could be permissions. The account you are logged in as - is this a member of domain admins? I'm assuming not, as then you would be able to see the DC event logs!

Can you add AD users to a local group on that server? e.g. Backup Operators or whatever?

Dan

bulletprooffool
Champion

If no users are being listed then I am guessing one of two things:

either you do not have access to ports 389 or 636 on your AD servers (test this by going: telnet <server.domain.local> 389) (also try for 636),

or alternatively, the account logged onto the VC is not an AD user and has no access rights to your AD?

One day I will virtualise myself . . .
thinks2much2
Contributor

I'm not a domain admin, but my admin account does have admin permissions on the server, and with that logged in user I can add other AD users to the local admin group, so at least from the Windows side of things, I don't see any permission problems - I can browse the directory properly, and now have a number of AD users in the local Admin group.

k.

thinks2much2
Contributor

That's not the problem, I can connect to the LDAP ports on the DC without problem, and as I mentioned before I'm logged in with my Active Directory user.

k.

mohitkshirsagar
Contributor

Hi

I am trying to enable Active Directory for vSphere but I get the error which I guess you all are talking about here. I checked the ports 389 and 636 using telnet. I just see a blank screen. Does that mean I connected successfully to the AD? I tried connecting from the vCenter to AD and vice versa. I still can't enable Active Directory for vCenter. By the way, I used my Active Directory login to manage vCenter.

Please advise.

Mohit

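As an added example (not code from the thread or from VMware), a PowerShell script for the vCenter Windows host that covers the two checks raised above: bulletprooffool's LDAP port test (389/636) and the accepted solution's point about which account the vCenter services log on as. It assumes the services are the ones whose display names start with "VMware VirtualCenter" and that the domain controller hostname is supplied as a parameter (the default is a placeholder).

```powershell
# Added example, not from the thread. Run in PowerShell on the vCenter host.
# Check 1: can the host reach the DC's LDAP (389) and LDAPS (636) ports?
# Check 2: which account do the VMware VirtualCenter services log on as?
# A service running as a LOCAL user (.\Administrator or COMPUTER\user) carries
# no domain identity, so vCenter cannot enumerate domain users or groups.
param([string]$DomainController = 'dc01.example.local')  # placeholder hostname

function Test-TcpPort {
    param([string]$Server, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($Server, $Port); return $client.Connected }
    catch   { return $false }
    finally { $client.Close() }
}

function Get-ServiceLogonStatus {
    param([string]$DisplayNamePrefix = 'VMware VirtualCenter')
    # Built-in identities that authenticate to the domain as the computer account
    $builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
    # ".\user" or "THISHOST\user" is a local SAM account, not a domain one
    $localPattern = '^(\.|' + [regex]::Escape($env:COMPUTERNAME) + ')\\'
    Get-WmiObject -Class Win32_Service -Filter "DisplayName LIKE '$DisplayNamePrefix%'" |
        ForEach-Object {
            $account = $_.StartName
            if     ($builtIn -contains $account)      { $verdict = 'OK (built-in identity)' }
            elseif ($account -match $localPattern)    { $verdict = 'PROBLEM: local account, no domain identity' }
            elseif ($account -match '\\|@')           { $verdict = 'OK (domain account)' }
            else                                      { $verdict = 'CHECK manually' }
            New-Object PSObject -Property @{ Service = $_.DisplayName; LogonAs = $account; Verdict = $verdict }
        }
}

'LDAP  389 reachable: ' + (Test-TcpPort $DomainController 389)
'LDAPS 636 reachable: ' + (Test-TcpPort $DomainController 636)
Get-ServiceLogonStatus | Format-Table Service, LogonAs, Verdict -AutoSize
```

A "PROBLEM" verdict matches the situation Kevin describes; switching the service to Local System (as he did) or to a domain account (as contemac did) both give it a domain identity.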
contemac
Contributor

We were experiencing the same problem with the added feature that we have the virtual center server separate from the database server. We solved the situation by adding first a domain account as dbowner of the specific virtual center, through logins and users and second by using that same domain account as the logon for the virtualcenter server service. This way, the service starts using the domain account that connects to the database. After that, when you try to add permissions to the virtualcenter it is possible to select accounts and groups from the domain.

khasragy
Contributor

In some cases, people try to install and test the VMware vSphere suite in a virtualization environment.

After they decide to install ESX and other ESXi components on VMware Workstation or VirtualBox or another virtualization product, they decide to install Windows 2008.

After they install Windows 2008 they try to fully update it and make a clone of this virtual machine to speed up their work. But in this section, most of the time, they make a big mistake.

What is this mistake? Really they don't know how to do that. They think they can clone the running Windows 2008 and after that all the things will work well. But unfortunately they cause a big problem. And what is that? They don't know two Windows 2008 with the same SIDs will not work properly.

So, in this case, to make this work well you must do this:

1) Install Windows 2008 on a product such as VMware Workstation.

2) Fully update the Windows 2008 (optional) for performance, robustness, and security issues.

3) Fully clone this virtual machine.

4) In the cloned Windows 2008, use a tool called "Sysprep" for changing your new Windows 2008 SID. You can find a step by step guide at the following URL:

http://www.brajkovic.info/windows-server-2008/windows-server-2008-r2/how-to-change-sid-on-windows-7-...

5) Download a tool named "PsGetSID" and make sure your Windows 2008 SIDs are not the same. You can download it from the following URL:

http://technet.microsoft.com/en-us/sysinternals/bb897417

6) And after that, try to install Active Directory on one Windows 2008 or Windows 2003 and choose "Windows 2000 native" as the domain and forest functional level.

7) Join the second Windows 2008 to your domain and install vCenter on it with a user with domain administrator credentials, not local administrator credentials.

And that's it. All the things will work very well!!!

khasragy
Contributor

Still have the same problem? Here's another solution for this.

As you know, VMware vCenter uses LDAP. What does that mean? It means that you are using lightweight directory services. But why is this important? Does anybody know?

Maybe you know, maybe not. But this is really a problem. And what is that?

I remember when I had a domain controller with Windows 2003 and I decided to have a second domain controller with Windows 2008 running on it. But when I tried to do that, what happened? I tried to make Windows 2008 a second domain controller but it didn't let me. Why? Because you need to use some command-line tools to update your domain and forest functional level. Yes, that is an issue when you try to add a second domain controller running Windows 2008 to a main domain controller running Windows 2003.

Here is the link that can help you to do that:

http://technet.microsoft.com/en-us/library/cc733027(WS.10).aspx

By the way, you must use the adprep tool on the Windows 2003; the full process is demonstrated at that link. The same process can help you in the situation you have. You have a domain controller running on Windows 2003, and try to have communication between it and a second domain controller with Windows 2008 LDAP. And what will happen? It will not work if you forget to prep the Windows 2003.

And that's it!!!
