Today I was playing around with the new vCenter5 appliance. While setting up AD authentication, I had to include 'administrator' information. I tried using my own AD credentials with quite some AD permissions, but I'm not a domain admin. (standard security policy)
After trying to save this authentication information, I receive the following error:
I can't get my vCSA to connect to Active Directory at all. I have tried both domain administrator credentials as well as personal credentials. I keep getting the message "Error: Enabling Active Directory failed." Any ideas?
Hi,
I had the same error even with Domain Admin rights.
RGrds,
jarek
I have the same issue. I'm also unable to join ESXi to the domain; I suspect it may be a domain issue related to some specific rights or configuration.
I'm now digging through the ESX logs; if I find something I'll post an update.
This is kind of weird but I had the same problem.
My domain is a child domain off of a forest root. When I changed the domain to the root and used my regular unprivileged user AD configured successfully.
After I restarted Virtual center I was able to add users and groups from the root or child domain to VCenter.
The downside is that in my case this is not the desired behavior. I should be able to add the server to the child domain as I have all my other VCenter servers. That could especially be a problem for multi-domain implementations or an empty root deployment.
AL
Command line. Login to vCenter with ssh:
domainjoin-cli join (domain) user (with permissions to join domain)
domainjoin-cli join vmware.com adadmin
I could get it to work via the command line; it worked perfectly! Try it.
Changed spelling: domainjoin_cli isn't correct. Message was edited by: RParker
When I try that command from within an SSH session I get this error:
I get "command not found". How are you running this?
There's a typo in the command; it's domainjoin-cli.
I just ran it and it worked perfectly.
illiterate poster can't spell.. :smileysilly:
It should be domainjoin-cli. Were you able to get it to work?
I was able to correct the typo on my own, but I still get the odd error. I think I should probably open a case with VMware about this one.
Just for grins, double check your DNS settings. It might not be able to find the Domain Controller.
Well, I was able to get my vCenter to join the domain along with my vMA; this is what I used. But with my ESXi host it's still a no-go; see my other post. I think it's a bug in 5.
Just for everyone's benefit, I got my problem solved. With the help of VMware support we made two changes and got my problem solved. I am running IPv6 on our LAN. First, there was no IPv6 DNS entry for the vCSA, so we set a static IPv6 address and added a DNS entry; also we added entries for my DNS/AD servers in the HOSTS file on the vCSA. It's hard to say which was the fix since we did them at the same time.
I have the same issue.
My AD is Windows 2008 R2.
I get this error:
Error: Lsass Error [code 0x00080047]
0x3B - Unknown error
Which logfile could I check?
thx, P.
Added:
Verbose logging reports this:
20111130134202:INFO:File /tmp/centeristmpUH00UC/etc/krb5.conf modified
20111130134202:INFO:Finishing krb5.conf configuration
Error: Lsass Error [code 0x00080047]
0x3B - Unknown error
20111130134244:ERROR:Lsass Error [CENTERROR_DOMAINJOIN_LSASS_ERROR]
0x3B - Unknown error
Stack Trace:
main.c:921
main.c:465
djmodule.c:323
djauthinfo.c:872
djauthinfo.c:1218
krb5.conf is gone when program finishes.
Hi, I just figured out that the AD service does not support SSL/TLS. Is there a way to run without SSL/TLS?
thx, Peter
From my experience, try to look in your AD if there is a Computer registered with this name already. Delete it first. Then try using
/opt/likewise/bin/domainjoin-cli --loglevel verbose --log . join <domain> <account> <password>
If necessary take a look at
http://www.virtuallyghetto.com/2010/06/how-to-configure-likewise-open-ad.html
Also check your connectivity to AD. The domainjoin script has a parameter --firewall which can help you by checking connectivity to the AD.
good luck others...
Radomil
The cmd to join worked perfectly! Wonder what stops the web interface from working.
Let me describe this in detail. There seems to be a "well known behaviour" of the Linux appliance of vCenter 5.0 that's causing trouble.
Once there is a machine in the Active Directory that is out of time sync, it causes the authentication to fail completely for all vCenter 5 appliances.
This can cause problems at the time of joining the domain, or after you've successfully joined the domain and have been running for some time.
In both of these cases, if any of the Windows domain controllers detects a server with time skew, the integrated authentication of the vCenter stops working.
Symptom: your web interface tells you you've joined the domain, but you can't use it. Once you log in via ssh to the appliance you can use the command
/opt/likewise/bin/lw-get-status
If it tells you -> local provider only, you are having issues with the domain. I can't speak for all reasons around the world, but here is my experience:
You have to go through your whole Active Directory. Make sure all your servers are synchronized. The easiest way is to run this command on your domain controller: w32tm /monitor. This should tell you if all servers are in sync.
Also make sure all servers in your trusted zones are synchronized. For this just use w32tm /monitor /domain xxxx.xxx
In some cases this might be a pain. It is not unusual to have 20 trusted domains, and in many cases you don't have privileges to check the time synchronization. Now what can you do?
Deactivate your domain membership in the Linux vCenter appliance. Delete your server from Windows Active Directory Users and Computers.
Log in to the vCenter appliance via ssh and make yourself ready for doing the whole join procedure again.
Before you do that you need to start a sniffer in the background to log all activity. Run this command on the vCenter appliance:
tcpdump -s 1514 -i eth0 -w /tmp/join.cap not host <notebook>
(change the address <notebook> to whatever you are logged in from to the appliance)
Keep this program running until you finish the join procedure. Now try to join the Windows domain again. It will produce the same output and it won't
work, the same way as before. Once the web server stops and tells you to restart, stop the sniffer tcpdump command with Ctrl-C.
The sniffer produced the file /tmp/join.cap. Now download this file to your PC and open it in Wireshark (free program).
Go through all packets and look for a packet containing an error message krb5krb_ap_err_skew.
Analyze the packets; the server sending this message most likely causes the trouble.
Synchronize this server and try again. You need to repeat this whole procedure until you get it done.
I asked VMware people to fix this. There are multiple ways they could do it: upgrade Likewise, use an option to ignore trusts, etc.
This has been ignored although it is well known.
regards, Radomil in Prague
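Radomil's procedure above ends with a manual search through join.cap in Wireshark for the KRB5KRB_AP_ERR_SKEW message. As an added example (not part of this thread, the appliance, or Likewise), the following Python script automates that search on the pcap that the tcpdump line writes: it walks Ethernet/IPv4/UDP frames, decodes the Kerberos KRB-ERROR replies coming from port 88, reports the KDC address, realm, service name and KDC clock (stime) for every error-code 37 (KRB_AP_ERR_SKEW), and compares that stime with the appliance clock against the 5-minute default Kerberos skew tolerance. The capture it runs on is constructed inline; the 10.0.0.x addresses, the EXAMPLE.LOCAL and CHILD.EXAMPLE.LOCAL realms and the LOCAL_CLOCK value are made up for the demonstration.

```python
import struct
from datetime import datetime, timezone

KRB_AP_ERR_SKEW = 37        # KRB-ERROR error-code Wireshark labels KRB5KRB_AP_ERR_SKEW (RFC 4120)
KERBEROS_PORT = 88
MAX_SKEW_SECONDS = 300      # default Kerberos clock-skew tolerance (5 minutes)

# --- tiny DER encoder, just enough to construct a KRB-ERROR sample ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):             # non-negative values only (all we need here)
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def der_gstr(s):            # GeneralString
    return tlv(0x1B, s.encode())

def ctx(n, body):           # [n] EXPLICIT, constructed
    return tlv(0xA0 | n, body)

def build_krb_error(error_code, realm, sname, stime):
    """Constructed KRB-ERROR ([APPLICATION 30] SEQUENCE) shaped like a KDC reply."""
    name_string = tlv(0x30, b"".join(der_gstr(p) for p in sname))
    principal = tlv(0x30, ctx(0, der_int(2)) + ctx(1, name_string))   # NT-SRV-INST
    body = (ctx(0, der_int(5)) + ctx(1, der_int(30))                   # pvno, msg-type
            + ctx(4, tlv(0x18, stime.strftime("%Y%m%d%H%M%SZ").encode()))  # stime
            + ctx(5, der_int(0)) + ctx(6, der_int(error_code))        # susec, error-code
            + ctx(9, der_gstr(realm)) + ctx(10, principal))            # realm, sname
    return tlv(0x7E, tlv(0x30, body))                                  # APPLICATION 30

# --- DER walker for the parsing side ---
def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def der_children(body):
    pos = 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        yield tag, val

def parse_krb_error(msg):
    """Extract error-code, realm, sname and stime from a DER KRB-ERROR; None if it is not one."""
    tag, seq, _ = der_read(msg)
    if tag != 0x7E:
        return None
    _, fields, _ = der_read(seq)
    out = {}
    for t, v in der_children(fields):
        n = t & 0x1F
        _, inner, _ = der_read(v)
        if n == 4:
            out["stime"] = inner.decode()
        elif n == 6:
            out["error_code"] = int.from_bytes(inner, "big", signed=True)
        elif n == 9:
            out["realm"] = inner.decode()
        elif n == 10:
            for t2, v2 in der_children(inner):
                if t2 & 0x1F == 1:                       # name-string
                    _, names, _ = der_read(v2)
                    out["sname"] = "/".join(s.decode() for _, s in der_children(names))
    return out

# --- classic pcap (Ethernet/IPv4/UDP) reader, which is what the tcpdump line above produces ---
def find_skew_errors(pcap):
    """Return [(kdc_ip, realm, sname, stime)] for every KRB_AP_ERR_SKEW reply in the capture."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    pos, hits = 24, []
    while pos + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        frame, pos = pcap[pos + 16:pos + 16 + incl], pos + 16 + incl
        if frame[12:14] != b"\x08\x00":                  # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 17:                                  # not UDP
            continue
        udp = ip[(ip[0] & 0x0F) * 4:]
        sport, payload = struct.unpack("!H", udp[:2])[0], udp[8:]
        if sport != KERBEROS_PORT or not payload or payload[0] != 0x7E:
            continue                                     # only KDC -> client KRB-ERROR
        err = parse_krb_error(payload)
        if err and err.get("error_code") == KRB_AP_ERR_SKEW:
            hits.append((".".join(map(str, ip[12:16])), err.get("realm"), err.get("sname"), err.get("stime")))
    return hits

def skew_seconds(stime, local_now):
    """Seconds between the KDC clock (stime from the KRB-ERROR) and the appliance clock."""
    kdc = datetime.strptime(stime, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return abs((local_now - kdc).total_seconds())

# --- constructed sample: a client request, a healthy KDC reply, and a DC whose clock is off ---
def _udp_frame(src, dst, sport, dport, payload):
    to4 = lambda a: bytes(int(o) for o in a.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, to4(src), to4(dst)) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1322660522 + i, 0, len(f), len(f)) + f
    return out

KDC_TIME = datetime(2011, 11, 30, 13, 42, 2, tzinfo=timezone.utc)      # made-up DC clock
LOCAL_CLOCK = datetime(2011, 11, 30, 13, 50, 2, tzinfo=timezone.utc)   # made-up appliance clock (8 min off)
SAMPLE_PCAP = build_pcap([
    _udp_frame("10.0.0.11", "10.0.0.5", 50001, 88, b"\x6a\x00"),      # client AS-REQ, ignored
    _udp_frame("10.0.0.5", "10.0.0.11", 88, 50001,                     # healthy DC: PREAUTH_REQUIRED (25)
               build_krb_error(25, "EXAMPLE.LOCAL", ["krbtgt", "EXAMPLE.LOCAL"], KDC_TIME)),
    _udp_frame("10.0.0.6", "10.0.0.11", 88, 50002,                     # trusted-domain DC reporting skew
               build_krb_error(KRB_AP_ERR_SKEW, "CHILD.EXAMPLE.LOCAL", ["krbtgt", "CHILD.EXAMPLE.LOCAL"], KDC_TIME)),
])

if __name__ == "__main__":
    for kdc, realm, sname, stime in find_skew_errors(SAMPLE_PCAP):
        print(f"KRB_AP_ERR_SKEW from {kdc} realm={realm} sname={sname} kdc_time={stime} "
              f"skew={skew_seconds(stime, LOCAL_CLOCK):.0f}s (limit {MAX_SKEW_SECONDS}s)")
```

To run it against a real capture, replace SAMPLE_PCAP with the contents of /tmp/join.cap read in binary mode. Only the classic pcap format with an Ethernet link type and Kerberos over UDP is handled; replies carried over TCP (used when a ticket is too large for UDP) have a 4-byte length prefix before the KRB-ERROR and are not decoded here.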