VMware Cloud Community
ianc1990
Enthusiast

Adding VCSA 6.0 to domain fails

Hi Guys,

Hopefully something you can assist me with to stop me from ripping any more of my hair out. For the last few days, I have been trying to add our VCSA to our domain so that I can set up the SSO domain.

This is a brand new deployment - 6.0 all around.  We are using the embedded VCSA with an embedded deployment.  When I go to join the domain, I get the following error:

Idm client exception: Error trying to join AD, error code [11], user [Administrator@mydomain], domain [mydomain], orgUnit []

I have replaced our domain name with 'mydomain' above - any ideas?

29 Replies
unsichtbare
Expert

What is the SSO domain name? It MUST be different from the AD domain name. For example, in vSphere 6, if I am setting up a new SSO domain for the domain acme.com, then I will create the SSO domain as acme.sso.

Also, as I have stated in previous posts, I feel that using AD LDAP is a superior, more extensible, and less problematic way to add an AD domain as an identity source.

+The Invisible Admin+ If you find me useful, follow my blog: http://johnborhek.com/
greco827
Expert

The SSO domain is generally vsphere.local.

If you find this or any other answer useful please mark the answer as correct or helpful https://communities.vmware.com/people/greco827/blog
ianc1990
Enthusiast

I left the SSO domain as vsphere.local.

I added the identity source using 'Active Directory as an LDAP Server' and it's all working fine now.

Thanks guys.

Sreekanth45
Enthusiast

Hi,

Step 1. Navigate to the vSphere Web Client: https://FQDN/vsphere-client

Step 2. Select Administration

Step 3. Select Deployment -> System Configuration

Step 4. Click Nodes -> VCSA_Node -> Manage Tab -> Active Directory -> Join

Step 5. Enter your Active Directory credentials -> OK (Note: You can specify an Organizational Unit or leave it blank.)

Note: One interesting thing I noticed is that the domain never populated in the field until after I rebooted the server.

Step 6. Reboot the VCSA server

After this is complete, you can go in and add an identity source the same way you would in previous versions (Administration -> Configuration).

David_Y
Enthusiast

Did anyone ever figure out the actual issue or a resolution to this problem? I have the exact error code 11 message and cannot get this thing to join the domain. I've been down the NETBIOS rabbit hole, I've tried typing the domain name in every possible way I can think of (caps, lowercase), I've tried typing the username in every combo (domain\username, username, DOMAIN\username, etc.). I've elevated my account to enterprise admin on the forest. No matter what, I can't get this thing to join. I've found a few posts, like this one, with the same problem but never a clear solution to the problem. Seems everyone just stumbles upon it suddenly working and calls it good.

Please HELP!

David_Y
Enthusiast

Well, count me in the group for which this suddenly "magically" started working. I waited an hour or two after deploying this and attempting to join it to the domain. Suddenly it just worked. So if you run across this problem and thread in your quest to resolve it (error code 11), you might just reboot the appliance and let it sit for a while.

MickeyShowers
Contributor

That's pretty ridiculous, isn't it? I'm having the same issue, only with a much less complicated domain than the OP. Using a domain admin account, nada. "user cannot access domain"

Anyone have an idea?

Thanks!

EDIT:

Just discovered that from the CLI, if I join with JUST my user name, it prompts me for my password. It will not, however, take my password. Could it have something to do with special characters in my password?

EDIT:

Believe it or not, the problem was a special character in my password! HELLO VMWARE!!! Why isn't this mentioned anywhere?

Simplicit
Contributor

If it helps... I had the same issue with error code 40087; it turned out to be a time sync issue. The reason it "just took time to get fixed" for some of you is that the time finally synced up. Once I fixed that and got the time to sync (SSH in and run date to check the time, rcntp stop/start, and then date again to make sure it doesn't change), it joined the domain no problem. I had an old DC with more than 5 minutes' difference, and that was the cause.

tlopes
Contributor

I read through and tried all the hints in this thread, but nothing worked. VCSA 6.5 would not join my 2012 AD.

Here are some things I did and got it working:

- Enable "Active Directory All" in the firewall rules of each ESXi host via the web client

- Change all DNS settings (ESXi hosts and VCSA) to point to the AD DNS and not some other DNS. Apparently there is something in the AD DNS that enables the connection. My other DNS is standard BIND DNS.

- Reboot all hosts and VCSA

- From VCSA web client, go to Administration/Deployment/System Configuration

- Click Nodes, then click the VCSA entry

- Click Manage on the right, then the Settings tab and the Active Directory pane. Join AD from here.

- Go to Administration/Single Sign-On/Configuration, then Identity Sources tab.

- Click the '+' symbol to add a source, select AD, and click Next. At this point my AD was pre-filled here.

- Continue with the wizard for successful AD Identity Source.

I'm sure not all of the above was necessary, but these steps worked for me. Hope it helps someone...

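The causes reported across this thread (an SSO domain name that collides with the AD domain name, clock skew beyond the five-minute Kerberos tolerance, resolvers that are not the AD DNS servers, and special characters in the join password) can all be checked before attempting the join. The script below is an added example, not VMware's code and not anything posted in this thread; the timestamps, the dig-style SRV answer, the resolver lists and the password are constructed sample data, and flagging every non-alphanumeric password character is an assumption, since the thread does not say which character broke the CLI join.

```python
"""Pre-flight checks before joining a vCenter appliance to an AD domain.

Added example (not VMware's code): the failure causes reported in this
thread, encoded as offline checks over constructed sample data.
"""
import re
from datetime import datetime, timezone

# Kerberos rejects authenticators whose timestamp is more than five minutes
# off the KDC's clock, so an AD join fails once the skew exceeds this.
KERBEROS_MAX_SKEW_SECONDS = 300

# Constructed sample clocks: the appliance is 6.5 minutes ahead of the DC.
SAMPLE_APPLIANCE_TIME = datetime(2015, 6, 1, 12, 6, 30, tzinfo=timezone.utc)
SAMPLE_DC_TIME = datetime(2015, 6, 1, 12, 0, 0, tzinfo=timezone.utc)

# Constructed answer section in the style of
# `dig SRV _ldap._tcp.dc._msdcs.mydomain.local`; not captured from a real domain.
SAMPLE_SRV_ANSWER = """\
_ldap._tcp.dc._msdcs.mydomain.local. 600 IN SRV 0 100 389 dc1.mydomain.local.
_ldap._tcp.dc._msdcs.mydomain.local. 600 IN SRV 0 100 389 dc2.mydomain.local.
"""

SRV_LINE = re.compile(
    r"^\S+\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)\s+"
    r"(?P<port>\d+)\s+(?P<target>\S+)$"
)


def sso_domain_conflicts(sso_domain, ad_domain):
    """True when the SSO domain name equals the AD domain name (case-insensitive)."""
    return sso_domain.strip().lower() == ad_domain.strip().lower()


def clock_skew_seconds(appliance_time, dc_time):
    """Absolute clock difference in whole seconds between appliance and DC."""
    return abs(int((appliance_time - dc_time).total_seconds()))


def parse_srv_records(answer_text):
    """Parse dig-style SRV answer lines into (priority, weight, port, target) tuples."""
    records = []
    for line in answer_text.splitlines():
        match = SRV_LINE.match(line.strip())
        if match:
            records.append((int(match["prio"]), int(match["weight"]),
                            int(match["port"]), match["target"].rstrip(".")))
    return records


def non_ad_resolvers(configured_resolvers, ad_dns_servers):
    """Resolvers configured on the appliance that are not AD DNS servers."""
    return sorted(set(configured_resolvers) - set(ad_dns_servers))


def password_special_chars(password):
    """Non-alphanumeric characters in the password (assumed to be what broke the CLI join)."""
    return sorted({c for c in password if not c.isalnum()})


def preflight(sso_domain, ad_domain, appliance_time, dc_time,
              configured_resolvers, ad_dns_servers, srv_answer, password):
    """Return a list of findings; an empty list means no known blocker was detected."""
    findings = []
    if sso_domain_conflicts(sso_domain, ad_domain):
        findings.append("SSO domain name must differ from the AD domain name")
    skew = clock_skew_seconds(appliance_time, dc_time)
    if skew > KERBEROS_MAX_SKEW_SECONDS:
        findings.append(f"clock skew of {skew}s exceeds the "
                        f"{KERBEROS_MAX_SKEW_SECONDS}s Kerberos tolerance")
    if not parse_srv_records(srv_answer):
        findings.append("no _ldap._tcp.dc._msdcs SRV records returned; "
                        "the configured DNS is not serving the AD zone")
    extra = non_ad_resolvers(configured_resolvers, ad_dns_servers)
    if extra:
        findings.append("resolvers that are not AD DNS servers: " + ", ".join(extra))
    specials = password_special_chars(password)
    if specials:
        findings.append("password contains special characters (" + "".join(specials)
                        + "); the CLI join may mishandle them")
    return findings


if __name__ == "__main__":
    # Constructed inputs chosen to trip four of the five checks.
    for finding in preflight("mydomain.local", "mydomain.local",
                             SAMPLE_APPLIANCE_TIME, SAMPLE_DC_TIME,
                             ["10.0.0.53", "10.0.0.10"], ["10.0.0.10"],
                             SAMPLE_SRV_ANSWER, "P@ssw0rd!"):
        print("WARN:", finding)
```

On a real appliance the inputs would come from date on the VCSA and on a DC, from the resolver configuration, and from a dig query for the domain's SRV records; the functions are separated so each input can be swapped in independently.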
dyspyra
Contributor

Couldn't make it work in the UI no matter what I tried, although the "it doesn't show until reboot" thing may have been relevant; I kept getting a different error depending on whether I put the username as user@domain or added the OU.

However, just using the CLI as per

https://www.virtualizationhowto.com/2017/01/vmware-vcsa-65-error-code-42500-joining-active-directory...

worked the first time, and I'm now on the domain.

However, this is only the computer domain join; there's a bunch more to do to make SSO work, and it's really poorly documented.
