29 Replies. Latest reply on Jan 28, 2019 3:13 AM by dyspyra
      • 15. Re: Adding VCSA 6.0 to domain fails
        greco827 Hot Shot

        OK, I'll keep trying to help you research and figure out what is wrong.   One question about your domain in general.  Do you have a single domain in your company, or do you have multiple domains?  If multiple, are they independent or is there a trust between them?  If there is a trust, are you joining the domain at the highest level of the hierarchy, or one of the sub-domains?

        • 16. Re: Adding VCSA 6.0 to domain fails
          ianc1990 Novice

          Thanks for all your help thus far.

          We have a forest domain which is the parent for all child domains/countries (we split child domains by country); however, that doesn't come into anything here (be it the domain we are joining it to, or the credentials we are using to add it to the child).

          We are trying to add this VCSA to the child domain for the particular country that it sits in, and we are using the default Administrator account credentials of that specific child domain.

          • 17. Re: Adding VCSA 6.0 to domain fails
            greco827 Hot Shot

            Can you try to add it to the parent domain as a test?

            • 18. Re: Adding VCSA 6.0 to domain fails
              ianc1990 Novice

              I went back in to follow your suggestion, and the domain is now appearing in there!  This makes no sense!

              Anyway - biggest problem solved, so thanks very much.

              One query I have - The VCSA has joined the sub domain.  In SSO --> Configuration --> Identity sources, I selected Active Directory (Integrated Windows Authentication) and selected to use the machine account.  The box automatically fills with the child domain, but then once it's added, it displays the parent domain.  Is this correct?

              I'm asking this because when I then go to Access Control --> Global Permissions --> Manage, then select the parent domain to add user permissions for the parent, I get an error message saying 'Cannot load users for the selected domain'.

              If the VCSA is in a child domain, and the administrator users are in the parent domain, what's the best way to get them added to the VCSA?  We do have a group within the child domain, containing all users from the parent domain, but adding this doesn't seem to work.

              • 19. Re: Adding VCSA 6.0 to domain fails
                greco827 Hot Shot

                One query I have - The VCSA has joined the sub domain.  In SSO --> Configuration --> Identity sources, I selected Active Directory (Integrated Windows Authentication) and selected to use the machine account.  The box automatically fills with the child domain, but then once its added, it displays the parent domain.  Is this correct?

                I would say yes, my experience with this type of domain set up resulted in the same thing, since you joined it to the parent domain, but used an account that is tied to the sub-domain (I presume) and/or pointing at a domain controller in the sub-domain.  This shouldn't be an issue.

                I'm asking this because when I then go to Access Control --> Global Permissions --> Manage, then select the parent domain to add user permissions for the parent, I get an error message saying 'Cannot load users for the selected domain'.

                I am not an AD person, but my guess is that the trust between the domains is not set up properly.  I would add the identity source as "AD as an LDAP Server", rather than integrated.  You could also add the sub-domain as a separate identity source.  You shouldn't have to, but I have done this successfully when working with our AD team brought no positive results.

                If the VCSA is in a child domain, and the administrator users are in the parent domain, whats the best way to get them added to the VCSA?  We do have a group within the child domain, containing all users from the parent domain, but adding this doesn't seem to work.

                Doing the above should resolve this.

                • 20. Re: Adding VCSA 6.0 to domain fails
                  unsichtbare Expert

                  What is the SSO domain name? It MUST be different from the AD domain name. For example, in vSphere 6 if I am setting up a new SSO domain for the domain acme.com, then I will create the SSO domain as acme.sso

                  Also, as I have stated in previous posts, I feel that using AD LDAP is a superior, more extensible, and less problematic way to add an AD domain as an identity source.

                  • 21. Re: Adding VCSA 6.0 to domain fails
                    greco827 Hot Shot

                    The SSO domain is generally vsphere.local.

                    • 22. Re: Adding VCSA 6.0 to domain fails
                      ianc1990 Novice

                      I left the SSO domain as vsphere.local.

                      I added the identity source using 'Active Directory as an LDAP Server' and it's all working fine now.

                      Thanks guys.

                      • 23. Re: Adding VCSA 6.0 to domain fails
                        Sreekanth45 Enthusiast

                        Hi,

                        Step 1. Navigate to the vSphere Web Client at https://FQDN/vsphere-client

                        Step 2. Select Administration

                        Step 3. Select Deployment -> System Configuration

                        Step 4. Click Nodes -> VCSA_Node -> Manage Tab -> Active Directory -> Join

                        Step 5. Enter your Active Directory credentials -> OK (Note: you can specify an Organizational Unit or leave it blank.)

                        Note: One interesting thing I noticed is that the domain never populated in the field until after I rebooted the server.

                        Step 6. Reboot the VCSA server

                        After this is complete you can go in and add an identity source the same way you would in previous versions (Administration -> Configuration).



                        • 24. Re: Adding VCSA 6.0 to domain fails
                          David_Y Novice

                          Did anyone ever figure out the actual issue or a resolution to this problem?  I have the exact error code 11 message and cannot get this thing to join the domain.  I've been down the NETBIOS rabbit hole, I've tried typing the domain name in every possible way I can think of (caps, lowercase), I've tried typing the username in every combo: domain\username, username, DOMAIN\username, etc.  I've elevated my account to enterprise admin on the forest.  No matter what, I can't get this thing to join.  I've found a few posts, like this one, with the same problem but never a clear solution to the problem.  Seems everyone just stumbles upon it suddenly working and calls it good.

                          Please HELP!

                          • 25. Re: Adding VCSA 6.0 to domain fails
                            David_Y Novice

                            Well, count me in the group for whom this suddenly "magically" started working.  I waited an hour or 2 after deploying this and attempting to join it to the domain.  Suddenly it just worked.  So if you run across this problem and thread in your quest to resolve it (Error code 11), you might just reboot the appliance and let it sit for a while.

                            • 26. Re: Adding VCSA 6.0 to domain fails
                              MickeyShowers Lurker

                              That's pretty ridiculous, isn't it?  I'm having the same issue, only with a much less complicated domain than the OP.  Using a domain admin account, nada.  "User cannot access domain"

                              Anyone have an idea?

                              Thanks!

                              EDIT:

                              Just discovered that from the CLI, if I join with JUST my user name, it prompts me for my password.  It will not, however, take my password.  Could it have something to do with special characters in my password?

                              EDIT:

                              Believe it or not, the problem was a special character in my password!  HELLO VMWARE!!!  Why isn't this mentioned anywhere?

                              • 27. Re: Adding VCSA 6.0 to domain fails
                                Simplicit Lurker

                                If it helps... I had the same issue with error code 40087; it turned out to be a time sync issue.  The reason some of you just "took time for it to get fixed" is because the time finally synced up.  Once I fixed that and got the time to sync (SSH in and run date to check the time, rcntp stop/start, and then date again to make sure it doesn't change) it joined the domain no problem.  I had an old DC with more than 5 minutes difference, and that was the cause.

                                • 28. Re: Adding VCSA 6.0 to domain fails
                                  tlopes Lurker

                                  I read through and tried all the hints in this thread, but nothing worked.  VCSA 6.5 would not join my 2012 AD.

                                  Here are some things I did to get it working:

                                  - Enable "Active Directory All" in the firewall rules of each ESXi host via the web client
                                  - Change all DNS settings (ESXi hosts and VCSA) to point to the AD DNS and not some other DNS.  Apparently there is something in the AD DNS that enables the connection.  My other DNS is standard BIND DNS.
                                  - Reboot all hosts and VCSA
                                  - From the VCSA web client, go to Administration/Deployment/System Configuration
                                  - Click Nodes, then click the VCSA entry
                                  - Click Manage on the right, then the Settings tab and Active Directory pane.  Join AD from here.
                                  - Go to Administration/Single Sign-On/Configuration, then the Identity Sources tab.
                                  - Click the '+' symbol to add a source, select AD, click Next.  At this point my AD was pre-filled here.
                                  - Continue with the wizard for a successful AD Identity Source.

                                  I'm sure not all of the above was necessary, but these steps worked for me.  Hope it helps someone...

                                  • 29. Re: Adding VCSA 6.0 to domain fails
                                    dyspyra Lurker

                                    Couldn't make it work in the UI no matter what I tried, although the whole "it doesn't show until reboot" thing may have been relevant; I kept getting a different error depending on whether I put the username @domain or added the OU.

                                    However, just using the CLI as per

                                    https://www.virtualizationhowto.com/2017/01/vmware-vcsa-65-error-code-42500-joining-active-directory-domain/

                                    worked first time and I'm now on the domain.

                                    However, this is the computer domain join; there's a bunch more to do to make SSO work and it's really poorly documented.
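The replies above converge on a handful of preconditions for the appliance domain join that the UI never reports clearly: the domain typed as a DNS name rather than a NetBIOS name (David_Y), the appliance resolving the AD DNS zone so a domain controller can be located (tlopes), clock skew to the DC inside the Kerberos 5-minute tolerance (Simplicit), and a password that reaches the join tool unmangled (MickeyShowers, and the CLI join dyspyra used). The script below is an added example written for this page, not code from the thread or from VMware: a pre-flight check to run in the appliance shell before attempting the join. It assumes `dig` and `ntpdate` exist on the appliance (not verified for every VCSA build), that the DC named as the second argument also answers NTP, and that the join itself is done with the appliance's Likewise CLI, `/opt/likewise/bin/domainjoin-cli`. The pure functions at the top run offline; the network checks only run when a domain and DC are passed as arguments.

```shell
#!/bin/sh
# vcsa-ad-preflight.sh
# Added example (not from the thread or VMware): pre-join checks for a VCSA 6.x
# Active Directory join, covering the failure modes reported in the replies.
# Assumptions: run as root in the appliance shell; `dig` and `ntpdate` are
# available there (not verified on every VCSA build); the domain controller
# passed as $2 also serves NTP.

KERB_MAX_SKEW=300   # Kerberos default clock-skew tolerance, in seconds

# skew_seconds A B: absolute difference between two integer epoch times.
skew_seconds() {
  if [ "$1" -ge "$2" ]; then echo $(($1 - $2)); else echo $(($2 - $1)); fi
}

# skew_ok OFFSET: succeeds when |OFFSET| (integer seconds) is within tolerance.
skew_ok() {
  off=${1#-}                      # drop a leading minus sign
  [ "$off" -le "$KERB_MAX_SKEW" ]
}

# is_fqdn NAME: succeeds for a dotted DNS domain name; fails for a NetBIOS
# name or anything carrying a backslash, slash or @ (typed like a principal).
is_fqdn() {
  case $1 in
    *\\*|*/*|*@*) return 1 ;;
    *.*)          return 0 ;;
    *)            return 1 ;;
  esac
}

# dc_srv_name DOMAIN: the SRV record a domain-join client resolves to find a DC.
dc_srv_name() {
  printf '_ldap._tcp.dc._msdcs.%s\n' "$1"
}

# realm_of DOMAIN: the Kerberos realm, which AD spells as the upper-cased domain.
realm_of() {
  printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# live_checks DOMAIN DC: the network-dependent part; only runs when the script
# is invoked with arguments, so the functions above can be sourced offline.
live_checks() {
  domain=$1; dc=$2
  is_fqdn "$domain" || {
    echo "use the DNS name of the domain (e.g. corp.example.com), not the NetBIOS name" >&2; return 1; }

  srv=$(dc_srv_name "$domain")
  echo "[*] resolving $srv"
  dig +short SRV "$srv" | grep -q . || {
    echo "no SRV record for $srv: point the appliance at the AD DNS servers" >&2; return 1; }

  echo "[*] clock skew against $dc (tolerance ${KERB_MAX_SKEW}s)"
  # ntpdate -q queries without stepping the clock; keep the last "offset N sec"
  # line, take the absolute value and truncate to whole seconds.
  off=$(ntpdate -q "$dc" 2>/dev/null \
        | awk '/offset/ { o=$(NF-1) } END { if (o=="") exit 1; if (o<0) o=-o; printf "%d\n", o }')
  [ -n "$off" ] || { echo "could not query time from $dc" >&2; return 1; }
  skew_ok "$off" || {
    echo "skew ${off}s exceeds ${KERB_MAX_SKEW}s: fix NTP first, then re-check with 'date'" >&2; return 1; }

  echo "[*] preflight passed for realm $(realm_of "$domain"); join with:"
  echo "    /opt/likewise/bin/domainjoin-cli join $domain <join-user>"
  echo "    (omit the password so the tool prompts for it: it then stays out of"
  echo "     shell history and ps output, and no UI or shell quoting touches special characters)"
}

if [ $# -ge 2 ]; then live_checks "$1" "$2"; fi
```

Usage: `sh vcsa-ad-preflight.sh corp.example.com dc1.corp.example.com`. Leaving the password off the `domainjoin-cli` command line is the safe default regardless of the special-character problem: a password given as an argument is visible to every process on the appliance for the duration of the join and lands in the shell history.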
