VMware Cloud Community
poweredge2010
Contributor

Installing vCenter in a Workgroup instead of joining a Domain causes warnings and problems?

I am having the following problem on our Virtual Center. If you know how to solve this, please kindly let me know; many thanks in advance!

EventID 1000[VpxdLdap] Failed to search OU=Instances container. This may indicate a problem with LDAP permissions for the account running VirtualCenter, or that the schema is not compatible with this version of VirtualCenter.

The error occurs on the hour and 15 minutes after the hour (i.e., 9am, then 9:15am, then 10am, then 10:15am).

It only happens when

1. Running vSphere Client and leaving it on (1-3 times a day).

2. It occurs 24 times a day if we have vSphere Client on as well as Veeam Monitor on; it seems Veeam Monitor is competing with vSphere Client for polling resources, so that's why the error occurs more often.

Then the vCenter server alarm section periodically produces alerts saying vCenter Health Status is YELLOW because the LDAP server cannot be contacted, which is because I have not joined an AD Domain; this sounds ridiculous.

Btw, the vCenter server DID NOT JOIN A DOMAIN; it only uses the same server's Workgroup. I know it's not right or the best way according to the vCenter setup guide, but I really want to keep it simple (i.e., I do not want to have another physical server just for AD). I really wish VMware would release a patch for vCenter that allows us to select the Domain or Workgroup model during installation, or even better, allows us to change the option on the fly.

I suspect it's a client polling problem and/or the client can't search through AD/LDAP, so it reports such an error?

It's just a warning, nothing really affecting operation, so I think I can safely ignore it, but I would appreciate it if someone who came across and solved this strange problem could share.

Update:

From vCenter Error Log:

2010-10-24 04:19:24.791 05976 error 'App' Failed to poll search: 0x0 (The call completed successfully.)

2010-10-24 04:19:24.791 05976 warning 'App' Reinitializing search -1 (ou=Licenses,ou=Licensing,dc=virtualcenter,dc=vmware,dc=int)

2010-10-24 04:19:24.791 05976 error 'App' Failed to perform asynchronous search for base DN = ou=Licenses,ou=Licensing,dc=virtualcenter,dc=vmware,dc=int: 0x51 (Cannot contact the LDAP server.)

2010-10-24 08:11:56,116 Timer-4 INFO com.vmware.vim.jointool.util.ldaphealth.LdapHealthMonitor Encountered an error when checking domain trust health : error code: $@, result: 1717

From vCenter Health Check:

Ldap domain trust change monitor - Warning - encountered an error when checking domain trust health: error code: 1717

Solution:

From VMware Communities:

The message "Encountered an error when checking domain trust health: error code 1717" is simply an informational message in Virtual Center. The "vCenter Service Status plugin for Virtual Center 4" runs some LDAP checks, including checking for the possibility to perform domain trust lookups. When it cannot perform this domain trust lookup, it shows this message.

This message is simply informational and should have no major impact on the running of the Virtual Center Server. The only way to stop this message from appearing would be joining the vCenter Server to an AD Domain. Btw, you CANNOT install an AD Domain Controller on the same machine as vCenter; it will not work, because vCenter 4.1 installs an instance of ADAM (Active Directory Application Mode). It uses this when you use vCenter Linked Mode, and ADAM will conflict with its own AD services if the server is also a Domain Controller.

From ESX 4.1 vCenter Installation Guide:

The system that you use for your vCenter Server installation must belong to a domain rather than a workgroup. If assigned to a workgroup, the vCenter Server system is not able to discover all domains and systems available on the network when using such features as vCenter Guided Consolidation Service. To determine whether the system belongs to a workgroup or a domain, right-click My Computer and click Properties and the Computer Name tab. The Computer Name tab displays either a Workgroup label or a Domain label.

It seems there is no workaround for running vCenter in a standalone Workgroup, but why would I use an extra physical machine for the sole purpose of running an AD Domain Controller? It's TOTALLY AGAINST VIRTUALIZATION and it's not Green at all; most of all, if I have a small environment with fewer than 5 ESX hosts, why would I bother to set up AD?

My own solution would be to disable the vCenter Health Check alarm, or simply removing the part saying Health Check changed to Yellow should be fine.

Finally, some people may install vCenter on Windows Server 2008 R2 and encounter the following problem, according to VMware KB 1025668.

Installing vCenter Server 4.1 on a Windows 2008 R2 system fails

Symptoms

•Cannot install vCenter Server 4.1 on a Windows 2008 R2 system

•Installing vCenter Server 4.1 on a Windows 2008 R2 system fails

•You see on of these errors:

◦The trust relationship between this workstation and the primary domain failed in the jointool-0.log

◦Setup cannot create vCenter Server directory Services Instance

Resolution

This issue may occur if the Active Directory in your environment is hosted by a Windows 2000 domain controller (THAT'S OLD!!!). It occurs because vCenter Server 4.1 is unable to retrieve the security identifier (SID) for an account.

To resolve this issue, you must apply a Microsoft hotfix. For more information and to download the hotfix, see the Microsoft Knowledge Base article 976494.

Note: You must reboot the system before installing vCenter Server again.

5 Replies
poweredge2010
Contributor

Push. Has anyone encountered this before?

golddiggie
Champion

Easiest solution I can think of would be to create a VM (in the cluster or on the host) that's a DC for use by that cluster... You can go with a Server 2003 DC with an isolated domain (same effect as a workgroup, but fully supporting what you're doing)... OR just add it to the domain that has the accounts you're looking to authenticate. Depending on how things are done, you could add trusts between the isolated domain and the actual (production) domain.

IF you want the functionality of vCenter, then you need to provide what it requires to function properly. I've never tried using a vCenter Server in an environment without an AD DC in place (even in my home test lab).

VMware VCP4

Consider awarding points for "helpful" and/or "correct" answers.

RajuVCP
Hot Shot

Hi,

This is really an annoying issue. I installed vCenter 5.0 on Windows Server 2008 R2 64-bit; it was working well for the last 2 months, but suddenly after a reboot I am getting the same error.

"2012-01-12T12:54:33,473+05:30 [00584 error "Default"] [VpxdLdap] Failed to search OU=Instances container. This may indicate a problem with LDAP permissions for the account running Virtual Center, or that the schema is not compatible with this version of VirtualCenter."

I did everything to troubleshoot and resolve the issue, and raised a call with VMware support; it took almost a day with no results, then they raised their hands and asked me to reinstall vCenter 5.0.

I am really breaking my head on this issue. Does anyone know the exact solution for this?

Regards

Raju Gunnal

Raju Gunnal VCP 4, VCP 5, VTSP 4, VTSP 5, ITIL V3 http://www.techtosolution.com
KrisandaJT
Contributor

We just encountered the same problem here.  We're running v5.0 on a Server 2008 (not R2) server.  I had just applied a round of updates on the server and was unable to log in after the required reboot.  Turns out the issue for us was not VMware related, but Windows related (no big shock there).  Turns out that a reg key was modified which prevented Active Directory authentication.  Anyway, check out the following reg key

HKLM\System\CurrentControlSet\Services\ADAM_VMwareVCMSDS\Parameters and look for Port SSL. This is supposed to be a REG_DWORD with a value of 636, but it was changed to a REG_SZ with no value. Delete the bad entry, and re-create Port SSL as a REG_DWORD with a value of 636. Reboot, and make sure all your services come back up.

Good luck!

Below is the link on the internet that solved it for me:

http://thesaffageek.co.uk/2010/07/05/active-directory-web-services-encountered-an-error-while-readin...

R/S

Joe Krisanda

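Added example (not part of the thread, and not VMware's or any poster's code): a PowerShell diagnostic for a Windows vCenter Server that automates the checks discussed above: the Workgroup-vs-Domain check from the installation guide quoted in the original post, the "Port SSL" registry value under ADAM_VMwareVCMSDS that the reply above found changed from REG_DWORD 636 to an empty REG_SZ, whether anything is listening on that port, and a scan for the 0x51 / OU=Instances / error-code-1717 signatures in vpxd and jointool log text. It assumes the instance name ADAM_VMwareVCMSDS and the registry path given in the reply; the sample log lines are constructed for the demo, and the repair function needs an elevated shell.

```powershell
# Added example, not code from the thread. Assumes the ADAM instance and registry
# path named in the reply above; sample log lines below are constructed, not real.
$InstanceName = 'ADAM_VMwareVCMSDS'
$ParamKey     = "HKLM:\SYSTEM\CurrentControlSet\Services\$InstanceName\Parameters"
$ValueName    = 'Port SSL'
$ExpectedPort = 636

function Get-DomainMembership {
    # The Workgroup-vs-Domain check the installation guide describes via My Computer > Properties.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        PartOfDomain = $cs.PartOfDomain
        Name         = if ($cs.PartOfDomain) { $cs.Domain } else { $cs.Workgroup }
    }
}

function Test-AdamSslPortValue {
    # $true only if 'Port SSL' exists, is REG_DWORD, and equals 636; explains each failure.
    param([string]$Key = $ParamKey, [string]$Name = $ValueName, [int]$Expected = $ExpectedPort)
    $regKey = Get-Item -Path $Key -ErrorAction SilentlyContinue
    if (-not $regKey) { Write-Warning "Key not found: $Key"; return $false }
    if ($regKey.GetValueNames() -notcontains $Name) { Write-Warning "'$Name' is missing"; return $false }
    $kind  = $regKey.GetValueKind($Name)
    $value = $regKey.GetValue($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        # This is the corruption the reply describes: right name, wrong type (REG_SZ), no value.
        Write-Warning "'$Name' has type $kind (expected DWord) with value '$value'"
        return $false
    }
    if ([int]$value -ne $Expected) { Write-Warning "'$Name' is $value (expected $Expected)"; return $false }
    return $true
}

function Repair-AdamSslPortValue {
    # Delete the wrong-typed entry and re-create it as REG_DWORD 636 (run elevated), then reboot.
    param([string]$Key = $ParamKey, [string]$Name = $ValueName, [int]$Expected = $ExpectedPort)
    if (Test-AdamSslPortValue -Key $Key -Name $Name -Expected $Expected) { return }
    Remove-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Expected | Out-Null
    Write-Host "Re-created '$Name' as REG_DWORD $Expected under $Key; reboot and confirm $InstanceName starts."
}

function Test-LdapsListener {
    # Cheap reachability check: is anything accepting TCP on the ADAM SSL port locally?
    param([int]$Port = $ExpectedPort)
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect('127.0.0.1', $Port); return $client.Connected }
    catch { return $false }
    finally { $client.Close() }
}

function Find-LdapHealthErrors {
    # Pull the signatures quoted in this thread out of vpxd.log / jointool log text.
    param([string[]]$Lines)
    $patterns = @{
        'LDAP unreachable (0x51)'    = 'Cannot contact the LDAP server|0x51'
        'OU=Instances search failed' = 'Failed to search OU=Instances'
        'Domain trust check (1717)'  = 'checking domain trust health.*1717'
    }
    foreach ($line in $Lines) {
        foreach ($p in $patterns.GetEnumerator()) {
            if ($line -match $p.Value) { [pscustomobject]@{ Signature = $p.Key; Line = $line } }
        }
    }
}

# --- demo run ---
Get-DomainMembership | Format-List
"Port SSL value OK : $(Test-AdamSslPortValue)"
"LDAPS listening   : $(Test-LdapsListener)"
"$InstanceName svc : $((Get-Service -Name $InstanceName -ErrorAction SilentlyContinue).Status)"

# Constructed sample log lines, modelled on the ones quoted in the thread.
$sampleLog = @(
  "2010-10-24 04:19:24.791 05976 error 'App' Failed to perform asynchronous search for base DN = ou=Licenses,ou=Licensing,dc=virtualcenter,dc=vmware,dc=int: 0x51 (Cannot contact the LDAP server.)",
  "2010-10-24 08:11:56,116 Timer-4 INFO com.vmware.vim.jointool.util.ldaphealth.LdapHealthMonitor Encountered an error when checking domain trust health : error code: 1717",
  "2010-10-24 08:12:00,000 Timer-4 INFO com.vmware.vim.jointool.util.ldaphealth.LdapHealthMonitor check completed"
)
Find-LdapHealthErrors -Lines $sampleLog | Format-Table -AutoSize

# Uncomment to apply the fix from the reply above (elevated shell, then reboot):
# Repair-AdamSslPortValue
```

Run it before and after a reboot that follows Windows updates: a false from Test-AdamSslPortValue together with a false from Test-LdapsListener is the registry-type corruption case, while a true from both with the 1717 signature still in the jointool log is the Workgroup case the original post describes, which only joining a domain (or silencing the alarm) changes.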
firestartah
Virtuoso

Thanks for the linkage to my blog. Glad it helped!

If you found this or other information useful, please consider awarding points for "Correct" or "Helpful". Gregg http://thesaffageek.co.uk