VMware Cloud Community

Install vCenter in a Workgroup instead of joining a Domain cause warning and problem?

I am having the following problem on our Virtual Center, if you know how to solve this, please kindly let me know, many many thanks in advance!

EventID 1000[VpxdLdap] Failed to search OU=Instances container. This may indicate a problem with LDAP permissions for the account running VirtualCenter, or that the schema is not compatible with this version of VirtualCenter.

The error occur on the clock and every 15 mins after the clock (ie, 9am, then 9:15am, then 10am, then 10:15am)

It only happens when

1. Running vSphere Client and leave it on (1-3 times a day)

2. Occur 24 times a day if we have vSphere Client on as well as Veeam Monitor on, seem Veeam Monitor is competing with vSphere Client for pulling resources, so that’s why the error occurs more often.

Then vCenter server alarm section will periodically produce alerts saying vCenter Health Status is in YELLOW due to LDAP server cannot be contacted because I am not joining an AD Domain, this sounds ridiculous.

Btw, the vCenter server DID NOT JOIN A DOMAIN, only using the same server’s Workgroup, I know it’s not right or the best way according to vCenter setup guide, but I really want to keep it simple. (ie, do not want to have another physical server just for AD), I really wish VMware will release a patch for vCenter that allow us to select Domain or Workgroup model during installation or even better allow us to change the option on the fly.

I suspect it’s a client pulling problem and/or the client can’t search through AD/LDAP, so it reports such error?

It’s just a warning error, nothing really affecting operation, so I think I can safely ignore it, but do appreciate if someone came across and solved this strange problem.


From vCenter Error Log:

2010-10-24 04:19:24.791 05976 error 'App' Failed to poll search: 0×0 (The call completed successfully.)

2010-10-24 04:19:24.791 05976 warning 'App' Reinitializing search -1 (ou=Licenses,ou=Licensing,dc=virtualcenter,dc=vmware,dc=int)

2010-10-24 04:19:24.791 05976 error 'App' Failed to perform asynchronous search for base DN = ou=Licenses,ou=Licensing,dc=virtualcenter,dc=vmware,dc=int: 0×51 (Cannot contact the LDAP server.)

2010-10-24 08:11:56,116 Timer-4 INFO com.vmware.vim.jointool.util.ldaphealth.LdapHealthMonitor Encountered an error when checking domain trust health : error code: $@, result: 1717

From vCenter Health Check:

Ldap domain trust change monitor – Warning – encountered an an error when checking domain trust health: error code: 1717


From VMware Communities:

The message “Encountered an eror when checking domain trust health: error code 1717″ is simply an informational message in Virtual Center. The “vCenter Service Status plugin for Virtual Center 4″ runs some LDAP checks including checking for the possibility to perform domain trust lookups. When it cannot perform this domain trust lookup then it will show this message.

This message is simply an informational message and should have no major impact on the running of the Virtual Center Server. The only ways to stop this message from appearing would be joining vCenter Server to a AD Domain. Btw, you CANNOT install AD Domain Controller on the same machine with vCenter, it will not work. Because vCenter 4.1 will install an instance of ADAM (Active Directory Application Mode). It uses this when you use vCenter Linked Mode and ADAM will conflict with its’ own AD services if the server is also a Domain Controller.

From ESX 4.1 vCenter Installation Guide:

The system that you use for your vCenter Server installation must belong to a domain rather than a

workgroup. If assigned to a workgroup, the vCenter Server system is not able to discover all domains and

systems available on the network when using such features as vCenter Guided Consolidation Service. To

determine whether the system belongs to a workgroup or a domain, right-click My Computer and click

Properties and the Computer Name tab. The Computer Name tab displays either a Workgroup label or

a Domain label.

Seemed there is no workaround for running vCenter on standalone Workgroup, but why would I use an extra physical machine for the sole purpose of running an AD Domain Controller? It’s TOTALLY AGAINST VIRTUALIZATION and it’s not Green at all, most of all if I have a small enviornment with less than 5 ESX Host, why would I bother to setup a AD?

My own solution would be disable vCenter Health Check alarm or just simply remove the part saying Health Check changed to Yellow should be fine.

Finally, some people may install vCenter on Windows Server 2008 R2 and encounter the following problem, according to VMware KB1025668.

Installing vCenter Server 4.1 on a Windows 2008 R2 system fails


•Cannot install vCenter Server 4.1 on a Windows 2008 R2 system

•Installing vCenter Server 4.1 on a Windows 2008 R2 system fails

•You see on of these errors:

◦The trust relationship between this workstation and the primary domain failed in the jointool-0.log

◦Setup cannot create vCenter Server directory Services Instance


This issue may occur if the Active Directory in your environment is hosted by a Windows 2000 domain controller (THAT’S OLD!!!). This issue occurs because vCenter Server 4.1 is unable to retrieve the security identifier (SID) for an account.

To resolve this issue, you must apply a Microsoft hotfix. For more information and to download the hotfix, see the Microsoft Knowledge Base article 976494.

Note: You must reboot the system before installing vCenter Server again.

0 Kudos
5 Replies

Push, anyone encountered this before?

0 Kudos

Easiest solution I can think of would be to create a VM (in the cluster or on the host) that's a DC for use of that cluster... You can go with a Server 2003 DC with a isolated domain (same effect as workgroup, but fully supporting what you're doing)... OR just add it to the domain that has the accounts you're looking to authenticate. Depending on how things are done, you could add trusts between the domain on the isolated domain and the actual (production) level domain.

IF you want the functionality of vCenter, then you need to provide what it requires to function properly. I've never tried using a vCenter Server in an environment without an AD DC in place (even in my home test lab).

VMware VCP4

Consider awarding points for "helpful" and/or "correct" answers.

0 Kudos
Hot Shot
Hot Shot


This is really an annoying issue, i have installed vcenter on windows server 2008 R2 64bit and installed vcenter 5.0 , it was working good from last 2 months but suddenly after a reboot i am getting the same error.

""2012-01-12T12:54:33,473+05:30 [00584 error "Default"] [VpxdLdap] Failed to search OU=Instances container. The may indicate a problem with LDAP permissions for the account running Virtual Center, or that the schema is not compatible with this version of VirtualCenter.

i did every thing to troubleshoot it and resolve the issue, raised call with VMware support took almost a day no results they raised hands and asked to reinstall vcenter 5.0.

am really breaking my head on this issue. does any one know exact solution for this.


Raju Gunnal

Raju Gunnal VCP 4, VCP 5, VTSP 4, VTSP 5, ITIL V3 http://www.techtosolution.com
0 Kudos

We just encountered the same problem here.  We're running v5.0 on a Server 2008 (not R2) server.  I had just applied a round of updates on the server and was unable to log in after the required reboot.  Turns out the issue for us was not VMware related, but Windows related (no big shock there).  Turns out that a reg key was modified which prevented Active Directory authentication.  Anyway, check out the following reg key

HKLM\System\CurrentControlSet\Services\ADAM_VMwareVCMSDS\Parameters and look for Port SSL.  This is supposed to be a REG_DWORD with a value of 636, but it was changed to a Reg_SZ with no value.  Delete the bad entry, and re-create Port SSL as a REG_DWORD with a value of 636.  Reboot, and make sure all your services come back up.

Good luck!

Below is the link on the internet that solved it for me:



Joe Krisanda

0 Kudos

Smiley Happy Thanks for the linkage to my blog. Glad it helped

If you found this or other information useful, please consider awarding points for "Correct" or "Helpful". Gregg http://thesaffageek.co.uk
0 Kudos