VMware Cloud Community
JaredKeyes
Contributor

Cannot login to vCenter 6.7u2 with Domain Credentials

Hello,

I recently added my vCenter to my Active Directory Domain and set the Domain to be the default identity source. I logged out of the Local Admin User, downloaded the Advanced Authentication Plug-In or whatever it's called, selected Use Windows Session Authentication, clicked login and it worked! However, when I try to manually type in my domain credentials it always tells me "INVALID CREDENTIALS". I've tried Domain\DomainName, DomainName@Domain.Com and just my DomainName, and I've even gone to my DC and reset my password to make sure I was using the correct password. Can anyone point me in the direction of where I should start looking to see what this issue is?

Thanks,

Jared Keyes

22 Replies
Gidrakos
Hot Shot

Hey Jared,

I ran into the same thing with mine originally. Did you upgrade/convert an older vCenter to 6.7u2, or is this a fresh install?

Regardless, I found it better to use the command-line tools located in /opt/likewise/bin to get a better readout for how vCenter was connected to AD. My issue was that I had converted from a previous vCenter and the computer account associated in AD needed to be completely removed and re-added.

Also, check your websso.log and ssoAdminServer.log files in /var/log/vmware/sso to see what errors are popping up.

RajeevVCP4
Expert

Leave the domain (PSC) and reboot,

then add it back and reboot.

It will work.

Rajeev Chauhan
VCIX-DCV6.5/VSAN/VXRAIL
Please mark helpful or correct if my answer is useful for you.
JaredKeyes
Contributor

UPDATE: Turns out I just need to delete the computer that was already in active directory to get it to connect again. Sorry, I'm still learning my way around vCenter. It's connected again, but the original problem still persists. Disconnecting and reconnecting did not fix the issue.

Oof,

I tried RajeevVCP4's solution first. After removing my vCenter from the domain and restarting it, it can no longer find the domain.

The CLI gives me the error message "Error: NERR_DCNotFound [code 0x00000995]" and the web client gives me the error "ldm client exception: Error trying to join AD, error code [2453], user [DomainName], domain [domain.com] orgUnit[]"

Now, I've made sure I've opened ports 123, 135, 137, 139, 3268, 389, 445, 464 and 88 using both TCP and UDP as per this guide (https://www.altaro.com/vmware/how-to-join-esxi-to-active-directory-for-improved-management-and-secur... ), I've created a host record and a PTR record in my DNS using the IP address of the vCenter, and I've configured my vCenter to use my DC as an NTP service so their times are synced, but according to my firewall logs the vCenter server makes one query to my DC using port 53, which I've read is the DNS port, and then fails.

I'll continue to search those logs that Gidrakos mentioned, and if it matters the answer to their first question is that this was an upgrade from an older version of vCenter (5.5 I believe), but was rebuilt a few months ago because it wasn't working correctly. Any other ideas welcomed and appreciated.

Jared Keyes

JaredKeyes
Contributor

FURTHER UPDATE:

After digging through the logs I found this error code "Native platform error [code: 851968]". After a quick bit of googling I found a solution on an older post here on the community forum, which was to... leave the domain, delete the computer account in Active Directory, and rejoin the domain... pretty much exactly what was suggested earlier (After upgrade to 6.5 update 1 broken AD authentication). After trying this twice I'm still having the same error.

Thoughts?

Jared Keyes

johncol
VMware Employee

Odd one. Check your hosts file in /etc. Are you joining with the GUI or the CLI? What is the output of /opt/likewise/bin/domainjoin-cli query?

As mentioned before, the action plan should work:

Clean up AD

Leave domain: /opt/likewise/bin/domainjoin-cli leave

Reboot

/opt/likewise/bin/domainjoin-cli join

Gidrakos
Hot Shot

As I suggested in my original reply, and like johncol said, use the CLI to leave, delete the computer object in AD, then use the CLI to re-join and you should be good. That's what I ended up having to do.

Glad you found something useful in the logs!

D3m4dm
Contributor

Wrong Post. Excuse me

IRIX201110141
Champion

Just guessing...

- The error message indicates that you are trying to add something which is already there

- It looks like you're trying to add something to a local group. Why?

What happens if you just grant permission to a user (maybe one you have never touched before, just for testing) and add him with a ROLE to vCenter?

I have the feeling you're messing around with localos and vsphere.local, which I also used, but I never tried to add something to them from the outside.

Regards,

Joerg

Gidrakos
Hot Shot

I ran into the same thing in the web interface and couldn't get around it.

Try using the CLI for managing groups as well. Everything you need (domain join, group management, etc) can be found in /usr/lib/vmware-vmafd/bin

Those give you much more direct control without the overhead of HTML5 (and better logging).

D3m4dm
Contributor

Wrong Post. Excuse me

JaredKeyes
Contributor

Hey D3m4dm,

I think you may have clicked on the wrong topic. I don't think our problems are related and I don't want people getting confused as to what troubleshooting steps have or have not been performed.

As for my original problem, I do use the CLI for most things as I don't like the web client all that much.

When I run /opt/likewise/bin/domainjoin-cli query, it returns:

Name = photon-machine

Domain = CORP.DOMAIN.COM

Distinguished Name = CN=PHOTON-MACHINE,OU=Servers,OU=HQ,OU=Locations,DC=Corp,DC=Domain,DC=com

(My domain is not actually called domain.com, I'm just erasing the actual name and replacing it for privacy reasons)

All that looks correct to me though.

I will try to clean up AD and then remove and re-add it. Hopefully that helps.

D3m4dm
Contributor

Yes, that's right, I'm in the wrong post. Excuse me so much.

JaredKeyes
Contributor

Alright, so, I'm pretty new to the organization, so if cleaning up AD is all that's necessary it's going to take me a little while to deep dive into it and figure out what everything is and what we don't need. In the meantime I have two questions, one related and one only semi-related.

I was reading through some VMware KBs (specifically this one: Unable to Log In Using Active Directory Domain Authentication ). I ran the commands they suggested, I'm not a VMware expert, but all of the output LOOKED correct. Step 3 is to leave the domain and rejoin the domain, which we have established isn't the solution for me, at least, not yet. Step 4 says to restart all the services. The command they give (/bin/service-control --restart --all) isn't a valid one, but I was wondering if there was a valid command to cycle the services or if people had recommendations for which services I should try restarting.

The other question I have is: we have a disabled users folder in our AD. The HTML5 Web Client can only display 200 users for some reason, and currently it is 75% full with disabled users or users from our contractor folder who have no reason to access our vCenter. Is there a way to make vCenter ignore certain folders in AD?

Thanks,

Jared Keyes

Gidrakos
Hot Shot

"/bin/service-control --restart --all isn't a valid one" - Not sure why since it's working perfectly for me.

From the looks of things, "service-control" lives in both /usr/bin/ and /bin/ as separate, but identical files. "which service-control" tells me /usr/bin is the default mapped one. service-control -? gives you some basic usage instructions. I can successfully use either one to list my services and get their information, including using the --all flag.

As for the AD issue - would it be possible to simply move the old users to another OU? You can use a PowerShell script to quickly search for users who haven't used their accounts, have expired passwords, etc., and move them to a proper location so vSphere doesn't see them anymore.

I am not aware of a way to tell vSphere to ignore users in an AD OU.

JaredKeyes
Contributor

Hey Gidrakos,

That's really weird. When I try that command I get a message that says "Service-control failed. Error: Restart option takes exactly one service name as argument" Maybe I should try updating my vCenter?

In regards to the AD issue, all of my disabled accounts are in a disabled account OU, but when I joined my vCenter to the domain I didn't tell it to point to a specific OU such as the users OU, so I'm assuming it's pulling all the users from every OU. Is it best practice to point vCenter to a specific OU?

Thanks,

Jared Keyes

Gidrakos
Hot Shot

Ah - It's mad about you giving it the --all flag. You need to restart them one at a time from the looks of it, or whip up a script to do it for you as a batch. Sorry, I don't have a server available that I'm willing to try restarting ALL services on, so I couldn't debug that with you.

Yes, if you simply add an Identity Source as an "AD (Integrated Windows Auth)" it doesn't allow you to specify an OU and, therefore, pulls everything it can find.

I believe best practice is to use integrated auth when applicable, but I can't find the documentation on it. That being said, it's just as secure to specify the LDAP server/connection manually and use a specified certificate.
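Gidrakos's suggestion of scripting the one-at-a-time restarts, as an added example that is not from the thread or from VMware: a POSIX shell script for the appliance that stops and starts each named service in turn, continues past failures and returns how many failed. /usr/bin/service-control with --stop, --start and --list are real VCSA options; the SERVICE_CONTROL override, the service names in the final list (vmafdd, vmdird, vmware-sts-idmd, vmware-stsd) and their order are assumptions to confirm with service-control --list before use.

```shell
#!/bin/sh
# Added example, not from the thread: restart VCSA services one at a time,
# since "service-control --restart" on this build takes exactly one service.
# SERVICE_CONTROL can be overridden (e.g. with a stub) to exercise the logic.
SERVICE_CONTROL="${SERVICE_CONTROL:-/usr/bin/service-control}"

# Stop, then start, a single service. Returns non-zero if either step fails.
restart_one() {
    svc="$1"
    "$SERVICE_CONTROL" --stop "$svc" || return 1
    "$SERVICE_CONTROL" --start "$svc" || return 1
}

# Restart each service given as an argument, in the order given, continuing
# past failures. Prints a line per service and returns the number of failures.
restart_each() {
    failed=0
    for svc in "$@"; do
        if restart_one "$svc"; then
            echo "restarted: $svc"
        else
            echo "FAILED: $svc" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Identity-stack services in an assumed dependency order (directory and
# authentication framework daemons before the STS); confirm the names on
# your appliance with "service-control --list". Only runs when given --run.
if [ "${1:-}" = "--run" ]; then
    restart_each vmafdd vmdird vmware-sts-idmd vmware-stsd
fi
```

Because the script continues after a failed service, check its exit status and stderr rather than assuming every service came back.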

Gidrakos
Hot Shot

It won't let me edit my previous post but, to add to that:

You could always make an AD group to place users in and only add that group to the list of those who have privileges. That would mean those users, like vendors, who somehow wander onto your vSphere can login, but they won't see a thing.

JaredKeyes
Contributor

Quick Update:

I've been working on getting my AD cleaned up like suggested. However, in the meantime I decided that I would just have people log on using the "Use Windows Session" checkbox; however, it doesn't work for them! They keep being told that they have no permission to anything on the vCenter even though I've added them to my server admin group in AD. I then decided to remove my account from any admin group on vCenter, including the one in my Active Directory, and see if my account gets the same error; however, it did not. So now I'm thinking that my AD is not actually replicating to my vCenter. Anybody else have that issue before?

Thanks,

Jared Keyes

Pyrotechnik
Contributor

Hello

Did you find any solution for this problem? I have exactly the same issue.

Regards

Rafal
