nettech1
Expert

Idm client exception: Error trying to join AD, error code [31], user [admin@corp.local], domain [corp.local], orgUnit []


Trying to join a VCSA 6.5 build 8815520 to an AD 2016 domain, getting error code [31].

What log file would provide more details on the error?

Thanks


Accepted Solutions
nettech1
Expert

If anyone else runs into this problem, the solution was to allow TCP 445 from the vCenter appliance to the Domain Controller.

As of this writing, the VMware KB does not list 445 as one of the ports for vCenter Server and Platform Services Controller; however, it's required to join the domain.

Required Ports for vCenter Server and Platform Services Controller

10 Replies
daphnissov
Immortal

Active Directory 2016 is only supported with vCSA 6.7 Update 1 at this time.

nettech1
Expert

Using domainjoin-cli shows the error ERROR_GEN_FAILURE [code 0x0000001f].

Do I have to enable SMB1 to join?

VMware Knowledge Base

Looks like the SMB1 issue was resolved back in 6.0u3.

daphnissov
Immortal

No, SMB1 isn't needed, but again, what you're attempting is unsupported even to begin with, so it may not work at all in that version.

nettech1
Expert

Just checked our VC at the HQ site. It's build 9451637 and it's joined to the 2016 domain.

sk84
Expert

The error code 31 seems to come from Windows. At least I can find exactly this error message "ERROR_GEN_FAILURE [code 0x0000001f]" on the Windows system error list:

System Error Codes (0-499) | Microsoft Docs

But the description of this error does not help much:

A device attached to the system is not functioning.

However, I would suggest that you investigate the error on the Active Directory system further. Maybe you can find more information in the Windows Event Log.

--- Regards, Sebastian VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist
nettech1
Expert

Seeing a response from the DC: KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED

Similar issue mentioned here, but on the older vCSA:

Authentication Failure in vSphere 6.0 - Peter D. Jorgensen

nettech1
Expert

According to the 6.x diagram, TCP 445 to the DC isn't required from the vCSA, but I am seeing TCP requests from VCSA 6.5 to the DC.

Captured with tcpdump on the vCSA.


https://benjaminulsamer.files.wordpress.com/2017/02/2131180_networkportdiagram-vsphere-6x-referencet...

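Added example, not part of the original thread: a short Python script that reads `tcpdump -nn` text output, such as a capture taken on the appliance, and reports which domain-controller ports answered the appliance's SYNs. The sample capture and its 192.0.2.x addresses are constructed; a port reported as `no-reply` (SYNs retransmitted with no SYN-ACK or reset) is the pattern a firewall silently dropping TCP 445 produces.

```python
import re

# Constructed sample in `tcpdump -nn` text format (192.0.2.10 = appliance,
# 192.0.2.5 = domain controller; both are placeholder addresses).
SAMPLE = """\
10:15:01.100000 IP 192.0.2.10.40001 > 192.0.2.5.88: Flags [S], seq 1, win 29200, length 0
10:15:01.100400 IP 192.0.2.5.88 > 192.0.2.10.40001: Flags [S.], seq 9, ack 2, win 8192, length 0
10:15:01.100500 IP 192.0.2.10.40001 > 192.0.2.5.88: Flags [.], ack 10, win 229, length 0
10:15:02.200000 IP 192.0.2.10.40002 > 192.0.2.5.445: Flags [S], seq 5, win 29200, length 0
10:15:03.200000 IP 192.0.2.10.40002 > 192.0.2.5.445: Flags [S], seq 5, win 29200, length 0
10:15:05.200000 IP 192.0.2.10.40002 > 192.0.2.5.445: Flags [S], seq 5, win 29200, length 0
10:15:06.000000 IP 192.0.2.10.40003 > 192.0.2.5.389: Flags [S], seq 7, win 29200, length 0
10:15:06.000300 IP 192.0.2.5.389 > 192.0.2.10.40003: Flags [R.], seq 0, ack 8, win 0, length 0
"""

PKT = re.compile(
    r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]+)\]")
RANK = {"no-reply": 0, "refused": 1, "open": 2}

def classify(capture):
    """Map (server_ip, port) -> 'open', 'refused' or 'no-reply'."""
    attempts = {}  # client 4-tuple -> state of that connection attempt
    for line in capture.splitlines():
        m = PKT.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags == "S":                       # initial SYN or a retransmit
            attempts.setdefault((src, sport, dst, dport), "no-reply")
        elif flags == "S." or "R" in flags:    # SYN-ACK or reset from server
            key = (dst, dport, src, sport)
            if attempts.get(key) == "no-reply":
                attempts[key] = "open" if flags == "S." else "refused"
    ports = {}
    for (_, _, dst, dport), state in attempts.items():
        target = (dst, int(dport))
        # One answered attempt proves the path to that port works.
        if RANK[state] >= RANK[ports.get(target, "no-reply")]:
            ports[target] = state
    return ports

if __name__ == "__main__":
    for (ip, port), state in sorted(classify(SAMPLE).items()):
        print(f"{ip}:{port:<5} {state}")
```
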
tahmad
Contributor

Have you mentioned the OU (where the server will be populated)? Also verify DNS, NTP, reverse DNS, and time sync. My AD level is 2008R2 and we successfully configured it.

MCSE, EMCPA