VMware Cloud Community
Jluvs2dive
Contributor

Permissions Issue

I'm having a permissions issue with a couple of my vCenter systems.  First, this is how I got here.  We are running a Windows domain.  Our domain controllers were Windows 2003.  A couple of weeks ago we added our first Windows 2012 domain controller and shortly afterwards started having some strange authentication issues.  Microsoft recently added a TechNet article talking about authentication issues with mixed Windows 2003 & 2012 domain controllers.  Since then I have added a couple more 2012 domain controllers and removed the 2003 domain controllers and we are now running in a native 2012 domain.  During this transition the problem with the permissions on the two vCenter systems started and has not cleared up with the domain controller changes.  Here's the issue I'm having on one of the vCenter systems.

It currently has nothing listed in the root of the vCenter tree and the add permissions is greyed out.  On the rest of the tree including the Data Center and both hosts it has the permission of Domain\Domain Admins with the role of Administrator.  When I try to add a permission I get the following:

Permission to perform this operation was denied.

You do not hold privilege “System > Read” on folder “Datacenters”

Call “UserDirectory.RetrieveUserGroups” for object “UserDirectory” on vCenter Server “Server Name.domain” failed.

 

Doesn’t matter what domain I choose including Vsphere.local, server or domain, I get the same error, and the Users and Groups section shows a greyed out “Loading…” message but never loads any users. Entering users manually gets a

“The following names were not found: User”

“The following errors occurred while checking the names:

User – Permission to perform this operation was denied”

I can log on to this system with the vSphere client using domain credentials though.

These hosts are running ESXi 5.5.0

The second vCenter system has both server Administrators & Domain\Domain Admins with the role of Administrator on the entire tree including the root vCenter.  I get the same issue as above when trying to add a domain user but both Server Name.domain will let me add users.

I cannot log on to this system with domain credentials.  I have to use the vCenter local administrator credentials.

This host is running ESXi 5.1.0

Both vCenter servers seem to have all of the normal domain access privileges.

What do I need to do to get these working again?  FYI, I have a third vCenter system also and it is working as it should.  Its host is also running ESXi 5.5.0.

Thanks,

John

0 Kudos
1 Reply
Jluvs2dive
Contributor

No suggestions from anybody?  Still looking for help.

Thanks,

John

0 Kudos