tuu0312
Contributor

Unable to join vCenter 6.7 to Active Directory


Hi everyone,

I have a VCSA 6.7 installed and want to join to domain Active Directory.

- When I try to join the domain via the UI, I get this error: Idm client exception: error trying to join ad, error code [40188]

- When I try to join the domain via the CLI, I get this error: Error: ERROR_MEMBER_NOT_IN_GROUP [code 0x00000529]

I found a lot of posts about failing to join vCenter to a domain, but none of them mentions the error code [40188], so I don't know how to resolve this problem.

Please help me with this. Thanks!

10 Replies

Hello,

Could you please confirm that you followed the steps below:

  • Open the vSphere HTML Client
  • Log in as the Single Sign-On Administrator or as a user with global permissions.
  • Navigate to Administration > Configuration
  • On the Identity Sources tab you can verify the available domains; by default only SSO and localos will be available
  • Navigate to the Active Directory Domain tab and click Join AD
  • Add the Domain Name and a Username and Password that have permission to join Active Directory, then click Join

Note: You have to reboot the appliance to apply the changes.

If yes, please specify at which step the error appears.

Please consider marking this answer "CORRECT" or "Helpful" if you think your question has been answered correctly.

Cheers,

VCIX6-NV|VCP-NV|VCP-DC|

@KakHassan

linkedin.com/in/hassanalkak

tuu0312
Contributor

Hi,

I followed exactly the same steps as yours, and the error appeared in the last step, after adding the username/password and clicking Join.

tuu0312
Contributor

Also, when I use the CLI, here is the command and its output:

root@photon-machine [ ~ ]# /opt/likewise/bin/domainjoin-cli join hict.local administrator@hict.local
Joining to AD Domain:   hict.local
With Computer DNS Name: photon-machine.hict.local
administrator@HICT.LOCAL's password:
Error: ERROR_MEMBER_NOT_IN_GROUP [code 0x00000529]

MikeStoica
Expert

How did you type the username?

User name in User Principal Name (UPN) format, for example, jchin@mydomain.com.

Important:

Down-level login name format, for example, DOMAIN\UserName, is unsupported.

Join or Leave an Active Directory Domain


Yes, as mentioned by MikeStoica,

please confirm the username format (administrator@hict.local).

And confirm that the OU correctly maps to the location of the administrator account in Active Directory, as follows: OU=users,DC=hict,DC=local

Cheers,
@KakHassan

tuu0312
Contributor

As MikeStoica mentioned,

my user name format is administrator@hict.local.

Last time I saw that the OU is optional, so I left it blank. But now, when I set the OU to ' DC=hict,DC=local ', the error still appears.


Yes, it is optional, but note that DC=hict,DC=local on its own is wrong, because there is no OU before it.

But can you check the network connectivity between the vCenter appliance and the DC and ensure that all the needed ports are accessible?

Cheers,
@KakHassan

daphnissov (accepted solution)
Immortal

If your vCSA hostname is photon-machine, as indicated in your bash session, this indicates you did not deploy the vCSA correctly, and that is likely the cause of the failures here. You will need to redeploy to fix this and use proper DNS and an FQDN during installation.

tuu0312
Contributor

Thanks. I found the prerequisites in this link:

Join or Leave an Active Directory Domain

"Verify that the system name of the appliance is an FQDN. If, during the deployment of the appliance, you set an IP address as a system name, you cannot join the vCenter Server Appliance to an Active Directory domain."

I had deployed the VCSA with the IP address set as the system name, so I couldn't join the AD domain. Now, after redeploying the VCSA using an FQDN, everything works.

Guillermoctl
Contributor
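A pre-flight check for the three prerequisites the thread converges on (a system name that is an FQDN rather than a bare host or IP, an OU string that carries an OU/CN component before the DC components, and DC reachability). This is an added example, not code from the thread or from VMware; the function names are hypothetical, it assumes bash on the appliance, and the port list is a standard AD set assumed here rather than taken from the thread.

```shell
#!/bin/bash
# vcsa-join-preflight.sh: run on the VCSA shell before attempting the AD join.
# Usage: bash vcsa-join-preflight.sh <dc-fqdn> [ou]   (no argument: functions only)

# System name must be an FQDN: reject an IPv4 literal and a single-label
# host such as "photon-machine" (the failing deployment in the thread).
check_system_name() {
    name=$1
    [ -n "$name" ] || return 1
    if printf '%s' "$name" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; then
        return 1                      # IP address used as system name
    fi
    case "$name" in
        *.*) return 0 ;;              # host.domain.tld
        *)   return 1 ;;              # bare hostname
    esac
}

# OU is optional (empty is fine). When given, it must start with OU= or CN=
# components and end in DC= components; "DC=hict,DC=local" alone is rejected.
check_ou() {
    ou=$1
    [ -z "$ou" ] && return 0
    printf '%s' "$ou" | grep -Eiq '^(OU|CN)=[^,]+(,(OU|CN)=[^,]+)*(,DC=[^,]+)+$'
}

# TCP reachability of the DC on ports the join needs (assumed standard AD set:
# DNS, Kerberos, LDAP, SMB, kpasswd). Uses bash's /dev/tcp with a 3 s timeout.
check_dc_ports() {
    dc=$1; failed=0
    for port in 53 88 389 445 464; do
        if timeout 3 bash -c "exec 3<>/dev/tcp/$dc/$port" 2>/dev/null; then
            echo "ok   $dc:$port"
        else
            echo "FAIL $dc:$port"; failed=1
        fi
    done
    return $failed
}

if [ $# -ge 1 ]; then
    sysname=$(hostname -f 2>/dev/null || hostname)
    check_system_name "$sysname" && echo "ok   system name $sysname is an FQDN" \
        || echo "FAIL system name '$sysname' is not an FQDN; redeploy with an FQDN"
    check_ou "${2:-}" && echo "ok   OU '${2:-}' accepted" \
        || echo "FAIL OU '${2:-}' must start with OU=/CN= and end in DC= components"
    check_dc_ports "$1"
fi
```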

I was having the same problem. Below is what worked for me.

1. FQDN of the domain. [blah.example.com]

2. OU [blank]

3. [username@blah.example.com]

4. [Password]