Everything on the migration worked except the joining to AD. I think it is because we use 2-factor authentication, and it looks like the permission didn't come over. What can be done?
I joined the appliance to the domain through the console and it joined fine. But none of my AD groups or users migrated. So I added them manually; the groups do not work but the users do.
Do I just need to start over and do the migration from scratch?
Why not build out a new VCSA and then just move your host into that vCenter and retire the old? That way everything is clean and you are not bringing any potential baggage with you.
This is a brand new VCSA and I did the migration, but the AD join failed, and the plan is to retire the old vCenter.
What is the error you are getting?
That it can't show a list of the AD accounts, and when I add the user name manually in this fashion, AD\username, that user can log in but has minimal access even as an administrator. When I remove the individual user account and try to use an AD security group, it says I do not have permissions.
When I say permission, I mean even to log into the console at all.
Is this an embedded configuration or do you have an External PSC?
It is the embedded configuration.
Can you verify from the VCSA that you can resolve DNS? SSH into the VCSA,
enable the shell and do the following below.
nslookup fqdn and then nslookup ip address
cat /etc/resolv.conf
nameservers: <DNS servers>
Yes, it is resolving DNS and I am connected to it using the FQDN, and the nslookup shows it is resolving.
Can you try joining the domain from the command line in VCSA? So I would leave the domain through the UI and SSH into VCSA.
[ ~ ]# /opt/likewise/bin/domainjoin-cli join <Username>
and Password
Yes, I am going to remove the users I manually added, leave the domain from the UI, delete the machine from AD, rejoin the domain and then reboot. What about the identity source, does that need to be removed?
Yes, remove the identity source also.
The identity source was there even after it failed to join the domain, and I never removed it before I manually joined the domain. I would assume it is necessary to remove the machine account from AD as well.
You can keep the computer object in AD.
Just to verify, when you do the domainjoin-cli, that is joining the VCSA to the domain. You will need to still join the VCSA to AD and then add the identity source.
I did all that and it is still not working right.
Did you try using LDAP instead of AD authentication for your identity source?