VMware Cloud Community
kwg66
Hot Shot

vCenter and Active Directory 2016

The following KB shows that even the most recent versions of vCenter are not compatible with Active Directory 2016.

https://kb.vmware.com/s/article/2071592

Our Active Directory architect is chomping at the bit to upgrade our Domain to 2016 for various reasons, yet this incompatibility has become a blocking concern.  

Do any VMware gurus with strong AD experience have any solutions for this issue?   Is it possible to leave some DCs behind at the older domain level that I can point the Platform service controller at so that we can move forward with an AD upgrade to 2016? 

1 Solution

Accepted Solutions
engedib
Contributor

I have upgraded a client to AD 2016 domain and forest functional level recently, they even use the SAC release channel for Windows Server where possible and there are no issues at all with vCenter 6.5.

Currently they run 2x DCs on Windows Server (SAC) 1803 build and one Windows Server 2016 Standard DC with GUI.

It is just a support thing, technically there is very minimal change between AD 2012 R2 and 2016, so it just works :)


12 Replies
msripada
Virtuoso

Hello kwg66,

If you have Windows 2016 with 2012 domain functionality level, it would still work. With the 2016 domain functionality level, the current vSphere versions do not support it.

You can point the PSC to any of the DCs with 2012 domain functionality level; however, you might have to use the AD as an LDAP, as Integrated authentication will pick any domain controller in the domain if the DNS entries exist, which can lead to the problem.

Thanks,

MS

diegodco31
Leadership

How many domains do you have in your forest Active directory?

Diego Oliveira
LinkedIn: http://www.linkedin.com/in/dcodiego
diegodco31
Leadership

Another detail: the differences between domain 2016 and 2012 R2 are few.

Windows Server 2016 functional levels | Microsoft Docs

kwg66
Hot Shot

Not sure how many domains we have in our forest, what are you getting at?  

kwg66
Hot Shot

@msripada - this is what I was thinking, that we could leave a DC at the older functional level and point the PSC directly at it. But this is the very reason I opened this post, so I could find out if this is possible based on the experience and usage of others. Certainly our organization can't be the only one looking to upgrade to AD 2016 that uses vCenter. I would think just about every organization out there is facing this at the moment.

msripada
Virtuoso

At this moment, 2016 is not supported so we have to go with the above options. I am sure VMware would be working on this but unsure of the ETA for the compatibility perspective.

Thanks,

MS

kwg66
Hot Shot

I am being informed by our acting AD SME that in order to fully upgrade to 2016 you must bring all DCs to this same level.

kwg66
Hot Shot

I would ask whether an LDAP to AD integration would work rather than the Bind method that uses the vCenter machine account; they are 2 different methods. Are both of them incompatible with AD 2016 integration?

kwg66
Hot Shot

Follow up -

I opened a case with VMware support to get more details on this and perhaps determine if the LDAP to AD connection method would still work after upgrading to AD 2016. Support could only regurgitate what was in the KB, stating it's not compatible, without any further details or explanations. Their answer to my inquiry was that no method, integrated machine account or the LDAP to AD, would work.

How is it that MS can upgrade to AD 2016 and not break all the existing apps out there that leverage AD, but VMware says it will break vCenter permissions?

@VMware vCenter team - how about some details and due diligence, and a reply to this post please.

engedib
Contributor

I have upgraded a client to AD 2016 domain and forest functional level recently, they even use the SAC release channel for Windows Server where possible and there are no issues at all with vCenter 6.5.

Currently they run 2x DCs on Windows Server (SAC) 1803 build and one Windows Server 2016 Standard DC with GUI.

It is just a support thing, technically there is very minimal change between AD 2012 R2 and 2016, so it just works :)

kwg66
Hot Shot

This is very helpful, and it will turn into the "Correct Answer" after we upgrade our AD test infrastructure and test it all out. I won't forget about you, don't worry :)

daphnissov
Immortal

Just keep in mind this is UNSUPPORTED. So should you encounter any problems in the future that come down to AD, VMware GSS have the right to tell you they can't help you until you achieve a supported posture. I've experienced this firsthand so as long as you are aware and accept the risk, proceed.
