VMware Cloud Community
vmjoe
Enthusiast

vCenter permissions are "temporarily forgotten" upon reboot

Hi

I have an odd problem with vCenter Server (current version: 6.0U3d, build 7462484 - but it has been happening since some previous v6 builds).

vCenter and all its components run on a single Windows server in a large AD domain. It has been upgraded several times since some v5 release.

When I reboot the vCenter server, most permissions are "temporarily forgotten". I myself can still log in, because I'm a member of VSPHERE.LOCAL\Administrators.

However, all accounts that have permissions set one level lower (a folder containing datacenters) cannot, because all these permissions are somehow "gone".

But now the odd thing: Once I grant one single account a permission, all the others will suddenly show up!

Maybe I should take a video of this... before you call me crazy or something. :winking_face:

All 2-3 dozen permissions will be "restored" in a matter of a few seconds... I literally can see them "flowing in" in vSphere Client.

(The permissions are set mainly for AD user accounts, but also for an AD group.)

I have the same phenomenon on two separate vCenter instances (production and pre-production).

Any ideas?

--

Johannes

srodenburg
Expert

Couple of things:

- Does it happen with local SSO accounts as well? (non-AD)

- Are you sure there aren't any problems with fetching AD objects from domain controllers? I've seen very slow enumeration of accounts because the AD controllers were quite slow in very large AD environments.

- How fast do users and groups appear when you try to give a user a permission on some VM? From the drop-down, select your AD domain. How fast are users and groups displayed?

- It's a Windows-based vCenter so you are not using LDAP, but still, is anything funky visible in the Windows event logs and vCenter logs in general?

vmjoe
Enthusiast

I think you're on the right track... it's a fairly large AD. The resource domain, where the vCenter server is located: 7,500 groups and 10k+ (technical) users, user domain (trusted): 46k+ users and 115k+ groups... plus 40 other domains which are not used in vCenter. :smileyshocked:

Since the problem emerged some months ago, maybe a certain "threshold" of users/groups was exceeded.

When I select a domain in the permissions dialogue, it takes like 7 seconds until users and groups are listed... that's now on the weekend, it might be a bit slower during weekdays.

Can anything be done to automatically "re-trigger" that AD object fetching at server startup (instead of manually adding a permission, which 'solves' the problem only until the next reboot)? Delayed start of a certain service maybe?
