VMware Cloud Community
ianc1990
Enthusiast

Adding VCSA 6.0 to domain fails

Hi Guys,

Hopefully something you can assist me with to stop me from ripping any more of my hair out. For the last few days, I have been trying to add our VCSA to our domain so that I can set up the SSO domain.

This is a brand new deployment - 6.0 all around.  We are using the embedded VCSA with an embedded deployment.  When I go to join the domain, I get the following error:

Idm client exception: Error trying to join AD, error code [11], user [Administrator@mydomain], domain [mydomain], orgUnit []

I have replaced our domain name with 'mydomain' above - any ideas?

29 Replies
dineshgoundar
Enthusiast

Are you using the correct UPN in the username for the domain? I had a very similar error. It turned out to be an incorrect UPN. Check if an AD object has been created. I noticed this: since VCSA silently joins the domain, you will not get any notification of a successful join. The Join tab remains enabled until the PSC (or in your case the VCSA) is rebooted. I faced this issue where the PSC had successfully joined the domain, but since the Join tab had not greyed out, we tried joining again and kept getting the error until we rebooted the PSC. Try these and let us know.

TusharGhate
Contributor

Log in to the CLI and try joining using the following command:

/opt/likewise/bin/domainjoin-cli join DOMAIN.NAME.COM domain.user

When prompted provide password.

Reboot the VCSA and you should be joined to AD.

ianc1990
Enthusiast

Thanks for your replies.

I'm afraid still no luck - I'm getting the following error when trying to domain join through the CLI:

Error: Lsass Error [code 0x0000000b]

The OU format is invalid.

For confirmation, the VCSA name does include the domain in its name (vcsa@domain.com). The VCSA can ping the domain controllers by name, and vice versa. The VCSA is in the domain's DNS, and a PTR record is created (as per installation requirements).

Here's a screenshot of the error:

[Screenshot: Vmware Join.PNG]

greco827
Expert

Basic question, but is the account you are using to join the server to the domain a domain admin account?

If you find this or any other answer useful please mark the answer as correct or helpful https://communities.vmware.com/people/greco827/blog
ianc1990
Enthusiast

Yep.

It's the default domain administrator account in the domain (using it to make sure it's not an account-related issue).

AndreasKlausing
Contributor

Hi,

If I trust the KB article, an error similar to this should have been fixed in 5.5 U3:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=208561...

So if you don't use 6.0 U1 for your deployment it may still exist in that version.

Could you check whether your NetBIOS domain name is in all capital letters, or whether it contains lowercase letters as well (or is maybe completely in lowercase)?

Then that could be your issue.

Regards,
Andreas

greco827
Expert

It should be fixed in 6.0 U1.  I deployed a VCSA with this version last week and our domain is entirely in small letters.

ianc1990
Enthusiast

Thanks guys - I upgraded the VCSA just a few weeks ago to 6.0.0.b to see if there was any related fix, but of course there wasn't.

I'm currently downloading the upgrade pack for 6.0.0.U1 and I'll report back!

ianc1990
Enthusiast

VCSA upgraded, and when I join the domain, I get a 'SUCCESS' message.

After this, I reboot the VCSA, but when it comes back up, in the web client under Settings--> Active Directory, it doesn't show any domain details, and I still have the Join option.

I tried joining the domain through the web client the first time, and using the CLI the second time, but it is still appearing this way.

Any ideas?

EDIT: Also meant to say that when I go to SSO --> Users and Groups, the AD domain still doesn't appear, so I'm pretty certain that it hasn't actually joined the domain.

greco827
Expert

So after the reboot, when you go to Administration --> System Configuration --> Node --> Manage --> Active Directory, the domain is still not displayed?

If it does, have you added the Identity Source via Administration --> SSO / Configuration --> Identity Sources?

If so, which method did you use to add the identity source?

ianc1990
Enthusiast

After the reboot, in Administration --> System Configuration --> Node --> Manage --> Active Directory, the domain is not displayed - empty fields.

greco827
Expert

Even though it is supposedly resolved, and worked fine for me, when you do the join, add the domain in all uppercase letters, and don't specify an OU.

greco827
Expert

Also check to make sure LDAP port 389 is open.  I'm not sure if you would even get the SUCCESS message if it wasn't, but might be worth checking.

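The replies above boil down to a short pre-flight list: join with a UPN, pass the domain in upper case (the KB case-sensitivity bug), leave the OU empty, make sure forward and reverse DNS for the appliance agree, and confirm a domain controller answers on LDAP. The script below is an added example written for this thread, not VMware tooling or anything posted by the participants; it checks those points on the appliance and prints the recommended domainjoin-cli invocation without running it. The hostnames, domain and account in the commented invocation are constructed placeholders.

```shell
#!/bin/sh
# Pre-flight checks for a VCSA/PSC Active Directory join (added example).
# Mirrors the thread's advice: UPN for the user, upper-case domain, no OU,
# forward/reverse DNS agreement, and a reachable DC on Kerberos (88) and LDAP (389).

# Upper-case a domain name (the "all capital letters" advice).
to_netbios_upper() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# Returns 0 when "$1" is a UPN (user@suffix) whose suffix is the domain "$2",
# compared case-insensitively.
upn_is_valid() {
    user=$1
    domain=$2
    case $user in
        *@*) ;;
        *) return 1 ;;
    esac
    suffix=${user#*@}
    [ "$(to_netbios_upper "$suffix")" = "$(to_netbios_upper "$domain")" ]
}

# Lsass code 0x0000000b is "The OU format is invalid". Accept only an empty
# OU (as the thread recommends) or a full distinguished name ending in DC= parts.
ou_is_valid() {
    [ -z "$1" ] && return 0
    printf '%s\n' "$1" | grep -Eiq '^OU=[^,]+(,(OU|CN)=[^,]+)*(,DC=[^,]+)+$'
}

# The appliance FQDN must resolve, and the PTR of that address must point back
# at the same name (the installation requirement mentioned above).
# Needs network access; returns 1 and explains on mismatch.
dns_round_trip_ok() {
    fqdn=$1
    ip=$(getent hosts "$fqdn" | awk 'NR==1 {print $1}')
    [ -n "$ip" ] || { echo "no address record for $fqdn"; return 1; }
    back=$(getent hosts "$ip" | awk 'NR==1 {print $2}')
    [ "$(to_netbios_upper "$back")" = "$(to_netbios_upper "$fqdn")" ] \
        || { echo "PTR for $ip is '$back', expected $fqdn"; return 1; }
}

# TCP reachability of one DC port; skipped (treated as pass) when nc is absent.
dc_port_open() {
    host=$1
    port=$2
    command -v nc >/dev/null 2>&1 || { echo "nc not found, skipping port $port"; return 0; }
    nc -z -w 3 "$host" "$port"
}

# Run all checks; on success print the join command the thread recommends
# (domain upper-cased, no OU, short account name). The join itself is never run.
preflight() {
    domain=$(to_netbios_upper "$1")
    user=$2
    ou=$3
    fqdn=$4
    dc=$5
    rc=0
    upn_is_valid "$user" "$domain" || { echo "join user '$user' is not a UPN for $domain"; rc=1; }
    ou_is_valid "$ou" || { echo "OU '$ou' is not a distinguished name; leave it empty"; rc=1; }
    dns_round_trip_ok "$fqdn" || rc=1
    for p in 88 389; do
        dc_port_open "$dc" "$p" || { echo "port $p on $dc not reachable"; rc=1; }
    done
    if [ "$rc" -eq 0 ]; then
        echo "checks passed; join with:"
        echo "  /opt/likewise/bin/domainjoin-cli join $domain ${user%@*}"
    fi
    return "$rc"
}

# Constructed placeholder values; uncomment and adjust when running on the appliance:
# preflight child.example.com Administrator@child.example.com "" vcsa01.child.example.com dc01.child.example.com
```

Run it from the appliance shell before attempting the join; a non-zero exit with a printed reason points at the specific prerequisite that failed, which is more useful than the generic error code [11] the web client returns.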
ianc1990
Enthusiast

Port 389 is open, as it's in the same network as the DCs.

You can see here that I'm getting the success message (tried with the domain in upper case this time)

[Screenshot: Capture.PNG]

After a reboot, this is the domain screen - not working properly.

[Screenshot: Capture.PNG]

greco827
Expert

OK, I'll keep trying to help you research and figure out what is wrong.   One question about your domain in general.  Do you have a single domain in your company, or do you have multiple domains?  If multiple, are they independent or is there a trust between them?  If there is a trust, are you joining the domain at the highest level of the hierarchy, or one of the sub-domains?

ianc1990
Enthusiast

Thanks for all your help thus far.

We have a forest domain which is the parent for all child domains/countries (we split child domains by country); however, that doesn't come into anything here (be it the domain we are joining it to, or the credentials we are using to add it to the child).

We are trying to add this VCSA to the child domain for the particular country that it sits in, and we are using the default Administrator account credentials of that specific child domain.

greco827
Expert

Can you try to add it to the parent domain as a test?

ianc1990
Enthusiast

I went back in to follow your suggestion, and the domain is now appearing in there!  This makes no sense!

Anyway - biggest problem solved, so thanks very much.

One query I have - the VCSA has joined the sub-domain. In SSO --> Configuration --> Identity Sources, I selected Active Directory (Integrated Windows Authentication) and selected to use the machine account. The box automatically fills with the child domain, but once it's added, it displays the parent domain. Is this correct?

I'm asking this because when I then go to Access Control --> Global Permissions --> Manage, then select the parent domain to add user permissions for the parent, I get an error message saying 'Cannot load users for the selected domain'.

If the VCSA is in a child domain, and the administrator users are in the parent domain, what's the best way to get them added to the VCSA? We do have a group within the child domain containing all users from the parent domain, but adding this doesn't seem to work.

[Screenshot: Capture.PNG]

[Screenshot: Capture2.PNG]

greco827
Expert

One query I have - the VCSA has joined the sub-domain. In SSO --> Configuration --> Identity Sources, I selected Active Directory (Integrated Windows Authentication) and selected to use the machine account. The box automatically fills with the child domain, but once it's added, it displays the parent domain. Is this correct?

I would say yes; my experience with this type of domain setup resulted in the same thing, since you joined it to the parent domain but used an account that is tied to the sub-domain (I presume) and/or pointed at a domain controller in the sub-domain. This shouldn't be an issue.

I'm asking this because when I then go to Access Control --> Global Permissions --> Manage, then select the parent domain to add user permissions for the parent, I get an error message saying 'Cannot load users for the selected domain'.

I am not an AD person, but my guess is that the trust between the domains is not set up properly. I would add the identity source as "AD as an LDAP Server" rather than Integrated. You could also add the sub-domain as a separate identity source. You shouldn't have to, but I have done this with success when dealings with our AD team brought no positive results.

If the VCSA is in a child domain, and the administrator users are in the parent domain, what's the best way to get them added to the VCSA? We do have a group within the child domain containing all users from the parent domain, but adding this doesn't seem to work.

Doing the above should resolve this.
