ianc1990
Enthusiast
Enthusiast

Adding VCSA 6.0 to domain fails

Hi Guys,

Hopefully something you can assist me with to stop me from ripping anymore of my hair out Smiley Happy  For the last few days, I have been trying to add our VCSA to our domain so that I can setup the SSO domain.

This is a brand new deployment - 6.0 all around.  We are using the embedded VCSA with an embedded deployment.  When I go to join the domain, I get the following error:

Idm client exception: Error trying to join AD, error code [11], user [Administrator@mydomain], domain [mydomain], orgUnit []

I have replaced our domain name with 'mydomain' above - any ideas?

29 Replies
dineshgoundar
Enthusiast
Enthusiast

Are you using the correct UPN in the username for the domain. I had a very similar error. It turned out to be incorrect UPN. Check if an AD object has been created. I noticed this. Since VCSA silently joins the domain, you will not get any notification for succesful join. The Join tabs remains enabled until the PSC or in your case the VCSA is rebooted. I faced this issue where the PSC had successfully joined the domain but since the join tab had not greyed out, we tried joining again and kept getting the error until we rebooted the PSC. Try these and let us know.

TusharGhate
Contributor
Contributor

Login to CLI and try joining using following command,

/opt/likewise/bin/domainjoin-cli join DOMAIN.NAME.COM domain.user

When prompted provide password.

reboot VCS and you should be joined to AD

ianc1990
Enthusiast
Enthusiast

Thank for your replies.

I'm afraid still no luck - I'm getting the following error when trying to domain join through cli:

Error: Lsass Error [code 0x0000000b]

The OU format is invalid.

For confirmation, the VCSA name does include the domain in its name (vcsa@domain.com).  The VCSA can ping the domain controllers by name, and vice versa.  the VCSA is in the domains DNS, and a PTR is created (as per installation requirements)

Here's a screenshot of the error:

Vmware Join.PNG

0 Kudos
greco827
Expert
Expert

Basic question, but is the account you are using to join the server to the domain a domain admin account?

If you find this or any other answer useful please mark the answer as correct or helpful https://communities.vmware.com/people/greco827/blog
0 Kudos
ianc1990
Enthusiast
Enthusiast

Yepp Smiley Happy

Its the default domain administrator account in the domain (using it to make sure its not an account related issue)

0 Kudos
AndreasKlausing
Contributor
Contributor

Hi,

if I trust the KB article, an error similar to this should have been fixed in 5.5 U3:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=208561...

So if you don't use 6.0 U1 for your deployment it may still exist in that version.

Could you check if your NetBIOS Domain name is in all capital letters. Or does it contain small letters as well (or is maybe completely in small letters).

Then that could be your issue.

Regards,
Andreas

greco827
Expert
Expert

It should be fixed in 6.0 U1.  I deployed a VCSA with this version last week and our domain is entirely in small letters.

If you find this or any other answer useful please mark the answer as correct or helpful https://communities.vmware.com/people/greco827/blog
0 Kudos
ianc1990
Enthusiast
Enthusiast

Thanks guys - I upgraded the VCSA just a few weeks ago to 6.0.0.b to see if there was any related fix, but of course there wasn't.

I'm currently downloading the upgrade pack for 6.0.0.U1 and I'll report back!

0 Kudos
ianc1990
Enthusiast
Enthusiast

VCSA upgraded, and when I join the domain, I get a 'SUCCESS' message.

After this, I reboot the VCSA, but when it comes back up, in the web client under Settings--> Active Directory, it doesn't show any domain details, and I still have the Join option.

I tried joining the domain through the web client the first time, and using the CLI the second time, but this is till appearing this way.


Any ideas?

EDIT: Also mean to say that when I go to SSO--> users and groups, the AD domain still doesn't appear so I'm pretty certain that it hasn't actually joined the domain.

0 Kudos
greco827
Expert
Expert

So after the reboot, when you go to Administration --> System Configuration --> Node --> Manage --> Active Directory, the domain is still not displayed?

     If it does, have you added the Identity Source via Administration --> SSO / Configuration --> Identity Sources?

    

          If so, which method did you use to add the identity source?

If you find this or any other answer useful please mark the answer as correct or helpful https://communities.vmware.com/people/greco827/blog
0 Kudos
ianc1990
Enthusiast
Enthusiast

After the reboot, in Administration --> System Configuration --> Node --> Manage --> Active Directory, the domain is not displayed - empty fields.

0 Kudos
greco827
Expert
Expert

Even though it is supposedly resolved, and worked fine for me, when you do the join, add the domain in all uppercase letters, and don't specific an OU.

If you find this or any other answer useful please mark the answer as correct or helpful https://communities.vmware.com/people/greco827/blog
greco827
Expert
Expert

Also check to make sure LDAP port 389 is open.  I'm not sure if you would even get the SUCCESS message if it wasn't, but might be worth checking.

If you find this or any other answer useful please mark the answer as correct or helpful https://communities.vmware.com/people/greco827/blog
0 Kudos
ianc1990
Enthusiast
Enthusiast

Port 389 is open as its in the same network as the DCs.

You can see here that I'm getting the success message (tried with the domain in upper case this time)

Capture.PNG

After a reboot, this is the domain screen - not working properly.

Capture.PNG

0 Kudos
greco827
Expert
Expert

OK, I'll keep trying to help you research and figure out what is wrong.   One question about your domain in general.  Do you have a single domain in your company, or do you have multiple domains?  If multiple, are they independent or is there a trust between them?  If there is a trust, are you joining the domain at the highest level of the hierarchy, or one of the sub-domains?

If you find this or any other answer useful please mark the answer as correct or helpful https://communities.vmware.com/people/greco827/blog
0 Kudos
ianc1990
Enthusiast
Enthusiast

Thanks for all your help thus far Smiley Happy

We have a forest domain which is the parent for all child domains/countries (we split child domains by country) however, that doesn't come into anything here (be it the domain we are joining it to, or the credentials we are using to add it to the child)

We are trying to add this VCSA to the child domain for the particular country that it sits in, and we are using the default Administrator account credentials of that specific child domain.

0 Kudos
greco827
Expert
Expert

Can you try to add it to the parent domain as a test?

If you find this or any other answer useful please mark the answer as correct or helpful https://communities.vmware.com/people/greco827/blog
0 Kudos
ianc1990
Enthusiast
Enthusiast

I went back in to follow your suggestion, and the domain is now appearing in there!  This makes no sense!

Anyway - biggest problem solved so thanks very much Smiley Happy

One query I have - The VCSA has joined the sub domain.  In SSO --> Configuration --> Identity sources, I selected Active Directory (Integrated Windows Authentication) and selected to use the machine account.  The box automatically fills with the child domain, but then once its added, it displays the parent domain.  Is this correct?

I'm asking this because when I then go to Access Control --> Global Permissions --> Manage, then select the parent domain to add user permissions for the parent, I get an error message saying 'Cannot load users for the selected domain'.

If the VCSA is in a child domain, and the administrator users are in the parent domain, whats the best way to get them added to the VCSA?  We do have a group within the child domain, containing all users from the parent domain, but adding this doesn't seem to work.

Capture.PNG

Capture2.PNG

0 Kudos
greco827
Expert
Expert

One query I have - The VCSA has joined the sub domain.  In SSO --> Configuration --> Identity sources, I selected Active Directory (Integrated Windows Authentication) and selected to use the machine account.  The box automatically fills with the child domain, but then once its added, it displays the parent domain.  Is this correct?

          I would say yes, my experience with this type of domain set up resulted in the same thing.  Since you joined it to the parent domain, but used an account that is tied to the sub-domain (I presume) and/or pointing at a domain controller in the sub-domain.  This shouldn't be an issue. 

I'm asking this because when I then go to Access Control --> Global Permissions --> Manage, then select the parent domain to add user permissions for the parent, I get an error message saying 'Cannot load users for the selected domain'.

I am not an AD person, but my guess is that the trust between the domains is not set up properly.  I would add the identity source as "AD as an LDAP Server", rather than integrated.  You could also add the sub-domain as a separate identity source.  You shouldn't have to, but I have done this with success when dealing with our AD team brought no positive results.

If the VCSA is in a child domain, and the administrator users are in the parent domain, whats the best way to get them added to the VCSA?  We do have a group within the child domain, containing all users from the parent domain, but adding this doesn't seem to work.

Doing the above should resolve this.

If you find this or any other answer useful please mark the answer as correct or helpful https://communities.vmware.com/people/greco827/blog
0 Kudos