VMware Cloud Community
admin
Immortal
Immortal
‎03-15-2007 06:38 AM

Can't start VC service due to failed permission on PDC

Hi,

I just installed Virtual Center 2.0.1 patch 2 on a Windows 2000 server SP4 that is PDC.

When I start the VIrtualCenter Service, the service start and stop just after.

I got those error, in the VPX logs:

\[2007-03-15 11:53:04.117 'BaseLibs' 3764 info] \[ADS] Failed to lookup account DOMAIN\Domain Admins (err: 1332, \[16, 256])

\[2007-03-15 11:53:04.117 'App' 3764 error] Failed to add default permission: user DOMAIN\Domain Admins found

\[2007-03-15 11:53:04.117 'App' 3764 error] Cannot start authorize - system has no access rules

\[2007-03-15 11:53:04.117 'App' 3764 error] \[Auth] Failed to initialize:

\[2007-03-15 11:53:04.132 'App' 3764 error] Failed to initialize security

\[2007-03-15 11:53:04.132 'App' 3764 info] Shutting down VMware VirtualCenter...[/i]

I think it's permissions to create VC admin group in AD, maybe I could create it manually. Does someone, knows the name and properties of this group? Or Someone knows was cause this error?

Reply
0 Kudos
3 Replies
bister
Expert
Expert
‎03-15-2007 06:44 AM

That was an issue here earlier. Seems like you cannot install VC on a Domain Controller. Isn't recommended anyways.

Reply
0 Kudos
admin
Immortal
Immortal
‎03-15-2007 09:31 AM

this help to pass the trouble, except that it isn't best-pratice for DC (less security) =>

http://www.vmware.com/community/thread.jspa?messageID=372030&#372030

Reply
0 Kudos
XModem
Enthusiast
Enthusiast
‎06-16-2009 07:30 AM

Actually I just did install the VC on a DC:

Point is, that it does not recognize the local "Administrators" group in order to add it to the access list, and the error in the vpxd.log also suggests that it might not resolve the AD Group "Domain Admins" since it might not have enough rights, or it is even a localization issue, since in german domains this group is called "Domänen-Admins" rather.

At any rate, it is too lazy to add the "BUILTIN\Administrators" (or german: "BUILTIN\Administratoren") to the access list, which in fact would enable the service to start and in turn you to log in.

You will need to manually hack the table "dbo.VPX_ACCESS" using the SQL Management Studio (Express). I took the values for an entry from an existing, working VC and it will look something like:

ID, PRINCIPAL, ROLE_ID, ENTITY_ID, FLAG

1, BUILTIN\Administrators, -1, 1, 3

Just make sure above group name fits your domain language.

Reply
0 Kudos