VMware Cloud Community
Almero
Enthusiast

Update SSO identity Source when we fail over to DR site


Hi team, please may I have your assistance on SSO 5.1.

I have been trying for 3 days to define a valid Active Directory identity source in the DR site.

I must mention that this DR site is TOTALLY isolated from Prod.

All we have there is a copy of the Prod LUNs.

Once all VMs have been pulled into the DR ESXi host and powered up, I can only log in with admin@system-domain using web access.

I found the obvious problem being that my PROD AD VM is not accessible from DR. Let's call the DC VM AD4.

Our Windows team has built us AD1 in the DR site. It has seized no FSMO roles, but they tell me it does have a global catalog etc.

My question is: what does the DR AD require to be able to be my new identity source?

Needless to say, my service account used to authenticate to the AD DC is there, and has the same credentials as prod.

I have tried many variants of online procedures to edit, or totally remove and add new, AD identity sources, with no luck.

A basic example of the procedure followed is given here, but I have gone way past this. Extensive scrubbing of IMtrace and VPXd has been done.

http://blog.clearpathsg.com/blog/bid/265188/

The only successful logins that can be made are admin@system-domain using vSphere web access.

No domain-based accounts work, even if I add them manually after editing my new identity source (I can search and find them in the SSO config windows).

No VC inventory, as it was in PROD, is visible in that VC. No C# vSphere Client logins work.

I have fixed this, after finding the error in the logs.

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=205629...

Any guidance will be greatly appreciated. Also, max points will be awarded.

2 Replies
henry857
Contributor

Is the DR site still totally isolated? How is AD1 talking to the other domain controllers?

Almero
Enthusiast


Hi there, under normal operations, AD1 (at the DR site) can route to production AD4 (Prod site).

During cutover (where we are now), a copy of the LUNs on which AD1 resides is presented to dedicated ESXi hosts, and from there we mount, inventory, and power up.

At this stage, AD1 can no longer speak to AD4. So to answer your question, in this scenario AD1 can no longer talk to any other DCs.

I made some progress on this matter, and was able to change the SSO identity source to the correct AD, and it tested OK (not sure why that started working now).

I do this by using web access while logging on with admin@system-domain.

Then I add my domain account to the _Administrators_ group in the SSO window in web access.

I can now authenticate using my domain account when using web access, but still no vSphere Client logins work.

No critical errors in vpxd or IMtrace logs.

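The question in the first post (what the isolated DR domain controller must provide before SSO 5.1 can use it as an AD identity source) and the state reported in the last reply (bind works, a user can be found and added to the SSO Administrators group) boil down to four checks that can be run from the SSO host itself. The script below is an added example, not code from the thread or from VMware. The domain name, DC host name, service-account name and test user are placeholder assumptions; it deliberately uses only .NET classes and nslookup so it runs on a Windows Server 2008 R2 SSO host without the newer Resolve-DnsName/Test-NetConnection cmdlets.

```powershell
# Added diagnostic (not from the original thread). Run on the vCenter SSO
# server inside the isolated DR site, before editing the identity source.
# All names below are assumptions/placeholders; replace with your own.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Domain   = 'corp.example.com'        # assumed AD DNS domain
$DrDc     = 'ad1.corp.example.com'    # DR domain controller ("AD1" in the thread)
$BindUser = 'CORP\svc-sso'            # SSO identity-source service account (assumed)
$TestUser = 'jdoe'                    # a domain user that should be able to log in
$Cred     = Get-Credential $BindUser  # prompts for the service-account password

function Test-TcpPort([string]$Server, [int]$Port, [int]$TimeoutMs = 3000) {
    # Raw socket probe with a timeout; Test-NetConnection is absent on 2008 R2.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $iar = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $iar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($iar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. Name resolution. An "ldap://<domain>" style server URL depends on the DC
#    locator SRV records, so the DNS the SSO host uses in DR must serve them.
'--- DNS ---'
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1
nslookup -type=SRV "_gc._tcp.$Domain" 2>&1
[System.Net.Dns]::GetHostAddresses($DrDc) | ForEach-Object { "$DrDc -> $($_.IPAddressToString)" }

# 2. Reachability: 389/636 for the domain partition, 3268/3269 for the Global Catalog.
'--- Ports ---'
foreach ($p in 389, 636, 3268, 3269) {
    '{0}:{1} {2}' -f $DrDc, $p, $(if (Test-TcpPort $DrDc $p) { 'open' } else { 'CLOSED' })
}

# 3. Bind as the service account and read RootDSE: isGlobalCatalogReady must be
#    TRUE on the GC port if the DR DC is to answer forest-wide searches alone.
'--- LDAP bind / RootDSE ---'
$ident = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DrDc, 3268)
$conn  = New-Object System.DirectoryServices.Protocols.LdapConnection(
             $ident, $Cred.GetNetworkCredential(),
             [System.DirectoryServices.Protocols.AuthType]::Negotiate)
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()   # throws LdapException if the DR DC rejects the account
$rootReq = New-Object System.DirectoryServices.Protocols.SearchRequest(
               '', '(objectClass=*)', 'Base',
               @('isGlobalCatalogReady', 'isSynchronized', 'defaultNamingContext'))
$root = $conn.SendRequest($rootReq)
foreach ($name in $root.Entries[0].Attributes.AttributeNames) {
    '{0} = {1}' -f $name, $root.Entries[0].Attributes[$name][0]
}

# 4. Look up a real user under the base DN that will be typed into the identity
#    source; SSO can only add a principal to __Administrators__ if it is found here.
'--- User lookup ---'
$baseDn = 'DC=' + ($Domain -replace '\.', ',DC=')
$req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $baseDn, "(&(objectCategory=person)(sAMAccountName=$TestUser))", 'Subtree',
            @('distinguishedName', 'userAccountControl'))
$resp = $conn.SendRequest($req)
if ($resp.Entries.Count -eq 0) {
    "$TestUser not found under $baseDn"
} else {
    $uac = [int]$resp.Entries[0].Attributes['userAccountControl'][0]
    '{0}  disabled={1}' -f $resp.Entries[0].DistinguishedName, [bool]($uac -band 2)
}
$conn.Dispose()
```

If step 1 or 2 fails, the identity source cannot work regardless of what is typed into SSO, which matches the symptom in the first post where only admin@system-domain could log in. If step 3 binds but isGlobalCatalogReady is FALSE, use port 389 and the domain base DN rather than the GC port. A user that step 4 finds but that still cannot log in is a permissions question inside SSO and vCenter, not an identity-source one.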