Hi team, please may I have your assistance on SSO 5.1?
Been trying for 3 days to define a valid Active Directory identity source in DR site.
I must mention that this DR site is TOTALLY isolated from Prod.
All we have there is a copy of the Prod LUNs.
Once all VMs have been pulled into the DR ESXi host and powered up, I can only log in with admin@system-domain using web access.
I found the obvious problem being that my PROD AD VM is not accessible from DR. Let's call the DC VM AD4.
Our Windows team has built us AD1 in the DR site. Seized no FSMO, but they tell me it does have a global catalog etc.
My question is: what does the DR AD require to be able to be my new identity source?
Needless to say, my service account used to authenticate to the AD DC is there, and has the same credentials as prod.
Tried many variants of online procedures to edit, or totally remove and add new AD identity sources, with no luck.
A basic example of the procedure followed is given here, but I have gone way past this. Extensive scrubbing of IMtrace and vpxd has been done.
http://blog.clearpathsg.com/blog/bid/265188/
The only successful logins that can be made are admin@system-domain using vSphere web access.
No domain-based accounts work, even if I add them manually after editing my new identity source. (I can search and find them in the SSO config windows.)
No VC inventory as it was in PROD in that VC is visible. No C# vSphere client logins work.
I have fixed this, after finding the error in logs.
Any guidance will be greatly appreciated. Also, max points will be awarded.
Is the DR site still totally isolated? How is AD1 talking to the other domain controllers?
Hi there, under normal operations, AD1 (@ DR site) can route to production AD4 (Prod site).
During cut-over (where we are now), a copy of the LUNs where AD1 resides is presented to dedicated ESXi hosts, and from there we mount, inventory, and power up.
At this stage, AD1 can no longer speak to AD4. So to answer your question, in this scenario, AD1 can no longer talk to any other DCs.
I made some progress on this matter, and was able to change the SSO identity source to the correct AD, and it tested OK. (Not sure why that started working now.)
I do this by using web access while logging on with admin@system-domain.
Then add my domain account to the _Administrators_ group in the SSO window in web access.
I can now authenticate using my domain account when using web access, but still no vSphere client logins work.
No crit errors in vpxd or IMtrace logs.