VMware Cloud Community
stowny
Contributor

VCSA won't start if one domain controller is down...

Hi all,

Due to a series of circumstances we ended up with the following situation last night:
- One out of four domain controllers was offline; within the same time period we had to restart the vCenter server (VCSA), without success.

To our surprise vCenter didn't come back up again; a whole bunch of services did not start. Restarted VCSA again... the same result again.
It took a while to figure out which service was the first one failing; it turned out to be "lookupsvc".
Knowing that, I was able to find the log of that particular service.

What I found in there was quite surprising to me: a lot of "Can't contact LDAP Server" errors.

We then decided to move forward and bring the fourth domain controller back online. (Which wasn't that easy w/o vCenter running.)
After doing that, vCenter started flawlessly.

We are running VCSA 7.0.2 Build 18356314

Now, here is my question/concern:
How can it be that vCenter won't even start if only one domain controller is missing?
Or in other words, what do I need to change so that vCenter is not pointing to only one domain controller?

Any hint is very appreciated...

Cheers
Christian

2 Replies
SchaalPatrick
Enthusiast

@stowny 

First of all, regarding "(Which wasn't that easy w/o vCenter running.)":
You can log on to ESXi directly (IP of the ESXi host) when vCenter is not available.

Are any "Secondary server URL" for LDAP configured?
See: https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.psc.doc/GUID-98B36135-CDC1-435C-8F27-5E0D01... 

We have vCenter with 2 AD servers (one was physical and the other was a VM [autostart 5 sec]), and no issue when one of these is not running or offline.


stowny
Contributor

Thank you @SchaalPatrick,

I know that one can log on directly to an ESXi host; that's what I did, but when you do not know to which host a VM is registered, then "things are not that easy". Let's say it can get time consuming...

There is no "second server" when using Integrated Windows Authentication; there isn't even a primary server.
You just enter the domain name (infra.net), that's it.
And that is exactly where my question is coming from... I have never entered an LDAP server by name, but vCenter is binding itself to one and unfortunately to only that one.

In my opinion, even when there is no LDAP server available, vCenter should be able to start because LDAP or int.-authentication is just one identity provider among others... but my vCenter didn't.
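The reply above describes the expected behaviour: with Integrated Windows Authentication only the domain name is configured, and a client is supposed to discover the domain's controllers (DNS SRV records under _ldap._tcp.<domain>) and fall over to the next one when a controller is down. The script below is an added example written for this thread; it is not VMware code and says nothing about how lookupsvc actually selects a server. It uses only the Python standard library, takes a constructed SRV answer for the thread's domain "infra.net" (real SRV resolution would come from a resolver library or from `nslookup -type=SRV _ldap._tcp.infra.net`), and shows two things a defender can use before restarting VCSA: which advertised controllers currently accept a TCP connection on the LDAP port, and which controller a correctly failing-over client would end up using.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class SrvRecord:
    """One answer from a DNS SRV query such as _ldap._tcp.infra.net."""
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample SRV answer for the thread's domain "infra.net":
# four domain controllers; dc4 is advertised as a less preferred fallback
# (higher priority value = lower preference). Hostnames are invented.
SAMPLE_SRV: List[SrvRecord] = [
    SrvRecord(priority=0, weight=100, port=389, target="dc1.infra.net"),
    SrvRecord(priority=0, weight=100, port=389, target="dc2.infra.net"),
    SrvRecord(priority=0, weight=100, port=389, target="dc3.infra.net"),
    SrvRecord(priority=10, weight=100, port=389, target="dc4.infra.net"),
]


def order_candidates(records: List[SrvRecord]) -> List[Endpoint]:
    """Order SRV answers the way an LDAP client should try them.

    Lowest priority value first; within one priority, higher weight first.
    (RFC 2782 picks among equal priorities with weighted randomness; a fixed
    order is used here so the result is reproducible.)
    """
    ordered = sorted(records, key=lambda r: (r.priority, -r.weight, r.target))
    return [(r.target, r.port) for r in ordered]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect test: no LDAP bind, just 'is something listening'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


Probe = Callable[[str, int], bool]


def first_reachable(candidates: List[Endpoint],
                    probe: Probe = tcp_reachable) -> Tuple[Optional[Endpoint], List[Endpoint]]:
    """Walk the candidates and stop at the first reachable endpoint.

    Returns (chosen endpoint or None, endpoints skipped before it). This is
    the failover the thread expected: one dead controller should not stop a
    client while another controller of the same domain still answers.
    """
    skipped: List[Endpoint] = []
    for host, port in candidates:
        if probe(host, port):
            return (host, port), skipped
        skipped.append((host, port))
    return None, skipped


def domain_health(records: List[SrvRecord],
                  probe: Probe = tcp_reachable) -> Dict[str, bool]:
    """Probe every controller advertised for the domain.

    Run this before restarting VCSA to see which controllers would accept an
    LDAP connection right now; any False entry is a controller the appliance
    may try to bind to and fail on.
    """
    return {host: probe(host, port) for host, port in order_candidates(records)}


if __name__ == "__main__":
    # Against a real domain, replace SAMPLE_SRV with the records returned by
    # `nslookup -type=SRV _ldap._tcp.infra.net`; the data here is constructed.
    for host, ok in domain_health(SAMPLE_SRV).items():
        print(f"{host:20s} {'reachable' if ok else 'DOWN'}")
    chosen, skipped = first_reachable(order_candidates(SAMPLE_SRV))
    print("a failing-over client would bind to:", chosen, "after skipping:", skipped)
```

The `probe` parameter is injectable so the failover logic can be exercised without a network: passing a function that reports one host as down reproduces the thread's situation (one of four controllers offline) and shows that the remaining three are still selectable.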