I have 3 domain controllers (Windows 2003R2) none virtualized and then 3x ESXi 4.1 Hosts which also have a virtualized vCenter VM. Access to vCenter is controlled via Active Directory.
I want to retire one of my old Domain Controllers so I moved all the roles from it etc. as normal, then shut it down to see if anything failed. I still have 2 other DCs/GCs. All desktops/server/user services still work fine, but vSphere stopped accepting logons and gave me this in the event log.
The directory server has failed to update the ADAM serviceConnectionPoint object in the Active Directory. This operation will be retried.
Additional Data
SCP object DN:
CN={40130314-98b1-4511-977f-3c890bf33946},CN=VCENTRE,OU=Member Servers,DC=fal,DC=local
Error value:
58 The specified server cannot perform the requested operation.
Server error:
(n/a)
Internal ID:
3390067
ADAM service account:
NT AUTHORITY\NETWORK SERVICE
User Action
If ADAM is running under a local service account, it will be unable to update the data in the Active Directory. Consider changing the ADAM service account to either NetworkService or a domain account.
If ADAM is running under a domain user account, make sure this account has sufficient rights to update the serviceConnectionPoint object.
ServiceConnectionPoint object publication can be disabled for this instance by setting msDS-DisableForInstances attribute on the SCP publication configuration object.
It sounds to me like it is only looking at the DC I had powered down ready to retire (called DC1 while my others are DC2 and DC3). How do I make sure vSphere is not tied to a specific DC as I guess this is what has happened here?
Thanks,
Andy
Hello.
Is DNS in order on the vCenter Server and in the domain? It might be an issue there.
Good Luck!
Hi,
can you log into your vCenter VM with RDP as a domain user? Is your vCenter VM computer account in the AD ok?
Regards
Hi AndyR8939
Could you please check below steps?
Go to the Properties of the SCP Publication Service, edit and add the DN on this msDS-DisableForInstance attribute.
vmroyale - That was it! I originally skimmed over your post as I have all my VMs on static setup and have been for nearly 2 years and all fine so I just assumed this was OK, so I looked at all the other options and couldn't find the cause, so I checked the DNS settings then and yep you were right. I had my preferred and alternate DNS on my vCenter VM still pointing to my old DCs which I am retiring. My preferred was my OLDDC2 which went a while ago and my alternate DNS was the OLDDC1 I powered down yesterday!! No idea why I had it set like that, so I changed to the correct DNS settings, rebooted vCenter VM for good measure, then powered down OLDDC1 again and touch wood seems OK now.
Thanks guys! Simplest answer was the right one.
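An added example, not part of the thread: a pre-decommission check that parses `ipconfig /all` output from a member server and flags DNS client entries that still point at a retiring or unrecognised resolver, which is the condition that broke vCenter logons here. The addresses, the `LIVE_DNS` and `RETIRING_DNS` sets and the function names are constructed for illustration, and only IPv4 entries are parsed.

```python
import re

# Constructed sample of `ipconfig /all` output (placeholder addresses, not from the thread).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.0.2.50
   Default Gateway . . . . . . . . . : 192.0.2.1
   DNS Servers . . . . . . . . . . . : 192.0.2.12
                                       192.0.2.11
"""
# Constructed inventory: DCs that stay, and the DC about to be powered off.
LIVE_DNS = {"192.0.2.22", "192.0.2.23"}
RETIRING_DNS = {"192.0.2.11"}

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
DNS_FIRST = re.compile(r"^\s*DNS Servers[ .]*:\s*" + IPV4 + r"\s*$")
DNS_NEXT = re.compile(r"^\s+" + IPV4 + r"\s*$")  # continuation lines carry only an address

def configured_dns_servers(ipconfig_text):
    """Return configured IPv4 DNS servers in preference order, across all adapters."""
    servers, in_list = [], False
    for line in ipconfig_text.splitlines():
        match = DNS_FIRST.match(line) or (in_list and DNS_NEXT.match(line))
        in_list = bool(match)
        if match:
            servers.append(match.group(1))
    return servers

def audit_dns(ipconfig_text, live_dns, retiring_dns):
    """Classify each configured resolver as OK, RETIRING or UNKNOWN."""
    findings = []
    for order, ip in enumerate(configured_dns_servers(ipconfig_text), start=1):
        if ip in retiring_dns:
            status = "RETIRING"
        elif ip in live_dns:
            status = "OK"
        else:
            status = "UNKNOWN"  # e.g. a DC removed long ago but never cleaned out of the NIC
        findings.append((order, ip, status))
    return findings

def safe_to_power_off(findings):
    """True only when at least one resolver is set and all of them are staying."""
    return bool(findings) and all(status == "OK" for _, _, status in findings)

if __name__ == "__main__":
    results = audit_dns(SAMPLE_IPCONFIG, LIVE_DNS, RETIRING_DNS)
    for order, ip, status in results:
        print(f"DNS #{order}: {ip} -> {status}")
    print("safe to power off retiring DC:", safe_to_power_off(results))
```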