vCenter Server Appliance 5.0 (based on SLES 11) joined to an AD domain. I have added the domain's Domain Admins group at the vCenter object level in the Permissions tab (Propagate: yes, shows up as DOMAIN\domain^admins) and am able to log in with the vSphere client to the vCenter Server Appliance using my Windows session credentials.
However, if the appliance VM reboots, the DOMAIN\domain^admins entry is missing and I can only log in as root. If I add the group back, then I can log in using Windows session credentials like any other vCenter server.
On the vCenter Server Appliance management webpage (https://hostname:5480), Authentication tab, Status sub-tab, AD Status is Enabled with the correct AD Domain. The "Active Directory" sub-tab has the check box for "Active Directory Enabled" checked, even after reboot.
The appliance does not lose its domain membership or AD settings, just the permission within vCenter does not persist across a reboot. I have rebooted the appliance several times and noticed this each time (guest OS reboot, not hard VM reset).
Anybody else notice this? Why is this happening?
So after it boots up and starts vCenter service, it looks at its permissions and removes any invalid ones. And these are being flagged as invalid. I wonder why? They are valid to add after it has booted etc.
Interesting, this KB talks about the opposite, if I read it correctly that is, it's getting late: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=102556...