I am doing a deployment of vRA 7.2.
I have used Windows 2012 R2 Standard as AD and Windows 2008 R2 for the IaaS server.
All the services on the vRA and IaaS servers are up and running and I am able to log in successfully.
I face an issue when I try to add the directory from Administration > Directory.
I am using the Active Directory (Integrated Windows Authentication) option and logged in to the tenant using Tenant Administrator.
I know my domain admin account is correct because I used the same one to add other computers to the domain.
But in this case, when I try to add the directory, I am getting the error
"Could not join domain: Error occurred while joining domain. Verify Domain Admin username and password is correct, and the username is the sAMAccountName."
I know the credentials are correct and have the required privilege.
Is there any specific AD config I need to do here?
My apologies. I had indicated that my error was the same, but I suppose it is helpful if I show what I've entered. See below:
I'm also seeing the following errors in the connector.log:
2017-08-01 14:42:25,073 ERROR (tomcat-http--24) [3002@VSPHERE.LOCAL;configurationadmin@VSPHERE.LOCAL;127.0.0.1] com.vmware.horizon.connector.rest.DomainRestController - Error occurred while joining domain.
com.vmware.horizon.connector.domain.DomainJoinException: Failed to join domain. Error Code: ERROR_GEN_FAILURE.
2017-08-01 14:46:24,767 ERROR (tomcat-http--14) [3002@VSPHERE.LOCAL;configurationadmin@VSPHERE.LOCAL;127.0.0.1] com.vmware.horizon.connector.domain.DomainJoinServiceImpl - Failed to join domain.
com.vmware.horizon.common.utils.exceptions.CommandException: exitCode = 1, stdOut = Joining to AD Domain: domain.COM
With Computer DNS Name: oma-ilesxv0003.domain.COM
Error: ERROR_GEN_FAILURE [code 0x0000001f]
There are a couple things to check. First, and I'm assuming you're already doing this or else a different message would be displayed, you can only join the vRA front end appliance to AD from the master tenant. You have to be logged in as a tenant admin to do so. Second, make sure that in your AD there is no object for it already if you've pushed/pulled it multiple times. I don't know your vRA architecture, but the Sync Connector field should be one of your front ends. Check no firewalls are in the way. As stated, the user you're attempting with this must be a domain admin with join permissions. And also make sure the account name you're passing corresponds to the sAMAccountName attribute. If you have something different in there, it must match.
Thanks for the reply daphnissov. My responses:
1. First, and I'm assuming you're already doing this or else a different message would be displayed, you can only join the vRA front end appliance to AD from the master tenant. You have to be logged in as a tenant admin to do so.
- Yes, I'm logged into the vsphere.local tenant using the configurationadmin account that was initially created during setup. I have also tried using a manually created account that was added to both Tenant Admins and IaaS Admins.
2. Second, make sure that in your AD there is no object for it already if you've pushed/pulled it multiple times.
- It has not yet successfully been joined to AD, so there is no object. We do have a static dns entry for name resolution.
3. I don't know your vRA architecture, but the Sync Connector field should be one of your front ends. Check no firewalls are in the way.
- I'm not sure I understand the statement about the Sync Connector. Can you clarify this? I have verified that there is no blocked traffic coming to/from the vRA appliance IP.
4. As stated, the user you're attempting with this must be a domain admin with join permissions. And also make sure the account name you're passing corresponds to the sAMAccountName attribute.
- I'm using a service account that is a member of Domain Admins. I have logged in locally to the IaaS box with it to verify credentials. Here's a screenshot of the account:
1. What version of vRA?
- 7.3 (latest build)
2. What is your vRA architecture? Is it minimal, distributed, or redundant distributed?
- Enterprise build with the vRA appliance, a single IaaS server and a single SQL server. The plan is to build in HA down the road, but currently just trying to get this implemented.
3. Have you verified you can add AD as an LDAP source using those same credentials to verify the account has no connection issues?
- Yes, I have added AD as an LDAP source using the same credentials.
4. Do you have many trust relationships with other domains in your environment?
- None. This is a greenfield environment segmented from our production environment.
5. Try the attempt again and post the resulting messages from /var/log/messages and /storage/log/vmware/horizon/horizon.log.
- Will do. I will post this in a separate response.
6. Is SMBv1 disabled on your domain controller(s)?
Thanks again for the responses!
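The checks raised in the replies above (sAMAccountName, Domain Admins membership, a stale computer object, DNS resolution, SMBv1 on the DCs) can be run from the AD side before retrying the join. This is an added example written for this thread, not a VMware script; it assumes a domain-joined Windows admin host with the RSAT ActiveDirectory module, and the account name and appliance FQDN are placeholders to replace.

```powershell
# Added example (not from the thread): pre-checks for the vRA IWA domain join.
# Assumes the ActiveDirectory RSAT module and WinRM access to the domain controllers.
param(
    [string]$JoinAccount   = 'svc-vra-join',              # placeholder: sAMAccountName, not a UPN
    [string]$ConnectorFqdn = 'oma-ilesxv0003.domain.COM'  # appliance name as shown in connector.log
)
Import-Module ActiveDirectory -ErrorAction Stop

# 1. The join account must be given as its sAMAccountName and be a Domain Admin.
$user = Get-ADUser -Identity $JoinAccount -Properties Enabled, LockedOut, PasswordExpired
"sAMAccountName: $($user.SamAccountName)  Enabled: $($user.Enabled)  LockedOut: $($user.LockedOut)  PwdExpired: $($user.PasswordExpired)"
$daMembers = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
"Member of Domain Admins: $($daMembers -contains $user.SamAccountName)"

# 2. A leftover computer object with the appliance name blocks a re-join; report it if present.
$hostName = ($ConnectorFqdn -split '\.')[0]
$computer = Get-ADComputer -Filter "Name -eq '$hostName'" -ErrorAction SilentlyContinue
if ($computer) { "Existing computer object: $($computer.DistinguishedName)" }
else           { "No computer object named $hostName" }

# 3. The appliance FQDN must resolve from the domain side (the thread relies on a static DNS entry).
$dns = Resolve-DnsName -Name $ConnectorFqdn -Type A -ErrorAction SilentlyContinue
if ($dns) { "DNS: $ConnectorFqdn -> $($dns.IPAddress -join ', ')" } else { "DNS: $ConnectorFqdn does not resolve" }

# 4. SMB1 state on every domain controller, since the thread names SMBv1 as a possible blocker.
Get-ADDomainController -Filter * | ForEach-Object {
    $dc   = $_.HostName
    $smb1 = Invoke-Command -ComputerName $dc -ErrorAction SilentlyContinue -ScriptBlock {
        (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    if ($null -eq $smb1) { "$dc  SMB1: could not query (WinRM or cmdlet unavailable)" }
    else                 { "$dc  SMB1 enabled: $smb1" }
}
```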
One last thing, have you tried simply rebooting the appliance? In 7.3 and 7.2, sometimes "weird" things happen when the system has not been rebooted at least once since initial deployment and configuration. If you've not already done so, hit the reboot button for good measure.
The reboot did appear to clear up the rabbit errors that I was seeing, but unfortunately it did not fix the AD join issue. I was hoping this would be a simple fix, but alas, it was not! I will open a ticket with support, and will update this thread once a resolution is (hopefully) found.
Thanks again for your assistance, it is much appreciated!
Do let us know in this thread the outcome of your SR. My only thought is that SMBv1 could be the blocker, but I can't test that for you currently. I know in previous versions SMBv1 was required or else issues would result. You might directly ask the engineer assigned if that is still a requirement.
Could you please share what support said to resolve this issue?
Because I have the same problem: I cannot sync to the directory using AD with IWA. So I'm using AD over LDAP, but when I tried to find a group there is some error:
Prolem querying for query telnet.
So, I was having this problem right now.
Authentication over LDAP went OK, but IWA didn't work. I kept getting the "Operation can only be performed by an admin of the master tenant". Tried over 5 times and no success.
Then, I did a test putting the wrong password in my Bind User (just to see a different error; of course it told me the password was wrong) and then I tried again with the right password and IT WORKED.
So I don't know why it worked, but I know how frustrating it is to solve these kinds of problems, so why not share it, right?
Hope it can help someone!
In 'Connectors', do you see the vRA node connected to the AD domain? If not, can you join that node to the domain first and then try creating the IWA directory?