VMware Cloud Community
vmone201110141
Contributor

Changing Active Directory Trusts

Hi folks,

We are talking about an environment with more than ten vCenter Servers (on Windows and VCSA as well). All vCenters are members of an AD domain, partly the same and partly in different domains. All vCenters are installed with version 6.0 or later. The newest is version 6.5 Update 1.

The AD structure is very complex, but there are two-way trusts between the ADs. Installing a new VCSA, bringing it into a domain and configuring the identity source shows me all ADs, and I'm able to use different AD accounts for permissions. Older vCenters are not able to see the new trusted domains.

Searching the internet and taking a deeper look at the VCSA brings up some information. There are some files with the initial structure of the AD tree, maybe from the time of adding the VCSA to the AD or configuring the identity source. You can find the files at /etc/krb5.conf, /etc/vmware/service-state/likewise/krb4.conf and /var/lib/likewise/krb5_affinity.conf. Making any changes to those files doesn't change anything in the behavior.

In my test environment I can delete the identity source; all permissions are still visible, but the affected users are not able to log in. After reconnecting, everything works fine again. But I don't want to do that in a production environment.

Does anyone know a way to synchronize the vCenter with the domain to find the new trusted domains or removed domains?

Cheers,

Bertram
