Version: 6.5.0
Build: 9451637
I know there are already a lot of discussions about this topic and I also tried their solutions, but it still does not work. I have already had three Webex sessions with VMware support without any success.
We also reinstalled a fresh vCSA together, but we get the same error as before. DNS records and NTP are working correctly.
When I try to join the domain from the CLI, I get the following error.
root@vcenter [ ~ ]# /opt/likewise/bin/domainjoin-cli join domain.local administrator password
Joining to AD Domain: domain.local
With Computer DNS Name: vcenter.domain.local
Error: ERROR_GEN_FAILURE [code 0x0000001f]
SMB2 is also activated in vCenter and the Windows Firewall is temporarily disabled.
root@vcenter [ ~ ]# /opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]'
+ "Smb2Enabled" REG_DWORD 0x00000001 (1)
We have another test DC with SMB1 still enabled, and joining this DC worked fine. I activated SMB1 on our production DC and rebooted just to test this, but it still did not work.
The DC/AD is Windows Server 2012.
Maybe some of you had the same problem or have any helpful tips. I don't want to use SMB1 if possible...
I was able to solve the problem.
We had unnecessary records in our AD DNS which caused multiple trust issues with vCenter. It was a second A record that pointed to our DC, which I changed to a CNAME record. After that I was able to join the domain, but randomly got an error while configuring the permissions for AD groups. Then I found another A record with the FQDN of our DC and not only the hostname, as it should be.
After deleting this record everything works fine now.
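The failure mode described in this thread (a stale A record for the DC, a join that dies with "Server not found in Kerberos database") can be modelled offline. The following is an added example, not code from the thread or from VMware/Likewise: it mimics how a GSS-API client canonicalizes the target host through forward and reverse DNS before asking the KDC for a cifs/ service ticket, then checks whether the resulting SPN is something the KDC actually knows. The zone data, IP addresses, host names (dc01.domain.local, the alias dc.domain.local, the mistyped dc01.domain.local.domain.local) and the REALM are all constructed for the example; the reverse-lookup step reflects the rdns=true default of MIT krb5, and the cifs/ to host/ SPN mapping reflects the default sPNMappings behaviour of a Windows KDC.

```python
from dataclasses import dataclass

# Constructed realm name for the example; the thread's real domain is not known.
REALM = "DOMAIN.LOCAL"


@dataclass
class Zone:
    """A minimal forward/reverse view of an AD DNS zone plus the SPNs the KDC knows.

    All values are constructed test data, not a capture from a real DC.
    """
    a: dict     # FQDN (lowercase) -> IPv4 address
    ptr: dict   # IPv4 address -> PTR names, in the order the server returns them
    spns: set   # servicePrincipalName values registered on the DC's computer object


def forward(zone: Zone, name: str):
    """A-record lookup."""
    return zone.a.get(name.lower())


def reverse(zone: Zone, ip: str):
    """PTR lookup; a resolver normally uses the first answer it gets back."""
    names = zone.ptr.get(ip, [])
    return names[0] if names else None


def build_cifs_spn(zone: Zone, target: str, rdns: bool = True) -> str:
    """Mimic GSS-API host canonicalization for the SMB/CIFS service.

    The client resolves the target, and with rdns=true (MIT krb5 default) it then
    replaces the name with whatever the PTR record for that address says. The
    ticket request goes out for cifs/<canonical>@REALM.
    """
    ip = forward(zone, target)
    if ip is None:
        raise LookupError(f"no A record for {target}")
    canonical = target.lower()
    if rdns:
        back = reverse(zone, ip)
        if back:
            canonical = back.lower()
    return f"cifs/{canonical}@{REALM}"


def kdc_lookup(zone: Zone, spn: str) -> bool:
    """What the KDC does with the TGS-REQ: the requested SPN must belong to some account.

    A Windows KDC maps the cifs/ service class onto host/ via sPNMappings, so a DC
    that only registers host/<fqdn> still satisfies a cifs/<fqdn> request.
    """
    if spn in zone.spns:
        return True
    if spn.startswith("cifs/"):
        return "host/" + spn[len("cifs/"):] in zone.spns
    return False


def check_join_target(zone: Zone, dc_fqdn: str, rdns: bool = True):
    """Return (requested SPN, whether the KDC can find it) for a join against dc_fqdn."""
    spn = build_cifs_spn(zone, dc_fqdn, rdns)
    return spn, kdc_lookup(zone, spn)


def duplicate_a_records(zone: Zone) -> dict:
    """Names that share one IP: the 'stale extra A record' smell from the thread."""
    by_ip = {}
    for name, ip in zone.a.items():
        by_ip.setdefault(ip, []).append(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


DC_SPNS = {f"host/dc01.domain.local@{REALM}", f"host/DC01@{REALM}"}

# Constructed "before" zone: the DC's IP carries three A records, and the PTR that
# dynamic DNS registered first points at the mistyped FQDN-inside-the-zone name.
BROKEN = Zone(
    a={
        "dc01.domain.local": "10.0.0.10",
        "dc.domain.local": "10.0.0.10",                    # second A record for the DC
        "dc01.domain.local.domain.local": "10.0.0.10",     # FQDN typed as the host name
    },
    ptr={"10.0.0.10": ["dc01.domain.local.domain.local", "dc01.domain.local"]},
    spns=DC_SPNS,
)

# Constructed "after" zone: alias turned into a CNAME (no A/PTR of its own),
# mistyped record deleted, single PTR left.
CLEAN = Zone(
    a={"dc01.domain.local": "10.0.0.10"},
    ptr={"10.0.0.10": ["dc01.domain.local"]},
    spns=DC_SPNS,
)

if __name__ == "__main__":
    for label, zone in (("broken", BROKEN), ("clean", CLEAN)):
        spn, found = check_join_target(zone, "dc01.domain.local")
        print(f"{label:6} -> asks KDC for {spn}: {'found' if found else 'NOT in Kerberos database'}")
    print("duplicate A records:", duplicate_a_records(BROKEN))
```

The broken zone makes the client ask for cifs/dc01.domain.local.domain.local, which no account holds, so the KDC answers exactly the way the lwiod log in this thread does. Running check_join_target with rdns=False on the same broken zone succeeds, which is why disabling reverse-DNS canonicalization is sometimes used as a workaround; the thread's actual fix, removing the stale records, is the cleaner one because it also repairs the PTR data that other Kerberos clients rely on.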
Curious situation.
Are you sure your NTP and DNS are correct? That is usually the main cause of this, but if you created the A record and say that NTP is correct, without delay between the devices...
Are all services on the VCSA started?
Did you try to join it from the GUI?
Yes, I am sure they work properly; the DNS and NTP services are running on the DC which I try to join. Forward and reverse DNS lookups work fine on both sides.
All services on the vCSA are running, and yes, I also tried it from the GUI, where I get the error "Error trying to join AD, error code [31]"...
All right, thanks for the information.
Did you check /var/log/messages on the VCSA?
Also, did you try to create the VCSA AD object in AD first and then try to join it?
Yes, the /var/log/messages shows the following:
2018-10-22T13:03:21.227471+02:00 vcenter lwiod[1170]: 0x7f894a501700: GSS-API error calling gss_init_sec_context: 851968 (Unspecified GSS failure. Minor code may provide more information)
2018-10-22T13:03:21.227916+02:00 vcenter lwiod[1170]: 0x7f894a501700: GSS-API error calling gss_init_sec_context: 100007 (Server not found in Kerberos database)
2018-10-22T13:03:21.228835+02:00 vcenter lsassd[1188]: 0x7fad4dffb700:Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 31, symbol = ERROR_GEN_FAILURE, client pid = 10228
Creating the object manually does not help. Sometimes the object gets created when I try to join, but still with the same error message. After a vCenter reboot the Active Directory menu in the GUI is still empty and I am not able to search for AD groups/users. In these cases the command line also says that the vCenter is in a domain (/opt/likewise/bin/domainjoin-cli query), but it does not work as it should.
Hi,
Those errors are quite curious.
Anyway, perform domainjoin-cli leave and then domainjoin-cli query.
It should show only the name of your VCSA without a domain (empty), something like: name: vcsa Domain:
Just to know, does the administrator account you are using have the same suffix as the domain (for example admin@local and the VCSA is joined to the local domain)?
Also, did you try the process after rebooting the VCSA?
Hi,
Thanks for your help. I already tried different users and created new domain users with domain admin permissions.
Any time I start a new test I perform domainjoin-cli leave and then domainjoin-cli query to make sure I'm not in a domain, check if there is already an object in AD, and reboot the vCenter.
All the users I created and the administrator are from the same domain and, like I said, also in the Domain Admins group and the built-in Administrators group of the DC.