VMware Cloud Community
mstsys
Contributor

Unable to join Domain (vCSA 6.5 U2)

Version: 6.5.0

Build: 9451637

I know there are already a lot of discussions about this topic and I also tried their solutions, but it still does not work. I have already had three Webex sessions with VMware support without any success.

We also reinstalled a fresh vCSA together but getting the same error as before. DNS records and NTP are working correctly.

When I try to join the domain from the CLI, I get the following error.

root@vcenter [ ~ ]# /opt/likewise/bin/domainjoin-cli join domain.local administrator password

Joining to AD Domain:   domain.local

With Computer DNS Name: vcenter.domain.local

Error: ERROR_GEN_FAILURE [code 0x0000001f]

SMB2 is also activated in vCenter, and the Windows Firewall is temporarily disabled.

root@vcenter [ ~ ]# /opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]'

+  "Smb2Enabled"      REG_DWORD       0x00000001 (1)

We have another test DC with SMB1 still enabled, and joining that DC worked fine. I activated SMB1 on our production DC and rebooted it just to test this, but it still did not work.

DC/AD is Windows Server 2012.

[Attached screenshot: dc-smb.png]

Maybe some of you had the same problem or have any helpful tips. I don't want to use SMB1 if possible....


7 Replies
dbalcaraz
Expert

Curious situation.

Are you sure your NTP and DNS are correct? That is usually the main cause of it, but if you created the A record and say that NTP is correct, without delay between devices...

Are all services on the VCSA started?

Did you try to join it from the GUI?

-------------------------------------------------------- "I greet each challenge with expectation"
mstsys
Contributor

Yes, I am sure they work properly; the DNS and NTP services are running on the DC which I try to join. Forward and reverse DNS lookups work fine on both sides.

All services on the vCSA are running, and yes, I also tried it from the GUI, where I get the error "Error trying to join AD, error code [31]"...

dbalcaraz
Expert

All right, thanks for the information.
Did you check /var/log/messages on the VCSA?

Also, did you try to create the VCSA AD object in AD first and then try to join it?

mstsys
Contributor

Yes, the /var/log/messages shows the following:

2018-10-22T13:03:21.227471+02:00 vcenter lwiod[1170]: 0x7f894a501700: GSS-API error calling gss_init_sec_context: 851968 (Unspecified GSS failure.  Minor code may provide more information)

2018-10-22T13:03:21.227916+02:00 vcenter lwiod[1170]: 0x7f894a501700: GSS-API error calling gss_init_sec_context: 100007 (Server not found in Kerberos database)

2018-10-22T13:03:21.228835+02:00 vcenter lsassd[1188]: 0x7fad4dffb700:Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 31, symbol = ERROR_GEN_FAILURE, client pid = 10228

Creating the object manually does not help. Sometimes the object gets created when I try to join, but still with the same error message. After a vCenter reboot the Active Directory menu in the GUI is still empty and I am not able to search for AD groups/users. In these cases the command line also says that the vCenter is in a domain (/opt/likewise/bin/domainjoin-cli query), but it does not work as it should.

dbalcaraz
Expert

Hi,

Those errors are quite curious.

Anyway, perform domainjoin-cli leave and then domainjoin-cli query.

It should show only the name of your VCSA without a domain (empty), something like: name: vcsa      Domain:

Just to know, does the administrator account that you are using have the same suffix as the domain (for example admin@local when the VCSA is joined to the local domain)?

Also, did you try the process after rebooting the VCSA?

mstsys
Contributor

Hi,

Thanks for your help. I already tried different users and created new domain users with domain admin permissions.

Any time I start a new test I perform domainjoin-cli leave and then domainjoin-cli query to make sure I'm not in a domain, check whether there is already an object in AD, and reboot the vCenter.

All the users I created and the administrator are from the same domain and, like I said, are also in the Domain Admins group and the built-in Administrators group of the DC.

mstsys
Contributor
Accepted Solution

I was able to solve the problem.

We had unnecessary records in our AD DNS which caused multiple trust issues with vCenter. It was a second A record that pointed to our DC, which I changed to a CNAME record. After that I was able to join the domain but randomly got an error while configuring the permissions for AD groups. Then I found another A record with the FQDN of our DC instead of only the hostname, as it should be.

After deleting this record everything works fine now.
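The fix above comes down to removing DNS names for the DC that a Kerberos client can resolve but the KDC has no matching host principal for (the "Server not found in Kerberos database" line in /var/log/messages). The following script is an added example, not code from the thread or from VMware: it audits a constructed sample zone for exactly the two record types found here, an extra A record for the DC that should be a CNAME and an A record whose relative name is the DC's FQDN; all names and addresses are made up.

```python
"""Audit a constructed AD DNS zone for A records that break Kerberos host lookups."""
from collections import defaultdict

ZONE = "domain.local"

# Constructed forward zone (not real data): (relative name, record type, value)
SAMPLE_RECORDS = [
    ("dc01", "A", "10.0.0.10"),
    ("dc01.domain.local", "A", "10.0.0.10"),  # DC's FQDN typed in as the hostname
    ("ad", "A", "10.0.0.10"),                  # second A record that should be a CNAME
    ("ldap", "CNAME", "dc01.domain.local."),   # the correct way to alias the DC
    ("vcenter", "A", "10.0.0.20"),
]

# Constructed reverse zone: address -> PTR target (the DC's real FQDN)
SAMPLE_PTR = {"10.0.0.10": "dc01.domain.local.", "10.0.0.20": "vcenter.domain.local."}


def fqdn(relative_name, zone=ZONE):
    """Absolute name a relative zone entry really resolves as."""
    return f"{relative_name}.{zone}."


def audit_zone(records, ptr, zone=ZONE):
    """Return (record name, reason) for each A record a Kerberos client could
    build an SPN from that the KDC does not know. The DC registers
    host/<hostname> and host/<hostname>.<zone> only, so a lookup through any
    other name ends in "Server not found in Kerberos database"."""
    findings = []
    names_by_ip = defaultdict(list)
    for name, rtype, value in records:
        if rtype != "A":
            continue
        names_by_ip[value].append(name)
        if "." in name:  # "dc01.domain.local" resolves as dc01.domain.local.domain.local.
            findings.append((name, f"FQDN used as hostname; resolves as {fqdn(name, zone)}"))
    for ip, names in names_by_ip.items():
        canonical = ptr.get(ip, "<no PTR>")
        for name in names:
            if "." not in name and fqdn(name, zone) != canonical:
                findings.append((name, f"extra A record for {ip}; PTR is {canonical}, use a CNAME"))
    return findings


if __name__ == "__main__":
    for record, reason in audit_zone(SAMPLE_RECORDS, SAMPLE_PTR):
        print(f"{record}: {reason}")
```

Against a real zone, feed the output of a zone export (for example from the DNS server's management tools) into the same two-element check; a clean zone should produce no findings for the DC's address.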