Solved: Re: Idm client exception: Error trying to join AD,...

nettech1 · ‎10-27-2018

Trying to join a VCSA 6.5 build 8815520 to an AD 2016 domain getting error code [31]

What log file would provide more details on the error?

Thanks

nettech1 · ‎10-29-2018

If anyone else runs in to this problem the solution was to allow TCP 445 from the VCenter appliance to the Domain Controller.

As of this writing vmware KB does not list 445 as one of the ports for vCenter Server and Platform Services Controller, however it's required to join the domain

Required Ports for vCenter Server and Platform Services Controller

View solution in original post

daphnissov · ‎10-27-2018

Active Directory 2016 is only supported with vCSA 6.7 Update 1 at this time.

------------------
How to Ask for Help on Tech Forums
https://neonmirrors.net

nettech1 · ‎10-27-2018

Using domainjoin-cli shows the error ERROR_GEN_FAILURE [code 0x0000001f]

do i have to enable smb1 to join?

VMware Knowledge Base

Looks like SMB1 issue was resolved back in 6.0u3

daphnissov · ‎10-27-2018

No, SMB1 isn't needed, but again, what you're attempting is unsupported even to begin with, so it may not work at all in that version.

------------------
How to Ask for Help on Tech Forums
https://neonmirrors.net

nettech1 · ‎10-27-2018

Just checked the our VC at the HQ site. It's build 9451637 and it's joined to the 2016 domain.

sk84 · ‎10-27-2018

The error code 31 seems to come from Windows. At least I can find exactly this error message "ERROR_GEN_FAILURE [code 0x0000001f]" on the Windows system error list:

System Error Codes (0-499) | Microsoft Docs

But the description of this error does not help much:

A device attached to the system is not functioning.

However, I would suggest that you investigate the error on the Active Directory system further. Maybe you can find more information in the Windows Event Log.

--- Regards, Sebastian VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.

nettech1 · ‎10-27-2018

Seeing a response from the DC KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED

Similar issue mentioned here, but on the older vcsa

Authentication Failure in vSphere 6.0 - Peter D. Jorgensen

nettech1 · ‎10-27-2018

Another post with the similar issue

KDC reports inconsistent supported encryption types after AS-REQ

nettech1 · ‎10-28-2018

According to the 6.x diagram TCP 445 to the DC isn't required from the vcsa, but I am seeing TCP requests from VCSA 6.5 to the DC.

Captured with TCPDUMP on the vcsa.

https://benjaminulsamer.files.wordpress.com/2017/02/2131180_networkportdiagram-vsphere-6x-referencet...

nettech1 · ‎10-29-2018

If anyone else runs in to this problem the solution was to allow TCP 445 from the VCenter appliance to the Domain Controller.

As of this writing vmware KB does not list 445 as one of the ports for vCenter Server and Platform Services Controller, however it's required to join the domain

Required Ports for vCenter Server and Platform Services Controller

tahmad · ‎11-25-2018

Have you mentioned the OU ( where server will be populated) .Also verify DNS,NTP,reverse DNS,Time sync. My AD level is 2008R2 and we successfully configured it ,

MCSE ,EMCPA

FaiselFaizee · ‎12-21-2022

I am also facing the same issue with vCenter 7.0.3. I followed the below reference.

https://www.gerjon.com/error-31-trying-to-join-vcenter-to-ad/

Hope, it will help you.

Shant_Ramtirth · ‎01-25-2023

For me neither port thing nor the link have helped. It was a very simple issue.

The domain I specified had couple of characters in upper case, changing them to lower case has immediately accepted without any errors.

All

Idm client exception: Error trying to join AD, error code [31], user [admin@corp.local], domain [corp.local], orgUnit []