Idm client exception error trying to join ad error code 40315


I’m trying to spin up a new vCenter server for our new domain. I am having problems getting it to fully join to the domain. 

Details:

I installed the server via the web installer. Lovely program.
I turned on debug logging via the console, as I have been trying to figure this out for a while, and this is a fresh install.
I log into the web interface with the SSO administrator ID
I try to join the domain, using my ID in the user@domain form.
Joining completely fails
Logs show "Idm client exception: Error trying to join AD, error code [40705]"
I perform the fix in this KB.
I restart the server
I log in, try to join the domain. I get a warning.
Idm client exception: Error trying to join AD, error code [40315], user [user@domain], domain [domain], orgUnit [] (some details left out but correct)
Also in the logs I get another message:
lsassd[4902]: 0x7f2a3a7fc700: Failed to run provider specific request (request code = 8, provider = ‘lsa-activeirectory-provider’) -> error = 40315, symbol = LW_ERROR_LDAP_CONSTRAINT_VIOLATION, client pid = 4948
The new computer object is, however, created in AD before it errors out. No details (OS or whatnot) were populated.
I reboot the appliance.
The appliance shows that it was joined to the domain once I log in and look at the AD page under the node. That said, nothing was populated in the AD object information. It never finished properly joining.

To further muddy the waters, if I try to add the domain under identity sources so I can work on user and group permissions, I type in the domain, I'll call it my.domain, and use integrated authentication (top option). I hit OK, and it adds an entry for the top level domain, I'll call it root.domain.

I reboot the server

I can add permissions for users or groups in my.domain, but I am completely unable to log into the web client or application with the ID or an ID in the group. It keeps saying incorrect user ID or password. These are my IDs, I know they are correct.

Let's make it even murkier. I spent 3.5 hours on the phone yesterday with VMware. The guy on the other end was at the point where he was googling error codes because they don't have any information on them, so he asked me to delete the VM and try it fresh, since we had already made a whole ton of changes to the one we were working with. I did that yesterday just before I left, performed the above steps, and that's where I am at.

Here's part of the problem. I have very limited access to this new domain. Sadly, the higher-ups at corporate are unwilling to give SENIOR SYSTEM ADMINS proper administrator creds unless they work in corporate IT. This is a new development, and as part of the new domain I unfortunately have little more access than a lot of L1 helpdesk techs. That said, anything in our OUs I have complete control over.

I'm unsure where to go on this. I need to get a vCenter server joined to the new domain so we can back up the VMs on it (no, I'm not looking for backup help or advice here), but VMware seems completely lost on it at this point.

I also did try the solution from this thread, but no joy.

Help :(

Author: Олег (category: VMware)

Joining vCenter 7 to a domain and allowing users to log in with domain accounts.

Joining vCenter 7 to AD

Log in to vCenter 7 as administrator@vsphere.local. Go to Administration > Single Sign On > Configuration > Active Directory Domain. Click the JOIN AD button.

Enter the domain administrator credentials and click JOIN. You are asked to reboot vCenter.

In my case an error popped up:

Error trying to join AD, error code [40315]

But the vCenter server's computer account was created. After the reboot, vCenter shows that it is joined to the domain. Possibly this is because vCenter tries to register itself in DNS and cannot, since its domain is served by a DNS server separate from AD; I did not dig into it.

Go to Administration > Single Sign On > Configuration > Identity Sources.

Click the ADD button.

You can use Active Directory (Integrated Windows Authentication); however, this option will soon be unsupported, and AD over LDAP is recommended instead:

https://kb.vmware.com/s/article/78506

For Identity Source Type I choose Active Directory over LDAP.

I fill in the fields:

  • Identity source name: any name
  • Base distinguished name for users: the DN path to the AD users
  • Base distinguished name for groups: the DN path to the AD groups
  • Domain name: the domain FQDN
  • Domain alias: the NetBIOS name of the domain
  • Username: a service account used for browsing LDAP
  • Password: the service account's password
  • Connect to: where to connect; I specify a specific URL for the corporate LDAPS
  • Primary server URL: the LDAP(S) URL
  • Secondary server URL: an alternative LDAP(S) URL; I leave it empty
  • Certificates: I upload the chain from the corporate certification authority, a P7B converted to PEM

ADD.

The domain appears in Identity Sources. Select it and click the SET AS DEFAULT button. This is needed so that the login can be entered as v.pupkin; otherwise you would have to type v.pupkin@mydomainname.local.

OK.

Configuring access to vCenter 7 from AD

Create a group in AD, for example vcenter-admins. In the vCenter 7 UI, select vCenter on the left, then Permissions.

Click the + button.

  • Domain: choose the domain from the drop-down list
  • User/Group: search for the vcenter-admins group name
  • Role: Administrator
  • Propagate to children: tick it for inheritance

OK.

Done. All that remains is to add the users who are allowed to administer vCenter to the group via AD.
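As an added example (not the post author's own commands), here is a small POSIX shell helper for the Certificates step above: it converts the P7B chain exported from the corporate CA into the PEM form vCenter accepts, counts the certificates that came through, and checks that the LDAPS endpoint validates against that bundle before the identity source is added. The file names and the LDAPS host are placeholders.

```shell
#!/bin/sh
# Added example, not the post author's own commands: helpers for the
# "Certificates" step of the AD over LDAP identity source. The CA chain is
# exported from the corporate CA as P7B; vCenter wants PEM. File names and
# the LDAPS host below are placeholders.
set -eu

# Convert a PKCS#7 bundle (DER or PEM encoded) into a PEM file that holds only
# the certificates; "openssl pkcs7 -print_certs" also prints subject/issuer
# lines, which the sed range drops.
p7b_to_pem() {
    in="$1"; out="$2"
    if grep -q 'BEGIN PKCS7' "$in" 2>/dev/null; then
        openssl pkcs7 -print_certs -inform PEM -in "$in"
    else
        openssl pkcs7 -print_certs -inform DER -in "$in"
    fi | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$out"
}

# Number of certificates in a PEM file: confirms the whole chain (root plus
# any intermediates) survived the conversion.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Check that the LDAPS server presents a chain that validates against the PEM
# bundle; a failure here means vCenter will reject the connection too.
check_ldaps_chain() {
    host="$1"; ca="$2"; port="${3:-636}"
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$ca" -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage (placeholder names):
#   p7b_to_pem corp-chain.p7b corp-chain.pem
#   check_ldaps_chain dc01.my.domain corp-chain.pem && echo "chain OK"
```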


I am having issues joining vCenter to Active Directory, and I can’t figure out what the issue is. I was able to join vCenter on a test lab environment at home, but in production I don’t know what the issue is. I have created the Active Directory computer object with the FQDN and specified correct join rights. There are static A and PTR records that I can confirm by performing nslookups on. My account credentials can join other servers to the domain.

I am using the latest version of vCenter 6.7 Update 3j (6.7.0.45000)

I don’t have rights over the domain controller which makes troubleshooting more difficult, but I have done the following:

Verified NTP servers are synced

I ran test-netconnection from a Windows workstation targeting the domain controller and verified that TCP 53, 88, 389, 443, and 445 are all open (see https://communities.vmware.com/thread/599423). I can perform an nslookup from the vCenter console and resolve the domain controller name. I added an allow firewall rule for the domain controllers in the VAMI.

When I ran tcpdump on the vCenter console while joining to AD, I could see SYN and acknowledgement packets from the vCenter to the domain controller on the above listed ports. The last connections seem to be to port 53 of the domain controller when it errors out. I tried installing another instance of vCenter with a different FQDN and received the same error.

I was able to add Active Directory over LDAP as an identity source and view all the users/groups in the domain. However, I was unable to get smart card authentication to work (main reason I am integrating vCenter with AD); I could only sign in with username/password. When I sign in with my smart card, I receive the error “Unable to validate submitted credentials”.

I honestly can’t figure out what the issue is with joining vCenter to Active Directory. Do you guys have any ideas or clues like what logs I can read to possibly find out the issue? Thanks for taking the time to read.
