VMware Cloud Community
jlove2
Contributor

Unable to join VCSA 6.5 to a Windows Server 2012 R2 Domain

I have seen a few different discussions but no real solutions.

I verified SMB1, hostname, time sync and DNS on the VCSA. Here is what ssoAdminServer.log gives when it fails:

[2018-01-31T16:29:37.496-06:00 pool-4-thread-3 opId=ActiveDirectoryJoinFormMediator-apply-646-ngc:70000180 ERROR com.vmware.identity.admin.vlsi.SystemManagementServiceImpl] user [admin user] cannot access domain [citygov]
com.vmware.identity.admin.server.ims.ServerConfigurationException: user [admin user] cannot access domain [citygov]
        at com.vmware.identity.admin.server.ims.impl.SystemManagementImpl.mapException(SystemManagementImpl.java:133) ~[sso-adminserver.jar:?]
        at com.vmware.identity.admin.server.ims.impl.SystemManagementImpl.joinActiveDirectory(SystemManagementImpl.java:85) ~[sso-adminserver.jar:?]
        at com.vmware.identity.admin.vlsi.SystemManagementServiceImpl$2.call(SystemManagementServiceImpl.java:92) ~[sso-adminserver.jar:?]
        at com.vmware.identity.admin.vlsi.SystemManagementServiceImpl$2.call(SystemManagementServiceImpl.java:81) ~[sso-adminserver.jar:?]
        at com.vmware.identity.admin.vlsi.util.VmodlEnhancer.invokeVmodlMethod(VmodlEnhancer.java:160) [sso-adminserver.jar:?]
        at com.vmware.identity.admin.vlsi.SystemManagementServiceImpl.joinActiveDirectory(SystemManagementServiceImpl.java:81) [sso-adminserver.jar:?]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_141]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_141]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_141]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_141]
        at com.vmware.vim.vmomi.server.impl.InvocationTask.run(InvocationTask.java:65) [vlsi-server.jar:?]
        at com.vmware.vim.vmomi.server.common.impl.RunnableWrapper$1.run(RunnableWrapper.java:47) [vlsi-server.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_141]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_141]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_141]
Caused by: com.vmware.identity.idm.IdmADDomainException: user [admin user] cannot access domain [citygov]
        at com.vmware.identity.idm.server.IdentityManager.joinActiveDirectory(IdentityManager.java:11604) ~[?:?]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_141]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_141]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_141]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_141]
        at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357) ~[?:1.8.0_141]
        at sun.rmi.transport.Transport$1.run(Transport.java:200) ~[?:1.8.0_141]
        at sun.rmi.transport.Transport$1.run(Transport.java:197) ~[?:1.8.0_141]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_141]
        at sun.rmi.transport.Transport.serviceCall(Transport.java:196) ~[?:1.8.0_141]
        at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:568) ~[?:1.8.0_141]
        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:826) ~[?:1.8.0_141]
        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:683) ~[?:1.8.0_141]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_141]
        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:682) ~[?:1.8.0_141]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[?:1.8.0_141]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[?:1.8.0_141]
        at java.lang.Thread.run(Thread.java:748) ~[?:1.8.0_141]
        at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:283) ~[?:1.8.0_141]
        at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:260) ~[?:1.8.0_141]
        at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:161) ~[?:1.8.0_141]
        at java.rmi.server.RemoteObjectInvocationHandler.invokeRemoteMethod(RemoteObjectInvocationHandler.java:227) ~[?:1.8.0_141]
        at java.rmi.server.RemoteObjectInvocationHandler.invoke(RemoteObjectInvocationHandler.java:179) ~[?:1.8.0_141]
        at com.sun.proxy.$Proxy78.joinActiveDirectory(Unknown Source) ~[?:?]
        at com.vmware.identity.idm.client.CasIdmClient.joinActiveDirectory(CasIdmClient.java:3483) ~[vmware-identity-idm-client.jar:?]
        at com.vmware.identity.admin.server.ims.impl.SystemManagementImpl.joinActiveDirectory(SystemManagementImpl.java:77) ~[sso-adminserver.jar:?]
        ... 13 more

0 Kudos
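
Added triage example (not part of the original post and not VMware code): a small parser that pulls failed Active Directory join attempts out of ssoAdminServer.log and reports the deepest "Caused by" exception for each. The header layout is an assumption inferred from the single entry quoted above; the function names and the trimmed sample are constructed for illustration.

```python
import re

# Header layout inferred from the single entry quoted in the post (assumption).
HEADER = re.compile(
    r"^\[(?P<ts>\S+) (?P<thread>\S+) opId=(?P<opid>\S*) "
    r"(?P<level>[A-Z]+) (?P<logger>[\w.$]+)\] (?P<msg>.*)$")
CAUSED_BY = re.compile(r"^Caused by: (?P<exc>[\w.$]+): (?P<msg>.*)$")
JOIN_DENIED = re.compile(
    r"user \[(?P<user>[^\]]*)\] cannot access domain \[(?P<domain>[^\]]*)\]")

# Constructed sample: the post's entry with the stack frames trimmed.
SAMPLE = """\
[2018-01-31T16:29:37.496-06:00 pool-4-thread-3 opId=ActiveDirectoryJoinFormMediator-apply-646-ngc:70000180 ERROR com.vmware.identity.admin.vlsi.SystemManagementServiceImpl] user [admin user] cannot access domain [citygov]
com.vmware.identity.admin.server.ims.ServerConfigurationException: user [admin user] cannot access domain [citygov]
        at com.vmware.identity.admin.server.ims.impl.SystemManagementImpl.joinActiveDirectory(SystemManagementImpl.java:85) ~[sso-adminserver.jar:?]
Caused by: com.vmware.identity.idm.IdmADDomainException: user [admin user] cannot access domain [citygov]
        at com.vmware.identity.idm.server.IdentityManager.joinActiveDirectory(IdentityManager.java:11604) ~[?:?]
        ... 13 more
"""

def parse_entries(text):
    """Group each header line with its stack trace; keep the deepest cause."""
    entries, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = dict(m.groupdict(), root_cause=None, frames=0)
            entries.append(cur)
        elif cur is not None:
            c = CAUSED_BY.match(line)
            if c:
                cur["root_cause"] = c["exc"]  # the last "Caused by" wins
            elif line.lstrip().startswith("at "):
                cur["frames"] += 1
    return entries

def failed_joins(text):
    """Return (timestamp, user, domain, root_cause) for each failed AD join."""
    out = []
    for e in parse_entries(text):
        j = JOIN_DENIED.search(e["msg"])
        if e["level"] == "ERROR" and j:
            out.append((e["ts"], j["user"], j["domain"], e["root_cause"]))
    return out

if __name__ == "__main__":
    for row in failed_joins(SAMPLE):
        print(*row, sep=" | ")
```
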
10 Replies
daphnissov
Immortal

What is your vCenter topology here? Is this embedded PSC or external?

0 Kudos
jlove2
Contributor

It's the Embedded PSC Appliance.

0 Kudos
daphnissov
Immortal

Need more information about your configuration if you can provide it.

0 Kudos
RAJ_RAJ
Expert

Could you please try the command line, domainjoin-cli? Refer to the link below.

Join ESXi 6.x to Active Directory Using domainjoin-cli - VMARENA

RAJESH RADHAKRISHNAN VCA -DCV/WM/Cloud,VCP 5 - DCV/DT/CLOUD, ,VCP6-DCV, EMCISA,EMCSA,MCTS,MCPS,BCFA https://ae.linkedin.com/in/rajesh-radhakrishnan-76269335 Mark my post as "helpful" or "correct" if I've helped resolve or answered your query!
0 Kudos
jlove2
Contributor

The commands that are in that article give me:

bash: ./lwsmd: No such file or directory

bash: /usr/lib/vmware/likewise/bin/domainjoin-cli: No such file or directory:

Edit: After relooking at that article, it is for individual ESXi hosts and not the VCSA.

0 Kudos
bbiandov
Enthusiast

If I could ask - is joining the domain required so that domain users can authenticate to the vCenter server appliance? If yes then SSO is easier to accomplish and works just fine with 2012 R2 domain functional level:

SSO.png

0 Kudos
jlove2
Contributor

From my understanding yes, it is required for users to utilize their domain credentials to log in with SSO.

0 Kudos
jlove2
Contributor

Sorry, Boyan, I had to reread your post to get what you were asking. I can configure it as just an LDAP connection, no issue. It's when I configure it to use AD Integration that it requires it to be part of the domain.

0 Kudos
bbiandov
Enthusiast

jlove, no worries; I'm curious nonetheless: if LDAP would allow domain users to log in with their AD credentials, then what else does "AD integration" give you? I'm comparing my environment, where VCSA is set up as LDAP for SSO and the AD users who are part of particular AD groups assigned as vCenter admins log in using their AD credentials. I never even knew there's "AD integration" other than LDAP and, more importantly, what is it that it provides if SSO can be achieved without it?

Thanks

0 Kudos
jlove2
Contributor

I'm guessing the AD Integration is for the Client integration plugin, but I'm not sure.

0 Kudos