VMware vCenter 5.5 Active Directory Join/Disjoin

I had a vCenter 5.5 appliance joined to the domain whose computer object had been deleted from Active Directory, so authentication via single sign-on no longer worked.

Initially I tried to remove it from the domain by un-ticking the “Active Directory Enabled” checkbox in the VMware vCenter Server Appliance Web Console, but I would always get the “Enabling Active Directory failed” error (even though I was trying to disable it):
Enabling Active Directory failed
After some time searching, I tried the following commands to re-join the domain, but without any luck:

# /opt/likewise/bin/domainjoin-cli join labdomain.local administrator@labdomain.local
# /usr/sbin/vpxd_servicecfg ad write administrator@labdomain.local PASSWORD labdomain.local

A quick look at vpxd_cfg.log (cat /var/log/vmware/vpx/vpxd_cfg.log) revealed the issue, this time with a less vague error message. Note that the password argument is recorded as CENSORED, but passing it on the command line as above still leaves it in the shell history and visible to ps while the command runs:

2015-01-12 10:31:46 3565: START locking... /usr/sbin/vpxd_servicecfg ad write
2015-01-12 10:31:46 3568: [3565]BEGIN execution of: /usr/sbin/vpxd_servicecfg 'ad' 'write' 'administrator@labdomain.local' CENSORED 'labdomain.local'
2015-01-12 10:31:46 3568: Testing domain (labdomain.local)
2015-01-12 10:31:46 3568: Enabling active directory: 'labdomain.local' 'administrator@labdomain.local'
2015-01-12 10:31:47 3568: ERROR: Enabling active directory failed: Joining to AD Domain:  labdomain.local
With Computer DNS Name: vCentervAPP01.labdomain.local

2015-01-12 10:31:48 3568: VC_CFG_RESULT=302
2015-01-12 10:31:48 3568: END execution
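As an added example, not code from the original post: a small shell function that pulls the result code and the full error text out of the most recent 'ad write' run in vpxd_cfg.log, so you do not have to scroll the log by hand. It assumes the layout shown in the excerpt above (timestamped lines, one BEGIN/END pair per execution, continuation lines with no timestamp) and treats VC_CFG_RESULT=0 as success, which is an assumption; the sample log is constructed from the excerpt with the password already masked.

```bash
#!/bin/bash
# Added example (not from the original post): summarise the most recent
# "vpxd_servicecfg ad write" run recorded in vpxd_cfg.log, printing
# "<VC_CFG_RESULT><TAB><message>" so the result code and the whole error text
# (including the continuation line carrying the computer DNS name) are read at
# a glance. Assumes the log layout shown in the post: timestamped lines, one
# BEGIN/END pair per execution, continuation lines without a timestamp.
# VC_CFG_RESULT=0 is treated as success (assumption).
#
# Usage on the appliance:
#   vpxd_ad_write_result /var/log/vmware/vpx/vpxd_cfg.log
# or feed the log on stdin.
vpxd_ad_write_result() {
    awk '
        # Start of an "ad write" execution: reset state for this block.
        /BEGIN execution of: .*vpxd_servicecfg .ad. .write./ {
            inblock = 1; code = ""; err = ""; next
        }
        !inblock { next }
        /END execution/ { inblock = 0; next }
        /ERROR: / {
            sub(/^.*ERROR: /, ""); err = $0; next
        }
        # Untimestamped, non-empty lines continue the previous error message.
        err != "" && NF > 0 && !/^[0-9][0-9][0-9][0-9]-/ {
            err = err " " $0; next
        }
        /VC_CFG_RESULT=/ {
            sub(/^.*VC_CFG_RESULT=/, ""); code = $0; next
        }
        END {
            if (code == "") { print "no completed ad write run found"; exit 1 }
            if (code == "0") err = "ok"
            printf "%s\t%s\n", code, err
        }
    ' "$@"
}

# Constructed sample log, built from the excerpt in the post (password masked).
SAMPLE_LOG=$(cat <<'EOF'
2015-01-12 10:31:46 3565: START locking... /usr/sbin/vpxd_servicecfg ad write
2015-01-12 10:31:46 3568: [3565]BEGIN execution of: /usr/sbin/vpxd_servicecfg 'ad' 'write' 'administrator@labdomain.local' CENSORED 'labdomain.local'
2015-01-12 10:31:46 3568: Testing domain (labdomain.local)
2015-01-12 10:31:46 3568: Enabling active directory: 'labdomain.local' 'administrator@labdomain.local'
2015-01-12 10:31:47 3568: ERROR: Enabling active directory failed: Joining to AD Domain:  labdomain.local
With Computer DNS Name: vCentervAPP01.labdomain.local

2015-01-12 10:31:48 3568: VC_CFG_RESULT=302
2015-01-12 10:31:48 3568: END execution
EOF
)

# Prints: 302<TAB>Enabling active directory failed: Joining to AD Domain:  labdomain.local With Computer DNS Name: vCentervAPP01.labdomain.local
printf '%s\n' "$SAMPLE_LOG" | vpxd_ad_write_result
```

The function only reports the last completed run, which is the one you care about after retrying the join; if the log contains no finished 'ad write' execution at all it says so and exits non-zero, so it can be used in a script.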

I did not want to rebuild vCenter, as vCOps and Update Manager were already configured against it, so I tried one last approach to force the join:

  1. Create the missing vCenter computer object in AD
  2. Log on to the vSphere Web Client
    1. Go to Home > Configuration > Identity Sources tab
      • Remove any existing domain identity sources
    2. Click the green cross
    3. Select Active Directory as an LDAP Server as the identity source type
      • Complete the relevant fields with the required information (this identity source type authenticates against AD over LDAP with a bind account, so it works even though the appliance itself is not domain-joined; use an ldaps:// URL and a dedicated low-privilege bind account rather than a domain administrator)




6 Comments to “VMWare vCenter 5.5 Active Directory Join/Disjoin”

  1. Andrew

    Thank you for your post, this led me to a major issue and resolution for adding VCSA 5.5 to a Windows 2012R2 domain. When adding VCSA 5.5 to the domain it fails if the AD server doesn’t reply with SMBv1 (SRV.sys). By default that is disabled in 2012R2 and SRV2.sys is the only SMB service. My fix was to add the “SMB 1.0/CIFS File Sharing Support” feature. Once added the domainjoin-cli command worked perfectly.

  2. The group is not created in Active Directory by default. An administrator must manually create the group, but once created, by default all users that are members of this group get full admin access to all vSphere hosts added to the domain.

