I had a vCenter 5.5 joined to the domain that had its computer object deleted from Active Directory, and therefore authentication/single sign-on would no longer work.
Initially I tried to remove it from the domain by un-ticking the “Active Directory Enabled” checkbox in the VMware vCenter Server Appliance Web Console, but I would always get the “Enabling Active Directory failed” error:
After some time searching, I tried the following commands to join the domain but without any luck:
# /opt/likewise/bin/domainjoin-cli join labdomain.local
# /usr/sbin/vpxd_servicecfg ad write PASSWORD labdomain.local
A quick look at vpxd_cfg.log (cat /var/log/vmware/vpx/vpxd_cfg.log) revealed the issue and this time a not so vague error message:
2015-01-12 10:31:46 3565: START locking... /usr/sbin/vpxd_servicecfg ad write
2015-01-12 10:31:46 3568: [3565]BEGIN execution of: /usr/sbin/vpxd_servicecfg 'ad' 'write' '' CENSORED 'labdomain.local'
2015-01-12 10:31:46 3568: Testing domain (labdomain.local)
2015-01-12 10:31:46 3568: Enabling active directory: 'labdomain.local' '
'
2015-01-12 10:31:47 3568: ERROR: Enabling active directory failed: Joining to AD Domain: labdomain.local With Computer DNS Name: vCentervAPP01.labdomain.local Error: ERROR_MEMBER_NOT_IN_GROUP
2015-01-12 10:31:48 3568: VC_CFG_RESULT=302
2015-01-12 10:31:48 3568: END execution
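To pull failures like this out of a longer vpxd_cfg.log, the following Python is an added example, not part of the original post or of any VMware tooling. The function names are hypothetical, the sample is constructed from the excerpt above, and it assumes the on-disk log holds one timestamped entry per line.

```python
import re

# Entry prefix in vpxd_cfg.log: "YYYY-MM-DD HH:MM:SS <pid>: <message>"
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+): (.*)$")
FIELDS = {
    "domain": r"Testing domain \((.+?)\)",
    "error": r"\bError: (\w+)",
    "result": r"VC_CFG_RESULT=(\d+)",
}

# Sample input constructed from the excerpt above, one entry per line.
SAMPLE = """\
2015-01-12 10:31:46 3565: START locking... /usr/sbin/vpxd_servicecfg ad write
2015-01-12 10:31:46 3568: [3565]BEGIN execution of: /usr/sbin/vpxd_servicecfg 'ad' 'write' '' CENSORED 'labdomain.local'
2015-01-12 10:31:46 3568: Testing domain (labdomain.local)
2015-01-12 10:31:46 3568: Enabling active directory: 'labdomain.local' '
'
2015-01-12 10:31:47 3568: ERROR: Enabling active directory failed: Joining to AD Domain: labdomain.local With Computer DNS Name: vCentervAPP01.labdomain.local Error: ERROR_MEMBER_NOT_IN_GROUP
2015-01-12 10:31:48 3568: VC_CFG_RESULT=302
2015-01-12 10:31:48 3568: END execution
"""

def parse_entries(text):
    """Return (timestamp, pid, message) tuples; unprefixed lines join the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append(list(m.groups()))
        elif entries:
            entries[-1][2] += "\n" + line
    return [tuple(e) for e in entries]

def failed_ad_joins(text):
    """Return one summary dict per BEGIN/END run that logged a join error code."""
    runs, current = [], None
    for ts, pid, msg in parse_entries(text):
        if "BEGIN execution of:" in msg:
            current = {"start": ts, "pid": pid}
        if current is None:
            continue  # entries outside a run, e.g. "START locking..."
        for key, pattern in FIELDS.items():
            found = re.search(pattern, msg)
            if found:
                current.setdefault(key, found.group(1))  # first match per run wins
        if msg.startswith("END execution"):
            if "error" in current:
                runs.append(current)
            current = None
    return runs
```

Calling `failed_ad_joins(open("vpxd_cfg.log").read())` on a copy of the log returns one dict per failed run with its start time, domain, error code and result value.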
I did not want to rebuild vCenter, as I had configured vCOps and Update Manager on it, so I thought I would try one last time to force the join:
- Create the missing vCenter computer object in AD
- Log on to vSphere Web Client
- Go to Home > Configuration > Identity Sources tab
- Remove any current domain identity sources that exist
- Click the green cross
- Select “Active Directory as a LDAP Server” as the identity source type
- Complete the relevant fields with the required information
- Go to Home > Configuration > Identity Sources tab





Thank you for your post, this led me to a major issue and resolution for adding VCSA 5.5 to a Windows 2012R2 domain. When adding VCSA 5.5 to the domain it fails if the AD server doesn’t reply with SMBv1 (SRV.sys). By default that is disabled in 2012R2 and SRV2.sys is the only SMB service. My fix was to add the “SMB 1.0/CIFS File Sharing Support” feature. Once added the joindomain-cli command worked perfectly.
The group is not created in Active Directory by default. An administrator must manually create the group, but once created, by default all users that are members of this group get full admin access to all vSphere hosts added to the domain.
What group needs to be created?
What group, please? It’s not mentioned in this thread, nor is it intuitive with the logs.
Thank you so much.
Your post helps me to solve this problem.
The reason was SMB1 disabled on my domain controller.
This also fixed my issue