
Can't join VMware 5.5 VCSA to Active Directory - Error: Invalid Active Directory Domain

posted 21 Jan 2016, 04:11 by Tristan Self
When attempting to add a VMware vCenter Server Appliance to our Active Directory I encountered this error message: "Error: Invalid Active Directory Domain".

Within the /var/log/vmware/vpx/vpxd_cfg.log log file I was seeing the following:

START locking... /usr/sbin/vpxd_servicecfg ad write
2016-01-21 09:31:32 18457: [18454]BEGIN execution of: /usr/sbin/vpxd_servicecfg 'ad' 'write' 'username@domain.com' CENSORED 'DOMAIN.COM'
2016-01-21 09:31:32 18457: Testing domain (DOMAIN.COM)
2016-01-21 09:31:32 18457: ERROR: Failed to ping: 'DOMAIN.COM'
2016-01-21 09:31:32 18457: VC_CFG_RESULT=301
2016-01-21 09:31:32 18457: END execution

It would seem that the root record for the domain is missing; this should resolve to a domain controller, so it has something to bind to.

So within the /etc/hosts I added a record for domain.com that pointed to the IP address of one of our domain controllers.    domain.com    domain

Then I tried again, now with success:

2016-01-21 09:45:05 23284: START locking... /usr/sbin/vpxd_servicecfg ad write
2016-01-21 09:45:05 23287: [23284]BEGIN execution of: /usr/sbin/vpxd_servicecfg 'ad' 'write' 'username' CENSORED 'DOMAIN.COM'
2016-01-21 09:45:05 23287: Testing domain (DOMAIN.COM)
2016-01-21 09:45:05 23287: Enabling active directory: 'DOMAIN.COM' 'username'
2016-01-21 09:45:11 23287: VC_CFG_RESULT=0
2016-01-21 09:45:11 23287: END execution

Reboot the VCSA.

Then log in as the administrator@vsphere.local user account and configure the VCSA with the Active Directory identity source.

Administration->Single Sign-On->Configuration->Identity Sources

Then add the Active Directory identity source.

You should then be able to remove this line from the hosts file and the AD authentication should continue to work OK, once you have added permissions to the various AD groups or users you want to have access.
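To pick out failed join attempts from a copy of vpxd_cfg.log without reading it by eye, the following added example (not part of the original post and not VMware code) groups the log lines by the logging PID and reports each 'ad' 'write' run with its VC_CFG_RESULT and ERROR lines. The function names are hypothetical, and only the line formats visible in the two excerpts above are assumed.

```python
import re

# Sample input: the two runs quoted in the post above, placeholders unchanged.
SAMPLE_LOG = """\
START locking... /usr/sbin/vpxd_servicecfg ad write
2016-01-21 09:31:32 18457: [18454]BEGIN execution of: /usr/sbin/vpxd_servicecfg 'ad' 'write' 'username@domain.com' CENSORED 'DOMAIN.COM'
2016-01-21 09:31:32 18457: Testing domain (DOMAIN.COM)
2016-01-21 09:31:32 18457: ERROR: Failed to ping: 'DOMAIN.COM'
2016-01-21 09:31:32 18457: VC_CFG_RESULT=301
2016-01-21 09:31:32 18457: END execution
2016-01-21 09:45:05 23284: START locking... /usr/sbin/vpxd_servicecfg ad write
2016-01-21 09:45:05 23287: [23284]BEGIN execution of: /usr/sbin/vpxd_servicecfg 'ad' 'write' 'username' CENSORED 'DOMAIN.COM'
2016-01-21 09:45:05 23287: Testing domain (DOMAIN.COM)
2016-01-21 09:45:05 23287: Enabling active directory: 'DOMAIN.COM' 'username'
2016-01-21 09:45:11 23287: VC_CFG_RESULT=0
2016-01-21 09:45:11 23287: END execution
"""

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+): (.*)$")

def summarise_ad_joins(text):
    """Return one dict per vpxd_servicecfg 'ad' 'write' run, grouped by logging PID."""
    open_runs, done = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # e.g. the un-timestamped "START locking..." line
        stamp, pid, msg = m.groups()
        if "BEGIN execution of:" in msg and "'ad' 'write'" in msg:
            open_runs[pid] = {"pid": pid, "start": stamp, "end": None,
                              "domain": None, "errors": [], "result": None}
            continue
        run = open_runs.get(pid)
        if run is None:
            continue  # line belongs to a different process (e.g. the locking wrapper)
        if msg.startswith("Testing domain ("):
            run["domain"] = msg[len("Testing domain ("):].rstrip(")")
        elif msg.startswith("ERROR:"):
            run["errors"].append(msg[len("ERROR:"):].strip())
        elif msg.startswith("VC_CFG_RESULT="):
            run["result"] = int(msg.split("=", 1)[1])
        elif msg == "END execution":
            run["end"] = stamp
            done.append(open_runs.pop(pid))
    return done + list(open_runs.values())  # keep runs cut off before END

def failed_joins(text):
    """Runs whose result is not 0, including truncated runs with no result."""
    return [r for r in summarise_ad_joins(text) if r["result"] != 0]
```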