Connecting vMA to Active Directory (Troubleshooting)

Recently I set upon a quest, one of grand scope and sure to bring honor to my family. Well, maybe. This quest, you ask? This quest was to attach the VMware vSphere Management Appliance to Active Directory. Like any good quest, this was not without its challenges.

First, Connect vMA to Active Directory:

This is actually the easy part. You’ll need both an AD user with rights to join machines to the domain, and an account on vMA with sudo access. Then you’ll need to do the following:

sudo domainjoin-cli join provmware.local user@provmware.local
Joining to AD Domain:   provmware.local
With Computer DNS Name: vma02.provmware.local
user@PROVMWARE.LOCAL’s password:
Error: Lsass Error [code 0x00080047]
Error [code=-1] occurred.

Troubleshooting vMA and Active Directory:

Check your networking:

Mostly this consists of making sure DNS and IP connectivity are working between your vMA appliance and your AD Domain Controllers.

  1. Check DNS
    • nslookup provmware.local
    • nslookup -q=srv _ldap._tcp.gc._msdcs.provmware.local
  2. Check connectivity
    • ping provmware.local
    • telnet to each host returned by the SRV query above on port 3268 (the global catalog port)
  3. Time!
    • It’s marching on…
    • sudo ntpdate -d -u dc.provmware.local
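
The three checks above as one script, added here as an example (it is not from the original post): it resolves the global catalog SRV records, tests TCP 3268 on each returned host, and compares the ntpdate offset against Kerberos' default 5-minute clock-skew tolerance. It assumes bash, nslookup and ntpdate are present on the appliance; the function names and the MAX_SKEW variable are made up for this example.

```shell
#!/bin/sh
# Added example: pre-flight checks before `domainjoin-cli join` (not from the original post).
# Usage: sudo sh preflight.sh provmware.local
MAX_SKEW=300   # seconds; Kerberos' default clock-skew tolerance (5 minutes)

# stdin: `nslookup -q=srv` output. stdout: one "host port" pair per SRV record.
srv_targets() {
    awk '/service =/ { h = $NF; sub(/\.$/, "", h); print h, $(NF-1) }'
}

# stdin: `ntpdate -d -u` output. stdout: the last "offset N sec" value reported.
ntp_offset() {
    awk '/offset [-+0-9.]+ sec/ { for (i = 1; i < NF; i++) if ($i == "offset") o = $(i+1) }
         END { if (o == "") exit 1; print o }'
}

# Succeeds only when |offset| <= MAX_SKEW.
skew_ok() {
    awk -v o="$1" -v m="$MAX_SKEW" 'BEGIN { o += 0; if (o < 0) o = -o; exit !(o <= m + 0) }'
}

main() {
    domain=$1; rc=0
    targets=$(nslookup -q=srv "_ldap._tcp.gc._msdcs.$domain" | srv_targets)
    if [ -z "$targets" ]; then
        echo "FAIL dns  no global catalog SRV records for $domain"; return 1
    fi
    while read -r host port; do
        # Host and port come from DNS, so pass them as arguments, never inside the -c string.
        if bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$host" "$port" 2>/dev/null; then
            echo "ok   tcp  $host:$port"
        else
            echo "FAIL tcp  $host:$port"; rc=1
        fi
        off=$(ntpdate -d -u "$host" 2>/dev/null | ntp_offset) || off=""
        if [ -n "$off" ] && skew_ok "$off"; then
            echo "ok   time $host offset ${off}s"
        else
            echo "FAIL time $host offset ${off:-unknown}s (limit ${MAX_SKEW}s)"; rc=1
        fi
    done <<EOF
$targets
EOF
    return $rc
}

if [ $# -ge 1 ]; then main "$1"; fi
```

The TCP test has no timeout of its own, so a filtered port blocks until the operating system gives up on the connection.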

Crank up the logging:

Sometimes the error message you get is not the one you need. Thankfully, domainjoin-cli gives us a few logging levels to work with:

sudo domainjoin-cli --loglevel verbose --log ./itsbroken.log join provmware.local user@provmware.local

The example sets logging to verbose, and then dumps the logs to a file:

20101118110609:VERBOSE:Adding child ‘reverse_mappings’ to ‘httpd’
20101118110609:INFO:Writing krb5 file /tmp/centeristmpNcJxKO/etc/krb5.conf
20101118110609:INFO:File /tmp/centeristmpNcJxKO/etc/krb5.conf modified
20101118110609:INFO:Finishing krb5.conf configuration
20101118110704:ERROR:Lsass Error [CENTERROR_DOMAINJOIN_LSASS_ERROR]

Error [code=-1] occurred.

Stack Trace:
main.c:885
main.c:455
djmodule.c:307
djauthinfo.c:803
djauthinfo.c:1741

In this particular case, it’s still less than helpful, but gives us a starting point for further research. In my specific case, well, it seems to be a bug in the software, so I’m off to upgrade it.
