RCA 26: Unable to Join vCenter to AD Domain

User trying to log in: abclab\f571111

Domain the vCenter was joined to: abclab.adlab.gielab.abcde.net


root@abcdpiaas033031 [ ~ ]# date

Tue Jan 21 05:07:57 UTC 2020


SSO Admin Server logs:


[2019-10-14T09:24:32.154Z pool-3-thread-5 opId=SsoAddGroupPrincipalsViewMediator-apply-30628-ngc:70006087 ERROR com.vmware.identity.token.impl.ValidateUtil] 'domain' value should not be empty
[2019-10-14T09:24:32.154Z pool-3-thread-5 opId=SsoAddGroupPrincipalsViewMediator-apply-30628-ngc:70006087 ERROR com.vmware.identity.admin.vlsi.PrincipalManagementServiceImpl] 'domain' value should not be empty
[2019-10-14T10:01:49.687Z pool-3-thread-5 opId=fa591144-6195-4b5c-8e4e-4af94eed992d WARN  com.vmware.identity.vlsi.SessionManagerImpl] Anonymous user logged out!
[2019-10-14T10:01:50.271Z pool-3-thread-5 opId=ead36473-b31c-4cd2-be57-038a64bd06ad ERROR com.vmware.identity.vlsi.RoleBasedAuthorizer] Saml token structure error
[2019-10-14T10:39:16.692Z pool-3-thread-2 opId=e11ce824-d4eb-4ea6-9e62-bf01545da0f0-33617-ngc WARN  com.vmware.identity.vlsi.SessionManagerImpl] Anonymous user logged out!
[2019-10-14T11:48:55.889Z pool-3-thread-3 opId=ActiveDirectoryLeaveFormMediator-apply-34055-ngc:70006368 ERROR com.vmware.identity.admin.server.ims.impl.SystemManagementImpl] Exception occurred: 'com.vmware.identity.idm.ADIDSAlreadyExistException: There is already a native AD IDS or LDAP AD IDS registered'; stack='com.vmware.identity.idm.ADIDSAlreadyExistException: There is already a native AD IDS or LDAP AD IDS registered
[2019-10-14T11:48:55.889Z pool-3-thread-3 opId=ActiveDirectoryLeaveFormMediator-apply-34055-ngc:70006368 ERROR com.vmware.identity.admin.vlsi.SystemManagementServiceImpl] There is already a native AD IDS or LDAP AD IDS registered
[2019-10-14T11:57:25.250Z pool-3-thread-5 opId=ActiveDirectoryLeaveFormMediator-apply-34598-ngc:70006380 ERROR com.vmware.identity.admin.server.ims.impl.SystemManagementImpl] Exception occurred: 'com.vmware.identity.idm.ADIDSAlreadyExistException: There is already a native AD IDS or LDAP AD IDS registered'; stack='com.vmware.identity.idm.ADIDSAlreadyExistException: There is already a native AD IDS or LDAP AD IDS registered
[2019-10-14T11:57:25.250Z pool-3-thread-5 opId=ActiveDirectoryLeaveFormMediator-apply-34598-ngc:70006380 ERROR com.vmware.identity.admin.vlsi.SystemManagementServiceImpl] There is already a native AD IDS or LDAP AD IDS registered
[2019-10-14T11:57:47.957Z pool-3-thread-1 opId=ActiveDirectoryLeaveFormMediator-apply-34644-ngc:70006385 ERROR com.vmware.identity.admin.server.ims.impl.SystemManagementImpl] Exception occurred: 'com.vmware.identity.idm.ADIDSAlreadyExistException: There is already a native AD IDS or LDAP AD IDS registered'; stack='com.vmware.identity.idm.ADIDSAlreadyExistException: There is already a native AD IDS or LDAP AD IDS registered
[2019-10-14T11:57:47.958Z pool-3-thread-1 opId=ActiveDirectoryLeaveFormMediator-apply-34644-ngc:70006385 ERROR com.vmware.identity.admin.vlsi.SystemManagementServiceImpl] There is already a native AD IDS or LDAP AD IDS registered
[2019-10-14T12:42:17.863Z pool-3-thread-1 opId=e11ce824-d4eb-4ea6-9e62-bf01545da0f0-36670-ngc WARN  com.vmware.identity.vlsi.SessionManagerImpl] Anonymous user logged out!
[2019-10-14T12:42:17.897Z pool-3-thread-1 opId=e11ce824-d4eb-4ea6-9e62-bf01545da0f0-36671-ngc WARN  com.vmware.identity.vlsi.SessionManagerImpl] Anonymous user logged out!
[2019-10-15T15:51:40.348Z pool-3-thread-5 opId=e11ce824-d4eb-4ea6-9e62-bf01545da0f0-45316-ngc:70006686 WARN  com.vmware.identity.vlsi.SessionManagerImpl] Anonymous user logged out!


Join state as reported by Likewise:

/opt/likewise/bin/domainjoin-cli query

[Screenshot: output of domainjoin-cli query run as root on gie2piaas033131, showing the Name, Domain and Distinguished Name fields; the Domain and Distinguished Name values are not legible in the capture.]


Timeline to reproduce the issue:

9:55 PM EST

10:09 PM EST

IaaS_ESXi_ADOnboard@ABCLAB.ADLAB.GIELAB.ABCDE.NET

Likewise (lsassd / netlogond) logs:


2020-01-28T03:00:06.404285+00:00 abcdpiaas033131 lsassd[1398]: 0x7fa5fe54e700:Failed to run provider specific request (request code = 12, provider = 'lsa-activedirectory-provider') -> error = 2692, symbol = NERR_SetupNotJoined, client pid = 1791
2020-01-28T03:00:06.407957+00:00 abcdpiaas033131 netlogond[1361]: 0x7f18a7fff700: Missing client site name from DC response from abcdelab02.abclab.adlab.gielab.abcde.net (10.100.168.43)
2020-01-28T03:00:06.410110+00:00 abcdpiaas033131 lsassd[1398]: 0x7fa6157fa700:Failed to run provider specific request (request code = 12, provider = 'lsa-activedirectory-provider') -> error = 2692, symbol = NERR_SetupNotJoined, client pid = 1791
2020-01-28T03:00:06.450339+00:00 abcdpiaas033131 lsassd[1398]: 0x7fa5fe54e700:Failed to run provider specific request (request code = 12, provider = 'lsa-activedirectory-provider') -> error = 2692, symbol = NERR_SetupNotJoined, client pid = 1791
2020-01-28T03:00:06.455223+00:00 abcdpiaas033131 netlogond[1361]: 0x7f18a7fff700: Missing client site name from DC response from abcdelab02.abclab.adlab.gielab.abcde.net (10.100.168.43)
2020-01-28T03:00:06.457407+00:00 abcdpiaas033131 lsassd[1398]: 0x7fa6157fa700:Failed to run provider specific request (request code = 12, provider = 'lsa-activedirectory-provider') -> error = 2692, symbol = NERR_SetupNotJoined, client pid = 1791
2020-01-28T03:00:28.243631+00:00 abcdpiaas033131 lsassd[1398]: 0x7fa5fe54e700:Failed to run provider specific request (request code = 12, provider = 'lsa-activedirectory-provider') -> error = 2692, symbol = NERR_SetupNotJoined, client pid = 1791
2020-01-28T03:00:28.247218+00:00 abcdpiaas033131 netlogond[1361]: 0x7f18a7fff700: Missing client site name from DC response from abcdelab02.abclab.adlab.gielab.abcde.net (10.100.168.43)
2020-01-28T03:00:28.249615+00:00 abcdpiaas033131 lsassd[1398]: 0x7fa6157fa700:Failed to run provider specific request (request code = 12, provider = 'lsa-activedirectory-provider') -> error = 2692, symbol = NERR_SetupNotJoined, client pid = 1791
2020-01-28T03:00:28.311460+00:00 abcdpiaas033131 lsassd[1398]: 0x7fa5fe54e700:Failed to run provider specific request (request code = 12, provider = 'lsa-activedirectory-provider') -> error = 2692, symbol = NERR_SetupNotJoined, client pid = 1791

STS-IDMD Logs:


[2020-01-28T03:03:06.957Z vsphere.local        905389f1-96d1-40c4-a9f2-b558091ca600 WARN ] [ServerUtils] cannot bind connection: [ldap://abcdelab02.abclab.adlab.gielab.abcde.net, null]
[2020-01-28T03:03:06.957Z vsphere.local        905389f1-96d1-40c4-a9f2-b558091ca600 ERROR] [ServerUtils] cannot establish connection with uri: ldap://abcdelab02.abclab.adlab.gielab.abcde.net
[2020-01-28T03:03:06.957Z vsphere.local        905389f1-96d1-40c4-a9f2-b558091ca600 ERROR] [ActiveDirectoryProvider] Failed to get non-GC connection to domain abclab.adlab.gielab.abcde.net in retry
com.vmware.identity.interop.idm.IdmNativeException: Native platform error [code: 136][ERROR_NOT_JOINED][]
    at com.vmware.identity.interop.idm.LinuxIdmNativeAdapter.LdapSaslBind(LinuxIdmNativeAdapter.java:353) ~[vmware-identity-platform.jar:?]
    at com.vmware.identity.interop.ldap.OpenLdapClientLibrary.ldap_sasl_bind_s(OpenLdapClientLibrary.java:735) ~[vmware-identity-platform.jar:?]
    at com.vmware.identity.interop.ldap.LdapConnection.bindSaslConnection(LdapConnection.java:148) ~[vmware-identity-platform.jar:?]
    at com.vmware.identity.idm.server.ServerUtils.getLdapConnection(ServerUtils.java:376) ~[vmware-identity-idm-server.jar:?]
    at com.vmware.identity.idm.server.ServerUtils.getLdapConnectionByURIs(ServerUtils.java:253) ~[vmware-identity-idm-server.jar:?]
    at com.vmware.identity.idm.server.provider.BaseLdapProvider.getConnection(BaseLdapProvider.java:379) ~[vmware-identity-idm-server.jar:?]
    at com.vmware.identity.idm.server.provider.BaseLdapProvider.getConnection(BaseLdapProvider.java:165) ~[vmware-identity-idm-server.jar:?]
    at com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider.getLdapConnection(ActiveDirectoryProvider.java:1942) ~[vmware-identity-idm-server.jar:?]
    at com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider.getAdConnection(ActiveDirectoryProvider.java:1970) ~[vmware-identity-idm-server.jar:?]
    at com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider.getNonGcConnToDomain(ActiveDirectoryProvider.java:1960) ~[vmware-identity-idm-server.jar:?]
    at com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider.findGroupByLdap(ActiveDirectoryProvider.java:1863) ~[vmware-identity-idm-server.jar:?]
    at com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider.findGroup(ActiveDirectoryProvider.java:465) ~[vmware-identity-idm-server.jar:?]
    at com.vmware.identity.idm.server.IdentityManager.findGroup(IdentityManager.java:4283) ~[vmware-identity-idm-server.jar:?]
    at com.vmware.identity.idm.server.IdentityManager.findGroup(IdentityManager.java:10938) ~[vmware-identity-idm-server.jar:?]
    at sun.reflect.GeneratedMethodAccessor33.invoke(Unknown Source) ~[?:?]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_212]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_212]
    at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357) ~[?:1.8.0_212]
    at sun.rmi.transport.Transport$1.run(Transport.java:200) ~[?:1.8.0_212]
    at sun.rmi.transport.Transport$1.run(Transport.java:197) ~[?:1.8.0_212]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_212]
    at sun.rmi.transport.Transport.serviceCall(Transport.java:196) ~[?:1.8.0_212]
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:573) ~[?:1.8.0_212]
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:834) ~[?:1.8.0_212]
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:688) ~[?:1.8.0_212]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_212]
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:687) [?:1.8.0_212]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_212]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_212]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_212]

[2020-01-28T03:03:06.958Z vsphere.local        905389f1-96d1-40c4-a9f2-b558091ca600 INFO ] [ActiveDirectoryProvider] Failed to find group ABCCLAB-vCO-Admins@abclab.adlab.gielab.abcde.netFailed to establish server connection via ldap search 
[2020-01-28T03:03:06.959Z vsphere.local        905389f1-96d1-40c4-a9f2-b558091ca600 ERROR] [IdentityManager] Failed to find group [ABCCLAB-vCO-Admins@abclab.adlab.gielab.abcde.net] in tenant [vsphere.local]
[2020-01-28T03:03:06.959Z vsphere.local        905389f1-96d1-40c4-a9f2-b558091ca600 ERROR] [ServerUtils] Exception 'com.vmware.identity.idm.InvalidPrincipalException: Principal id ABCCLAB-vCO-Admins@abclab.adlab.gielab.abcde.net does not exist'
com.vmware.identity.idm.InvalidPrincipalException: Principal id ABCCLAB-vCO-Admins@abclab.adlab.gielab.abcde.net does not exist
    at com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider.findGroupByAcctAdapter(ActiveDirectoryProvider.java:1843) ~[vmware-identity-idm-server.jar:?]
    at com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider.findGroup(ActiveDirectoryProvider.java:470) ~[vmware-identity-idm-server.jar:?]
    at com.vmware.identity.idm.server.IdentityManager.findGroup(IdentityManager.java:4283) ~[vmware-identity-idm-server.jar:?]
    at com.vmware.identity.idm.server.IdentityManager.findGroup(IdentityManager.java:10938) ~[vmware-identity-idm-server.jar:?]
    at sun.reflect.GeneratedMethodAccessor33.invoke(Unknown Source) ~[?:?]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_212]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_212]
    at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357) ~[?:1.8.0_212]
    at sun.rmi.transport.Transport$1.run(Transport.java:200) ~[?:1.8.0_212]
    at sun.rmi.transport.Transport$1.run(Transport.java:197) ~[?:1.8.0_212]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_212]
    at sun.rmi.transport.Transport.serviceCall(Transport.java:196) ~[?:1.8.0_212]
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:573) ~[?:1.8.0_212]
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:834) ~[?:1.8.0_212]
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:688) ~[?:1.8.0_212]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_212]
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:687) [?:1.8.0_212]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_212]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_212]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_212]
Caused by: com.vmware.identity.interop.accountmanager.AccountManagerNativeException: Native platform error [code: 40012][LW_ERROR_NO_SUCH_GROUP][No such group]
    at com.vmware.identity.interop.accountmanager.LinuxAccountAdapter.lookupByGroupName(LinuxAccountAdapter.java:384) ~[vmware-identity-platform.jar:?]
    at com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider.findGroupByAcctAdapter(ActiveDirectoryProvider.java:1813) ~[vmware-identity-idm-server.jar:?]

[2020-01-28T03:03:06.986Z vsphere.local        67f1692d-cc1c-4d37-a186-c0fdcbfb8422 WARN ] [ActiveDirectoryProvider] There may be a domain join status change since native AD is configured. ActiveDirectoryProvider can function properly only when machine is properly joined
[2020-01-28T03:03:06.988Z vsphere.local        67f1692d-cc1c-4d37-a186-c0fdcbfb8422 INFO ] [ActiveDirectoryProvider] Failed to retrieve default UPN for principal ABCCLAB-vCO-Admins@abclab.adlab.gielab.abcde.net 


Conclusion:

Both log sources tell the same story. Likewise (lsassd) answers every request from the AD provider with NERR_SetupNotJoined (error 2692), and the STS-IDMD native AD provider fails its SASL bind to abcdelab02.abclab.adlab.gielab.abcde.net with ERROR_NOT_JOINED (code 136). Because the bind never succeeds, the LDAP lookup of ABCCLAB-vCO-Admins@abclab.adlab.gielab.abcde.net fails, the provider falls back to the account adapter (findGroupByAcctAdapter), which returns LW_ERROR_NO_SUCH_GROUP, and the request ends in InvalidPrincipalException ("Principal id ... does not exist"). Those last two errors are symptoms, not the cause: as far as Likewise is concerned the appliance is not joined to the domain, which is exactly what the ActiveDirectoryProvider warning "There may be a domain join status change since native AD is configured" says.

The netlogond lines ("Missing client site name from DC response") are a separate, secondary finding: the DC returned no client site for the appliance's address, which usually means its subnet is not mapped to a site in AD Sites and Services. They do not cause the not-joined errors, but are worth fixing once the join is repaired.

The remediation follows VMware KB 2150114 (https://kb.vmware.com/s/article/2150114):

  1. Verify that the required ports are open. For more information, see the Required Ports for vCenter Server and Platform Services Controller section in the vSphere 6.5 Upgrade Guide.
  2. Log in to the PSC appliance through an SSH session.
  3. Check the status of the Likewise daemon in the appliance:

    /etc/init.d/lwsmd status
    service-control --status lwsmd

  4. If the daemon is not running, start it:

    /etc/init.d/lwsmd start

  5. To ensure it starts automatically as a startup service:

    chkconfig lwsmd on

  6. Re-try adding the PSC to the domain.

Note also the October 2019 SSO Admin Server entries: an attempt to leave the domain was refused with ADIDSAlreadyExistException ("There is already a native AD IDS or LDAP AD IDS registered"). Remove the Active Directory identity source from SSO before leaving the domain, then re-join and re-add the identity source.
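The triage that the Likewise and STS-IDMD log sections above amount to, written out as an added Python example (editor's code, not part of this RCA or of any VMware tool): it parses the lsassd/netlogond and STS-IDMD lines quoted on this page, counts the native error symbols, pulls out the DC, the LDAP URI and the group whose lookup failed, and maps the findings onto the KB 2150114 steps in the conclusion. The embedded sample lines are copies of the ones quoted above so the script runs offline; the mapping from findings to next steps, and the reading of the netlogond "Missing client site name" warning as a subnet-to-site mapping gap (flagged as secondary, not as the cause), are the editor's interpretation rather than anything the KB states.

```python
import json
import re
from collections import Counter

# Constructed sample input: copies of the lsassd/netlogond and STS-IDMD lines
# quoted in this RCA, trimmed to the entries the triage needs.
LSASSD_LINES = """\
2020-01-28T03:00:06.404285+00:00 abcdpiaas033131 lsassd[1398]: 0x7fa5fe54e700:Failed to run provider specific request (request code = 12, provider = 'lsa-activedirectory-provider') -> error = 2692, symbol = NERR_SetupNotJoined, client pid = 1791
2020-01-28T03:00:06.407957+00:00 abcdpiaas033131 netlogond[1361]: 0x7f18a7fff700: Missing client site name from DC response from abcdelab02.abclab.adlab.gielab.abcde.net (10.100.168.43)
2020-01-28T03:00:06.410110+00:00 abcdpiaas033131 lsassd[1398]: 0x7fa6157fa700:Failed to run provider specific request (request code = 12, provider = 'lsa-activedirectory-provider') -> error = 2692, symbol = NERR_SetupNotJoined, client pid = 1791
""".splitlines()

IDMD_LINES = """\
[2020-01-28T03:03:06.957Z vsphere.local        905389f1-96d1-40c4-a9f2-b558091ca600 ERROR] [ServerUtils] cannot establish connection with uri: ldap://abcdelab02.abclab.adlab.gielab.abcde.net
com.vmware.identity.interop.idm.IdmNativeException: Native platform error [code: 136][ERROR_NOT_JOINED][]
[2020-01-28T03:03:06.959Z vsphere.local        905389f1-96d1-40c4-a9f2-b558091ca600 ERROR] [IdentityManager] Failed to find group [ABCCLAB-vCO-Admins@abclab.adlab.gielab.abcde.net] in tenant [vsphere.local]
Caused by: com.vmware.identity.interop.accountmanager.AccountManagerNativeException: Native platform error [code: 40012][LW_ERROR_NO_SUCH_GROUP][No such group]
[2020-01-28T03:03:06.986Z vsphere.local        67f1692d-cc1c-4d37-a186-c0fdcbfb8422 WARN ] [ActiveDirectoryProvider] There may be a domain join status change since native AD is configured. ActiveDirectoryProvider can function properly only when machine is properly joined
""".splitlines()

# Patterns for the fields that decide the verdict.
LSASSD_RE = re.compile(r"lsassd\[\d+\]:.*?error = (?P<code>\d+), symbol = (?P<symbol>\w+)")
NETLOGON_RE = re.compile(
    r"netlogond\[\d+\]:.*?Missing client site name from DC response from (?P<dc>\S+) \((?P<ip>[\d.]+)\)")
NATIVE_RE = re.compile(r"Native platform error \[code: (?P<code>\d+)\]\[(?P<symbol>\w+)\]")
GROUP_RE = re.compile(r"Failed to find group \[(?P<group>[^\]]+)\] in tenant \[(?P<tenant>[^\]]+)\]")
LDAP_URI_RE = re.compile(r"cannot establish connection with uri: (?P<uri>ldap://\S+)")

# Symbols that mean Likewise or the IDM native adapter consider the machine unjoined.
NOT_JOINED_SYMBOLS = ("NERR_SetupNotJoined", "ERROR_NOT_JOINED")


def triage(lsassd_lines, idmd_lines):
    """Classify an AD lookup failure from the Likewise and STS-IDMD logs.

    Returns the join verdict, the DC(s) and LDAP URI(s) involved, the groups
    whose lookup failed, and next steps in the order the conclusion above
    (VMware KB 2150114) applies them.
    """
    symbols = Counter()
    dcs, groups, uris = set(), set(), set()
    site_warning = False

    for line in lsassd_lines:
        m = LSASSD_RE.search(line)
        if m:
            symbols[m.group("symbol")] += 1
        m = NETLOGON_RE.search(line)
        if m:
            site_warning = True
            dcs.add((m.group("dc"), m.group("ip")))

    for line in idmd_lines:
        m = NATIVE_RE.search(line)
        if m:
            symbols[m.group("symbol")] += 1
        m = GROUP_RE.search(line)
        if m:
            groups.add(m.group("group"))
        m = LDAP_URI_RE.search(line)
        if m:
            uris.add(m.group("uri"))

    not_joined = any(symbols[s] for s in NOT_JOINED_SYMBOLS)
    steps = []
    if not_joined:
        # Without a usable machine account the AD provider cannot SASL-bind, so
        # the later "no such group" / "principal does not exist" errors are symptoms.
        steps += [
            "/etc/init.d/lwsmd status (or: service-control --status lwsmd)",
            "/etc/init.d/lwsmd start if it is stopped, then chkconfig lwsmd on",
            "/opt/likewise/bin/domainjoin-cli query and confirm Domain is populated",
            "remove the AD identity source, re-join the domain, re-add the identity source",
        ]
    elif symbols["LW_ERROR_NO_SUCH_GROUP"]:
        # Joined, yet the lookup fails: the group itself is the thing to verify.
        steps.append("verify the group exists in AD and the selected DC returns it over LDAP")
    if site_warning:
        # Secondary finding (editor's interpretation): the DC returned no client
        # site, which usually means the appliance's subnet is not mapped to a site.
        steps.append("map the appliance subnet to an AD site (DC returned no client site name)")

    return {
        "join_state": "not_joined" if not_joined else "unknown",
        "symbols": dict(symbols),
        "dcs": sorted(dcs),
        "ldap_uris": sorted(uris),
        "missing_groups": sorted(groups),
        "site_warning": site_warning,
        "next_steps": steps,
    }


if __name__ == "__main__":
    print(json.dumps(triage(LSASSD_LINES, IDMD_LINES), indent=2))
```

Feed it the real files instead of the embedded samples (for example the lsassd entries from the appliance's messages log and the vmware-sts-idmd log) and the verdict distinguishes "not joined" from "joined but group missing", which is the decision the conclusion rests on.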

 

Ashutosh Dixit

I am currently working as a Senior Technical Support Engineer with VMware Premier Services for Telco. Before this, I worked as a Technical Lead with Microsoft Enterprise Platform Support for Production and Premier Support. I am an expert in High-Availability, Deployments, and VMware Core technology along with Tanzu and Horizon.
