I ran into two issues while using the vCenter Server Appliance (vCSA) and integrating it with AD, and I figured what I found might help some of you in the future. Here goes:
Issue 1: vCSA fails to join the AD domain.
On the initial deployment of my vCSA I got an error while attempting to join my AD domain that said "Error: Enabling Active Directory failed". That's it... nothing useful...
When this happens you can run the join manually, and if it fails you will at least get an error code. To do so, run /usr/sbin/vpxd_servicecfg with the following syntax:
vpxd_servicecfg ad write <username> '<password>' <domain name>
vpxd_servicecfg ad write caleb 'myTopSecretPa$$' caleb.com
The password goes in single quotes so that the shell does not interpret characters such as $ (inside double quotes, $$ would be replaced by the shell's process ID and the join would fail with the wrong password). Bear in mind that a password typed on the command line ends up in the shell history and is visible in the process list while the command runs, so clear the history afterwards.
If the join is successful the command reports "VC_CFG_RESULT=0". If that is the case, reboot your vCSA and you are ready to roll.
Issue 2: Configuring vCSA to use AD for user authentication with LDAPS.
1. Log in to the web client (NGC) on your vCSA (https://<vCSA>:9443/vsphere-client).
2. Go to Administration > Sign-On and Discovery > Configuration and click the small green plus sign to add an identity source. The "Add Identity Source" dialog opens.
For the most part it is all pretty simple; the gotchas are the primary server URL and the "Choose Certificate" button. The URL must use the ldaps:// scheme and port 636 (for example ldaps://dc01.caleb.com:636) so that the connection to the domain controller is actually encrypted and the DC's certificate is validated. For additional useful information look at the VMware documentation at http://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-B23B1360-8838-4FF2-B074-71643C4CB040.html.
Next you need the CA certificate so the vCSA can validate the certificate the DC presents over LDAPS. This part is pretty easy once you think about it for a minute. From a Windows workstation open MMC and add the Certificates snap-in for the Local Computer account. Expand Certificates, navigate to the "Trusted Root Certification Authorities" folder and find the root certificate of your domain's Certificate Authority (the one the CA issued to itself). That is the certificate to use; it contains only the public key, so exporting it discloses nothing sensitive.
Right-click that certificate and go to All Tasks > Export. Change the format to Base-64 encoded X.509 (.CER) rather than the default DER binary format, and save the file to your local desktop. Then, in the vCSA "Add Identity Source" window, click "Choose Certificate" and point it at the file you just exported. Before relying on it, confirm that a TLS connection to the DC's port 636 validates against this certificate; if it does not, you exported the wrong CA. Congratulations, your domain logins will now work; just don't forget you still need to assign those users permissions.
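As an added example (not from the original post), the following Python script checks the exported file before you hand it to the vCSA: it tells you whether MMC produced a Base-64 (PEM) or DER file, converts DER to PEM if needed, and then opens a TLS session to the DC's LDAPS port trusting only that certificate, which is the same validation the vCSA will perform. The host name dc01.caleb.com, the port 636 and the file names are assumptions; any certificate bytes shown in comments are constructed, not a real certificate.

```python
"""Check the CA certificate exported from MMC before uploading it to the vCSA.

The Add Identity Source dialog wants a Base-64 (PEM) X.509 file, while MMC's
default export format is DER.  Sniff the file, convert it when necessary and
confirm that the DC's LDAPS listener really chains to this CA.
"""
import socket
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def detect_format(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'UNKNOWN' for the bytes of an exported .cer file."""
    if PEM_HEADER in data:
        return "PEM"
    # A DER-encoded certificate is an ASN.1 SEQUENCE, whose first byte is 0x30.
    if data[:1] == b"\x30":
        return "DER"
    return "UNKNOWN"


def to_pem(data: bytes) -> str:
    """Return the certificate as PEM text, converting from DER when needed."""
    fmt = detect_format(data)
    if fmt == "PEM":
        return data.decode("ascii")
    if fmt == "DER":
        # ssl.DER_cert_to_PEM_cert base64-encodes and wraps at 64 columns.
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("not a DER or PEM X.509 certificate")


def to_der(data: bytes) -> bytes:
    """Inverse of to_pem: return the raw DER bytes for a PEM or DER file."""
    return ssl.PEM_cert_to_DER_cert(to_pem(data))


def ldaps_chains_to(host: str, cafile: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Open a TLS session to the DC's LDAPS port trusting only `cafile`.

    Returns the peer certificate's subject and issuer on success.  Raises
    ssl.SSLCertVerificationError when the DC's certificate does not chain to
    the exported CA (wrong certificate exported) or the name does not match,
    which is exactly what would later break the identity source.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # trust nothing else
    ctx.check_hostname = True
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {"subject": cert.get("subject"), "issuer": cert.get("issuer")}


if __name__ == "__main__":
    import sys

    # Usage: check_ca.py <exported.cer> [dc01.caleb.com]   (names are assumed)
    path = sys.argv[1]
    with open(path, "rb") as fh:
        raw = fh.read()
    print(f"{path}: {detect_format(raw)}")
    pem_path = path.rsplit(".", 1)[0] + ".pem"
    with open(pem_path, "w") as fh:
        fh.write(to_pem(raw))
    print(f"wrote PEM copy to {pem_path}")
    if len(sys.argv) > 2:
        print(ldaps_chains_to(sys.argv[2], pem_path))
```

Run it with just the file name to see which format MMC produced (and get a PEM copy), then add the DC's name as a second argument to prove the LDAPS endpoint validates against that CA before you upload it.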
So here is the scenario:
All of my DNS static entries are going to get nuked and changed to a completely different IP space (yes, the computers too). However, since this is such a massive task and we have minimal time to make the change, we would like to complete as much ahead of time as we can. All of my DNS servers are DCs running AD-integrated zones. The only way I can think of to do this ahead of time is to create a spreadsheet, fill in the hostnames and the new IPs, and then on the day of the IP change import the new records into DNS. So, the question is: how exactly can I update the DNS tables on an AD-integrated zone using a script or file import?
Here is what I found:
The simple answer is you can't 🙂 However, there is a workaround...
1. Export your DNS information to a CSV file.
2. Modify the DNS information to show the correct IP information. I accomplished this by sending Excel spreadsheets to users to be filled in with the new IPs. Then, using SQL, I imported the spreadsheets into a database and scripted a massive UPDATE statement against the master DNS list. Finally I exported the updated master DNS list as a TAB-delimited file.
3. Next I needed to remove all my DNS servers except one. Pick one to keep and uninstall DNS on all the others. Until step 11 the whole domain depends on that single DNS server, so do this in a maintenance window.
4. On the remaining DNS server I changed all my zones from Active Directory-integrated to standard primary: right-click each zone > Properties > General > Change Type > uncheck "Store the zone in Active Directory". Note that "Secure only" dynamic updates are available only for AD-integrated zones, so while a zone is a standard primary it either accepts no dynamic updates or accepts unsecured ones; check the zone's Dynamic updates setting before and after the change.
5. Repeat for all zones.
6. Keep "Load zone data on startup" set to "From Active Directory and registry".
7. Open the DNS zone files (
8. Modify the DNS zone file with your new information, keeping the proper TAB-delimited format.
9. Reboot the DNS server. This is going to take a while, but if you don't you will get an error like "the specified directory partition does not exist".
10. Open DNS Manager again and move all of your zones back to AD-integrated zones; the steps are the reverse of step 4.
11. Reinstall DNS on all the other DNS servers that were uninstalled in step 3.
12. Once DNS is installed on the other servers, check that they have the latest DNS entries. They should, since AD replication delivers the zone data to them, and at this point you are done.
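As an added example, not from the original post, the following Python script does the work of steps 2 and 8 in one place: it joins the exported record list against the spreadsheet of new addresses, rewrites the A records, and reports hosts the spreadsheet did not cover, hosts whose new address falls outside the target prefix, and spreadsheet rows that match no record, so nothing is left silently pointing at the old range. The zone and spreadsheet contents are constructed sample data, the record layout (name, TTL, type, data separated by tabs) is an assumption, and the target prefix 172.16.0.0/16 is made up; a real zone export carries extra columns, so adapt the split to what your file actually contains.

```python
"""Apply a hostname -> new IP mapping to a tab-delimited DNS zone export.

Record lines are assumed to look like 'name<TAB>ttl<TAB>type<TAB>data'.
Comment lines (starting with ';') and non-A records pass through untouched.
"""
import csv
import io
import ipaddress

# Constructed sample zone export (not a real zone file).
SAMPLE_ZONE = "\n".join([
    ";  Database file caleb.com.dns for caleb.com zone (constructed sample)",
    "@\t3600\tNS\tdc01.caleb.com.",
    "dc01\t3600\tA\t10.1.1.10",
    "fileserver\t3600\tA\t10.1.1.20",
    "printer\t3600\tA\t10.1.1.30",
    "backup\t3600\tA\t10.1.1.40",
    "www\t3600\tCNAME\tfileserver",
])

# Constructed spreadsheet export: 'printer' was given an address outside the
# new range, 'backup' is missing, and 'legacy' does not exist in the zone.
SAMPLE_CSV = (
    "hostname,new_ip\n"
    "dc01,172.16.5.10\n"
    "fileserver,172.16.5.20\n"
    "printer,192.168.1.30\n"
    "legacy,172.16.5.99\n"
)


def load_mapping(csv_text: str) -> dict:
    """Parse 'hostname,new_ip' rows into {hostname: new_ip}.

    Rejects malformed addresses and duplicate hostnames so a bad spreadsheet
    row cannot reach the zone file.
    """
    mapping = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["hostname"].strip().lower()
        ip = str(ipaddress.IPv4Address(row["new_ip"].strip()))  # raises on junk
        if host in mapping:
            raise ValueError(f"duplicate spreadsheet row for {host}")
        mapping[host] = ip
    return mapping


def rewrite_zone(zone_text: str, mapping: dict, new_space: str) -> tuple:
    """Rewrite A records with their new addresses.

    Returns (new_text, report).  The report lists A records with no new
    address ('unmapped'), records whose new address is outside `new_space`
    ('outside_new_space'), and spreadsheet hosts that matched nothing
    ('unused').  Review it before importing the file.
    """
    net = ipaddress.IPv4Network(new_space)
    out, unmapped, outside, seen = [], [], [], set()
    for line in zone_text.splitlines():
        fields = line.split("\t")
        if line.startswith(";") or len(fields) != 4 or fields[2].upper() != "A":
            out.append(line)  # comments, NS, CNAME, ... are left alone
            continue
        name, ttl, rtype, _old_ip = fields
        seen.add(name.lower())
        new_ip = mapping.get(name.lower())
        if new_ip is None:
            unmapped.append(name)
            out.append(line)  # keep the old record, but flag it
            continue
        if ipaddress.IPv4Address(new_ip) not in net:
            outside.append((name, new_ip))
        out.append("\t".join((name, ttl, rtype, new_ip)))
    report = {
        "unmapped": unmapped,
        "outside_new_space": outside,
        "unused": sorted(set(mapping) - seen),
    }
    return "\n".join(out) + "\n", report


if __name__ == "__main__":
    new_zone, report = rewrite_zone(SAMPLE_ZONE, load_mapping(SAMPLE_CSV), "172.16.0.0/16")
    print(new_zone)
    for key, items in report.items():
        print(f"{key}: {items}")
```

Run it against the sample and the report shows backup as unmapped, printer as outside the new prefix and legacy as unused; with real data, refuse to import until all three lists are empty, then paste the rewritten records into the zone file for step 8.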
Piece of cake 🙂