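If Active Directory cannot be reached because of a network or Active Directory server problem, and vCenter Server attempts to validate domain users and groups during that time, the domain groups are removed from the vCenter Server > Permissions tab.
Domain users that were added individually are not removed.
According to the documented behavior, both (domain groups and domain users) should be removed, but it has been observed that only domain groups are removed.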
In %ALLUSERSPROFILE%\VMWare\vCenterServer\logs\vpxd\vpxd.log, you see entries similar to:

[08728 error '[SSO]'] [UserDirectorySso] GetUserInfo exception: class Vmacore::Authorize::AuthUserNotFoundException(Group Test1\Domain Admins)
[08728 error '[SSO]'] [UserDirectorySso] NormalizeUserName(WIN\Domain Admins, true) exception: class Vmacore::Authorize::AuthUserNotFoundException(Group Test1\Domain Admins)
[08728 error 'Default'] Bad group WIN\Domain Admins, removing
[08728 info '[SSO]'] [UserDirectorySso] GetUserInfo(WIN\Domain Admins, true)
[08728 info '[SSO][SsoAdminFacadeImpl]'] [Lookup]

In /var/log/vmware/sso/vmware-sts-idmd.log, you see entries similar to:

WARN [ActiveDirectoryProvider] There may be a domain join status change since native AD is configured.ActiveDirectoryProvider can function properly only when machine is properly joined
WARN [LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.WinLdapClientLibrary, error code: 81
WARN [ServerUtils] cannot bind connection: [ldap://addc.Test1.local, null]
ERROR [ServerUtils] cannot establish connection with uri: [ldap://addc.Test1.local]
INFO [ActiveDirectoryProvider] Failed to find group Domain [email protected] to establish server connection via ldap search
ERROR [IdentityManager] Failed to find group [Domain [email protected]] in tenant [vsphere.local]
ERROR [ServerUtils] Exception 'com.vmware.identity.idm.InvalidPrincipalException: Principal id Domain [email protected] does not exist'
com.vmware.identity.idm.InvalidPrincipalException: Principal id Domain [email protected] does not exist
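
The two log signatures above can be checked for together. The following Python code is an added example, not VMware code: it reports each "Bad group ..., removing" entry in vpxd.log, notes whether the same thread logged an AuthUserNotFoundException for that group, and checks vmware-sts-idmd.log for LDAP error code 81 (LDAP_SERVER_DOWN). The function names are hypothetical, and the sample lines are copied from the excerpts on this page.

```python
import re

# vpxd.log entry as excerpted on the page: [<thread> <level> '<component>'] <message>
VPXD_ENTRY = re.compile(r"\[(\d+) (\w+) '([^']*)'\] (.*)")
LOOKUP_FAILED = re.compile(r"NormalizeUserName\((.+?), \w+\) exception: .*AuthUserNotFoundException")
GROUP_REMOVED = re.compile(r"Bad group (.+), removing")
# LDAP client result code 81 is LDAP_SERVER_DOWN (the directory could not be contacted).
LDAP_DOWN = re.compile(r"\[LdapErrorChecker\].*error code: 81\b")

def removed_groups(vpxd_lines):
    """Return (thread, group, lookup_failed) for every 'Bad group ..., removing' entry."""
    failed = {}    # thread id -> group names whose lookup raised AuthUserNotFoundException
    findings = []
    for line in vpxd_lines:
        entry = VPXD_ENTRY.search(line)    # search(): tolerate a timestamp prefix
        if not entry:
            continue
        thread, _level, _component, message = entry.groups()
        hit = LOOKUP_FAILED.search(message)
        if hit:
            failed.setdefault(thread, set()).add(hit.group(1))
            continue
        hit = GROUP_REMOVED.search(message)
        if hit:
            group = hit.group(1)
            findings.append((thread, group, group in failed.get(thread, set())))
    return findings

def directory_unreachable(idmd_lines):
    """True if vmware-sts-idmd.log shows the LDAP client failing with code 81."""
    return any(LDAP_DOWN.search(line) for line in idmd_lines)

# Sample input: entries copied from the log excerpts on this page.
VPXD_SAMPLE = [
    r"[08728 error '[SSO]'] [UserDirectorySso] NormalizeUserName(WIN\Domain Admins, true) exception: class Vmacore::Authorize::AuthUserNotFoundException(Group Test1\Domain Admins)",
    r"[08728 error 'Default'] Bad group WIN\Domain Admins, removing",
    r"[08728 info '[SSO]'] [UserDirectorySso] GetUserInfo(WIN\Domain Admins, true)",
]
IDMD_SAMPLE = [
    "WARN [LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.WinLdapClientLibrary, error code: 81",
    "ERROR [ServerUtils] cannot establish connection with uri: [ldap://addc.Test1.local]",
]

if __name__ == "__main__":
    outage = directory_unreachable(IDMD_SAMPLE)
    for thread, group, lookup_failed in removed_groups(VPXD_SAMPLE):
        print(f"thread {thread}: permission for {group!r} removed; "
              f"lookup failure seen={lookup_failed}, LDAP server down={outage}")
```

A removal reported with a lookup failure in the same thread, while the identity log shows code 81, matches the outage-driven removal described on this page; the affected group permissions can then be reviewed once Active Directory is reachable again.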