Joining the VMware vCenter Server Appliance or VMware vRealize Automation Identity Appliance to a domain fails with the error: Error trying to join AD, error code [31]

Article ID: 316624

Products

VMware Aria Suite
VMware vCenter Server

Issue/Introduction

Symptoms:

  • Joining the vCenter Server Appliance to a Domain fails with the error:

    Idm client exception: Error trying to join AD, error code [31], user...
     
  • Joining vRealize Automation Identity Appliance to a Domain fails with the error:

    Error invoking Active Directory tools
     
  • In the ssoAdminServer.log file in the vCenter Server Appliance, you see entries similar to:

    [YYYY-MM-DDTHH:MM:SS.xxxx pool-12-thread-4 opId=cebe1692-a4e4-4dd8-9922-e57217646849 ERROR com.vmware.identity.admin.server.ims.impl.SystemManagementImpl] Exception occurred: 'com.vmware.identity.idm.IDMException: Error trying to join AD, error code [31], user [administrator], domain [domain.local], orgUnit []'; stack='com.vmware.identity.idm.IDMException: Error trying to join AD, error code [31], user [administrator], domain [domain.local], orgUnit []
    at com.vmware.identity.idm.server.IdentityManager.joinActiveDirectory(IdentityManager.java:9925)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)

 

  • In the /var/log/messages file in the vRealize Automation server, you see entries similar to:

    2015-11-10T15:22:30-08:00 localhost lsassd[5933]: 0x7fe831aec700:Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 31, symbol = ERROR_GEN_FAILURE, client pid = 15446

    Note: These log excerpts are an example. Date, time, and environmental variables may vary depending on your environment.

    For more information on log file locations, see:
     



Environment

VMware vCenter Server Appliance 6.x
VMware vCenter Server Appliance 7.x
VMware vCenter Server Appliance 8.x
VMware vRealize Automation 6.2.x

Cause

This issue occurs when Windows 2012 uses Server Message Block version 2 (SMB2) and, by default, SMB1 is disabled.

This issue can also occur if the AD Domain Functional Level is not supported by the version of vCenter.
Example: AD is Windows Server 2003 and vCenter is 6.7; this combination is unsupported.

Reference - Versions of Active Directory supported in vCenter Server (Domain Functional Level)
 
This error also occurs if a firewall blocks traffic from vCenter to the AD servers on port 445 (used for the SMB protocol).
To check, run this command on vCenter: curl -v telnet://<IP-of-AD-server>:445

Resolution

This issue is resolved in vCenter Server Appliance 6.0 Update 3c, available at the Broadcom support portal.
 
To work around this issue if you are unable to upgrade at this time, enable SMBv1.0 by running this command from an elevated command prompt on all Windows 2012 Domain Controllers:
 
sc config srv start= auto
 
For more information on enabling and disabling SMBv1.0, see the Microsoft Knowledge Base article 2696547.
 
Additionally, ensure that port 445 is open from vCenter to the AD server.
 
 



Additional Information
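
The two log signatures quoted under Symptoms can be pulled out of a log and normalized with a short shell filter. This is an added example, not part of the original article or VMware tooling; the function names, the record format and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: normalize the AD-join failure lines quoted under Symptoms.
# Function names and record format are illustrative, not VMware tooling.

# Read log text on stdin; print one record per matching failure line.
join_failures() {
    sed -n -E \
        -e 's/.*Error trying to join AD, error code \[([0-9]+)\], user \[([^]]*)\], domain \[([^]]*)\], orgUnit \[([^]]*)\].*/idm code=\1 user=\2 domain=\3 ou=\4/p' \
        -e 's/.*lsassd\[[0-9]+\]:.* -> error = ([0-9]+), symbol = ([A-Z_]+).*/lsassd code=\1 symbol=\2/p'
}

# Count records on stdin that carry error code 31 (the code this article covers).
count_code31() {
    awk '$2 == "code=31" { n++ } END { print n + 0 }'
}

# Constructed sample input modelled on the excerpts above; line 4 is invented
# to show that other error codes are reported but not counted.
sample_logs() {
    cat <<'EOF'
[2024-01-01T10:00:00.000Z pool-12-thread-4 ERROR com.vmware.identity.admin.server.ims.impl.SystemManagementImpl] Exception occurred: 'com.vmware.identity.idm.IDMException: Error trying to join AD, error code [31], user [administrator], domain [domain.local], orgUnit []'
    at com.vmware.identity.idm.server.IdentityManager.joinActiveDirectory(IdentityManager.java:9925)
2015-11-10T15:22:30-08:00 localhost lsassd[5933]: 0x7fe831aec700:Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 31, symbol = ERROR_GEN_FAILURE, client pid = 15446
[2024-01-01T10:05:00.000Z pool-12-thread-7 ERROR com.vmware.identity.admin.server.ims.impl.SystemManagementImpl] Exception occurred: 'com.vmware.identity.idm.IDMException: Error trying to join AD, error code [5], user [svc-join], domain [corp.example], orgUnit [OU=Servers]'
2015-11-10T15:22:31-08:00 localhost sshd[6001]: Accepted publickey for root
EOF
}

# Stand-alone run against the sample; on an appliance, feed the real logs:
#   join_failures < /var/log/messages
sample_logs | join_failures
printf 'code 31 failures: %s\n' "$(sample_logs | join_failures | count_code31)"
```

The record keeps the user, domain and orgUnit from the IDM exception, so repeated join attempts against the same domain are easy to group.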