IDM Connector joining to a Domain may fail if residing on an ESXi Host which is not Domain joined and NTP is not configured
Article ID: 325468

Updated On:

Products

VMware Aria Suite

Issue/Introduction

Creating an AD/IWA Directory will fail.
When creating an AD/IWA Directory the connector will automatically attempt to join the Domain.
Creating an AD/LDAP Directory may succeed because the connector joining the Domain is not mandatory.
All other features of IDM function as normal.
There have been no recently recorded environmental issues.
IDM Appliances are in good health.
All is OK with the Appliance(s) in vCenter.
Recently there may have been an ESXi Host added to the ESXi Cluster.

Symptoms:
Attempting to create an AD/IWA Directory in IDM fails.
Joining the IDM connector to the Domain also fails.




Attempting to create an AD/LDAP Directory may succeed.

Environment

VMware Identity Manager 3.3.x

Cause

VMware Identity Manager was recently migrated to a new ESXi Host that is not Domain joined and/or does not have NTP configured.

As seen above the symptoms show that an AD/IWA Directory fails to create and the connector cannot join the Domain.
Via SSH to the IDM Appliance go to /opt/vmware/horizon/workspace/logs.
The connector.log shows the following error:




In the horizon.log the following can be seen:



Running /opt/likewise/bin/domainjoin-cli query shows the Appliance is not joined to the domain:



The system.journal file for the Appliance can be located in /var/log/<latest system file>
The file can be viewed by running: journalctl --no-pager --file system.journal




Resolution

To resolve this issue the IDM Appliance should be migrated to another ESXi Host in the Cluster that is Domain joined OR has Domain Access and has NTP configured.
Time across all ESXi Hosts in the cluster should be the same.
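
Before migrating the appliance, the candidate ESXi Hosts can be checked for the conditions named above. This is an added example, not part of the original article or VMware's own tooling; it assumes VMware PowerCLI with an existing Connect-VIServer session, a placeholder cluster name, and a 300-second limit (the Active Directory Kerberos default, not a value from this article), with clock offset measured against the workstation running the script.

```powershell
# Added example: audit ESXi Hosts in a cluster for NTP configuration,
# domain membership and clock offset before moving the IDM Appliance.
# Assumptions: PowerCLI is loaded, Connect-VIServer has been run, and the
# workstation running this script is itself time-synchronised.
param(
    [string]$ClusterName    = 'Example-Cluster',  # placeholder name
    [int]   $MaxSkewSeconds = 300                  # assumed limit (AD Kerberos default)
)

$report = foreach ($vmhost in (Get-Cluster -Name $ClusterName | Get-VMHost)) {
    # NTP servers configured on the host and state of the ntpd service
    $ntpServers = @(Get-VMHostNtpServer -VMHost $vmhost)
    $ntpd       = Get-VMHostService -VMHost $vmhost |
                  Where-Object { $_.Key -eq 'ntpd' }

    # Domain membership as reported by the host
    $auth = Get-VMHostAuthentication -VMHost $vmhost

    # Host clock, read through the vSphere API and compared with local time
    $dts      = Get-View -Id $vmhost.ExtensionData.ConfigManager.DateTimeSystem
    $hostTime = $dts.QueryDateTime().ToLocalTime()
    $skew     = [math]::Round(($hostTime - (Get-Date)).TotalSeconds, 1)

    $ntpOk  = ($ntpServers.Count -gt 0) -and [bool]$ntpd.Running
    $timeOk = [math]::Abs($skew) -le $MaxSkewSeconds

    [pscustomobject]@{
        Host         = $vmhost.Name
        NtpServers   = $ntpServers -join ', '
        NtpdRunning  = [bool]$ntpd.Running
        Domain       = $auth.Domain
        DomainStatus = $auth.DomainMembershipStatus
        SkewSeconds  = $skew
        # Domain membership is reported but not required here, because a
        # host with Domain Access also satisfies the resolution.
        NtpAndTimeOk = $ntpOk -and $timeOk
    }
}

# Hosts that fail the NTP/time check sort to the top
$report | Sort-Object NtpAndTimeOk, Host | Format-Table -AutoSize
```

Hosts listed with NtpAndTimeOk set to False, or with an empty Domain column and no other Domain Access, are the ones to avoid as migration targets.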






Creation of AD/IWA Directory succeeds:




SSH shows the Appliance is Domain joined:



Appliance shows as Domain joined in the system.journal file:



Connector is joined to the Domain: