Configure VMware vRealize Log Insight to use specific domain controllers

Article ID: 343790

Products

VMware Aria Suite

Issue/Introduction

When VMware vRealize Log Insight is configured to use Active Directory integration for authentication, Log Insight makes TCP connections to Active Directory domain controllers.

By default, Log Insight sends a DNS lookup query to find available domain controllers, querying for a record of the form _LDAP._TCP.dc._msdcs.example.com.

Log Insight will attempt to authenticate with any domain controller found within the specified domain forest. This may result in authentication requests being sent over a WAN and may lead to authentication delays or timeouts.

It is recommended that Log Insight be configured to connect to local domain controllers. This article provides a method to configure Log Insight to connect to a specific set of domain controllers.


Environment

VMware vRealize Log Insight 3.0.x
VMware vRealize Log Insight 2.5.x
VMware vRealize Log Insight 3.3.x
VMware vCenter Log Insight 2.x

Resolution

To configure Log Insight to connect to a specific domain controller:

  1. Open a console or SSH session to the Log Insight virtual appliance and log in as root.

  2. Validate the auto-discovered domain controllers for a specific domain using the dig command. For example:

    # dig _LDAP._TCP.dc._msdcs.example.com any +noadditional

    ;; ANSWER SECTION:
    _ldap._tcp.dc._msdcs.example.com. 30 IN SRV 0 100 389 ns1.site1.example.com.
    _ldap._tcp.dc._msdcs.example.com. 30 IN SRV 0 100 389 ns2.site1.example.com.
    _ldap._tcp.dc._msdcs.example.com. 30 IN SRV 0 100 389 ns1.site1.example.com.
    _ldap._tcp.dc._msdcs.example.com. 30 IN SRV 0 100 389 ns2.site2.example.com.


  3. Follow the steps in Custom Active Directory configuration for VMware vRealize Log Insight (2079763) and Changing internal configuration options in VMware vRealize Log Insight (2123058) to customize the configuration. Add or modify two configuration options, <ad-domain-servers> and <krb-domain-servers>.

    These configuration options contain a colon-delimited list of the domain controllers that will be used. The default value is blank, which results in the auto-discovery method being used.

    <authentication>
    <ad-domain-servers value="ns1.example.com:ns2.example.com" />
    <krb-domain-servers value="ns1.example.com:ns2.example.com" />
    </authentication>
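
The script below is an added example, not part of the original article or of Log Insight. It filters the SRV answers from step 2 down to one site and builds the colon-delimited value for step 3. The function names and the choice of site1.example.com as the local site are assumptions; on the appliance, pipe the dig command from step 2 into auth_block instead of the sample.

```shell
#!/bin/sh
# Added example (not from the KB article). Turns SRV answers into the
# colon-delimited value used by <ad-domain-servers> and <krb-domain-servers>.

# Constructed sample input: the ANSWER SECTION shown in step 2.
sample_answers() {
cat <<'EOF'
;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.example.com. 30 IN SRV 0 100 389 ns1.site1.example.com.
_ldap._tcp.dc._msdcs.example.com. 30 IN SRV 0 100 389 ns2.site1.example.com.
_ldap._tcp.dc._msdcs.example.com. 30 IN SRV 0 100 389 ns1.site1.example.com.
_ldap._tcp.dc._msdcs.example.com. 30 IN SRV 0 100 389 ns2.site2.example.com.
EOF
}

# dc_list SUFFIX: read dig answer lines on stdin and print the unique SRV
# targets under SUFFIX, joined with ':' in first-seen order.
dc_list() {
    awk -v suffix="$1" '
        BEGIN { suffix = tolower(suffix); sub(/\.$/, "", suffix) }
        $4 == "SRV" && NF >= 8 {
            host = tolower($8); sub(/\.$/, "", host)
            # DNS data ends up in a config file: accept hostname characters only.
            if (host !~ /^[a-z0-9.-]+$/) next
            # Match SUFFIX on a label boundary, not as a bare string suffix.
            n = length(host) - length(suffix)
            if (host != suffix && (n < 1 || substr(host, n) != "." suffix)) next
            if (!(host in seen)) { seen[host] = 1; out = out (out == "" ? "" : ":") host }
        }
        END { print out }'
}

# auth_block SUFFIX: print the <authentication> fragment, or fail when nothing
# matches, because a blank value falls back to auto-discovery.
auth_block() {
    list=$(dc_list "$1")
    if [ -z "$list" ]; then
        echo "no domain controller under '$1'; refusing to emit a blank list" >&2
        return 1
    fi
    printf '<authentication>\n<ad-domain-servers value="%s" />\n' "$list"
    printf '<krb-domain-servers value="%s" />\n</authentication>\n' "$list"
}

# site1.example.com as the local site is an assumption for this run.
sample_answers | auth_block site1.example.com
```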




Additional Information