Users are prevented from logging in, and access to vCenter is slow
VMware vCenter server
Because the Primary Domain Controller did not fail completely, the vCenter AD authentication service did not notice any change and therefore did not automatically fail over to the Secondary Domain Controller.
When "any Domain Controller from the domain" is chosen, vCenter uses the domain's DNS and Active Directory infrastructure to dynamically discover and connect to any available Domain Controller in the domain. It automatically balances the load and provides redundancy.
If one Domain Controller is down or unreachable, vCenter can connect to another available Domain Controller.
When vCenter is configured to use "any Domain Controller from the domain," it performs the following:
Random or Round-Robin Selection:
It may select a Domain Controller randomly or in a round-robin fashion for each authentication request.
If the initially selected Domain Controller becomes unavailable, vCenter will attempt to connect to another Domain Controller listed in DNS.
Make sure that DNS is configured correctly and that all Domain Controllers are properly registered in DNS.
Note:
vCenter detects that a Domain Controller is down if, for example, LDAP queries to the DC fail or time out (when authenticating users or retrieving information). If DNS resolution fails, vCenter might also consider the DC to be unavailable.
Other situations include network connectivity failures (for example, pings to the DC going unanswered), Kerberos tickets that cannot be obtained or validated, and any timeouts or errors when interacting with the DC.
You could minimize the risk of vCenter failing to switch during partial DC failures by increasing the LDAP timeout and retries in vCenter Advanced Settings: config.vpxd.ldap.timeout and config.vpxd.ldap.maxRetries.
You could also use network monitoring tools to detect and alert on network issues, and regularly patch vCenter and the Domain Controllers to avoid known issues.
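One way to monitor for the partial-failure case described above, as an added example that is not VMware's own tooling: it reads the Domain Controllers registered under the AD locator SRV record and classifies each as ok, slow, or down, so a DC that still answers but answers late is flagged. The domain corp.example, the hostnames, the thresholds and the fake_probe latencies are constructed assumptions; the probe only times a TCP connect, so substitute an LDAP bind for a deeper check.

```python
import socket
import time

# Constructed sample: output of
#   dig +short SRV _ldap._tcp.dc._msdcs.corp.example
SAMPLE_SRV = """\
0 100 389 dc1.corp.example.
0 100 389 dc2.corp.example.
0 100 389 dc3.corp.example.
"""

def parse_srv(text):
    """Return [(host, port)] from `dig +short SRV` lines: prio weight port target."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2].isdigit():
            out.append((parts[3].rstrip("."), int(parts[2])))
    return out

def tcp_probe(host, port, timeout):
    """Seconds taken to open a TCP connection; raises OSError on failure."""
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=timeout):
        return time.monotonic() - start

def check_dcs(srv_text, probe=tcp_probe, timeout=3.0, slow_after=1.0):
    """Classify each DC registered in DNS as ok, slow, or down."""
    report = {}
    for host, port in parse_srv(srv_text):
        try:
            elapsed = probe(host, port, timeout)
        except OSError:  # refused, timed out, or name does not resolve
            report[host] = "down"
        else:
            report[host] = "slow" if elapsed > slow_after else "ok"
    return report

def fake_probe(host, port, timeout):
    """Constructed stand-in for tcp_probe so the example runs offline."""
    latency = {"dc1.corp.example": 2.4, "dc2.corp.example": 0.02}
    if host not in latency:
        raise socket.timeout("no answer")
    return latency[host]

if __name__ == "__main__":
    for host, state in check_dcs(SAMPLE_SRV, probe=fake_probe).items():
        print(f"{host}: {state}")
```

In production, feed check_dcs the live dig output and leave probe at its default; any "slow" or "down" entry is worth an alert before users hit login delays.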