Blacklist Stale Domain Controller Entries Contacted by the vCenter
search cancel

Blacklist Stale Domain Controller Entries Contacted by the vCenter

book

Article ID: 375177

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

The vCenter was earlier connected to the AD via LDAP.

Later, the identity source was deleted, however the connections to the domain were still being attempted and was checked from the firewall.

Environment

VMware vCenter Server

Cause

Possible registry stale entries or domain cache entry could cause this issue

Resolution

Check whether :

  • The vCenter is not added to the problematic AD domain
  • No identity source is configured on vCenter for the problematic AD domain
  • The problematic AD server IP should not be pingable from the vCenter
  • The problematic DC servers should not be used for NTP configurations

Workaround 1:

  • Take a vCenter VM snapshot
  • Take the back up of the below file /etc/krb5.conf and /etc/krb5-affinity.conf :

>> krb5.conf -----> run this command: cp krb5.conf krb5.conf.bck

>> krb5-affinity.conf ---------------> run this command: cp krb5-affinity.conf krb5-affinity.conf.bak

  • Remove the content in the file/ Empty the file and save it

 

Workaround  2:

  • To blacklist DCs, set the option, using the following commands:

# /opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\netlogon\Parameters]' BlacklistedDCs DC_IP1,DC_IP2,...
# /opt/likewise/bin/lwsm restart lwreg

Workaround 3:

To confirm whether any additional ports are also sending outbound traffic, please check the below outcomes:


1. Execute the command for 15 minutes and type "Ctrl+C" keys to end command execution: tcpdump -i eth0 -s 150 -w /storage/core/eth0.pcap
2. Execute the command for 15 minutes and type "Ctrl+C" keys to end command execution: watch -n 2 'date >> /storage/core/netstat-output.txt; netstat -epvl >> /storage/core/netstat-output.txt; echo >> /storage/core/netstat-output.txt; echo >> /storage/core/netstat-output.txt'

From Packet Captures, check if the packets are getting resolved over DNS server for the Domain Controller that you are trying to blacklist:

  • Check in the dnsmasq.log we see traces of domain cache as below for example:10.xxx.x.32

Jul 10 11:00:46 dnsmasq[1886]: query[A] example.example.com from ##.##.##.##
Jul 10 11:00:46 dnsmasq[1886]: forwarded example.example.com to ##.##.##.##
Jul 10 11:00:46 dnsmasq[1886]: query[A] example.example.com from ##.##.##.##
Jul 10 11:00:46 dnsmasq[1886]: reply example.example.com is ##.##.##.##

  • The domain Cache Entry would be present under below file, validate if the IP is present in the below file:

/etc/vmware-sso/trusts_cache 

[{"dcInfo":{"domainName":"example.example.com","domainIpAddress":"##.##.##.##","domainFQDN":"example.example.com.......................}]

Perform the below steps to remove the domain cache entry:

  • Take a vCenter Snapshot
  • Backup the file: /etc/vmware-sso/trusts_cache
  • Stop the service (service-control --stop vmware-stsd)
  • Delete the on-disk cache /etc/vmware-sso/trusts_cache
  • Start the service (service-control --start vmware-stsd)

Note: If the above steps doesn't resolve the issue, reboot the vCenter Server.

Powered by Wolken Software