Configuring Active Directory settings fails when enabling vSAN File Services
Article ID: 386521


Products

VMware vSAN

Issue/Introduction

Enabling vSAN File Services may fail at the step where the Active Directory settings are configured.

The following error message is displayed:

"Cannot complete the operation. See the event log for details. User does not have required permission in this Organizational Unit. If no OU is entered, the system attempts to register these file servers with default OU computers. User should have following permissions: 1. Create and delete Computer Objects. 2. Read and Write ms-DS-PrincipleName. 3. Read and Write uPNSuffixes."

Environment

vCenter 7.x

vCenter 8.x

Cause

This issue is caused by incorrect Active Directory settings entered in the vSAN File Service configuration. One or more of the following settings may be wrong:

Option: Directory service
Description: Configure an Active Directory domain for vSAN File Service authentication. If you plan to create an SMB file share, or an NFSv4.1 file share with Kerberos authentication, you must configure an AD domain for vSAN File Service.

Option: AD domain
Description: Fully qualified domain name of the domain that the file servers join.

Option: Preferred AD server
Description: IP address of the preferred AD server. Separate multiple IP addresses with commas.

Option: Organizational unit (Optional)
Description: The container in which vSAN File Service creates the file server computer accounts. If no OU is entered, the accounts are created in the default Computers container. In an organization with a complex hierarchy, specify a nested container by using a forward slash to denote each level (for example, organizational_unit/inner_organizational_unit).

Option: AD username
Description: User name used to connect to and configure the Active Directory service. This domain user authenticates to the domain controller and creates the vSAN File Service computer accounts, the related SPN entries, and the DNS entries (when using Microsoft DNS). As a best practice, create a dedicated service account for the file service. The account must have sufficient privileges in the target OU to create and delete computer objects and, optionally, to add and update DNS entries.

Option: Password
Description: Password of the AD user above. vSAN File Service uses it to authenticate to AD and to create the vSAN File Service computer accounts.

Resolution

To confirm that one or more of the above settings is incorrect, run the vSAN File Services enablement wizard again and choose not to configure the Active Directory settings.

If the wizard then completes successfully, the Active Directory settings are the cause. Verify each value against the specific environment (domain name, reachability of the preferred AD server, the OU path and whether it exists, and the permissions the service account holds on that OU) before enabling the Active Directory integration again.
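The following PowerShell script is an added pre-flight check written for this article; it is not part of the KB and not VMware code. It translates the slash-notation OU path from the wizard into an LDAP distinguished name (an empty path maps to the default Computers container, as the error text states), confirms the preferred AD server answers on the Kerberos and LDAP ports, and inspects the ACL of the target container for the create/delete computer object rights the error message names. It assumes the RSAT ActiveDirectory module on a domain-joined Windows host; the domain, server IP, OU path and account name are placeholders.

```powershell
# Added example, not from the KB article. Placeholders: replace with your values.
Import-Module ActiveDirectory

$AdDomain        = 'corp.example.com'                                # assumed AD domain
$PreferredServer = '10.0.0.10'                                        # assumed preferred AD server IP
$OuPath          = 'organizational_unit/inner_organizational_unit'   # vSAN slash notation, '' = default
$ServiceAccount  = 'svc-vsan-fs'                                      # assumed dedicated service account

# Convert vSAN's "outer/inner" OU notation into an LDAP distinguished name.
function ConvertTo-OuDistinguishedName {
    param([string]$SlashPath, [string]$DomainFqdn)
    $domainDn = ($DomainFqdn.Split('.') | ForEach-Object { "DC=$_" }) -join ','
    if ([string]::IsNullOrWhiteSpace($SlashPath)) { return "CN=Computers,$domainDn" }
    $parts = $SlashPath.Trim('/').Split('/')
    [array]::Reverse($parts)                      # innermost OU comes first in a DN
    return (($parts | ForEach-Object { "OU=$_" }) -join ',') + ",$domainDn"
}

# 1. Preferred AD server must answer on Kerberos (88) and LDAP (389).
foreach ($port in 88, 389) {
    $ok = (Test-NetConnection -ComputerName $PreferredServer -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("{0}:{1} reachable: {2}" -f $PreferredServer, $port, $ok)
}

# 2. Target container must exist (Get-ADObject throws if it does not).
$ouDn = ConvertTo-OuDistinguishedName -SlashPath $OuPath -DomainFqdn $AdDomain
Write-Host "Target container: $ouDn"
$null = Get-ADObject -Identity $ouDn -Server $PreferredServer -ErrorAction Stop

# 3. Service account, directly or through a group it belongs to, must hold
#    CreateChild/DeleteChild for the 'computer' class on that container.
$user = Get-ADUser -Identity $ServiceAccount -Server $PreferredServer
$sids = @($user.SID.Value) +
        @(Get-ADPrincipalGroupMembership -Identity $user -Server $PreferredServer | ForEach-Object { $_.SID.Value })

$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the 'computer' class
$rights = [System.DirectoryServices.ActiveDirectoryRights]
$canCreate = $false; $canDelete = $false; $canWriteProps = $false

# The AD: drive queries the session's default DC, not necessarily $PreferredServer.
foreach ($ace in (Get-Acl -Path "AD:\$ouDn").Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    try   { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { continue }                                       # unresolvable trustee, skip
    if ($sids -notcontains $aceSid) { continue }
    # ObjectType scopes the right to one class or attribute; an empty GUID means "all".
    if (($ace.ObjectType -ne $computerClassGuid) -and ($ace.ObjectType -ne [guid]::Empty)) { continue }
    $r = $ace.ActiveDirectoryRights                          # GenericAll already contains these bits
    if ($r.HasFlag($rights::CreateChild))   { $canCreate     = $true }
    if ($r.HasFlag($rights::DeleteChild))   { $canDelete     = $true }
    if ($r.HasFlag($rights::WriteProperty)) { $canWriteProps = $true }
}

[pscustomobject]@{
    Container             = $ouDn
    ServiceAccount        = $user.UserPrincipalName
    CreateComputerObjects = $canCreate
    DeleteComputerObjects = $canDelete
    WriteAllProperties    = $canWriteProps
}
```

Any False in the summary points at the setting to correct before re-running the wizard. The script only expands rights granted to the account itself or to groups returned by Get-ADPrincipalGroupMembership; grants to well-known principals such as Authenticated Users are not expanded, and the per-attribute rights the error message mentions (ms-DS-PrincipleName, uPNSuffixes) are not checked individually, only a container-wide WriteProperty grant is reported.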

Additional Information