"obtainDcInto for domain [domain name] failed Cannot determine <DC name> is valid domain controller", unable to list AD domain users from vSphere Client

Article ID: 387239

Updated On:

Products

  • VMware vCenter Server
  • VMware vCenter Server 7.0
  • VMware vCenter Server 8.0

Issue/Introduction

  • Unable to add permissions for AD users from the vSphere Client when the identity source is configured as Integrated Windows Authentication (IWA).
  • Selecting the AD domain under Administration -> Users and Groups fails with the error "A vCenter Single Sign-On service error occurred".
  • The SSO log (/var/log/vmware/sso/ssoAdminServer.log) shows entries similar to the following:

    YYYY-MM-DDTHH:MM:SSZ INFO ssoAdminServer[thread-5] [OpId=<opid>] [com.vmware.identity.admin.vlsi.PrincipalDiscoveryServiceImpl] [User {Name:username, Domain: vsphere_domain} with role 'rolename'] Find at most 200 person users by criteria searchString=, domain:example.com
    YYYY-MM-DDTHH:MM:SSZ WARN ssoAdminServer[thread-5] [opId=OpId=<opid>] [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider] obtainDcInto for domain [example.com] failed Cannot determine <dcname.example.com> is valid domain controller
    YYYY-MM-DDTHH:MM:SSZ ERROR ssoAdminServer[thread-5] [OpId=OpId=<opid>] [com.vmware.identity.idm.server.IdentityManager] Failed to find person users [Criteria : searchString=, domain=example.com] in tenant [vsphere domain name]
    YYYY-MM-DDTHH:MM:SSZ ERROR ssoAdminServer[thread-5] [OpId=OpId=<opid>] [com.vmware.identity.idm.server.ServerUtils] Exception 'java.lang.NullPointerException'

  • An nslookup of the AD domain name (nslookup example.com) does not return the IP address of the domain controller named in the log entries above.
  • The Likewise lw-get-dc-name tool nevertheless shows that vCenter is trying to contact that domain controller:

    /opt/likewise/bin/lw-get-dc-name example.com 

Cause

This issue is observed when Read-Only Domain Controllers (RODCs) exist in the environment and those RODCs are not returned by nslookup against the domain name, yet Likewise selects one of them as the domain controller for the domain.

Resolution

Add the IP addresses of the failing domain controllers to the Likewise BlacklistedDCs list as follows:

  • SSH to the vCenter Server Appliance.
  • Add the IP addresses of the domain controllers to BlacklistedDCs with the following command:

    /opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\netlogon\Parameters]' BlacklistedDCs "IP_of_Problematic_ReadOnly_DC_1,IP_of_Problematic_ReadOnly_DC_2"

    Note: The value is a comma-separated list of IP addresses. With IWA configured, the Likewise service on the VCSA will not contact the listed domain controllers.

  • Restart the Likewise and SSO services. This causes downtime: the vmafd, vmdird and SSO services are restarted along with them.

    /opt/likewise/bin/lwsm restart lwreg

    service-control --restart vmware-stsd
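The diagnostic and remediation steps above, turned into one repeatable check, as an added shell example that is not part of the KB article. Everything that would normally come from ssoAdminServer.log, from "nslookup example.com" and from "nslookup <dc name>" is constructed inline so the script runs offline; the host names and 192.0.2.x addresses are invented. The script extracts the DC names from obtainDcInto warnings, resolves each one, keeps only those whose address is absent from the domain lookup (the RODC case the article describes), and prints the exact lwregshell line from the Resolution with those addresses filled in. It does not execute lwregshell itself.

```shell
#!/bin/sh
# Added example, not from the KB article. All inputs below are constructed.

# Constructed ssoAdminServer.log excerpt (rodc1 appears twice on purpose).
SAMPLE_LOG='YYYY-MM-DDTHH:MM:SSZ WARN ssoAdminServer[thread-5] [opId=OpId=1] [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider] obtainDcInto for domain [example.com] failed Cannot determine <rodc1.example.com> is valid domain controller
YYYY-MM-DDTHH:MM:SSZ ERROR ssoAdminServer[thread-5] [OpId=OpId=1] [com.vmware.identity.idm.server.IdentityManager] Failed to find person users [Criteria : searchString=, domain=example.com] in tenant [vsphere.local]
YYYY-MM-DDTHH:MM:SSZ WARN ssoAdminServer[thread-5] [opId=OpId=2] [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider] obtainDcInto for domain [example.com] failed Cannot determine <rodc2.example.com> is valid domain controller
YYYY-MM-DDTHH:MM:SSZ WARN ssoAdminServer[thread-5] [opId=OpId=3] [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider] obtainDcInto for domain [example.com] failed Cannot determine <rodc1.example.com> is valid domain controller'

# Constructed answer for "nslookup example.com": writable DCs only, no RODCs.
DOMAIN_DC_IPS='192.0.2.10
192.0.2.11'

# Constructed per-host resolution, i.e. what "nslookup <dc name>" would return.
HOST_IPS='rodc1.example.com 192.0.2.50
rodc2.example.com 192.0.2.51
dc1.example.com 192.0.2.10'

# failing_dcs LOGTEXT: unique DC names named in obtainDcInto failures.
failing_dcs() {
    printf '%s\n' "$1" |
        sed -n 's/.*obtainDcInto for domain \[[^]]*\] failed Cannot determine <\([^>]*\)> is valid domain controller.*/\1/p' |
        sort -u
}

# resolve HOST HOSTMAP: the address recorded for HOST in HOSTMAP, empty if none.
resolve() {
    printf '%s\n' "$2" | awk -v h="$1" '$1 == h { print $2; exit }'
}

# missing_dc_ips LOGTEXT DOMAIN_IPS HOSTMAP: addresses of failing DCs that the
# domain lookup does not return, one per line. A failing DC that the domain
# lookup does list is not an RODC in the article's sense and is skipped.
missing_dc_ips() {
    for dc in $(failing_dcs "$1"); do
        ip=$(resolve "$dc" "$3")
        [ -n "$ip" ] || { echo "cannot resolve $dc" >&2; continue; }
        if ! printf '%s\n' "$2" | grep -qxF "$ip"; then
            printf '%s\n' "$ip"
        fi
    done
}

# blacklist_command IPS: the lwregshell line from the Resolution, built from a
# newline-separated address list (the value itself is comma separated).
blacklist_command() {
    csv=$(printf '%s\n' "$1" | tr '\n' ',' | sed 's/,$//')
    printf '%s\n' "/opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\\Services\\netlogon\\Parameters]' BlacklistedDCs \"$csv\""
}

main() {
    ips=$(missing_dc_ips "$SAMPLE_LOG" "$DOMAIN_DC_IPS" "$HOST_IPS")
    [ -n "$ips" ] || { echo "no unresolvable DCs found in log" >&2; return 1; }
    blacklist_command "$ips"
}

main
```

On a real appliance, replace the three constructed inputs with the actual log file and nslookup output, then run the printed command and the two restarts from the Resolution. Because BlacklistedDCs is a static per-appliance list, it has to be revisited whenever an RODC is added or readdressed; re-running the check after such a change shows whether a new address needs to be appended.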