Authentication Failures to NSX (Error MP403) Due to Stale vIDM Domain Controller Entries
Article ID: 442752

Products

VMware NSX

Issue/Introduction

Indicators include:

  • NSX Logs: errorCode="MP403" Authentication validation failed.
  • vIDM Logs: HTTP 500 Internal Server Error or Error communicating with connector.
  • Active Directory: Accounts may show as locked due to repeated failed attempts initiated by the vIDM connector targeting an unreachable DC.

Environment

NSX 4.x

NSX 9.x

Cause

This issue occurs when vIDM attempts to communicate with a stale or invalid Domain Controller. If a DC was removed from Active Directory but remains in the vIDM cache or the domain_krb.properties file, the synchronization process fails. vIDM uses DNS Service Location (SRV) record lookups to build this list; if old metadata exists in AD, vIDM re-adds the invalid DC during every sync.

Resolution

To resolve this, you must ensure the stale DC is fully removed from Active Directory and then force vIDM to rebuild its domain controller list.

1. Verify Active Directory Cleanliness

  • Confirm that the decommissioned Domain Controller has been fully removed from Active Directory Sites and Services.
  • Verify that no stale DNS SRV records (e.g., _ldap._tcp.dc._msdcs.<domain>) point to the old DC IP/Hostname.

2. Modify vIDM domain_krb.properties

The domain_krb.properties file specifies which DCs vIDM uses for each directory (domain). Forcing vIDM to re-create this file, or editing it by hand, ensures that only valid DCs are targeted.

  1. Log in to the vIDM appliance as root.
  2. Navigate to the configuration directory:
    cd /usr/local/horizon/conf
  3. Edit the file domain_krb.properties to ensure only valid DCs are listed for your domain:
    Format: domain=host:port,host2:port
  4. Set correct permissions:
    chown horizon:www /usr/local/horizon/conf/domain_krb.properties
  5. Restart the workspace service to apply changes:
    service horizon-workspace restart
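The following is an added example, not part of this article or of the vIDM product: a small POSIX shell check that cross-references the DCs listed in a domain_krb.properties-style file (step 2) against the targets returned by a DNS SRV lookup for _ldap._tcp.dc._msdcs.<domain> (step 1), reporting any DC the file still names but DNS no longer advertises. The sample file content and SRV answer are constructed; in real use you would feed it the appliance file and the output of dig +short SRV (assumed available).

```sh
#!/bin/sh
# Added example (not from the KB article). Reports DCs that a
# domain_krb.properties file still lists but DNS SRV no longer returns.

# Print the hosts configured for one domain from properties text on stdin.
# File format per the article: domain=host:port,host2:port
krb_hosts() {
  awk -F= -v d="$1" '$1 == d { print $2 }' \
    | tr ',' '\n' | cut -d: -f1 | sed 's/\.$//' \
    | tr 'A-Z' 'a-z' | grep -v '^$' | sort -u
}

# Extract SRV targets from dig +short style lines on stdin
# (fields: priority weight port target), dropping the trailing dot.
srv_targets() {
  awk 'NF >= 4 { sub(/\.$/, "", $4); print $4 }' | tr 'A-Z' 'a-z' | sort -u
}

# Usage: stale_dcs <domain> <properties text> <srv answer text>
# Prints one stale host per line (empty output means nothing stale).
stale_dcs() {
  domain="$1"; props="$2"; srv="$3"
  advertised=$(printf '%s\n' "$srv" | srv_targets)
  printf '%s\n' "$props" | krb_hosts "$domain" | while read -r host; do
    printf '%s\n' "$advertised" | grep -qxF "$host" || printf '%s\n' "$host"
  done
}

# Constructed sample: dc-old was decommissioned but is still in the file.
SAMPLE_PROPS='corp.example=dc01.corp.example:389,dc-old.corp.example:389
other.example=dc02.other.example:389'
# Constructed answer for: dig +short SRV _ldap._tcp.dc._msdcs.corp.example
SAMPLE_SRV='0 100 389 dc01.corp.example.
0 100 389 dc03.corp.example.'

# On the appliance (hypothetical invocation, domain name is a placeholder):
#   stale_dcs corp.example \
#     "$(cat /usr/local/horizon/conf/domain_krb.properties)" \
#     "$(dig +short SRV _ldap._tcp.dc._msdcs.corp.example)"
stale_dcs corp.example "$SAMPLE_PROPS" "$SAMPLE_SRV"
```

Any host the script prints is a candidate for removal from domain_krb.properties before the service restart; a DC that is in DNS but absent from the file is not reported, since the article's concern is stale entries.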

3. Verification

  • Monitor connector.log and horizon.log for successful LDAP binds.
  • Validate the connection from the vIDM integration to NSX Manager.

Additional Information

Editing the domain_krb.properties file