Note: This procedure uses vCenter 8.0 Update 2 (the process is the same for vSphere 7).
When you set up your VCSA you will have configured SSO, in most cases accepting the default SSO domain of vsphere.local. But if you want to log into VMware you probably want your identity source to be AD (to use your existing usernames and passwords).
Note: In this example I will grant administrative access to the Domain Admins group; in production you will probably want to create some new AD groups and look at the principle of least privilege.
Solution: vCenter Domain Authentication
Once logged into vCenter, change views by clicking the ‘three lines’ at the top left of the screen, then navigate to Administration > Single Sign On > Configuration > Identity Provider > Active Directory Domain > Join AD.
Supply the domain name and some credentials that have the rights to join a machine to the domain > Join.
Nothing happens! Don’t worry, that’s normal; nothing will change (and you can’t progress) until you’ve rebooted the VCSA.
While it’s rebooting you can check in your AD and you will see the computer object has been created for the VCSA.
Have some patience; once the VCSA has rebooted and all the services are back online you will see the display has changed to show the domain information, and you can now proceed.
Identity Source > Add.
Change the drop down to Active Directory over LDAP.
Enter the details to join the domain; the account you use to ‘bind’ to Active Directory can be a simple ‘domain user’. Fill in the fields and select ‘Add’.
Now select the domain you just added and ‘Set as Default’ > confirm by pressing ‘OK’.
Users and Groups > Groups > Select Administrators > Edit.
Change the domain to your AD domain > Search for Domain Admins > Add that group.
You can now authenticate into the VCSA with an account that is a member of that AD group.
Related Articles, References, Credits, or External Links
User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed. Windows could not locate the directory object OU=Top-Level,OU=computers,DC=PeteNetLive,DC=com. Group Policy settings will not be enforced until this event is resolved. View the event details for more information on this error.
To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
Note: You may also see Event ID 1101
Event ID 1101
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Event ID: 1101
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: PNL-PROD-WIN10.pnl.com
Description:
The processing of Group Policy failed. Windows could not locate the directory object OU=PNL,DC=pnl,DC=com. Group Policy settings will not be enforced until this event is resolved. View the event details for more information on this error.
Solution
Strangely, the OU that this computer was in needed to have the ‘Read’ right granted to the ‘Authenticated Users’ group; not sure how that got removed! Note: Remember to start at the OU that’s directly on the root of the domain, if you have nested OUs.
After that everything was peachy!
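To check this without clicking through every OU, here is an added PowerShell example (not from the original article) that walks from the computer object up through each OU containing it and reports whether ‘Authenticated Users’ still holds the Read right on each one. It assumes RSAT (the ActiveDirectory module) and uses the computer name from the event above; the OU path is resolved live from AD.

```powershell
# Added example (not from the original article): walk from a computer object up
# through every OU that contains it and report whether 'Authenticated Users'
# still holds Read on each one. Needs RSAT for the ActiveDirectory module.
Import-Module ActiveDirectory   # also provides the AD: PSDrive used by Get-Acl

function Get-OuChain {
    # Returns the OUs containing $ObjectDN, root-most first (the order the
    # article says to check them in), e.g. OU=PNL,DC=pnl,DC=com then deeper OUs.
    param([Parameter(Mandatory)][string]$ObjectDN)
    $parts = $ObjectDN -split '(?<!\\),'          # split on unescaped commas only
    for ($i = $parts.Count - 1; $i -ge 1; $i--) {
        $dn = $parts[$i..($parts.Count - 1)] -join ','
        if ($dn -like 'OU=*') { $dn }
    }
}

function Test-OuAuthenticatedUsersRead {
    # True when the Allow ACEs for Authenticated Users (S-1-5-11) on the OU add
    # up to at least the 'Read' right ADUC shows, which is GenericRead =
    # ReadControl | ReadProperty | ListChildren | ListObject.
    param([Parameter(Mandatory)][string]$OuDN)
    $acl     = Get-Acl -Path "AD:\$OuDN"
    $allowed = 0
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid.Value -ne 'S-1-5-11') { continue }
        $allowed = $allowed -bor [int]$ace.ActiveDirectoryRights
    }
    $required = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    return (($allowed -band $required) -eq $required)
}

# Computer name taken from the event in the article; everything else is looked up.
$computer = Get-ADComputer -Identity 'PNL-PROD-WIN10'
foreach ($ou in Get-OuChain -ObjectDN $computer.DistinguishedName) {
    $status = if (Test-OuAuthenticatedUsersRead -OuDN $ou) { 'OK' } else { 'MISSING' }
    '{0,-8}{1}' -f $status, $ou
}
```

Any OU reported as MISSING is where the Read right needs restoring; a Deny ACE for Authenticated Users would also break policy processing and is worth looking for in the same ACL.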
If you’re logging on as a new user and Internet Explorer has not yet been run, it wants to run the “Setup Windows Internet Explorer Wizard”.
On just one machine with one user that’s fine, but if you are logging in all over the place with multiple credentials, this can get quite annoying. Also, you might not want your domain users having to do this at all, for security reasons.
Solution
On a Single (stand alone) machine.
1. Click Start and in the run/search box type gpedit.msc {enter}
2. Navigate to > Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Prevent Running First Run wizard.
Note: In older versions of Windows it’s called ‘Prevent Performance of First Run Customize settings’.
3. If you enable the policy you can set it to either:
a. Go directly to home page.
b. Go to the “Welcome to Internet Explorer” Web page.
1. On one of your domain controllers > Start > Administrative Tools > Group Policy Management Console > either select an existing policy or create and link one to the COMPUTERS you want this policy to affect. Then edit the policy.
2. Navigate to > Computer Configuration Policies > Administrative Templates > Windows Components > Internet Explorer > Prevent Running First Run wizard.
Note: On older Windows Platforms this is called ‘Prevent Performance of First Run Customize settings.‘
3. If you enable the policy you can set it to either:
a. Go directly to home page.
b. Go to the “Welcome to Internet Explorer” Web page.
I noticed some shiny Aruba switches on the bench today, they were for a job my colleague is working on. (Note: Each switch in a stack should be the same model, so these will need two stacks!)
I work on the occasional HP/Aruba core switch, but it’s been a while since I did any work on distribution switches like these. The first thing I learned was that there’s no dedicated stacking cable for them; they simply use a 10Gb (Twinax / DAC) cable. Which I suppose is pretty straightforward, but it means you lose an SFP+ port (which is a bit pants).*
*Note: You can stack with 1Gb cables, but you can’t mix and match!
So I said “Give me a shout when you stack them and I’ll take a nosey!”
Solution
In the ‘land of Aruba’ this is called creating a VSF (Virtual Switching Fabric). As you can see from the photo, these are 2930F switches, and you can stack up to four switches in a VSF. The same stacking method is used on the 5400R (v3) and 5412 (where you can link two 5400Rs or 5412s).
Also, this method is NOT to be confused with ‘Fabric Stacking’, which is available on the 2920, 2930M, 3800 and 3810M models (that is more like Cisco FlexStack, with a dedicated 100Gb stack cable).
So, assuming your switch is new and fresh, connect with your console cable, and dedicate a port to use for VSF.
[box]
Aruba-2930F-24G-PoEP-4SFPP# conf t
Aruba-2930F-24G-PoEP-4SFPP(config)# vsf member 1 link 1 ethernet 25
All configuration on this port has been removed and port is placed in VSF mode.
[/box]
Then place the switch into a VSF domain;
[box]
Aruba-2930F-24G-PoEP-4SFPP(config)# vsf enable domain 1
This will save the current configuration and reboot the switch.
[/box]
The switch will ask for a reboot, let it do so.
Repeat the procedure on the second switch (but this will be member 2).
[box]
Aruba-2930F-24G-PoEP-4SFPP# conf t
Aruba-2930F-24G-PoEP-4SFPP(config)# vsf member 2 link 1 ethernet 25
All configuration on this port has been removed and port is placed in VSF mode.
Aruba-2930F-24G-PoEP-4SFPP(config)# vsf enable domain 1
This will save the current configuration and reboot the switch.
[/box]
Once again let the switch reboot.
Post reboot you will see the ports are ‘re-numbered’: 1/{port-number} on VSF member 1, 2/{port-number} on VSF member 2, etc.
[box]
Aruba-2930F-24G-PoEP-4SFPP# show interfaces
Status and Counters - Port Counters
Flow Bcast
Port Total Bytes Total Frames Errors Rx Drops Tx Ctrl Limit
------------ -------------- -------------- --------- --------- ---- -----
1/1 0 0 0 0 off 0
1/2 0 0 0 0 off 0
1/3 0 0 0 0 off 0
1/4 0 0 0 0 off 0
<---------------Output Removed For The Sake Of Brevity-------------->
1/10 0 0 0 0 off 0
1/11 0 0 0 0 off 0
1/12 0 0 0 0 off 0
1/13 0 0 0 0 off 0
<---------------Output Removed For The Sake Of Brevity-------------->
1/19 0 0 0 0 off 0
1/20 0 0 0 0 off 0
1/21 0 0 0 0 off 0
1/25 1,496,823,949 23,354,845 0 0 off 0
<---------------Output Removed For The Sake Of Brevity-------------->
2/1 0 0 0 0 off 0
2/2 0 0 0 0 off 0
2/3 0 0 0 0 off 0
2/4 0 0 0 0 off 0
<---------------Output Removed For The Sake Of Brevity-------------->
2/22 0 0 0 0 off 0
2/23 0 0 0 0 off 0
2/24 0 0 0 0 off 0
2/25 1,536,016,322 23,966,915 0 0 off 0
2/26 0 0 0 0 off 0
2/27 0 0 0 0 off 0
2/28 0 0 0 0 off 0
[/box]
If you need to stack 3 or 4 switches then you need to add a second link and create a ring, i.e.
Switch 2 (2nd link, now to switch 3): vsf member 2 link 2 ethernet 26
Switch 3 (1st link, to switch 2): vsf member 3 link 1 ethernet 25
Switch 3 (2nd link, to switch 4): vsf member 3 link 2 ethernet 26
Switch 4 (1st link, to switch 3): vsf member 4 link 1 ethernet 25
Switch 4 (2nd link, to switch 1): vsf member 4 link 2 ethernet 26
Useful Aruba VSF Commands
show vsf or show vsf detail : Shows the list of provisioned chassis members.
show vsf link or show vsf link detail : Shows the state of vsf links for all members.
show vsf lldp-mad status : Shows LLDP MAD (Multi-Active Detection).
show vsf trunk-designated-forwarder : Shows designated forwarders for each trunk.
I needed to work out how to bulk disable some domain users from a .CSV file this week, so I thought I’d write it up.
Disable Domain Users in Bulk from CSV
Well firstly, you need to have your users in a CSV file. For the live job I just exported all the SamAccountNames to a CSV, but here for testing I just loaded a few in manually;
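As an added example (not the article’s own script), here is one way to do the bulk disable with the ActiveDirectory module. It expects a CSV with a SamAccountName header, runs as a dry run unless -Commit is given, and skips accounts with adminCount=1 (members of protected admin groups) so a bad export cannot lock out the administrators; the CSV contents and path are constructed for illustration.

```powershell
# Added example (not the article's own script): disable the users listed in a
# CSV with a 'SamAccountName' header. Dry run by default; -Commit makes changes.
# Accounts flagged adminCount=1 (protected/admin groups) are skipped on purpose.
Import-Module ActiveDirectory

function Disable-UsersFromCsv {
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [switch]$Commit
    )
    $rows = @(Import-Csv -Path $CsvPath)
    if ($rows.Count -eq 0 -or -not ($rows[0].PSObject.Properties.Name -contains 'SamAccountName')) {
        throw "CSV '$CsvPath' needs a header row with a SamAccountName column"
    }
    foreach ($row in $rows) {
        $sam = "$($row.SamAccountName)".Trim()
        if (-not $sam) { continue }                       # blank line in the CSV
        $result = [pscustomobject]@{ SamAccountName = $sam; Status = '' }
        try {
            $user = Get-ADUser -Identity $sam -Properties Enabled, adminCount -ErrorAction Stop
        } catch {
            # Typo in the export, or the account is already gone
            $result.Status = "LookupFailed: $($_.Exception.Message)"
            $result; continue
        }
        if ($user.adminCount -eq 1)  { $result.Status = 'SkippedProtected' }
        elseif (-not $user.Enabled)  { $result.Status = 'AlreadyDisabled' }
        elseif ($Commit) {
            Disable-ADAccount -Identity $user -ErrorAction Stop
            $result.Status = 'Disabled'
        }
        else                         { $result.Status = 'WouldDisable' }
        $result
    }
}

# Constructed test file, standing in for the 'load a few in manually' step above
$csv = Join-Path $env:TEMP 'disable-users.csv'
@'
SamAccountName
test.user1
test.user2
'@ | Set-Content -Path $csv

Disable-UsersFromCsv -CsvPath $csv | Format-Table -AutoSize           # review first
# Disable-UsersFromCsv -CsvPath $csv -Commit | Format-Table -AutoSize # then apply
```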
When attempting to connect to a remote machine’s registry;
Error
The program cannot open the required dialog box because no locations can be found. Close this message and try again.
Solution
The ultimate cause of this problem is that the machine you are on cannot see Active Directory, either because no domain controllers are online, or because its DNS settings are incorrect.
About a month ago I was with a client to do some investigation/consultancy, they were a large company with their head office in the UK and a number of other offices around the world. They had a number of domains and sub domains and wanted to consolidate them all into a new domain.
Well that’s all OK, but the UK company has been purchased by a large American company, who were putting a lot of pressure on them to ‘get this done’.
So what was the problem? Well, the American company had a domain called olduscomp.com, and were undergoing their own migration (not yet started) to newuscomp.com. The UK company wanted to use ukcomp.newuscomp.com.
Me: That’s OK, once newuscomp.com is built we will make ukcomp a child domain of that; that’s not a problem.
Client: Well that might not be built for quite some time, the guys in the states have problems of their own.
Me: OK we will build it here, then build our child domain, then we can then give them the root domain?
Client: That probably won’t fly either; can we just build ukcomp.newuscomp.com here, then make it a child domain later?
Me: No (the first DC in a child domain needs to be a member of the parent domain).
Client: OK can we build ukcomp.newuscomp.com, and then when the US guys build newuscomp.com, can we get the domains to trust each other?
Me: I don’t think so (they have a similar namespace), I don’t think that will work? I would need to test it to see if it was possible.
The problem was dancing about on my mental ‘back-burner’ for the next few weeks, so in my free time, I thought I would investigate if it was possible.
Solution
Well, I built both the domains; my usual procedure for creating a domain trust is;
Create a conditional DNS forwarder in domain A for domain B
Create a conditional DNS forwarder in domain B for domain A
Go to Active Directory Domains and Trusts and setup the trust
As you can see from the diagram above I used subdomain.domain.com for the first domain, and I used domain.com for the second domain. So when I started, the only thing these domains shared is some namespace.
Creating a conditional forwarder in subdomain.domain.com for domain.com went without a hiccup.
However when I tried to create a conditional forwarder in domain.com for subdomain.domain.com this happened;
A problem occurred when trying to add the conditional forwarder. A zone configuration problem has occurred.
However it does say I can delegate the namespace to another DNS server, would that work? If you don’t know what a delegation is read this article.
Then I setup the trust, and validated it.
So yes it does work, but you need to remember that these are two different domains that trust each other they just share a common piece of namespace. If it was a parent and child domain then when you were assigning permissions you would see something like this;
But instead, in our case when assigning permissions you will see;
So yes it works, and it looks like a sub domain, you can even call it a subdomain, but it isn’t; it’s just another domain that you can trust.
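The DNS side of the procedure above, as an added PowerShell example using the Windows DnsServer cmdlets (not from the article): the conditional forwarder for domain.com is fine on the subdomain.domain.com side, while on the domain.com side a conditional forwarder for subdomain.domain.com is refused because that name sits inside the zone the server is already authoritative for, so a delegation is created instead, and both sides are then checked for the DC SRV record the trust wizard will need. Server names and IP addresses are constructed placeholders.

```powershell
# Added example (not from the article): DNS plumbing for a trust between
# subdomain.domain.com and domain.com, two forests that only share namespace.
# Names and addresses below are constructed placeholders.
Import-Module DnsServer

$parentZone = 'domain.com'
$childLabel = 'subdomain'                   # child zone, relative to the parent
$childZone  = "$childLabel.$parentZone"
$parentDns  = @('192.0.2.10')               # DNS server(s) authoritative for domain.com
$childDns   = 'dc1.subdomain.domain.com'    # DNS server authoritative for subdomain.domain.com
$childDnsIP = '198.51.100.10'

function Add-ForwarderToParent {
    # Run on a DNS server in subdomain.domain.com: works, as in the article
    if (-not (Get-DnsServerZone -Name $parentZone -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $parentZone -MasterServers $parentDns `
            -ReplicationScope Forest
    }
    Get-DnsServerZone -Name $parentZone | Select-Object ZoneName, ZoneType, MasterServers
}

function Add-DelegationToChild {
    # Run on a DNS server in domain.com. A conditional forwarder for a name
    # inside the authoritative zone gives 'A zone configuration problem has
    # occurred', so delegate: NS (plus glue A) records for the child label.
    $ns = Get-DnsServerResourceRecord -ZoneName $parentZone -Name $childLabel -RRType NS `
              -ErrorAction SilentlyContinue
    if (-not $ns) {
        Add-DnsServerZoneDelegation -Name $parentZone -ChildZoneName $childLabel `
            -NameServer $childDns -IPAddress $childDnsIP
    }
    Get-DnsServerResourceRecord -ZoneName $parentZone -Name $childLabel -RRType NS
}

function Test-TrustPartnerResolution {
    # Run on both sides before opening 'Active Directory Domains and Trusts':
    # each side must find the other domain's DCs via the SRV record every DC registers.
    param([Parameter(Mandatory)][string]$Domain)
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } | Select-Object Name, NameTarget, Port
}

# On the domain.com side, after Add-DelegationToChild:
Test-TrustPartnerResolution -Domain $childZone
# On the subdomain.domain.com side, after Add-ForwarderToParent:
# Test-TrustPartnerResolution -Domain $parentZone
```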
When promoting a server to be a domain controller, you might see the following error,
“A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain “{zone-name}“. Otherwise, no action is required”.
Or if you are on older domain controllers;
I’ve clicked past this error many thousands of times, because I know it’s safe to do so, but what does it mean? And why (in most cases) can you simply ignore it?
Solution
Quick Answer:
If you’re here because you have just Googled the error and don’t really care, because you have work to do, then in 99% of cases this error can be ignored, unless you need assets within your internal domain DNS to be addressable, or look-upable (if those are words!), from the public internet.
But I’m creating a child domain? If you are creating a child domain, then the machine you are promoting to be a domain controller in the new child domain should be a member of the root domain first! Also, you need to be logged on as a member of the Enterprise Admins group. When creating a child domain you should NEVER see this error, because a DNS delegation is created for you automatically in the root domain. The only error you may see is;
Could not log into the domain with the specified credentials. Supply a valid credential and try again.
Make sure you are a member of the root domain’s Enterprise Admins group and that the root domain is contactable.
The Long Answer:
It’s complaining because it can’t make a ‘delegation’ in the domain that’s directly above you. What does that mean? Well, a delegation is (as the name implies) a method of delegating authority for a DNS zone somewhere else, to another DNS server to be precise. So for the following;
AD domain domain.com: looks to the servers responsible for com and looks for a delegation to itself; if one does not exist it tries to create one and will fail.
AD domain subdomain.domain.com: looks to the servers responsible for com and looks for a delegation to itself; if one does not exist it tries to create one and will fail. NOTE: this domain might look like a subdomain/child domain, but if you selected new domain in a new forest, it isn’t (this can be confusing, that’s why I’m mentioning it).
AD child domain subdomain.domain.com: this will look to the DNS servers responsible for domain.com (the root domain in your forest) and it will create a delegation for you. For this to work you will have selected “Add a new domain to an existing forest”.
Providing you are an Enterprise Administrator, the delegation will be created for you in the domain ‘above’ you.
If you open the delegation, you will see that the name server entry for your child domain has been created;
The domain ‘Above’ me isn’t a Windows domain, or it’s a public domain?
Then, if you need to have your domain assets addressed by their DNS name from the internet, you need to do the following.
Allow DNS access to your internal DNS server(s) from the Internet (via UDP and TCP port 53).
Create an A (or AAAA) record for each of your DNS servers, with a public name, i.e. ns1.yourdomain.com etc.
Create an NS (name server) record that points to each of your DNS servers’ A (or AAAA) records.
You see the following error in your event log (seen here in the system log on a domain controller).
Log Name: System
Source: NETLOGON
Date: 15/11/2012 06:00:35
Event ID: 5719
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Servername.Domain-Name.com
Description:
This computer was not able to set up a secure session with a domain controller in domain (domain-name) due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.
Solution
Note: In this case the domain it could not contact was NOT my live domain name it was a different domain name. If your error is referencing your live domain name then you have a different problem.
Cause: In my case the problem was being caused because I had a domain trust to a domain that was no longer contactable (one of my colleagues had set it up in the past to do some testing). So I simply needed to remove the trust.
Warning: In this case that trust was no longer required – check that the same is true for you!
1. On a domain controller > Windows Key+R > domain.msc {enter}
2. Right click the domain name > Properties > Trusts > Select the problem domain > Remove > Yes > OK.
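Before removing anything, this added PowerShell example (not from the article) pulls the domain name out of the 5719 events, lists every trust the domain holds, and checks whether each partner can still be located, via the DC SRV record and via the Netlogon DC locator (nltest), so you can confirm the trust you are about to remove really is the dead one. The same DC-location test is what fails in the Remote Registry ‘no locations can be found’ case above. It assumes RSAT for the ActiveDirectory module and runs on a domain controller.

```powershell
# Added example (not from the article): which domain do the 5719 events name,
# and can each trust partner still be located? Run on a DC with RSAT installed.
Import-Module ActiveDirectory

function Get-Netlogon5719Domains {
    # Pull the domain name out of 'in domain X due to the following' messages
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5719 } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'in domain \(?([^)\s]+)\)? due to') { $Matches[1] }
        } | Sort-Object -Unique
}

function Get-TrustHealth {
    $failing = @(Get-Netlogon5719Domains)
    foreach ($trust in Get-ADTrust -Filter *) {
        $partner = $trust.Target
        # DNS view: every DC registers this SRV record for its own domain
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$partner" -Type SRV `
                   -ErrorAction SilentlyContinue
        # Netlogon view: ask the DC locator the same question the 5719 path asks
        $null = & nltest.exe "/dsgetdc:$partner" 2>&1
        [pscustomobject]@{
            Partner         = $partner
            Direction       = $trust.Direction
            TrustType       = $trust.TrustType
            DnsSrvFound     = [bool]$srv
            NetlogonFoundDc = ($LASTEXITCODE -eq 0)
            # 5719 may log the NetBIOS name, so compare against both forms
            NamedIn5719     = ($failing -contains $partner -or $failing -contains $trust.FlatName)
        }
    }
}

Get-TrustHealth | Format-Table -AutoSize
```

A trust showing NamedIn5719 = True with both DnsSrvFound and NetlogonFoundDc = False is the candidate for step 2 above; a partner that still resolves points to a different (DNS or connectivity) problem rather than a stale trust.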
Note: I’ve had the same problem on a freshly installed vCenter 5.1 as well.
I upgraded my Virtual Center from 5.0 to 5.1 yesterday, and post upgrade I could no longer log in; it would tell me “Unknown user or bad password”.
During the upgrade I did see this error, but after that the install completed successfully.
Error 29155.Identity source discovery error
As it turns out this was the root cause of my problem.
Solution
1. Firstly install the ‘Web Client’ on the Virtual Center. Note: You will need Adobe Flash installed for this to work. (Sometimes this needs a reboot, the firewall turning off, and/or adding to trusted sites in IE, before it works.)
Note: The Web Client is on the Virtual Center install CD.
2. Connect to the server on https://localhost:9443 and log on (Note: Use the username admin@System-Domain and the password you used when you installed Single Sign On earlier). Expand Sign on and Discovery > Configuration > Select the ‘Add’ icon.
3. Supply your domain details as follows; those ldapURLs simply point to the domain controller(s).
4. Scroll down and enter the domain logon credentials, then select ‘Test Connection’.
5. It should say ‘connected successfully’; if not, check the comms and that the details you entered are correct.
6. Click the ‘Add to Default Domains’ Icon.
7. Finally save the changes by selecting the ‘Save’ icon, you should now be able to authenticate to the vCenter with your domain credentials.