Tuesday, October 18, 2016

Free VMware ESXi Active Directory Problems

I have several free license VMware ESXi servers where I use Active Directory (AD) authentication to log in via the vCenter client.  I frequently find AD credential don't work (usually invalid password or authentication failed).

When I look at the Host Configuration / Authentication Services Setting tab, I see:
Directory Service Type                    Active Directory
Domain                                            Mydomain.Com
Trusted Domain Controllers                        --

The "--"  for domain controllers means it isn't talking to my DC.  I've spend hours digging though DC and ESXi logs trying to figure out why with no clear reason found.  We have had to take drastic actions such as leaving the domain which causes all the defined permissions to be lost and have to be recreated.   Rebooting usually works but that is very disruptive. 

My star helper finally found a way to reconnect to AD that is fast, easy and non-disruptive.  Basically he kept searching through all the files on ESXi looking for anything to do with AD, domain and a dozen other keywords.  He found this gem!

/usr/lib/vmware/likewise/bin/domainjoin-cli 

This is the script that joins the domain or rejoins when disconnected for some reason.

The usage is: 

/usr/lib/vmware/likewise/bin/domainjoin-cli join

E.g. 
/usr/lib/vmware/likewise/bin/domainjoin-cli join mydomain.com jomebrew password

I have automated this using plink and a simple perl based web page where we can enter a number of IP addresses and iterate through the list issuing the command via plink.  It usually works but when it doesn't, we ssh to the host and issue the command manually.

Note:  We have experienced AD issues on Vmware 5.5 and 6.0.  These are not issues with vCenter or licenses hosts.  I imagine stand alone licensed hosts would experience the same issue.





No comments: