I. Symptom
When VCSA 7.0 is joined to an AD domain, it fails with "Idm client exception: Error trying to join AD, error code 2453".
II. Troubleshooting
(A) Check whether it is a DNS problem
Verify that DNS is configured correctly, as follows:
1. Enable SSH on VCSA.
2. Command> shell
3. # /opt/vmware/share/vami/vami_config_net
4. Reconfigure DNS
The problem persisted.
(B) Check from the command line
Command syntax:
# /opt/likewise/bin/domainjoin-cli join domainname username password
root@lhvc01 [ ~ ]# /opt/likewise/bin/domainjoin-cli join kf.tlmyt.petrochina administrator abc_123.com
Joining to AD Domain: kf.tlmyt.petrochina
With Computer DNS Name: lhvc01.kf.tlmyt.petrochina
Error: ERROR_GEN_FAILURE [code 0x0000001f]
Idm client exception: Error trying to join AD, error code [31], user [administrator], domain [kf.tlmyt.petrochina], orgUnit [LN]
The error persisted.
(C) Check whether it is an SMB protocol problem
Following the official VMware KB article below, check whether the SMB protocol version is the cause:
Enabling vCenter Server Appliance to use SMB2 (2150832) (vmware.com)
1. Purpose
- Enable vCenter Server Appliance to use SMB2 to overcome WannaCry caused by an SMB1 vulnerability
- Attempting to join the vCSA to AD domain fails with Error: ERROR_GEN_FAILURE [code 0x0000001f]
2. Procedure
(1)Connect to the vCenter Server Appliance using SSH session.
(2)Run this command to enable the Bash shell:
shell.set --enabled true
(3)Run this command to access the Bash shell:
shell
(4)Set the SMB2Enabled flag in likewise's config:
/opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]' Smb2Enabled 1
(5)Run this command to verify the values:
/opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]'
(6)Restart likewise service:
/opt/likewise/bin/lwsm restart lwio
Note: If the value does not exist, the above may fail. To create the value in that instance, run:
/opt/likewise/bin/lwregshell add_value '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]' Smb2Enabled REG_DWORD 1
After following the steps above, the appliance still could not join the Windows domain.
(D) Check whether port 445 is the problem
For the port 445 check, see the official KB article: ERROR_GEN_FAILURE [code 0x0000001f] error while adding VCSA to AD Domain (77531) (vmware.com)
The check was performed as follows:
root@lhvc01 [ ~ ]# openssl s_client -connect kf.tlmyt.petrochina:445
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 215 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1691466255
Timeout : 300 (sec)
Verify return code: 0 (ok)
Port 445 is not the problem; the DC is reachable on it.
(E) Check time synchronization
The root cause was finally found: the DC's clock and vCenter's clock were out of sync by roughly 10 minutes. After manually correcting the DC's time, the appliance joined the Windows AD domain successfully.
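The checks in sections (C), (D) and (E) can be scripted so they are run before a join attempt rather than discovered one failure at a time. The POSIX shell script below is an added example written for this post; it is not the author's code and not a VMware tool. It reads the Likewise registry output for Smb2Enabled, interprets the openssl s_client output from section (D), and compares the appliance clock with the DC clock. Two points it encodes: in the output above, "CONNECTED(00000003)" already proves the TCP handshake to port 445 succeeded, and the following "write:errno=104" is just the SMB service resetting a TLS ClientHello it does not understand, so that output is a pass, not a failure; and Kerberos rejects authentication when clocks differ by more than its default 5-minute tolerance, which is why a 10-minute skew breaks the join. Assumptions: the DC name dc01.example.test is a placeholder, the lwregshell output format is assumed (sample constructed), the epoch values are constructed to reproduce a 10-minute skew, and fetching the DC time via ldapsearch requires that tool to be installed on the appliance.

```shell
#!/bin/sh
# Added example (not from the original post): pre-join checks for a vCenter
# Server Appliance covering SMB2 flag, TCP/445 reachability and clock skew.
# Assumptions: lwregshell path as shown in the post; DC name is a placeholder;
# 300 s is the Kerberos default clock-skew tolerance.

KRB_MAX_SKEW=300   # Kerberos default: more than 5 minutes of skew breaks authentication

# smb2_enabled OUTPUT: parse `lwregshell list_values` output and print the
# Smb2Enabled value, or "missing" when the value has not been created yet.
# Assumed line shape: "Smb2Enabled"  REG_DWORD  0x00000001 (1)
smb2_enabled() {
    printf '%s\n' "$1" | awk '
        /Smb2Enabled/ { v = $NF; gsub(/[()]/, "", v); print v; found = 1 }
        END { if (!found) print "missing" }'
}

# port445_reachable OUTPUT: interpret openssl s_client output. SMB is not TLS,
# so a CONNECTED line followed by a reset is a successful TCP connect;
# "connect:errno=" without CONNECTED means the handshake itself failed.
port445_reachable() {
    printf '%s\n' "$1" | grep -q '^CONNECTED('
}

# clock_skew LOCAL_EPOCH DC_EPOCH: print the absolute clock difference in seconds.
clock_skew() {
    s=$(( $1 - $2 ))
    [ "$s" -lt 0 ] && s=$(( -s ))
    echo "$s"
}

# skew_ok LOCAL_EPOCH DC_EPOCH: succeed only when the skew is within Kerberos tolerance.
skew_ok() {
    [ "$(clock_skew "$1" "$2")" -le "$KRB_MAX_SKEW" ]
}

# Constructed sample data (offline self-check); not captured from a real appliance,
# except the two openssl lines which mirror the post's output.
SAMPLE_REG='[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]
  "Smb2Enabled"   REG_DWORD   0x00000001 (1)'
SAMPLE_REG_MISSING='[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]'
SAMPLE_OPENSSL='CONNECTED(00000003)
write:errno=104'
SAMPLE_VCSA_EPOCH=1691466255   # appliance clock (constructed)
SAMPLE_DC_EPOCH=1691466855     # DC clock, 10 minutes ahead (constructed)

# self_check: return 0 when every parser and the skew logic behave as expected.
self_check() {
    [ "$(smb2_enabled "$SAMPLE_REG")" = "1" ] || return 1
    [ "$(smb2_enabled "$SAMPLE_REG_MISSING")" = "missing" ] || return 1
    port445_reachable "$SAMPLE_OPENSSL" || return 1
    [ "$(clock_skew "$SAMPLE_VCSA_EPOCH" "$SAMPLE_DC_EPOCH")" = "600" ] || return 1
    if skew_ok "$SAMPLE_VCSA_EPOCH" "$SAMPLE_DC_EPOCH"; then return 1; fi  # 10 min must be flagged
    return 0
}

# Live use on the appliance (network and Likewise tools required):
#   DC=dc01.example.test                      # placeholder
#   reg=$(/opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]')
#   echo "Smb2Enabled=$(smb2_enabled "$reg")"
#   out=$(openssl s_client -connect "$DC:445" </dev/null 2>&1)
#   port445_reachable "$out" && echo "445 reachable" || echo "445 blocked"
#   # DC time via the AD RootDSE currentTime attribute (YYYYMMDDHHMMSS.0Z), if ldapsearch exists:
#   dc_raw=$(ldapsearch -x -H "ldap://$DC" -s base currentTime | awk '/^currentTime:/ {print $2}')
#   dc_epoch=$(date -u -d "$(echo "$dc_raw" | sed 's/\(....\)\(..\)\(..\)\(..\)\(..\)\(..\).*/\1-\2-\3 \4:\5:\6/')" +%s)
#   skew_ok "$(date -u +%s)" "$dc_epoch" && echo "clock ok" || echo "clock skew too large"

if [ "${1:-}" = "--self-check" ]; then
    self_check && echo "self-check passed"
fi
```

Run `sh prejoin_check.sh --self-check` to exercise the parsers offline; on the appliance, uncomment the live section and set DC to the domain controller's DNS name. Fixing the DC's clock against a trusted NTP source, as the post did manually, is the durable fix; the skew check only tells you that the join will fail before domainjoin-cli does.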