VMware vSphere: Join a vCenter VCSA Appliance to an Active directory domain by command line

Hi,

the vCenter GUI offers the ability to add an identity provider like Microsoft AD. In some cases this won't work, for example if you are not a domain admin and have to specify in which organisational unit the computer object should be created. The computer object must not already exist: delete an existing object, because it is created during the join process!

Let's do it. Log in to the VCSA appliance by SSH and start a root shell.

Command> shell
Shell access is granted to root
root@vCenter ~ # 

You need the distinguished name of the folder (OU) where the computer object should be created, and a login that has permission to join the domain in that folder.

Also check the time on the VCSA and in the domain. If the time difference is > 5 min, the generic error ERROR_GEN_FAILURE language="0x0000001f" can occur. In the Web GUI the error is shown as error code [31].

The join command is domainjoin-cli

Command> shell
Shell access is granted to root
root@vCenter ~ # /opt/likewise/bin/domainjoin-cli join --advanced --ou "OU=MyComputers,OU=MyDepartment,DC=MyDomain,DC=org" MyDomain.org "myJoinLogin@MyDomain.org"
Joining to AD Domain:   MyDomain.org
With Computer DNS Name: myVCenter.MyDomain.org
myJoinLogin@MYDOMAIN.ORG's password:

SUCCESS

If joining fails, you can add --loglevel verbose --logfile /tmp/domain.log before the join parameter for detailed output.

Command> shell
Shell access is granted to root
root@vCenter ~ # /opt/likewise/bin/domainjoin-cli --loglevel verbose --logfile /tmp/domain.log join --advanced --ou "OU=MyComputers,OU=MyDepartment,DC=MyDomain,DC=org" MyDomain.org "myJoinLogin@MyDomain.org"

The join state can be checked with

root@vCenter ~ # /opt/likewise/bin/domainjoin-cli query

A list of all valid identity providers can be retrieved with

root@vCenter ~ # /opt/vmware/bin/sso-config.sh -get_identity_sources

The domain identity source can be added by command line (the previous join must have succeeded)

root@vCenter ~ # /opt/vmware/bin/sso-config.sh -add_identity_source -type nativead MyDomain.org
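As an added example (not code from the post), a small bash wrapper for the steps above: it checks the clock skew the post warns about before joining, runs the join with the verbose log, confirms the result with domainjoin-cli query and then adds the identity source. The binary paths, the 5 minute limit and the "Domain = ..." line of the query output are assumptions about the VCSA.

```bash
#!/bin/bash
# Added example, not part of the original post: wraps the join steps with a
# pre-flight clock check and post-join verification. Paths, the 5 min limit and
# the "Domain = ..." line of "domainjoin-cli query" are assumptions.
set -u
DJ=/opt/likewise/bin/domainjoin-cli
SSO=/opt/vmware/bin/sso-config.sh
LOG=/tmp/domain.log
MAX_SKEW=300   # seconds; a larger skew yields ERROR_GEN_FAILURE / error code [31]

# time_skew_ok LOCAL_EPOCH REMOTE_EPOCH: succeeds if |local - remote| <= MAX_SKEW
time_skew_ok() {
  local d=$(( $1 - $2 ))
  [ "$d" -lt 0 ] && d=$(( -d ))
  [ "$d" -le "$MAX_SKEW" ]
}

# build_join_cmd OU DOMAIN LOGIN [VERBOSE]: prints the join command line; the
# logging switches go before "join", as the post describes
build_join_cmd() {
  local ou=$1 domain=$2 login=$3 verbose=${4:-0} opts=""
  [ "$verbose" = 1 ] && opts="--loglevel verbose --logfile $LOG "
  printf '%s %sjoin --advanced --ou "%s" %s "%s"\n' "$DJ" "$opts" "$ou" "$domain" "$login"
}

# joined_domain QUERY_OUTPUT: the "Domain = X" value of domainjoin-cli query, empty if not joined
joined_domain() {
  printf '%s\n' "$1" | sed -n 's/^Domain *= *//p'
}

# join_hint LOGTEXT: maps the error named in the post to its usual cause
join_hint() {
  case "$1" in
    *ERROR_GEN_FAILURE*|*0x0000001f*) echo "clock skew >5 min between VCSA and domain (error code [31])" ;;
    *) echo "inspect $LOG" ;;
  esac
}

# Driver: script.sh run OU DOMAIN LOGIN DC_EPOCH  (DC_EPOCH = domain controller time in epoch seconds)
if [ "${1:-}" = run ] && [ $# -eq 5 ]; then
  ou=$2; domain=$3; login=$4
  time_skew_ok "$(date +%s)" "$5" || { echo "clock skew too large, fix NTP first"; exit 1; }
  echo "running: $(build_join_cmd "$ou" "$domain" "$login" 1)"
  "$DJ" --loglevel verbose --logfile "$LOG" join --advanced --ou "$ou" "$domain" "$login" \
    || { echo "join failed: $(join_hint "$(cat "$LOG" 2>/dev/null)")"; exit 1; }
  dom=$(joined_domain "$("$DJ" query)")
  [ -n "$dom" ] || { echo "domainjoin-cli query shows no domain"; exit 1; }
  "$SSO" -add_identity_source -type nativead "$domain" && echo "joined and added identity source $dom"
fi
```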

vCenter can also create a DNS entry. Sometimes this doesn't work. As a workaround it can be triggered with (replace the IP address with your vCenter's)

root@vCenter ~ # /opt/likewise/bin/lw-update-dns --ipaddress 10.10.254.40

Add it to the crontab to refresh the entry daily (at 5 o'clock)

root@vCenter ~ # crontab -e

and add

0 5 * * * /opt/likewise/bin/lw-update-dns --ipaddress 10.10.254.40

Michael
