Posted by & filed under Active Directory, Server Admin, Virtualization, VMWare.

Attempting to join a freshly deployed VCSA server to a AD domain can be problematic if SMB1 is disabled. In my case it was 5.5 but I believe this issue persists in 6.x. SMB1 was disabled on the DC as it should be as it is broken and insecure. The problem lies in the fact that VCSA doesn’t support SMB2 and this causes the error. The VAMI (web interface) might report something like the following when attempting to join the domain:

Error: Enabling Active Directory failed.

Additionally, on the VCSA, /var/log/vmware/vpx/vpxd_cfg.log contains entries like the following:

2017-08-16 14:30:07 26987: ERROR: Enabling active directory failed: Joining to AD Domain:   domain.lan
With Computer DNS Name: vcenter-server.domain.lan


Error: ERROR_GEN_FAILURE [code 0x0000001f]
2017-08-16 14:30:07 26987: VC_CFG_RESULT=302

Of course DNS resolution of the VCSA’s hostname should be validated before continuing, but assuming everything else is in working order, the fix is to enable SMB2 on the VCSA.

Verify SMB2 is disabled (note the Smb2Enabled key is 0:

vc-01:~ # /opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]'
   "EchoInterval"     REG_DWORD       0x0000012c (300)
   "EchoTimeout"      REG_DWORD       0x0000000a (10)
   "IdleTimeout"      REG_DWORD       0x0000000a (10)
   "MinCreditReserve" REG_DWORD       0x0000000a (10)
   "Path"             REG_SZ          "/opt/likewise/lib64/librdr.sys.so"
   "ResponseTimeout"  REG_DWORD       0x00000014 (20)
   "SigningEnabled"   REG_DWORD       0x00000001 (1)
   "SigningRequired"  REG_DWORD       0x00000000 (0)
   "Smb2Enabled"      REG_DWORD       0x00000000 (0)

Enable SMB2:

vc-01:~ # /opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]' Smb2Enabled 1

Restart the lwio service:

vc-01:~ # /opt/likewise/bin/lwsm restart lwio

Log out of VAMI web interface, log back in and retry joining to the domain.

Leave a Reply

You must be logged in to post a comment.