Troubleshooting VCSA 7.0 failing to join a Windows AD domain

I. Symptom

When VCSA 7.0 is joined to the AD domain, the join fails with "Idm client exception: Error trying to join AD, error code 2453".

II. Troubleshooting steps

(A) Check for a DNS problem

Verify that DNS is configured correctly, as follows:

1. Enable SSH on VCSA.

2. Command> shell

3.  # /opt/vmware/share/vami/vami_config_net

4. Reconfigure DNS

The problem persists.

(B) Check from the command line

Command format (the password may be left off the command line so that domainjoin-cli prompts for it instead of leaving it in the shell history):

 # /opt/likewise/bin/domainjoin-cli join domainname username password

root@lhvc01 [ ~ ]# /opt/likewise/bin/domainjoin-cli join kf.tlmyt.petrochina  administrator abc_123.com

Joining to AD Domain:   kf.tlmyt.petrochina

With Computer DNS Name: lhvc01.kf.tlmyt.petrochina

Error: ERROR_GEN_FAILURE [code 0x0000001f]

Idm client exception: Error trying to join AD, error code [31], user [administrator], domain [kf.tlmyt.petrochina], orgUnit [LN]

The error persists.

(C) Check whether the SMB protocol is the cause

Following the official VMware KB below, check whether the SMB protocol version is the cause:

Enabling vCenter Server Appliance to use SMB2 (2150832) (vmware.com)

1. Purpose
  • Enable vCenter Server Appliance to use SMB2 to overcome WannaCry caused by an SMB1 vulnerability
  • Attempting to join the vCSA to AD domain fails with Error: ERROR_GEN_FAILURE [code 0x0000001f]
2. Procedure

(1) Connect to the vCenter Server Appliance using SSH session.
(2) Run this command to enable the Bash shell:

shell.set --enabled true

(3) Run this command to access the Bash shell:

shell

(4) Set the SMB2Enabled flag in likewise's config:

/opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]' Smb2Enabled 1

(5) Run this command to verify the values:

/opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]'

(6) Restart likewise service:

/opt/likewise/bin/lwsm restart lwio

Note: If the value does not exist, the above may fail. To create the value in that instance, run:

/opt/likewise/bin/lwregshell add_value '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]' Smb2Enabled REG_DWORD 1

After following the steps above, joining the Windows domain still fails.

(D) Check whether port 445 is the problem

For checking port 445 see the official VMware KB: ERROR_GEN_FAILURE [code 0x0000001f] error while adding VCSA to AD Domain (77531) (vmware.com)

The check was performed as follows:

root@lhvc01 [ ~ ]# openssl s_client -connect kf.tlmyt.petrochina:445
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 215 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1691466255
    Timeout   : 300 (sec)
Verify return code: 0 (ok)

Port 445 is fine and can be reached normally: the CONNECTED line shows the TCP connection to the DC succeeded, and the TLS handshake failure that follows is expected because SMB on port 445 does not speak TLS.

(E) Check time synchronization

The root cause was finally found: the DC's clock and vCenter's clock were out of sync by about 10 minutes. After manually correcting the time on the DC, the join to the Windows AD domain succeeded.
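The two checks that decided this case (port 445 reachability and clock skew against the DC) can be run as a pre-join script. The script below is an added example, not code from the post or from VMware; it assumes openssl and ntpdate are available on the appliance and that the Kerberos default skew tolerance of 5 minutes applies.

```shell
#!/bin/sh
# Added pre-join check for a VCSA joining AD (example code, not VMware's).
# Assumes openssl and ntpdate exist on the appliance; swap in chronyc or
# timedatectl for the time query if they do not.
KRB_MAX_SKEW=300   # Kerberos rejects tickets once clocks differ by more than 5 minutes

# offset_from_ntpdate TEXT -> whole seconds from the first "offset N," field
# of `ntpdate -q` output (0 when no offset is found)
offset_from_ntpdate() {
  off=$(printf '%s\n' "$1" | sed -n 's/.*offset \([-0-9.]*\),.*/\1/p' | head -n 1)
  off=${off%.*}                      # drop fractional seconds
  printf '%s\n' "${off:-0}"
}

# skew_ok OFFSET -> 0 when |OFFSET| <= KRB_MAX_SKEW, 1 otherwise
skew_ok() {
  s=$1
  [ "$s" -lt 0 ] && s=$(( -s ))
  [ "$s" -le "$KRB_MAX_SKEW" ]
}

# port_open HOST PORT -> 0 when the TCP connect succeeds. This is the same
# probe the post used: a "CONNECTED" line is the success signal; the TLS
# handshake errors that follow are expected because 445 does not speak TLS.
port_open() {
  openssl s_client -connect "$1:$2" </dev/null 2>&1 | grep -q '^CONNECTED'
}

# preflight DC_HOST -> prints findings, returns 1 if a check would block the join
preflight() {
  dc=$1; rc=0
  if port_open "$dc" 445; then
    echo "445/tcp to $dc: reachable"
  else
    echo "445/tcp to $dc: not reachable (firewall or SMB service?)"; rc=1
  fi
  out=$(ntpdate -q "$dc" 2>&1) || true
  off=$(offset_from_ntpdate "$out")
  if skew_ok "$off"; then
    echo "clock offset ${off}s: within the ${KRB_MAX_SKEW}s Kerberos tolerance"
  else
    echo "clock offset ${off}s: exceeds ${KRB_MAX_SKEW}s, fix NTP before joining"; rc=1
  fi
  return "$rc"
}

if [ -n "${1:-}" ]; then preflight "$1"; fi   # usage: sh prejoin.sh dc01.example.com
```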
