vCenter / SSO unable to retrieve AD-information | Error while extracting local SSO users


After deploying a new VCSA 6.0u1 I was seeing some weird errors while trying to retrieve AD users/groups (or anything from the esod.local domain):

After some serious head scratching, it dawned on me after checking the DNS records for the DC in the domain, from the vCenter Appliance itself:

dig +noall +answer +search dc1.esod.local
dc1.esod.local. 3600 IN A 10.0.1.201

So far so good, the DNS lookup works as expected.

dig +noall +answer +search -x 10.0.1.201

That’s right, the reverse lookup returns exactly zilch, zero, zippo, nil, nada and null.

The Solution

Add reverse lookup zone to DNS and update the DC PTR record.

Once that is done, it works as expected:

dig +noall +answer +search -x 10.0.1.201
201.1.0.10.in-addr.arpa. 3600 IN PTR dc1.esod.local.

Re-checking the domain in the vCenter Web Client, the AD information is now retrieved correctly.

It turns out that in vCenter 6.0u1 reverse (PTR) records for the domain controller are required for SSO and Active Directory authentication to function properly.
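To catch this before SSO does, here is an added example (not from the original post) that parses dig answer lines like the ones above and verifies that the DC's A record has a PTR pointing back to the same name. The dig output embedded in it is constructed sample text, and the function names are my own.

```python
"""Check that a domain controller's A record and PTR record agree.

Added example, not from the original post. It parses the `dig +noall +answer`
output format and flags a missing or mismatched PTR record, the condition that
broke the SSO AD lookups described above. The dig output below is constructed
sample text, not captured from a real resolver.
"""
import ipaddress

# Constructed sample output: forward lookup works, reverse lookup is empty
FORWARD_OUTPUT = "dc1.esod.local. 3600 IN A 10.0.1.201\n"
REVERSE_OUTPUT_BROKEN = ""
REVERSE_OUTPUT_FIXED = "201.1.0.10.in-addr.arpa. 3600 IN PTR dc1.esod.local.\n"


def parse_dig_answers(text, rtype):
    """Return the rdata of every answer line of the given record type."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        # dig answer lines are: name ttl class type rdata
        if len(fields) >= 5 and fields[3] == rtype:
            records.append(fields[4])
    return records


def reverse_name(ip):
    """Build the in-addr.arpa / ip6.arpa name that `dig -x` queries."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_ptr_consistency(hostname, forward_output, reverse_output):
    """Return (ok, message) for a forward/reverse round trip.

    ok is True only when the A record's address has a PTR that maps back
    to hostname; otherwise the message says what is missing or wrong.
    """
    fqdn = hostname.rstrip(".") + "."
    addrs = parse_dig_answers(forward_output, "A")
    if not addrs:
        return False, f"no A record for {fqdn}"
    ptrs = [p.rstrip(".") + "." for p in parse_dig_answers(reverse_output, "PTR")]
    if not ptrs:
        return False, f"no PTR record for {addrs[0]} ({reverse_name(addrs[0])})"
    if fqdn not in ptrs:
        return False, f"PTR for {addrs[0]} points to {ptrs}, expected {fqdn}"
    return True, f"{fqdn} <-> {addrs[0]} round trip OK"


if __name__ == "__main__":
    print(check_ptr_consistency("dc1.esod.local", FORWARD_OUTPUT, REVERSE_OUTPUT_BROKEN))
    print(check_ptr_consistency("dc1.esod.local", FORWARD_OUTPUT, REVERSE_OUTPUT_FIXED))
```

On a live appliance, feed it the real output of `dig +noall +answer dc1.esod.local` and `dig +noall +answer -x 10.0.1.201` instead of the constructed strings.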

Post last updated on July 23, 2018: Fix the esod.
