
vCenter / SSO unable to retrieve AD-information | Error while extracting local SSO users

by Espen Ødegaard · Read in about 1 min (155 words)

After deploying a new VCSA 6.0u1 I was seeing some weird errors ("Error while extracting local SSO users") while trying to retrieve AD users/groups (or anything else from the esod.local domain):

After some serious head scratching, it dawned on me when I checked the DNS records for the DC in the domain from the vCenter Appliance itself:

dig +noall +answer +search dc1.esod.local
dc1.esod.local. 3600 IN A 10.0.1.201

So far so good, the DNS lookup works as expected.

dig +noall +answer +search -x 10.0.1.201
That’s right, the reverse lookup returns exactly zilch, zero, zippo, nil, nada and null.

The Solution

Add a reverse lookup zone to DNS and create the PTR record for the DC.

Once that is done, the reverse lookup works as expected:

dig +noall +answer +search -x 10.0.1.201
201.1.0.10.in-addr.arpa. 3600 IN PTR dc1.esod.local.
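The fix above, carried out on the DNS server, as an added example that is not part of the original post. It assumes the AD DNS zone is hosted on Windows DNS (the DnsServer PowerShell module must be present), that the DC is dc1.esod.local at 10.0.1.201 in the 10.0.1.0/24 subnet, and that the DC itself serves DNS; adjust the variables otherwise. It creates the reverse zone if it is missing, adds the PTR record, and then checks that the reverse and forward lookups agree, which is the same check the dig commands above perform from the VCSA.

```powershell
# Added example (not from the original post): create the missing reverse
# lookup zone and the DC's PTR record on a Windows DNS server, then verify.
# Assumptions: DC is dc1.esod.local / 10.0.1.201, subnet 10.0.1.0/24,
# the DC hosts DNS, and the DnsServer module (DNS role or RSAT) is installed.

$DcName      = 'dc1.esod.local'
$DcIp        = '10.0.1.201'
$Subnet      = '10.0.1.0/24'
$ReverseZone = '1.0.10.in-addr.arpa'   # reverse zone name for 10.0.1.0/24
$DnsServer   = $DcIp                   # assumption: the DC hosts DNS

# 1. Create the reverse lookup zone if it does not exist, AD-integrated and
#    replicated to every DNS server in the domain.
if (-not (Get-DnsServerZone -Name $ReverseZone -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $Subnet -ReplicationScope 'Domain' -ComputerName $DnsServer
}

# 2. Add the PTR record for the DC. In a /24 reverse zone the record name is
#    the last octet of the address ('201' here).
$HostPart = ($DcIp -split '\.')[-1]
if (-not (Get-DnsServerResourceRecord -ZoneName $ReverseZone -Name $HostPart -RRType Ptr -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordPtr -ZoneName $ReverseZone -Name $HostPart -PtrDomainName $DcName -ComputerName $DnsServer
}

# 3. Verify: the reverse lookup must return the DC's FQDN, and the forward
#    lookup of that FQDN must return the same address. A PTR that points at a
#    name which does not resolve back is not a usable fix.
$ptr = Resolve-DnsName -Name $DcIp   -Type PTR -Server $DnsServer -ErrorAction Stop
$fwd = Resolve-DnsName -Name $DcName -Type A   -Server $DnsServer -ErrorAction Stop
if ($ptr.NameHost -ne $DcName -or $fwd.IPAddress -ne $DcIp) {
    throw "Forward/reverse mismatch: PTR=$($ptr.NameHost) A=$($fwd.IPAddress)"
}
"PTR for $DcIp -> $($ptr.NameHost) (OK)"
```

Run it in an elevated PowerShell session on the DC or on a management host with the DNS RSAT tools. After it reports OK, repeat the dig -x check from the VCSA shell, since the appliance may be using a different resolver or a cached negative answer.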

Re-checking the domain in the vCenter Web Client, AD information is now retrieved correctly.

It turns out that in vCenter 6.0u1 a reverse (PTR) record for the domain controller is required for SSO and Active Directory authentication to function properly, even though the forward lookup alone succeeds.

Post last updated on July 23, 2018: Fix the esod.

About the author


Christian Mohn works as a Chief Technologist SDDC for Proact in Norway.

See his About page for more details, or find him on Twitter.
