After deploying a new VCSA 6.0u1 I was seeing some weird errors while trying to retrieve AD users/groups (or anything from the esod.local domain):
After some serious head scratching, it dawned on me after checking the DNS records for the DC in the domain, from the vCenter Appliance itself:
dig +noall +answer +search dc1.esod.local
dc1.esod.local.    3600    IN    A    10.0.1.201
So far so good, the DNS lookup works as expected.
dig +noall +answer +search -x 10.0.1.201

The reverse lookup returns no answer at all: there is no PTR record for the domain controller's address.
The Solution
Add reverse lookup zone to DNS and update the DC PTR record.
Once that it done, it works as expected:
dig +noall +answer +search -x 10.0.1.201
201.1.0.10.in-addr.arpa.    3600    IN    PTR    dc1.esod.local.
Re-checking the domain in the vCenter Web Client, AD information is now retrieved correctly.
It turns out that in VC6.0u1 reverse PTR records are required for SSO and Active Directory authentication to function properly.
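The two dig checks above (forward A lookup, then reverse PTR lookup, with the names expected to agree) can be scripted as a pre-flight check before pointing a vCenter at a domain. The following is an added example, not code from the original post: it computes the in-addr.arpa name that `dig -x` queries, verifies that every A record of a DC has a PTR record pointing back at the same name, and reports what is missing. It runs offline against a constructed in-memory zone table that mirrors the post's before/after state; the `system_*` resolvers are assumptions for running the same check against the appliance's real resolver.

```python
"""Forward/reverse DNS consistency check for a domain controller.

Added example (not from the original post).  The AD/SSO requirement is that
`dig -x <DC ip>` answers with the DC's own name, so every A record must have
a matching PTR record.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple


def fqdn(name: str) -> str:
    """Normalise a DNS name for comparison: lowercase with a trailing dot."""
    return name.lower().rstrip(".") + "."


def reverse_name(ip: str) -> str:
    """Owner name that `dig -x ip` queries, e.g. 201.1.0.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_dc_records(host: str,
                     a_lookup: Callable[[str], List[str]],
                     ptr_lookup: Callable[[str], List[str]]) -> List[str]:
    """Return findings; an empty list means forward and reverse records agree."""
    findings: List[str] = []
    addrs = a_lookup(host)
    if not addrs:
        return [f"{host}: no A record; forward lookup fails"]
    for ip in addrs:
        names = [fqdn(n) for n in ptr_lookup(ip)]
        if not names:
            # This is the state the post describes: dig -x prints nothing.
            findings.append(f"{ip}: no PTR record ({reverse_name(ip)} has no answer)")
        elif fqdn(host) not in names:
            findings.append(f"{ip}: PTR points to {', '.join(names)}, not {fqdn(host)}")
    return findings


# --- Resolvers backed by the OS resolver (assumed usage on the appliance) ---
def system_a_lookup(host: str) -> List[str]:
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def system_ptr_lookup(ip: str) -> List[str]:
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name, *aliases]


# --- Resolvers backed by an in-memory zone table, so the example runs offline ---
ZoneTable = Dict[Tuple[str, str], List[str]]   # (owner name, rrtype) -> rdata list


def table_resolvers(zone: ZoneTable):
    def a_lookup(host: str) -> List[str]:
        return zone.get((fqdn(host), "A"), [])

    def ptr_lookup(ip: str) -> List[str]:
        return zone.get((reverse_name(ip), "PTR"), [])

    return a_lookup, ptr_lookup


# Constructed zone data mirroring the post: A record present, PTR record missing.
BROKEN_ZONE: ZoneTable = {("dc1.esod.local.", "A"): ["10.0.1.201"]}
# The same data after the reverse zone and the DC's PTR record were added.
FIXED_ZONE: ZoneTable = {**BROKEN_ZONE,
                         ("201.1.0.10.in-addr.arpa.", "PTR"): ["dc1.esod.local."]}


def audit(zone: ZoneTable, host: str = "dc1.esod.local") -> List[str]:
    """Run the check against a constructed zone table."""
    return check_dc_records(host, *table_resolvers(zone))


if __name__ == "__main__":
    for label, zone in (("before fix", BROKEN_ZONE), ("after fix", FIXED_ZONE)):
        print(label, audit(zone) or ["OK: A and PTR records agree"])
    # On the appliance itself (assumed usage, needs network access):
    # check_dc_records("dc1.esod.local", system_a_lookup, system_ptr_lookup)
```

The check deliberately treats a PTR record that exists but names a different host as a finding too: a stale reverse zone entry left over from a re-addressed server fails the AD join just as an absent one does, while `dig -x` still "returns something".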