Install vCenter in a Workgroup instead of joining a Domain cause warning and problem?

By admin, October 16, 2010 10:03

I am having the following problem on our Virtual Center, if you know how to solve this, please kindly let me know, many many thanks in advance!

EventID 1000[VpxdLdap] Failed to search OU=Instances container.  This may indicate a problem with LDAP permissions for the account running VirtualCenter, or that the schema is not compatible with this version of VirtualCenter.

The error occur on the clock and every 15 mins after the clock (ie, 9am, then 9:15am, then 10am, then 10:15am)

It only happens when
1. Running vSphere Client and leave it on (1-3 times a day)
2. Occur 24 times a day if we have vSphere Client on as well as Veeam Monitor on, seem Veeam Monitor is competing with vSphere Client for pulling resources, so that’s why the error occurs more often.

Then vCenter server alarm section will periodically produce alerts saying vCenter Health Status is in YELLOW due to LDAP server cannot be contacted because I am not joining an AD Domain, this sounds ridiculous.

Btw, the vCenter server DID NOT JOIN A DOMAIN, only using the same server’s Workgroup, I know it’s not right or the best way according to vCenter setup guide, but I really want to keep it simple. (ie, do not want to have another physical server just for AD), I really wish VMware will release a patch for vCenter that allow us to select Domain or Workgroup model during installation or even better allow us to change the option on the fly.

I suspect it’s a client pulling problem and/or the client can’t search through AD/LDAP, so it reports such error?

It’s just a warning error, nothing really affecting operation, so I think I can safely ignore it, but do appreciate if someone came across and solved this strange problem.

 

Update:

From vCenter Error Log:

[2010-10-24 04:19:24.791 05976 error 'App'] [LDAP Client] Failed to poll search: 0×0 (The call completed successfully.)
[2010-10-24 04:19:24.791 05976 warning 'App'] [LDAP Client] Reinitializing search -1 (ou=Licenses,ou=Licensing,dc=virtualcenter,dc=vmware,dc=int)
[2010-10-24 04:19:24.791 05976 error 'App'] [LDAP Client] Failed to perform asynchronous search for base DN = ou=Licenses,ou=Licensing,dc=virtualcenter,dc=vmware,dc=int: 0×51 (Cannot contact the LDAP server.)

[2010-10-24 08:11:56,116 Timer-4  INFO  com.vmware.vim.jointool.util.ldaphealth.LdapHealthMonitor] Encountered an error when checking domain trust health : error code: $@, result: 1717
From vCenter Health Check:

Ldap domain trust change monitor – Warning – encountered an an error when checking domain trust health: error code: 1717

 

Solution:

From VMware Communities:

The message “Encountered an eror when checking domain trust health: error code 1717″ is simply an informational message in Virtual Center. The “vCenter Service Status plugin for Virtual Center 4″ runs some LDAP checks including checking for the possibility to perform domain trust lookups. When it cannot perform this domain trust lookup then it will show this message.

This message is simply an informational message and should have no major impact on the running of the Virtual Center Server. The only ways to stop this message from appearing would be joining vCenter Server to a AD Domain. Btw, you CANNOT install AD Domain Controller on the same machine with vCenter, it will not work. Because vCenter 4.1 will install an instance of ADAM (Active Directory Application Mode). It uses this when you use vCenter Linked Mode and ADAM will conflict with its’ own AD services if the server is also a Domain Controller.

 

From ESX 4.1 vCenter Installation Guide:

The system that you use for your vCenter Server installation must belong to a domain rather than a
workgroup. If assigned to a workgroup, the vCenter Server system is not able to discover all domains and
systems available on the network when using such features as vCenter Guided Consolidation Service. To
determine whether the system belongs to a workgroup or a domain, right-click My Computer and click
Properties and the Computer Name tab. The Computer Name tab displays either a Workgroup label or
a Domain label.

 

Seemed there is no workaround for running vCenter on standalone Workgroup, but why would I use an extra physical machine for the sole purpose of running an AD Domain Controller? It’s TOTALLY AGAINST VIRTUALIZATION and it’s not Green at all, most of all if I have a small enviornment with less than 5 ESX Host, why would I bother to setup a AD?

My own solution would be disable vCenter Health Check alarm or just simply remove the part saying Health Check changed to Yellow should be fine.

 

Finally, some people may install vCenter on Windows Server 2008 R2 and encounter the following problem, according to VMware KB1025668.

Installing vCenter Server 4.1 on a Windows 2008 R2 system fails

Symptoms
•Cannot install vCenter Server 4.1 on a Windows 2008 R2 system
•Installing vCenter Server 4.1 on a Windows 2008 R2 system fails
•You see on of these errors:

◦The trust relationship between this workstation and the primary domain failed in the jointool-0.log
◦Setup cannot create vCenter Server directory Services Instance
Resolution
This issue may occur if the Active Directory in your environment is hosted by a Windows 2000 domain controller (THAT’S OLD!!!). This issue occurs because vCenter Server 4.1 is unable to retrieve the security identifier (SID) for an account.

To resolve this issue, you must apply a Microsoft hotfix. For more information and to download the hotfix, see the Microsoft Knowledge Base article 976494.

Note: You must reboot the system before installing vCenter Server again.

4 Responses to “Install vCenter in a Workgroup instead of joining a Domain cause warning and problem?”

  1. Tom says:

    In my case vRealize Operations Manager gives a critical alert: Ldap domain trust change monitor – Encountered an error when checking domin truste health: error code: 1722

    Have no clue how to stop/suppress the error from occurring.

  2. admin says:

    Another scenario that requires an AD is VMware View, but again, you can setup an AD server easily with a VM, so I still prefer to run vCenter without AD for simplicity and easy management.

  3. Bud says:

    I been running vCenter in a workgroup and no domain for years with no problem at all. One of the very reason why add VC to AD? is because, this give power to the administrator control to give permission / role of users to the vCenter (confinient as users can login using their domain credential). I do not need those feature since I am the sole Vmware administrator (and I do not need to delegate privileges to user).

    You do need to seperate AD and VC, to avoid complication, for example when you DCpromo Windows, it will disable the local admin, if you would install VC on the same VM or machine, then you would not be able to login as local admin anymore to VC(for troubleshooting for example). So this interdependent can be avoided if you separate above.

  4. Harold says:

    In response to you AD Question and the necessity of a physical DC, you could always create 2 virtual DCs on an ESX host before the installation of vCenter, instead of 2 physical DCs.

Leave a Reply