If you join your vCenter Server to an Active Directory domain and logins to vCenter wait a very long time for authentication, you probably have a DNS issue, a misconfiguration, or a corrupted domain controller in your environment.
For that reason, first of all, check /var/log/messages on the vCenter appliance for the DC IP addresses it identified; there you can see which of your DCs responds.
There are two options for fixing this issue:
01. Put the corrupted DC on the blacklist
02. Remove the corrupted DC from the krb5-affinity.conf file
01-1. The fix provides an option to blacklist selected domain controllers in case of infrastructure issues.
To set the option, use the following commands:
# /opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\netlogon\Parameters]' BlacklistedDCs DC_IP1,DC_IP2,...
# /opt/likewise/bin/lwsm restart lwreg
To revert to the default settings, use the following commands:
# /opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\netlogon\Parameters]' BlacklistedDCs ""
# /opt/likewise/bin/lwsm restart lwreg
# service-control --stop --all
# service-control --start --all
02-1. You can edit the file at this path with an editor such as vi: vi /var/lib/likewise/krb5-affinity.conf
If the problematic DC IP is listed there, delete it from the configuration manually and save the file.
Important!!!
Finally, an important hint: double-check your Active Directory Sites and Services configuration so that the right IP address range is assigned to the correct site.
If there is a misconfiguration in AD Sites and Services, the problematic DC IP address will be registered in the configuration file again.
Update 1
After all troubleshooting, if you still have the same issue, try to look up the SRV record in DNS with a command like:
nslookup -type=srv _ldap._tcp.DOMAINNAME
The result looks like the picture below:
You have to choose the right IP address from the SRV record and put it in the LDAP configuration of vCenter.
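The following script is an added example (not part of the original post) that automates the comparison described in step 02-1 and Update 1: it reads the DC IPs cached in an affinity file, compares them with the DC IPs that the _ldap._tcp SRV lookup returned, and builds the comma-separated BlacklistedDCs value for any DC that DNS no longer advertises. It assumes krb5-affinity.conf uses krb5.conf-style "kdc = IP" lines, which is an assumption about the file layout; the sample file text and SRV results are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. ASSUMPTION: the affinity file is
# krb5.conf-style text with "kdc = <ip>" lines; check your appliance's layout.

# Constructed sample standing in for /var/lib/likewise/krb5-affinity.conf.
SAMPLE_AFFINITY='[realms]
CORP.EXAMPLE = {
    kdc = 192.0.2.10
    kdc = 192.0.2.11
    kdc = 192.0.2.99
}'

# Constructed list of DC IPs resolved from "nslookup -type=srv _ldap._tcp.DOMAINNAME".
SAMPLE_SRV_IPS='192.0.2.10
192.0.2.11'

# cached_dcs FILE_TEXT -> one cached DC IP per line (the "kdc = IP" entries)
cached_dcs() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*kdc[[:space:]]*=[[:space:]]*//p'
}

# stale_dcs FILE_TEXT SRV_IPS -> cached DCs that the SRV lookup does not list
stale_dcs() {
    cached_dcs "$1" | while IFS= read -r ip; do
        printf '%s\n' "$2" | grep -qxF "$ip" || printf '%s\n' "$ip"
    done
}

# blacklist_value FILE_TEXT SRV_IPS -> "IP1,IP2,..." for the BlacklistedDCs key
blacklist_value() {
    stale_dcs "$1" "$2" | awk '{ s = s (NR > 1 ? "," : "") $0 } END { print s }'
}

# Stand-alone run: report the candidate value to pass to lwregshell.
stale="$(blacklist_value "$SAMPLE_AFFINITY" "$SAMPLE_SRV_IPS")"
if [ -n "$stale" ]; then
    echo "DCs cached but not advertised in DNS: $stale"
    echo "Candidate command: /opt/likewise/bin/lwregshell set_value" \
         "'[HKEY_THIS_MACHINE\\Services\\netlogon\\Parameters]' BlacklistedDCs $stale"
else
    echo "All cached DCs are still advertised in DNS."
fi
```

Run it against the real file with SAMPLE_AFFINITY="$(cat /var/lib/likewise/krb5-affinity.conf)" and the IPs from your own SRV lookup; the printed command is only a suggestion to review before applying.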
Good luck!
© 2020 cloudhba.com