VMware vSphere vCSA 5.5 Active Directory Woes

This week I have been doing some work with the VMware vSphere 5.5 vCenter Server Appliance (5.5.0.5100 Build 1312297). During this testing I ran into problems setting up AD Authentication with a Windows 2012 domain within vCSA.  The message displayed was Error: Enabling Active Directory failed.

I carried out the normal checks:

• Checked that  a FQDN(Fully Qualified Domain Name) for my vCSA hostname was being used.  E.g. VCSA.labdomain.local
• Checked that the domain was entered as a FQDN. E.g. labdomain.local
• Checked that DNS has a forward and reverse look up record for the vCSA.
• Pinged the AD server from the console of the vCSA to check DNS.

2013-09-25 12:37:28 20053: ERROR: Enabling active directory failed: Joining to AD Domain:   vCSA.labdomain.local
With Computer DNS Name: VCSA.labdomain.local

Error: Lsass Error [code 0x0000000b]

The OU format is invalid.
2013-09-25 12:37:29 20053: VC_CFG_RESULT=302

To find out what situations caused this error I tired different AD configurations with vCSA. For this first installation the Domain and Forest functional level was Windows Server 2012.

It would appear with the rewrite of SSO there are issues with Windows 2012 AD domains.

Update: 4th October 2013

VMware have now looked at the issue and reviewed the log bundle from the vCenter. It's now being passed to the VMware core engineers as there is no known workaround. I will update this article when I have any more information or a workaround.

For now I would recommend not using a Windows Server 2012 domain and forest. You can use a Windows 2008 domain and forest on a Windows Server 2012.

Update

This issue is fixed in VMware vCenter Server 5.5.0a.  This has been tested with Windows Server 2012 with a Windows Server 2012 Domain and Forest function level and now functions correctly.