Oct 29, 2016

Active Directory User Permission Required For vCenter to vCenter Server Appliance Migration

This article provides steps to ensure the proper permissions are assigned to the Active Directory account that is used to join the vCenter Server Appliance to the domain. During the migration process the Join AD Domain page will prompt for a user account which will be used to join the vCenter Server Appliance to the domain. If this account fails to join the vCenter Server Appliance to the domain the installer will display this warning message with a Yes\No selection:


During the migration process the ‘Join AD Domain’ page will prompt for a domain user account which will be used to join the vCenter Server Appliance to the domain. Ensure the account has the correct permissions to join the vCenter Server Appliance to the domain with these steps:

Verifying Active Directory (AD) Account Permissions

Migrating the source Windows vCenter Server to the vCenter Server Appliance requires that the account used to join the vCenter Server Appliance to the domain be verified first.
If the AD account used for the join operation during migration is different from the AD account originally used to join the Windows vCenter Server machine to the domain, the join may fail because the provided AD account lacks the privileges needed to modify the existing computer object.

To determine whether the account has sufficient rights to modify the existing computer account, use either of the following methods.

Using MMC Tools: Active Directory Users and Computers or ADSI Edit.
  1. From Active Directory Users and Computers or ADSI Edit select the computer object.
  2. Select Properties.
  3. Select the Security tab.
  4. Click Advanced.
  5. Select the Effective Access tab.
  6. In Select a user enter the name of the user to be used to join the vCenter Server Appliance to the domain.
  7. Click View effective access.
  8. The account should have permissions for Write all properties and Delete for the join to domain to succeed.

Using PowerShell

This method requires the ActiveDirectory PowerShell module.

From a Windows PowerShell prompt, run these commands:

PS> $hostname = "vCenter_Server_FQDN"   # set $hostname to the hostname of the desired machine
PS> $credential = "AD_User"             # set $credential to the desired account name
PS> Get-ADComputer -Identity $hostname -Credential $credential -Properties Description

Note: If the account has read access for the computer object then some system information will be displayed. For example:

Description       :
DistinguishedName : CN=vCenter_Server_FQDN,CN=Computers,DC=test,DC=com
DNSHostName       : vCenter_Server_FQDN.test.com
Enabled           : True
Name              : vCenter_Server_FQDN
ObjectClass       : computer
ObjectGUID        : ff1dcbd0-fbc1-47ce-a65f-93fdeddbef7e
SamAccountName    : vCenter_Server_FQDN$
SID               : S-1-5-21-3071954166-2807646293-1681621958-14598
UserPrincipalName :

Verify that the account has modify access rights for the computer object with this command:

PS> Set-ADComputer -Identity $hostname -Credential $credential -Description "sample description"

If modify access is not permitted, you will see this error:

Set-ADComputer : Insufficient access rights to perform the operation
At line:1 char:15
+ Set-ADComputer <<<< -Identity $hostname -Credential $credential -Description "sample description"
    + CategoryInfo          : NotSpecified: (CL01:ADComputer) [Set-ADComputer], ADException
    + FullyQualifiedErrorId : Insufficient access rights to perform the operation,Microsoft.ActiveDirectory.Management.Commands.SetADComputer

This error is displayed if the account does not have sufficient privileges to re-join the migration machine to Active Directory. The Windows vCenter Server to vCenter Server Appliance migration will not succeed with this account; another account will need to be used for the migration.
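
The read and modify checks above can be combined into a single pre-migration probe. The following function is an added example, not part of the original article: it runs the same Get-ADComputer and Set-ADComputer calls, restores the original Description afterwards, and additionally scans the computer object's DACL for an explicit Delete grant (the second right called out in step 8). It assumes the ActiveDirectory module is installed; the computer name, domain and account are placeholders.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory module;
# 'VCENTER01' and 'TEST\AD_User' are placeholders for the source vCenter's SAM name
# and the account entered on the Join AD Domain page.
Import-Module ActiveDirectory

function Test-VcsaJoinAccount {
    param(
        [Parameter(Mandatory)][string]$ComputerName,      # SAM name of the Windows vCenter, not the FQDN
        [Parameter(Mandatory)][pscredential]$Credential   # AD account that will perform the domain join
    )
    $result = [ordered]@{ Computer = $ComputerName; CanRead = $false; CanWrite = $false; HasDeleteAce = $false; Detail = '' }
    # 1. Read access: the same Get-ADComputer call the article uses.
    try {
        $computer = Get-ADComputer -Identity $ComputerName -Credential $Credential -Properties Description -ErrorAction Stop
        $result.CanRead = $true
    } catch {
        $result.Detail = $_.Exception.Message
        return [pscustomobject]$result
    }
    # 2. Write access: the article's Set-ADComputer probe, then put the original Description back.
    $original = $computer.Description
    try {
        Set-ADComputer -Identity $computer -Credential $Credential -Description 'vcsa-migration-probe' -ErrorAction Stop
        if ([string]::IsNullOrEmpty($original)) {
            Set-ADComputer -Identity $computer -Credential $Credential -Clear Description -ErrorAction Stop
        } else {
            Set-ADComputer -Identity $computer -Credential $Credential -Description $original -ErrorAction Stop
        }
        $result.CanWrite = $true
    } catch {
        $result.Detail = $_.Exception.Message   # e.g. 'Insufficient access rights to perform the operation'
        return [pscustomobject]$result
    }
    # 3. Delete right: look for an Allow ACE that names the account directly on the object's DACL.
    #    Rights granted through group membership are not resolved here; the Effective Access tab
    #    described above covers those. Get-Acl reads the AD: drive as the current user.
    $user = $Credential.UserName.Split('\')[-1]
    $acl  = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)
    $result.HasDeleteAce = [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$user" -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::Delete) -ne 0)
    })
    if (-not $result.Detail) { $result.Detail = 'Read and Write all properties confirmed' }
    [pscustomobject]$result
}

# Usage: prompt for the password instead of embedding it in the script.
$credential = Get-Credential -UserName 'TEST\AD_User' -Message 'Account used on the Join AD Domain page'
Test-VcsaJoinAccount -ComputerName 'VCENTER01' -Credential $credential | Format-List
```

A result with CanWrite false is the same failure the error above shows, and the migration should not be started with that account.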

Proceeding with the installation after receiving a warning message

Selecting Yes or No on this prompt has these effects:

Selecting Yes cancels the migration process. This option does not affect the source vCenter Server. The vCenter Server Appliance must be powered off before the source vCenter Server is powered on again: the vCenter Server Appliance has the same network settings as the source vCenter Server, so the two cannot be powered on at the same time.

Selecting No continues the migration process, bypassing the join to domain for the vCenter Server Appliance. To join the vCenter Server Appliance to the domain after the migration, ensure the user meets the requirements in the Verifying AD Account Permissions section, then run this command on the vCenter Server Appliance using the same Active Directory user that was used in the migration:

/opt/likewise/bin/domainjoin-cli join --disable hostname domain.com username password

Note: The vCenter Server Appliance needs to be rebooted after this process.
