vCSA and trusted AD sources

Just a quick write up for my own convenience. Large organizations tend to have a lot of everything, from buildings and employees to Domain Controllers.
In times were Domain Controllers undergo maintenance, like an upgrade or relocation, dependent services may be impacted.
The way identity sources are configured differs per product, fortunately less often hard-coded by specifying a single domain controller, usually more flexible by specifying the AD domain.

For a vCenter Server Appliance (vCSA), additional identity sources can be configured, one commonly used is the Active Directory (Integrated Windows Authentication).


BTW, As a prerequisite, the vCSA should be joined to the Windows domain.

If you are curious which domain controllers are actually in use by the vCSA, do the following:

Open a SSH session to the vCSA.

Switch to the Bash shell, see this post for more information.

cd to /var/lib/likewise.

and read the content of file krb5-affinity.conf using the cat command.

Depending on your configuration it should look something like this:


Per Windows domain, the IP addresses of all connected domain controllers are shown. From here, you can lookup the names of the DC’s.

If your environment is configured with one or more external platform Services Controller(s), you must log on to a PSC instead of the vCSA!

VMware does not provide much information regarding the selection process. In “FAQ: VMware Platform Services Controller in vSphere 6.0 (2113115)”, I found this quote:

“When using the Active Directory (Integrated Windows Authentication) identity source, pair the PSC as close to the local Active Directory Domain Controller(s) (DC) as possible, with minimal hop count to reach them. The PSC, both Windows-based and Appliance-based, have improved logic to allow for SAML token creation, requests as well as User and Group querying that will leverage the nearest DC within the environment to provide the best performance for log-in. additionally, depending on the complexity of your Active Directory environment, there are known limitations.”

As always, I thank you for reading.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: