Posts Tagged ‘active directory’

LDAPS Identity Source for VMware vCenter Single Sign On 5.1

May 21, 2013


Once you are done with the installation of VMware vCenter 5.1, you will notice that the vSphere 5.1 client won't let you log in to your vCenter Server. Either you will need to configure a local admin ID on your vCenter Server, or, if you have Active Directory (AD) running in your environment, you will need to link it to your vCenter Server, i.e. by configuring an identity source.

During installation of vCenter Single Sign On 5.1, it tries to add the identity source, but in my case this resulted in an error (Error 29155. Identity source discovery error). I then found out it's the case with other users as well, and it was also pointed out by VMware in their KB articles. The workaround given for the issue was to add the identity source manually. Doing so, I got the following errors.

[LDAP: error code 8 - 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1]

and

simple bind failed:yourdomain:636

These errors arise because your AD is configured to communicate over an LDAPS (LDAP over SSL/TLS) connection. Hence, to register your identity source, you will need the X.509 certificate of your AD domain controller (DC). Export the certificate from your AD, making sure you choose the Base-64 encoded X.509 format.

[Screenshot: Cert 03 (certificate export)]

Once it is imported, add the identity source again as demonstrated below.

[Screenshot: LDAPS identity source settings]

Once you have chosen the certificate from the Choose Certificate tab, make sure you get the following confirmation. If you do not, there must be something wrong with your certificate.

[Screenshot: certificate accepted confirmation]

You can click on Test Connection to verify your AD connectivity.

[Screenshot: Test Connection succeeded]

If you are still facing problems in adding the identity source, make sure of the following things:

  • Your vCenter, vSphere, vSphere Web Client, vCenter SSO etc. must all be installed in the same default directories.
  • Do add port 3269 with your FQDN.
  • There must be a proper forward and reverse lookup entry (A and PTR records) in your DNS for your vCenter Server.
  • Enter the complete user name for authentication, e.g. user@domain.com
  • If your domain controller is behind a firewall, make sure you have configured a policy to allow vCenter traffic.
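As an added example (not code from the original post or from VMware), the following stdlib-only Python script checks the points above before you retry the identity source: it maps the two error strings quoted earlier to their likely cause, confirms the exported certificate really is Base-64 X.509 rather than a DER export, checks forward/reverse DNS agreement, and performs a TLS handshake to the DC trusting only that exported certificate. The DC host, port (636 or 3269) and PEM path are assumed inputs you supply.

```python
"""Pre-flight checks for an LDAPS identity source: constructed example, not
VMware code, stdlib only. Host, port and PEM path are assumed inputs."""
import base64, re, socket, ssl

# Errors quoted in the post, mapped to the likely cause: (pattern, hint).
_KNOWN_ERRORS = (
    (r"error code 8 .*00002028",
     "DC requires signing or TLS: connect with ldaps:// on 636 or 3269"),
    (r"simple bind failed:(\S+):(\d+)",
     "TLS bind to {0}:{1} failed: import the DC's Base-64 X.509 certificate"),
)

def diagnose(message: str) -> str:
    """Map a raw SSO/LDAP error string to a likely cause, or 'unknown'."""
    for pattern, hint in _KNOWN_ERRORS:
        m = re.search(pattern, message)
        if m:
            return hint.format(*m.groups())
    return "unknown"

def is_base64_x509(data: bytes) -> bool:
    """True only for a PEM (Base-64) certificate; a DER export returns False."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
                  data, re.S)
    if not m:
        return False
    try:
        der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    except ValueError:
        return False
    return der[:1] == b"\x30"  # outer ASN.1 SEQUENCE of an X.509 Certificate

def dns_consistent(fqdn, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Forward lookup of the FQDN must reverse-resolve to the same name."""
    try:
        name = reverse(forward(fqdn))[0]
    except OSError:
        return False
    return name.lower().rstrip(".") == fqdn.lower().rstrip(".")

def ldaps_handshake(fqdn: str, port: int, cafile: str) -> str:
    """TLS handshake to the DC trusting only the exported certificate;
    returns the peer's subject CN to compare with the FQDN you entered."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((fqdn, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return subject.get("commonName", "")
```

If ldaps_handshake raises ssl.SSLCertVerificationError, the certificate you imported is not the one the DC presents on that port, which is the same situation that produces the "simple bind failed" error in SSO.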

Windows Domain Controller and their Roles

December 10, 2011

I really favour Linux/Unix working environments, but sadly commercialism has engulfed our societies with the likes of Windows platforms, while the former, no matter how highly it is rated, still lives in the shadows. And now I have to grasp the Windows lingo to fit into an organization. So let's learn something about Windows Domain Controllers and their roles.

Before going into any details, it is first important to understand the differences between the following terms.

  • Active Directory: a directory service that serves as a central location for network administration and security; it is responsible for authenticating and authorizing all users and computers within a Windows domain network.
  • Forest: the top-level container of an Active Directory (AD) infrastructure. It can contain one or more domains, which are interconnected through transitive trusts. A forest shares a single schema.
  • Domain: one level below the AD forest. It can consist of one or more Organizational Units (OUs). A domain shares a single administrator group and the same set of objects.
  • Domain Controller: a domain can consist of one or more domain controllers (DCs). A DC holds the directory database of its respective domain. The directory database consists of user objects, computer objects and more.
  • Organizational Unit: a container within a domain used to organize sets of users and computers. It is helpful in applying a set of policies to a group, user or computer within a domain.
  • Windows DC: a server running a version of the Windows Server OS with AD installed on it; it is responsible for allowing hosts access to Windows domain resources.

Now coming to the roles: there are specialized DCs that perform specific roles in an Active Directory Domain Services (AD DS) environment. The specialized roles are:

  • Global Catalog Servers: a DC designated as a global catalog server stores objects from all domains in a forest. This is usually the first DC in a forest; later on, other DCs can be designated as global catalog servers.
  • Operations Master: a DC designated to perform specific tasks to ensure consistency and to eliminate the potential for conflicting entries in the AD database.

AD DS defines five operations master roles:

  1. Schema Master: responsible for propagating schema changes to all DCs within a forest. Changes to the schema required throughout the forest should be made on the DC serving as schema master. There can be only one schema master in a forest at any time.
  2. Domain Naming Master: required to keep track of all the domains within an AD forest. The DC holding the domain naming master role is accessed whenever domains are added to or removed from a tree or forest. There can be only one domain naming master per forest. It ensures that no two domains in the same tree have the same name.
  3. Relative Identifier (RID) Master: allocates blocks of RIDs to each DC in a domain. When a DC creates a new security principal (user, group etc.), it assigns the object a unique security identifier (SID). The SID consists of a domain SID, which is the same for all security principals created in the domain, and a RID, which uniquely identifies each security principal created in the domain.
  4. Primary Domain Controller (PDC) Emulator: the PDC emulator receives preferential replication of password changes performed by other DCs in the domain and is the source for the latest password information. It is also the default time source.
  5. Infrastructure Master: responsible for updating object references in the domain that point to objects in another domain. It updates object references locally and uses replication to bring all other replicas of the domain up to date. An object reference contains a GUID (globally unique identifier), a distinguished name and possibly a SID. The distinguished name and SID in an object reference are periodically updated to reflect changes made to the actual object.
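To make the RID Master item concrete, here is an added example (constructed for this page, not from the original post) that splits a domain account SID into its domain SID and RID, detects RID collisions within a domain, and simulates a RID master handing non-overlapping RID blocks to two DCs so that principals minted on either DC never share a SID. The block size, DC names and SID values are made up.

```python
"""SID = domain SID + RID, and why one RID master per domain matters.
Constructed example, not from the original post; all SIDs are made up."""
import re

# Domain security principals live under S-1-5-21-<three sub-authorities>-<RID>.
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

def split_sid(sid: str):
    """'S-1-5-21-a-b-c-1105' -> ('S-1-5-21-a-b-c', 1105)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain security principal SID: {sid}")
    a, b, c, rid = m.groups()
    return f"S-1-5-21-{a}-{b}-{c}", int(rid)

def find_duplicate_rids(sids):
    """RIDs must be unique within a domain; return (domain_sid, rid) pairs seen more than once."""
    seen, dupes = set(), []
    for sid in sids:
        key = split_sid(sid)
        if key in seen:
            dupes.append(key)
        seen.add(key)
    return dupes

class RidMaster:
    """Hands out non-overlapping RID blocks, so no two DCs can mint the
    same SID. RIDs below 1000 are reserved for well-known accounts."""
    def __init__(self, first_rid=1000, block_size=500):
        self._next, self.block_size = first_rid, block_size
    def allocate_block(self):
        lo, self._next = self._next, self._next + self.block_size
        return lo, self._next - 1

class DomainController:
    """Creates security principals from its local RID block, refilling
    from the RID master only when the block is exhausted."""
    def __init__(self, name, domain_sid, rid_master):
        self.name, self.domain_sid, self.rid_master = name, domain_sid, rid_master
        self._pool = iter(())
    def new_principal_sid(self) -> str:
        try:
            rid = next(self._pool)
        except StopIteration:
            lo, hi = self.rid_master.allocate_block()
            self._pool = iter(range(lo, hi + 1))
            rid = next(self._pool)
        return f"{self.domain_sid}-{rid}"
```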

– Schema Master and Domain Naming Master perform operations that must occur on only one DC in the forest.

– PDC Emulator, RID Master and Infrastructure Master perform operations that must occur on only one DC in a domain.

