TGC domain join via Active Directory failed due to constraint violation

Applies To

Tintri Global Center

The domain join request from Tintri Global Center (TGC) via Active Directory (AD) failed because the user did not have the privileges necessary to join the domain.



TGC domain join via Active Directory (AD) failed due to constraint violation error messages.

The TGC computer account was not created on the Domain Controller at the time of the join request.






When authenticating using Active Directory, the process involves a domain join. Required information prior to joining includes the DNS domain name of the domain and the username and password of an administrative user with the privileges necessary to perform a domain join. The domain join process involves the creation of a computer account, which the TGC appliance will use for all subsequent operations or queries against the domain. The administrative credentials are not stored in the appliance. Apart from the machine account creation and periodic password changes, no changes are made to Active Directory.


As per the error messages on TGC, the supplied administrative user account does not have the correct privileges to complete the join action.


The administrative user account to be used for the domain join while configuring TGC requires the following permissions:

  • Read user principal name
  • Write user principal name
  • Change password
  • Reset password
  • Read and write account restrictions
  • Validated write to DNS host name
  • Validated write to service principal name
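The following audit script is an added example, not Tintri's own tooling: it reads the ACL of the container where the TGC computer account will be created and reports which of the permissions listed above are granted to the join account, flagging any grant that is not scoped to a single attribute or right. The account name and OU are placeholders, the assumption is that the rights are delegated on that OU, and only ACEs naming the account directly are checked (rights held through group membership are not resolved).

```powershell
# Added example. Requires the RSAT ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory

$JoinAccount = 'EXAMPLE\svc-tgc-join'              # placeholder join account
$TargetOU    = 'OU=Appliances,DC=example,DC=com'   # placeholder OU for the TGC computer account

# Permission from the article -> well-known AD schema/control-access GUID and the right that carries it.
$required = @(
    @{ Name = 'Read user principal name';    Guid = '28630ebb-41d5-11d1-a9c1-0000f80367c1'; Right = 'ReadProperty'  }
    @{ Name = 'Write user principal name';   Guid = '28630ebb-41d5-11d1-a9c1-0000f80367c1'; Right = 'WriteProperty' }
    @{ Name = 'Change password';             Guid = 'ab721a53-1e2f-11d0-9819-00aa0040529b'; Right = 'ExtendedRight' }
    @{ Name = 'Reset password';              Guid = '00299570-246d-11d0-a768-00aa006e0529'; Right = 'ExtendedRight' }
    @{ Name = 'Read account restrictions';   Guid = '4c164200-20c0-11d0-a768-00aa006e0529'; Right = 'ReadProperty'  }
    @{ Name = 'Write account restrictions';  Guid = '4c164200-20c0-11d0-a768-00aa006e0529'; Right = 'WriteProperty' }
    @{ Name = 'Validated write to DNS host name';          Guid = '72e39547-7b18-11d1-adef-00c04fd8d5cd'; Right = 'Self' }
    @{ Name = 'Validated write to service principal name'; Guid = 'f3a64788-5306-11d1-a9c5-0000f80367c1'; Right = 'Self' }
)

# Allow ACEs on the OU that name the join account directly.
$aces = (Get-Acl -Path "AD:\$TargetOU").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $JoinAccount
}

$report = foreach ($perm in $required) {
    $needed = [System.DirectoryServices.ActiveDirectoryRights]$perm.Right
    # An ACE satisfies the permission if it carries the right and targets this GUID,
    # or carries the right with an empty ObjectType (applies to every attribute/right).
    $match = $aces | Where-Object {
        $_.ActiveDirectoryRights.HasFlag($needed) -and
        ($_.ObjectType -eq [guid]$perm.Guid -or $_.ObjectType -eq [guid]::Empty)
    }
    [pscustomobject]@{
        Permission = $perm.Name
        Granted    = [bool]$match
        # True when the grant is unscoped, i.e. broader than the list above requires.
        Unscoped   = [bool]($match | Where-Object { $_.ObjectType -eq [guid]::Empty })
    }
}

$report | Format-Table -AutoSize
```

A row with `Granted` false points at the missing delegation behind the failed join; a row with `Unscoped` true indicates the account holds more than the permission the article asks for.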



After the correct privileges are added to the administrative account, perform the following actions in TGC in order to join the domain:

  • Log in to the TGC UI, click Explore, and click Edit all settings in the Settings pane
  • Click AD & LDAP in the Settings display
  • Select the AD (Active Directory) option
  • Enter the Domain Name
  • Enter the Username
  • Enter the Password
  • Save the details
  • Click "Verify saved domain join" to verify the tests complete without any errors


See related VMstore article - Active Directory Authentication vs LDAP Authentication
