
TGC domain join via Active Directory failed due to constraint violation

Applies To

 

Product(s): Tintri Global Center

Version(s): All

Description

 

The domain join request from Tintri Global Center (TGC) via Active Directory (AD) failed because the user did not have the privileges necessary to join the domain.

Symptoms

 

The TGC domain join via Active Directory (AD) failed with constraint violation error messages.

The TGC computer account was not created on the Domain Controller at the time of the join request.


Resolution

 

When authenticating using Active Directory, the process involves a domain join. Required information prior to joining includes the DNS domain name of the domain and the username and password of an administrative user with the privileges necessary to perform a domain join. The domain join process involves the creation of a computer account, which the TGC appliance will use for all subsequent operations or queries against the domain. The administrative credentials are not stored in the appliance. Apart from the machine account creation and periodic password changes, no changes are made to Active Directory.

 

As per the error messages on TGC, the supplied administrative user account does not have the correct privileges to complete the join action.

 

The administrative user account to be used for the domain join while configuring TGC requires the following permissions:

  • Read user principal name
  • Write user principal name
  • Change password
  • Reset password
  • Read and write account restrictions
  • Validated write to DNS host name
  • Validated write to service principal name
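
One way to delegate the permissions listed above to a dedicated, non-administrative join account, shown as an added example that is not from the original article or from Tintri. The OU distinguished name and account name are placeholders, and the script grants only the listed permissions, scoped to computer objects under that OU.

```powershell
# Added example: delegate only the permissions listed in this article.
# Placeholders (assumptions, replace with your own values):
$TargetOU    = 'OU=TGC,DC=example,DC=com'   # OU that will hold the TGC computer account
$JoinAccount = 'EXAMPLE\svc-tgc-join'       # dedicated join account, not a Domain Admin

# dsacls permission bits: RP = read property, WP = write property,
# CA = control access (extended right), WS = validated write.
$Aces = @(
    'RPWP;userPrincipalName',                         # Read / write user principal name
    'CA;Change Password',                             # Change password
    'CA;Reset Password',                              # Reset password
    'RPWP;Account Restrictions',                      # Read and write account restrictions
    'WS;Validated write to DNS host name',
    'WS;Validated write to service principal name'
)

foreach ($ace in $Aces) {
    # /I:S applies the ACE to child objects only; the trailing ";computer"
    # limits inheritance to computer objects.
    & dsacls.exe $TargetOU /I:S /G "${JoinAccount}:$ace;computer"

    # Stop if dsacls reports a non-zero exit code.
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$ace'" }
}

# Review the resulting ACEs for the join account on the OU.
& dsacls.exe $TargetOU | Select-String -SimpleMatch $JoinAccount
```

Run it from an elevated session on a host with the AD DS tools installed, using an account that is allowed to modify permissions on the target OU.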

 

 

After the correct privileges are added to the administrative account, perform the following actions in TGC in order to join the domain:

  • Log in to the TGC UI, click Explore, and click Edit all settings in the Settings pane
  • Click AD & LDAP in the Settings display
  • Select the AD (Active Directory) option
  • Enter the Domain Name
  • Enter the Username
  • Enter the Password
  • Save the details
  • Click "Verify saved domain join" to verify that the tests complete without any errors.

 

 See related VMstore article ::KB

Technical review complete. Minor formatting changes. Minor rewrite of resolution paragraph for clarification. 13/02/2017
Posted 02:18, 13 Feb 2017
Final Review underway removing blog link and will add internal link https://knowledge.tintri.com/001_Tintri_VMstore%E2%84%A2/Knowledge_Base/Active_Directory_Authentication_vs_LDAP_Authentication

Defined by article :: http://prajwaldesai.com/allow-domain-user-to-add-computer-to-domain/
Posted 03:59, 17 Feb 2017
Last modified
19:27, 9 May 2017
