KnowledgeBase: ERROR_GEN_FAILURE [0x0000001f] when attempting to join VMware vCenter Server Appliance 6 U1 to a Windows Server 2012 R2-based Active Directory domain

An issue has been identified when you try to join a VMware vCenter Server Appliance (VCSA) version 6 Update 1 to a Windows Server 2012 R2-based Active Directory domain. You receive an error and the VCSA is not joined to the domain.

  

The situation

The VMware vCenter Server Appliance (VCSA) is a virtual installation that you can download from VMware. It comes pre-installed with vCenter Server to centrally manage a VMware-based hypervisor environment.

It is a common practice in environments with Microsoft virtual machines and an Active Directory implementation to join the vCenter Server to Active Directory. This way, admins can log on to the vCenter Server with their Windows credentials and, optionally, delegate rights to other accounts.

   

The issue

When you try to join a VMware vCenter Server Appliance (VCSA) running version 6 with Update 1 to an Active Directory domain running Windows Server 2012 R2-based Domain Controllers, you experience an error.

This error is caused by the Windows Server 2012 R2-based Domain Controllers. These installations have the SMB version 1 protocol enabled, but because there is a race condition between the SMB version 1 service driver loading and the Server service initialization, the SMB version 1 service driver is not loaded correctly.

   

The resolution

To join the VMware vCenter Server Appliance (VCSA) running version 6 with Update 1 to the Active Directory domain, you will need to configure the SMB version 1 protocol on the Domain Controllers you want the VMware vCenter Server Appliance (VCSA) to be able to communicate with.

The best way to resolve this issue is by installing update 2975719 (August 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2) on your Windows Server 2012 R2-based Domain Controllers.

A workaround

Alternatively, you can configure the SMB version 1 service driver by making the following registry changes on Domain Controllers:

Navigate to the following registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer

Change the value for DependOnService from "SamSS Srv2" to "SamSS Srv". After this, reboot the Domain Controllers to make them use the compatible settings.

After this change, when you join the VMware vCenter Server Appliance (VCSA) version 6 Update 1 to a Windows Server 2012 R2-based Active Directory domain, you will be successful.
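To see which state a given Domain Controller is in before or after applying either fix, the settings named above can be read back without changing anything. The following is an added example, not part of the original article; it assumes an elevated PowerShell session on the Domain Controller itself and that the SMB version 1 driver is registered under the service name srv, matching the "Srv" entry in DependOnService.

```powershell
# Added example (not from the original article): read-only audit of the
# settings discussed above. Run in an elevated session on a Domain Controller.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer'

# DependOnService is a multi-string value; PowerShell returns a string array.
$deps = @((Get-ItemProperty -Path $key -Name DependOnService).DependOnService)

# The update rollup the article recommends (only this exact package is checked).
$rollup = Get-HotFix -Id 'KB2975719' -ErrorAction SilentlyContinue

# SMB1 server protocol setting and the state of the SMB1 driver (assumed: srv).
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
$drv  = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='srv'"

# Classify the LanmanServer dependency list against the two values in the article.
$state = if ($deps -contains 'Srv') {
    'Workaround applied (depends on Srv)'
} elseif ($deps -contains 'Srv2') {
    'Default (depends on Srv2)'
} else {
    'Unexpected DependOnService value'
}

# One object per Domain Controller, easy to collect and compare across DCs.
[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    DependOnService   = $deps -join ' '
    LanmanServerState = $state
    KB2975719Present  = [bool]$rollup
    SMB1ServerEnabled = $smb1
    SrvDriverState    = if ($drv) { $drv.State } else { 'not found' }
    SrvDriverStart    = if ($drv) { $drv.StartMode } else { 'n/a' }
}
```

Keeping this output per Domain Controller gives you a record of where SMB version 1 was deliberately left reachable for the VCSA, so the change can be reverted once the appliance no longer needs it.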

Related Microsoft Knowledgebase Articles

2975719 August 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 
2976994 Shared folder in Windows Server 2012 R2 or Windows 8.1 cannot be accessed by using SMB version 1 protocol

Further reading

VCSA 6U1 unable join 2012 R2 domain. [code 0x0000001f] 
Windows Server 2012 R2 will not communicate with or accept traffic from older operating systems (126004)

5 Responses to KnowledgeBase: ERROR_GEN_FAILURE [0x0000001f] when attempting to join VMware vCenter Server Appliance 6 U1 to a Windows Server 2012 R2-based Active Directory domain

  1.  

    As this site comes up on searches related to the vCSA joining the domain, I thought posting how to turn on SMB2 support on the VCSA would be useful here:

    How to turn SMB2 on the vCSAs:

    SSH into the vCSA and run:
    /opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]' Smb2Enabled 1

    You can verify the values with the following command:
    /opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\lwio\Parameters\Drivers\rdr]'

    Then restart likewise:
    /opt/likewise/bin/lwsm restart lwio

    Now it talks to AD with SMB2

  2.  

    This is a terrible business practice. Obviously with the recent rash of ransomware that leveraged SMB1 it’s more of an underscored issue.

    Mac OS 10, newer Linux distro, and most modern MF printer manufacturers all have at least upgraded to SMB2. SMB1 is insecure, circa 1990’s irrelevancy.

    • Agreed.

       
  3.  

    SMB 1 is insecure. The DOD has actually banned its use entirely and is enforcing it via Group policy.

    • aka.ms/stillneedssmb1 lists known SMB1-using products.
      VMware vSphere 6.0 is on this list.

      It is a problem that this specific version of the vCenter Appliance still uses SMB1. Yet, it is also a problem to not be able to manage the VMware vSphere infrastructure when you disable SMB1 entirely.

       
