Provisioned desktops fail during virtual machine customization with the error "Failed to update the machine group policy (waited 25 seconds)". This can occur in an environment with multiple Active Directory sites, where the virtual machine account creation and the customization happen on different sites while the virtual machine account is not yet fully replicated.

During the instant clone provisioning process, virtual desktops remain in the customization state for a long period of time and may experience one of the following symptoms:

1. In Horizon View Administrator, the virtual machines error out with: Failed to update the machine group policy (waited 25 seconds). After about 10 minutes in the customization state, the virtual machine is deleted and a new machine is created to restart the process.
2. The instant clone is in Ready state in View Administrator, but when launching a session you get an error similar to: The SAM database on the windows server does not have a computer account for this workstation trust relationship.
3. In the instant clone logs, you see entries similar to:
[LdapConnectionContextManager] Exception while discovering site for <customer.AD.domain—adminuser@customer.AD.domain-SASL>com.vmware.daas.cloneprep.ldap.LdapConnectionContextManager.discoverSite(LdapConnectionContextManager.java:636)com.vmware.daas.cloneprep.ldap.LdapException: unable to search, resultCode=4 (size limit exceeded), errorMessage=null
Error during Provisioning Initial publish failed: Fault type is AD_FAULT_FATAL - com.vmware.daas.cloneprep.ldap.LdapException: unable to create connection pool, resultCode=82 (local error), errorMessage=An error occurred while attempting to initialize the JAAS login context for GSSAPI authentication: LoginException(Pre-authentication information was invalid (24)), ldapSDKVersion=5.1.3, revision=028e004da97e22a274a4116316a73d0a90526e4b

Cause
Horizon relies on API calls to Active Directory to process jobs in a timely manner.
Environmental matters and customization issues can have varied causes. See these resources for additional context: Troubleshooting VMware Horizon Machines that do not complete Customization (83985); Horizon View Best Practices: Parent Image Creation and Maintenance (90152).
With Horizon 2309 and later, customers facing instant-clone customization errors in multi-site and multi-domain-controller environments no longer have to configure site names manually to avoid such errors. The instant-clone provisioning workflow can now use Microsoft Sysprep customization to automatically select sites for computer account creation and to perform the domain join in multi-site environments. See Enabling Sysprep Guest Customization (without pre-created computer account). See KB 2147129 for details of the original issue.

To resolve this issue, apply the solutions one at a time. If the first solution does not solve the issue, continue with the next solution.

Horizon has a built-in mechanism for auto-discovery of the domain site. However, in some cases the auto-discovery might fail because of misconfigured DNS, misconfigured Sites and Services, or other reasons that you may not have direct control over.

Note: Take a complete backup of the ADAM database before proceeding. For more information, see Performing an end-to-end backup and restore for View Manager (1008046).

Solution 1: Use Sysprep Guest Customization (without pre-created computer account) to automatically select the correct domain site.
This guest customization uses Microsoft Sysprep to pre-create the computer accounts. See Guest Customization for Windows Instant Clones in VMware Horizon 8. To enable this guest customization, follow the steps in Enabling Sysprep Guest Customization (without pre-created computer account). You can enable it at the pool level to see if it fixes the problem. If the problem still persists, revert the above changes and try Solution 2 below.

Solution 2: Set pae-AdDomainSite to manually specify the correct site.
1. Connect to the ADAM database on the Connection Server. For more information, see Connecting to the View ADAM Database (2012377).
2. Go to OU=NgvcAdDomain,OU=Properties,DC=vdi,DC=vmware,DC=int and select the correct AD domain object.
3. Edit the pae-AdDomainSite value to the correct site.
Note: Setting pae-AdDomainSite forces Horizon to filter out any domain controllers that are in other sites, which improves response time.
If the problem persists after implementing and testing the above, remove the value and move on to Solution 3.

Provisioning or resync may also fail with a single Active Directory site when the AD objects are not replicated between domain controllers in a timely manner. To resolve this, investigate and correct the root cause of the replication performance concern; as a workaround, you can follow Solution 3. Likewise, when the domain controllers have only the default site (Default-First-Site-Name), follow Microsoft best practices for Active Directory Sites and Services (see Understanding Active Directory Site Topology); as a workaround, you can follow Solution 3.

Solution 3: Set pae-AdDomainControllers to the local domain controllers only.
1. Connect to the ADAM database on the Connection Server.
2. Go to OU=NgvcAdDomain,OU=Properties,DC=vdi,DC=vmware,DC=int and select the correct AD domain object.
3. Edit pae-AdDomainControllers to choose a READ/WRITE domain controller.

LDAP edit solution notes:
Note 1: In a larger environment, if you have issues displaying content in the LDAP database, highlight "Default naming context", click View and then Filter, and set "Max number of items per container:" to 9999999999.
Note 2: If your environment has more than one OU=NgvcAdDomain, you must perform all the steps for each domain administrator.
Move to Solution 4 if the problem persists after implementing and testing the above.

Solution 4: Modify the krb5.conf file.
Note: Starting from Horizon 2103, the steps below disable the untrusted domains feature; a manually edited Kerberos configuration file is currently not supported together with the untrusted domains feature.

Modify the krb5.conf file located at C:\ProgramData\VMware\VDM\krb\krb5.conf. Here is an example of what the krb5.conf file looks like when you have 10 domain controllers in your environment:

-----
#
# Generated by NGVC, do not modify
#
[libdefaults]
 default_realm = NO_DEFAULT_REALM
 udp_preference_limit = 1
[realms]
 EXAMPLE.COM = {
  kdc = site-east-ad1.example.com:88
  kdc = site-east-ad2.example.com:88
  kdc = site-east-ad3.example.com:88
  kdc = site-east-ad4.example.com:88
  kdc = site-east-ad5.example.com:88
  kdc = site-east-ad6.example.com:88
  kdc = site-east-ad7.example.com:88
  kdc = site-east-ad8.example.com:88
  kdc = site-east-ad9.example.com:88
  kdc = site-east-ad10.example.com:88
 }
[domain_realm]
 example.com = EXAMPLE.COM
 site-east-ad1.example.com = EXAMPLE.COM
 site-east-ad2.example.com = EXAMPLE.COM
 site-east-ad3.example.com = EXAMPLE.COM
 site-east-ad4.example.com = EXAMPLE.COM
 site-east-ad5.example.com = EXAMPLE.COM
 site-east-ad6.example.com = EXAMPLE.COM
 site-east-ad7.example.com = EXAMPLE.COM
 site-east-ad8.example.com = EXAMPLE.COM
 site-east-ad9.example.com = EXAMPLE.COM
 site-east-ad10.example.com = EXAMPLE.COM
-----

krb5.conf file edit solution notes:
1. For the [libdefaults] section, no change is required.
2. For the [realms] section, specify the domain name, which is case sensitive (e.g. EXAMPLE.COM), and list all the READ/WRITE domain controllers (e.g. site-east-ad1.example.com) of the same site where the Horizon brokers reside (do not list the READ ONLY domain controllers).
3. For the [domain_realm] section, specify your domain name line as shown above (e.g. example.com = EXAMPLE.COM), and then list all the domain controllers from step 2.

After editing the file:
1. Copy the krb5.conf file to the same location on all brokers if there are multiple brokers.
2. Connect to the ADAM database on the Connection Server and modify pae-NameValuePair, which is at CN=Common,OU=Global,OU=Properties,DC=vdi,DC=vmware,DC=int. Add cs-useManualKrb5Conf=true.
3. Restart all the brokers.
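A pre-flight check for a hand-edited krb5.conf, written as an added example for this article (it is not VMware's code): it parses the [realms] and [domain_realm] sections and applies notes 2 and 3 above, flagging a lower-case realm name, a kdc host that is missing from [domain_realm], and any kdc that appears in a caller-supplied list of read-only DCs. The sample configuration is constructed, modelled on the article's example; the read-only DC name is hypothetical.

```python
# Constructed sample modelled on the article's krb5.conf, trimmed to three KDCs;
# "site-east-rodc1" is a hypothetical read-only DC that should not be listed.
SAMPLE_KRB5_CONF = """\
# Generated by NGVC, do not modify
[libdefaults]
 default_realm = NO_DEFAULT_REALM
[realms]
 EXAMPLE.COM = {
  kdc = site-east-ad1.example.com:88
  kdc = site-east-ad2.example.com:88
  kdc = site-east-rodc1.example.com:88
 }
[domain_realm]
 example.com = EXAMPLE.COM
 site-east-ad1.example.com = EXAMPLE.COM
 site-east-ad2.example.com = EXAMPLE.COM
"""

def parse_krb5(text):
    """Return (realm, kdc hosts, {host: realm}) from [realms] and [domain_realm]."""
    section, realm, kdcs, domain_realm = None, None, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "realms":
            if line.endswith("{"):            # "EXAMPLE.COM = {"
                realm = line.split("=", 1)[0].strip()
            elif line.startswith("kdc"):      # "kdc = host:88" -> host
                kdcs.append(line.split("=", 1)[1].strip().split(":")[0].lower())
        elif section == "domain_realm" and "=" in line:
            host, mapped = (p.strip() for p in line.split("=", 1))
            domain_realm[host.lower()] = mapped
    return realm, kdcs, domain_realm

def check_krb5(text, read_only_dcs=()):
    """Apply the article's notes 2 and 3; returns a list of findings (empty means OK)."""
    realm, kdcs, domain_realm = parse_krb5(text)
    findings = []
    if not realm or realm != realm.upper():
        findings.append(f"[realms] name must be the upper-case realm, got {realm!r}")
    if realm and domain_realm.get(realm.lower()) != realm:
        findings.append(f"[domain_realm] is missing '{realm.lower()} = {realm}'")
    rodcs = {h.lower() for h in read_only_dcs}
    for host in kdcs:
        if domain_realm.get(host) != realm:
            findings.append(f"kdc {host} is not mapped to {realm} in [domain_realm]")
        if host in rodcs:
            findings.append(f"kdc {host} is a read-only DC; list READ/WRITE DCs only")
    return findings
```

Run check_krb5 on the file from C:\ProgramData\VMware\VDM\krb\krb5.conf before copying it to the other brokers; an empty list means the realm, kdc and domain_realm entries are consistent with the notes.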
This is a child article of AD_FAULT_FATAL: An Index of Instant Clone Creation Errors returned by Active Directory (91065)