IDP Error [31] when trying to join to domain

So today I spent a couple of hours troubleshooting an issue that I've dealt with (and resolved in the same way) a number of times before. As such, this is a reminder to myself rather than anyone else however if it helps you out then... all the better!

I built a domain recently based on Windows Server 2012R2, joined the VCSA (v6) in with no issues and the continued the build.

I then get to the point where the core infrastructure was in situ, and I started to harden the environment. I ran the BPA on the domain controller, which advised that

"srv.sys should be set to start on demand"

I followed the BPA and ran

sc config srv start=demand

A few days later I hit on some authentication issues and removed the VCSA from the domain. I couldn't re-add it, with IDP error 31 reported at every turn.

The cause is documented at https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2134063 - in my opinion this is a weakness in the coding of the VCSA, and there should be work done to ~~allow~~ force the VCSA to use SMB2 at a minimum. Until this happens you can work around (assuming your security team allow it...) this by running

sc config srv start=auto

Future Kev - this one's on me!

IDP Error [31] when trying to join to domain

Kev Johnson

Kev Johnson

Replacing vCenter SSL machine certificates in a multi-tier PKI environment - Part 2

Replacing vCenter SSL machine certificates in a multi-tier PKI environment - Part 1

Charity begins at GIVING ME YOUR MONEY

Logs 101, or how I learned to stop worrying and love the log