So today I spent a couple of hours troubleshooting an issue that I've dealt with (and resolved in the same way) a number of times before. As such, this is a reminder to myself rather than anyone else however if it helps you out then... all the better!
I built a domain recently based on Windows Server 2012R2, joined the VCSA (v6) in with no issues and the continued the build.
I then get to the point where the core infrastructure was in situ, and I started to harden the environment. I ran the BPA on the domain controller, which advised that
"srv.sys should be set to start on demand"
I followed the BPA and ran
sc config srv start=demand
A few days later I hit on some authentication issues and removed the VCSA from the domain. I couldn't re-add it, with IDP error 31 reported at every turn.
The cause is documented at https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2134063 - in my opinion this is a weakness in the coding of the VCSA, and there should be work done to
allow force the VCSA to use SMB2 at a minimum. Until this happens you can work around (assuming your security team allow it...) this by running
sc config srv start=auto
Future Kev - this one's on me!