in VMware

Unable to Join The PSC to An Active Directory Domain

Some small things can have a big impact on the entire infrastructure. Time synchronization is one of those things, and this is why VMware recommend configuring an NTP server for your vSphere infrastructure (and generally it’s recommended,best practice/required for all the datacenter components).
In vSphere 6, before you can add an active directory as an identity source, you must join the Platform Service Controller (PSC) to the domain, this can be done using the Web Client or the command line.
If you get this kind of error

A vCenter Single Sign-On service error occurred’ faultDetail:’null’


A server error occurred.
[400] An error occurred while processing the authentication response from the vCenter Single Sign-On server. Details: Status: urn:oasis:names:tc:SAML:2.0:status:Requester, sub status: null.
Check the vSphere Web Client server logs for details.

The first thing to check is your time synchronization, as you should know, active directory is sensitive to this, in a Windows environnement, you can get differents kinds of errors and authentication failure if you don’t have time synchronized correctly.

Connect to the PSC using SSH and check the current domain join status

psc domain join query

As it is clearly stated, it’s a time synchronization error. If you check the current time you will definitely find a time difference between the domain controller and the PSC appliance.

This how we can correct this

Connect to the PSC using ssh and modify the time configuration as below:

Command>ntp.server.add --servers ","
Command>timesync.set --mode NTP
Command>services.restart --name ntp

Enable and access the shell

Command> shell.set --enabled True
Command> shell

Query the domain join status again

psc domainjoin

This is normal as we haven’t joined the domain yet.

Join the domain using the following command

psc join domain command

Reboot the PSC and check the domain join status

domain join status

You should now be able to add your domain as an identity source.

Find this useful ? be sociable share 😉

Share your thoughts


  1. Hi,

    Thanks for the article. Just wanted to ask you couple of questions

    To add AD as an Identity Source which is the preferred method is it AD as LDAP or as integrated?

    Also when you say Add PSC to domain — I understand that when you are trying to install PSC or VC, the server is joined to Domain and we install these services (PSC or VC) on them and they get joined to domain as well. Is my understanding not right?


    • Hi Vaibhav,

      Choosing an identity source depend on your need, but the recommended way is configuring AD (or a directory) service.
      In my case I’m using the VCSA appliance with a separate PSC instance, the two are Linux based appliance, I needed to add the PSC appliance to domain after installation.