Active Directory Domain Controllers and VMware Tools Shared Folders. Grrrrrrr

Don’t you wish there was an easier way to discover faults? Rather than (what seems like) continuously wasting hours of the day figuring out problems… Software should be more intelligent… For instance running dcdiag and getting ‘RPC replication errors’ should be reported as ‘RPC replication errors due to VMware Tools Shared Folders’ would save everyone a lot of time…. This leads me to my next post.

I had an issue recently where I was trying to create a domain trust between two domains to no avail and came across KB1012140 ‘Unable to create a trust relationships between Domain Controllers’. The error manifests itself as ‘The local security authority is unable to obtain an RPC connection to the Domain controller.’

Although I was grateful to come across a quick fix for this issue (Just remove the Shared Folders component from VMware Tools which requires a reinstall in 2008 R2), I don’t think the VMware KB article covers the full scope of the issue.

Even if you are not planning on creating any domain trusts, VMware Tools Shared Folders should be removed from all domain controllers.

I kept on getting odd RPC replication errors with Shared folders enabled, even when building new domains to eliminate any other possible causes. Active Directory is the core service of the application layer. Pretty much every other application has a dependency on AD. In an Enterprise environment a low risk approach should always be taken to avoid potential future issues that could result in down time of your core services, especially when the benefit is minimal (i.e. to help lazy support staff). This is especially true if you are virtualising all your domain controllers (a fairly common scenario nowadays) as all your domain controllers will potentially be at risk, guarenteeing a total loss of service.

I have gone a step further and standardised the unattended VMware Tools install for 2008 R2 and removed VMware Tools Shared Folders from all 2008 R2 virtual machines. By extension this needs to include the Thinprint component as well as it seems to have a dependency on Shared Folders. The unattended install is shown here.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s