The other day I logged into my vCloud Automation Center web client and discovered that I was getting HTTP 503 errors in a number of different places and Java errors thrown in my Home dashboard. After a bit of digging around I determined that the password expired on the Active Directory user account that’s acting as a service account. The vCloud Automation Center IaaS services run as a domain user, and if the password expires the services won’t start and everything breaks.
The fix is, of course, to change the password on the user account in Active Directory, change the password on the services, and start everything back up. It’s possible (I think) to use an Active Directory managed service account for those services, but that doesn’t help all the places that use that service account, since they’re not “smart” enough to do so. Note: My hesitation about whether or not those Windows services can use a managed service account isn’t because of Windows, but because I don’t know if the IaaS installer would object to dollar signs in the user name. I haven’t had a chance to try it as I’d need to spin up another VM for IaaS install and… /sigh.
So where does that leave us? Back to the ol’ user account pretending to be a service account. Yay! Everyone loves manually managing password rotations, change management windows to bounce services, or applying group policies to an OU in order to make a domain password policy exception, right? 😉
You’ll need to change the password on the following services: VMware DEM-Orchestrator, VMware DEM-Worker, VMware vCloud Automation Center Agent, and VMware vCloud Automation Center Service. Be sure to change the password on the following IIS Application Pools: RepositoryAppPool, vCACAppPool, and WapiAppPool.
Moral of the story: if IT was easy, it wouldn’t pay so well.
- vCloud Application Director 18.104.22.168 Build 1571033
- vCloud Automation Center 6.0.1 Build: 1571033, using vCenter’s SSO
- vCenter Server Appliance 22.214.171.12400 Build 1750781