Unable to add ESXi host to the Active Directory domain (2008408)

Symptoms

  • You cannot add an ESXi host to the Active Directory (AD) domain
  • When attempting to join an ESXi 5.0 host to an AD environment via the vSphere Client, the task fails after five minutes
  • You see the error:
Could not join <domainname>: The specified domain either does not exist or could not be contacted.
  • This issue occurs when vSphere Client is connected to vCenter Server or directly to the host
  • You cannot join the host to the domain using the vicfg-authconfig command in the Virtual Management Appliance (vMA)
  • Disabling the ESXi firewall allows the host to connect to the AD domain
  • The following messages may be found in netlogd.log with verbose logging enabled.

    DJRunJoinProcess: 0x80047: 0x251E - Unknown error
    Stack Trace:
            /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/domainjoin/libdomainjoin/src/djauthinfo.c:872
            /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/domainjoin/libdomainjoin/src/djauthinfo.c:1218
    2012-01-24T14:29:40.008Z [27E9EB90 error 'ActiveDirectoryAuthentication' opID=05990A3A-0000294B-fa] vmwauth NoSuchDomainException: Exception 0x0000054b: The specified domain either does not exist or could not be contacted.
    2012-01-24T14:29:40.009Z [27E9EB90 info 'ha-eventmgr' opID=05990A3A-0000294B-fa] Event 237 : Join domain failed.
    2012-01-24T14:29:40.009Z [27E9EB90 info 'TaskManager' opID=05990A3A-0000294B-fa] Task Completed : haTask-ha-host-vim.host.ActiveDirectoryAuthentication.joinDomain-2740465 Status error
    2012-01-24T14:29:40.010Z [27640B90 warning 'Locale'] FormatField: Invalid (vim.vm.Message.1)


  • Messages similar to the following are reported in lwiod.log

    20120124144255:0xff9d5b90:ERROR:[LWNetDnsQueryWithBuffer() /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/utils/lwnet-dns.c:1185] DNS lookup for '_ldap._tcp.dc._msdcs.abc.xyz.com' failed with errno 110, h_errno = 2
    20120124144255:0xff9d5b90:DEBUG:[LWNetDnsQueryWithBuffer() /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/utils/lwnet-dns.c:1187] Error at /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/utils/lwnet-dns.c:1187 [code: 9502]
    20120124144255:0xff9d5b90:DEBUG:[LWNetDnsSrvQuery() /build/mts/release/bora-3

Cause

DNS lookups are required during the Active Directory join process.
 
If a DNS lookup returns a response larger than 512 bytes over UDP port 53, the lookup may fail. The resolver then resends the query over TCP port 53 to obtain a reliable response.
 
By default, TCP port 53 is not open in the ESXi 5.0 firewall. Therefore, any operation that depends on such a DNS lookup (for example, an AD domain join) may fail.
 
Packets over 512 bytes may show as malformed during tcpdump captures on the ESXi host.

Resolution

This issue has been resolved in ESXi 5.0 Update 1. For further information, see the Resolved Issues section of the ESXi 5.0 Update 1 Release Notes. To download this version, see the VMware Download Center.

If you are unable to upgrade, the patch described in You cannot add an ESXi host to the Active Directory (AD) domain (2012672) also resolves this issue.

To work around this issue, determine whether the DNS responses received are larger than 512 bytes, or whether they are malformed. To verify, use a tool such as Wireshark or tcpdump.

Note: VMware does not endorse or recommend any particular third party utility.
 
In addition, verify that DNS is operating properly with appropriate customer network resources.

If packets are larger than 512 bytes, DNS may be operating properly in the environment. If packets are malformed, then there may be environmental networking issues that should be resolved first.
 
If the malformed packets cannot be resolved, or the packets are larger than 512 bytes, use one of the following workarounds:
  • Temporarily disable the ESXi firewall and join the ESXi host to the domain. This can be disabled with the following command:

    esxcli network firewall unload

    Note: This will destroy filters and unload the firewall modules. For more information on disabling the firewall, see About the ESXi 5.0 firewall (2005284).

  • Configure a custom rule set for the ESXi firewall that opens TCP port 53. For more information, see Rule Set Configuration Files in the VMware Security Guide.

    Note: Custom firewall port configurations are not persistent across reboots. For more information, see User defined xml firewall configurations are not persistent across ESXi host reboots (2007381).
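The second workaround as an added example (not from this article or from VMware): a custom rule set that opens only outbound TCP port 53, written to /etc/vmware/firewall and loaded with esxcli. The rule set name dnsTcp, the file name dnsTcp.xml and the XML layout are assumptions based on the ESXi 5.0 rule set file convention; adjust them to your environment.

```shell
#!/bin/sh
# Added example: open outbound TCP/53 on the ESXi 5.0 firewall so truncated
# UDP DNS answers can be retried over TCP, without unloading the firewall.
# Assumed names: rule set id "dnsTcp", file /etc/vmware/firewall/dnsTcp.xml.

RULESET_ID="dnsTcp"
RULESET_DIR="/etc/vmware/firewall"
RULESET_FILE="${RULESET_DIR}/${RULESET_ID}.xml"

# Emit the rule set definition: a single outbound rule, destination TCP port 53.
# Nothing inbound is opened, and no other port is touched.
dns_tcp_ruleset_xml() {
    cat <<EOF
<ConfigRoot>
  <service>
    <id>${RULESET_ID}</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>53</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
}

# Count <port> elements in the definition that are NOT port 53 (expected: 0).
ports_other_than_53() {
    dns_tcp_ruleset_xml | grep '<port>' | grep -vc '<port>53</port>' || true
}

# Write the file, ask the firewall to reload its rule sets, then show the result.
# Note (KB 2007381): this custom XML does not survive a host reboot.
install_dns_tcp_ruleset() {
    dns_tcp_ruleset_xml > "$RULESET_FILE"
    esxcli network firewall refresh
    esxcli network firewall ruleset list --ruleset-id="$RULESET_ID"
    esxcli network firewall ruleset rule list --ruleset-id="$RULESET_ID"
}

# Only run the install step on an ESXi host (esxcli present).
if command -v esxcli >/dev/null 2>&1; then
    install_dns_tcp_ruleset
fi
```

After the join succeeds, the rule set can be disabled again with esxcli network firewall ruleset set --ruleset-id=dnsTcp --enabled=false, or removed by deleting the file and refreshing.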

Impact/Risks

You may need to alter the ESXi 5.0 firewall to adjust for complex DNS environments.
 
Verify that DNS is functioning properly in the environment. If underlying DNS issues exist, these steps only mask the issues.
