"Errors in Active Directory operations" error adding the ESX/ESXi host to an Active Directory domain
Article ID: 310608
Updated On:
Products
VMware vSphere ESXi
Issue/Introduction
Symptoms:
- Cannot add the ESX/ESXi host to an Active Directory domain
- Adding the ESX/ESXi host to an Active Directory domain fails
- You see the error:
Errors in Active Directory operations
- If netlogond is enabled on the host, you see entries similar to these in the netlogond.log:
20100820075107:0xf7c74b90:DEBUG:[LWNetSrvGetCurrentDomain() /build/mts/release/bora-234910/likewise/esxi-esxi/src/linux/netlogon/server/api/lwnet-pstore.c:83] Error at /build/mts/release/bora-234910/likewise/esxi-esxi/src/linux/netlogon/server/api/lwnet-pstore.c:83 [code: 136]
Note: For more information on enabling netlogond, see Enabling logging for Likewise agents on ESXi/ESX (1026554).
Environment
VMware ESXi 6.7.x
VMware ESX 4.1.x
VMware ESXi 4.1.x Embedded
VMware vSphere ESXi 7.x
VMware ESXi 4.1.x Installable
VMware ESX 4.1.x
VMware ESXi 4.1.x Embedded
VMware vSphere ESXi 7.x
VMware ESXi 4.1.x Installable
Resolution
This issue may occur when the network firewall is blocking the required ports.
To resolve this issue, ensure that the following ports (both UDP and TCP) are open for communication between the ESX/ESXi host and Active Directory:
- Port 88 - Kerberos authentication
- Port 123 – NTP
- Port 135 - RPC
- Port 137 - NetBIOS Name Service
- Port 139 - NetBIOS Session Service (SMB)
- Port 389 - LDAP
- Port 445 - Microsoft-DS Active Directory, Windows shares (SMB over TCP)
- Port 464 - Kerberos - change/password changes
- Port 3268- Global Catalog search
Note: This issue may also occur if you have entered the user credentials in the <domain\username> format. This issue is resolved in ESXi 5.0 and later.
In some cases, the issue can be resolved first by a restart of the lwsmd service with the following commands:
/etc/init.d/lwsmd start
/etc/init.d/lwsmd start
Additional Information
Feedback
Yes
No
Powered by
