Unable to add ESXi host to the Active Directory domain
Article ID: 328394

Products

VMware

Issue/Introduction

Symptoms:
  • You cannot add an ESXi host to the Active Directory (AD) domain
  • When attempting to join an ESXi 5.0 host to an AD environment via the vSphere Client, the task fails after five minutes
  • You see the error:
Could not join <domainname>: The specified domain either does not exist or could not be contacted.
  • This issue occurs when vSphere Client is connected to vCenter Server or directly to the host
  • You cannot join the host to the domain using the vicfg-authconfig command in the Virtual Management Appliance (vMA)
  • Disabling the ESXi firewall allows the host to connect to the AD domain
  • In the netlogd.log file with verbose logging enabled, you see entries similar to:

    DJRunJoinProcess: 0x80047: 0x251E - Unknown error
    Stack Trace:
    /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/domainjoin/libdomainjoin/src/djauthinfo.c:872
    /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/domainjoin/libdomainjoin/src/djauthinfo.c:1218
    2012-01-24T14:29:40.008Z [27E9EB90 error 'ActiveDirectoryAuthentication' opID=05990A3A-0000294B-fa] vmwauth NoSuchDomainException: Exception 0x0000054b: The specified domain either does not exist or could not be contacted.
    2012-01-24T14:29:40.009Z [27E9EB90 info 'ha-eventmgr' opID=05990A3A-0000294B-fa] Event 237 : Join domain failed.
    2012-01-24T14:29:40.009Z [27E9EB90 info 'TaskManager' opID=05990A3A-0000294B-fa] Task Completed : haTask-ha-host-vim.host.ActiveDirectoryAuthentication.joinDomain-2740465 Status error
    2012-01-24T14:29:40.010Z [27640B90 warning 'Locale'] FormatField: Invalid (vim.vm.Message.1)


  • In the lwiod.log file, you see entries similar to:

    20120124144255:0xff9d5b90:ERROR:[LWNetDnsQueryWithBuffer() /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/utils/lwnet-dns.c:1185] DNS lookup for '_ldap._tcp.dc._msdcs.abc.xyz.com' failed with errno 110, h_errno = 2
    20120124144255:0xff9d5b90:DEBUG:[LWNetDnsQueryWithBuffer() /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/utils/lwnet-dns.c:1187] Error at /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/utils/lwnet-dns.c:1187 [code: 9502]
    20120124144255:0xff9d5b90:DEBUG:[LWNetDnsSrvQuery() /build/mts/release/bora-3

Note: This log excerpt is an example. Date, time, and environmental variables may vary depending on your environment.


Cause

This issue occurs when TCP port 53 is not open in the ESXi 5.0 firewall.
DNS lookups are required during the Active Directory join process. If a DNS lookup returns a packet greater than 512 bytes over UDP port 53, the command may fail. DNS queries are then sent over TCP port 53 for a reliable response. By default, TCP port 53 is not open in the ESXi 5.0 firewall. Therefore, any communications (such as AD domain joins) that require DNS communication may fail.
Packets over 512 bytes may show as malformed during tcpdump captures on the ESXi host.
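The UDP-to-TCP fallback described above, as an added example that is not VMware's or Likewise's code: it builds the SRV query for the DC locator record seen in the lwiod.log excerpt, checks the TC (truncated) bit in the reply header, and only then opens TCP port 53, which is the step that fails when the ESXi 5.0 firewall has no rule for it. The domain name, DNS server address and the two sample replies are constructed for illustration.

```python
import socket
import struct

SRV, IN, TC_BIT = 33, 1, 0x0200

def build_srv_query(name, txid=0x1234):
    """Plain DNS query (no EDNS0): header with RD=1, one question, QTYPE SRV, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", SRV, IN)

def parse_header(reply):
    """Decode the 12-byte header; TC is what decides whether UDP was enough."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return {"id": txid, "tc": bool(flags & TC_BIT), "rcode": flags & 0x000F,
            "answers": an, "size": len(reply)}

def needs_tcp_fallback(reply):
    """Without EDNS0 a server truncates answers over 512 bytes and sets TC, so the
    client must repeat the query over TCP port 53."""
    return parse_header(reply)["tc"]

def resolve_dc_srv(domain, server, timeout=5.0):
    """Look up the DC locator record the join uses: UDP first, TCP on truncation.
    The TCP leg is the traffic an ESXi 5.0 firewall without a TCP 53 rule drops."""
    q = build_srv_query("_ldap._tcp.dc._msdcs." + domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(q, (server, 53))
        reply, _ = udp.recvfrom(4096)
    transport = "udp"
    if needs_tcp_fallback(reply):
        transport = "tcp"
        with socket.create_connection((server, 53), timeout=timeout) as tcp:
            tcp.sendall(struct.pack("!H", len(q)) + q)   # TCP DNS is length-prefixed
            (length,) = struct.unpack("!H", tcp.recv(2))
            reply = b""
            while len(reply) < length:
                chunk = tcp.recv(length - len(reply))
                if not chunk:
                    raise ConnectionError("TCP/53 closed early: check the ESXi firewall")
                reply += chunk
    return transport, parse_header(reply)

# Constructed sample replies (not captured from a real host): flags 0x8380 has
# QR, TC, RD and RA set, i.e. a truncated answer; 0x8180 is the same without TC.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
COMPLETE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)
```

Running resolve_dc_srv("abc.xyz.com", "<dns-server-ip>") from a machine that can reach the DNS server shows which transport the answer needed; a ConnectionError or timeout on the TCP leg is the symptom this article describes.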

Resolution

This issue has been resolved in ESXi 5.0 Update 1. For further information, see the Resolved Issues section of the ESXi 5.0 Update 1 Release Notes. To download this version, see VMware Download.

If you are unable to upgrade, the following patch also resolves this issue; see You cannot add an ESXi host to the Active Directory (AD) domain in VMware ESXi 5.0 Patch Image Profile ESXi-5.0.0-20120302001-no-tools (2012672).

To work around this issue, determine whether the DNS packets received are larger than 512 bytes, or whether they are malformed. To verify, use a tool such as Wireshark or tcpdump.

Note: VMware does not endorse or recommend any particular third party utility.
In addition, verify that DNS is operating properly using the appropriate network resources in your environment.

If packets are larger than 512 bytes, DNS may be operating properly in the environment. If packets are malformed, then there may be environmental networking issues that should be resolved first.
If the malformed packets are unable to be resolved or packets are larger than 512 bytes:
  • Temporarily disable the ESXi firewall and join the ESXi host to the domain. This can be disabled with the following command:

    esxcli network firewall unload

    Note: This will destroy filters and unload the firewall modules. For more information on disabling the firewall, see About the ESXi 5.0 firewall (2005284).

  • Configure a custom rule set for the ESXi firewall that opens TCP port 53. For more information, see Rule Set Configuration Files in the VMware Security Guide.
Note: Custom firewall port configurations are not persistent across reboots. For more information, see User defined xml firewall configurations are not persistent across ESXi host reboots (2007381).


Additional Information

About the ESXi 5.x and 6.x firewall
Adding a third-party firewall extension to ESXi 5.0
User defined xml firewall configurations are not persistent across ESXi host reboots
Creating custom firewall rules in VMware ESXi 5.x
VMware ESXi 5.0 Patch Image Profile ESXi-5.0.0-20120302001-no-tools
Unable to add ESXi host to the Active Directory domain (Japanese)
Unable to add ESXi host to the Active Directory domain (Chinese)

Impact/Risks:
You may need to alter the ESXi 5.0 firewall to adjust for complex DNS environments.
Verify that DNS is functioning properly in the environment. If underlying DNS issues exist, these steps only mask the issues.