Adding an ESXi host to a domain using Set-VMHostAuthentication cmdlet completes successfully, but if Get-VIAccount cmdlet is called immediately after that to check the status, it throws a "Can't bind to LDAP server for domain" error.

Symptoms:
The issue is with Get-VIAccount/New-VIPermission shortly after running Set-VMHostAuthentication, particularly for the first time after a host has had the OS installed. Get-VIAccount will throw a “Can't bind to LDAP server for domain” error and New-ViPermission will throw a “Cannot find an Active Directory group object with identity“ error.

VMware ESXi 6.7.x
VMware ESXi 6.5.x
VMware ESXi 6.0.x

Synchronization with an active directory needs some time after a host is joined to the domain using Set-VMHostAuthentication cmdlet.

Workaround:
We need to implement a retry-wait mechanism for retrieving domain users

# Get a domain account

$viAccount=$null

$retryCount= 5

while ((-not $viAccount) -and ($retryCount -ge 0)) {

      try {

            $viAccount= Get-VIAccount -Domain $domainAlias -User -Id $userNameToGrantPermissions

      } catch {

            Write-Error “Getting VIAccount with Id ‘$userNameToGrantPermissions’ failed with the following error: rn $_”

            Write-Host “Next attempt in 5 seconds”

            Start-Sleep -Seconds 5

      }

$retryCount--

}

Please note that the number of retries($retryCount =5) and sleep intervals(Start-Sleep -Seconds 5) in the sample script may need to be adjusted according to the individual environment performance.

Impact/Risks:
Shortly after running Set-VMHostAuthentication, particularly for the first time after a host has had the OS installed, Get-VIAccount/New-VIPermission will experience the specified errors.


“Can't bind to LDAP server for domain” error and “Cannot find an Active Directory group object with identity“ error.