Joining an ESXi host to Active Directory fails with the error: User Account has no right to add hosts to the domain


Article ID: 309316


Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:

  • When you attempt to join an ESXi host to Active Directory, the process fails with the error:

    User account has no right to add hosts to the domain.

  • The user account you are using to join the host to the domain has the appropriate permissions to join hosts to the domain.
  • The user account you are using to join the host to the domain has the permission Do not require Kerberos preauthentication enabled.
  • A Wireshark capture between the host and domain controller contains the entries similar to:

    312 25.077946 <ESXi HOST IP> <DOMAIN CONTROLLER / DSN IP> LSARPC 241 lsa_OpenPolicy2 request
    315 25.078793 <DOMAIN CONTROLLER / DSN IP> <ESXi HOST IP> LSARPC 178 lsa_OpenPolicy2 response, STATUS_ACCESS_DENIED, Error: STATUS_ACCESS_DENIED



Environment

VMware vSphere ESXi

Cause

This issue occurs when the user account that is being used to join the host to the domain has the permission Do not require Kerberos preauthentication enabled.

Resolution

To resolve this issue, remove the Do not require Kerberos preauthentication permission from the user account that is being used to join the host to the domain.
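
One way to check and clear the setting from PowerShell, as an added example that is not part of the original article. It assumes the ActiveDirectory module (RSAT) is installed and that `svc-esxi-join` is a placeholder for the account used for the join. It goes slightly beyond the resolution above by also listing any other accounts that carry the same option.

```powershell
# Requires the ActiveDirectory module (RSAT) and rights to modify the account.
Import-Module ActiveDirectory

# Assumption: placeholder name for the account used for the ESXi domain join.
$JoinAccount = 'svc-esxi-join'

# "Do not require Kerberos preauthentication" is the 0x400000 bit
# (4194304) in the account's userAccountControl attribute.
$DontRequirePreauth = 0x400000

$user = Get-ADUser -Identity $JoinAccount -Properties userAccountControl

if ($user.userAccountControl -band $DontRequirePreauth) {
    Write-Host "$($user.SamAccountName): option is enabled; clearing it."
    Set-ADAccountControl -Identity $user -DoesNotRequirePreAuth $false

    # Re-read the account to confirm the change was written.
    $user = Get-ADUser -Identity $JoinAccount -Properties userAccountControl
    if ($user.userAccountControl -band $DontRequirePreauth) {
        throw "Option is still set on $JoinAccount."
    }
    Write-Host "Option cleared. Retry joining the ESXi host to the domain."
}
else {
    Write-Host "$($user.SamAccountName): option is not enabled on this account."
}

# List any other accounts that still have the option enabled, using the
# bitwise-AND LDAP matching rule against the same bit.
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' |
    Select-Object SamAccountName, DistinguishedName
```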

Additional Information