"Errors in Active Directory operations" error adding the ESX/ESXi host to an Active Directory domain

Article ID: 310608

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:

  • Cannot add the ESX/ESXi host to an Active Directory domain
  • Adding the ESX/ESXi host to an Active Directory domain fails
  • You see the error:

    Errors in Active Directory operations
     
  • If netlogond is enabled on the host, you see entries similar to these in the netlogond.log:

    20100820075107:0xf7c74b90:DEBUG:[LWNetSrvGetCurrentDomain() /build/mts/release/bora-234910/likewise/esxi-esxi/src/linux/netlogon/server/api/lwnet-pstore.c:83] Error at /build/mts/release/bora-234910/likewise/esxi-esxi/src/linux/netlogon/server/api/lwnet-pstore.c:83 [code: 136]

    Note: For more information on enabling netlogond, see Enabling logging for Likewise agents on ESXi/ESX (1026554).


Symptoms 2:

  • Joining the ESXi host to the domain fails with the Errors in Active Directory operations error.
  • With Likewise logging enabled (see Enabling logging for Likewise agents on ESXi/ESX (1026554)), you see an entry similar to this in the lsass log:

    240903101818:ERROR:lsass: Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 40056, symbol = LW_ERROR_ACCOUNT_DISABLED, client pid = 2100765

Environment

VMware ESXi 6.7.x
VMware ESX 4.1.x
VMware ESXi 4.1.x Embedded
VMware vSphere ESXi 7.x
VMware ESXi 4.1.x Installable

Resolution

This issue may occur when the network firewall is blocking the required ports.
 
To resolve this issue, ensure that the following ports (both UDP and TCP) are open for communication between the ESX/ESXi host and every domain controller the host may contact:
  • Port 88 - Kerberos authentication
  • Port 123 - NTP (the Kerberos exchange fails if host and DC clocks drift too far apart)
  • Port 135 - RPC endpoint mapper
  • Port 137 - NetBIOS Name Service
  • Port 139 - NetBIOS Session Service (SMB)
  • Port 389 - LDAP
  • Port 445 - Microsoft-DS Active Directory, Windows shares (SMB over TCP)
  • Port 464 - Kerberos password change (kpasswd)
  • Port 3268 - Global Catalog search
Note: This issue may also occur if you entered the user credentials in the <domain\username> format. That cause is resolved in ESXi 5.0 and later.
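The following script is an added example for this article, not VMware's own tooling: it checks the two things the port list implies, from the ESXi Shell. It assumes a host where esxcli and the BusyBox nc are available (ESXi 5.x and later) and that the built-in activeDirectoryAll firewall ruleset is the host-side rule for these ports; the domain controller name passed on the command line is a placeholder. nc -z only proves TCP reachability, so a clean run rules out TCP blocking but not a UDP-only block on 88, 123, 137, 389 or 464.

```shell
#!/bin/sh
# Added example for this KB article (not VMware's own code). Run from the ESXi Shell.
# Assumes: esxcli and BusyBox nc are present (ESXi 5.x+); the DC name passed in is a placeholder.

# Port/service table taken from the list above. Both TCP and UDP must be open;
# the nc -z probe below only exercises TCP.
REQUIRED_PORTS="88:Kerberos 123:NTP 135:RPC 137:NetBIOS-NS 139:NetBIOS-SSN 389:LDAP 445:SMB 464:Kerberos-kpasswd 3268:GlobalCatalog"

required_port_count() {
  set -- $REQUIRED_PORTS
  echo "$#"
}

# Reads `esxcli network firewall ruleset list` output on stdin; succeeds only when the
# activeDirectoryAll ruleset (host-side firewall rule for these ports) is enabled.
ad_ruleset_enabled() {
  awk '$1 == "activeDirectoryAll" && $2 == "true" { ok = 1 } END { exit (ok ? 0 : 1) }'
}

# TCP connect probe with a 2 second timeout; returns 0 when the port answers.
port_reachable() {
  nc -z -w 2 "$1" "$2" >/dev/null 2>&1
}

# Checks the host firewall, then every required port against the DC; returns 1 on any failure.
check_dc() {
  dc=$1
  fail=0
  if esxcli network firewall ruleset list | ad_ruleset_enabled; then
    echo "activeDirectoryAll ruleset: enabled"
  else
    echo "activeDirectoryAll ruleset: DISABLED - enable with:"
    echo "  esxcli network firewall ruleset set -e true -r activeDirectoryAll"
    fail=1
  fi
  for entry in $REQUIRED_PORTS; do
    port=${entry%%:*}
    name=${entry#*:}
    if port_reachable "$dc" "$port"; then
      echo "TCP $port ($name): open"
    else
      echo "TCP $port ($name): BLOCKED"
      fail=1
    fi
  done
  return $fail
}

# Usage: sh check_ad_ports.sh dc01.corp.example   (placeholder DC name)
if [ $# -ge 1 ]; then
  check_dc "$1"
fi
```

Run it once per domain controller the host can be pointed at; a BLOCKED line names the port to raise with the network team, and a DISABLED ruleset means the ESXi host itself is dropping the traffic regardless of the network firewall.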

In some cases, simply restarting the lwsmd (Likewise service manager) service resolves the issue:

/etc/init.d/lwsmd stop

/etc/init.d/lwsmd start

To work around this issue on ESX/ESXi versions earlier than 5.0, enter the user credentials in the <username> or <username@fqdn_of_the_domain> format instead of <domain\username>.

If the log shows the LW_ERROR_ACCOUNT_DISABLED entry from Symptoms 2, the problem is the host's computer object in Active Directory rather than the network:

  • Ask your AD team whether the ESXi host's computer object is disabled.
  • If it is disabled, enable it and retry the domain join.
  • If it is already enabled, delete the ESXi host's computer object in AD and retry the domain join, which recreates the object.
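The following script is an added example for this article, not VMware's own code: it sorts Likewise log lines into the two causes described above (the netlogond code 136 entry from the first Symptoms list and the LW_ERROR_ACCOUNT_DISABLED entry from Symptoms 2) so that a support engineer can tell the firewall case from the disabled-account case without reading the whole log. It assumes the lsass/netlogond line formats quoted in this article; the sample log is constructed from those two excerpts plus one placeholder ERROR line whose error number and symbol are made up to exercise the fallback branch.

```shell
#!/bin/sh
# Added example for this KB article (not VMware's own code): sorts Likewise log lines into the
# two causes described above. Assumes the lsass/netlogond line formats shown in Symptoms and
# Symptoms 2; any other ERROR line is reported as OTHER with its error/symbol for manual follow-up.

# Reads log lines on stdin, prints one tagged diagnosis per recognised line.
triage_likewise_log() {
  awk '
    /symbol = LW_ERROR_ACCOUNT_DISABLED/ {
      print "ACCOUNT_DISABLED: AD computer object for this host is disabled; enable it, or delete it and rejoin"
      next
    }
    /LWNetSrvGetCurrentDomain/ && /\[code: 136\]/ {
      print "NETLOGON_136: netlogond could not reach a DC; check firewall ports 88,123,135,137,139,389,445,464,3268 (TCP and UDP)"
      next
    }
    /:ERROR:/ && match($0, /error = [0-9]+, symbol = [A-Z_]+/) {
      print "OTHER: " substr($0, RSTART, RLENGTH)
      next
    }
  '
}

# Constructed sample: the two excerpts from this article (paths shortened) plus one placeholder
# ERROR line; 99999 / LW_ERROR_PLACEHOLDER are made up to exercise the OTHER branch. Not a real capture.
sample_log() {
  cat <<'EOF'
20100820075107:0xf7c74b90:DEBUG:[LWNetSrvGetCurrentDomain() .../lwnet-pstore.c:83] Error at .../lwnet-pstore.c:83 [code: 136]
240903101818:ERROR:lsass: Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 40056, symbol = LW_ERROR_ACCOUNT_DISABLED, client pid = 2100765
240903101900:ERROR:lsass: Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 99999, symbol = LW_ERROR_PLACEHOLDER, client pid = 2100770
EOF
}

# Usage on a host: triage_likewise_log < /path/to/the-likewise-log-enabled-per-KB-1026554
# Stand-alone demonstration on the constructed sample:
sample_log | triage_likewise_log
```

An ACCOUNT_DISABLED line sends you to the computer-object steps above; a NETLOGON_136 line sends you to the port list in the Resolution; an OTHER line carries the Likewise error number and symbol to search on, since the two fixes in this article do not apply to it.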

Additional Information