A resolution is being planned for a future vSphere release.
Workaround:
This workaround applies only if the domain join is failing with error code 5, shown below, in vmcamd-syslog.log:
2021-03-25T12:12:30.983777+00:00 info vmcamd t@139792763303680: VmCamSrvCreateMachineAccount failed. (5)
Perform the steps below to assign the permissions an AD user needs in the domain in order to join an ESXi host to an Active Directory domain with vSphere Authentication Proxy.
This is only an example:
- Click Start, click Run, type dsa.msc, and then click OK.
- In the task pane, expand the domain node.
- Locate and right-click the OU that needs to be modified, and then click Delegate Control.
- In the Delegation Control Wizard, click Next.
- Click Add to add a specific user or a specific group to the Selected users and groups list, and then click Next.
- In the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
- Click Only the following objects in the folder, and then from the list, click to select the Computer objects check box. Then, select the check boxes below the list, Create selected objects in this folder and Delete selected objects in this folder.
- Click Next.
- In the Permissions list, select the option "Full Control".
- Click Next, and then click Finish.
- Close the Active Directory Users and Computers MMC snap-in.
This lets the user add the ESXi host to their AD domain without having Domain Admins privileges, because they will have full access to the attributes of the Computer object.
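The same delegation can be scripted so it is repeatable and can be checked afterwards. The following is an added example, not part of the original article or VMware's tooling; the OU and account names are constructed placeholders, and it assumes a domain-joined Windows host with dsacls.exe and the RSAT ActiveDirectory module available.

```powershell
# Added example: scripted equivalent of the Delegation of Control Wizard steps above.
# Constructed placeholder values: replace with your own OU and delegated account.
$OuDn      = 'OU=ESXiHosts,DC=example,DC=com'   # hypothetical OU that will hold ESXi computer objects
$Principal = 'EXAMPLE\svc-esxi-join'            # hypothetical user or group receiving the delegation

# Fail early if the OU does not exist.
Import-Module ActiveDirectory -ErrorAction Stop
Get-ADOrganizationalUnit -Identity $OuDn -ErrorAction Stop | Out-Null

# 1. "Create selected objects in this folder" / "Delete selected objects in this folder",
#    limited to Computer objects: CC = create child, DC = delete child.
#    /I:T applies the ACE to this OU and its sub-containers.
& dsacls.exe $OuDn /I:T /G "${Principal}:CCDC;computer"
if ($LASTEXITCODE -ne 0) { throw "dsacls failed granting create/delete (exit code $LASTEXITCODE)" }

# 2. "Full Control" from the Permissions list: GA = generic all,
#    /I:S with the trailing ';computer' makes it inherit only to descendant Computer objects.
& dsacls.exe $OuDn /I:S /G "${Principal}:GA;;computer"
if ($LASTEXITCODE -ne 0) { throw "dsacls failed granting full control (exit code $LASTEXITCODE)" }

# 3. Verify: list the explicit (non-inherited) ACEs the delegated principal now holds on the OU.
$acl = Get-Acl -Path "AD:\$OuDn"
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Principal -and -not $_.IsInherited
}
if (-not $aces) { throw "No explicit ACEs found for $Principal on $OuDn" }

$aces |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType,
                  ObjectType, InheritedObjectType |
    Format-Table -AutoSize
```

Run it against the specific OU where the ESXi computer accounts will be created, so the delegated account's Full Control stays confined to computer objects in that OU.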