Unable to add ESXi host to Active Directory because 'the user or group does not exist'

Article ID: 372425

Products

VMware vSphere ESXi

Issue/Introduction

When attempting to join an ESXi host to an Active Directory domain, the operation fails. The error message states that a specific user or group does not exist. Additionally, attempts to leave the domain also fail with a similar error.

Environment

- VMware ESXi 7.0 or newer
- Active Directory domain
- vSphere environment

Cause

This issue typically occurs when:

- The user or group name has been mis-typed.
- The group name specified for the domain join operation contains an invalid character.
  - In particular, special characters such as the caret (^) are not allowed in Active Directory group names.

Resolution

To resolve this issue, follow these steps:

1. Log in to the vSphere Client.

2. Select the affected ESXi host in the inventory.

3. Go to the "Configure" tab.

4. Under "System", select "Authentication Services".

5. Click "Edit" in the "Active Directory" section.

6. Check the "User/Group" field:
   a. If it is mis-typed or contains invalid characters (e.g., 'DOMAIN\group^name'), change it to a valid group name (e.g., 'DOMAIN\group_name').
   b. Click "OK" to save the changes.

7. Leave the current domain:
   a. In the "Authentication Services" section, click "Leave Domain".
   b. Confirm the action when prompted.

8. Rejoin the domain:
   a. Click "Join Domain".
   b. Enter the domain name.
   c. Provide the username and password of an account with permissions to join computers to the domain.
   d. In the "User/Group" field, enter the correct group name.
   e. Click "OK" to join the domain.

9. Verify time synchronization:
   a. In the "Configure" tab, under "System", select "Time Configuration".
   b. Ensure that the host is using correct NTP servers.
   c. If changes are needed, click "Edit" and update the NTP servers.

10. Check DNS configuration:
    a. In the "Configure" tab, under "Networking", select "TCP/IP configuration".
    b. Verify that the DNS servers are correctly set.
    c. If changes are needed, click "Edit" and update the DNS server information.

Additional Information

- Ensure that the account used for domain join operations has the necessary permissions in Active Directory.
- Double-check that the ESXi host's hostname is correctly set in both vSphere and the host's /etc/hosts file.
- If issues persist, you may need to restart the Likewise service on the ESXi host and rejoin the domain from the ESXi Shell (via SSH) using the following commands:
  ```
  # restart the Likewise service manager
  /etc/init.d/lwsmd restart
  # rejoin the domain with an account permitted to join computers to it
  /usr/lib/vmware/likewise/bin/domainjoin-cli join DOMAIN username
  ```
  Replace "DOMAIN" and "username" with appropriate values.
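The following POSIX sh script is an added example and is not part of KB 372425 or of the ESXi product: it checks the "User/Group" value for the DOMAIN\group shape and for invalid characters before the Likewise restart and domain rejoin are run, so the join is not attempted with a value the article says cannot work. The caret is the character the article names; the other rejected characters are the ones Microsoft documents as invalid in a sAMAccountName, which is an assumption about how the group is referenced. The function names `validate_adgroup` and `rejoin_domain` and the script name `adjoin-check.sh` are hypothetical.

```shell
#!/bin/sh
# Added example, not part of KB 372425: pre-check the "User/Group" value
# before leaving and rejoining the domain from the ESXi Shell.

# validate_adgroup 'DOMAIN\group'
# Returns 0 when the value has the DOMAIN\group shape and the group part is
# free of characters that break the join; returns 1 (with a reason on stderr)
# otherwise. The caret is the character the KB names; the remaining characters
# are those Microsoft documents as invalid in a sAMAccountName (assumption:
# the group is referenced by its sAMAccountName).
validate_adgroup() {
    name=$1
    case $name in
        *\\*) ;;
        *) printf '%s\n' "expected DOMAIN\\group, got '$name'" >&2; return 1 ;;
    esac
    domain=${name%%\\*}
    group=${name#*\\}
    if [ -z "$domain" ] || [ -z "$group" ]; then
        printf '%s\n' "domain or group part is empty in '$name'" >&2
        return 1
    fi
    rest=$group
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}      # first character of $rest
        rest=${rest#?}             # drop it
        case $c in
            '^'|'"'|'/'|'\'|'['|']'|':'|';'|'|'|'='|','|'+'|'*'|'?'|'<'|'>')
                printf '%s\n' "invalid character '$c' in group name '$group'" >&2
                return 1 ;;
        esac
    done
    return 0
}

# rejoin_domain 'DOMAIN\group' DOMAIN username
# Runs the two commands from the article once the group name passes the check.
# The group name is only validated here; it is still entered in the vSphere
# Client "User/Group" field as described in the Resolution steps.
rejoin_domain() {
    validate_adgroup "$1" || return 1
    /etc/init.d/lwsmd restart || return 1
    /usr/lib/vmware/likewise/bin/domainjoin-cli join "$2" "$3"
}

# Usage on the host:  sh adjoin-check.sh 'DOMAIN\group_name' DOMAIN username
if [ "$#" -eq 3 ]; then
    rejoin_domain "$1" "$2" "$3"
fi
```

Run it with the three arguments on the host; with no arguments it only defines the functions, so `validate_adgroup` can be sourced and used on its own to check a value before typing it into the vSphere Client. A rejected value prints the offending character, which is the quickest way to spot a stray caret or other symbol in a long group name.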