An attempt to join an ESXi host to an Active Directory domain fails with "Errors in Active Directory operations."
/var/run/log/syslog.log shows entries similar to:
<timestamp>Z In(30) lwsmd[2529914]: [lsass] Affinitized to DC 'host.domain.tld' for join request to domain 'DOMAIN.TLD'
<timestamp>Z In(30) lwsmd[2529914]: [netlogon] Filtering list of 3 servers with list of 0 black listed servers
<timestamp>Z Er(27) lwsmd[2529914]: [lwio] GSS-API error calling gss_init_sec_context: 851968 (Unspecified GSS failure. Minor code may provide more information)
<timestamp>Z Er(27)[+] lwsmd[2529914]:
<timestamp>Z Er(27) lwsmd[2529914]: [lwio] GSS-API error calling gss_init_sec_context: 100005 (Clock skew too great)
VMware vSphere ESXi 7.x
VMware vSphere ESXi 8.x
This indicates that the time on the ESXi host and the time on the Active Directory domain controller differ by more than 5 minutes, so Kerberos fails with the "Clock skew too great" error.
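To confirm this signature in a saved copy of the log, the following added example (not part of the original article) pairs each "Clock skew too great" error with the domain controller that the same lwsmd process was affinitized to. The function name find_skew_failures and the sample timestamps are assumptions made for illustration; it needs only a POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not from the original article: find Kerberos clock-skew
# failures in lwsmd syslog lines and report which DC the join was using.

# Constructed sample in the article's log format (timestamps are made up).
SAMPLE_LOG="2024-01-01T10:00:01.000Z In(30) lwsmd[2529914]: [lsass] Affinitized to DC 'host.domain.tld' for join request to domain 'DOMAIN.TLD'
2024-01-01T10:00:01.100Z In(30) lwsmd[2529914]: [netlogon] Filtering list of 3 servers with list of 0 black listed servers
2024-01-01T10:00:01.200Z Er(27) lwsmd[2529914]: [lwio] GSS-API error calling gss_init_sec_context: 851968 (Unspecified GSS failure. Minor code may provide more information)
2024-01-01T10:00:01.300Z Er(27) lwsmd[2529914]: [lwio] GSS-API error calling gss_init_sec_context: 100005 (Clock skew too great)"

# find_skew_failures [FILE...]   (hypothetical helper; reads stdin if no file)
# Prints "<timestamp> pid=<pid> dc=<dc> domain=<domain>" for each failure.
# Returns 0 if at least one failure was found, 1 otherwise.
find_skew_failures() {
    awk -v q="'" '
    function pid_of(line) {                 # digits inside "lwsmd[...]"
        if (!match(line, /lwsmd\[[0-9]+\]/)) return "?"
        return substr(line, RSTART + 6, RLENGTH - 7)
    }
    function quoted_after(line, key,    i, rest, j) {   # quoted value after key
        i = index(line, key " " q)
        if (i == 0) return "unknown"
        rest = substr(line, i + length(key) + 2)
        j = index(rest, q)
        return (j > 0) ? substr(rest, 1, j - 1) : "unknown"
    }
    # lsass logs the DC it picked before the Kerberos exchange starts.
    /\[lsass\] Affinitized to DC/ {
        p = pid_of($0)
        dc[p] = quoted_after($0, "to DC")
        dom[p] = quoted_after($0, "to domain")
        next
    }
    # The failing GSS-API call carries the text "Clock skew too great".
    /gss_init_sec_context/ && /Clock skew too great/ {
        p = pid_of($0)
        d = (p in dc) ? dc[p] : "unknown"
        m = (p in dom) ? dom[p] : "unknown"
        printf "%s pid=%s dc=%s domain=%s\n", $1, p, d, m
        found = 1
    }
    END { exit(found ? 0 : 1) }
    ' "$@"
}

printf '%s\n' "$SAMPLE_LOG" | find_skew_failures
```

The reported dc value is the host whose clock should be compared with the ESXi host's clock.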
To fix this, adjust the time on your Active Directory domain controller (host.domain.tld) so that it is within ±5 minutes of the current time or, better, set to the exact current time.
Otherwise, you are required to run the following commands before initiating the domain join operation on the ESXi host:
1. /etc/init.d/lwsmd start
2. /usr/lib/vmware/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]' SyncSystemTime 1