When attempting to join an ESXi host to an Active Directory domain through vCenter Server or PowerCLI, the operation fails with one of these errors:

• - "Errors in Active Directory operations"
• "LW_ERROR_DOMAIN_IS_OFFLINE [code 0x00009cb9] - The domain is offline"
• "Cannot contact any KDC for realm"
• "Cannot find KDC for realm"
• "LW_ERROR_KRB5_REALM_UNKNOWN (Error 41887)"
  
  ESXi host syslog.log may show entries similar to:

yyyy-mm-ddThh:mm:ss.mssZ In(30) lwsmd[process_id]: [lsass] Domain join request:
yyyy-mm-ddThh:mm:ss.mssZ In(30)[+] lwsmd[process_id]: {
yyyy-mm-ddThh:mm:ss.mssZ In(30)[+] lwsmd[process_id]:     pszHostname = "<esxi-host-name>"
yyyy-mm-ddThh:mm:ss.mssZ In(30)[+] lwsmd[process_id]:     pszHostDnsDomain = "example.com"
yyyy-mm-ddThh:mm:ss.mssZ In(30)[+] lwsmd[process_id]:     pszDomain = "example.com"
yyyy-mm-ddThh:mm:ss.mssZ In(30)[+] lwsmd[process_id]:     pszOU = <null>
yyyy-mm-ddThh:mm:ss.mssZ In(30)[+] lwsmd[process_id]:     pszUsername = "[email protected]"
yyyy-mm-ddThh:mm:ss.mssZ In(30)[+] lwsmd[process_id]:     pszPassword = <sensitive>
yyyy-mm-ddThh:mm:ss.mssZ In(30)[+] lwsmd[process_id]:     pszOSName = "unknown"
yyyy-mm-ddThh:mm:ss.mssZ In(30)[+] lwsmd[process_id]:     pszOSVersion = "unknown"
yyyy-mm-ddThh:mm:ss.mssZ In(30)[+] lwsmd[process_id]:     pszOSServicePack = "Likewise Open 6.2.0"
yyyy-mm-ddThh:mm:ss.mssZ In(30)[+] lwsmd[process_id]:     dwFlags = 1
yyyy-mm-ddThh:mm:ss.mssZ In(30)[+] lwsmd[process_id]: }
yyyy-mm-ddThh:mm:ss.mssZ In(30) lwsmd[process_id]: [lsass] Joining domain EXAMPLE.COM
yyyy-mm-ddThh:mm:ss.mssZ In(30) lwsmd[process_id]: [lsass] Affinitized to DC 'dc01.example.com' for join request to domain 'EXAMPLE.COM'
yyyy-mm-ddThh:mm:ss.mssZ Wa(28) lwsmd[process_id]: [LwKrb5GetTgtImpl ../lwadvapi/threaded/krbtgt.c:262] KRB5 Error code: -1765328228 (Message: Cannot contact any KDC for realm 'EXAMPLE.COM')
yyyy-mm-ddThh:mm:ss.mssZ Er(27) lwsmd[process_id]: [lsass] Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 40121, symbol = LW_ERROR_DOMAIN_IS_OFFLINE, client pid = process_id

• ESXi 7.0 or later
• Multiple domain controllers in different physical locations or sites
• Host on the same network/subnet as other hosts that successfully joined the domain

The ESXi host attempts to connect to a domain controller that is either:

1. Not accessible from the host's network location
2. In a different Active Directory site than the host's physical location
3. Not the preferred domain controller for the host's network location

This issue occurs because ESXi relies on DNS to discover domain controllers during the domain join process and does not support specifying a particular domain controller explicitly. During the join operation, the host queries DNS for SRV records to locate the appropriate Key Distribution Center (KDC) required for Kerberos pre-authentication.

Note:

Although the host successfully established affinity with a domain controller in the target domain, the user credentials provided belong to a different Kerberos realm. The DNS infrastructure was unable to return the necessary service (SRV) records to resolve and route authentication requests to the appropriate KDC for that realm. As a result, the operation may fails with the error LW_ERROR_KRB5_REALM_UNKNOWN.

Method 1: Temporarily Configure DNS to Target a Specific Domain Controller

1. Identify the appropriate domain controller for the host's physical location.
   
   
2. Log in to the ESXi host using SSH or the Direct Console User Interface (DCUI).
   
   
3. Temporarily modify the host's DNS configuration to use only the preferred domain controller as its DNS server:
   
      esxcli network ip dns server add --server=<domain_controller_ip>
   esxcli network ip dns server remove --server=<current_dns_server_ip>
   
   
4. Perform the domain join operation through vCenter Server or PowerCLI:
   • In vCenter Server: Navigate to the host, select Configure > Authentication Services > Join Domain
   • In PowerCLI: Use the `Set-VMHostAuthentication` cmdlet
     
     
5. Once joined successfully, restore the original DNS configuration:
   
      esxcli network ip dns server add --server=<original_dns_server_ip>
   esxcli network ip dns server remove --server=<domain_controller_ip>

Method 2: Check for and Resolve Network Connectivity Issues

1. Verify DNS resolution to the domain controller:
   
      nslookup <domain_controller_fqdn>
   
   
2. Test connectivity to required Active Directory ports:
   
      nc -zv <domain_controller_fqdn> 88
   nc -zv <domain_controller_fqdn> 389
   
   
3. Verify time synchronization between ESXi host and domain controllers (time difference should be less than 5 minutes).
   
   
4. Ensure the ESXi host firewall allows Active Directory traffic:
   
      esxcli network firewall ruleset list | grep activeDirectory

Method 3: Verify and Correct Active Directory Site Configuration

If multiple ESXi hosts at the same location have this issue:

1. Work with the Active Directory Administrator to verify the Active Directory site configuration.
   
   
2. Ensure that the subnet where the ESXi hosts reside is properly associated with the correct Active Directory site.
   
   
3. Confirm that site link costs are appropriately configured to prefer local domain controllers.

• This issue typically occurs in environments with multiple domain controllers across different physical locations.
• The error "Cannot contact any KDC for realm" in the logs indicates Kerberos authentication failures, usually due to network connectivity or DNS resolution problems.
• If MTU is set to 9000 (Jumbo Frames) on the management network, consider testing with standard MTU (1500) to rule out MTU mismatch issues.