Error "Cannot contact any KDC for realm" prevents ESXi Host from joining Active Directory Domain



Article ID: 389135


Products

VMware vSphere ESXi

Issue/Introduction

When attempting to join an ESXi host to an Active Directory domain through vCenter Server or PowerCLI, the operation fails with one of these errors:

  • "Errors in Active Directory operations"
  • "LW_ERROR_DOMAIN_IS_OFFLINE [code 0x00009cb9] - The domain is offline"
  • "Cannot contact any KDC for realm"

The ESXi host syslog.log may show entries similar to:
yyyy-mm-ddThh:mm:ss.mssZ In(30) lwsmd[process_id]: [lsass] Domain join request:
yyyy-mm-ddThh:mm:ss.mssZ In(30)[+] lwsmd[process_id]: {
yyyy-mm-ddThh:mm:ss.mssZ In(30)[+] lwsmd[process_id]:     pszHostname = "esxi-host01"
yyyy-mm-ddThh:mm:ss.mssZ In(30)[+] lwsmd[process_id]:     pszHostDnsDomain = "example.com"
yyyy-mm-ddThh:mm:ss.mssZ In(30)[+] lwsmd[process_id]:     pszDomain = "example.com"
yyyy-mm-ddThh:mm:ss.mssZ In(30)[+] lwsmd[process_id]:     pszOU = <null>
yyyy-mm-ddThh:mm:ss.mssZ In(30)[+] lwsmd[process_id]:     pszUsername = "[email protected]"
yyyy-mm-ddThh:mm:ss.mssZ In(30)[+] lwsmd[process_id]:     pszPassword = <sensitive>
yyyy-mm-ddThh:mm:ss.mssZ In(30)[+] lwsmd[process_id]:     pszOSName = "unknown"
yyyy-mm-ddThh:mm:ss.mssZ In(30)[+] lwsmd[process_id]:     pszOSVersion = "unknown"
yyyy-mm-ddThh:mm:ss.mssZ In(30)[+] lwsmd[process_id]:     pszOSServicePack = "Likewise Open 6.2.0"
yyyy-mm-ddThh:mm:ss.mssZ In(30)[+] lwsmd[process_id]:     dwFlags = 1
yyyy-mm-ddThh:mm:ss.mssZ In(30)[+] lwsmd[process_id]: }
yyyy-mm-ddThh:mm:ss.mssZ In(30) lwsmd[process_id]: [lsass] Joining domain EXAMPLE.COM
yyyy-mm-ddThh:mm:ss.mssZ In(30) lwsmd[process_id]: [lsass] Affinitized to DC 'dc01.example.com' for join request to domain 'EXAMPLE.COM'
yyyy-mm-ddThh:mm:ss.mssZ Wa(28) lwsmd[process_id]: [LwKrb5GetTgtImpl ../lwadvapi/threaded/krbtgt.c:262] KRB5 Error code: -1765328228 (Message: Cannot contact any KDC for realm 'EXAMPLE.COM')
yyyy-mm-ddThh:mm:ss.mssZ Er(27) lwsmd[process_id]: [lsass] Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 40121, symbol = LW_ERROR_DOMAIN_IS_OFFLINE, client pid = process_id

Environment

  • ESXi 7.0 or later
  • Multiple domain controllers in different physical locations or sites
  • Host on the same network/subnet as other hosts that successfully joined the domain

Cause

The ESXi host attempts to connect to a domain controller that is either:

  1. Not accessible from the host's network location
  2. In a different Active Directory site than the host's physical location
  3. Not the preferred domain controller for the host's network location

This occurs because ESXi uses DNS to locate domain controllers when joining a domain and cannot natively specify which domain controller to use during the join process.

Resolution

Method 1: Temporarily Configure DNS to Target a Specific Domain Controller

  1. Identify the appropriate domain controller for the host's physical location.

  2. Log in to the ESXi host using SSH or the Direct Console User Interface (DCUI).

  3. Temporarily modify the host's DNS configuration to use only the preferred domain controller as its DNS server:

       esxcli network ip dns server add --server=<domain_controller_ip>
       esxcli network ip dns server remove --server=<current_dns_server_ip>

  4. Perform the domain join operation through vCenter Server or PowerCLI:
    • In vCenter Server: Navigate to the host, select Configure > Authentication Services > Join Domain
    • In PowerCLI: Use the `Set-VMHostAuthentication` cmdlet

  5. Once joined successfully, restore the original DNS configuration:

       esxcli network ip dns server add --server=<original_dns_server_ip>
       esxcli network ip dns server remove --server=<domain_controller_ip>
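The following script is an added example for Method 1; it is not part of the KB article. It wraps steps 3 to 5 so that the preferred domain controller is added as a resolver before the current one is removed (the host is never left without DNS), and the original resolver is put back on every exit path, including a failed join or an interrupted SSH session, rather than only after a successful join. The esxcli commands are the ones shown above; the IP addresses are placeholders the operator supplies, and the `ESXCLI` variable exists only so the script can be dry-run with a stub.

```shell
#!/bin/sh
# Added example (not from the KB): temporarily point the host at the preferred
# DC for DNS, run the join step, then restore the original resolver no matter
# how the join step ends.
# Assumption: the operator supplies the preferred DC IP and the current DNS IP,
# exactly as in the KB steps. ESXCLI defaults to the real esxcli binary.
ESXCLI="${ESXCLI:-esxcli}"

# dns_set_only <new_server> <old_server>
# Add the new resolver first, then remove the old one (same order as the KB),
# so there is no window in which the host has no DNS server at all.
dns_set_only() {
    "$ESXCLI" network ip dns server add --server="$1" &&
    "$ESXCLI" network ip dns server remove --server="$2"
}

# with_preferred_dc_dns <dc_ip> <orig_dns_ip> <command...>
# Swap DNS to the DC, run <command> (the join step, or a pause while the join
# is performed from vCenter/PowerCLI), then swap DNS back. A trap guarantees
# the restore also runs if the session is interrupted mid-join.
with_preferred_dc_dns() {
    dc="$1"; orig="$2"; shift 2
    dns_set_only "$dc" "$orig" || return 1
    trap 'dns_set_only "$orig" "$dc"' EXIT INT TERM
    "$@" && rc=0 || rc=$?
    dns_set_only "$orig" "$dc"
    trap - EXIT INT TERM
    return $rc
}

# Stand-alone use (placeholder addresses):
#   with_preferred_dc_dns <domain_controller_ip> <current_dns_server_ip> \
#       sh -c 'echo "Perform the join in vCenter, then press Enter"; read _'
if [ "$#" -ge 3 ]; then
    with_preferred_dc_dns "$@"
fi
```

The third argument onward is whatever should run while the host is using the DC as its resolver; the pause-and-wait command in the comment fits the vCenter or PowerCLI join described in step 4.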


Method 2: Check for and Resolve Network Connectivity Issues

  1. Verify DNS resolution to the domain controller:

       nslookup <domain_controller_fqdn>

  2. Test connectivity to required Active Directory ports:

       nc -zv <domain_controller_fqdn> 88
       nc -zv <domain_controller_fqdn> 389

  3. Verify time synchronization between ESXi host and domain controllers (time difference should be less than 5 minutes).

  4. Ensure the ESXi host firewall allows Active Directory traffic:

       esxcli network firewall ruleset list | grep activeDirectory
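The following script is an added example for Method 2; it is not part of the KB article. It runs the four checks above as one pass and reports each result, so the output of a single run can be attached to a ticket. The `nslookup`, `nc` and `esxcli` invocations are the ones the KB lists; the clock-skew and firewall-ruleset checks are split into small functions that take their input as arguments or on stdin so they can be exercised without a domain controller. The 5-minute skew limit comes from step 3; the ruleset sample in the comment is constructed and only illustrates the column layout the parser expects.

```shell
#!/bin/sh
# Added example (not from the KB): one-pass connectivity check for an ESXi host
# that fails to join a domain with "Cannot contact any KDC for realm".
# Usage: sh ad_precheck.sh <domain_controller_fqdn> [<dc_epoch_seconds>]
# The optional second argument is the DC's current time in epoch seconds,
# read on the DC by the operator (assumption: there is no on-host way to
# query it without a working Kerberos exchange).

MAX_SKEW=300   # Kerberos tolerates at most 5 minutes of clock difference (KB step 3)

# skew_ok <host_epoch> <dc_epoch>: true when the clocks differ by < MAX_SKEW
skew_ok() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    [ "$d" -lt "$MAX_SKEW" ]
}

# ad_ruleset_enabled: read `esxcli network firewall ruleset list` output on
# stdin and succeed only if an activeDirectory* ruleset is enabled.
# Constructed sample of the layout expected (Name / Enabled columns):
#   Name                 Enabled
#   -------------------  -------
#   activeDirectoryAll   true
ad_ruleset_enabled() {
    awk '$1 ~ /^activeDirectory/ && $2 == "true" { found = 1 }
         END { exit found ? 0 : 1 }'
}

# port_open <host> <port>: TCP reachability test, same nc call as the KB
port_open() {
    nc -zv "$1" "$2" >/dev/null 2>&1
}

# run_checks <dc_fqdn> [<dc_epoch>]: print one line per check, return 1 on any failure
run_checks() {
    dc="$1"; fail=0
    if nslookup "$dc" >/dev/null 2>&1; then
        echo "ok   DNS resolves $dc"
    else
        echo "FAIL DNS cannot resolve $dc"; fail=1
    fi
    for p in 88 389; do   # 88 = Kerberos (the KDC), 389 = LDAP
        if port_open "$dc" "$p"; then
            echo "ok   tcp/$p reachable on $dc"
        else
            echo "FAIL tcp/$p not reachable on $dc"; fail=1
        fi
    done
    if [ -n "$2" ]; then
        if skew_ok "$(date +%s)" "$2"; then
            echo "ok   clock skew below ${MAX_SKEW}s"
        else
            echo "FAIL clock skew of ${MAX_SKEW}s or more; fix NTP before retrying"; fail=1
        fi
    else
        echo "info host time is $(date -u); compare against the DC manually"
    fi
    if esxcli network firewall ruleset list | ad_ruleset_enabled; then
        echo "ok   activeDirectory firewall ruleset enabled"
    else
        echo "FAIL no enabled activeDirectory firewall ruleset"; fail=1
    fi
    return $fail
}

if [ "$#" -ge 1 ]; then
    run_checks "$@"
fi
```

A non-zero exit status means at least one check failed; the FAIL lines map directly onto the numbered steps above, so the first one listed is usually the place to start.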


Method 3: Verify and Correct Active Directory Site Configuration

If multiple ESXi hosts at the same location have this issue:

  1. Work with the Active Directory Administrator to verify the Active Directory site configuration.

  2. Ensure that the subnet where the ESXi hosts reside is properly associated with the correct Active Directory site.

  3. Confirm that site link costs are appropriately configured to prefer local domain controllers.

Additional Information

  • This issue typically occurs in environments with multiple domain controllers across different physical locations.
  • The error "Cannot contact any KDC for realm" in the logs indicates Kerberos authentication failures, usually due to network connectivity or DNS resolution problems.
  • If MTU is set to 9000 (Jumbo Frames) on the management network, consider testing with standard MTU (1500) to rule out MTU mismatch issues.