The ESXi host is unable to successfully join the Active Directory domain.

Article ID: 390126


Products

VMware vSphere ESXi 7.0, VMware vSphere ESXi 8.0

Issue/Introduction

A Detailed Guide to Performing Domain Join Operations for ESXi Hosts

Environment

VMware ESXi 7.x
VMware ESXi 8.x

Cause

Domain join operations on ESXi hosts fail from both the Host Client and vCenter Server, with only generic error messages such as "Errors in Active Directory operations" or "ERROR_GEN_FAILURE [code 0x0000001f]".

These generic errors point to an underlying problem with network connectivity, Active Directory permissions, time synchronization, or the Likewise service (lwsmd) that performs the join on the host.

Resolution

This guide outlines the steps needed to prepare an ESXi host for joining an Active Directory domain. Work through the steps in the order given and confirm the result of each one before moving on to the next; a failure in a later step is usually caused by something skipped in an earlier one.

1. Establish Network Connectivity

  • Open an SSH session to the ESXi host as root. SSH is disabled by default on ESXi; enable it for the duration of the troubleshooting and disable it again when finished.

  • Verify Active Directory reachability:
    • Ping test: check that the ESXi host can reach the domain controller, for example: # ping <Domain-Controller-IP>. In environments where ICMP is blocked, skip this test; a failed ping there does not by itself mean the DC is unreachable.
    • Name resolution: verify DNS is working with # nslookup <Domain-Controller-name>. The DNS servers configured on the host must also be able to answer queries for the AD domain itself, because Likewise locates domain controllers through the domain's SRV records rather than through a fixed DC name.

  • Check network ports: ensure the required ports are open between the ESXi host and every domain controller the host may be directed to.
    • TCP ports: 88, 139, 389, 445, 464, 3268
    • UDP ports: 88, 123, 137, 389, 464

  • Test connectivity: use the nc (netcat) command to verify port connectivity.
    • TCP: # nc -z -vvv -w 2 <Domain-Controller-IP> <port_number> 2>&1
    • UDP: # nc -z -vvv -u -w 2 <Domain-Controller-IP> <port_number> 2>&1
    • A UDP probe only reports failure when an ICMP port-unreachable message comes back; UDP has no handshake, so a "succeeded" result for a UDP port is not proof that the DC is answering on it. UDP 389 matters most, because it carries the CLDAP ping Likewise uses to find a domain controller.

2. Configure Time Synchronization

  • Verify a reliable time source: ensure the ESXi host has a reliable time source configured. If not, configure NTP with a well-known NTP server, preferably the same source the domain controllers use. For detailed instructions, refer to the KB article Configure Network Time Protocol (NTP) on the ESXi.
  • Test time synchronization: verify the Time Configuration Test Service is working correctly. Navigate to the affected host in the vCenter UI, click "Configure", then "Time Configuration" under "System", and run "Test Service". The test should report successful time synchronization. Kerberos, which the join relies on, rejects requests when the clock difference between the host and the domain controller exceeds the domain's allowed skew (5 minutes by default), so a host that is only roughly in sync can still fail to join.

3. Configure the ESXi Firewall

  • Enable the Active Directory firewall rule: enable the ESXi firewall ruleset for Active Directory with: # esxcli network firewall ruleset set --enabled true --ruleset-id=activeDirectoryAll. Afterwards, confirm the ruleset shows as enabled in the output of esxcli network firewall ruleset list. Without this ruleset the host's own firewall blocks the outbound AD traffic, regardless of what the network permits.

4. Configure and Manage the Likewise Service

  • Check Likewise service status: # /etc/init.d/lwsmd status
  • Start or restart the Likewise service: if the service is stopped, start it with # /etc/init.d/lwsmd start. If it is already running, restart it with # /etc/init.d/lwsmd restart.
  • The Likewise service may fail to start with the error below. This happens when the ESXi firewall module is not loaded or running: lwsmd cannot apply the activeDirectoryAll ruleset it depends on, and the domain join fails as a result.
    [root@Host_name:~] /etc/init.d/lwsmd start
    Starting Likewise Service Manager
    [memory reservation set]
    Enabling activeDirectoryAll firewall ruleset
    Errors: Failed refresh FirewallRuleset ., Failed to enable activeDirectoryAll firewall ruleset ...failed
    Unable to complete Sysinfo operation. Please see the VMkernel log file for more details.: Vmkernel module necessary for this vsi call not loaded: VSI node (5007:)
  • Load the ESXi firewall module manually with esxcli network firewall load, then start the Likewise service with /etc/init.d/lwsmd start.

5. Prepare for Domain Join

  • Query domain join status: # /usr/lib/vmware/likewise/bin/domainjoin-cli query
  • Leave the existing domain (if necessary): if the ESXi host is already joined to a domain, or its join configuration is incorrect, leave the domain before removing the computer object from Active Directory: # /usr/lib/vmware/likewise/bin/domainjoin-cli leave. Leaving removes the host's AD configuration, so Active Directory users and groups (including the ESX Admins group) cannot log in to the host until it is joined again; make sure local root access is available first.
  • Remove the computer object: before adding the ESXi host back to the domain, make sure the host's old computer object has been deleted from Active Directory, as a leftover object can conflict with the new join.

6. Join the ESXi Host to the Domain

  • Join with domainjoin-cli: # /usr/lib/vmware/likewise/bin/domainjoin-cli join <Domain-FQDN> <username>. Use the domain's DNS name (for example corp.example.com, not the NetBIOS name) and let the tool prompt for the password rather than passing it as a trailing argument, where the ESXi shell would record it in /var/log/shell.log. To place the computer object in a specific OU, add --ou <OU-path> before the domain name.
  • Verify permissions: the account used for the join needs rights in Active Directory to create computer objects in the target container (the Computers container by default, or the OU given with --ou). A delegated account with create and delete permission on computer objects in that container is enough; Domain Admins membership is not required and should not be used just for this.
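The checks in steps 1 and 2 can be scripted so they are repeatable across hosts. The following is an added example written for this article, not a VMware tool: it performs the TCP port sweep from step 1 against one domain controller and measures the clock offset against an NTP source (the DC itself by default, since Windows domain controllers serve NTP on UDP 123) as a command-line stand-in for the Time Configuration test in step 2. It assumes a python3 interpreter, as shipped on ESXi 7.x and 8.x (/bin/python), or can run from any machine on the same management network; the UDP ports are listed but deliberately not probed, for the reason given in step 1. Host names and the 300-second skew limit are illustrative.

```python
"""Pre-join check for an ESXi host: TCP reachability of the AD ports from
step 1 and the clock offset against the time source from step 2.
Added example for this article, not a VMware utility."""
import socket
import struct
import sys
import time

# Port lists as given in step 1 of the article.
AD_TCP_PORTS = (88, 139, 389, 445, 464, 3268)
AD_UDP_PORTS = (88, 123, 137, 389, 464)   # no handshake, so not probed here

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MAX_KERBEROS_SKEW = 300         # AD default clock-skew tolerance, in seconds


def tcp_check(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def build_ntp_request():
    """48-byte NTP client packet: LI=0, VN=4, Mode=3 -> first byte 0x23."""
    return b"\x23" + b"\x00" * 47


def ntp_timestamp(unix_time):
    """Encode a Unix time as a 64-bit NTP timestamp (32.32 fixed point)."""
    secs = int(unix_time)
    frac = int((unix_time - secs) * 2 ** 32) & 0xFFFFFFFF
    return struct.pack("!II", secs + NTP_EPOCH_OFFSET, frac)


def from_ntp_timestamp(raw):
    """Decode a 64-bit NTP timestamp back to Unix time."""
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_EPOCH_OFFSET + frac / 2 ** 32


def ntp_offset_from_reply(reply, t1, t4):
    """Clock offset (server minus client) from an NTP reply, per RFC 5905:
    t1 = client send, t2 = server receive, t3 = server transmit, t4 = client receive."""
    t2 = from_ntp_timestamp(reply[32:40])
    t3 = from_ntp_timestamp(reply[40:48])
    return ((t2 - t1) + (t3 - t4)) / 2


def ntp_offset(server, timeout=2.0):
    """Query server over UDP/123 and return the offset in seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_ntp_request(), (server, 123))
        reply, _ = s.recvfrom(48)
        t4 = time.time()
    return ntp_offset_from_reply(reply, t1, t4)


def skew_ok(offset, limit=MAX_KERBEROS_SKEW):
    """Kerberos rejects requests whose timestamp is off by more than `limit`."""
    return abs(offset) <= limit


def preflight(dc, ntp_server=None):
    """Run the checks against one DC; returns a dict suitable for printing."""
    closed = [p for p in AD_TCP_PORTS if not tcp_check(dc, p)]
    result = {"dc": dc, "closed_tcp_ports": closed, "udp_not_probed": AD_UDP_PORTS}
    try:
        off = ntp_offset(ntp_server or dc)      # DCs answer NTP on UDP/123
        result["clock_offset_s"] = round(off, 3)
        result["clock_ok"] = skew_ok(off)
    except OSError as exc:                      # socket.timeout is an OSError
        result["clock_offset_s"] = None
        result["clock_ok"] = False
        result["ntp_error"] = str(exc)
    return result


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: adpreflight.py <dc-hostname-or-ip> [ntp-server]")
    print(preflight(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it from the host as /bin/python adpreflight.py <Domain-Controller-IP>; an empty closed_tcp_ports list and clock_ok True mean steps 1 and 2 are satisfied for that controller. Repeat for each DC the host could be directed to, since Likewise picks one from the domain's SRV records rather than the one you tested.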

Additional Information

When attempting to join an ESXi host (or a Linux client using the same Likewise stack) to a domain, the process may fail with the error "NERR_DCNotFound [code 0x00000995]". The likewise.log or system logs then show multiple "CLDAP timed out" messages for several domain controllers.

Log entries may look similar to the following:

Likewise.log:


2025-12-08T15:42:53.058 INFO lsass: Domain join request:
{
    pszHostname = "XXXXX"
    pszHostDnsDomain = "XXXXX.net"
    pszDomain = "XXXXXXX"
    pszOU = <null>
    pszUsername = "XXXXXXXX"
    pszPassword = <sensitive>
    pszOSName = "unknown"
    pszOSVersion = "unknown"
    pszOSServicePack = "Likewise Open 8.0.3"
    dwFlags = 1
}
YYYY-MM-DDTHH:MM:SS.058 INFO lsass: Joining domain xxxxxxxxxx.CORP
YYYY-MM-DDTHH:MM:SS.061 ERROR netlogon: CLDAP timed out: xxxxxxxxxxxxxxx.corp
YYYY-MM-DDTHH:MM:SS.061 ERROR netlogon: CLDAP ping to cached DC xxxxxxxxxxx.corp (X.X.X.X) failed, new DC will be looked up
YYYY-MM-DDTHH:MM:SS.077 INFO netlogon: Filtering list of 46 servers with list of 0 black listed servers
YYYY-MM-DDTHH:MM:SS.079 ERROR netlogon: CLDAP timed out: xxxxxxxxxxxxxxxxxxxxx
YYYY-MM-DDTHH:MM:SS.079 ERROR netlogon: CLDAP timed out: xxxxxxxxxxxxxxxxxxx.corp
YYYY-MM-DDTHH:MM:SS.079 ERROR netlogon: CLDAP timed out: xxxxxxxxxxxxxxxxxxxxx.corp
YYYY-MM-DDTHH:MM:SS.079 ERROR netlogon: CLDAP timed out: xxxxxxxxxxxxxxxxxxxxx.corp
YYYY-MM-DDTHH:MM:SS.079 ERROR netlogon: CLDAP timed out: xxxxxxxxxxxxxxxxxxxxx.corp
YYYY-MM-DDTHH:MM:SS.079 ERROR netlogon: CLDAP timed out: xxxxxxxxxxxxxxxxxxxxx.corp
YYYY-MM-DDTHH:MM:SS.080 ERROR netlogon: CLDAP timed out: xxxxxxxxxxxxxxxxxxxxx.corp
YYYY-MM-DDTHH:MM:SS.080 ERROR netlogon: CLDAP timed out: xxxxxxxxxxxxxxxxxxxxxx.corp
YYYY-MM-DDTHH:MM:SS.080 ERROR netlogon: CLDAP timed out: xxxxxxxxxxxxxxxxxxxxxx.corp
YYYY-MM-DDTHH:MM:SS.080 ERROR netlogon: CLDAP timed out: xxxxxxxxxxxxxxxxxxxxxx.corp
YYYY-MM-DDTHH:MM:SS.080 ERROR netlogon: CLDAP timed out: xxxxxxxxxxxxxxxxxxxxxx.corp
YYYY-MM-DDTHH:MM:SS.080 ERROR netlogon: CLDAP timed out: xxxxxxxxxxxxxxxxxxxxxx.corp
YYYY-MM-DDTHH:MM:SS.080 ERROR netlogon: CLDAP timed out: xxxxxxxxxxxxxxxxxxxxxx.corp
YYYY-MM-DDTHH:MM:SS.080 ERROR netlogon: CLDAP timed out: xxxxxxxxxxxxxxxxxxxxx.corp
YYYY-MM-DDTHH:MM:SS.080 ERROR netlogon: CLDAP timed out: xxxxxxxxxxxxxxxxxxxxxx.corp
YYYY-MM-DDTHH:MM:SS.080 ERROR netlogon: CLDAP timed out: xxxxxxxxxxxxxxxxxxxxx.corp
YYYY-MM-DDTHH:MM:SS.080 ERROR netlogon: CLDAP timed out: xxxxxxxxxxxxxxxxxxxxx.corp
YYYY-MM-DDTHH:MM:SS.080 ERROR netlogon: CLDAP timed out: xxxxxxxxxxxxxxxxxxxxx.corp
YYYY-MM-DDTHH:MM:SS.080 ERROR netlogon: CLDAP timed out: xxxxxxxxxxxxxxxxxxxxx.corp
YYYY-MM-DDTHH:MM:SS.080 ERROR netlogon: CLDAP timed out: xxxxxxxxxxxxxxxxxxxxxx.corp
YYYY-MM-DDTHH:MM:SS.080 ERROR netlogon: Timed out after waiting for 5 seconds while performing CLDAP pings
YYYY-MM-DDTHH:MM:SS.081 ERROR lsass: Failed to find DC for domain xxxxxx.CORP
YYYY-MM-DDTHH:MM:SS.081 ERROR lsass: Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 2453, symbol = NERR_DCNotFound, client pid = 2120184
YYYY-MM-DDTHH:MM:SS.686 ERROR lsass: Failed to run provider specific request (request code = 12, provider = 'lsa-activedirectory-provider') -> error = 2692, symbol = NERR_SetupNotJoined, client pid = 2120311
YYYY-MM-DDTHH:MM:SS.692 ERROR lsass: Failed to run provider specific request (request code = 12, provider = 'lsa-activedirectory-provider') -> error = 2692,

likewise.log (debug-level logging):
YYYY-MM-DDTHH:MM:SS.072 INFO lsass: AD_JoinDomain():provider-main.c:2244: Joining domain xxxxxxxxx.CORP
YYYY-MM-DDTHH:MM:SS.072 DEBUG netlogon: LWNetSrvGetDCName():dcinfo.c:134: Looking for a DC in domain 'xxxxxxxCORP', site '<null>' with flags 10
YYYY-MM-DDTHH:MM:SS.074 ERROR netlogon: LWNetSrvPingCLdapProcessConnections():lwnet.c:488: CLDAP timed out: xxxxxxxxxxxxxxxxxxxxxxxx.corp
YYYY-MM-DDTHH:MM:SS.074 DEBUG netlogon: LWNetSrvPingCLdapArray():lwnet.c:630: Error at ../netlogon/server/api/lwnet.c:630 [code: 2453]
YYYY-MM-DDTHH:MM:SS.074 ERROR netlogon: LWNetSrvGetDCName():dcinfo.c:281: CLDAP ping to cached DC xxxxxxxxxxxxxxxxxw.corp (X.X.X.X) failed, new DC will be looked up
YYYY-MM-DDTHH:MM:SS.074 DEBUG netlogon: LWNetGetPreferredDcList():lwnet-plugin.c:184: Error at ../netlogon/server/api/lwnet-plugin.c:184 [code: 2453]
YYYY-MM-DDTHH:MM:SS.074 DEBUG netlogon: LWNetSrvGetDCNameDiscoverInternal():lwnet.c:897: Error at ../netlogon/server/api/lwnet.c:897 [code: 2453]
YYYY-MM-DDTHH:MM:SS.083 VERBOSE netlogon: LWNetDnsGetAddressArrayForServer():lwnet-dns.c:1113: Getting address for 'xxxxxxxxxxxxxxxxxxx.corp'
YYYY-MM-DDTHH:MM:SS.084 VERBOSE netlogon: LWNetDnsGetAddressArrayForServer():lwnet-dns.c:1113: Getting address for 'xxxxxxxxxxxxxxxxxxx.corp'
YYYY-MM-DDTHH:MM:SS.084 VERBOSE netlogon: LWNetDnsGetAddressArrayForServer():lwnet-dns.c:1113: Getting address for 'xxxxxxxxxxxxxxxxxxx.corp'
YYYY-MM-DDTHH:MM:SS.084 VERBOSE netlogon: LWNetDnsGetAddressArrayForServer():lwnet-dns.c:1113: Getting address for 'xxxxxxxxxxxxxxxxxxx.corp'
YYYY-MM-DDTHH:MM:SS.084 VERBOSE netlogon: LWNetDnsGetAddressArrayForServer():lwnet-dns.c:1113: Getting address for 'xxxxxxxxxxxxxxxxxxx.corp'
YYYY-MM-DDTHH:MM:SS.085 VERBOSE netlogon: LWNetDnsGetAddressArrayForServer():lwnet-dns.c:1113: Getting address for 'xxxxxxxxxxxxxxxxxxx.corp'
YYYY-MM-DDTHH:MM:SS.085 VERBOSE netlogon: LWNetDnsGetAddressArrayForServer():lwnet-dns.c:1113: Getting address for 'xxxxxxxxxxxxxxxxxxx.corp'


The logs show that the lsass (Likewise) service resolves the domain controller names via DNS without error (the list of 46 servers comes from the domain's SRV records, and each hostname is then resolved to an address), but every CLDAP (Connectionless LDAP) ping to those controllers times out. Likewise waits 5 seconds for CLDAP replies before giving up, and without a single answer it cannot select a DC, so the join is aborted with NERR_DCNotFound.

Ensure UDP port 389 is open bi-directionally between the ESXi management network and the domain controllers. The CLDAP request travels from the host to the DC on UDP 389 and the reply comes back to an ephemeral source port on the host, so a stateless firewall or ACL that allows only the outbound direction produces exactly this symptom. Because a UDP port cannot be verified with a connect-style test, confirm the path either with a packet capture on the domain controller or with a CLDAP ping sent from a host on the same management network.
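The CLDAP ping that netlogon is timing out on is a single LDAP SearchRequest sent over UDP 389 and answered with a SearchResultEntry carrying a Netlogon attribute (MS-ADTS 6.3.3). The following is an added example written for this article, not VMware or Likewise code: it builds that request, sends it, and decodes the reply, so the same probe can be run by hand from the ESXi shell (python3 is shipped on ESXi 7.x and 8.x) or from another host on the management network. The NtVer flags, the 5-second timeout, the flag-name table and the constructed sample reply are assumptions chosen for illustration; the sample reply is built in the code, not captured from a real DC.

```python
"""CLDAP 'LDAP ping' over UDP/389: the DC-liveness probe Likewise's netlogon sends
(MS-ADTS 6.3.3). Added example for this article, not VMware code. A socket.timeout
here is the condition logged as 'CLDAP timed out' in likewise.log."""
import socket
import struct

NT_VERSION = 0x00000006   # NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX
DS_FLAGS = {0x1: "PDC", 0x4: "GC", 0x8: "LDAP", 0x10: "DS", 0x20: "KDC",
            0x40: "TIMESERV", 0x80: "CLOSEST", 0x100: "WRITABLE"}

def ber(tag, payload):
    """BER TLV with definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def ber_read(buf, pos):
    """Return (tag, value, position after the TLV) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_ldap_ping(domain, msg_id=1):
    """LDAPMessage carrying SearchRequest(base "", scope base,
    filter (&(DnsDomain=<domain>)(NtVer=<LE uint32>)), attributes [Netlogon])."""
    def eq(attr, value):                       # equalityMatch is Filter [3]
        return ber(0xA3, ber(0x04, attr.encode()) + ber(0x04, value))
    flt = ber(0xA0, eq("DnsDomain", domain.encode())      # and is Filter [0]
              + eq("NtVer", struct.pack("<I", NT_VERSION)))
    search = ber(0x63,                         # [APPLICATION 3] SearchRequest
                 ber(0x04, b"") + ber(0x0A, b"\x00") + ber(0x0A, b"\x00")        # base, scope, deref
                 + ber(0x02, b"\x00") + ber(0x02, b"\x00") + ber(0x01, b"\x00")  # limits, typesOnly
                 + flt + ber(0x30, ber(0x04, b"Netlogon")))
    return ber(0x30, ber(0x02, bytes([msg_id])) + search)

def _dns_name(blob, pos):
    """Decode an RFC 1035 compressed name; pointers are offsets from blob[0]."""
    labels, end = [], None
    while blob[pos] != 0:
        n = blob[pos]
        if n & 0xC0 == 0xC0:                   # compression pointer
            end = end or pos + 2
            pos = ((n & 0x3F) << 8) | blob[pos + 1]
            continue
        labels.append(blob[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels), (end or pos + 1)

def parse_netlogon(blob):
    """Leading fields of NETLOGON_SAM_LOGON_RESPONSE_EX (opcode 0x17)."""
    opcode, _sbz, flags = struct.unpack_from("<HHI", blob, 0)
    out, pos = {"opcode": opcode, "flags": flags}, 24   # 8 bytes + 16-byte DomainGuid
    for key in ("forest", "domain", "dc_host", "netbios_domain", "netbios_dc"):
        out[key], pos = _dns_name(blob, pos)
    out["roles"] = [name for bit, name in DS_FLAGS.items() if flags & bit]
    return out

def parse_ldap_ping_reply(data):
    """Decoded Netlogon attribute from a SearchResultEntry, or None when the DC
    answered only SearchResultDone (it does not serve the domain asked for)."""
    _, msg, _ = ber_read(data, 0)
    _, _msg_id, pos = ber_read(msg, 0)
    op_tag, entry, _ = ber_read(msg, pos)
    if op_tag != 0x64:                         # [APPLICATION 4] SearchResultEntry
        return None
    _, _dn, pos = ber_read(entry, 0)
    _, attrs, _ = ber_read(entry, pos)
    pos = 0
    while pos < len(attrs):
        _, attr, pos = ber_read(attrs, pos)
        _, atype, p = ber_read(attr, 0)
        if atype.lower() == b"netlogon":
            vals = ber_read(attr, p)[1]        # SET OF values; take the first
            return parse_netlogon(ber_read(vals, 0)[1])
    return None

def cldap_ping(dc, domain, timeout=5.0):
    """Send the ping and decode the reply; raises socket.timeout after `timeout`
    seconds, the same 5 s budget netlogon reports in the log above."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_ldap_ping(domain), (dc, 389))
        data, _ = s.recvfrom(4096)
    return parse_ldap_ping_reply(data)

def build_sample_reply():
    """Constructed test vector, not a capture: the answer a DC named
    dc1.corp.example.com would give. Exercises name-pointer compression."""
    def labels(name):
        return b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    ptr = b"\xC0\x18"                          # pointer to offset 24 = DnsForestName
    site = labels("Default-First-Site-Name") + b"\x00"
    blob = (struct.pack("<HHI", 0x17, 0, 0x1FC) + b"\x00" * 16
            + labels("corp.example.com") + b"\x00" + ptr    # forest; domain = forest
            + labels("dc1") + ptr                            # dc1.<forest>
            + labels("CORP") + b"\x00" + labels("DC1") + b"\x00"
            + b"\x00" + site + site                          # UserName, DcSiteName, ClientSiteName
            + struct.pack("<IHH", NT_VERSION, 0xFFFF, 0xFFFF))
    attr = ber(0x30, ber(0x04, b"netlogon") + ber(0x31, ber(0x04, blob)))
    return ber(0x30, ber(0x02, b"\x01") + ber(0x64, ber(0x04, b"") + ber(0x30, attr)))
```

Usage: python3 -c 'import cldap_ping as c; print(c.cldap_ping("<Domain-Controller-IP>", "<Domain-FQDN>"))'. A decoded dictionary with the DC's name and roles (KDC, TIMESERV, CLOSEST and so on) proves UDP 389 works in both directions; a socket.timeout reproduces the likewise.log symptom and points at the network path; None means the request arrived but the DC does not serve that domain name, which is a DNS-name or typo problem rather than a port problem.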