The ESXi host is unable to successfully join the Active Directory domain.

Article ID: 390126

Updated On: 03-07-2025

Products

  • VMware vSphere ESXi
  • VMware vSphere ESXi 6.0
  • VMware vSphere ESXi 7.0
  • VMware vSphere ESXi 8.0

Issue/Introduction

A Detailed Guide to Performing Domain Join Operations for ESXi Hosts

Environment

VMware ESXi 6.x

VMware ESXi 7.x

VMware ESXi 8.x

Cause

Domain join operations on ESXi hosts fail from both the Host Client and vCenter Server, returning generic error messages such as "Errors in Active Directory operations" or "ERROR_GEN_FAILURE [code 0x0000001f]".

These errors indicate a potential issue with the underlying network connectivity, Active Directory permissions, time synchronization, or the Likewise service.

Resolution

This guide outlines the steps necessary to prepare an ESXi host for joining an Active Directory domain. While the steps can be performed in any order, it is crucial to complete each step before moving on to the next.

1. Establish Network Connectivity

  • Open an SSH session to the ESXi host using the default root account.

  • Verify Active Directory Reachability:
    • Ping Test: Use the ping command to check whether the ESXi host can reach the domain controller, for example: # ping mydomain.com. In environments where ICMP (ping) is disabled, skip this step.
    • Name Resolution: Verify that name resolution is working correctly using the nslookup command, for example: # nslookup mydomain.com

  • Check Network Ports: Ensure the required ports are open for communication between the ESXi host and the domain controllers.
    • TCP Ports: 88, 139, 389, 445, 464, 3268
    • UDP Ports: 88, 123, 137, 389, 464

  • Test Connectivity: Use the nc (netcat) command to verify port connectivity.
    • TCP: # nc -z -vvv -w 2 domain-controller-ip port-number 2>&1
    • UDP: # nc -z -vvv -u -w 2 domain-controller-ip port-number 2>&1
    • For example, to test TCP connectivity to port 88 on 10.10.10.10: # nc -z -vvv -w 2 10.10.10.10 88 2>&1
    • To test UDP connectivity to the same port: # nc -z -vvv -u -w 2 10.10.10.10 88 2>&1
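
The port checks from step 1, as an added example that is not part of this article: a POSIX shell script for the ESXi shell that loops over every TCP and UDP port listed above against one domain controller and reports the unreachable ones. The domain-controller IP is an assumption passed on the command line; the nc flags are the article's own.

```shell
#!/bin/sh
# Added example, not from the KB article: test every port listed in step 1
# against one domain controller from the ESXi shell (busybox ash).
# Usage: sh check_dc_ports.sh <domain-controller-ip>

# The TCP and UDP ports the article lists, emitted as "proto:port" tokens so
# a plain for-loop can split them without a piped subshell losing the counter.
required_ports() {
    for p in 88 139 389 445 464 3268; do echo "tcp:$p"; done
    for p in 88 123 137 389 464; do echo "udp:$p"; done
}

# check_port <proto> <ip> <port>: same nc flags as the article (-z probe
# only, -w 2 two-second timeout, -u for UDP). Returns nc's exit status.
# Caveat: a UDP "success" only means no ICMP port-unreachable came back,
# which is far weaker evidence than a completed TCP handshake.
check_port() {
    proto=$1; ip=$2; port=$3
    if [ "$proto" = "udp" ]; then
        nc -z -u -w 2 "$ip" "$port" >/dev/null 2>&1
    else
        nc -z -w 2 "$ip" "$port" >/dev/null 2>&1
    fi
}

# check_all_ports <ip>: prints one line per port and returns the number of
# unreachable ports, so exit status 0 means every required port is reachable.
check_all_ports() {
    ip=$1; failed=0
    for entry in $(required_ports); do
        proto=${entry%%:*}; port=${entry#*:}
        if check_port "$proto" "$ip" "$port"; then
            printf 'OK      %s/%-5s -> %s\n' "$proto" "$port" "$ip"
        else
            printf 'FAILED  %s/%-5s -> %s\n' "$proto" "$port" "$ip"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Run only when a domain-controller IP was supplied on the command line.
if [ -n "${1:-}" ]; then
    check_all_ports "$1" || echo "Unreachable ports: $?"
fi
```

A FAILED line for any TCP port points at a firewall or routing problem between the host and that domain controller, which is the condition the generic join errors above hide.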

2. Configure Time Synchronization

  • Verify Reliable Time Source: Ensure the ESXi host has a reliable time source configured. If not, configure NTP using a well-known NTP server. Refer to Broadcom's knowledge base article for detailed instructions.
  • Test Time Synchronization: Verify the Time Configuration Test Service is working correctly. Navigate to the affected host in the vCenter UI, click "Configure," then "Time Configuration" under "System," and run the "Test Service." The test should indicate successful time synchronization.

3. Configure the ESXi Firewall

  • Enable Active Directory Firewall Rule: Enable the ESXi firewall rule for Active Directory using the following command: # esxcli network firewall ruleset set --enabled true --ruleset-id=activeDirectoryAll

4. Configure and Manage the Likewise Service

  • Check Likewise Service Status: To check the status of the Likewise service, use the command: # /etc/init.d/lwsmd status
  • Start or Restart the Likewise Service: If the service is stopped, start it with # /etc/init.d/lwsmd start. If the service is already running, restart it with # /etc/init.d/lwsmd restart

5. Prepare for Domain Join

  • Query Domain Join Status: To check the current domain join status of the ESXi host, use the command: # /usr/lib/vmware/likewise/bin/domainjoin-cli query
  • Leave Existing Domain (if necessary): If the ESXi host is already joined to a domain, or the configuration is incorrect, you need to leave the domain before removing the Computer Object from Active Directory. Use the command: # /usr/lib/vmware/likewise/bin/domainjoin-cli leave
  • Remove Computer Object: Before adding the ESXi host back to the domain, ensure the corresponding Computer Object has been removed from Active Directory.

6. Join the ESXi Host to the Domain

  • Use domainjoin-cli to join the ESXi host to the AD domain: # /usr/lib/vmware/likewise/bin/domainjoin-cli join domain-fqdn username@domain-fqdn
  • Verify Permissions: Ensure the user account used to join the ESXi host to the domain has the necessary permissions in Active Directory to create computer objects.

Additional Information

In the event that the issue persists, please contact Broadcom Support and provide a reference to this article. Our team is available to assist you in resolving the issue.