ESXi Host Unable to Authenticate Users via Active Directory Domain Groups

Article ID: 400170

Updated On: 06-12-2025

Products

VMware vSphere ESXi

Issue/Introduction

  • After ESXi hosts have been joined to an Active Directory (AD) domain and an AD group (e.g., "ESXi Admins") has been configured for login, domain users who are members of that group cannot authenticate through the group membership. They cannot log in to the ESXi host web client or SSH with their domain credentials and receive the error:
    “Error: Permission to perform this operation was denied.”
  • If the same domain user is instead added directly to the ESXi host permissions (not through the group), login succeeds. The issue is not isolated to a single host; it occurs across multiple ESXi hosts in the environment.

Entries in /var/log/messages/lwsmd/likewise.log (domain names are placeholders):

2025-05-22T07:44:14.501Z lwsmd[2100855]: [lsass] Transitioning domain 'yourdomain' to ONLINE state
2025-05-22T07:44:14.503Z lwsmd[2100855]: [netlogon] Filtering list of 3 servers with list of 0 black listed servers
2025-05-22T07:44:29.505Z lwsmd[2100855]: [netlogon] CLDAP timed out: yourdomain.com
2025-05-22T07:44:29.506Z lwsmd[2100855]: [netlogon] CLDAP timed out: yourdomain.2.com
2025-05-22T07:44:29.506Z lwsmd[2100855]: [netlogon] CLDAP timed out: yourdomain.3.com
2025-05-22T07:44:29.506Z lwsmd[2100855]: [lsass] Could not transition domain 'yourdomain' to ONLINE state. Error 2453
2025-05-22T07:44:29.506Z lwsmd[2100855]: [lsass] Found domain 'yourdomain' to be offline while resolving its objects.
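The two log patterns that matter in the excerpt above are the "CLDAP timed out: <server>" lines from netlogon and the "Could not transition domain '<domain>' to ONLINE state" line from lsass. The following script is an added example, not part of the KB article: it reads lwsmd log lines from a file (or the constructed sample below, which mirrors the excerpt with placeholder domain names) and prints which domains went offline and which domain controllers failed the CLDAP ping, so the hosts and controllers to check can be pulled out of a large likewise.log without reading it by hand. It uses only POSIX sed/sort/awk and runs offline.

```shell
#!/bin/sh
# Added example (not from the KB article): triage lwsmd/likewise.log output
# for domains that lsass could not bring ONLINE and the DCs that did not answer
# CLDAP. Usage: sh lw-triage.sh /var/log/messages/lwsmd/likewise.log
# With no argument it runs against the constructed sample below.
LC_ALL=C
export LC_ALL

# Constructed sample matching the article's excerpt (placeholder domain names).
sample_log() {
cat <<'EOF'
2025-05-22T07:44:14.501Z lwsmd[2100855]: [lsass] Transitioning domain 'yourdomain' to ONLINE state
2025-05-22T07:44:14.503Z lwsmd[2100855]: [netlogon] Filtering list of 3 servers with list of 0 black listed servers
2025-05-22T07:44:29.505Z lwsmd[2100855]: [netlogon] CLDAP timed out: yourdomain.com
2025-05-22T07:44:29.506Z lwsmd[2100855]: [netlogon] CLDAP timed out: yourdomain.2.com
2025-05-22T07:44:29.506Z lwsmd[2100855]: [netlogon] CLDAP timed out: yourdomain.3.com
2025-05-22T07:44:29.506Z lwsmd[2100855]: [lsass] Could not transition domain 'yourdomain' to ONLINE state. Error 2453
2025-05-22T07:44:29.506Z lwsmd[2100855]: [lsass] Found domain 'yourdomain' to be offline while resolving its objects.
EOF
}

# Domains lsass failed to transition to ONLINE, one per line, deduplicated.
offline_domains() {
    sed -n "s/.*\[lsass\] Could not transition domain '\([^']*\)' to ONLINE state.*/\1/p" | sort -u
}

# Domain controllers whose CLDAP ping timed out: "<server> <timeout count>".
cldap_timeouts() {
    sed -n 's/.*\[netlogon\] CLDAP timed out: \([^ ]*\).*/\1/p' | sort | uniq -c | awk '{print $2, $1}'
}

# Read a log on stdin; print a summary and return 1 when any domain is offline.
triage() {
    log=$(cat)
    offline=$(printf '%s\n' "$log" | offline_domains)
    if [ -z "$offline" ]; then
        echo "no offline domains found"
        return 0
    fi
    echo "offline domain(s): $offline"
    echo "DCs that did not answer CLDAP (server count):"
    printf '%s\n' "$log" | cldap_timeouts
    return 1
}

if [ $# -gt 0 ]; then
    cat "$@" | triage || echo "action needed: check the listed domain controllers"
else
    sample_log | triage || echo "action needed: check the listed domain controllers"
fi
```

On the sample the script reports `yourdomain` as offline and lists all three controllers with one timeout each; a controller that appears with a high count across a longer log is the one to look at first.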

Environment

ESXi 7.0

ESXi 8.0

Cause

  • The domain controllers that lsass discovers for the domain yourdomain do not answer the CLDAP ping ("CLDAP timed out" in the log), so lsass cannot transition the domain to the ONLINE state and cannot resolve the group objects that belong to it.
  • The issue occurs whenever a domain controller that is offline or unreachable from the host is still configured for the domain and is therefore included in the list of servers that lsass tries to contact.
  • The hosts may have more than one offline domain; errors are logged only for the domain that lsass was resolving at the time.
  • The host's Likewise cache initially contains the user's group memberships, but after login attempts that fail to resolve the offline domain the group information is dropped from the cache, so later logins that depend on group membership are denied. A permission assigned directly to the user does not require the group lookup, which is why that login still succeeds.

Resolution

  • Confirm that every domain controller the host discovers for the domain is online and reachable from the host, and remove decommissioned domain controllers so that lsass no longer tries to contact them. The "CLDAP timed out" entries in likewise.log name the controllers that did not answer; CLDAP uses UDP port 389.
  • Clear the Likewise cache so that stale entries without group information are discarded:

/usr/lib/vmware/likewise/bin/lw-cache --delete-all

  • Verify that the AD group configured in the ESXi advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup exists in the domain and has the correct permissions. See: Configuring the ESXi host with Active Directory authentication
  • If the AD group was created after the host joined the domain, leave and rejoin the AD domain so that the group membership is read again from Active Directory:

/usr/lib/vmware/likewise/bin/domainjoin-cli leave
/usr/lib/vmware/likewise/bin/domainjoin-cli join <domain_name> <username>
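The resolution steps above are typed one at a time into the ESXi shell. The script below is an added example, not the KB's own procedure: it runs the same steps in order (show the configured esxAdminsGroup, flush the Likewise cache, leave and rejoin the domain, then query the join state) and adds a DRY_RUN mode that prints the commands instead of executing them, which is the form to review before running it against many hosts. The likewise tool paths are the ones named in the article; the `esxcli system settings advanced list -o` call is the standard way to read an advanced setting, and `domainjoin-cli query` is assumed here to report the current join state. Domain and join-user names are arguments, so nothing about the environment is hard-coded.

```shell
#!/bin/sh
# Added example (not the KB's own script): apply the article's remediation
# steps on one ESXi host, with a dry-run mode.
#   DRY_RUN=1 sh fix-ad-groups.sh yourdomain.com joinuser   # print the commands only
#   sh fix-ad-groups.sh yourdomain.com joinuser             # execute them
LW=/usr/lib/vmware/likewise/bin

# Execute a command, or print it prefixed with "+ " when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Step 1: show which AD group the host maps to the Administrator role, so its
# existence in AD can be confirmed before rejoining.
show_admins_group() {
    run esxcli system settings advanced list -o /Config/HostAgent/plugins/hostsvc/esxAdminsGroup
}

# Step 2: flush the Likewise cache so stale entries without group data are dropped.
flush_lw_cache() {
    run "$LW/lw-cache" --delete-all
}

# Step 3: leave and rejoin so group membership is re-read from Active Directory.
rejoin_domain() {
    run "$LW/domainjoin-cli" leave
    run "$LW/domainjoin-cli" join "$1" "$2"
}

# Run all steps; refuse to proceed without both a domain and a join user.
remediate() {
    if [ $# -ne 2 ]; then
        echo "usage: remediate <domain_name> <username>" >&2
        return 2
    fi
    show_admins_group
    flush_lw_cache
    rejoin_domain "$1" "$2"
    # Assumed to report the join state after the rejoin; not from the article.
    run "$LW/domainjoin-cli" query
}

if [ $# -gt 0 ]; then
    remediate "$@"
fi
```

Run it once per affected host; with DRY_RUN=1 it emits exactly five commands in the order the article gives them, and it exits with status 2 rather than leaving the domain when the join user is missing.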