vCenter Server cannot join Active Directory Domain due to Kerberos issues

Article ID: 407925

Updated On:

Products

VMware vCenter Server

Issue/Introduction

To join a vCenter Server to an Active Directory domain, the vCenter Server requesting the join must be able to reach the domain controllers on TCP port 88, the port used for Kerberos authentication. If port 88 is blocked, or if Kerberos is not properly configured for the account on the domain controller, the domain join request fails.

Environment

VMware vCenter Server 8.x

VMware vCenter Server 7.x

Microsoft Active Directory domains

Cause

Assuming that the username and password used in the join request are correct, the account must have the following permissions in the AD domain:

  • Reset Password
  • Read Account Restrictions
  • Write Account Restrictions
  • Validated write to DNS host name
  • Validated write to service principal name
  • Create Computer objects
  • Delete Computer objects

If the above permissions are present, verify that the vCenter appliance can pass Kerberos traffic to the domain controllers, and that the Active Directory account is configured to use Kerberos preauthentication.

Resolution

If a vCenter Server is failing to join an Active Directory domain:

  • Verify the vCenter Server can reach the domain (and every one of its Domain Controllers) on TCP port 88.
    • SSH into the vCenter as the root user and run `curl -v <domainNameORdomainController>:88`. A connection that is refused or times out means port 88 is blocked between the appliance and that domain controller.
  • Open the user account properties for the join account on the Active Directory domain controller(s).
    • Verify the "Do not use Kerberos preauthentication" Account option is not checked (disabled) in Active Directory.

Additional Information

"Do not use Kerberos preauthentication" is a confusing setting, and the required state reads as a double negative. The account used to join vCenter must use Kerberos preauthentication, so the setting must be disabled ("Do not use" + "disabled" == use).
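As an added example (not from this article or from VMware), the following bash script automates the two checks in the Resolution section and encodes the double negative described above: it discovers the domain's domain controllers from the `_kerberos._tcp` SRV record, tests TCP port 88 against each one, and decodes a userAccountControl value (readable from the account's Attribute Editor tab in Active Directory Users and Computers) to confirm that the "Do not use Kerberos preauthentication" bit (ADS_UF_DONT_REQUIRE_PREAUTH, 0x400000) is clear. The domain name, hostnames, SRV output and userAccountControl values are constructed samples, and the script assumes bash, `dig` and the coreutils `timeout` command are available on the appliance.

```shell
#!/usr/bin/env bash
# Added example: pre-join checks for the two conditions in this article.
#  1. every domain controller is reachable on TCP/88 (Kerberos)
#  2. the join account does not have "Do not use Kerberos preauthentication" set
# Assumes bash, dig (for the SRV lookup) and coreutils `timeout` are available.

# userAccountControl bit for "Do not use Kerberos preauthentication"
# (ADS_UF_DONT_REQUIRE_PREAUTH = 0x400000 = 4194304).
DONT_REQ_PREAUTH=$((0x400000))

# Constructed sample of `dig +short SRV _kerberos._tcp.corp.example.com`
# output (priority weight port target); domain and hostnames are placeholders.
SAMPLE_SRV='0 100 88 dc1.corp.example.com.
0 100 88 dc2.corp.example.com.'

# parse_srv: read dig +short SRV output on stdin and print one DC hostname per
# line with the trailing dot removed. Lines that are not 4 fields are ignored.
parse_srv() {
  awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# check_port HOST PORT: succeed (exit 0) only if a TCP connection to HOST:PORT
# opens within 5 seconds. Uses bash's /dev/tcp, so no curl or nc is needed;
# the article's "curl -v <host>:88" is the same test done by hand.
check_port() {
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# preauth_required UAC: succeed if the account requires Kerberos
# preauthentication, i.e. the DONT_REQ_PREAUTH bit is clear in the decimal
# userAccountControl value ("Do not use" + "disabled" == use).
preauth_required() {
  (( ($1 & DONT_REQ_PREAUTH) == 0 ))
}

# check_domain DOMAIN: discover DCs via the SRV record and test TCP/88 on each.
# Prints one line per DC and returns 0 only if every DC was reachable.
check_domain() {
  local domain="$1" dc dcs rc=0
  dcs=$(dig +short SRV "_kerberos._tcp.${domain}" | parse_srv)
  [ -n "$dcs" ] || { echo "no _kerberos._tcp SRV records for ${domain}"; return 2; }
  for dc in $dcs; do
    if check_port "$dc" 88; then
      echo "OK   ${dc}:88"
    else
      echo "FAIL ${dc}:88 (Kerberos port unreachable)"
      rc=1
    fi
  done
  return $rc
}

# Usage on the appliance:  ./adjoin-check.sh corp.example.com 512
# (second argument is the join account's decimal userAccountControl value)
if [ $# -eq 2 ]; then
  check_domain "$1"; dom_rc=$?
  if preauth_required "$2"; then
    echo "OK   account requires Kerberos preauthentication"
  else
    echo "FAIL account has 'Do not use Kerberos preauthentication' set"
    dom_rc=1
  fi
  exit $dom_rc
fi
```

A userAccountControl of 512 is a normal enabled account and passes; 4194816 (512 + 0x400000) is the same account with the preauthentication option checked and fails, which is the state that breaks the join. Any DC reported as FAIL needs a firewall or routing fix before the join is retried, since the appliance must reach every constituent domain controller, not just the one that answered the SRV lookup first.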