Windows worker node fails to join AD domain with errorCode 2202
search cancel

Windows worker node fails to join AD domain with errorCode 2202

book

Article ID: 420264

calendar_today

Updated On:

Products

VMware vSphere Kubernetes Service

Issue/Introduction

  • VKS cluster deployment contains Windows worker node which is required to join AD domain to use gMSA. See Using gMSAs in Kubernetes
  • Windows worker node fails to join AD domain with the following error in C:\Program Files\Cloudbase Solutions\cloudbase-init\log\cloudbase-init.txt

    [YYYY-MM-DDTHH:MM:SS].9415755-08:00", "level":"ERROR", "msg":"error applying: error applying task domain-join: failed to join domain: unable to join domain: errorCode 2202: unknown"}

  • Windows worker node can manually join AD domain with same credentials in PowerShell:

    Add-Computer -DomainName "Domain-Name" -Credential (Get-Credential) -OUPath "OU-Full-Path"

Environment

vSphere Kubernetes Service

Cause

Windows worker nodes utilize Cloudbase-init to join the Active Directory (AD) domain, leveraging credentials retrieved from a Secret defined in VKS. However, the domain join process is failing because the Base64 encoding of these credentials is incorrect.

Resolution

To resolve the issue:

  1. Manually create a new secret from literal plain text in namespace of VKS. 

    kubectl create secret generic -n <namespace> <new-windows-join-domain-secret-name> --from-literal username=<username> --from-literal password=<password>

  2. Update the VKS cluster with new secret name and scale in the Windows worker nodes

    kubectl edit cluster -n <namespace> <vks-cluster-name>

    For example:

      workers:
        machineDeployments:
          - class: node-pool
            name: node-pool-photon
            replicas: 1
          - class: node-pool
            name: node-pool-windows
            metadata:
              annotations:
                run.tanzu.vmware.com/resolve-os-image: os-type=windows
            replicas: 0    <<<--- scale in Windows work node
            variables:
              overrides:
              - name: vmClass
                value: best-effort-large
              - name: osConfiguration
                value:
                  directoryJoin:
                    credentialSecretRef: <new-windows-join-domain-secret-name>   <<<--- specify the new secret name
                    domain: <domain-name>

    VKS yaml sample is from Create an Active Directory Domain-Joined Windows Node Pool

  3. Scale out the Windows worker node which will use the credentials from new secret to join AD domain.

Additional Information

Install Windows gMSA Webhook
Configuring a Windows Node Pool to Use Group Managed Service Accounts

Powered by Wolken Software