Error: "ERROR_NOT_ENOUGH_QUOTA" and "NERR_SetupNotJoined" when joining ESXi hosts to Active Directory in VCF
Article ID: 430600
Updated On:
Products
VMware vSphere ESXi
Issue/Introduction
- Attempts to join multiple ESXi hosts to an Active Directory domain fail sequentially after a specific number of successful joins.
- The
/var/run/log/syslog.logon the failing ESXi hosts contains the following `lwsmd` provider errors:YYYY-MM-DDTHH:MM:SSZ Er(27) lwsmd[6687114]: [lsass] Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider' ) -> error = 1816, symbol = ERROR_NOT_ENOUGH_QUOTA, client pid = 2100753YYYY-MM-DDTHH:MM:SSZ Er(27) lwsmd[6687114]: [lsass] Failed to run provider specific request (request code = 12, provider = 'lsa-activedirectory-provider') -> error = 2692, symbol = NERR_SetupNotJoined, client pid = 6696820
Environment
- VMware Cloud Foundation 9.x
- VMware vSphere ESXi 9.x
Cause
- The Active Directory user account performing the domain join has reached the
ms-DS-MachineAccountQuota - By default, Active Directory permits standard authenticated users to create a maximum of 10 computer objects. Once this limit is reached, subsequent join attempts using the same credentials will fail with
ERROR_NOT_ENOUGH_QUOTA.
Resolution
- To resolve this issue, reach out to the Active Directory Administrator to increase the global
ms-DS-MachineAccountQuota attributeand then re-try joining the ESXi host to the domain.
Additional Information
- Modifying
ms-DS-MachineAccountQuotaalters the default security posture of the Active Directory domain. Reaching out to Microsoft/AD administrator is recommended.
Feedback
Yes
No
Powered by
