Active Directory SSH login failure on ESXi 8.0 Update 3 or 9.0.x

Article ID: 440134

Products

VMware vSphere ESXi

Issue/Introduction

After upgrading to ESXi 8.0 Update 3 or 9.0.x, you experience the following symptoms:

  • Users cannot log in to the ESXi host via SSH using Active Directory (AD) credentials.
  • The "ESX Admins" domain group does not appear to have administrative permissions on the host.
  • Attempts to authenticate result in "Access Denied" or timeout errors.
  • The syslog or Likewise logs (/var/log/syslog.log) may contain LW_ERROR_DOMAIN_IS_OFFLINE (Error 40121) or indicate the host is disconnecting from the domain during login.
    Note: Validate the status of the domain using the command /usr/lib/vmware/likewise/bin/domainjoin-cli query

Environment

VMware ESXi 8.0.x, VMware ESX 9.0.x

Cause

This issue occurs due to two primary factors introduced in recent releases:
1. Secure Default Changes: In ESXi 8.0 Update 3 and later, the advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd is set to false by default. This prevents the "ESX Admins" AD group from being automatically assigned the Administrator role.
2. Known AD Component Issue: An issue in the Active Directory component causes the host to disconnect from the domain during certain login sequences, particularly in environments with a large number of trusted domains or intermittent connectivity to Domain Controllers.

Resolution

This issue is resolved in VMware ESX 9.1. To download the latest version, visit the Broadcom Support Portal.

Additional Information

Related Information

• For steps on how to gather ESXi log bundles, see Collecting diagnostic information for VMware ESX/ESXi using vm-support command
• For details on Active Directory integration requirements, see the vSphere product documentation.