Unable to Add VMware ESXi to Active Directory Domain – Errors in Active Directory Operations


In this post, we are going to go over a common issue that you may run into when trying to add a VMware ESXi [1] host to a Microsoft Active Directory [2] (AD) domain.


  1. SECTION I – Errors in Active Directory Operations
  2. SECTION II – Solutions
    1. SECTION II – A – Remove Old AD Object
    2. SECTION II – B – Allow through Firewall
    3. SECTION II – C – Check Hosts Time
  3. SECTION III – Footnotes

SECTION I – Errors in Active Directory Operations

When trying to add the ESXi host to a Microsoft AD domain using the web Graphical User Interface (GUI), the join may fail and show a red banner with the warning ‘Failed to join Active Directory: Errors in Active Directory Operations’. This is one of the least useful error messages you will meet, because it gives no hint of the underlying cause.

You can instead attempt the join from the Command Line Interface (CLI). Joining manually often produces a more specific error message that helps you narrow down and fix the fault, although in some cases you will still only get a generic error. Use the following command to try and manually join the ESXi host to the AD domain:

/usr/lib/vmware/likewise/bin/domainjoin-cli join AD_Domain_Name AD_Username

SECTION II – Solutions

In this section we will go through some common solutions that I have come across while working with ESXi. Each of these has, at one time or another, been the cause of an ESXi host refusing to join the AD domain.

SECTION II – A – Remove Old AD Object

The first solution will potentially apply to you if you are in the situation where you scale your ESXi host infrastructure up and down often. If an ESXi host with the exact same hostname has been joined to the domain before, the first thing to check is that the original AD object for that host is not still present in the AD domain.

In order to check this, connect to your Domain Controller (DC) and open the Active Directory Users and Computers application. Right click on the top level of your domain and select the ‘Find’ option. In the drop down of what to search for, select ‘Computers’ and then search for your ESXi hostname. If the AD object is still there, delete it from the domain before trying the join again.

SECTION II – B – Allow through Firewall

The next most common issue that can stop you from being able to add an ESXi host to the AD domain is that the host cannot talk to the DC on the correct ports.

If you are running a network firewall in your architecture then you need to make sure that the following destination ports are allowed through from the ESXi host to the DC:

  • 53 – User Datagram Protocol (UDP)
  • 88 – UDP/Transmission Control Protocol (TCP)
  • 389 – UDP/TCP
  • 636 – TCP

With these ports allowed through any network firewalls in your infrastructure, your ESXi host should be able to communicate with the DC on the ports it requires.

A good way to test this is to use the netcat tool from the CLI of the ESXi host. The -z flag only checks that the port accepts a connection without sending any data:

nc -z <dest IP> <dest port>

SECTION II – C – Check Hosts Time

The final potential solution I have for you is to make sure that the time on the ESXi host and the DC agree. Time is a major factor in all computer systems, and especially so in an AD domain. If your infrastructure has a Network Time Protocol (NTP) server, make sure that the ESXi host is configured to point to that server and that the ntpd service is running.

If the clocks of the ESXi host and the DC differ by more than 5 minutes, the host will not be able to join the domain. This is because the Windows Kerberos [3] default maximum time tolerance is 5 minutes.
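The checks in SECTION II – B and SECTION II – C can be scripted so that you see the failing piece before the join reports its vague error. The following is an added example written for this post, not VMware's or Microsoft's code. It does three things: it sends the DNS SRV query an AD client uses to locate a DC (the UDP/53 dependency) and parses the reply, it tests the TCP ports from the list above the way `nc -z` does, and it compares two timestamps against the 5-minute Kerberos tolerance. The domain name corp.example, the DC name dc01 and any IP addresses in it are assumptions, and the sample DNS reply is constructed by hand, not captured.

```python
"""Pre-join checks for an ESXi host, written as an added example for this post.
Not VMware's or Microsoft's code. The domain corp.example, the DC dc01 and the
IP addresses used below are assumptions, not real infrastructure."""
import socket
import struct
from datetime import datetime

KERBEROS_MAX_SKEW_SECONDS = 300        # Windows Kerberos default tolerance (5 minutes)
DNS_TYPE_SRV, DNS_CLASS_IN = 33, 1
TCP_PORTS = {"kerberos": 88, "ldap": 389, "ldaps": 636}   # TCP ports listed in the post


def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout.
    False means a firewall (or a stopped service) is in the way; this is the
    socket equivalent of `nc -z host port` from the ESXi shell."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc_ports(dc_host, ports=TCP_PORTS, timeout=3.0):
    """Map service name -> reachable for each TCP port the domain join needs."""
    return {name: tcp_port_open(dc_host, port, timeout) for name, port in ports.items()}


def build_srv_query(name, txid=0x1234):
    """Encode a DNS query (RD=1) for the SRV record `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", DNS_TYPE_SRV, DNS_CLASS_IN)


def read_name(msg, off):
    """Decode a possibly-compressed DNS name at `off`; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = end if end is not None else off + 2  # first pointer fixes the end
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_srv_answers(msg):
    """Return sorted (priority, weight, port, target) tuples from a DNS reply."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                                 # non-zero RCODE, e.g. NXDOMAIN
        return []
    off = 12
    for _ in range(qd):                                # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == DNS_TYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return sorted(records)


def query_dc_srv(domain, dns_server, timeout=3.0):
    """Ask dns_server over UDP/53 which DCs serve `domain`. An empty list means the
    host cannot locate a DC at all, which the join reports only as a vague error."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(f"_ldap._tcp.dc._msdcs.{domain}"), (dns_server, 53))
        reply, _ = s.recvfrom(4096)
    return parse_srv_answers(reply)


def clock_skew_ok(esxi_time, dc_time, tolerance=KERBEROS_MAX_SKEW_SECONDS):
    """True if two ISO-8601 timestamps (with 'Z' or a UTC offset) differ by no
    more than the Kerberos tolerance."""
    a = datetime.fromisoformat(esxi_time.replace("Z", "+00:00"))
    b = datetime.fromisoformat(dc_time.replace("Z", "+00:00"))
    return abs((a - b).total_seconds()) <= tolerance


def constructed_srv_response():
    """Hand-built DNS reply (not a capture) for corp.example with one DC. It uses
    name compression as real servers do, so parse_srv_answers is fully exercised."""
    question = build_srv_query("_ldap._tcp.dc._msdcs.corp.example")[12:]
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    rdata = struct.pack("!HHH", 0, 100, 389) + b"\x04dc01" + b"\xC0\x21"  # 0x21 -> "corp.example"
    answer = b"\xC0\x0C" + struct.pack("!HHIH", DNS_TYPE_SRV, DNS_CLASS_IN, 600, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    print(parse_srv_answers(constructed_srv_response()))   # offline demo of the parser
    print(clock_skew_ok("2024-05-01T10:00:00Z", "2024-05-01T10:04:59Z"))
    # Live checks against an assumed DC at 10.0.0.10 (run from the ESXi shell):
    # query_dc_srv("corp.example", "10.0.0.10"); check_dc_ports("10.0.0.10")
```

Run it from the ESXi shell with the DC's address in place of the assumed 10.0.0.10. Three outcomes map directly onto the sections above: an empty SRV list points at DNS (UDP/53 or a wrong DNS server setting), a False entry in the port map points at a firewall rule, and a False from the clock comparison points at NTP.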

SECTION III – Footnotes

  1. VMware ESXi – ESXi is a type 1 bare metal hypervisor from VMware. It is an operating system used to host virtual machines.
  2. Microsoft Active Directory – AD is a hierarchical shared directory service that keeps track of the workstations and servers joined to a single infrastructure. AD is a central administrative system for all of those devices, allowing you to enforce policies as well as control user permissions.
  3. Kerberos – Kerberos is an authentication protocol used within a Windows domain. It uses a ticket system with a central ticket server that is used to verify user identity.
