tjcooper
Contributor

Cannot join ESXi 5.0 Host to AD

I can't join my ESXi 5.0 host to the domain. It's not currently being managed by vSphere. The error: The specified domain either does not exist or could not be contacted.

It doesn't make sense. DNS is good, I can ping from the server and to the server.

Any help is greatly appreciated.

-tjcooper     

24 Replies
Dave_Mishchenko
Immortal

Some others have had this issue when joining a domain via the GUI.

Do you have the time synced up on the host with the domain?

You can try the vCLI command vicfg-authconfig

http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.vsphere.upgrade.doc_50/GUID-18B7B4BB-C...

http://blogs.vmware.com/esxi/2010/10/top-five-new-vcli-commands-in-vsphere-41.html

The vCenter appliance and I believe the vMA also have the domainjoin-cli command to use.

djtalleks
Contributor

tjcooper,

Did you ever figure out what the problem was or how to get the host to join to AD? I have the same problem on a host we recently upgraded to ESXi 5 for testing and no matter what approach I take, the host will not join to AD. I have tried all GUI options and have also tried Dave's suggestion from the vMA with vicfg-authconfig and all produce the error you listed.

-djtalleks

RParker
Immortal

djtalleks wrote:

tjcooper,

Did you ever figure out what the problem was or how to get the host to join to AD? I have the same problem on a host we recently upgraded to ESXi 5 for testing and no matter what approach I take, the host will not join to AD. I have tried all GUI options and have also tried Dave's suggestion from the vMA with vicfg-authconfig and all produce the error you listed.

-djtalleks

After researching this, sometimes the obvious escapes us.. AD will not let a machine join if it's more than 60 seconds off in time.  So first you may need to add the NTP settings on the host, synch the time (also ensuring the AD is using the same time source) and then try again.

What error are you getting?

tjcooper
Contributor

I think there is a port that is blocked or something along those lines. A previous poster said it worked if he disabled the firewall at the ESX host.

The error is:

The specified domain either does not exist or could not be contacted. I can ping the DC. The time is set to the DC. If I enter incorrect credentials I get a different error. Therefore, it is talking to the DC at some level.

vcpguy
Expert

Here are the steps that I followed, and they worked for me:

  1. Created the computer object in AD
  2. Connected to the vCenter Server via VI Client
  3. Configured the NTP settings and restarted the NTP server
  4. Under the Domain type for Authentication Services for ESXi, typed the FQDN
  5. For username used the following syntax: username@FQDN
  6. Typed the password and it worked

I tried the same steps with the vCenter Server appliance; I am getting the following error message: "The host does not have suitable FQDN". Need to work on that.

----------------------------------------------------------------------------- Please don't forget to reward Points for helpful hints; answers; suggestions. My blog: http://vmwaredevotee.com
RParker
Immortal

tjcooper wrote:

I think there is a port that is blocked or something along those lines. A previous poster said it worked if he disabled the firewall at the ESX host.

The error is:

The specified domain either does not exist or could not be contacted. I can ping the DC. The time is set to the DC. If I enter incorrect credentials I get a different error. Therefore, it is talking to the DC at some level.

OK, your logic is flawed then, because if you can talk to the DC at some level, it must NOT be the firewall.. it's obviously getting TO the DC, so that can't be it either....

The fact that you can contact the DC is irrelevant.  The error returned may not match what is ACTUALLY going on, programmers are notorious for simply returning a bad code because it wasn't what they were expecting.

So if you login and it's getting SOME error level other than -1 (meaning there is an "error") the code will simply reply "bad password or user name" because that is the part in the code that is doing security log in, so if you login and it expects an "OK" from the DC and doesn't get it, it ASSUMES it must be your password rather than replying with an error message properly, because some programmers are not thorough.. they dont' want to figure out ALL the codes, just the ones they can control.

The time is set to the DC, isn't a proper configuration for AD, your client can't get the time from the DC if it can't login to the DC, doesn't that make sense as well?  That's why I said SET the time on the host BEFORE you login to the DC, the DC will reject you (even if you have the right name and password) because you are not in synch....

djtalleks
Contributor

Here is what I have done to try and get this working:

  • I have verified NTP is configured and has the correct time.
  • NTP has been restarted.
  • Host was also rebooted since it is a test box
  • Deleted and recreated the computer object in AD
  • I type domain.name in for the domain
  • Enter my username and password

Despite these, I still cannot join the host to the domain.

tjcooper
Contributor

I did all that as well and I get the same results. I read a post where the person disabled the firewall and was able to join. I will try that and see what happens.

Additionally, I believe a DC will respond to NTP requests regardless of AD membership.

vcpguy
Expert

Did you use the following format to add your username?

username@fqdn

If you don't use the above format, I have seen it give an error message.

RParker
Immortal

tjcooper wrote:

I did all that as well and I get the same results. I read a post where the person disabled the firewall and was able to join. I will try that and see what happens.

Additionally, I believe a DC will respond to NTP requests regardless of AD membership.

Depends on policy, if an object on your network is NOT a member server, or a workstation therefore no trust, the AD probably won't let it access any resource, even time.  But you could have changed your policy to allow ANY unauthenticated server from getting time.

Another side note it's a BAD idea to make your AD the time source, because if the AD is somehow set wrong ALL of your servers, workstations, desktops, laptops will change their time as well.. It's still better to use an external NTP server separately that your non-AD servers get their time from.

tjcooper
Contributor

Yes. I even double checked it with AD.

tjcooper
Contributor

I set it to AD and to our core switch. Neither worked. I don't think it's a time issue.

djtalleks
Contributor

I ran this from PowerCLI as a test: (already connected to the host of course)

PowerCLI G:\PowerCLIScripts> $firewall = Get-VMHostFirewallDefaultPolicy
PowerCLI G:\PowerCLIScripts> Set-VMHostFirewallDefaultPolicy -Policy $firewall -AllowOutgoing $true -AllowIncoming $true

VMHostId              IncomingEnabled  OutgoingEnabled
--------              ---------------  ---------------
HostSystem-ha-host    True             True

Once I did this, I was able to join the host to the domain. Still not totally out of the woods as I'm still blocked from connecting directly to the host with the viclient...even with these set to true above. Looks to be a firewall issue but I don't have the full details on what else needs to be changed and why.

Hope this helps.

steffen_richter
Hot Shot

Hey guys,

we have the same issue here. I am a VCI and currently teaching a vSphere 5 class. We have 4 absolutely identical pods (1 DC, 2 ESXi 5 hosts, 1 vCVA, 1 client desktop). In one of the pods I successfully added one of the hosts to the domain for demonstration purposes. Afterwards I removed it from the domain and the host was rebooted several times (students were doing labs). Now, neither of the 2 hosts can be added to the domain anymore. We get the same error as everyone else here. Things that were checked (most right upfront):

- time in sync on all components (hosts, vCenter, DC, client desktop)

- tried different naming schemes while adding the host (administrator, administrator@vmware.local, vmware\administrator...)

- firewalls are turned off (DC, client desktop), only ESXi 5 firewall is running, but ports for AD are opened, no physical firewall in between

- no "old" computer account from the first host-add left in DC

Even when trying the domain join via vMA, it does not work:

vi-admin@localhost:~[esx1.vmware.local]> vicfg-authconfig --authscheme AD --joindomain vmware.local --adusername=administrator --adpassword=vmware
Could not join vmware.local: The specified domain either does not exist or could not be contacted.

Very strange issue. As mentioned, we have 4 pods here. All other 3 pods are working just fine. Domain join works, domain leave works, with or without reboot. All pods are configured the absolute same way and was also checked several times now by myself. Maybe it is really a bug?

BR

Steffen

Update:

we tried a little bit more, and... now the 2nd ESXi host was able to be added to the domain, without ANY configuration change. The 1st host still cannot be added to the same domain, in the same network, with the same configuration. We had tried to add the 2nd host just 20 minutes before, and it failed. Do I need to understand that?

VCI since 2009
jarauzo
Contributor

I'm having the same problem.  The workaround is to edit the Firewall properties of the ESXi host and enable the NFS client.  Enabling the NFS client enables outgoing TCP on ports 0 - 65535.  Attempting to join the domain, after configuring the Firewall as described, completes successfully every time.

Joe Arauzo

patm521
Contributor

Enabling NFS in the Security Profile of the ESXi host worked for me as well.  However, since it is not a best practice for us to have all the outgoing firewall ports open, I went back in and unchecked NFS after joining the domain.  AD connectivity with the host is still working just fine.

Feltrek
Contributor

I had a similar issue. Before I was getting "the specified domain doesn't exist in vCenter UI"

What resolved it for me was first looking at /var/log/syslog.log

I saw:

2011-11-07T23:47:37Z netlogond[4801]: [LWNetDnsQueryWithBuffer() /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/utils/lwnet-dns.c:1185] DNS lookup for '_ldap._tcp.dc._msdcs.my.domain.com' failed with errno 0, h_errno = 1

I resolved it by adding the domain controller as the primary DNS server to /etc/resolve.conf

syslog then showed this:
2011-11-07T23:53:15Z nssquery: Group lookup failed for 'MY\ESX Admins'
This must be the default Admin group it looks to. This is good because before a standalone server for VC the administrators group all = ESX admin access.
So added this group as well on the AD.

Note variables:

Already added the host object to AD

I am traversing firewalls.

I connected with the FQDN for both the domain and the user@FQDN

This is a single ESXi 5.0 server environment. No vCenter yet--- until we migrate over from 35.


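A small triage helper, added here as an example and not part of this thread or of VMware's tooling: it parses syslog.log lines like the two quoted above and maps them to the causes discussed in the thread (the DC-locator SRV lookup failing, the missing 'ESX Admins' group, and time skew). The sample log is constructed; the skew line, the lsassd process name and the hint texts are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log modelled on the two syslog.log entries quoted above;
# the lsassd skew line is a constructed Kerberos-style message, not from the thread.
SAMPLE_LOG = """\
2011-11-07T23:47:37Z netlogond[4801]: [LWNetDnsQueryWithBuffer() lwnet-dns.c:1185] DNS lookup for '_ldap._tcp.dc._msdcs.my.domain.com' failed with errno 0, h_errno = 1
2011-11-07T23:53:15Z nssquery: Group lookup failed for 'MY\\ESX Admins'
2011-11-07T23:55:02Z lsassd[4810]: join failed: Clock skew too great
2011-11-07T23:55:10Z netlogond[4801]: unrelated informational message
"""

# Resolver h_errno codes from <netdb.h>; h_errno = 1 means the name does not exist.
H_ERRNO = {1: "HOST_NOT_FOUND", 2: "TRY_AGAIN", 3: "NO_RECOVERY", 4: "NO_DATA"}
SRV_PREFIX = "_ldap._tcp.dc._msdcs."

DNS_FAIL = re.compile(r"netlogond\[\d+\]:.*DNS lookup for '(?P<name>[^']+)' failed "
                      r"with errno (?P<errno>\d+), h_errno = (?P<herrno>\d+)")
GROUP_FAIL = re.compile(r"nssquery: Group lookup failed for '(?P<group>[^']+)'")
SKEW = re.compile(r"clock skew too great", re.IGNORECASE)


def srv_record_name(domain: str) -> str:
    """DC-locator SRV name that netlogond queries for an AD DNS domain."""
    return SRV_PREFIX + domain.strip(".").lower()


def diagnose_line(line: str) -> Optional[Dict[str, str]]:
    """Map one syslog.log line to a likely join-failure cause, or None."""
    m = DNS_FAIL.search(line)
    if m:
        name = m.group("name")
        domain = name[len(SRV_PREFIX):] if name.startswith(SRV_PREFIX) else name
        return {"cause": "dns_srv_lookup", "domain": domain,
                "h_errno": H_ERRNO.get(int(m.group("herrno")), "UNKNOWN"),
                "hint": "point /etc/resolv.conf at a DNS server that hosts the "
                        "_msdcs zone for " + domain + " (normally a DC)"}
    m = GROUP_FAIL.search(line)
    if m:
        return {"cause": "missing_admin_group", "group": m.group("group"),
                "hint": "create the group in AD; 'ESX Admins' is the default "
                        "group ESXi looks up"}
    if SKEW.search(line):
        return {"cause": "time_skew",
                "hint": "sync host NTP with the DC's time source before joining"}
    return None


def diagnose_log(text: str) -> List[Dict[str, str]]:
    """Run diagnose_line over a whole log and keep only the findings."""
    return [f for f in (diagnose_line(l) for l in text.splitlines()) if f]
```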
FROGGYJ
Contributor

Thanks Joe, that did the trick for me as well! I unchecked it after it joined the domain and everything still works.

AndrewJ24
Contributor

Hi everyone,

Not sure if this is very obvious, but after also seeing this problem for a while in my home lab, I realized that I did not have the DC IP address as the Primary DNS server. It was set as the alternate. Given I just have the home lab set up behind a router and my domain is not actually pointed at a public IP address, vCenter kept throwing this error at me. Beginner's mistake I hope, but just in case someone is overlooking something obvious I wanted to post this.

Andrew
