VMware Cloud Community
Richita
Contributor

unable to add ESXI host to Active directory domain

I am unable to add the ESXi host to the Active Directory domain. I checked the lsassd service on the host; it is stopped. When I tried to start the service, I got the error "Starting Likewise Identity and authentication Servicetouch: /var/lock/subsys/lsassd: No such file".

15 Replies
Anjani_Kumar
Commander

This is a quite well-known issue in ESXi 5. There is a workaround for this issue. Have a look at that.

VMware KB: Manually restarting Active Directory related services on ESXi 5.5 displays the message: /...

Please consider marking this answer "correct" or "helpful" if you found it useful. Anjani Kumar | VMware vExpert 2014-2015-2016 | Infrastructure Specialist Twitter : @anjaniyadav85 Website : http://www.Vmwareminds.com
Richita
Contributor

Thanks. After following the steps mentioned in the KB article, I managed to start the lsassd service.

But the original issue is still not resolved. When adding the host to the domain, it shows the error "Specified domain doesn't exist or could not be contacted".

The issue started only last week. Previously the hosts were working fine.

Anjani_Kumar
Commander

Are you able to ping your host from the computers, to make sure it is reaching the AD host?

For the issue: this issue occurs when TCP port 53 is not open in the ESXi 5.0 firewall.

Did you configure any firewall rules on your host?

Fix: You can temporarily disable the ESXi firewall and join the ESXi host to the domain. It can be disabled with the following command:

esxcli network firewall unload

Note: this will destroy any rules configured in the firewall. If you haven't configured any, then it's okay to go ahead and try this way.

UmeshAhuja
Commander

Hi,

Have you tried first creating the directory path inside AD and then adding the ESXi host to the domain?

1. Set up AD Authentication, join the host to the AD domain CompanyName.com
    1. Go to the Configuration tab for the host
    2. Click on Authentication Services, then click on Properties in the upper right corner; you should see the dialog box

       Select Active Directory from the Select Directory Service Type drop-down box

       Enter CompanyName.com/servers/enterprise in the Domain box (this will create the computer account in the correct AD OU)

    3. Click the Join Domain button and enter your admin credentials to join the host to AD, like name@CompanyName.com and the password

This will create an account in AD and complete the join. Now that this host has been joined to AD, when logging into an SSH session on the host, you should use your AD admin account.

Thanks n Regards
Umesh Ahuja

If your query resolved then please consider awarding points by correct or helpful marking.
Richita
Contributor

I had already tried these options based on the KB below:

VMware KB: Unable to add ESXi host to the Active Directory domain

But still no success adding the host to the AD domain.

Anjani_Kumar
Commander

Seems like there is an issue with time zone sync.

Are your Domain Controllers Virtual, and if so where is the PDC Emulator syncing its time from?

I always have my PDC Emulator syncing from a known good time source, like below.
ESX Hosts ----> NTP Time source

PDC Emulator -----> NTP Time source

DC's and Members -----> Domain time from PDC emulator

Richita
Contributor

The issue occurred just a week ago.

Until then the hosts were authenticating to AD.

And no such changes were made in the last week.

Also, other hosts are authenticating to AD.

I don't understand how the issue suddenly occurred.

Anjani_Kumar
Commander

It happens; that's why we are hired to fix these issues.

If nothing works, try to update your ESXi host to a step higher version, 5.1 U1 or whatever is applicable. I believe that will fix the issue.

Richita
Contributor

The ESXi host version is already 5.1.0 Update 1. The other hosts are also on the same version and they are not having any issue.

Being a production host, we can't upgrade it.

UmeshAhuja
Commander

Hi,

Here you go...

There might be a possibility that port 53 is not open in the firewall, but you have already checked that, and you have also mentioned that your ESXi is 5.1.0 Update 1, so this issue is automatically resolved with the update.

• Includes TCP port for DNS in ESXi firewall

  You cannot add an ESXi host to the Active Directory (AD) domain. When you attempt to join an ESXi 5.0 host to an AD environment through the vSphere Client, the task fails with an error message similar to the following:

  Could not join <domainname>: The specified domain either does not exist or could not be contacted.

  This issue is resolved in this release. Now the outbound TCP port 53 on the firewall of the ESXi host is enabled by default. (VMware ESXi 5.0 Update 1 Release Notes)

Now let's cross-check with:

1) Check if the NFS client in the firewall is enabled or not. If not, enable it.

2) Check if you have properly configured the DNS IP address on the ESXi host.

3) Check if you are able to ping the ESXi host with the DNS name you have given; else re-create the entry on the DNS server.

4) And finally, this issue may also occur if you have entered the user credentials in the <domain\username> format.

To work around this issue on earlier ESX/ESXi versions, enter the user credentials in the <username> or <username@fqdn_of_the_domain> format.

I entered my user name (without the leading domain\ ) and it worked.

VMware KB: Adding the ESX/ESXi host to an Active Directory domain fails with the error: Errors in Ac...

Thanks n Regards
Umesh Ahuja

Richita
Contributor

Hi,

I tried the above options.

The NFS client was not set in the ESXi firewall, which I have now enabled.

The DNS entries are correct.

Tried credentials in both formats mentioned above.

Still issue persists.

UmeshAhuja
Commander

Hi,

Can you try adding the host once again, then pull the full /var/log/syslog.log and upload it, which will help us to solve the issue.

Thanks n Regards
Umesh Ahuja

mannygarcia20
Contributor

Please upload/paste the syslog from the host. Looks like some of the configuration already posted above has been checked. Now, it might sound stupid, but check that the IP you are using for this host is actually slated for it and not held somewhere else.

Dreex
Contributor

Hello

I had the same issues and this is what worked for me:

- Enabled the NFS client on the firewall;

- Checked if "Active Directory All" was on the Outgoing Connections list (it was);

- Changed the DNS from external (8.8.8.8) to the DNS on the PDC (192.168.x.x);

- On "DNS and Routing", added the domain name under "Host Identification", and also filled in my domain name under "Look for hosts in the following domains";

- For the Domain (in the Directory Services Configuration), filled it in using the <fqdn_of_the_domain/XXX/Servers> format;

- For login, used the <username@fqdn_of_the_domain> format.

Many thanks Umesh.

Best

André

benkeprashant
Contributor

Hi,

I was facing this issue on ESXi 6.0 U1; it got resolved after removing a duplicate domain name in "DNS and Routing Configuration" - "Look for hosts in the following domains".

This duplicate entry might have been added by a host profile.

Thanks,

Prashant.

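The checks the replies in this thread converge on (firewall rulesets such as nfsClient and activeDirectoryAll, a duplicate DNS search domain pushed by a host profile, and clock skew between the host and the domain controller) can be run from the ESXi shell before retrying the join. The script below is an added example, not code from the thread or from VMware. The esxcli output it parses is constructed in the shape of the real commands' output; the ruleset names, the two-column layout and the "DNSSearch:" prefix are assumptions to verify against your own host's output before relying on them.

```shell
#!/bin/sh
# Added example: pre-join checks for an ESXi host, written for busybox ash / POSIX sh.
# All sample data below is CONSTRUCTED. On a real host, feed the functions the live output
# of the commands named in the comments instead of the SAMPLE_* strings.

# Constructed sample of `esxcli network firewall ruleset list` (assumed Name/Enabled columns).
SAMPLE_RULESETS='Name                 Enabled
-------------------  -------
sshServer            true
activeDirectoryAll   true
nfsClient            false
dns                  true'

# Constructed sample of `esxcli network ip dns search list`, with the duplicate search
# domain that the last reply describes (assumed "DNSSearch:" prefix, comma separated).
SAMPLE_SEARCH='   DNSSearch: corp.example.com, corp.example.com'

# ruleset_enabled RULESET_OUTPUT RULESET_ID -> prints "true", "false" or "missing"
ruleset_enabled() {
    printf '%s\n' "$1" | awk -v id="$2" '
        NR > 2 && $1 == id { print $2; found = 1 }
        END { if (!found) print "missing" }'
}

# duplicate_search_domains SEARCH_OUTPUT -> prints each search domain that appears more
# than once (case-insensitive); prints nothing when the list is clean
duplicate_search_domains() {
    printf '%s\n' "$1" | sed 's/^ *DNSSearch: *//' | tr ',' '\n' \
        | tr -d ' ' | tr 'A-Z' 'a-z' | grep -v '^$' | sort | uniq -d
}

# clock_skew_ok HOST_EPOCH DC_EPOCH -> exit 0 when |host - dc| is within the 300 s
# default Kerberos maximum clock skew, non-zero otherwise
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( -skew ))
    [ "$skew" -le 300 ]
}

# report: run the three checks over the constructed samples and print findings.
# On a live host replace the samples with, for example:
#   ruleset_enabled "$(esxcli network firewall ruleset list)" nfsClient
#   duplicate_search_domains "$(esxcli network ip dns search list)"
# and enable a missing ruleset with:
#   esxcli network firewall ruleset set --ruleset-id=nfsClient --enabled=true
report() {
    for rs in activeDirectoryAll nfsClient dns; do
        printf 'ruleset %-20s %s\n' "$rs" "$(ruleset_enabled "$SAMPLE_RULESETS" "$rs")"
    done
    dups=$(duplicate_search_domains "$SAMPLE_SEARCH")
    if [ -n "$dups" ]; then
        printf 'duplicate DNS search domain(s): %s\n' "$dups"
    else
        printf 'DNS search list has no duplicates\n'
    fi
    # Constructed epoch seconds: host 400 s behind the DC, beyond the Kerberos limit.
    if clock_skew_ok 1700000000 1700000400; then
        printf 'clock skew within limit\n'
    else
        printf 'clock skew exceeds 300 s; fix NTP before joining\n'
    fi
}

report
```

The firewall check reads the ruleset table rather than the global firewall state, so it reports the specific rulesets the thread names instead of suggesting the blanket `esxcli network firewall unload` mentioned earlier, which drops every rule on the host. The skew check uses epoch seconds so it can be fed from `date +%s` on the host and on the domain controller.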