VMware Cloud Community
leadacid
Contributor

ESXi 5 can't join Active Directory? No right to add hosts to the domain?

Hey folks, I'm trying to set up some of our ESXi 5 (632860) hosts with Active Directory authentication.  I was able to do this before when I was running v4.1, and now I'm having nothing but trouble.

Whenever I try to connect to our domain, I keep getting the error "User account has no right to add hosts to the domain."  I obviously find this odd as I'm trying to use a domain admin account.  I'm not sure I can go any higher permissions-wise.

Well, like I said, I'm using a domain admin account. I've tried two different accounts with no difference.

I'm using our domain name (which is the same as our internal DNS) with the format corp.<companyname>.com.  I then just use my user account and password, without using the @ or the \ stuff.

I've turned the host firewall on and off and it doesn't seem to make any difference.

I've tried this on multiple hosts and get the same problem on all of them.

I have tried hosts that already have accounts created, and others that don't.  No difference.

I also have pulled the /var/log/hostd.log file and here's some relevant information:

2012-07-23T21:56:56.589Z [4EC15B90 info 'TaskManager' opID=D1173982-000000AC] Task Created : haTask-ha-host-vim.host.ActiveDirectoryAuthentication.joinDomain-232620548
2012-07-23T21:56:56.633Z [4EC15B90 info 'SysCommandPosix' opID=D1173982-000000AC] ForkExec(/bin/sh)  679065
2012-07-23T21:56:56.710Z [4EC15B90 info 'SysCommandPosix' opID=D1173982-000000AC] ForkExec(/bin/sh)  679079
2012-07-23T21:56:56.810Z [4EC15B90 info 'SysCommandPosix' opID=D1173982-000000AC] ForkExec(/bin/sh)  679100
DJRunJoinProcess: 0x80047: 0x5 - Unknown error
Stack Trace:
        /build/mts/release/bora-578217/likewise/esxi-esxi/src/linux/domainjoin/libdomainjoin/src/djauthinfo.c:872
        /build/mts/release/bora-578217/likewise/esxi-esxi/src/linux/domainjoin/libdomainjoin/src/djauthinfo.c:1218
2012-07-23T21:56:56.975Z [4EC15B90 error 'ActiveDirectoryAuthentication' opID=D1173982-000000AC] vmwauth AccessDeniedException: Exception 0x00000005: Access is denied.
2012-07-23T21:56:56.976Z [4EC15B90 info 'ha-eventmgr' opID=D1173982-000000AC] Event 240 : Join domain failed.
2012-07-23T21:56:56.976Z [4EC15B90 info 'TaskManager' opID=D1173982-000000AC] Task Completed : haTask-ha-host-vim.host.ActiveDirectoryAuthentication.joinDomain-232620548 Status error

Can anyone help me with this problem?

Thanks!

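When a join fails like this, the useful work is correlating every hostd.log line that belongs to the same operation (the opID) and pulling out the task outcome and the Win32 error code from the exception line, rather than reading the log by eye. The following Python is an added example written for this thread, not code from VMware or from any poster; it assumes only the line layout visible in the excerpt above (timestamp, bracketed thread/level/component/opID, message) and attaches the untagged likewise stack-trace lines to the opID that preceded them. The sample log is the excerpt quoted in the post, embedded as constructed input; the mapping of code 0x5 to ERROR_ACCESS_DENIED is the standard Windows system error code.

```python
import re
from collections import defaultdict

# Constructed sample: the hostd.log excerpt quoted in the post above.
SAMPLE_LOG = """2012-07-23T21:56:56.589Z [4EC15B90 info 'TaskManager' opID=D1173982-000000AC] Task Created : haTask-ha-host-vim.host.ActiveDirectoryAuthentication.joinDomain-232620548
2012-07-23T21:56:56.633Z [4EC15B90 info 'SysCommandPosix' opID=D1173982-000000AC] ForkExec(/bin/sh)  679065
2012-07-23T21:56:56.710Z [4EC15B90 info 'SysCommandPosix' opID=D1173982-000000AC] ForkExec(/bin/sh)  679079
DJRunJoinProcess: 0x80047: 0x5 - Unknown error
Stack Trace:
        /build/mts/release/bora-578217/likewise/esxi-esxi/src/linux/domainjoin/libdomainjoin/src/djauthinfo.c:872
2012-07-23T21:56:56.975Z [4EC15B90 error 'ActiveDirectoryAuthentication' opID=D1173982-000000AC] vmwauth AccessDeniedException: Exception 0x00000005: Access is denied.
2012-07-23T21:56:56.976Z [4EC15B90 info 'ha-eventmgr' opID=D1173982-000000AC] Event 240 : Join domain failed.
2012-07-23T21:56:56.976Z [4EC15B90 info 'TaskManager' opID=D1173982-000000AC] Task Completed : haTask-ha-host-vim.host.ActiveDirectoryAuthentication.joinDomain-232620548 Status error
"""

# Tagged hostd line: "<ts>Z [<thread> <level> '<component>' opID=<opid>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+Z) \[(?P<thread>[0-9A-F]+) (?P<level>\w+) '(?P<component>[^']+)'"
    r" opID=(?P<opid>[^\]]+)\] (?P<msg>.*)$"
)
# "Exception 0x00000005: Access is denied." -> code 0x00000005, text "Access is denied"
EXC_RE = re.compile(r"Exception 0x(?P<code>[0-9A-Fa-f]{8}): (?P<text>.+?)\.?$")

# Windows system error codes we want to name; anything else is reported as unknown.
WIN32_ERRORS = {0x5: "ERROR_ACCESS_DENIED"}


def parse_hostd(text):
    """Group hostd.log lines by opID.

    Lines without the hostd prefix (the likewise stack trace) carry no opID,
    so they are attached to the most recently seen opID as 'untagged' entries.
    """
    ops = defaultdict(list)
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            current = m.group("opid")
            ops[current].append(m.groupdict())
        elif current is not None and raw.strip():
            ops[current].append({"ts": None, "thread": None, "level": None,
                                 "component": "untagged", "opid": current,
                                 "msg": raw.strip()})
    return ops


def summarize_join(ops):
    """Return one summary per opID that created a joinDomain task.

    Each summary records when the task started, the final task status, and the
    Win32 error code (with its name, if known) from any error-level exception.
    """
    results = []
    for opid, entries in ops.items():
        created = next((e for e in entries
                        if "Task Created" in e["msg"] and "joinDomain" in e["msg"]), None)
        if created is None:
            continue
        summary = {"opid": opid, "started": created["ts"], "status": "unknown",
                   "error_code": None, "error_name": None, "error_text": None}
        for e in entries:
            if "Task Completed" in e["msg"]:
                summary["status"] = e["msg"].rsplit("Status ", 1)[-1].strip()
            if e["level"] == "error":
                x = EXC_RE.search(e["msg"])
                if x:
                    code = int(x.group("code"), 16)
                    summary["error_code"] = code
                    summary["error_name"] = WIN32_ERRORS.get(code, "unknown")
                    summary["error_text"] = x.group("text")
        results.append(summary)
    return results


if __name__ == "__main__":
    for s in summarize_join(parse_hostd(SAMPLE_LOG)):
        print(s)
```

Run against the excerpt, it reports a single joinDomain task under opID D1173982-000000AC that completed with status "error" and raised Win32 code 5 (ERROR_ACCESS_DENIED), which is the same fact the "User account has no right to add hosts to the domain" dialog paraphrases; pointing the parser at a full hostd.log from several hosts lets you see at a glance whether every attempt dies with the same code or whether some hosts fail differently.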
5 Replies
chriswahl
Virtuoso

Have you tried it with a Domain Administrator account, or one with the appropriate level of authority to create objects in AD?

VCDX #104 (DCV, NV) ஃ WahlNetwork.com ஃ @ChrisWahl ஃ Author, Networking for VMware Administrators
leadacid
Contributor

Yep, I've tried that.  Actually tried two different accounts.  These accounts are used to create new users and computers all the time in the domain, so I don't think that is directly the problem.

I do think it's a permissions thing though.  I don't know where it would be.  It's not that the VMware system is saying it couldn't find the server or anything, just that access was denied.

Weird...

chriswahl
Virtuoso

Is your host able to resolve the domain name - proper DNS servers are configured, you can do a ping from the host's console to corp.domain.com and it resolves OK? NTP configured and time is within 5 minutes of the domain controller?

leadacid
Contributor

Chris-

Thanks for your response!  On a lark I tried rebooting the host as well.  Hasn't seemed to help.  Just to be sure, this can be done on ESXi with the free license, right?

From my workstation I can ping the host "esx5.corp.<companyname>.com" to 192.168.10.223.

From my workstation I can nslookup the IP 192.168.10.223 to "esx5.corp.<companyname>.com".

On the host I can ping <primary AD server>.corp.<companyname>.com.  I can also do an nslookup of the same.

So I believe that DNS is properly configured.

As for NTP, I have that configured to talk to our primary AD server, and the time is certainly within a few seconds.  The host is displaying time in UTC though, rather than CDT.  That couldn't be part of it, right?

When I went into the Config->Security Profile->Services to enable SSH, I see that "Network Login Server" is disabled.  Should that be started?

I'm going to Configuration-> Authentication Services->Properties-> change to Active Directory-> enter "corp.<companyname>.com" (our NT Domain) -> click Join Domain -> enter my domain admin account credentials.

At that point I get the error.  I've attached a screenshot of the error.  Should it be saying the hostname under the target name?  Seems redundant to say it under Target and under ESXi...

I've checked the domain controller event logs (security) for that time period and I don't see anything immediately jumping out at me.

I wonder what this could be?  Talk about frustrating!

danielcfox
Contributor

I've been looking at exactly the same error message for two days now, with a curious exception: mine lists the 'Target' as the FQDN, and the 'ESXi' as the IP address...but of the same machine. Would love to see a solution posted to this one.
