sofakng
Contributor

ESXi 6.0 - Can't join active directory (ERROR_INVALID_PARAMETER?)

I'm using ESXi 6.0 and I'm trying to connect to a Windows Server 2012 R2 Active Directory server.

When I'm trying to join the domain using the vSphere Client, the error message is: Errors in Active Directory operations.

I've enabled the Likewise logs (using a knowledgebase article) and here is what they show:

20150812124326:VERBOSE:lsass: Permission granted for (uid = 0, gid = 0, pid = 869737) to open LsaIpcServer

20150812124326:VERBOSE:lsass-ipc: (session:60b127d4613799e1-3c9943b0bcec2f2b) Accepted association 0x50101808

20150812124326:ERROR:lsass: Failed to run provider specific request (request code = 12, provider = 'lsa-activedirectory-provider') -> error = 2692, symbol = NERR_SetupNotJoined, client pid = 869737

20150812124326:VERBOSE:lsass-ipc: (assoc:0x50101808) Dropping: Connection closed by peer

20150812124326:VERBOSE:lsass: Permission granted for (uid = 0, gid = 0, pid = 869740) to open LsaIpcServer

20150812124326:VERBOSE:lsass-ipc: (session:bb3a890fae016a35-83383dea7cf6647f) Accepted association 0x50101808

20150812124326:ERROR:lsass: Failed to run provider specific request (request code = 12, provider = 'lsa-activedirectory-provider') -> error = 2692, symbol = NERR_SetupNotJoined, client pid = 869740

20150812124326:VERBOSE:lsass-ipc: (assoc:0x50101808) Dropping: Connection closed by peer

20150812124326:VERBOSE:lsass: Permission granted for (uid = 0, gid = 0, pid = 34569) to open LsaIpcServer

20150812124326:VERBOSE:lsass-ipc: (session:e816176c70a6971e-1f6ec440991e966c) Accepted association 0x50101808

20150812124326:VERBOSE:lsass-ipc: (assoc:0x50101808) Dropping: Connection closed by peer

20150812124326:VERBOSE:lwreg: Registry::sqldb.c RegDbOpenKey() finished

20150812124326:VERBOSE:lwreg: Registry::sqldb.c RegDbUpdateRegValues_inlock() finished

20150812124326:VERBOSE:lwreg: Registry::sqldb.c RegDbSetKeyValue() finished

20150812124326:VERBOSE:lsass: Permission granted for (uid = 0, gid = 0, pid = 34569) to open LsaIpcServer

20150812124326:VERBOSE:lsass-ipc: (session:644ad0b359c08392-9fc0c84aba95f82b) Accepted association 0x50101808

20150812124326:VERBOSE:lsass-ipc: (assoc:0x50101808) Dropping: Connection closed by peer

20150812124326:VERBOSE:lwreg: Registry::sqldb.c RegDbOpenKey() finished

20150812124326:VERBOSE:lwreg: Registry::sqldb.c RegDbUpdateRegValues_inlock() finished

20150812124326:VERBOSE:lwreg: Registry::sqldb.c RegDbSetKeyValue() finished

20150812124326:VERBOSE:lwreg: Registry::sqldb.c RegDbOpenKey() finished

20150812124326:VERBOSE:lwreg: Registry::sqldb.c RegDbUpdateRegValues_inlock() finished

20150812124326:VERBOSE:lwreg: Registry::sqldb.c RegDbSetKeyValue() finished

20150812124326:VERBOSE:lsass: Permission granted for (uid = 0, gid = 0, pid = 34569) to open LsaIpcServer

20150812124326:VERBOSE:lsass-ipc: (session:612362b005f0c432-f795e5852d5aad3b) Accepted association 0x50101808

20150812124326:INFO:netlogon: Looking for a DC in domain 'AD.EXAMPLE.COM', site '<null>' with flags 10

20150812124326:VERBOSE:lsass: Affinitized to DC 'DC01.ad.example.com' for join request to domain 'AD.EXAMPLE.COM'

20150812124326:INFO:netlogon: Determining the current time for domain 'AD.EXAMPLE.COM'

20150812124326:INFO:netlogon: Looking for a DC in domain 'AD.EXAMPLE.COM', site '<null>' with flags 10

20150812124326:INFO:netlogon: Looking for a DC in domain 'AD.EXAMPLE.COM', site '<null>' with flags 1001

20150812124326:INFO:netlogon: Filtering list of 1 servers with list of 0 black listed servers

20150812124326:VERBOSE:lwio: GSS-API error calling gss_init_sec_context: 1 (The routine must be called again to complete its function)

20150812124326:ERROR:lsass: Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 87, symbol = ERROR_INVALID_PARAMETER, client pid = 34569

20150812124326:VERBOSE:lsass-ipc: (assoc:0x50101808) Dropping: Connection closed by peer

(NOTE: I've redacted my real domain in the logs and changed it to example.com)

My workstations are connecting to Active Directory without any problems, including an OS X machine, so I don't think the problem is my AD server or DNS...

Thanks for any help.

0 Kudos
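One way to pull the provider failures out of a Likewise log like the one in the post above, as an added example that is not part of the original thread: it parses the `timestamp:LEVEL:component: message` layout visible in the excerpt and reports each lsass provider failure with its error code, symbol, client pid and the lines logged just before it. The function names are hypothetical, and the sample input is a few lines copied from the post's excerpt.

```python
import re
from collections import defaultdict

# Sample input: a few lines copied from the log excerpt in the post above.
SAMPLE = """\
20150812124326:ERROR:lsass: Failed to run provider specific request (request code = 12, provider = 'lsa-activedirectory-provider') -> error = 2692, symbol = NERR_SetupNotJoined, client pid = 869737
20150812124326:INFO:netlogon: Looking for a DC in domain 'AD.EXAMPLE.COM', site '<null>' with flags 10
20150812124326:VERBOSE:lsass: Affinitized to DC 'DC01.ad.example.com' for join request to domain 'AD.EXAMPLE.COM'
20150812124326:VERBOSE:lwio: GSS-API error calling gss_init_sec_context: 1 (The routine must be called again to complete its function)
20150812124326:ERROR:lsass: Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 87, symbol = ERROR_INVALID_PARAMETER, client pid = 34569
"""

# Layout seen in the excerpt: 14-digit timestamp, level, component, message.
LINE = re.compile(r"^(\d{14}):([A-Z]+):([\w-]+): (.*)$")
FAIL = re.compile(r"request code = (\d+), provider = '([^']+)'\) -> "
                  r"error = (\d+), symbol = (\w+), client pid = (\d+)")

def parse(text):
    """Yield (timestamp, level, component, message) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groups()

def provider_failures(text, context=3):
    """Return one dict per provider failure, with the lines logged just before it."""
    recent, out = [], []
    for ts, level, comp, msg in parse(text):
        f = FAIL.search(msg) if level == "ERROR" else None
        if f:
            code, provider, err, symbol, pid = f.groups()
            out.append({"time": ts, "request_code": int(code), "provider": provider,
                        "error": int(err), "symbol": symbol, "pid": int(pid),
                        "preceded_by": recent[-context:]})
            recent = []  # start a fresh context window for the next failure
        else:
            recent.append(f"{comp}: {msg}")
    return out

def summarize(failures):
    """Group failures by (error, symbol) and list the client pids that hit each."""
    groups = defaultdict(set)
    for f in failures:
        groups[(f["error"], f["symbol"])].add(f["pid"])
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    for f in provider_failures(SAMPLE):
        print(f["symbol"], f["error"], "pid", f["pid"], "after:", f["preceded_by"][-1:])
```

Run against the full log, the grouping separates the repeated `NERR_SetupNotJoined` entries from the single `ERROR_INVALID_PARAMETER` failure and shows the GSS-API line that immediately precedes it.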
2 Replies
npadmani
Virtuoso

See this KB; it might be applicable to ESXi 6 too.

VMware KB: Adding the ESX/ESXi host to an Active Directory domain fails with the error: Errors in Ac...

Narendra Padmani VCIX6-DCV | VCIX7-CMA | VCI | TOGAF 9 Certified
0 Kudos
tayfundeger
Hot Shot

Can you check the port prerequisites? Are the ports below disabled in the firewall?

  • Port 88 - Kerberos authentication
  • Port 123 - NTP
  • Port 135 - RPC
  • Port 137 - NetBIOS Name Service
  • Port 139 - NetBIOS Session Service (SMB)
  • Port 389 - LDAP
  • Port 445 - Microsoft-DS Active Directory, Windows shares (SMB over TCP)
  • Port 464 - Kerberos - change/password changes
  • Port 3268 - Global Catalog search
--
Blog: https://www.tayfundeger.com
Twitter: https://www.twitter.com/tayfundeger

vBlogger, vExpert, Cisco Champions

Please mark this as "Helpful" if this solution helped with your problem, or as "Correct Answer" if it solves your problem.
0 Kudos