VMware Cloud Community
bakerjw
Contributor

ESXi V6.5 Fresh install unable to join existing domain

I have a fresh install of ESXi V6.5.

This ESXi server is on a network segment where we maintain a Windows Domain. We do not have to go across any firewalls.

I already have an ESXi server on this network segment and it is in the domain. I had to fight it a bit back when I added it too.

We do not control the DHCP on the network segment but we do maintain our own DNS servers.

Other Windows servers and computers work very well in the environment.


When the ESXi box first comes up, it gets an IP address, subnet mask, DNS servers and a domain suffix from the DHCP server.

I assign the ESXi server the name that I want it to have when it goes into the domain.

I convert the network configuration to static using the assigned IP address and then change the DNS entries to our DNS servers.

I also set the DNS suffix to use the suffix of our domain e.g. bob.business.com

For some reason, it keeps our corp.business.com suffix that gets sent down.

Using tools on the console, I am able to ping our DNS servers by FQDN, e.g. dc1.bob.business.com.

Using the web interface, I have tried to add this ESXi server to the domain many times using both username formats. I constructed the domain and am using my domain admin account, so I know that I have rights out there in the domain.

i.e. DomainName\UserName and UserName@bob.business.com

I then get a very nondescript error message: "Failed - Errors in Active Directory operations."

This is darned frustrating. Any ideas?

5 Replies
NickPNAP
Contributor

My first thought is NTP. Make sure the host and the AD DC are syncing to the same time source. It's not a permissions issue with your account; any standard AD user can domain-join computers.

You may also want to enable logging for the Likewise agent on the host. Likewise is the agent that facilitates domain functions (joining the domain, user login, etc.) in ESXi. Here's a KB on how to do that: VMware Knowledge Base

Good luck,

Nick

AndreTheGiant
Immortal

Do you have set also reverse resolution for all ESXi hosts?

Andrew | http://about.me/amauro | http://vinfrastructure.it/ | @Andrea_Mauro
mgulinski
Contributor

Wait for Update 2. We had an issue and beta code fixed it, which should come in the next patch cycle, assuming you have disabled SMBv1.

MikeStoica
Expert

Can you ping the ESXi host by the IP?

What are the steps you are following when trying to add it to the domain?

bakerjw
Contributor

Started trying to crack this nut once again.

nslookup bob.business.com

shows me my domain and associated domain controllers.

Both of my DCs are resolving and able to be pinged.

DNS resolution for other members of the domain works as expected and they are able to be pinged.

The time in the VMware ESXi web browser management page appears to be correct. It is current domain time.

I have tried joining with domainname\Adminaccount and Adminaccount@domainname.com

The Likewise log is providing this error:

20171121135640:VERBOSE:lsass: Permission granted for (uid = 0, gid = 0, pid = 68496) to open LsaIpcServer

20171121135640:VERBOSE:lsass-ipc: (session:13dfb5b1bb482302-5831135e719b83f0) Accepted association 0x837ef20

20171121135640:ERROR:lsass: Failed to run provider specific request (request code = 12, provider = 'lsa-activedirectory-provider') -> error = 2692, symbol = NERR_SetupNotJoined, client pid = 68496

I'm currently executing my Update Manager against this box to ensure that it is at the latest level of updates.

Thanks for all of the feedback

I've also been running down some of these items

ESXi and Likewise – troubleshooting guide – part 2 – Virtual Village

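The checks the replies above ask for (the host name sitting under the right DNS suffix rather than the DHCP-supplied one, forward and reverse resolution of the host and of every DC, and clock skew inside the Kerberos tolerance) can be scripted so they are run the same way before every join. The script below is an added example and is not code from the thread or from VMware; it runs on any machine with Python 3 that uses the same DNS servers as the ESXi host (the real lookups go through the system resolver, and there is no SRV check because the standard library cannot issue SRV queries). The host name `esx02.bob.business.com`, the 192.0.2.x addresses and the sample search list are constructed to mirror the poster's situation, including the leftover `corp.business.com` suffix and a missing PTR record; the 300-second limit is the Active Directory default for Kerberos clock skew.

```python
"""Pre-join DNS and clock checks for an ESXi host (added example, not from the thread)."""
import socket

# Active Directory's default Kerberos clock-skew tolerance is 5 minutes.
MAX_SKEW_SECONDS = 300


def _forward(name):
    """Live forward lookup: every IPv4 address for name, or [] if it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def _reverse(ip):
    """Live reverse lookup: the PTR name for ip, or None if there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None


def _norm(name):
    return name.lower().rstrip(".")


def check_prejoin(host_fqdn, host_ip, domain, search_list, dcs,
                  forward=_forward, reverse=_reverse):
    """Return a list of (passed, message) for the DNS facts a domain join depends on.

    forward/reverse are injectable so the logic can be exercised offline.
    """
    domain, host_fqdn = _norm(domain), _norm(host_fqdn)
    results = []

    # 1. The host name must be a FQDN in the target domain, not a short name or a
    #    name under the suffix that DHCP pushed down.
    results.append(("." in host_fqdn and host_fqdn.endswith("." + domain),
                    f"host name {host_fqdn} is a FQDN under {domain}"))

    # 2. The suffix the host will use for unqualified names must include the target domain.
    suffixes = [_norm(s) for s in search_list]
    results.append((domain in suffixes,
                    f"{domain} is in the DNS search list {suffixes}"))

    # 3. Forward lookup of the host must return the address it joins from.
    results.append((host_ip in forward(host_fqdn),
                    f"{host_fqdn} resolves to {host_ip}"))

    # 4. Reverse lookup of that address must come back to the same name.
    ptr = reverse(host_ip)
    results.append((ptr is not None and _norm(ptr) == host_fqdn,
                    f"PTR for {host_ip} is {ptr!r}, expected {host_fqdn}"))

    # 5. Every DC must resolve, and each DC address must reverse to the DC name.
    for dc in (_norm(d) for d in dcs):
        addrs = forward(dc)
        results.append((bool(addrs), f"DC {dc} resolves to {addrs}"))
        for addr in addrs:
            dc_ptr = reverse(addr)
            results.append((dc_ptr is not None and _norm(dc_ptr) == dc,
                            f"PTR for DC address {addr} is {dc_ptr!r}, expected {dc}"))
    return results


def clock_skew_ok(host_epoch, dc_epoch, max_skew=MAX_SKEW_SECONDS):
    """True when the host clock is within Kerberos tolerance of the DC clock."""
    return abs(host_epoch - dc_epoch) <= max_skew


def all_passed(results):
    return all(ok for ok, _ in results)


# Constructed sample DNS data (hypothetical names and documentation-range addresses).
SAMPLE_FORWARD = {
    "esx02.bob.business.com": ["192.0.2.20"],
    "dc1.bob.business.com": ["192.0.2.10"],
    "dc2.bob.business.com": ["192.0.2.11"],
}
# No PTR for 192.0.2.20: the host's reverse record was never created.
SAMPLE_PTR = {"192.0.2.10": "dc1.bob.business.com", "192.0.2.11": "dc2.bob.business.com"}


def sample_results(fixed=False):
    """Run the checks against the constructed data; fixed=True applies the two fixes."""
    ptr = dict(SAMPLE_PTR)
    search = ["corp.business.com"]          # suffix left over from DHCP, as in the thread
    if fixed:
        ptr["192.0.2.20"] = "esx02.bob.business.com"
        search = ["bob.business.com"]
    return check_prejoin("esx02.bob.business.com", "192.0.2.20", "bob.business.com",
                         search, ["dc1.bob.business.com", "dc2.bob.business.com"],
                         forward=lambda n: SAMPLE_FORWARD.get(_norm(n), []),
                         reverse=lambda ip: ptr.get(ip))


if __name__ == "__main__":
    for ok, msg in sample_results():
        print("PASS" if ok else "FAIL", msg)
```

For a live run, call `check_prejoin` with the host name, its static address, the domain, the output of `esxcli network ip dns search list` on the host and the DC names, leaving the default resolvers in place; feed `clock_skew_ok` the epoch time from the host and from a DC. A FAIL on the search-list or PTR line is exactly the kind of condition that surfaces as the generic "Errors in Active Directory operations" message rather than as a clear DNS error.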