Hi,
I tried to join a domain with my ESX hosts in our production environment. It won't work and I don't know why.
Here is the case; probably someone has got an answer that will work for me.
Production:
ESX6 Version 4600944
Windows Active Directory 2012
AD Account: User -> See all Computer Objects, Can create computer objects, Can delete computer objects
Output:
[root@esx4:~] /usr/lib/vmware/likewise/bin/domainjoin-cli join DOMAIN.COM administrator@DOMAIN.COM
Joining to AD Domain: DOMAIN.COM
With Computer DNS Name: esx4.DOMAIN.COM
administrator@DOMAIN.COM's password:
Error: LW_ERROR_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN [code 0x0000a309]
Client not found in Kerberos database
LDAP Paths:
DC=DOMAIN DC=COM OU=Server OU= Test OU=Infrastruktur
LAB:
ESX6 Version 4600944
Windows Active Directory 2012
AD Account: Administrator
AD Account: User -> All rights
Output:
[root@esx4:~] /usr/lib/vmware/likewise/bin/domainjoin-cli join DOMAIN.COM administrator@DOMAIN.COM
Joining to AD Domain: DOMAIN.COM
With Computer DNS Name: esx4.DOMAIN.COM
administrator@DOMAIN.COM's password:
SUCCESS
LDAP Paths:
1st way:
DC=DOMAIN DC=COM OU=Computers
2nd Way:
DC=DOMAIN DC=COM OU=Server OU= Test OU=Infrastruktur
Ways I tried:
Update:
Maybe some rights are missing. Do you know which rights I need for joining the domain?
This happens when the account was deleted from AD.
Error: LW_ERROR_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN [code 0x0000a309]
client not found in Kerberos database
Try this LINK:
vGeek: Manage vCenter server appliance AD authetication from commandline
Raul.
VMware VDI Administrator
Hi Raul,
The account and the computer object are in AD.
I deleted nothing.
Do you know how "/usr/lib/vmware/likewise/bin/domainjoin-cli" works?
Because our Active Directory is hardened.
You say that the Active Directory is hardened.
Are you able to replicate the hardening in the lab?
By hardening I take it to mean certain Group Policy settings are set.
It could be any of the Group Policy settings, and sometimes people responsible for the security realm just go with some recommendation without understanding the actual implications. It could be any of those hardened settings. Many years ago I saw that GPO hardening settings that tend to be network related and/or encryption related tend to break things between servers and clients (clients including other running server OSs). One of the most notorious ones is "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing."
In case you need some help in justifying undoing this GPO setting: Why We're Not Recommending "FIPS Mode" Anymore – Microsoft Security Guidance
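The two open questions in this thread are which rights the join account actually holds on the target OU (the original post) and whether AD hardening such as the FIPS GPO is in play (the post above). The PowerShell below is an added diagnostic, not code from any poster, from VMware or from Microsoft. It is meant to be run from a domain-joined administrative host with RSAT (the ActiveDirectory module) before retrying domainjoin-cli; it checks the computer object, lists the ACEs on the OU that apply to the join account and its direct groups, and reads the FIPS policy value. The account name, OU path and host name are placeholders taken from the paths in this thread and must be replaced; the computer-class GUID and registry path are the documented Windows values.

```powershell
# Added diagnostic for this thread (not code from any poster or from VMware).
# Run from a domain-joined admin host with RSAT (ActiveDirectory module) using
# an account that can read the directory. The three values below are placeholders.
Import-Module ActiveDirectory

$JoinAccount = 'joinuser'                                       # sAMAccountName passed to domainjoin-cli
$TargetOU    = 'OU=Infrastruktur,OU=Test,OU=Server,DC=DOMAIN,DC=COM'
$HostName    = 'esx4'                                           # computer object will be esx4$

$ComputerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the computer class
$domain = Get-ADDomain

# 1. Computer object: does it exist, where, and does it have Kerberos material?
#    A pre-existing esx4$ in another OU (e.g. CN=Computers) that the join account
#    cannot reset is one way the KDC ends up not knowing the client principal.
$sam = $HostName + '$'
$computer = Get-ADComputer -Filter { sAMAccountName -eq $sam } `
    -Properties servicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes'
if (-not $computer) {
    Write-Warning "No computer object '$sam' exists; the join never got as far as creating it."
} else {
    "Object      : $($computer.DistinguishedName)"
    "Enabled     : $($computer.Enabled)"
    "Pwd set     : $($computer.PasswordLastSet)"
    "Enc types   : $($computer.'msDS-SupportedEncryptionTypes')"   # empty = DC default
    "SPNs        : $($computer.servicePrincipalName -join ', ')"
    if ($computer.DistinguishedName -notlike "*,$TargetOU") {
        Write-Warning "Object is not under $TargetOU; a stale object elsewhere blocks a join into the target OU."
    }
}

# 2. Delegated rights: every ACE on the target OU that names the join account or
#    one of its direct groups. CreateChild/DeleteChild scoped to the computer
#    class GUID is what "create/delete computer objects" looks like on the wire.
$user = Get-ADUser -Identity $JoinAccount
$principals = @("$($domain.NetBIOSName)\$($user.SamAccountName)")
$principals += Get-ADPrincipalGroupMembership -Identity $user |
    ForEach-Object { "$($domain.NetBIOSName)\$($_.SamAccountName)" }

$acl = Get-Acl -Path "AD:\$TargetOU"
$relevant = $acl.Access | Where-Object { $_.IdentityReference.Value -in $principals }
if (-not $relevant) {
    Write-Warning "No ACE on $TargetOU names $JoinAccount or its direct groups."
}
$relevant | ForEach-Object {
    $scope = if ($_.ObjectType -eq $ComputerClassGuid) { 'computer objects' }
             elseif ($_.ObjectType -eq [guid]::Empty)  { 'all object types' }
             else { "objectType $($_.ObjectType)" }
    "{0,-30} {1,-6} {2,-40} on {3}" -f $_.IdentityReference, $_.AccessControlType, $_.ActiveDirectoryRights, $scope
}

# 3. The hardening setting quoted in this thread. Read this on a DC (or wrap it in
#    Invoke-Command -ComputerName <dc>); Enabled = 1 means the FIPS GPO is in effect.
$fips = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' -ErrorAction SilentlyContinue
"FIPS mode   : $(if ($fips -and $fips.Enabled -eq 1) { 'ENABLED' } else { 'off' })"
```

Section 2 only resolves direct group membership; if the delegation is granted to a nested group, extend the principal list with Get-ADGroup -Filter and the recursive memberOf attribute, or run Get-ADPrincipalGroupMembership against each group in turn. The output is a read-only picture of what the account can do on that OU; comparing it between the lab (where the join succeeds) and production is the quickest way to see which ACE is missing.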
NoTr3x, maybe this can help!
What's the benefit of having your ESXi in AD? Personally I don't see any.
Raul.
VMware VDI Administrator
If AD is down and the Host is connected to AD what is the impact?
No impact! Everything will keep working normally with vSphere; just users with AD accounts won't be able to access vCenter. But usually there is always a primary DC with 2, 3, 4, 5, 6, 10 or more secondary/replica AD DCs, and the same goes for vCenter with many replicas/instances. Remember, vSphere has its own domain "vsphere.local". So primarily, it's all about how you configure your network infrastructure.
Raul.
VMware VDI Administrator
Personally I don't see the benefit of adding them to AD. It's just another configuration you need to be mindful of if they are joined to AD. Keep it simple. Each to their own.
Sure!
But nobody knows which requirements are needed for joining the Active Directory, right?
Hi
Adding your vSphere hosts to Active Directory can simplify user management and help improve security. It's relatively easy to add local users to a host and to assign them administrative privileges, but if you have a lot of administrators, the steps to configure each account will need to be repeated multiple times on each host.
You can simplify the local user configuration by using AD groups. With groups, rather than repeating the setup for multiple user accounts you only need to configure the group account once on each host. Once privileges have been assigned to the group you control who has access to the host by adding and removing users to/from the AD group.
How many people need access directly to the ESXi host? Also, what work are you doing that needs access to the host that you can't do via the vSphere client?
NoTr3x did you ever find the cause of your issue? We're seeing the same error/issue. In our case, we see that the computer account gets created, but the authentication/kerberos setup portion doesn't seem to complete successfully.
Hey stacycarter, I have opened a ticket, and our BCS team and I will follow up; I can send you a report on what we did.
Thanks NoTr3x, can you provide the case number as well?
Hi NoTr3x - Can you provide the case number?
Hi,
After a long journey with the support team from Cork,
their engineering told me that it will be fixed in Patch 6.