Trying to join an ESXi 5 host to a 2008R2 domain and get the error "Errors in Active Directory Operations". It is connecting to the DC and performing an LDAP query.
I enabled debug logging per http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=1026554
The only logs that appear to be pertinent are from netlogond. Specifically the line in red.
20111204162220:0xffdf9b90:DEBUG:[LWNetSrvGetDCTimeFromDC() /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/server/api/dcinfo.c:557] Error at /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/server/api/dcinfo.c:557 [code: 40286]
20111204162220:0xffdf9b90:INFO:[LWNetSrvGetDCName() /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/server/api/dcinfo.c:97] Looking for a DC in domain 'example.com', site '<null>' with flags 11
20111204162220:0xffdf9b90:DEBUG:[LWNetPreferredDcPluginBuildServerArray() /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/server/api/lwnet-plugin.c:244] Error at /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/server/api/lwnet-plugin.c:244 [code: 2453]
20111204162220:0xffdf9b90:DEBUG:[LWNetGetPreferredDcList() /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/server/api/lwnet-plugin.c:201] Error at /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/server/api/lwnet-plugin.c:201 [code: 2453]
20111204162220:0xffdf9b90:DEBUG:[LWNetSrvGetDCNameDiscoverInternal() /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/server/api/lwnet.c:751] Error at /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/server/api/lwnet.c:751 [code: 2453]
20111204162220:0xffdf9b90:INFO:[LWNetFilterFromBlackList() /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/server/api/lwnet.c:588] Filtering list of 1 servers with list of 0 black listed servers
20111204162220:0xffdf9b90:ERROR:[LWNetSrvGetDCTimeFromDC() /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/server/api/dcinfo.c:555] Failed ldap search on DC1.example.com error=40286
20111204162220:0xffdf9b90:DEBUG:[LWNetSrvGetDCTimeFromDC() /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/server/api/dcinfo.c:557] Error at /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/server/api/dcinfo.c:557 [code: 40286]
20111204162220:0xffdf9b90:DEBUG:[LWNetSrvGetDCTime() /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/server/api/dcinfo.c:470] Error at /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/server/api/dcinfo.c:470 [code: 40286]
20111204162222:0xffe0ab90:DEBUG:[LWNetSrvGetCurrentDomain() /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/server/api/lwnet-pstore.c:83] Error at /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/server/api/lwnet-pstore.c:83 [code: 136]
20111204162228:0xffe1bb90:DEBUG:[LWNetSrvGetCurrentDomain() /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/server/api/lwnet-pstore.c:83] Error at /build/mts/release/bora-396388/likewise/esxi-esxi/src/linux/netlogon/server/api/lwnet-pstore.c:83 [code: 136]
Per the error, an LDAP search is failing, which makes me think the issue is on my domain, but I am not sure what the query is or what the expected answer is to further troubleshoot.
Any suggestions?
EDIT: Running network monitor on the DC, I captured the LDAP query looking like this:
Filter: (&(DnsDomain=example.com)(NtVer=06:00:00:00))
The response returns:
SearchResultDone: Status: Success, MatchedDN: NULL, ErrorMessage: NULL
Which means there was no match.
Running the query directly on the DC with ldp I get this:
***Searching...
ldap_search_s(ld, "(&(DnsDomain=example.com)(NtVer=06:00:00:00))", 0, "(objectClass=*)", attrList, 0, &msg)
Error: Search: Invalid DN Syntax. <34>
Server error: 0000208F: NameErr: DSID-031001F7, problem 2006 (BAD_NAME), data 8349, best match of:
'(&(DnsDomain=example.com)(NtVer=06:00:00:00))'
Error 0x208F The object name has bad syntax.
Result <34>: 0000208F: NameErr: DSID-031001F7, problem 2006 (BAD_NAME), data 8349, best match of:
'(&(DnsDomain=example.com)(NtVer=06:00:00:00))
Trying again with just (DnsDomain=example.com) I get:
***Searching...
ldap_search_s(ld, "(DnsDomain=example.com)", 0, "(objectClass=*)", attrList, 0, &msg)
Error: Search: Operations Error. <1>
Server error: 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0
Error 0x20D6 No superior reference has been configured for the directory service. The directory service is therefore unable to issue referrals to objects outside this forest.
Result <1>: 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0
Getting 0 entries:
Curious if this was caused by something wrong with my domain, I spun up a new DC with a new forest and got the same results.
I am at a bit of a loss here now. Either I have mis-read the packet captures or there is an issue with ESXi that I am missing.
JBane - added details after the edit line.
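The query in the capture, decoded as an added example (this is not code from the thread, from VMware or from the Likewise agent): the netlogond search is the standard Netlogon "LDAP ping". It is a base-scope search against the rootDSE (empty base DN) with the captured expression as the search filter and the single attribute netlogon requested; NtVer is a 32-bit little-endian value sent as escaped bytes, so 06:00:00:00 is NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX. Note that ldap_search_s(ld, base, scope, filter, ...) takes the base DN as its second argument, which is why feeding the filter there yields Invalid DN Syntax. A DC that serves the domain answers with one rootDSE entry whose netlogon value is a NETLOGON_SAM_LOGON_RESPONSE_EX blob (MS-ADTS 6.3.1.9); a SearchResultDone with no entry means the DC did not consider itself a match for that DnsDomain. The script builds the filter, decodes and sanity-checks such a blob on a constructed sample answer (the GUID, host and site names are made up), and, assuming the third-party ldap3 package, can send the ping to a live DC; that last part is not exercised offline.

```python
import struct
import uuid

NETLOGON_NT_VERSION_5, NETLOGON_NT_VERSION_5EX = 0x2, 0x4   # 0x06 = V5|V5EX, as in the capture
LOGON_SAM_LOGON_RESPONSE_EX = 0x17                          # opcode of the EX-format answer
DS_FLAGS = {0x1: "PDC", 0x4: "GC", 0x8: "LDAP", 0x10: "DS", 0x20: "KDC", 0x40: "TIMESERV",
            0x80: "CLOSEST", 0x100: "WRITABLE", 0x200: "GOOD_TIMESERV", 0x400: "NDNC",
            0x20000000: "DNS_CONTROLLER", 0x40000000: "DNS_DOMAIN", 0x80000000: "DNS_FOREST"}
NAME_FIELDS = ("DnsForestName", "DnsDomainName", "DnsHostName", "NetbiosDomainName",
               "NetbiosComputerName", "UserName", "DcSiteName", "ClientSiteName")

def ldap_ping_filter(dns_domain, ntver=NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX):
    """RFC 4515 filter for the ping; NtVer is a little-endian uint32 sent as escaped bytes."""
    escaped = "".join("\\%02x" % b for b in struct.pack("<I", ntver))
    return "(&(DnsDomain=%s)(NtVer=%s))" % (dns_domain, escaped)

def _read_name(blob, pos):
    """Read one DNS-style compressed name (length-prefixed labels, 0xC0xx back-pointers)."""
    labels, end, hops = [], None, 0
    while True:
        length = blob[pos]
        if length & 0xC0 == 0xC0:                        # pointer to a suffix written earlier
            end = pos + 2 if end is None else end
            pos, hops = ((length & 0x3F) << 8) | blob[pos + 1], hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if length == 0:
            break
        labels.append(blob[pos:pos + length].decode("utf-8"))
        pos += length
    return ".".join(labels), (pos if end is None else end)

def parse_netlogon_response_ex(blob):
    """Decode a NETLOGON_SAM_LOGON_RESPONSE_EX blob (MS-ADTS 6.3.1.9) into a dict."""
    opcode, _sbz, flags = struct.unpack_from("<HHI", blob, 0)
    if opcode != LOGON_SAM_LOGON_RESPONSE_EX:
        raise ValueError("unexpected opcode 0x%x" % opcode)
    out = {"Flags": flags, "flags": sorted(n for bit, n in DS_FLAGS.items() if flags & bit),
           "DomainGuid": str(uuid.UUID(bytes_le=blob[8:24]))}
    pos = 24
    for field in NAME_FIELDS:
        out[field], pos = _read_name(blob, pos)
    out["NtVersion"], out["LmNtToken"], out["LmToken"] = struct.unpack_from("<IHH", blob, pos)
    return out

def check_dc_answer(blob, dns_domain):
    """Reasons this answer would not satisfy a join for dns_domain ([] means it looks fine)."""
    r = parse_netlogon_response_ex(blob)
    problems = []
    if r["DnsDomainName"].lower() != dns_domain.lower():
        problems.append("DC serves %s, not %s" % (r["DnsDomainName"], dns_domain))
    problems += ["DC does not advertise %s" % f for f in ("LDAP", "DS", "KDC", "WRITABLE")
                 if f not in r["flags"]]
    return problems

def _write_name(name, out, table):
    """Emit a compressed name, pointing back at any suffix already written."""
    labels = name.split(".") if name else []
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in table:
            out += struct.pack(">H", 0xC000 | table[suffix])
            return
        table[suffix] = len(out)
        out.append(len(label))
        out += label.encode("utf-8")
    out.append(0)

def build_netlogon_response_ex(flags, domain_guid, names, ntver):
    """Encode a response blob; used here only to construct a sample DC answer offline."""
    out = bytearray(struct.pack("<HHI", LOGON_SAM_LOGON_RESPONSE_EX, 0, flags)) + domain_guid.bytes_le
    table = {}
    for field in NAME_FIELDS:
        _write_name(names.get(field, ""), out, table)
    return bytes(out + struct.pack("<IHH", ntver, 0xFFFF, 0xFFFF))

# Constructed sample of what a healthy DC for example.com answers (not a real capture).
SAMPLE_RESPONSE = build_netlogon_response_ex(
    0xE00003FD,   # PDC|GC|LDAP|DS|KDC|TIMESERV|CLOSEST|WRITABLE|GOOD_TIMESERV|DNS_CONTROLLER|DNS_DOMAIN|DNS_FOREST
    uuid.UUID("0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"),
    {"DnsForestName": "example.com", "DnsDomainName": "example.com",
     "DnsHostName": "dc1.example.com", "NetbiosDomainName": "EXAMPLE", "NetbiosComputerName": "DC1",
     "DcSiteName": "Default-First-Site-Name", "ClientSiteName": "Default-First-Site-Name"},
    NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX)

def ldap_ping(dc_host, dns_domain):
    """Send the ping to a live DC; assumes the third-party ldap3 package (not run offline)."""
    from ldap3 import Server, Connection, BASE
    conn = Connection(Server(dc_host), auto_bind=True)          # anonymous bind suffices for rootDSE
    conn.search("", ldap_ping_filter(dns_domain), search_scope=BASE, attributes=["netlogon"])
    entries = [e for e in conn.response if e.get("type") == "searchResEntry"]
    if not entries:                                             # SearchResultDone with no entry: no match
        return None
    return parse_netlogon_response_ex(entries[0]["raw_attributes"]["netlogon"][0])
```

Run parse_netlogon_response_ex(SAMPLE_RESPONSE) to see the shape of a good answer; against a real DC, ldap_ping("DC1.example.com", "example.com") returning None reproduces the "no match" seen in the capture, and a non-empty check_dc_answer() result names what is missing.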
I have 2008 R2 domain and ESXi5 joining domain successfully.
1. Double check that DNS resolves the ESXi host and AD server FQDNs perfectly (from the ESXi 5 host to the AD server and from the AD server to the ESXi 5 host, use nslookup).
2. Ensure that the following ports (both UDP and TCP) are open for communication between the ESX/ESXi host and Active Directory:
• Port 88 - Kerberos authentication
• Port 123 - NTP
• Port 135 - RPC
• Port 137 - NetBIOS Name Service
• Port 139 - NetBIOS Session Service (SMB)
• Port 389 - LDAP
• Port 445 - Microsoft-DS Active Directory, Windows shares (SMB over TCP)
• Port 464 - Kerberos - change/password changes
• Port 3268 - Global Catalog search
3. Create the computer object before you add the host to AD.
4. Connect to the host via the vSphere client directly and not via vCenter.
Refer to the step-by-step guide below on how to add an ESXi host to AD.
http://technodrone.blogspot.com/2010/07/esxi-41-active-directory-integration.html
Award points for the helpful and correct answer by clicking the below tab
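A preflight script for steps 1 and 2 of the reply above, added here as an example (it is not from the thread or from VMware). It forward-resolves the DC's FQDN, reverse-resolves the returned address and requires the two names to agree, then attempts a TCP connection to each listed port. The checks accept injectable resolver and connector callables so the logic can be exercised with constructed data; the UDP-only services in the list (NTP on 123, NetBIOS name service on 137) cannot be proven reachable by a TCP connect and are skipped. It assumes Python 3 on a machine that can reach the DC; "dc1.example.com" and 192.0.2.10 are placeholders.

```python
import socket
import sys

# Ports from the reply above. UDP-only services cannot be verified with a TCP connect.
AD_PORTS = {88: "Kerberos", 123: "NTP", 135: "RPC", 137: "NetBIOS Name Service",
            139: "NetBIOS Session Service (SMB)", 389: "LDAP", 445: "SMB over TCP",
            464: "Kerberos password change", 3268: "Global Catalog"}
UDP_ONLY = {123, 137}

def _tcp_connect(host, port, timeout=3.0):
    """Real connector: True if a TCP handshake completes within the timeout."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return False
    s.close()
    return True

def _resolve(name):
    return socket.gethostbyname(name)

def _reverse(ip):
    return socket.gethostbyaddr(ip)[0]

def check_dns_roundtrip(fqdn, resolve=_resolve, reverse=_reverse):
    """Forward-resolve fqdn, reverse-resolve the address, and require the names to agree.
    Returns a list of problems; an empty list means both directions are consistent."""
    try:
        ip = resolve(fqdn)
    except OSError as e:
        return ["forward lookup of %s failed: %s" % (fqdn, e)]
    try:
        ptr = reverse(ip)
    except OSError as e:
        return ["reverse lookup of %s (%s) failed: %s" % (ip, fqdn, e)]
    if ptr.rstrip(".").lower() != fqdn.rstrip(".").lower():
        return ["reverse of %s is %s, expected %s" % (ip, ptr, fqdn)]
    return []

def check_ad_ports(dc_host, connect=_tcp_connect):
    """Return {port: service} for the TCP ports on dc_host that refuse or time out."""
    return {p: svc for p, svc in AD_PORTS.items()
            if p not in UDP_ONLY and not connect(dc_host, p)}

if __name__ == "__main__":
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc1.example.com"   # placeholder DC name
    print("DNS round trip:", check_dns_roundtrip(dc) or "ok")
    print("Unreachable TCP ports:", check_ad_ports(dc) or "none")
```

Run it from the ESXi side and from the DC side (with the other host's FQDN) to cover both directions that step 1 asks for; a non-empty port dict points at the firewall rule to fix before retrying the join.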
Virtualinfra,
Thanks for the reply.
1. Verified DNS. It was working in both directions.
2. I had tried disabling the firewall all together per these steps.
http://communities.vmware.com/message/1842319#1842319
3. Pre-created the object as a standard Domain Computer.
4. I was using the vSphere client. No vCenter at this time.
Is there a licensing requirement for ESXi 5 to join a domain? Just using the free license. Assuming not since I don't get an error stating as much.
Bump. Any one else have ideas?
I also bump, tried every tip I found in the net, no way.
Just to double check: you have created an AD group named ESX Admins and put yourself into this group (e.g. domain\username), and when you join the domain use the UPN yourusername@domain.com
Cheers
Yes, "ESX Admins" exists, no Firewall/IDS, specified domain upper and lower case, tried multiple Domains Admin Accounts, tried different (complex and non-complex) passwords, have one physical DC (not only virtual), ...
I had the ESXi running 4.1 before and it also failed to join. Re-Installed it with 5.0, still no success. Domain consists of 2 Domain Controllers, both running 2008R2, nothing unusual. The ESXi has (both 4.1 and 5.0 had) a public IPv6 address configured, does that matter?! And one DC also hosts a self-signed CA. These are the only things that are "non-default".
I had this same issue on 4.1. For me, I did not pre-stage the Active Directory account before I joined it:
I made sure the account was a domain admin which is in the ESX Admins group
created the ESX Admins group which is case sensitive as it uses Likewise Agent
Use the domain admin user to join name@domain.local
Use the dns only of the server that does not have the certificate and vice versa
You do not use nested OUs for the computer accounts?
Have you tried without the ip v6 that might be it I did not have that...
Merry xmas!
I had this same problem. I loaded up Wireshark on my DC to find the problem. It indicated that Checksum Offload on my Broadcom NIC might be causing a problem. I unloaded all of the "offload" functions on the NIC and rebooted - this solved the problem for me.