I have been struggling with joining an ESXi 4.1.0 host (build 260247) to an Active Directory Domain.
The Domain consists of 1 Domain Controller running Windows Server 2003 Enterprise R2 SP2 32-bit. Active Directory is running at Windows Server 2003 Domain Functional level.
When trying to join the domain I am getting "Errors in Active Directory operations."
I’ve tried numerous variations of naming conventions for credentials as described in KB Article 1026538 and at the blog post here http://technodrone.blogspot.com/2010/07/esxi-41-active-directory-integration.html. I cannot find the netlogond log described in the KB article when I export system logs.
DNS - I have configured the ESXi host to use the Domain Controller as its preferred DNS server. It has a unique hostname, and is configured with the domain that is identical to the AD Domain Name. The search domain is configured as the AD Domain name. I have verified that DNS lookups are working correctly (see connectivity section below).
Time synchronization - I have configured NTP on the ESXi host to use the Domain Controller as its time source. Time seems to be synchronized to the second, and the Kerberos Authentication seems to be working as demonstrated in the network trace.
Connectivity and Trace - Windows Firewall on the AD Domain Controller is completely disabled. Using NetCap, I have traced the network traffic between the ESXi host and Domain Controller during the entire operation. The following summarizes the trace in chronological order with timestamps to correlate to the log files below.
16:05:19 DNS lookups and responses for domain controller ‘A’ record.
16:05:19 Connectionless ldap search request and response to <ROOT> for attribute “currentTime”
16:05:19 KRB5 AS-Req from ESXi host. Response from DC is KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
16:05:19 DNS lookups and responses for SRV records for kerberos-master.udp.domain.com and kerberos-master.tcp.domain.com. Responses were for DNS name of domain controller for UDP, and “No Such Name” for TCP.
16:05:19 KRB5 AS-REQ and AS-REP for the name that I authenticated as.
16:05:51 DNS lookups and responses for SRV records for ldap.tcp.dc._msdcs.infpts.com. Response was for DNS name of Domain Controller.
16:05:51 Connectionless ldap search request and response to <ROOT> with filter (&(DnsDomain=domain.com)(NtVer=0x80000006)) for attribute Netlogon. Response returned 1 result, blank objectname, type netlogon
Log Events from messages:
Oct 18 16:05:18 Hostd: 2010-10-18 16:05:18.935 32CF0B90 info 'TaskManager' opID=F68B3BB5-00003914 Task Created : haTask-ha-host-vim.host.ActiveDirectoryAuthentication.joinDomain-2455
Oct 18 16:05:18 Hostd: 2010-10-18 16:05:18.937 32D72B90 verbose 'App' opID=F68B3BB5-00003914 Looking up object with name = "firewallSystem" failed.
Oct 18 16:05:18 Hostd: 2010-10-18 16:05:18.997 32D31B90 verbose 'SysCommandPosix' opID=F68B3BB5-00003914 ForkExec '/bin/sh', pid 694417, rc 0
Oct 18 16:05:19 Hostd: 2010-10-18 16:05:19.076 32D31B90 verbose 'SysCommandPosix' opID=F68B3BB5-00003914 ForkExec '/bin/sh', pid 698527, rc 0
Oct 18 16:05:19 Hostd: 2010-10-18 16:05:19.176 32D31B90 verbose 'SysCommandPosix' opID=F68B3BB5-00003914 ForkExec '/bin/sh', pid 698541, rc 0
Oct 18 16:06:11 Hostd: 2010-10-18 16:06:11.009 32D72B90 verbose 'Cimsvc' Ticket issued for CIMOM version 1.0, user root
Oct 18 16:06:19 Hostd: 2010-10-18 16:06:19.697 32F40B90 verbose 'Proxysvc Req02296' New proxy client TCP(local=10.40.20.249:17649, peer=10.10.20.10:80)
Oct 18 16:06:24 Hostd: DJRunJoinProcess: 0x80047: 0x3B - Unknown error
Oct 18 16:06:24 Hostd: Stack Trace:
Oct 18 16:06:24 Hostd: /build/mts/release/bora-234910/likewise/esxi-esxi/src/linux/domainjoin/libdomainjoin/src/djauthinfo.c:872
Oct 18 16:06:24 Hostd: /build/mts/release/bora-234910/likewise/esxi-esxi/src/linux/domainjoin/libdomainjoin/src/djauthinfo.c:1218
Oct 18 16:06:24 Hostd: 2010-10-18 16:06:24.380 32D31B90 error 'ActiveDirectoryAuthentication' opID=F68B3BB5-00003914 vmwauth Exception: Exception 0xffff0000: Unknown exception
Oct 18 16:06:24 Hostd: 2010-10-18 16:06:24.380 32D31B90 info 'TaskManager' opID=F68B3BB5-00003914 Task Completed : haTask-ha-host-vim.host.ActiveDirectoryAuthentication.joinDomain-2455 Status error
Additional Information / Questions:
I have experimented with 2 different AD accounts with enterprise admin rights, including the original administrator account. I have also tried enabling / disabling pre-auth for these accounts in AD users and computers and this hasn’t made a difference.
I was able to join Windows 7 workstations and another identical ESXi host to this domain in the past. This may or may not have been before raising the domain functional level, I cannot remember.
I have been disappointed that I haven’t found any significant amount of log information related to this problem. Are there additional log files that I am missing? Is there a way to enable verbose logging in ESXi to get more information? I haven’t found any relevant information in the Windows 2003 event logs. What am I missing there? Does anyone have a network trace / capture of what a good join operation looks like to compare with the trace above? I would expect to see some SMB traffic during the join operation.
I appreciate any help that anyone can offer, as I am pretty much out of ideas.
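One thing the quoted hostd lines show is that the join task's own lines carry an opID, while the domainjoin output (DJRunJoinProcess and its stack trace) has neither an opID nor a hostd timestamp, so a simple grep for the opID misses the only error code the join process reports. The following added example (not from the post or from VMware) correlates the hostd lines by opID, attributes untagged lines to the task that is in flight at that point in the file, and extracts the join error code. The sample lines are copied from the post above; the line layout the regexes assume is inferred from those lines, not from a documented format, and the untagged-line attribution is a heuristic.

```python
"""Correlate ESXi hostd log lines by opID and attach untagged domainjoin output.

Added example; parsing rules are assumptions inferred from the lines in the post.
"""
import re
from datetime import datetime

# Sample input: hostd lines quoted in the post above (lightly trimmed).
SAMPLE_LOG = """\
Oct 18 16:05:18 Hostd: 2010-10-18 16:05:18.935 32CF0B90 info 'TaskManager' opID=F68B3BB5-00003914 Task Created : haTask-ha-host-vim.host.ActiveDirectoryAuthentication.joinDomain-2455
Oct 18 16:05:18 Hostd: 2010-10-18 16:05:18.937 32D72B90 verbose 'App' opID=F68B3BB5-00003914 Looking up object with name = "firewallSystem" failed.
Oct 18 16:05:18 Hostd: 2010-10-18 16:05:18.997 32D31B90 verbose 'SysCommandPosix' opID=F68B3BB5-00003914 ForkExec '/bin/sh', pid 694417, rc 0
Oct 18 16:06:11 Hostd: 2010-10-18 16:06:11.009 32D72B90 verbose 'Cimsvc' Ticket issued for CIMOM version 1.0, user root
Oct 18 16:06:19 Hostd: 2010-10-18 16:06:19.697 32F40B90 verbose 'Proxysvc Req02296' New proxy client TCP(local=10.40.20.249:17649, peer=10.10.20.10:80)
Oct 18 16:06:24 Hostd: DJRunJoinProcess: 0x80047: 0x3B - Unknown error
Oct 18 16:06:24 Hostd: Stack Trace:
Oct 18 16:06:24 Hostd: /build/mts/release/bora-234910/likewise/esxi-esxi/src/linux/domainjoin/libdomainjoin/src/djauthinfo.c:872
Oct 18 16:06:24 Hostd: /build/mts/release/bora-234910/likewise/esxi-esxi/src/linux/domainjoin/libdomainjoin/src/djauthinfo.c:1218
Oct 18 16:06:24 Hostd: 2010-10-18 16:06:24.380 32D31B90 error 'ActiveDirectoryAuthentication' opID=F68B3BB5-00003914 vmwauth Exception: Exception 0xffff0000: Unknown exception
Oct 18 16:06:24 Hostd: 2010-10-18 16:06:24.380 32D31B90 info 'TaskManager' opID=F68B3BB5-00003914 Task Completed : haTask-ha-host-vim.host.ActiveDirectoryAuthentication.joinDomain-2455 Status error
"""

# syslog prefix, then an optional hostd header (timestamp, thread, level,
# component, optional opID), then the free-text message.
HOSTD_RE = re.compile(
    r"^(?P<syslog>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) Hostd: "
    r"(?:(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<thread>[0-9A-Fa-f]+) "
    r"(?P<level>\w+) '(?P<component>[^']+)' (?:opID=(?P<opid>[0-9A-Fa-f-]+) )?)?"
    r"(?P<msg>.*)$"
)
TASK_CREATED_RE = re.compile(r"Task Created : (\S+)")
TASK_DONE_RE = re.compile(r"Task Completed : (\S+) Status (\w+)")
# Assumed shape of the domainjoin error line: "DJRunJoinProcess: <code>: <status> - <text>"
DJ_ERROR_RE = re.compile(r"DJRunJoinProcess: (0x[0-9A-Fa-f]+): (0x[0-9A-Fa-f]+) - (.*)")


def parse_line(line):
    """Return a dict of fields for one hostd line, or None if it does not match."""
    m = HOSTD_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S.%f") if ev["ts"] else None
    return ev


def correlate(log_text):
    """Group lines by opID into task records; attach untagged lines to in-flight tasks."""
    in_flight, tasks = {}, {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        opid, msg = ev["opid"], ev["msg"]
        created = TASK_CREATED_RE.match(msg)
        if created and opid:
            rec = {"task": created.group(1), "created": ev["ts"], "completed": None,
                   "status": None, "duration_s": None, "errors": [],
                   "untagged": [], "join_error": None}
            in_flight[opid] = tasks[opid] = rec
            continue
        done = TASK_DONE_RE.match(msg)
        if done and opid in in_flight:
            rec = in_flight.pop(opid)
            rec["completed"], rec["status"] = ev["ts"], done.group(2)
            rec["duration_s"] = (rec["completed"] - rec["created"]).total_seconds()
            continue
        if opid in tasks:
            if ev["level"] == "error":
                tasks[opid]["errors"].append(f"{ev['component']}: {msg}")
            continue
        if ev["ts"] is None:
            # Domainjoin output has no opID or hostd timestamp; attribute it to
            # whichever task is still open at this point in the file (heuristic).
            for rec in in_flight.values():
                rec["untagged"].append(msg)
                dj = DJ_ERROR_RE.match(msg)
                if dj:
                    rec["join_error"] = dj.groups()
    return tasks


def format_report(tasks):
    """Render one line per task plus its errors and attached untagged lines."""
    out = []
    for opid, r in tasks.items():
        out.append(f"{opid} {r['task']} status={r['status']} took={r['duration_s']}s")
        out.extend(f"  error: {e}" for e in r["errors"])
        if r["join_error"]:
            out.append(f"  domainjoin: code={r['join_error'][0]} status={r['join_error'][1]}")
        out.extend(f"  untagged: {u}" for u in r["untagged"])
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(correlate(SAMPLE_LOG)))
```

Run against a full exported messages file instead of the sample and the report lists every hostd task with its outcome, which also makes it easy to see whether the join task spent its time before or after the ForkExec calls. Lines of other services that fall between the task's creation and completion are attached only when they lack a hostd header, so timestamped noise such as the Cimsvc and Proxysvc lines is left out.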