“It is common sense to take a method and try it. If it fails, admit it frankly and try another. But above all, try something.” – Franklin D. Roosevelt
Does “Errors in Active Directory operations” sound familiar?
Did you check that the following ports (both UDP and TCP) are open for communication between the ESX/ESXi host and Active Directory:
Port 88 – Kerberos authentication
Port 123 – NTP
Port 135 – RPC
Port 137 – NetBIOS Name Service
Port 139 – NetBIOS Session Service (SMB)
Port 389 – LDAP
Port 445 – Microsoft-DS Active Directory, Windows shares (SMB over TCP)
Port 464 – Kerberos – change/password changes
Port 3268 – Global Catalog search
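To check the TCP side of the port list above against a domain controller, here is an added example (not part of the original post or of VMware's KB). It assumes Python 3 on a machine on the same network as the ESXi management interface, and `dc01.example.com` is a placeholder name.

```python
import socket
import sys

# Ports from the list above (port -> purpose).
AD_PORTS = {
    88: "Kerberos authentication",
    123: "NTP",
    135: "RPC",
    137: "NetBIOS Name Service",
    139: "NetBIOS Session Service (SMB)",
    389: "LDAP",
    445: "Microsoft-DS (SMB over TCP)",
    464: "Kerberos password changes",
    3268: "Global Catalog search",
}

def tcp_status(host, port, timeout=3.0):
    """Classify one TCP connection attempt.

    open     - handshake completed, a service is listening
    refused  - host answered with a reset: reachable, nothing on TCP
    filtered - no answer before the timeout, typical of a firewall drop
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:  # DNS failure, no route, etc.
        return "error: %s" % exc

def check_dc(host, ports=AD_PORTS, timeout=3.0):
    """Return {port: status} for every port in `ports`."""
    return {port: tcp_status(host, port, timeout) for port in sorted(ports)}

if __name__ == "__main__":
    # dc01.example.com is a placeholder; pass your domain controller's name.
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.com"
    for port, status in check_dc(dc).items():
        print("%-5d %-30s %s" % (port, AD_PORTS[port], status))
    # This probe covers TCP only. UDP is connectionless, so the UDP side of
    # each port (and NTP on 123, which is a UDP service) needs a separate check.
```

A `filtered` result usually points at a firewall between the two ends, while `refused` on port 123 is expected because NTP runs over UDP.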
Did you follow the steps from KB2075361?
To add an ESXi host to the Active Directory using vSphere Web Client:
1. Browse to the host in the vSphere Web Client inventory.
2. Click the Manage tab and click Settings.
3. Under System, select Authentication Services.
4. Click Join Domain.
5. Enter a domain.
Use the form domain.com or domain.com/OU1/OU2.
6. Enter the user name and password of a directory service user who has permissions to join the host to the domain, and click OK.
7. Click OK to close the Directory Services Configuration dialog box.
Did you try various KBs and articles, and nothing seems to work? Even worse, after refreshing the Web Client, the ESXi host shows as joined to the domain and you can see the computer account in AD, but authentication with your AD account is still not working?
Well, in this case I have the following recipe for you:
Don’t be afraid to remove (Leave Domain) the host with issues.
In the host's Settings -> Security Profile -> Services section, check whether the Active Directory Service is running.
If not, start it. You might get a timeout error, but eventually the service will appear as started.