Joining your ESXi host to a Windows Domain
It’s important to join your ESXi host to a Windows domain if there is one present in your architecture. Why? For one, you can use your Active Directory (AD) credentials to log into the host if you ever have to do so directly. That, in and of itself, is worth joining the host to the domain.
Beyond convenience, it is a hardening step. With AD authentication in place, administrators log in as themselves, so every action on the host is tied to a named account, and the root password becomes a break-glass credential that is locked away rather than shared. You no longer have to rotate root every time an administrator leaves, because departing administrators never held it in the first place (if someone who did know it leaves, rotate it anyway).
Once AD is doing the authentication, you delegate access by AD group. By default ESXi grants the Administrator role to members of an AD group named “ESX Admins” (the group name is configurable through the advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup), and you can assign roles to other groups under the host’s Permissions tab. Members of whichever group you choose effectively have root on the host, so resist the temptation to use “Domain Admins”: anyone who can add a member to that group can add a root user to every host. Use a small, dedicated, tightly controlled group instead.
Joining a Windows server or workstation to the domain is a relatively simple process; joining an ESXi host is a bit more involved.
The first step is to audit who has, or has had, root-level access to your host. If employees with that access have left recently and the password hasn’t changed, change the root password now. You can do this from the command line (if SSH is enabled on the host and you have PuTTY or another SSH client), or from the console in the data center.
Once you’ve reset the root password, you can move on to actually joining it to your Windows domain.
Use your vSphere Client to directly access your ESXi host. Do not use vCenter for this process; you need to be directly logged into your ESXi host.
In the configuration view, you will see along the left hand side several options; you want to select the “Authentication Services” link.
Once you click on the link, select “Properties” which will launch the “Directory Services Configuration” wizard. You’ll want to “Set Directory Service Type” to “Active Directory.” Enter the name of the AD domain you want to join and click “Join Domain.”
You will be prompted for the credentials of an AD account that has rights to create computer objects in the target OU; this does not need to be a Domain Admin account. Click “OK” and the host is joined to the domain.
By default the computer object lands in the domain’s “Computers” container; from there you can right-click it and move it to whatever OU it belongs in. The join dialog also accepts the domain in the form name.tld/container/path, which places the object in that OU directly. Note that Group Policy does not apply to ESXi hosts; the object’s placement matters for delegation and inventory, not for policy processing.
There seem to be two recurring issues when joining an ESXi host to a Windows domain. They don’t always occur, but if you do get an error it will most likely be either ports blocked at the firewall or a missing host patch. Here’s how to troubleshoot each:
Possible Port Blockage
With any VMware-related install or upgrade you are bound to run into a firewall issue sooner or later, and a domain join is no exception: if the key ports between the host’s management interface and the domain controllers are blocked, the join fails. The host also needs working DNS so it can locate the domain controllers.
The ports that must be open between the ESXi host and the domain controllers before joining are as follows:
- Port 88 (TCP/UDP) – Kerberos authentication
- Port 123 (UDP) – NTP (Kerberos tolerates only a few minutes of clock skew, so the host must be synced to the same time source as the domain)
- Port 135 (TCP) – RPC endpoint mapper
- Port 137 (UDP) – NetBIOS Name Service
- Port 139 (TCP) – NetBIOS Session Service (SMB)
- Port 389 (TCP/UDP) – LDAP
- Port 445 (TCP) – Microsoft-DS, Active Directory and Windows shares (SMB over TCP)
- Port 464 (TCP/UDP) – Kerberos password change
- Port 3268 (TCP) – Global Catalog (LDAP)
If any of those ports is blocked, you will get an error. After you enter the domain and the join credentials, the task pane at the bottom of the vSphere Client shows a clock icon with the status “In Progress”. It will sit at “In Progress” for about 15 minutes before finally failing with “Error in Active Directory Operations” and cancelling the domain join.
Check that those ports are open and try again; you will have better luck, I promise. For more information on this issue, read the VMware KB article written about it.
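Rather than waiting 15 minutes for the join to time out, check the path first. The following PowerShell pre-flight script is an added example, not part of the original post: it probes the TCP ports from the list above against each domain controller with Test-NetConnection and reports which are blocked. The domain controller names are assumptions. Test-NetConnection cannot probe UDP, so NTP is checked separately with w32tm.

```powershell
# Added example (not from the original post): pre-flight check of the TCP
# ports an ESXi domain join needs.  Run it from a Windows admin workstation
# on the same network path as the host's management vmkernel interface.
$DomainControllers = @("dc01.corp.example.com", "dc02.corp.example.com")   # assumed names

# TCP ports from the list above.  88, 389 and 464 are also used over UDP, and
# 123 (NTP) and 137 (NetBIOS-NS) are UDP only; those cannot be probed here.
$TcpPorts = [ordered]@{
    88   = "Kerberos"
    135  = "RPC endpoint mapper"
    139  = "NetBIOS session (SMB)"
    389  = "LDAP"
    445  = "SMB over TCP"
    464  = "Kerberos password change"
    3268 = "Global Catalog (LDAP)"
}

function Test-DomainJoinPorts {
    param(
        [Parameter(Mandatory)][string[]]$Servers,
        [System.Collections.IDictionary]$Ports = $TcpPorts
    )
    foreach ($server in $Servers) {
        foreach ($port in $Ports.Keys) {
            # TcpTestSucceeded is $false on both "refused" and "filtered"; either way the join fails.
            $result = Test-NetConnection -ComputerName $server -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                Server  = $server
                Port    = $port
                Service = $Ports[$port]
                Open    = $result.TcpTestSucceeded
            }
        }
    }
}

$results = Test-DomainJoinPorts -Servers $DomainControllers
$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.Server):$($_.Port)" }) -join ", "
    Write-Warning "Blocked: $list"
    Write-Warning "Expect 'Error in Active Directory Operations' until these are opened."
}

# UDP 123: compare the clock against the first DC.  Kerberos rejects tickets
# once the skew exceeds the domain's tolerance (5 minutes by default).
w32tm /stripchart /computer:$($DomainControllers[0]) /samples:3 /dataonly
```

This tests the workstation’s path to the domain controllers, not the host’s, so run it from a machine on the same VLAN as the management interface, or behind the same firewall rules. A port that is open from your desk but blocked for the host will still fail the join.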
Possible Patch Issue
The “Error in Active Directory Operations” error will also rear its ugly head if your ESXi 5.0 host is missing a crucial patch.
Let me state right off the bat that if you are running ESXi 5.1 or later you do not need this patch; the issue is corrected in 5.1.
Should you run into this issue, here are the steps you want to take to fix the error and join the host to the domain:
1. Copy the patch bundle to the root of a datastore on the ESXi host. In the vSphere Client, select the host’s datastore, right-click it and choose “Browse Datastore”. In the window that opens, click “Upload files” and place the patch in the root folder of the datastore (shown as a folder followed by a /).
2. vMotion all VMs on the host you are patching to another host. If you can’t vMotion them, shut them down. Either way, put the host into maintenance mode before installing the patch.
3. Open an SSH session to the ESXi host with PuTTY (enable SSH first under Configuration > Security Profile > Services if it is off). Enter the IP address of your host and click “Open”.
4. At the command prompt enter the command below:
esxcli software vib update -d "/vmfs/volumes/esx2:storage1/ESXi500-2012107001.zip"
(The -d option takes the full path to the patch zip; adjust the datastore name and file name to match your upload.)
5. A reboot is required for this patch to take effect. After you apply the patch, type “reboot” at the command prompt. When the host comes back online, reconnect over SSH as in step 3.
6. Open the firewall for the join. The original fix was to disable the host firewall entirely; a narrower alternative is to enable only the “Active Directory All” ruleset (Configuration > Security Profile > Firewall > Properties), which opens exactly the ports listed above and leaves everything else closed. If you do disable the whole firewall, keep the window short and make sure you complete step 9. At the command prompt enter the following command:
esxcli network firewall set -e false
7. Verify that the firewall is disabled. Type the following command:
esxcli network firewall get
8. Log into the ESXi host directly with the vSphere Client (not vCenter).
9. Configure the Active Directory information for the host as described earlier. After you have joined the domain and verified an AD login works, re-enable the firewall from the command line:
esxcli network firewall set -e true
10. Verify that the firewall is enabled. Type the following command:
esxcli network firewall get
11. Disable SSH on your host. Once everything is set, log into the host directly via the vSphere Client and stop the SSH service to prevent any further remote shell connections.
12. Take the host out of maintenance mode and start all VMs. This should be your last step; nothing will run while the host is still in maintenance mode. Right-click the host and select “Exit Maintenance Mode”, then power your VMs back on.
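The join itself (the “Authentication Services” steps earlier in the post and steps 8 to 12 here) can also be scripted with PowerCLI against the host directly, which is handy when you have more than one host to do. The script below is an added example, not part of the original post, and it applies the hardening points made above: it opens only the Active Directory firewall ruleset instead of turning the firewall off, grants the Administrator role to a dedicated AD group rather than Domain Admins, and stops SSH when finished. The host name, domain and group name are assumptions; the cmdlets are standard PowerCLI.

```powershell
# Added example (not from the original post): PowerCLI version of the join
# procedure, run against the ESXi host directly (not vCenter).
$EsxiHost   = "esx2.corp.example.com"          # assumed host name
$Domain     = "corp.example.com"               # assumed domain
$AdminGroup = "CORP\ESXi-Host-Admins"          # assumed dedicated group; NOT Domain Admins

$rootCred = Get-Credential -Message "ESXi root"
$joinCred = Get-Credential -Message "AD account allowed to create computer objects in the target OU"

Connect-VIServer -Server $EsxiHost -Credential $rootCred | Out-Null
$vmhost = Get-VMHost -Name $EsxiHost

# 1. Open only what the join needs; the rest of the host firewall stays as it is.
Get-VMHostFirewallException -VMHost $vmhost -Name "Active Directory All" |
    Set-VMHostFirewallException -Enabled $true | Out-Null

# 2. Join.  Set-VMHostAuthentication is the cmdlet behind the "Join Domain" button.
#    (In the vSphere Client dialog the domain may be given as name.tld/container/path
#    to land the computer object in a specific OU instead of the Computers container.)
$auth = Get-VMHostAuthentication -VMHost $vmhost
if ($auth.DomainMembershipStatus -ne "Ok") {
    Set-VMHostAuthentication -VMHostAuthentication $auth -Domain $Domain `
        -JoinDomain -Credential $joinCred -Confirm:$false | Out-Null
}
$auth = Get-VMHostAuthentication -VMHost $vmhost
"Domain: {0}  Membership: {1}" -f $auth.Domain, $auth.DomainMembershipStatus

# 3. Point the automatic Administrator mapping at the dedicated group (the default
#    is an AD group named "ESX Admins"; the setting takes the bare group name) and
#    add an explicit permission as well so it shows up under the Permissions tab.
Get-AdvancedSetting -Entity $vmhost -Name "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" |
    Set-AdvancedSetting -Value ($AdminGroup.Split('\')[1]) -Confirm:$false | Out-Null
if (-not (Get-VIPermission -Entity $vmhost -Principal $AdminGroup -ErrorAction SilentlyContinue)) {
    New-VIPermission -Entity $vmhost -Principal $AdminGroup `
        -Role (Get-VIRole -Name Admin) -Propagate:$true | Out-Null
}

# 4. Close SSH again now that the esxcli work is done (service key TSM-SSH).
Get-VMHostService -VMHost $vmhost |
    Where-Object { $_.Key -eq "TSM-SSH" -and $_.Running } |
    Stop-VMHostService -Confirm:$false | Out-Null

# 5. Back into production: leave maintenance mode.
Set-VMHost -VMHost $vmhost -State Connected | Out-Null
Disconnect-VIServer -Server $EsxiHost -Confirm:$false
```

Run it after the host has been patched and rebooted (steps 1 to 5 above), since it assumes the firewall is still enabled. Before trusting the result, log in to the host once with an account from the dedicated group; if that fails, check DomainMembershipStatus and the port list above before touching root again.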
Pass It On
Now that you’ve fixed any errors you hit while joining your ESXi host to your Windows domain, pass this article on to someone who doesn’t know how to do it, or who is struggling with the evil “Error in Active Directory Operations” error.
This is what being in the IT field is all about, helping out our fellow admins so they don’t have to relive the same head-banging that we did for a whole day trying to figure it out.
Thanks go out to Danny Ryan for brainstorming this issue with me, couldn’t have figured it out without him.