Fixing “Errors in Active Directory operations” when adding an ESXi host to Active Directory
This is just a quick blogpost on a small issue I encountered during a VMware Validated Design (VVD) deployment. As part of the VVD deployment, all ESXi hosts need to be added to Active Directory. This allows for Role-Based Access Control (RBAC) over the ESXi hosts.. Following the planning and preparation guidelines, the customer nicely prepared an AD service account that I could use to join the ESXi hosts to the domain.
Everything went fine with the Region A deployment but when I started deploying the second region, I was presented the following error in the vSphere Web Client when joining the Region B hosts to AD:
Errors in Active Directory operations
Looking up this error brought me to VMware Knowledge Base article KB1026538, but the issue didn’t appear to be firewall related in my case. Doing some deeper digging brought me to VMware KB52984. This article explains how to perform the AD join from the command-line of the ESXi host using the domainjoin-cli command.
VMware is using the Likewise Agent so we first need to ensure the service is running and that it is started automatically with the host:
/etc/init.d/lwsmd start chkconfig lwsmd on /usr/lib/vmware/likewise/bin/domainjoin-cli join AD_Domain_Name AD_Username
This command finally brought some clarity on the underlying issue:
Error: Lsass Error [code 0x00000718] The account's computer join limit has been exceeded. Talk to your Windows administrators about the limits assigned to your account.
Apparently, the customer did not delegate the permission to add computer accounts to AD to this specific service account, so we’re hitting the default limit of 10 workstations a user can join to the domain.
Doh! Why didn’t I check this first? On the other hand, why the vSphere Web Client doesn’t provide a clear and descriptive error message on this issue (just like the domainjoin-cli command) is beyond me.
Anyway, fix it by either getting your AD admins to delegate the permission to create and delete computer accounts to your service account (nice solution), or let them globally increase ms-DS-MachineAccountQuota using Adsiedit.