If you are joining your freshly installed ESXi 5 host to Active Directory, you might run into difficulties and receive an error. This error is due to the ESXi 5.0 firewall default settings. ESXi 5.0 has a new firewall engine that is not based on iptables. The firewall is service oriented and stateless. For remote hosts, you can specify the IP addresses or range of IP addresses that are allowed to access each service.

You can get an error like this:

Could not join <domainname> The specified domain either does not exist or could not be contacted.

Why is that happening?

DNS lookup queries are sent over TCP port 53, which is not open by default on the ESXi 5.0 firewall. So in order for the request to succeed, the firewall (or the port) must be temporarily disabled (opened).

The firewall sits between the ESXi host management interface and the management network on the local area network. You can configure it by using the vSphere Client. Go to Host Configuration > Software > Security Profile.

You can use host profiles for the ESXi 5.0 firewall configuration as well.

Update: In the screenshot below the UDP port is opened, but if a DNS lookup returns a packet greater than 512 bytes over UDP port 53, the command may fail. So that's why (if it happens) you must disable the firewall temporarily... DNS queries are then sent over TCP port 53 for a reliable response.

Screenshot: ESXi 5.0 Firewall - Port 53 for DNS requests

In addition, a new esxcli interface (esxcfg-firewall) is available in ESXi 5.0.
Source: KB article 2008226
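The following script is an added example, not code from the original post or from VMware. It checks whether the ESXi 5.0 firewall already allows outbound TCP/53 before touching anything, and otherwise disables the firewall only for the lifetime of one command (the domain join), re-enabling it even if that command fails or is interrupted. It assumes the ESXi 5.x `esxcli network firewall` command syntax and uses a constructed sample of the rule-list output; the ESXCLI variable lets the logic be exercised off-host.

```shell
#!/bin/sh
# Added example (not from the original post or from VMware): check whether
# the ESXi 5.0 firewall already allows outbound TCP/53, and if not, disable
# the firewall only for the lifetime of one command (the domain join) and
# re-enable it even if that command fails or is interrupted.
# Assumes the ESXi 5.x "esxcli network firewall" syntax. ESXCLI can be
# pointed at a stub (e.g. ESXCLI=:) to exercise the logic off-host.
ESXCLI="${ESXCLI:-esxcli}"

# Constructed sample of `esxcli network firewall ruleset rule list` output
# (not captured from a real host): only UDP/53 is open for DNS.
SAMPLE_RULES='Ruleset    Direction  Protocol  Port Type  Port Begin  Port End
---------  ---------  --------  ---------  ----------  --------
dns        Outbound   UDP       Dst                53        53
sshServer  Inbound    TCP       Dst                22        22'

# Read rule-list output on stdin; succeed only if some ruleset has an
# outbound TCP rule whose destination port range covers 53. Whether that
# ruleset is enabled is shown by `esxcli network firewall ruleset list`.
tcp53_outbound_allowed() {
    awk 'NR > 2 && tolower($2) == "outbound" && tolower($3) == "tcp" &&
         tolower($4) == "dst" && $5 + 0 <= 53 && $6 + 0 >= 53 { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Disable the firewall, run the given command, then re-enable the firewall
# regardless of outcome. Returns the command's exit status.
with_firewall_open() {
    "$ESXCLI" network firewall set --enabled false || return 1
    trap '"$ESXCLI" network firewall set --enabled true' INT TERM
    "$@"
    rc=$?
    "$ESXCLI" network firewall set --enabled true
    trap - INT TERM
    return $rc
}

# On a host: `sh join-with-fw.sh <join command and its arguments>`.
if command -v "$ESXCLI" >/dev/null 2>&1 && [ $# -gt 0 ]; then
    if "$ESXCLI" network firewall ruleset rule list | tcp53_outbound_allowed; then
        echo "outbound TCP/53 already permitted; running join with firewall up"
        "$@"
    else
        echo "outbound TCP/53 not permitted; firewall disabled only during join"
        with_firewall_open "$@"
    fi
fi
```

Leaving the firewall off for longer than the join itself is the mistake this guards against: the re-enable runs on success, failure, or interruption.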
