
Error Creating Host Profile – “Firewall rule activeDirectoryAll must be enabled for the service lwiod”

After upgrading a vSphere host from ESXi 5.0 to ESXi 5.1u1 I attempted to create a new host profile and was surprised when it failed with the error: “Firewall rule activeDirectoryAll must be enabled for the service lwiod”.

This caught me by surprise because I had used this same host as the reference host for my 5.0 host profile with no problems. Fortunately, in this case the error message left little doubt as to the cause of the failure: the service “lwiod” was running, and it requires the firewall rule “activeDirectoryAll”, which was disabled. However, it was still puzzling why things worked with 5.0 and suddenly became an issue following the upgrade.

I did some research and learned that the lwiod daemon is part of the Likewise agents that are responsible for communication between the vSphere host and the Active Directory domain controller (see http://kb.vmware.com/kb/1026554). This made the error even more puzzling, as the host was configured to use local authentication and not Active Directory.

I then remembered that a while back, prior to the upgrade, I had temporarily joined the host to an Active Directory domain as part of some testing and later removed it. Evidently this created the situation where the activeDirectoryAll firewall rule was disabled while the lwiod daemon was left running. This misconfiguration went unnoticed until I tried to create a new host profile following the upgrade.

To work around the error I initially tried logging on to the ESXi Shell and manually stopping the lwiod daemon and disabling its auto start so it wouldn’t get restarted when the host reboots:

Unfortunately, this didn’t work. Next, I decided to simply enable the AD firewall ports on the host.

This worked, and I was able to create the host profile. I then cleaned things up by editing the host profile to disable the lwiod daemon and disable the activeDirectoryAll firewall rule:

After that I was good to go.  I still need to do some research to better understand exactly how my host got into the situation, but I’m glad it was an easy fix.
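As an added example that is not part of the original post, the following POSIX shell script checks for the mismatch described above (lwiod running while the activeDirectoryAll ruleset is disabled) by parsing the output of `esxcli network firewall ruleset list`. It runs here against a constructed sample listing; the ESXi commands named in the comments are only called when you swap in live data on a real host.

```shell
#!/bin/sh
# Added example (not VMware's code). Detects the state that makes host
# profile creation fail: lwiod running without its firewall ruleset.
# The listing format mimics `esxcli network firewall ruleset list`
# (columns: Name, Enabled); the sample values below are constructed.

# ruleset_enabled RULESET LISTING
# Returns 0 when RULESET appears in LISTING with Enabled == true.
ruleset_enabled() {
    ruleset="$1"
    listing="$2"
    state=$(printf '%s\n' "$listing" | awk -v r="$ruleset" '$1 == r { print $2 }')
    [ "$state" = "true" ]
}

# lwiod_mismatch LWIOD_STATE LISTING
# LWIOD_STATE is "running" or "stopped", as the caller derives it from
# `/etc/init.d/lwiod status` (assumed normalisation, not esxcli output).
# Returns 0 when lwiod runs but activeDirectoryAll is disabled.
lwiod_mismatch() {
    lwiod_state="$1"
    listing="$2"
    if [ "$lwiod_state" = "running" ] && ! ruleset_enabled activeDirectoryAll "$listing"; then
        return 0
    fi
    return 1
}

# Constructed sample of the esxcli ruleset table for offline testing.
SAMPLE_LISTING='Name                Enabled
------------------  -------
sshServer           true
activeDirectoryAll  false
DHCPv6              true'

# On a real ESXi host, replace the sample with live data, e.g.:
#   listing=$(esxcli network firewall ruleset list)
#   /etc/init.d/lwiod status   # to decide "running" vs "stopped"
if lwiod_mismatch running "$SAMPLE_LISTING"; then
    echo "lwiod is running but activeDirectoryAll is disabled: host profile creation will fail"
    echo "fix: esxcli network firewall ruleset set --ruleset-id=activeDirectoryAll --enabled=true"
fi
```

The `esxcli ... ruleset set` line in the final echo is the command that enables the rule, which is the workaround that succeeded in the post; disabling lwiod afterwards via the host profile keeps the host consistent.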