Applying a host profile that specifies an Active Directory domain to join causes a compliance failure.

When you apply a host profile that specifies an Active Directory domain to join, but the profile does not enable the activeDirectoryAll rule set in its firewall configuration, the host fails compliance. The vSphere Client displays the error message Failures against the host profile: Ruleset activedirectoryAll does not match the specification. The same compliance failure occurs when you apply a host profile that makes the host leave an Active Directory domain, but the profile does not disable the activeDirectoryAll rule set.

Joining an Active Directory domain requires the activeDirectoryAll firewall rule set, so the host profile must enable that rule set in its firewall configuration. If the profile omits the setting, the host still adds the necessary firewall rules itself when it joins the domain, but the firewall state on the host then no longer matches the profile, and the host is reported as noncompliant. The host is also noncompliant if the profile removes it from the domain but leaves the Active Directory rule set enabled. In either case the check compares what the profile says about the rule set with what the host actually has, so the fix is to make the profile's rule set setting agree with the domain membership it specifies.

1. In the vSphere Client inventory, right-click the host profile and select Edit Profile.

2. Expand the host profile in the left pane and select Firewall Configuration > Ruleset Configuration > activeDirectoryAll.

3. In the right panel, click Edit.

4. Select the Flag indicating whether ruleset should be enabled check box. Deselect the check box if the host is leaving the domain.

5. Click OK.
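The procedure above fixes the profile in the vSphere Client. The following shell script, added here as an example and not part of the VMware documentation, performs the same agreement check from the ESXi side: it reads the text output of esxcli network firewall ruleset list, compares the enabled state of activeDirectoryAll with the domain membership the operator intends (joined or left), and prints the esxcli network firewall ruleset set command that brings the host in line. The esxcli commands are the real ESXi CLI syntax; the sample ruleset listing embedded in the script is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not VMware's code): check that the activeDirectoryAll firewall
# ruleset on an ESXi host agrees with the intended Active Directory membership.
# Input is the text form of `esxcli network firewall ruleset list`; the sample
# listing further down is constructed, not captured from a real host.

# ad_ruleset_enabled: reads a ruleset listing on stdin and prints the Enabled
# column for activeDirectoryAll in lower case ("true"/"false"), or "missing"
# if the ruleset does not appear at all.
ad_ruleset_enabled() {
    awk '$1 == "activeDirectoryAll" { print tolower($2); found = 1 }
         END { if (!found) print "missing" }'
}

# check_ad_compliance <joined|left> <ruleset-list-text>
# Returns 0 when the ruleset state matches the intent, 1 when it does not
# (printing the remediation command), 2 on bad usage.
check_ad_compliance() {
    intent=$1
    actual=$(printf '%s\n' "$2" | ad_ruleset_enabled)
    case $intent in
        joined) expected=true ;;   # joining the domain requires the ruleset
        left)   expected=false ;;  # leaving the domain requires disabling it
        *) echo "usage: check_ad_compliance joined|left <ruleset list>" >&2; return 2 ;;
    esac
    if [ "$actual" = "$expected" ]; then
        echo "COMPLIANT: activeDirectoryAll enabled=$actual matches intent '$intent'"
        return 0
    fi
    echo "NONCOMPLIANT: activeDirectoryAll enabled=$actual, intent '$intent' needs enabled=$expected"
    echo "remediate on the host with:"
    echo "  esxcli network firewall ruleset set --ruleset-id activeDirectoryAll --enabled $expected"
    return 1
}

# Constructed sample of `esxcli network firewall ruleset list` output.
SAMPLE_LIST='Name                  Enabled
--------------------  -------
sshServer                true
vSphereClient            true
activeDirectoryAll      false
ntpClient                true'

# Demo 1: the profile joins the host to a domain, but the ruleset is still
# disabled; this is the mismatch the vSphere Client reports.
check_ad_compliance joined "$SAMPLE_LIST" || :

# Demo 2: the profile instead makes the host leave the domain; the disabled
# ruleset now agrees with the intent.
check_ad_compliance left "$SAMPLE_LIST"

# On a live ESXi host, feed the real listing instead of the sample, e.g.:
#   check_ad_compliance joined "$(esxcli network firewall ruleset list)"
```

The script only reports and prints the remediation; it deliberately does not run esxcli network firewall ruleset set itself, because changing the host's firewall state without also updating the host profile reproduces the mismatch the page describes. Fix the profile as in the steps above, then use the check to confirm the host agrees with it.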