By default, you can create local user accounts and roles on your VMware ESXi hypervisor and grant them permissions on its various objects (host, virtual machines, and so on).
However, if you are in a Microsoft environment, you most likely have Active Directory infrastructure in your company network with users and groups already created.
Rather than also managing local user accounts on your VMware ESXi hypervisor, you can link it to your Active Directory infrastructure and thus grant permissions to various Active Directory users and/or groups.
Joining a VMware ESXi hypervisor to an Active Directory infrastructure will allow you to :
To get started, you will need an Active Directory domain controller.
To do this, refer to our "WS 2016 - AD DS - Create an Active Directory domain controller (new AD domain)" tutorial.
In our case, we have a domain controller (DC) whose NETBIOS name is "ad" and the Active Directory domain is "informatiweb.lan".
With VMware products, it's recommended that you also create the reverse lookup zone on your DNS server.
For example, with "VMware vCenter Server Appliance" (VCSA), if its installer is not able to know the associated DNS name (FQDN) from its IP address, the installation will fail.
Source : DNS Requirements for the vCenter Server Appliance and Platform Services Controller Appliance.
If your DNS server was installed automatically by installing the "Active Directory Domain Services" role, this zone doesn't exist by default.
So, you will have to create it.
To do this, refer to our procedure : Create a reverse lookup zone (IP address -> domain).
For the steps concerning the replication of this reverse DNS zone through the Active Directory, you can leave the options selected by default (if you don't know which option to select).
Once the reverse lookup zone is created, this is what you will have.
To have the reverse lookup zone pointers (PTRs) created for all the DNS records in your forward lookup zone, double-click each record in turn.
Note that you can only create pointers (PTRs) for DNS type "A" (IPv4) and "AAAA" (IPv6) records.
Check the "Update associated pointer (PTR) record" box and click OK.
If the box is already checked, uncheck this box, click "Apply", then check this box again and click OK.
Now, the associated pointer (PTR) has been created in the reverse lookup zone.
Now, the pointers corresponding to the type "A" or "AAAA" records of the forward lookup zone have been created in the reverse lookup zone.
To avoid authentication problems, it's strongly recommended to synchronize the time of your hypervisor(s) with the NTP server present in your Active Directory infrastructure.
When you install Active Directory Domain Services (AD DS), a time server is automatically installed on your domain controller.
To configure the date and time synchronization of your VMware ESXi hypervisor with your NTP server, go to "Host -> Manage -> System -> Time & date" and click "Edit settings".
Select "Use Network Time Protocol (enable NTP client)", select "Start and stop with host" and specify the IP address of the domain controller in your Active Directory infrastructure, then click Save.
Important : if you have multiple domain controllers in your Active Directory infrastructure, be sure to provide the IP address of the domain controller with the "PDC emulator (Primary Domain Controller emulator)" FSMO role.
Once the IP address of the NTP server has been added, you will see it appear in the "NTP servers" line.
However, as you can see, the NTP service is currently stopped.
In order for your VMware ESXi hypervisor to automatically synchronize its clock from your NTP server, you will need to start the "ntpd" service (NTP Daemon) from the "Services" tab.
The "The service ntpd was successfully started" message appears.
Now, if you go back to the "System -> Time & date" tab, you will see that the NTP service is running.
In order for your VMware ESXi hypervisor to find the Active Directory domain that you want to join, you must change its DNS configuration.
To do this, go to : Networking -> TCP/IP stacks.
Then, select the "Default TCP/IP stack" and click "Edit settings".
By default, your hypervisor host name is "localhost" and probably only one DNS server is configured.
To join an Active Directory domain, edit the following information :
Then, click on : Save.
The "Successfully updated configuration for Default TCP/IP stack" message appears.
If you go to the "Host" menu, you will see that your hypervisor is now called "esxi.informatiweb.lan".
Note that if you refresh the page, this name will also appear in the tab name.
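The NTP and DNS steps above can also be done in one pass from a Windows administration workstation with VMware PowerCLI. The script below is an added example, not code from the InformatiWeb tutorial or from VMware: it looks up the PDC emulator of "informatiweb.lan" itself (the PDC emulator is the authoritative clock of the domain, which is why the tutorial insists on it, and Kerberos rejects tickets when the clock skew exceeds five minutes), verifies that a PTR record exists for that domain controller before touching the host, then configures the NTP server, the ntpd service and the TCP/IP stack exactly as the UI steps do. The current IP address of the hypervisor is a placeholder (the page does not give it), and the script assumes the ActiveDirectory RSAT module and the VMware.PowerCLI module are installed on the workstation.

```powershell
# Added example (not from the tutorial): NTP + DNS configuration of an ESXi host
# with PowerCLI, with the prerequisite checks the tutorial asks you to do by hand.
# Assumptions: run from a domain-joined Windows machine that has the ActiveDirectory
# and VMware.PowerCLI modules; $EsxiAddress is a placeholder for the host's current IP.
param(
    [string]$EsxiAddress = 'ESXI-IP-PLACEHOLDER',   # current IP of the hypervisor (placeholder)
    [string]$DomainName  = 'informatiweb.lan',      # AD domain used in the tutorial
    [string]$NewHostName = 'esxi'                   # short name; FQDN becomes esxi.informatiweb.lan
)

Import-Module ActiveDirectory
Import-Module VMware.PowerCLI

# 1. Find the PDC emulator: the domain's authoritative time source and the one
#    the tutorial tells you to use when there are several domain controllers.
$pdc   = (Get-ADDomain -Identity $DomainName).PDCEmulator
$pdcIp = (Resolve-DnsName -Name $pdc -Type A -ErrorAction Stop |
          Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress

# 2. The tutorial requires a reverse lookup zone: refuse to continue without a PTR for the DC.
$ptr = Resolve-DnsName -Name $pdcIp -Type PTR -ErrorAction SilentlyContinue
if (-not $ptr) {
    throw "No PTR record for $pdcIp ($pdc): create the reverse lookup zone and its pointers first."
}

$vi     = Connect-VIServer -Server $EsxiAddress -Credential (Get-Credential -Message 'ESXi root credentials')
$vmhost = Get-VMHost -Server $vi

# 3. NTP: register the PDC emulator, make ntpd start and stop with the host, start it now.
Add-VMHostNtpServer -VMHost $vmhost -NtpServer $pdcIp -ErrorAction SilentlyContinue | Out-Null
$ntpd = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'ntpd' }
Set-VMHostService -HostService $ntpd -Policy On | Out-Null      # "Start and stop with host"
if (-not $ntpd.Running) { Start-VMHostService -HostService $ntpd | Out-Null }

# 4. DNS on the default TCP/IP stack: host name, domain, DNS server (the DC) and search domain.
$net = Get-VMHostNetwork -VMHost $vmhost
Set-VMHostNetwork -Network $net -HostName $NewHostName -DomainName $DomainName `
    -DnsAddress $pdcIp -SearchDomain $DomainName | Out-Null

# 5. Re-read the host state so the report reflects what was actually applied.
$net  = Get-VMHostNetwork -VMHost $vmhost
$ntpd = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'ntpd' }
[pscustomobject]@{
    HostName    = $net.HostName
    DomainName  = $net.DomainName
    DnsAddress  = ($net.DnsAddress -join ',')
    NtpServers  = ((Get-VMHostNtpServer -VMHost $vmhost) -join ',')
    NtpdRunning = $ntpd.Running
    NtpdPolicy  = $ntpd.Policy
}

Disconnect-VIServer -Server $vi -Confirm:$false
```

Run it as `.\Set-EsxiAdPrereqs.ps1 -EsxiAddress <current IP>` (the file name is yours to choose); the final object should show `HostName = esxi`, `DomainName = informatiweb.lan`, `NtpdRunning = True` and `NtpdPolicy = On`, which is the state the screenshots in the tutorial describe. Because the script connects to the host by IP address, renaming it to "esxi.informatiweb.lan" does not break the session.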
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.