From the VMware vSphere Client of your VMware vCenter Server (VCSA), you can join your VMware ESXi host to an Active Directory domain to benefit from Active Directory authentication for this host, but also be able to use Kerberos authentication in the case of an NFS 4.1 database.
However, joining a VMware ESXi host to an existing Active Directory domain requires some prerequisites.
So that the join to a domain can succeed the first time and the authentication can work correctly, it is strongly recommended to synchronize the clock of your VMware ESXi host with the time server (NTP) present by default on your controller. domain.
Important : if you have multiple Active Directory domain controllers, specify the IP address of the domain controller with the FSMO role "PDC emulator (Primary Domain Controller emulator)".
To do this, select your VMware ESXi host and go to “Configure -> System -> Time Configuration”.
Then, click: Edit.
In the “Edit Time Configuration” window that appears:
Then click OK.
Clock synchronization from your NTP server has been enabled.
If you go to "Configure -> System -> Services", you will see that your VMware ESXi host's "NTP Daemon" service is running and is configured to start and stop with the host.
For your host to find your Active Directory domain, it must use the IP address of your local DNS server as its preferred DNS server.
To do this, select your VMware ESXi host and go to "Configure -> Networking -> TCP/IP configuration".
Next, select the "Default" TCP/IP stack and verify that:
If not, make sure you have selected the "Default" TCP/IP stack and click "Edit".
In the "DNS configuration" section, specify:
By default, all VMware ESXi hosts are configured to grant administrator rights to the "ESX Admins" Active Directory group (if one exists).
To use this option, launch the "Active Directory Users and Computers" console on your Active Directory domain controller and right-click "New -> Group" on the "Users" folder.
Create a security group named "ESX Admins".
Warning : this name is important. Don't change it.
Once this group is created, add the desired Active Directory users to this group.
In our case, we add the Active Directory domain administrator.
Once the desired users have been added to this group, click OK.
Note that the Active Directory group name is a default found in the advanced settings of your VMware ESXi host.
To see it, select your host and go to: Configure -> System -> Advanced System Settings.
In the long list that appears, you will find in particular the advanced setting "Config.HostAgent.plugins.hostsvc.esxAdminsGroup".
As you can see, the default is "ESX Admins" and this setting is the name of the Active Directory group that is automatically assigned administrator privileges on the ESX.
Now that your VMware ESXi host is properly configured, go to "Configure -> System -> Authentication Services" and click: Join Domain.
In the "Join Domain" window that appears, enter the Active Directory domain name you want to join and select "Using credentials."
Next, specify the credentials of an account authorized to join machines to your Active Directory domain.
In our case, we will use the domain administrator:
Wait 30 seconds and your server will have joined your Active Directory domain.
You will see your domain name appear in this "Authentication Services" section and you will also see the tasks below appear in recent tasks:
If you go to "Configure -> System -> Services", you will see that the "Active Directory Services" service is running.
If you go to "Configure -> System -> Firewall", you will be able to find out the ports used by your VMware ESXi host for incoming and outgoing connections with Active Directory.
On your Active Directory domain controller, you will see that a new computer object (corresponding to your VMware ESXi host) has been created.
From the VMware vSphere Client, you can only manage permissions that refer to users created on your VMware vCenter Server (VCSA).
Because this is the host that you joined to your Active Directory domain, you can only configure permissions for Active Directory users from your VMware ESXi host.
If you want to add Active Directory permissions on VMware vCenter Server (VCSA), it is the VMware vCenter Server (VCSA) server that you must join to your Active Directory domain.
To do this, refer to our tutorial: VMware vSphere 6.7 - Join vCenter Server to an Active Directory domain.
Log in as "root" to the web interface of your VMware ESXi host and go to: Host -> Manage -> Security & users -> Authentication.
As you can see, your VMware ESXi host is joined to your Active Directory domain.
To manage permissions on your VMware ESXi host, go to "Host" and click: Actions -> Permissions.
In the "Manage Permissions" window that appears, you will see the Active Directory group "ESX Admins" appear under the name "[NETBIOS domain name]\esx^admins" with an "Administrator" role (if this group is Active Directory exists).
As previously stated, this will allow you to connect to the web interface of your VMware ESXi host with a user account from your Active Directory.
In our case, the domain "Administrator" account joins.
To manage users and permissions on your VMware ESXi host, refer to step "9. Configure permissions for Active Directory (AD) users" in our tutorial for joining a VMware ESXi host to an Active Directory domain.
VMware 8/24/2022
VMware 8/3/2022
VMware 9/2/2022
VMware 3/20/2024
Pinned content
Contact
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.
You must be logged in to post a comment