You can configure ESXi hosts to use Active Directory, which can then be used to manage users and groups. You can join a host to the domain using an AD account that has the necessary permissions. Other pre-requisites are that DNS should be configured correctly for your hosts, and time synchronisation should be in place for the host(s) and the directory servers.
You can add a host to a domain either by specifying the fully qualified domain name alone, in which case the host’s computer object will be created in the default container in Active Directory, or you can specify the OU. For example: vmlab.loc/hosts/esxi.
Joining an ESXi Host to Active Directory
To add a host, navigate to the host’s configuration tab, then Authentication Services. Click the properties link under the ‘Directory Services Configuration’ section. Change the drop down menu from ‘Local Authentication’ to ‘Active Directory’ and enter the other necessary details:
When ready, click the Join Domain button, and enter the details of an account with permissions to join the host to AD:
Once added, a computer object for the host will be created in Active Directory:
When a host is joined to Active Directory you can assign AD users and groups permissions on the host. For example, on this host I have added ‘administrator@vmlab.loc’ to the host, with administrator permissions:
The ‘ESX Admins’ Group
By default, when you add an ESXi 5 host to Active Directory, the host will query AD for the existence of a group called ‘ESX Admins’. If this group exists it will be given administrator permissions on the host, by extension granting administrator permissions to all users that are members of the group.
The ESX Admins group is not created automatically. If it doesn’t exist the host will be joined to AD but then accounts/groups will have to be granted permissions manually.
Leaving a Domain
To set the host back so that it will use local authentication only, click the ‘Leave Domain’ button in the ‘Directory Services Configuration’ window. You will be given a warning that all AD permissions will be removed from the host:
Joining a Host to a Domain using PowerCLI
It’s possible to script joining hosts to a domain using PowerCLI. The cmdlet for joining a domain is the Set-VMHostAuthentication cmdlet:
Get-VMHostAuthentication -VMHost | Set-VMHostAuthentication -Domain -User -Password -JoinDomain -Confirm:$false