
Manage Active Directory Integration for ESXi

by admin

You can configure ESXi hosts to use Active Directory, which can then be used to manage users and groups. You can join a host to the domain using an AD account that has the necessary permissions (by default, any domain user can join up to ten computers; a delegated join account is the cleaner option). Other pre-requisites are that DNS should be configured correctly for your hosts (the host must be able to resolve the domain and locate its domain controllers), and time synchronisation should be in place for the host(s) and the directory servers, because Kerberos rejects tickets when clocks differ by more than the domain's tolerance, which is five minutes by default.

You can add a host to a domain either by specifying the fully qualified domain name alone, in which case the host’s computer object will be created in the default container in Active Directory, or you can specify the OU. For example: vmlab.loc/hosts/esxi.

Joining an ESXi Host to Active Directory

To add a host, navigate to the host’s configuration tab, then Authentication Services. Click the properties link under the ‘Directory Services Configuration’ section. Change the drop down menu from ‘Local Authentication’ to ‘Active Directory’ and enter the other necessary details:

directory-services-integration-esxi

When ready, click the Join Domain button, and enter the details of an account with permissions to join the host to AD:

esxi-join-domain

Once added, a computer object for the host will be created in Active Directory:

esxi-ad-computer-object

When a host is joined to Active Directory you can assign AD users and groups permissions on the host. For example, on this host I have added ‘administrator@vmlab.loc’ to the host, with administrator permissions:

local-permissions-ad-esxi

The ‘ESX Admins’ Group

By default, when you add an ESXi 5 host to Active Directory, the host will query AD for the existence of a group called ‘ESX Admins’. If this group exists it will be given the Administrator role on the host, by extension granting administrator permissions to all users that are members of the group. Note that the host identifies the group by name only, so whoever controls a group with that name in the domain controls every joined host; the name the host looks for is governed by the advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup, which you can point at a group you manage deliberately.

The ESX Admins group is not created automatically. If it doesn’t exist the host will still be joined to AD, but accounts/groups will have to be granted permissions manually.

Leaving a Domain

To set the host back so that it will use local authentication only, click the ‘Leave Domain’ button in the ‘Directory Services Configuration’ window. You will be given a warning that all AD permissions will be removed from the host:

esxi-leave-domain

Joining a Host to a Domain using PowerCLI

It’s possible to script joining hosts to a domain using PowerCLI. The cmdlet for joining a domain is Set-VMHostAuthentication, which takes the authentication object returned by Get-VMHostAuthentication on the pipeline (the angle-bracket values below are placeholders for your own host, domain and join account):

Get-VMHostAuthentication -VMHost <host> | Set-VMHostAuthentication -Domain <domain> -User <user> -Password <password> -JoinDomain -Confirm:$false
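The script below is an added example, not code from the original post or from VMware's own material. It scripts the whole procedure described on this page (the domain join from the PowerCLI section, and the ‘ESX Admins’ behaviour from the section above): it joins each host, replaces the implicit ‘ESX Admins’ lookup with an explicitly named group, and grants that group the Administrator role in the host's own local permissions. Host names (esxi01/esxi02.vmlab.loc), the OU path vmlab.loc/hosts/esxi and the AD group VMLAB\ESXi-Host-Admins are assumptions; the advanced setting names and the -Credential parameter of Set-VMHostAuthentication are as documented for ESXi 5.x/PowerCLI, but verify them against your build.

```powershell
# Added example (not from the original post): join ESXi hosts to AD, stop trusting any group that
# happens to be called 'ESX Admins', and grant a deliberately chosen AD group Administrator on each host.
# Assumed names: esxi01/esxi02.vmlab.loc, OU path vmlab.loc/hosts/esxi, AD group VMLAB\ESXi-Host-Admins.
Import-Module VMware.PowerCLI

$hostNames   = 'esxi01.vmlab.loc', 'esxi02.vmlab.loc'
$domainPath  = 'vmlab.loc/hosts/esxi'      # FQDN alone would create the computer object in the default container
$adGroup     = 'VMLAB\ESXi-Host-Admins'    # DOMAIN\group is the principal format for host-local permissions
$adGroupName = 'ESXi-Host-Admins'          # bare group name, as the esxAdminsGroup setting expects

# Prompt for both credentials rather than passing -Password on the command line,
# where it ends up in shell history and transcripts.
$rootCred = Get-Credential -Message 'ESXi root (or another local administrator)'
$joinCred = Get-Credential -Message 'AD account permitted to join computers to the domain'

foreach ($name in $hostNames) {
    # Host-local permissions (the ones on the host's Permissions tab) can only be set when
    # connected directly to the host; a connection via vCenter would create vCenter permissions instead.
    $srv    = Connect-VIServer -Server $name -Credential $rootCred
    $vmhost = Get-VMHost -Server $srv

    # 1. Join the domain if the host is not already a member.
    $auth = Get-VMHostAuthentication -VMHost $vmhost -Server $srv
    if ($auth.DomainMembershipStatus -ne 'Ok') {
        $auth | Set-VMHostAuthentication -Domain $domainPath -Credential $joinCred `
                                         -JoinDomain -Confirm:$false | Out-Null
    }

    # 2. The host grants Administrator to whichever AD group is named in esxAdminsGroup ('ESX Admins'
    #    by default) purely by name. Point it at our own group and disable the automatic grant, so the
    #    only Administrator permission on the host is the explicit one created in step 3.
    Get-AdvancedSetting -Entity $vmhost -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup' -Server $srv |
        Set-AdvancedSetting -Value $adGroupName -Confirm:$false | Out-Null
    Get-AdvancedSetting -Entity $vmhost -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd' -Server $srv |
        Set-AdvancedSetting -Value $false -Confirm:$false | Out-Null

    # 3. Grant the intended AD group the host's built-in 'Admin' role, propagating to child objects.
    $adminRole = Get-VIRole -Name 'Admin' -Server $srv
    $existing  = Get-VIPermission -Entity $vmhost -Principal $adGroup -Server $srv -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-VIPermission -Entity $vmhost -Principal $adGroup -Role $adminRole -Propagate:$true -Server $srv | Out-Null
    }

    # 4. Report join state and every principal holding Administrator, so the result can be reviewed
    #    (an unexpected 'ESX Admins' entry here means the old implicit grant is still in place).
    $auth   = Get-VMHostAuthentication -VMHost $vmhost -Server $srv
    $admins = Get-VIPermission -Entity $vmhost -Server $srv |
                  Where-Object { $_.Role -eq 'Admin' } | ForEach-Object { $_.Principal }
    [pscustomobject]@{
        Host       = $name
        Domain     = $auth.Domain
        JoinStatus = $auth.DomainMembershipStatus
        Admins     = ($admins -join ', ')
    }

    Disconnect-VIServer -Server $srv -Confirm:$false
}
```

Run it from a PowerCLI session with no prior connections, so that the -Server parameters unambiguously target each host. Step 2 is the part a reviewer should insist on: the join alone leaves the host trusting a group it does not control, and the explicit permission in step 3 is what should survive an audit.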

Useful Links and Resources

https://pubs.vmware.com/vsphere-50/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc_50%2FGUID-A61A8FA4-A4AF-475C-860E-3FD8947F0D0B.html

https://blogs.vmware.com/PowerCLI/2013/04/joining-esxi-hosts-to-a-domain-and-granting-permissions-with-powercli.html

https://blog.pluralsight.com/esxi-host-windows-domain
