Configure VMware ESXi 4.1 for Active Directory Integration
By now you’re sure to have heard that vSphere 4.1 offers the ability to use Active Directory for authentication. This is something that has been on people’s wish lists for some time now. There were some hacks to make this work on the previous versions, but they were a use-at-your-own-risk option. With AD integration you can use your normal domain user accounts that already possess admin rights to authenticate with your ESX servers. This will help keep things in sync and keep you from having to manually create local accounts on your ESX hosts. If you were just using Virtual Center (or vCenter Server, its new name), it has always been able to use Active Directory for authentication.
There are a couple of different ways that you can enable AD integration (vSphere client, vCLI, scripting or Host Profiles). In this post I will cover the method through the vSphere client.
Pre Step: On Active Directory you must create a new group called “ESX Admins”. It must be that exact spelling. Then add users to this group and you can connect with AD credentials. Because every member of that group gets administrator access on each host that joins the domain, keep its membership tight. You can also give permissions directly to someone’s user ID, although this would not be the best way.
Step 1: Connect to your host directly with the vSphere client. You are also supposed to be able to do this same method when connecting to vCenter Server, but I have heard mixed results. I will try once my console is updated to vCenter 4.1. You then need to click on the Configuration tab. Then select “Advanced Services” from the Software box on the lower left. Then click on the “Properties” link that is shown in the picture below.
Step 2: You will be presented with the Directory Services Configuration window shown below. In the “Service Type” drop-down you will need to select “Active Directory”. Then, in the Domain field, type in the name of the domain that you will be connecting to. The next step is to click the “Join Domain” button, and you will be presented with the authentication window shown in the next step.
Step 3: In this part you need to enter credentials that will allow you to connect and join the ESXi host to the domain. You can enter your credentials in the format listed below (Domain\user) or use this format (email@example.com). I had more luck using the second option.
Step 4: After successfully entering your logon ID your ESXi host is added to the Domain. You can see from the image below my host was added to the default computer container since I did not specify another OU for them to be placed into.
Step 5: Now that your VMware host has been added to the domain you can add users or groups on the Permissions tab. You can see below that once you are in the Permissions area you right-click and select “Add Permission”.
Step 6: In this step the Assign Permissions window has opened and you need to select the Administrator role from the section pointed out in the image below. Then click the Add button on the left side to pick your User or Group from the Active Directory connection.
Step 7: You first must select your Domain from the domain drop-down list at the top of the window shown below.
Step 8: Once you have selected the Domain that you integrated with you will be presented with a list of Users and Groups. Select your User/Group, press the Add button and then click OK.
Step 9: Now that you have added your Domain account or group you will see it in the list of users as shown below.
Step 10: Once you have completed the steps above you will be able to close your vSphere Client connection and connect back using your newly configured Active Directory integration. Again you have two ways to enter your Domain credentials (Domain\user or firstname.lastname@example.org).
Step 11: Once you have logged in with your domain credentials you will be able to see in the lower right corner of the vSphere Client that you have authenticated with a Domain account.
Step 12: Now the next step was to see in which ways I could use the new AD integration. From the picture below you can see that I was able to use the Domain logon to authenticate to ESXi 4.1 TSM (Tech Support Mode) from the console and from a remote SSH connection. I was able to use my ID in the format shown below to authenticate but did not have any luck using the Domain\user format for this type of logon. This may have just been something in my lab, so your mileage may vary.
Step 13: Lastly I wanted to see if I could authenticate to the DCUI (Direct Console User Interface) of ESXi 4.1 using a Domain account. I was not able to have any success logging into the DCUI with the AD account using either format listed earlier, which is kind of weird since I was able to use the AD logon for the TSM login from the console. If you had different results from this, leave me a comment with what you did differently; I would love to hear.
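As an added example (not the post’s own code) of the scripting route mentioned at the top, the same join and permission steps done with VMware PowerCLI, followed by an audit of which principals actually hold the Administrator role on each host. The domain name, the group’s NetBIOS prefix and the environment (PowerCLI 4.1 or later, already connected with Connect-VIServer) are assumptions.

```powershell
# Added example, not from the original post: scripted version of Steps 1-9
# plus an audit. Placeholders below must be replaced with your own values.
$Domain     = 'corp.example.com'     # placeholder: your AD domain
$AdminGroup = 'CORP\ESX Admins'      # the group name must be exactly "ESX Admins"
$JoinCred   = Get-Credential         # account allowed to join computers to the domain

foreach ($vmhost in Get-VMHost) {
    $auth = Get-VMHostAuthentication -VMHost $vmhost

    # Steps 2-4: join only hosts that are not already healthy domain members.
    if ($auth.DomainMembershipStatus -ne 'Ok') {
        Set-VMHostAuthentication -VMHostAuthentication $auth -Domain $Domain `
            -JoinDomain -Credential $JoinCred -Confirm:$false | Out-Null
    }

    # Steps 5-9: grant the Administrator role ("Admin" in the API) to the AD
    # group, but only once so re-runs stay idempotent.
    $existing = Get-VIPermission -Entity $vmhost |
        Where-Object { $_.Principal -eq $AdminGroup }
    if (-not $existing) {
        New-VIPermission -Entity $vmhost -Principal $AdminGroup `
            -Role (Get-VIRole -Name 'Admin') -Propagate:$true | Out-Null
    }
}

# Audit: list every principal holding Admin on each host. A principal without a
# DOMAIN\ prefix is a local ESXi account, which is what AD integration was meant
# to let you retire, so those rows deserve a second look.
Get-VMHost | ForEach-Object {
    $h = $_
    $joined = (Get-VMHostAuthentication -VMHost $h).Domain
    Get-VIPermission -Entity $h | Where-Object { $_.Role -eq 'Admin' } | ForEach-Object {
        New-Object PSObject -Property @{
            Host      = $h.Name
            Domain    = $joined
            Principal = $_.Principal
            IsGroup   = $_.IsGroup
            LocalAcct = ($_.Principal -notmatch '\\')
        }
    }
} | Format-Table Host, Domain, Principal, IsGroup, LocalAcct -AutoSize
```

Run the audit half on its own periodically; a host whose Domain column is empty or whose Admin list still contains local accounts is drifting from the setup described above.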
Lastly, I will be trying some of the other methods that I listed at the beginning for setting up the AD integration when I have some time. I will be sure to link them to this article. If you are curious you can see a very simplified version of this in the VMware KB article.
About Brian Suhr
Brian is a VCDX5-DCV and a Sr. Tech Marketing Engineer at Nutanix and owner of this website. He is active in the VMware community and helps lead the Chicago VMUG group. Specializing in VDI and Cloud project designs. Awarded VMware vExpert status 6 years for 2016 - 2011. VCP3, VCP5, VCP5-Iaas, VCP-Cloud, VCAP-DTD, VCAP5-DCD, VCAP5-DCA, VCA-DT, VCP5-DT, Cisco UCS Design