Configure VMware ESXi 4.1 for Active Directory Integration

Posted by on July 24, 2010 in VMware, vSphere | 18 comments

By now you’re sure to have heard that vSphere 4.1 offers the ability to use Active Directory for authentication. This is something that has been on people’s wish lists for some time now. There were some hacks to make this work on the previous versions, but they were a use-at-your-own-risk option. With AD integration you can use your normal domain user accounts that already possess admin rights to authenticate with your ESX servers. This will help keep things in sync and keep you from having to manually create local accounts on your ESX hosts. If you were just using Virtual Center (or vCenter Server, its new name), it has always been able to use Active Directory for authentication.

There are a couple of different ways that you can enable AD integration (vSphere client, vCLI, scripting or Host Profiles). In this post I will cover the method through the vSphere client.

Pre Step: On Active Directory you must create a new group called “ESX Admins”. It must be that exact spelling. Then add users to this group and you can connect with AD credentials. You can also give permissions directly to someone’s user ID, although this would not be the best way.

Step 1: Connect to your host directly with the vSphere client. You are also supposed to be able to do this same method when connecting to vCenter Server, but I have heard mixed results. I will try once my console is updated to vCenter 4.1. You then need to click on the Configuration tab. Then select the “Advanced Services” selection from the Software box on the lower left. Then you click on the “Properties” link that is shown in the picture below.

Step 2: You will be presented with a Directory Services Configuration window that is shown below. In the “Service Type” drop-down you will need to select “Active Directory”. Then, in the Domain field, you need to type in the name of the domain that you will be connecting to. The next step is to click the “Join Domain” button and you will be presented with an authentication window shown in the next step.

Step 3: In this part you need to enter credentials that will allow you to connect and join the ESXi host to the domain. You can enter your credentials in the format listed below (Domain\user) or use this format (administrator@test.com). I had more luck using the second option.

Step 4: After successfully entering your logon ID your ESXi host is added to the Domain. You can see from the image below my host was added to the default computer container since I did not specify another OU for them to be placed into.

Step 5: Now that your VMware host has been added to the domain you can add users or groups on the Permissions tab. You can see below that once on the Permissions area you right-click and select “Add Permission”.

Step 6: In this step the Assign Permissions window has opened and you need to select the Administrator role from the section pointed out in the image below. Then click the Add button on the left side to pick your User or Group from the Active Directory connection.

Step 7: You first must select your Domain from the domain drop down list at the top of the window shown below.

Step 8: Once you have selected the Domain that you integrated with you will be presented with a list of Users and Groups. You should select your User/Group and press the Add button and then click OK.

Step 9: Now that you have added your Domain account or group you will see it in the list of users as shown below.

Step 10: Once you have completed the steps above you will be able to close your vSphere Client connection and connect back using your newly configured Active Directory integration. Again you have two ways to enter your Domain credentials (Domain\user or user@domain.com).

Step 11: Once you have logged in with your domain credentials you will be able to see in the lower right corner of the vSphere Client that you have authenticated with a Domain account.

Step 12: The next step was to see which other ways I could use the new AD integration. From the picture below you can see that I was able to use the Domain logon to authenticate to ESXi 4.1 TSM (Tech Support Mode) from the console and from a remote SSH connection. I was able to use my ID in the format shown below to authenticate but did not have any luck using the Domain\user format for these types of logons. This may have just been something in my lab, so your mileage may vary.

Step 13: Lastly I wanted to see if I could authenticate to the DCUI (Direct Console User Interface) of ESXi 4.1 using a Domain account. I was not able to have any success logging into the DCUI with the AD account using either format listed earlier, which is kind of weird since I was able to use the AD logon for the TSM login from the console. If you had different results from this, leave me a comment with what you did differently; I would love to hear it.

Lastly I will be trying some of the other methods that I listed at the beginning for setting up the AD integration when I have some time. I will be sure to link them to this article. If you are curious you can see a very simplified version of this in the VMware KB article.
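For the scripting route mentioned above, here is an added PowerCLI example (not from the original post or from VMware) that performs the same Steps 2 through 9 against one host and then lists who holds the Administrator role, so that grants made directly to a user ID rather than to the “ESX Admins” group stand out. The host name, domain and the LAB NetBIOS prefix are placeholders; PowerCLI 4.1 or later is assumed.

```powershell
# Added example, not the post's own code. Assumes PowerCLI 4.1+ and that
# esxi01.lab.example.com / lab.example.com / LAB are placeholders for your environment.
param(
    [string]$HostName = 'esxi01.lab.example.com',   # placeholder ESXi host
    [string]$Domain   = 'lab.example.com',          # placeholder AD domain (Step 2)
    [string]$AdGroup  = 'LAB\ESX Admins'            # the group the post says must exist
)

# Step 1: connect directly to the host with the local root account (password prompt).
$rootCred = Get-Credential 'root'
Connect-VIServer -Server $HostName -Credential $rootCred | Out-Null
$vmhost = Get-VMHost -Name $HostName

# Steps 2-3: join the domain with an AD account allowed to create computer objects.
# Use the user@domain form, which the post reports worked more reliably.
$joinCred = Get-Credential
$auth = Get-VMHostAuthentication -VMHost $vmhost
if ($auth.DomainMembershipStatus -ne 'Ok') {
    Set-VMHostAuthentication -VMHostAuthentication $auth -JoinDomain `
        -Domain $Domain -Credential $joinCred | Out-Null
}

# Step 4: confirm the join actually succeeded before granting anything.
$auth = Get-VMHostAuthentication -VMHost $vmhost
"Domain: {0}  Membership status: {1}" -f $auth.Domain, $auth.DomainMembershipStatus

# Steps 5-9: give the Administrator role to the AD group, not to individual users.
$perms = Get-VIPermission -Entity $vmhost
if (-not ($perms | Where-Object { $_.Principal -eq $AdGroup })) {
    New-VIPermission -Entity $vmhost -Principal $AdGroup -Role Admin -Propagate:$true | Out-Null
}

# Review: every Administrator grant on this host. A principal with IsGroup = False
# is a direct user-ID grant, the shortcut the post advises against.
Get-VIPermission -Entity $vmhost |
    Where-Object { $_.Role -eq 'Admin' } |
    Select-Object Principal, IsGroup, Propagate |
    Format-Table -AutoSize

Disconnect-VIServer -Server $HostName -Confirm:$false
```

Run it once per host from a workstation with PowerCLI installed; the final table is the part worth keeping as a record of who can administer the host.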

About Brian Suhr

Brian is a VCDX5-DCV and a Sr. Tech Marketing Engineer at Nutanix and owner of this website. He is active in the VMware community and helps lead the Chicago VMUG group. Specializing in VDI and Cloud project designs. Awarded VMware vExpert status 6 years for 2016 - 2011. VCP3, VCP5, VCP5-Iaas, VCP-Cloud, VCAP-DTD, VCAP5-DCD, VCAP5-DCA, VCA-DT, VCP5-DT, Cisco UCS Design

18 Comments

  1. great tutorial. This helped out immensely. One important point is that I would create a step 1a: Within Active Directory you must create a new group called “ESX Admins”. It must be that exact spelling. Add users to that group and you can connect w/ AD credentials.

  2. Thanks for the note Kendrick, it was on my list of things to do.

    I appreciate the kind words as I have read your blog many times also.

  3. Would have been slick if single-sign-on worked with the Virtual Infrastructure client

  4. thanks a lot.. this article was great help.. have been trying this for 2 days..

  5. Hello, thank you for a good information. One thing I haven’t still found out is whether we can cache the authentication information for remote scripting. For instance, if we use ssh-agent to cache ssh passphrase, I could run a script from my system against so many ESX hosts to pull information automatically assuming all the ssh keys are set up properly.
    I would like to find out if we can do something similar with AD/Kerberos authentication. Can we run a script from my system using AD authentication without getting prompted for AD password against many ESX hosts who are part of AD? I really haven’t tried anything yet with ESX 4.1 and AD, but I thought some of you might have already tried it…. Any info would be appreciated. Thanks!

  6. I have the ESX Admins and it was automatically added to the ESXi host. I can login with the AD account Tech Support Mode, but cannot execute any commands. It is like logging in as a user level. I can see that ESX Admins has Administrator rights on the ESXi host?

    Also have you found a way to get the DCUI to work with the AD integration?

    • did you ever get this resolved cuz I have the same issue.

  7. Have 2 Host Servers. The first joined the Domain just as outlined no problems. The second keeps failing and generating the following error:
    “Errors in Active Directory operations”. Cannot seem to get past this.
    What am I doing wrong?

    • Do the servers have the time synchronized?

      Maybe one of the ESXi had the time similar to the DC, and the other one had a different time, preventing the AD authentication.

  8. I was able to login to the DCUI after everything rebooted.

  9. I have not run into that error. You have probably checked these already.

    DNS is working properly for the 2nd host
    It has a unique name?
    Could try creating the object in AD first then try to join it

  10. I used to use the esxcfg-auth command to get AD working on my ESX Hosts right up to ESX 4.0 (esxcfg-auth --enablead --addomain=(FQDN) --addc=(FQDN)), it seems that the ad commands are now gone in ESX 4.1. I was able to use esxcfg-auth --enablekrb5 --krb5realm=(put FQDN of your AD domain here) --krb5kdc=(put ad server name fully qualified here) --krb5adminserver=(put ad server name fully qualified here I used my PDC emulator role domain controller here). Check the krb5.conf file under etc. I create local accounts without passwords in my automated build script using the useradd command (useradd -m account name -g wheel -G adm). Once I add these users to the admin role I can login locally at the console using AD passwords on ESX 4.1
    I would rather use the method you have listed above but initial testing has not allowed me to get to the console using putty or directly to the console maybe I need to take out the local users that were added by the script and add in domain users.

  11. Sorry my post is for ESX not ESXi but I am still looking to authenticate to AD from the console using the new AD authentication packaged with ESX 4.1. If anyone has a link I can go to that would be great. As I posted earlier I have it working using kerberos5 but I would rather do it directly through AD if possible.

  12. Just FYI:
    When joining a domain you have to mask special characters, like the \ with a \. Probably because this is handled by a low level kernel function?
    Hence test\\administrator will work, but not test\administrator.

  13. I connect fine without needing a user to be in a group called ESX Admins. I added a Test group with a Test user in it and it worked wonderfully.

    Nice presentation at the San Fran VMworld, btw :)

  14. This is a good article on ESXi and AD from the integration point of view….

  15. I’m like most server admins too busy and not enough time to configure the small things! I got around to this and I appreciate your guide. It has helped me out a lot and I appreciate it. Thank you for taking the time to put together this guide.

  16. I realize this is an old post, however I wanted to confirm that by rebooting I am now able to access the DCUI using my domain credentials. Thanks Brian for this tip!

Trackbacks/Pingbacks

  1. Implementing the HyTrust Appliance – Part 2 « Notes from a Sysadmin - [...] VMware’s hypervisor can be joined to Active Directory, assuming you have a domain handy (see here and here for …
  2. Unable To Log Into VMware ESXi with Windows Credentials « Deobfuscate - [...] log into it with my Active Directory credentials. However, after setting it up per the following blog post I …
  3. ESXi Active Directory Integration « windowsmasher - [...] Configure VMware ESXi 4.1 for Active Directory Integration [...]
