2010-07-15

ESXi 4.1 Active Directory Integration

The previous post about what was new in vSphere 4.1 was a general overview with some slide shots. For all ye of little faith thinking that I was only going to post those screenshots with no details - Nuh-Uh!
I prefer to lay down the basics with screenshots, and then go into the details. You do have to cater for the whole spectrum of readers, from basic to advanced.

So without further ado - let's go into how you can add your ESXi server to the domain.

But why would you?

Well, actually there is a very simple reason - Security. One of the biggest problems is providing a single mechanism to authenticate yourself with the same credentials to all components of your infrastructure. With vCenter it is easy - since it is a domain member, all authentication is done through Active Directory. But going directly into the ESXi host is a different story altogether: you will have to either authenticate with local Linux credentials, or configure the authentication to be done by Active Directory - but for that you need a valid Linux user on the ESXi box.

(** Small note - since future versions of ESX will only be ESXi, I have decided that I will be using ESXi exclusively in my posts - unless the issue is directly related to the full ESX version.)

There are 4 ways of doing this:

  1. ESXi Host directly
  2. Host Profiles
  3. CLI
  4. Script

Before starting you need to make sure of a few things:

You have correct time synchronization between your ESX host and the domain controllers - this is a must. Kerberos is extremely picky when the time difference is off.

You have proper DNS resolution from the ESX host, and the name servers configured on it are correct.

Also, your ESX host has to have a FQDN - for example:

Hostname: esx1
Domain: maishsk.local
FQDN: esx1.maishsk.local

On the ESXi Host

Log into your host directly - NOT through vCenter. The documentation says:

[documentation screenshot]

I have found that if you do this on the vCenter server, the Properties option is grayed out and you cannot make the change.


Configuration Tab -> Authentication Services -> Properties


Enter the domain name in one of two ways: maishsk.local (default computer location) or maishsk.local/Computers/ESX (to put the computer account in the ESXi OU under the Computers container).


Click Join Domain, and you will be asked for domain credentials - this user has to have permissions to add computers to the domain. The format is either administrator@maishsk.local, MAISHSK\administrator, or just plain administrator.

Once that is done, you can see in the Active Directory Users and Computers console that you now have a new computer account.


To allow a user/group access to the ESXi host, you will have to define the permissions at the appropriate level.

In this case I gave the Domain Admins full access to the host.

Permissions -> Add Permission -> Administrators -> Add


From the Server field choose your domain and search for your user/group (remind anyone of vCenter?).


The user can now log in with their domain credentials.


*** Update ***

I would also like to point out what Raphael Schitz posted on his blog regarding the ESX Admins group and how this group automatically has access to the host just added to the domain. Thanks for pointing this out.

By default, the ESX host assigns the Administrator role to the "ESX Admins" group. If the group does not exist when the host joins the domain, the host will not assign the role. In this case, you must create the "ESX Admins" group in the Active Directory. The host will periodically check the domain controller for the group and will assign the role when the group exists.
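The CLI/Script options from the list above, as an added example that is not from the original post: a VMware PowerCLI (PowerShell) script that joins the host to the domain, grants Domain Admins the Administrator role as the GUI steps do, and then lists every principal holding Administrator on the host, which is where the automatically granted "ESX Admins" group shows up. Host name, OU path and group name are the post's sample values; PowerCLI must be installed and the account used for the join must be allowed to create computer objects.

```powershell
# Added example (not code from the original post): scripted equivalent of the
# vSphere Client steps, using VMware PowerCLI cmdlets.
$HostFqdn   = 'esx1.maishsk.local'
$JoinTarget = 'maishsk.local/Computers/ESX'   # or just 'maishsk.local' for the default container
$AdminGroup = 'MAISHSK\Domain Admins'

# Connect straight to the host (not through vCenter), as root.
Connect-VIServer -Server $HostFqdn -Credential (Get-Credential -Message 'ESXi root')
$vmhost = Get-VMHost -Name $HostFqdn

# Join the domain; administrator@maishsk.local or MAISHSK\administrator both work here.
$joinCred = Get-Credential -Message 'AD account allowed to add computers to the domain'
Get-VMHostAuthentication -VMHost $vmhost |
    Set-VMHostAuthentication -JoinDomain -Domain $JoinTarget -Credential $joinCred -Confirm:$false

# Confirm the host reports the domain and a membership status before going further.
Get-VMHostAuthentication -VMHost $vmhost | Select-Object Domain, DomainMembershipStatus

# "Permissions -> Add Permission -> Administrators -> Add" at the host level.
$adminRole = Get-VIRole -Name Admin
New-VIPermission -Entity $vmhost -Principal $AdminGroup -Role $adminRole -Propagate:$true

# Audit: who holds Administrator on this host? "ESX Admins" appears here on its
# own once that AD group exists, so its membership needs the same scrutiny as
# anything you granted deliberately.
Get-VIPermission -Entity $vmhost |
    Where-Object { $_.Role -eq 'Admin' } |
    Select-Object Principal, IsGroup, Propagate

Disconnect-VIServer -Server $HostFqdn -Confirm:$false
```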

11 comments:

raphael schitz said...

I just found that ESXi automatically tries to grant the "ESX Admins" AD group: http://www.hypervisor.fr/?p=2292

Jason Boche said...

Great article!
Can you update your blog post with this caveat?
http://www.hypervisor.fr/?p=2292

Josian25 said...

I'm having the same problem. I'm almost certain my problem is with our AD forest using single-label names.

GeorgeD said...

Does this allow you to login to SSH or the console via domain login? I have tried a few different formats with no success:
domain\username
username
username@domain

Hayes Whitt said...

How do you keep the root user from logging onto the host with VSphere? Set the root user account to read-only or disable?

Maish said...

I don't - the way to protect the root user is by securing the password, and giving it only to the people that need to know.
There could perhaps be other ways that I am not aware of.

Hayes Whitt said...

heh... so I locked myself out of the host.
I was able to log in for a while with my AD account, then the vSphere Client started giving me a password error. The root account also had no control over the hypervisor host, but could run the VMs. I got in with ssh and reset the passwords, tried unjoining the domain with the vCLI, all failed... finally I had to reset the ESXi host to factory defaults from the host's keyboard. Easy enough to reconfigure the profile, but not sure what I did to cause a lockout, after I had been successfully logging in.... AD is so sneaky... I created a new ESX Admin account on the AD server.. following some online guide... any pointers you might have are appreciated!

Hayes Whitt said...

ah, i see the update now!

MB said...

I have a static entry created for the ESX host like hostname.corp.xxx. When I tried to add the ESXi 5.0 host to the domain I got the following error message: "The specified domain either doesn't exist or could not be contacted". Can this host be added to the AD domain without reconfiguring the static DNS entry?

Tbennett said...

Yes, you can add the host to AD's DNS. When are you getting this error? From the ESXi host when trying to join the AD domain, or from the AD server? Looks like from the ESXi host. If from the ESXi host, check the hosts file and the DNS settings to ensure there are no typos.

Celia Cristaldo said...

Could the ESXi server be added to the vCenter inventory using an administrative credential from AD?