Configuring Active Directory Authentication and Permissions for ESXi from UI
search cancel

Configuring Active Directory Authentication and Permissions for ESXi from UI

book

Article ID: 316623

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

This article provides steps to add an ESXi host to an Active Directory domain and to provide permissions to AD users. 

Environment

ESXi

Resolution


To add an ESXi host to the Active Directory using vSphere Client (HTML5):

  1. Confirm the ESXi host is synchronizing time with the Active Directory Domain controller. For more information, see Synchronizing ESXi/ESX time with a Microsoft Domain Controller.
  2. From the vCenter Server vSphere Client, select the host that will be added to the Active Directory.
  3. Click the Configure tab.
  4. Click the Authentication Services.
  5. Click the Join Domain... link at the top right pane.
  6. In the Join Domain dialog, enter a domain. Use the form example.com or example.com/OU1/OU2.
  7. Enter the username (in [email protected] format) and password of a directory service user account that has permission to join the host to the domain and click OK.
  8. Click OK.
  9. Click the Configure tab and click Advanced System Settings.
  10. Under the Key column, click the filter icon and search for Config.HostAgent.plugins.hostsvc.esxAdminsGroup
  11. Confirm the Config.HostAgent.plugins.hostsvc.esxAdminsGroup setting matches the Administrator group that will be used in the Active Directory. These settings take effect within a minute and no reboot is required. To edit, click the top right EDIT... link.
Note:
  • If the Config.HostAgent.plugins.hostsvc.esxAdminsGroup setting is changed, ensure to remove any invalid users from the Permissions tab of the ESXi host.

To add the permissions to the group AD users:

  • Right Click on the Host and Select Permissions.
  • Right-click anywhere in the Permissions area and Choose Add Permission (or click the + Add button).
  • In the Add Permission dialog:
  • Click Add to search for the user or group.
  • Enter the name of the AD user or group (e.g., DOMAIN\UserName or GROUPNAME) and click Check Name.
  • Select the user/group from the results and click Add, then OK.
  • In the Add Permission dialog, select the desired Role (e.g., Administrator, Read-only, or a Custom Role) from the
  • Assigned Role dropdown.
  • Click OK to apply the permission.



Additional Information

Note: For information regarding required ports that need to be open between the ESXi hosts and the Active Directory domain controller, see the VMware Ports and Protocols guide (Filter for "Microsoft Active Directory Domain Controllers")

Note: Joining an ESXi hosts to an Active Directory domain with a read-only domain controller (RODC) is unsupported. ESXi hosts only can join an Active Directory domain with a writable domain controller.

When an ESXi host is joined to Active Directory, a corresponding computer account is created in the domain.

By default, the Likewise authentication service automatically rotates the computer account password every 30 days. This process requires successful communication with a Read-Write Domain Controller (RWDC).

If communication between the ESXi host and an RWDC is unavailable, the password rotation will fail. This is because a Read-Only Domain Controller (RODC) maintains a strictly read-only copy of the Active Directory database and cannot process write operations such as password updates.

If the ESXi host communicates only with an RODC, the password rotation request will be rejected. As a result, the domain trust relationship will break, causing the ESXi host to lose its domain membership. Consequently, Active Directory users will no longer be able to authenticate to the host.

Reference:

Error: "LW_ERROR_PASSWORD_MISMATCH" during ESXi AD authentication

Powered by Wolken Software