How to add hosts to Active Directory using vSphere Authentication Proxy
Article ID: 319478

Products

VMware vCenter Server

Issue/Introduction

You can add ESXi hosts to an Active Directory domain by using vSphere Authentication Proxy instead of adding the hosts explicitly to the Active Directory domain.

You only have to set up the host so that it knows the domain name of the Active Directory server and the IP address of vSphere Authentication Proxy. When vSphere Authentication Proxy is enabled, it automatically adds hosts that are being provisioned with Auto Deploy to the Active Directory domain. You can also use vSphere Authentication Proxy with hosts that are not provisioned by Auto Deploy.

By default, ESXi hosts require explicit verification of the vSphere Authentication Proxy certificate. If you are using vSphere Auto Deploy, the Auto Deploy service takes care of adding the certificate to hosts that it provisions. For other hosts, you must add the certificate explicitly.


For more information, please check

Environment

VMware vCenter Server 7.x
VMware vCenter Server 8.x

Resolution

  1. Start the VMware vSphere Authentication Proxy Service
  • In the vSphere Client, navigate to Hosts and Clusters, select the vCenter Server, click Configure, then Authentication Proxy (under Settings), and press "ENABLE".
  • Alternatively, go to the VAMI (https://<vcenterFQDN>:5480), open Services, locate VMware vSphere Authentication Proxy Service and start it.
Note: if the Startup Type is set to Manual you may need to change it to Automatic. Check in the VAMI by navigating to https://<vcenterFQDN>:5480

If you need to change the startup type from MANUAL to AUTOMATIC:
  1. Login to vCSA via SSH

  2. Navigate to /etc/vmware/vmware-vmon/svcCfgfiles

  3. Make a backup of the configuration file vmcam.json

    • root@vcsa [ /etc/vmware/vmware-vmon/svcCfgfiles ]# cp -p vmcam.json vmcam.json.bk

  4. Edit vmcam.json and change "StartupType" from "MANUAL" to "AUTOMATIC"

    • "StartupType" : "AUTOMATIC",

  5. Restart service

    • root@vcsa [ /etc/vmware/vmware-vmon/svcCfgfiles ]# vmon-cli -r vmcam

  6. Service should show as Automatic in VAMI
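The following shell script is an added example, not part of this article or of VMware's tooling. It carries out steps 3 to 5 above against a vmon service config file whose path you pass in, with two checks the manual procedure does not make explicit: it refuses to edit a file that has no "StartupType" key, and it restores the backup if the value is not AUTOMATIC after the edit. It assumes the JSON layout shown above and only calls vmon-cli when that command exists on the system, so the functions can be exercised off-box on a copy; the demo at the bottom uses a constructed vmcam.json, not a real appliance file.

```shell
#!/bin/sh
# Added example (not from the KB or VMware): flip the vmcam service StartupType
# from MANUAL to AUTOMATIC in a vmon service config file, keep a backup, verify
# the edit, and restart the service only where vmon-cli exists (i.e. on a vCSA).
# Usage on the appliance:
#   set_vmcam_automatic /etc/vmware/vmware-vmon/svcCfgfiles/vmcam.json
set -u

set_vmcam_automatic() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "config not found: $cfg" >&2; return 1; }

    # Refuse to edit a file that lacks the key; the vmon config is JSON with
    # a "StartupType" key, and editing the wrong file would be silent damage.
    grep -q '"StartupType"' "$cfg" || { echo "no StartupType key in $cfg" >&2; return 1; }

    # Backup with permissions and timestamps preserved, as the KB step does.
    cp -p "$cfg" "$cfg.bk" || return 1

    # Rewrite only the StartupType value; every other line is left untouched.
    # Written via a temp file and cat so the original inode and mode survive.
    sed 's/\("StartupType"[[:space:]]*:[[:space:]]*\)"MANUAL"/\1"AUTOMATIC"/' "$cfg" > "$cfg.tmp" \
        && cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp" || return 1

    # Verify before restarting anything; restore the backup on mismatch.
    if [ "$(current_startup_type "$cfg")" != "AUTOMATIC" ]; then
        echo "StartupType is not AUTOMATIC after edit; restoring backup" >&2
        cp -p "$cfg.bk" "$cfg"
        return 1
    fi

    # vmon-cli exists only on the appliance; elsewhere just say what to run.
    if command -v vmon-cli >/dev/null 2>&1; then
        vmon-cli -r vmcam
    else
        echo "vmon-cli not found; run 'vmon-cli -r vmcam' on the vCSA to restart the service" >&2
    fi
}

# Print the current StartupType value (MANUAL, AUTOMATIC, ...) from a config file.
current_startup_type() {
    sed -n 's/.*"StartupType"[[:space:]]*:[[:space:]]*"\([A-Z]*\)".*/\1/p' "$1"
}

# Self-contained demo on a constructed copy of vmcam.json (sample data, not a
# real appliance file), so the script can be exercised off-box.
demo_dir=$(mktemp -d)
printf '{\n   "StartupType" : "MANUAL",\n   "Name" : "vmcam"\n}\n' > "$demo_dir/vmcam.json"
set_vmcam_automatic "$demo_dir/vmcam.json"
echo "StartupType is now: $(current_startup_type "$demo_dir/vmcam.json")"
```

On the appliance, run it as root against the real path and then confirm the change in the VAMI as step 6 says; the .bk file it leaves next to vmcam.json is the one to copy back if the service fails to start.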

  2. Once the service is started, go to vCenter -> Configure -> Authentication Proxy, press Edit, fill in the Domain details and press Save
  3. Import the certificate into the ESXi host

Note: as stated above, by default ESXi hosts require explicit verification of the vSphere Authentication Proxy certificate. If you are using vSphere Auto Deploy, the Auto Deploy service takes care of adding the certificate to hosts that it provisions. For other hosts, you must add the certificate explicitly.

    • Upload the certificate to a datastore that the host can access, preferably one shared by all the ESXi hosts that you want to add to the domain
    • The certificate can be found in the following locations on the vCenter Server Appliance and on the Windows vCenter Server:
      •  vCenter Server Appliance: /var/lib/vmware/vmcam/ssl/rui.crt
      •  vCenter Server Windows: C:\ProgramData\VMware\vCenterServer\data\vmcamd\ssl\rui.crt
    • In the example below the certificate is uploaded to the iSCSI-FreeNAS datastore. Take note of the path where you upload the certificate, as you will need it in the next step
  • Now the certificate can be imported into the ESXi host by navigating to Configure > Authentication Services > Import Certificate

  • The task will be updated in the vCenter recent tasks pane. Wait for completion


  • Click on Configure > Authentication Services > Join Domain. Provide the Domain Name and the IP address of the vCenter Server on which the service was enabled in the previous step


  • When the process has completed, the host will show that the certificate has been imported and that the host is now joined to Active Directory
  • Check the same in vmcamd-syslog.log (for example, on the vCSA under /var/log/vmware/vmcamd). A machine account for the host will be created in AD

root@vcsa [ /var/log/vmware/vmcamd ]# tail -f vmcamd-syslog.log
info vmcamd  t@140640079820544: Creating machine account for Host 'esxi01.###.###', OU ''
info vmcamd  t@140640079820544: Machine account for Host 'esxi01.###.###', OU '' created
info vmcamd  t@140640079820544: Created Machine account is 'ESXI01$'

  • Create a group in the Active Directory domain called "ESX Admins" and add the user (or the user's group) that you want to use for login to the "ESX Admins" group. Please refer to https://knowledge.broadcom.com/external/article?legacyId=1025569 for more information
    • Note: if the Active Directory user or group has not been granted permissions on the host, the login attempt will fail with "Permission to perform this operation was denied"
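The following shell functions are an added example, not part of this article or of VMware's tooling, for checking the vmcamd-syslog.log lines quoted above without reading the log by eye. They assume exactly the line format shown in the article: a "Creating machine account for Host '<host>', OU '<ou>'" line, a "Machine account for Host '<host>', OU '<ou>' created" line, and a "Created Machine account is '<account>'" line. The hostnames, the OU value and the sample log file are constructed for the demo and are not a real capture. One function prints the machine account the proxy created for a given host, treating only the "created" line as success; the other lists hosts whose join was started but never confirmed, which is the case to investigate before trying to log in.

```shell
#!/bin/sh
# Added example (not from the KB or VMware): check vmcamd-syslog.log for the
# machine-account lines quoted in the article. The log format assumed here is
# exactly the one shown above; the hostnames and sample file are constructed.
# Usage on the appliance:
#   machine_account_for_host /var/log/vmware/vmcamd/vmcamd-syslog.log esxi01.example.test
#   pending_joins /var/log/vmware/vmcamd/vmcamd-syslog.log

# Print the AD machine account created for one host, or return 1 if the log
# never reports the account as created. Only the "... created" line counts as
# success; the earlier "Creating machine account" line does not.
machine_account_for_host() {
    acct=$(awk -v h="$2" -v q="'" '
        index($0, "Machine account for Host " q h q) && $NF == "created" { found = 1; next }
        found && index($0, "Created Machine account is") {
            # the account name is the first single-quoted token on the line
            if (split($0, p, q) >= 3) print p[2]
            exit
        }' "$1")
    [ -n "$acct" ] || return 1
    printf '%s\n' "$acct"
}

# List hosts for which a join was started but no "created" line followed.
pending_joins() {
    awk -v q="'" '
        index($0, "Creating machine account for Host " q) { split($0, p, q); started[p[2]] = 1 }
        index($0, "Machine account for Host " q) && $NF == "created" { split($0, p, q); delete started[p[2]] }
        END { for (h in started) print h }' "$1" | sort
}

# Write a constructed sample log in the article's format (not a real capture).
write_sample_log() {
    cat > "$1" <<'EOF'
info vmcamd  t@140640079820544: Creating machine account for Host 'esxi01.example.test', OU ''
info vmcamd  t@140640079820544: Machine account for Host 'esxi01.example.test', OU '' created
info vmcamd  t@140640079820544: Created Machine account is 'ESXI01$'
info vmcamd  t@140640079820544: Creating machine account for Host 'esxi02.example.test', OU 'OU=Hosts'
EOF
}

demo_log=$(mktemp)
write_sample_log "$demo_log"
echo "esxi01 account: $(machine_account_for_host "$demo_log" esxi01.example.test)"
echo "joins without a created line: $(pending_joins "$demo_log")"
```

A host that appears in the pending list has no machine account yet, so the "ESX Admins" group membership cannot take effect for it and the login error quoted in the note above is expected; fix the join first. Because membership of "ESX Admins" grants administrative access on every host joined this way, review that group with the same care as any other privileged AD group.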