- Advertisement -
HomeSystemsActive DirectoryJoining an ESXi host to a Windows Active Directory

Joining an ESXi host to a Windows Active Directory

Joining ESXi host to a Windows Active Directory (domain) will enable a centralized security authority in your vSphere environment. The active directory improves authentication, authorization, and accounting.

Before joining the ESXi to a domain, you must check some prerequisites and configure your environment, including Network, Windows Active Directory Server, and ESXi host.

Firewall Access

Ensure that the following ports (both UDP and TCP) are open for communication between the ESXi host and the Windows Active Directory.

  • Port 88 - Kerberos authentication
  • Port 123 – NTP
  • Port 135 - RPC
  • Port 137 - NetBIOS Name Service
  • Port 139 - NetBIOS Session Service (SMB)
  • Port 389 - LDAP
  • Port 445 - Microsoft-DS Active Directory, Windows shares (SMB over TCP)
  • Port 464 - Kerberos - change/password changes
  • Port 3268- Global Catalog search

@Windows Server

DNS resolution:

The Active Directory must have the DNS Server role installed.

  1. From Server Manager, go to Tools / DNS
  2. Expand Your_computer _name (DOMAIN) / Forward Lookup Zones
Joining ESXi host to a Windows Active Directory
  1. Add an “A” record of your ESXi. Right-click on Your_Domain (home.lab) name and select New Host (A or AAAA)...
Joining ESXi host to a Windows Active Directory
  1. Enter your ESXi hostname and IP address. Click Add Host.
Joining ESXi host to a Windows Active Directory
  1. The new ESXi record is now saved.
19.57 Image04

ESX Admins group

This step is not a-must for joining the ESXi to the domain.

  1. From Server Manager, go to Tools / Active Directory Users and Computers
  2. Expand Your_Domain (home.lab). Right-click on Users, go to New / Group.
Joining ESXi host to a Windows Active Directory
  1. In Group name enter “ESX Admins” (must be this exact name). Make sure Security is selected in Group type. Click OK.
Joining ESXi host to a Windows Active Directory
  1. Righ-click on the newly added group and click Properties.
  2. Go to the Members tab, click Add… and place the user accounts that should be permitted to authenticate with an ESXi host.
Joining ESXi host to a Windows Active Directory

@ESXi Host

NTP Configuration

- Advertisement -

The time of the ESXi must be synchronized with the Active Directory Server.

  1. Using the ESXi Client; under Host, go to Manage / System / Time & date / Edit Settings.
Joining ESXi host to a Windows Active Directory
  1. Select Use Network Time Protocol (enable NTP client). Select Start and stop with host. Input the IP address of your Domain Controller Server. Click Save.
Joining ESXi host to a Windows Active Directory

Active Directory Firewall Rule

This rule is enabled by default.

  1. Using the ESXi Client; Go to Networking / Firewall Rule. Make sure the Active Directory All rule is enabled. If not (is grayed-out), right-click and enable it.
Joining ESXi host to a Windows Active Directory

DNS Configuration

  1. Using the ESXi DCUI; hit F2 and type your ESXi root password.
  2. Go to Configure Management Network / DNS Configuration
  3. In Primary DNS Server, enter the IP address of your Domain Controller Server. Enter Alternate DNS Server if you have. (Note: For a home lab you can use Google DNS here). In Hostname, enter the same name of the record we used in the Active Directory Server. Hit Enter to save.
Joining ESXi host to a Windows Active Directory

Join the ESXi to the Domain

Via ESXi Client

  1. Under Host, go to Manage / Security & users / Authentication / Join domain.
Joining ESXi host to a Windows Active Directory
  1. Enter the domain name and administrator credentials (same format as the image).
Joining ESXi host to a Windows Active Directory
  1. The ESXi will be joined to the domain.
Joining ESXi host to a Windows Active Directory

Via CLI

Use the following command to join the ESXi to the domain:

/usr/lib/vmware/likewise/bin/domainjoin-cli join [your_domain] [user] [password]

[[email protected]:~] /usr/lib/vmware/likewise/bin/domainjoin-cli join home.lab administrator
Joining to AD Domain: home.lab
With Computer DNS Name: esxia.home.lab
[email protected]'s password:
SUCCESS

Resources

https://kb.vmware.com/s/article/52984
https://kb.vmware.com/s/article/1026538
https://kb.vmware.com/s/article/1035833
Juan Mulford
Juan Mulford
I have been active in IT for over fourteen years now. I am a solutions architect, working with storage, virtualization, and VDI solutions. For the past ten years, I have been living and working in Taiwan.

Leave a Reply

- Advertisement -

Popular Articles

mulcas.com-Raspberry-Pi

Raspberry Pi OS in a Virtual Machine with VMware

4
Although the Raspberry Pi OS is designed and optimized for the Raspberry Pi module, it is possible to test and use it without its hardware, with VMware. This solution can be useful if you are a developer (or just a curious guy) and don't have a Raspberry Pi module with you
Unable to delete inaccessible datastore

Unable to delete an "inaccessible" datastore

4
I was switching my storage array, so I migrated the VMs from that old datastore/storage to a new datastore/storage. The old datastore was shared by 3 ESXi hosts, no cluster. After migrating the VMs and unmount/delete the datastore, it was still presented in two of the ESXi hosts and was marked as inaccessible.
mulcas.com-VMware-OVF-Tool

How to export a Virtual Machine using the VMware OVF Tool

8
The VMware OVF Tool is implemented by VMware for easily importing and exporting virtual machines in Open Virtualization Format (OVF) standard format. Here, I want to show you how to download and install it, and then how to use it from a Windows machine.
This is not a valid source path / URL

This is not a valid source path / URL - SourceTree and Gitlab

0
I have been working on a project with a friend who set up a repository in Gitlab but even though I was able to view all projects on it, I couldn’t really join the repository. I was using SourceTree and Gitlab.
WinSCP VCSA

Unable to Access the VCSA 6.7 via WinSCP

8
One of the many and easiest ways to get the logs from the ESXi hosts and vCenter Server Appliance (VCSA), is accessing directly to the files directory using tools such as WinSCP, which helps to transfer the files between a local and a remote computer ( Ex. VCSA). I never have had issues with the ESXi hosts and WinSCP, however, trying to access the VCSA is a different story.
- Advertisement -

Recent Comments