Joining ESXi host to a Windows Active Directory (domain) will enable a centralized security authority in your vSphere environment. The active directory improves authentication, authorization, and accounting.
Before joining the ESXi to a domain, you must check some prerequisites and configure your environment, including Network, Windows Active Directory Server, and ESXi host.
Ensure that the following ports (both UDP and TCP) are open for communication between the ESXi host and the Windows Active Directory.
- Port 88 - Kerberos authentication
- Port 123 – NTP
- Port 135 - RPC
- Port 137 - NetBIOS Name Service
- Port 139 - NetBIOS Session Service (SMB)
- Port 389 - LDAP
- Port 445 - Microsoft-DS Active Directory, Windows shares (SMB over TCP)
- Port 464 - Kerberos - change/password changes
- Port 3268- Global Catalog search
The Active Directory must have the DNS Server role installed.
- From Server Manager, go to Tools / DNS
- Expand Your_computer _name (DOMAIN) / Forward Lookup Zones
- Add an “A” record of your ESXi. Right-click on Your_Domain (home.lab) name and select New Host (A or AAAA)...
- Enter your ESXi hostname and IP address. Click Add Host.
- The new ESXi record is now saved.
ESX Admins group
This step is not a-must for joining the ESXi to the domain.
- From Server Manager, go to Tools / Active Directory Users and Computers
- Expand Your_Domain (home.lab). Right-click on Users, go to New / Group.
- In Group name enter “ESX Admins” (must be this exact name). Make sure Security is selected in Group type. Click OK.
- Righ-click on the newly added group and click Properties.
- Go to the Members tab, click Add… and place the user accounts that should be permitted to authenticate with an ESXi host.
The time of the ESXi must be synchronized with the Active Directory Server.
- Using the ESXi Client; under Host, go to Manage / System / Time & date / Edit Settings.
- Select Use Network Time Protocol (enable NTP client). Select Start and stop with host. Input the IP address of your Domain Controller Server. Click Save.
Active Directory Firewall Rule
This rule is enabled by default.
- Using the ESXi Client; Go to Networking / Firewall Rule. Make sure the Active Directory All rule is enabled. If not (is grayed-out), right-click and enable it.
- Using the ESXi DCUI; hit F2 and type your ESXi root password.
- Go to Configure Management Network / DNS Configuration
- In Primary DNS Server, enter the IP address of your Domain Controller Server. Enter Alternate DNS Server if you have. (Note: For a home lab you can use Google DNS here). In Hostname, enter the same name of the record we used in the Active Directory Server. Hit Enter to save.
Join the ESXi to the Domain
Via ESXi Client
- Under Host, go to Manage / Security & users / Authentication / Join domain.
- Enter the domain name and administrator credentials (same format as the image).
- The ESXi will be joined to the domain.
Use the following command to join the ESXi to the domain:
/usr/lib/vmware/likewise/bin/domainjoin-cli join [your_domain] [user] [password]
[root@esxia:~] /usr/lib/vmware/likewise/bin/domainjoin-cli join home.lab administrator Joining to AD Domain: home.lab With Computer DNS Name: esxia.home.lab [email protected]'s password: SUCCESS