ESXi 4.1 Active Directory Integration
Before starting, you need to make sure of a few things:
You have correct time synchronization between your ESX host and the domain controllers – this is a must. Kerberos is extremely picky when the time difference is off.
You have proper DNS resolution from the ESX host, and the name servers are correct.
Also your ESX host has to have a FQDN – for example:
Hostname: esx1
Domain: maishsk.local
FQDN: esx1.maishsk.local
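The prerequisites above can be checked before attempting the join. The following is an added example, not part of the original post: the function names, the injectable resolver and the sample addresses are assumptions made for illustration, and the 5-minute limit is the default Kerberos clock-skew tolerance in Active Directory.

```python
import socket
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # default Kerberos clock-skew tolerance in Active Directory


def parse_join_target(target):
    """Split 'domain' or 'domain/Container/OU' (the two forms the join dialog accepts)."""
    domain, _, path = target.strip().partition("/")
    return domain.lower(), path


def preflight(hostname, target, host_time, dc_time, resolve=socket.gethostbyname):
    """Return a list of problems; an empty list means the prerequisites hold."""
    domain, _ = parse_join_target(target)
    fqdn = f"{hostname}.{domain}"
    problems = []
    # 1. Clock difference between the host and a domain controller.
    skew = abs(host_time - dc_time)
    if skew > MAX_SKEW:
        problems.append(
            f"clock skew {int(skew.total_seconds())}s exceeds {int(MAX_SKEW.total_seconds())}s"
        )
    # 2. The host FQDN must resolve; resolving the domain name itself is used
    #    here as a simple sign that the configured name servers are the domain's.
    for name in (fqdn, domain):
        try:
            resolve(name)
        except OSError:  # socket.gaierror is a subclass of OSError
            problems.append(f"cannot resolve {name}")
    return problems


if __name__ == "__main__":
    # Constructed sample data: a fake resolver and clocks that are 7 minutes apart.
    records = {"esx1.maishsk.local": "192.0.2.10", "maishsk.local": "192.0.2.1"}

    def fake_resolve(name):
        if name not in records:
            raise socket.gaierror(name)
        return records[name]

    now = datetime(2010, 9, 1, 12, 0, tzinfo=timezone.utc)
    target = "maishsk.local/Computers/ESX"
    print(preflight("esx1", target, now, now + timedelta(minutes=7), fake_resolve))
```

Leaving out the resolve argument makes the same checks use the workstation's real DNS settings, so run it from a machine that uses the same name servers as the host.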
On the ESXi Host
Log into your host directly – NOT through the vCenter. The documentation says
I have found that if you do this on the vCenter server – the Properties option is grayed out and you cannot make the change.
Configuration Tab -> Authentication Services-> Properties
Enter domain name (in one of two ways) maishsk.local (Default computer location) or maishsk.local/Computers/ESX (for putting the computer account in the ESXi OU under the computers container)
Click Join Domain – and you will be asked for domain credentials – this user has to have permissions to add computers to the domain. Format is either administrator@maishsk.local or MAISHSK\administrator or just plain administrator
Once that is done – you can see on the Active Directory Users and Computer Console that you now have a new computer account.
To allow the user/group access to the ESXi host, you will have to define the permissions at the appropriate level.
In this case I gave the Domain Admins full access to the Host
Permissions -> Add Permission -> Administrators ->Add
From the Server field choose your domain and search for your user/group (reminds anyone of vCenter?)
The user can now login with their domain credentials
*** Update ***
I would like to also point out what Raphael Schitz posted on his blog regarding the ESX Admins group and how this group automatically has access to the host just added to the domain. Thanks for pointing this out.
By default, the ESX host assigns the Administrator role to the « ESX Admins » group. If the group does not exist when the host joins the domain, the host will not assign the role. In this case, you must create the « ESX Admins » group in the Active Directory. The host will periodically check the domain controller for the group and will assign the role when the group exists.