This past July, version 4.1 of VMware’s vSphere enterprise virtualization platform was released. Among the patches, performance fixes and new features (full list here), support for Active Directory authentication of host administrators was added.
So why would you want to do this? After completing the process described here, authentication will be centralized, and you will control access to the ESX hosts in much the same way you do for any other Windows server or desktop.
The only caveat regarding this procedure depends on how you are handling your Windows Server Client Access Licenses, or CALs. Because your ESX/ESXi hosts will be added to Active Directory, if you are using a Device CAL licensing model, each of these servers would require a CAL. Most enterprises I’ve seen tend to lean towards the User CAL method, so in that case this would be a nonissue. For more information, this is covered in greater depth by Rick Vanover over at Virtualization Review.
The first step in enabling this feature is to create a security group in your Active Directory named “ESX Admins.” You must use this exact name, or the process doesn’t work. Once created, populate this group with the users you wish to have the ability to manage your ESX hosts. For smaller shops you can cheat by just adding the Domain Admins group.
Next, open your VMware VI Client. Before joining the servers to the domain, first verify that DNS and NTP are both configured properly, pointing both back to the sources used by your Windows Active Directory infrastructure.
Now, in the left menu, click the host you want to add to AD, and then click the Configuration tab. Once in Configuration, choose “Authentication Services” from the Software submenu. Notice that the current Directory Services type is Local Authentication, meaning the host is using its local users and groups.
To join the host to the domain, click the Properties link in the top right corner, which launches the Directory Services Configuration dialog. At this point it should feel much like joining a workstation to the domain. Set the Directory Service type to Active Directory and supply your domain name, making sure you use the FQDN rather than the NetBIOS version. When you click “Join Domain”, you will be prompted for Active Directory credentials capable of writing to AD. Finally, click Join Domain again and you’re done!
As you can see above, once completed, the VI Client will report that the host is joined to the domain and authenticating against it. Looking further into Active Directory Users and Computers, the host will appear as a computer account in the directory.
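The same procedure can be scripted for many hosts. This added example (not from the original post or from VMware) uses the PowerCLI cmdlets for host networking, NTP and authentication; it first checks the DNS and NTP prerequisites called out above, then joins the host. The vCenter name, host name, domain and domain controller addresses are placeholders.

```powershell
# Added example: verify DNS/NTP prerequisites, then join an ESX/ESXi host to AD.
# All names and addresses below are assumed placeholders; replace them for your site.
Import-Module VMware.VimAutomation.Core

$vcenter     = 'vcenter.corp.example.com'      # assumed
$hostName    = 'esx01.corp.example.com'        # assumed
$adDomain    = 'corp.example.com'              # assumed; must be the FQDN, not NetBIOS
$dcAddresses = @('192.0.2.10', '192.0.2.11')   # assumed AD DNS/NTP sources

Connect-VIServer -Server $vcenter | Out-Null
$vmHost = Get-VMHost -Name $hostName

# 1. DNS: the host's resolvers should be the AD DNS servers, or the domain
#    SRV records needed for the join will not resolve.
$net    = Get-VMHostNetwork -VMHost $vmHost
$badDns = $net.DnsAddress | Where-Object { $dcAddresses -notcontains $_ }
if ($badDns) {
    throw "Host DNS servers $($badDns -join ', ') are not the AD DNS servers"
}

# 2. NTP: Kerberos rejects tickets when clocks differ by more than 5 minutes,
#    so the ntpd service must be configured and running before the join.
$ntpServers = Get-VMHostNtpServer -VMHost $vmHost
$ntpd       = Get-VMHostService -VMHost $vmHost | Where-Object { $_.Key -eq 'ntpd' }
if (-not $ntpServers -or -not $ntpd.Running) {
    throw 'NTP is not configured or not running on the host; fix this before joining'
}

# 3. Join: prompt for an AD account that can create the computer object.
#    The credential is used for the join only; the host authenticates with its
#    own computer account afterwards.
$auth = Get-VMHostAuthentication -VMHost $vmHost
if ($auth.Domain -eq $adDomain) {
    Write-Host "$hostName is already joined to $adDomain"
    return
}
$cred = Get-Credential -Message "AD account permitted to join hosts to $adDomain"
Set-VMHostAuthentication -VMHostAuthentication $auth -Domain $adDomain `
    -JoinDomain -Credential $cred -Confirm:$false

# 4. Confirm membership, which is what the VI Client shows under Authentication Services.
$auth = Get-VMHostAuthentication -VMHost $vmHost
'{0}: domain={1} membership={2}' -f $hostName, $auth.Domain, $auth.DomainMembershipStatus
```

Run the checks first on one host and confirm the computer account appears in Active Directory Users and Computers before rolling the script across the cluster.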
The end result: your IT staff and other users who access virtual machines can now use your centrally managed Active Directory credentials to authenticate to ESX or ESXi. This greatly enhances the security of the system, because password policy becomes much more enforceable, and the staff will be happy because it is one less password to memorize.