The domain account must have AD read permission for all objects in the domain tree. The event log reader account must have read permissions for security event logs.
- Log in to the vSphere Web Client.
- Click Networking & Security and then click NSX Managers.
- Click an NSX Manager in the Name column and then click the Manage tab.
- Click the Domain tab and then click the Add domain icon.
- In the Add Domain dialog box, enter the fully qualified domain name (for example, eng.vmware.com) and netBIOS name for the domain.
To retrieve the netBIOS name for your domain, type nbtstat -n in a command window on a Windows workstation that is joined to the domain or on a domain controller. In the NetBIOS Local Name Table, the entry with the <00> suffix and type GROUP is the netBIOS name of the domain (the <00> entry of type UNIQUE is the computer name, not the domain).
- To filter out users that no longer have active accounts during sync, select Ignore disabled users.
- Click Next.
- In the LDAP Options page, specify the domain controller that the domain is to be synchronized with and select the protocol.
- Edit the port number if required.
- Enter the user credentials for the domain account. This user must be able to access the directory tree structure.
- Click Next.
- (Optional) In the Security Event Log Access page, select either CIFS or WMI for the connection method to access security event logs on the specified AD server. Change the port number if required. This step is used by Active Directory Event Log Scraper. See Identity Firewall Workflow.
The event log reader looks for the following event IDs in the AD Security event log: 4624 on Windows Server 2008/2012 and 540 on Windows Server 2003. The Security event log on the event log server has a default maximum size of 128 MB. When this limit is reached, Windows records Event ID 1104 (The security log is now full) in the Security log; check the log's retention settings so that new logon events continue to be written for the reader to collect. See https://technet.microsoft.com/en-us/library/dd315518 for more information.
- Select Use Domain Credentials to reuse the LDAP server user credentials for log access. To specify an alternate domain account for log access, clear Use Domain Credentials and enter that account's user name and password.
The specified account must be able to read the Security event log on the domain controller specified in the LDAP Options page.
- Click Next.
- In the Ready to Complete page, review the settings you entered.
- Click Finish.
If an error message states that the Adding Domain operation failed for the entity because of a domain conflict, the workaround is to select Auto Merge.
The domain is created and its settings are displayed below the domain list.
What to do next
Verify that auditing of logon events is enabled on the event log server, so that the logon events listed above (for example, Event ID 4624) are actually written to the Security log.
You can add, edit, delete, enable, or disable LDAP servers by selecting the LDAP Servers tab in the panel below the domain list. You can perform the same tasks for event log servers by selecting the Event Log Servers tab in the panel below the domain list. Adding more than one Windows server (Domain Controllers, Exchange servers, or File Servers) as an event log server improves the user identity association.
If you are using Identity Firewall (IDFW), only Active Directory servers are supported.
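The prerequisites above (the FQDN and netBIOS name for the Add Domain dialog, logon auditing, Security log capacity and Event ID 1104, and a reader account that can read the Security log) can be checked before registering the domain. The following PowerShell script is an added example written for this page; it is not part of the NSX product or its documentation. It assumes an elevated session on the domain controller that will be registered as the event log server, that the ActiveDirectory RSAT module is installed, and that the reader account name passed in $ReaderAccount (the default value is a placeholder) is the account entered on the Security Event Log Access page.

```powershell
# Added pre-flight checks for NSX Identity Firewall domain registration.
# Illustrative code, not part of NSX or its documentation. Run in an elevated
# PowerShell session on the domain controller to be used as the event log server.
# Requires the ActiveDirectory module (RSAT). $ReaderAccount is an assumed placeholder.
param(
    [string]$ReaderAccount = 'EXAMPLE\nsx-eventlog-reader'
)

Import-Module ActiveDirectory

# 1. Names the Add Domain dialog asks for (same information as the nbtstat -n output).
$domain = Get-ADDomain
'FQDN:    {0}' -f $domain.DNSRoot
'NetBIOS: {0}' -f $domain.NetBIOSName

# 2. Logon auditing must record successes, or no 4624 events exist for the reader to collect.
#    auditpol /r emits CSV; blank lines are dropped before parsing.
$logonAudit = auditpol /get /subcategory:'Logon' /r |
    Where-Object { $_.Trim() -ne '' } |
    ConvertFrom-Csv
if ($logonAudit.'Inclusion Setting' -match 'Success') {
    'OK: Logon auditing records successes ({0})' -f $logonAudit.'Inclusion Setting'
} else {
    Write-Warning ('Logon auditing is "{0}"; enable Success auditing for the Logon subcategory' -f $logonAudit.'Inclusion Setting')
}

# 3. Security log size, retention mode, and whether it has already filled up (Event ID 1104).
$secLog = Get-WinEvent -ListLog Security
'Security log: {0:N1} MB used of {1:N0} MB maximum, retention mode {2}' -f `
    ($secLog.FileSize / 1MB), ($secLog.MaximumSizeInBytes / 1MB), $secLog.LogMode
$full = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1104 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($full) {
    Write-Warning ('Event ID 1104 (security log full) was last recorded at {0}' -f $full.TimeCreated)
}

# 4. Sample the 4624 events from the last hour and extract the fields that tie a user to an IP address.
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-1) } `
    -MaxEvents 20 -ErrorAction SilentlyContinue
if (-not $logons) {
    Write-Warning 'No 4624 events in the last hour; check auditing and that users actually log on through this server'
}
foreach ($e in $logons) {
    $data = @{}
    foreach ($field in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
    '{0}  {1}\{2}  LogonType={3}  IpAddress={4}' -f $e.TimeCreated, $data.TargetDomainName, $data.TargetUserName, $data.LogonType, $data.IpAddress
}

# 5. The reader account must be able to read the Security log. Membership in the built-in
#    Event Log Readers group grants that right; -Recursive resolves nested group membership.
$sam = $ReaderAccount.Split('\')[-1]
$members = Get-ADGroupMember -Identity 'Event Log Readers' -Recursive | Select-Object -ExpandProperty SamAccountName
if ($members -contains $sam) {
    'OK: {0} is a member of Event Log Readers' -f $sam
} else {
    Write-Warning ('{0} is not in Event Log Readers; it will not be able to read the Security log' -f $sam)
}
```

Event Log Readers membership covers reading the log itself; if you select WMI as the access method on the Security Event Log Access page, the account additionally needs to be allowed to connect to the domain controller over DCOM/WMI, which this script does not check.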