Prerequisites

The domain account must have AD read permission for all objects in the domain tree. The event log reader account must have read permissions for security event logs.

Procedure

  1. In the vSphere Web Client, navigate to Networking & Security > System > Users and Domains.
  2. Click the Domains tab, and then click the Add domain icon.
  3. In the Add Domain dialog box, enter the fully qualified domain name (for example, eng.vmware.com) and netBIOS name for the domain.
    To retrieve the netBIOS name for your domain, type nbtstat -n in a command window on a Windows workstation that is part of a domain or on a domain controller. In the NetBIOS Local Name Table, the entry with a <00> prefix and type Group is the netBIOS name.
  4. When adding a child domain, select Auto Merge.
  5. To filter out users that no longer have active accounts during sync, click Ignore disabled users.
  6. Click Next.
  7. In the LDAP Options page, specify the domain controller that the domain is to be synchronized with and select the protocol. See Identity Firewall Tested and Supported Configurations for more information about supported domain synchronization options.
  8. Edit the port number, if required.
  9. Enter the user credentials for the domain account. This user must be able to access the directory tree structure.
  10. Click Next.
  11. (Optional) In the Security Event Log Access page, select either CIFS or WMI as the connection method for accessing security event logs on the specified AD server. Change the port number if required. This setting is used by the Active Directory Event Log Scraper. See Identity Firewall Workflow.
    Note: The event log reader looks for logon events with the following IDs in the AD Security event log: Windows 2008/2012: 4624; Windows 2003: 540. The event log server has a limit of 128 MB. When this limit is reached, you may see Event ID 1104 in the Security Log Reader. See https://technet.microsoft.com/en-us/library/dd315518 for more information.
  12. Select Use Domain Credentials to reuse the LDAP server user credentials. To specify a different domain account for log access, clear Use Domain Credentials and enter that account's user name and password.
    The specified account must be able to read the security event logs on the Domain Controller specified in step 10.
  13. Click Next.
  14. In the Ready to Complete page, review the settings you entered.
  15. Click Finish.
    Attention:
    • If an error message appears stating that the Adding Domain operation failed for the entity because of a domain conflict, select Auto Merge. The domains are then created and their settings are displayed below the domain list.

Results

The domain is created and its settings are displayed below the domain list.

What to do next

Verify that login events on the event log server are enabled.
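One way to perform that verification on a domain controller that has been added as an event log server, as an added PowerShell example (not from the VMware documentation). It checks the Logon audit subcategory, shows recent 4624 events in the user/IP form the scraper consumes, checks the Security log size and any Event ID 1104 (log full), and confirms the reader account can read the log. The reader account name is a placeholder and the ActiveDirectory module is assumed to be available.

```powershell
# Added verification script, not part of the VMware procedure. Run on a domain
# controller configured as an event log server. $ReaderAccount is a placeholder
# for the event log reader account from step 12.
param(
    [string]$ReaderAccount = 'EXAMPLE\idfw-logreader'   # placeholder, replace
)

# 1. Logon success auditing must be on, otherwise no 4624 events are written.
$logon = (auditpol /get /subcategory:"Logon") | Where-Object { $_ -match '^\s+Logon\s' }
if ($logon -match 'Success') {
    Write-Output "OK: Logon auditing is enabled ($($logon.Trim()))"
} else {
    Write-Warning "Logon success auditing is NOT enabled; the scraper will see no 4624 events"
}

# 2. Recent 4624 events, printed as the account/IP pairs the identity firewall maps.
$since  = (Get-Date).AddHours(-1)
$logons = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$since} -ErrorAction SilentlyContinue
Write-Output "4624 events in the last hour: $(@($logons).Count)"
foreach ($e in ($logons | Select-Object -First 5)) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['TargetUserName'] -notlike '*$') {   # skip machine accounts
        Write-Output ("  {0}\{1} from {2} (LogonType {3})" -f `
            $d['TargetDomainName'], $d['TargetUserName'], $d['IpAddress'], $d['LogonType'])
    }
}

# 3. Security log size, and whether it has already filled (Event ID 1104).
$secLog = Get-WinEvent -ListLog Security
Write-Output ("Security log: {0:N0} MB max, {1} records" -f ($secLog.MaximumSizeInBytes/1MB), $secLog.RecordCount)
$full = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1104; StartTime=$since} -ErrorAction SilentlyContinue
if ($full) { Write-Warning "Event ID 1104 seen: the Security log is full; raise its size or retention setting" }

# 4. The reader account needs read access to the Security log; on a domain
#    controller membership in the built-in "Event Log Readers" group grants it.
$readerSam = $ReaderAccount.Split('\')[-1]
$members = Get-ADGroupMember -Identity 'Event Log Readers' -Recursive | Select-Object -ExpandProperty SamAccountName
if ($members -contains $readerSam) {
    Write-Output "OK: $ReaderAccount is a member of Event Log Readers"
} else {
    Write-Warning "$ReaderAccount is not in Event Log Readers; Security log reads over WMI/CIFS will be denied"
}
```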

You can add, edit, delete, enable, or disable LDAP servers by selecting the LDAP Servers tab in the panel below the domain list. You can perform the same tasks for event log servers by selecting the Event Log Servers tab in the panel below the domain list. Adding more than one Windows server (Domain Controllers, Exchange servers, or File Servers) as an event log server improves the user identity association.

Note: If using IDFW, only AD Servers are supported.