Active Directory is used in creating user-based Identity Firewall rules.

Windows 2008 is not supported as an Active Directory server or RDSH Server OS.

You can register one or more Windows domains with an NSX Manager. NSX Manager gets group and user information and the relationship between them from each domain that it is registered with. NSX Manager also retrieves Active Directory (AD) credentials.

Once NSX Manager retrieves AD credentials, you can create security groups based on user identity, and create identity-based firewall rules.

Note: For Identity Firewall rule enforcement, the Windows Time service should be running on all VMs that use Active Directory. This ensures that the date and time are synchronized between Active Directory and the VMs. Additionally, AD group membership changes, including enabling and deleting users, do not take effect immediately for logged-in users. For changes to take effect, users must log out and then log back in. AD administrators should force a log out when group membership is modified. This behavior is a limitation of Active Directory.

Procedure

  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Navigate to System > Active Directory.
  3. Click Add Active Directory.
  4. Enter the name of the Active Directory domain.
  5. Enter the NetBIOS Name and Base Distinguished Name.
    To retrieve the NetBIOS name for your domain, enter nbtstat /n in a command window on a Windows workstation that is part of the domain, or on a domain controller. In the NetBIOS Local Name Table, the entry with a <00> prefix and type Group is the NetBIOS name.
  6. Set the Delta Synchronization Interval if necessary. A delta synchronization updates local AD objects that have changed since the last synchronization event.
    Any changes made in Active Directory are NOT seen on NSX Manager until a delta or full synchronization has been performed.
  7. Click Save.
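The following PowerShell script is an added example for step 5 above; it is not part of the NSX documentation or of NSX itself. It parses the output of nbtstat /n to pick out the <00> GROUP entry that the procedure identifies as the NetBIOS domain name, builds the Base Distinguished Name from the DNS domain name, and, when the RSAT ActiveDirectory module is present, cross-checks both values against Get-ADDomain. The nbtstat output embedded in the script is constructed sample text; the function names, the domain name corp.example.com and the NetBIOS name CORP are assumptions made for the example.

```powershell
# Added example (not from the NSX documentation): derive the NetBIOS name and
# Base DN that step 5 of the procedure asks for. Assumes a domain-joined Windows host.

function Get-NetBiosDomainFromNbtstat {
    param([string[]]$NbtstatOutput)
    # In the NetBIOS Local Name Table, the domain is the entry marked <00> with type GROUP.
    # Workstation names also carry <00>, but with type UNIQUE, so the type must be checked.
    foreach ($line in $NbtstatOutput) {
        if ($line -match '^\s*(?<name>\S+)\s+<00>\s+GROUP\s+Registered') {
            return $Matches['name']
        }
    }
    return $null
}

function ConvertTo-BaseDN {
    param([string]$DnsDomain)
    # Each DNS label becomes one DC= component: corp.example.com -> DC=corp,DC=example,DC=com
    return ($DnsDomain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
}

# Live use on the workstation or domain controller:
#   $nbt = nbtstat /n
# Constructed sample output standing in for a real run (hypothetical host WS01 in domain CORP):
$nbt = @(
    'Ethernet0:',
    'Node IpAddress: [10.0.0.25] Scope Id: []',
    '',
    '                NetBIOS Local Name Table',
    '',
    '       Name               Type         Status',
    '    ---------------------------------------------',
    '    WS01           <00>  UNIQUE      Registered',
    '    CORP           <00>  GROUP       Registered',
    '    CORP           <1E>  GROUP       Registered',
    '    WS01           <20>  UNIQUE      Registered'
)

# USERDNSDOMAIN is set on domain-joined hosts; the fallback is the example's assumed domain.
$dnsDomain = if ($env:USERDNSDOMAIN) { $env:USERDNSDOMAIN } else { 'corp.example.com' }

$netbios = Get-NetBiosDomainFromNbtstat -NbtstatOutput $nbt
$baseDn  = ConvertTo-BaseDN -DnsDomain $dnsDomain

# Cross-check against the domain itself when the RSAT ActiveDirectory module is available.
# Get-ADDomain exposes NetBIOSName and DistinguishedName for the current domain.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $d = Get-ADDomain
    if ($d.NetBIOSName -ne $netbios -or $d.DistinguishedName -ne $baseDn) {
        Write-Warning "Parsed values differ from Get-ADDomain: $($d.NetBIOSName) / $($d.DistinguishedName)"
    }
}

# The two values to enter in the NSX Manager Add Active Directory form.
[pscustomobject]@{
    NetBIOSName           = $netbios
    BaseDistinguishedName = $baseDn
}
```

Entering a NetBIOS name or Base DN that does not match the domain is the usual reason an AD registration synchronizes no users or groups, so comparing the parsed values against Get-ADDomain before clicking Save avoids an empty first synchronization.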