When you join a host to a directory service domain, you can use the vSphere Authentication Proxy server for authentication instead of transmitting user-supplied Active Directory credentials.
You can enter the domain name in one of two ways:
- name.tld (for example, domain.com): The account is created under the default container.
- name.tld/container/path (for example, domain.com/OU1/OU2): The account is created under a particular organizational unit (OU).
Verify that the vSphere Client is connected to the host.
If ESXi is configured with a DHCP address, set up the DHCP range as described in the vSphere Security documentation.
If ESXi is configured with a static IP address, verify that its associated profile is configured to use the vSphere Authentication Proxy service to join a domain so that the authentication proxy server can trust the ESXi IP address.
If ESXi is using a self-signed certificate, verify that the host has been added to vCenter Server. This allows the authentication proxy server to trust ESXi.
If ESXi is using a CA-signed certificate and is not provisioned by Auto Deploy, verify that the CA certificate has been added to the local trust certificate store of the authentication proxy server as described in the vSphere Security documentation.
Authenticate the vSphere Authentication Proxy server to the host as described in the vSphere Security documentation.
- In the vSphere Client inventory, select the host.
- Select the Configuration tab and click Authentication Services.
- Click Properties.
- In the Directory Services Configuration dialog box, select the directory server from the drop-down menu.
- Enter a domain.
Use the form name.tld or name.tld/container/path.
- Select the Use vSphere Authentication Proxy check box.
- Enter the IP address of the authentication proxy server.
- Click Join Domain.
- Click OK.
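The same join can be scripted with PowerCLI through the vSphere API method JoinDomainWithCAM, which takes only the domain and the authentication proxy address, so no Active Directory credentials are typed in or sent. This is an added example, not part of the VMware procedure. The host name, domain, and proxy address are placeholders, and it assumes the prerequisites above are met and a Connect-VIServer session is already open.

```powershell
# Added example. All three values below are placeholders to replace.
$vmHostName = 'esxi01.example.com'    # ESXi host to join (placeholder)
$domain     = 'domain.com/OU1/OU2'    # name.tld or name.tld/container/path
$proxyIp    = '192.0.2.10'            # authentication proxy server (placeholder)

# Refuse input that is not in one of the two documented forms, so a typo
# cannot place the computer account in an unintended container.
if ($domain -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+(/[^/]+)*$') {
    throw "Domain '$domain' is not in name.tld or name.tld/container/path form."
}

# Assumes Connect-VIServer has already been run against vCenter Server or the host.
$vmHost  = Get-VMHost -Name $vmHostName
$authMgr = Get-View -Id $vmHost.ExtensionData.ConfigManager.AuthenticationManager

# The authentication manager lists several stores; pick the Active Directory one.
$adRef = $authMgr.SupportedStore |
    Where-Object { $_.Type -eq 'HostActiveDirectoryAuthentication' }
if (-not $adRef) {
    throw "Host '$vmHostName' exposes no Active Directory authentication store."
}
$adAuth = Get-View -Id $adRef

# Join through the authentication proxy. Only the domain and the proxy
# address are passed; no user name or password is involved.
$adAuth.JoinDomainWithCAM($domain, $proxyIp)

# Confirm the result instead of assuming the join succeeded.
$state = Get-VMHostAuthentication -VMHost $vmHost
if (-not $state.Domain) {
    throw "Host '$vmHostName' is not joined to a domain after the request."
}
'{0}: domain={1} status={2}' -f $vmHostName, $state.Domain, $state.DomainMembershipStatus
```

If the join is rejected, recheck the trust prerequisites (host added to vCenter Server, CA certificate in the proxy's trust store, host IP address known to the proxy) before retrying.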