You can join vCenter Server to an Active Directory domain. You can attach the users and groups from this Active Directory domain to your vCenter Single Sign-On domain. You can leave the Active Directory domain.

Important: Joining vCenter Server to an Active Directory domain with a read-only domain controller (RODC) is not supported. You can join vCenter Server only to an Active Directory domain with a writable domain controller.

If you want to configure permissions so that users and groups from an Active Directory can access the vCenter Server components, you must join the vCenter Server instance to the Active Directory domain.

For example, to enable an Active Directory user to log in to the vCenter Server instance by using the vSphere Client, you must join the vCenter Server instance to the Active Directory domain and assign the Administrator role to this user.

Prerequisites

  • Verify that the user who logs in to the vCenter Server instance in the vCenter Server Appliance is a member of the SystemConfiguration.Administrators group in vCenter Single Sign-On.

  • Verify that the system name of the appliance is an FQDN. If, during the deployment of the appliance, you set an IP address as a system name, you cannot join vCenter Server to an Active Directory domain.

Procedure

  1. Use the vSphere Client to log in as administrator@your_domain_name to the vCenter Server instance in the vCenter Server Appliance.
  2. On the vSphere Client navigation pane, click Administration > Single Sign On > Configuration.
  3. Select the Active Directory Domain tab, and click JOIN AD.
  4. Enter the Active Directory details.
    Option Description
    Domain Active Directory domain name, for example, mydomain.com. Do not provide an IP address in this text box.
    Organization Unit (optional) The full Organization Unit (OU) LDAP FQDN, for example, OU=Engineering,DC=mydomain,DC=com.
    Important: Use this text box only if you are familiar with LDAP.
    Username User name in User Principal Name (UPN) format, for example, [email protected].
    Important: Down-level login name format, for example, DOMAIN\UserName, is unsupported.
    Password Password of the user.
  5. Click JOIN to join the vCenter Server to the Active Directory domain.
    The operation silently succeeds and you can see the Join AD option turned to Leave AD.
  6. (Optional) To leave the Active Directory Domain, click LEAVE AD.
  7. Restart the vCenter Server to apply the changes. For information about restarting the vCenter Server, see Reboot or Shut Down the vCenter Server Appliance.
    Important: If you do not restart the vCenter Server, you might encounter problems when using the vSphere Client.
  8. Select Identity Sources tab, and click the ADD.
    1. In the Add Identity Source page, select Active Directory (Integrated Windows Authentication) as the Identity Source Type.
    2. Enter the identity source settings of the joined Active Directory domain, and click ADD.
      Table 1. Add Identity Source Settings
      Text Box Description
      Domain name FDQN of the domain. Do not provide an IP address in this text box.
      Use machine account Select this option to use the local machine account as the SPN. When you select this option, you specify only the domain name. Do not select this option if you expect to rename this machine.
      Use Service Principal Name (SPN) Select this option if you expect to rename the local machine. You must specify an SPN, a user who can authenticate with the identity source, and a password for the user.
      Service principal name SPN that helps Kerberos to identify the Active Directory service. Include the domain in the name, for example, STS/example.com.

      You might have to run setspn -S to add the user you want to use. See the Microsoft documentation for information on setspn.

      The SPN must be unique across the domain. Running setspn -S checks that no duplicate is created.

      Username Name of a user who can authenticate with this identity source. Use the email address format, for example, [email protected]. You can verify the User Principal Name with the Active Directory Service Interfaces Editor (ADSI Edit).
      Password Password for the user who is used to authenticate with this identity source, which is the user who is specified in User Principal Name. Include the domain name, for example, [email protected].

Results

On the Identity Sources tab, you can see the joined Active Directory domain.

What to do next

You can configure permissions so that users and groups from the joined Active Directory domain can access the vCenter Server components. For information about managing permissions, see the vSphere Security documentation.