You can configure a host to use a directory service such as Active Directory to manage users and groups.

When you add an ESXi host to Active Directory, the DOMAIN group ESX Admins is assigned full administrative access to the host if it exists. If you do not want to make full administrative access available, see VMware Knowledge Base article 1025569 for a workaround.

If a host is provisioned with Auto Deploy, Active Directory credentials cannot be stored on the hosts. You can use the vSphere Authentication Proxy to join the host to an Active Directory domain. Because a trust chain exists between the vSphere Authentication Proxy and the host, the Authentication Proxy can join the host to the Active Directory domain. See Using vSphere Authentication Proxy.

Note: When you define user account settings in Active Directory, you can limit the computers that a user can log in to by the computer name. By default, no equivalent restrictions are set on a user account. If you set this limitation, LDAP Bind requests for the user account fail with the message LDAP binding not successful, even if the request is from a listed computer. You can avoid this problem by adding the netBIOS name for the Active Directory server to the list of computers that the user account can log in to.

Prerequisites

  • Verify that you have an Active Directory domain. See your directory server documentation.
  • Verify that the host name of ESXi is fully qualified with the domain name of the Active Directory forest.

    fully qualified domain name = host_name.domain_name

Procedure

  1. Synchronize the time between ESXi and the directory service system.
    See Synchronize ESXi Clocks with a Network Time Server or the VMware Knowledge Base for information about how to synchronize ESXi time with a Microsoft Domain Controller.
  2. Ensure that the DNS servers that you configured for the host can resolve the host names for the Active Directory controllers.
    1. Browse to the host in the vSphere Client inventory.
    2. Click Configure.
    3. Under Networking, click TCP/IP configuration.
    4. Under TCP/IP Stack: Default, click DNS and verify that the host name and DNS server information for the host are correct.

What to do next

Join the host to a directory service domain. See Add a Host to a Directory Service Domain. For hosts that are provisioned with Auto Deploy, set up the vSphere Authentication Proxy. See Using vSphere Authentication Proxy. You can configure permissions so that users and groups from the joined Active Directory domain can access the vCenter Server components. For information about managing permissions, see Add a Permission to an Inventory Object.