You can join vCenter Server to an Active Directory domain. You can attach the users and groups from this Active Directory domain to your vCenter Single Sign-On domain. You can leave the Active Directory domain.

Important: Joining vCenter Server to an Active Directory domain with a read-only domain controller (RODC) is not supported. You can join vCenter Server only to an Active Directory domain with a writable domain controller.

If you want to configure permissions so that users and groups from an Active Directory can access the vCenter Server components, you must join the vCenter Server instance to the Active Directory domain.

For example, to enable an Active Directory user to log in to the vCenter Server instance by using the vSphere Client, you must join the vCenter Server instance to the Active Directory domain and assign the Administrator role to this user.

Prerequisites

  • Verify that the user who logs in to the vCenter Server instance is a member of the SystemConfiguration.Administrators group in vCenter Single Sign-On.

  • Verify that the system name of the appliance is an FQDN. If, during the deployment of the appliance, you set an IP address as a system name, you cannot join vCenter Server to an Active Directory domain.

Procedure

  1. Use the vSphere Client to log in as administrator@your_domain_name to the vCenter Server instance.
  2. On the vSphere Client navigation pane, click Administration > Single Sign-On > Configuration.
  3. Select the Active Directory tab, and click Join AD.
  4. Enter the Active Directory details.
    Option: Description
    Domain: Active Directory domain name, for example, mydomain.com. Do not provide an IP address in this text box.
    Organizational unit: Optional. The full OU LDAP FQDN, for example, OU=Engineering,DC=mydomain,DC=com.
      Important: Use this text box only if you are familiar with LDAP.
    User name: User name in User Principal Name (UPN) format, for example, jchin@mydomain.com.
      Important: Down-level login name format, for example, DOMAIN\UserName, is unsupported.
    Password: Password of the user.
  5. Click Join to join the vCenter Server to the Active Directory domain.
    The operation completes without a confirmation message; the Join AD option changes to Leave AD.
  6. (Optional) To leave the Active Directory Domain, click Leave AD.
  7. Restart vCenter Server so that the changes are applied.
    Important: If you do not restart, you might encounter problems when using the vSphere Client.
  8. Navigate to Administration > Single Sign-On > Configuration.
  9. On the Identity Sources tab, click the Add Identity Source icon.
  10. Select Active Directory (Integrated Windows Authentication), enter the identity source settings of the joined Active Directory domain, and click OK.
    Table 1. Add Identity Source Settings
    Text Box: Description
    Domain name: FQDN of the domain. Do not provide an IP address in this text box.
    Use machine account: Select this option to use the local machine account as the SPN. When you select this option, you specify only the domain name. Do not select this option if you expect to rename this machine.
    Use Service Principal Name (SPN): Select this option if you expect to rename the local machine. You must specify an SPN, a user who can authenticate with the identity source, and a password for the user.
    Service Principal Name (SPN): SPN that helps Kerberos to identify the Active Directory service. Include the domain in the name, for example, STS/example.com.

    You might have to run setspn -S to register the SPN on the user account you want to use. See the Microsoft documentation for information on setspn.

    The SPN must be unique across the domain. Running setspn -S checks that no duplicate is created.

    User Principal Name (UPN): Name of a user who can authenticate with this identity source. Use the email address format, for example, jchin@mydomain.com. You can verify the User Principal Name with the Active Directory Service Interfaces Editor (ADSI Edit).
    Password: Password for the user who is used to authenticate with this identity source, which is the user who is specified in User Principal Name. Include the domain name, for example, jdoe@example.com.
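The field rules shared by the Join AD and Add Identity Source tables (an FQDN rather than an IP address, a UPN rather than a down-level DOMAIN\UserName, a full OU distinguished name under the domain, and an SPN that carries the domain) as an added pre-flight check; this is example code written for this page, not VMware's, and the domain, user, OU and SPN values in it are constructed.

```python
import ipaddress
import re

# Hostname labels separated by dots, ending in an alphabetic TLD (constructed rule, not VMware's).
FQDN_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$")
UPN_RE = re.compile(r"^[^\s@\\/]+@(?P<suffix>.+)$")


def is_ip_address(value: str) -> bool:
    """True when the value parses as an IPv4/IPv6 address (not allowed in the Domain field)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def domain_to_dn(domain: str) -> str:
    """mydomain.com -> DC=mydomain,DC=com, the suffix a valid OU DN must end with."""
    return ",".join(f"DC={label}" for label in domain.split("."))


def check_ad_settings(domain, user_name, ou=None, spn=None):
    """Return the list of rule violations; an empty list means every supplied value passes."""
    problems = []
    if is_ip_address(domain) or not FQDN_RE.match(domain):
        problems.append("domain: must be an FQDN such as mydomain.com, not an IP address")
    if "\\" in user_name:
        problems.append("user_name: down-level DOMAIN\\UserName format is unsupported; use UPN format")
    else:
        m = UPN_RE.match(user_name)
        if not m or not FQDN_RE.match(m.group("suffix")):
            problems.append("user_name: must be a UPN such as jchin@mydomain.com")
    if ou is not None:
        dn_suffix = domain_to_dn(domain).lower()
        if not ou.upper().startswith("OU=") or not ou.lower().endswith("," + dn_suffix):
            problems.append(f"ou: must be a full LDAP DN ending in {domain_to_dn(domain)}")
    if spn is not None:
        service, sep, target = spn.partition("/")
        d = domain.lower()
        if not sep or not service or not (target.lower() == d or target.lower().endswith("." + d)):
            problems.append("spn: must be service/host and include the domain, for example STS/example.com")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: one valid set and one that breaks two rules.
    print(check_ad_settings("mydomain.com", "jchin@mydomain.com", ou="OU=Engineering,DC=mydomain,DC=com"))
    print(check_ad_settings("192.168.1.10", "MYDOMAIN\\jchin", spn="STS"))
```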

Results

On the Identity Sources tab, you can see the joined Active Directory domain.

What to do next

You can configure permissions so that users and groups from the joined Active Directory domain can access the vCenter Server components. For information about managing permissions, see the vSphere Security documentation.