You can configure ESXi to use a directory service such as Active Directory to manage users.

Creating local user accounts on each host presents challenges with having to synchronize account names and passwords across multiple hosts. Join ESXi hosts to an Active Directory domain to eliminate the need to create and maintain local user accounts. Using Active Directory for user authentication simplifies the ESXi host configuration and reduces the risk for configuration issues that could lead to unauthorized access.

When you use Active Directory, users supply their Active Directory credentials and the domain name of the Active Directory server when adding a host to a domain.

Configure an ESXi Host to Use Active Directory

You can configure an ESXi host to use a directory service such as Active Directory to manage users and groups.

When you add an ESXi host to Active Directory, the Active Directory domain group ESX Admins, if that group exists, is automatically assigned full administrative access to the host. If you do not want to make full administrative access available to that group, see VMware Knowledge Base article 1025569 for a workaround.

If a host is provisioned with Auto Deploy, Active Directory credentials cannot be stored on the hosts. You can use the vSphere Authentication Proxy to join the host to an Active Directory domain. Because a trust chain exists between the vSphere Authentication Proxy and the host, the Authentication Proxy can join the host to the Active Directory domain. See Using vSphere Authentication Proxy.

Note: When you define user account settings in Active Directory, you can limit the computers that a user can log in to by computer name. By default, no such restriction is set on a user account. If you set this limitation, LDAP Bind requests for the user account fail with the message LDAP binding not successful, even if the request comes from a listed computer. You can avoid this problem by adding the NetBIOS name of the Active Directory server to the list of computers that the user account can log in to.

Prerequisites

  • Verify that you have an Active Directory domain. See your directory server documentation.
  • Verify that the host name of ESXi is fully qualified with the domain name of the Active Directory forest.

    fully qualified domain name = host_name.domain_name

Procedure

  1. Synchronize the time between ESXi and the directory service system.
    See Synchronize ESXi Clocks with a Network Time Server or the VMware Knowledge Base for information about how to synchronize ESXi time with a Microsoft Domain Controller.
  2. Ensure that the DNS servers that you configured for the host can resolve the host names for the Active Directory controllers.
    1. Browse to the host in the vSphere Client inventory.
    2. Click Configure.
    3. Under Networking, click TCP/IP configuration.
    4. Under TCP/IP Stack: Default, click DNS and verify that the host name and DNS server information for the host are correct.
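A pre-flight script for the prerequisites above (host name qualified with the domain, DNS resolution of the domain controllers, time synchronization), written as an added example and not taken from the VMware documentation. It assumes the ESXi shell (esxcli, nslookup), that the host's ESXi build supports `esxcli system ntp get`, and uses constructed sample values for the host name, join target and domain controller names.

```shell
#!/bin/sh
# Pre-flight checks before joining an ESXi host to Active Directory.
# Added example; not part of the VMware documentation. The esxcli and nslookup
# calls assume the ESXi shell; the helper functions are pure POSIX sh.
# Usage: preflight.sh esx01.domain.com domain.com/OU1/OU2 dc1.domain.com [dc2 ...]

# Return 0 if HOST is fully qualified with DOMAIN (host_name.domain_name).
fqdn_in_domain() {
  h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  d=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$h" in
    *?."$d") return 0 ;;
  esac
  return 1
}

# Domain part of a join target written as name.tld or name.tld/container/path.
domain_of_spec() { printf '%s\n' "${1%%/*}"; }

# OU path of the join target; empty means the default container.
ou_of_spec() { case "$1" in */*) printf '%s\n' "${1#*/}" ;; *) echo ;; esac; }

# On-host checks. Arguments: host FQDN, join target, domain controller names.
preflight() {
  host=$1; spec=$2; shift 2
  domain=$(domain_of_spec "$spec")
  rc=0
  if fqdn_in_domain "$host" "$domain"; then
    echo "ok   $host is qualified with $domain"
  else
    echo "FAIL $host is not of the form host_name.$domain"; rc=1
  fi
  echo "info join target: domain=$domain ou=$(ou_of_spec "$spec")"
  echo "info configured DNS: $(esxcli network ip dns server list)"
  for dc in "$@"; do
    if nslookup "$dc" >/dev/null 2>&1; then
      echo "ok   resolved domain controller $dc"
    else
      echo "FAIL cannot resolve domain controller $dc"; rc=1
    fi
  done
  # Kerberos rejects logons when clocks drift too far apart, so show NTP state.
  echo "info NTP: $(esxcli system ntp get 2>/dev/null || echo 'query not supported')"
  return $rc
}

# Run only when called with arguments, so the file can also be sourced.
if [ $# -ge 3 ]; then preflight "$@"; fi
```

A non-zero exit means at least one prerequisite failed; fix it before using Join Domain in the vSphere Client.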

What to do next

Join the host to a directory service domain. See Add an ESXi Host to a Directory Service Domain. For hosts that are provisioned with Auto Deploy, set up the vSphere Authentication Proxy. See Using vSphere Authentication Proxy. You can configure permissions so that users and groups from the joined Active Directory domain can access the vCenter Server components. For information about managing permissions, see Add a Permission to an Inventory Object.

Add an ESXi Host to a Directory Service Domain

To have your ESXi host use a directory service, you must join the host to the directory service domain.

You can enter the domain name in one of two ways:

  • name.tld (for example, domain.com): The account is created under the default container.
  • name.tld/container/path (for example, domain.com/OU1/OU2): The account is created under a particular organizational unit (OU).

To use the vSphere Authentication Proxy service, see Using vSphere Authentication Proxy.

Procedure

  1. Browse to a host in the vSphere Client inventory.
  2. Click Configure.
  3. Under System, select Authentication Services.
  4. Click Join Domain.
  5. Enter a domain.

    Use the form name.tld or name.tld/container/path.

  6. Enter the user name and password of a directory service user who has permissions to join the host to the domain, and click OK.
  7. (Optional) If you intend to use an authentication proxy, enter the proxy server IP address.
  8. Click OK to close the Directory Services Configuration dialog box.

What to do next

You can configure permissions so that users and groups from the joined Active Directory domain can access the vCenter Server components. For information about managing permissions, see Add a Permission to an Inventory Object.

View Directory Service Settings for an ESXi Host

You can view the type of directory server, if any, that the ESXi host uses to authenticate users and the directory server settings.

Procedure

  1. Browse to the host in the vSphere Client inventory.
  2. Click Configure.
  3. Under System, select Authentication Services.
    The Authentication Services page displays the directory service and domain settings.

What to do next

You can configure permissions so that users and groups from the joined Active Directory domain can access the vCenter Server components. For information about managing permissions, see Add a Permission to an Inventory Object.