Setting up VMware user accounts for Active Directory integration

ESXi allows you to add custom VMware user accounts for authentication and host management. If you run Active Directory, you can also connect Active Directory user accounts to ESXi host roles in vSphere so you don't have to manage accounts from two different locations.

Active Directory integration prerequisites
Normally, you have to create VMware user accounts in the vSphere Client first. For Active Directory integration, however, you can simply connect an ESXi host to an Active Directory domain and assign permissions to existing Active Directory accounts. That means you don't have to create separate accounts for Active Directory users in the vSphere Client; you just grant existing Active Directory accounts permissions on the hosts you want them to manage.

Before you connect Active Directory user accounts to the ESXi host, you need to meet a few requirements. First, the Active Directory account that you use to add the host to the domain needs the privileges required to join a computer to the Active Directory domain. Typically, the default Administrator account has sufficient privileges to do this. However, if you're using another Active Directory account to integrate a host, you need to grant the required permissions to that account in the Active Directory environment.

Next, the ESXi host and the Active Directory domain controllers must synchronize their time to the same time source. You can usually use an NTP host such as pool.ntp.org for this purpose. To specify which NTP host should be used, select the Time Configuration option on the Configuration tab in the vSphere Client and enter the NTP host to synchronize with.

Last, you need to make sure that the ESXi host uses the DNS server provided by the Active Directory domain controller and that it has the same DNS suffix as the domain. For instance, if your Active Directory domain is example.com, your ESXi host's DNS suffix should be example.com as well.
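The three prerequisites above (a joinable account, a shared time source, and the domain controller's DNS with a matching suffix) can be set and verified from VMware PowerCLI instead of clicking through the vSphere Client. The following script is an added example, not code from the original article or from VMware; it assumes a vCenter at vcenter.example.com, a host named esx01.example.com, the domain example.com and a domain controller at 10.0.0.10 that also serves DNS (all constructed values). The clock-skew check compares the host's clock, read through the API, with the clock of the (assumed domain-joined) workstation running the script, against Active Directory's default Kerberos tolerance of 5 minutes.

```powershell
# Added example (not from the original article): configure and verify the
# NTP and DNS prerequisites for AD integration on one ESXi host with PowerCLI.
# Assumed values: vCenter "vcenter.example.com", host "esx01.example.com",
# AD domain "example.com", DC / DNS server 10.0.0.10 (all constructed).
Import-Module VMware.PowerCLI
Connect-VIServer -Server "vcenter.example.com"   # prompts for credentials

$adDomain = "example.com"
$dcDns    = "10.0.0.10"        # DNS served by the domain controller
$ntpHost  = "pool.ntp.org"     # the article's example; the DC itself is also a common choice
$esx      = Get-VMHost -Name "esx01.example.com"

# --- NTP: add the time source and make ntpd start with the host ---
if (-not ((Get-VMHostNtpServer -VMHost $esx) -contains $ntpHost)) {
    Add-VMHostNtpServer -VMHost $esx -NtpServer $ntpHost | Out-Null
}
$ntpd = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq "ntpd" }
Set-VMHostService -HostService $ntpd -Policy On | Out-Null
if (-not $ntpd.Running) { Start-VMHostService -HostService $ntpd | Out-Null }

# --- DNS: point the host at the DC's DNS and give it the AD domain suffix ---
$net = Get-VMHostNetwork -VMHost $esx
Set-VMHostNetwork -Network $net -DnsAddress $dcDns `
    -DomainName $adDomain -SearchDomain $adDomain | Out-Null

# --- Verify: suffix matches the domain, clock skew is within Kerberos tolerance ---
$net      = Get-VMHostNetwork -VMHost $esx
$suffixOk = ($net.DomainName -ieq $adDomain)

# Read the host's clock through the vSphere API (HostDateTimeSystem.QueryDateTime)
# and compare it with this workstation's clock, both in UTC.
$hostView = $esx | Get-View
$dtSystem = Get-View -Id $hostView.ConfigManager.DateTimeSystem
$hostTime = $dtSystem.QueryDateTime().ToUniversalTime()
$skew     = [math]::Abs(((Get-Date).ToUniversalTime() - $hostTime).TotalSeconds)
$skewOk   = ($skew -le 300)    # AD Kerberos default maximum clock skew is 5 minutes

[PSCustomObject]@{
    Host        = $esx.Name
    DnsSuffix   = $net.DomainName
    DnsServers  = ($net.DnsAddress -join ",")
    NtpServers  = ((Get-VMHostNtpServer -VMHost $esx) -join ",")
    ClockSkewS  = [math]::Round($skew, 1)
    ReadyToJoin = ($suffixOk -and $skewOk)
}
```

If ReadyToJoin comes back false, fix the reported item before attempting the join: a wrong DNS suffix or missing SRV lookups through the DC's DNS, and a clock more than a few minutes off, are the two most common reasons the Join Domain step fails.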

Connecting Active Directory with ESXi hosts
Once you've met the prerequisites for Active Directory integration, you're ready to connect the ESXi host to the Active Directory domain. Log in to the vSphere Client, select the ESXi host you want to connect to, and select the Authentication Services option from the Configuration tab. This should show you the current setting with Local Authentication as the Directory Services Type.

By default, ESXi authentication is handled locally.

Now select the Properties link in the upper right part of the screen, and select Active Directory from the Select Directory Service Type dropdown list. You can now enter the name of the Active Directory domain that you want to connect to and click Join Domain. You will see a pop-up where you need to enter the name and password of an Active Directory account that has permission to join this host to the domain. After entering these, click Join Domain.

This is how to join the ESXi host to an Active Directory domain.

You have now connected the ESXi host to an Active Directory domain, and you can assign users from that domain permissions to manage the ESXi host. In the vSphere Client, select the host and click the Permissions tab. Right-click the empty space in this tab and select Add Permission. In the next window, click Add and select the Active Directory users or groups to whom you want to grant permissions. Next, click the role that you want to assign to the selected users or groups, and click OK to apply the changes. Active Directory users can now manage ESXi host tasks.

Click Add to assign the listed roles to users and groups from Active Directory.
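The join and permission steps above can be scripted the same way. The following PowerCLI script is an added example, not code from the original article or from VMware; it assumes the same host esx01.example.com and domain example.com as before, an AD group EXAMPLE\esxi-operators, and the sample role "Virtual machine power user (sample)" that ships with vCenter (group and role choice are assumptions). It grants a limited role to a group rather than Admin to individual users, then lists who actually holds Admin on the host after the join.

```powershell
# Added example (not from the original article): join an ESXi host to AD with
# PowerCLI, grant a least-privilege role to an AD group, and audit the result.
# Assumed values: host "esx01.example.com", domain "example.com",
# AD group "EXAMPLE\esxi-operators", role "Virtual machine power user (sample)".
Import-Module VMware.PowerCLI
Connect-VIServer -Server "vcenter.example.com"

$esx      = Get-VMHost -Name "esx01.example.com"
$adDomain = "example.com"

# Join the domain with an AD account allowed to join computers to the domain
# (the article uses Administrator; a delegated join-only account also works).
$joinCred = Get-Credential -Message "AD account permitted to join computers to $adDomain"
$auth = Get-VMHostAuthentication -VMHost $esx
if ($auth.Domain -ne $adDomain) {
    Set-VMHostAuthentication -VMHostAuthentication $auth -JoinDomain `
        -Domain $adDomain -Credential $joinCred -Confirm:$false | Out-Null
}

# Grant a non-administrative role to a group (equivalent of Permissions > Add Permission).
$role = Get-VIRole -Name "Virtual machine power user (sample)"
New-VIPermission -Entity $esx -Principal "EXAMPLE\esxi-operators" `
    -Role $role -Propagate:$true | Out-Null

# Audit: which domain the host now trusts, and which principals hold Admin on it.
$auth       = Get-VMHostAuthentication -VMHost $esx
$adminGroup = Get-AdvancedSetting -Entity $esx -Name "Config.HostAgent.plugins.hostsvc.esxAdminsGroup"
"Directory service: $($auth.DomainMembershipStatus), member of $($auth.Domain)"
"AD group automatically granted Admin on this host: $($adminGroup.Value)"
Get-VIPermission -Entity $esx |
    Where-Object { $_.Role -eq "Admin" } |
    Select-Object Principal, Role, Propagate, IsGroup
```

The last two lines of output are the ones to review after every join. ESXi grants the Admin role to members of a domain group named in the advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup (by default "ESX Admins"), so whoever controls membership of that group in Active Directory controls every host joined to the domain; treat it as a tier-0 group, or point the setting at a group you already protect.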

Active Directory integration makes it easier to manage your VMware user accounts from one place, and you don’t have to create new, separate accounts for AD users.

This was first published in November 2011
