ESXi allows you to add custom VMware user accounts for authentication and host management. If you run Active Directory, you can also connect Active Directory user accounts to ESXi host roles in vSphere so you don't have to manage accounts from two different locations.
Active Directory integration prerequisites
Normally, you have to create VMware user accounts in the vSphere Client first. But for Active Directory integration, you can simply connect an ESXi host to an Active Directory domain and specify permissions for the account. That means you don't have to create separate accounts for Active Directory users in the vSphere Client; you can just connect existing VMware user accounts with the hosts you want AD to manage.
Before you connect Active Directory user accounts to the ESXi host, you need to meet a few requirements. First, the Active Directory account that you want to add to the host needs to have the required privileges to join a computer to the Active Directory domain. Typically, the default Administrator account has sufficient privileges to do this. However, if you're using another Active Directory account to integrate with a host, you need to grant that account the required permissions in the Active Directory environment.
Next, the ESXi host and the Active Directory domain controllers must have their time synchronized to the same time source. You can usually use an NTP host such as pool.ntp.org for this purpose. To specify which NTP host should be used, select the Time Configuration option on the Configuration tab in the vSphere Client and enter the NTP host to synchronize with.
Last, you need to make sure that the ESXi host is using the DNS server provided by the Active Directory Domain Controller and that it has the same DNS suffix. For instance, if your Active Directory domain is in example.com, your ESXi host should be in example.com as well.
Connecting Active Directory with ESXi hosts
Once you've met the prerequisites for Active Directory integration, you're ready to connect the ESXi host to the Active Directory domain. Log in to the vSphere Client, select the ESXi host you want to connect to, and select the Authentication Services option from the Configuration tab. This should show you the current setting with Local Authentication as the Directory Services Type.
Now select the Properties link in the upper right part of the screen, and select Active Directory from the Select Directory Service Type dropdown list. You can now enter the name of the Active Directory domain that you want to connect to and click Join Domain. You will see a pop-up where you need to enter the name and password of a VMware user account that has permissions to connect this host to Active Directory. After specifying these, click Join Domain.
You have now connected the ESXi host with an Active Directory domain, and you can assign users permissions to manage an ESXi host from that domain. In the vSphere Client, select the host and click the Permissions tab. Right-click on the empty space in this tab and select Add Permission. In the next window, click Add and select the Active Directory users to whom you want to grant permissions. Next, click the role that you want to assign to the selected users or groups, and click OK to apply the changes. Now, Active Directory users can manage ESXi host tasks.
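The same prerequisites, domain join, and permission assignment can be scripted with VMware PowerCLI. The following is an added example, not part of the original article. The host name, DNS server address, AD group name, and the ReadOnly role are assumed placeholders; substitute your own values and the role your users actually need.

```powershell
# Added example (PowerCLI). Placeholder values below are assumptions, not from the article.
$esxName = 'esx01.example.com'        # assumed ESXi host name
$domain  = 'example.com'              # domain used in the article's DNS example
$dcDns   = '192.0.2.10'               # assumed DNS address of a domain controller
$adGroup = 'EXAMPLE\ESXi-Operators'   # assumed AD group to receive a role

Connect-VIServer -Server $esxName -Credential (Get-Credential -Message 'ESXi login') | Out-Null
$vmhost = Get-VMHost -Name $esxName

# Prerequisite: time synchronization. Add an NTP source only if none is set,
# then make sure ntpd starts with the host and is running now.
if (-not (Get-VMHostNtpServer -VMHost $vmhost)) {
    Add-VMHostNtpServer -VMHost $vmhost -NtpServer 'pool.ntp.org' | Out-Null
}
$ntpd = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'ntpd' }
Set-VMHostService -HostService $ntpd -Policy 'on' | Out-Null
if (-not $ntpd.Running) { Start-VMHostService -HostService $ntpd | Out-Null }

# Prerequisite: the host resolves through the domain controller's DNS
# and carries the same DNS suffix as the AD domain.
$net = Get-VMHostNetwork -VMHost $vmhost
if ($net.DomainName -ne $domain -or $net.DnsAddress -notcontains $dcDns) {
    Set-VMHostNetwork -Network $net -DomainName $domain -DnsAddress $dcDns | Out-Null
}

# Join the domain only if the host is not already a member.
# The credential is prompted for so no password is stored in the script.
$auth = Get-VMHostAuthentication -VMHost $vmhost
if ($auth.Domain -ne $domain) {
    $joinCred = Get-Credential -Message 'Account allowed to join computers to the domain'
    $auth | Set-VMHostAuthentication -JoinDomain -Domain $domain -Credential $joinCred -Confirm:$false | Out-Null
}

# Grant a role to an AD group rather than to individual users, so access
# follows group membership managed in Active Directory.
New-VIPermission -Entity $vmhost -Principal $adGroup -Role (Get-VIRole -Name 'ReadOnly') | Out-Null

# Verify the result: membership status and the permissions now on the host.
Get-VMHostAuthentication -VMHost $vmhost | Select-Object Domain, DomainMembershipStatus
Get-VIPermission -Entity $vmhost | Select-Object Principal, Role, IsGroup

Disconnect-VIServer -Server $esxName -Confirm:$false
```

Reviewing the `Get-VIPermission` output after each change is a quick way to confirm that only the intended AD principals hold roles on the host.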
Active Directory integration makes it easier to manage your VMware user accounts from one place, and you don’t have to create new, separate accounts for AD users.