How To: Configure vSphere 4.1 Active Directory Authentication
By Arne Fokkema - ICT-Freak.nl

In this post I will show you how to set up Active Directory authentication in vSphere 4.1.
What do we need to do:
- Before you start, make sure that DNS and NTP are fully functional.
- Create an AD group called "ESX Admins" on a Windows Domain Controller
- Add users to that group
- Configure ESX/ESXi server’s "Directory Services"
If your ESX hosts and Active Directory domain controllers are able to find each other via DNS, you’re ready to go to the next step of this setup. We need to create a group called “ESX Admins” and add the users with administrator permissions in vCenter to this group. If you choose a different name for the group, you will not be able to use Active Directory authentication. I found this in the vsp_41_esx_server_config.pdf:
vCenter Server registers any selected Windows domain user or group through the process of assigning permissions. By default, all users who are members of the local Windows Administrators group on vCenter Server are granted the same access rights as any user assigned to the Administrator role. Users who are members of the Administrators group can log in as individuals and have full access.
Users who are in the Active Directory group ESX Admins are automatically assigned the Administrator role.
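The prerequisites above (DNS, NTP and the ESX Admins group) can be checked before the join with a short PowerCLI script. This is an added example, not part of the original post or of LucD's function; it assumes an existing Connect-VIServer session, the ActiveDirectory and DnsClient modules on the admin workstation, and it reuses the domain name from this post.

```powershell
# Added example: pre-flight checks before joining ESX hosts to the domain.
# Assumptions: PowerCLI is loaded and connected (Connect-VIServer), and the
# ActiveDirectory and DnsClient modules are available on this workstation.
$Domain = 'ict-freak.local'   # domain used in this post
$Group  = 'ESX Admins'        # group name the hosts look for

# 1. Domain controllers must be discoverable through DNS SRV records.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) { Write-Warning "No domain controller SRV records found for $Domain" }

# 2. Per host: the name resolves, NTP servers are configured, ntpd is running.
#    DNS is tested from this workstation, which approximates but does not
#    replace a lookup performed on the host itself.
$report = foreach ($vmhost in Get-VMHost) {
    $resolves = $true
    try { [void][System.Net.Dns]::GetHostAddresses($vmhost.Name) } catch { $resolves = $false }
    $ntpServers = @(Get-VMHostNtpServer -VMHost $vmhost)
    $ntpd = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'ntpd' }
    [pscustomobject]@{
        Host        = $vmhost.Name
        DnsResolves = $resolves
        NtpServers  = $ntpServers -join ', '
        NtpdRunning = [bool]$ntpd.Running
    }
}
$report | Format-Table -AutoSize

# 3. Every direct or nested member of the group is assigned the Administrator
#    role on joined hosts, so review the full membership before the join.
Get-ADGroupMember -Identity $Group -Recursive |
    Sort-Object SamAccountName |
    Format-Table SamAccountName, objectClass, distinguishedName -AutoSize
```

Hosts that show no NTP servers, a stopped ntpd or a failed lookup should be fixed first, and the membership list is worth re-running periodically because it defines who has full control of every joined host.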
After creating the ESX Admins group, it’s time to join the ESX host to the Windows domain. When you’re managing a small environment, you can do this with five or six mouse clicks per ESX host. Log on to vCenter and select a host from the Hosts and Clusters view. Click on the Configuration tab and select Authentication Services. You can change the setting via Properties:

Now select Active Directory in the Select Directory Service Type. Enter the Domain details and click on Join Domain:

Enter the Administrator credentials and click again on Join domain:

The ESX host is now joined to the domain. You can verify this by opening Active Directory Users and Computers. Now you will see the ESX hosts under the Computers folder.

The configuration steps are finished. Now you’re able to use Active Directory authentication to log on directly via the vSphere client to an ESX host in your cluster.

Or you can log on through SSH with your Active Directory credentials:

You can see the logon process in your logs. In my case, the logs are shown in Splunk:

Instead of configuring every host with those five or six mouse clicks, you can also use LucD22's PowerCLI Set-VMHostADDomain function. You can find this function here: http://www.lucd.info/2010/07/25/script-vsphere-4-1-ad-authentication/ The best way to use this function is to add it to your PowerShell profile (more info about this subject can be found here: http://msdn.microsoft.com/en-us/library/bb613488(VS.85).aspx). Once you have added this function to your profile, you’re able to configure all your ESX hosts to authenticate via Active Directory. You can do this by running the following PowerCLI one-liner:
Get-VMHost | Set-VMHostADDomain -ADJoin:$true -Domain 'ict-freak.local' -Credential (Get-Credential)
To get an overview of all the ESX hosts and their configuration, you can run the following PowerCLI one-liner. You also need LucD22's function mentioned above to run this one-liner:
get-vmhost | % {Get-VMHostAuthentication $_} | ft
The following output will be generated:

Sources:
| Source | Link |
|---|---|
| VMware | http://www.vmware.com/pdf/vsphere4/r41/vsp_41_esx_server_config.pdf page: 176 |
| Trainsignal | http://www.vmwarevideos.com/video-new-vsphere-4-1-windows-active-directory-authentication |
| LucD | http://www.lucd.info/2010/07/25/script-vsphere-4-1-ad-authentication/ |
| VMware KB | KB1021970 |
