ESX and ESXi AD Integration

If, like me, you make your ESX / ESXi server passwords nice and complex you end up having to dig them out of a password safe every time you want to connect directly to one of them. Or you have an SSH connection manager of some sort perhaps. Even then, there will come a time when you want to connect directly and that 16 character, random, mixed case password just isn't memorable enough for you to use it.

Luckily if you're running vSphere 4.1 or later you can configure your hosts to use AD authentication. Hooray!

Obviously there are security implications to doing this. Each environment is different and any risks should be considered before implementing this.

So, let's deal with the pre-requisites first. There are three of those:

  1. Time synchronisation – Your ESX / ESXi hosts must be synchronised to a time source and they should be in sync with the domain controllers in your AD domain. The authentication mechanisms in AD are very sensitive to time differences. Actually, that's a delicate way to put it. It won't work if the time is wrong.
  2. Name resolution – The ESX / ESXi hosts will use DNS to locate domain controllers for whichever domain you configure them to use. Therefore each host must have a working DNS configuration.
  3. An AD group – Sadly there is a limitation here. AD users that you wish to grant administrative access of your hosts to have to be a specific group in AD called “ESX Admins”. This is not obvious in the documentation however.

The same document then talks you through configuring each host. It's fairly simple.

Just find the “Authentication Services” option on the “Configuration” tab for each host. By default it will look like this:

Click on the properties link to edit the “Authentication Services Settings”. In the windows that opens, select “Active Directory” as the service type. Then enter the FQDN of your AD domain into the domain field and click the “Join Domain” button.

Finally you just need to enter the credentials of an account permitted to join the ESX host to the AD domain.

Once the task in vCenter completes (it can take a little while), just refresh the “Authentication Services” page and you'll be able to see that the host is now joined to the AD domain.

All good unless you have a lot of hosts to work through. In which case, you might want to check out LucD's very handy PowerCLI script to join hosts to an AD domain.