VMware Cloud Community
blackrhino488
Contributor

ESXi 5.5 virtualizing Windows Server 2012 R2 w/AD DS

Hello everyone,

I am working on a research project at the moment.  I am attempting to set up Active Directory to authenticate ESXi 5.5 users.

Our environment is as follows:

Private Switch <--Firewall Server -->WWW<-- VPN <-- vSphere Client <-- ESXi user / admins

Below are the servers in the private network connected to the private switch:

-ESXi 5.5 Update2 physical host (We will host virtualized system services here)

    -We have 4 ESXi admin accounts

    VMs:

    -Monitoring Server

    -Workstation

    -Windows Server 2012 R2 [Active Directory service]

The following are 3 ESXi physical host machines

-Each has 3 admin accounts

-ESXi 5.5 Update2 physical host - 3 users to be authenticated by Active Directory

-ESXi 5.5 Update2 physical host - 3 users to be authenticated by Active Directory

-ESXi 5.5 Update2 physical host - 3 users to be authenticated by Active Directory

Each user is able to create their own VMs within their assigned ESXi host.

I have already begun to set this up, but I would hate to hit a dead-end that someone may have some insight about.

I have searched for Windows Server 2012 R2 virtualized installation examples, but have only found migration examples (already running physical AD DS to virtual).  Does anyone know of any guides I can follow to set this up from scratch? Or have any first-hand account input for my situation? I know there are specific settings I must have when creating the VM in order for AD DS to work properly.  I have followed those from Windows Server 2012 Best Practices.  I am putting this out so I can maybe get some feedback from those who have already tackled something very similar to this. 

Any input is welcome.  Thank you in advance.

8 Replies
Nick_Andreev
Expert

Configuring ESXi hosts for Active Directory Authentication is a well documented process. All you will need to do is assign admin permissions to specific users on particular hosts. What exactly are your concerns?

---
If you found my answers helpful please consider marking them as helpful or correct.
VCIX-DCV, VCIX-NV, VCAP-CMA | vExpert '16, '17, '18
Blog: http://niktips.wordpress.com | Twitter: @nick_andreev_au
diteshmeher
Contributor

Please find the link below; it may help you.

http://wojcieh.net/vmware-esxi-5-5-active-directory-authentication-step-by-step/

Also, let us know what exactly you are looking for.

blackrhino488
Contributor

Thanks guys for the replies.

My concerns were about the issues surrounding virtualizing AD.  After some research I found out that Microsoft took care of many of the issues that virtualization caused in Windows Server 2012.  By issues I mean things like time keeping etc.

Now, I've already deployed a single DC in an ESXi 5.5 host, I've also joined another ESXi host to the Active Directory domain.  I am having a problem.  I am able to log into the ESXi host using Active Directory credentials ONLY if the AD users are in the ESX Admins group.  I have created an AD group called 'students', added 3 test users to that group, added a permissions role in the ESXi host named 'student-role', and finally added the 'students' (AD) group to the 'student-role' (in ESXi).  I attempted to log into ESXi Client with the test users' credentials from the 'students' group and it will not authenticate.  It tells me I have the wrong username/password.

Why is it that only AD users in the ESX Admins group are able to log into the host through ESXi Client?

Important side note: the 'Trusted Domain Controllers' field is empty in my Authentication Services info.  It shows the following: Trusted Domain Controllers     --

I have attempted a suggested solution.  I have tried adding the domain using both IP and FQDN in the Advanced Settings > UserVars > set preferred domain controller.

After this I have attempted to restart services via the esxcli and even a reboot to see if the Trusted Domain Controllers field populated.  I have not found whether or not this is a problem at all though.  Should I worry about this?

Thanks for any replies.  Looking forward to some interaction.  I've Googled myself to death with these issues now and have not solved them.

blackrhino488
Contributor

Not sure if replying to a forum post bumps my thread post onto the main forum list, but this is an attempt at that.

Hope someone can give me a hand here.  Thanks in advance.

Nick_Andreev
Expert

If you can authenticate using ESX Admins group, that means AD authentication is working.

Did you try to give permissions to a user instead of group and assign a pre-defined role such as Read-only?

blackrhino488
Contributor

I assigned a role I created named 'student-role' and gave those permissions to a group.  The reason it wasn't letting me log in with any of the users in the 'student' AD group was because the 'change password at first login' check box was checked.

After unchecking this box I was able to log in with the AD 'student' group (which is assigned my 'student-role' permissions within ESXi).

My new problem is that I need for users of this 'student' group to change their passwords at first log in.

I have not found a solution to this problem.

Thanks for your input!

blackrhino488
Contributor

*clarification

Just wanted to make a clarification for anyone else running into this issue.  The checkbox I am talking about is located in the 'group' profile in AD users & groups not in ESXi.

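The three things this thread ended up checking by hand (is the host actually a healthy domain member, is the non-admin AD group really bound to a role on the host, and do any of the group's members have "User must change password at next logon" set) can be checked from one PowerShell session. The script below is an added example, not code from the thread or from VMware; it assumes VMware PowerCLI and the RSAT ActiveDirectory module are installed, and the host name, domain, NetBIOS name and the privilege list are constructed placeholders. The group and role names are the ones used in the posts.

```powershell
# Added example, not code from the thread. Assumes VMware PowerCLI and the RSAT
# ActiveDirectory module. Host, domain and NetBIOS names are constructed.
Import-Module VMware.VimAutomation.Core
Import-Module ActiveDirectory

$hostName = 'esxi-lab01.corp.example'   # constructed
$domain   = 'corp.example'              # constructed
$netbios  = 'CORP'                      # constructed NetBIOS name of $domain
$adGroup  = 'students'                  # AD group from the thread
$roleName = 'student-role'              # ESXi role from the thread

# The thread has no vCenter, so connect to the host directly (prompts for root).
$null   = Connect-VIServer -Server $hostName
$vmhost = Get-VMHost -Name $hostName

# 1. Domain membership. Unless the status is 'Ok', no AD principal will
#    authenticate no matter which group it belongs to.
$auth = Get-VMHostAuthentication -VMHost $vmhost
'{0}: domain={1} status={2} trusted={3}' -f $hostName, $auth.Domain,
    $auth.DomainMembershipStatus, ($auth.TrustedDomains -join ',')
if ($auth.DomainMembershipStatus -ne 'Ok') {
    Write-Warning 'Host is not a healthy domain member; fix the join before looking at roles.'
}

# 2. Role and permission. 'ESX Admins' gets Administrator on the host automatically;
#    any other AD group only gets in if it is explicitly bound to a role here.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    # Minimal illustrative privilege set (constructed); widen to what the lab needs.
    $privs = Get-VIPrivilege -Id 'System.View',
                                 'VirtualMachine.Inventory.Create',
                                 'VirtualMachine.Interact.PowerOn',
                                 'VirtualMachine.Interact.PowerOff',
                                 'VirtualMachine.Interact.ConsoleInteract'
    $role = New-VIRole -Name $roleName -Privilege $privs
}
$principal = "$netbios\$adGroup"
$perm = Get-VIPermission -Entity $vmhost | Where-Object { $_.Principal -eq $principal }
if (-not $perm) {
    $perm = New-VIPermission -Entity $vmhost -Principal $principal -Role $role -Propagate:$true
}
'Permission: {0} -> {1} on {2}' -f $perm.Principal, $perm.Role, $vmhost.Name

# 3. AD side. 'User must change password at next logon' is stored as pwdLastSet = 0.
#    vSphere cannot complete that forced change, so such members fail with a plain
#    wrong-username/password error even when the role binding above is correct.
$mustChange = Get-ADGroupMember -Identity $adGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties pwdLastSet |
    Where-Object { $_.pwdLastSet -eq 0 }

if ($mustChange) {
    Write-Warning "Members of '$adGroup' that must change their password via a Windows logon before vSphere will accept them:"
    $mustChange | Select-Object SamAccountName, Enabled | Format-Table -AutoSize
}

Disconnect-VIServer -Server $hostName -Confirm:$false
```

Step 3 only reports the affected accounts; it deliberately does not clear the flag, since the thread's conclusion is that the password change has to happen through a Windows logon rather than by switching the requirement off.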
Nick_Andreev
Expert

If you want users to change the password before the first logon they'll have to do this using native Windows mechanisms, such as logging in to a Windows host and changing the password in the authentication prompt. You can't do that in vSphere.
