VMware Cloud Community
PaulAdamFeB
Contributor

ESXi Host - AD Authentication issues

Hi All,

I have a requirement to add AD Authentication to several standalone ESXi Hosts at various branch locations around the globe - i.e. no vCenter - so just the traditional join the host to AD via Configuration -> Authentication Services.

There is a mixture of ESXi 5.1, 5.5 and 6.0 hosts, but I am having the same problem with them all - so it potentially suggests something with the domain maybe?

Anyway - set up time sync as per VMware KB article (VMware KB: Synchronizing ESXi/ESX time with a Microsoft Domain Controller) and joined to domain successfully

We have an AD Group called ESX-Admins - and before joining to the domain I have modified the "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" so it auto adds the correct group name to have permissions at the top level of the host.


Joined the host to the domain at this point (and verified it's there in AD and waited for replication to catch up as well) but I am just unable to log in with my AD user and I cannot work out why!


I just get the error "The vSphere Client could not connect to "<Hostname or IP>". You do not have permission to login to the server: <Hostname or IP>"


That's it, that's all I get - the hosts have not been locked down (not connected to vCenter as I said) - most of which are clean builds with very little tweaking of any settings, the DCs at the sites are not RODCs or anything like that?


Any pointers.....it's totally doing my head right in!!!!


Thanks


Paul

5 Replies
npadmani
Virtuoso

There's a need to reboot the host after joining AD.

Have you done it?

Narendra Padmani VCIX6-DCV | VCIX7-CMA | VCI | TOGAF 9 Certified
PaulAdamFeB
Contributor

Oh god - really?!?

That would, of course, have been the obvious thing to do - but as it's not documented on the KB article I was following that you need to do it, I never even gave it a thought that it would be required (doh!)

Well....I will get one of the hosts rebooted and let you know!

Thanks in advance

Paul (feeling slightly stupid)

JMachieJr
Enthusiast

Paul,

Did rebooting the host work for you?

VCP-DCV | MCP | Linux+ Twitter: @James_Machie_Jr LinkedIn: https://www.linkedin.com/in/jmachiejr
UmeshAhuja
Commander

Hi,

I would like to know a few things to get you some answers to your problem.

1) Are you able to connect to your ESXi host with root credentials?

2) How are you trying to connect to the ESXi host, via IP address or FQDN? (If you are trying to connect via FQDN, is that FQDN being resolved by DNS? Are you able to ping the ESXi host by its DNS name?)

3) Can you check if the netlogond service can contact the domain through a chosen domain controller?

4) As a workaround to point 3, you can try the steps below and check:

  1. Connect directly to the host using the vSphere Client.
  2. Select ESXi Server > Configuration > Advanced Settings > UserVars.ActiveDirectoryPreferredDomainControllers.
  3. Enter the IP address or FQDN of the preferred domain controller.
  4. Click OK to apply the changes.

Thanks n Regards
Umesh Ahuja

If your query resolved then please consider awarding points by correct or helpful marking.
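
The settings discussed in this thread (domain membership, the esxAdminsGroup value and the preferred domain controller) can be read per standalone host with PowerCLI. This is an added example, not part of any reply in the thread; it assumes VMware PowerCLI is installed and local root login works, and the host name and parameter names are placeholders.

```powershell
# Added example, not from the thread. Requires VMware PowerCLI.
# $EsxHosts, $ExpectedGroup and $PreferredDc are placeholder parameters.
param(
    [string[]]$EsxHosts      = @('esxi01.example.com'),  # placeholder host name
    [string]  $ExpectedGroup = 'ESX-Admins',             # AD group named in the thread
    [string]  $PreferredDc   = ''                        # optional: DC IP or FQDN to pin
)

$rootCred = Get-Credential -Message 'Local root credentials for the ESXi hosts'

$report = foreach ($name in $EsxHosts) {
    # Connect straight to the host, since there is no vCenter in this setup.
    $conn = Connect-VIServer -Server $name -Credential $rootCred -ErrorAction Stop
    try {
        $vmhost = Get-VMHost -Server $conn
        $auth   = Get-VMHostAuthentication -VMHost $vmhost
        $group  = Get-AdvancedSetting -Entity $vmhost `
                      -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
        $dc     = Get-AdvancedSetting -Entity $vmhost `
                      -Name 'UserVars.ActiveDirectoryPreferredDomainControllers'

        # Pin the preferred domain controller only when one was requested
        # and the setting exists on this ESXi version.
        if ($PreferredDc -and $dc -and $dc.Value -ne $PreferredDc) {
            $dc = Set-AdvancedSetting -AdvancedSetting $dc -Value $PreferredDc -Confirm:$false
        }

        [pscustomobject]@{
            Host             = $name
            Domain           = $auth.Domain
            MembershipStatus = $auth.DomainMembershipStatus
            EsxAdminsGroup   = $group.Value
            GroupMatches     = ($group.Value -eq $ExpectedGroup)
            PreferredDc      = if ($dc) { $dc.Value } else { '(setting not present)' }
        }
    }
    finally {
        Disconnect-VIServer -Server $conn -Confirm:$false
    }
}

$report | Format-Table -AutoSize
```

A row where `GroupMatches` is false, or where `MembershipStatus` is not healthy, narrows the login failure to the group mapping or the domain join before anyone reboots a host.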
RAJ_RAJ
Expert

Hi,

First you have to add the ESXi host to domain

Add the Domain Name to Preferred Domain Controller Entry

Provide the permission for the Group or User


You may get an error message sometimes; you can ignore that after verifying whether the host is in the domain or not.

Also, sometimes adding the host to the domain may fail depending on the format in which the credentials are provided, so you have to follow both options (admin@domain.com / domain\admin).

Reboot is not mandatory, but if you are facing any trouble on login, first you can restart the services; after that, if the same issue persists, go with a reboot.

RAJESH RADHAKRISHNAN VCA -DCV/WM/Cloud,VCP 5 - DCV/DT/CLOUD, ,VCP6-DCV, EMCISA,EMCSA,MCTS,MCPS,BCFA https://ae.linkedin.com/in/rajesh-radhakrishnan-76269335 Mark my post as "helpful" or "correct" if I've helped resolve or answered your query!