Hi All,
I have a requirement to add AD Authentication to several standalone ESXi hosts at various branch locations around the globe - i.e. no vCenter - so just the traditional join of the host to AD via Configuration -> Authentication Services.
There is a mixture of ESXi 5.1, 5.5 and 6.0 hosts, but I am having the same problem with them all - so it potentially suggests something with the domain maybe?
Anyway - set up time sync as per the VMware KB article (VMware KB: Synchronizing ESXi/ESX time with a Microsoft Domain Controller) and joined to the domain successfully.
We have an AD group called ESX-Admins - and before joining to the domain I modified "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" so it auto-adds the correct group name to have permissions at the top level of the host.
Joined the host to the domain at this point (and verified it's there in AD and waited for replication to catch up as well), but I am just unable to log in with my AD user and I cannot work out why!
I just get the error "The vSphere Client could not connect to "<Hostname or IP>". You do not have permission to login to the server: <Hostname or IP>"
That's it, that's all I get - the hosts have not been locked down (not connected to vCenter as I said) - most of which are clean builds with very little tweaking of any settings, and the DCs at the sites are not RODCs or anything like that?
Any pointers..... it's totally doing my head right in!!!!
Thanks
Paul
There's a need to reboot the host after joining AD.
Have you done it?
Oh god - really?!?
That would, of course, have been the obvious thing to do - but as it's not documented in the KB article I was following that you need to do it, I never even gave it a thought that it would be required (doh!)
Well.... I will get one of the hosts rebooted and let you know!
Thanks in advance
Paul (feeling slightly stupid)
Paul,
Did rebooting the host work for you?
Hi,
I would like to know a few things to get you some answers to your problem:
1) Are you able to connect to your ESXi with root credentials?
2) How are you trying to connect to the ESXi host, via IP address or with FQDN? (If you are trying to connect via FQDN, is that FQDN getting resolved by DNS? Are you able to ping the DNS name of the ESXi host?)
3) Can you check if the netlogond service can contact the domain through a chosen domain controller?
4) As a workaround to point 3 you can try doing the steps below and check.
Hi,
First you have to add the ESXi host to the domain.
Add the domain name to the Preferred Domain Controller entry.
Provide the permission for the group or user.
You may sometimes get an error message; you can ignore that after verifying whether the host is in the domain or not.
Also, sometimes adding the host to the domain may fail due to the credentials format, so you have to try both options (admin@domain.com / domain\admin).
Reboot is not mandatory, but if you are facing any trouble on login, first restart the services; if the same issue persists after that, go with a reboot.
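An added example, not code from this thread or from VMware: a small POSIX/busybox-sh script for the ESXi shell (run over SSH on one of the standalone hosts) that checks the points the last two replies raise before anyone reboots anything: that the host is really joined to the domain, that Config.HostAgent.plugins.hostsvc.esxAdminsGroup holds exactly the AD group name from the original post (ESX-Admins, which is not the same string as the ESXi default "ESX Admins"), and that the netlogond service from point 3 of the checklist is running. The command paths (/usr/lib/vmware/likewise/bin/domainjoin-cli, esxcli system settings advanced list, /etc/init.d/netlogond) and the layout of their output are my assumptions about ESXi 5.x/6.0, and the SAMPLE_* texts are constructed, not captured from a host, so the checks can be exercised off the box.

```shell
#!/bin/sh
# Added example (not from the thread). Checks three prerequisites for AD login
# on a standalone ESXi host. Command paths and output layouts are assumptions
# about ESXi; SAMPLE_* values are constructed for offline testing.

EXPECTED_GROUP="ESX-Admins"   # the AD group named in the original post

# Print the domain from `domainjoin-cli query` output ($1).
# Returns 1 when there is no "Domain = ..." line, i.e. the host is not joined.
joined_domain() {
    d=$(printf '%s\n' "$1" | sed -n 's/^Domain = *//p' | head -n 1)
    [ -n "$d" ] || return 1
    printf '%s\n' "$d"
}

# Print the "String Value:" line of an `esxcli system settings advanced list -o`
# listing ($1). The "Default String Value:" line is deliberately not matched.
admins_group_value() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*String Value: *//p' | head -n 1
}

# Return 0 when the configured esxAdminsGroup ($1 = listing) equals $2.
admins_group_matches() {
    [ "$(admins_group_value "$1")" = "$2" ]
}

# Return 0 when `/etc/init.d/netlogond status` output ($1) reports running.
netlogond_running() {
    case "$1" in
        *"not running"*) return 1 ;;
        *"is running"*)  return 0 ;;
        *)               return 1 ;;
    esac
}

# Print one verdict per check; return the number of failed checks.
report() {
    fails=0
    if dom=$(joined_domain "$1"); then
        echo "join:      OK (domain $dom)"
    else
        echo "join:      FAIL (no Domain line: host is not joined)"
        fails=$((fails + 1))
    fi
    if admins_group_matches "$2" "$EXPECTED_GROUP"; then
        echo "group:     OK ($EXPECTED_GROUP)"
    else
        echo "group:     FAIL (configured '$(admins_group_value "$2")', expected '$EXPECTED_GROUP')"
        fails=$((fails + 1))
    fi
    if netlogond_running "$3"; then
        echo "netlogond: OK"
    else
        echo "netlogond: FAIL (try /etc/init.d/netlogond restart, then retry the login)"
        fails=$((fails + 1))
    fi
    return $fails
}

# Constructed sample output. The group value is the ESXi default, so the
# group check fails on purpose: that mismatch is what the script exists to catch.
SAMPLE_QUERY='Name = esxi-branch01
Domain = CORP.EXAMPLE.COM
Distinguished Name = CN=esxi-branch01,CN=Computers,DC=corp,DC=example,DC=com'

SAMPLE_ADVSETTING='   Path: /Config/HostAgent/plugins/hostsvc/esxAdminsGroup
   Type: string
   String Value: ESX Admins
   Default String Value: ESX Admins
   Description: Active Directory group that is automatically granted administrator permissions.'

SAMPLE_NETLOGOND='netlogond is running'

# On an ESXi host gather live output; anywhere else fall back to the samples.
main() {
    if [ -x /usr/lib/vmware/likewise/bin/domainjoin-cli ]; then
        q=$(/usr/lib/vmware/likewise/bin/domainjoin-cli query 2>&1)
        a=$(esxcli system settings advanced list -o /Config/HostAgent/plugins/hostsvc/esxAdminsGroup 2>&1)
        n=$(/etc/init.d/netlogond status 2>&1)
    else
        echo "(no domainjoin-cli found: using constructed sample output)"
        q=$SAMPLE_QUERY; a=$SAMPLE_ADVSETTING; n=$SAMPLE_NETLOGOND
    fi
    failed=0
    report "$q" "$a" "$n" || failed=$?
    echo "$failed check(s) failed"
    return 0
}

main
```

Run as root from the ESXi shell after the join. A group mismatch is the case worth looking at first, because the setting must equal the group's name exactly, and a "FAIL" on the join line means the "verify the host is in the domain" step from the reply above has not actually succeeded regardless of what the client showed.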