VMware Cloud Community
NoTr3x
Contributor

Join Active Directory

Hi,

I tried to join a domain with my ESX hosts in our production environment. It won't work and I don't know why.

Here is the case; probably someone has an answer that will work for me.

Production:

ESX6 Version 4600944

Windows Active Directory 2012

AD Account: User -> See all Computer Objects, Can create computer objects, Can delete computer objects

Output:

[root@esx4:~] /usr/lib/vmware/likewise/bin/domainjoin-cli join  DOMAIN.COM administrator@DOMAIN.COM

Joining to AD Domain:   DOMAIN.COM

With Computer DNS Name: esx4.DOMAIN.COM

administrator@DOMAIN.COM's password:

Error: LW_ERROR_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN [code 0x0000a309]

Client not found in Kerberos database

LDAP Paths:

DC=DOMAIN DC=COM OU=Server OU=Test OU=Infrastruktur

LAB:

ESX6 Version 4600944

Windows Active Directory 2012

AD Account: Administrator

AD Account: User -> All rights

Output:

[root@esx4:~] /usr/lib/vmware/likewise/bin/domainjoin-cli join  DOMAIN.COM administrator@DOMAIN.COM

Joining to AD Domain:   DOMAIN.COM

With Computer DNS Name: esx4.DOMAIN.COM

administrator@DOMAIN.COM's password:

SUCCESS

LDAP Paths:

1st way:

DC=DOMAIN DC=COM OU=Computers

2nd Way:

DC=DOMAIN DC=COM OU=Server OU=Test OU=Infrastruktur

Things I tried:

  • Reach DNS Server [successful]
  • Reach DC [successful]
  • Lookup DNS [successful]

Update:

  1. Tried to connect to Port 636,389,53,88 from ESX to DC. [successful]

Maybe some rights are missing. Do you know which rights I need for joining the domain?
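An added triage helper, not part of the original post or of VMware's tooling: it parses a domainjoin-cli transcript like the two quoted above into a structured result and attaches the hints later raised in this thread (account/computer object present, DC hardening GPOs, DNS and time prerequisites) for the error code seen here. The sample transcripts are constructed from the post, and the hint table is a hypothetical mapping, not an official one.

```python
import re

# Constructed transcripts modelled on the two runs quoted in the post
# (production failure, lab success); they are not real captured output.
PROD_OUTPUT = """Joining to AD Domain:   DOMAIN.COM
With Computer DNS Name: esx4.DOMAIN.COM
administrator@DOMAIN.COM's password:
Error: LW_ERROR_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN [code 0x0000a309]
Client not found in Kerberos database
"""
LAB_OUTPUT = """Joining to AD Domain:   DOMAIN.COM
With Computer DNS Name: esx4.DOMAIN.COM
administrator@DOMAIN.COM's password:
SUCCESS
"""
# Matches the Likewise error line: "Error: <NAME> [code 0x....]"
ERROR_RE = re.compile(r"^Error:\s+(?P<name>LW_ERROR_\w+)\s+\[code\s+(?P<code>0x[0-9a-fA-F]+)\]")

# Hypothetical triage hints, collected from the replies in this thread;
# not an official Likewise/VMware table.
HINTS = {
    "LW_ERROR_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN": [
        "KDC does not know the principal: check the join account and computer object in AD",
        "DC hardening GPO (e.g. FIPS-only cryptography) can break Kerberos for Likewise",
        "verify DNS resolution, time sync and the join account's rights on the target OU",
    ],
}
def parse_domainjoin_output(text):
    """Turn a domainjoin-cli transcript into a dict for triage."""
    result = {"domain": None, "computer": None, "joined": False,
              "error_name": None, "error_code": None, "detail": None, "hints": []}
    lines = [ln.rstrip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        if line.startswith("Joining to AD Domain:"):
            result["domain"] = line.split(":", 1)[1].strip()
        elif line.startswith("With Computer DNS Name:"):
            result["computer"] = line.split(":", 1)[1].strip()
        elif line.strip() == "SUCCESS":
            result["joined"] = True
        else:
            m = ERROR_RE.match(line)
            if m:
                result["error_name"] = m.group("name")
                result["error_code"] = int(m.group("code"), 16)
                # the human-readable reason is the next non-empty line
                result["detail"] = next((n.strip() for n in lines[i + 1:] if n.strip()), None)
                result["hints"] = HINTS.get(result["error_name"], [])
    return result
```

Run it over the saved output of a failed join to get the error name, numeric code and the reason line in one place before opening a ticket.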

18 Replies
PCTechStream
Hot Shot

This happens when the account was deleted from AD.

Error: LW_ERROR_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN [code 0x0000a309]

client not found in Kerberos database

Try this LINK:

vGeek: Manage vCenter server appliance AD authentication from commandline

Raul.

VMware VDI Administrator

http://ITCloudStream.com/

www.ITSA.Cloud
NoTr3x
Contributor

Hi Raul,

The account and the computer object are in AD.

I deleted nothing.

Do you know how "/usr/lib/vmware/likewise/bin/domainjoin-cli" works?

Because our Active Directory is hardened.

bluefirestorm
Champion

You say that the Active Directory is hardened.

Are you able to replicate the hardening in the lab?

By hardening I take it to mean certain Group Policy settings are set.

It could be any of the Group Policy settings, and sometimes the people responsible for the security realm just go with some recommendation without understanding the actual implications. It could be any of those hardened settings. Many years ago I saw that GPO hardening settings that tend to be network related and/or encryption related tend to break things between servers and clients (clients including other running server OSs). One of the most notorious is "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing."

In case you need some help in justifying to undo this GPO setting ->> Why We’re Not Recommending “FIPS Mode” Anymore – Microsoft Security Guidance

abugeja
Hot Shot

What's the benefit of having your ESXi in AD? Personally I don't see any.

PCTechStream
Hot Shot

  • The benefit of adding a vSphere host to the domain would be the additional ability to access your host via an AD account instead of the host root account. This way, if you have multiple users that require it, you no longer have to manage the root or user credentials on each host; let AD figure that out for you.

  • Also, you can allow the system administrators to login to the vSphere Client, the vMA and the Direct Console User Interface with an Active Directory account, this then removes the need to divulge the root user password.

  • Aside from allowing your AD credentials to authenticate you, it's a good process of hardening your ESXi host. If you join the host to the domain you can eliminate the need to constantly change the root password of your host every time one of your administrators leaves your company.

  • Even more, you can configure ESXi hosts to use Active Directory, which can then be used to manage users and groups. You can join a host to the domain using an AD account that has the necessary permissions. Other prerequisites are that DNS should be configured correctly for your hosts, and time synchronization should be in place for the host(s) and the directory servers.

Raul.

VMware VDI Administrator

http://ITCloudStream.com/

www.ITSA.Cloud
abugeja
Hot Shot

If AD is down and the Host is connected to AD what is the impact?

PCTechStream
Hot Shot

No impact! Everything will be working normally with vSphere; just users with AD accounts won't be able to access vCenter, but usually there is always a primary DC with 2, 3, 4, 5, 6, 10 and more secondary/replica AD DCs, and the same for vCenter with many replicas/instances. Remember that vSphere has its own domain, "vsphere.local". So primarily, it's all about how you configure your network infrastructure.

Raul.

VMware VDI Administrator

http://ITCloudStream.com/

www.ITSA.Cloud
abugeja
Hot Shot

Personally I don't see the benefit of adding them to AD. It is just another configuration you need to be mindful of if they are joined to AD. Keep it simple. Each to their own.

PCTechStream
Hot Shot

Sure!

www.ITSA.Cloud
NoTr3x
Contributor

But nobody knows which requirements are needed for joining Active Directory, right?

MDNaseer
Enthusiast

Hi

Adding your vSphere hosts to Active Directory can simplify user management and help improve security. It's relatively easy to add local users to a host and to assign them administrative privileges, but if you have a lot of administrators, the steps to configure each account will need to be repeated multiple times on each host.

You can simplify the local user configuration by using AD groups. With groups, rather than repeating the setup for multiple user accounts, you only need to configure the group account once on each host. Once privileges have been assigned to the group, you control who has access to the host by adding and removing users to/from the AD group.

abugeja
Hot Shot

How many people need access directly to the ESXi host? Also, what work are you doing that needs access to the host that you can't do via the vSphere Client?

stacycarter
Enthusiast

NoTr3x, did you ever find the cause of your issue? We're seeing the same error/issue. In our case, we see that the computer account gets created, but the authentication/Kerberos setup portion doesn't seem to complete successfully.

NoTr3x
Contributor

Hey stacycarter, I have opened a ticket; our BCS team and I will follow up, and I can send you a report of what we did.

stacycarter
Enthusiast

Thanks NoTr3x, can you provide the case number as well?

stacycarter
Enthusiast

Hi NoTr3x - Can you provide the case number?

NoTr3x
Contributor

Hi,

After a long journey with the support team from Cork.

Their engineering told me that it will be fixed in Patch 6.
