Hi,
I am having problems getting my ESXi hosts to authenticate via AD.
I have read many blogs, documents and posts and believe I have set things up correctly.
Both of my hosts have their DNS set to the domain and both have joined my domain.
I have created the ESX Admins group and put my users in it.
Something a bit curious: someone in their blog said you have to connect the VI Client directly to the host and add permissions... but when I do that I can't add users/permissions; it can't seem to find the domain. Also, when I look at the host Authentication configuration when connected directly to it, the host says it is doing local authentication, not domain. But when I look at my host configuration through the vCenter Server, it appears that it is doing AD authentication: the domain is listed and the option Leave Domain is there. I am unsure about this discrepancy.
Should I be connecting directly to the host to configure host AD authentication?
In any case I can't log in to my host using the VI Client and a domain login that is in the ESX Admins group. I have also added other users directly in the permissions and they don't work either.
Also I cannot SSH into the host using a domain login. There at least I can see in the auth.log that it is an unknown user. I am not sure if additional configuration needs to be done in PAM to allow SSH? But as the VI Client can't log in, surely something is wrong to start with.
I would appreciate any guidance on this subject. I have never run into this in the past, as my old datacenter only used AD authentication to a vCenter Server that was on a domain server and it just worked. My new place of work uses AD host authentication and I'm just trying to get my head around how it works.
I have read many blogs, documents and posts and believe I have set things up correctly.
Have you seen and read through this blog (it's really useful):
http://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html
Hi Jon, yes I did...
It seems so simple, but something is wrong.
The first half, joining the domain, went fine. Both hosts are joined when I look at them in the vCenter Server.
It's the next bit where you say to connect the VI Client directly to the host. When I connect directly to the host, the hosts say local auth under configuration, and when I try to add permissions the domain isn't there at all... how does the host find the DC? They can ping the DC by name, but perhaps they aren't able to determine who the DC is? But then how could they join the domain when I joined them from the vCenter Server? I seem to be having multiple problems along this line.
One thing to note: these hosts have been autodeployed. The domain is joined via the host profile; not sure if there could be any issues there, but the hosts are compliant and after reboot they are members of the domain according to the Configuration tab -> Authentication setting.
Both hosts can resolve the domain controller fine by name. Thanks for your response, it is an excellent blog and easy to follow, but I must have something slightly wrong in my domain I guess.
Are your hosts fully qualified and have you checked your DNS zones - both forward and reverse lookups?
From the DCUI, run these commands:
~ # esxcli system hostname get
Domain Name: my.domain.com
Fully Qualified Domain Name: esx01.my.domain.com
Host Name: esx01
~ # esxcli network ip dns search list
DNSSearch Domains: my.domain.com
~ # esxcli network ip dns server list
DNSServers: xx.xx.xx.xx, xx.xx.xx.xx
Do you get the domain list in your dropdown if you try and add permissions to the host through vCenter?
Hi Jon, thank you for the quick reply.
Yes, the hosts are all fully qualified and have forward and reverse records in DNS.
All three commands return the correct information.
Yes, I do get the domain dropdown when I add permissions via the vCenter Server, and I can add permissions. I have added several users as administrators, yet none can log in to the hosts themselves via the VI Client or SSH. As stated, when I try to SSH to the host using a domain name:
ssh -l BILLD\\administrator esxi1.billd.pvt
I get this in the auth log:
Have a look at this blog:
http://rcmtech.wordpress.com/2012/08/21/active-directory-authentication-for-esxi-host-management/
In the domain field I had to use the full path to the computer object in AD, for example: domain.com/XX/Site/Servers/VMware. After this everything worked as expected.
Also have a PowerCLI command that might help:
# $item is assumed to come from a list of host/domain pairs (e.g. a CSV row); $User/$Password hold the account used for the join
Get-VMHostAuthentication -VMHost $item.host | Set-VMHostAuthentication -Domain $item.domain -User $User -Password $Password -JoinDomain
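The following PowerCLI script is an added example, not code from the thread, the VMware blog or the rcmtech post. It combines the DNS checks Jon lists above (hostname, search list, DNS servers, forward and reverse lookups) with the OU-path domain join from the last reply, and skips the join for any host whose DNS is inconsistent. The vCenter name vcenter.my.domain.com, the cluster name Prod and the OU path my.domain.com/Servers/VMware are assumptions for illustration; replace them with your own.

```powershell
# Added example (not from the thread). vcenter.my.domain.com, the cluster 'Prod'
# and the OU path below are assumptions; substitute your own values.
Connect-VIServer -Server 'vcenter.my.domain.com'

# Full path to the OU that holds (or will hold) the host computer objects,
# in the domain.com/OU/SubOU form the rcmtech post describes
$domainPath = 'my.domain.com/Servers/VMware'
$cred = Get-Credential -Message 'AD account permitted to join computers to the domain'

foreach ($vmHost in (Get-Cluster -Name 'Prod' | Get-VMHost)) {
    $esxcli = Get-EsxCli -VMHost $vmHost -V2

    # Same data as "esxcli system hostname get", "esxcli network ip dns search list"
    # and "esxcli network ip dns server list", read remotely instead of from the shell
    $hn      = $esxcli.system.hostname.get.Invoke()
    $search  = $esxcli.network.ip.dns.search.list.Invoke()
    $servers = $esxcli.network.ip.dns.server.list.Invoke()

    $problems = @()
    if ($hn.FullyQualifiedDomainName -ne "$($hn.HostName).$($hn.DomainName)") {
        $problems += "FQDN '$($hn.FullyQualifiedDomainName)' does not match '$($hn.HostName).$($hn.DomainName)'"
    }
    if ($search.DNSSearchDomains -notcontains $hn.DomainName) {
        $problems += "DNS search list ($($search.DNSSearchDomains -join ', ')) lacks $($hn.DomainName)"
    }
    if (-not $servers.DNSServers) {
        $problems += 'no DNS servers configured'
    }

    # Forward and reverse lookups, resolved from the workstation running PowerCLI
    try {
        $addr = [System.Net.Dns]::GetHostAddresses($hn.FullyQualifiedDomainName) | Select-Object -First 1
        $ptr  = [System.Net.Dns]::GetHostEntry($addr).HostName
        if ($ptr -ne $hn.FullyQualifiedDomainName) {
            $problems += "reverse lookup of $addr returned '$ptr'"
        }
    } catch {
        $problems += "DNS lookup failed: $($_.Exception.Message)"
    }

    if ($problems) {
        Write-Warning "$($vmHost.Name): skipping domain join, fix DNS first:`n  $($problems -join "`n  ")"
        continue
    }

    $auth = Get-VMHostAuthentication -VMHost $vmHost
    if ($auth.DomainMembershipStatus -eq 'Ok') {
        Write-Host "$($vmHost.Name): already joined to $($auth.Domain)"
        continue
    }

    # Join using the OU path; -Confirm:$false suppresses the interactive prompt
    $auth | Set-VMHostAuthentication -Domain $domainPath -Credential $cred -JoinDomain -Confirm:$false
}

# Anything other than 'Ok' here (NoServers, Unreachable, ClientTrustBroken, ...)
# is the first thing to look at when a host reports local authentication
Get-Cluster -Name 'Prod' | Get-VMHost | Get-VMHostAuthentication |
    Select-Object VMHost, Domain, DomainMembershipStatus, TrustedDomains
```

The DNS checks run before the join because a host whose FQDN, search list and PTR record disagree can still appear "joined" in vCenter while the host itself cannot locate a domain controller. The final Get-VMHostAuthentication listing shows the host's own view of its membership, which is the view that matters for VI Client and SSH logins directly to the host.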