I use

esxcfg-auth --enablead --addomain domain.com --addc domain.com

useradd domainuser

that works.

Not to forget configuring NTPD properly.

Not to forget configuring NTPD properly.

I think that gets lost in the shuffle more times than not.. proper time keeping for both the ESX hosts and guests is important in an Active Directory environment, as Kerberos has a +/- 5 minute leeway in time between the DC and the system trying to authenticate...

Correct.

You do not need to do that and it is better to specify the domain and not a specific DC

As a side note: Because ESX is not site aware as Windows server are and if you have DC in different locations which are protected by firewalls it's possible that you receive the IP address of a DC behind a firewall when trying to use --addc=domain.com. We solved this by manually creating a DNS entry for the site with all DC of that site: site-dc.domain.com resp. --addc=site-dc.domain.com ... Now we got ESX sort of site aware

If my testing for stuff that I have done... I had ESX setup to look for the domain and then DNS would return the closest DC for ESX to authenticate to

Are you using MS-DNS? How did you configure this?

Yes I am using MS DNS and really did not do anything at all to make it work. Set up this way any time I ping the domain name I get a reply from a DC is the same site as the ESX server

Lucky you

I'll push my DNS-guys to check that...

Regards,

Christian

You would have to have the special SRV resource records in your DNS that domain controllers create for themselves for what Steve is describing to work. These records are in the _msdcs, _sites, _tcp and _udp folders in DNS and include _kerberos, _ldap, _gc & _kpasswd entries. These records are what member workstations use to find out where domain controllers are located. DC's automatically create them when the Netlogon server starts if they do not already exist.

http://www.petri.co.il/active_directory_srv_records.htm

Also if you do not have them in your DNS you can specify multiple domain controllers for ESX to use. Use the --addc switch multiple times to add more domain controllers to the list.

Time looks good, it was one of the first things I set up correctly before installing any VMs. What I get is

Cannot resolve network address for KDC in requested realm (-1765328164)

So is it DNS or Kerberos? I can ping all DCs.

Oh, I got it working and I am prepared for the thrashing....I had a typo in the domain name. I disabled and re-enabled and TA-DA it works.....

Rule 1-check logs

Rule 2- check typing.....:)

DOH!!!!! I hate it when that happens

Quick question to clearify: You have multiple sites definded and the PAM module gets only responses from the DCs in its site? I ask because our DNS is configured by default and all the SRV records are creaetd and present and when connecting to ESX by SSH it receives responses from DCs in other sites.