VMware Cloud Community

Wrong information in VMware 6.0 documentation vCSA 6.0

If people want to join a vCSA to a Active Directory domain, then the documentation of VMware is not correct (vsphere-esxi-vcenter-server-60-appliance-configuration-guide.pdf)

Ok here is wat the documentation tells us:

Join the vCenter Server Appliance to an Active Directory Domain After you deploy the vCenter Server Appliance, you can log in to the vSphere Web Client and join the vCenter Server Appliance to an Active Directory domain. You can join only a Platform Services Controller or a vCenter Server Appliance with an embedded Platform Services Controller to an Active Directory domain.

Prerequisites Verify that the user name you use to log in to the vCenter Server instance in the vCenter Server Appliance is a member of the SystemConfiguration.Administrators group in vCenter Single Sign-On.


1 Use the vSphere Web Client to log in as administrator@your_domain_name to the vCenter Server instance in the vCenter Server Appliance. The address is of the type http://appliance-IP-address-or-FQDN/vsphere-client.

This is correct, you log in with the adminstrator account of the vcenter appliance (remember, do not use the root account of the vCSA but use the administrator account you give with installation.

2 Navigate to Administration > Single Sign-On > Configuration.

Wrong, Go to Adminstration > Systemconfiguration > Nodes > "your-vCSA.domain name" > tab "manage" and then "Active directory" and click "Join"  (this is step 5/6/7/8/9 in the manual and please reboot vCSA after step 9)

3 On the Identity Sources tab, click the Add Identity Source icon.

Wrong, you cannot Join the domain in this part of the configuration (see my comment on step 2)

4 Add the Active Directory domain as an identity source, enter the identity source settings, and click OK.

Wrong, you can only add AD (intergrated Windows Authentication)  after you join the vCSA node to AD (See comment step 2),

5 Under Deployment, click System Configuration.

Wrong this must be step 2!

6 Under System Configuration, click Nodes.

This must be step 3

7 Under Nodes, select a node and click the Manage tab.

This must be step 4

8 Under Advanced, select Active Directory, and click Join.

This must be step 5

9 Type the Active Directory details.

This is step 6, add your AD stuff here (remember to use administrator@yourdomain settings and not yourdomain\administrator!) You must reboot the vCSA after you done this step.

After reboot you login again to your vCSA webclient and go to step:  Navigate to Administration > Single Sign-On > Configuration.

Then: On the Identity Sources tab, click the Add Identity Source icon.

Then use the option Active Directory (intergrated Windows Authentication) fill in your domain name and use "Use machine account" or a SPN account.

Then Add your AD group to the a group from Single Sign-on (SSO): Go to Administration > Single Sign-on > Users and Groups > tab groups > choose a group (lets say Administrators) in field group members click on the icon "Add Member" (its a user Icon).

Then select the AD domain and add your AD group (I made a group vSphere_Admins).

Now you must add the same AD group to a Global Permision under "Access Control".

When you add users to the AD group they get the permissions you configured under "Access Control"

I noticed that the SSO group Administrators does not have rights to manage vcenter, you must add a AD group to SystemConfiguration group in SSO groups.

Also other SSO roles are under different groups in SSO (such as licenses management).

I hope VMware changes the manual: vsphere-esxi-vcenter-server-60-appliance-configuration-guide.pdf

0 Kudos
0 Replies