VMware Cloud Community
Mike_Gray
Enthusiast

ESXi 6.5 Active Directory Integration

Hello Team,

We are trying to integrate an ESXi host with AD and were able to join it to AD successfully.

================================================================================================================

[root@esxi:/usr/lib/vmware/likewise/bin]  ./domainjoin-cli --loglevel verbose join --ou OU=Servers,OU=test,DC=net dc.test.net testuser password

Joining to AD Domain:   dc.test.net

With Computer DNS Name: esxi.dc.test.net

SUCCESS

================================================================================================================

But I am unable to log in to the host via SSH or GUI. Can someone tell me the next step to give privileges to the user?

Reply
0 Kudos
17 Replies
daphnissov
Immortal

By default, ESXi will allow admin users from a group in AD called "ESX Admins". Do you have this set up already?

Mike_Gray
Enthusiast

Can we change this group? I tried to use a different group, but it's not working.

daphnissov
Immortal

You can change the group by changing the advanced ESXi host parameter called Config.HostAgent.plugins.hostsvc.esxAdminsGroup.

daphnissov
Immortal

And make sure the Active Directory firewall rule is enabled.

Mike_Gray
Enthusiast

This is already enabled in my environment :(

daphnissov
Immortal

So what group are you using as admins then?

Mike_Gray
Enthusiast

Created ESX Admin and added the user to the group as a member.

daphnissov
Immortal

And so you're saying even after creating ESX Admins you still can't login?

Mike_Gray
Enthusiast

Yes, I am not able to log in; I am getting an access denied error.

daphnissov
Immortal

And have you tried rebooting the host?

Mike_Gray
Enthusiast

Yes, I rebooted. Is there any log that we can check?

daphnissov
Immortal

Yes, netlogond.log and lsassd.log.

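Pulling the checks from the replies above (join state, the Config.HostAgent.plugins.hostsvc.esxAdminsGroup setting, the Active Directory firewall rule, and netlogond.log / lsassd.log) into one audit script, as an added example that is not from the thread or from VMware. It assumes the esxcli output layout shown in the constructed sample, the activeDirectoryAll ruleset id, and that the two logs live under /var/log.

```shell
#!/bin/sh
# Added example, not from the thread: audit the items the replies point at
# (join state, the esxAdminsGroup setting, the AD firewall ruleset, the logs).
# Parsers read command output on stdin, so they also run off-host against the
# constructed sample below; run_audit() calls the real tools only if present.

# Configured admin group from:
#   esxcli system settings advanced list -o /Config/HostAgent/plugins/hostsvc/esxAdminsGroup
# Anchoring at line start skips the "Default String Value:" line.
configured_admin_group() {
    sed -n 's/^[[:space:]]*String Value:[[:space:]]*//p' | head -n 1
}

# AD group names are case-insensitive, but every other character must match
# ("ESX Admin" is not "ESX Admins"), or members never receive the Administrator role.
compare_group() {
    a=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    b=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ "$a" = "$b" ] && echo ok || echo MISMATCH
}

# "Enabled" column for one ruleset from:
#   esxcli network firewall ruleset list --ruleset-id activeDirectoryAll
ruleset_enabled() {
    awk -v id="$1" '$1 == id { print $2 }'
}

# Live audit on an ESXi host; $1 is the AD group the host is expected to honour.
# Log paths under /var/log are assumed from the file names given in the thread.
run_audit() {
    command -v esxcli >/dev/null 2>&1 || { echo "esxcli not found, skipping live audit"; return 0; }
    /usr/lib/vmware/likewise/bin/domainjoin-cli query
    g=$(esxcli system settings advanced list -o /Config/HostAgent/plugins/hostsvc/esxAdminsGroup | configured_admin_group)
    echo "esxAdminsGroup='$g', expected '$1': $(compare_group "$g" "$1")"
    echo "activeDirectoryAll enabled: $(esxcli network firewall ruleset list --ruleset-id activeDirectoryAll | ruleset_enabled activeDirectoryAll)"
    grep -ihE 'error|denied|fail' /var/log/lsassd.log /var/log/netlogond.log | tail -n 20
}

# Constructed sample output (not captured from a real host) for an offline run.
SAMPLE_ADV='   Path: /Config/HostAgent/plugins/hostsvc/esxAdminsGroup
   String Value: ESX Admins
   Default String Value: ESX Admins'
SAMPLE_FW='Name                Enabled
activeDirectoryAll  true'

group=$(printf '%s\n' "$SAMPLE_ADV" | configured_admin_group)
echo "configured '$group' vs AD group 'ESX Admin': $(compare_group "$group" 'ESX Admin')"
echo "activeDirectoryAll enabled: $(printf '%s\n' "$SAMPLE_FW" | ruleset_enabled activeDirectoryAll)"
run_audit 'ESX Admins'
```

Run it in the ESXi shell after the domain join; off-host it only exercises the parsers against the constructed sample.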
Mike_Gray
Enthusiast

Thanks, let me check. But one more question: I am using the 6.5 web client, so I don't see the AD users or groups in the ESXi web client. In this case, how can we assign permissions to the user? I tried via VC but that's also not working.

daphnissov
Immortal

You won't see those users in the web client unless you want them to have permissions inside vCenter to the applicable host. They're two different levels of permissions: One for root access to ESXi; the other for vCenter access.

Mike_Gray
Enthusiast

I tried all of that but AD auth is still failing. I opened a support ticket too, but same result. Please provide a doc if one is available for AD integration.

jchilton
Enthusiast

I also struggled with the web client not showing any AD users or groups even though I was joined to the domain. Solved it by removing the original identity source (WIns auth) and replacing it with an LDAP ID source, and it was able to show all AD users and groups.
