Hello Team,
We are trying to integrate an ESXi host with AD and were able to successfully join it to AD.
================================================================================================================
[root@esxi:/usr/lib/vmware/likewise/bin] ./domainjoin-cli --loglevel verbose join --ou OU=Servers,OU=test,DC=net dc.test.net testuser password
Joining to AD Domain: dc.test.net
With Computer DNS Name: esxi.dc.test.net
SUCCESS
================================================================================================================
But I am unable to log in to the host via SSH or GUI. Can someone tell me the next step to give privileges to the user?
By default, ESXi will allow admin users from a group in AD called "ESX Admins". Do you have this set up already?
Can we change this group? I tried to use a different group, but it's not working.
You can change the group by changing the advanced ESXi host parameter called Config.HostAgent.plugins.hostsvc.esxAdminsGroup.
And make sure the Active Directory firewall rule is enabled.
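The two settings named in the reply above, checked and corrected from PowerCLI. This is an added example, not code from the thread; it assumes PowerCLI is installed, that the host name and the AD group name are replaced with your own values, and that the firewall ruleset is labelled "Active Directory All" in your build (it is in the ones I have seen, but verify with Get-VMHostFirewallException).

```powershell
# Added example (not from the thread). Assumptions: PowerCLI is available,
# $hostName and $adminGroup are placeholders for your own values, and the
# firewall ruleset label is 'Active Directory All'.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'esxi.dc.test.net'   # host from the thread; vCenter also works

$hostName   = 'esxi.dc.test.net'
$adminGroup = 'ESX Admins'                    # replace with the AD group you actually populated

$vmhost = Get-VMHost -Name $hostName

# 1. Confirm the host really is a domain member (domainjoin-cli reported SUCCESS,
#    but the status as seen by hostd is what the login path uses).
$auth = Get-VMHostAuthentication -VMHost $vmhost
'{0}: domain={1} status={2}' -f $vmhost.Name, $auth.Domain, $auth.DomainMembershipStatus

# 2. Point the admin-group parameter at the group you populated. A mismatch between
#    this value and the group name in AD (e.g. "ESX Admin" vs "ESX Admins") is
#    enough to produce an access-denied error at the SSH/GUI login.
$setting = Get-AdvancedSetting -Entity $vmhost -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
'Current esxAdminsGroup value: {0}' -f $setting.Value
if ($setting.Value -ne $adminGroup) {
    Set-AdvancedSetting -AdvancedSetting $setting -Value $adminGroup -Confirm:$false
}

# 3. Make sure the Active Directory firewall ruleset is enabled; without it the
#    Likewise daemons cannot reach the DC for authentication.
$rule = Get-VMHostFirewallException -VMHost $vmhost -Name 'Active Directory All'
'Firewall ruleset "{0}" enabled: {1}' -f $rule.Name, $rule.Enabled
if (-not $rule.Enabled) {
    Set-VMHostFirewallException -Exception $rule -Enabled $true
}

Disconnect-VIServer -Confirm:$false
```

Run it against the host directly (as above) or through vCenter; the advanced setting and firewall exception are per-host objects either way. After changing the group, re-test the SSH login with a user who is a direct member of that group, since that is the membership hostd checks.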
This is already enabled in my environment.
So what group are you using as admins then?
Created ESX Admin and added the user to the group as a member.
And so you're saying even after creating ESX Admins you still can't login?
Yes, I am not able to log in; I am getting an access denied error.
And have you tried rebooting the host?
Yes, I rebooted. Is there any log that we can check?
Yes, netlogond.log and lsassd.log.
Thanks, let me check. But one more question: I am using the 6.5 web client, so I don't see the AD users or groups in the ESXi web client. In this case, how can we assign permissions to the user? I tried via VC but that's also not working.
You won't see those users in the web client unless you want them to have permissions inside vCenter to the applicable host. They're two different levels of permissions: One for root access to ESXi; the other for vCenter access.
I tried all of it but AD auth is still failing. I opened a support ticket also, but same result. Please provide a doc if one is available for AD integration.
I struggled also with web client not showing any AD users or groups even though I was joined to the domain. Solved it by removing original Identity source (WIns auth) and replacing with LDAP ID source and it was able to show all AD users and groups.