VMware Cloud Community
andvm
Hot Shot

Joining VCSA to AD vs add as Identity Source

Hi,

In VCSA I can add an Active Directory Identity Source which would allow me to set permissions to specific Active Directory Users to the vSphere environment.

Therefore what are the reasons why one would join the VCSA to the Active Directory Domain? And what about the hosts managed by the VCSA?

Undoubtedly, this would bring in disadvantages...such as what happens if Active Directory is down, will everything fallback to local authentication?

Thanks

4 Replies
Alex_Romeo
Leadership

Hi,

I believe that if your Active Directory is inactive, you have more problems than thinking that you cannot access VCSA with an AD user.

ARomeo

Blog: https://www.aleadmin.it/
NicolasAlauzet

You add vCenter to AD to use the integration for users and be able to assign permissions in your VMware environment to those users. That's the main reason (regular users or service users, maybe).

If the AD server is not accessible you are always able to log in with the @vsphere.local domain. In vCenter you can have multiple domains, and the default domain is always there even if you integrate with AD.

For the ESXi it is useful also, but if you don't have any security regulation or compliance to follow, keep the root account for the ESXi (also avoid having users performing tasks directly on the ESXi when you have a vCenter Server). But even if you add the ESXi to AD, it is the same: the local account will still be there.

Hope that helps

Cheers

N

-------------------------------------------------------------------
Triple VCIX (CMA-NV-DCV) | vExpert | MCSE | CCNA
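As an added example (not code posted by anyone in this thread), a PowerCLI audit of the fallback path described above: it groups assigned permissions by the SSO domain of the principal, confirms that a vsphere.local break-glass principal still holds Administrator at the inventory root, and reports whether each ESXi host is joined to AD. The vCenter FQDN and the break-glass principal are placeholders to replace for your environment.

```powershell
# Added example, not code from the thread. Assumes VMware PowerCLI is installed.
# $VCenter and $BreakGlassPrincipal are placeholders for your own environment.
param(
    [string]$VCenter = 'vcsa.example.internal',                  # placeholder FQDN
    [string]$BreakGlassPrincipal = 'VSPHERE.LOCAL\Administrator'  # local SSO account
)

Import-Module VMware.VimAutomation.Core -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

try {
    # 1. Which SSO domain does each assigned permission come from?
    #    Principals look like 'DOMAIN\name'; the prefix is the identity source.
    $perms = Get-VIPermission
    $perms |
        Group-Object { ($_.Principal -split '\\', 2)[0].ToUpperInvariant() } |
        Select-Object @{ n = 'IdentityDomain'; e = { $_.Name } }, Count |
        Format-Table -AutoSize

    # 2. Fallback check: if AD is unreachable, only vsphere.local principals can
    #    still log in, so one of them must hold Administrator at the inventory root.
    $root = Get-Folder -NoRecursion          # the hidden root folder of the inventory
    $breakGlass = $perms | Where-Object {
        $_.Principal -ieq $BreakGlassPrincipal -and
        $_.Role -eq 'Admin' -and
        $_.Entity.Id -eq $root.Id
    }
    if ($breakGlass) {
        Write-Output "OK: $BreakGlassPrincipal holds Administrator at the root (propagate=$($breakGlass.Propagate))."
    } else {
        Write-Warning "No root Administrator permission for $BreakGlassPrincipal; an AD outage would lock admins out of vCenter."
    }

    # 3. ESXi side: is each host joined to AD, or does it rely on local accounts only?
    Get-VMHost | Get-VMHostAuthentication |
        Select-Object VmHost, Domain, DomainMembershipStatus |
        Format-Table -AutoSize
}
finally {
    Disconnect-VIServer -Server $VCenter -Confirm:$false
}
```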
andvm
Hot Shot

By adding an Active Directory Identity Source (rather than joining AD) you are also able to assign permissions in your VMware environment to those users, right?

vGuy
Expert

That's right. If you have not joined the VCSA to the domain then you will select AD over LDAP as an identity source and provide an account with read permissions on Active Directory.

If you have joined the VCSA to the domain then you can use AD integrated authentication, wherein you do not need to provide a service account. The VCSA machine account will be used to query AD.
