Currently running vSphere 6.0 with plans to go to 6.7 shortly, but is it possible to configure LDAP to connect to more than 2 domain controllers for authentication? We recently had an issue where two domain controllers went down, which just happened to be the ones vCenter uses for LDAP connectivity. It seems you can only put a primary & secondary server.
In the 6.7 vCenter Server Appliance, they only give you the option to "join AD", which to me means it'll use any available DC to authenticate, so long as DNS is set up. Granted, you should take my opinion with a grain of salt, because I can't even get AD working in 6.7 right now. Some screenshots of 6.7 VCSA to back up my theory.
Hi,
Active Directory LDAP Server and OpenLDAP Server Identity Source Settings
ARomeo
So you can only have a max of two domain controllers for LDAP authentication?
If you join the VCSA to the AD domain, why should you be worried about the number of DCs? You will need to mention only the domain name and it will handle your authentication request by any available DC. But if you want to add the AD as an LDAP server, you can add the same alias name for all of your secondary DCs, and round-robin will handle your concern about losing more than two DCs at the same time.
Thanks for the reply. We have tried to use the alias of the domain but it doesn't work. We have a number of domains in this environment and each of them has around 6 domain controllers.
Have you tried using the alias before? If so, what did you have to do to make it work?
Hi,
In our case, we added the AD as an LDAP identity source, as the vCenter doesn't belong to the domain. The identity source works when we add the entry below:
ldap://our_domain.org:389
But that's not the case when the traffic goes through LDAPS on port 636:
ldaps://our_domain.org:636
This only works when we add a domain controller:
ldaps://our_DC.org:636
Thank you.
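The behaviour described above (the per-DC LDAPS URL works, the domain alias does not) is what you see when vCenter verifies the DC certificate against the host name in the URL: every DC answering for a round-robin alias must present a certificate whose Subject Alternative Names cover that alias, otherwise the TLS handshake fails for that DC and authentication through the alias is unreliable. The script below is an added example, not VMware's code and not something posted in this thread. It parses identity-source URLs, applies the usual name-matching rule to a constructed table of DC certificate SANs (the DC names and SAN lists are invented for illustration), and optionally performs a live verified handshake against each address the alias resolves to. The alias name and a CA bundle path are assumptions you replace with your own.

```python
"""Check whether every DC behind an LDAPS alias presents a certificate valid for that alias.

Added example for the vCenter LDAP identity-source discussion; not VMware code.
Assumptions: the alias (e.g. our_domain.org) is a DNS round-robin name for several
domain controllers, and vCenter verifies the DC certificate against the host in the URL.
"""
import socket
import ssl
from urllib.parse import urlsplit

# Default ports for the two schemes vCenter accepts in identity-source URLs.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed sample data: which SAN names each DC's certificate carries.
# Only dc1 would pass verification when the alias "our_domain.org" is used.
SAMPLE_DC_SANS = {
    "dc1.our_domain.org": ["dc1.our_domain.org", "our_domain.org"],
    "dc2.our_domain.org": ["dc2.our_domain.org"],
    "dc3.our_domain.org": ["*.our_domain.org"],  # wildcard does not cover the bare domain
}


def parse_ldap_url(url):
    """Return (scheme, host, port) for an identity-source URL such as ldaps://host:636."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme in %r" % url)
    if not parts.hostname:
        raise ValueError("missing host in %r" % url)
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def hostname_matches(hostname, san_names):
    """RFC 6125 style match: exact name (case-insensitive) or a wildcard covering exactly one label."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def uncovered_dcs(alias, dc_sans):
    """Names of DCs whose certificate would fail hostname verification for the alias."""
    return sorted(dc for dc, sans in dc_sans.items() if not hostname_matches(alias, sans))


def live_check(alias, port=636, cafile=None, timeout=5):
    """Resolve the alias and do a verified TLS handshake to each address, using the alias as SNI
    and verification name. Returns {address: None on success, error text on failure}.
    cafile: PEM bundle of the CA that issued the DC certificates (assumed to be internal)."""
    ctx = ssl.create_default_context()
    if cafile:
        ctx.load_verify_locations(cafile)
    results = {}
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
        alias, port, type=socket.SOCK_STREAM
    ):
        addr = sockaddr[0]
        if addr in results:
            continue
        try:
            with socket.create_connection((addr, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=alias):
                    results[addr] = None  # handshake and name verification succeeded
        except (OSError, ssl.SSLError) as exc:
            results[addr] = str(exc)
    return results


if __name__ == "__main__":
    for url in ("ldaps://our_domain.org:636", "ldaps://dc2.our_domain.org:636"):
        scheme, host, port = parse_ldap_url(url)
        bad = uncovered_dcs(host, SAMPLE_DC_SANS)
        print("%s -> %s:%d, DCs failing name check: %s" % (url, host, port, bad or "none"))
    # Live check against a real alias (replace alias and CA bundle path with your own):
    # print(live_check("our_domain.org", cafile="/path/to/internal-ca.pem"))
```

Run the offline part as-is to see that the alias is only acceptable to the one DC whose certificate lists it; run `live_check` from a host that can reach port 636 to get the same answer per resolved address, which is the list of DCs that need their certificate reissued with the alias in the SAN before the alias URL can be relied on in the identity source.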
You need to configure the Identity Source in vCenter using the steps below.
1. Login to the vSphere Web Client as administrator@vsphere.local
2. From the home location, navigate to >>Administration >>Single Sign-on >>Configuration and select the Identity Sources tab
3. Click the green + to add an Identity source
4. In the Identity Source page, select Active Directory as an LDAP Server.
5. Fill in the Identity Source Settings information for your Active Directory domain
Name: Label for identification
Base DN for users: The Distinguished Name (DN) of the starting point for directory server searches. Example: If your domain name is domain.internal the DN for the entire directory is "DC=domain, DC=local".
Domain name: Your domain name. Example: "domain.local"
Domain alias: Your netbios name. Example: "XYZ"
Base DN for groups: The Distinguished Name (DN) of the starting point for directory server searches.
Primary server URL: AD Server URL. You can either query the local directory (Port 389), or the global catalog (Port 3268). Example: "ldap://snow.domain.local:3268"
Secondary Server URL: "ldap://rain.domain.local:3268"
Username: A user in the AD domain with at least browse privileges. Example: XYZ\vcadmin
6. Click Finish.
7. After clicking Finish, this should add the domain to the list
Or, in short: you must address the global catalog at port 3268 on two different domain controllers.
Please keep in mind that Microsoft will soon stop support for LDAP, so configure it for LDAPS.
In short, if those two configured DCs are unavailable, vCenter authentication will fail for that Identity Source.