VMware Cloud Community
abugeja
Hot Shot

vCenter - AD authentication with more than 2 domain controllers

Currently running vSphere 6.0 with plans to go to 6.7 shortly, but is it possible to configure LDAP to connect to more than 2 domain controllers for authentication? We recently had an issue where the two domain controllers went down, which just happen to be the ones vCenter uses for LDAP connectivity. It seems you can only put a primary & secondary server.

9 Replies
abutte
Contributor

In the 6.7 vCenter Server Appliance, they only give you the option to "join AD", which to me means it'll use any available DC to authenticate, so long as DNS is set up. Granted, you should take my opinion with a grain of salt, because I can't even get AD working in 6.7 right now. Some screenshots of 6.7 VCSA to back up my theory.

Alex_Romeo
Leadership

abugeja
Hot Shot

So you can only have a max of two domain controllers for LDAP authentication?

NathanosBlightc
Commander

If you join the VCSA to the AD domain, why should you be worried about the number of DCs? You will need to mention only the Domain Name and it will handle your authentication request by any available DC. But if you want to add the AD as an LDAP server, you can add the same alias name for all of your secondary DCs and round-robin will handle your concern about losing more than two DCs at the same time.

Please mark my comment as the Correct Answer if this solution resolved your problem
abugeja
Hot Shot

Thanks for the reply. We have tried to use the alias of the domain but it doesn't work. We have a number of domains in this environment and each of them has around 6 domain controllers.

Have you tried using the alias before? If so, what did you have to do to make it work?

fedayn
Contributor

Hi,

In our case, we added the AD as an LDAP Identity source as the vCenter doesn't belong to the domain. The identity source works when we add the entry below:

ldap://our_domain.org:389

But that's not the case when the traffic goes through LDAPS and port 636:

ldaps://our_domain.org:636

This only works when we add a domain controller:

ldaps://our_DC.org:636

Thank you.

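Added example (not written by any poster in this thread): the post above reports that `ldaps://` works with a DC name but not with the domain name. One common cause, assumed here and not confirmed in the thread, is that each DC's LDAPS certificate lists only its own FQDN, so this Python check reports which DCs would fail hostname verification for a given identity source URL. The host names, the `SAMPLE_CERTS` data and the CA file argument are constructed for illustration.

```python
import socket
import ssl
from urllib.parse import urlsplit

def fetch_cert(dc_host, cafile, port=636, timeout=5):
    """Fetch one DC's LDAPS certificate. The chain is verified against cafile;
    the name is compared separately so a mismatch can be reported per DC."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # audit only: names are checked by url_covered()
    with socket.create_connection((dc_host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert()

def san_dns_names(cert):
    """DNS entries of subjectAltName from a dict shaped like getpeercert()."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, host):
    """Exact match, or '*' standing for the whole leftmost label only."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def url_covered(url, cert):
    """True if the host in the LDAPS URL is covered by the certificate."""
    host = urlsplit(url).hostname
    return any(name_matches(n, host) for n in san_dns_names(cert))

def audit(url, dc_certs):
    """Return the DCs whose certificate does not cover the host in url."""
    return sorted(dc for dc, c in dc_certs.items() if not url_covered(url, c))

# Constructed sample: three DCs of a hypothetical domain corp.example.
SAMPLE_CERTS = {
    "dc1.corp.example": {"subjectAltName": (("DNS", "dc1.corp.example"),)},
    "dc2.corp.example": {"subjectAltName": (("DNS", "dc2.corp.example"),
                                            ("DNS", "corp.example"))},
    "dc3.corp.example": {"subjectAltName": (("DNS", "*.corp.example"),)},
}

if __name__ == "__main__":
    # Against live DCs: {dc: fetch_cert(dc, "ca.pem") for dc in dc_list}
    print(audit("ldaps://corp.example:636", SAMPLE_CERTS))
```

If a round-robin alias or the domain name is used as the LDAPS server URL, every DC that can answer for that name needs a certificate covering it; a wildcard for `*.corp.example` does not cover `corp.example` itself.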
Nawals
Expert

You need to configure the Identity source in vCenter using the steps below.

1. Log in to the vSphere Web Client as administrator@vsphere.local

2. From the home location, navigate to Administration > Single Sign-On > Configuration and select the Identity Sources tab

3. Click the green + to add an Identity source

4. In the Identity Source page, select Active Directory as an LDAP Server.

5. Fill in the Identity Source Settings information for your Active Directory domain

Name: Label for identification
Base DN for users: The Distinguished Name (DN) of the starting point for directory server searches. Example: If your domain name is domain.internal the DN for the entire directory is "DC=domain, DC=local".
Domain name: Your domain name. Example: "domain.local"
Domain alias: Your netbios name. Example: "XYZ"
Base DN for groups: The Distinguished Name (DN) of the starting point for directory server searches.
Primary server URL: AD Server URL. You can either query the local directory (Port 389), or the global catalog (Port 3268). Example: "ldap://snow.domain.local:3268"
Secondary Server URL: "ldap://rain.domain.local:3268"
Username: A user in the AD Domain with at least browse privileges. Example: XZY\vcadmin

6. Click Finish.

7. After clicking Finish, this should add the domain to the list

NKS Please mark Helpful/Correct if my answer resolves your query.
berndweyand
Expert

Or in short words: you must address the global catalog at port 3268 on two different domain controllers.

Please keep in mind that Microsoft will soon stop support for LDAP, so configure it to LDAPS.

fedayn
Contributor

In short, in the case those two configured DCs are unavailable, vCenter authentication will fail for that Identity Source.
