4 Replies Latest reply on Jul 29, 2020 9:40 PM by vGuy

    Joining VCSA to AD vs add as Identity Source

    andvm Enthusiast

      Hi,


      In VCSA I can add an Active Directory Identity Source which would allow me to set permissions to specific Active Directory Users to the vSphere environment.


      Therefore what are the reasons why one would join the VCSA to the Active Directory Domain? And what about the hosts managed by the VCSA?


      Undoubtedly, this would bring in disadvantages, such as: what happens if Active Directory is down, will everything fall back to local authentication?


      Thanks

        • 1. Re: Joining VCSA to AD vs add as Identity Source
          AlessandroRomeo68 Master

          Hi,

          I believe that if your Active Directory is inactive, you have more problems than thinking that you cannot access VCSA with an AD user.


          ARomeo

          • 2. Re: Joining VCSA to AD vs add as Identity Source
            NicolasAlauzet Hot Shot

            You add vCenter to AD to use the integration for users and be able to assign permissions in your VMware environment to those users. That's the main reason (regular users or service users maybe).


            If the AD server is not accessible you are always able to log in with the @vsphere.local domain. In vCenter you can have multiple domains, and the default domain is always there even if you integrate with AD.

            For the ESXi it is useful also, but if you don't have any security regulation or compliance to follow, keep the root account for the ESXi (also avoid having users performing tasks directly on the ESXi when you have a vCenter Server). But even if you add the ESXi to AD, it is the same: the local account will be there.


            Hope that helps

            Cheers

            N

            • 3. Re: Joining VCSA to AD vs add as Identity Source
              andvm Enthusiast

              By adding an Active Directory Identity Source (rather than joining AD) you are also able to assign permissions in your VMware environment to those users, right?


              • 4. Re: Joining VCSA to AD vs add as Identity Source
                vGuy Expert

                That's right. If you have not joined the VCSA to the domain then you will select AD over LDAP as an identity source and provide an account with read perms on Active Directory.


                If you have joined the VCSA to the domain then you can use AD integrated authentication, wherein you do not need to provide a service account. The VCSA machine account will be used to query AD.
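The thread's practical worry is what still works when AD is down: vCenter keeps the built-in vsphere.local domain, so the question becomes whether anyone actually holds a vsphere.local Administrator assignment. The PowerCLI audit below is an added example, not code from the thread or from VMware; it assumes VMware PowerCLI is installed, and the server name and AD NetBIOS name are placeholders.

```powershell
# Added example (not from the thread): audit vCenter permissions per
# identity source and confirm a break-glass Administrator from the
# built-in vsphere.local domain exists at the inventory root, so admins
# are not locked out if the AD identity source is unreachable.
param(
    [string]$Server      = 'vcsa.example.test',  # placeholder VCSA FQDN
    [string]$AdDomain    = 'CORP',               # placeholder AD NetBIOS name
    [string]$LocalDomain = 'VSPHERE.LOCAL'       # built-in SSO domain
)

Import-Module VMware.VimAutomation.Core -ErrorAction Stop
$vc = Connect-VIServer -Server $Server          # prompts for credentials

# Each entry has Principal ('DOMAIN\name'), Role, Entity, Propagate, IsGroup.
$perms = Get-VIPermission -Server $vc

# Count assignments per identity source using the principal's domain prefix.
$perms |
    Group-Object { ($_.Principal -split '\\')[0].ToUpper() } |
    ForEach-Object { '{0,-20} {1,3} permission(s)' -f $_.Name, $_.Count }

# Break-glass check: a propagating 'Admin' (the built-in Administrator
# role) held by a vsphere.local principal on the root folder.
$rootFolder = Get-Folder -Server $vc -NoRecursion
$breakGlass = Get-VIPermission -Server $vc -Entity $rootFolder |
    Where-Object {
        $_.Principal -like "$LocalDomain\*" -and
        $_.Role -eq 'Admin' -and $_.Propagate
    }

if (-not $breakGlass) {
    Write-Warning "No propagating $LocalDomain Administrator at the root: an AD outage could lock out every admin."
} else {
    'Break-glass principals: ' + (($breakGlass.Principal | Sort-Object -Unique) -join ', ')
}

# AD principals holding Administrator anywhere in the inventory, for review.
$perms |
    Where-Object { $_.Principal -like "$AdDomain\*" -and $_.Role -eq 'Admin' } |
    Select-Object Principal, IsGroup, @{ n = 'Entity'; e = { $_.Entity.Name } }, Propagate |
    Format-Table -AutoSize

Disconnect-VIServer -Server $vc -Confirm:$false
```

The same check applies whether the AD source was added as AD over LDAP or via Integrated Windows Authentication: both sit beside vsphere.local, and only the local domain answers when AD is unavailable.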