Introduction
Most IT administrators use the built-in administrative account, root, to manage their ESXi hosts, or even to connect to them from vCenter.
VMware gives you the ability to add hosts to an Active Directory (AD) forest, which provides effective central administration.
Advantages of Joining ESXi to AD
This approach has several advantages:
- It allows you to perform AD-based authentication, so a common set of user accounts can be used in both the Microsoft and VMware environments.
- It also helps with security and with auditing of administrative actions.
- It guarantees that server clocks are synchronized across both the Windows and VMware environments, using the Network Time Protocol (NTP).
Potential Disadvantages
Some IT administrators argue that joining ESXi to an AD domain has one potential disadvantage: it breaks down isolation boundaries.
This means that if an organization's AD is compromised, the VMware hosts could be compromised as well.
As a best practice, some organizations find it helpful to create two separate AD forests:
- One forest makes up the AD environment used by the users, devices and applications that users need to do their jobs.
- The second forest is a lower-level forest that exists for administrative purposes. This forest might contain the organization's virtualization hosts and management tools.
This approach can be especially beneficial to organizations that operate a heterogeneous collection of virtualization hosts, because it brings all of the hosts and management tools together within a common AD forest.
Network Diagram
To best understand the setup, please have a look at the network diagram above.
We have a domain controller, DC101.pioneers.lab, with the following:
- IP address: 172.16.100.101
- Services: domain controller for the AD domain pioneers.lab
- DNS server for the domain pioneers.lab
- NTP server to synchronize time with the other servers in the environment
We also have three ESXi servers:
- ESXI151 with IP address 172.16.100.151
- ESXI152 with IP address 172.16.100.152
- ESXI153 with IP address 172.16.100.153
Step 01: Verify ESXi Network Configuration
Before joining ESXi to AD, we have to make sure the ESXi hosts are configured properly to avoid any errors when joining AD.
We can use either the vCenter web client or the ESXi web client to configure an ESXi host.
Here we will use the ESXi web client for the configuration.
Step 02: Sync Time Between ESXi and the DC
Time synchronization between ESXi and the AD domain controller is required so that ESXi is able to join AD.
The server DC101.pioneers.lab runs the NTP service.
Now we have to configure ESXI151 to synchronize its time with DC101.
Step 03: Create a DNS Record
We highly recommend creating the A (host) record on the DNS server manually rather than relying on automatic registration, to avoid any DNS issues that could arise later.
Step 04: Join ESXi to Active Directory
Now it's time to join the ESXi host to Active Directory.
Step 05: Verify the ESXi Join to AD
To verify that ESXi has joined Active Directory:
Open the Active Directory Users and Computers console and look in the Computers container.
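The five steps above as one PowerCLI script, added here as an example that is not from the original post. It assumes PowerCLI plus the RSAT DnsServer and ActiveDirectory modules on a Windows management workstation and an AD account allowed to join computers to the domain; the 300-second skew check reflects the default Kerberos tolerance, and the last step also reads the AD group that ESXi grants the Administrator role to automatically after a join, so you know what to review before configuring RBAC.

```powershell
# Added example (not from the original post). Requires PowerCLI and the RSAT
# DnsServer/ActiveDirectory modules; names and addresses come from the post's diagram.
Import-Module VMware.PowerCLI, DnsServer, ActiveDirectory -ErrorAction Stop

$HostName = 'ESXI151'
$HostIp   = '172.16.100.151'
$Domain   = 'pioneers.lab'
$DcIp     = '172.16.100.101'
$DcFqdn   = "DC101.$Domain"

$rootCred = Get-Credential -UserName 'root' -Message "ESXi root password for $HostName"
$adCred   = Get-Credential -Message "AD account allowed to join computers to $Domain"

$vi  = Connect-VIServer -Server $HostIp -Credential $rootCred -ErrorAction Stop
$esx = Get-VMHost -Server $vi

# Step 01: hostname, domain suffix and DNS must point at the DC before the join.
Get-VMHostNetwork -VMHost $esx |
    Set-VMHostNetwork -HostName $HostName -DomainName $Domain `
                      -DnsAddress $DcIp -SearchDomain $Domain -Confirm:$false | Out-Null

# Step 02: NTP against DC101; Kerberos rejects tickets when clock skew exceeds 5 minutes.
Add-VMHostNtpServer -VMHost $esx -NtpServer $DcIp -ErrorAction SilentlyContinue | Out-Null
$ntpd = Get-VMHostService -VMHost $esx | Where-Object Key -eq 'ntpd'
Set-VMHostService -HostService $ntpd -Policy 'on' -Confirm:$false | Out-Null
Restart-VMHostService -HostService $ntpd -Confirm:$false | Out-Null
$hostUtc = (Get-View $esx.ExtensionData.ConfigManager.DateTimeSystem).QueryDateTime()
$skew = [math]::Abs(((Get-Date).ToUniversalTime() - $hostUtc).TotalSeconds)
if ($skew -gt 300) { throw "Clock skew of $skew s on $HostName; fix NTP before joining" }

# Step 03: static A (and PTR) record instead of relying on dynamic registration.
if (-not (Get-DnsServerResourceRecord -ComputerName $DcFqdn -ZoneName $Domain -Name $HostName -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ComputerName $DcFqdn -ZoneName $Domain -Name $HostName -IPv4Address $HostIp -CreatePtr
}

# Step 04: join the domain with a dedicated AD join account, not root.
Get-VMHostAuthentication -VMHost $esx |
    Set-VMHostAuthentication -JoinDomain -Domain $Domain -Credential $adCred -Confirm:$false | Out-Null

# Step 05: verify from both sides and record which AD group ESXi auto-grants Administrator to.
$auth      = Get-VMHostAuthentication -VMHost $esx
$adObj     = Get-ADComputer -Identity $HostName -Server $DcFqdn
$esxAdmins = Get-AdvancedSetting -Entity $esx -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
[pscustomobject]@{
    Host = $HostName; Domain = $auth.Domain; Status = $auth.DomainMembershipStatus
    InADUC = [bool]$adObj; AutoAdminGroup = $esxAdmins.Value
}
Disconnect-VIServer -Server $vi -Confirm:$false
```

A Status of Ok together with the computer object in ADUC confirms the join; the AutoAdminGroup value tells you which AD group already holds host-level admin and should be reviewed as part of the RBAC configuration.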
Post Join ESXi to AD
Now the ESXi host has joined Active Directory successfully.
BUT...
None of the domain users (not even the administrator) are able to manage or access the ESXi host yet, since we still have to configure permissions and RBAC (Role-Based Access Control).
In the next article we will discuss how to join vCenter to Active Directory, before seeing how to configure domain users to access and manage the ESXi host.
Thank you for joining us.