With the VMware vSphere 4.1 release there are lots of new features to talk about! One of those features that caught my eye is the ability for ESX/ESXi servers to “join” a Windows Active Directory (AD) domain. That’s right, an ESX server can be a member server in AD. That means that you can then login to that ESX host using your Winodws AD username and password. This applies when connecting to the server using the vSphere Client, going to the console, or connecting via SSH. This is also a nice security function because instead of logging on locally as “root”, now each user can login as themselves (and that entry will be made in the associated security logs).
Here’s a new video I created on how to configure this cool new vSphere 4.1 feature – Windows Active Directory Authentication.
Found out how to do this eventually – just need to do an ‘id’ command on the host to see the way the AD groups you are a member of are listed, then add the AD group to the sudoers file.
To answer the questions one at a time…
1. Doug – Thanks for your comment and follow up on how to configure this! Glad you liked the video!
2. Kenneth – No, I don’t think that this has any anything to do with DC’s really… This just allows an ESX or ESXi server to be an AD member server and it allows you to use your AD credentials when administering the server locally.
3. Rich – According to VMware, YES, it works with ESX AND ESXi. I had some issues with ESXi in my beta and that was why I didn’t demo it with ESXi or mention it too much but, according to VMware, it should be working with ESXi and the GA version of 4.1
Does this work if you are using a standalone box with just vi client? I was ale to join my domain but I didn’t see where I could add my domain users or group
Hi Kenneth,
Thanks for your post!
Great Question!
I need to test this with a standalone ESXi server. The default group for authentication that should be created when you join the ESXi host is “ESX Admins”. Check your AD DC to see if that group was created. From there, you would just add the appropriate AD users to that group to make them ESXi admins on the standalone server (that’s the THEORY at least).
I’ll do some more testing on this.
Thanks!
-David
Hi David,
Thanks for this video, whcih guide throgh how to AD Authentication works with ESX 4.1. I just down loaded ESXi 4.1 and follow the same steps as you shown in video and it works perfectly. Once again thankyou so much for sharing such informative video.
Thanks for the video! Hope you can advise/help me on this one: when i use a AD account to login with VI it works, when i login with putty/ssh the machine crashes. Somebody any ideas?
I have the exact same problem as berry does. Authenticate with userid@domain.com it crashes. If I just use userid without the domain.com it says access denied.
VMWare tech support directed me to this KB article. This is a known problem if your AD id is a member of more the 32 groups. They have a fix but have not released it to the general public. Trying to get the patch now. http://kb.vmware.com/kb/1026321
Hi Davis,
Great video. Do we really need to explicityly call the group as ESX admins? (Security-folks don’t like that?)
Is ESX Admins, hardcoded in ESX 4.1 host? It’s not listed in local groups of the host (while connected via vsphere), yet it’s displayed under the permissions tab even without manually adding the group.
If I created a group called anything else(eg:hostadmins) other than ‘ESX Admins’, that group needs to be explicity added to the local host.
Though, creating ESX admins or any other group, the connection experience is same, the difference would be adding the group explicityly to the host (hostadmins)
Good stuff, is it still possible to use the root login to access an ESX host if AD is unavailable, when directory services is configured as the default authentication method?
I would like to also point out the what Raphael Schitz posted on his blog regarding the ESX Admins group and how this group automatically has access to the host just added to the domain. Thanks for pointing this out
By default, the ESX host assigns the Administrator role to the “ESX Admins” group.
If the group does not exist when the host joins the domain, the host will not assign the role.
In this case, you must create the “ESX Admins” group in the Active Directory.
The host will periodically check the domain controller for the group and will assign the role when the group exists.
Graham,
Yes, even though the host cannot reach the Domain controller you can still login with the root account or other accoutns which are local to the host.(obviously AD accounts cannot be used,unless they are cached on)
Is the information about this stored in some file ? I want to get the collect the data if the active directory is configured.Is it stored in some variable or file from which I can read the setting information ?
David Davis (CCIE #9369, vExpert, VCP, VCAP-DCA) has been in the IT industry for 20+ years. He has authored hundreds of articles, 10+ video training courses, and co-authored one book. Learn about David's certifications, video courses, and where you can find his content on our About Us page.
David Davis (CCIE #9369, vExpert, VCP, VCAP-DCA) has been in the IT industry for 20+ years. He has authored hundreds of articles, 10+ video training courses, and co-authored one book. Learn about David's certifications, video courses, and where you can find his content on our 
{ 18 comments… read them below or add one }
Great new feature & great video on how to configure it. How do you configure sudo for domain users to save everyone knowing the root password?
Found out how to do this eventually – just need to do an ‘id’ command on the host to see the way the AD groups you are a member of are listed, then add the AD group to the sudoers file.
Do you think this new feature will impact the decision of having physical or virtual domain controllers? or should that be a non issue?
Does this feature work on ESX and ESXi 4.1?
Hi All,
Thanks for the comments!
To answer the questions one at a time…
1. Doug – Thanks for your comment and follow up on how to configure this! Glad you liked the video!
2. Kenneth – No, I don’t think that this has any anything to do with DC’s really… This just allows an ESX or ESXi server to be an AD member server and it allows you to use your AD credentials when administering the server locally.
3. Rich – According to VMware, YES, it works with ESX AND ESXi. I had some issues with ESXi in my beta and that was why I didn’t demo it with ESXi or mention it too much but, according to VMware, it should be working with ESXi and the GA version of 4.1
Thanks for watching!
-David
Does this work if you are using a standalone box with just vi client? I was ale to join my domain but I didn’t see where I could add my domain users or group
Hi Kenneth,
Thanks for your post!
Great Question!
I need to test this with a standalone ESXi server. The default group for authentication that should be created when you join the ESXi host is “ESX Admins”. Check your AD DC to see if that group was created. From there, you would just add the appropriate AD users to that group to make them ESXi admins on the standalone server (that’s the THEORY at least).
I’ll do some more testing on this.
Thanks!
-David
Thank you for the video. I enjoyed it.
Hi David,
Thanks for this video, whcih guide throgh how to AD Authentication works with ESX 4.1. I just down loaded ESXi 4.1 and follow the same steps as you shown in video and it works perfectly. Once again thankyou so much for sharing such informative video.
Thanks for the video! Hope you can advise/help me on this one: when i use a AD account to login with VI it works, when i login with putty/ssh the machine crashes. Somebody any ideas?
I have the exact same problem as berry does. Authenticate with userid@domain.com it crashes. If I just use userid without the domain.com it says access denied.
VMWare tech support directed me to this KB article. This is a known problem if your AD id is a member of more the 32 groups. They have a fix but have not released it to the general public. Trying to get the patch now.
http://kb.vmware.com/kb/1026321
Hi Davis,
Great video. Do we really need to explicityly call the group as ESX admins? (Security-folks don’t like that?)
Is ESX Admins, hardcoded in ESX 4.1 host? It’s not listed in local groups of the host (while connected via vsphere), yet it’s displayed under the permissions tab even without manually adding the group.
If I created a group called anything else(eg:hostadmins) other than ‘ESX Admins’, that group needs to be explicity added to the local host.
Though, creating ESX admins or any other group, the connection experience is same, the difference would be adding the group explicityly to the host (hostadmins)
Cheers
Prashanth
Good stuff, is it still possible to use the root login to access an ESX host if AD is unavailable, when directory services is configured as the default authentication method?
About the “ESX Admins” group, let me offer some clarification from Maishsk over at Technodrone and from Rapael Schitz at Hypervizor.fr:
Graham,
Yes, even though the host cannot reach the Domain controller you can still login with the root account or other accoutns which are local to the host.(obviously AD accounts cannot be used,unless they are cached on)
cheers
Prashanth
Thanks for the Video David. You always do a great job
Around 2:04 you said entry for ESX on the domain controller whereas its in the DNS 🙂
just wanted to mention to avoid confusion it might cause to some folks.
Is the information about this stored in some file ? I want to get the collect the data if the active directory is configured.Is it stored in some variable or file from which I can read the setting information ?