Centrally manage account security by joining ESXi hosts to Active Directory

VMware host servers require advanced software to manage them en masse. Admins can restrict access using AD services to authenticate and manage user account security.

istock-913641826.jpg
Image: metamorworks, Getty Images/iStockphoto

As is the case with much of IT these days, the times point to doing more with less. Fewer, but more powerful servers that can consolidate the large server farm into a lighter, more efficient data center is one example of this philosophy, which has evolved into part of IT's core DNA. There's simply no good reason not to leverage existing infrastructure to make another part of it work smoother. The one caveat usually being a higher price point.

Such is the case with the VMware ESXI hypervisor (free) and the vSphere management suite (not free). But there are things IT departments can do to provide a more centralized management experience, and joining your ESXI hosts to an existing Microsoft AD environment is a great start. Leveraging Active Directory Domain Services (AD DS) allows IT departments on a budget to shore up security and access control through central management of user accounts and authentication.

SEE: Information security policy template download (Tech Pro Research)

Luckily, the process is intuitive and ESXI natively supports AD integration. Though there are a few requirements to make a note of before starting:

  • Server running Windows Server 2008 (or newer) with the following roles installed:
    • Active Directory Domain Services
    • DHCP
    • DNS
  • Active Directory populated with user accounts and computer objects
  • Bare-Metal server running ESXi Hypervisor v5.5 (or newer)
  • Switched Network
  • Broadband ISP (Optional; Recommended)
  • Administrative credentials to ESXi and Windows Server
  • Domain Admin rights (or delegated access) to Active Directory

Join ESXi host to Active Directory

Log in to ESXi host server to verify the hostname. This should be named according to what the computer object in AD will be called (Figure A).

Figure A

2019xxfigure-a.jpg

Click on Manage under Host in the Navigator, then click on Security & users | Certificates to verify the hostname matches the name in the first step. These need to match or the joining process will fail (Figure B).

Figure B

2019xxfigure-b.jpg

With the hostnames verified, click on Authentication | Join domain. You will be prompted for the name of the domain, and the domain admin credentials used to bind it to AD. The process can take several minutes, but once completed successfully, it will display the name of the domain joined and any trusted domains associated with it, as well (Figure C).

Figure C

2019xxfigure-c.jpg

While optional, by checking the properties of the computer object in AD User's and Computers, click on the Operating System tab. It is common for "unknown" to be displayed for both Name and Version. However, it should state "Likewise Open 6.2.0" for Service pack. This verifies that the host has bind itself successfully to the AD computer object (Figure D).

Figure D

2019xxfigure-d.jpg

Configure Active Directory authentication

Before the ESXi host will process authentications from AD, we must first make some changes to the default security settings.

Log in to the ESXi host with the local admin account, click on Manage, then the System Tab | Advanced settings. Scroll down through the list of configurable settings until you locate the one titled Config.HostAgent.plugins.hostsvc.esxAdminsGroup. By default, any Active Directory groups added to the ESX Admins group will automatically be provided access to ESXi as an admin. However, AD does not contain such a group, so we can provide our own and configure this setting by highlighting the setting and clicking the Edit option button (Figure E).

Figure E

2019xxfigure-e.jpg

In the window that's open, delete the default group and enter the name of a security group contained in AD that has the member accounts configured, which will manage the ESXi host. As an example, if the Domain Admins group will need access to the ESXi host, then enter that group's name in the box. Multiple group names may be entered, separated by a comma. Press the Save button to save (Figure F).

Figure F

2019xxfigure-f.jpg

Next, we will verify that the setting titled Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd is set to true. This is the default setting on newer versions and ensures that accounts, which are members of the group entered in the second step above will be administrators on the ESXi host (Figure G).

Figure G

2019xxfigure-g.jpg

Last, log out as the local user and attempt to authenticate using your domain credentials. Users may typically log in with just the username and password, however, if an error is displayed, try entering the username in the format of "username"@"domain"."TLD" (Figure H)(Figure I).

Figure H

2019xxfigure-h.jpg

Figure I

2019xxfigure-i.jpg

You should now be able to authenticate to the ESXi host via AD accounts, and the account tested above should be an administrator as well. Access can be restricted granularly if necessary, by creating multiple security groups in AD and re-configuring the settings in steps one through three accordingly.

Also see

By Jesus Vigo

Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from seve...