Virtual Geek

Tales from real IT system administrators world and non-production environment


July 26, 2017 09:22AM

Another security best practice is to always join the ESXi server to a domain, preferably an Active Directory domain. One advantage is domain-wide authentication: with a domain-joined ESXi host I don't have to use or share root or any other local account to log in. Creating and maintaining local accounts on ESXi is a tedious job; instead, users log in with their own elevated domain accounts, and auditors can review the logs for activities performed directly on the ESXi host. Before starting, make sure the AD DNS server IP is configured correctly; check my previous article on how to configure DNS on the ESXi server. To check whether DNS is functioning properly, or for further troubleshooting, SSH to the ESXi server with PuTTY and ping or netcat the domain name and the domain ports. In my case, pinging the domain name resolves to an IP address.


vmware vsphere esxi vcenter putty ping, telnet and nc, netcat

Further, check with telnet (or nc) whether the AD ports below are reachable from ESXi:
Port 88 - Kerberos authentication
Port 123 - NTP
Port 135 - RPC
Port 137 - NetBIOS Name Service
Port 139 - NetBIOS Session Service (SMB)
Port 389 - LDAP
Port 445 - Microsoft-DS Active Directory, Windows shares (SMB over TCP)
Port 464 - Kerberos password changes
Port 3268 - Global Catalog search

Next, in the vSphere web client select the ESXi server, click the Configure tab on the right, and in the left pane under Services select Authentication Services. On this summary page my Directory Services Type is Local Authentication. To change it, click the Join Domain button. In the popup, type the domain name and the credentials of an account that has rights to join computers to the domain.

VMware esxi vsphere vcenter configure Authentication services, directory services configuration, Join domain, leave domain, active directory, Trusted domain controllers

Once successful, the Directory Services Type changes to Active Directory and the domain name is shown.

Check Advanced System Settings and search for esx admins or Config.HostAgent.plugins.hostsvc.esxAdminsGroup. Its value is ESX Admins: this is the Active Directory group whose members are automatically granted administrator privileges on the ESXi host. I can change this group name here if I want.

VMware vsphere esxi, Configure, Advanced system settings, config.hostagent.plugins.hostsvc.esxAdminsGroup, ESX Admins, active directory ad group

I will quickly go to the Active Directory Users and Computers MMC (dsa.msc) and create a group named ESX Admins, then add a few users as members. Also notice that a computer account with the ESXi host name was created under the Computers container (this location might be different in your environment).

vmware esxi computer account in active directory users and Computers, domain controllers, dsa.msc, Esx admins group properties members

Use the embedded ESXi web client at https://esxifqdn_or_Ip/ui and log in with your AD user account. There is no need to share the root password with users now, and activities and events are logged with the user's name.

esxi web client ui, login using ad domain account

Next, for demonstration, I have logged on to ESXi with PuTTY using a domain account; the prompt shows the domain and username. I ran a few commands, and they are captured in the /var/log/shell.log file. I use tail or cat to view the file, and you can see the activities captured for both the root account and the domain user account.

vmware esxi active directory login ssh putty, ad user, /var/log var log, esxi log location, shell.log capture keyboard, linux tail command logs

In this PowerCLI session I perform the same steps as above (before proceeding I reverted the settings and removed ESXi from the domain).

First I check the AD group name in the ESXi advanced settings, which needs to be created in the domain. The value is ESX Admins; I create it in the AD domain and add users as members (the same can be done with the New-ADGroup command). Replace the <esxi-fqdn> placeholder with your host name.
Get-AdvancedSetting -Entity (Get-VMHost -Name '<esxi-fqdn>') -Name Config.HostAgent.Plugins.hostsvc.esxAdminsGroup

The command below shows the authentication status. Domain and DomainMembershipStatus are blank, which means this server is not yet part of the domain (<esxi-fqdn> is a placeholder for your host name).
Get-VMHostAuthentication -VMHost (Get-VMHost -Name '<esxi-fqdn>')

vmware esxi powercli esx admins ad domain group, Get-AdvancedSetting -Entity Config.HostAgent.Plugins.hostsvc.esxAdminsGroup, Get-VMhostAuthentication vmhost domainmembershipstatus, TrustedDomains

Running the command below joins ESXi to the domain. It prompts for a username and password, then shows the domain name and a membership status of Ok (<esxi-fqdn> and <ad-domain-fqdn> are placeholders for your host and domain names).
Get-VMHostAuthentication -VMHost (Get-VMHost -Name '<esxi-fqdn>') | Set-VMHostAuthentication -Domain '<ad-domain-fqdn>' -Credential (Get-Credential) -JoinDomain -Confirm:$false

vmware vsphere esxi join domain Get-vmhostauthentication, set-vmhostauthentication, domain, credential, get-credential, joindomain confirm
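As an added example that is not part of the original post, this PowerCLI function audits every host in a connected vCenter for the configuration walked through above: domain membership status, the joined domain, and the esxAdminsGroup value. It assumes an existing Connect-VIServer session; the domain and group names passed to it are placeholders for your own.

```powershell
# Added example (not from the original post): report which ESXi hosts are
# domain joined and which AD group they grant administrator rights to.
# Assumes VMware.PowerCLI is loaded and Connect-VIServer has already run.
function Get-EsxiAdAuditReport {
    param(
        # AD domain every host is expected to be joined to (placeholder value below)
        [Parameter(Mandatory)] [string] $ExpectedDomain,
        # AD group that esxAdminsGroup should point at; default is the value seen in the post
        [string] $ExpectedAdminsGroup = 'ESX Admins'
    )

    foreach ($vmhost in (Get-VMHost | Sort-Object Name)) {
        # Same two cmdlets used in the post, run per host instead of once
        $auth  = Get-VMHostAuthentication -VMHost $vmhost
        $group = (Get-AdvancedSetting -Entity $vmhost `
                    -Name 'Config.HostAgent.Plugins.hostsvc.esxAdminsGroup').Value

        # Joined means the trust is healthy AND it is the domain we expect,
        # not just any domain somebody happened to join the host to
        $joined = ($auth.DomainMembershipStatus -eq 'Ok') -and
                  ($auth.Domain -eq $ExpectedDomain)

        [pscustomobject]@{
            VMHost           = $vmhost.Name
            Domain           = $auth.Domain
            MembershipStatus = $auth.DomainMembershipStatus
            EsxAdminsGroup   = $group
            # Non-compliant hosts still depend on root/local logins, or grant
            # admin rights to a group other than the one populated in AD
            Compliant        = $joined -and ($group -eq $ExpectedAdminsGroup)
        }
    }
}

# '<ad-domain-fqdn>' is a placeholder; replace it with your AD domain name
Get-EsxiAdAuditReport -ExpectedDomain '<ad-domain-fqdn>' | Format-Table -AutoSize
```

Any host listed with Compliant = False either is not (or is no longer) trusted by the domain, or points esxAdminsGroup at a group name that differs from the one you created in AD, so its administrators are still logging in with shared local credentials.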
