How To Guy
Configuring the New vSphere 4.1 Active Directory Authentication
With the release of vSphere 4.1, VMware officially announced that this will be the last release that offers the company's full ESX Server hypervisor with a console operating system (COS). In the future, the hypervisor used by all vSphere installations will be the thin ESXi Server. In order to make this more palatable for VMware admins, VMware has made a number of improvements to ESXi around offering greater command-line options, officially supporting a thin console and allowing it to join a Windows Domain as a member server. This last new feature is officially called "Directory Services."
Before You Begin
If you were about to add a new Windows server to your AD Domain, you'd need to double-check a few things. These are the same prerequisites for adding an ESX Server to your AD Domain. They are:
- AD Domain Controller & DNS Server preconfigured
- ESX/ESXi has DNS preconfigured
- ESX Server can resolve its Fully Qualified Domain Name (FQDN)
- Network Time Protocol (NTP) Time Sync on ESX/ESXi
vSphere 4.1 Benefits
Once Directory Services is configured, you'll be able to use your Windows AD username and password to administer an ESXi or ESX server using the vSphere client (directly to the ESX/ESXi Server), SSH, direct console user interface (DCUI) with ESXi, and local console on ESX Server or Tech Support Mode (TSM) on an ESXi server. In the past, the administration of ESX and ESXi servers using these methods would call for the use of the root username and password. Due to the lack of knowledge in configuring other local Linux-like accounts, all too commonly the root account was generally used and the credentials could be too widely distributed to the server admin staff.
With these ESX/ESXi servers being able to join Windows AD, the account that would be used to log in is the user's real Windows account. The benefits to this are: The user logging into the ESX/ESXi server knows these credentials and they're his own, not a shared root account; no local user accounts need to be set up on the ESX/ESXi servers; and the actual Windows user account will be recorded in security logs on the server, which can be used for auditing.
Additionally, with the ESX/ESXi servers being members of the Windows domain, they can now be included in Windows-based inventory tools like other servers in the datacenter.
Configuring AD Authentication
Once the prerequisites are met, the actual configuration of Directory Services is simple, as it's similar to joining a Windows PC to a domain. To make the ESX or ESXi server a member server in Windows AD, use the vSphere client, go to the Configuration tab for the ESX/ESXi server, and click on Authentication Services under Software, then click on Properties. In the window that appears, add your Windows domain and the administrator credentials to join the domain.
Once joined, go to your AD domain controller and add a Windows group called "ESX Admins." This will be your new point of control for AD. It's here that you'll add or remove Windows users or groups that will be authorized to administer the virtual infrastructure. From here, you can start using Windows AD user accounts that are members of this special group to perform local management on the ESX/ESXi servers.
Quick and Easy
Using the new vSphere 4.1 Directory Services to join an ESX or ESXi server to a Windows domain is quick and easy. While it's a straightforward feature, it's also a long-awaited feature that I applaud VMware for adding. I believe this new feature will make ESXi much more appealing to Windows admins by allowing them to use the same credentials they already use and further solidifying the place of vSphere in the enterprise datacenter.
David Davis is a well-known virtualization and cloud computing expert, author, speaker, and analyst. David’s library of popular video training courses can be found at Pluralsight.com. To contact David about his speaking schedule and his latest project, go to VirtualizationSoftware.com.