Joining VMware Hosts to Active Directory Domains: Good Idea?
In most cases, the answer is yes.
VMware has long given its customers the ability to add hosts to an Active Directory (AD) forest, but is doing so a good idea? Like anything else in the world of IT, there can be pros and cons associated with domain-joining VMware hosts.
The biggest advantage to domain-joining VMware hosts is that it allows you to perform AD-based authentication. This allows a common set of user accounts to be used within both the Microsoft and VMware environments. This isn't just a convenience feature; it can also help with security and the auditing of administrative actions.
Another benefit of using AD is that it ensures server clocks are synchronized across both the Windows and VMware environments. AD authentication is based on the Kerberos protocol, which is time sensitive, so Windows servers are synchronized to an authoritative time source (a network time server) using NTP. When a VMware server is joined to a domain, its clock can be synchronized to the same time source as the Windows servers, ensuring consistency across both environments (it is also possible to sync clocks without joining a domain).
One potential disadvantage to domain-joining VMware servers is that doing so breaks down isolation boundaries. If an organization's AD is compromised, the VMware hosts could conceivably be compromised as well.
In most cases, the benefits of domain-joining VMware servers outweigh any potential disadvantages. In practice, some organizations find it helpful to create two separate AD forests. One forest is the AD environment that holds the users, devices and applications people need to do their jobs.
The second forest is a lower-level forest that exists solely for administrative purposes. Such a forest might contain the organization's virtualization hosts and management tools. This approach can be especially beneficial to organizations that operate a heterogeneous collection of virtualization hosts, because it brings all of the hosts and management tools together within a common AD forest.
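As an added example (not code from the article), the following PowerCLI audit checks each ESXi host against the points above: whether it is domain-joined, whether it joined the dedicated administrative forest rather than the user forest, and whether NTP is configured and running so Kerberos authentication keeps working. The vCenter name and the admin forest name are placeholders for your own environment.

```powershell
# Added audit script (not from the article). Assumes VMware PowerCLI is installed.
# $VCenter and $AdminForest are placeholders; replace them with your own values.
param(
    [string]$VCenter     = 'vcenter.example.invalid',   # placeholder vCenter
    [string]$AdminForest = 'admin.example.invalid'      # placeholder: dedicated admin forest
)

Connect-VIServer -Server $VCenter | Out-Null

$report = foreach ($esx in Get-VMHost) {
    $auth = Get-VMHostAuthentication -VMHost $esx
    $ntp  = @(Get-VMHostNtpServer -VMHost $esx)
    $ntpd = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'ntpd' }

    # Classify the host according to the trade-offs discussed in the article.
    $finding = 'OK'
    if (-not $auth.Domain) {
        $finding = 'Not domain-joined (local accounts only, no central auditing)'
    } elseif ($auth.DomainMembershipStatus -ne 'Ok') {
        $finding = "Domain trust problem: $($auth.DomainMembershipStatus)"
    } elseif ($auth.Domain -ine $AdminForest) {
        # Joined to the user-facing forest: weakens the isolation boundary.
        $finding = "Joined to '$($auth.Domain)', not the admin forest"
    } elseif ($ntp.Count -eq 0 -or -not $ntpd.Running) {
        # Kerberos is time sensitive; a drifting clock breaks AD logins.
        $finding = 'Domain-joined but NTP not configured or ntpd not running'
    }

    [pscustomobject]@{
        Host         = $esx.Name
        Domain       = $auth.Domain
        MemberStatus = $auth.DomainMembershipStatus
        NtpServers   = ($ntp -join ',')
        NtpdRunning  = [bool]$ntpd.Running
        Finding      = $finding
    }
}

$report | Sort-Object Finding | Format-Table -AutoSize
Disconnect-VIServer -Server $VCenter -Confirm:$false
```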
Brien Posey is a 20-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.