Guide to Joining VMware ESXi to Active Directory: Centralized Management and Professional Permissions

VMware tutorial - IT technology blog

A Familiar Scene: The Nightmare of Using Local Accounts

If you only manage 1-2 ESXi servers, using the root account might be fine. However, consider what happens as the environment grows. In the environment I operate, we have 12 ESXi hosts. Every time a password policy changes or a new IT staff member joins, I have to log into each host to perform manual tasks. This is a repetitive and time-consuming process.

From a security perspective, sharing a single root account among multiple users is a major vulnerability. If an incident occurs, such as an important virtual machine (VM) being accidentally deleted, you won’t be able to trace who did it. That’s why joining ESXi hosts to Windows Active Directory (AD) is a mandatory task. It allows you to manage identities from a single location and leverage your organization’s existing security policies.

The “Handshake” Mechanism between ESXi and Active Directory

When joining a domain, ESXi offloads authentication to the Windows Domain Controller (DC) via the Kerberos protocol. Instead of looking up passwords in internal files, ESXi asks the DC if the credentials are valid.

This brings two major changes to the administrative workflow:

  • Authentication: Log in directly using the user@domain format (e.g., [email protected]) on both the Web Client and SSH.
  • Authorization: Assign permissions based on Groups. For example: the SA_Admins group has full permissions, while the App_Dev group can only power on/off specific virtual machines.

Practical experience shows that if you don’t carefully prepare the DNS and NTP infrastructure, this process will fail instantly with very cryptic error codes.

3 Prerequisites to Check Before You Start

Don’t rush to click the Join Domain button. Spend 5 minutes checking the list below to avoid wasting hours troubleshooting errors later.

1. Time Synchronization (NTP)

Kerberos is extremely strict regarding time drift. If the time on ESXi and the DC differs by more than 300 seconds (5 minutes), authentication requests will be rejected. Point both to the same reliable NTP Server source.

2. Domain Name Resolution (DNS)

ESXi needs to know the Domain Controller’s IP through its domain name. You must configure DNS on ESXi to point to the DC IPs. More importantly, ensure you have created an A record and a reverse record (PTR) for the ESXi host on the Windows DNS Server.

3. Prepare Groups in Active Directory

Instead of assigning permissions to individuals, create a dedicated Group, such as ESXi_Full_Admins. Then, simply add the technical accounts to this group.
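The three checks above can be scripted instead of done by hand. The following is an added example, not code from the original article: a pre-flight script run from an admin workstation that can reach the DC and the ESXi host. It measures clock skew against the 300-second Kerberos tolerance (the DC is queried with a minimal SNTP request), verifies that the A record and the PTR record for the host agree, and also probes the DC ports 88, 389 and 445 that the troubleshooting section later lists. The host names and IP addresses are constructed placeholders, and the DNS, clock and port probes are injectable so the logic can be exercised offline on sample data before pointing it at a live environment.

```python
"""Pre-flight checks before clicking 'Join domain' on an ESXi host (added example)."""
import socket
import struct
import time

MAX_KERBEROS_SKEW = 300             # seconds: Kerberos rejects tickets beyond this drift
REQUIRED_DC_PORTS = (88, 389, 445)  # Kerberos, LDAP, SMB
NTP_UNIX_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)


def sntp_time(host, timeout=3.0):
    """Ask an NTP server (a Windows DC runs w32time) for its clock as Unix seconds."""
    packet = b"\x1b" + 47 * b"\0"  # LI=0, VN=3, Mode=3 (client request)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, 123))
        data, _ = s.recvfrom(48)
    fields = struct.unpack("!12I", data[:48])
    return fields[10] - NTP_UNIX_EPOCH_OFFSET  # transmit timestamp, integer seconds


def clock_skew_ok(t_a, t_b, max_skew=MAX_KERBEROS_SKEW):
    """True when the two clocks differ by no more than max_skew seconds."""
    return abs(t_a - t_b) <= max_skew


def dns_consistent(fqdn, expected_ip, forward, reverse):
    """Return problems found with the A record and the PTR record (empty list == consistent).

    forward(name) -> ip and reverse(ip) -> name are injectable; use system_forward /
    system_reverse below for a live run against the Windows DNS server.
    """
    problems = []
    try:
        ip = forward(fqdn)
    except OSError as e:
        return [f"A record lookup for {fqdn} failed: {e}"]
    if ip != expected_ip:
        problems.append(f"A record for {fqdn} is {ip}, expected {expected_ip}")
    try:
        name = reverse(expected_ip)
    except OSError as e:
        problems.append(f"PTR lookup for {expected_ip} failed: {e}")
    else:
        if name.lower().rstrip(".") != fqdn.lower():
            problems.append(f"PTR for {expected_ip} is {name}, expected {fqdn}")
    return problems


def system_forward(name):
    return socket.gethostbyname(name)


def system_reverse(ip):
    return socket.gethostbyaddr(ip)[0]


def tcp_open(host, port, timeout=2.0):
    """Live TCP probe used for the DC port check."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def dc_ports_reachable(dc_ip, probe=tcp_open, ports=REQUIRED_DC_PORTS):
    """Return the required DC ports that could NOT be reached (empty list == all open)."""
    return [p for p in ports if not probe(dc_ip, p)]


def preflight(esxi_fqdn, esxi_ip, dc_ip, *, forward, reverse, probe, local_time, dc_time):
    """Run all checks and return a list of findings; an empty list means ready to join."""
    findings = []
    if not clock_skew_ok(local_time, dc_time):
        findings.append(f"clock skew {abs(local_time - dc_time)}s exceeds {MAX_KERBEROS_SKEW}s")
    findings += dns_consistent(esxi_fqdn, esxi_ip, forward, reverse)
    missing = dc_ports_reachable(dc_ip, probe)
    if missing:
        findings.append(f"DC {dc_ip} unreachable on ports {missing}")
    return findings


# Constructed sample resolver data standing in for the Windows DNS server.
def fake_forward(name):
    table = {"esxi-01.itfromzero.vn": "192.168.1.21"}
    if name not in table:
        raise OSError("NXDOMAIN")
    return table[name]


def fake_reverse(ip):
    table = {"192.168.1.21": "esxi-01.itfromzero.vn"}
    if ip not in table:
        raise OSError("no PTR record")
    return table[ip]


if __name__ == "__main__":
    # Offline demonstration: DC clock 7 minutes ahead and SMB blocked, both must be reported.
    now = int(time.time())
    for finding in preflight("esxi-01.itfromzero.vn", "192.168.1.21", "192.168.1.10",
                             forward=fake_forward, reverse=fake_reverse,
                             probe=lambda host, port: port != 445,
                             local_time=now, dc_time=now + 420):
        print("FAIL:", finding)
```

For a live run replace the fakes with `system_forward`, `system_reverse`, `tcp_open`, `int(time.time())` and `sntp_time("192.168.1.10")`; a clean (empty) findings list is the signal that the DNS, time and firewall prerequisites are in place.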

Hands-on: Joining ESXi to the Domain

Method 1: Using the Web Interface (ESXi Host Client)

This is the most popular choice for those who prefer a visual interface.

  1. Access the ESXi Web UI with root privileges.
  2. In the Manage menu, select the Security & users tab and go to Authentication.
  3. Click Join domain.
  4. Enter the domain FQDN (e.g., itfromzero.vn) and the credentials for an account with Domain Join permissions.
  5. Wait about 30 seconds. If the status changes to “Leave domain”, you’ve succeeded halfway.

Method 2: Using the Command Line (CLI) for Pros

If you want to automate via scripts, use esxcli. Basic commands include:

# Set standard Hostname and FQDN
esxcli system hostname set --host=esxi-01 --fqdn=esxi-01.itfromzero.vn

# Add DNS Server
esxcli network ip dns server add --server=192.168.1.10

# Domain Join Command
esxcli system auth-domain join --domain=itfromzero.vn --user=administrator --password='Your_Password_Here'

Note: After running these, clear your command history or be careful with passwords displayed on the screen if others are nearby.
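As an added example (not part of the original article), the following script wraps the esxcli commands from Method 2 so the join can be repeated on every host without the password ever being typed on a command line: it is read with a hidden prompt, the commands are run as argument lists without a shell, and only a redacted form is logged, which removes the shell-history concern from the note above. ESXi ships a Python interpreter, so the script can run on the host itself. The host name, domain, DNS IP and group names are constructed placeholders. The final helper builds the group permission grant that the next section performs through the Web UI; the esxcli `system permission set` syntax there is written from memory and should be confirmed with `esxcli system permission set --help` on your build.

```python
"""Scripted ESXi domain join that keeps the password out of shell history (added example)."""
import getpass
import ipaddress
import re
import subprocess

# RFC-style short host name: letters, digits, hyphens, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def validate_join_inputs(hostname, domain, dns_ip):
    """Return a list of problems with the inputs (empty list == ready)."""
    problems = []
    if not HOSTNAME_RE.match(hostname):
        problems.append(f"invalid short hostname: {hostname!r}")
    if "." not in domain or domain != domain.lower():
        problems.append(f"domain must be a lowercase FQDN: {domain!r}")
    try:
        ipaddress.ip_address(dns_ip)
    except ValueError:
        problems.append(f"DNS server is not an IP address: {dns_ip!r}")
    return problems


def build_commands(hostname, domain, dns_ip, join_user, password):
    """Build the esxcli argv lists in the same order the article runs them."""
    fqdn = f"{hostname}.{domain}"
    return [
        ["esxcli", "system", "hostname", "set", f"--host={hostname}", f"--fqdn={fqdn}"],
        ["esxcli", "network", "ip", "dns", "server", "add", f"--server={dns_ip}"],
        ["esxcli", "system", "auth-domain", "join", f"--domain={domain}",
         f"--user={join_user}", f"--password={password}"],
    ]


def permission_command(netbios_domain, group, role="Admin"):
    """Grant an AD group a role on the host (assumed esxcli syntax; verify with --help)."""
    principal = f"{netbios_domain}\\{group}"
    return ["esxcli", "system", "permission", "set", f"--id={principal}", f"--role={role}", "--group"]


def redact(argv):
    """Render an argv list for logging with the password value masked."""
    return " ".join("--password=******" if a.startswith("--password=") else a for a in argv)


def run_join(hostname, domain, dns_ip, join_user, admin_group,
             runner=subprocess.run, prompt=getpass.getpass):
    """Validate, prompt for the password without echo, then run each command in turn."""
    problems = validate_join_inputs(hostname, domain, dns_ip)
    if problems:
        raise ValueError("; ".join(problems))
    password = prompt(f"Password for {join_user}@{domain}: ")  # never on this script's argv
    netbios = domain.split(".")[0].upper()  # constructed assumption: NetBIOS name == first label
    commands = build_commands(hostname, domain, dns_ip, join_user, password)
    commands.append(permission_command(netbios, admin_group))
    for argv in commands:
        print("+", redact(argv))
        # Argument list, no shell: nothing is written to shell history. The join step still
        # passes the password to esxcli in its argv, so it is briefly visible in the process list.
        runner(argv, check=True)
    return [redact(argv) for argv in commands]


if __name__ == "__main__":
    run_join("esxi-01", "itfromzero.vn", "192.168.1.10", "administrator", "ESXi_Full_Admins")
```

The `runner` and `prompt` parameters exist so the flow can be dry-run with a recording function before it is executed on a host, and `validate_join_inputs` stops a mistyped FQDN or DNS address before any state is changed.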

Permissions: The Final Step for Operations

Many wonder why they still can’t log in after joining the domain. It’s because you haven’t granted permissions to AD users on ESXi yet.

  1. In the Web UI, go to Actions -> Permissions.
  2. Select Add user.
  3. Enter the exact AD group name using the format: DOMAIN\Group_Name (e.g., ITFROMZERO\ESXi_Full_Admins).
  4. Select the Administrator role and remember to check Propagate to all children so this permission applies to all resources on the host.

Now, use an incognito browser to test. Log in with your personal AD account; if everything goes smoothly, congratulations—you’ve escaped the mess of local accounts.

Troubleshooting Common “Headache” Errors

From practical management experience, I’ve identified the 3 most common errors:

  • Firewall blocking ports: ESXi needs to communicate with the DC via ports 88 (Kerberos), 389 (LDAP), and 445 (SMB). If there’s a firewall in between, ensure these ports are open.
  • lwsmd service hanging: Likewise Service Manager (lwsmd) is the heart of the domain connection. If the connection is lost, SSH in and restart it using the command: /etc/init.d/lwsmd restart.
  • Clock Skew error: This is the time drift error mentioned earlier. Sometimes even a 6-minute difference can keep you struggling all afternoon.

Conclusion

Joining ESXi to Active Directory isn’t just a convenience; it’s a professional standard. It makes your system more transparent, secure, and incredibly easy when auditing is required. If your system has 3 or more hosts, don’t hesitate to implement this now to free up your own workload.
