You have everything hooked up to AD, right?
There’s no better way to compromise your entire lab than having one SSO password for just about everything. I’m not (entirely) serious of course, but that’s a discussion for another day. So here’s a quick rundown on adding ESXi 6.5 hosts to AD instead.
Create an AD Security Group
In Active Directory, open Active Directory Users and Computers
Select Users, then Create a new group in the current container. Give it a name that makes sense so that it isn’t accidentally deleted (ESXi looks for a group called ESX Admins unless told otherwise; any other name works as long as it is entered on each host later)
Select an administrator who should have access to ESXi via AD, right-click them and choose Add to a group. Enter the name of the group that was just created
Add Hosts to AD
Head to the new(ish) host client at https://HOST_IP/ui/
Navigate to Manage -> Security and Users -> Authentication, then select Join Domain
Enter the domain name plus the user name and password of an account allowed to join computers to that domain (a domain admin works, but a delegated join account is the better habit)
It shouldn’t take long
The final task is to tell ESXi about the security group that was created initially. Head to Manage -> System -> Advanced settings, then look for Config.HostAgent.plugins.hostsvc.esxAdminsGroup (its default value is ESX Admins). Select Edit option, then enter the name of the security group created earlier. Bear in mind that every member of that group gets the Administrator role on every host that points at it, so keep its membership as small as the lab allows
Propagation should take around a minute before you can log in with AD credentials.
Some things to check if joining fails
Enable SSH, then:
- Ping the AD DC IP – failure indicates a connectivity issue
- Ping the AD DC domain name – failure indicates a DNS issue
- nc -z DC_IP_ADDRESS 389 (ESXi ships nc rather than telnet) – failure indicates a firewall issue; Kerberos on port 88 must be reachable as well
- Check that the time is synchronised between ESXi and the domain controller: Kerberos rejects the join if the clocks differ by more than five minutes (the default tolerance)
- /etc/init.d/lwsmd start – if the output includes likewise service manager [failed to set memory reservation], free some physical memory then try again
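As an added example (not the original post’s own and not VMware’s code), the join and group steps above plus the checks in the list, written as a script for the ESXi shell over SSH. The domain dvtmh.local, the DC dc01.dvtmh.local at 10.0.0.10, the join account svc-esxjoin and the group name are assumptions for a lab; the FQDN and clock-skew checks are plain functions so they can be exercised without a DC. The domainjoin-cli path and the vim-cmd option name are the Likewise/hostd locations as understood by this example and are worth confirming on your build.

```shell
#!/bin/sh
# Added example, not from the original post: the join/group steps and the
# "things to check if joining fails" list as an ESXi shell script (busybox ash).
# All names below are assumptions; the join password is prompted for.

DOMAIN="${DOMAIN:-dvtmh.local}"              # assumed AD domain
DC="${DC:-dc01.dvtmh.local}"                 # assumed DC FQDN
DC_IP="${DC_IP:-10.0.0.10}"                  # assumed DC address
JOIN_USER="${JOIN_USER:-svc-esxjoin}"        # assumed account with join rights
ADMIN_GROUP="${ADMIN_GROUP:-ESX Admins}"     # the group created in step 1
DC_EPOCH="${DC_EPOCH:-}"                     # optional: output of date +%s on the DC
MAX_SKEW=300                                 # Kerberos default clock tolerance (s)

# fqdn_ok HOST DOMAIN: 0 when HOST carries DOMAIN as its suffix.
# Likewise refuses to join ("does not have a suitable FQDN") without one.
fqdn_ok() {
    host_lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    dom_lc=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$host_lc" in
        ?*."$dom_lc") return 0 ;;
        *)            return 1 ;;
    esac
}

# skew_ok HOST_EPOCH DC_EPOCH: 0 when the two clocks are within MAX_SKEW seconds.
skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - $d ))
    [ "$d" -le "$MAX_SKEW" ]
}

# The checks from the list above, in the same order, stopping at the first failure.
preflight() {
    fqdn=$(esxcli system hostname get | awk -F': *' '/Fully Qualified/ {print $2}')
    fqdn_ok "$fqdn" "$DOMAIN" \
        || { echo "FAIL fqdn '$fqdn' is not under $DOMAIN: set the domain name under DNS first"; return 1; }
    ping -c 1 "$DC_IP" >/dev/null 2>&1 \
        || { echo "FAIL ping $DC_IP: connectivity"; return 1; }
    ping -c 1 "$DC" >/dev/null 2>&1 \
        || { echo "FAIL ping $DC: DNS"; return 1; }
    for port in 88 389 445; do        # Kerberos, LDAP, SMB; ESXi has nc, not telnet
        nc -z -w 2 "$DC_IP" "$port" >/dev/null 2>&1 \
            || { echo "FAIL tcp/$port to $DC_IP: firewall"; return 1; }
    done
    if [ -n "$DC_EPOCH" ]; then
        skew_ok "$(date +%s)" "$DC_EPOCH" \
            || { echo "FAIL clock skew over ${MAX_SKEW}s; fix NTP before joining"; return 1; }
    else
        echo "host time $(date -u) - compare by hand with the DC (max ${MAX_SKEW}s apart)"
    fi
    /etc/init.d/lwsmd status >/dev/null 2>&1 || /etc/init.d/lwsmd start \
        || { echo "FAIL lwsmd will not start (see the memory reservation note above)"; return 1; }
    echo "preflight ok"
}

# Join, then point hostd at the admin group (the UI step under Advanced settings ->
# Config.HostAgent.plugins.hostsvc.esxAdminsGroup). Assumed Likewise/hostd paths.
join_domain() {
    /usr/lib/vmware/likewise/bin/domainjoin-cli join "$DOMAIN" "$JOIN_USER" || return 1
    vim-cmd hostsvc/advopt/update Config.HostAgent.plugins.hostsvc.esxAdminsGroup string "$ADMIN_GROUP" \
        || return 1
    vim-cmd hostsvc/advopt/view Config.HostAgent.plugins.hostsvc.esxAdminsGroup
}

case "${1:-}" in
    preflight) preflight ;;
    join)      preflight && join_domain ;;
    *)         ;;   # no argument: only define the functions (for sourcing or testing)
esac
```

Run it with `preflight` first and only with `join` once that prints preflight ok; the password is prompted for by domainjoin-cli rather than passed on the command line, so it does not end up in shell history.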
Doesn’t work, error:
The host failed to join the domain dvtmh.local: The host does not have a suitable FQDN.
Please help!
Sounds like a DNS problem but not one I’ve seen before. Are you using IPv4 or 6? Can you ping the domain name from the vCenter / each host?
Trying this with ESXi 6.0 but the task goes on forever, the task never completes and the vSphere client hangs. Once this state is reached the host is unresponsive and needs a reboot. Any suggestions as to why?
I’ve never seen anything like this. A small hang points towards a service being blocked but completely locking up a host sounds like something much more sinister.
Thanks, helpful!
Thanks for these tips. Especially the last part. It helped me resolve my problem. The DNS entries in my lab were old. Cheers
There are 2 ESXi hosts that I am working with, one is 6.7 and one is 6.5. Same settings on each regarding DNS, gateway and NTP; services are both set the same and correct. I can join both of them to the domain successfully and both are pointing at the ESX Admins security group, which is populated with 2 test users. I am able to sign in with one of the test accounts on the 6.7 host; the 6.5 host fails, stating incorrect username and password. Cannot find any logs indicating where the failure lies. I have unjoined, deleted the ESXi host from AD and rejoined, with the same results. Performed a reboot of the ESX host and performed the above steps and again no change. Looking for any possible items I may have overlooked.
Confirmed the following:
- SSH to host: can ping the DC by IP and hostname, as well as ping the domain
- NTP set and pointed at the same NTP server, and clocks are synced correctly
- LWSMD service is running
- ActiveDirectoryAll is enabled in the firewall rules: ports 123, 137, 139, 3268, 389, 445, 464, 7476, 88
- DNS primary and secondary set
- No failures logged on the server for failed attempts for the account being used
Hmmm, very strange. You say you can’t see failed login attempts but can you see successful logins from AD?
That is correct. I do see some periodic 1-second connections in the event viewer for the ESXi host, i.e. sign in and sign off within 1 second, but they do not correlate whatsoever to the timing or quantity of failed attempts on the VMware host.