Enabling Active Directory Integration
You've already seen how, by default, ESXi uses local users and groups to assign permissions to directories and files. The presence of these local users and groups is the key to the ESXi security model, as you'll see in the section "Managing ESXi Host Permissions." Although these local users and groups form the foundation of the ESXi security model, managing them locally on every ESXi host in the enterprise can create a great deal of administrative overhead and has some security challenges, as we've already described.
What if you were able to continue to accommodate the need for local access to an ESXi host
but in a way that avoided some of the security challenges of managing users and groups locally?
One answer to these security challenges is to use a centralized security authority. In vSphere
you can use Microsoft Active Directory, a widely deployed directory service, as the centralized
security authority for ESXi hosts. As you'll see in the section “Authenticating Users with Single
Sign-On,” the Windows-based version of vCenter Server can already leverage Active Directory,
so allowing your ESXi hosts to leverage the same security authority makes sense.
Before you can join your ESXi hosts into Active Directory, you need to satisfy four
prerequisites:
- You must ensure that the time on your ESXi hosts is synchronized with the time on the Active Directory domain controllers. ESXi supports NTP, and in Chapter 2, "Planning and Installing VMware ESXi," we showed you how to configure NTP on your ESXi hosts.
- You must ensure that your ESXi hosts can resolve the Active Directory domain name and locate the domain controllers via DNS. Typically, this means configuring the ESXi hosts to use the same DNS servers as the Active Directory domain controllers, and just like NTP, this is covered in Chapter 2.
- The fully qualified domain name (FQDN) of the ESXi host must use the same domain suffix as the Active Directory domain.
- You must create an ESX Admins group in Active Directory. Put the user accounts that should be permitted to connect to an ESXi host in this group. You can't use any other group name; it must be named ESX Admins.
Once you've satisfied these prerequisites, you can configure your ESXi host to authenticate to Active Directory.
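The four prerequisites above are easy to get subtly wrong (for instance, a host whose FQDN merely ends with the domain name but sits in a different DNS zone). The following pre-join audit is an added example, not code from the book or from VMware; the host and domain records are constructed inputs, and the 300-second skew limit is the Kerberos default clock-skew tolerance, assumed here to be unchanged in the domain.

```python
"""Pre-join audit for the four ESXi/Active Directory prerequisites.
Added example, not from the book; host and domain values are constructed."""
from dataclasses import dataclass

KERBEROS_MAX_SKEW_SECONDS = 300  # Kerberos default; assumption: the domain keeps it

@dataclass
class EsxiHost:
    fqdn: str
    dns_servers: list
    ntp_servers: list
    clock_offset_seconds: float  # measured offset from the domain controllers

@dataclass
class AdDomain:
    name: str
    dc_dns_servers: list
    group_names: list  # security groups that exist in the domain

def fqdn_in_domain(fqdn: str, domain: str) -> bool:
    """True only if the host's DNS suffix equals the AD domain on a label boundary.
    'esxi01.corp.example.com' is NOT in 'example.com' although the string ends with it."""
    labels = fqdn.lower().rstrip(".").split(".")
    return labels[1:] == domain.lower().rstrip(".").split(".")

def check_ad_prerequisites(host: EsxiHost, domain: AdDomain) -> list:
    """Return the unmet prerequisites (an empty list means the host is ready to join)."""
    failures = []
    # 1. Time synchronized with the domain controllers (Kerberos rejects large skew).
    if not host.ntp_servers or abs(host.clock_offset_seconds) > KERBEROS_MAX_SKEW_SECONDS:
        failures.append("time: NTP not configured or clock skew exceeds Kerberos tolerance")
    # 2. DNS: the host must use servers that can resolve the domain and locate the DCs.
    if not set(host.dns_servers) & set(domain.dc_dns_servers):
        failures.append("dns: host does not use the Active Directory DNS servers")
    # 3. The host FQDN suffix must match the AD domain exactly.
    if not fqdn_in_domain(host.fqdn, domain.name):
        failures.append("fqdn: host domain suffix does not match the AD domain")
    # 4. The ESX Admins group must exist, with exactly that name.
    if "ESX Admins" not in domain.group_names:
        failures.append("group: no group named 'ESX Admins' in the domain")
    return failures

# Constructed sample data: one host ready to join, one with three problems.
DOMAIN = AdDomain("corp.example.com", ["10.0.0.10", "10.0.0.11"], ["Domain Admins", "ESX Admins"])
GOOD_HOST = EsxiHost("esxi01.corp.example.com", ["10.0.0.10"], ["10.0.0.10"], 1.5)
BAD_HOST = EsxiHost("esxi02.example.com", ["8.8.8.8"], [], 0.0)

if __name__ == "__main__":
    for h in (GOOD_HOST, BAD_HOST):
        print(h.fqdn, check_ad_prerequisites(h, DOMAIN) or "ready to join")
```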
Perform these steps to configure your ESXi host to use Active Directory as its centralized security authority:
1. Log into the ESXi host with the vSphere Client, authenticating with the root account (or an equivalent account).
2. Select the ESXi host from the inventory and click the Configuration tab.
3. From the Software section, select Authentication Services.
4. Click Properties in the upper-right corner.