Hi,
In VCSA I can add an Active Directory Identity Source, which would allow me to set permissions for specific Active Directory users in the vSphere environment.
Therefore what are the reasons why one would join the VCSA to the Active Directory Domain? And what about the hosts managed by the VCSA?
Undoubtedly, this would bring in disadvantages... such as, what happens if Active Directory is down? Will everything fall back to local authentication?
Thanks
That's right. If you have not joined the VCSA to the domain, then you will select AD over LDAP as an identity source and provide an account with read permissions on Active Directory.
If you have joined the VCSA to the domain, then you can use AD integrated authentication, wherein you do not need to provide a service account. The VCSA machine account will be used to query AD.
Hi,
I believe that if your Active Directory is inactive, you have more problems than thinking that you cannot access VCSA with an AD user.
ARomeo
You add vCenter to AD to use the integration for users and be able to assign permissions in your VMware environment to those users. That's the main reason (regular users or service users, maybe).
If the AD server is not accessible, you are always able to log in with the @vsphere.local domain. In vCenter you can have multiple domains, and the default domain is always there even if you integrate with AD.
For ESXi it is useful too, but if you don't have any security regulation or compliance to follow, keep the root account for ESXi (also avoid having users perform tasks directly on ESXi when you have a vCenter Server). But even if you add the ESXi host to AD, it is the same: the local account will still be there.
Hope that helps
Cheers
N
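As an added example (not part of the thread or of any VMware-supplied script), the points above can be exercised from PowerCLI: log in with the SSO default domain account, which works whether or not AD is reachable, grant an AD group a role on the root folder through the identity source, and then test an AD login separately so a failing identity source or unreachable domain controller shows up as a warning instead of a lockout. The vCenter hostname, the AD domain, the group and user names are placeholders; the module must be installed and the AD identity source must already exist.

```powershell
# Added example, not from the original thread. Placeholders: vcsa.example.local, CORP\...
Import-Module VMware.PowerCLI -ErrorAction Stop

$vcServer = 'vcsa.example.local'           # assumed vCenter FQDN
$adGroup  = 'CORP\vSphere-Operators'       # assumed AD group exposed via the identity source
$adUser   = 'CORP\jdoe'                    # assumed AD user, member of that group

# 1) Break-glass path: the SSO default domain (vsphere.local) does not depend on AD.
$ssoCred = Get-Credential -UserName 'administrator@vsphere.local' -Message 'SSO default domain account'
$vc = Connect-VIServer -Server $vcServer -Credential $ssoCred -ErrorAction Stop

# 2) Assign a vCenter role to the AD group at the root folder, propagating down.
#    Principal format 'DOMAIN\name' is what the AD over LDAP / IWA identity source resolves.
$root = Get-Folder -Server $vc -NoRecursion      # root folder of the inventory
$role = Get-VIRole -Server $vc -Name 'ReadOnly'   # least-privilege starting role
$existing = Get-VIPermission -Server $vc -Entity $root -Principal $adGroup -ErrorAction SilentlyContinue
if (-not $existing) {
    New-VIPermission -Server $vc -Entity $root -Principal $adGroup -Role $role -Propagate:$true | Out-Null
    Write-Host "Granted $($role.Name) on '$($root.Name)' to $adGroup"
} else {
    Write-Host "$adGroup already has $($existing.Role) on '$($root.Name)'"
}

# 3) Prove the identity source works end to end with a separate, non-default session.
#    If AD or the LDAP bind account is broken this fails, but the vsphere.local session stays usable.
try {
    $adCred = Get-Credential -UserName $adUser -Message 'AD user via identity source'
    $adSession = Connect-VIServer -Server $vcServer -Credential $adCred -NotDefault -ErrorAction Stop
    Write-Host "AD login OK as $($adSession.User)"
    Disconnect-VIServer -Server $adSession -Confirm:$false
} catch {
    Write-Warning "AD login failed: $($_.Exception.Message). Check the identity source / domain controllers; vsphere.local still works."
}

Disconnect-VIServer -Server $vc -Confirm:$false
```

Run it with a vsphere.local account that holds the Administrator role, since creating permissions requires it; the AD test login only needs the permission granted in step 2. Keeping the vsphere.local administrator password in a break-glass vault, separate from AD, is what makes step 1 a real fallback.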
By adding an Active Directory Identity Source (rather than joining AD), you are also able to assign permissions in your VMware environment to those users, right?