VMware Cloud Community
algaspar
Contributor

Active Directory and vSphere 4.1u1

I'm new to VMware, and I am just beginning to set up our environment.  Experimentally, I brought up an ESXi host and added it to one of our domains.  It is working fine, and I have successfully installed a VM on it.  So far so good.

We are eventually going to be installing vCenter and bringing up a total of six ESXi hosts, but for now, I wanted to set up AD authentication for administering the host using my vSphere client.  I can go to the Permissions tab for my ESXi host, pick Add Permission, pick Add, and I can see the list of our domains (we have quite a few).  The odd thing is that in one domain I can find users and groups; however, in the domain where the ESXi host is located (and where the users and groups are that I want to use), the search finds nothing at all.  I can go into AD in both domains, and I can see the groups and users just fine, but a search in vSphere only finds groups and users in the one domain.  Does anyone have an idea what my problem could be?

Thanks--

Al Gaspar

7 Replies
EXO3AW
Enthusiast

Hi Algaspar and welcome 🙂

Although I never experienced such an issue, it might be worthwhile to check the following:

- Is the OS hosting the vCenter Server properly joined to the domain ?

- Are all DNS settings correct ?

- Do you have the correct AD rights to browse all domains ?

- Does the following workaround pull off:

  "Put <Domain\User> into a NEW LOCAL group <SYSTEM\vCenterAdmins>"

  "Give <SYSTEM\vCenterAdmins> the necessary vCenter rights" ?

Furthermore you might check if the problem is the same the other way round, which means some reconfiguration of the system and the vCenter service.

Please report back with your outcomes.

algaspar
Contributor

I thought I added a comment to my original message, but it seems to be gone.  In any case, here it is again...

When I manage the Windows VM that I created on my ESXi host with my vSphere client, I can go to the permission tab, and search on either of the domains and get results.  It is only when I try to manage the ESXi host permissions that I can only see results in one domain, and that domain isn't even the one to which I joined the host.  Please note that I am NOT using vCenter at this time.  I will be, but for now I am just working in vSphere.

  • The server appeared to join the domain properly (at least, when I look at the Directory Services Configuration, it indicates that the Directory Service Type is Active Directory, the domain is set to the one that I asked to join, and there is a "Leave Domain" button).
  • DNS and routing appear to be correct.
  • I can browse all of the domains in the AD client, and AD accepted my login and password to add the ESXi host to the domain.

I'm not sure that I understand the workaround that you suggest.  I can create a local group, but I don't see how to add <domain\User> to that group.  It only seems to allow me to add local users to local groups.

Thanks for the suggestions!

EXO3AW
Enthusiast

Hi Algaspar,

I didn't realize that you're not using vCenter at this time; the workaround described what you might try if it had been a vCenter issue.

To be honest, I have never joined an ESXi host directly to a domain, since I almost always have a vCenter installed and there have never been such strict security requirements that leaving the default was unacceptable.

If there aren't any compelling reasons to integrate the ESXi hosts directly into your AD (which shouldn't be run purely as VMs then), I'd advise you to leave the default authentication as it is and configure everything through the vCenter. This might save you lots of trouble.

Anyhow, I found the following info about this; maybe it's worth a look:

http://technodrone.blogspot.com/2010/07/esxi-41-active-directory-integration.html

http://www.virtualizetips.com/2010/07/configure-vmware-esxi-4-1-for-active-directory-integration/

maybe this one:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=102653...

It might also be possible that the two domains are somehow different (supported auth modes, domain levels and so on)...

algaspar
Contributor

Well, I've reviewed the articles, and I've tried leaving and rejoining the domain.  While everything indicates that I am properly joined to the domain, I still can't see anything in that domain.  Earlier the permissions tab for my two VMs worked with both domains I was testing, while it didn't work with the host.  Now it doesn't work with the VMs or the host...  I guess I need to wait until we get our vCenter license and see if that solves the problem...

I have noticed one thing.  The domain to which I cannot get the search to work is in this format:  www.xxx.yyy.zzz.  That domain, the xxx domain, and the yyy domain are shown in the drop down, but a search returns nothing.  There are several other domains in the drop down.  They are all in the format xxx.yyy.zzz.  They are all shown as xxx, and a search on any of them returns results.  Could I have a problem with how that one domain is 'constructed' in AD?

Thanks--

Al

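One concrete check behind the "Are all DNS settings correct?" item and the four-label domain question above: an AD client (ESXi included) finds a domain's controllers through the `_ldap._tcp.dc._msdcs.<domain>` SRV records, so a domain whose records the host's DNS servers do not return cannot be searched, whatever the join status shows. The stdlib-only script below is an added example, not code from any post in this thread; `locate_dcs` sends the query to a DNS server you name, and every domain and server value in it is a placeholder.

```python
import socket
import struct

SRV, IN = 33, 1  # DNS RR type SRV, class IN
def dc_locator_name(domain):
    """SRV name AD clients query to find the domain controllers of `domain`."""
    return "_ldap._tcp.dc._msdcs." + domain.strip(".").lower()
def encode_name(name):  # wire format: length-prefixed labels, zero terminator
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
def build_srv_query(name, txid=0x1234):  # one question, recursion desired
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", SRV, IN)
def read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, next offset)."""
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer into an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
def parse_srv_response(msg):
    """Return (rcode, [(priority, weight, port, target), ...]) from a reply."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    records = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            records.append((prio, weight, port, read_name(msg, off + 6)[0]))
        off += rdlen
    return flags & 0xF, records  # rcode 0 = NOERROR, 3 = NXDOMAIN
def locate_dcs(domain, dns_server, timeout=3.0):
    """Ask `dns_server` (UDP/53) for the DC-locator SRV records of `domain`."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:  # placeholders: domain, dns_server
        s.settimeout(timeout)
        s.sendto(build_srv_query(dc_locator_name(domain)), (dns_server, 53))
        return parse_srv_response(s.recv(4096))
```

Run `locate_dcs` once per domain shown in the drop-down against the DNS servers configured on the host; an empty record list or rcode 3 for one domain, with records for the others, points at DNS rather than at the join.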
EXO3AW
Enthusiast

Hi Algaspar and thanks for the update.

Certainly it might be possible that there is a problem with how your domains are set up, but I don't think this one can be resolved remotely.

You could simply download the vCenter software as a full-function trial and check the issue again.

If you get your key afterwards, just paste it in and you're good to go.

algaspar
Contributor

OK.  I can try that.  Do you have a link for the trial download for vCenter?

Thanks--

Al

EXO3AW
Enthusiast

You should find everything there: http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0

It might be possible that you'll have to request trial access, since no key has been linked to your VMware account yet, but I'm not sure, since I do not have a "virgin" VMware account here.

Good luck and have a nice weekend.
