Connecting VCSA to AD

If you want to do any sort of user authentication, then connecting your vCenter to a domain controller is the best way. No one wants to manage another user set by having vSphere.local logins. Here is how I have it configured in my lab.

  1. Log into vSphere. Should be an obvious one here ūüôā
  2. Wait, before we begin, lets log into the VCSA (and also PSC if external) and take a backup. I have had this go wrong and completely trash my PSC.
    1. Log into VCSA: https://<vcsa FQDN or IP>:5480   as root
    2. On the left side, you will find “Backup”, then as an activity, “Backup Now”.
    3. Now here is where things get stupid. It will ONLY backup to “FTPS, HTTPS, SCP, FTP and HTTP” and you cannot just download it from there. It HAS to be sent to a server. For this, I am just using OpenFiler as I also use it for iSCSI and NFS shares for my lab.
    4. You should then be able to watch the activity bar status progress until its Complete. Lets hope that we don’t have to use it!
  3. OK, now lets go back into vSphere, as administrator@vsphere.local (or whatever you set your local domain to). Hover over the home icon, then go to Administration > Single Sing-On > Configuration.
  4. No under the Identity Sources tab, click the green + symbol, I am using windows AD, so I will leave that option selected and hit next.
  5. Now, if your vCenter is not joined to AD, it will give you a warning message. Click the link for it to take you to “Active Directory Management”.
    1. Now click on “Join”, and fill out the particulars. Make sure your User name has permissions to add computes to your domain. I just use a Domain Admin account. Also make sure there is an OU created to land the computer object into. In my case, I created a “vmware” OU for my “vmware_svc” service account, as well as computer objects.
        
    2. If you give it some time, the VCSA / PSC should should up in AD. After that, you will need to reboot the node. It will take a while for the reboot to kick in so be patient! It takes my slightly under-powered NUC about 6 minutes to reboot and be functional again. You will need to log back in as admin, and go to Home > System Configuration (under the Administration section) > your VCSA name (left side). From there the Manage tab > Settings > Active Directory, and it should show you the domain that its its tied to.
    3. OK, Now back to  what we were doing before!
  6.  If needed, navigate back to: Home > Administration > Single Sign-On > Configuration, then Identity Sources, and the green + symbol, Next.
  7. The domain name should be pre-populated
  8. Next. and done!!
  9. You will still need to apply permission as per whatever your needs are, but thats particular to your environment. Personally, I add Domain Admins to the global permissions while I am on that Administration page.
    1. On the left side, look to the top for¬† “Access Control” > Global Permissions. Then the Manage tab, and hit the¬†green¬†+¬†symbol. make sure Administrators is selected on the right side then on the left under Users and Groups, hit Add, then change the domain to your domain, and in the seach field on the right, type in what your looking for, select it and hit Add. OK, OK. Hopefully my illustration is clear as mud.
    2. This should give everyone in the Domain Admins group administrator to everything in your environment.

Leave a Reply

Your email address will not be published. Required fields are marked *