Using vicfg-authconfig for Active Directory Configuration

vSphere 5.0 is tightly integrated with Active Directory. Active Directory provides authentication for all local services and for remote access through the vSphere Web Services SDK, vSphere Web Client, PowerCLI, and vSphere CLI. You can configure Active Directory settings with the vSphere Web Client, as discussed in the vCenter Server and Host Management documentation, or use vicfg-autconfig.

vicfg-authconfig allows you to remotely configure Active Directory settings on ESXi hosts. You can list supported and active authentication mechanisms, list the current domain, and join or part from an Active Directory domain. Before you run the command on an ESXi host, you must prepare the host.

Important All hosts that join Active Directory must also be managed by an NTP Server to avoid issues with clock skews and Kerberos tickets.

To prepare ESXi hosts for Active Directory Integration

1	Make sure the ESXi system and the Active Directory server are using the same time zone by configuring ESXi and AD to use same NTP server.

The ESXi system’s time zone is always set to UTC.

2	Configure the ESXi system’s DNS to be in the Active Directory domain.

You can run vicfg-authconfig to add the host to the domain. A user who runs vicfg-authconfig to configure Active Directory settings must have the appropriate Active Directory permissions, and must have administrative privileges on the ESXi host. You can run the command directly against the host or against a vCenter Server system, specifying the host with --vihost.

To set up Active Directory

1	Install the ESXi host, as explained in the vSphere Installation and Setup documentation.

2	Install Windows Active Directory on a Windows Server that runs Windows 2000, Windows 2003, or Windows 2008. See the Microsoft Web site for instructions and best practices.

3	Synchronize time between the ESXi system and Windows Active Directory (AD).

4	Test that the Windows AD Server can ping the ESXi host by using the host name.

ping <ESX_hostname>

5	Run vicfg-authcofig to add the host to the Active Directory domain.

vicfg-authconfig --server=<ESXi Server IP Address>

--username=<ESXi Server Admin Username>

--password=<ESXi Server Admin User's Password>

--authscheme AD --joindomain <AD Domain Name>

--adusername=<Active Directory Administrator User Name>

--adpassword=<Active Directory Administrator User's Password>

The system prompts for user names and passwords if you do not specify them on the command line. Passwords are not echoed to the screen.

6	Check that a Successfully Joined <Domain Name> message appears.

7	Verify the ESXi host is in the intended Windows AD domain.

vicfg-authconfig --server XXX.XXX.XXX.XXX --authscheme AD -c

You are prompted for a user name and password for the ESXi system.