Another security best practice is to always join the ESXi server to a domain, preferably an Active Directory domain. One advantage is domain-wide authentication: with a domain-joined ESXi host I do not have to use or share the root account or any local username to log in. Creating and maintaining local usernames on ESXi is a tedious job; instead, users log in with their own elevated domain accounts, and auditors can review the logs for activities performed directly on the ESXi host. Before starting, make sure you have configured the AD DNS server IP correctly; check my previous article on how to configure DNS on an ESXi server. To check whether DNS is functioning properly, or for further troubleshooting on the ESXi server, SSH in with PuTTY and ping or netcat the domain name and the domain ports. In my case, when I ping the domain name it resolves to an IP address.
Further, use telnet to check that the AD ports below are reachable from the ESXi host.
Port 88 - Kerberos authentication
Port 123 - NTP
Port 135 - RPC
Port 137 - NetBIOS Name Service
Port 139 - NetBIOS Session Service (SMB)
Port 389 - LDAP
Port 445 - Microsoft-DS Active Directory, Windows shares (SMB over TCP)
Port 464 - Kerberos password change
Port 3268 - Global Catalog search
Next, in the vSphere web client, select the ESXi server and click the Configure tab on the right. In the left pane, under Services, select Authentication Services. On this summary page my Directory Services Type is Local Authentication; to change it, click the Join Domain button. In the popup box, type the domain name and use the credentials of an account that has rights to join computers to the domain.
Once the join succeeds, the Directory Services Type changes to Active Directory and the domain name is shown.
Check the Advanced System Settings and search for "esx admins" or Config.HostAgent.plugins.hostsvc.esxAdminsGroup. Its value is ESX Admins: this is the Active Directory group whose members are automatically granted administrator privileges on the ESXi host. I can change this group name here if I want.
I will go ahead quickly in the Active Directory Users and Computers MMC (dsa.msc) and create a group named ESX Admins, then add a few user members to it. Also notice that a computer account with the ESXi host's name was created under the Computers container (this location might be different in your environment).
Use the embedded ESXi host client at https://esxifqdn_or_Ip/ui and log in with your AD user account. There is no need to share the root password with users now, and activities and events are logged with the user name.
Next, for demonstration, I have logged on to the ESXi host with PuTTY using a domain account; the prompt shows the domain and username. I ran a few commands, and they are logged and captured in the /var/log/shell.log file. Using tail or cat to view the file's contents, you can see the activities captured for both the root account and the domain user account.
In this PowerCLI session I am performing the same steps used above (before proceeding I reverted the settings and removed the ESXi host from the domain).
First I read the AD group name from the ESXi advanced settings, which needs to be created in the domain. The value is ESX Admins; I can create it in the AD domain and add users as members (the same can be done with the New-ADGroup command).
Get-AdvancedSetting -Entity Esxi001.vcloud-lab.com -Name Config.HostAgent.Plugins.hostsvc.esxAdminsGroup
The command below returns the authentication status; Domain and DomainMembershipStatus are blank, which means this server is still not part of a domain.
Get-VMHostAuthentication -VMHost esxi001.vcloud-lab.com
Running the command below joins the ESXi host to the domain. It prompts for a username and password, then shows the domain name and a current membership status of Ok.
Get-VMHostAuthentication -VMHost esxi001.vcloud-lab.com | Set-VMHostAuthentication -Domain vcloud-lab.com -Credential (Get-Credential) -JoinDomain -Confirm:$false
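As an added example (not the post's own script), the procedure above as one PowerCLI script: it runs the pre-flight checks described earlier (DNS resolution of the domain and reachability of the AD ports), confirms the ESX Admins group from the advanced setting exists and lists who is in it, and joins the host only if it is not already a domain member. It assumes an existing Connect-VIServer session, the RSAT ActiveDirectory module for Get-ADGroup, and Windows PowerShell for Test-NetConnection; the host and domain names are the page's lab values.

```powershell
# Added example, not from the original post. Assumes Connect-VIServer has
# already been run and the RSAT ActiveDirectory module is installed.
$HostName = 'esxi001.vcloud-lab.com'
$Domain   = 'vcloud-lab.com'
$DcPorts  = 88, 123, 135, 137, 139, 389, 445, 464, 3268   # ports from the list above

# 1. DNS must resolve the domain name to a domain controller before the join.
$dc = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop | Select-Object -First 1
Write-Host "Domain $Domain resolves to $($dc.IPAddress)"

# 2. Port reachability from this workstation (the page checks the same ports
#    from the ESXi shell). NTP (123) and NetBIOS Name Service (137) are UDP
#    services, so a TCP probe cannot verify them; they are reported, not failed.
foreach ($port in $DcPorts) {
    $ok = (Test-NetConnection -ComputerName $dc.IPAddress -Port $port `
               -WarningAction SilentlyContinue).TcpTestSucceeded
    if ($ok)                   { Write-Host "  TCP $port reachable" }
    elseif ($port -in 123,137) { Write-Host "  TCP $port not applicable (UDP service)" }
    else { Write-Warning "  TCP $port NOT reachable - check the path to the DC" }
}

# 3. Read the group ESXi grants administrator rights to and make sure it exists.
#    Every member of this group becomes an ESXi administrator, so its
#    membership deserves the same review as any other privileged group.
$vmhost = Get-VMHost -Name $HostName
$group  = (Get-AdvancedSetting -Entity $vmhost `
               -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup').Value
$adGrp  = Get-ADGroup -Filter "Name -eq '$group'"
if (-not $adGrp) { throw "AD group '$group' does not exist; create it before joining" }
Get-ADGroupMember -Identity $adGrp | Select-Object SamAccountName, objectClass

# 4. Join only when the host is not already a member (status blank or not Ok).
$auth = Get-VMHostAuthentication -VMHost $vmhost
if ($auth.DomainMembershipStatus -ne 'Ok') {
    $cred = Get-Credential -Message 'Account allowed to join computers to the domain'
    $auth | Set-VMHostAuthentication -Domain $Domain -Credential $cred `
                -JoinDomain -Confirm:$false | Out-Null
    $auth = Get-VMHostAuthentication -VMHost $vmhost
}

# 5. Report the result; Status should now read Ok.
[pscustomobject]@{
    Host       = $vmhost.Name
    Domain     = $auth.Domain
    Status     = $auth.DomainMembershipStatus
    AdminGroup = $group
}
```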
This post first appeared on Tales From Real IT System Administrators World And Non-production Environment; please read the original post there.