
How to join VMware vCenter server appliance (VCSA) 6.5 to the Microsoft Active Directory (AD) Domain

  • August 1, 2017
IT and Virtualization Consultant. Vladan is the founder, and executive editor of the ESX Virtualization Blog at vladan.fr. He is a VMware VCAP-DCA and VCAP-DCD, and has been a vExpert from 2009 to 2023.

VMware Photon OS is the operating system of vCenter Server Appliance 6.5. It replaces SUSE Linux Enterprise Server (SLES) because VMware wants to own the operating system (OS) and control its development cycle and patch releases, something that isn't possible with Windows or SLES.

That's why VMware moved to Photon Linux and continues to develop Photon OS, which is optimized for VMware platforms.

After the first deployment, the system creates a default Platform Services Controller (PSC) domain, vsphere.local, which is usually managed with the administrator@vsphere.local account.

The key point is that you join the Platform Services Controller (PSC) to AD, not the vCenter Server itself. If you're running an embedded PSC, joining the machine (Windows or VCSA) to the domain also joins vCenter Server, since both run on it. If you're running an external PSC, only the PSC is joined; the machine vCenter Server runs on does not need to be.

What are the advantages of joining VCSA to Microsoft AD?

If you manage a larger enterprise environment, you will probably want to reuse the security groups that already exist in Microsoft AD to grant rights and permissions to manage VMware vCenter.

That's exactly why you would want to join VCSA to AD: it allows central management for existing domain users, so you don't have to manually create users just to manage the vSphere environment.

What are the requirements for joining the Microsoft Active Directory (AD) domain?

  • First, you'll need to use the vCSA administrator@vsphere.local account, and the vCSA server instance has to be a member of the SystemConfiguration.Administrators group within vCenter Single Sign-On (SSO).
  • Be sure that the system name of the appliance is in Fully Qualified Domain Name (FQDN) format. You can't use an IP address as the system name during the deployment; if you did, you won't be able to join the VCSA to Microsoft AD.

The steps

Log in to the VCSA via the vSphere Web Client. By default, the URL is https://IP_of_VCSA/vsphere-client/

Administration > Deployment > System Configuration

Joining VCSA to Microsoft AD

Then open Nodes and select the vCenter node (or the external Platform Services Controller, PSC).

Joining VCSA to Microsoft AD - click System

As on the screen below

Joining VCSA to Microsoft AD - join

Go to Manage > Settings > Advanced > Active Directory and click the Join button.

Join VMware VCSA 6.5 in Microsoft AD - click the join.

Then right-click the node you edited and select Reboot to restart the appliance so that the change is applied. (This is a required step.)

Verify Domain Status

You can verify the domain status by checking the Computers container on your domain controller in the Active Directory Users and Computers management console.

Verify domain status from the domain controller

Verify the domain status

From the command line

You can also use the command line (via PuTTY) to check the status.

Check Domain Join via CLI
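The following script is an added example for this verification step; it is not code from the original article or from VMware. It checks the AD join state of a VCSA/PSC node from its shell by parsing the "Key = Value" lines printed by the Likewise tool /opt/likewise/bin/domainjoin-cli query. The sample output embedded in the script is constructed for offline testing, and the exact field names (Name, Domain, Distinguished Name) are an assumption about that tool's output format; confirm them against your own appliance.

```shell
#!/bin/sh
# Added example (not from the original article): verify the AD join state of a
# VCSA / PSC node. The field names below are an assumption about what
# /opt/likewise/bin/domainjoin-cli query prints; the samples are constructed.

# Constructed sample: what a joined node is assumed to print.
SAMPLE_JOINED='Name = vcsa01
Domain = LAB.EXAMPLE
Distinguished Name = CN=VCSA01,CN=Computers,DC=lab,DC=example'

# Constructed sample: a node that was never joined prints only its name.
SAMPLE_NOT_JOINED='Name = vcsa02'

# domain_of OUTPUT: print the joined domain as the tool prints it,
# or nothing when no "Domain =" line is present.
domain_of() {
    printf '%s\n' "$1" | sed -n 's/^Domain = *//p'
}

# computer_dn OUTPUT: print the computer object's distinguished name, if any.
computer_dn() {
    printf '%s\n' "$1" | sed -n 's/^Distinguished Name = *//p'
}

# join_state OUTPUT EXPECTED_DOMAIN: return 0 when the node is joined to
# EXPECTED_DOMAIN (case-insensitive), 1 when not joined, 2 when joined to
# a different domain. Prints a one-line verdict either way.
join_state() {
    out="$1"
    want=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    got=$(domain_of "$out" | tr '[:lower:]' '[:upper:]')
    if [ -z "$got" ]; then
        echo "NOT JOINED: no Domain line in domainjoin-cli output"
        return 1
    elif [ "$got" != "$want" ]; then
        echo "WRONG DOMAIN: joined to $got, expected $want"
        return 2
    fi
    echo "JOINED: $got ($(computer_dn "$out"))"
    return 0
}

# live_check EXPECTED_DOMAIN: run the real tool when it exists on this node,
# otherwise report that this is not a VCSA/PSC shell and return 3.
live_check() {
    tool=/opt/likewise/bin/domainjoin-cli
    if [ ! -x "$tool" ]; then
        echo "SKIP: $tool not found (not a VCSA/PSC node?)"
        return 3
    fi
    join_state "$("$tool" query)" "$1"
}
```

Run it on the appliance as `live_check lab.example` (substituting your own domain); the non-zero return codes make it usable from a post-reboot health check, and the "WRONG DOMAIN" case catches a node that was joined to a test or stale domain rather than the one the SSO identity source expects.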

Wrap Up:

Adding a Platform Services Controller (PSC), whether embedded in the VCSA or external, to Microsoft AD allows central management for the existing users and groups in Microsoft AD. You'll continue to manage only a single directory.

While the process is pretty straightforward, it's important to mention that only the Platform Services Controller has to be joined to Microsoft AD, not the vCenter Server itself (if those two components are NOT running on the same VM).

You can then attach users and groups from this Active Directory domain to your vCenter Single Sign-On domain. You will still need to configure permissions for those users and groups before they can access the vCenter Server.
