
Wednesday, June 29, 2011

ESXi Active Directory Integration

Worked with a customer today to set up Active Directory authentication providers for ESXi access. Every time he tried to log in to the server using his AD credentials he received an error stating that his username or password was invalid. At first I just thought he couldn't type, but after the third and fifth try I figured there had to be something wrong.

I popped into the Authentication Providers and everything looked good. The server was configured to use Active Directory and I confirmed in ADUC that the computer account had been created.

[Figure: ESX Authentication Services]
I then popped into the DNS and Routing section to ensure the domain and DNS were set up properly. It looked something like this:
[Figure: ESX DNS and Routing - No Domain]
You will notice in the figure above that the Domain setting is empty. The admin guide states that this needs to be configured in order for the host to join the domain (http://pubs.vmware.com/vsphere-esxi-4-1-installable/server_config/t_configure_directory_service.html ). A quick jump into the properties to update the domain field (you will need to remove the server from the domain before changing this) and it was populated.
[Figure: ESX DNS and Routing - With a Domain]
Sorry about the graphic (had to remove the names to protect the innocent?), but if you look closely you will see there are now a few letters in the Domain field. 

Ok, so we fixed the settings to make them compliant with the admin guide, then we opened the vSphere Client, punched in the host name, clicked the box (should have done this the first time) to pass the session credentials to the host and......

Unknown username or bad password!

What gives? The host is configured correctly and has successfully joined the domain. I took a look at how he was logged in and noticed that the Windows 2000 (NetBIOS) domain name was different from the FQDN of the domain (i.e. he logged in as domain\username while the FQDN was domain.somewhere.com). On a whim I said, try this: domain.somewhere.com\username, and bada-bing, we were in. So, it seems Linux is Linux and doesn't know about the NetBIOS name, go figure, and the FQDN that is used in the host's DNS and Routing settings needs to be used to successfully pass the credentials through. The nice little check box for passing session credentials is out, but at least you can log in with your AD account. Of course you will really hate your really.long.domain.that.normally.is.just.one.word. Have fun!
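The two checks above (the Domain field in DNS and Routing holds the AD FQDN, and the host's domain membership is healthy) can be scripted with VMware PowerCLI. This is an added example, not part of the original post; it assumes Connect-VIServer has already been run, and the host name, domain and join account are placeholders supplied by the caller.

```powershell
# Added example: verify (and optionally repair) the ESXi AD settings described in the post.
# Assumes an existing PowerCLI session (Connect-VIServer) and PowerCLI 4.1 or later.
function Test-EsxAdLogin {
    param(
        [Parameter(Mandatory)] [string] $VMHostName,
        [Parameter(Mandatory)] [string] $AdFqdn,       # e.g. domain.somewhere.com (placeholder)
        [PSCredential] $JoinCredential,                # AD account allowed to join hosts; only used with -Repair
        [switch] $Repair
    )
    $vmhost = Get-VMHost -Name $VMHostName
    $net    = Get-VMHostNetwork -VMHost $vmhost
    $auth   = Get-VMHostAuthentication -VMHost $vmhost

    # 1. DNS and Routing "Domain" must be the AD FQDN (admin guide requirement).
    if ($net.DomainName -ne $AdFqdn) {
        Write-Warning "$VMHostName : DNS domain is '$($net.DomainName)', expected '$AdFqdn'"
        if ($Repair) {
            # As the post notes, the host must leave the domain before this field can change.
            if ($auth.DomainMembershipStatus -eq 'Ok') {
                Set-VMHostAuthentication -VMHostAuthentication $auth -LeaveDomain -Confirm:$false | Out-Null
            }
            Set-VMHostNetwork -Network $net -DomainName $AdFqdn | Out-Null
            $net  = Get-VMHostNetwork -VMHost $vmhost
            $auth = Get-VMHostAuthentication -VMHost $vmhost
        }
    }

    # 2. Membership must be healthy; rejoin using the FQDN when asked to.
    if ($auth.DomainMembershipStatus -ne 'Ok') {
        Write-Warning "$VMHostName : domain membership status is '$($auth.DomainMembershipStatus)'"
        if ($Repair -and $JoinCredential) {
            Set-VMHostAuthentication -VMHostAuthentication $auth -JoinDomain -Domain $AdFqdn `
                -Credential $JoinCredential -Confirm:$false | Out-Null
            $auth = Get-VMHostAuthentication -VMHost $vmhost
        }
    }

    # Report the login form that works against the host: FQDN\user, not NETBIOS\user.
    [pscustomobject]@{
        VMHost           = $VMHostName
        DnsDomain        = $net.DomainName
        JoinedDomain     = $auth.Domain
        MembershipStatus = $auth.DomainMembershipStatus
        LoginFormat      = "$AdFqdn\<username>"
    }
}

# Usage (placeholder names): Test-EsxAdLogin -VMHostName esx01.domain.somewhere.com -AdFqdn domain.somewhere.com
```

Run it without -Repair first to see what each host reports; the repair path leaves and rejoins the domain, so schedule it like any other host reconfiguration.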

BTW, you can add a host to any Organizational Unit in your domain by specifying "domain.com/ou name/another ou" (without the quotes) as the Domain in the Domain Settings section of the Directory Services Configuration dialog box.