How to Join the vCSA 6.5 to an Active Directory Domain

In vSphere 6.5 the underlying operating system of the vCenter Server Appliance (vCSA) has been changed to VMware's Photon OS. With the new OS, you can still join an Active Directory domain to comply with company policies, or if you want to use Windows session authentication. Joining an Active Directory domain is included in the infrastructure node configuration, which is part of the Platform Services Controller. Verify standard AD requirements like time synchronization and naming before joining a domain.

If you want to log in with the "Windows session authentication" checkbox, you have to add the appliance running the Platform Services Controller (PSC) to the domain. For embedded deployments, join the appliance running both the vCenter and the PSC to the domain.

Join AD Domain with the vSphere Web Client

  1. Open vSphere Web Client (https://[vcenter]/vsphere-client)
  2. Log in as Single Sign-On Administrator or a user with global permissions.
  3. Navigate to Administration > Deployment > System Configuration

  4. Open Nodes and select the vCenter or external PSC
  5. Navigate to Manage > Settings > Advanced > Active Directory and click Join...
  6. Enter AD domain information
  7. Press OK
  8. The configured domain does not show up immediately; you have to reboot the appliance.
    Hint: You can reboot infrastructure nodes from the context menu.

    When the appliance is back online, it is part of the Active Directory domain.


Join AD Domain from the Command Line

  1. (optional) Enable SSH login
    vSphere Web Client > Administration > Deployment > System Configuration > Nodes > Manage > Settings > Access 
  2. Connect to the vCenter Server Appliance with SSH
  3. Activate the bash shell
    Command> shell
  4. Use the domainjoin-cli tool to join the domain
    # /opt/likewise/bin/domainjoin-cli join [domain] [user name] [password]

  5. Reboot the appliance
    # reboot

    When the appliance is back online, it is part of the Active Directory domain.


Verify Domain Status

Verify domain status from the domain controller

Verify domain status with the vSphere Web Client

Verify domain status from vCSA command line:

# /opt/likewise/bin/domainjoin-cli query
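
The command-line join and the later status check can be wrapped in one script. This is an added example, not part of the original post. It relies on domainjoin-cli prompting for the password when that argument is left out, and it assumes the query output consists of "Key = value" lines with a "Domain = ..." line; the script name, function names and sample output are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Usage, as root on the appliance:
#   ./vcsa-join.sh join <domain> <user>     then reboot, then
#   ./vcsa-join.sh verify <domain>
DJ=/opt/likewise/bin/domainjoin-cli   # tool path as given in the post

# Accept only a multi-label DNS name so nothing else reaches the join command.
valid_domain() {
    printf '%s\n' "$1" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Read `domainjoin-cli query` output on stdin, print the domain in upper case.
# Assumption: the output has "Key = value" lines including "Domain = ...".
joined_domain() {
    sed -n 's/^Domain[[:space:]]*=[[:space:]]*//p' | head -n 1 |
        tr -d ' \r' | tr '[:lower:]' '[:upper:]'
}

# Succeed only if the query output on stdin names the expected domain.
is_joined_to() {
    want=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    got=$(joined_domain)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

join_domain() {
    valid_domain "$1" || { echo "invalid domain name: $1" >&2; return 2; }
    [ -n "$2" ] || { echo "missing user name" >&2; return 2; }
    [ -x "$DJ" ] || { echo "$DJ not found" >&2; return 3; }
    # No password argument: the tool prompts for it, which keeps the password
    # out of the shell history and the process list.
    "$DJ" join "$1" "$2" || return 4
    echo "Join requested for $1. Reboot the appliance, then run: verify $1"
}

# Constructed sample of query output (not captured from a real appliance).
SAMPLE_QUERY='Name = vcsa01
Domain = EXAMPLE.LAB
DistinguishedName = CN=VCSA01,CN=Computers,DC=example,DC=lab'

case "${1:-}" in
    join)   join_domain "${2:-}" "${3:-}" ;;
    verify) "$DJ" query | is_joined_to "${2:-}" && echo "joined to $2" ;;
esac
```

The verify mode exits non-zero when the appliance reports no domain or a different one, so it can be used in a post-reboot check.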

  1. Joining the VCSA to Active Directory is not required in order to use Windows Session Authentication. Did you find this in the documentation or a KB?

    • That's interesting. It never worked for me without joining the domain, and it is listed as a prerequisite here.

      • You have to join the PSC to AD, not the vCenter Server. If you're running an embedded PSC, well, then by joining the machine (Windows or VCSA) to the domain you are also joining vCenter Server to the domain. But if you're running an external PSC, you don't need to also join the machine vCenter Server is running on. Does that make sense?
