Skip to content

How to Join the vCSA 6.5/6.7 to an Active Directory Domain

In vSphere 6.5 the underlying operating system from the vCenter Server Appliance (vCSA) has been changed to VMwares PhotonOS. With the new OS, you can still join an Active Directory domain to comply with company policies, or if you want to use windows session authentication. Joining an Active Directory domain is included in the infrastructure node configuration which is part of the Platform Services Controller. Please verify standard AD requirements like time synchronization and naming prior to joining a domain.

If you want to log in with the "Windows session authentication" checkbox, you have to add the appliance running the Platform Services Controller (PSC) to the domain. For embedded deployments, join the appliance running both, the vCenter and the PSC to the domain.

Join AD Domain with the vSphere Web Client

  1. Open vSphere Web Client (https://[vcenter]/vsphere-client)
  2. Login as Single Sign-On Administrator or a user with global permissions.
  3. Navigate to Administration > Deployment > System Configuration

  4. Open Nodes and select the vCenter or external PSC
  5. Navigate to Manage > Settings > Advanced > Active Directory and click Join...
  6. Enter AD domain information
  7. Press OK
  8. You don't see the configured domain immediately, you have to reboot the Appliance.
    Hint: You can reboot infrastructure nodes from the context menu

    When the appliance is back online it is part of the Active Directory domain

 

Join AD Domain from the Command Line

  1. (optional) Enable SSH login
    vSphere Web Client > Administration > Deployment > System Configuration > Nodes > Manage > Settings > Access 
  2. Connect to the vCenter Server Appliance with SSH
  3. Activate the bash shell
    Command> shell
  4. Use the domainjoin-cli tool to join the domain
    # /opt/likewise/bin/domainjoin-cli join [domain] [user name] [password]

  5. Reboot the appliance
    # reboot

    When the appliance is back online it is part of the Active Directory domain

 

Verify Domain Status

Verify domain status from the domain controller

Verify domain status with the vSphere Web Client

Verify domain status from vCSA command line:


# /opt/likewise/bin/domainjoin-cli query

13 thoughts on “How to Join the vCSA 6.5/6.7 to an Active Directory Domain”

      1. You have to join the PSC to AD - not the vCenter Server. If you're running an embedded PSC well then by joining the machine (Windows or VCSA) to the domain you are also joining vCenter Server to the domain. But, if you're running an external PSC you don't need to also join the machine vCenter Server is running on. Does that make sense?

          1. I think that clarification at the top of the post that you are talking about an embedded deployment would be valuable. I didn't see anywhere that you were specifically talking about embedded.

          2. Hi Adam

            We are running vSphere 6.5U1C. Two external PSCs in each site with two Vcenter servers in each site.

            Can you please verify we only need to add the PSCs to the domain only? I did both the vCSA and PSCs. Will this cause us any issues? Should I back out and set the vCSA back so it is not set up using Integrated source AD?

    1. Pingback: How to add AD Authentication in vCenter 6.5 | Virten.net

    2. Hi,
      I have deployed two VCSAs with two exteranl PSCs, and when open VCSA01 in web client i can see only one VCSA and when i open web client for VCSA02, i can both VCSAs here. Did all troubleshoot but no luck logged a case with VMware still no solution.

    3. I am having an issue attempting to join a v U1 PSC to the domain,.

      I get the following error:

      Error: LW_ERROR_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN [code 0x0000a309]

      Client not found in Kerberos database

      I am using a service account which I have checked exists and this is a brand new 2012 AD and a brand new v6.5 U1 PSC

    4. I did have this problem when my account with which i was joining my PSC didn`t have the right domain. We have users with domain @company.com but the domain is @company.loc

    Leave a Reply to Basha Cancel reply

    Your email address will not be published. Required fields are marked *