MonEmp
asked on
Integrate ESX with AD
Hi Guys,
Here is a sample script that I found, is this all I need to integrate a ESX 3.5 host to an AD server?
Also, how can I test if the script is working? I know I need to create the same user from AD on the ESX host that I want to test but do I need to set up the password for that user on the ESX host?
#Configure AD Authentication
/usr/sbin/esxcfg-firewall -e activeDirectorKerberos
/usr/sbin/esxcfg-auth --enablead --addomain=test.com.au --addc=audc01.test.com.au
/usr/sbin/esxcfg-auth --enablekrb5 --krb5realm=test.com.au --krb5kdc=audc01.test.com.
echo "auth sufficient /lib/security/pam_unix_aut
cat > /etc/krb5.conf << KRB5
# Autogenerated by /usr/sbin/esxcfg-auth
[domain_realm]
.test.com.au = TEST.COM.AU
test.com.au = TEST.COM.AU
[libdefaults]
default_realm = TEST.COM.AU
[realms]
TEST.COM.AU = {
admin_server = audc01.test.com.au:749
default_domain = test.com.au
kdc = audc01.test.com.au:88
kdc = audc02.test.com.au:88
}
KRB5
Here is a sample script that I found, is this all I need to integrate a ESX 3.5 host to an AD server?
Also, how can I test if the script is working? I know I need to create the same user from AD on the ESX host that I want to test but do I need to set up the password for that user on the ESX host?
#Configure AD Authentication
/usr/sbin/esxcfg-firewall -e activeDirectorKerberos
/usr/sbin/esxcfg-auth --enablead --addomain=test.com.au --addc=audc01.test.com.au
/usr/sbin/esxcfg-auth --enablekrb5 --krb5realm=test.com.au --krb5kdc=audc01.test.com.
echo "auth sufficient /lib/security/pam_unix_aut
cat > /etc/krb5.conf << KRB5
# Autogenerated by /usr/sbin/esxcfg-auth
[domain_realm]
.test.com.au = TEST.COM.AU
test.com.au = TEST.COM.AU
[libdefaults]
default_realm = TEST.COM.AU
[realms]
TEST.COM.AU = {
admin_server = audc01.test.com.au:749
default_domain = test.com.au
kdc = audc01.test.com.au:88
kdc = audc02.test.com.au:88
}
KRB5
this is not a script this is a Linux commands.
if your esx envior. based on linux then you can use this script.
if your esx envior. based on linux then you can use this script.
Hi
First VMware do not recommend that you integrate your VMware(or Virtual Center) in the AD
Second, for security reasons you do not want to create user AD/VMware or VMware/AD
This must be different and independent.
Can you explain what you need to do? So that we can give you a workaround, or another way to work
Jail
First VMware do not recommend that you integrate your VMware(or Virtual Center) in the AD
Second, for security reasons you do not want to create user AD/VMware or VMware/AD
This must be different and independent.
Can you explain what you need to do? So that we can give you a workaround, or another way to work
Jail
ASKER
Hi Jail,
"First VMware do not recommend that you integrate your VMware(or Virtual Center) in the AD
Second, for security reasons you do not want to create user AD/VMware or VMware/AD
This must be different and independent."
Last time I check, integrating AD with ESX is actually what most people doing in a datacenter environment. But if you are correct, can you please refer me to the VMware documentation that support the above statement? If that is the case I need to prove it to the customer. Also, for a datacenter environment, do vmware expect people to create all the AD accounts by hand and redefine all the permission??
"First VMware do not recommend that you integrate your VMware(or Virtual Center) in the AD
Second, for security reasons you do not want to create user AD/VMware or VMware/AD
This must be different and independent."
Last time I check, integrating AD with ESX is actually what most people doing in a datacenter environment. But if you are correct, can you please refer me to the VMware documentation that support the above statement? If that is the case I need to prove it to the customer. Also, for a datacenter environment, do vmware expect people to create all the AD accounts by hand and redefine all the permission??
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Has anyone seen this problem? VM kernel port that uses for Vmotion change itself to Virtual Machine port after I turn on HA/DRS in the cluster. Or this is not a problem? Can someone explain this???
Here is the set up:
I have 3 ESXi 3.5 Embedded configured. All three hosts are in a cluster. Each of the host at Vswitch 0 have two VMkernel ports.
Before I turn on HA/DRS, the network configurtion look like this:
ESX 1 -- Vswitch 0
VMkernel port (Mgt network)
VMkernel port (Vmotion) and VLAN tag 101
ESX 2 -- Vswitch 0
VMkernel port (Mgt network)
VMkernel port (Vmotion) and VLAN tag 101
ESX 3 -- Vswitch 0
VMkernel port (Mgt network)
VMkernel port (Vmotion)and VLAN tag 101
After I turned on the HA/DR, the VMkernel ports at two of the hosts changed to Virtual Machine port and the configuration changed to this:
ESX 1 -- Vswitch 0
VMkernel port (Mgt network)
VMkernel port (Vmotion) and VLAN 101
ESX 2 -- Vswitch 0
VMkernel port (Mgt network)
Virtual Machine port (Vmotion) and VLAN tag 101 (I went in to check the properties and it still have Vmotion enable, its just changed the Port Group type)
ESX3 Vswitch0
VMkernel port (Mgt network)
Virtual Machine port (Vmotion)
and VLAN tag 101 (I went in to check the properties and it still have
Vmotion enable, its just changed the Port Group type)
The Vmotion VMernel port uses the Mgt VMkernel port default gateway. (I figured since they are the same port group type within in the same Vswitch, it will only allow one default gateway).
Vmotion still works, I have no problem migrating machines between hosts
Here is the set up:
I have 3 ESXi 3.5 Embedded configured. All three hosts are in a cluster. Each of the host at Vswitch 0 have two VMkernel ports.
Before I turn on HA/DRS, the network configurtion look like this:
ESX 1 -- Vswitch 0
VMkernel port (Mgt network)
VMkernel port (Vmotion) and VLAN tag 101
ESX 2 -- Vswitch 0
VMkernel port (Mgt network)
VMkernel port (Vmotion) and VLAN tag 101
ESX 3 -- Vswitch 0
VMkernel port (Mgt network)
VMkernel port (Vmotion)and VLAN tag 101
After I turned on the HA/DR, the VMkernel ports at two of the hosts changed to Virtual Machine port and the configuration changed to this:
ESX 1 -- Vswitch 0
VMkernel port (Mgt network)
VMkernel port (Vmotion) and VLAN 101
ESX 2 -- Vswitch 0
VMkernel port (Mgt network)
Virtual Machine port (Vmotion) and VLAN tag 101 (I went in to check the properties and it still have Vmotion enable, its just changed the Port Group type)
ESX3 Vswitch0
VMkernel port (Mgt network)
Virtual Machine port (Vmotion)
and VLAN tag 101 (I went in to check the properties and it still have
Vmotion enable, its just changed the Port Group type)
The Vmotion VMernel port uses the Mgt VMkernel port default gateway. (I figured since they are the same port group type within in the same Vswitch, it will only allow one default gateway).
Vmotion still works, I have no problem migrating machines between hosts
ASKER