1.) Enable firewall rule activeDirectoryAll
[root@kb-e01:~] esxcli network firewall ruleset set -r activeDirectoryAll -e true
[root@kb-e01:~] esxcli network firewall ruleset list
Name                      Enabled
------------------------  -------
sshServer                 true
sshClient                 false
..snip..snip..
webAccess                 true
vMotion                   true
vSphereClient             true
activeDirectoryAll        true
NFC                       true
...snip..snip...
2.) Change the default ESX Admins group to a custom one, kblnrz_esx_admins (this group needs to be created in Active Directory before the ESXi host joins the AD domain!):
[root@kb-e01:~] vim-cmd hostsvc/advopt/update "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" string "kblnrz_esx_admins"
[root@kb-e01:~] vim-cmd hostsvc/advopt/view "Config.HostAgent.plugins.hostsvc.esxAdminsGroup"
(vim.option.OptionValue) [
(vim.option.OptionValue) {
key = "Config.HostAgent.plugins.hostsvc.esxAdminsGroup",
value = "kblnrz_esx_admins"
}
]
3.) Start lwsmd daemon:
[root@kb-e01] /etc/init.d/lwsmd start
Starting Likewise Service Manager [memory reservation set] [starting lsass service]
Starting service dependency: netlogon
Starting service dependency: lwio
Starting service dependency: rdr
Starting service: lsass
...ok
[root@kb-e01] /etc/init.d/lwsmd status
running
4.) Enable the lwsmd daemon so it starts after a reboot:
[root@kb-e01] chkconfig lwsmd on
5.) Check Domain Controller accessibility:
[root@kb-e01:/usr/lib/vmware/likewise/bin] ./lw-get-dc-name kblnrz.lab
Printing LWNET_DC_INFO fields:
===============================
dwDomainControllerAddressType = 23
dwFlags = 62461
dwVersion = 5
wLMToken = 65535
wNTToken = 65535
pszDomainControllerName = kb-w01.kblnrz.lab
pszDomainControllerAddress = 10.6.4.179
pucDomainGUID(hex) = 98 19 7A 57 BF F4 78 41 9D E2 DC 3A D7 F7 F3 C9
pszNetBIOSDomainName = KBLNRZ
pszFullyQualifiedDomainName = kblnrz.lab
pszDnsForestName = kblnrz.lab
pszDCSiteName = Default-First-Site-Name
pszClientSiteName = Default-First-Site-Name
pszNetBIOSHostName = KB-W01
pszUserName = <EMPTY>
6.) Now join the ESXi host to the AD domain:
[root@kb-e01:~] cd /usr/lib/vmware/likewise/bin/
[root@kb-e01:/usr/lib/vmware/likewise/bin] ./domainjoin-cli join kblnrz.lab Administrator
Joining to AD Domain: kblnrz.lab
With Computer DNS Name: kb-e01.kblnrz.lab
Administrator@KBLNRZ.LAB's password:
SUCCESS
7.) We can see that the AD group 'kblnrz_esx_admins' was automatically added.
[root@kb-e01:~] esxcli system permission list
Principal                 Is Group  Role   Role Description
------------------------  --------  -----  ------------------
KBLNRZ\kblnrz_esx_admins  true      Admin  Full access rights
dcui                      false     Admin  Full access rights
root                      false     Admin  Full access rights
vpxuser                   false     Admin  Full access rights
8.) If the firewall rule activeDirectoryAll is not enabled, you can receive the following error:
[root@kb-e01:/usr/lib/vmware/likewise/bin] ./domainjoin-cli --loglevel verbose join kblnrz.lab Administrator
Joining to AD Domain: kblnrz.lab
With Computer DNS Name: kb-e01.kblnrz.lab
Administrator@KBLNRZ.LAB's password:
Error: NERR_DCNotFound [code 0x00000995]
9.) Enable Likewise logging: http://kb.vmware.com/kb/1026554
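A check to run once the join in steps 2 to 7 has completed, as an added example that is not part of the original post: it parses the output of the advopt view and the permission list and fails if the configured group is not the expected one or if any other group principal holds the Admin role. The function names and sample strings are assumptions, constructed from the output shown above.

```shell
# Added example: audit the admin-group mapping produced by steps 2 and 7.
# On a host, pass the real vim-cmd / esxcli output instead of the samples below.
# Group name configured in 'vim-cmd hostsvc/advopt/view' output.
configured_group() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*value = "\(.*\)".*$/\1/p'
}

# Group principals with the Admin role. Column offsets come from the dashed
# separator row, so a principal containing spaces is not mis-split.
admin_groups() {
    printf '%s\n' "$1" | awk '
        /^-+( +-+)+ *$/ {
            rest = $0; off = 0; n = 0
            while (match(rest, /-+/)) {
                n++; s[n] = off + RSTART; w[n] = RLENGTH
                off += RSTART + RLENGTH - 1; rest = substr(rest, RSTART + RLENGTH)
            }
        }
        n >= 3 {
            p = substr($0, s[1], w[1]); g = substr($0, s[2], w[2]); r = substr($0, s[3], w[3])
            gsub(/ +$/, "", p); gsub(/ +$/, "", g); gsub(/ +$/, "", r)
            if (g == "true" && r == "Admin") print p
        }'
}

# Returns 0 only if the option names the expected group and no other group
# principal holds Admin; prints one line per finding.
audit() {  # $1 expected group, $2 advopt output, $3 permission list output
    rc=0; found=0; cfg=$(configured_group "$2")
    [ "$cfg" = "$1" ] || { echo "FAIL esxAdminsGroup is '$cfg', expected '$1'"; rc=1; }
    while IFS= read -r grp; do
        case "$grp" in
            *\\"$1") found=1 ;;
            ?*) echo "FAIL unexpected group with Admin role: $grp"; rc=1 ;;
        esac
    done <<EOF
$(admin_groups "$3")
EOF
    [ "$found" = 1 ] || { echo "FAIL '$1' has no Admin permission"; rc=1; }
    return $rc
}

# Constructed samples modelled on the output of steps 2 and 7.
SAMPLE_ADVOPT='   value = "kblnrz_esx_admins"'
SAMPLE_PERMS='Principal                 Is Group  Role   Role Description
------------------------  --------  -----  ------------------
KBLNRZ\kblnrz_esx_admins  true      Admin  Full access rights
root                      false     Admin  Full access rights'
audit kblnrz_esx_admins "$SAMPLE_ADVOPT" "$SAMPLE_PERMS" && echo "OK"
```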
the end...