Wednesday, 30 November 2016

VCAP-DCV :: Configure and manage Active Directory integration from CLI

Before we join the esxi host into Active Directory domain we need to check firewall settings:

1.) Enable firewall rule activeDirectoryAll :


[root@kb-e01:~] esxcli network firewall ruleset set -r activeDirectoryAll --enabled 1

[root@kb-e01:~] esxcli network firewall ruleset list
Name Enabled
------------------------ -------
sshServer true
sshClient false
..snip..snip..

webAccess true
vMotion true
vSphereClient true
activeDirectoryAll true
NFC true
...snip..snip...


2.) Change the default ESX Admins group to custom one kblnrz_esx_admins (this group needs to be created in Active Directory before esxi joined AD domain!):

[root@kb-e01:~] vim-cmd hostsvc/advopt/update "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" string "kblnrz_esx_admins"

[root@kb-e01:~] vim-cmd hostsvc/advopt/view "Config.HostAgent.plugins.hostsvc.esxAdminsGroup"
(vim.option.OptionValue) [
   (vim.option.OptionValue) {
      key = "Config.HostAgent.plugins.hostsvc.esxAdminsGroup",
      value = "kblnrz_esx_admins"
   }

]

3.) Start lwsmd daemon:


[root@kb-e01] /etc/init.d/lwsmd start

Starting Likewise Service Manager [memory reservation set] [starting lsass service] Starting service dependency: netlogon
Starting service dependency: lwio
Starting service dependency: rdr
Starting service: lsass
...ok
[root@kb-e01] /etc/init.d/lwsmd status
running
4.) Enable lwsmd deamon after reboot:
[root@kb-e01] chkconfig lwsmd on

5.) Check Domain Controller accessibility:
[root@kb-e01:/usr/lib/vmware/likewise/bin] ./lw-get-dc-name kblnrz.lab
Printing LWNET_DC_INFO fields:
===============================
dwDomainControllerAddressType = 23
dwFlags = 62461
dwVersion = 5
wLMToken = 65535
wNTToken = 65535
pszDomainControllerName = kb-w01.kblnrz.lab
pszDomainControllerAddress = 10.6.4.179
pucDomainGUID(hex) = 98 19 7A 57 BF F4 78 41 9D E2 DC 3A D7 F7 F3 C9
pszNetBIOSDomainName = KBLNRZ
pszFullyQualifiedDomainName = kblnrz.lab
pszDnsForestName = kblnrz.lab
pszDCSiteName = Default-First-Site-Name
pszClientSiteName = Default-First-Site-Name
pszNetBIOSHostName = KB-W01
pszUserName = <EMPTY> 

6.)  Now join the esxi host to AD domain :
[root@kb-e01:~] cd /usr/lib/vmware/likewise/bin/
[root@kb-e01:/usr/lib/vmware/likewise/bin] ./domainjoin-cli join kblnrz.lab Administrator
Joining to AD Domain: kblnrz.lab
With Computer DNS Name: kb-e01.kblnrz.lab
Administrator@KBLNRZ.LAB's password:
SUCCESS
7.) We can see that the AD group 'kblnrz_esx_admins' was automatically added.

[root@kb-e01:~] esxcli system permission list
Principal                 Is Group  Role   Role Description  
------------------------  --------  -----  ------------------
KBLNRZ\kblnrz_esx_admins      true  Admin  Full access rights
dcui                         false  Admin  Full access rights
root                         false  Admin  Full access rights

vpxuser                      false  Admin  Full access rights

8.) If the firewall rule activeDirectoryAll is not set you can receive following error:

[root@kb-e01:/usr/lib/vmware/likewise/bin] ./domainjoin-cli --loglevel verbose join kblnrz.lab Administrator

Joining to AD Domain: kblnrz.lab
With Computer DNS Name: kb-e01.kblnrz.lab
Administrator@KBLNRZ.LAB's password:
Error: NERR_DCNotFound [code 0x00000995]

9.) Enable likewise logging : http://kb.vmware.com/kb/1026554


the end...












No comments:

Post a Comment