Add ESXi 6.5 Hosts to an Active Directory Domain

You have everything hooked up to AD, right?

There’s no better way to compromise your entire lab than having an SSO password for just about everything. I’m not (entirely) serious of course, but that’s a discussion for another day. So here’s a quick rundown on adding ESXi 6.5 hosts to AD instead.

Create an AD Security Group

In Active Directory, open Active Directory Users and Computers

Select Users, then Create a new group in the current container. Give it a name that will make sense, so that it isn’t accidentally deleted.

Select an administrator that should have access to ESXi via AD, right-click them and choose Add to a group. Enter the name of the group that was just created.

Add Hosts to AD

Head to the new(ish) host client at https://HOST_IP/ui/

Navigate to Manage -> Security and Users -> Authentication, then select Join Domain.

Enter the domain name, an administrator user name and their password.

It shouldn’t take long.

The final task is to tell ESXi about the security group that was created initially. Head to Manage -> System -> Advanced settings, then look for plugins.hostsvc.esxAdminsGroup. Select the Edit option, then enter the name of the security group created earlier.

Propagation should take around a minute before you can log in with AD credentials.

Some things to check if joining fails

Enable SSH, then:

  • Ping the AD DC IP – failure indicates a connectivity issue
  • Ping the AD DC domain name – failure indicates a DNS issue
  • telnet DC_IP_ADDRESS 389 – failure indicates a firewall issue
  • Check that time is synchronised between ESXi and the domain controller
  • /etc/init.d/lwsmd start – if the errors include “likewise service manager [failed to set memory reservation]”, free some physical memory, then try again
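The same join-and-configure steps, plus the clock-sync check from the list above, done from PowerCLI rather than the host client. This is an added example, not code from the original post; the host name, domain, group name and credential prompts are placeholders.

```powershell
# Added example (not from the original post): join an ESXi host to AD via PowerCLI,
# check clock skew first, then point the host at the custom admin group.
# Assumed placeholder values: host name, domain and group name.
param(
    [string]$HostName   = 'esxi01.lab.example',   # placeholder
    [string]$Domain     = 'lab.example',          # placeholder
    [string]$AdminGroup = 'ESXi-Host-Admins'      # the AD security group created earlier (placeholder)
)

$rootCred = Get-Credential -Message "ESXi root on $HostName"
$adCred   = Get-Credential -Message "AD account allowed to join computers to $Domain"

Connect-VIServer -Server $HostName -Credential $rootCred | Out-Null
$vmhost = Get-VMHost -Name $HostName

# Precheck: Kerberos rejects tickets when clock skew exceeds 5 minutes, so compare the
# host clock (QueryDateTime() reports UTC) against this workstation before joining.
$dts  = Get-View $vmhost.ExtensionData.ConfigManager.DateTimeSystem
$skew = [math]::Abs(($dts.QueryDateTime() - [DateTime]::UtcNow).TotalSeconds)
if ($skew -gt 300) {
    throw "Clock skew of ${skew}s between $HostName and this workstation; fix NTP before joining."
}

# Join the domain (same as Manage -> Security and Users -> Authentication -> Join Domain).
$auth = Get-VMHostAuthentication -VMHost $vmhost
if ($auth.DomainMembershipStatus -ne 'Ok' -or $auth.Domain -ne $Domain) {
    $auth = Set-VMHostAuthentication -VMHostAuthentication $auth -JoinDomain `
                -Domain $Domain -Credential $adCred -Confirm:$false
}
if ($auth.DomainMembershipStatus -ne 'Ok') {
    throw "Join reported status '$($auth.DomainMembershipStatus)'; work through the troubleshooting checks."
}

# Tell the host which AD group gets the Administrator role: the group created earlier,
# not the default group name the setting ships with.
$settingName = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
$setting = Get-AdvancedSetting -Entity $vmhost -Name $settingName
if ($setting.Value -ne $AdminGroup) {
    $setting | Set-AdvancedSetting -Value $AdminGroup -Confirm:$false | Out-Null
}

$final = Get-AdvancedSetting -Entity $vmhost -Name $settingName
"{0}: domain={1} status={2} esxAdminsGroup={3}" -f $HostName, $auth.Domain, $auth.DomainMembershipStatus, $final.Value
Disconnect-VIServer -Server $HostName -Confirm:$false
```

Allow about a minute after the script finishes before expecting AD logins to work, as the post notes.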

10 Comments

    1. Sounds like a DNS problem but not one I’ve seen before. Are you using IPv4 or 6? Can you ping the domain name from the vCenter / each host?

  1. Trying this with ESXi 6.0, but the task goes on forever; the task never completes and the vSphere client hangs. Once this state is achieved the host is unresponsive and needs a reboot. Any suggestions as to why?

    1. I’ve never seen anything like this. A small hang points towards a service being blocked but completely locking up a host sounds like something much more sinister.

  2. There are 2 ESXi hosts that I am working with, 1 is 6.7 and one is 6.5. Same settings on each regarding DNS, gateway, NTP; services are both set the same and correct. I can join both of them to the domain successfully and both are pointing at the ESX Admins security group that is populated with 2 test users. I am able to sign in with one of the test accounts on the 6.7 host; the 6.5 host fails stating incorrect username and password. Cannot find any logs indicating where the failure lies. I have unjoined, deleted the ESXi host from AD, rejoined and the same results. Performed a reboot of the ESX host and performed the above steps and again no change. Looking for any possible items I may have overlooked.

    Confirmed the following:
    SSH to host, can ping DC by IP and hostname, as well as ping domain
    NTP set and pointed at the same NTP server and clocks are synced correctly
    LWSMD service is running
    ActiveDirectoryAll is enabled in firewall rules, ports 123, 137, 139, 3268, 389, 445, 464, 7476, 88
    DNS primary and secondary set
    No failures logged on the server for failed attempts for the account being used.

    1. Hmmm, very strange. You say you can’t see failed login attempts but can you see successful logins from AD?

  3. That is correct. I do see some periodic 1-second connections in the event viewer for the ESXi host, i.e. sign in and sign off within 1 second, but they do not correlate whatsoever to the timing or quantity of failed attempts to the VMware host.
