ESXi Preferred Domain Controllers

I was at a customer site recently where they had issues with ESXi hosts reverting to local authentication after joining an Active Directory domain. On further investigation, it transpired that the ESXi hosts could only communicate with some of the AD domain controllers, as the majority are behind firewalls. As far as I’m aware, ESXi hosts are not AD site aware, so when a query is made to the AD-integrated DNS, any of the domain DCs could be returned, including those that are not accessible behind firewalls.

I was not provided with any further details on the ESXi hosts reverting to local authentication, but this appeared to be a good use case for setting preferred domain controllers in the ESXi host advanced settings. You can configure UserVars.ActiveDirectoryPreferredDomainControllers with the preferred domain controllers, separated by commas, for the ESXi host to use for AD communication.

To specify the preferred domain controller(s):

  1. Select ESXi Server > Configuration > Advanced Settings > UserVars.ActiveDirectoryPreferredDomainControllers
  2. Enter the IP address or FQDN of the preferred domain controller (I opted for the IP address, as the domain controller is also the DNS server)
  3. Click OK to apply the changes
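The same change applied to every host in a cluster with PowerCLI, as an added example that is not part of the original post. The vCenter name, cluster name and DC addresses are placeholders; it assumes a PowerCLI session with rights to change host advanced settings.

```powershell
# Added example (not from the original post): set
# UserVars.ActiveDirectoryPreferredDomainControllers on every host in a
# cluster, then re-read the value and report each host's AD membership state.
$vcenter     = 'vcenter.example.local'   # placeholder
$clusterName = 'Prod-Cluster'            # placeholder
$settingName = 'UserVars.ActiveDirectoryPreferredDomainControllers'

# Only list DCs the hosts' management network can actually reach (i.e. not the
# ones behind the firewalls). Constructed sample addresses; use two or more so
# a single DC outage does not break AD authentication on the hosts.
$preferredDCs = '10.10.1.10,10.10.1.11'

if (($preferredDCs -split ',').Count -lt 2) {
    Write-Warning "Only one preferred DC listed: that DC is a single point of failure for host AD logins."
}

Connect-VIServer -Server $vcenter | Out-Null

foreach ($vmhost in Get-Cluster -Name $clusterName | Get-VMHost) {
    $setting = Get-AdvancedSetting -Entity $vmhost -Name $settingName
    if ($setting.Value -ne $preferredDCs) {
        Set-AdvancedSetting -AdvancedSetting $setting -Value $preferredDCs -Confirm:$false | Out-Null
    }

    # Re-read the setting to confirm it stuck, and show whether the host is
    # still joined to the domain (DomainMembershipStatus should read Ok).
    $current = (Get-AdvancedSetting -Entity $vmhost -Name $settingName).Value
    $auth    = Get-VMHostAuthentication -VMHost $vmhost
    [pscustomobject]@{
        Host             = $vmhost.Name
        PreferredDCs     = $current
        Domain           = $auth.Domain
        MembershipStatus = $auth.DomainMembershipStatus
    }
}

Disconnect-VIServer -Server $vcenter -Confirm:$false
```

Hosts whose MembershipStatus is not Ok after the change are the ones to check for DC reachability from the management network.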


I recommend configuring values for more than one domain controller to avoid a single point of failure. If none of the listed domain controllers are contactable, AD user authentication will fail.
