I was at a customer site recently where they had issues with ESXi hosts reverting to local authentication after joining an Active Directory domain. On further investigation, it transpired that the ESXi hosts can only communicate with some of the AD domain controllers as the majority are behind firewalls. As far as I’m aware, ESXi hosts are not AD site aware so when a query is made to the AD integrated DNS, any of the domain DCs could be returned, including those not accessible behind firewalls.
I was not provided with any further details on the ESXi hosts reverting to local authentication, but this appeared to be a good use case for setting preferred domain controllers in the ESXi host advanced settings. You can configure UserVars.ActiveDirectoryPreferredDomainControllers with a comma-separated list of preferred domain controllers for the ESXi host to use for AD communication.
To specify the preferred domain controller(s):
- Select ESXi Server > Configuration > Advanced Settings > UserVars.ActiveDirectoryPreferredDomainControllers
- Enter the IP address or FQDN of the preferred domain controller (I opted for the IP address as the domain controller is also the DNS server)
- Click OK to apply the changes
I recommend configuring values for more than one domain controller to avoid a single point of failure. If none of the listed domain controllers are contactable, AD user authentication will fail.
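The same setting can be applied from the ESXi shell with esxcli instead of the vSphere Client. The script below is an added example and not part of the original post: it validates each candidate entry as an IPv4 address or host name, drops duplicates, refuses a list of fewer than two domain controllers (the single-point-of-failure recommendation above), and then writes and reads back the UserVars option. The 192.0.2.x addresses are constructed placeholders.

```shell
# Builds the comma-separated value for UserVars.ActiveDirectoryPreferredDomainControllers.
# Entries may be separated by spaces or commas. Malformed IPv4 addresses and host
# names are rejected, duplicates are dropped, and at least two entries are required
# so that one unreachable DC does not take AD authentication down with it.
build_preferred_dcs() {
    input=$(printf '%s' "$*" | tr ',' ' ')
    result=""
    count=0
    for entry in $input; do
        case "$entry" in
            *[!A-Za-z0-9.-]*|.*|*.|"")
                echo "rejected entry: '$entry'" >&2
                return 1 ;;
        esac
        # An entry made only of digits and dots is treated as IPv4: four octets, each <= 255.
        case "$entry" in
            *[!0-9.]*) ;;   # contains letters: accepted as an FQDN
            *)
                set -- $(printf '%s' "$entry" | tr '.' ' ')
                [ $# -eq 4 ] || { echo "bad IPv4: $entry" >&2; return 1; }
                for o in "$@"; do
                    [ "$o" -le 255 ] || { echo "bad IPv4: $entry" >&2; return 1; }
                done ;;
        esac
        case ",$result," in
            *",$entry,"*) continue ;;   # duplicate entry, skip it
        esac
        result="${result:+$result,}$entry"
        count=$((count + 1))
    done
    [ "$count" -ge 2 ] || { echo "need at least two domain controllers" >&2; return 1; }
    printf '%s\n' "$result"
}

# Sets the option on the ESXi host and reads it back for confirmation.
# esxcli only exists on ESXi; the option path mirrors the UserVars name in the client.
apply_preferred_dcs() {
    value=$(build_preferred_dcs "$@") || return 1
    esxcli system settings advanced set \
        -o /UserVars/ActiveDirectoryPreferredDomainControllers -s "$value" || return 1
    esxcli system settings advanced list \
        -o /UserVars/ActiveDirectoryPreferredDomainControllers
}

# Usage on the host, with constructed placeholder addresses:
# apply_preferred_dcs 192.0.2.10 192.0.2.11
```

Only domain controllers the host can actually reach through the firewalls belong on the list; the validation checks syntax, not reachability.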