vCenter

  • 1.  vCenter - ad authentication with more than 2 domain controllers

    Posted Nov 05, 2019 11:51 PM

    Currently running vSphere 6.0 with plans to go to 6.7 shortly, but is it possible to configure LDAP to connect to more than 2 domain controllers for authentication? We recently had an issue where the two domain controllers went down which just happen to be the ones vCenter uses for LDAP connectivity. It seems you can only put a primary & secondary server.



  • 2.  RE: vCenter - ad authentication with more than 2 domain controllers

    Posted Nov 06, 2019 12:00 AM

    In the 6.7 vCenter Server Appliance, they only give you the option to "join AD". Which to me means it'll use any available DC to authenticate, so long as DNS is set up. Granted, you should take my opinion with a grain of salt, because I can't even get AD working in 6.7 right now. Some screenshots of 6.7 VCSA to back up my theory.



  • 3.  RE: vCenter - ad authentication with more than 2 domain controllers



  • 4.  RE: vCenter - ad authentication with more than 2 domain controllers

    Posted Nov 06, 2019 09:42 PM

    So you can only have a max of two domain controllers for LDAP authentication?



  • 5.  RE: vCenter - ad authentication with more than 2 domain controllers

    Posted Nov 07, 2019 01:07 AM

    If you join the VCSA to the AD domain, why should you be worried about the number of DCs? You will need to mention only the domain name and it will handle your authentication request by any available DC. But if you want to add the AD as an LDAP server, you can add the same alias name for all of your secondary DCs and round-robin will handle your concern about losing more than two DCs at the same time.



  • 6.  RE: vCenter - ad authentication with more than 2 domain controllers

    Posted Nov 07, 2019 02:06 AM

    Thanks for the reply. We have tried to use the alias of the domain but it doesn't work. We have a number of domains in this environment and each of them has around 6 domain controllers.

    Have you tried using the alias before? If so, what did you have to do to make it work?



  • 7.  RE: vCenter - ad authentication with more than 2 domain controllers

    Posted Mar 20, 2020 11:00 AM

    Hi,

    In our case, we added the AD as an LDAP identity source as the vCenter doesn't belong to the domain. The identity source works when we add the entry below:

    ldap://our_domain.org:389

    But that's not the case when the traffic goes through LDAPS and port 636:

    ldaps://our_domain.org:636

    This only works when we add a domain controller:

    ldaps://our_DC.org:636

    Thank you.
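One plausible cause of the behaviour described in this post is a certificate name mismatch: the DC's LDAPS certificate is issued for the DC's own FQDN, so a verifying client connecting to the domain name rejects it. That is an assumption, not something the thread establishes. The check below is an added example, not code from the thread or from VMware; it parses identity-source URLs the way the thread writes them, tests whether a certificate's DNS SANs cover a given name, and (optionally, over the network) opens a verifying TLS session to an ldaps:// host. `our_domain.org` and `our_DC.org` are the post's placeholders and `SAMPLE_DC_CERT` is a constructed certificate dict.

```python
import socket
import ssl
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed: what getpeercert() might return for a DC certificate that
# names only the DC itself, not the domain alias.
SAMPLE_DC_CERT = {"subjectAltName": (("DNS", "our_DC.org"),)}

def parse_ldap_url(url):
    """Split an identity-source URL into (scheme, host, port), defaulting
    the port to 389 for ldap:// and 636 for ldaps://."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an LDAP URL: {url}")
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]

def _label_match(pattern, host):
    # A leading "*" matches exactly one DNS label; everything else is exact.
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return all(a == b or (a == "*" and i == 0) for i, (a, b) in enumerate(zip(p, h)))

def san_covers(cert, host):
    """True if the certificate's DNS SANs cover `host` (cert is the dict
    shape returned by ssl.SSLSocket.getpeercert())."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(_label_match(n, host) for n in names)

def check_ldaps_name(url, expect_name=None):
    """Open a verifying TLS session to the host in `url` and report whether the
    server certificate is valid for `expect_name` (default: the URL host).
    Returns (ok, detail). Network call; fails closed on any error."""
    scheme, host, port = parse_ldap_url(url)
    if scheme != "ldaps":
        return False, "not an ldaps:// URL"
    name = expect_name or host
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=name) as tls:
                return san_covers(tls.getpeercert(), name), f"cert accepted for {name}"
    except ssl.SSLCertVerificationError as e:
        return False, f"cert rejected for {name}: {e.verify_message}"
    except OSError as e:
        return False, f"connection to {host}:{port} failed: {e}"

if __name__ == "__main__":
    # Domain alias vs a single DC, as in the post; replace with real hosts.
    for url in ("ldaps://our_domain.org:636", "ldaps://our_DC.org:636"):
        print(url, *check_ldaps_name(url))
```

If the alias URL is rejected but the DC URL is accepted, reissuing the DC certificates with the domain name as an additional SAN, or pointing vCenter at a name the certificates actually carry, is the fix to pursue rather than disabling verification.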



  • 8.  RE: vCenter - ad authentication with more than 2 domain controllers

    Posted Mar 20, 2020 03:35 PM

    You need to configure the identity source in vCenter as in the steps below.

    1. Login to the vSphere Web Client as administrator@vsphere.local

    2. From the home location, navigate to >>Administration >>Single Sign-on >>Configuration and select the Identity Sources tab

    3. Click the green + to add an Identity source

    4. In the Identity Source page, select Active Directory as an LDAP Server.

    5. Fill in the Identity Source Settings information for your Active Directory domain

    Name: Label for identification
    Base DN for users: The Distinguished Name (DN) of the starting point for directory server searches. Example: If your domain name is domain.internal the DN for the entire directory is "DC=domain, DC=local".
    Domain name: Your domain name. Example: "domain.local"
    Domain alias: Your netbios name. Example: "XYZ"
    Base DN for groups: The Distinguished Name (DN) of the starting point for directory server searches.
    Primary server URL: AD Server URL. You can either query the local directory (Port 389), or the global catalog (Port 3268). Example: "ldap://snow.domain.local:3268"
    Secondary Server URL: “ldap://rain.domain.local:3268”
    Username: A user in the AD Domain with at least browse privileges. Example: "XZY\vcadmin"

    6. Click Finish.

    7. After clicking Finish, this should add the domain to the list



  • 9.  RE: vCenter - ad authentication with more than 2 domain controllers

    Posted Mar 20, 2020 03:40 PM

    Or, in short: you must address the global catalog at port 3268 on two different domain controllers.

    Please keep in mind that Microsoft will soon stop support for LDAP, so configure it to LDAPS.



  • 10.  RE: vCenter - ad authentication with more than 2 domain controllers

    Posted Mar 21, 2020 07:55 AM

    In short, in the case those two configured DCs are unavailable, vCenter authentication will fail for that Identity Source.