How to add a VCSA to a Microsoft domain controller environment and log on to vCenter with Microsoft domain accounts
Environment:
VCSA version 5.5U2
Microsoft AD domain version Windows Server 2012 R2
Why do we do this:
From VMware VCSA 6.0 onward, the PSC (Platform Services Controller) is built in. In that environment, integrating with a Microsoft domain controller is very convenient: you can use your Microsoft domain account to log on to vCenter without complicated settings.
The existing environment has several VCSA 5.5 instances. To achieve single sign-on, these multiple VCSA instances must use Microsoft domain controller accounts, which is necessary for unified security management of accounts.
Procedure:
With the background above in mind, we need to use Microsoft domain controller accounts to reach all of these VCSA instances. There are many screenshots below; each figure is followed by an explanatory note.
Figure 1: log on to the VCSA backend management console at https://<VCSAIP>:5480/#network.address, set the Host Name and DNS, and save the configuration.
Figure 2: open the VCSA authentication settings at https://<VCSAIP>:5480/#virtualcenter.authentication, enter the domain's authentication information, and save.
Figure 3: restart the vCenter service from https://<VCSAIP>:5480/#virtualcenter.summary to complete the domain join.
Figure 4: after completing the VCSA steps above, open the AD Users and Computers console; the corresponding computer account for the VCSA is now present in the domain.
Figure 5: use a browser to log on to the vSphere Web Client at https://<VCSAIP>:9443/vsphere-client. You need an account with SSO permissions, such as administrator@vsphere.local (default password vmware).
Figure 6: in the SSO configuration, open the Identity Sources tab and click the green plus sign to add an identity source.
Figure 7: because the identity source requires distinguished names (DN), we use the Sysinternals AD Explorer tool to obtain the user DN and the group DN.
Figure 8: for example, if the users live in the OU vcuser, double-click distinguishedName and copy its value.
Figure 9: the Base DN for users is the value copied in Figure 8, and the Base DN for groups is taken from a user group. For the primary server URL you can use port 3268 of the Microsoft Global Catalog service. After the connection test succeeds, click OK.
Figure 10: switch to the newly added domain under SSO Users and Groups to verify that the user information has synchronized; what is displayed matches the information in the AD domain.
Figure 11: grant permissions on vCenter objects.
Figure 12: select the newly added domain, select the user, and click Add. The final result is as expected.
Figure 13: vCenter can now be managed with the newly added users.
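As an added example (not code from the original post), the PowerShell script below gathers the same values that the identity source form in Figures 8 and 9 asks for, instead of copying them by hand from AD Explorer, and checks which directory ports the domain controller exposes. The domain name, the group OU name and the bind account name are placeholders I assumed; it requires the RSAT ActiveDirectory module on a domain-joined Windows host.

```powershell
# Added example, not code from the original post. Gathers the values the vSphere 5.5
# SSO identity source form (Figures 8 and 9) asks for, and checks which directory
# ports the chosen domain controller exposes.
# Requires the RSAT ActiveDirectory module on a domain-joined Windows host.
Import-Module ActiveDirectory

$Domain      = 'corp.example.com'   # assumed domain name (placeholder)
$UserOuName  = 'vcuser'             # OU named in Figure 8
$GroupOuName = 'vcgroup'            # assumed OU holding vCenter groups (placeholder)
$BindAccount = 'svc-vcsa-ldap'      # assumed read-only bind account (placeholder)

# Locate a domain controller to query; the identity source can point at any DC/GC.
$dc = [string](Get-ADDomainController -DomainName $Domain -Discover).HostName

# distinguishedName values that the form calls "Base DN for users/groups".
$userBaseDn  = (Get-ADOrganizationalUnit -Filter "Name -eq '$UserOuName'"  -Server $dc).DistinguishedName
$groupBaseDn = (Get-ADOrganizationalUnit -Filter "Name -eq '$GroupOuName'" -Server $dc).DistinguishedName
$bindUserDn  = (Get-ADUser -Identity $BindAccount -Server $dc).DistinguishedName

# The post uses Global Catalog port 3268 (plain LDAP). 3269 is the Global Catalog
# over TLS; 389/636 are the per-domain LDAP/LDAPS ports. Check which are reachable.
$ports = foreach ($port in 389, 636, 3268, 3269) {
    $probe = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $port; Open = $probe.TcpTestSucceeded }
}
$ports | Format-Table -AutoSize

# Prefer the TLS Global Catalog port so the bind credentials do not cross the network
# in clear text; fall back to the post's ldap://...:3268 only if 3269 is closed.
$urlTemplate = if (($ports | Where-Object Port -eq 3269).Open) { 'ldaps://{0}:3269' } else { 'ldap://{0}:3268' }

# Values to enter in the "Active Directory as an LDAP Server" identity source form.
[pscustomobject]@{
    'Domain name'        = $Domain
    'Base DN for users'  = $userBaseDn
    'Base DN for groups' = $groupBaseDn
    'Primary server URL' = $urlTemplate -f $dc
    'Username'           = $bindUserDn   # DN of the read-only bind account
} | Format-List
```

The bind account only needs read access to the two base DNs, so a dedicated low-privilege service account is preferable to a domain administrator.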
Summary:
1. Joining a domain is much more complex on VCSA 5 than on VCSA 6. Fortunately, this operation is supported from VCSA 5.5 onward; versions earlier than 5.5 do not support it.
2. AD has many advantages; in this scenario it serves as the "account book".
3. Exchange account information through port 3268 of the Microsoft Global Catalog rather than through LDAP port 389.
4. For special information such as DNs, we use AD Explorer to read the values.
5. As infrastructure, Microsoft products are not just operating systems; they also hold the logical information of an organization.