You can configure a host to use a directory service such as Active Directory to manage users and groups.

When you add an ESXi host to Active Directory all user and group accounts are assigned full administrative access to the host if the group ESX Admins exists. If you do not want to make full administrative access available, see VMware Knowledge Base article 1025569 for a workaround.


When you define user account settings in Active Directory, you can limit the computers that a use can log in to by the computer name. By default, no equivalent restrictions are set on a user account. If you set this limitation, LDAP Bind requests for the user account fail with the message LDAP binding not successful, even if the request is from a listed computer. You can avoid this issue by adding the netBIOS name for the Active Directory server to the list of computers that the user account can log in to.

Verify that you have an Active Directory domain. See your directory server documentation.

Verify that the host name of ESXi is fully qualified with the domain name of the Active Directory forest.

fully qualified domain name = host_name.domain_name


Synchronize the time between ESXi and the directory service system using NTP.

See Configure a Windows NTP Client for Network Clock Synchronization or the VMware Knowledge Base for information about how to synchronize ESXi time with a Microsoft Domain Controller.


Ensure that the DNS servers you configured for the host can resolve the host names for the Active Directory controllers.


Browse to the host in the vSphere Web Client object navigator.


Click the Manage tab and click DNS and Routing under Networking.


Click Edit.


In the DNS and Routing Configuration dialog box, verify that the host name and DNS server information for the host are correct.

Use the vSphere Web Client to join a directory service domain.