If I join esxi to an Active Directory domain, how does it choose which DC to authenticate to?

networking authentication active-directory vmware-esxi domain-controller

ESXi (just like any other system) will always allow local authentication (i.e. the local root user and any local user account you created) when other authentication methods are unavailable; if you have local credentials, you'll always be able to login to an ESXi server, even if vCenter, AD, or whatever else is not available.

Documentation:

http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-D7AEC653-EBC8-4573-B990-D8E58742F8ED.html


My experience with ESXi AD integration (actually Likewise) is it can be flaky. It's probably fine for small, simple topologies, but it can fall down with more complex, distributed topologies. In every case for me, a vanilla computer can join or authenticate with AD just fine using the same connection or network segment when ESXi is exhibiting issues.

Your best bet is to enable the logging for the Likewise components, otherwise you aren't going anywhere when there is an issue. And you can't do this through the UI, get the CLI.

Enabling logging for Likewise agents on ESXi/ESX (1026554)
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1026554

Regarding the "how" is it should be doing exactly what a Windows client does, and follow the DC Locator process. I would suspect it is not, or is deviating in some way.

Domain Controller Location Process
http://technet.microsoft.com/en-us/library/cc978011.aspx


Notes Regarding ESX(i) AD Integration:

What i've discovered (on ESXi 5.0) is when joining the ESXi host to the domain (GUI) the process via Likewise agent (on host) enumerates the trusted domains and domain controllers at the time of the join and populates a file in /etc/likewise/krb5-affinity.conf with each child/domain and associated DC.

The process seems to only enumerate the domain at that single point in time. Examining the file showed me that the listed DC's were never automatically updated because there were many old DC IPs that were decommissioned or replaced and still in that list.

Related

Domain Controllers as internal DNS servers
Local php.ini not overriding main php.ini
Session lost in tomcat uing nginx as proxy
Complete Active Directory redesign and GPO application
How can you install puppet on CentOS 7
Redirect to HTTPS and Apex Domain with Nginx location Configuration
Will a Local System service notice changes to environment variables in Windows 2008 R2 without a reboot?
Postfix and compromised accounts
SFTP-server uploaded files having wrong rights
Allowing outgoing connections to a particular IP with ufw
Strange access requests
Can a PXE+DHCP server exist on one network and boot machines on another?