I was recently reminded of the importance of Active Directory Sites and Services as it relates to micro-segmentation. I was working on an engagement where an organization wanted to implement a zero-trust / micro-segmentation policy by default. As part of this effort, they created a new network with default deny/any firewall rules. The first system to be deployed to this network was a vCenter Server 6.7 system using Integrated Windows Authentication (IWA). Note: IWA is deprecated in vCenter Server 7.0 and will be removed in a future release per https://kb.vmware.com/s/article/78506.
When using IWA, a vCenter Server is joined to the domain, similar to a Windows client system. To support this configuration, a firewall rule was added to allow the client (vCenter Server) to access Active Directory servers in the local site (and the remote domain controller hosting the PDC Emulator role, to support password changes). All ports documented at http://ports.vmware.com were included in the rule, but for ‘Active Directory Domain Controllers’ only a subset of the environment’s domain controllers was listed.
Attempts to join the domain were failing with a generic error message. We attempted to join from the command line instead, with syntax similar to:
/opt/likewise/bin/domainjoin-cli join domain.com Domain_Administrator Password
This returned an error indicating that the domain was not reachable. As part of troubleshooting, all domain controllers from the necessary domains were added to the domain controller rule on the firewall. This attempt was successful — indicating that a non-local domain controller was being contacted for our domain join. We checked the status of our vCenter Server Likewise configuration with this command:
This confirmed that the domain controller in use was not part of the local site. That’s when we checked Active Directory Sites and Services. Remember how I said this was a new network? The subnet had not been defined in AD Sites and Services, so the client didn’t know which site to use. A new subnet was created in AD Sites and Services and mapped to the correct (local) site. The temporary firewall rule was reverted (so the rule again listed only the local DCs and the PDC Emulator) and the domain join was retried — SUCCESS!
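The site lookup behind this failure, as an added example that is not part of the original post (all site names, DC names and addresses are constructed): a longest-prefix match of the client address against the AD subnet objects, and the domain controller allow-list a site-scoped, default-deny firewall rule should therefore contain.

```python
import ipaddress

# Constructed sample data (hypothetical names, not from the post): subnet
# objects as defined in AD Sites and Services, the DCs in each site, and the
# PDC emulator. The new micro-segmented network 10.30.7.0/24 is left undefined.
AD_SUBNETS = {
    "10.10.0.0/16": "HQ",
    "10.10.5.0/24": "HQ-DMZ",  # more specific prefix wins over 10.10.0.0/16
    "10.20.0.0/16": "Branch",
}
SITE_DCS = {
    "HQ": ["dc1.example.com", "dc2.example.com"],
    "HQ-DMZ": ["dc3.example.com"],
    "Branch": ["dc4.example.com"],
}
PDC_EMULATOR = "dc1.example.com"


def site_for_ip(ip, subnets=AD_SUBNETS):
    """Longest-prefix match of a client IP against the defined AD subnets.
    Returns the site name, or None when no subnet covers the IP (the state
    in the post: the client cannot tell which site it belongs to)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def dc_allowlist(ip, subnets=AD_SUBNETS, site_dcs=SITE_DCS, pdc=PDC_EMULATOR):
    """Minimal DC set a default-deny rule must permit for a client at ip: the
    DCs of its own site plus the PDC emulator (password changes). With no site
    match the locator may pick any DC, so None means: define the subnet first."""
    site = site_for_ip(ip, subnets)
    if site is None:
        return None
    return sorted(set(site_dcs.get(site, [])) | {pdc})


def check_contacted_dc(ip, contacted_dc, subnets=AD_SUBNETS, site_dcs=SITE_DCS):
    """Given the DC the client actually used (e.g. from the Likewise status
    output), report whether a site-scoped rule would have allowed it."""
    site = site_for_ip(ip, subnets)
    if site is None:
        return f"{ip} matches no AD subnet; define it in Sites and Services"
    if contacted_dc not in site_dcs.get(site, []):
        return f"{contacted_dc} is not in site {site}; a local-DC rule blocks it"
    return f"{contacted_dc} is in site {site}; a local-DC rule allows it"
```

Running `dc_allowlist` for an address on the undefined 10.30.7.0/24 network returns None; after adding that subnet to the HQ site it returns the two HQ DCs (the PDC emulator is already one of them).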
A few other relevant settings came up while investigating this issue, but were not required for this specific engagement. I’m including them below as I believe they could be relevant depending on the micro-segmentation project.
- DomainManagerExcludeTrustList — https://kb.vmware.com/s/article/79649
- BlacklistedDCs — https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3b-release-notes.html