When you're in front of a host where the ESXi root password has been lost, how to reset an ESXi root password might be the first question you're asking, right? A while back we posted a way of doing it via VMware Host Profiles, but not everyone has Enterprise Plus licensing, which includes Host Profiles.

This post will teach you how to reset the ESXi root password, but there is one condition: the host must be managed via vCenter Server and you must still have access to your vCenter. You can gain administrative access to your ESXi host via Microsoft AD by joining the host to the AD domain, and we'll show you how (plus some troubleshooting tips).

If the host is not managed via vCenter then the only supported way is to reinstall your host. I know that there are other methods (with Linux boot CD) but remember that the only official way to reset the ESXi root password, according to VMware KB1317898, is reinstalling the ESXi host.

Let's continue with today's post where we'll show the steps for ESXi Password Reset via Microsoft AD. Without further wait, here are the steps:

Step 1: First, log in to your vCenter with the vSphere Web Client and select your ESXi host > Configure > System > Authentication Services > Join Domain.

Enter the domain name and user credentials for your environment > click OK.

Note: At this moment your host should appear in the default computer account in your AD. You can check your Microsoft AD console on your domain controller for that. Make sure that you refresh your view.

If you're experiencing problems, verify that you have correctly configured your DNS settings, such as Domain, preferred DNS server or Search Domains. You can find those settings by selecting your host > Configure > TCP/IP configuration > DNS tab.

You should also make sure that on your DNS server you have created static forward AND reverse DNS records for your host. DNS can be a pain if configured wrong. Good DNS resolution is a good start for a healthy vSphere setup.

NTP is also an important configuration step. ESXi should use, when possible, an external source of time.

TIP: How to configure ESXi 6.5 Network Time Protocol (NTP) via Host Client?

Let's get back to our article, where we originally discussed the possibility of resetting the ESXi root password via Microsoft AD.

Step 2: Go to your Domain controller and create a Global Security group called “ESX Admins” > Make a domain administrator part of this group.

Note: The name of this group can be changed (for security purposes). I'll show you at the end of the post….

Step 3: Log in directly to the host using the vSphere Client or vSphere Host Client, and use the domain admin account for that. Then go to the Users tab > Right-click > Edit > Check the box “Change password” and change the local root password.

We have successfully changed the root password.

Use a different name than the default “ESX Admins”

For some environments you might need to use a different name than the default one, “ESX Admins”. To use a different group name, before joining the host to a domain, go to your Microsoft AD and create the group with the name you want. Then log in to your vCenter Server via the vSphere Web Client > Select your host > Configure > Advanced System Settings > Edit.

Enter this to the search box to filter:

Config.HostAgent.plugins.hostsvc.esxAdminsGroup

Change the name.
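
The same advanced setting can be read and changed from PowerCLI, which helps when several hosts need checking. This is an added example, not part of the original post: it assumes VMware PowerCLI with an existing Connect-VIServer session, and the function name, host name and group name 'vSphere-Host-Admins' are hypothetical.

```powershell
# Added example: report which AD group each ESXi host treats as host
# administrators, and optionally rename it.
# Assumes VMware PowerCLI is loaded and Connect-VIServer has already been run.
function Invoke-EsxAdminsGroupCheck {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Hosts to inspect; defaults to every host in the connected vCenter.
        [Parameter(ValueFromPipeline)]
        $VMHost = (Get-VMHost),
        # Optional new group name. Create the group in AD first, and set the
        # name before joining the host to the domain, as described above.
        [string]$NewGroupName
    )
    process {
        $settingName = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
        foreach ($h in $VMHost) {
            $setting = Get-AdvancedSetting -Entity $h -Name $settingName
            $auth    = Get-VMHostAuthentication -VMHost $h

            if ($NewGroupName -and $setting.Value -ne $NewGroupName) {
                if ($PSCmdlet.ShouldProcess($h.Name, "Set $settingName to '$NewGroupName'")) {
                    $setting = Set-AdvancedSetting -AdvancedSetting $setting `
                        -Value $NewGroupName -Confirm:$false
                }
            }

            # One row per host, so leftover defaults are easy to spot.
            [pscustomobject]@{
                Host             = $h.Name
                Domain           = $auth.Domain
                MembershipStatus = $auth.DomainMembershipStatus
                AdminsGroup      = $setting.Value
                StillDefault     = ($setting.Value -eq 'ESX Admins')
            }
        }
    }
}

# Report only, across all hosts:
Get-VMHost | Invoke-EsxAdminsGroupCheck | Format-Table -AutoSize

# Rename on one host; -WhatIf previews the change without applying it:
# Get-VMHost -Name 'esxi01.lab.local' |
#     Invoke-EsxAdminsGroupCheck -NewGroupName 'vSphere-Host-Admins' -WhatIf
```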

Troubleshooting

It may happen that the ESX Admins group does not show up in the Permissions tab on the ESXi host. I had an issue on one of my lab hosts. I had to add this permission manually. Right-click the white space > Add > select your domain from the drop-down menu > search for the group in your AD.

I have also recorded a short video to document the process. Best to watch in Full Screen and HD (1080p). Thanks for watching.
