Virtualization, Cloud, Infrastructure and all that stuff in-between

My ramblings on the stuff that holds it all together

Joining an ESX host to the domain without rebooting

I found recently that, despite the KB article saying no reboot is required, my ESX hosts would not authenticate AD users unless they were rebooted.

To work around this, you can use the following PowerShell (PowerCLI) code to restart the relevant authentication services on the host without rebooting it.

Get-VMHost $esx | Get-VMHostService | Where-Object {$_.Key -eq "lwiod"} | Restart-VMHostService -Confirm:$false
Get-VMHost $esx | Get-VMHostService | Where-Object {$_.Key -eq "netlogond"} | Restart-VMHostService -Confirm:$false
Get-VMHost $esx | Get-VMHostService | Where-Object {$_.Key -eq "lsassd"} | Restart-VMHostService -Confirm:$false
Get-VMHost $esx | Get-VMHostService | Where-Object {$_.Key -eq "lbtd"} | Restart-VMHostService -Confirm:$false

Feel free to reuse the whole script, but do so at your own risk. (Download file, then rename it to .ps1.)

# http://vinf.net Simon Gallagher (@vinf_net)
# Script to join all ESX hosts in a vCenter to the domain, adding a specific group into a vSphere advanced setting to add the YOUR_AD_GROUP group to the local ESX admins group on the ESX host

#Version 1.0

# Requires VMware PowerCLI; load it if the cmdlets are not already available
# (older PowerCLI releases used Add-PSSnapin VMware.VimAutomation.Core instead of Import-Module)
if (-not (Get-Command Connect-VIServer -ErrorAction SilentlyContinue)) { Import-Module VMware.VimAutomation.Core }

function ESXDomainJoin ([string]$doVC)
{
    Connect-VIServer $doVC -Credential $vCenterAcct
    #connect to vCenter using the credentials we stored earlier

    $esxHosts = Get-VMHost #list all the hosts in this vCenter, then do something with them

    foreach ($esx in $esxHosts) {

        Write-Host "Doing domain join on $esx" -ForegroundColor Green
        $esxParam = "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" # the advanced setting we want to change to the AD group
        $esxValue = "YOUR_AD_GROUP" #the name of the group we want to add to the setting
        Get-VMHost $esx | Get-AdvancedSetting -Name $esxParam | Set-AdvancedSetting -Value $esxValue -Confirm:$false #-WhatIf # set it and don't ask 1st
        #set DNS domain name (required for domain join)
        Get-VMHostNetwork -VMHost $esx | Set-VMHostNetwork -DomainName your.domain.com #-WhatIf
        #join domain using build account
        Get-VMHostAuthentication -VMHost $esx | Set-VMHostAuthentication -Domain your.domain.com -User $buildAcct.GetNetworkCredential().UserName -Password $buildAcct.GetNetworkCredential().Password -JoinDomain -Confirm:$false #-WhatIf
        #Restart services so that the YOUR_AD_GROUP group gets automatically ACLd on local host without a reboot
        # takes 2-5mins to apply from AD after services are restarted, but then you should be able to logon using VI client/SSH to an individual ESX host using your AD creds
        Write-Host "Restarting services on $esx.." -ForegroundColor Green
        Get-VMHost $esx | Get-VMHostService | Where-Object {$_.Key -eq "lwiod"} | Restart-VMHostService -Confirm:$false
        Get-VMHost $esx | Get-VMHostService | Where-Object {$_.Key -eq "netlogond"} | Restart-VMHostService -Confirm:$false
        Get-VMHost $esx | Get-VMHostService | Where-Object {$_.Key -eq "lsassd"} | Restart-VMHostService -Confirm:$false
        Get-VMHost $esx | Get-VMHostService | Where-Object {$_.Key -eq "lbtd"} | Restart-VMHostService -Confirm:$false
        Write-Host "Completed restarting services, domain logon should be available in 5mins on $esx" -ForegroundColor Green
    }
    Disconnect-VIServer * -Force #disconnect from all vCenters to be safe (Get-VMHost returns hosts from every vCenter you are connected to)
    Write-Host "Done!" -ForegroundColor Green
} #end of function

#----------- Start

Write-Host "Disconnecting from all current vCenter servers, just to be safe" -ForegroundColor Green
Disconnect-VIServer * -Force # disconnect from everything at the start, just to be safe

#build password list to work with
$vCenterAcct = Get-Credential -Message "Please enter credentials for vCenter administrator account"
$buildAcct = Get-Credential -Message "Please enter credentials to join machines to domain"

#now call the function for each vCenter in-turn
ESXDomainJoin "FQDN_OF_YOUR_VCENTER"
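Because the esxAdminsGroup setting hands every member of that AD group administrator rights on each host, it is worth confirming after the run that the join actually took, that the setting holds the intended group and nothing else, and that the restarted services came back up. The following check is an added example and not part of the original post or the vinf.net script; the function name Test-ESXDomainJoin, its parameters and the Healthy/StoppedServices output columns are my own choices, and it assumes PowerCLI is loaded and the caller has read access to the vCenter.

```powershell
# Added verification check (not from the original post). Reports, per host, the AD
# domain membership status, the current esxAdminsGroup value and any of the
# authentication services that are not running after the restart.
function Test-ESXDomainJoin {
    param(
        [Parameter(Mandatory = $true)][string]$VCenter,              # vCenter FQDN
        [Parameter(Mandatory = $true)][string]$ExpectedDomain,       # e.g. your.domain.com
        [Parameter(Mandatory = $true)][string]$ExpectedAdminsGroup,  # e.g. YOUR_AD_GROUP
        [string[]]$Services = @('lwiod', 'netlogond', 'lsassd', 'lbtd')  # services the join script restarts
    )

    $vi = Connect-VIServer -Server $VCenter

    foreach ($esx in Get-VMHost -Server $vi) {
        # Domain membership as the host itself reports it (Ok means the trust is in place)
        $auth = Get-VMHostAuthentication -VMHost $esx

        # The group that is mapped to the local ESX admins group; anything other than the
        # expected value is a privilege-grant you did not intend
        $adminsGroup = (Get-AdvancedSetting -Entity $esx -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup').Value

        # Any of the restarted services that did not come back
        $stopped = Get-VMHostService -VMHost $esx |
            Where-Object { $Services -contains $_.Key -and -not $_.Running } |
            Select-Object -ExpandProperty Key

        $joined  = ($auth.DomainMembershipStatus -eq 'Ok') -and ($auth.Domain -ieq $ExpectedDomain)
        $groupOk = $adminsGroup -ieq $ExpectedAdminsGroup

        [pscustomobject]@{
            Host             = $esx.Name
            Domain           = $auth.Domain
            MembershipStatus = $auth.DomainMembershipStatus
            EsxAdminsGroup   = $adminsGroup
            StoppedServices  = ($stopped -join ',')
            Healthy          = ($joined -and $groupOk -and (-not $stopped))
        }
    }

    Disconnect-VIServer -Server $vi -Confirm:$false
}

# Usage: one row per host; any row with Healthy = False needs a closer look.
# Test-ESXDomainJoin -VCenter 'FQDN_OF_YOUR_VCENTER' -ExpectedDomain 'your.domain.com' -ExpectedAdminsGroup 'YOUR_AD_GROUP' | Format-Table -AutoSize
```

Run it a few minutes after the join script, since the post notes that AD takes 2-5 minutes to apply after the services restart; a host that still shows a membership status other than Ok, or a stopped lsassd, is the one that would otherwise send you back to a reboot.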
