Virtualization, Cloud, Infrastructure and all that stuff in-between
My ramblings on the stuff that holds it all together
Joining an ESX host to the domain without rebooting
I found recently that, despite the KB article saying no reboot is required, my ESX hosts would not authenticate AD users unless they were rebooted.
To work around this, you can use the following PowerShell (PowerCLI) code to restart the relevant services without rebooting the host.
Get-VMHost $esx | Get-VMHostService | where {$_.Key -eq "lwiod"} | Restart-VMHostService -Confirm:$false
Get-VMHost $esx | Get-VMHostService | where {$_.Key -eq "netlogond"} | Restart-VMHostService -Confirm:$false
Get-VMHost $esx | Get-VMHostService | where {$_.Key -eq "lsassd"} | Restart-VMHostService -Confirm:$false
Get-VMHost $esx | Get-VMHostService | where {$_.Key -eq "lbtd"} | Restart-VMHostService -Confirm:$false
Feel free to reuse the whole script, but do so at your own risk. (Download the file and rename it to .ps1.)
# http://vinf.net Simon Gallagher (@vinf_net)
# Script to join all ESX hosts in a vCenter to the domain, adding a specific group into a vSphere advanced setting to add the YOUR_AD_GROUP group to the local ESX admins group on the ESX host
# Version 1.0
function ESXDomainJoin ([STRING]$doVC)
{
    connect-viserver $doVC -credential $vCenterAcct # connect to vCenter using the credentials we stored earlier
    $esxHosts = get-VMHost # list all the hosts in this vCenter, then do something with them
    foreach ($esx in $esxHosts) {
        Write-Host "Doing domain join on $esx" -ForegroundColor Green
        $esxParam = "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" # the advanced setting we want to change to the AD group
        $esxValue = "YOUR_AD_GROUP" # the name of the group we want to add to the setting
        Get-VMHost $esx | Get-AdvancedSetting -Name $esxParam | Set-AdvancedSetting -Value $esxValue -Confirm:$false #-WhatIf # set it and don't ask 1st
        # set DNS domain name (required for domain join)
        Get-VMHostNetwork -VMHost $esx | Set-VMHostNetwork -DomainName your.domain.com #-WhatIf
        # join domain using build account
        Get-VMHostAuthentication -VMHost $esx | Set-VMHostAuthentication -Domain your.domain.com -User $buildAcct.GetNetworkCredential().UserName -Password $buildAcct.GetNetworkCredential().Password -JoinDomain -Confirm:$false #-WhatIf
        # Restart services so that the YOUR_AD_GROUP group gets automatically ACLd on local host without a reboot
        # takes 2-5mins to apply from AD after services are restarted, but then you should be able to logon using VI client/SSH to an individual ESX host using your AD creds
        Write-Host "Restarting services on $esx.." -ForegroundColor Green
        Get-VMHost $esx | Get-VMHostService | where {$_.Key -eq "lwiod"} | Restart-VMHostService -Confirm:$false
        Get-VMHost $esx | Get-VMHostService | where {$_.Key -eq "netlogond"} | Restart-VMHostService -Confirm:$false
        Get-VMHost $esx | Get-VMHostService | where {$_.Key -eq "lsassd"} | Restart-VMHostService -Confirm:$false
        Get-VMHost $esx | Get-VMHostService | where {$_.Key -eq "lbtd"} | Restart-VMHostService -Confirm:$false
        write-host "Completed restarting services, domain logon should be available in 5mins on $esx" -ForegroundColor Green
    }
    disconnect-viserver * -Force # disconnect from all vCenters to be safe (get-VMhost connects to all vCenters you are connected to)
    Write-Host "Done!" -ForegroundColor Green
} # end of function

# ----------- Start
write-host "Disconnecting from all current vCenter servers, just to be safe" -ForegroundColor Green
disconnect-viserver * -Force # disconnect from everything at the start, just to be safe
# build password list to work with
$vCenterAcct = Get-Credential -Message "Please enter credentials for vCenter administrator account"
$buildAcct = Get-Credential -Message "Please enter credentials to join machines to domain"
# now call the function for each vCenter in-turn
ESXDomainJoin "FQDN_OF_YOUR_VCENTER"
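Because the join only takes effect a few minutes after the service restarts, it is worth auditing each host afterwards rather than assuming it worked. The following is an added example (not part of the original post or script) that polls every host in the connected vCenter and reports whether the domain membership, the esxAdminsGroup setting and the four restarted services look right; it assumes an existing Connect-VIServer session, that your.domain.com and YOUR_AD_GROUP are replaced with the same values used in the join script, and that a healthy join reports DomainMembershipStatus of "Ok".

```powershell
# Added example, not from the original post: verify the domain join on every host.
# Assumes an active PowerCLI session and the same placeholder values as the join script.
function Test-ESXDomainJoin {
    param(
        [string]$ExpectedDomain = 'your.domain.com',   # placeholder, same as join script
        [string]$ExpectedGroup  = 'YOUR_AD_GROUP',     # placeholder, same as join script
        [string[]]$Services     = @('lwiod', 'netlogond', 'lsassd', 'lbtd')
    )
    $settingName = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
    foreach ($esx in Get-VMHost) {
        $auth  = Get-VMHostAuthentication -VMHost $esx
        $group = (Get-AdvancedSetting -Entity $esx -Name $settingName).Value
        # Any of the four services that did not come back after the restart
        $stopped = @(Get-VMHostService -VMHost $esx |
            Where-Object { $Services -contains $_.Key -and -not $_.Running } |
            ForEach-Object { $_.Key })
        [pscustomobject]@{
            Host            = $esx.Name
            Domain          = $auth.Domain
            MembershipOK    = ($auth.Domain -eq $ExpectedDomain -and
                               $auth.DomainMembershipStatus -eq 'Ok')   # assumed status string
            AdminsGroupOK   = ($group -eq $ExpectedGroup)
            StoppedServices = ($stopped -join ',')
        }
    }
}

# Poll for up to 5 minutes, since the post notes AD membership takes 2-5 mins to apply.
$deadline = (Get-Date).AddMinutes(5)
do {
    $bad = @(Test-ESXDomainJoin | Where-Object {
        -not ($_.MembershipOK -and $_.AdminsGroupOK) -or $_.StoppedServices })
    if ($bad) {
        $bad | Format-Table -AutoSize
        Start-Sleep -Seconds 30
    }
} while ($bad -and (Get-Date) -lt $deadline)

if ($bad) { Write-Warning "$($bad.Count) host(s) still not correctly joined" }
else      { Write-Host 'All hosts joined and services running' -ForegroundColor Green }
```

A host that shows the right domain but a wrong AdminsGroupOK means AD logons will work but the intended group will not get the local admin ACL, which is worth catching before handing the hosts over.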