I am trying to apply a host profile via a PowerShell script that will add an ESXi host to my Active Directory domain.
$vCenter = Read-Host "Enter vCenter"
$esxhost = Read-Host "Enter FQDN of the ESXi host"
$ADdomaincreds = $host.ui.PromptForCredential("Enter Credentials", "Please enter your Active Directory username and password.", "", "")
$hostprofile = Read-Host "Enter HostProfile to apply"
#CONVERT SECURESTRING
$CONVERT_AD_PASSWORD = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($ADdomaincreds.Password)
$AD_PASSWORD = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($CONVERT_AD_PASSWORD)
Connect-VIServer $vCenter
$hostprof = Get-VMHostprofile -Name $hostprofile
$applyhost = Get-VMHost $esxhost
Set-VMHost -VMHost $applyhost -State "maintenance"
$additionalConfiguration = Apply-VMHostProfile -ApplyOnly -Profile $hostprof -Entity $applyhost -Confirm:$false
$additionalConfiguration = $ADdomaincreds.username
$additionalConfiguration= $AD_PASSWORD
$additionalConfiguration = Apply-VMHostProfile -Profile $hostprof -Entity $applyhost -Variable $additionalConfiguration -Confirm:$false
It runs with no errors, but when I look at the ESXi host it still says it is using Local Authentication. If I apply the host profile via the VI Client, it works with no issue. Is there anything else I need to set in the variable?
I have also tried using LucD's Set-VMHostADDomain function. That works, however, if I then apply my host profile to finish configuring the other components such as syslog, ntp, etc, the authentication gets reset to local authentication after a reboot.
Hi,
There is a bug in the Apply-VMHostProfile cmdlet that is already filed in our bug tracking system. The fix will be available in a future release.
The issue is caused by using the wrong version of the API (4.0), which doesn't have support for Active Directory operations.
Here are the possible workarounds:
1. Join the domain without using the host profile functionality. Here is a simple script that can do that for you:
function JoinDomainWithAD ($vmhost, $domainName, $domainUser, $domainPassword) {
    # Resolve the host's authentication manager through the vSphere API views
    $vmhostView = Get-View -id $vmhost.ID
    $authenticationManagerView = Get-View $vmhostView.ConfigManager.AuthenticationManager
    # Pick the Active Directory store among the supported authentication stores
    $hostActiveDirectoryAuthenticationMoRef = $authenticationManagerView.SupportedStore | where { $_.Type -eq 'HostActiveDirectoryAuthentication' }
    $hostActiveDirectoryAuthentication = Get-View $hostActiveDirectoryAuthenticationMoRef
    # Join the domain with the supplied account
    $hostActiveDirectoryAuthentication.JoinDomain($domainName, $domainUser, $domainPassword)
}
2. Implement host profiles solution with direct API calls (Get-View)
Let me know if you need anything else.
Regards,
Nedko Nedev
PowerCLI Development Team
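The question's script "runs with no errors" while the host stays on local authentication, and it leaves the decrypted password in a BSTR that is never freed. The following is an added example, not code from the thread or from VMware: it wraps the JoinDomainWithAD lookup so the password is decrypted only for the call, the unmanaged copy is zeroed afterwards, and the host's reported join state is read back. The function name Join-VMHostToDomainSafely and the domain example.test are hypothetical.

```powershell
# Added example; function and parameter names are hypothetical.
function Join-VMHostToDomainSafely {
    param(
        [Parameter(Mandatory)] $VMHost,               # object returned by Get-VMHost
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [System.Management.Automation.PSCredential] $Credential
    )

    # Same view lookup as the JoinDomainWithAD workaround above.
    $hostView = Get-View -Id $VMHost.Id
    $authMgr  = Get-View $hostView.ConfigManager.AuthenticationManager
    $adRef    = $authMgr.SupportedStore |
                Where-Object { $_.Type -eq 'HostActiveDirectoryAuthentication' }
    $adAuth   = Get-View $adRef

    # Decrypt the SecureString only for the duration of the API call.
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Credential.Password)
    try {
        $plain = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $adAuth.JoinDomain($DomainName, $Credential.UserName, $plain)
    }
    finally {
        # Overwrite and release the unmanaged copy. The managed string cannot be
        # wiped; dropping the reference only makes it eligible for collection.
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }

    # Re-read the host's state instead of trusting the absence of errors.
    $adAuth.UpdateViewData()
    [pscustomobject]@{
        Host             = $VMHost.Name
        Enabled          = $adAuth.Info.Enabled
        JoinedDomain     = $adAuth.Info.JoinedDomain
        MembershipStatus = $adAuth.Info.DomainMembershipStatus
    }
}

# Usage (requires an active Connect-VIServer session):
# $cred   = Get-Credential
# $result = Join-VMHostToDomainSafely -VMHost (Get-VMHost $esxhost) -DomainName 'example.test' -Credential $cred
# if ($result.JoinedDomain -ne 'example.test') { Write-Warning "Join not effective on $($result.Host)" }
```

Running the same read-back after applying a host profile and rebooting shows whether the profile has reset the host to local authentication.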
The host profile you are using obviously was not created from a host that was already joined to an AD domain.
That is why you're back to local authorisation after you apply the profile.
The -Variable parameter on the Apply-VMHostProfile cmdlet should be used to pass values for any variables in the host profile. For example the name of the domain to join, the account and password to perform the join...
And this parameter expects a hash table, not a simple variable.
I have to admit that host profiles from PowerCLI are not completely clear to me yet.
____________
Blog: LucD notes
Twitter: lucd22
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
So I changed my script to use a hashtable:
$additionalConfiguration = @{
'authentication.activeDirectory.ADUserNamePolicy.userName' = $ADdomaincreds.username
'authentication.activeDirectory.ADPasswordPolicy.password'= $AD_PASSWORD
}
$additionalConfiguration = Apply-VMHostProfile -Profile $hostprof -Entity $applyhost -Variable $additionalConfiguration -Confirm:$false
It still didn't add it to the domain. I then changed my host profile so that it would also need my vMotion IP because I wanted to see if any of these variables would work.
$additionalConfiguration = @{
'network.hostPortGroup.ipConfig.IpAddressPolicy.address' = '192.168.199.11'
'network.hostPortGroup.ipConfig.IpAddressPolicy.subnetmask' = '255.255.255.0'
'authentication.activeDirectory.ADUserNamePolicy.userName' = $ADdomaincreds.username
'authentication.activeDirectory.ADPasswordPolicy.password'= $AD_PASSWORD
}
When I ran it with this, it successfully set my VMotion IP but still no success with adding to the domain.
I have been playing with the ExecuteHostProfile method from the SDK to get the AD authentication configured, but to no avail.
Then I tried from the vSphere client, while using Onyx, to see what methods were used. But even with the vSphere client setting up AD Authentication doesn't work.
I was prompted for a user/password to perform the join but the form just stayed there and nothing happened.
And in Onyx I saw the following method call coming through
$hostParam = New-Object VMware.Vim.ManagedObjectReference
$hostParam.type = "HostSystem"
$hostParam.value = "host-26622"
$_this.ExecuteHostProfile($hostParam, $null)
which is definitely incorrect since the 2nd parameter should hold the values provided through the user prompt and not $null!
I'm pretty sure we're looking at a bug here.
Is this issue fixed in 5.1?
There is a bug in the Apply-VMHostProfile cmdlet that is already filed in our bug tracking system. The fix will be available in a future release.
The issue is caused by using the wrong version of the API (4.0), which doesn't have support for Active Directory operations.