Cynomus
Contributor

Any way to use Set-VMHostAuthentication in a Multi-domain AD?

Set-VMHostAuthentication asks for -Domain -User -Password

However it appears that it expects the -User Account to ALWAYS be a member of the stated -Domain.

Therefore I can't get a user account in a Trusted Domain to be able to add an ESXi host across domains.

Anyone have any ideas on how to crack that nut?

5 Replies
LucD
Leadership

How many hops are there between the 2 AD domains?

Afaik there is some kind of limitation, see KB2064250, but I could be wrong on this one.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Cynomus
Contributor

I am going to have a user in the other domain try the same procedure via the GUI to see if the error is the same. Certainly an interesting thought; however, considering that the Set-VMHostAuthentication -User variable won't accept any domain reference, only an account name, I'm not sure how this could be tested?

LucD
Leadership

Did you already try with the Domain parameter?


Cynomus
Contributor

Here is essentially how I am using it in a build script. I'll omit all the assorted error checking and variable assignment content to simplify reading; I think the $VariableNames speak for themselves.

Note $ADUserName and $ADDomain are correctly extracted from a $host.ui.PromptForCredential() call.

Get-VMHost -Server $HostFQDN -Name $HostFQDN | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain $ADDomain -User $ADUserName -Password $creds.GetNetworkCredential().password -Confirm:$false

All of this works perfectly for a user account in the same AD domain as the target computer account for the ESXi host, but fails for a user in another domain. This user has rights to the OU and computer object set correctly. (Tested)

I have tried manually entering assorted variations for the Set-VMHostAuthentication -User variable.

I.e.

Domain\Username

Username@Domain

"Domain\Username"

"Username@Domain"


These all fail, as I know that you already know from reading other discussions here.


Only Set-VMHostAuthentication -User Username works (obviously including the other assorted variables as above, shown here for simplicity).

The only accepted variable for Set-VMHostAuthentication -User is a simple user account in the same domain as the variable provided for the Set-VMHostAuthentication -Domain variable.


It seems to me to be an opportunity for VMware to amend this cmdlet to facilitate usage in a multi-domain AD, unless someone else has figured out how to do this.


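The post above establishes that Set-VMHostAuthentication only takes a bare username that belongs to the domain given in -Domain. The script below is an added example (not the original poster's build script and not VMware's code) that turns that limitation into an explicit pre-check: it parses the credential the operator supplied (DOMAIN\user or user@domain forms), compares the credential's domain with the join domain, and refuses to call the cmdlet with a clear message instead of letting the join fail opaquely. It assumes PowerCLI is loaded and Connect-VIServer has already been run; $HostFQDN, $ADDomain and the function names are placeholders chosen for this example, and the short-name-versus-FQDN comparison is a heuristic, not something the cmdlet does itself.

```powershell
# Added example, not code from the thread. Assumes PowerCLI is imported and
# Connect-VIServer has been run against vCenter or the host.

function Split-JoinCredential {
    # Return the bare username and the domain part of a PSCredential.
    # GetNetworkCredential() already splits DOMAIN\user; user@domain is split here.
    param([Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential)
    $net    = $Credential.GetNetworkCredential()
    $user   = $net.UserName
    $domain = $net.Domain
    if (-not $domain -and $user -match '^([^@]+)@(.+)$') {
        $user   = $Matches[1]   # UPN form: user@domain.example
        $domain = $Matches[2]
    }
    [pscustomobject]@{ UserName = $user; Domain = $domain }
}

function Test-JoinCredentialDomain {
    # True when the credential belongs to $JoinDomain (or carries no domain at all,
    # in which case the cmdlet will treat it as an account in $JoinDomain anyway).
    # Heuristic: accept an exact match, or a NetBIOS short name that is the first
    # label of the join domain FQDN (e.g. CORP vs corp.example.com).
    param(
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential,
        [Parameter(Mandatory)][string]$JoinDomain
    )
    $parts = Split-JoinCredential -Credential $Credential
    if (-not $parts.Domain) { return $true }
    $cand = $parts.Domain
    return ($cand -ieq $JoinDomain) -or
           ($JoinDomain -ilike "$cand.*") -or
           ($cand -ilike "$JoinDomain.*")
}

function Join-VMHostToDomain {
    # Wrap the pipeline from the thread with the pre-check, so a cross-domain
    # account is rejected before any call to ESXi is made.
    param(
        [Parameter(Mandatory)][string]$HostFQDN,
        [Parameter(Mandatory)][string]$ADDomain,
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential
    )
    $parts = Split-JoinCredential -Credential $Credential
    if (-not (Test-JoinCredentialDomain -Credential $Credential -JoinDomain $ADDomain)) {
        throw ("Set-VMHostAuthentication only accepts an account from '{0}'; " +
               "the supplied credential belongs to '{1}'. Use an account in the join domain.") `
               -f $ADDomain, $parts.Domain
    }
    Get-VMHost -Name $HostFQDN |
        Get-VMHostAuthentication |
        Set-VMHostAuthentication -JoinDomain -Domain $ADDomain `
            -Username $parts.UserName `
            -Password $Credential.GetNetworkCredential().Password `
            -Confirm:$false
}

# Usage with placeholder values:
# $cred = Get-Credential -Message 'Account in the ESXi join domain'
# Join-VMHostToDomain -HostFQDN 'esxi01.corp.example.com' -ADDomain 'corp.example.com' -Credential $cred
```

The -Username parameter is the cmdlet's full parameter name; the thread's -User works because PowerShell resolves the unambiguous prefix. The password still has to be passed to the cmdlet as a plain string, so keep it out of transcripts and verbose output in a build script.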
Cynomus
Contributor

I just realized that the same problem exists in the GUI: when prompted for a Username to add the host to the domain, it will only accept a Username but no domain reference such as domain\Username or username@domain.

Seems VMware forgot that some companies use more than one domain.
