Hi All,
I frequently have a few ESXi hosts drop out of the domain, or my AD group permissions disappear, in my infrastructure. Sometimes the count is higher, around 50+.
Logging in to each host, adding it to the domain and adding my AD group is a lengthy process.
Is there a script which can do it in a single shot, for the requirement below?
The script should
1. Connect to all my vCenters
2. Pick the hosts from Get-Content (which will have my hosts which are out of the domain)
3. Ask for the default ESXi root password
4. Put the host in Maintenance Mode
5. Then join the ESXi host to the domain
6. Then add my AD group
7. Finally exit from maintenance mode
8. Export the output report to CSV showing which hosts it was able to join to the domain, add the AD group to, and take out of Maintenance Mode.
Thanks a Ton in Advance.
For starters, have a look at Joining ESXi hosts to a domain and granting permissions with PowerCLI
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thanks LucD for the link,
But it looks too complicated; I was just looking for a script to perform the task below.
1. Connect to all my vCenters
2. Pick the hosts from Get-Content (which will have my hosts which are out of the domain)
3. Ask for the default ESXi root password
4. Put the host in Maintenance Mode
5. Then join the ESXi host to the domain
6. Then add my AD group
7. Finally exit from maintenance mode
8. Export the output report to CSV showing which hosts it was able to join to the domain, add the AD group to, and take out of Maintenance Mode.
Not sure what you mean with 6).
Does the domain group (hard-coded?) need to have a Role on the ESXi node?
If the ESXi node is already added to the vCenter (nothing to do with the AD join), that Role should be propagated.
Or do you mean something else?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
For point 6 I was referring to the AD group, which should have the Admin role.
Example of an AD group:
xyz-abc\virtualadmin (xyz-abc is the domain, virtualadmin is the AD group)
Try something like this
$esxNamesFile = 'C:\esxNames.txt'
$csvReport = 'C:\report.csv'
$domainName = 'xyz-abc.local' # Must be FQDN domainname
$domainAdmin = 'Administrator'
$domainAdminPswd = 'Secret1!' # Better to prompt for this (Get-Credential / Read-Host -AsSecureString) than to store it in the script
$roleName = 'Admin'
$groupName = 'virtualadmin' # Only group, not domain
# Connect vCenters (repeat for all vCenters you need) and keep the connection object,
# so each cmdlet can be pointed at the right connection with -Server
$vcSrv = Connect-VIServer -Server xyz
$report = @()
# Read target ESXi nodes
foreach($esxName in (Get-Content -Path $esxNamesFile)){
# Read root password as a SecureString and wrap it in a credential object
$pswd = Read-Host -Prompt "Enter root password for ESXi node $($esxName)" -AsSecureString
$rootCred = New-Object System.Management.Automation.PSCredential('root', $pswd)
# Place ESXi node in maintenance mode (through the vCenter connection)
Set-VMHost -Server $vcSrv -VMHost $esxName -State Maintenance -Confirm:$false
$esx = Get-VMHost -Server $vcSrv -Name $esxName
while($esx.State -ne 'maintenance'){
Start-Sleep -Seconds 5
$esx = Get-VMHost -Server $vcSrv -Name $esxName
}
# Join AD over a direct connection to the ESXi node
$esxSrv = Connect-VIServer -Server $esxName -Credential $rootCred
$adJoin = Get-VMHostAuthentication -VMHost $esxName -Server $esxSrv |
Set-VMHostAuthentication -Domain $domainName -JoinDomain -Username $domainAdmin -Password $domainAdminPswd -Confirm:$false
# Give group Admin permission; role, account and entity must all come from the ESXi connection
$role = Get-VIRole -Server $esxSrv -Name $roleName
$account = Get-VIAccount -Server $esxSrv -Domain $domainName -Id $groupName -Group
$esxLocal = Get-VMHost -Server $esxSrv
New-VIPermission -Server $esxSrv -Principal $account -Role $role -Entity $esxLocal -Confirm:$false
# Take ESXi node out of maintenance mode (through the vCenter connection again)
Set-VMHost -Server $vcSrv -VMHost $esxName -State Connected -Confirm:$false
$esx = Get-VMHost -Server $vcSrv -Name $esxName
while($esx.State -ne 'connected'){
Start-Sleep -Seconds 5
$esx = Get-VMHost -Server $vcSrv -Name $esxName
}
# Add to report
$report += New-Object PSObject -Property @{
ESXi = $esxName
Domain = $adJoin.Domain
}
Disconnect-VIServer -Server $esxSrv -Confirm:$false
}
$report | Export-Csv -Path $csvReport -UseCulture -NoTypeInformation
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thanks LucD for your help.
But when I run the script I am getting the error given below.
I set $DomainName = mydomain.com
$domainAdmin = my account id
$DomainAdminpswd = my account password
Are the above values correct, or am I missing something?
Set-VMHostAuthentication : Cannot validate argument on parameter 'Domain'. The
argument is null or empty. Provide an argument that is not null or empty, and
then try the command again.
At C:\Users\myself\Desktop\ADESXiJoin\ADESXiJoin.ps1:61 char:38
+ Set-VMHostAuthentication -Domain $domanName -JoinDomain -Username ...
+ ~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Set-VMHostAuthentication], Par
ameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,VMware.VimAutom
ation.ViCore.Cmdlets.Commands.Host.SetVMHostAuthentication
There was a typo in the variable name ($domanName instead of $domainName).
I corrected the code above, please try again.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi All, I stumbled across this thread and it seems to do some of what I need. I have to add 200+ ESXi hosts to a Microsoft domain, but I would like to put the host in an OU and assign user or group rights when adding it. Can anyone please help with this?
Hi Luc,
I'm wondering, do I need to Connect-VIServer directly to the host to join it to the domain? I've tried doing it while connected only to the VC and it has worked on a couple of occasions, but it's not consistent:
Get-VMHostAuthentication -VMHost $esxiserver | Set-VMHostAuthentication -Domain $ADdomain -Credential $dccreds -JoinDomain -Confirm:$false
Yes, you need to connect to the VMHost before doing the Set-VMHostAuthentication, and pass the ESXi connection on the Server parameter, should you have multiple connections open.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi Luc,
First, thanks a lot for sharing your knowledge, I learn so much from it. THANKS 🙂
Question: if I need to remove over 400 ESXi hosts (v6.5 and v6.7) from AD, can I use the same structure as your script, and do I need to put them in maintenance mode?
thanks
According to the procedure in Leave an Active Directory Domain you don't need to place the ESXi node in maintenance mode, but I would still do that (out of precaution).
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
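As an added example (not LucD's code or anything from the thread), here is a leave-domain variant built on the same structure as the join script above: vCenter for maintenance mode, a direct connection to each host for Set-VMHostAuthentication -LeaveDomain, and a CSV report. It assumes a vCenter name in $vcName, a text file with one host name per line, and the same root password on every host.

```powershell
# Added example: leave-domain variant of the join script in this thread.
# Assumptions (not from the thread): $vcName is your vCenter (placeholder value),
# $esxNamesFile lists one ESXi name per line, all hosts share the root password.
$vcName       = 'vcenter.example.local'
$esxNamesFile = 'C:\esxLeave.txt'
$csvReport    = 'C:\leaveReport.csv'

$vcSrv    = Connect-VIServer -Server $vcName
$rootCred = Get-Credential -UserName 'root' -Message 'ESXi root password (used for every host)'

$report = foreach ($esxName in (Get-Content -Path $esxNamesFile)) {
    $row = [PSCustomObject]@{
        ESXi = $esxName; DomainBefore = $null; DomainAfter = $null; Maintenance = $false; Error = $null
    }
    $esxSrv = $null
    try {
        # Maintenance mode is not required to leave a domain, kept here as the precaution Luc suggests
        Set-VMHost -Server $vcSrv -VMHost $esxName -State Maintenance -Confirm:$false | Out-Null
        while ((Get-VMHost -Server $vcSrv -Name $esxName).State -ne 'Maintenance') { Start-Sleep -Seconds 5 }
        $row.Maintenance = $true

        # Leave the domain over a direct connection to the host, always passing -Server
        $esxSrv = Connect-VIServer -Server $esxName -Credential $rootCred
        $auth = Get-VMHostAuthentication -VMHost $esxName -Server $esxSrv
        $row.DomainBefore = $auth.Domain
        $auth = $auth | Set-VMHostAuthentication -LeaveDomain -Force -Confirm:$false
        $row.DomainAfter = $auth.Domain   # empty when the host has left the domain
    }
    catch {
        # Record the failure per host instead of aborting the whole run
        $row.Error = $_.Exception.Message
    }
    finally {
        if ($esxSrv) { Disconnect-VIServer -Server $esxSrv -Confirm:$false }
        if ($row.Maintenance) {
            Set-VMHost -Server $vcSrv -VMHost $esxName -State Connected -Confirm:$false | Out-Null
        }
    }
    $row
}
$report | Export-Csv -Path $csvReport -UseCulture -NoTypeInformation
```

Hosts that fail to leave keep their DomainBefore value in the report and show the error text, so the report itself tells you which hosts need a manual look.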