Highlighted
Contributor
Contributor

Script for ESXi Host AD Join

Hi All,

I have frequently few esxi hosts goes out of domain or my AD group permissions will go away in my infrastructure..sometime its count will be more around 50+.

To login each host add them in domain and add my AD group is lengthy process.

Is there a script which can do it in single shot, for below requirement.

Script should

1. Connect all my vCenters

2. Pick the host from Get-Content ( which will have my hosts which are out of domain)

3. Should ask the default ESXi root password

4. Should take host in Maintenance Mode

5. Then it should join the esxi host in domain

6. Then it should add my AD group

7. Finally Exit from maintenance mode

8. Export the output report in CSV which all host it could able to join domain and add AD group and exited it from Maintenance Mode.

Thanks a Ton in Advance.

13 Replies
Highlighted
User Moderator
User Moderator

For starters, have a look at Joining ESXi hosts to a domain and granting permissions with PowerCLI


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Highlighted
Hot Shot
Hot Shot

Thanks LucD for the link,

But it looks too complicated I was just looking for the script to perform below task.

1. Connect all my vCenters

2. Pick the host from Get-Content ( which will have my hosts which are out of domain)

3. Should ask the default ESXi root password

4. Should take host in Maintenance Mode

5. Then it should join the esxi host in domain

6. Then it should add my AD group

7. Finally Exit from maintenance mode

8. Export the output report in CSV which all host it could able to join domain and add AD group and exited it from Maintenance Mode.

Raju Gunnal VCP 4, VCP 5, VTSP 4, VTSP 5, ITIL V3 http://www.techtosolution.com
Highlighted
User Moderator
User Moderator

Not sure what you mean with 6).
Does the domain group (hard-coded?) need to have a Role on the ESXi node?

If the ESXi node is already added to the vCenter (nothing to do with the AD join), that Role should be propagated.

Or do you mean something else?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
Highlighted
Hot Shot
Hot Shot

Point 6 I was referring to the AD group which should have Admin role.

example of AD group : -

xyz-abc\virtualadmin     (xyz-abc is domain) (virtualadmin is AD group)

Raju Gunnal VCP 4, VCP 5, VTSP 4, VTSP 5, ITIL V3 http://www.techtosolution.com
0 Kudos
Highlighted
User Moderator
User Moderator

Try something like this

$esxNamesFile = 'C:\esxNames.txt'

$csvReport = 'C:\report.csv'

$domainName = 'xyz-abc.local'           # Must be FQDN domainname

$domainAdmin = 'Administrator'

$domainAdminPswd = 'Secret1!'

$roleName = 'Admin'

$groupName = 'virtualadmin'             # Only group, not domain

# Connect vCenters (repeat for all vCenters you need)

Connect-VIServer -Server xyz

$report = @()

# Read target ESXi nodes

foreach($esxName in (Get-Content -Path $esxNamesFile)){

    # Read root password

    $pswd = Read-Host -Prompt "Enter root password for ESXi node $($esxName)"

    # Place ESXi node in maintenance mode

    Set-VMHost -VMHost $esxName -State Maintenance -Confirm:$false

    $esx = Get-VMHost -Name $esxName

    while($esx.State -ne 'maintenance'){

        sleep 5

        $esx = Get-VMHost -Name $esxName

    }

    # Join AD

    $esxSrv = Connect-VIServer -Server $esxName -User root -Password $pswd

    $adJoin = Get-VMHostAuthentication -VMHost $esxName -Server $esxSrv |

    Set-VMHostAuthentication -Domain $domainName -JoinDomain -Username $domainAdmin -Password $domainAdminPswd -Confirm:$false

    # Give group Admin permission

    $role = Get-VIRole -Server $esxSrv -Name $roleName

    $account = Get-VIAccount -Domain $domainName -Id $groupName -Group

    New-VIPermission -Principal $account -Role $role -Entity $esx -Confirm:$false

    # Take ESXi node out of maintenance mode

    Set-VMHost -VMHost $esxName -State Connected -Confirm:$false

    $esx = Get-VMHost -Name $esxName

    while($esx.State -ne 'connected'){

        sleep 5

        $esx = Get-VMHost -Name $esxName

    }

   

    # Add to report

    $report += New-Object PSObject -Property @{

        ESXi = $esxName

        Domain = $adJoin.Domain

    }

    Disconnect-VIServer -Server $esxSrv -Confirm:$false

}

$report | Export-Csv -Path $csvReport -UseCulture -NoTypeInformation


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Highlighted
Hot Shot
Hot Shot

Thanks LuCD for your help.

But when I run the script am getting below given error.

in $DomainName = mydomain.com

$domainAdmin = myaccount id

$DomainAdminpswd = myaccount password

Is above given are correct or am I missing something.

Set-VMHostAuthentication : Cannot validate argument on parameter 'Domain'. The

argument is null or empty. Provide an argument that is not null or empty, and

then try the command again.

At C:\Users\myself\Desktop\ADESXiJoin\ADESXiJoin.ps1:61 char:38

+     Set-VMHostAuthentication -Domain $domanName -JoinDomain -Username ...

+                                      ~~~~~~~~~~

    + CategoryInfo          : InvalidData: (:) [Set-VMHostAuthentication], Par

   ameterBindingValidationException

    + FullyQualifiedErrorId : ParameterArgumentValidationError,VMware.VimAutom

   ation.ViCore.Cmdlets.Commands.Host.SetVMHostAuthentication

Raju Gunnal VCP 4, VCP 5, VTSP 4, VTSP 5, ITIL V3 http://www.techtosolution.com
0 Kudos
Highlighted
User Moderator
User Moderator

There was a typo in the variable name ($domanName instead of $domainName).

I corrected the code above, please try again.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
Highlighted
Hot Shot
Hot Shot

Hi All, I stumbled across this thread and this seems to do some of what I need. I have to add 200+ ESXi hosts to a Microsoft domain but I would like to put the host in an OU and assign user or group rights when adding it. Can anyone please help with this?

Nicholas VCP6
0 Kudos
Highlighted
Hot Shot
Hot Shot

Hi Luc,

I'm wondering do i need to connect-viserver directly to the host to join it to the domain, because i've tried doing just connected to the VC and it has worked on a couple of occasions but its not consistent?

Get-VMHostAuthentication -VMHost $esxiserver | Set-VMHostAuthentication -Domain $ADdomain -Credential $dccreds -JoinDomain -Confirm:$false

Nicholas VCP6
0 Kudos
Highlighted
User Moderator
User Moderator

Yes, you need to connect to the VMHost before doing the Set-VMHostAuthentication, and pass the ESXi connection on the Server parameter, should you have multiple connections open.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
Highlighted
Contributor
Contributor

cool
0 Kudos
Highlighted
Contributor
Contributor

Hi Luc,

    First, . thanks a lot for sharing your knowledge, I learn so much from it.  THANKS  🙂

 

Question, ...  if I need to remove over 400 ESXi HOST v6.5 and v6.7  from AD, can I use the same structure of your script  and do I need to put in maintenance mode ?

 

thanks

Highlighted
User Moderator
User Moderator

According to the procedure in Leave an Active Directory Domain you don't need to place the ESXi node in maintenance mode, but I would still do that (out of precaution).


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference