Set-VMHostAuthentication asks for -Domain -User -Password
However it appears that it expects the -User Account to ALWAYS be a member of the stated -Domain.
Therefore I can't get a user account in a Trusted Domain to be able to add an ESXi host across domains.
Anyone have any ideas on how to crack that nut?
How many hops are there between the 2 AD domains?
AFAIK there is some kind of limitation, see KB2064250, but I could be wrong on this one.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I am going to have a user in the other domain try the same procedure via the GUI to see if the error is the same. Certainly an interesting thought; however, considering that the Set-VMHostAuthentication -User variable won't accept any domain reference, only an account name, I'm not sure how this could be tested.
Did you already try with the Domain parameter?
Here is essentially how I am using it in a build script. I'll omit all the assorted error checking and variable assignment content to simplify reading; I think the $VariableNames speak for themselves.
Note that $ADUserName and $ADDomain are correctly extracted from a $host.ui.PromptForCredential() call.
Get-VMHost -Server $HostFQDN -Name $HostFQDN | Get-VMHostAuthentication | Set-VMHostAuthentication -JoinDomain -Domain $ADDomain -User $ADUserName -Password $creds.GetNetworkCredential().password -Confirm:$false
All of this works perfectly for a user account in the same AD domain as the target computer account for the ESXi host, but fails for a user in another domain. This user has rights to the OU and computer object set correctly. (Tested)
I have tried manually entering assorted variations for the Set-VMHostAuthentication -User variable
I.e.
Domain\Username
Username@Domain
"Domain\Username"
"Username@Domain"
These all fail, as I know that you already know from reading other discussions here.
Only Set-VMHostAuthentication -User Username works (obviously including the other assorted variables as above, shown here for simplicity)
The only accepted variable for Set-VMHostAuthentication -User is a simple user account in the same domain as the variable provided for the Set-VMHostAuthentication -Domain variable.
It seems to me to be an opportunity for VMware to amend this cmdlet to facilitate usage in a multi-domain AD, unless someone else has figured out how to do this.
I just realized that the same problem exists in the GUI: when prompted for a Username to add the host to the domain, it will only accept a Username but no domain reference (domain\Username or username@domain).
Seems VMware forgot that some companies use more than one domain.
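The build-script pattern described in the thread, written out as an added example; this is not the original poster's script and not VMware code. It prompts with Get-Credential, splits DOMAIN\user or user@domain into the bare account name and domain that Set-VMHostAuthentication -User and -Domain expect, performs the join, and then re-reads Get-VMHostAuthentication to confirm DomainMembershipStatus rather than trusting a silent return. It assumes PowerCLI is loaded and Connect-VIServer has already been run; the function names, the host name esx01.corp.example and the expected status value Ok are this example's own assumptions.

```powershell
# Added example (not the original poster's build script): wraps the
# Set-VMHostAuthentication call in a function that takes a PSCredential,
# derives -Domain and -User from it, and reads back the membership state.
# Assumptions: PowerCLI is loaded and Connect-VIServer has already been run;
# the function and parameter names below are this example's own.

function Split-DomainCredential {
    # Accepts DOMAIN\user or user@domain and returns the two parts separately,
    # because Set-VMHostAuthentication -User only accepts the bare account name.
    param(
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]$Credential
    )
    $name = $Credential.UserName
    if ($name -match '^(?<domain>[^\\@]+)\\(?<user>[^\\@]+)$') {
        return [pscustomobject]@{ Domain = $Matches.domain; User = $Matches.user }
    }
    if ($name -match '^(?<user>[^\\@]+)@(?<domain>[^\\@]+)$') {
        return [pscustomobject]@{ Domain = $Matches.domain; User = $Matches.user }
    }
    throw "Enter the account as DOMAIN\user or user@domain; got '$name'"
}

function Join-VMHostDomain {
    param(
        [Parameter(Mandatory)][string]$VMHostName,
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential
    )
    $parts = Split-DomainCredential -Credential $Credential
    $auth  = Get-VMHost -Name $VMHostName | Get-VMHostAuthentication

    # Idempotency: skip the join if the host already reports a healthy membership
    # in this domain ('Ok' is the assumed healthy value of DomainMembershipStatus).
    if ($auth.DomainMembershipStatus -eq 'Ok' -and $auth.Domain -eq $parts.Domain) {
        Write-Verbose "$VMHostName is already joined to $($parts.Domain)"
        return $auth
    }

    # The cmdlet wants the password as plain text; extract it only here, at the
    # point of use, instead of keeping it in a script-wide variable.
    $plain = $Credential.GetNetworkCredential().Password
    try {
        $auth = $auth | Set-VMHostAuthentication -JoinDomain `
            -Domain $parts.Domain -User $parts.User -Password $plain -Confirm:$false
    }
    finally {
        # Drops the reference; .NET strings are immutable, so this does not scrub memory.
        Remove-Variable plain -ErrorAction SilentlyContinue
    }

    # Re-read the object rather than trusting that the call returned without error.
    $check = Get-VMHost -Name $VMHostName | Get-VMHostAuthentication
    if ($check.DomainMembershipStatus -ne 'Ok') {
        throw "$VMHostName reports membership status '$($check.DomainMembershipStatus)' for domain '$($check.Domain)'"
    }
    return $check
}

# Usage: the credential prompt is the only place the password is typed.
# 'esx01.corp.example' is a constructed placeholder host name.
$cred   = Get-Credential -Message 'Account allowed to join the host (DOMAIN\user or user@domain)'
$result = Join-VMHostDomain -VMHostName 'esx01.corp.example' -Credential $cred
$result | Select-Object VMHost, Domain, DomainMembershipStatus, TrustedDomains
```

Because the function derives -Domain from the credential itself, it can only ever join the host to the account's own domain, which is the limitation the thread describes; there is no separate target-domain parameter to pass. The TrustedDomains column in the final output is the place to check what the host sees once it is joined.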