Latest posts by Vladan Seget (see all)
- Back up VMware ESXi configurations via PowerCLI - Fri, Jun 9 2017
- Windows Server 2016 VM with a VMware Paravirtual SCSI controller - Thu, May 18 2017
- Upload files to VMware vSphere datastore - Tue, May 9 2017
Admins often use VMware ESXi hypervisor within an enterprise environment. I have come across a few environments that replaced the IT staff and left the new admin without a password to unlock access to ESXi.
There are cases where the administrator can still access the VMware virtualized architecture through vCenter server but does not have access to the individual hosts visible through the vCenter server console. In such cases, the admin can still manage all the hosts and all the network and storage configuration of those hosts, including virtual machines (VMs) running on those hosts. However, the admin may not have shell access (via SSH) and may not have access to the local root account of each individual ESXi host. This root account is also necessary when configuring backup or monitoring solutions within the VMware environment. So this password is something every admin has to have.
Note that there's only support for Active Directory via LDAP. VMware does not support generic LDAP systems such as OpenLDAP.
Via VMware Host Profiles ^
First of all, VMware Host Profiles requires an Enterprise Plus License. Think of a host profile as a blueprint that you can apply to a host to change its configuration. You can have part of the host profile unselected to apply to only certain parts or to modify certain configuration parameters. In our case we'll apply just the new root password.
The process starts with extracting a host profile from a host. This way you'll have all the configuration of a host in one file.
Connect to your vSphere installation via the vSphere web client. On the home page, click Host profiles, and then click the plus sign (+) to extract a profile from a host.
Follow the steps in the assistant. On the second page, it will ask you to enter some meaningful name. Please do that and then click Finish to save and close the assistant. The process takes about one minute to extract and create a host profile.
Select the newly created host profile on the left then click on the Configure tab and the Edit Host Profile button.
A new assistant window appears. Click Next to get to the second page of the assistant. Then type "root" in the search box to populate the settings for the root password only.
Click Finish to save and close the assistant.
However, if we leave the host profile like this now, we can only use it on a single host—the host we extracted the host profile from.
Let's go back and click the Edit host profile option once again, and then deselect all the other branches except Security > User Configuration > root.
Click Finish to save and close the assistant.
Now we can apply the profile to our hosts, as the only value that will be set is the root password.
Select the host profile, and then select the Actions > Attach/Detach Hosts and Clusters menu options.
Next, we need to check compliance.
We'll also quickly mention other vSphere components, such as the VMware vCenter Server Appliance (VCSA) and VMware Single Sign-On (SSO) reset possibilities.
Once done, we can Remediate our host(s).
That's it; we have reset the host(s) with a new root password.
Joining the host to Active Directory ^
VMware also supports this method. I assume that you still have access to the vCenter server that manages this host, but perhaps you lost local root access to the host, so you're unable to connect via SSH.
Step 1: Connect to your domain controller server and create a global security group called "ESX Admins." Type this exactly as is.
Add the domain administrator to this group and any other account that will be able to connect to each individual ESXi host.
Step 2: Connect to the vCenter server via the vSphere web client and select your ESXi host, then click Configure > System > Authentication Services > Join Domain.
Once done, you should see the Directory Service Type field changed.
Now you should be able to log in to your ESXi host as a domain admin and change the local root password.
You can log in either as "domain\administrator" or in the "administrator@domain" style.
Mount the host file system from a second OS ^
In some environments with unmanaged ESXi hypervisors, there's no vCenter server for central management available. If an admin did not previously join these ESXi systems to Active Directory, only the local root account remains for authentication. There is no other way to connect to these hosts other than via the root account. And if this root password is lost, then you're pretty much left in the dark.
In these cases, the method explained below can be helpful. Note VMware does not officially support this procedure. Also note that you have to reboot the ESXi host, so be prepared for certain downtime for your VMs.
Basically you have to boot the host from a Linux CD and then mount the file systems and replace certain files. Depending on the installation, you first should check the partition scheme with GParted after you boot Linux.
Then you'll need to find the state.tgz file and copy it to a temp directory (for instance /tmp). Untar state.tgz, which will create a file called local.tgz.
Go to the "etc" directory and edit the file called shadow using the vi text editor. You'll need to clear the current root password, which is encrypted. After that, copy the updated state.tgz file to /mnt (where you mounted the VMware ESXi root). Unmount /mnt and reboot the ESXi host. You should be able to log in without a root password the first time, and then you can set a new password.
VMware supports the first two methods but not the third. VMware clearly does not want us to go and modify files on ESXi installations. VMware says that the only supported way to reset an ESXi password is by reinstalling the host. This way you can preserve the local datastore with some VMs running there if you wish. However, you'll lose every other configuration setting, such as networking, storage, and so on.
After a quick reinstallation and configuration, you'll regain access to such a host, and you can add this host to Active Directory just in case you lose the root password in the future.