
Easily automate ESXi 6.0 Active Directory join using domainjoin-cli

04.06.2015 by William Lam // 9 Comments

A nice little enhancement I recently came across in ESXi 6.0 is the inclusion of the Likewise utility domainjoin-cli, which lets you join a system to an Active Directory Domain from the ESXi Shell. Previously, if you wanted to automate joining an ESXi host to an Active Directory Domain, you had to configure it manually using the vSphere Web Client or vSphere Client, use Host Profiles, or write an external script against the vSphere APIs.

All of these options run after provisioning. If you wanted Active Directory configuration to be part of the provisioning process itself, you may have had to resort to calling into the vSphere MOB from within a Kickstart script, as I showed back in 2011 in this article. That solution was not ideal, but it worked for those who did not want additional steps after the initial install.

With domainjoin-cli now included in the ESXi Shell of ESXi 6.0, you can automate joining an Active Directory Domain with just a couple of lines added to your Kickstart or provisioning scripts. Before you can use the utility, you need to ensure the Likewise Service Manager daemon (lwsmd) is running. The following two commands start the service and ensure it starts automatically on boot:

/etc/init.d/lwsmd start
chkconfig lwsmd on

Next, to join your Active Directory Domain, domainjoin-cli takes the following arguments, in this order:

  1. join - the operation, as opposed to leave
  2. AD Domain Name - the Active Directory Domain to join
  3. AD Username - an Active Directory account with rights to join computers to the domain
  4. AD Password - that account's password (optional; if it is not specified you will be prompted for it interactively, so a script must pass it)

Here is an example of what the command looks like joining my Active Directory Domain in my lab:

/usr/lib/vmware/likewise/bin/domainjoin-cli join primp-industries.com administrator [PASSWORD]

You should see a success message if the ESXi host was joined successfully; reboot the ESXi host for the changes to take full effect. Note that the password is passed as a plain-text argument, so it sits in clear text in your Kickstart file and, briefly, in the process list; use a dedicated account that has been delegated only the rights needed to join computers to the domain rather than a domain administrator. This is definitely a simpler method to include in an ESXi Kickstart script to automate joining an Active Directory Domain, and hopefully you will find it handy when using ESXi 6.0.
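The start, chkconfig and join commands above together form a short %firstboot procedure. As an added example that is not part of the original post, here is a busybox-shell fragment that does the same thing but waits for lwsmd to report running before calling domainjoin-cli (rather than joining immediately after "start", which races the daemon during a scripted install), logs the outcome to syslog, and fails loudly if the join does not succeed. It assumes that /etc/init.d/lwsmd answers `status` with exit code 0 once the daemon is up, as ESXi init scripts do, and that domainjoin-cli returns non-zero on failure. The paths are overridable so the functions can be exercised off-box; the domain, account and OU in the usage comment are made up.

```shell
#!/bin/sh
# Added example, not code from the original post. Intended for the
# "%firstboot --interpreter=busybox" section of an ESXi 6.0 Kickstart.
# Assumptions: "$LWSMD_INIT status" exits 0 when lwsmd is running, and
# domainjoin-cli exits non-zero on failure. Paths can be overridden.

LWSMD_INIT="${LWSMD_INIT:-/etc/init.d/lwsmd}"
DOMAINJOIN="${DOMAINJOIN:-/usr/lib/vmware/likewise/bin/domainjoin-cli}"
CHKCONFIG="${CHKCONFIG:-chkconfig}"

# Log to syslog (visible in /var/log/syslog.log on the host); fall back
# to stderr where logger is unavailable. Never pass the password here.
log() {
    logger -t kickstart "$*" 2>/dev/null || echo "kickstart: $*" >&2
}

# Start lwsmd and make it persistent across reboots.
enable_lwsmd() {
    "$LWSMD_INIT" start && "$CHKCONFIG" lwsmd on
}

# Poll "lwsmd status" up to $1 times, one second apart. Returns 0 once the
# daemon reports running, 1 on timeout. Kickstart does not wait for a
# service started in %firstboot, so a fixed sleep is a guess; polling is not.
wait_for_lwsmd() {
    tries="${1:-30}"
    n=0
    while [ "$n" -lt "$tries" ]; do
        if "$LWSMD_INIT" status >/dev/null 2>&1; then
            return 0
        fi
        n=$((n + 1))
        sleep 1
    done
    return 1
}

# Join $1 (domain) as $2 (user) with $3 (password); $4 is an optional OU.
# domainjoin-cli only accepts the password as a positional argument, so it
# is present in the Kickstart file and briefly in the process list: use an
# account delegated only the computer-object rights it needs.
join_domain() {
    domain="$1"; user="$2"; pass="$3"; ou="${4:-}"
    if [ -n "$ou" ]; then
        "$DOMAINJOIN" join --ou "$ou" "$domain" "$user" "$pass"
    else
        "$DOMAINJOIN" join "$domain" "$user" "$pass"
    fi
}

# Orchestrate the whole procedure. Returns 0 on a successful join, 1 on any
# failure, so a caller can decide whether to continue the firstboot section.
ad_join() {
    domain="$1"; user="$2"; pass="$3"; ou="${4:-}"
    enable_lwsmd || { log "lwsmd failed to start"; return 1; }
    wait_for_lwsmd 30 || { log "lwsmd not running after 30s; skipping join"; return 1; }
    if join_domain "$domain" "$user" "$pass" "$ou"; then
        log "joined $domain; reboot required for AD auth to take effect"
        return 0
    fi
    log "domainjoin-cli failed for $domain"
    return 1
}

# Stand-alone use: sh thisfile.sh run <domain> <user> <password> [ou]
# Inside a Kickstart %firstboot section, call ad_join directly instead,
# e.g. (made-up values): ad_join primp-industries.com svc-esxijoin 'S3cret' 'Servers/ESXi'
if [ "${1:-}" = "run" ]; then
    shift
    ad_join "$@" || exit 1
fi
```

The functions replace the three bare commands from the post one for one; the only behavioural additions are the status poll before the join and the non-zero return on failure, which is what lets a firstboot script stop rather than reboot into a host that silently never joined.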


Categories // Automation, ESXi, vSphere 6.0 Tags // active directory, domainjoin-cli, ESXi 6.0, kickstart, lwsmd, vSphere 6.0

Comments

  1. CrazySteve5575 says

    04/14/2015 at 2:10 pm

    I've been using PowerCLI to do this, does this do something different?

    Get-VMHost -Name $HostName | Get-VMHostAuthentication | Set-VMHostAuthentication -Domain $domain -User $dadmin -Password $dpass -JoinDomain -Confirm:$false

    • William Lam says

      04/14/2015 at 3:08 pm

      This is just another way, specifically during the provisioning process if you're doing a scripted install via Kickstart, versus doing it as a post-provision operation. The end result is the same.

      • jimi1508 says

        04/16/2015 at 6:52 pm

        Do you have a sample kickstart where you have this working? I've been testing it out and can't get the Likewise services to start without rebooting the server. I've tried the following code in %pre, %post, and %firstboot in varying configurations with no success:

        %firstboot --interpreter=busybox
        /etc/init.d/lwsmd start
        chkconfig lwsmd on
        /usr/lib/vmware/likewise/bin/domainjoin-cli join --ou "Our_OU/OU" "Domain" Username Password

        I can, however, run the commands after the server is built and they work fine.

        • Marcel says

          11/03/2015 at 8:43 am

          I ran into the same problem and solved it with a 30sec sleep after enabling the services. Kickstart doesn't seem to wait for the services to start and the join fails...

    • BlueArcher says

      07/07/2016 at 8:30 pm

      This is driving me crazy... We are using effectively this same code in our 6.0 migration, and we get errors well over half the time. When you have many hundreds of hosts, this doesn't fly.

      "Bad user name and password" even though it enables the computer object and joins the domain fine..
      "Active directory authentication store is not supported for VMHost"
      and there is another one that I am not remembering.

      Even though using the HTML5 UI on the host joins fine the first time every time, PowerShell and even usually joining from vCenter fails most of the time.

      And yes lwsmd is started.

      • Jeff Couch says

        07/12/2016 at 8:54 am

        I am seeing this as well. About to open a case.

  2. Gene Yazgur says

    03/30/2018 at 6:25 am

    Per https://kb.vmware.com/s/article/52929, the following minimum custom delegation tasks and permissions are needed, but it's not complete. We had the same issues joining hosts to the domain: hosts would join, but could not bind to LDAP or poll AD, could not add delegated users from domain groups to the host, and gave "Bad username and password" when logging in with AD credentials. Tweaking the delegated group permissions solved the issue.
    • Reset Password
    • Read and write Account Restrictions
    • Validated write to DNS host name
    • Validated write to service principal name
    • Create and Delete Computer objects
    -----

    From KB 52929:

    Microsoft has documented minimally required permissions.
    • Reset Password
    • Read and write Account Restrictions
    • Validated write to DNS host name
    • Validated write to service principal name
    • Create and Delete Computer objects
    The additional permission required is Read/Write public information and Description.

  3. CrystalF says

    06/20/2018 at 11:13 am

    I have this working in my kickstart, however when I go to add the host to vCenter it does not see the AD authentication type. vCenter still sees local. Anyone else seeing the same?

  4. Hawkeye999 says

    08/24/2023 at 5:34 am

    Hi, is there a way to hash out/encrypt the password, to save it being in plain text?

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
