A nice little enhancement that I recently came across in ESXi 6.0 is the inclusion of the Likewise utility called domainjoin-cli, which allows you to join a system to an Active Directory Domain. Previously, if you wanted to automate joining an ESXi host to an Active Directory Domain, you had to configure it manually using the vSphere Web Client or vSphere Client, use Host Profiles, or create an external script using the vSphere APIs.
All of these options were mostly executed post-provisioning. If you wanted Active Directory configuration to be part of the provisioning process itself, you may have had to resort to something like calling into the vSphere MOB from a Kickstart script, as I showed back in 2011 in this article here. The solution I came up with was not ideal, but it worked for those who did not want additional steps after initial provisioning.
With the domainjoin-cli utility now included in the ESXi Shell of ESXi 6.0, you can easily automate joining an Active Directory Domain with just a couple of lines added to your Kickstart or provisioning scripts. Before you can use the command-line utility, you need to ensure the Likewise Service Manager daemon (lwsmd) is running. The following two commands start the service and ensure it starts automatically on boot:
/etc/init.d/lwsmd start
chkconfig lwsmd on
Next, to join your Active Directory Domain, you will need to specify the following 3 parameters, plus an optional password:
- join - specifies that the operation is a join rather than a leave
- AD Domain Name - the Active Directory Domain to join
- AD Username - the Active Directory username used to join the domain
- AD Password - the password for that user (optional; you will be prompted if it is not specified)
Here is an example of what the command looks like when joining the Active Directory Domain in my lab:
/usr/lib/vmware/likewise/bin/domainjoin-cli join primp-industries.com administrator [PASSWORD]
You should see a success message if the ESXi host was successfully joined to the Active Directory Domain; reboot the ESXi host for the changes to take full effect. This is definitely a simpler method to include in an ESXi Kickstart script to automate joining an Active Directory Domain, and hopefully you will find it handy when using ESXi 6.0.
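As an added example (not code from the original post or from VMware), here is a %firstboot-style shell fragment that wraps the three commands above. It goes slightly beyond the post: instead of assuming lwsmd is ready immediately after `/etc/init.d/lwsmd start`, it polls a readiness check before calling domainjoin-cli. The paths /etc/init.d/lwsmd, chkconfig and /usr/lib/vmware/likewise/bin/domainjoin-cli are the ones from the post; the use of `/etc/init.d/lwsmd status` as the readiness check, the variable names AD_DOMAIN, AD_JOIN_USER, AD_JOIN_PASSWORD, and the DOMAINJOIN_CLI override (which exists only so the join wrapper can be exercised off-box) are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Intended to be pasted under
# "%firstboot --interpreter=busybox" in an ESXi 6.0 Kickstart file.

# Poll a readiness check until it succeeds or the attempts run out.
# $1 = check command, $2 = max attempts, $3 = seconds to wait between attempts.
# Returns 0 once the check passes, 1 if it never does.
wait_for_service() {
    check_cmd=$1
    max_tries=$2
    pause=$3
    i=0
    while [ "$i" -lt "$max_tries" ]; do
        if $check_cmd >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1))
        sleep "$pause"
    done
    return 1
}

# Start the Likewise Service Manager and enable it at boot (the two commands from the post).
start_lwsmd() {
    /etc/init.d/lwsmd start
    chkconfig lwsmd on
}

# Readiness check (assumed): the ESXi init script's "status" action returns
# non-zero until the daemon is actually up.
lwsmd_is_running() {
    /etc/init.d/lwsmd status
}

# Run the join. DOMAINJOIN_CLI (assumed name) lets a test substitute a stand-in
# for the real binary; on a host it defaults to the path from the post.
# $1 = AD domain, $2 = AD username, $3 = AD password.
join_ad_domain() {
    domain=$1
    user=$2
    password=$3
    "${DOMAINJOIN_CLI:-/usr/lib/vmware/likewise/bin/domainjoin-cli}" join "$domain" "$user" "$password"
}

# Only attempt the real sequence on an ESXi host where lwsmd exists and the
# join credentials were provided earlier in the script (variable names assumed).
if [ -x /etc/init.d/lwsmd ] && [ -n "${AD_JOIN_PASSWORD:-}" ]; then
    start_lwsmd
    if wait_for_service lwsmd_is_running 30 2; then
        join_ad_domain "${AD_DOMAIN:-primp-industries.com}" "${AD_JOIN_USER:-administrator}" "$AD_JOIN_PASSWORD"
    else
        echo "lwsmd did not become ready; skipping domain join" >&2
        exit 1
    fi
fi
```

The password still passes through the Kickstart file and the domainjoin-cli command line, so the account used here should be a dedicated join account holding only the delegated permissions needed to create and reset computer objects, not a domain administrator.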
CrazySteve5575 says
I've been using PowerCLI to do this; does this do something different?
Get-VMHost -Name $HostName | Get-VMHostAuthentication | Set-VMHostAuthentication -Domain "$domain" -User $dadmin -Password $dpass -JoinDomain -Confirm:$false
William Lam says
This is just another way, and specifically during the provisioning process if you're doing a scripted install via Kickstart versus doing it as a post-provision operation. The end result is the same.
jimi1508 says
Do you have a sample kickstart where you have this working? I've been testing it out and can't get the Likewise services to start without rebooting the server. I've tried the following code in %pre, %post, and %firstboot in varying configurations with no success:
%firstboot --interpreter=busybox
/etc/init.d/lwsmd start
chkconfig lwsmd on
/usr/lib/vmware/likewise/bin/domainjoin-cli join --ou "Our_OU/OU" "Domain" Username Password
I can, however, run the commands after the server is built and they work fine.
Marcel says
I ran into the same problem and solved it with a 30sec sleep after enabling the services. Kickstart doesn't seem to wait for the services to start and the join fails...
BlueArcher says
This is driving me crazy... we are using effectively this same code in our 6.0 migration, and we get errors well over half the time. When you have many hundreds of hosts, this doesn't fly.
"Bad user name and password" even though it enables the computer object and joins the domain fine.
"Active directory authentication store is not supported for VMHost"
and there is another one that I am not remembering.
Even though using the HTML5 UI on the host joins fine the first time, every time. PowerShell and even usually joining from vCenter fails most of the time.
And yes lwsmd is started.
Jeff Couch says
I am seeing this as well. About to open a case.
Gene Yazgur says
https://kb.vmware.com/s/article/52929 lists the following minimum custom delegation tasks and permissions that are needed, but it's not complete. We had the same issues joining hosts to the domain: hosts would join, but could not bind to LDAP or poll AD, and could not add delegated users from domain groups to the host. Bad username and password when logging in with AD credentials. Tweaking the delegated group permissions solved the issue.
• Reset Password
• Read and write Account Restrictions
• Validated write to DNS host name
• Validated write to service principal name
• Create and Delete Computer objects
-----
From KB 52929:
Microsoft has documented minimally required permissions.
• Reset Password
• Read and write Account Restrictions
• Validated write to DNS host name
• Validated write to service principal name
• Create and Delete Computer objects
The additional permission required is Read/Write public information and Description.
CrystalF says
I have this working in my kickstart; however, when I go to add the host to vCenter it does not see the AD authentication type. vCenter still sees local. Anyone else seeing the same?
Hawkeye999 says
Hi, is there a way to hash out/encrypt the password, to save it being in plain text?