PowerCLI

 View Only
Back to discussions
Expand all | Collapse all

Script for ESXi Host AD Join

  • 1.  Script for ESXi Host AD Join

    Posted Jun 08, 2017 03:02 PM

    Hi All,

    I have frequently few esxi hosts goes out of domain or my AD group permissions will go away in my infrastructure..sometime its count will be more around 50+.

    To login each host add them in domain and add my AD group is lengthy process.

    Is there a script which can do it in single shot, for below requirement.

    Script should

    1. Connect all my vCenters

    2. Pick the host from Get-Content ( which will have my hosts which are out of domain)

    3. Should ask the default ESXi root password

    4. Should take host in Maintenance Mode

    5. Then it should join the esxi host in domain

    6. Then it should add my AD group

    7. Finally Exit from maintenance mode

    8. Export the output report in CSV which all host it could able to join domain and add AD group and exited it from Maintenance Mode.

    Thanks a Ton in Advance.



  • 2.  RE: Script for ESXi Host AD Join

    Posted Jun 08, 2017 04:26 PM

    For starters, have a look at Joining ESXi hosts to a domain and granting permissions with PowerCLI



  • 3.  RE: Script for ESXi Host AD Join

    Posted Jun 12, 2017 03:18 PM

    Thanks LucD for the link,

    But it looks too complicated I was just looking for the script to perform below task.

    1. Connect all my vCenters

    2. Pick the host from Get-Content ( which will have my hosts which are out of domain)

    3. Should ask the default ESXi root password

    4. Should take host in Maintenance Mode

    5. Then it should join the esxi host in domain

    6. Then it should add my AD group

    7. Finally Exit from maintenance mode

    8. Export the output report in CSV which all host it could able to join domain and add AD group and exited it from Maintenance Mode.



  • 4.  RE: Script for ESXi Host AD Join

    Posted Jun 12, 2017 04:26 PM

    Not sure what you mean with 6).
    Does the domain group (hard-coded?) need to have a Role on the ESXi node?

    If the ESXi node is already added to the vCenter (nothing to do with the AD join), that Role should be propagated.

    Or do you mean something else?



  • 5.  RE: Script for ESXi Host AD Join

    Posted Jun 13, 2017 08:13 AM

    Point 6 I was referring to the AD group which should have Admin role.

    example of AD group : -

    xyz-abc\virtualadmin     (xyz-abc is domain) (virtualadmin is AD group)



  • 6.  RE: Script for ESXi Host AD Join

    Posted Jun 13, 2017 10:07 AM

    Try something like this

    $esxNamesFile = 'C:\esxNames.txt'

    $csvReport = 'C:\report.csv'

    $domainName = 'xyz-abc.local'           # Must be FQDN domainname

    $domainAdmin = 'Administrator'

    $domainAdminPswd = 'Secret1!'

    $roleName = 'Admin'

    $groupName = 'virtualadmin'             # Only group, not domain

    # Connect vCenters (repeat for all vCenters you need)

    Connect-VIServer -Server xyz

    $report = @()

    # Read target ESXi nodes

    foreach($esxName in (Get-Content -Path $esxNamesFile)){

        # Read root password

        $pswd = Read-Host -Prompt "Enter root password for ESXi node $($esxName)"

        # Place ESXi node in maintenance mode

        Set-VMHost -VMHost $esxName -State Maintenance -Confirm:$false

        $esx = Get-VMHost -Name $esxName

        while($esx.State -ne 'maintenance'){

            sleep 5

            $esx = Get-VMHost -Name $esxName

        }

        # Join AD

        $esxSrv = Connect-VIServer -Server $esxName -User root -Password $pswd

        $adJoin = Get-VMHostAuthentication -VMHost $esxName -Server $esxSrv |

        Set-VMHostAuthentication -Domain $domainName -JoinDomain -Username $domainAdmin -Password $domainAdminPswd -Confirm:$false

        # Give group Admin permission

        $role = Get-VIRole -Server $esxSrv -Name $roleName

        $account = Get-VIAccount -Domain $domainName -Id $groupName -Group

        New-VIPermission -Principal $account -Role $role -Entity $esx -Confirm:$false

        # Take ESXi node out of maintenance mode

        Set-VMHost -VMHost $esxName -State Connected -Confirm:$false

        $esx = Get-VMHost -Name $esxName

        while($esx.State -ne 'connected'){

            sleep 5

            $esx = Get-VMHost -Name $esxName

        }

       

        # Add to report

        $report += New-Object PSObject -Property @{

            ESXi = $esxName

            Domain = $adJoin.Domain

        }

        Disconnect-VIServer -Server $esxSrv -Confirm:$false

    }

    $report | Export-Csv -Path $csvReport -UseCulture -NoTypeInformation



  • 7.  RE: Script for ESXi Host AD Join

    Posted Aug 02, 2017 07:59 AM

    Thanks LuCD for your help.

    But when I run the script am getting below given error.

    in $DomainName = mydomain.com

    $domainAdmin = myaccount id

    $DomainAdminpswd = myaccount password

    Is above given are correct or am I missing something.

    Set-VMHostAuthentication : Cannot validate argument on parameter 'Domain'. The

    argument is null or empty. Provide an argument that is not null or empty, and

    then try the command again.

    At C:\Users\myself\Desktop\ADESXiJoin\ADESXiJoin.ps1:61 char:38

    +     Set-VMHostAuthentication -Domain $domanName -JoinDomain -Username ...

    +                                      ~~~~~~~~~~

        + CategoryInfo          : InvalidData: (:) [Set-VMHostAuthentication], Par

       ameterBindingValidationException

        + FullyQualifiedErrorId : ParameterArgumentValidationError,VMware.VimAutom

       ation.ViCore.Cmdlets.Commands.Host.SetVMHostAuthentication



  • 8.  RE: Script for ESXi Host AD Join

    Posted Aug 02, 2017 08:06 AM

    There was a typo in the variable name ($domanName instead of $domainName).

    I corrected the code above, please try again.



  • 9.  RE: Script for ESXi Host AD Join

    Posted Nov 23, 2017 09:05 PM

    Hi Luc,

    I'm wondering do i need to connect-viserver directly to the host to join it to the domain, because i've tried doing just connected to the VC and it has worked on a couple of occasions but its not consistent?

    Get-VMHostAuthentication -VMHost $esxiserver | Set-VMHostAuthentication -Domain $ADdomain -Credential $dccreds -JoinDomain -Confirm:$false



  • 10.  RE: Script for ESXi Host AD Join

    Posted Nov 24, 2017 05:31 AM

    Yes, you need to connect to the VMHost before doing the Set-VMHostAuthentication, and pass the ESXi connection on the Server parameter, should you have multiple connections open.



  • 11.  RE: Script for ESXi Host AD Join

    Posted Sep 12, 2019 08:47 AM
    cool


  • 12.  RE: Script for ESXi Host AD Join

    Posted Oct 20, 2020 12:53 PM

    Hi Luc,

        First, . thanks a lot for sharing your knowledge, I learn so much from it.  THANKS  :-)

     

    Question, ...  if I need to remove over 400 ESXi HOST v6.5 and v6.7  from AD, can I use the same structure of your script  and do I need to put in maintenance mode ?

     

    thanks



  • 13.  RE: Script for ESXi Host AD Join

    Posted Oct 20, 2020 01:58 PM

    According to the procedure in Leave an Active Directory Domain you don't need to place the ESXi node in maintenance mode, but I would still do that (out of precaution).



  • 14.  RE: Script for ESXi Host AD Join

    Posted Aug 10, 2017 10:28 PM

    Hi All, I stumbled across this thread and this seems to do some of what I need. I have to add 200+ ESXi hosts to a Microsoft domain but I would like to put the host in an OU and assign user or group rights when adding it. Can anyone please help with this?