No Theory Here: Adding ESXi Hosts to a Windows Domain

Here we go, round two for #Blogtober2018 – Tech Edition. The tricky thing about writing technical content for a blog is that most likely it has already been covered and covered in better detail. Today’s post is no different, so I’m going to post some links to great guides that go in depth on how to join an ESXi host to a domain. So if you want more detail or really want to know the “why” and “how”, check these out:

https://kb.vmware.com/s/article/2075361

https://www.altaro.com/vmware/how-to-join-esxi-to-active-directory-for-improved-management-and-security/

http://vcloud-lab.com/entries/esxi-installation-and-configuration/join-domain-esxi-to-an-active-directory-ou-powercli

But my goal in today’s post is function over depth. No theory, only practical application. I’m going to provide a script I wrote to join all the hosts in a specific cluster to my domain., focusing on providing something that quickly gets the job done, while avoiding theory if possible.

Part One: The Setup

There are two main things I needed to do in AD before adding ESXi hosts. First, I needed to create an AD Security group to hold accounts that will be used to log into ESXi. This is the group that users must be a part of to authenticate to the ESXi host once joined to the domain.

New-ADGroup -Name "VMware Admins" -Path "OU="VMware Admins",DC=domain,dc=root" -GroupScope Global -GroupCategory Security

Save the group name; it will be used as an argument for one of the parameters in the script we use.

The second thing I needed to do was get the canonical name where I wanted the newly created host computer accounts to land once it was created. I had previously created the OU, so all I needed now was to get the canonical name and save it:

Get-ADOrganizationalUnit -Filter "Name -eq 'ESXi Hosts OU you want to use'" -Properties canonicalname | Select-Object canonicalname

Same as before, save the canonical name since you will be using it as an argument later.

Finally, ensure the following are true before running the script to avoid any errors later on:

  • Ensure ESXi host and domain controllers share NTP source.
  • ESXi host must have an A record in the domain.
  • Proper firewall ports must be open on ESXi Hosts. If you have a restrictive setup, be sure to check that the appropriate ports are open.
  • Write down the canonical name and security group mentioned above.
  • Be sure to run this with both AD and vCenter permissions.
Part Two: Function Over Form

I used a function and mandatory parameters to help ensure we don’t forget anything. So to break it down:

  1. Connects to vCenter
  2. Loops through each host in cluster joining to domain
  3. Updates ESXi host advanced setting with the AD Security group
  4. Removes .domain.root for the Set-ADComputer cmdlet
  5. Updates AD description with the argument you passed to theĀ $DescriptionUseQuotes parameter
function Set-JSESXiDomainJoin {
[CmdletBinding()]
param (
[Parameter(Mandatory=$true)]
[string]$clusterName,

[Parameter(Mandatory=$true)]
[string]$domainInCanonicalNameFormat,

[Parameter(Mandatory=$true)]
[string]$user,

[Parameter(Mandatory=$true)]
[string]$password,

[Parameter(Mandatory=$true)]
[string]$descriptionUseQuotes,

[Parameter(Mandatory=$true)]
[string]$ADAdminGroup,

[Parameter(Mandatory=$true)]
[string]$VIServer

)
#Does check for required modules
#Requires -Modules ActiveDirectory
#Requires -Version 3
#Requires -Modules VMware.VimAutomation.Core

#Connecting to vCenter
Connect-VIServer -Server $VIServer

#Loop through each host in cluster
foreach ($esxiHost in (Get-Cluster $clusterName | Get-VMHost)){

#Join host to domain
Get-VMHostAuthentication -VMHost $esxiHost | Set-VMHostAuthentication -Domain $domainInCanonicalNameFormat -User $user -Password $password -JoinDomain -Confirm:$false

#Updates advanced settings with AD security group
Get-AdvancedSetting -Entity $esxiHost -Name Config.HostAgent.plugins.hostsvc.esxAdminsGroup | Set-AdvancedSetting -Value $ADAdminGroup -Confirm:$false

#Removes domain name from the host, leaving only hostname.
$esxiHostName = $esxiHost.Name.Split(".")[0]

#Updates description in Active Directory
Set-ADComputer -Identity $esxiHostName -Description $descriptionUseQuotes
}
}
Part Three: Success

It should look something like this when you run it:

 Set-JSESXiDomainJoin -ClusterName "ClusterName" -DomainInCanonicalNameFormat "domain.root/ou/ou" -User "jamey"-Password "secret stuff" -DescriptionUseQuotes "ESXi Host - VMware is the best" -ADAdminGroup "VMware people" -ViServer vcenter.domain.root

One thought on “No Theory Here: Adding ESXi Hosts to a Windows Domain”

Leave a Reply

Your email address will not be published. Required fields are marked *