Changing of ESXi root password: need downtime & sync with vSphere client/vCenter?

We're on ESXi V6.1.

Our sysadmins told me it's not feasible to periodically (say every 60 days) change the root password
as the new password needs to be synced to vCenter & a reboot is needed. Is this true?

As I'm a former Unix admin, all I know is the command 'passwd root' in UNIX to change its root
password does not require a reboot nor downtime, so how is it they told me downtime/reboot
is needed?  Or what other impacts/dependencies they are talking about?  I tend to compare with Unix
sunhux Asked:

serialband Commented:
I don't recall needing a reboot when changing the password.
http://www.mustbegeek.com/change-root-password-of-esxi-server-using-vsphere-client/
It is a modified Linux after all.

vCenter is separate and usually has a separate domain password for access if joined to the domain. If you change the ESX password through vCenter, you shouldn't lose any access to the ESX server.
0

Paul Solovyovsky (Senior IT Advisor) Commented:
I have never performed a reboot of vCenter; the vpx agent syncs automatically, if I recall. You can't change the root password through vCenter; you will need to either log in to the ESXi host directly via console or SSH if you're talking about the root password.
0
Pallavi Godse (Sr. Digital Marketing Executive) Commented:
The only supported method to change the password for ESXi is to reinstall -

Reinstalling the ESXi host is the only supported way to reset a password on ESXi. Any other method may lead to a host failure or an unsupported configuration due to the complex nature of the ESXi architecture. ESXi does not have a service console and as such traditional Linux methods of resetting a password, such as single-user mode do not apply.

If you have two hosts and they have the resources to support it, you could vMotion (and/or storage vMotion) the servers all onto a single host, remove and rebuild the empty host, add it back into the cluster. Then move all the guests onto the rebuilt host and remove/rebuild the remaining host. This would allow you to rebuild without incurring any downtime on the guests. Depending on your infrastructure and depending on the number of virtual machines to move, the two hosts should take less than a day to rebuild unless you have extraordinarily large or complex host configuration.

Also, if you are on an older version of ESXi, this would also be a good time to check your current hardware against the HCL and move up to the latest version if supported (After upgrading your vCenter server first of course).

Regarding non-supported methods that I will mention but don't necessarily advise.

Use vCenter to join each host to an AD Domain and setup and configure an AD user as an admin to the host and allow AD authentication. Use the vSphere client to connect directly to the host using AD credentials to login. Once connected this way, you should be able to change the password for the root account through the vSphere client connected directly to the host. I've used this in a pinch and it does work.
   
Generate a host profile that specifies the password and attach it to the host. This can be done but still requires the host to be put into maintenance mode. Haven't used this method myself personally.
1

tfewster Commented:
@Pallavi Godse - That's resetting a lost password. If you really can't change the root password from the install default, why does the passwd command exist?

Changing an ESXi/ESX host root password; https://kb.vmware.com/s/article/1004659  - though it lists VMware ESXi 6.0.x and 6.5.x, but not 6.1 explicitly

We've recently enforced automated root password rotation on ESXi hosts (v5/6?) via an external mechanism (CyberArk API, though I hear that PowerCLI can do it), and there was no impact. My understanding is that the vCenter "application" uses a different account to manage hosted clients.
1
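
The scripted rotation tfewster mentions can be done with PowerCLI through vCenter's existing connection to each host. The following is an added example, not code from any poster in this thread; the vCenter and cluster names are placeholders, and `New-RandomPassword` is a helper defined here.

```powershell
# Added example: rotate the root password on every connected host in a cluster.
# Placeholder names (assumptions): vcenter.example.local, Prod-Cluster.
Import-Module VMware.VimAutomation.Core

function New-RandomPassword {
    param([int]$Length = 32)
    # Four character classes; look-alike characters are left out.
    $sets = 'abcdefghijkmnpqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!#%+-_=?'
    $all  = -join $sets
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf  = New-Object byte[] 4
    do {
        $chars = for ($i = 0; $i -lt $Length; $i++) {
            $rng.GetBytes($buf)
            $all[[int]([BitConverter]::ToUInt32($buf, 0) % $all.Length)]
        }
        $pw = -join $chars
        # Retry until every class is present, as a typical complexity policy expects.
        $classes = @($sets | Where-Object { $pw.IndexOfAny($_.ToCharArray()) -ge 0 }).Count
    } until ($classes -eq 4)
    $rng.Dispose()
    return $pw
}

Connect-VIServer -Server 'vcenter.example.local' | Out-Null

$results = foreach ($vmhost in (Get-Cluster -Name 'Prod-Cluster' | Get-VMHost)) {
    # Skip hosts that are in maintenance mode, disconnected or not responding.
    if ($vmhost.ConnectionState -ne 'Connected') { continue }
    $new    = New-RandomPassword
    # esxcli is reached through vCenter, so no direct root login to the host is made.
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    $a = $esxcli.system.account.set.CreateArgs()
    $a.id                   = 'root'
    $a.password             = $new
    $a.passwordconfirmation = $new
    $ok = $esxcli.system.account.set.Invoke($a)
    [pscustomobject]@{
        Host    = $vmhost.Name
        Changed = [bool]$ok
        Secret  = ConvertTo-SecureString $new -AsPlainText -Force
    }
    Remove-Variable new
}
# Show the outcome per host without printing any password.
$results | Select-Object Host, Changed
Disconnect-VIServer -Confirm:$false
```

Each `Secret` in `$results` is a SecureString meant to be written to a password vault before the session ends.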
Pete Long (Technical Consultant) Commented:
jeez just set a 32 character complex password and then DON'T change it?

I work for defence contractors, and government agencies that have stupidly secure systems and I don't know one that revolves ESXi root passwords?


P
0
compdigit44 Commented:
I may be mistaken, but once you change the root password on the ESXi host, don't you have to reconnect the host back to vCenter with the new root password?
0
sunhux (Author) Commented:
Thanks, I'll take it that Pallavi refers to recovering ESXi root password & not changing/resetting the root password.

What about compdigit44's comment? Do we need to reconnect the ESXi host back to vCenter?
0
serialband Commented:
If you didn't like my previous link with the GUI, here's the official VMware vSphere/vCenter link that describes how to change the password.
https://pubs.vmware.com/vsphere-50/index.jsp?topic=%2Fcom.vmware.vsa.doc_10%2FGUID-11FB8048-C511-4B37-9E87-22B40F8B1C86.html

If you change the password through the direct ESX interface, you will probably have to reconnect it. If you change through the vCenter/vSphere client, you should not have to do any reconnecting.
1
Pber (Solutions Architect) Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- serialband (https:#a42411424)
-- serialband (https:#a42420370)
-- tfewster (https:#a42411662)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Pber
Experts-Exchange Cleanup Volunteer
0