sunhux
asked on
changing of ESXi root password : need downtime & sync with vSphere client/vCenter ?
We're on ESXi V6.1.
Our sysadmins told me it's not feasible to periodically (say every 60 days) change the root password
as the new password need to be sync'ed to vCenter & a reboot is needed. Is this true?
As I'm a former Unix admin, all I know is the command 'passwd root' in UNIX to change its root
password does not require a reboot nor downtime, so how is it they told me downtime/reboot
is needed? Or what other impacts/dependencies they are talking about? I tend to compare with Unix
Our sysadmins told me it's not feasible to periodically (say every 60 days) change the root password
as the new password need to be sync'ed to vCenter & a reboot is needed. Is this true?
As I'm a former Unix admin, all I know is the command 'passwd root' in UNIX to change its root
password does not require a reboot nor downtime, so how is it they told me downtime/reboot
is needed? Or what other impacts/dependencies they are talking about? I tend to compare with Unix
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Paul Solovyovsky
I have never performed a reboot of vCenter, the vpx agent sync automatically if I recall. You can't change the root password through vCenter, you will need to either login to the ESXi host directly via console or SSH if you're taking about the root password.
The only supported method to change the password for ESXi is to reinstall -
Reinstalling the ESXi host is the only supported way to reset a password on ESXi. Any other method may lead to a host failure or an unsupported configuration due to the complex nature of the ESXi architecture. ESXi does not have a service console and as such traditional Linux methods of resetting a password, such as single-user mode do not apply.
If you have two hosts and they have the resources to support it, you could vMotion (and/or storage vMotion) the servers all onto a single host, remove and rebuild the empty host, add it back into the cluster. Then move all the guests onto the rebuilt host and remove/rebuild the remaining host. This would allow you to rebuild without incurring any downtime on the guests. Depending on your infrastructure and depending on the number of virtual machines to move, the two hosts should take less than a day to rebuild unless you have extraordinarily large or complex host configuration.
Also, if you are on an older version of ESXi, this would also be a good time to check your current hardware against the HCL and move up to the latest version if supported (After upgrading your vCenter server first of course).
Regarding non-supported methods that I will mention but don't necessarily advise.
Use vCenter to join each host to an AD Domain and setup and configure an AD user as an admin to the host and allow AD authentication. Use the vSphere client to connect directly to the host using AD credentials to login. Once connected this way, you should be able to change the password for the root account through the vSphere client connected directly to the host. I've used this in a pinch and it does work.
Generate a host profile that specifies the password and attach it to the host. This can be done but still requires the host to be put into maintenance mode. Haven't used this method myself personally.
Reinstalling the ESXi host is the only supported way to reset a password on ESXi. Any other method may lead to a host failure or an unsupported configuration due to the complex nature of the ESXi architecture. ESXi does not have a service console and as such traditional Linux methods of resetting a password, such as single-user mode do not apply.
If you have two hosts and they have the resources to support it, you could vMotion (and/or storage vMotion) the servers all onto a single host, remove and rebuild the empty host, add it back into the cluster. Then move all the guests onto the rebuilt host and remove/rebuild the remaining host. This would allow you to rebuild without incurring any downtime on the guests. Depending on your infrastructure and depending on the number of virtual machines to move, the two hosts should take less than a day to rebuild unless you have extraordinarily large or complex host configuration.
Also, if you are on an older version of ESXi, this would also be a good time to check your current hardware against the HCL and move up to the latest version if supported (After upgrading your vCenter server first of course).
Regarding non-supported methods that I will mention but don't necessarily advise.
Use vCenter to join each host to an AD Domain and setup and configure an AD user as an admin to the host and allow AD authentication. Use the vSphere client to connect directly to the host using AD credentials to login. Once connected this way, you should be able to change the password for the root account through the vSphere client connected directly to the host. I've used this in a pinch and it does work.
Generate a host profile that specifies the password and attach it to the host. This can be done but still requires the host to be put into maintenance mode. Haven't used this method myself personally.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
jeez just set a 32 character complex password and then DONT change it?
I work for defence contractors, and government agencies that have stupidly secure systems and I don't know one that revolves ESXi root passwords?
P
I work for defence contractors, and government agencies that have stupidly secure systems and I don't know one that revolves ESXi root passwords?
P
I may be mistake but once you chance the root password on the ESXi host don't you have to reconnect to the host back to vcenter with the new root password?
ASKER
Thanks, I'll take it that Pallavi refers to recovering ESXi root password & not changing/resetting the root password.
What about compdigit44's comment? Do we need too reconnect the ESXi host back to vCenter?
What about compdigit44's comment? Do we need too reconnect the ESXi host back to vCenter?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I have recommended this question be closed as follows:
Split:
-- serialband (https:#a42411424)
-- serialband (https:#a42420370)
-- tfewster (https:#a42411662)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.
Pber
Experts-Exchange Cleanup Volunteer
I have recommended this question be closed as follows:
Split:
-- serialband (https:#a42411424)
-- serialband (https:#a42420370)
-- tfewster (https:#a42411662)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.
Pber
Experts-Exchange Cleanup Volunteer