In this blog, we will focus on rotating the ESXi root password via Host profiles. One of the most common ways to reset the root password is via the DCUI but I prefer using an automated approach to rotating passwords everywhere possible as multi-region keyboard layout keys play a role in getting password combinations incorrectly.
Host profiles on an ESXi server are aimed at ensuring we maintain consistent system configuration across all our hosts in the environment. Provided that the ESXi host is attached to the vCenter, password reset via the host profile is the recommended way to reset the root password.
There can be only one host profile per host/cluster so ensure that you don’t detach the current one if it has a valid config on to add a new one.
1- Login to the vCenter and locate the Host profiles section under the Profiles and Policies tab.
2- Choose the option Extract Host Profile. All this does is it extract all the live configuration from the server into a file.
3- We will now need to pick a host as our Master host who has the correct password on it.
4- Give the name for the profile settings and click Finish to close the assistant.
5-. Now we have our host profile created as shown
6 – We will now edit the host profile by clicking Actions > Edit settings
7- Deselect all parts of the host profile except the Security configuration.
We will select a fixed administrator password option choose a new password for our root account and finish the wizard.
8- We will now just need to attach the host profile to the cluster as shown
9- Pick the host or the entire cluster or the host you wish to change the password
10- Run a precheck to check for any errors.
11-Â The summary will show us what we are about to alter
12- As expected, our passwords aren’t compliant now.
13 – Remediate the first host. I usually put the host in maintenance mode prior to doing password rotation however this is not required as per VMware.
14 – Untick the option to reboot the host
15 – Once the first host is compliant, login via https://host/UI as well as ssh and validate if you are able to login with the new password
16 – Once the host goes through and provided the password has been validated, we will hit remediate on all hosts now and wait for it to finish.
17 – Remove the host profile from the host
18 – Click yes to proceed
19 – Exit the host out of maintenance mode if you had followed the route of placing the host in maintenance mode.
Here is another way via powercli to do this task.
Get-VMHost EsxiName|Set-VMHostPassword -UserName root -Password Passw0rd1
References
Reset Root Passsword with Host Profile