While migrating Windows vCenter Server 5.5 to VCSA 6.5u2c this error was observed and corrected using the following steps.
Related KB: https://kb.vmware.com/s/article/2148010
All VMworld US sessions now available on-demand!
View videos of VMworld general sessions (main keynotes), showcase keynotes, and breakout sessions on demand.
Just a quick note on a recent discovery.
When using the vSphere Security Configuration policy in vRealize Operations Manager you may see an alert similar to the following.
RP 1,2,3 – vNetwork.reject-forged-transmit-dvportgroup – The Forged Transmits policy is not set to reject
Checked the config for the security policy on the port groups using:
Get-VDPortgroup | Get-VDSecurityPolicy
After some digging I found that Forged Transmits is enabled on uplink port groups by default but not on regular port groups. This is because the uplink ports will need to pass traffic (VM, management, etc…) for MACs that are not on the interface.
This alert is a false positive and should be excluded from the compliance checker. Time permitting I will follow up with info on how to do this.
tl;dr – don’t disable forged transmits on uplink port groups, something will break
Here is some good background info on forged transmits: http://wahlnetwork.com/2013/04/29/how-the-vmware-forged-transmits-security-policy-works/
Someone else with the same issue: https://communities.vmware.com/thread/577449
This method of resetting the root password does not require you to know the existing password and is a lot easier that setting up a host profile to change the passwords.
Original script source & writer – the best script is one someone else already wrote 🙂
# https://www.linkedin.com/pulse/reset-esxi-root-password-through-vcenter-esxcli-method-buschhaus
# First, setup $vmhosts. You can do this many ways.$vmhosts = Get-Cluster -Name ClusterWithUnknownPassword | Get-VMHost
# Just so it contains one or more VMHost objects.
# To reset all ESXi host passwords use
# $vmhosts = Get-VMHost
# $vmhosts = Get-Cluster -Name "Cluster Name" | Get-VMHost
# Since this only works on ESXi 6 and up I used this option to skip the 5.5 hosts that will error out. -AD
$vmhosts = get-vmhost |Where-Object {$_.Version -eq '6.0.0'}
# This will prompt for the new root password -AD
$NewCredential = Get-Credential -UserName "root" -Message "Enter an existing ESXi username (not vCenter), and what you want their password to be reset to."
Foreach ($vmhost in $vmhosts) {
$esxcli = get-esxcli -vmhost $vmhost -v2 #Gain access to ESXCLI on the host.
$esxcliargs = $esxcli.system.account.set.CreateArgs() #Get Parameter list (Arguments)
$esxcliargs.id = $NewCredential.UserName #Specify the user to reset
$esxcliargs.password = $NewCredential.GetNetworkCredential().Password #Specify the new password
$esxcliargs.passwordconfirmation = $NewCredential.GetNetworkCredential().Password
Write-Host ("Resetting password for: " + $vmhost) #Debug line so admin can see what's happening.
$esxcli.system.account.set.Invoke($esxcliargs) #Run command, if returns "true" it was successful.
}
Very excited to get an email this moring that my application to the vExpert program was approved!!!
Ariel Davenport 