
ESXi Ad Integration: Something to watch out for


dips
  • Veeam Legend
  • 808 comments

Hey Folks, 

An interesting configuration issue that recently popped up affecting:

  • VMware vSphere ESXi 7.0
  • VMware vSphere ESXi 8.0

If you have an AD Group called “ESX Admins” in your AD Environment, it is automatically given the VM Admin role when ESXi is joined to the AD domain. 

To mitigate:

  • Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd from true to false
  • Config.HostAgent.plugins.vimsvc.authValidateInterval from 1440 to 90
  • Config.HostAgent.plugins.hostsvc.esxAdminsGroup from "ESX Admins" to "" 

Resource: https://knowledge.broadcom.com/external/article/369707/

Be safe out there!
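The following is an added example, not code from the original post and not Broadcom/VMware's own tooling. It turns the three mitigations above into an audit-first PowerCLI script: for every host a vCenter manages it reports whether the host is AD-joined, compares the three advanced settings against the hardened values, changes them only when `-Remediate` is given, and re-reads each value after writing it so the report shows what the host actually holds. It assumes PowerCLI is installed; the vCenter name `vcenter.example.internal`, the `-Remediate` switch and the report column names are this example's own, and the optional AD-side check needs the RSAT ActiveDirectory module.

```powershell
<#
  Added example (not from the original post). Audit, and optionally enforce,
  the three ESXi hardening values for the "ESX Admins" auto-add behaviour.
  Assumptions: PowerCLI installed; 'vcenter.example.internal' is a placeholder;
  -Remediate and the report columns are this example's own naming.
#>
[CmdletBinding()]
param(
    [string]$VIServer = 'vcenter.example.internal',   # placeholder, replace with your vCenter
    [switch]$Remediate                                # omit for a read-only audit
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VIServer | Out-Null

# Hardened values exactly as listed in the post (default -> hardened):
#   esxAdminsGroupAutoAdd   true         -> false
#   authValidateInterval    1440         -> 90    (minutes between re-checks of AD group membership)
#   esxAdminsGroup          "ESX Admins" -> ""    (no group name left to match at all)
$Expected = @{
    'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd' = $false
    'Config.HostAgent.plugins.vimsvc.authValidateInterval'   = 90
    'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'        = ''
}

$report = foreach ($vmhost in Get-VMHost) {
    # Only an AD-joined host can have the auto-add behaviour triggered, but the
    # post's advice is to set the values everywhere, so every host is audited.
    $auth = Get-VMHostAuthentication -VMHost $vmhost
    foreach ($s in (Get-AdvancedSetting -Entity $vmhost -Name ([string[]]$Expected.Keys))) {
        $want = $Expected[$s.Name]
        $have = $s.Value
        $ok   = ([string]$have -eq [string]$want)   # string compare covers bool, int and string settings
        if (-not $ok -and $Remediate) {
            Set-AdvancedSetting -AdvancedSetting $s -Value $want -Confirm:$false | Out-Null
            $have = (Get-AdvancedSetting -Entity $vmhost -Name $s.Name).Value   # re-read; never trust the write
            $ok   = ([string]$have -eq [string]$want)
        }
        [pscustomobject]@{
            Host      = $vmhost.Name
            Version   = "$($vmhost.Version) build $($vmhost.Build)"
            ADDomain  = $auth.Domain
            ADStatus  = $auth.DomainMembershipStatus
            Setting   = $s.Name.Split('.')[-1]
            Current   = [string]$have
            Expected  = [string]$want
            Compliant = $ok
        }
    }
}

$report | Sort-Object Host, Setting | Format-Table -AutoSize

# Optional AD-side check: does a group with the default name already exist in a
# domain any host is joined to? If it does, review its members and who is allowed
# to create or rename groups in that domain.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    foreach ($domain in ($report.ADDomain | Where-Object { $_ } | Sort-Object -Unique)) {
        $group = Get-ADGroup -Server $domain -Filter "Name -eq 'ESX Admins'" -ErrorAction SilentlyContinue
        if ($group) {
            Write-Warning "'ESX Admins' exists in $domain as $($group.DistinguishedName)"
        }
    }
}

$bad = @($report | Where-Object { -not $_.Compliant })
Write-Host ("{0} of {1} host/setting pairs compliant" -f ($report.Count - $bad.Count), $report.Count)
Disconnect-VIServer -Server $VIServer -Confirm:$false
if ($bad.Count -gt 0) { exit 1 }   # non-zero exit so a scheduled run flags drift
```

Run it once without `-Remediate` to see where you stand, then with the switch to apply the three changes; none of them needs maintenance mode or a reboot. The non-zero exit code is there so the same script can run from a scheduled job and flag a host that has drifted back, for example after a reinstall or a profile reapply.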

13 comments

coolsport00
  • Veeam Legend
  • 4139 comments
  • July 30, 2024

Yeah... Saw that yesterday. Thanks for sharing this Dipen.

Out of all my years of using vSphere, I never understood having the Hosts bound to AD 🤷🏼‍♂️


dips
  • Author
  • Veeam Legend
  • 808 comments
  • July 30, 2024

Same, never saw the need for it especially when they were managed by vCenter. 

Mitigations are easy to apply anyway without downtime which is one saving grace I suppose.


Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 8494 comments
  • July 30, 2024

Our VMware team patched this yesterday and never saw it like I usually do before them. 😂


dips
  • Author
  • Veeam Legend
  • 808 comments
  • July 30, 2024

They beat you to it @Chris.Childerhose ;) 


Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 8494 comments
  • July 30, 2024
dips wrote:

They beat you to it @Chris.Childerhose ;) 

Yes they did.  😜


Leonard.Pieper

Hey, thanks for the heads-up! I just double-checked and our ESX hosts are not connected to AD. So I’m not affected, right? Our vCenter is connected to AD, but this is specifically only for the ESX hosts, correct?

Thank you!


dips
  • Author
  • Veeam Legend
  • 808 comments
  • July 30, 2024
Leonard.Pieper wrote:

Hey, thanks for the heads-up! I just double-checked and our ESX hosts are not connected to AD. So I’m not affected, right? Our vCenter is connected to AD, but this is specifically only for the ESX hosts, correct?

Thank you!

Yes, that is correct. However, it is worth applying the mitigations if you are on any version prior to ESXi 8.0 U3.


Leonard.Pieper

dips wrote:

Yes, that is correct. However, it is worth applying the mitigations if you are on any version prior to ESXi 8.0 U3.

Yeah, actually you’re absolutely right. I just applied the fix to all our ESX hosts. Thanks and have a nice day everybody!


dips
  • Author
  • Veeam Legend
  • 808 comments
  • July 30, 2024
Leonard.Pieper wrote:

Yeah, actually you’re absolutely right. I just applied the fix to all our ESX hosts. Thanks and have a nice day everybody!

Welcome, glad we could help :) and welcome to the Community Forums!


Dynamic
  • Veeam Vanguard
  • 383 comments
  • July 30, 2024

Thanks for this information @dips. We also would never join an ESXi host to AD. But it is difficult to understand how such a behaviour could be intentional. I am also sending your post to my colleagues so they are aware of it.


dips
  • Author
  • Veeam Legend
  • 808 comments
  • July 31, 2024
Dynamic wrote:

Thanks for this information @dips. We also would never join an ESXi host to AD. But it is difficult to understand how such a behaviour could be intentional. I am also sending your post to my colleagues so they are aware of it.

Welcome, glad it was of help.

I have been thinking about why an ESXi host would end up in AD, and I think it may be at smaller places where they run just one host or prefer to log in to the host via AD authentication. Just a thought.


DavideAbrigo
  • Experienced User
  • 118 comments
  • July 31, 2024

Quick PowerCLI to change the settings on all hosts in a cluster:

# Stop a group named in esxAdminsGroup from being auto-granted admin on AD-joined hosts
Get-Cluster 'ClusterName' | Get-VMHost | Get-AdvancedSetting -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd' | Set-AdvancedSetting -Value 'false' -Confirm:$false
# Re-validate AD group membership every 90 minutes instead of every 1440 (24 hours)
Get-Cluster 'ClusterName' | Get-VMHost | Get-AdvancedSetting -Name 'Config.HostAgent.plugins.vimsvc.authValidateInterval' | Set-AdvancedSetting -Value 90 -Confirm:$false
# Blank the group name so nothing in AD can match it
Get-Cluster 'ClusterName' | Get-VMHost | Get-AdvancedSetting -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup' | Set-AdvancedSetting -Value "" -Confirm:$false



Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 8494 comments
  • July 31, 2024
DavideAbrigo wrote:

Quick PowerCLI to change the settings on all hosts in a cluster:

Get-Cluster 'ClusterName' | Get-VMHost | Get-AdvancedSetting -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd' | Set-AdvancedSetting -Value 'false' -Confirm:$false
Get-Cluster 'ClusterName' | Get-VMHost | Get-AdvancedSetting -Name 'Config.HostAgent.plugins.vimsvc.authValidateInterval' | Set-AdvancedSetting -Value 90 -Confirm:$false
Get-Cluster 'ClusterName' | Get-VMHost | Get-AdvancedSetting -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup' | Set-AdvancedSetting -Value "" -Confirm:$false


Thanks for sharing that one.  Love using PowerShell for automating things.  😎

