
Recover an ESXi root password for stand-alone and vCenter hosts

A forgotten ESXi root password can stop you in your tracks. Avoid dodgy quick fixes and learn the proper way to recover a root password for vCenter-connected and stand-alone hosts.

Forgetting an ESXi root password can be a real problem, one that occurs all too often. If you go online in search of a quick fix, you'll find plenty of potential solutions, but many of these solutions, such as changing the bootbank files, are questionable at best. Fortunately, there are better, less risky ways to recover a forgotten root password for hosts connected to vCenter and stand-alone hosts.

If the affected host is connected to vCenter, you can use Host Profiles to recover the root password. If the host in question is stand-alone, the root password recovery process will be more involved.

Recover ESXi root password for a vCenter server

To recover an ESXi root password for a server connected to vCenter, first migrate all VMs to alternative hosts; this is a belt-and-braces security measure. Temporarily set Distributed Resource Scheduler to manual and then open the vSphere Web Client for vCenter and navigate to the Host Profiles icon. Next, select "Extract Host Profile," and choose the appropriate host to extract its profile settings.

Figure A. Locate the affected host from the Select Host menu to extract its profile settings.

On the next page, choose an appropriate name and then advance to the final page; click the Finish button. It will take a few minutes for the Web Client to create the profile. Once the profile is finished, edit it to change the default password and effectively apply it back to the problematic host.

Next, open the Host Profile page and click on the new profile. At the top of the page, click the Edit Host Profile button. Click through the first page and then, on the next page, you'll see a tree of settings like the one in Figure B.

Figure B. You can easily change the settings of your newly created Host Profile.

Expand the Security and Services item group, then expand the Security Settings item group underneath that. Finally, expand the User Configuration item group and select root. To change the password, select the password drop-down menu and select "Fixed password configuration."

Figure C. Expand the Security and Services, Security Settings and User Configuration item groups until you reach root, and then change the root password.

Choose a new password for the ESXi server, enter it into the password field to confirm it and click Finish. You now have a profile that will apply the new password to the affected host. Now you need to attach the profile to the affected host and apply that profile; to do this, select "Attach/Detach Hosts and Clusters" from the Actions drop-down menu shown in Figure D.

Figure D. From the Actions drop-down menu, select 'Attach/Detach Hosts and Clusters' to attach the new profile to the affected host.

Continue to click through this menu, select the appropriate host and click Finish to complete. The profile is now attached. Finally, go to the Hosts & VMs page, navigate to the affected host and select Remediate. Remediation will take a few minutes, but once it's complete, open the host in the Web Client and try to log in with the root name and reset password to test it out.

Recover ESXi root password for a stand-alone host

Recovering an ESXi root password for a stand-alone host isn't quite as straightforward as the process for a vCenter-connected host. It requires you to reinstall ESXi on top of the affected host, which both removes all host configuration and network details from the host and allows you to access VMs that might otherwise be lost.


Although you can mount Virtual Machine File System (VMFS) drives with special software to recover the password, that process is even more complex and time-consuming. An ESXi reinstall is easier, but still comes with some caveats. If you use this method to recover the root password, the VMs will still exist, but you'll have to manually re-enter the networks, port groups and other host-based configurations that the reinstall process overwrites. The shutdown and reboot necessary to boot the ESXi install force a dirty shutdown of VMs, but there's no way around this.

Start by booting from the ESXi CD-ROM installation media. Follow the installation media prompts until the installer reaches the screen for selecting a disk to install or upgrade. Select the appropriate disk and press Enter. Pay close attention because this next selection is critical. The installer will detect an installed ESXi setup and present options as shown below:

Figure E. Choose 'Install ESXi, preserve VMFS datastore' from the list of VMware ESXi 6.5.0 Installer options.

Select "Install ESXi, preserve VMFS datastore." Once you do, the installer will continue and configure the ESXi installation. When the configuration is complete, the installer will prompt you to reboot. The administrator should be able to log back into the server after the reboot, either directly or via the web interface.

The admin must now configure the network port groups and other components. Since the VMs are all still available, the admin must also recreate the port groups and all associated configurations. Fortunately, sorting out the VMs is easy enough. After he recreates the port groups, the admin must reattach the network to the appropriate port group. At this point, it should be simple to reboot.
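
One way to script the port group recreation and network reattachment described above with VMware PowerCLI, as an added example that is not part of the original article. The host name, port group names, VLAN IDs and VM-to-network mapping are constructed placeholders, and the script assumes each VM's adapters all belong on one port group.

```powershell
# Added example: every name and VLAN ID below is a constructed placeholder.
# Requires the VMware PowerCLI module and a direct connection to the reinstalled host.
$esxHost = 'esxi01.example.test'

# Port groups as they existed before the reinstall (taken from your own records).
$portGroups = @(
    @{ Name = 'Prod-VLAN10'; VLanId = 10; Switch = 'vSwitch0' }
    @{ Name = 'DMZ-VLAN20';  VLanId = 20; Switch = 'vSwitch0' }
)

# Port group each VM's adapters must be attached to.
$vmNetworks = @{
    'web01' = 'DMZ-VLAN20'
    'db01'  = 'Prod-VLAN10'
}

# Log in with the root password chosen during the reinstall.
Connect-VIServer -Server $esxHost -Credential (Get-Credential) | Out-Null

# A direct host connection exposes exactly one host object.
$vmhost = Get-VMHost

# Recreate any port group that is missing; leave existing ones untouched.
foreach ($pg in $portGroups) {
    $vswitch  = Get-VirtualSwitch -VMHost $vmhost -Name $pg.Switch -Standard
    $existing = Get-VirtualPortGroup -VirtualSwitch $vswitch -Name $pg.Name `
                    -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-VirtualPortGroup -VirtualSwitch $vswitch -Name $pg.Name `
            -VLanId $pg.VLanId | Out-Null
    }
}

# Reattach each VM's adapters to the port group it belongs on.
foreach ($vmName in $vmNetworks.Keys) {
    $target = $vmNetworks[$vmName]
    Get-VM -Name $vmName | Get-NetworkAdapter |
        Where-Object { $_.NetworkName -ne $target } |
        Set-NetworkAdapter -NetworkName $target -Confirm:$false | Out-Null
}

# Review the result: every adapter should list its intended port group.
Get-VM | Get-NetworkAdapter | Select-Object Parent, Name, NetworkName

Disconnect-VIServer -Server $esxHost -Confirm:$false
```

Checking the final listing against your records matters because a VM left on the wrong port group ends up on the wrong VLAN.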

Forgetting an ESXi root password is a relatively common mistake but, hopefully, it's a case of once bitten, twice shy. Make sure you type carefully and, if you use a stand-alone machine, consider using a second account and reserving the root account for emergencies.

This was last published in October 2017
