Forgetting an ESXi root password can be a real problem, one that occurs all too often. If you go online in search...
of a quick fix, you'll find plenty of potential solutions, but many of these solutions, such as changing the bootbank files, are questionable at best. Fortunately, there are better, less risky ways to recover a forgotten root password for hosts connected to vCenter and stand-alone hosts.
If the affected host is connected to vCenter, you can use Host Profiles to recover the root password. If the host in question is stand-alone, the root password recovery process will be more involved.
Recover ESXi root password for a vCenter server
To recover an ESXI root password for a server connected to vCenter, first migrate all VMs to alternative hosts; this is a belt-and-brace security measure. Temporarily set Distributed Resource Scheduler to manual and then open the vSphere Web Client for vCenter and navigate to the Host Profiles icon. Next, select "Extract Host Profile," and choose the appropriate host to extract its profile settings.
On the next page, choose an appropriate name and then advance to the final page; click the Finish button. It will take a few minutes for the Web Client to create the profile. Once the profile is finished, edit it to change the default password and effectively apply it back to the problematic host.
Next, open the Host Profile page and click on the new profile. At the top of the page, click the Edit Host Profile button. Click through the first page and then, on the next page, you'll see a tree of settings like the one in Figure B.
Expand the Security and Services item group, then expand the Security Settings item group underneath that. Finally, expand the User Configuration item group and select root. To change the password, select the password drop-down menu and select "Fixed password configuration."
Choose a new password for the ESXi server, enter it into the password field to confirm it and click Finish. You now have a profile that will apply the new password to the affected host. Now you need to attach the profile to the affected host and apply that profile; to do this, select "Attach/Detach Hosts and Clusters" from the Actions drop-down menu shown in Figure D.
Continue to click through this menu, select the appropriate host and click Finish to complete. The profile is now attached. Finally, go to the Hosts & VMs page, navigate to the affected host and select Remediate. Remediation will take a few minutes, but once it's complete open the host in the Web Client and try to log in with the root name and reset password to test it out.
Recover ESXi root password for a stand-alone host
Recovering an ESXi root password for a stand-alone host isn't quite as straightforward as the process for a vCenter-connected host. It requires you to reinstall ESXi on top of the affected host, which both removes all host configuration and network details from the host and allows you to access VMs that might otherwise be lost.
Although you can mount Virtual Machine File System (VMFS) drives with special software to recover the password, that process is even more complex and time-consuming. An ESXi reinstall is easier, but still comes with some caveats. If you use this method to recover root password, the VMs will still exist, but you'll have to manually re-enter the networks, port groups and other host-based configurations that the reinstall process overwrites. The shutdown and reboot necessary to boot the ESXi install forces a dirty shutdown of VMs, but there's no way around this.
Start by booting from the ESXi CD-ROM installation media. Follow the installation media prompts until the installer reaches the screen for selecting a disk to install or upgrade. Select the appropriate disk and press Enter. Pay close attention because this next selection is critical. The installer will detect an installed ESXi setup and present options as shown below:
Select "Install ESXi, preserve VMFS datastore." Once you do, the installer will continue and configure the ESXi installation. When the configuration is complete, the installer will prompt you to reboot. The administrator should be able to log back into the server after the reboot, either directly or via the web interface.
The admin must now configure the network port groups and other components. Since the VMs are all still available, the admin must also recreate the port groups and all associated configurations. Fortunately, sorting out the VMs is easy enough. After he recreates the port groups, the admin must reattach the network to the appropriate port group. At this point, it should be simple to reboot.
Forgetting an ESXi root password is a relatively common mistake but, hopefully, it's a case of once bitten, twice shy. Make sure you type carefully and, if you use a stand-alone machine, consider using a second account and reserving the root account for emergencies.
Don't fall victim to a hacked AWS root account
Correct this common vCSA root lockout issue
The end is nigh for traditional authentication methods