Resetting an ESXi root password
For ESXi, the only supported method to change the password is to reinstall.
Reinstalling the ESXi host is the only supported way to reset a password on ESXi. Any other method may lead to a host failure or an unsupported configuration due to the complex nature of the ESXi architecture. ESXi does not have a service console and as such traditional Linux methods of resetting a password, such as single-user mode do not apply.
If you have two hosts and they have the resources to support it, you could vMotion (and/or storage vMotion) the servers all onto a single host, remove and rebuild the empty host, add it back into the cluster. Then move all the guests onto the rebuilt host and remove/rebuild the remaining host. This would allow you to rebuild without incurring any downtime on the guests. Depending on your infrastructure and depending on the number of virtual machines to move, the two hosts should take less than a day to rebuild unless you have extraordinarily large or complex host configuration.
Also, if you are on an older version of ESXi, this would also be a good time to check your current hardware against the HCL and move up to the latest version if supported (After upgrading your vCenter server first of course).
Regarding non-supported methods that I will mention but don't necessarily advise.
- Use vCenter to join each host to an AD Domain and setup and configure an AD user as an admin to the host and allow AD authentication. Use the vSphere client to connect directly to the host using AD credentials to login. Once connected this way, you should be able to change the password for the root account through the vSphere client connected directly to the host. I've used this in a pinch and it does work.
- Generate a host profile that specifies the password and attach it to the host. This can be done but still requires the host to be put into maintenance mode. Haven't used this method myself personally.
There are methods to reset an ESXi host's root password, provided you have physical or out-of-band access to the server.
- I've done this with Host Profiles by reapplying the profile gleaned from another host to the affected server. But you likely don't have the licensing to support this.
- I've also have to use the boot CD/Live CD approach (also here), which assumes some Linux knowledge and involves setting an empty password or a known encrypted password in the shadow file.
As to how this can happen... Poor documentation, evil terminated administrators, a data center technician who left CAPS-LOCK on when building the servers, my bad memory, etc, :)
The ESXi root password is encrypted and stored in a file named /ect/shadow. Just as this article explains you can remove the root password with the following steps:
- Boot your server from Ubuntu Live CD.
- Unpack the state.tgz and then local.tgz, delete the password hash inside the shadow file, and re-pack the archive.
- After that you can log on ESXi host as the root account without a password.