Cross domain-repoint fails when local SSO domain is the same name as Active Directory domain name

Article ID: 316446

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Local SSO domain matches Active Directory domain name
    • To check local SSO domain name from Appliance:

      /usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost

      Example: testlab.com
    • To check hostname:

      hostname -f

      Example: vcenter.testlab.com
  • During a domain-repoint process, it fails at "Starting all services":

All Repoint configuration settings are correct; proceed? [Y|y|N|n]: y

Starting License export ... Done
Starting Tagging Data export ... Done
Starting Authz Data export ... Done
Export Service Data ... Done
Uninstalling Platform Controller Services ... Done
Stopping all services ... Done
Updating registry settings ... Done
Re-installing Platform Controller Services ... Done
Registering Infra services ... Done
Updating Service configurations ... Done
Starting License import ... Done
Starting Tagging Data import ... Done
Starting Authz Data import ... Done
Applying target domain CEIP participation preference ... Done
Starting all services ... Failed


Environment

VMware vCenter Server 6.7.x
VMware vCenter Server 7.x
VMware vCenter Server 8.x

Cause

The domain-repoint failure is expected in this scenario. With vSphere 6.0 and later, the local SSO domain must be a unique name and should differ from the Active Directory domain name to prevent authentication conflicts.

Understanding vSphere Domains, Domain Names, and Sites

"With vSphere 6.0 and later, you can give your vSphere domain a unique name. To prevent authentication conflicts, use a name that is not used by OpenLDAP, Microsoft Active Directory, and other directory services."

Resolution

There is no resolution as this is by design.

Please refer to the workaround below.

Workaround:
  1. Take powered-off snapshots of all PSC/vCenter nodes in both the source and destination SSO domains.
  2. SSH to the source node that you want to repoint, and back up the following file to /root:

     cp /usr/lib/vmware/site-packages/cis/service_command_utils.py /root/service_command_utils.py

  3. Edit line 225 of /usr/lib/vmware/site-packages/cis/service_command_utils.py and modify it as below:

     225                     s = s.replace(input_data['source_domain'], input_data['dest_domain'])

     TO

     225                     s = s.replace('@'+input_data['source_domain'], '@'+input_data['dest_domain'])

  4. Save the file.
  5. Perform the cross domain-repoint.
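
The difference between the two forms of line 225, as an added example (not VMware's code and not part of the original article): when the SSO domain name is also the DNS/AD domain, the unanchored replace rewrites any string containing that name, while the '@'-anchored form only touches user principals. The sample strings, the destination domain vsphere.local and the helper names are assumptions; the article does not show what `s` contains, so the example assumes it can hold host FQDNs as well as principals.

```python
# Added illustration; not VMware code. All sample values are constructed.

def rewrite_unanchored(s, input_data):
    """Line 225 before the edit: replaces every occurrence of the source domain."""
    return s.replace(input_data['source_domain'], input_data['dest_domain'])


def rewrite_anchored(s, input_data):
    """Line 225 after the edit: only '@<source_domain>' is replaced."""
    return s.replace('@' + input_data['source_domain'],
                     '@' + input_data['dest_domain'])


def collateral_changes(lines, input_data):
    """Lines the unanchored rewrite alters but the anchored rewrite leaves alone."""
    return [line for line in lines
            if rewrite_unanchored(line, input_data) != line
            and rewrite_anchored(line, input_data) == line]


def sso_domain_collides(sso_domain, fqdn):
    """Pre-flight check on the two command outputs from the Symptoms section:
    is the SSO domain name (vmafd-cli get-domain-name) the DNS suffix of the
    host name (hostname -f)?"""
    sso = sso_domain.strip().lower().rstrip('.')
    host = fqdn.strip().lower().rstrip('.')
    return host == sso or host.endswith('.' + sso)


# Constructed input: source SSO domain equals the AD/DNS domain used in the
# article's examples; the destination domain is an assumed value.
input_data = {'source_domain': 'testlab.com', 'dest_domain': 'vsphere.local'}
sample = [
    'Administrator@testlab.com',        # user principal: should be rewritten
    'https://vcenter.testlab.com/sdk',  # host FQDN: should stay untouched
]

if __name__ == '__main__':
    print('collision:', sso_domain_collides('testlab.com', 'vcenter.testlab.com'))
    for line in sample:
        print(line, '->', rewrite_unanchored(line, input_data),
              '|', rewrite_anchored(line, input_data))
    print('altered only by unanchored form:',
          collateral_changes(sample, input_data))
```

Running `sso_domain_collides` on the two command outputs before starting a repoint shows whether the node is in the situation this article describes.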