Cross domain-repoint fails when local SSO domain is the same name as Active Directory domain name

Article ID: 316446

Updated On:

Products

VMware vCenter Server

Issue/Introduction

During a cmsso-util domain-repoint process, the task fails during the "Registering Infra services" or "Starting all services" phase.

Specific Errors:

  • UI/CLI Error: Registering Infra services ... Failed

    /var/log/vmware/vmon/vmon.log: AttributeError: 'NoneType' object has no attribute 'serviceId'

    /var/log/vmware/vpxd-svcs/vpxd-svcs.log: Shows solution users attempting to authenticate with the old domain (e.g., Domain: old-domain.local).

  • Local SSO domain matches Active Directory domain name

  • To check the local SSO domain name from the appliance:
    /usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost

    Example: testlab.com

  • To check the appliance hostname (FQDN):
    hostname -f

    Example: vcenter.testlab.com

  • During a domain-repoint process, it fails at "Starting all services":

    All Repoint configuration settings are correct; proceed? [Y|y|N|n]: y
    Starting License export ... Done
    Starting Tagging Data export ... Done
    Starting Authz Data export ... Done
    Export Service Data ... Done
    Uninstalling Platform Controller Services ... Done
    Stopping all services ... Done
    Updating registry settings ... Done
    Re-installing Platform Controller Services ... Done
    Registering Infra services ... Done
    Updating Service configurations ... Done
    Starting License import ... Done
    Starting Tagging Data import ... Done
    Starting Authz Data import ... Done
    Applying target domain CEIP participation preference ... Done
    Starting all services ... Failed
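The two checks listed above can be combined into a pre-flight script run before starting cmsso-util domain-repoint. The script below is an added example, not part of this KB article or of VMware's tooling: it runs the page's two commands (vmafd-cli get-domain-name and hostname -f), derives the AD domain from the FQDN's DNS suffix (an assumption: the appliance's DNS domain is taken to be the AD domain, as the testlab.com / vcenter.testlab.com examples imply), and reports a conflict when the two names match. A helper also extracts the "Domain:" values from a vpxd-svcs.log so you can see which domain the solution users are authenticating against; the log lines used in the test are constructed.

```shell
#!/bin/sh
# Added example (not VMware code): pre-flight check for the SSO-domain /
# AD-domain name collision described in KB 316446.

# Strip the leftmost label from an FQDN to get its DNS domain suffix.
# vcenter.testlab.com -> testlab.com ; a bare hostname yields "".
fqdn_domain() {
    case "$1" in
        *.*) printf '%s\n' "${1#*.}" ;;
        *)   printf '%s\n' "" ;;
    esac
}

# Lowercase a name: DNS and SSO domain names are compared case-insensitively.
lc() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]'
}

# Prints "conflict" when the SSO domain equals the AD/DNS domain, else "ok".
sso_domain_conflicts() {
    sso=$(lc "$1")
    ad=$(lc "$2")
    if [ -n "$sso" ] && [ "$sso" = "$ad" ]; then
        echo conflict
    else
        echo ok
    fi
}

# Lists the distinct "Domain: <name>" values found in a vpxd-svcs.log file,
# which shows the domain solution users are trying to authenticate with.
domains_in_log() {
    sed -n 's/.*Domain: \([A-Za-z0-9._-]*\).*/\1/p' "$1" | sort -u
}

# Runs the two commands from the KB on the appliance and evaluates them.
# Assumption: the FQDN's DNS suffix is the AD domain the vCenter is joined to.
preflight_check() {
    sso_domain=$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost) || return 2
    fqdn=$(hostname -f) || return 2
    ad_domain=$(fqdn_domain "$fqdn")
    echo "SSO domain          : $sso_domain"
    echo "AD/DNS domain (FQDN): $ad_domain ($fqdn)"
    if [ "$(sso_domain_conflicts "$sso_domain" "$ad_domain")" = "conflict" ]; then
        echo "RESULT: SSO domain matches the AD domain; domain-repoint will fail (KB 316446)."
        return 1
    fi
    echo "RESULT: SSO domain is distinct from the AD domain; this check passes."
    return 0
}

# Only run the live check when invoked with --run (it needs the appliance tools).
case "${1:-}" in
    --run) preflight_check ;;
esac
```

Run it on the appliance as `sh preflight.sh --run`; a non-zero exit means the repoint should not be attempted until the vCenter is redeployed with a unique SSO domain. `domains_in_log /var/log/vmware/vpxd-svcs/vpxd-svcs.log` lists the domains seen in authentication attempts after a failed repoint.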

Environment

  • vCenter 6.x
  • vCenter 7.x
  • vCenter 8.x
  • vCenter 9.x

Cause

This is by design. Starting with vSphere 6.0, the local SSO domain name must be unique. If the SSO domain name is identical to the Active Directory (AD) or LDAP domain name, vCenter cannot distinguish between the local and external identity authorities, leading to authentication and service start failures (Split-Brain Identity).
 
The domain-repoint failure is expected in this scenario. With vSphere 6.0 and later, the local SSO domain must be a unique name and should differ from the Active Directory domain name to prevent authentication conflicts.

See also: Understanding vSphere Domains and Domain Names

Resolution

There is no fix for the failure itself, as this behaviour is by design: the SSO domain name and the AD domain name must be distinct from each other.
 
The supported resolution is to redeploy the vCenter Server with a unique SSO domain (e.g., the default vsphere.local).

Additional Information

For more information, refer to Understanding vSphere Domains and Domain Names.