• In the HTML5 Client, navigating to Administration > Single Sign On > Configuration > Active Directory Domain > Leave AD, the node fails to leave the domain.

Idm client exception: Error trying to leave AD, error code [11], user [domain\user]

• /opt/likewise/bin/domainjoin-cli leave command via ssh session fails with error

root@vcsa[~]# /opt/likewise/bin/domainjoin-cli leave
Leaving AD Domain:
<domain name>
Error: ERROR MEMBER NOT IN GROUP [code 0x00000529]

• Querying the domain status using the command /opt/likewise/bin/domainjoin-cli query may give below output:

• vCenter Server 7.x
• vCenter Server 8.x

This issue occurs when stale or orphaned registry entries in the Likewise identity service prevent the standard unjoin workflow from validating group membership

Below steps will make changes in Likewise registry, Hence ensure to take a snapshot of the appliance. Refer to VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice

Note: The below steps would require a planned downtime as reboot of the appliance is necessary post domain unjoin operation

1. SSH to the PSC or vCenter node as root.
2. Execute the below command to list the Domain details

/opt/likewise/bin/lwregshell list_values "HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\DomainJoin"

Sample Output:

​​​​​+  "Default" REG_SZ          "<Domain Name>"

3. Delete all entries using the delete commands

/opt/likewise/bin/lwregshell delete_tree "HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\DomainJoin"

4. Restart the likewise service:

/opt/likewise/bin/lwsm restart lwreg

5. Confirm with domainjoin-cli query command that the PSC/vCenter node no longer references the Active Directory Domain:

/opt/likewise/bin/domainjoin-cli query

6. Proceed to reboot the vCenter Server Appliance