Platform Services Controller and/or vCenter Server Appliance is unable to leave Active Directory Domain from UI or CLI

Article ID: 316613

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • In the HTML5 Client, navigating to Administration > Single Sign On > Configuration > Active Directory Domain > Leave AD fails: the node does not leave the domain.
  • In the Flash Client, attempting to leave the domain fails with the error: ldm client exception: Error trying to leave AD, error code [1321], user [domainusername] (Windows error 1321 is ERROR_MEMBER_NOT_IN_GROUP, the same condition the CLI reports below).
  • On the command line, /opt/likewise/bin/domainjoin-cli leave fails with the error: Error: ERROR_MEMBER_NOT_IN_GROUP
  • Querying the domain status with /opt/likewise/bin/domainjoin-cli query gives the following output:

Error: LW_ERROR_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN [code 0x0000a309]
Client not found in Kerberos database

Environment

  • vCenter Server 7.x
  • vCenter Server 8.x

Resolution

The steps below change the Likewise registry, so take a snapshot of the appliance first. For vCenter Servers in Enhanced Linked Mode, see the KB on taking an offline snapshot: VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice. These steps remove only the node's local record of the domain join; they do not modify or delete the computer object in Active Directory.

  1. SSH to the PSC or vCenter Server node as root.
  2. Open the Likewise registry shell: /opt/likewise/bin/lwregshell
  3. Run the following commands to view the joined domain:
    • cd HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\DomainJoin
    • ls
    • Output similar to the following appears, where <domain-name> is the Active Directory domain the node was joined to:
      [\Services\lsass\Parameters\Providers\ActiveDirectory\DomainJoin\]
      + "Default" REG_SZ         "<domain-name>"
      [HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\DomainJoin\<domain-name>]

  4. Delete both entries with the delete_ commands, replacing <domain-name> with the subkey name from the previous output (the "Default" value and the subkey name should name the same domain; if they differ, stop and check which domain the node was joined to before deleting anything):
    • ls
    • delete_tree <domain-name>
    • delete_value Default
    • A final ls should now show no "Default" value and no domain subkey.

  5. Leave the lwregshell prompt and restart the Likewise registry service:
    • /opt/likewise/bin/lwsm restart lwreg

  6. Confirm with domainjoin-cli query that the PSC/vCenter Server node no longer references the Active Directory domain:
    • /opt/likewise/bin/domainjoin-cli query
      The output should look like the following, with an empty Domain field:
      Name = vcenter
      Domain =
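The six steps above as one guarded script, added here as an example; it is not VMware's code and not part of the original article. It assumes lwregshell accepts its commands non-interactively with a bracketed full key path (ls '[HKEY_THIS_MACHINE\...]', delete_tree '[...]', delete_value '[...]' Default), which is an assumption, and the sample ls output with the placeholder domain corp.example.com is constructed. Without arguments it parses the sample and prints the exact delete commands it would issue, refusing if the "Default" value and the subkey name disagree; with --apply it runs them on the appliance, restarts lwreg and queries the join state.

```shell
#!/bin/sh
# Added example, not VMware's code: a guarded, scripted version of the Likewise
# registry cleanup in this article. Assumptions not stated by the article:
#   - lwregshell accepts commands non-interactively with a bracketed full key path;
#   - SAMPLE_LS below is constructed from the article's example output, with
#     corp.example.com as a placeholder domain.
set -eu

LWREGSHELL=/opt/likewise/bin/lwregshell
LWSM=/opt/likewise/bin/lwsm
DOMAINJOIN=/opt/likewise/bin/domainjoin-cli
DJ_KEY='HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\DomainJoin'

# Constructed sample of `ls` output under the DomainJoin key (placeholder domain).
SAMPLE_LS='[\Services\lsass\Parameters\Providers\ActiveDirectory\DomainJoin\]
+ "Default" REG_SZ         "corp.example.com"
[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\DomainJoin\corp.example.com]'

# Print the domain named by the "Default" REG_SZ value (stdin: `ls` output).
default_domain_from_ls() {
    sed -n 's/^[[:space:]]*[+]*[[:space:]]*"Default"[[:space:]]*REG_SZ[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Print the subkey names listed under DomainJoin, one per line (stdin: `ls` output).
subkeys_from_ls() {
    sed -n 's/^[[:space:]]*\[HKEY_THIS_MACHINE\\Services\\lsass\\Parameters\\Providers\\ActiveDirectory\\DomainJoin\\\([^]]*\)]$/\1/p'
}

# Check that "Default" names exactly the one subkey present, then print the
# lwregshell commands that would remove them. Returns 1 (with a reason on
# stderr) if the two disagree, so nothing unexpected is deleted.
plan_cleanup() {
    domain=$(printf '%s\n' "$1" | default_domain_from_ls)
    subkeys=$(printf '%s\n' "$1" | subkeys_from_ls)
    if [ -z "$domain" ]; then
        printf 'no "Default" value under DomainJoin: nothing stale to remove\n' >&2
        return 1
    fi
    if [ "$subkeys" != "$domain" ]; then
        printf 'refusing: Default is "%s" but subkeys are: %s\n' "$domain" "$subkeys" >&2
        return 1
    fi
    printf '%s delete_tree %s\n' "$LWREGSHELL" "'[${DJ_KEY}\\${domain}]'"
    printf '%s delete_value %s Default\n' "$LWREGSHELL" "'[${DJ_KEY}]'"
}

# Live run on the appliance: needs root and the Likewise tools. Take the
# snapshot the article calls for before running this.
apply_cleanup() {
    ls_out=$("$LWREGSHELL" ls "[${DJ_KEY}]")
    plan_cleanup "$ls_out"                 # set -e aborts here on a mismatch
    domain=$(printf '%s\n' "$ls_out" | default_domain_from_ls)
    "$LWREGSHELL" delete_tree "[${DJ_KEY}\\${domain}]"
    "$LWREGSHELL" delete_value "[${DJ_KEY}]" Default
    "$LWSM" restart lwreg
    "$DOMAINJOIN" query                    # expect an empty "Domain =" line
}

if [ "${1:-}" = "--apply" ]; then
    apply_cleanup
else
    printf 'Dry run on constructed sample output (use --apply on the appliance):\n'
    plan_cleanup "$SAMPLE_LS"
fi
```

The dry run is the useful part: it shows the exact key paths that would be deleted before anything is touched, and the mismatch check catches the case where more than one domain subkey has accumulated under DomainJoin, which the article's manual steps leave to the operator's judgement.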