Platform Services Controller and/or vCenter Server Appliance is unable to leave Active Directory Domain from UI or CLI
Article ID: 316613

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • In the HTML5 Client, navigating to Administration > Single Sign On > Configuration > Active Directory Domain > Leave AD, the node fails to leave the domain.
  • In the Flash Client, attempting to leave the domain fails with the error: ldm client exception: Error trying to leave AD, error code [1321], user [domainusername]
  • On the command line, /opt/likewise/bin/domainjoin-cli leave fails with the error: Error: ERROR_MEMBER_NOT_IN_GROUP
  • Querying the domain status with /opt/likewise/bin/domainjoin-cli query gives the following output:

Error: LW_ERROR_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN [code 0x0000a309]
Client not found in Kerberos database

The Kerberos error means the KDC has no principal matching the appliance's computer account (for example, the object was removed from Active Directory), so the node cannot authenticate to the domain to perform a normal leave. The resolution below removes the stale join information from the local Likewise registry instead.

Environment

VMware vCenter Server 6.x 

VMware vCenter Server 7.x

VMware vCenter Server 8.x

Resolution

The steps below change the Likewise registry, so take a snapshot of the appliance first. For vCenter Servers in Enhanced Linked Mode, see the following KB for offline snapshot guidance: VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice

  1. SSH to the PSC or vCenter Server node as root.
  2. Enter the Likewise registry shell: /opt/likewise/bin/lwregshell
  3. Run the following commands to view the joined domain:
    • cd HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\DomainJoin
    • ls
    • Output similar to the following appears:
      [\Services\lsass\Parameters\Providers\ActiveDirectory\DomainJoin\]
      + "Default" REG_SZ         "<domain-name>"
      [HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\DomainJoin\<domain-name>]
  4. Delete the entries with the delete_tree and delete_value commands (replace <domain-name> with the value shown in the previous output):
    • ls
    • delete_tree <domain-name>
    • delete_value Default
  5. Restart the Likewise registry service:
    • /opt/likewise/bin/lwsm restart lwreg
  6. Confirm with domainjoin-cli query that the PSC/vCenter Server node no longer references the Active Directory domain:
    • /opt/likewise/bin/domainjoin-cli query
    • The output should look like:
      Name = vcenter
      Domain =
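The following shell helper wraps steps 2 through 6 above into a dry-run/apply script. It is an added example, not part of this KB or of any VMware tooling. It assumes the binaries are at the paths the KB uses and, additionally, that lwregshell accepts its interactive commands (cd, ls, delete_tree, delete_value, quit) on standard input; that last point is an assumption, not something the KB states. The script parses the ls output to find the recorded domain, prints the exact lwregshell commands in dry-run mode, and in apply mode sends them, restarts lwreg, and checks that domainjoin-cli query reports an empty Domain.

```shell
#!/bin/sh
# Added helper for the lwregshell clean-up described in the KB. Example code,
# not VMware's. Assumptions (not stated in the KB): lwregshell reads its
# interactive commands from standard input, and the binaries are at these paths.
LWREGSHELL=/opt/likewise/bin/lwregshell
LWSM=/opt/likewise/bin/lwsm
DJCLI=/opt/likewise/bin/domainjoin-cli
DOMAINJOIN_KEY='HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory\DomainJoin'

# Read the output of "ls" under the DomainJoin key on stdin and print the domain
# recorded in the  + "Default" REG_SZ "<domain-name>"  line (nothing if absent).
domain_from_ls_output() {
    sed -n 's/^[[:space:]]*+[[:space:]]*"Default"[[:space:]]*REG_SZ[[:space:]]*"\([^"]*\)".*$/\1/p' | head -n 1
}

# Print the lwregshell command sequence from steps 3 and 4 for one domain name.
render_cleanup_commands() {
    printf 'cd %s\n' "$DOMAINJOIN_KEY"
    printf 'delete_tree %s\n' "$1"
    printf 'delete_value Default\n'
    printf 'quit\n'
}

# Read "domainjoin-cli query" output on stdin; succeed only if a "Domain =" line
# is present and has no value, i.e. the node no longer references any domain.
domain_is_empty() {
    grep -Eq '^[[:space:]]*Domain[[:space:]]*=[[:space:]]*$'
}

# Dry run prints the commands; --apply sends them to lwregshell, restarts lwreg
# and verifies. Take the appliance snapshot the KB calls for before --apply.
main() {
    domain=$(printf 'cd %s\nls\nquit\n' "$DOMAINJOIN_KEY" | "$LWREGSHELL" | domain_from_ls_output)
    if [ -z "$domain" ]; then
        echo "No Default value under DomainJoin; nothing to clean up." >&2
        return 0
    fi
    echo "DomainJoin currently references: $domain" >&2
    if [ "$1" != "--apply" ]; then
        echo "Dry run. Commands that --apply would send to lwregshell:" >&2
        render_cleanup_commands "$domain"
        return 0
    fi
    render_cleanup_commands "$domain" | "$LWREGSHELL" || return 1
    "$LWSM" restart lwreg || return 1
    if "$DJCLI" query 2>&1 | domain_is_empty; then
        echo "Node no longer references $domain." >&2
    else
        echo "Domain still referenced; inspect lwregshell output manually." >&2
        return 1
    fi
}

# Only act when invoked with an explicit mode, so sourcing the file has no side effects.
case "${1:-}" in
    --dry-run|--apply) main "$1" ;;
esac
```

Run it first as sh leave-ad-cleanup.sh --dry-run (the file name is hypothetical) and compare the printed domain with what lwregshell shows you interactively; only then run --apply. If lwregshell on your build does not accept commands on stdin, the dry-run output is still the exact sequence to paste into the interactive shell.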