Ensure there is a valid vCenter appliance snapshot (Offline Snapshots in case of Linked Mode vCenters) before proceeding further.

1. Take an SSH session to the vCenter Server and login as the root user.
2. Run the below command to find the vCenter Server machine-id
   
   /usr/lib/vmware-vmafd/bin/vmafd-cli get-machine-id --server-name localhost
   
   
3. Run the below ldapsearch command to check if the vpxd-extension user is missing in ServiceProviderUsers and LicenseService.Administrators groups.
   
   ldapsearch -x -H "ldap://localhost" -D "cn=administrator,cn=users,dc=vsphere,dc=local" -W -b "dc=vsphere,dc=local" "(cn=vpxd-extension-<machine-id>)" memberof

Note: Replace <machine-id> with the machine-id found in step 2.
   
   
4. Add the vpxd-extension user in the missing groups by following below steps.
   
   1. Enable retreat mode to remove the current vcls machines from the cluster by following the steps from the below link.
      Disable vCLS on a Cluster via Retreat Mode
   2. Run the below commands to add the missing vpxd-extension user to the group:
      
      /usr/lib/vmware-vmafd/bin/dir-cli group modify --name ServiceProviderUsers --add vpxd-extension-<machine-id> --login [email protected]
/usr/lib/vmware-vmafd/bin/dir-cli group modify --name LicenseService.Administrators --add vpxd-extension-<machine-id> --login [email protected]

Note: Replace <machine-id> with the machine-id found earlier.


   3. Restart the WCP service:
      
      service-control --restart wcp


   4. Remove the cluster from retreat mode by changing the vCLS mode to System Managed by following the steps from this KB.