VMware vCenter Server shows VMware ESXi 5.x host with Lockdown Mode enabled when it is not enabled

Article ID: 324975


Products

VMware vCenter Server
VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • VMware vCenter Server shows Lockdown Mode as enabled. However, it is disabled on the host.
  • vCenter Server continues to show the incorrect status for the host even after:

    • The vSphere Client is restarted.
    • The host management services are restarted.
    • The VirtualCenter Server service is restarted.
    • The host is removed and re-added to the vCenter Server inventory.

  • This issue occurs when using Autodeployed ESXi 5.x hosts.
  • If the host is restarted, Lockdown Mode is disabled, but vCenter Server shows that it is enabled.
  • Changing Lockdown Mode from vCenter Server fails with the error:

    A general system error occurred: Invalid fault
    Call "HostSystem.EnableAdmin" for object "esxi host FQDN" on vCenter Server


Environment

VMware vCenter Server 5.5.x
VMware vCenter Server 5.1.x
VMware vSphere ESXi 5.5
VMware vSphere ESXi 5.0
VMware vCenter Server 5.0.x
VMware vSphere ESXi 5.1

Cause

This issue occurs because vCenter Server enables and disables Lockdown Mode on ESXi hosts without first checking the host's current Lockdown Mode state. That is, if vCenter Server (through the vSphere Client) puts a host into Lockdown Mode and the Direct Console User Interface (DCUI) is then used to take the host out of Lockdown Mode, vCenter Server is not notified of the state change and still operates as if the host is in Lockdown Mode.

Resolution

To work around this issue, enable Lockdown Mode on the host so that its state is consistent with what vCenter Server shows, and then disable Lockdown Mode through vCenter Server.

To enable Lockdown Mode from the DCUI:
  1. Log in directly to the ESXi host.
  2. Open DCUI on the host.
  3. Press F2 for Initial Setup.
  4. Toggle to Configure Lockdown Mode setting.

To enable Lockdown Mode from the ESXi command line:
  • To check whether Lockdown Mode is enabled, run the command:

    vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled

  • To enable Lockdown Mode, run the command:

    vim-cmd -U dcui vimsvc/auth/lockdown_mode_enter

To enable Lockdown Mode from PowerCLI:
  • Run the command:

    (get-vmhost hostname | get-view).EnterLockdownMode()

  • To list each host with its Lockdown Mode status (output columns Name and LockDown), run the command:

    get-vmhost | select Name,@{N="LockDown";E={$_.Extensiondata.Config.adminDisabled}} | ft -auto


    Note: If Lockdown Mode is disabled in DCUI, running the PowerCLI command creates a task in vCenter Server. However, the task can fail with the message:

    The Administrator permission is already disabled on the host (Except for the vim user)
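
The command-line steps above as a check-then-enter helper for the ESXi Shell. This is an added example, not VMware's code: the function names and the VIM_CMD override are hypothetical, and it assumes lockdown_is_enabled prints "true" or "false".

```sh
#!/bin/sh
# Added example (not VMware's code). Run in the ESXi Shell of the affected host.
# Assumption: lockdown_is_enabled prints "true" or "false" on stdout.

# VIM_CMD (hypothetical override) lets the logic be exercised off-host with a stub.
VIM_CMD="${VIM_CMD:-vim-cmd}"

# Print enabled | disabled | unknown for the host's real Lockdown Mode state.
lockdown_state() {
    ls_out=$("$VIM_CMD" -U dcui vimsvc/auth/lockdown_is_enabled 2>/dev/null) || {
        echo unknown
        return 0
    }
    case "$ls_out" in
        *true*)  echo enabled ;;
        *false*) echo disabled ;;
        *)       echo unknown ;;
    esac
}

# Enter Lockdown Mode only if the host is currently out of it, then re-check.
# Returns 0 when the host ends up in Lockdown Mode, 1 otherwise.
ensure_lockdown_entered() {
    case "$(lockdown_state)" in
        enabled)
            echo "already enabled; nothing to change on the host"
            return 0 ;;
        unknown)
            echo "could not read Lockdown Mode state; not changing anything" >&2
            return 1 ;;
    esac
    "$VIM_CMD" -U dcui vimsvc/auth/lockdown_mode_enter >/dev/null 2>&1 || {
        echo "lockdown_mode_enter failed" >&2
        return 1
    }
    if [ "$(lockdown_state)" = enabled ]; then
        echo "enabled; now disable Lockdown Mode through vCenter Server"
        return 0
    fi
    echo "host still reports Lockdown Mode disabled" >&2
    return 1
}
```

Source the file on the host and call ensure_lockdown_entered; a zero exit status means the host state now matches what vCenter Server shows.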


Additional Information

Enabling or disabling Lockdown mode on an ESXi host
Using Tech Support Mode in ESXi 4.1, ESXi 5.x, and ESXi 6.x