"Leave the vCenter Server from Active Directory domain before proceeding" pre-check error message during VCF 9.x upgrade

Article ID: 373004

Products

VMware vCenter Server
VMware Cloud Foundation

Issue/Introduction

During vCenter Server upgrade to VCF 9.0, an administrator will get this error message:

Please leave the Active Directory domain before proceeding https://knowledge.broadcom.com/external/article?articleId=373004

The vCenter Server currently running 8.x versions is using IWA for an identity source.

Some environments reported that the "Leave AD" button in the UI was grayed out or non-functional due to existing identity source integrations (e.g., MS Entra or IWA).

Environment

VCF 9.x
VMware vCenter Server 8.x
VMware SDDC Manager 9.x

Cause

VCF 9.x deprecates and removes support for direct Active Directory domain join and IWA, necessitating a move to LDAPS or Federated Identity. 

Resolution

Before upgrading to VCF 9.0, an existing vCenter Server Appliance from an older version must leave the Active Directory domain it is joined to. The vCenter Server administrator must manually leave the Active Directory domain and ensure an alternative authentication method is configured. Avoid "N/A" or leaving the identity source blank.

Customers can use MFA through federated authentication. See here for more information on configuring federated authentication.

Procedure to remove the vCenter Server from the Active Directory domain:

  1. Log in with the vSphere Client to the vCenter Server.
  2. Specify the user name and password for [email protected] or another member of the vCenter Single Sign-On Administrators group.
  3. Navigate to the Configuration UI:
    1. From the Home menu, select Administration.
    2. Under Single Sign On, click Configuration.
  4. Under the Identity Provider tab, click Active Directory Domain.
  5. Click Leave AD, enter the Active Directory user name and password, and click Leave.
  6. Restart the vCenter Server.

Manually remove the IWA identity source and ensure alternative authentication; see the KB article "Remove Integrated Windows Authentication (IWA) Identity Source from the vCenter Server" pre-check error message during VCF 9.0 upgrade.


Leave Domain Using CLI

If the vCenter Server cannot be removed from the domain using the vSphere Client, SSH to the vCenter Server appliance VM as root and run the following commands:

  • Verify Domain Join Status:
    /opt/likewise/bin/domainjoin-cli query

  • Command to Leave Domain:
    /opt/likewise/bin/domainjoin-cli leave

or specify the domain explicitly:

/opt/likewise/bin/domainjoin-cli leave <DomainName.com>

After running these commands, please restart the vCenter Server.
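As an added example (not part of the KB article), a small pre-upgrade check that wraps the `domainjoin-cli query` command above: it parses the `Domain =` line of the query output and returns non-zero while the appliance is still joined, so the leave step can be confirmed before the VCF upgrade pre-check is rerun. The `Name = ...` / `Domain = ...` output format is assumed from the Likewise tooling, and the sample outputs are constructed.

```bash
#!/bin/sh
# Added example: confirm the vCenter appliance has left the AD domain
# before rerunning the VCF 9.x upgrade pre-check. Not from the KB article.

DOMAINJOIN=/opt/likewise/bin/domainjoin-cli   # path given in the KB

# Extract the joined domain from 'domainjoin-cli query' output.
# Assumed output format (Likewise): lines such as "Name = vc01" and
# "Domain = corp.example.com"; an empty Domain value means not joined.
ad_domain_from_query() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Return 0 when the output shows no domain (safe to upgrade), 1 when still joined.
ad_left_ok() {
    domain=$(ad_domain_from_query "$1")
    if [ -z "$domain" ]; then
        return 0
    fi
    printf 'vCenter is still joined to AD domain: %s\n' "$domain" >&2
    return 1
}

# Live check: run the real query on the appliance and evaluate its output.
# Returns 2 when the tool is missing or the query itself fails.
check_live() {
    if [ ! -x "$DOMAINJOIN" ]; then
        printf '%s not found; is this a vCenter appliance?\n' "$DOMAINJOIN" >&2
        return 2
    fi
    out=$("$DOMAINJOIN" query 2>&1) || { printf '%s\n' "$out" >&2; return 2; }
    ad_left_ok "$out"
}

# Constructed sample outputs for illustration (not captured from a real system).
SAMPLE_JOINED='Name = vc01
Domain = corp.example.com
Distinguished Name = CN=vc01,CN=Computers,DC=corp,DC=example,DC=com'
SAMPLE_LEFT='Name = vc01
Domain ='

# Uncomment on the appliance to run the real check and use its exit status:
# check_live || exit $?
```

Run it as root on the appliance after the leave command and before the restart; a non-zero exit means the domain is still present in the query output.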

Additional Information

If the leave command fails with the error LW_ERROR_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, refer to the KB article "Unable to leave Active Directory Domain from UI or CLI" for troubleshooting steps.