Before upgrading to VCF 9.0, an existing vCenter Server Appliance from an older version must leave the Active Directory domain it is joined in. The vCenter Server administrator must manually leave the Active Directory domain and ensure alternative authentication.

Customers can use MFA through federated authentication. See here for more information on configuring federated authentication.

Procedure to leave the vCenter Server from the Active Directory domain.

• Log in with the vSphere Client to the vCenter Server.
• Specify the user name and password for [email protected] or another member of the vCenter Single Sign-On Administrators group.
• Navigate to the Configuration UI
  • From the Home menu, select Administration.
  • Under Single Sign On, click Configuration.
• Under the Identity Provider tab, click Active Directory Domain.
• Click Leave AD, enter the Active Directory user name and password, and click Leave.
• Restart the vCenter Server.
  
  

Leave Domain Using CLI

If the above steps fail to remove the vCenter from the domain,

• Verify Domain Join Status:
  /opt/likewise/bin/domainjoin-cli query
  
  
• Command to Leave Domain:
  /opt/likewise/bin/domainjoin-cli leave

or specify the domain explicitly:

/opt/likewise/bin/domainjoin-cli leave <DomainName.com>

After running these commands, please restart the vCenter Server.

If the leave command fails with the error: LW_ERROR_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN

Please refer to the following KB article for troubleshooting steps: Unable to leave Active Directory Domain from UI or CLI