Removing an ESXi host from Active Directory fails with the error: Failed to Leave the domain domainname.com: The user or group named 'domain\groupname' does not exist.

Article ID: 375899


Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:

Error: Failed to Leave the domain domainname.com: The user or group named 'domain\groupname' does not exist.

 

In the ESXi host's /var/run/log/hostd.log, you see entries similar to:

[YYYY-MM-DDTHH:MM:SS] verbose hostd[xxxxxx] [Originator@6876 sub=Solo.Vmomi opID=######16 user=root] Arg accessMode:

--> "accessReadOnly"

[YYYY-MM-DDTHH:MM:SS] info hostd[xxxxxx] [Originator@6876 sub=Solo.Vmomi opID=######16  user=root] Throw vim.fault.UserNotFound

[YYYY-MM-DDTHH:MM:SS] info hostd[xxxxxx] [Originator@6876 sub=Solo.Vmomi opID=######16  user=root] Result:

--> (vim.fault.UserNotFound) {

-->    principal = "Domain_###",

-->    unresolved = false,

-->    msg = "",

Cause

This issue can occur if a stale group entry exists on the ESXi host that references the same Active Directory domain.

 

Resolution

Note:

  • If the error message refers to a group or user in the format "domain\groupname", escape the backslash when you run the commands below: replace domain\groupname with domain\\groupname, because the ESXi shell treats a single unquoted backslash as an escape character and drops it.

  • For stale user entries, replace addgroup with adduser, and delgroup with deluser.

 

Resolution:

To resolve this issue, ensure that all users and groups associated with the Active Directory domain being removed are first added or removed as needed, following the steps below:

1. List Existing Permissions

Run the following command to view currently assigned permissions:

esxcli system permission list

Note: Make a note of all users and groups associated with the domain. Before leaving the domain, ensure that you re-add and remove all domain users and groups as necessary.

2. Add the Group to the ESXi Host

/usr/lib/vmware/busybox/bin/busybox addgroup domain\groupname

Example:

/usr/lib/vmware/busybox/bin/busybox addgroup domain\\groupname

Repeat this step for each group linked to the same domain alias, if necessary.

3. Unset Group Permissions

Remove the assigned permissions for the group:

esxcli system permission unset -i domain\\groupname

4. Leave the Active Directory Domain

From the vSphere Client (vCenter or directly from the ESXi host UI), disconnect the host from the AD domain.

5. Delete the Group from the Host

Once the host has been removed from the domain, delete the group entry:

/usr/lib/vmware/busybox/bin/busybox delgroup domain\\groupname

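
The steps above, as an added example that is not part of the original article: a shell function that reads the output of esxcli system permission list and prints, without running them, the step 2, 3 and 5 commands for each principal of one domain, with the backslash doubled. The table layout, the EXAMPLE domain, the account names and the helper name plan_ad_cleanup are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: prints (never runs) the article's
# commands for every principal of one AD domain in the permission table.
BB=/usr/lib/vmware/busybox/bin/busybox

# Constructed sample of `esxcli system permission list` output (assumed layout).
sample_table() {
    cat <<'EOF'
Principal           Is Group  Role   Role Description
------------------  --------  -----  ------------------
EXAMPLE\ESX Admins  true      Admin  Full access rights
EXAMPLE\svc-backup  false     Admin  Full access rights
OTHER\ops           true      Admin  Full access rights
root                false     Admin  Full access rights
EOF
}

# plan_ad_cleanup DOMAIN   (hypothetical helper; reads the table on stdin)
plan_ad_cleanup() {
    awk -v dom="$1" -v bb="$BB" '
    !w && /^-+ +-/ {                 # dashed row gives the column offsets
        w = index($0, " ") - 1       # width of the Principal column
        s = w + 1
        while (substr($0, s, 1) == " ") s++   # start of the Is Group column
        next
    }
    !w { next }                      # header row, before the dashed row
    {
        who = substr($0, 1, w); sub(/ +$/, "", who)  # name may hold spaces
        split(substr($0, s), col, " ")
        p = index(who, "\\")         # position of the domain separator
        if (!p || toupper(substr(who, 1, p - 1)) != toupper(dom)) next
        # Double the backslash as the article notes; quote to keep spaces.
        esc = "\"" substr(who, 1, p - 1) "\\\\" substr(who, p + 1) "\""
        kind = (col[1] == "true") ? "group" : "user"
        pre[++n] = bb " add" kind " " esc "\nesxcli system permission unset -i " esc
        post[n] = bb " del" kind " " esc
    }
    END {
        for (i = 1; i <= n; i++) print pre[i]           # steps 2 and 3
        if (n) print "# step 4: leave the AD domain from the vSphere Client"
        for (i = 1; i <= n; i++) print post[i]          # step 5
    }'
}

sample_table | plan_ad_cleanup example
```

On a host, pipe the real esxcli system permission list output into the function and review the printed commands before running any of them.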