Failed to Repoint a vCenter Server Node to an Existing Domain with a Replication Partner | Could not connect to VMware Directory Service via LDAP

Article ID: 398818


Updated On:

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • You want to repoint a vCenter Server node to an existing domain with a replication partner.

  • The repoint, run with cmsso-util domain-repoint, fails.

  • The pre-check (-m pre-check) completes without reporting any error, but the same command fails when actually executed (-m execute).

With flag: -m pre-check:

cmsso-util domain-repoint -m pre-check --src-emb-admin Administrator --replication-partner-fqdn FQDN_of_destination_node --replication-partner-admin PSC_Admin_of_destination_node --dest-domain-name destination_PSC_domain

With flag: -m execute:

cmsso-util domain-repoint -m execute --src-emb-admin Administrator --replication-partner-fqdn FQDN_of_destination_node --replication-partner-admin PSC_Admin_of_destination_node --dest-domain-name destination_PSC_domain

 

Enter Source embedded vCenter Server Admin Password :
Enter Replication partner Platform Services Controller Admin Password :

The domain-repoint operation will export License, Tags, Authorization data
before repoint and import after repoint.

WARNING: Global Permissions for the source vCenter Server system will be lost. The
         administrator for the target domain must add global permissions manually.
         Source domain users and groups will be lost after the Repoint operation.
         User '[email protected]' will be assigned administrator role on the
         source vCenter Server system.

         The default resolution mode for Tags and Authorization conflicts is Copy,
         unless overridden in the conflict files generated during pre-check.

         Solutions and plugins registered with vCenter Server must be re-registered.

         Before running the Repoint operation, you should backup of all nodes.
         You can use file based backups to restore in case of failure. By using the
         Repoint tool you agree to take the responsibility for creating backups,
         otherwise you should cancel this operation.

Repoint Node Information:
         Source embedded vCenter Server:vcsa_fqdn.local

         Replication partner Platform Services Controller: vcsa_fqdn.local
         Thumbprint: FD:AC:79:3A:3C:4E:..:..:..:..:..:76:B4:19:8A:FA:Ax:9x:9x


All Repoint configuration settings are correct; proceed? [Y|y|N|n]: Y

Starting License export                                                         ... Done
Export Service Data                                                             ... Done
Uninstalling Platform Controller Services                                       ... Done
Stopping all services                                                           ... Done
Updating registry settings                                                      ... Failed
Repoint failed. Restore from backup

 

  • You may see log snippets similar to:

     cmsso_util.log: 

2025-05-16T02:50:04.54Z INFO cmsso_util RC = 1
Stderr = 2025-05-16T02:50:04.003Z  password:
2025-05-16T02:50:04.003Z  Initializing Directory server instance ...
Vdcpromo failed. Error[9127]
Could not connect to VMware Directory Service via LDAP.
Verify VMware Directory Service is running on the appropriate system and is reachable from this host.

2025-05-16T02:50:04.003Z  <class 'cis.baseCISException.BaseInstallException'>
2025-05-16T02:50:04.006Z  Exception: Traceback (most recent call last):
  File "/usr/lib/vmware-vmafd/firstboot/vmafd-firstboot.py", line 184, in main
    controller.firstboot()
  File "/usr/lib/vmware-vmafd/firstboot/vmafd-firstboot.py", line 55, in firstboot
    self.init()
  File "/usr/lib/vmware-vmafd/firstboot/vmafd-firstboot.py", line 61, in init
    service.init()
  File "/usr/lib/vmware-vmafd/firstboot/identityinstall/vmdirInstall.py", line 406, in init
    self.setup_domain()
  File "/usr/lib/vmware-vmafd/firstboot/identityinstall/vmdirInstall.py", line 258, in setup_domain
    raise self.utils.createInstallException(
cis.baseCISException.BaseInstallException: {
    "detail": [
        {
            "id": "install.vmafd.vmdir_vdcpromo_error_23",
            "translatable": "Could not connect to VMware Directory Service via LDAP. Verify VMware Directory Service is running on the appropriate system and is reachable from this host.",
            "localized": "Could not connect to VMware Directory Service via LDAP. Verify VMware Directory Service is running on the appropriate system and is reachable from this host."
        }
    ],
    "componentKey": "vmafd",
    "problemId": "install.vmafd.vmdir_vdcpromo_error_23",
    "resolution": {
        "id": "install.vmafd.vmdir_vdcpromo_error_23.resolution",

Environment

VMware vSphere 7.x

VMware vSphere 8.x

Cause

TCP port 389 is blocked between the two vCenter Server nodes, so the source node cannot reach VMware Directory Service (vmdir) on the replication partner. During the execute phase, vmafd-firstboot joins the source node to the destination domain; the join opens an anonymous LDAP bind to the partner on port 389 to read its RootDSE and resolve the server name. That bind fails with "Can't contact LDAP server", VmDirJoin returns error 9127, and vdcpromo surfaces it as the error shown above. The failing bind is recorded in the following log.

vmafdvmdirclient.log

2025-05-16T02:50:04.000Z:t@140497003722304:ERROR: VmDirAnonymousLDAPBindEx to (ldap://vcsa_fqdn.local:389) failed. (-1)(Can't contact LDAP server)
2025-05-16T02:50:04.000Z:t@140497003722304:ERROR: VmDirGetServerName failed with error (9127)
2025-05-16T02:50:04.000Z:t@140497003722304:ERROR: VmDirJoin (vcsa_fqdn.local)(Default-First-Site)(vcsa_fqdn.local)() failed. Error(9127)
2025-05-16T02:50:04.020Z:t@140497028900416:ERROR: VmDirAnonymousLDAPBindEx to (ldap://vcsa_fqdn.local:389) failed. (-1)(Can't contact LDAP server)
2025-05-16T02:50:04.020Z:t@140497028900416:ERROR: _VmDirGetDSERootAttributeEx failed with error (9127)

Resolution

Allow TCP port 389 between the two vCenter Server nodes, in both directions, and confirm from each node that it can open a connection to the other on port 389 before re-running the repoint. Port 389 is the LDAP port on which VMware Directory Service (vmdir) serves SSO data and replication in Enhanced Linked Mode (ELM) configurations. Scope the firewall rule to the vCenter Server nodes' addresses rather than opening 389 broadly. Because the failure occurs after "Uninstalling Platform Controller Services" and "Stopping all services" have already completed, restore the source node from the file-based backup taken before the operation, as the tool output instructs, and only then retry with -m execute.

Additional Information