vCenter can't join Active Directory domain using the same domain name as vCenter Single Sign-On (SSO)

Article ID: 418490


Products

VMware vCenter Server

Issue/Introduction

After joining an Active Directory domain that has the same domain name as the VCSA's SSO domain, you receive the following error message when attempting to add it as an identity source:

Cannot configure identity source due to Domain with name 'vsphere.local' and alias 'VSPHERE' already exists.

Environment

VMware vCenter 7.x
VMware vCenter 8.x

Cause

This is by design and an expected error message.

When adding a new identity source, the identity source must be unique. For example, the vCenter SSO domain and the AD domain can't use the same name.

Resolution

Option 1

Redeploy the VCSA using an SSO domain name that differs from the Active Directory domain name.
Note: Using the default of vsphere.local is normally a safe option.

Option 2

Perform a domain repoint on the VCSA that changes the VCSA SSO domain name to a different SSO domain.

Note: Please make sure the VCSA has a valid forward and reverse DNS entry to support the change before attempting to repoint the domain.

WARNING: Before making changes to any VCSA, it's recommended to take offline snapshots of the VCSA and any others in ELM. You should also have a valid file-based backup of the VCSA before proceeding.

WARNING: When performing option 2, please make sure you review your environment for any dependencies on the existing SSO domain. Other products may need to be reconfigured or redeployed if the SSO domain is changed.

- Perform offline snapshots of all vCenter Servers participating in Enhanced Linked Mode (ELM) with the VCSA.
- Open an SSH connection to the VCSA and log in with the root credentials.
- If the appliance shell is enabled, drop to the shell by using the command:

# shell

- Use the following example command to change the SSO domain (adjust for your environment):

# cmsso-util domain-repoint -m execute --src-emb-admin Administrator --dest-domain-name example.local
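The following pre-flight script is an added example for the Option 2 procedure above; it is not VMware tooling. It assumes it runs on the VCSA shell (or any host that resolves the same DNS), that the current SSO domain, the proposed destination SSO domain and the AD domain name are known, and that getent (NSS) is available. It never runs cmsso-util itself; it only prints the repoint command once the name collision and DNS prerequisites check out.

```shell
#!/bin/sh
# Pre-flight checks before a VCSA SSO domain repoint (added example, not VMware tooling).
# Assumed inputs: VCSA FQDN, current SSO domain, destination SSO domain, AD domain name.

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Exit 0 if the two domain names collide, i.e. the condition behind
# "Domain with name '...' already exists". Compared case-insensitively,
# since DNS and SSO domain names are.
sso_domain_conflicts() {
  [ "$(lc "$1")" = "$(lc "$2")" ]
}

# Exit 0 if forward (FQDN -> address) and reverse (address -> FQDN) lookups
# agree, the DNS prerequisite listed for the repoint.
dns_round_trip_ok() {
  fqdn=$(lc "$1")
  addr=$(getent hosts "$fqdn" | awk 'NR==1 {print $1}')
  [ -n "$addr" ] || return 1
  ptr=$(getent hosts "$addr" | awk 'NR==1 {print $2}')
  [ "$(lc "$ptr")" = "$fqdn" ]
}

# Print the repoint command from the article for the chosen destination domain.
build_repoint_cmd() {
  printf 'cmsso-util domain-repoint -m execute --src-emb-admin Administrator --dest-domain-name %s\n' "$1"
}

# preflight VCSA_FQDN CURRENT_SSO_DOMAIN DEST_SSO_DOMAIN AD_DOMAIN
# Exit 0 only when the destination name is usable and DNS checks out.
preflight() {
  fqdn=$1; cur=$2; dest=$3; ad=$4; rc=0
  if sso_domain_conflicts "$cur" "$ad"; then
    echo "current SSO domain '$cur' equals AD domain '$ad': repoint needed"
  fi
  if sso_domain_conflicts "$dest" "$ad"; then
    echo "destination '$dest' still equals AD domain '$ad': pick another name"; rc=1
  fi
  if sso_domain_conflicts "$dest" "$cur"; then
    echo "destination '$dest' is the current SSO domain: nothing would change"; rc=1
  fi
  if ! dns_round_trip_ok "$fqdn"; then
    echo "forward/reverse DNS for '$fqdn' do not agree: fix DNS first"; rc=1
  fi
  [ "$rc" -eq 0 ] && build_repoint_cmd "$dest"
  return "$rc"
}
```

Run it as `preflight vcsa.example.local vsphere.local example.local vsphere.local`; it exits non-zero and explains why whenever the destination name would collide or DNS does not round-trip.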

Additional Information

Cross domain-repoint fails when local SSO domain is the same name as Active Directory domain name
Understanding vSphere Domains and Domain Names
Repointing vCenter Server to another SSO Domain - VMware Cloud Foundation (VCF) Blog