When making changes to the SSO domain, various issues can occur with VMware Live Recovery. Symptoms may include:

• Broken site pair where the two appliances cannot connect to each other.
• Plugin in vCenter for Site Recovery may show errors.

SRM and vSphere Replication rely heavily on the Lookup Service to find vCenter, the SSO STS (Security Token Service), and its peer site. When you repoint a vCenter to a new or different SSO domain:

• The Solution Users (SRM-specific accounts) in the old SSO domain become orphaned.
• The Service Registrations in the Lookup Service are invalidated.
• The SSL Trust Anchors between the two SRM sites are broken because the identity context has changed.

This can rely in hms and hbr accounts being unable to authenticate in the SSO domain, breaking Site Recovery.

It is recommended when making changes to the SSO domain to deploy new VLR appliances and import the previously used configuration to them. This ensures that every solution user instance and Lookup Service entry is fresh and accurate to the new SSO domain, and prevents future arising from them not being up to date. This should be done in the below order.

• Export/Document Everything: Export your Protection Groups and Recovery Plan configurations to CSV or report format. If you use SRM Configuration Import/Export Tool, try to take a backup, but be aware it may not import cleanly into a new SSO context.
• Break the Site Pairing: In the SRM UI, break the pairing between Site A and Site B.
• Uninstall/Unregister SRM: Unregister the SRM extension from the vCenter before the repoint while the old SSO still exists.
• Perform the Domain Repoint: Execute your vCenter SSO repoint and ELM split.
• Deploy New SRM Appliances: Deploy fresh SRM appliances (or reset the existing ones to a factory state).
• Pair and configure: Pair the sites under the new SSO identities and rebuild all the mappings, PG, RP, etc.

There are various reasons a repoint of the SSO domain may be needed, such as fixing VMDIR issues or migrating a vSphere environment to VCF. This will particularly come up when upgrading an 8.0 or earlier vSphere environment to 9.0, as there will no longer be options not involving VCF so an SSO repoint will always be needed.