vCenter Server upgrade fails pre-check with "VMDIR is not in normal state"

Article ID: 433192

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Symptoms

When attempting to upgrade vCenter Server (e.g., to version 8.0.3.00800), the upgrade process is blocked during the pre-update check. You will observe the following symptoms:

  • The vCenter Server upgrade UI reports the error: VMDIR is not in normal state.

  • In the /var/log/vmware/applmgmt/update_microservice.log, the pre-check fails immediately after executing the replication partner status check:

Running command: ['/usr/lib/vmware-vmdir/bin/vdcrepadmin', '-f', 'showpartnerstatus', '-h', 'localhost', '-u', 'vcenter.domain.lab']
"id": "vmdir.stateerror.text", "translatable": "VMDir is not in normal state", "localized": "VMDir is not in normal state"

  • If this vCenter Server is not in Enhanced Linked Mode (ELM), you may not see any useful log entries in /var/log/vmware/vmdir/vmdird-syslog.log.
  • In the VMware Directory Service trace log (/var/log/vmware/vmdir/vmdird.log), you see repeated LDAP/SASL authentication errors:

SASLSessionStep: sasl error (-13)(SASL(-13): authentication failure: client evidence does not match what we calculated. Probably a password error)

 

Environment

 

  • vCenter Server 8.0.x

 

Cause

This issue occurs because the vCenter Server's Machine Account password is out of sync. This mismatch causes SASL authentication failures (Error -13) when querying the VMware Directory Service (vmdird).

Note for Standalone Environments: This failure will occur even on a standalone vCenter Server that does not have external replication partners. The vCenter upgrade framework unconditionally executes the vdcrepadmin tool to verify the directory's health before upgrading. Because this tool relies on the local machine account to authenticate to the local vmdird database via SASL, an out-of-sync password causes the local authentication to fail. This immediately trips the "not in normal state" alarm and blocks the upgrade to prevent potential database corruption.
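Before resetting a credential, it helps to confirm that both log signatures described above are present. The following is an added triage example, not Broadcom's code; the function names and result labels are hypothetical, and the sample logs are constructed from the lines quoted in this article.

```shell
#!/usr/bin/env bash
# Added triage example, not Broadcom's code. Correlates the two log signatures
# from this article; function names and result labels are hypothetical.

# Count lines containing a fixed string; prints 0 if the file is unreadable.
count_matches() {
  [ -r "$2" ] || { echo 0; return 0; }
  grep -cF -- "$1" "$2" || true
}

# $1 = update_microservice.log path, $2 = vmdird.log path
diagnose_vmdir_precheck() {
  local state_err sasl_err verdict
  state_err=$(count_matches 'vmdir.stateerror.text' "$1")
  sasl_err=$(count_matches 'sasl error (-13)' "$2")
  if [ "$state_err" -gt 0 ] && [ "$sasl_err" -gt 0 ]; then
    verdict=MACHINE_ACCOUNT_PASSWORD_SUSPECTED   # both signatures: matches this article
  elif [ "$state_err" -gt 0 ]; then
    verdict=STATE_ERROR_WITHOUT_SASL_FAILURE     # pre-check failed, different cause likely
  elif [ "$sasl_err" -gt 0 ]; then
    verdict=SASL_FAILURE_WITHOUT_PRECHECK_ERROR  # auth failures, no pre-check error logged
  else
    verdict=NO_MATCH
  fi
  echo "$verdict state_errors=$state_err sasl_failures=$sasl_err"
}

# Constructed sample logs built from the lines quoted in the article.
write_sample_logs() {
  cat > "$1/update_microservice.log" <<'EOF'
Running command: ['/usr/lib/vmware-vmdir/bin/vdcrepadmin', '-f', 'showpartnerstatus', '-h', 'localhost', '-u', 'vcenter.domain.lab']
"id": "vmdir.stateerror.text", "translatable": "VMDir is not in normal state", "localized": "VMDir is not in normal state"
EOF
  local i
  : > "$1/vmdird.log"
  for i in 1 2 3; do
    echo 'SASLSessionStep: sasl error (-13)(SASL(-13): authentication failure: client evidence does not match what we calculated. Probably a password error)' >> "$1/vmdird.log"
  done
}

if [ "$#" -eq 2 ]; then
  diagnose_vmdir_precheck "$1" "$2"       # real log paths supplied by the caller
else
  demo_dir=$(mktemp -d)
  write_sample_logs "$demo_dir"
  diagnose_vmdir_precheck "$demo_dir/update_microservice.log" "$demo_dir/vmdird.log"
  rm -rf "$demo_dir"
fi
```

On the appliance, pass /var/log/vmware/applmgmt/update_microservice.log and /var/log/vmware/vmdir/vmdird.log as the two arguments. The counts cover the whole file, so check timestamps to confirm the matches belong to the failed upgrade attempt.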

Resolution

To resolve this issue, you must reset the vCenter Server machine account password so the directory can successfully authenticate.

  1. Follow the steps outlined in Broadcom KB article 421523 to execute the built-in reset_machine_pw.sh script.

  2. Once the script completes successfully, restart all vCenter Server services to apply the new password and restore the directory to a normal state.

  3. Retry the vCenter Server upgrade.