Permission for Domain Group removed when Active Directory is not reachable

Article ID: 317713


Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • If Active Directory is not accessible because of a network or Active Directory server issue, and vCenter Server attempts to validate Domain Users and Groups during that time, it removes the Domain Groups from the vCenter Server > Permissions tab.
  • Domain Users that were added individually are not removed.
  • The documented behaviour is that both Domain Groups and Domain Users are removed; in practice, only the Domain Groups are observed to be removed.
  • In %ALLUSERSPROFILE%\VMWare\vCenterServer\logs\vpxd\vpxd.log, you see entries similar to:
     [08728 error '[SSO]'] [UserDirectorySso] GetUserInfo exception: class Vmacore::Authorize::AuthUserNotFoundException(Group Test1\Domain Admins)
     [08728 error '[SSO]'] [UserDirectorySso] NormalizeUserName(WIN\Domain Admins, true) exception: class Vmacore::Authorize::AuthUserNotFoundException(Group Test1\Domain Admins) 
     [08728 error 'Default'] Bad group WIN\Domain Admins, removing
     [08728 info '[SSO]'] [UserDirectorySso] GetUserInfo(WIN\Domain Admins, true)
     [08728 info '[SSO][SsoAdminFacadeImpl]'] [Lookup]
  • In the /var/log/vmware/sso/vmware-sts-idmd.log, you see entries similar to:
     WARN [ActiveDirectoryProvider] There may be a domain join status change since native AD is configured. ActiveDirectoryProvider can function properly only when machine is properly joined
     WARN [LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.WinLdapClientLibrary, error code: 81
     WARN [ServerUtils] cannot bind connection: [ldap://addc.Test1.local, null]
     ERROR [ServerUtils] cannot establish connection with uri: [ldap://addc.Test1.local]
     INFO [ActiveDirectoryProvider] Failed to find group Domain [email protected] to establish server connection via ldap search
     ERROR [IdentityManager] Failed to find group [Domain [email protected]] in tenant [vsphere.local]
     ERROR [ServerUtils] Exception 'com.vmware.identity.idm.InvalidPrincipalException: Principal id Domain [email protected] does not exist'
     com.vmware.identity.idm.InvalidPrincipalException: Principal id Domain [email protected] does not exist


Cause

This behaviour is by design: if Active Directory is unavailable and vpxd cannot validate the permissions, the affected Domain Users and Groups are removed. Validation runs when the vpxd service starts and then periodically, at the interval defined under Administration > vCenter Server Settings > Active Directory > Enable Validation.
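As an added example (not part of the KB article), the following Python script detects this condition from the two logs quoted above: it collects the groups that vpxd dropped and correlates them with LDAP connection failures in vmware-sts-idmd.log, so a removal that coincides with an AD outage can be flagged for re-adding rather than treated as a genuine deleted group. The log lines and the Test1.local group name are constructed samples modelled on the entries above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines modelled on the vpxd.log and vmware-sts-idmd.log
# entries quoted in this article; they are not taken from a real system.
VPXD_LOG = """\
[08728 error '[SSO]'] [UserDirectorySso] GetUserInfo exception: class Vmacore::Authorize::AuthUserNotFoundException(Group Test1\\Domain Admins)
[08728 error 'Default'] Bad group WIN\\Domain Admins, removing
[08728 error 'Default'] Bad group WIN\\vCenter Operators, removing
"""
IDMD_LOG = """\
WARN [LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.WinLdapClientLibrary, error code: 81
ERROR [ServerUtils] cannot establish connection with uri: [ldap://addc.Test1.local]
ERROR [IdentityManager] Failed to find group [Domain Admins@Test1.local] in tenant [vsphere.local]
"""

# vpxd writes one "Bad group <name>, removing" line per permission it drops.
BAD_GROUP_RE = re.compile(r"Bad group (?P<group>.+?), removing\s*$")
# STS-side connectivity failures; LDAP error code 81 is LDAP_SERVER_DOWN in the Windows LDAP client.
LDAP_DOWN_RE = re.compile(
    r"error code: 81\b|cannot establish connection with uri: \[(?P<uri>[^\]]+)\]")


@dataclass
class ValidationReport:
    removed_groups: list = field(default_factory=list)
    unreachable_uris: list = field(default_factory=list)
    ldap_down_events: int = 0

    @property
    def verdict(self) -> str:
        if not self.removed_groups:
            return "no permissions removed by validation"
        if self.ldap_down_events:
            return "permissions removed while AD was unreachable: likely spurious, re-add the groups"
        return "permissions removed with AD reachable: confirm the groups still exist in AD"


def analyze(vpxd_text: str, idmd_text: str) -> ValidationReport:
    """Correlate vpxd removals with STS LDAP failures from the same time window."""
    report = ValidationReport()
    for line in vpxd_text.splitlines():
        m = BAD_GROUP_RE.search(line)
        if m:
            report.removed_groups.append(m.group("group"))
    for line in idmd_text.splitlines():
        m = LDAP_DOWN_RE.search(line)
        if m:
            report.ldap_down_events += 1
            if m.group("uri"):
                report.unreachable_uris.append(m.group("uri"))
    return report
```

Feed it the two log files for the time window around the unexpected permission loss; a verdict of "likely spurious" is the signature described in this article.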

Resolution

This issue is resolved in:



Workaround:
To work around the issue, disable validation in the Client:

For versions 6.x: navigate to Hosts and Clusters > vCenter Server > Configure > Settings > General, click Edit, select User directory, and uncheck Validation to disable it.

For versions 5.x: navigate to Hosts and Clusters > vCenter Server > Manage > Settings > General, click Edit, select User directory, and uncheck Validation to disable it.

Additional Information

The behavior is documented in the following links:

Permission Validation - vSphere 5.5

Permission Validation - vSphere 6.5

Permission Validation - vSphere 6.7
