I have been testing the new VCSAv U2m. Migrating from AD joined VCS 5.5 with embedded database. The migration always works with zero errors and I can login with the local SSO admin. However the appliance is always jacked up with the AD join. It appears to be AD joined in the GUI as before, and it says it is AD joined when I run a domainjoin-cli query from the shell. However any attempt to query AD users or add additional AD users are met with errors such as "cannot extract SSO users" or Errors contacting domain, etc.

Looking through some logs on the newly migrated appliance I see this in the idmd log:

vmware-sts-idmd: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)

I also found this as well, which makes no sense as the firewalls are not an issue, I have triple checked. And of course the IP address moves from VCS to VCSA. And all AD operations were working perfectly under VCS:

[2016-10-21T14:11:07.810Z vsphere.local        f20106a0-dd1f-47f3-ab35-300f1d16f4bf WARN ] [ServerUtils] cannot bind connection: [ldap://xxxx, null]

[2016-10-21T14:11:07.810Z vsphere.local        f20106a0-dd1f-47f3-ab35-300f1d16f4bf ERROR] [ServerUtils] cannot establish connection with uri: [ldap://xxxx]

[2016-10-21T14:11:07.810Z vsphere.local        f20106a0-dd1f-47f3-ab35-300f1d16f4bf ERROR] [ActiveDirectoryProvider] Failed to get non-GC connection to domain XXXX in retry

I am really totally lost as to what may be the problem with this migration. I keep rolling back to snap and repeating. Can anyone point me in any direction? I have a call into support. I have not tried to Leave the domain from the Appliance and Re-join. I want to try to figure out why the migration keeps bombing, because I have several more to do.