VMware Cloud Community
Eds89
Enthusiast

Unable to remove standalone host from domain

Hi,

I have a standalone ESXi host that was/is joined to my domain.

My SSO logins don't work, and when trying to leave the domain, I get the error saying the group does not exist.

I've looked up other ways to leave the domain, but they all seem to relate to vCenter, and I can find no information on how to do this on a standalone host.

Can anyone advise me on how to leave the domain via the CLI so I can give that a go, or any other approach I should take?

Thanks

Eds

23 Replies
D_G_Tal
Enthusiast

Hi Eds,

1) Put the ESX in maintenance mode
2) Go to Configuration > Authentication Services
3) click on Properties
4) On the Domain Settings, click button Leave Domain
5) Exit maintenance mode

PowerCLI command to see which ESX hosts are still authenticated to AD:

Get-VMHost | sort | Get-VMHostAuthentication | select vmhost,domain,DomainMembershipStatus,TrustedDomains | ft -a

Maybe this article helps you.

Removing an ESX/ESXi host from a domain fails with the error: The operation is not allowed in the cu...

Eds89
Enthusiast

Hi,

I think what you are describing might be the vCenter UI?

My standalone host has this menu structure and this error:

[screenshot: Eds89_0-1662334679856.png]

Host and management services have been restarted to no avail. I'm not sure if I should follow the other part of the KB article given the error is different?

Cheers

Eds

D_G_Tal
Enthusiast

This error says your domain account does not exist. So I think your domain got renamed in the past and is now known as EDS89.com, but the username on the domain is EDS\vmware, which can't authenticate in the domain. So maybe try changing the username from EDS\vmware to EDS89\Vmware.

Digory34
Enthusiast

You can try to update your VMware server user (currently EDS\VMware-admins) with another LDAP user (you can use your LDAP if you have the admin right).

If someone or your Active Directory has disabled your VMware service account for security policy reasons, or just deleted it, it will not work.

The error shows that this account cannot be used at this moment to leave the current Active Directory.

If needed, you can try to use the command line to leave the domain:

/opt/likewise/bin/domainjoin-cli leave

Then reboot.

Eds89
Enthusiast

Can confirm the domain has not been renamed.

Domain name is EDS89.com with NETBIOS name of EDS.

The group it references in the error definitely still exists and has not been modified since the host was added to the domain.

Thanks.

Eds89
Enthusiast

This is a homelab, so I am the AD administrator, and have not modified the domain nor touched the VMware Admins group references in the error message.

I will try that command to leave the domain later and report back, but I think this is one I came across before and believe it was not available on my standalone host.

Thanks

Eds89
Enthusiast

Digory, that path does not exist on my host as far as I can see, so I believe this may be specific to vCenter?

How else can I leave the domain or attempt a user change on a standalone ESXi host?

Cheers

Eds

Digory34
Enthusiast

My apologies, looking at this KB https://kb.vmware.com/s/article/50112055 it appears that the command is for VCSA.

There is another KB that you can try, but I'm not sure about the resolution on 6.x and 7.x.

https://kb.vmware.com/s/article/2035634

Eds89
Enthusiast

When trying to run this:

/etc/init.d/lsassd stop

It just says:

-sh: init.d/lsassd: not found

Eds89
Enthusiast

Any other suggestions on how to tackle this please?

Cheers

Eds

IRIX201110141
Champion

Why not re-create the group within your AD and try to leave it again? Btw, that's not the standard group name, which is "ESX Admins".

Regards,
Joerg

Eds89
Enthusiast

Because it already exists.

This is my whole problem and reason for posting.

Eds89
Enthusiast

Anyone able to offer any further suggestions?

Cheers

James

IRIX201110141
Champion

Have you tried "/usr/lib/vmware/likewise/bin/domainjoin-cli" from the command line for leaving the AD? Not sure, but maybe there is a force parameter. The needed service is "chkconfig --list lwsmd" and needs to be running.

Regards,
Joerg

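The check-then-leave procedure Joerg describes, written out as an added example script (not code from the thread, VMware, or any of the posters). It uses the binary path and the lwsmd service name quoted above, stays read-only unless DO_LEAVE=1 is set, and re-queries Likewise after leaving instead of trusting the Web UI. The output formats of "domainjoin-cli query" (a "Domain = NAME" line) and "chkconfig --list lwsmd" (service name followed by on/off) are assumptions, as are the constructed sample outputs used when the script is run off the host; the functions that parse them are the part worth checking against a real host first.

```shell
#!/bin/sh
# Added example, not code from the thread: check an ESXi host's AD membership
# through the Likewise tools quoted in the thread and, only when asked, leave
# the domain and re-verify via Likewise rather than the Web UI.
#
# ASSUMPTIONS (not confirmed by the thread, check on a real host first):
#  - 'domainjoin-cli query' prints "Domain = <NAME>" for a joined host and an
#    empty or missing Domain line otherwise.
#  - 'chkconfig --list lwsmd' prints the service name followed by on/off.
# The binary path and the service name are the ones given in the thread.

LW_DIR=/usr/lib/vmware/likewise/bin
DJ_CLI="$LW_DIR/domainjoin-cli"   # not in $PATH on ESXi: always call it by full path

# Read 'domainjoin-cli query' output on stdin; print the joined domain, or
# nothing when the host is not joined.
joined_domain() {
    sed -n 's/^Domain[[:space:]]*=[[:space:]]*//p' | head -n 1 | tr -d '[:space:]'
}

# Read 'chkconfig --list lwsmd' output on stdin; print "on" or "off".
lwsmd_state() {
    awk '$1 == "lwsmd" { print $NF; found = 1 } END { if (!found) print "off" }'
}

# Decide what to do from the two parsed values; prints one word.
plan_action() {
    domain=$1
    state=$2
    if [ -z "$domain" ]; then
        echo already-left
    elif [ "$state" != "on" ]; then
        echo start-lwsmd-first    # domainjoin-cli talks to lwsmd, so it must be running
    else
        echo leave
    fi
}

# Live run on an ESXi host. Read-only unless DO_LEAVE=1 is set.
run_live() {
    domain=$("$DJ_CLI" query | joined_domain)
    state=$(chkconfig --list lwsmd | lwsmd_state)
    action=$(plan_action "$domain" "$state")
    echo "domain=${domain:-<none>} lwsmd=$state action=$action"
    case "$action" in
        leave)
            [ "${DO_LEAVE:-0}" = 1 ] || { echo "dry run; set DO_LEAVE=1 to leave"; return 0; }
            "$DJ_CLI" leave || return 1
            # Re-query Likewise instead of trusting the Web UI, which may lag behind
            after=$("$DJ_CLI" query | joined_domain)
            if [ -z "$after" ]; then
                echo "left the domain (Likewise no longer reports a domain)"
            else
                echo "Likewise still reports domain $after"
                return 1
            fi
            ;;
        start-lwsmd-first)
            echo "lwsmd is not running; start it with /etc/init.d/lwsmd start, then retry" ;;
        already-left)
            echo "host is not joined to a domain" ;;
    esac
}

# Constructed sample outputs (not captured from a real host), used when the
# script is run somewhere other than an ESXi host.
SAMPLE_QUERY_JOINED='Name = esxi01
Domain = EDS89.COM
Distinguished Name = CN=ESXI01,CN=Computers,DC=eds89,DC=com'
SAMPLE_QUERY_LEFT='Name = esxi01
Domain = '
SAMPLE_CHKCONFIG_ON='lwsmd                on'

if [ "${1:-}" = "--live" ]; then
    run_live
else
    d=$(printf '%s\n' "$SAMPLE_QUERY_JOINED" | joined_domain)
    s=$(printf '%s\n' "$SAMPLE_CHKCONFIG_ON" | lwsmd_state)
    echo "sample: domain=$d lwsmd=$s action=$(plan_action "$d" "$s")"
fi
```

Run it on the host as "sh leave-check.sh --live" for a read-only report, and with "DO_LEAVE=1" in the environment to actually leave; without "--live" it only exercises the parsers on the constructed samples.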
Eds89
Enthusiast

How do I run this?
SSH session just says command not found.

IRIX201110141
Champion

It's not in $PATH, so you need the complete path or jump into the directory first.

Regards,
Joerg

Eds89
Enthusiast

I was in the directory, but it didn't seem to work.

Have tried using the full path, and now it seems to work.

In any case, it reports success:

[screenshot: Eds89_0-1666456179903.png]

However, the Web UI shows it is still joined to the domain:

[screenshot: Eds89_1-1666456204380.png]

Do I need to restart a service for this change to take effect?

Cheers

James

Eds89
Enthusiast

Can anyone help me further with this please?

Eds89
Enthusiast

Can anyone help me any further please?

Cheers

Eds
