I have a standalone ESXi host that was/is joined to my domain.
My SSO logins don't work, and when trying to leave the domain, I get the error saying the group does not exist.
I've looked up other ways to leave the domain, but they all seem to relate to vCenter, and I can find no information on how to do this on a standalone host.
Can anyone advise me on how to leave the domain via the CLI so I can give that a go, or any other approach I should take?
1) Put the ESX in maintenance mode
2) Go to Configuration > Authentication Services
3) click on Properties
4) On the Domain Settings, click button Leave Domain
5) Exit maintenance mode
PowerCLI command to see which ESX is still authenticated to AD:
Get-VMHost | sort | Get-VMHostAuthentication | select vmhost,domain,DomainMembershipStatus,TrustedDomains | ft -a
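The steps above are the vCenter client path, and the one-liner only reads the state. As an added example that is not part of the thread, the following PowerCLI script does the same check and then the leave-domain call against a standalone host, connecting to the host directly instead of through vCenter. The host name is a placeholder; the local root account is used because domain logins are the thing that is broken.

```powershell
# Added example, not from the thread: leave Active Directory on a standalone ESXi host
# with PowerCLI, connected directly to the host (no vCenter).
# Assumptions: 'esxi01.eds89.com' is a placeholder host name; the VMware.PowerCLI module is installed.
$hostName = 'esxi01.eds89.com'   # placeholder, replace with the standalone host's FQDN or IP

Import-Module VMware.PowerCLI -ErrorAction Stop

# Use a local account (root) rather than an AD account, since SSO logins are not working.
$cred = Get-Credential -Message "Local (root) credentials for $hostName"
$vi   = Connect-VIServer -Server $hostName -Credential $cred -ErrorAction Stop

$vmhost = Get-VMHost -Server $vi -Name $hostName

# Record the state before changing anything.
$auth = Get-VMHostAuthentication -VMHost $vmhost
$auth | Select-Object VMHost, Domain, DomainMembershipStatus, TrustedDomains | Format-Table -AutoSize

if ($auth.Domain) {
    # -Force asks the host to leave even when the AD side cannot be cleaned up;
    # the stale computer object may then have to be deleted in AD by hand.
    Set-VMHostAuthentication -VMHostAuthentication $auth -LeaveDomain -Force -Confirm:$false | Out-Null
}

# Re-read the state from the host; Domain should now be empty.
Get-VMHostAuthentication -VMHost $vmhost |
    Select-Object VMHost, Domain, DomainMembershipStatus | Format-Table -AutoSize

Disconnect-VIServer -Server $vi -Confirm:$false
```

Judge the result by the second `Get-VMHostAuthentication` read, not by a browser tab that was opened before the change; the Host Client caches the authentication page until it is reloaded.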
Maybe this article helps you.
Removing an ESX/ESXi host from a domain fails with the error: The operation is not allowed in the cu...
I think what you are describing might be the vCenter UI?
My standalone host has this menu structure and this error:
Host and management services have been restarted to no avail. I'm not sure if I should follow the other part of the KB article given the error is different?
This error says your domain account does not exist. So I think your domain got renamed in the past and is known as EDS89.com, but the username on the domain is EDS\vmware, which can't authenticate in the domain. So maybe try changing the username from EDS\vmware to EDS89\Vmware.
You can try to update your VMware server user (currently EDS\VMware-admins) with another LDAP user (you can use your LDAP if you have the admin right).
If someone or your Active Directory has disabled your VMware service account for a security policy, or just deleted it, it will not work.
The error shows that this account cannot be used at this moment to leave the current Active Directory.
If needed, you can try to use the command line to leave the domain:
Can confirm the domain has not been renamed.
Domain name is EDS89.com with NETBIOS name of EDS.
The group it references in the error definitely still exists and has not been modified since the host was added to the domain.
This is a homelab, so I am the AD administrator, and have not modified the domain nor touched the VMware Admins group references in the error message.
I will try that command to leave the domain later and report back, but I think this is one I came across before, and I believe it was not available on my standalone host.
Digory, that path does not exist on my host as far as I can see, so I believe this may be specific for vCenter?
How else can I leave the domain or attempt a user change on a standalone ESXi host?
My apologies, looking at this KB https://kb.vmware.com/s/article/50112055 it appears that the command is for VCSA.
There is another KB that you can try, but I'm not sure about the resolution on 6.x and 7.x.
When trying to run this:
It just says:
-sh: init.d/lsassd: not found
Any other suggestions on how to tackle this please?
Why not re-create the group within your AD and try to leave it again? Btw, that's not the standard group name, which is "ESX Admins".
Because it already exists.
This is my whole problem and reason for posting.
Anyone able to offer any further suggestions?
Have you tried "/usr/lib/vmware/likewise/bin/domainjoin-cli" from the command line for leaving the AD? Not sure, but maybe there is a force parameter. The needed service is "chkconfig --list lwsmd" and needs to be running.
How do I run this?
SSH session just says command not found.
It's not in $PATH, so you need the complete path or to jump into the directory first.
I was in the directory, but it didn't seem to work.
Have tried using the full path, and now it seems to work.
In any case, it reports success:
However, the Web UI shows it is still joined to the domain:
Do I need to restart a service for this change to take effect?
Can anyone help me further with this please?
Can anyone help me any further please?