VMware Cloud Community
snyderkv1
Enthusiast

vCenter linked mode node domain rejoin?

We cannot log in with username and password to a few of our Linked Mode vCenters. When trying to disjoin and rejoin the node, I receive this error.

"There is already a native AD IDS or LDAP AD IDS registered"

A Google search reveals this KB, which says to disjoin from the command line but to take snapshots of all your vCenters, which makes me a little nervous.

My question is, could disjoining a single node affect the upstream partner or all the linked vCenters?

https://kb.vmware.com/s/article/71083

5 Replies
Nawals
Expert

It will not affect all nodes. I would suggest you follow the KB; however, perform it on one VC and, if successful, then proceed on another VC. About the snapshots: when you delete the identity source and re-create it, that might impact vCenter permissions, hence the snapshot is important.

NKS Please mark Helpful/Correct if my answer resolves your query.
snyderkv1
Enthusiast

Right, but it wants me to delete the identity source from the Linked parent. We have a dozen vCenters, meaning we'd have to shut down and snapshot all of them for the procedure, with no guarantee that the snapshot restore won't cause future gremlins. Could I instead partially unregister the vCenter and then disjoin it there? Has anyone tried this? I spent too much time linking these bastards to wing it.

msripada
Virtuoso

Trying to join the domain using the command line without removing the identity source is the only option I can think of. If you remove linked mode, it is again a huge task.

VMware Knowledge Base

thanks,

MS

ChrisFD2
VMware Employee

What version are you on?

VMware Knowledge Base - there are some really useful commands in this KB article.

Have you opened a GSS case?

Regards,
Chris
VCIX-DCV 2023 | VCIX-NV 2023 | vExpert *** | CCNA R&S
snyderkv1
Enthusiast

Instead of removing the identity source, I just created a new, unlinked vCenter and still have a login issue.

It joins just fine and we're able to add the SSO; however, we still get "invalid credentials" when logging in via domain\username.

It would appear the problem is related more to a network port being blocked or a DC/DNS issue?

Of course, a simple curl -v telnet://DC:389 (and likewise 135, 636 and 53) all work. I also tried the vdcadmintool and it passes the bind test.

Any other ports for SSO authentication to the DC? The only thing I haven't tried was turning off the firewall on the ESX host where the vCenter resides, but that's just a shot in the dark.

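As an added example (not code from the original thread or from VMware), the script below probes a domain controller for the ports that vCenter SSO's Integrated Windows Authentication depends on. The curl checks in the last post covered 389, 135, 636 and 53; this probe also covers Kerberos 88, SMB 445 and the Global Catalog ports 3268/3269, and it specifically flags the pattern where LDAP is reachable (so a bind test passes) but Kerberos is blocked, which still leaves domain\username logins failing. The host name and the port-to-role table are assumptions made for the example, and the TCP connector is injectable so the diagnosis logic can be exercised without a live DC.

```python
"""Probe the domain-controller ports that vCenter SSO's Integrated Windows
Authentication depends on, and name whatever is blocked.

Added example, not code from the original thread. The host name and the
port table are assumptions made for this example.
"""
import socket
import sys
from typing import Callable, Dict, List

# TCP port -> what SSO/IWA uses it for (assumed mapping for this example).
# UDP services (Kerberos 88/udp, NTP 123/udp) cannot be verified with a TCP
# connect and are deliberately not listed here.
AD_PORTS: Dict[int, str] = {
    53:   "DNS (locating DCs via _ldap/_kerberos SRV records)",
    88:   "Kerberos KDC (ticket issuance for domain\\username logins)",
    135:  "RPC endpoint mapper (domain join)",
    389:  "LDAP",
    445:  "SMB (netlogon / machine-account secure channel)",
    636:  "LDAPS",
    3268: "Global Catalog LDAP (cross-domain user/group lookups)",
    3269: "Global Catalog LDAPS",
}

# Signature of a connectivity check: (host, port, timeout_seconds) -> reachable?
Connector = Callable[[str, int, float], bool]


def tcp_connect(host: str, port: int, timeout: float) -> bool:
    """Real check: does a TCP handshake to host:port complete within timeout?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(host: str, timeout: float = 3.0,
          connect: Connector = tcp_connect) -> Dict[int, bool]:
    """Try every port in AD_PORTS against host; returns port -> reachable.

    `connect` is injectable so the logic can be tested without a live DC.
    """
    return {port: connect(host, port, timeout) for port in AD_PORTS}


def diagnose(results: Dict[int, bool]) -> List[str]:
    """Turn probe results into findings. An empty list means all ports reachable.

    Besides listing blocked ports, this flags the case from the thread: LDAP
    (389/636) answers, so a bind test succeeds, while Kerberos 88/tcp does not,
    which leaves IWA logins failing with invalid-credentials style errors.
    """
    findings = [f"{port}/tcp blocked: {AD_PORTS[port]}"
                for port, ok in sorted(results.items()) if not ok]
    ldap_ok = results.get(389) or results.get(636)
    if ldap_ok and not results.get(88):
        findings.append("LDAP reachable but Kerberos 88/tcp is not: "
                        "an LDAP bind test can pass while IWA logins still fail")
    return findings


def main(argv: List[str]) -> int:
    host = argv[1] if len(argv) > 1 else "dc01.corp.example"  # assumed name
    findings = diagnose(probe(host))
    for line in findings:
        print(line)
    print("all SSO/AD ports reachable" if not findings
          else f"{len(findings)} issue(s) found")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the vCenter appliance shell (or any host on the same segment) as `python3 probe_dc.py dc01.corp.example`; a non-zero exit means something is blocked. A clean result does not rule out Kerberos problems that a port check cannot see, such as clock skew between the appliance and the DC or a machine account that was never created during the join.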