VMware vSphere


Unable to remove standalone host from domain


  • 1.  Unable to remove standalone host from domain

    Posted Sep 04, 2022 01:50 PM

    Hi,

     

    I have a standalone ESXi host that was/is joined to my domain.

    My SSO logins don't work, and when trying to leave the domain, I get the error saying the group does not exist.

     

    I've looked up other ways to leave the domain, but they all seem to relate to vCenter, and I can find no information on how to do this on a standalone host.

    Can anyone advise me on how to leave the domain via the CLI so I can give that a go, or any other approach I should take?

     

    Thanks

    Eds



  • 2.  RE: Unable to remove standalone host from domain

    Posted Sep 04, 2022 04:34 PM

    Hi Eds,

    1) Put the ESX in maintenance mode
    2) Go to Configuration > Authentication Services
    3) Click on Properties
    4) On the Domain Settings, click the Leave Domain button
    5) Exit maintenance mode

    PowerCLI command to see which ESX is still authenticated to AD:

    Get-VMHost | sort | Get-VMHostAuthentication | select vmhost,domain,DomainMembershipStatus,TrustedDomains | ft -a

    Maybe this article will help you.

    Removing an ESX/ESXi host from a domain fails with the error: The operation is not allowed in the current state (2035634) (vmware.com)

     



  • 3.  RE: Unable to remove standalone host from domain

    Posted Sep 04, 2022 11:39 PM

    Hi,

     

    I think what you are describing might be the vCenter UI?

    My standalone host has this menu structure and this error:

    Eds89_0-1662334679856.png

     


    Host and management services have been restarted to no avail. I'm not sure if I should follow the other part of the KB article given the error is different?

     

    Cheers

    Eds



  • 4.  RE: Unable to remove standalone host from domain

    Posted Sep 05, 2022 09:30 AM

    This error says your domain account does not exist. So I think your domain got renamed in the past and is now known as EDS89.com, but the username on the domain is EDS\vmware, which can't authenticate in the domain. So maybe try changing the username from EDS\vmware to EDS89\Vmware.



  • 5.  RE: Unable to remove standalone host from domain

    Posted Sep 05, 2022 02:48 PM

    Can confirm the domain has not been renamed.

    Domain name is EDS89.com with NETBIOS name of EDS.

     

    The group it references in the error definitely still exists and has not been modified since the host was added to the domain.

     

    Thanks.



  • 6.  RE: Unable to remove standalone host from domain

    Posted Sep 05, 2022 09:43 AM

    You can try to update your VMware server user (currently EDS\VMware-admins) with another LDAP user (you can use your LDAP if you have the admin right).

    If someone or your Active Directory has disabled your VMware service account for security policy reasons, or it was just deleted, it will not work.

    The error shows that this account cannot be used at this moment to leave the current Active Directory.

    If needed, you can try to use the command line to leave the domain:

    /opt/likewise/bin/domainjoin-cli leave

    then reboot.



  • 7.  RE: Unable to remove standalone host from domain

    Posted Sep 05, 2022 02:50 PM

    This is a homelab, so I am the AD administrator, and have not modified the domain nor touched the VMware Admins group referenced in the error message.

     

    I will try that command to leave the domain later and report back, but I think this is one I came across before, but believe it was not available on my standalone host.

     

    Thanks



  • 8.  RE: Unable to remove standalone host from domain

    Posted Sep 05, 2022 05:45 PM

    Digory, that path does not exist on my host as far as I can see, so I believe this may be specific for vCenter?

     

    How else can I leave the domain or attempt a user change on a standalone ESXi host?

     

    Cheers

    Eds



  • 9.  RE: Unable to remove standalone host from domain

    Posted Sep 06, 2022 09:22 AM

    My apologies, looking at this KB https://kb.vmware.com/s/article/50112055 it appears that the command is for VCSA.

    There is another KB that you can try, but I'm not sure about the resolution on 6x and 7x.

    https://kb.vmware.com/s/article/2035634

     



  • 10.  RE: Unable to remove standalone host from domain

    Posted Sep 06, 2022 07:57 PM

    When trying to run this:

    /etc/init.d/lsassd stop

    It just says:

    -sh: init.d/lsassd: not found



  • 11.  RE: Unable to remove standalone host from domain

    Posted Sep 19, 2022 02:04 PM

    Any other suggestions on how to tackle this please?

     

    Cheers

    Eds



  • 12.  RE: Unable to remove standalone host from domain

    Posted Sep 19, 2022 02:26 PM

    Why not re-create the group within your AD and try to leave it again? Btw, that's not the standard group name, which is "ESX Admins".

    Regards,
    Joerg



  • 13.  RE: Unable to remove standalone host from domain

    Posted Sep 19, 2022 02:28 PM

    Because it already exists.

    This is my whole problem and reason for posting.



  • 14.  RE: Unable to remove standalone host from domain

    Posted Oct 22, 2022 01:10 PM

    Anyone able to offer any further suggestions?


    Cheers

    James



  • 15.  RE: Unable to remove standalone host from domain

    Posted Oct 22, 2022 01:39 PM

    Have you tried "/usr/lib/vmware/likewise/bin/domainjoin-cli" from the command line for leaving the AD? Not sure, but maybe there is a force parameter. The needed service is "chkconfig --list lwsmd" and needs to be running.

    Regards,
    Joerg

     



  • 16.  RE: Unable to remove standalone host from domain

    Posted Oct 22, 2022 01:59 PM

    How do I run this?
    SSH session just says command not found.



  • 17.  RE: Unable to remove standalone host from domain

    Posted Oct 22, 2022 02:11 PM

    It's not in $PATH, so you need the complete path or jump into the directory first.

    Regards,
    Joerg



  • 18.  RE: Unable to remove standalone host from domain

    Posted Oct 22, 2022 04:30 PM

    I was in the directory, but it didn't seem to work.

    Have tried using the full path, and now it seems to work.

     

    In any case, it reports success:

    Eds89_0-1666456179903.png

     

    However, the Web UI shows it is still joined to the domain:

    Eds89_1-1666456204380.png

     

    Do I need to restart a service for this change to take effect?


    Cheers

    James



  • 19.  RE: Unable to remove standalone host from domain

    Posted Dec 18, 2022 09:42 PM

    Can anyone help me further with this please?



  • 20.  RE: Unable to remove standalone host from domain

    Posted Jan 17, 2023 08:56 PM

    Can anyone help me any further please?

     

    Cheers

    Eds



  • 21.  RE: Unable to remove standalone host from domain

    Posted Oct 06, 2023 05:14 AM

    I had the same problem after I rebooted the host. AD login stopped working; the status of AD in ESX was OK, but I didn't make any changes - leave, edit, etc. I recommend you start by restarting the lwsmd service via the web GUI, and then check whether you have filled in networking TCP/IP stack - default - DNS - domain name, search domain.

    After I rebooted the service, I could manage leave / join and log in again.



  • 22.  RE: Unable to remove standalone host from domain

    Posted Dec 13, 2023 06:02 PM

    Stopping the service and rejoining worked for me. Thank you!



  • 23.  RE: Unable to remove standalone host from domain

    Posted Dec 05, 2023 03:01 PM

    Try this trick:

    https://serverfault.com/questions/1103155/cannot-delete-orphaned-domain-group-from-permissions-on-esxi

    It allows you to remove the group first, then you can jump off the domain.

     



  • 24.  RE: Unable to remove standalone host from domain

    Posted Dec 14, 2023 05:43 AM

    thx for info