Encountered this bug when testing an SSO repoint we need to complete. After a domain repoint, Administrator could no longer log in to VAMI and other issues were discovered. The trigger is the domain repoint. Bug can be easily replicated. Found this was true for the latest 6.7 version and multiple versions in the 7.0 series.
Deploy VCSA with SSO domain of vsphere.local
- Administrator can access VAMI (port 5480) and GUI (port 443).
Perform SSO domain repoint from "vsphere.local" to anything else (say, "moonchild.local"). Repoint succeeds without errors.
- Administrator cannot access VAMI (port 5480)
- Root can access VAMI (port 5480)
- Administrator can access GUI (port 443) and perform all functions tested.
After the SSO domain repoint is completed, the SSO group "Administrators" is no longer a member of the "SystemConfiguration.Administrators" group. Adding Administrators to that group solves the problem - Administrator is then able to log in to the VAMI.
However, that is not all.
Any domain repoint results in these 4 changes, which all appear to be bugs:
- SSO group "Administrators" is no longer a member of the "SystemConfiguration.Administrators" group
- vAPI services option under VAMI reports errors. lsdoctor -l shows the following error:
ERROR generateReport: default-first-site\fqdn_of_vcenter (VC 7.0 or CGW) found Duplicates Found: Ignore if this is the PSC HA VIP. Otherwise, you must unregister the extra endpoints.
- "SystemConfiguration.BashShellAdministrators" group disappears (Administrator is part of this group by default).
- waiter-xxxxxxxx account disappears from SSO domain (in fact, all accounts except Administrator, krbtgt, and K/M disappear).
I can resolve the first issue by adding Administrators back to SystemConfiguration.Administrators. The errors in the second issue are resolved by running lsdoctor -r and replacing all services. I do not know how to resolve issues 3 and 4. Testing shows that the Administrator account loses the ability to access the shell after the repoint, so issue 3 impacts functionality.
VMware Support has not answered questions about issues 3 and 4. On day 5 of the trouble ticket, the tech replied that issue 1 is a known bug and is being worked on.
These problems are only what I have identified by my own testing. I am concerned about other functionality that is broken by a repoint.