Yesterday, one of my disks in one of my NUCs died. It was a standalone NUC, which only hosts stuff like jumpservers or similar unimportant things … well, except it was also hosting my Active Directory Domain Controller. Since this is only a Homelab, it wasn’t setup to be redundant nor did I take a backup. Besides, reinstalling is actually pretty fast (especially, since most of it is scripted anyway).
My actual problem was to join my vCenter into the “new” AD domain. This required of course, leaving the “old” domain before. But since it was not available anymore, I could not leave it.
When trying to “Leave Active Directory Domain” in the GUI, I got the following error:
ldm client exception: Error trying to leave AD, error code , user [email@example.com]
Since the error message is not super-specific, my first thought was, it happened because I’ve still permissions set. So I’ve removed global permissions and all object permissions, which were referring to any AD-Group.
But still the very same error.
Checking the /var/log/vmware/sso/vmware-identity-sts-default.log showed the following:
WARN sts-default[14:localhost-startStop-1] [CorId= OpId=] [org.glassfish.jersey.internal.Errors] The following warnings have been detected: HINT: A HTTP GET method, public void com.vmware.identity.rest.idm.server.resources.ServerResource.getStatus(), returns a void type. It can be intentional and perfectly fine, but it is a little uncommon that GET method returns always "204 No Content". [...] WARN sts-default[20:Thread-8] [CorId=bba76607-42b4-4a15-a3c2-7542f427d12c OpId=] [com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: -1 ERROR sts-default[20:Thread-8] [CorId=bba76607-42b4-4a15-a3c2-7542f427d12c OpId=] [com.vmware.identity.interop.ldap.OpenLdapClientLibrary] Exception when calling ldap_search_s: base=, scope=0, filter=objectclass=*, attrs=[Ljava.lang.String;@2c0b58d0, attrsonly=0 com.vmware.identity.interop.ldap.ServerDownLdapException: Can't contact LDAP server
Line 1 is kind of entertaining. And Line 5 is kind of expected.
The solution to my problem was pretty easy – just use the CLI to do the job:
First, checking the status from CLI:
root@vcsa-1 [ ~ ]# /opt/likewise/bin/domainjoin-cli query Error: LW_ERROR_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN [code 0x0000a309] Client not found in Kerberos database
Erroneous once more. Trigger a the domain leave:
root@vcsa-1 [ ~ ]# /opt/likewise/bin/domainjoin-cli leave Leaving AD Domain: VRACCOON.LAB SUCCESS root@vcsa-1 [ ~ ]#
Now, I had only to reboot the vCenter. Afterwards, the domain was gone.