Remove PSC from SSO Domain

In this post we will learn how to decommission/remove a PSC from an SSO domain. I am covering the steps needed for the VCSA in this post. The steps for a Windows-based vCenter Server are very similar and are explained in VMware KB-2106736.

Why do I need to do so?

In my lab I was doing a lot of new things with PSC deployments and repointing my vCenter Server from one PSC to another. If you are new to repointing a vCenter Server between PSCs, please read the two articles below:

1: How to repoint vCenter Server 6.x between External PSC within a site

2: Repointing vCenter Server 6.0 to External PSC’s across sites

At present I have 3 PSCs, namely psc02.alex.local, psc03.alex.local and psc04.alex.local. I have one vCenter Server, which was originally deployed with psc02 as its external PSC. First I moved my vCenter Server from psc02 to psc03 (they were in the same domain/site) and then I moved the VC from psc03 to psc04 (same domain, but a different site).

In the output of the command below you can see which PSCs are part of the vmdir replication topology of the SSO domain:

psc02:~ # /usr/lib/vmware-vmdir/bin/vdcrepadmin -f showservers -h psc03.alex.local -u administrator -w SSO-Admin-Pwd



And currently the VC is pointing to PSC04:

vcentersrv02:~ # /usr/lib/vmware-vmafd/bin/vmafd-cli get-ls-location --server-name localhost


I will start with removing psc02.

These are the steps for doing so:

1: Log in as root to the appliance shell of one of the Platform Services Controller appliances within the domain.

2: To enable the Bash shell, run the shell.set --enabled true command.

3: Run the shell command to start the Bash shell and log in.

4: Run the cmsso-util unregister command to unregister the Platform Services Controller. Run it from a PSC that stays in the domain (psc03 here), naming the PSC to be removed with --node-pnid:

psc03:~ # /bin/cmsso-util unregister --node-pnid psc02.alex.local --username administrator --passwd SSO-Admin-PWD

WARNING! This step is irreversible!
Are you sure you want to unregister host psc02.alex.local ? (Y or N) y
2017-08-13T06:48:25.696Z Running command: ['/usr/lib/vmware-vmafd/bin/dir-cli', 'service', 'list', '--login', 'administrator']
2017-08-13T06:48:25.724Z Done running command
2017-08-13T06:48:25.811Z RC = 1
Stdout = vdcleavefd offline for server psc02.alex.local
Leave federation cleanup failed. Error[1] - Operations error

Stderr = password:
ERROR unregistering computer account.

I was getting the warning "Leave federation cleanup failed. Error[1] - Operations error".

I logged into the vCenter Server and found my PSC was still listed in the vSphere inventory, with Unknown status.


I googled the error and came across this command:

/usr/lib/vmware-vmdir/bin/vdcleavefed -h PSC-FQDN -u administrator -w SSO-Admin-Pwd

I tried running the above command and again got an error, this time about invalid credentials. I was pretty sure that I had passed the correct credentials, so I checked vdcleavefed.log, which resides in the /storage/log/vmware/vmdir directory, and found the errors below. The "invalid credentials" message was misleading; the log shows the real cause:

2017-08-13T06:48:25.798Z:t@139942665656064:VERBOSE: Reading Reg: dcAccount

2017-08-13T06:48:25.810Z:t@139942665656064:ERROR: _VmDirLeaveFederationOffline failed, You must shutdown domain controller/client psc02.alex.local before it can be removed from federation (1)

I shut down my PSC and ran the above command again, and this time I did not get any error:

psc03:~ # /usr/lib/vmware-vmdir/bin/vdcleavefed -h psc02.alex.local -u administrator -w SSO-Admin-Pwd

vdcleavefd offline for server psc02.alex.local
Leave federation cleanup done

I refreshed the Web Client page and PSC02 was gone.


I ran the showservers command again and PSC02 was no longer reflected there either:

psc03:~ # /usr/lib/vmware-vmdir/bin/vdcrepadmin -f showservers -h psc03.alex.local -u administrator -w SSO-Admin-Pwd
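The whole procedure above, from the pre-checks through the fallback to vdcleavefed and the final showservers verification, as an added shell example that is not part of the original post and not a VMware tool. It assumes the binary paths shown in the post, and it assumes output formats for showservers (one cn=<FQDN>,cn=Servers,... DN per line) and for get-ls-location (an https://<psc>/lookupservice/sdk URL) that you should confirm on your own PSC; the sample outputs embedded in it are constructed for the lab in this post. It encodes two caveats a practitioner wants here: the removal is irreversible, so it refuses to proceed while the vCenter's lookup service still points at the node being removed or while that node still answers on the network, and the SSO password is read without echo rather than typed on the command line, because -w/--passwd typed in the shell ends up in the shell history (it is still visible in ps while the VMware tool runs).

```shell
#!/bin/sh
# Added example, not code from the original post or from VMware. It wraps the
# steps above in a checked procedure. Binary paths are the ones shown in the
# post; the output formats of showservers and get-ls-location used by the
# offline samples below are assumptions, so confirm them on your own PSC.

VDCREPADMIN=/usr/lib/vmware-vmdir/bin/vdcrepadmin
VDCLEAVEFED=/usr/lib/vmware-vmdir/bin/vdcleavefed
CMSSO_UTIL=/bin/cmsso-util

# Constructed sample of 'vdcrepadmin -f showservers' output for the lab in the
# post (assumed format: one "cn=<FQDN>,cn=Servers,..." DN per line).
SAMPLE_SERVERS='cn=psc02.alex.local,cn=Servers,cn=Site-A,cn=Sites,cn=Configuration,dc=vsphere,dc=local
cn=psc03.alex.local,cn=Servers,cn=Site-A,cn=Sites,cn=Configuration,dc=vsphere,dc=local
cn=psc04.alex.local,cn=Servers,cn=Site-B,cn=Sites,cn=Configuration,dc=vsphere,dc=local'

# Constructed sample of 'vmafd-cli get-ls-location' output on the vCenter.
SAMPLE_LS_URL='https://psc04.alex.local/lookupservice/sdk'

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# psc_listed SERVERS FQDN -> 0 if FQDN is a server entry in SERVERS, else 1.
psc_listed() {
    printf '%s\n' "$1" \
        | sed -n 's/^cn=\([^,]*\),cn=Servers,.*/\1/p' \
        | grep -Fqix "$2"
}

# ls_host LS_URL -> the host that the vCenter's lookup service URL points at.
ls_host() {
    printf '%s\n' "$1" | sed -e 's|^[A-Za-z]*://||' -e 's|[/:].*||'
}

# preflight SERVERS LS_URL NODE -> 0 if NODE can be removed,
#   1 if NODE is not in the topology (nothing to remove),
#   2 if the vCenter still points at NODE (repoint it first: the removal is
#     irreversible and would leave the VC without a lookup service).
preflight() {
    if ! psc_listed "$1" "$3"; then
        echo "preflight: $3 is not in the replication topology" >&2
        return 1
    fi
    if [ "$(lc "$(ls_host "$2")")" = "$(lc "$3")" ]; then
        echo "preflight: vCenter still points at $3, repoint it first" >&2
        return 2
    fi
    return 0
}

# node_down FQDN -> 0 if FQDN no longer answers ping. vdcleavefed refuses to
# remove a member that is still up, as vdcleavefed.log showed above.
node_down() {
    ! ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# Lists the topology from the surviving PSC; uses the globals set below.
show_servers() {
    "$VDCREPADMIN" -f showservers -h "$partner" -u "$user" -w "$pw"
}

# remove_psc SSO_USER NODE LS_URL: run on a PSC that stays in the domain.
# LS_URL is what 'vmafd-cli get-ls-location --server-name localhost' printed
# on the vCenter. The password is read without echo so it stays out of the
# shell history; it is still visible in 'ps' while the VMware tools run.
remove_psc() {
    user=$1; node=$2; ls_url=$3; partner=$(hostname -f)
    printf 'SSO password for %s: ' "$user"
    stty -echo; read -r pw; stty echo; echo

    preflight "$(show_servers)" "$ls_url" "$node" || return $?
    if ! node_down "$node"; then
        echo "$node still answers; shut it down before removing it" >&2
        return 3
    fi
    # cmsso-util asks for confirmation itself; if its federation cleanup
    # fails (as it did in the post), vdcleavefed finishes the vmdir side.
    "$CMSSO_UTIL" unregister --node-pnid "$node" --username "$user" --passwd "$pw" || true
    if psc_listed "$(show_servers)" "$node"; then
        "$VDCLEAVEFED" -h "$node" -u "$user" -w "$pw" || return 4
    fi
    after=$(show_servers)
    if psc_listed "$after" "$node"; then
        echo "$node is still in the topology after removal" >&2
        return 5
    fi
    echo "$node removed; remaining servers:"
    printf '%s\n' "$after"
}

# Usage on the surviving PSC (after enabling the Bash shell as in the steps):
#   sh remove_psc.sh administrator psc02.alex.local https://psc04.alex.local/lookupservice/sdk
if [ "$#" -eq 3 ]; then
    remove_psc "$1" "$2" "$3"
fi
```

With no arguments the script only defines its functions, so the parsing helpers (psc_listed, ls_host, preflight) can be exercised against the constructed samples before the script is ever pointed at a real PSC; the destructive path only runs when all three arguments are given on a PSC where the VMware binaries exist.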


And that’s it for this post.

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable 🙂