Changing vCenter Default Domain

One of the less annoying things I encounter on a daily basis is the wrong default domain on my vCenter appliance. Changing the vCenter default domain is necessary in my environment because the empty-root domain is the default. Our main domain, where all of our user accounts reside, is a sub-domain of the empty-root domain. That means you can’t just log in with your normal credentials without using the domain\username or username@domain.com format. This isn’t a large problem, but anything that speeds up my day is always appreciated.

It turns out that this is a known problem for users in a child domain where vCenter has been upgraded from version 5.5.0 to 5.5.0b or later. In my case the users can still log in if they put the domain prefix as part of their login. I just don’t want to have to worry about that, especially for those in our enterprise who can’t figure out how to log in using a domain prefix.

Resolution

To change the behavior of the identity source, the default domain can be changed on the Single Sign-On (SSO) server, replacing the domain that was set as the default during the upgrade.

Windows-based Single Sign-On (SSO)

Connect to the machine that is running the SSO instance.
Create the defaultdomain.ldif file containing this information using a plain text editor:

dn: cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
changetype: modify
replace: vmwSTSDefaultIdentityProvider
vmwSTSDefaultIdentityProvider: example.com
-

Note: Replace example.com with the desired default domain from your environment. The .ldif file must be terminated with a line containing only “-”, which closes the modify record.

As an Administrator, click Start > Run, type cmd and then click OK.
Run ldifde with no arguments (C:\>ldifde) to confirm that the ldifde tool is available; it prints the list of available command-line options.
If the tool is not present, install it by running this command:

C:\>ServerManagerCmd -i RSAT-ADDS-Tools

On Windows Server 2012, run this PowerShell command instead:

Install-WindowsFeature RSAT-ADDS

Run this command to update the default domain:

C:\>ldifde -i -f filepath\defaultdomain.ldif -s localhost -t 11711 -a "cn=Administrator,cn=Users,dc=vsphere,dc=local" *


When prompted, enter the Administrator@vsphere.local Single Sign-On (SSO) password.
The command should complete successfully.

VMware vCenter Server Appliance with local Single Sign-On (SSO)

Connect to the machine that is running the SSO instance.
Create the defaultdomain.ldif file containing this information using a plain text editor:

dn: cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
changetype: modify
replace: vmwSTSDefaultIdentityProvider
vmwSTSDefaultIdentityProvider: example.com
-

Note: Replace example.com with the desired default domain from your environment. The .ldif file must be terminated with a line containing only “-”, which closes the modify record.

Open a console to the vCenter Server Appliance.
Run this command to update the default domain:

/opt/likewise/bin/ldapmodify -f filepath/defaultdomain.ldif -h localhost -p 11711 -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -W


Enter the Administrator@vsphere.local SSO password.
The command should complete successfully.
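As an added example that is not part of this post or of the VMware KB, here is a small Python script that renders the defaultdomain.ldif record for a given domain and checks an existing file before it is handed to ldifde or ldapmodify. The DN and attribute name are the ones from the steps above; the domain values are constructed placeholders, and the checks it applies (DNS-label syntax, a single replace on the tenant entry, the closing "-") are assumptions of mine, not VMware's rules.

```python
import re

# DN and attribute name are the ones used in the procedure; domain values are constructed placeholders.
TENANT_DN = "cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local"
ATTR = "vmwSTSDefaultIdentityProvider"
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one DNS label

def valid_domain(domain):
    """True for a plausible DNS name such as corp.example.com; rejects typos like 'example..com'."""
    return "." in domain and all(_LABEL.match(label) for label in domain.split("."))

def build_ldif(domain):
    """Render the defaultdomain.ldif record, ending with the '-' line that closes a modify record."""
    if not valid_domain(domain):
        raise ValueError("not a valid DNS domain name: %r" % domain)
    return "\n".join(["dn: " + TENANT_DN, "changetype: modify",
                      "replace: " + ATTR, ATTR + ": " + domain, "-", ""])

def parse_modify_ldif(text):
    """Parse one 'changetype: modify' LDIF record into (dn, [(op, attr, [values]), ...]).
    Raises ValueError for a wrong header, a stray value line, or a missing '-' terminator."""
    lines = [ln.rstrip("\r") for ln in text.splitlines() if ln and not ln.startswith("#")]
    if len(lines) < 2 or not lines[0].startswith("dn: ") or lines[1] != "changetype: modify":
        raise ValueError("record must start with 'dn: ...' followed by 'changetype: modify'")
    dn, changes, i = lines[0][4:].strip(), [], 2
    while i < len(lines):
        m = re.match(r"^(add|delete|replace): (\S+)$", lines[i])
        if not m:
            raise ValueError("expected add/delete/replace at line %d" % (i + 1))
        op, attr, values, i = m.group(1), m.group(2), [], i + 1
        while i < len(lines) and lines[i] != "-":
            if not lines[i].startswith(attr + ": "):
                raise ValueError("line %d does not belong to '%s: %s'" % (i + 1, op, attr))
            values.append(lines[i][len(attr) + 2:])
            i += 1
        if i == len(lines):
            raise ValueError("modify record must be terminated with a '-' line")
        changes.append((op, attr, values))
        i += 1  # skip the '-' separator
    return dn, changes

def default_domain_from_ldif(text):
    """Check that the file does exactly what the procedure intends and return the domain it sets."""
    dn, changes = parse_modify_ldif(text)
    if dn != TENANT_DN or len(changes) != 1 or changes[0][:2] != ("replace", ATTR) or len(changes[0][2]) != 1:
        raise ValueError("file must replace %s on the vsphere.local tenant entry with one value" % ATTR)
    domain = changes[0][2][0]
    if not valid_domain(domain):
        raise ValueError("not a valid DNS domain name: %r" % domain)
    return domain
```

Running default_domain_from_ldif over the file you are about to import catches the missing "-" terminator and a mistyped domain before the SSO directory is touched.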


Here is the link to VMware KB article kb2070433 if you would like to read the full article for yourself. It is a trivial change to fix a trivial problem, but I am glad to say it works like a charm.
