Saturday, 27 December 2014

VMware vCenter Server shows VMware ESXi 5.x host with Lockdown Mode enabled when it is not enabled (2017394)


  • VMware vCenter Server shows Lockdown Mode as enabled, but it is disabled on the host.
  • vCenter Server continues to show the incorrect status for the host even after:

    • The vSphere Client is restarted.
    • The host management services are restarted.
    • The VirtualCenter Server service is restarted.
    • The host is removed and re-added to the vCenter Server inventory.
  • This issue occurs when using Autodeployed ESXi 5.x hosts.
  • If the host is restarted, Lockdown Mode is disabled, but vCenter Server shows that it is enabled.
  • Changing Lockdown Mode from vCenter Server fails with the error:

    A general system error occurred: Invalid fault
    Call "HostSystem.EnableAdmin" for object "esxi host FQDN" on vCenter Server


This issue occurs because vCenter Server enables and disables Lockdown Mode on ESXi hosts without first checking the host's current Lockdown Mode status. If vCenter Server (through the vSphere Client) puts a host into Lockdown Mode and the Direct Console User Interface (DCUI) is then used to take the host out of Lockdown Mode, vCenter Server is not notified of the state change and continues to operate as if the host were in Lockdown Mode.


This is a known issue.

Currently, there is no resolution.
To work around this issue, enable Lockdown Mode on the host so that its state is consistent with vCenter Server, and then disable Lockdown Mode through vCenter Server.

To enable Lockdown Mode from the DCUI:
  1. Log in directly to the ESXi host.
  2. Open DCUI on the host.
  3. Press F2 for Initial Setup.
  4. Toggle the Configure Lockdown Mode setting.

To enable Lockdown Mode from the ESXi command line:
  • To check whether Lockdown Mode is enabled, run the command:

    vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled
  • To enable Lockdown Mode, run the command:

    vim-cmd -U dcui vimsvc/auth/lockdown_mode_enter
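  • To enable Lockdown Mode from PowerCLI, run the commands:

    # Put the host into Lockdown Mode (replace hostname with the ESXi host name)
    (get-vmhost hostname | get-view).EnterLockdownMode()
    # List the Lockdown Mode state that vCenter Server reports for each host
    get-vmhost | select Name,@{N="LockDown";E={$_.Extensiondata.Config.adminDisabled}} | ft -auto Name,LockDown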

    Note: If Lockdown Mode is disabled in DCUI, running the PowerCLI command creates a task in vCenter Server, but the task can fail with the message:

    The Administrator permission is already disabled on the host (Except for the vim user)
  • In my case, I enabled it from the DCUI and disabled it using the vSphere Client/vSphere Web Client, but from the client I connected with vCenter.
  • Source KB:-
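
To find hosts affected by the stale state described above, the following added example (not code from the KB or from this blog's author) compares the Lockdown Mode state that vCenter Server reports with the state each host reported through the `vim-cmd` check. The host names, the sample values and the function name `Compare-LockdownState` are assumptions made for illustration, and an existing `Connect-VIServer` session to vCenter Server is assumed.

```powershell
# Added example: flag hosts where vCenter Server's Lockdown Mode state is stale.

# Constructed sample: the state each host itself reported when
#   vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled
# was run on it. Keys are placeholder names and must match the Name that
# Get-VMHost shows for the host.
$hostReported = @{
    'esx01.example.local' = $false
    'esx02.example.local' = $true
}

function Compare-LockdownState {
    param(
        [Parameter(Mandatory = $true)] [hashtable] $HostReported,
        # Objects with Name and LockDown properties (vCenter Server's view)
        [Parameter(Mandatory = $true)] [AllowEmptyCollection()] [object[]] $VCenterView
    )
    foreach ($row in $VCenterView) {
        $vc = [bool]$row.LockDown
        if (-not $HostReported.ContainsKey($row.Name)) {
            # No host-side reading was collected, so nothing can be concluded
            $actual = $null
            $status = 'Host not checked'
        } else {
            $actual = [bool]$HostReported[$row.Name]
            if ($vc -eq $actual) { $status = 'Consistent' }
            elseif ($vc)         { $status = 'STALE: vCenter shows enabled, host reports disabled' }
            else                 { $status = 'STALE: vCenter shows disabled, host reports enabled' }
        }
        [pscustomobject]@{
            Name    = $row.Name
            VCenter = $vc
            Host    = $actual
            Status  = $status
        }
    }
}

# vCenter Server's view, using the same property as the PowerCLI command above
$vcView = Get-VMHost |
    Select-Object Name, @{N = 'LockDown'; E = { $_.ExtensionData.Config.AdminDisabled }}

Compare-LockdownState -HostReported $hostReported -VCenterView @($vcView) |
    Format-Table -AutoSize
```

A host flagged as "vCenter shows enabled, host reports disabled" is the case this article covers: the inventory shows it as locked down while the host is not.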