I deployed vCenter Server Appliance 6 (vCSA) several times last week: I had to use the wizard to be able to control and troubleshoot communications to the existing Platform Services Controller (PSC) at each step, which I couldn’t do with the integrated command-line installer.
I quickly ended up with an error during the deployment: “Firstboot script execution error”. I already had two PSC nodes deployed in HA (behind a load balancer) and I was trying to deploy a vCSA that would connect to them.
When I expanded the details, I had the following error message.
Firstboot script execution error.
An error occurred while invoking external command : 'Command: ['/usr/lib/vmware-vmafd/bin/dir-cli', 'service', 'create', '--name', 'machine-b5f2a139-8716-421f-8830-e31dae69f9fd', '--cert', '/etc/certs/machine/machine.crt', '--ssogroups', 'ComponentManager.Administrators,SystemConfiguration.Administrators', '--ssoadminrole', 'Administrator'] Stderr: dir-cli failed. Error 68: Possible errors: LDAP error: Already exists Win Error: Operation failed with error ERROR_TOO_MANY_NAMES (68) '
Error in creating new service entry machine-b5f2a139-8716-421f-8830-e31dae69f9fd.
This is an unrecoverable error, please retry install. If you run into this error again, please collect a support bundle and open a support request.
The cause of the error is that there was already an entry for a machine with the same UUID (shown in the error message above) in the LDAP of the PSC nodes. In my case, this was related to the fact that it was the second time that I tried to deploy my vCSA6: the first time failed because of a Load Balancer misconfiguration.
However, other scenarios can lead to a similar situation: for example, a second attempt after a first failed vCSA deployment because of a missing DNS configuration.
To confirm (and to resolve) the issue, let’s connect to one of the PSC nodes and display all the solution users that SSO is aware of:
psc01:~ # /usr/lib/vmware-vmafd/bin/dir-cli service list
The command will ask you for the SSO password (you can specify it in the command if needed).
While the first two services represent the two PSC nodes, the following ones (3 to 6) belong to our failed vCSA deployment: note the UUID (b5f2a139-8716-421f-8830-e31dae69f9fd), which is the same as in the error message above.
To clean everything up, you can use the procedure to decommission a vCenter Server or a Platform Services Controller (KB 2106736):
psc01:~ # cmsso-util unregister --node-pnid <PNID_of_failed_vCSA> --username email@example.com --passwd BruceWayneisBatman!
This command will unregister all entries related to the shadow vCSA in the SSO LDAP.
If you list the services again after the decommission, you can confirm that the four services concerned have been removed.
Note: if you have two (or more) Platform Services Controllers deployed in high availability mode, you only have to run this command on one of the PSC replication partners, as the synchronization removes the entries from all other Platform Services Controller replication partners.
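As an added example (not part of the original post and not VMware code), the shell functions below automate the check described above: they extract the machine UUID from the installer error and list the matching entries in a saved copy of the dir-cli service list output, so the same check can be run before and after the unregister. The "N. name" list layout, the solution-user names and the two PSC UUIDs are assumptions constructed for the sample.

```shell
#!/bin/sh
# Added example; the list layout and the sample values below are assumptions.
UUID_RE='[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'

# Constructed sample: installer error line, with the UUID from the post.
ERROR_TEXT='Error in creating new service entry machine-b5f2a139-8716-421f-8830-e31dae69f9fd.'

# Constructed sample of a saved "dir-cli service list" output. The "N. name"
# layout and the solution-user names are assumed; entries 1-2 use made-up UUIDs.
SERVICE_LIST='1. machine-11111111-aaaa-4bbb-8ccc-000000000001
2. machine-22222222-aaaa-4bbb-8ccc-000000000002
3. machine-b5f2a139-8716-421f-8830-e31dae69f9fd
4. vsphere-webclient-b5f2a139-8716-421f-8830-e31dae69f9fd
5. vpxd-b5f2a139-8716-421f-8830-e31dae69f9fd
6. vpxd-extension-b5f2a139-8716-421f-8830-e31dae69f9fd'

# Print the UUID of the first machine-<uuid> entry named in error text $1.
extract_uuid() {
    printf '%s\n' "$1" | grep -oE "machine-$UUID_RE" | head -n 1 | sed 's/^machine-//'
}

# Print the service names in list $2 that end with UUID $1 (index stripped).
stale_services() {
    printf '%s\n' "$2" \
        | sed -E 's/^[[:space:]]*[0-9]+\.[[:space:]]*//' \
        | grep -E -- "-$1\$"
}

# Print the stale entries and return 0; return 1 when the error text has no
# UUID or when no service in the list carries it (nothing left to clean).
check_stale() {
    uuid=$(extract_uuid "$1")
    [ -n "$uuid" ] || { echo "no machine UUID in error text" >&2; return 1; }
    matches=$(stale_services "$uuid" "$2") \
        || { echo "no service entries for $uuid" >&2; return 1; }
    printf '%s\n' "$matches"
}

# Demo run on the constructed samples.
check_stale "$ERROR_TEXT" "$SERVICE_LIST"
```

A return code of 1 after the decommission means no entry with that UUID is left in the list.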
Now you are good to go and can start the deployment of your vCenter Server again! 🙂