Symptoms
VMware vCenter Server shows Lockdown Mode as enabled. However, it is disabled on the host.

vCenter Server continues to show the incorrect status for the host even after:
- The vSphere Client is restarted.
- The host management services are restarted.
- The VirtualCenter Server service is restarted.
- The host is removed and re-added to the vCenter Server inventory.

This issue occurs when using Autodeployed ESXi 5.x hosts. If the host is restarted, Lockdown Mode is disabled, but vCenter Server shows that it is enabled.

Changing Lockdown Mode from vCenter Server fails with the error:

    A general system error occurred: Invalid fault
    Call "HostSystem.EnableAdmin" for object "esxi host FQDN" on vCenter Server
Cause
This issue occurs because vCenter Server enables and disables Lockdown Mode for the ESXi hosts without first checking the current Lockdown Mode state of the host. That is, if vCenter Server (through the vSphere Client) puts a host into Lockdown Mode and the Direct Console User Interface (DCUI) is then used to take the host out of Lockdown Mode, vCenter Server is not notified of the state change and still operates as if the host is in Lockdown Mode.
Resolution
To work around this issue, enable Lockdown Mode on the host to make it consistent with vCenter Server, and then disable Lockdown Mode through vCenter Server.

To enable Lockdown Mode from the DCUI:
1. Log in directly to the ESXi host.
2. Open DCUI on the host.
3. Press F2 for Initial Setup.
4. Toggle to Configure Lockdown Mode setting.

To enable Lockdown Mode from the ESXi command line:
1. To check if Lockdown Mode is enabled, run the command:

    vim-cmd -U dcui vimsvc/auth/lockdown_is_enabled

2. To enable Lockdown Mode, run the command:

    vim-cmd -U dcui vimsvc/auth/lockdown_mode_enter

To enable Lockdown Mode from the PowerCLI:
1. Run the command:

    (get-vmhost hostname | get-view).EnterLockdownMode()

2. To list the Lockdown Mode status that vCenter Server reports for each host, run the command:

    get-vmhost | select Name,@{N="LockDown";E={$_.Extensiondata.Config.adminDisabled}} | ft -auto

   The output is a table with the columns:

    Name LockDown

Note: If Lockdown Mode is disabled in DCUI, running the PowerCLI command creates a task in vCenter Server. However, the task can fail with the message:

    The Administrator permission is already disabled on the host (Except for the vim user)
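The ESXi command-line steps above can be combined into one check-then-enter routine that is safe to run repeatedly. This is an added example, not part of the original article or VMware's own tooling; the VIM_CMD override variable, the function names, and the assumption that lockdown_is_enabled prints "true" or "false" belong to this example.

```sh
#!/bin/sh
# Added example: idempotent form of the ESXi-shell workaround.
# VIM_CMD is an assumption of this example so the command can be overridden.
VIM_CMD="${VIM_CMD:-vim-cmd}"

# Print the host's own view of Lockdown Mode: "true", "false" or "unknown".
# Assumes lockdown_is_enabled prints a line containing true or false.
lockdown_state() {
    out=$($VIM_CMD -U dcui vimsvc/auth/lockdown_is_enabled 2>/dev/null) || {
        echo unknown
        return 0
    }
    case "$out" in
        *true*)  echo true ;;
        *false*) echo false ;;
        *)       echo unknown ;;
    esac
}

# Bring the host to the state vCenter Server assumes (Lockdown Mode enabled).
# Returns 0 if enabled (already or now), 1 if entering failed,
# 2 if the state could not be read (nothing is changed in that case).
ensure_lockdown_enabled() {
    case "$(lockdown_state)" in
        true)
            echo "Lockdown Mode already enabled on host; nothing to do" ;;
        false)
            echo "Lockdown Mode disabled on host; entering Lockdown Mode"
            $VIM_CMD -U dcui vimsvc/auth/lockdown_mode_enter >/dev/null 2>&1 || return 1
            # Re-read the state instead of trusting the exit code alone.
            [ "$(lockdown_state)" = true ] || return 1
            echo "Host now matches vCenter Server; disable Lockdown Mode from vCenter Server" ;;
        *)
            echo "Could not read Lockdown Mode state; host left unchanged" >&2
            return 2 ;;
    esac
}

# Run the check only when invoked as: sh script.sh run
if [ "${1:-}" = "run" ]; then
    ensure_lockdown_enabled
fi
```

Because the routine only enters Lockdown Mode when the host reports it as disabled, a second run makes no further change.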
Related Information
- Enabling or disabling Lockdown mode on an ESXi host
- Using Tech Support Mode in ESXi 4.1, ESXi 5.x, and ESXi 6.x