VMware NSX Domain conflict with 1 existing domain
Recently, I ran into a peculiar issue with VMware NSX while trying to add domains for security grouping. Through the GUI the process is fairly straightforward. However, after adding a domain in testing, removing it, and adding it again, I ran into an issue when adding the child domain as well. The error received was “conflict with 1 existing domain”, followed by the name of the domain that I was trying to add. The weird part was that in the GUI NO domains were showing. This was a weird one. Let’s take a look at the VMware NSX “conflict with 1 existing domain” issue.
As I mentioned above, one of the things that makes life interesting in this particular environment is the multiple domains aspect. Specifically, one parent domain and two child domains. So how can we dig a little deeper and see what is going on under the hood when the GUI shows no domains?
No domains listed:
When attempting to add domains:
Even a reboot of the NSX Manager doesn’t change the situation. So, something weird is going on where the GUI doesn’t show the domain(s) that are really there. In steps the API! The NSX API puts a world of power at your fingertips. It lets you get under the hood quickly and easily, both to configure NSX and, as in this case, to troubleshoot problems that simply can’t be solved with the GUI.
Querying the Domains API
Using your favorite GET/POST application (there are many out there), we can query the existing domains that are known by the NSX Manager. Use the following API query to find the Directory domains:
GET https://<nsx manager IP>/api/1.0/directory/listDomains
It will return data in XML format that looks like the following. Notice this is what was returned to me even though the GUI was blank!
<DirectoryDomains>
  <DirectoryDomain>
    <id>1</id>
    <name>testcorp.com</name>
    <type>ACTIVE_DIRECTORY</type>
    <netbiosName>TESTCORP</netbiosName>
    <username>administrator</username>
    <ignoreDisabledUsers>false</ignoreDisabledUsers>
  </DirectoryDomain>
  <DirectoryDomain>
    <id>2</id>
    <name>UK.TESTCORP.COM</name>
    <type>ACTIVE_DIRECTORY</type>
    <ignoreDisabledUsers>false</ignoreDisabledUsers>
  </DirectoryDomain>
  <DirectoryDomain>
    <id>3</id>
    <name>US.TESTCORP.COM</name>
    <type>ACTIVE_DIRECTORY</type>
    <lastSynStatus>SUCCESS</lastSynStatus>
    <lastSyncTime class="sql-timestamp">2016-07-15 11:22:34.157</lastSyncTime>
    <netbiosName>US</netbiosName>
    <username>administrator</username>
    <baseDn>DC=us,DC=TestCorp,DC=com</baseDn>
    <ignoreDisabledUsers>false</ignoreDisabledUsers>
  </DirectoryDomain>
</DirectoryDomains>
Obviously, the GUI is not showing the domains that are clearly active, or at least known, by the NSX Manager. How do we delete them? Send the following DELETE request, replacing <DOMAIN ID> with the value of the <id> element returned above for the domain you want to remove.
DELETE https://<nsx manager IP>/api/1.0/directory/deleteDomain/<DOMAIN ID>
Once you run the command above you should get a STATUS 200 as the result, meaning it was successful. To verify that your delete was successful, simply run the “listDomains” GET request above again and you should see that the domain you deleted is now gone.
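As an added example (not part of the original post and not VMware tooling), the following Python parses the listDomains response shown above, finds the entry whose name matches the domain the GUI refuses to add, and builds the matching deleteDomain path. It assumes the conflict is an exact, case-insensitive match on the domain name; the function names are hypothetical and no request is sent to the NSX Manager.

```python
import xml.etree.ElementTree as ET

# listDomains response from the post, abridged to the fields used here.
SAMPLE = """<DirectoryDomains>
<DirectoryDomain><id>1</id><name>testcorp.com</name><type>ACTIVE_DIRECTORY</type>
<netbiosName>TESTCORP</netbiosName><username>administrator</username></DirectoryDomain>
<DirectoryDomain><id>2</id><name>UK.TESTCORP.COM</name><type>ACTIVE_DIRECTORY</type></DirectoryDomain>
<DirectoryDomain><id>3</id><name>US.TESTCORP.COM</name><type>ACTIVE_DIRECTORY</type>
<lastSynStatus>SUCCESS</lastSynStatus><netbiosName>US</netbiosName></DirectoryDomain>
</DirectoryDomains>"""


def parse_domains(xml_text):
    """Return one dict per <DirectoryDomain> element in the response."""
    root = ET.fromstring(xml_text)
    return [
        {
            "id": int(node.findtext("id")),
            "name": node.findtext("name"),
            # findtext returns None when the element is absent (never synced)
            "last_sync": node.findtext("lastSynStatus"),
        }
        for node in root.findall("DirectoryDomain")
    ]


def find_conflicts(domains, wanted_name):
    """Assumption: a conflict is an exact, case-insensitive name match."""
    key = wanted_name.strip().lower()
    return [d for d in domains if d["name"].strip().lower() == key]


def never_synced(domains):
    """Entries with no sync status are likely leftovers of a failed add."""
    return [d for d in domains if d["last_sync"] is None]


def delete_path(domain_id):
    """Path for the DELETE request described in the post."""
    return f"/api/1.0/directory/deleteDomain/{domain_id}"


if __name__ == "__main__":
    domains = parse_domains(SAMPLE)
    for d in find_conflicts(domains, "uk.testcorp.com"):
        print(f"conflict: id={d['id']} name={d['name']} -> DELETE {delete_path(d['id'])}")
    print("never synced:", [d["name"] for d in never_synced(domains)])
```

Matching on the exact name keeps a parent domain such as testcorp.com from being selected when only a child domain is in conflict, so the DELETE is issued against the intended ID.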
Final Thoughts
After running the above commands, I was able to then test out adding the domain through the GUI and it now works. The API is a powerful tool to configure and troubleshoot NSX. In fact, after you get a feel for the options and configuration you want to instantiate, the API method is way more efficient to get the job done. So on the topic of the VMware NSX “conflict with 1 existing domain” error, the API is the best tool to leverage to both troubleshoot and resolve the issue.