    I understand about lock down. But here is a situation that recently occurred with our vCenter 4.1 and ESX 4.1 server. We are running Lab Manager and for some reason the consoles on the LM configurations were unable to communicate with the ESXi host. The error indicated that it failed to communicate to the vCenter host on port 902. Investigated this error and found several articles but none proved to be helpful. Contacted VMware support and we enabled Tech Support mode and SSH for the ESXi server. Had support look at the server. They attempted to restart the services, but this failed. Their recommendation was to reboot. OK so we rebooted. When the system returned we were unable to get to the system from ANY console means. The physical console was locked out as well as any services. We essentially had a 'brick' for a server and no access to anything. Have not found any references to this type of failure. Our only recourse was to reinstall ESXi and reconnect to the Lab Manager service. A royal pain when you have hundreds of VMs that are now orphaned and inaccessible. VMware support was clueless as to why this occurred.

      Hi Peter, that's very unfortunate. I think a bit more troubleshooting would have been useful prior to the reboot. Did you have a TAM involved in this process? There are a few different possibilities that could have caused those symptoms. The thing with lockdown mode in 4.1 is that only vpxuser can access the host. So you need to make sure the host is accessible to vCenter at all times, as this is the only way to disable lockdown mode. When troubleshooting, lockdown mode may need to be disabled so you can ensure host access when necessary. If your vCenter can't communicate to the host, that is the first problem to fix before anything else.

    From my testing I've found that not only do you lose local permissions if you enable lockdown mode from DCUI, but if you DISABLE lockdown mode from DCUI you also lose host level permissions. Then vCenter still thinks the host is locked down, and you can no longer set lockdown mode on or off through vCenter. Not very helpful at all.


