Version: 250331

Official documentation:  https://kb.vmware.com/s/article/80469

usage: lsdoctor.py [-h] [-p] [-s] [-t] [-l] [-u] [-r]

Lookup Service Doctor

optional arguments:
  -h, --help            show this help message and exit
  -p, --pscHaUnconfigure
                        Unconfigure PSCHA on this node. Must be run on each
                        PSC in SSO site.
  -s, --stalefix        Check for stale 5.x info on a vCenter or PSC. Run on
                        each PSC and VC.
  -t, --trustfix        Check for SSL trust mismatch. Can be run on any PSC or
                        VC for each SSO site -- Once per SSO site.
  -l, --lscheck         Print report on problems in the SSO domain
  -u, --solutionusers   Recreate vSphere solution users - Run on each PSC and VC
  -r, --rebuild         Rebuild all services for a node.


###############################################
## PSC HA Unconfigure -- Calls 'lbchecks.py' ##
###############################################
You must run this on any PSC in the same SSO site as the LB, as all PSC's in a single SSO site should be 
behind the load balancer.

This option performs the following tasks:

    -- Updates the hostname.txt file with the PSC's FQDN
    
    -- Removes 'proxyName' element from the STS configuration file
    
    -- Replaces vmdir cert and key if it exists (with MACHINE cert)
    
    -- Re-registers the cs.license service registration with the FQDN and SSL cert of the PSC
    
    -- Removes all the SSO service registrations referencing the LB VIP FQDN
    
    -- Recreates the SSO service registrations with current SSL certificate and FQDN of the PSC using the 
       lookup service installer

#################################################
## Stale 5.x Fixer -- Calls 'servicechecks.py' ##
#################################################
This performed on each PSC or VC in an SSO domain.

This option performs the following tasks:

    -- Checks for and removes any service registration with service type: 'logbrowser:logbrowser'
    
    -- Checks for and removes any service registration with service type 'vsphereclient' or 'vcenterserver' 
       and version '5.1' or '5.5'
    
    -- Checks for and fixes any service registration with service type 'vsphereclient' and 
       an owner ID containing 'WebClient'.  An owner ID containing 'WebClient' is a 5.x solution user
    
    -- Checks for any service registrations with ':7444' in the URL.  If so, it will check for and fix 
       STS_INTERNAL_SSL_CERT in VECS, then remove and recreate legacy SSO service registrations

############################################
## SSL Trust Fixer -- Calls 'settrust.py' ##
############################################
This is performed on a VC or PSC in a particular SSO site.  It only needs to be run once per SSO site.
To determine the SSO site for a particular VC or PSC, you can run the following command:

VCSA:
    /usr/lib/vmware-vmafd/bin/vmafd-cli get-site-name --server-name localhost
Windows:
    "%VMWARE_CIS_HOME%"\vmafdd\vmafd-cli get-site-name --server-name localhost

The script automatically detects the local SSO site. 

This option performs the following tasks:

    -- Checks for logbrowser:logbrowser and prompts for permission to remove it
    
    -- Checks for 5.x web client service and prompts for permission to remove it
    
    -- For each service found in the local SSO site, it compares the certificate presented 
       on 443 for the hostname in the URL with the sslTrust value in the service.  If they don't match, 
       it changes teh SSLtrust and re-registers the service

############################################################################
## Lookup Service Checker -- Calls 'checktrust.py' ##
############################################################################
This queries all lookup service entries in the SSO domain, analyzes them, then generates a report
in the log directory.  Additionally, it will print any problems found.

This option performs the following:
    
    -- Attempts to identify the node type

    -- Checks for any service registration with service type: 'logbrowser:logbrowser'
    
    -- Checks for any service registration with service type 'vsphereclient' and version '5.1' or '5.5'
    
    -- Checks for any service registration with service type 'vsphereclient' and an owner ID containing 
       'WebClient'.  An owner ID containing 'WebClient' is a 5.x solution user
    
    -- Checks for any service registrations with ':7444' in the URL
    
    -- Checks for SSL trust mismatch between trust value in service registation endpoints and cert 
       presented on 443
       
######################################################
## Solution Users Fixer -- Calls 'solutionusers.py' ##
######################################################
You must run this in every VC/PSC on the SSO domain

It defines the standard user groups for the known solution users. It will delete the 
solution users and it will also build the solution user data based on the params. 
Then, it will perform the following in order: 

– list all solution users

– delete and recreate all the users:

    - use dir-cli to delete the user from vmdir 

    - Get certificate from VECS 

    - use dir-cli util to create the solution user in vmdir 

    - add the user to the appropriate groups as predefined.


#############################################
## Service Rebuilder -- Calls 'rebuild.py' ##
#############################################
Used to generate a template, build new services based on the candidate, 
replace all services, replace a single service, or restore to backup

        Version Detected
            Deployment type: embedded
            Version: 6.7.0.31000
        ========================

        0.  Exit
        1.  Generate a template.
        2.  Replace all services with new services.
        3.  Replace individual service.
        4.  Restore services from backup file.

        ========================

In most cases, the primary use will be option 2 and 3.

Option 1:
This option will generate a template for the current version.
Template location is the "templates" directory

Option 2:

This will replace all LS registrations with fresh ones based
on an available template.  New services are also output as a 
candidate file.  Candidate location is the "candidates" 
directory.

Option 3:

This will allow you to recreate any single non-SSO service
registration based on an available template.  Recreating the
SSO services requires use of option 2.  New services are also
output as a candidate file.  Candidate location is the 
"candidates" directory.

Option 4:

This will put the original non-SSO service registrations back.
SSO service registrations are freshly regenerated.  Backup 
location is the "backups" directory.


