diff --git a/root/usr/sbin/ns8-join b/root/usr/sbin/ns8-join
index 14a8df3..fd22586 100755
--- a/root/usr/sbin/ns8-join
+++ b/root/usr/sbin/ns8-join
@@ -216,8 +216,14 @@ if account_provider_config['isAD'] == '1':
         call(api_endpoint, "remove-external-domain", payload['token'], {"domain": account_provider_domain}, False)
         add_external_domain_response = call(api_endpoint, "add-external-domain", payload['token'], add_external_domain_request, False)
         if add_external_domain_response['data']['exit_code'] != 0:
+            # we need to leave the cluster if the external domain cannot be added
             print("Task add_external_domain has failed:", add_external_domain_response, file=sys.stderr)
-            sys.exit(1)
+            try:
+                result = subprocess.run(['/usr/sbin/ns8-leave'], check=True)
+                print("=========== Leave cluster "+ time.strftime('%a, %d %b %Y %H:%M:%S %z'), file=sys.stderr)
+                sys.exit(1)
+            except subprocess.CalledProcessError as e:
+                print('Error ns8-leave has failed:', e.stderr, file=sys.stderr)
 elif account_provider_config['isLdap'] == '1' and '127.0.0.1' in account_provider_config['LdapURI']:
     # Configure OpenLDAP as account provider of an external user domain:
     account_provider_domain = "directory.nh"
@@ -237,8 +243,14 @@ elif account_provider_config['isLdap'] == '1' and '127.0.0.1' in account_provide
     call(api_endpoint, "remove-external-domain", payload['token'], {"domain": account_provider_domain}, False)
     add_external_domain_response = call(api_endpoint, "add-external-domain", payload['token'], add_external_domain_request, False)
     if add_external_domain_response['data']['exit_code'] != 0:
+        # we need to leave the cluster if the external domain cannot be added
         print("Task add_external_domain has failed:", add_external_domain_response, file=sys.stderr)
-        sys.exit(1)
+        try:
+            result = subprocess.run(['/usr/sbin/ns8-leave'], check=True)
+            print("=========== Leave cluster "+ time.strftime('%a, %d %b %Y %H:%M:%S %z'), file=sys.stderr)
+            sys.exit(1)
+        except subprocess.CalledProcessError as e:
+            print('Error ns8-leave has failed:', e.stderr, file=sys.stderr)
 elif account_provider_config['isLdap'] == '1':
     # Remote LDAP account provider
     account_provider_domain = account_provider_config["BaseDN"].replace(",dc=", ".").replace("dc=", "")