On a bit of a shorter note than my previous article/novella (https://blah.cloud/architecture/designing-modern-private-cloud-network/): I have been moving my lab to a more "enterprise" style architecture. Deploying SRM was a step on the way to that, so I needed to set up another vCenter, which gave me the opportunity to move to a multi-PSC, multi-VC architecture.
There is quite some complexity in my lab with regard to vCenter and its integrations. I have vRO, NSX and vCD running in production, and it's also plugged into VIO and VR, so naturally I really don't want to reinstall and reconfigure all these components, as a lot of work has gone into them, in particular NSX, with dynamic peering etc. set up with upstream routers and its integration with vCD.
I found a great KB (http://blogs.vmware.com/vsphere/2015/10/reconfiguring-and-repointing-deployment-models-in-vcenter-server-6-0-update-1.html?src=vmw_so_vex_mgray_1080) for such a migration from a vCenter with an embedded PSC to one with an external PSC.
So, my current setup:
And the final goal (this will likely expand to multiple PSCs in future):
The first step is to deploy an external PSC only and link it to the already existing vC with embedded PSC, so download the VCSA install ISO, choose install, then deploy to your existing vCenter server (in my case: vc01.lab.mylesgray.io) and choose Install Platform Services Controller:
Then you want to join it to the existing SSO domain:
Then choose to add to the existing SSO site:
Go ahead and deploy the rest of the PSC through the wizard and confirm it comes up okay in your existing vCenter:
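Now the fun part: we need to log into the existing vCenter with SSH and reconfigure SSO to point to the new external PSC. I've filled out the command below with the params relevant to my environment. Note that --passwd puts the SSO administrator password on the command line, where it is visible in the process list while the command runs and may be kept in the shell history: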
    vc01:~ # cmsso-util reconfigure --repoint-psc psc01.lab.mylesgray.io --username administrator --domain-name vsphere.local --passwd MySSOPasswordHere
    Validating Provided Configuration ...
    Validation Completed Successfully.
    Executing reconfiguring steps. This will take few minutes to complete.
    Please wait ...
    Stopping all the services ...
    All services stopped.
    Starting vmafd service.
    Successfully joined the external PSC psc01.lab.mylesgray.io
    Cleaning up...
    Cleanup completed
    Starting all the services ...
    Started all the services.
    The vCenter Server has been successfully reconfigured and repointed to the external Platform Services Controller psc01.lab.mylesgray.io.
Next we should verify that it reconfigured correctly:
    vc01:~ # /usr/lib/vmware-vmafd/bin/vmafd-cli get-ls-location --server-name localhost
    https://psc01.lab.mylesgray.io:443/lookupservice/sdk
If your vC was previously AD-joined, you will need to join the PSC to AD again to maintain any Windows-based SSO you may have had, as identity services have now moved to the PSC. This can be found at:
Home -> Administration -> System Configuration -> Nodes -> [Choose your PSC] -> Manage -> Settings -> Active Directory -> Join...
Once joined to your AD again, reboot the PSC and your permissions will be restored across all VC objects.
Now we can go ahead and install our second vCenter server, jump into the VCSA install process again but this time choose to deploy a vCenter Server with external PSC:
Then we need to fill in our newly deployed PSC's FQDN, SSO user and password, then carry on through the install process.
Deployment can take a while depending on your storage. Once the second VC comes up, it should show up in your primary VC server under the following directory:
Home -> Administration -> System Configuration -> Nodes
If you can log into both VCs with integrated Windows SSO, you know you've done a good job, oh and when you see this:
Please note: any configurations that directly reference the SSO lookup URL will need to be changed to the new PSC FQDN. NSX and VR are examples of such.
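To script the verification step and the check for integrations that still reference the old lookup URL, here is an added example (not part of the original post and not VMware tooling). The helper names are hypothetical, the integration inventory is constructed, and it assumes the old embedded lookup service used the same `:443/lookupservice/sdk` URL form on the vCenter's own FQDN.

```shell
#!/bin/sh
# Added example; ls_host, check_repoint and stale_integrations are hypothetical helper names.

# Lower-cased host part of a lookup service URL (hostnames/IPv4 only, no IPv6 literals).
ls_host() {
    printf '%s\n' "$1" | sed -e 's|^[A-Za-z]*://||' -e 's|[:/].*$||' | tr 'A-Z' 'a-z'
}

# $1 = URL printed by "vmafd-cli get-ls-location", $2 = expected external PSC FQDN.
# Returns 0 if repointed, 1 if it names another host, 2 if the URL is malformed.
check_repoint() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $1 in
        https://*/lookupservice/sdk) ;;
        *) echo "unexpected lookup service URL: $1" >&2; return 2 ;;
    esac
    got=$(ls_host "$1")
    if [ "$got" = "$want" ]; then return 0; fi
    echo "lookup service is on $got, expected $want" >&2
    return 1
}

# Reads "component URL" lines on stdin and prints each component whose lookup
# URL still names the old embedded PSC ($1 = FQDN of the original vCenter).
stale_integrations() {
    old=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while read -r name url; do
        if [ -n "$name" ] && [ "$(ls_host "$url")" = "$old" ]; then
            echo "$name"
        fi
    done
}

# On the appliance the first argument would come from:
#   /usr/lib/vmware-vmafd/bin/vmafd-cli get-ls-location --server-name localhost
if check_repoint 'https://psc01.lab.mylesgray.io:443/lookupservice/sdk' psc01.lab.mylesgray.io; then
    echo "vCenter is using the external PSC"
fi

# Constructed inventory of integration settings (not real exports from NSX or VR).
stale_integrations vc01.lab.mylesgray.io <<'EOF'
nsx https://vc01.lab.mylesgray.io:443/lookupservice/sdk
vr  https://psc01.lab.mylesgray.io:443/lookupservice/sdk
EOF
```

Any component the last function prints is still authenticating against the lookup service on the old vCenter and needs its setting updated to the PSC FQDN.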
Any questions, drop me a line below, until next time!