Consolidate SSO Domain before vSphere 6.5 upgrade

A huge number of vSphere admins and companies are facing a vSphere upgrade, and VMware is leading us towards the VCSA, leaving the Windows vCenter version behind.

We have already talked here about the vCenter Migration tool. This tool is really awesome and it works like a charm. But what happens if we want to take advantage of the Enhanced Linked Mode introduced in vSphere 6.0 and we have independent SSO Domains?

Let’s assume that we have two sites that we want to migrate, each one with its own SSO Domain and the SSO service embedded in the vCenter machine. This picture reflects the current vSphere architecture:


When facing a migration of Windows vCenter 5.5 to VCSA 6.5, an idea comes up, why don’t we use this migration to also enable Enhanced Linked Mode?

OK, as part of the migration we cannot change our current SSO architecture; we need to do it before or after the migration. In my opinion it is cleaner to do it before, because I don’t want to be playing with my final VCSA to unify SSO. If we do it before, the environment we migrate will be fresh and will not need further changes.

So this is the final architecture that we want to accomplish:


Let’s see how to change our current SSO architecture before migrating to vSphere 6.5.

First of all we need to deploy one Windows virtual machine (same version as our current Windows vCenter) per site and join them to the same AD domain as vCenter (assuming that we use AD). These two VMs will be temporary; they will end up as PSC appliances.

We go to the one deployed at Site 1 and install vCenter Single Sign-On (same build as the current vCenter):


It will run a pre-check to test DNS resolution and domain membership:


For this first one we will select “Standalone vCenter Single Sign-On Server”:


Define the Site Name:


Once the installation finishes we are going to repoint our current vCenter to this newly installed SSO.

As the first step of the repoint, we repoint the vCenter Inventory Service by running this command:

C:\Program Files\VMware\Infrastructure\Inventory Service\scripts\is-change-sso.bat https://NEW_SSO_FQDN:7444/lookupservice/sdk "administrator@vsphere.local" "PASSWD"
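Before running this and the two later repoint commands, it is worth checking from the vCenter machine itself that NEW_SSO_FQDN resolves, that port 7444 is reachable and that the certificate presented by the lookup service is the one from the SSO server we just installed, since each command sends the administrator@vsphere.local password to whatever answers at that URL. The following script is an added example, not part of the original post; the host name and the expected thumbprint are placeholders you have to replace, and it only uses .NET classes so it also runs on the PowerShell 2.0 shipped with the Windows versions vCenter 5.5 supports.

```powershell
# Added example (not from the original post): pre-flight checks for the
# lookup service URL used by is-change-sso.bat, repoint.cmd and client-repoint.bat.
param(
    [string]$SsoFqdn = "NEW_SSO_FQDN",                           # placeholder
    [string]$ExpectedThumbprint = "REPLACE_WITH_SHA1_THUMBPRINT"  # placeholder, read it on the new SSO server
)

$port = 7444
$url  = "https://${SsoFqdn}:${port}/lookupservice/sdk"
Write-Host "Checking lookup service URL: $url"

# 1. DNS: Inventory Service, vpxd and the Web Client resolve this name themselves,
#    so it has to resolve from the vCenter machine, not only from the admin workstation.
$addresses = [System.Net.Dns]::GetHostAddresses($SsoFqdn)
if (-not $addresses) { throw "DNS resolution failed for $SsoFqdn" }
Write-Host "DNS: $SsoFqdn -> $($addresses -join ', ')"

# 2. TCP: the lookup service port must be reachable through any firewall between sites.
$client = New-Object System.Net.Sockets.TcpClient
$async  = $client.BeginConnect($SsoFqdn, $port, $null, $null)
if (-not $async.AsyncWaitHandle.WaitOne(5000, $false)) {
    $client.Close()
    throw "Port $port on $SsoFqdn is not reachable"
}
$client.EndConnect($async)
$client.Close()
Write-Host "TCP: ${SsoFqdn}:$port reachable"

# 3. TLS: fetch the certificate the lookup service presents and compare its thumbprint
#    with the one noted on the new SSO server, so the SSO password is only sent to that host.
$tcp = New-Object System.Net.Sockets.TcpClient($SsoFqdn, $port)
# The validation callback accepts any certificate here because we compare the thumbprint ourselves below.
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($SsoFqdn)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close()
$tcp.Close()
Write-Host "TLS: subject=$($cert.Subject) thumbprint=$($cert.Thumbprint) expires=$($cert.NotAfter)"

$expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Certificate thumbprint mismatch (got $($cert.Thumbprint), expected $expected): do not repoint"
}
Write-Host "All checks passed, safe to run the repoint commands against $url"
```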

When trying this with my vCenter 5.5 U3d, the script failed with the following error:


After searching a bit I found this KB. We need to edit "is-change-sso.bat" and change this:


With this:


Basically we have to change "EQU 0" to "NEQ 0".

Then, if we run the command again, it finishes successfully:


Then we restart the Inventory Service again:


We can check in the Windows Registry that the change has been made; the Inventory Service is now pointing to the new SSO virtual machine, sso01:


Then we unzip the file in "C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\":


And we execute this command to repoint the vCenter service:

C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\sso_svccfg\repoint.cmd configure-vc --lookup-server https://NEW_SSO_FQDN:7444/lookupservice/sdk --user "administrator@vsphere.local" --password "YOUR_SSO_PASSWD" --openssl-path "C:\Program Files\VMware\Infrastructure\Inventory Service\bin/"


It finishes OK, but I’ve found that because "VMware VirtualCenter Management Webservices" does not stop in time, the restart of vCenter fails, so we need to go to the Windows services console and restart both manually to ensure a fresh start after the repoint.
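One way to do that restart from PowerShell instead of the services console, waiting for each service to really stop before touching the next one, as an added example that is not part of the original post. It assumes the two services are registered with the display names "VMware VirtualCenter Management Webservices" and "VMware VirtualCenter Server" (the vCenter 5.5 defaults) and that the Webservices service depends on the VirtualCenter Server service, which is why it is stopped first and started last.

```powershell
# Added example (not from the original post): ordered restart of the two vCenter
# services after repoint.cmd, so the restart does not fail because Webservices is still stopping.
$timeout = New-TimeSpan -Minutes 5

# Display names assumed to be the vCenter 5.5 defaults
$webSvc = Get-Service -DisplayName "VMware VirtualCenter Management Webservices"
$vpxd   = Get-Service -DisplayName "VMware VirtualCenter Server"

# Stop the dependent service first, then vCenter Server itself; WaitForStatus throws on timeout
foreach ($svc in @($webSvc, $vpxd)) {
    $svc.Refresh()
    if ($svc.Status -ne 'Stopped') {
        Write-Host "Stopping $($svc.DisplayName)..."
        $svc.Stop()
        $svc.WaitForStatus('Stopped', $timeout)
    }
    Write-Host "$($svc.DisplayName) is stopped"
}

# Start in reverse order so vpxd is up before the Webservices try to talk to it
foreach ($svc in @($vpxd, $webSvc)) {
    Write-Host "Starting $($svc.DisplayName)..."
    $svc.Start()
    $svc.WaitForStatus('Running', $timeout)
    Write-Host "$($svc.DisplayName) is running"
}

# Final state of every VirtualCenter service for the log
Get-Service -DisplayName "VMware VirtualCenter*" | Format-Table DisplayName, Status -AutoSize
```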

We can check this change in the Windows Registry too:


Finally we repoint the Web Client with this command:

C:\Program Files\VMware\Infrastructure\vSphereWebClient\scripts\client-repoint.bat https://NEW_SSO_FQDN:7444/lookupservice/sdk "administrator@vsphere.local" "YOUR_SSO_PASSWD"


Change done:


We check vCenter access, the Web Client… If everything is fine we proceed to uninstall SSO on the vCenter machine:


We follow the same procedure at Site 2; the only change is the option we select when installing SSO in the new virtual machine, this time "Multisite":


It asks for a partner host; we specify the new SSO machine at Site 1:


We name this site as Site 2:


When the installation is done, we do all the repoint steps and the uninstall as in Site 1.

So the picture now is this one:


So now it’s time to use the vCenter Migration Tool, which we have already covered here.

We will use the tool to migrate first the Site 1 SSO machine, then the Site 2 SSO machine. When we run the Migration Assistant on a machine with only the SSO service, it detects it and migrates to a PSC instead of creating a vCenter appliance; that is the only difference from migrating a vCenter with all services embedded.

Once we have migrated both SSO servers to PSCs, we migrate vCenter at Site 1 and then at Site 2. After that we will have the final picture as expected, with our SSO Domain unified to take advantage of Enhanced Linked Mode.

In a future post we will see how to add one PSC in each site to make it redundant.

Thanks for sharing 🙂
