Consolidate the SSO Domain before the vSphere 6.5 upgrade

A huge number of vSphere admins and companies are facing a vSphere upgrade, and VMware is steering us toward the VCSA and away from the Windows vCenter version.

We have already talked here about the vCenter Migration Tool; it really does work like a charm. But what happens if we want to take advantage of Enhanced Linked Mode, introduced in vSphere 6.0, and we currently have independent SSO Domains?

Let's assume that we have two sites to migrate, each with its own SSO Domain and the SSO service embedded on the vCenter machine. This picture reflects the current vSphere architecture:

(Diagram 000: current architecture, two sites, each with its own SSO Domain and SSO embedded on its vCenter)

When facing a migration from Windows vCenter 5.5 to VCSA 6.5, an idea comes up: why not use this migration to also enable Enhanced Linked Mode?

The migration itself cannot change the SSO architecture, so we need to do that either before or after migrating. In my opinion it is cleaner to do it before: I don't want to be reworking the SSO topology on my final VCSA, so I consolidate first, and when I migrate the environment it is already in its final shape with no further changes needed.

So this is the final architecture that we want to accomplish:

(Diagram 001: target architecture, one SSO Domain spanning both sites, served by a PSC in each site)

Let's see how to change our current SSO architecture before migrating to vSphere 6.5.

First of all we deploy one Windows virtual machine per site (same Windows version as our current Windows vCenter) and join them to the same AD domain as vCenter (assuming we use AD). These two VMs are temporary: they will end up as PSC appliances. Before touching production, back up the vCenter database and take a snapshot of the vCenter VM; the repoint steps below rewrite the service registrations of vCenter, the Inventory Service and the Web Client, and a snapshot is the quickest way back if one of them fails halfway.

We start with the VM deployed at Site 1 and install vCenter Single Sign-On on it, using the same build as the current vCenter.

The installer runs a pre-check that tests DNS resolution and domain membership.

For this first one we select "Standalone vCenter Single Sign-On Server".

Define the Site Name.

Once the installation finishes, we repoint our current vCenter to the newly installed SSO.

The first step of the repoint is the vCenter Inventory Service. Run this command (the path contains spaces, so it has to be quoted):

"C:\Program Files\VMware\Infrastructure\Inventory Service\scripts\is-change-sso.bat" https://NEW_SSO_FQDN:7444/lookupservice/sdk "administrator@vsphere.local" "PASSWD"

When I tried this on my vCenter 5.5 U3d, the script failed with an error.

After searching a bit I found this KB. We need to edit is-change-sso.bat and change the errorlevel check: basically, "EQU 0" becomes "NEQ 0".

If we run the command again, it finishes successfully.

Then we restart the Inventory Service.

In the Windows Registry we can confirm that the change has been made: the Inventory Service now points at the new SSO virtual machine, sso01.

Then we unzip "C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\sso_svccfg.zip".

And we run this command to repoint the vCenter Server service (the options take two leading hyphens):

"C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\sso_svccfg\repoint.cmd" configure-vc --lookup-server https://NEW_SSO_FQDN:7444/lookupservice/sdk --user "administrator@vsphere.local" --password "YOUR_SSO_PASSWD" --openssl-path "C:\Program Files\VMware\Infrastructure\Inventory Service\bin/"

It finishes OK, but I've found that because "VMware VirtualCenter Management Webservices" does not stop in time, the restart of vCenter fails, so we need to go to the Windows services console and restart both manually to ensure a fresh start after the repoint.

We can check this change in the Windows Registry too.

Finally we repoint the Web Client with this command:

"C:\Program Files\VMware\Infrastructure\vSphereWebClient\scripts\client-repoint.bat" https://NEW_SSO_FQDN:7444/lookupservice/sdk "administrator@vsphere.local" "YOUR_SSO_PASSWD"

Change done.

We check vCenter access, Web Client login and so on. If everything is fine, we uninstall SSO from the vCenter machine.
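As an added example (my own script, not from the original post and not a VMware tool), here is a PowerShell wrapper that chains the three repoint steps above with the checks a practitioner would want before running them against a production vCenter: it verifies that the new lookup service resolves and answers on 7444, applies the is-change-sso.bat fix only when the file contains exactly one "EQU 0" (keeping a backup), stops on the first non-zero exit code, does the explicit Webservices/vpxd stop-and-start the post recommends, and ends with the registry check done by hand above, searching HKLM\SOFTWARE\VMware, Inc. for any lookup-service URL that still names the old host. The paths are the ones from the post; the service display names, the zip extracting to a sso_svccfg folder, the sso01-style FQDN, PowerShell 3.0+ and .NET 4.5 (for the unzip) are my assumptions, and the script should be read and adjusted before use.

```powershell
# Added example (not from the original post): drives the three vCenter 5.5 repoint
# steps against a new SSO and verifies the result. Run as Administrator on the
# Windows vCenter machine with PowerShell 3.0 or later. Paths are the post's; service
# display names and the zip layout are ASSUMED and should be checked first.
param(
    [Parameter(Mandatory = $true)][string]$NewSsoFqdn,   # e.g. sso01.corp.example (ASSUMED name)
    [string]$OldSsoFqdn = $env:COMPUTERNAME,              # SSO was embedded on this vCenter
    [string]$SsoUser    = 'administrator@vsphere.local'
)
$ErrorActionPreference = 'Stop'
$base   = 'C:\Program Files\VMware\Infrastructure'
$lookup = "https://${NewSsoFqdn}:7444/lookupservice/sdk"

# Pre-check: forward DNS and TCP reachability of the new lookup service (the SSO
# installer checks DNS for its own host; the repoint scripts do not check this one).
function Test-LookupService {
    $null = [System.Net.Dns]::GetHostEntry($NewSsoFqdn)      # throws if unresolvable
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($NewSsoFqdn, 7444); return $tcp.Connected }
    catch { return $false }
    finally { $tcp.Close() }
}

# Apply the KB fix from the post (EQU 0 -> NEQ 0) only if exactly one match exists,
# keeping a backup, so a script that is already fixed or differs is left alone.
function Repair-IsChangeSso([string]$Path) {
    $text = [System.IO.File]::ReadAllText($Path)
    $hits = [regex]::Matches($text, 'EQU 0').Count
    if ($hits -eq 0) { Write-Host "$Path has no 'EQU 0'; leaving it unchanged"; return }
    if ($hits -ne 1) { throw "expected one 'EQU 0' in $Path, found $hits; edit it by hand" }
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
    [System.IO.File]::WriteAllText($Path, ($text -replace 'EQU 0', 'NEQ 0'))
}

# Run one repoint script and fail loudly on a non-zero exit code.
function Invoke-Repoint([string]$Script, [string[]]$Arguments, [string]$Label) {
    Write-Host "== repointing $Label"
    & $Script @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Label repoint failed (exit code $LASTEXITCODE)" }
}

# Stop Webservices before vpxd and wait for each, then start them in reverse order:
# the manual restart the post describes. Display names are vCenter 5.5's (ASSUMED).
function Restart-VcServices {
    $web  = Get-Service -DisplayName 'VMware VirtualCenter Management Webservices'
    $vpxd = Get-Service -DisplayName 'VMware VirtualCenter Server'
    foreach ($s in @($web, $vpxd)) {
        if ($s.Status -ne 'Stopped') { Stop-Service -InputObject $s -Force }
        $s.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))
    }
    foreach ($s in @($vpxd, $web)) {
        Start-Service -InputObject $s
        $s.WaitForStatus('Running', [TimeSpan]::FromMinutes(5))
    }
}

# Collect every registry string under HKLM\SOFTWARE\VMware, Inc. that names a
# lookup service; this is what the post checks by hand in regedit.
function Get-LookupServiceReferences {
    Get-ChildItem -LiteralPath 'HKLM:\SOFTWARE\VMware, Inc.' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                $data = $key.GetValue($name)
                if ($data -is [string] -and $data -match '7444/lookupservice') {
                    New-Object PSObject -Property @{ Key = $key.Name; Value = $name; Data = $data }
                }
            }
        }
}

if (-not (Test-LookupService)) { throw "cannot reach ${NewSsoFqdn}:7444; fix DNS/firewall before repointing" }

# The 5.5 scripts only accept the password as a plain command-line argument, so it is
# visible in the process list while they run; prompt for it rather than hardcode it.
$secure = Read-Host -Prompt "Password for $SsoUser" -AsSecureString
$plain  = (New-Object System.Management.Automation.PSCredential($SsoUser, $secure)).GetNetworkCredential().Password

$isScript = "$base\Inventory Service\scripts\is-change-sso.bat"
Repair-IsChangeSso $isScript
Invoke-Repoint $isScript @($lookup, $SsoUser, $plain) 'Inventory Service'
Restart-Service -DisplayName 'VMware vCenter Inventory Service'     # display name ASSUMED

$ssoreg  = "$base\VirtualCenter Server\ssoregtool"
$repoint = "$ssoreg\sso_svccfg\repoint.cmd"
if (-not (Test-Path -LiteralPath $repoint)) {                          # unzip once, as in the post
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    [System.IO.Compression.ZipFile]::ExtractToDirectory("$ssoreg\sso_svccfg.zip", $ssoreg)
}
Invoke-Repoint $repoint @('configure-vc', '--lookup-server', $lookup, '--user', $SsoUser,
    '--password', $plain, '--openssl-path', "$base\Inventory Service\bin/") 'vCenter Server'
Restart-VcServices

Invoke-Repoint "$base\vSphereWebClient\scripts\client-repoint.bat" @($lookup, $SsoUser, $plain) 'vSphere Web Client'
$plain = $null

# Verify: every lookup-service reference should now name the new SSO host.
$refs  = @(Get-LookupServiceReferences)
$refs | Format-Table Key, Value, Data -AutoSize
$stale = @($refs | Where-Object { $_.Data -match [regex]::Escape($OldSsoFqdn) })
if ($stale.Count -gt 0) { Write-Warning "$($stale.Count) registry value(s) still point at $OldSsoFqdn" }
else { Write-Host "all lookup-service references point at $NewSsoFqdn" }
```

Run it as Administrator on the Windows vCenter once SSO is installed on the new VM, after the backup and snapshot mentioned above. Because the 5.5 scripts take the administrator@vsphere.local password as a plain argument, it is exposed in the command line of cmd.exe while each script runs; the wrapper prompts for it and clears the variable afterwards instead of leaving it in a file or in shell history, and a login to the Web Client is still the real test that the repoint worked.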

We repeat the same procedure at Site 2; the only difference is the option we select when installing SSO on the new virtual machine: this time we select "Multisite".

It asks for a partner host; we specify the new SSO machine at Site 1.

We name this site Site 2.

When the installation is done, we do all the repoint steps and the SSO uninstall exactly as at Site 1.

So the picture now is this one:

(Diagram 002: intermediate architecture, SSO running on a standalone Windows machine in each site, both in one multisite SSO Domain, vCenter in each site repointed to its local SSO)

Now it's time to use the vCenter Migration Tool, which we have already covered here.

We will use the tool to migrate the Site 1 SSO machine first, then the Site 2 SSO. When we run the Migration Assistant on a machine that hosts only the SSO service, it detects this and migrates it to a PSC instead of creating a vCenter appliance; that is the only difference from migrating a vCenter with all services embedded.

Once both SSOs have been migrated to PSCs, we migrate the vCenter at Site 1 and then the one at Site 2. After that we have the final picture as expected, with our SSO Domain unified so we can take advantage of Enhanced Linked Mode.

In a future post we will see how to add a second PSC in each site to make it redundant.

Thanks for sharing 🙂
