In this post we will learn how to repoint a vCenter Server with an external PSC to a new PSC. Before doing that, let's first understand PSC high availability.
As we know, with vSphere 6.0 VMware introduced the concept of the PSC. The PSC deals with identity management for administrators and applications that interact with the vSphere platform. It contains common infrastructure services such as vCenter Single Sign-On (SSO), VMware Certificate Authority (VMCA) and licensing.
To know more about the PSC, please read VMware KB 2113115.
Since these important features live within the PSC, it is very important to ensure 100% availability of the PSC server. The PSC can be made highly available by deploying 2 nodes and then configuring a load balancer in front of them, so that in case of a failure connections can be switched to the other node.
Now what if you don't have a load balancer to configure failover? Don't be disheartened, as VMware has a solution for this as well. The idea is to deploy one PSC node and configure the domain etc. on that first PSC, and then deploy the second PSC in the same domain and same site as the first PSC.
Instructions for doing so have been laid out in this article.
The only disadvantage of not having a load balancer is that in case of an active PSC node failure, the failover does not happen automatically and you have to manually re-point your vCenter Server to the other PSC node.
Even with a load balancer for PSC HA, you are not actually getting true load balancing. William has explained this nicely in his blog post. I was really surprised to read about the load balancer's affinity to just a single PSC node.
Limitation with PSC repointing feature
Prior to 6.0 U1, you had the ability to repoint a VC node to another PSC within the same vSphere SSO site.
With 6.0 U1, some more options were made available to users. These options are:
- Reconfigure an embedded deployment to an external deployment
- Repoint the VC node in an external deployment to another PSC within the same SSO domain, whether it is in the same site or not
With vSphere 6.0 U2, repointing a VC node to another PSC is still limited to PSCs within the same vSphere SSO domain.
In vSphere 6.5 the ability to repoint a VC server to a PSC in another vSphere SSO site is not supported. See this post for details.
It means that if you are running vSphere 6.5 or a build prior to vSphere 6.0 U1, you can't repoint vCenter among PSCs which are in the same domain but in a different site.
Things to know before going ahead with vCenter repointing
To which PSC is my vCenter Server pointing?
There are 2 ways of finding out.
1: Using the vmafd-cli command as shown below:
vcentersrv02:~ # /usr/lib/vmware-vmafd/bin/vmafd-cli get-ls-location --server-name localhost
https://psc02.alex.local/lookupservice/sdk
2: From the vCenter Web Client
In the Web Client select your vCenter Server from the vCenter inventory list, navigate to Manage > Advanced Settings and search for the string "config.vpxd.sso.admin.uri".
What is the SSO site name?
If you have many PSCs and vCenters deployed in your environment and each PSC/vCenter has its own domain/site name, it is very difficult to remember these details. The SSO site name can be retrieved by running the command below:
vcentersrv02:~ # /usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost
Finding all deployed PSCs
In case you need to locate all available PSCs in your environment, you have a couple of options: via the command line and via the Web Client.
In the Web Client navigate to Home > Administration > System Configuration > Nodes.
It will list all deployed PSCs and vCenter Servers.
Alternatively, SSH to one of your PSC nodes and run the command below:
psc02:~ # /usr/lib/vmware-vmdir/bin/vdcrepadmin -f showservers -h psc02.alex.local -u administrator -w psc-administrator-passwd
cn=psc02.alex.local,cn=Servers,cn=BLR-DC2,cn=Sites,cn=Configuration,dc=alex,dc=lab
cn=psc03.alex.local,cn=Servers,cn=BLR-DC2,cn=Sites,cn=Configuration,dc=alex,dc=lab
There are a few other methods of finding this info. William Lam has described those methods in his blog here.
Find the PSC's replication partners and replication status
To find out which other PSCs your PSC is replicating with, use the command below:
psc02:~ # /usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartners -h psc02.alex.local -u administrator -w psc-administrator-passwd
ldap://psc03.alex.local

psc02:~ # /usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartners -h psc03.alex.local -u administrator -w psc-administrator-passwd
ldap://psc02.alex.local
Verify that replication is healthy between the replicating PSCs:
psc02:~ # /usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartnerstatus -h localhost -u administrator -w psc-administrator-passwd
Partner: psc03.alex.local
Host available: Yes
Status available: Yes
My last change number: 1300
Partner has seen my change number: 1300
Partner is 0 changes behind.

psc03:~ # /usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartnerstatus -h localhost -u administrator -w psc-administrator-passwd
Partner: psc02.alex.local
Host available: Yes
Status available: Yes
My last change number: 4186
Partner has seen my change number: 4186
Partner is 0 changes behind.
Now we have all the data we need. We can move forward with repointing the vCenter Server from one PSC to the other.
In my lab my vCenter Server is currently pointing to psc02.alex.local and I am trying to repoint it to psc03.alex.local.
Note: This method is only applicable to a vCenter with an external PSC.
vcentersrv02:~ # /usr/lib/vmware-vmafd/bin/vmafd-cli set-dc-name --server-name localhost --dc-name psc03.alex.local
After running the above command, please restart the VC services.
Verify that your vCenter Server is now pointing to the new PSC:
vcentersrv02:~ # /usr/lib/vmware-vmafd/bin/vmafd-cli get-ls-location --server-name localhost
https://psc03.alex.local/lookupservice/sdk
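The whole sequence above (find the current PSC, confirm the target is in the same site and is a healthy replication partner, then repoint and re-check) can be wrapped into a small pre-flight script so that the repoint only runs when the checks pass. The script below is an added example written for this post; it is not the author's code or a VMware tool. The vmafd-cli and vdcrepadmin paths are the ones quoted above, but everything else is an assumption: it is assumed to run on the vCenter node with vdcrepadmin available there, the PSC administrator password is read from a VMDIR_PASSWORD environment variable instead of being passed on the command line (so it does not land in shell history or the process list), and the sample outputs embedded at the bottom are constructed, modelled on the listings shown above, so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for
# repointing a vCenter Server with an external PSC to another PSC.
# Tool paths are the ones the post quotes; everything else is assumed.

VMAFD_CLI=/usr/lib/vmware-vmafd/bin/vmafd-cli
VDCREPADMIN=/usr/lib/vmware-vmdir/bin/vdcrepadmin

# Extract the PSC host name from a lookup-service URL such as
# https://psc02.alex.local/lookupservice/sdk  ->  psc02.alex.local
psc_from_ls_url() {
    printf '%s\n' "$1" | sed -n 's#^[a-z]*://\([^/]*\)/.*#\1#p'
}

# Print the SSO site of one server from "showservers" output on stdin, e.g.
# cn=psc03.alex.local,cn=Servers,cn=BLR-DC2,cn=Sites,...  ->  BLR-DC2
site_of_server() {
    sed -n "s#^cn=$1,cn=Servers,cn=\([^,]*\),cn=Sites,.*#\1#p"
}

# Succeed only if "showpartners" output on stdin lists the target
# (lines look like "ldap://psc03.alex.local").
is_replication_partner() {
    grep -Fqx "ldap://$1"
}

# Succeed only if "showpartnerstatus" output on stdin reports at least one
# partner, every partner reachable, and nobody behind in changes.
replication_healthy() {
    awk '
        /^Partner:/        { partners++ }
        /^Host available:/ { if ($3 != "Yes") bad++ }
        /^Status available:/ { if ($3 != "Yes") bad++ }
        /changes behind/   { if ($3 != "0") bad++ }
        END { exit ((partners > 0 && bad == 0) ? 0 : 1) }
    '
}

# The real sequence, run on the vCenter node as: sh repoint.sh run psc03.alex.local
# (assumed invocation; requires VMDIR_PASSWORD to be exported first).
repoint_vcenter() {
    target="$1"
    current=$(psc_from_ls_url "$($VMAFD_CLI get-ls-location --server-name localhost)")
    echo "current PSC: $current, target PSC: $target"
    [ "$current" != "$target" ] || { echo "already pointing at $target"; return 0; }

    # 1. Both PSCs must be in the same SSO site (cross-site repoint is unsupported on 6.5).
    servers=$($VDCREPADMIN -f showservers -h "$current" -u administrator -w "$VMDIR_PASSWORD")
    cur_site=$(printf '%s\n' "$servers" | site_of_server "$current")
    tgt_site=$(printf '%s\n' "$servers" | site_of_server "$target")
    [ -n "$tgt_site" ] && [ "$cur_site" = "$tgt_site" ] \
        || { echo "$target not found in site $cur_site; aborting"; return 1; }

    # 2. The target must be a replication partner that is fully caught up.
    $VDCREPADMIN -f showpartners -h "$current" -u administrator -w "$VMDIR_PASSWORD" \
        | is_replication_partner "$target" \
        || { echo "$target is not a replication partner of $current; aborting"; return 1; }
    $VDCREPADMIN -f showpartnerstatus -h "$current" -u administrator -w "$VMDIR_PASSWORD" \
        | replication_healthy \
        || { echo "replication between PSCs is not healthy; aborting"; return 1; }

    # 3. Repoint, then show the new lookup-service location for confirmation.
    $VMAFD_CLI set-dc-name --server-name localhost --dc-name "$target"
    echo "repointed; restart the vCenter services, then confirm the new PSC below"
    $VMAFD_CLI get-ls-location --server-name localhost
}

# Constructed sample outputs, modelled on the post's listings, for offline checks.
SAMPLE_SERVERS='cn=psc02.alex.local,cn=Servers,cn=BLR-DC2,cn=Sites,cn=Configuration,dc=alex,dc=lab
cn=psc03.alex.local,cn=Servers,cn=BLR-DC2,cn=Sites,cn=Configuration,dc=alex,dc=lab'
SAMPLE_PARTNERS='ldap://psc03.alex.local'
SAMPLE_STATUS_OK='Partner: psc03.alex.local
Host available: Yes
Status available: Yes
My last change number: 1300
Partner has seen my change number: 1300
Partner is 0 changes behind.'
SAMPLE_STATUS_LAGGING='Partner: psc03.alex.local
Host available: Yes
Status available: Yes
My last change number: 1312
Partner has seen my change number: 1300
Partner is 12 changes behind.'

if [ "${1:-}" = "run" ]; then
    repoint_vcenter "${2:-}"
fi
```

The script refuses to repoint when the target is in a different site, is not a replication partner, or is behind in changes, which is the state the post's manual checks are meant to rule out; the repoint command itself is the same vmafd-cli set-dc-name call shown above.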
And that’s it. Easy enough?
I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable 🙂