Repointing vCenter Server to another SSO Domain

Enhanced Linked Mode facilitates the connection of multiple vCenter Server systems through one or more vCenters. Once linked, this configuration provides a centralized overview of your entire infrastructure via a single vCenter URL, allowing for the management of all vCenter servers through a unified vSphere Web Client session. Since these servers are part of the same Single Sign-On (SSO) domain, they will synchronize permissions, licenses, tags, policies, and roles across all linked vCenter Servers.

In this scenario, the two vCenters mentioned below are situated in separate data centers, and we will attempt to join the second vCenter Server Appliance (vCSA) to the SSO domain of the first appliance. The vCenter Server being repointed will transition from its current SSO domain to join the existing domain as an additional vCenter Server connected via Enhanced Linked Mode.

In this example, the source embedded vCenter Server is vcf-vc02.ash.local (the vCenter that needs to be repointed), while the replication partner Platform Services Controller is vcf-vc01.ash.local (my master vCenter). It is crucial that tags or settings on the replication partner remain unaltered.

Repointing is handled by the cmsso-util command.

Run the following command from an SSH session on the vCenter Server / PSC to confirm the SSO site name:

/usr/lib/vmware-vmafd/bin/vmafd-cli get-site-name --server-name localhost

Run the following command from an SSH session on the vCenter Server to confirm the SSO domain name:

/usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost

Run the following command from an SSH session on the vCenter Server to show the PSC node the vCenter Server is currently pointed to:

/usr/lib/vmware-vmafd/bin/vmafd-cli get-ls-location --server-name localhost

Run a pre-check with the option -m pre-check:

# Syntax of the command
cmsso-util domain-repoint -m pre-check --src-emb-admin <PSC admin of source node> --replication-partner-fqdn <destination node FQDN> --replication-partner-admin <PSC admin of destination node> --dest-domain-name <destination PSC domain>

where:
 -m pre-check runs only the pre-check
 source node is the node being repointed (i.e. vcf-vc02.ash.local)
 --src-emb-admin is the SSO administrator of our source vCenter
 --replication-partner-admin is the SSO administrator of our destination vCenter
 --replication-partner-fqdn is the destination vCenter server
 --dest-domain-name is the domain name that the source vCenter will join

Example 

cmsso-util domain-repoint --mode pre-check --src-emb-admin administrator --replication-partner-fqdn vcf-vc01.ash.local --replication-partner-admin administrator --dest-domain-name vsphere.local

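To proceed with the domain join, run the command with -m execute. Keep the replication partner options: without them the node is repointed to a new domain instead of joining the existing one.

cmsso-util domain-repoint -m execute --src-emb-admin Administrator --replication-partner-fqdn <destination node FQDN> --replication-partner-admin <PSC admin of destination node> --dest-domain-name vsphere.local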

Example of Joining vcf-vc02 to vcf-vc01

cmsso-util domain-repoint --mode execute --src-emb-admin administrator --replication-partner-fqdn vcf-vc01.ash.local --replication-partner-admin administrator --dest-domain-name vsphere.local

Show partners

/usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartners -h localhost -u administrator

Verifying Logs

tail -f /var/log/vmware/vmdir/vmafdvmdirclient.log

Location of conflict data, if any:

Conflict files are written to /storage/domain-data/Conflict*.json
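
The state checks before the repoint and the partner check after it, combined into one script. This is an added example, not part of the original post or of VMware's tooling. The function names and the saved-output file are hypothetical, and it assumes showpartners prints one ldap://<fqdn> line per partner.

```shell
#!/bin/bash
# Added example: baseline and verify SSO state around a domain repoint.
# VMAFD_CLI can be overridden, e.g. to test the script off-appliance.
VMAFD_CLI="${VMAFD_CLI:-/usr/lib/vmware-vmafd/bin/vmafd-cli}"

# Print domain, site and lookup-service location as key=value lines.
# Run before the repoint and keep the output as a record of the old state.
sso_state() {
    local key val
    for key in domain-name site-name ls-location; do
        val=$("$VMAFD_CLI" "get-$key" --server-name localhost) || return 2
        printf '%s=%s\n' "$key" "$val"
    done
}

# verify_repoint <expected domain> <expected partner FQDN> <partners file>
# The partners file is saved output of "vdcrepadmin -f showpartners"; run
# that tool interactively so the SSO password is prompted for rather than
# passed as an argument.
# Assumption: showpartners prints one "ldap://<fqdn>" line per partner.
verify_repoint() {
    local want_domain="$1" want_partner="$2" partners_file="$3" got
    got=$("$VMAFD_CLI" get-domain-name --server-name localhost) || return 2
    if [ "$got" != "$want_domain" ]; then
        echo "FAIL: domain is '$got', expected '$want_domain'" >&2
        return 1
    fi
    if ! tr -d '\r' < "$partners_file" | grep -qixF "ldap://$want_partner"; then
        echo "FAIL: $want_partner is not listed as a replication partner" >&2
        return 1
    fi
    echo "OK: in $want_domain, replicating with $want_partner"
}

# Typical use on vcf-vc02 (hostnames from this article):
#   sso_state > /root/sso-before.txt      # before pre-check / execute
#   ... cmsso-util domain-repoint -m execute ...
#   /usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartners -h localhost \
#       -u administrator | tee /root/partners.txt
#   verify_repoint vsphere.local vcf-vc01.ash.local /root/partners.txt
```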


By Ash Thomas
