Installing vSphere 6.0 Platform Services Controller (PSC) in High Availability mode

Note: In this example I am using appliances for my PSCs  and the BigIP F5 Load Balancer.
 
Step 1. Create 3 DNS Records.

  • Platform Services Controller 1
  • Platform Services Controller 2
  • Load Balancer VIP

 
Step 2. Mount the vCenter Server 6.0 Appliance ISO to a Windows VM and Install the Client Integration Plugin.

1
 
Step 3. Open the vcsa-setup.html file

2
 
Step 4. Select the Install button

3
 
Step 5. Accept the terms of the license agreement, click Next.
 
Step 6.Select a target ESXi host to deploy the appliance.

4

Accept the thumbprint by clicking “Yes
 
Step 7. Specify the Platform Services controller name and root password.

5
 
Step 8. Select the “Install Platform Services Controller” Option under “External Platform Services Controller”

6
 
Step 9. Select “Create a new SSO Domain” and enter a password, SSO domain name, and SSO site name.

7
 
Step 10. Select a Datastore

8
 
Step 11. Enter your Network Settings

9

Make sure to check in the “Enable ssh” checkbox!

10
 
Step 12. Confirm your settings, then Select Finish
 
Step 13. SSH into your new PSC appliance, and enable the shell with the following commands:

# shell.set --enable=true
# shell

11
 
Step 14. Download and unzip the sso-ha.zip file.

Download: sso-ha.zip

SCP the file to your appliance and unzip it.

Note: – In order to transfer files to and from the new VCSA you will need to change the default shell from /bin/appliancesh to /bin/bash by running the following command:

# chsh -s "/bin/bash" root
# unzip VMware-psc-ha-6.0.0.2503195.zip

12
 
Step 15. Change into the “VMware-psc-ha-6.0.0.2503195” directory and run the following command:

# python gen-lb-cert.py --primary-node --lb-fqdn=<loadbalancerfqdn> --password <certpassword>

13
 
Step 16. Set your load balancer up for the two PSCs on ports 443, 2012, 2014, 2020, 389, and 636. For more information, please page 90 of the  “vCenter Server 6.0 Deploy Guide guide“.
 
Step 17. Click Install again to deploy the second PSC

14
 
Step 18. Accept the terms of the license agreement, click Next.
 
Step 19. Select a target ESXi host to deploy the appliance.

4

Accept the thumbprint by clicking “Yes
 
Step 20. Specify the Platform Services controller name and root password.

15
 
Step 21. Select the “Install Platform Services Controller” Option under “External Platform Services Controller”

6
 
Step 22. Choose the option “Join an SSO domain in an existing vCenter 6.0 platform services controller” and specify your first PSC and SSO password.

16
 
Step 23. Choose “Join an existing site” and select your site from the drop down.

17

Click Next
 
Step 24. Choose your Datastore

18
 
Step 25. Enter your Network Settings

19

Ensure you select enable SSH.
 
Step 26. Confirm your settings and hit Finish.
 
Step 27. From the first PSC copy the files in /etc/vmware-sso/keys/ to /ha/keys.

20

 

Note: – You will once again need to run the following command but this time on the second PSC to allow SCP.

# chsh -s "/bin/bash" root

Then copy the VMware-psc-ha-6.0.0.2503195 and ha folders from the first PSC to the second PSC.

  21

 
Step 28. Change into the “VMware-psc-ha-6.0.0.2503195” directory and run the following command:

# python gen-lb-cert.py --secondary-node --lb-fqdn= --lb-cert-folder=/ha --sso-serversign-folder=/ha/keys/

22
 
Step 29. Run the following command:

# python lstoolHA.py --hostname=<FQDNofPSC2> --lb-fqdn=<LoadBalancerFQDN> --lb-cert-folder=/ha --user=Administrator@vsphere.local

24
 
Step 30. Confirm the Load balancer status:

23

All done! You can now install vCenter Server 6.0 and point it to the VIP name of the Load Balancer! If you already have a vCenter Server(s) pointing to PSC that is now being load balanced, you will need to Repoint vCenter Server to the new PSC load balancer Virtual IP (VIP).

We have tried to simplify the High Availability of SSO (or the PSC in 6.0) for our users so I hope this process goes smoothly for everyone!

Posted by:

Sean Whitney

22 Comments

  1. Serge NG. -  March 28, 2015 - 6:40 pm 68

    legacy port 7444 seem to be required on the load balancer.

    Reply
  2. Marcelo -  April 11, 2015 - 10:43 pm 83

    Hello Sean,

    First of all congrats!!! for the site, it is very helpfull and encourages me.

    Would you please help me once more?

    Because I did everything you posted, I have been followed exactly all of those your steps, but when I try to install the vCenter Server it cannot talk with PSC (VIP). Even thougth got no alerts into BIG IP.

    Everything looks fine to me, but unfortunatelly doesnt work.

    Do you have any idea of what should I do.

    Many Thanks!!!

    Reply
    • Sean Whitney -  April 13, 2015 - 10:51 am 85

      Hi Marcelo,

      Before you configured HA mode, was vCenter already pointing to a PSC? If so you need to Repoint PSC to the VIP. Can vCenter ping the VIP?

      Sean

      Reply
  3. Vmware_vs -  May 18, 2015 - 10:37 am 102

    Hi Sean,

    First of all, congratulations for passing the VCIX-NV exam !

    I would like to get your opinion on the following :-

    We have vCenter running on 5.5 U2 on win2k8 R2, In order to upgrade the Virtual infrastructure, we would do a

    parallel upgrade process where in a new vCenter with 6.0 will be build to Win2k12 R2 server and everything

    including clusters/ hosts / alarms / rules / permissions will be migrated over, Vmware flings have a tool called
    inventory snapshot but that does not work in vsphere 6 migration. Is there any tool or script that can do the job.

    Any help would be greatly appreciated.

    Reply
    • Sean Whitney -  May 19, 2015 - 10:56 am 104

      Hello!

      Thank you very much. In order to answer your question I would need the following information. What type of DB do you have, is it local or remote, and are you trying to use an external PSC, or internal PSC when you migrate to vSphere 6.0?

      Sean

      Reply
      • Vmware_vs -  May 20, 2015 - 4:32 am 105

        Hi Sean,

        We have the oracle db 11g running on a dedicated remote oracle box. We would have the External PSC and vCenter running on two different servers.

        Thanks, Vinod

        Reply
        • Sean Whitney -  May 20, 2015 - 10:28 am 106

          Hi Vinod,

          You should be able to upgrade your current node from SSO 5.5 to PSC 6.0, then spin up a new server, and fresh install vCenter Server 6.0 pointing to your existing oracle database. You will have to clean up the vCenter Server and it’s services on the old server, or maybe just disable the services for now. This should keep all of your configuration. Also, if it was my environment, I would just spin up two new servers, install PSC 6.0 on one, and vCenter 6.0 pointing to the existing oracle database, and you should be good. You would lose SSO configuration in this instance, but it usually is just identity sources and SSO users / groups.

          Thanks,
          Sean

          Reply
          • virtualcloud -  May 9, 2016 - 9:30 am 462

            Sean, in this case, dont we need to upgrade the database before we point our new vcenter to the old database of 5.5?
            Because usually during an upgrade of 5.5. to 6.0, a vcenter database is also upgraded along with the vcenter services.
            And what difference would it be for a microsoft sql database in place of oracle database?

  4. Vmware_vs -  May 21, 2015 - 2:06 am 107

    Hello Sean,

    Thanks for your reply !
    I would be deploying 2 new VMs, one for PSC and second for vCenter. Do I need to keep the vCenter machine name same as the old one (running on 5.5, of course during the course of migration, i will shut off the 5.5 vCenter so it does not show duplicate name exists on network) as all ESXi servers are registered with that name if i use a new machine name for vcenter 6 and point it to the existing db, will not that make all ESXi as unregistered or unmanageable unless we remove and add them back manually.

    Thanks,

    Reply
    • Sean Whitney -  May 21, 2015 - 10:26 am 113

      Hi Vinod,

      I just got new information, that I still need to fully verify but it changes the initial answer I gave you. Here are the steps I would follow.

      1. Spin up a new node install SSO 5.5. This will be your new PSC node.
      2. Repoint your existing vCenter Server, Inventory Service, and Web Client 5.5 to this new SSO 5.5 node. Once that is complete, you can uninstall SSO from your existing server. You will now have a two servers. (VC, IS, WC all version 5.5) and an external SSO 5.5 node.
      3. Perform an upgrade of the new SSO 5.5 node to PSC 6.0.
      4. Perform an upgrade of vCenter Server to 6.0

      This is definitely going to be the best option in my opinion.

      Thanks,
      Sean

      Reply
      • Vmware_vs -  May 21, 2015 - 10:59 am 114

        Hi Sean,

        I really appreciate your time and efforts on this !

        That Sounds great to me.
        My initial plan is to use the windows 2012 for vCenter 6 unlike current vCenter 5.5 running over win2k8. So i guess after step 3. I would upgrade the Operating system on existing vCenter to win2k12 then step 4.

        Thank you.

        Reply
  5. Vmware_vs -  May 21, 2015 - 6:51 am 109

    Hi Sean,

    I have another query regarding the PSC setup in HA mode.
    I am trying to setup the Vcenter 6 Platform service controller on HA mode using KB 2098006 article. I am using 90 days trial version of F5 big-ip 11.3.0 for this setup. However the Virtual IP (VIP) entry created for two PSC nodes is unable to redirect to the PSC while tested to open in the browser :-

    I can open the PSC1 /PSC2 in the https://psc1.domainname.com & https://psc2.domainname.com however the VIP entry

    https://pscvip.domainname.com does not load and shows the webpage is not available.

    While deploying the vCenter setup and providing the fqdb of the VIP for PSC, i get the following error message :-
    “The VMware vCenter Server installer could not verify that the remote vCenter Single Sign-On server is of version 6.0.0 or later. Check whether the remote vCenter Single Sign-On server is reachable and is of version 6.0.0 or later.”
    When i try to put fqdn of one of the PSC instead of PSC VIP fqdn, vcenter detects that fine.
    Would you know what went wrong here.

    Thanks a bunch,

    Reply
    • Rafael -  December 11, 2015 - 10:41 am 350

      Do you get any resolution for the “The VMware vCenter Server installer could not verify that the remote vCenter Single Sign-On server is of version 6.0.0 or later. Check whether the remote vCenter Single Sign-On server is reachable and is of version 6.0.0 or later.” problem ?

      Reply
    • Jeremy -  December 21, 2015 - 1:37 pm 355

      Just worked through this problem myself.

      2 things:
      1. Make sure your F5 routing is configured properly. I of course have a default gateway for my management IP, but I found that if I create both an “internal” and “external” vlan/self-ip that the default routing domain “0” contains both the Internal and External. I removed External from the routing domain and I’m able to get the VIP to work, but it’s flaky. In other words, I get the “could not determine SSO version”, but if I’m stubborn and keep clicking Next in the install wizard, I’ll eventually get a SSL window with the PSC’s certificate for me to accept.

      2. Turn on “sticky sessions” using Source Address Translation and make sure the timeout value is 28,800.

      3. Make sure that you give one of your PSCs a higher priority than the other in the pool. This effectively makes the PSCs Active/Passive, but ensures that you are hitting the same PSC throughout the entire setup. Doing #1 and #2 will allow you to start the install, but it will fail somewhere in the middle during the AutoDeploy component install with a FirstBoot failure with something about not being able to add the AD User. It’s very frustrating, but you basically have to configure the F5 so vCenter is only hitting a single PSC unless that PSC goes down.

      Reply
      • Jeremy -  December 21, 2015 - 1:38 pm 356

        I know I said 2 things and gave 3. Forgot to go back and edit before I submitted.

        Reply
  6. Vmware_vs -  May 21, 2015 - 9:07 am 110

    Hi Sean,

    Its me again, So we figured out the PSC VIP HA issue, it was the problem with route list in the F5 LB. once we added a default route there, the VIP worked fine.

    Thanks,

    Reply
    • Sean Whitney -  May 21, 2015 - 10:05 am 112

      Great news, Vinod! Good catch as well, it should help anyone else that may hit that issue during their deployment, so thank you for the information.

      Reply
    • Jeremy -  November 24, 2015 - 5:45 pm 341

      Can you provide the steps for configuring the default gateway on the F5? I’m running into this same problem and even though I configured a route to a gateway for a network of 0.0.0.0 with a mask of 255.255.255.255, I’m still unable to connect to the VIP. I can ping it by name/ip, and, like you were, am able to connect to the individual PCS’s at https://psc.fqdn however I’m unable to connect to the VIP via https://vip.vqdn. The network map on the F5 shows all servers/services up and online.

      Reply
  7. sam -  October 6, 2015 - 3:37 pm 273

    hello mr sean
    how can i reach u via email..i try to send u an email which was publised but it bouns back..

    Reply
    • Sean Whitney -  October 12, 2015 - 9:38 pm 280

      Hi Sam,

      My email forwarding broke for some reason. I have fixed it, try again, thanks for letting me know!

      Sean

      Reply
  8. R -  March 31, 2016 - 12:32 am 446

    Hi jeremy and Sean,

    we are having the same issue as you guys and unable to install the vCenter server.

    – we can ping the VIP FQDN
    – we can connect to the VIP FQDN

    we cannot install vcenter server when we give the fqdn of the VIP for PSC. the route settings is correctly setup on the F5 is configured correctly.

    How did you manage to resolve your issue ? any help is much appreciated.

    Reply
  9. Ronak -  May 15, 2016 - 10:18 am 470

    I have 2 vCenters 6.0 and I need to Enhanced Link them. So do I need to install vCenters again with External PSC or just Install External PSC and re point the vCenter to PSC?

    Any help appreciated.

    Reply

Leave A Comment

Your email address will not be published. Required fields are marked (required):

Back to Top