Repointing vCenter 6.0 U1 to a Platform Services Controller (PSC) in a Different Site

 
With 6.0 Update 1, VMware also released a feature that allows repointing a standalone vCenter Server to an external PSC. You might be thinking, “But I could already do that, couldn’t I?”
 
The answer to that is Yes and No.
 
Yes, a repoint was possible before Update 1. The catch was that the PSC had to be installed in the same SSO site as well as the same domain. That meant that if the PSC was not in what is considered an HA deployment without a load balancer, a repoint was not workable. In this article, I will explain how to use cmsso-util, the updated utility that was released in conjunction with Update 1. If you would like to see how to repoint a standalone VC to an external PSC in the same SSO site, please reference the original VMware KB 2113917.
 
UPDATE: If you have an embedded vCenter 6.0, you can also now use cmsso-util to break out into an external configuration and decommission the original PSC. Do this only if you are sure you will not be using the old PSC again. VMware has good documentation of this here
 

Collecting Topology Information

 
First, it’s important to understand the difference between an SSO domain and an SSO site. An SSO domain can be easily compared to an Active Directory domain. All SSO nodes in a domain (usually vsphere.local) share their identity information through LDAP replication. Authentication can happen across this domain for objects which are available through the configured Identity Sources. An SSO site represents a single “instance” that will not be geographically dispersed. If multiple SSO nodes are in the same site, they will usually have a 3rd party load balancer in front of them. This is all done during the install of the PSCs. Simply installing another PSC without explicitly selecting to join an existing domain or site will not create a unified authentication domain, regardless of whether you use the same names.
 
Ensure you have the proper site information before making the move. You can use the following commands from the PSC to discover the SSO topology:
 
SSO Site

  • VCSA: /usr/lib/vmware-vmafd/bin/vmafd-cli get-site-name --server-name localhost
  • Windows: "C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli" get-site-name --server-name localhost

 
SSO Domain

  • VCSA: /usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost
  • Windows: "C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli" get-domain-name --server-name localhost

 
Note: Before you begin, snapshot all SSO nodes and vCenter servers involved! This means ALL of the PSCs in an authentication domain, even if you aren’t moving anything to or from them. The replication agreements between them can easily take any mistakes and pull them into the entire environment.
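
A pre-flight check built on the two vmafd-cli queries above, added here as an example that is not part of the original post or of VMware's tooling. It collects a node's SSO domain and site, then compares the vCenter's current PSC with the target PSC to decide which procedure applies. The function names and the VMAFD_CLI override are assumptions of this example; the only real command it calls is vmafd-cli with the options shown above.

```shell
# Added example, not VMware code. VCSA path taken from the article;
# VMAFD_CLI can be overridden (hypothetical knob) for Windows or testing.
VMAFD_CLI="${VMAFD_CLI:-/usr/lib/vmware-vmafd/bin/vmafd-cli}"

# Strip carriage returns and surrounding whitespace from a name.
trim() {
  printf '%s' "$1" | tr -d '\r' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Run on a PSC: prints "<sso-domain> <sso-site>" for the local node.
collect_topology() {
  local domain site
  domain=$("$VMAFD_CLI" get-domain-name --server-name localhost) || return 1
  site=$("$VMAFD_CLI" get-site-name --server-name localhost) || return 1
  printf '%s %s\n' "$(trim "$domain")" "$(trim "$site")"
}

# repoint_plan CUR_DOMAIN CUR_SITE NEW_DOMAIN NEW_SITE
# Prints one keyword on stdout (reason on stderr):
#   same-site   same domain and site      -> VMware KB 2113917
#   cross-site  same domain, other site   -> cmsso-util repoint + move-services
#   stop        different SSO domains     -> not covered by this procedure
#   unknown     a value is missing        -> collect topology again
repoint_plan() {
  local cur_domain cur_site new_domain new_site
  cur_domain=$(trim "$1"); cur_site=$(trim "$2")
  new_domain=$(trim "$3"); new_site=$(trim "$4")
  if [ -z "$cur_domain" ] || [ -z "$cur_site" ] ||
     [ -z "$new_domain" ] || [ -z "$new_site" ]; then
    echo "unknown"; echo "missing domain or site name" >&2; return 2
  fi
  if [ "$cur_domain" != "$new_domain" ]; then
    echo "stop"
    echo "domains differ ($cur_domain vs $new_domain): do not repoint" >&2
    return 1
  fi
  if [ "$cur_site" = "$new_site" ]; then
    echo "same-site"; echo "follow VMware KB 2113917" >&2
  else
    echo "cross-site"
    echo "use cmsso-util repoint, then cmsso-util move-services" >&2
  fi
}
```

Run collect_topology on the current and the target PSC, then pass the four values to repoint_plan on any host; the comparison is exact, so a name that differs only in case is reported as a mismatch rather than silently accepted.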
 

vCenter Server Appliance

Step 1. Download cmsso-util which was provided by VMware in KB 2131191. There are two versions of the utility in the zip. For the appliance, use cmsso-util.
 
Step 2. Back up the current cmsso-util file:
 

mv /bin/cmsso-util /bin/cmsso-util.bak

 
Step 3. Move the new cmsso-util file to the vCenter Server using WinSCP. The bash shell must be enabled for this to work. See Error when uploading files to vCenter Server Appliance using WinSCP (2107727).
 
Step 4. We are now ready to repoint vCenter to the new site.
 

/bin/cmsso-util repoint --repoint-psc FQDN_of_PSC_New_Site

For example:

/bin/cmsso-util repoint --repoint-psc PSC2.vcloud.local

 
Step 5. Run the move-services option of cmsso-util on the vCenter Server. Follow the prompts for the required information. This moves the current service registrations from the vCenter Server’s current site to the new site and restarts all the services.
 

/bin/cmsso-util move-services

 
 

vCenter Server for Windows

 
Step 1. Download cmsso-util which was provided by VMware in KB 2131191. There are two versions of the utility in the zip. For Windows, use cmsso-util.bat.
 
Step 2. Back up the current cmsso-util file, usually located in C:\Program Files\VMware\vCenter Server\bin:
 

ren cmsso-util.bat cmsso-util.bak

 
Step 3. Upload the cmsso-util.bat file into the C:\Program Files\VMware\vCenter Server\bin directory.
 
Step 4. We are now ready to repoint vCenter to the new site.
 

"%VMWARE_PYTHON_BIN%" cmsso-util repoint --repoint-psc FQDN_of_PSC_New_Site

For example:

"%VMWARE_PYTHON_BIN%" cmsso-util repoint --repoint-psc psc2.vcloud.local

 
Step 5. Run the move-services option of cmsso-util on the vCenter Server. Follow the prompts for the required information. This moves the current service registrations from the vCenter Server’s current site to the new site and restarts all the services.
 

"%VMWARE_PYTHON_BIN%" cmsso-util move-services

 
 

Troubleshooting

 
If the command should fail, there are two service logs you can investigate for what went wrong.
 
vmdir

  • Located on the destination PSC
  • VCSA: /var/log/vmware/vmdird/vmdird-syslog.log
  • Windows: C:\ProgramData\VMware\vCenterServer\logs\vmdird\vmdir.log

 
vmafdd

  • Located on the vCenter which is being repointed
  • VCSA: /var/log/vmware/vmafdd/vmafdd-syslog.log
  • Windows: C:\ProgramData\VMware\vCenterServer\logs\vmafdd\vmafdd.log

 
 
 

Posted by:

Chris Morrow

13 Comments

  1. Josh Gray -  October 13, 2015 - 2:14 pm 289

    Well done sir, well done. And hey, why does only Sean get his mug on the blog and not you too?!?! :)

    • Chris Morrow -  October 13, 2015 - 3:23 pm 290

      Thanks Josh! I just need to find a good enough mugshot, I guess!

  2. Huy -  December 15, 2015 - 8:43 am 351

    Chris, great write up. I currently have a vcenter with an embedded PSC. I currently do not have an external PSC. When I create the first external PSC can I join it to the embedded one? Or do I create a brand new PSC?

    • Chris Morrow -  December 15, 2015 - 8:54 am 352

      Thanks Huy. You will want to join the new external PSC to the embedded one for the transition. Then use cmsso-util from the vc to repoint like this:

      cmsso-util reconfigure --repoint-psc newpsc.mylab.local --username administrator --domain-name vsphere.local --passwd somepassword

      Obviously your values will differ slightly but that’s it. You should be done at that point. Snapshot it all first in case anything goes wrong though :)

  3. GA -  February 25, 2016 - 4:40 am 426

    Hi Sean/Chris,

    I have two different embedded Windows VCs at two different locations with external MS SQL DBs. The first site is primary & secondary is DR. Both VCs are at 5.5 U1. We need to upgrade to 6.0 U1 with external PSCs. Also enhanced linked mode is a requirement. Can you guide the steps for this pls? Thanks in advance.

  4. Geoff -  March 14, 2016 - 6:39 pm 442

    Is it possible to point your vCenter to a new SSO domain?

    This was possible in 5.5

    • Chris Morrow -  May 17, 2016 - 5:08 pm 481

      This is no longer possible in 6.0. It’s very unfortunate :(

      • Geoff -  May 17, 2016 - 5:40 pm 482

        Yep you now have to do it by reinstalling which is a more reliable way anyway

  5. Ray Hapes -  March 22, 2016 - 12:24 pm 444

    This is the best article on this process out there, Thanks. I need to consolidate 2 separate SSO domains into one. I am upgrading 2 vCenters each 5.5 with its own SSO domain and site. My goal is to consolidate the 2 domains into 1 with multiple PSCs replicating between sites. Both are in the same AD domain. Any help here?

    • Geoff -  May 17, 2016 - 4:33 pm 476

      Ray, I have done quite a lot of this recently.

      The way I did it was by reinstalling. It was far more reliable than using VMware’s tools. You need to backup the database and the permissions. There are scripts around to import/export the permissions. I never had any DB issues though but still you need a backup.

      Are your SSOs internal or external? If internal I would split before upgrading. Then I would upgrade both to 6. Then from 1 site that will become a secondary site, uninstall vcenter then uninstall the psc. Then reinstall the psc and join to the psc that’s already there then reinstall vcenter. Then if needed import permissions.

      The first psc becomes a master – just something to keep in mind – if you have more than 2 I would join any others to the master then afterwards you can create replication agreements between them all.

  6. chandran -  July 26, 2016 - 2:09 am 507

    Re-point from external HO-PSC02 windows (site:default-first-site) to another external HO-PSC01 (site: headoffice) is failing with error “import cis.utils line 49”. I have followed KB 2131191, extracted cmsso-util, copied to vcenter server/bin folder and executed re-point command. FYI,

    history:

    1. vCenter HO connected moved from embedded to external PSC HO-PSC02 (default-first-site)

    2. vCenter SS moved from embedded to external PSC SS-PSC01 (default-first-site).

    3. No replication enabled when we move from embedded to external individually.

    4. Deployed another PSC HO-PSC01 (headoffice) with replication to SS-PSC01 (default-first-site)

    5. Trying to move vCenter HO from HO-PSC02 to HO-PSC01 (between sites) and it’s giving error.

    C:\Program Files\VMware\vCenter Server\bin>"%VMWARE_PYTHON_BIN%" cmsso-util repoint --repoint-psc AIKWHOV-VPSC01.Alghanim.com

    Traceback (most recent call last):

    File "cmsso-util", line 49, in

    from cis.utils import (invoke_command, read_ssl_certificate, setupLogging,

    ImportError: cannot import name set_deployment_nodetype

    C:\Program Files\VMware\vCenter Server\bin>ren cmsso-util cmsso-util.bak

    C:\Program Files\VMware\vCenter Server\bin>cmsso-util -h

    Traceback (most recent call last):

    File "C:\Program Files\VMware\vCenter Server\bin\\cmsso-util", line 42, in

    from cis.utils import (invoke_command, read_ssl_certificate, setupLogging,

    ImportError: cannot import name set_deployment_nodetype

    C:\Program Files\VMware\vCenter Server\bin>

  7. Brandon -  September 16, 2016 - 2:31 pm 524

    If a vCenter Server Appliance has been unregistered using the cmsso-util command can it then be re-registered with the PSC?

  8. Francesco -  November 17, 2016 - 3:38 am 538

    Hi Sean,

    Your article is great! Just a question. You explain the difference between SSO Domain and SSO Site. I haven’t understood completely your sentences. My question is: Can I have the same Site name on different SSO Servers in the SAME SSO domain?

    I think that:

    – SSO Domain is like AD
    – SSO Site is like a label to differentiate different instances (like hostname for Domain Controllers).
    – Replication is only between instances in the SAME SSO Domain.

    I’m confused… Can you try to explain in other words?

    THANK YOU!!!

