Upgrading from embedded SSO 5.5 to External SSO (PSC) 6.0

 
UPDATE: As of vCenter 6.0 Update 1, there are more options available to reconfigure an existing embedded topology to an external setup without the need to reinstall. More information can be found in this post.
 
There has been a lot of discussion surrounding an upgrade from vSphere 5.1 or 5.5 to vSphere 6.0 when you currently have Single Sign-On (SSO) embedded and want to move to an external deployment. I highly recommend that you future proof your environment, whatever it looks like, by setting up vSphere 6 in an external deployment. There are multiple reasons for this, but a few of them are: SRM connected to an embedded Platform Services Controller (PSC) is not supported, and any type of multisite configuration using embedded PSCs is not supported (see Recommended Topologies in vSphere 6.0 for more information). There are quite a few more reasons, but I’m sure you get the point.
 
As many of our customers are currently on vCenter Server 5.x with embedded SSO, I wanted to provide a guide on how you can upgrade to an external vSphere 6.0 deployment model. It requires a few more steps than a traditional upgrade, but it will save you a lot of time in the future, especially if you want to move to multisite, use High Availability, or even use SRM. I’m going to go over the steps for Windows, but the appliance can be done in a similar fashion. A summary of the steps is shown below, with more detail and pictures for each step further down.
 
Note: The steps below use repoint commands, which are very sensitive to passwords. If you hit any errors mentioning “Invalid Input”, it’s probably your password. I recommend that you change the SSO password to one that uses what I feel is the friendliest special character – the @ sign (or ensure you fall under the supported character list). You can always change your password back once you are done. I suggest doing this before moving on to the steps, because it can be done easily with the Web Client as shown below. Otherwise you could get stuck in a chicken-and-egg situation: you cannot register the vSphere Web Client with SSO, so you won’t be able to log into the Web Client to change the password. If this happens, you can run through the following KB to reset the SSO admin password.
 
 

Summary of Steps

1. Deploy a new Windows Server – Install current SSO version (5.1 U1, 5.5 U2, etc.).
2. Repoint Inventory Service, vCenter Server, and the vSphere Web Client to the new SSO node.
3. Upgrade your new Single Sign-On node from 5.x to 6.0.
4. Upgrade your vCenter Server (management node) on your original server.
5. Uninstall SSO 5.x from your original server.
 

Full Steps for upgrading to external PSC deployment

 
Step 1. First, you will want to deploy a new Windows Server that will be used for your external PSC. Don’t install PSC yet. Configure the name, networking, DNS, domain information, etc. Once you are ready, download and install your current version of Single Sign-On. Make sure you use the exact version that you are on to ensure that you don’t run into any issues. You do not need to install any other components at this time. I won’t go through the install steps here, as they are straightforward and you have already done them once, but please let me know if you have any questions in the comments section.
 
 
Step 2. Go back to your original Server and repoint the following components to the new SSO node.
 
Repoint Inventory Service
 
vSphere 5.1

"C:\Program Files\VMware\Infrastructure\Inventory Service\scripts\is-change-sso.bat" https://FQDN:7444/lookupservice/sdk "admin@System-Domain" "P@ssword1"

vSphere 5.5

"C:\Program Files\VMware\Infrastructure\Inventory Service\scripts\is-change-sso.bat" https://FQDN:7444/lookupservice/sdk "administrator@vSphere.local" "P@ssword1"

 
Repoint vCenter Server
 
Before running these commands, you will need to unzip the following file: C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\sso_svccfg.zip. Also, if you are using a custom vCenter install path, be sure you add the argument --vc-install-dir "PATH" to the following commands.
 
vSphere 5.1

"C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\sso_svccfg\repoint.cmd" configure-vc --lookup-server https://FQDN:7444/lookupservice/sdk --user "admin@System-Domain" --password "P@ssword1" --openssl-path "C:\Program Files\VMware\Infrastructure\Inventory Service\bin/"

vSphere 5.5

"C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\sso_svccfg\repoint.cmd" configure-vc --lookup-server https://FQDN:7444/lookupservice/sdk --user "administrator@vSphere.local" --password "P@ssword1" --openssl-path "C:\Program Files\VMware\Infrastructure\Inventory Service\bin/"

 
Note: If you get the following error, “The system cannot find the path specified” you may need to set the JAVA_HOME environment variable using the commands below.
 
vSphere 5.1

set JAVA_HOME=C:\Program Files\VMware\Infrastructure\jre

vSphere 5.5

set JAVA_HOME=C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components\

 
Repoint vSphere Web Client
 
vSphere 5.1

"C:\Program Files\VMware\Infrastructure\vSphereWebClient\scripts\client-repoint.bat" https://FQDN:7444/lookupservice/sdk "admin@System-Domain" "P@ssword1"

 
vSphere 5.5

"C:\Program Files\VMware\Infrastructure\vSphereWebClient\scripts\client-repoint.bat" https://FQDN:7444/lookupservice/sdk "administrator@vSphere.local" "P@ssword1"
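
A pre-flight check for Step 2, added here as an example and not part of the original post or VMware's tooling: it confirms the three repoint scripts, the unzipped sso_svccfg folder, JAVA_HOME and the lookup service port on the new SSO node, then prints the commands for your version. The parameters (SsoFqdn, Version, InstallRoot) are hypothetical names; it assumes PowerShell 3.0 or later, the default install paths quoted above, and a standard JRE layout (bin\java.exe) under JAVA_HOME.

```powershell
# Added example: pre-flight checks for Step 2, run on the ORIGINAL vCenter server.
# Not VMware tooling. Assumes PowerShell 3.0+ and the default install paths from this post.
param(
    [Parameter(Mandatory = $true)][string]$SsoFqdn,   # FQDN of the new SSO node
    [ValidateSet('5.1', '5.5')][string]$Version = '5.5',
    [string]$InstallRoot = 'C:\Program Files\VMware\Infrastructure'
)

$lookupUrl = "https://${SsoFqdn}:7444/lookupservice/sdk"
$results   = New-Object 'System.Collections.Generic.List[object]'

function Add-Result {
    param([string]$Check, [bool]$Ok, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Check; OK = $Ok; Detail = $Detail })
}

# 1. The three repoint scripts must exist. repoint.cmd only appears once
#    sso_svccfg.zip has been unzipped next to it.
$scripts = [ordered]@{
    'Inventory Service'  = Join-Path $InstallRoot 'Inventory Service\scripts\is-change-sso.bat'
    'vCenter Server'     = Join-Path $InstallRoot 'VirtualCenter Server\ssoregtool\sso_svccfg\repoint.cmd'
    'vSphere Web Client' = Join-Path $InstallRoot 'vSphereWebClient\scripts\client-repoint.bat'
}
foreach ($name in $scripts.Keys) {
    $path   = $scripts[$name]
    $found  = Test-Path -LiteralPath $path -PathType Leaf
    $detail = if ($found) { $path } else { "Not found: $path" }
    if (-not $found -and $name -eq 'vCenter Server') {
        $detail = "Not found; unzip sso_svccfg.zip in $(Split-Path (Split-Path $path))"
    }
    Add-Result -Check "$name script" -Ok $found -Detail $detail
}

# 2. Directory passed to --openssl-path in the vCenter repoint command.
$opensslDir = Join-Path $InstallRoot 'Inventory Service\bin'
Add-Result -Check '--openssl-path directory' `
           -Ok (Test-Path -LiteralPath $opensslDir -PathType Container) -Detail $opensslDir

# 3. JAVA_HOME: an unset or wrong value is what the post ties to
#    "The system cannot find the path specified".
$javaDefaults = @{
    '5.1' = 'C:\Program Files\VMware\Infrastructure\jre'
    '5.5' = 'C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components\'
}
$javaHome = $env:JAVA_HOME
$javaOk   = [bool]$javaHome -and (Test-Path -LiteralPath (Join-Path $javaHome 'bin\java.exe'))
$javaNote = if ($javaOk) { "JAVA_HOME=$javaHome" } else { "Run: set JAVA_HOME=$($javaDefaults[$Version])" }
Add-Result -Check 'JAVA_HOME' -Ok $javaOk -Detail $javaNote

# 4. The new SSO node must resolve in DNS and answer on the lookup service port.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($SsoFqdn, 7444)
    Add-Result -Check 'Lookup service port' -Ok $true -Detail "${SsoFqdn}:7444 reachable"
} catch {
    Add-Result -Check 'Lookup service port' -Ok $false -Detail $_.Exception.Message
} finally {
    $tcp.Close()
}

$results | Format-Table -AutoSize -Wrap
if ($results | Where-Object { -not $_.OK }) {
    Write-Warning 'Fix the failed checks before running the repoint commands.'
    exit 1
}

# All checks passed: print the Step 2 commands in order. The password stays a
# placeholder so it is never written to a file or a console transcript.
$user = if ($Version -eq '5.1') { 'admin@System-Domain' } else { 'administrator@vSphere.local' }
'Run these from the same command prompt, in this order:'
'"{0}" {1} "{2}" "<SSO password>"' -f $scripts['Inventory Service'], $lookupUrl, $user
'"{0}" configure-vc --lookup-server {1} --user "{2}" --password "<SSO password>" --openssl-path "{3}/"' -f `
    $scripts['vCenter Server'], $lookupUrl, $user, $opensslDir
'"{0}" {1} "{2}" "<SSO password>"' -f $scripts['vSphere Web Client'], $lookupUrl, $user
```

Start PowerShell from the same command prompt in which you set JAVA_HOME, so the check sees the value the repoint scripts will see.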

 
Step 3. Upgrade your new Single Sign-On node from 5.x to 6.0. Run through the installer using the settings you prefer. For a detailed set of steps with screenshots on upgrading, please click here.
 
 
Step 4. Upgrade your vCenter Server (management node) to vCenter Server 6.0. For a detailed set of steps with screenshots on upgrading, please click here.
 
 
Step 5. Uninstall SSO 5.5 from your original server to clean it up.
 
 
To me, this seems to be the best supported method for moving from an embedded SSO environment in vSphere 5.x to an external model in vSphere 6.0. Please let me know if you run into any issues or have any questions surrounding the steps, as I’ll do my best to help!
 

Posted by:

Sean Whitney

72 Comments

  1. Rich Dowling -  June 5, 2015 - 1:33 am 135

    Hi, thanks for the guide. Is there any reason it has to be a new *windows* SSO server, or could the VCSA be used?

    • Sean Whitney -  June 5, 2015 - 10:33 am 137

      Hi Rich,

      No particular reason, I just found it to be the most common use case. You could certainly use the VCSA, the steps should be very similar.

      Thanks,
      Sean

  2. George Popescu -  June 5, 2015 - 11:14 am 141

    Great article, question when you install the external 5.5 SSO you create a new SSO site with the multi-site option, correct?

    • Sean Whitney -  June 5, 2015 - 5:35 pm 143

      Yes, that’s correct.

  3. George Popescu -  June 5, 2015 - 11:16 am 142

    Also what happens with VRA and SRM when you move those 3 services to the external new SSO? Do they break…?

    • Sean Whitney -  June 5, 2015 - 5:35 pm 144

      Yeah, I don’t think they entirely break, but SRM would need to be reregistered to the new lookup service. I think VRA uses its own SSO though, so it shouldn’t matter.

  4. Newsletter: June 13, 2015 | Notes from MWhite -  June 13, 2015 - 5:01 pm 158

    […] from embedded SSO 5.5 to external SSO (PSC) 6.0 This should be the best practice for people upgrading to 6 at a minimum.  This has extra steps but you will end up moving from […]

  5. PB -  June 19, 2015 - 12:46 am 173

    Hi,
    Sorry to ask this again but just to be clear when I install the external 5.5 SSO which of the following do I choose?

    1. vCenter Single Sign-On for your first vCenter Server.
    2. vCenter Single Sign-On for an additional vCenter Server in an existing site.
    3. vCenter Single Sign-On for an additional vCenter server with a new site.

    Cheers,

    PB.

    • Sean Whitney -  June 21, 2015 - 7:37 pm 175

      Hi PB,

      I would choose step 3 which is multisite so you can grow and future proof. Option 1 is standalone, which I never recommend over option 3 in case you ever grow. Option 2 is HA mode, so only choose this for high availability of SSO.

      Thanks,
      Sean

      • Anthony -  January 18, 2016 - 7:01 am 372

        Hey Sean,
        Thanks for your blog.

        I’m not too clear about why you would select option 1.
        I thought option 1 was for the first vcenter and not necessary for a standalone setup.

        And it seems when I select option 3, I don’t get the option to repoint services.

        Any comments?

        thanks.

        Anthony

  6. PB -  June 21, 2015 - 7:51 pm 177

    Hi Sean,
    Thanks for your reply.

    So the new external 5.5 SSO connects into my existing SSO that’s running on my current vCenter?

    So just for clarity. We currently have two vCenter servers one at Prod and one at DR. They are in the same SSO domain with Multisite.

    So the prod SSO site is “Prod” and the DR SSO site is called “DR”.

    So to move my vCenter SSO to external before I upgrade to version 6.0 I would choose option 3 as you said above but for what will become my prod site I would need to name it say “ProdExternal” then when I do our DR vCenter SSO I could call it “DRExternal” ?

    Then when I uninstall SSO off both vCenter servers this will pretty much remove the old SSO sites that were called “Prod” and “DR”.

    Would this be correct?

    Cheers,

    PB.

    • Sean Whitney -  June 22, 2015 - 12:39 pm 180

      On prod you would choose option 1, on DR you would choose option 3. The site is more or less just a logical grouping, so you can name it what you would like. Other than that, everything else looks good on your plan.

  7. DM -  July 2, 2015 - 2:18 pm 191

    I would like to switch to a VCSA wherever possible. Currently I have several Windows vCenters with SSO installed on the same box.

    Can I deploy a vSphere 6 PSC appliance(s), join it to my existing SSO domain and repoint my Windows vCenters to that, then remove SSO from the vCenters and upgrade them to 6?

    • Sean Whitney -  July 8, 2015 - 9:57 am 196

      Hi Daniel,

      Yes, you can do that. I’ve actually done that before and it worked without any issues.

      Thanks,
      Sean

      • Josh -  July 16, 2015 - 4:21 pm 200

        Are you sure that’s possible? I can’t get the 6.0 PSC installer to get test correctly joining to a 5.5 SSO domain. Does that only work on windows, and not the appliance?

        • Sean Whitney -  July 24, 2015 - 8:21 pm 207

          Yeah, I haven’t tested it in the appliance but I did get new information that there may be more steps required. We are working on a KB article.

  8. kiran -  July 27, 2015 - 2:31 am 210

    Hi,

    >>1. Deploy a new Windows Server – Install current SSO version (5.1 U1, 5.5 U2, etc.).
    >>2. Repoint Inventory Service, vCenter Server, and the vSphere Web Client to the new SSO node.
    >>3. Upgrade your new Single Sign-On node from 5.x to 6.0.

    I upgraded Windows based sso from 5.5 to 6.0, and able to see Platform Services Controller in Programs And Features. But not able to see any old 5.5 SSO for uninstall.

    Any idea? I know I have upgraded SSO to PSC successfully.

    Thanks in advance.

    • Sean Whitney -  August 3, 2015 - 12:06 pm 215

      Hi Kiran,

      You have to do the uninstall from the old SSO server, not the new one that was upgraded.

      Thanks,
      Sean

  9. Faisal -  July 28, 2015 - 4:56 am 211

    Great info.

    We have Vcenter 5.5 U2 along with LB
    SSO 5.5 U2 . How can we migrate it to Vcenter 6 along with External PSC.

    • Sean Whitney -  August 3, 2015 - 12:07 pm 216

      Hi Faisal,

      I don’t have the steps for this process yet, you may want to engage VMware support to see if they have suggestions in case you attempt to roll it out and hit some issues.

      Sean

  10. Eric C. Singer -  August 3, 2015 - 11:31 am 214

    Hi Sean,

    Had a quick question. If we didn’t need real time failover with an SSO cluster. Is there any reason we couldn’t use a cname record to point at any given node of a SSO server? I’m thinking in the case where maybe you don’t have a load balancer, but still want the ability to easily change the primary SSO server.

    • Sean Whitney -  August 3, 2015 - 12:09 pm 218

      Hi Eric,

      I don’t believe this is supported so I can’t say I recommend it.

      Thanks,
      Sean

  11. EricW -  August 5, 2015 - 11:07 am 221

    Thanks for the article.
    Is it possible to move from version 6 embedded to version 6 External PSC? Trying to determine if it is worth restoring back to 5.5 for this functionality.

    • Sean Whitney -  August 15, 2015 - 8:22 am 229

      Hi Eric,

      There isn’t really a way to do this without redeploying unfortunately.

      Thanks,
      Sean

  12. KW -  August 10, 2015 - 12:16 pm 224

    Thanks very much for this, Sean.

    One question for clarification regarding PG’s questions above:
    Are we to join our new external SSO server to an existing domain (new site) or create a new domain? I’m concerned about having to re-create internal SSO users, custom roles, etc., and have those apply properly when vCenter gets repointed. Your replies on June 21 and 22 sound a little contradictory, unless I’m just missing it altogether.

    • Sean Whitney -  August 15, 2015 - 8:27 am 232

      Hi Kenneth,

      It depends on what you are trying to accomplish. If you have one SSO server, you would choose option 1.

      1. vCenter Single Sign-On for your first vCenter Server.

      If you have multiple, for each additional SSO server you are running through to make external, you would select option 3.

      3. vCenter Single Sign-On for an additional vCenter server with a new site.

      How many SSO sites do you have, and are they all embedded?

      Thanks,
      Sean

      • KW -  August 17, 2015 - 8:49 am 233

        Sean,
        We have two SSO sites for our single SSO domain. Both are embedded on our two vCenter servers, which are configured in linked mode.
        If we were to perform the vCenter 6 upgrade, we will end up with the first of the listed “deprecated” topologies here:
        http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2108548

        I tried the process to add two additional external SSO servers as new sites in an existing domain, and then re-point the components, but have hit a bug in the vCenter repoint.cmd. Take a look at this thread for the gist of it.

        https://communities.vmware.com/message/2530673#2530673

        Basically, the script is trying to write a file with backslashes in the name.

        I’ve got a support case open with VMware, but they haven’t gotten to a solution yet.
        –Kenneth

        • Sean Whitney -  August 25, 2015 - 9:19 pm 235

          Hi Ken,

          There may be a workaround to stand up 5.1 first, then upgrade to 5.5, then repoint.

          Thanks,
          Sean

  13. Miles Jackson -  August 26, 2015 - 2:28 pm 237

    Sean,

    (Using vSphere 5.1)

    When I get to the point in the install where I need to specify the type of database to use, do I need to create a new SQL database for this?

    Currently my SSO database is hosted on a separate SQL server. Not sure if I should be using the existing one, creating a new one on the separate SQL server, or just using express.

    Thanks for the help!
    -Miles

    • Sean Whitney -  August 27, 2015 - 10:08 am 238

      You could just create a new one, you will need to recreate the identity sources and SSO users and groups, but that is usually painless unless you have a lot.

  14. Russ Jackson -  September 8, 2015 - 2:17 pm 248

    Not sure if you have experience moving from 5.0 to 6.0 directly, but I’ve been testing. If I choose an embedded install all my permissions, domain information, etc comes over. However, if I install the embedded SSO and then upgrade my vcenter, I see the permissions, but when I add the domain as an identity source they don’t “line up” and so the permissions don’t come over. (it doesn’t see it as the same domain I guess). It seems they need to be added after. Are you familiar with this problem at all, and do you know of a workaround?

    • Sean Whitney -  September 11, 2015 - 9:45 pm 252

      Hi Russ,

      I’ve seen it in some of the previous versions, I would recommend opening a ticket with support as there could be a variety of causes.

      Thanks,
      Sean

      • Russ Jackson -  September 11, 2015 - 10:03 pm 253

        Thanks – the way I got around it was to stand up the PSC first and then stood up a temporary vCenter server to configure it. Added the identity source and everything – then when I upgraded, everything came over as expected. Still battling some lingering certificate issues, but overall it was successful.

  15. Jay Rogers -  September 28, 2015 - 7:13 am 264

    testing this process and not having much luck in the lab.
    I have simple install embedded SSO 5.5 update 2e
    My goal is to get external SSO keeping all SSO users and groups!
    I am using the windows vcenter install on Server 2012 R2
    You suggest using option 3 on the new external SSO install.
    1. vCenter Single Sign-On for your first vCenter Server.
    2. vCenter Single Sign-On for an additional vCenter Server in an existing site.
    3. vCenter Single Sign-On for an additional vCenter server with a new site.

    I do this then go back to the original embedded simple install vCenter to run the commands you mention.

    I can’t seem to get past the first inventory repoint.
    i get:
    The specified principal (InventoryService_2015.09.27_172736) is invalid.

    Am I on the right path. Any suggestions. Can you confirm it is possible to get external SSO keeping all SSO users and groups?

    • Sean Whitney -  October 12, 2015 - 9:40 pm 281

      Hi Jay,

      You seem to be hitting an issue that may be best to engage VMware support. I would open a ticket if you haven’t already found a workaround.

      Thanks,
      Sean

  16. Mathan Subramaniam -  October 5, 2015 - 4:58 am 271

    Hi Sean ,
    Thanks for the guide. In our environment, we are using two vCenter servers (embedded SSO) and we need to migrate embedded SSO to the external PSC model. As per VMware KB article “http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2130433”, VMware used two external PSCs for two vCenters. We are looking for only one PSC. Could you please suggest how to do this? Thanks for your help in advance.

    • Sean Whitney -  October 12, 2015 - 9:15 pm 277

      Hi Mathan,

      Sure, we recommend a PSC for each geographically dispersed environment. If this is the case, you can simply follow the steps here to split it out, then just install a vCenter pointing to the same PSC that you just split out.

      Hope this helps.

      Sean

      • Josh Gray -  October 12, 2015 - 10:11 pm 284

        Is there a way to repoint with the Appliance yet? I saw in the release notes it did not get through QE or something….?

        • Sean Whitney -  October 12, 2015 - 10:36 pm 285

          Hi Josh,

          Hope you are doing well, good to hear from you.

          There is indeed, it just came out with U1, which makes this post somewhat irrelevant unless you haven’t upgraded. The KB article for this is below.

          kb.vmware.com/kb/2113917

          Sean

          • Josh Gray -  October 13, 2015 - 9:27 am 288

            Right right… but what about from _embedded_ to _external_ specifically with the appliance?

  17. Alex Soetz -  October 20, 2015 - 4:25 am 295

    Hi Sean,

    great website first of all.

    We have got 3 vCenter Server 5.5, each of them runs its own embedded SSO domain. Now we want to upgrade all of them to 6.0. As I understand so far, we have to upgrade all embedded SSO Domains to embedded PSC. Is there any possibility to reduce these 3 embedded PSC to one external PSC?

    Thanks
    Alex

    • Sean Whitney -  October 22, 2015 - 11:59 am 306

      Hi Alex,

      We are in the process of updating this article to include the repoint feature available in 6.0 U1. There is a blog Chris Morrow just wrote last week that shows this process. You could upgrade to 6.0 U1 on everything, then repoint 2 of the vCenter Servers so they are all using one PSC.

      Thanks,
      Sean

  18. Olivier -  October 21, 2015 - 3:02 am 298

    Hi Josh,

    I’m working on an upgrade scenario that involves SRM. In the current infrastructure, I have two sites. On each site, 15ESX and One vcenter VMs hosting sso, infra service, vcenter and srm. vcenters are linked and SSO in multi site configuration.
    In the SRM 6 documentation, It looks like SRM6 supports embedded PSC : https://pubs.vmware.com/srm-60/index.jsp#com.vmware.srm.install_config.doc/GUID-F474543A-88C5-4030-BB86-F7CC51DADE22.html
    So, do I really have to move to an external PSC or can I keep it embedded and get SRM and enhanced linked mode working and supported?

    Olivier

    • Sean Whitney -  October 22, 2015 - 11:57 am 305

      Hi Olivier,

      Yea, you could keep embedded and run enhanced linked mode. It is supported, it’s just deprecated.

      Thanks,
      Sean

      • Olivier -  November 3, 2015 - 6:46 am 321

        Thanks for the feedback Sean
        So now with the version 6 U1, to migrate to an external PSC from an embedded 5.5 SSO with SRM, what is the best path:
        move to an external SSO then upgrade, or upgrade then move an external PSC?

        • Sean Whitney -  November 4, 2015 - 11:44 am 323

          Hi Olivier,

          Either way works, but it’s probably easier to upgrade, then move to external PSC.

          Thanks,
          Sean

  19. Chris -  November 5, 2015 - 9:07 am 324

    Hello,

    Quick question, I have an environment that was installed originally with vCenter and PSC on the same server version 6.0 they had no original intent of adding another site. Then later in the year they decided to add a site and just added it to the same PSC that is combined with the vCenter. We have updated it to update 1 in the hope that I can move the PSC to its own server. Do you know if that is possible?

    thanks

    • Sean Whitney -  November 5, 2015 - 9:51 am 325

      Hi Chris,

      Yes, this is definitely possible. Just spin up a new PSC and run through this article to repoint one of your vCenter Servers.

      Repoint VC to PSC in different site

      Thanks,
      Sean

  20. Hasan -  November 11, 2015 - 5:12 am 331

    Hi Sean,

    Great Article! it is really helpful.

    However, I have some questions and concerns. I find that you were suggesting creating a new SSO on a new VM and choose ( Multisite / join existing SSO as a New Site ).

    What will happen later when you delete the embedded SSO ? what will happen to the newly created SSO ?

    Moreover, My scenario is as following:
    I have 3 vCenters (three sites), all with Embedded SSO.
    2 are in Linked Mode. The third is not. However, I’m not sure if the third vCenter/SSO is installed as standalone, or joined the first (main) SSO. I’m not able to identify that given that KB 2035817 (Windows Server Option 2) cannot differentiate between Standalone SSO and SSOs joining a main one. It can only differentiate between SSO added as new logical site (multisite), or as the same site name (HA). Is there a way to know if third site is installed as standalone or not? I have tried one method: I added a user in first two sites (linked mode), and the user appeared on both web clients. However, the third site didn’t reflect the newly added user. I’m not sure if this is related to linked mode or not (since it is not linked). I assume it is not since SSO is different than linked mode, but I’m not quite sure.

    Side Question: Can I have linked mode for two vCenters with Standalone SSO ?

    Back to my scenario:

    My idea is to do the following ( please correct if this is wrong ):
    1. create 3 VMs
    2. install a new SSO ( with First vCenter / Standalone Option )
    3. install 2 other SSOs ( with Multisite / New logical site Option )
    4. Re-point First vCenter ( with Main SSO )
    5. Re-point Rest vCenters
    6. Do Upgrade to PSC, then vCenters

    then questions comes as following:
    1. Can I carry on my Old SSO configurations with me to the new one?
    2. I’ve seen some people in forums complain about this approach and they opted for reinstall approach.

    • Chris Morrow -  November 11, 2015 - 10:02 am 332

      For the standalone vCenter, you can simply upgrade it to 6.0 u1 and then break it out of embedded using this doc – http://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.upgrade.doc%2FGUID-E7DFB362-1875-4BCF-AB84-4F21408F87A6.html

      Your plan for the other 2 vCenters is good though. You won’t be able to carry over the SSO information unless you join the 2 new SSO nodes to the existing ones, but I would opt not to do that as you then have 4 nodes in the domain (2 active, 2 unused) and could complicate the upgrade.

      • Hasan -  November 12, 2015 - 12:52 am 333

        Thanks Chris,

        I appreciate your response.

        My plan is to Create a _unified_ SSO Domain, which is not the case now as the standalone third vCenter has its own Logical SSO Domain “Although it is the same vsphere.local”. So I’m trying to break out of the isolated SSO domain and unify it with the main one.

        Based on that, Can I follow your approach for the third site to achieve that?
        I did understand the breakout of embedded SSO part. But Just to confirm, with 6.0 U1 I can change the SSO “Domain” or is it just breaking out of the embedded SSO but staying within the same SSO logical Domain?

        —————
        As for the other two linked mode servers (with same Local SSO Domain), I’m planning to remove the embedded SSO. Is that possible? In other words, after joining the two new external SSO Servers, can I go ahead and delete the original embedded SSO?

        Finally, Given that 6.0 Update 1 is out. What would be your best approach to do the upgrade of the following ( same scenario with some clarifications ):

        vCenter Site A ( Embedded SSO — Deployment Type: SSO for your first Server — Linked mode with Site C )
        vCenter Site B ( Embedded SSO — Deployment Type: Standalone SSO / SSO for your first server)
        vCenter Site C ( Embedded SSO — Deployment Type: Multisite with Site A SSO )

        I really Appreciate your help with that point as it is the only missing part in my upgrade plan.

        • Chris Morrow -  November 13, 2015 - 11:38 am 334

          Hi Hasan, In order to “unify” the SSO domain, you will need to reinstall them all in 5.5 as a multisite configuration before the upgrade. I believe you can just uninstall the embedded SSO components after doing so as well. One thing you should know is that in 6.0, the original concept of vCenter Linked Mode is gone. Nothing needs to be done from the VCs to link them anymore. If the vCenters are all pointing to PSC nodes in the same SSO domain, they will be in what is considered “Enhanced Linked Mode” and will be automatically visible from within the web client. User permissions can be used to edit the visibility of these of course.

          • hasan -  November 14, 2015 - 12:23 am 335

            Hi Again Chris,

            1. Do I need to re-install All vCenters? or just the vCenter with standalone embedded SSO?
            2. If I only need to reinstall the third one, can I install the SSO part externally (Multisite)? Or does it have to be embedded as well?
            3. Does reinstallation make me lose my Tags/Folders ( related to inventory services ? ), or are they preserved? (In case I’ll lose it, how can I recover it later. I’ve spent lots of time tagging all my Objects)
            ———–
            My plan then would be:
            1. re-install Standalone vCenter. (choose Multisite)
            2. Add External SSO to both Site A and Site B
            3. uninstall embedded SSO
            4. Do the upgrade
            ———
            This plan is similar to KB 2130433. But I have 3 vCenters. Does it still apply? or does it just work with only 2 vCenters?

  21. sean -  December 31, 2015 - 10:51 am 358

    trying to find out appropriate steps to migrate to a PSC in my scenario.
    1- windows vcenter server 5.5 U3b with external windows SSO 5.5 u3b.

    I want to upgrade my external windows SSO to a PSC appliance 6.0 U1.

    How would I go about upgrading that? I will then upgrade vcenter later to a VCSA 6.0U1.

    Thanks!
    Sean

    • Sean Whitney -  December 31, 2015 - 10:56 am 359

      Hi Sean,

      There isn’t really a supported method to move from Windows to VCSA, especially in an upgrade scenario. There is however a fling that allows you to migrate from a windows VC to a VCSA, and then you can attempt to upgrade. This isn’t supported and there is no guarantee it will work, but here is the link.

      https://labs.vmware.com/flings/vcs-to-vcva-converter

      Other than that, your only option is to spin up new appliances and just start configuring your datacenters, clusters, VDS, etc before migrating your hosts.

      Thanks,
      Sean

      • sean -  December 31, 2015 - 10:58 am 360

        Hey Sean,

        Thanks for the response. I don’t really care about migrating VCSA, only converting/upgrading from the windows version of SSO to an appliance version of a PSC.

        Still not supported?
        thanks
        Sean

        • Sean Whitney -  December 31, 2015 - 11:24 am 361

          Yeah, not supported, and I don’t even think the fling can help with that one..

          You can always spin up a new PSC 6.0 U1 and repoint to it. There typically isn’t a lot of config on an SSO/PSC server, just SSO users and groups, identity sources etc.

          Sean

          • sean -  December 31, 2015 - 11:29 am 362

            So I would assume I just spin up a new one like you said. Should it be a new standalone or do I need to connect the SSO and PSC to the existing SSO domain? Then I assume I use your repoint commands above?

            sorry for the all the questions and appreciate the help!
            Sean

          • Sean Whitney -  December 31, 2015 - 11:32 am 363

            No problem. I would upgrade to 6.0 U1 first for both VC and the SSO/PSC. Then once that is complete, spin up a stand alone PSC and repoint your VC to it via this post

  22. Craig Wallace -  January 21, 2016 - 9:18 am 378

    Hello. Thanks for a great blog post. I have a question. We want to use two PSC servers behind a load balancer. Now do I repoint the Inventory Service, vCenter Server and Web Server to one of the PSC first or do I repoint them to the LB address and let it handle it?

    I am just trying to work out my migration steps

    Many thanks

    • Sean Whitney -  February 9, 2016 - 4:23 pm 403

      Hi Craig,

      Repoint to the LB Address (VIP).

      Thanks,
      Sean

  23. Kevin -  February 18, 2016 - 10:05 am 420

    Sean,
    I have been dealing with an issue with the upgrade of a 5.5 SSO to the 6.0 PSC. The install gets through almost to the end and then bails out with a trackback error. I have been working on this upgrade for a couple of months now and have not been able to complete the upgrade. Can I just spin up a new server and do a clean install of 6.0 u1 PSC and then repoint my current vcenter to the new PSC? I have not seen a 6u1 stand alone install for the PSC. Is it in the iso somewhere?

  24. Kamal Halder -  February 24, 2016 - 12:01 pm 425

    I have created an additional SSO 5.5 version and repointed it. After that, I successfully upgraded to PSC 6.0.
    But when I try to upgrade the VC, it shows that the VC will upgrade to an embedded PSC server.
    I did not deploy, as I believe that is not correct.
    Could you please help me?

  25. Mohamed Ibrahim -  March 21, 2016 - 10:10 pm 443

    Hello,

    After pointing to the new SSO server, how do I migrate all the user access to the new servers? Will it migrate automatically, along with the privileges?

    • Richard -  July 19, 2016 - 12:32 pm 506

      I ran into the same issue.

      Did you get yours resolved? If so, what did you do?

  26. Joe -  April 2, 2016 - 3:24 pm 448

    Sean,
    Thanks for the good article. I am on the last stage of repointing the vCenter 5.5 to external 5.5 SSO before upgrading to 6.

    When I run the command to repoint VC to external SSO, it fails with:

    Abnormal command failure: exception `Cannot locate configuration source C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\vcsso.properties’ of type class org.apache.commons.configuration.ConfigurationException

    ‘FO | Return code is: InternalError / 254
    FO | END EXECUTION’

    Any idea?

    Joe

  27. Rhian -  June 23, 2016 - 1:06 pm 498

    Thanks, really useful article, btw.

    I’m just repointing 2 vCenter 5.1 embedded servers to an external 5.5 SSO server.

    In the article regarding repointing below:

    https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2033620

    1. Remove the Inventory Service account (Haven’t needed to do this)

    Note: This is required only if you are re-registering the vCenter Inventory Service to the same Single Sign-On instance that the vCenter Inventory Service was originally registered to.

    2. Re-register vCenter Inventory Service with vCenter Single Sign-On (Did this)
    3. Register vCenter Server with a different vCenter Single Sign-On instance (did this)
    4. Re-register vCenter Server with the Inventory Service
    5. Register the vSphere Web Client with a different vCenter Single Sign-On instance (Did this)

    You have omitted step 4. Is this OK to omit if the criteria do not apply, as I am doing the same thing as you have blogged about?

  28. Naga -  August 29, 2016 - 12:29 pm 517

    Hi Sean,

    Can you please help us find the step-by-step procedure to move from VCSA 5.5 with embedded SSO to VCSA 6.0 with external PSC as appliances?

    I like your blogs for Windows-based deployments, but I don’t find anything for appliances in similar cases.

  29. Kalid Abdul -  December 18, 2016 - 1:59 pm 546

    Hi Sean,

    Thanks for this great article.
    We are unable to repoint one of our embedded vCenter Server 5.5 U2 instances to the newly created external Single Sign-On server.
    We keep getting the error “the specified principal (vCenterServer_2014.04.24_143555)”

    Jay Rogers (here above) mentions a similar problem, but I can’t yet find any answer for this issue in this blog or on VMware support sites.
    Could you please suggest how to solve this issue? Thanks for your help in advance; we really appreciate your effort.

    Kalid

  30. Kalid Abdul -  December 18, 2016 - 11:29 pm 547

    Hi Sean,
    Thanks for this great article.
    We are unable to repoint one of our embedded vCenter Server 5.5 U2 instances to the newly created external Single Sign-On server.
    We keep getting the error “the specified principal (vCenterServer_2014.04.24_143555)” is invalid
    Jay Rogers (here above) mentions a similar problem, but I can’t yet find any answer for this issue in this blog or on VMware support sites.
    Could you please suggest how to solve this issue? Thanks for your help in advance; we really appreciate your effort.
    Kalid

  31. Steve -  February 5, 2017 - 12:23 pm 556

    I have tried working through this procedure using several different iterations and couldn’t get it to work. I got stuck on the re-pointing vCenter Server step. I would clear one hurdle just to encounter another. Finally, I got stuck on a known bug in the version of 5.5 that I was trying to upgrade (see link below), and the workaround didn’t work. I came up with another method that I’ll outline below. It was much simpler and didn’t have any issues (understanding that every deployment has different challenges).

    Procedure:
    – Stand up a new PSC server and take a snapshot
    – Back up the vCenter DBs and take a snapshot of vCenter
    – Upgrade vCenter 5.5 (with embedded SSO) to version 6.0 in place
    – Install PSC version 6.0 on the new server and join the existing site (don’t create a new site)
    – Use the procedure below to re-point vCenter to the new PSC server. In the process, the script decommissions the embedded PSC for you after it completes the transfer.
    http://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.upgrade.doc%2FGUID-E7DFB362-1875-4BCF-AB84-4F21408F87A6.html

    Bug:
    https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2083179

    Upgrade Sequence Doc for consideration of other deployments:
    https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2109760

