UPDATE: As of vCenter 6.0 Update 1, there are more options available to reconfigure an existing embedded topology to an external setup without the need to reinstall. More information can be found in this post.
There has been a lot of discussion surrounding an upgrade from vSphere 5.1 or 5.5 to vSphere 6.0 when you currently have Single Sign-On (SSO) embedded and want to move to an external deployment. I highly recommend that you future-proof any environment by setting up vSphere 6 in an external deployment. There are multiple reasons for this, but a few of them are: SRM connected to an embedded Platform Services Controller (PSC) is not supported, and any type of multisite configuration using embedded PSCs is not supported (see Recommended Topologies in vSphere 6.0 for more information). There are quite a few more reasons, but I’m sure you get the point.
As many of our customers are currently on vCenter Server 5.x with embedded SSO, I wanted to provide a guide on how you can upgrade to an external vSphere 6.0 deployment model. It requires a few more steps than a traditional upgrade, but it will save you a lot of time in the future, especially if you want to move to multisite, use High Availability, or even use SRM. I’m going to go over the steps for Windows, but the appliance can be done in a similar fashion. A summary of the steps is shown below, with more detail and pictures for each step further down.
Note: The steps below use repoint commands, which are very sensitive to passwords. If you hit any errors mentioning “Invalid Input”, it’s probably your password. I recommend that you change the SSO password to one that uses what I feel is the most friendly special character, the @ sign (or ensure you fall under the supported character list). You can always change your password back once you are done. I suggest doing this before moving on to the steps, because it can be done easily with the Web Client as shown below. Otherwise you could get stuck in a chicken-and-egg situation: you are trying to register the vSphere Web Client with SSO but cannot, so you won’t be able to log into the Web Client to change the password. If this happens, you can run through the following KB to reset the SSO admin password.
Summary of Steps
1. Deploy a new Windows Server – Install current SSO version (5.1 U1, 5.5 U2, etc.).
2. Repoint Inventory Service, vCenter Server, and the vSphere Web Client to the new SSO node.
3. Upgrade your new Single Sign-On node from 5.x to 6.0.
4. Upgrade your vCenter Server (management node) on your original server.
5. Uninstall SSO 5.x from your original server.
Full Steps for upgrading to external PSC deployment
Step 1. First, you will want to deploy a new Windows Server that will be used for your external PSC. Don’t install PSC yet… Configure the name, networking, DNS, domain information, etc. Once you are ready, download and install your current version of Single Sign-On. Make sure you use the exact version that you are on to ensure that you don’t run into any issues. You do not need to install any other components at this time. I won’t go through the install steps at this time as it’s straightforward and, at this point, you have already done it, but please let me know if you have any questions in the comments section.
Step 2. Go back to your original server and repoint the following components to the new SSO node. Each command is shown twice; run only the variant that matches your SSO administrator account (admin@System-Domain for SSO 5.1, administrator@vSphere.local for SSO 5.5).
Repoint Inventory Service
"C:\Program Files\VMware\Infrastructure\Inventory Service\scripts\is-change-sso.bat" https://FQDN:7444/lookupservice/sdk "admin@System-Domain" "P@ssword1"
"C:\Program Files\VMware\Infrastructure\Inventory Service\scripts\is-change-sso.bat" https://FQDN:7444/lookupservice/sdk "administrator@vSphere.local" "P@ssword1"
Repoint vCenter Server
Before running these commands, you will need to unzip the following file: C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\sso_svccfg.zip. Also, if you are using a custom vCenter install path, be sure you add the argument --vc-install-dir "PATH" to the following commands.
"C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\sso_svccfg\repoint.cmd" configure-vc --lookup-server https://FQDN:7444/lookupservice/sdk --user "admin@System-Domain" --password "P@ssword1" --openssl-path "C:\Program Files\VMware\Infrastructure\Inventory Service\bin/"
"C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\sso_svccfg\repoint.cmd" configure-vc --lookup-server https://FQDN:7444/lookupservice/sdk --user "administrator@vSphere.local" --password "P@ssword1" --openssl-path "C:\Program Files\VMware\Infrastructure\Inventory Service\bin/"
Note: If you get the error “The system cannot find the path specified”, you may need to set the JAVA_HOME environment variable using whichever of the commands below matches the Java location on your server.
set JAVA_HOME=C:\Program Files\VMware\Infrastructure\jre
set JAVA_HOME=C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components\
Repoint vSphere Web Client
"C:\Program Files\VMware\Infrastructure\vSphereWebClient\scripts\client-repoint.bat" https://FQDN:7444/lookupservice/sdk "admin@System-Domain" "P@ssword1"
"C:\Program Files\VMware\Infrastructure\vSphereWebClient\scripts\client-repoint.bat" https://FQDN:7444/lookupservice/sdk "administrator@vSphere.local" "P@ssword1"
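The Step 2 repoint sequence as a PowerShell wrapper (an added example, not part of the original post): it checks that the new node answers on port 7444, prompts for the SSO password once, and stops at the first failed repoint. The parameter names, the metacharacter check and the reliance on exit codes are assumptions; it also assumes default install paths and that sso_svccfg.zip is already unzipped.

```powershell
# Added example, not from the original post. Run on the original vCenter server.
param(
    [Parameter(Mandatory = $true)] [string] $SsoFqdn,   # new external SSO node
    [string] $SsoUser = 'administrator@vSphere.local'   # admin@System-Domain on 5.1
)
$ErrorActionPreference = 'Stop'
$base   = 'C:\Program Files\VMware\Infrastructure'
$lookup = "https://${SsoFqdn}:7444/lookupservice/sdk"

# Pre-flight: the lookup service port on the new node must accept connections.
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($SsoFqdn, 7444) }
catch   { throw "Cannot reach ${SsoFqdn}:7444, is SSO installed and running there?" }
finally { $tcp.Close() }

# Prompt once without echo, so the password never lands in a script or history file.
$secure = Read-Host -AsSecureString "Password for $SsoUser"
$plain  = (New-Object System.Net.NetworkCredential('', $secure)).Password

# Assumption: refuse cmd.exe metacharacters, since the .bat/.cmd wrappers pass
# arguments through cmd.exe. This is not VMware's supported character list.
if ($plain -match '[&|<>^%"]') {
    throw 'Password contains a cmd.exe metacharacter; change it before repointing.'
}

$steps = @(
    @{ Name = 'Inventory Service'
       Exe  = "$base\Inventory Service\scripts\is-change-sso.bat"
       Argv = @($lookup, $SsoUser, $plain) },
    @{ Name = 'vCenter Server'
       Exe  = "$base\VirtualCenter Server\ssoregtool\sso_svccfg\repoint.cmd"
       Argv = @('configure-vc', '--lookup-server', $lookup, '--user', $SsoUser,
                '--password', $plain,
                '--openssl-path', "$base\Inventory Service\bin/") },
    @{ Name = 'vSphere Web Client'
       Exe  = "$base\vSphereWebClient\scripts\client-repoint.bat"
       Argv = @($lookup, $SsoUser, $plain) }
)
try {
    foreach ($s in $steps) {
        if (-not (Test-Path -LiteralPath $s.Exe)) { throw "Not found: $($s.Exe)" }
        Write-Host "Repointing $($s.Name) to $lookup"
        $argv = $s.Argv
        & $s.Exe @argv
        # Assumption: the scripts signal failure with a non-zero exit code.
        if ($LASTEXITCODE -ne 0) { throw "$($s.Name) repoint exited with $LASTEXITCODE" }
    }
} finally {
    Remove-Variable plain, secure   # drop the references held by this session
}
```

The password still appears on each child process's command line while it runs, because the repoint scripts only accept it as an argument.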
Step 3. Upgrade your new Single Sign-On node from 5.x to 6.0. Run through the installer using the settings you prefer. For a detailed set of steps with screenshots on upgrading, please click here.
Step 4. Upgrade your vCenter Server (management node) to vCenter Server 6.0. For a detailed set of steps with screenshots on upgrading, please click here.
Step 5. Uninstall SSO 5.5 from your original server to clean it up.
To me, this seems to be the best supported method for moving from an embedded SSO environment in vSphere 5.x to an external model in vSphere 6.0. Please let me know if you run into any issues or have any questions about the steps, as I’ll do my best to help!