Objectives for 1.2 are broken down as follows:
- Deploy vCenter core components according to a deployment plan:
  - Deploy and Configure a Platform Services Controller (PSC):
    - Determine use case for embedded vs external PSC
    - Re-point a vCenter Server Appliance to another External PSC
  - Deploy and Configure Identity Sources for Single Sign-On:
    - Configure Single Sign-On users and groups
    - Change Default domain for Single Sign-On
    - List services registered with Single Sign-On
  - Deploy and configure vCenter Server
  - Deploy / Configure Enhanced Link Mode
- Manage / Configure vCenter components according to a deployment plan:
  - Configure Global Permissions for vCenter services
  - Configure Dump Collector service
  - Configure the Syslog Collector / Syslog service
  - Managing vCenter Server advanced configurations
Deploy vCenter core components according to a deployment plan
Deploy and Configure a Platform Services Controller (PSC)
The Platform Services Controller was introduced with vSphere 6. The PSC includes services such as SSO, licensing and the VMware Certificate Authority (VMCA); PSCs also replicate information such as licenses, roles and permissions between each other. A PSC can be installed on the same machine as vCenter (known as embedded) or on its own machine (known as external).
It's important to know the supported topologies and when to deploy an external PSC rather than an embedded one.
For supported topologies see here
Advantages of embedded deployments include: communication between vCenter and the PSC does not cross the network, fewer Windows licenses if using Windows boxes, and no need for load balancers. Advantages of external deployments include support for Enhanced Linked Mode and high availability across multiple PSCs. Following the supported topologies, if you are planning more than one vCenter within the site you must use an external PSC.
The following illustrates the process of deploying an external PSC as a virtual appliance. One of the objectives for this section is to re-point a vCenter appliance to another external PSC, so in this example I am creating a new external PSC with the view to move my running embedded vCenter/PSC to it. First download the vCenter appliance and run through the setup. Point the installation to either an existing vCenter or an ESXi host; in my case I use my running vCenter.
Choose a resource pool and give the appliance a name with a local root password
I choose to install an external PSC and join my existing SSO domain
I now need to pick the same SSO site as the embedded vCenter / PSC that I will change; one of the prerequisites for re-pointing the embedded PSC to an external one is that the newly deployed external PSC must be in the same SSO site.
I then choose the required datastore and set the IP information. A DNS record must exist for the IP address.
Finish the wizard and monitor the deployment
Now that it is deployed I will move on to re-pointing my existing embedded vCenter / PSC. I SSH onto my existing embedded vCenter / PSC and run the following command, pointing it at the new external PSC. Note – the identifier for the PSC is case sensitive.
>cmsso-util reconfigure --repoint-psc lab-psc.vjenner.com --username administrator --domain-name vsphere.local --passwd Password123!
An important consideration is the VMCA. Although it's not listed as an objective at this point it's still important: for my lab I have created the VMCA as a subordinate of my Enterprise PKI infrastructure, which in turn has provided certificates for vCenter services and ESXi hosts. Re-pointing the PSC means my vCenter now needs its certificates updated again.
I need to update the VMCA on the new external PSC; to do this see my previous post here. As this is now an external PSC I need to run the following on the vCenter server
This time I select option 3 for the machine certificates then option 6 for the user certificates and point to the external PSC when prompted.
When I first run this I get the below error
Error Message : Failed to connect to the remote host
If you get this error you must run the following on the vCenter appliance
>mv /var/lib/vmware/vmca/root.cer /var/lib/vmware/vmca/root.bkp
This renames root.cer; once renamed I can run options 3 and 6 again.
I am using Update 2 and after I applied the certificates I received an SSO error using the Web Client and the C# client didn't log in at all. If you have this error re-apply the certificates and change the OU to match the relevant service. See here for more details.
Deploy and Configure Identity Sources for Single Sign-On
To check existing identity services open the Web Client – Administration – Single Sign On – Configuration
To add a new identity source select the Add icon and add the relevant details. Below is an example to add an Active Directory domain
To mark an identity source as the Default Domain, highlight the identity source and select the icon
To list services registered with SSO I run the following command. This relates to the virtual appliance; to run it I need to be logged on to the appliance or connected via SSH
>/usr/lib/vmidentity/tools/scripts/lstool.py list --url https://lab-psc.vjenner.com:7444/lookupservice/sdk
To run the same command on a Windows box run the following
>"C:\Program Files\VMware\vCenter Server\python\python.exe" "C:\Program Files\VMware\vCenter Server\VMware Identity Services\lstool\scripts\lstool.py" list --url http://localhost:7080/lookupservice/sdk
Deploy and configure vCenter Server
I have a previous post on a vCenter deployment using the virtual appliance here.
Deploy / Configure Enhanced Link Mode
Enhanced Linked Mode links multiple vCenter instances by using one or more PSCs. This mode replicates roles, permissions and license data across vCenter systems. You can log in to any linked vCenter instance with a single user name and password and view the inventory of all systems.
You must use the Web Client for Enhanced Linked Mode and have a vCenter Server Standard license. In vCenter 5.5 linked mode data was stored and replicated using ADAM, but in vCenter 6 this is no longer needed as the PSC provides the replication.
Manage / Configure vCenter components according to a deployment plan
Configure Global Permissions for vCenter services
To view I open the Web Client – Administration – Access Control – Global Permissions
To add one, select the Add icon – Users and Groups – Add. Select an identity source previously added and select the user or group
Then select a role for the user / group
Configure Dump Collector service
The ESXi Dump Collector is installed but not started automatically. To start it go to Web Client – System Configuration – Services – VMware vSphere ESXi Dump Collector. I start the service and set its startup type to Automatic
Configure the Syslog Collector / Syslog service
The Syslog Service can be configured to point to a syslog server on the network under Web Client – System Configuration – Services – VMware Syslog Service. The syslog collector is also installed with vCenter; the summary health message will display the server details and whether it is running
If you want to change from the local host to a remote central syslog server, add the remote server details from the Manage tab
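The two sections above configure the collector side on vCenter; each ESXi host still has to be told where to send its logs and core dumps, otherwise the collectors sit idle. The following script is an added example and is not from the original post: it shows the esxcli commands, run from the ESXi shell or over SSH, that point a host's syslog at the vCenter Syslog Collector and its network core dumps at the ESXi Dump Collector. The collector address 192.0.2.10 and the vmkernel interface vmk0 are assumed lab values; 514 and 6500 are the default listening ports of the VMware Syslog Service and ESXi Dump Collector respectively. Setting DRY_RUN=1 prints the commands instead of executing them, so the change can be reviewed before it is applied to a host.

```shell
#!/bin/sh
# Added example: point an ESXi host at the vCenter Syslog Collector and ESXi Dump
# Collector using esxcli. Run in the ESXi shell; set DRY_RUN=1 to only print commands.
# 192.0.2.10 and vmk0 are assumed lab values, not taken from the original post.

run() {
    # Execute a command, or print it when DRY_RUN=1 so the change can be reviewed first.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

configure_esxi_syslog() {
    # $1 = syslog collector host, $2 = port (default 514, the VMware Syslog Service default).
    # udp:// is the plain default; --loghost also accepts tcp:// and ssl:// targets.
    host="$1"; port="${2:-514}"
    run esxcli system syslog config set --loghost="udp://${host}:${port}"
    # Open the outbound syslog firewall ruleset; without it nothing leaves the host.
    run esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
    # Reload so vmsyslogd picks up the new loghost.
    run esxcli system syslog reload
}

configure_esxi_dump_collector() {
    # $1 = dump collector host, $2 = vmkernel interface (default vmk0), $3 = port (default 6500).
    host="$1"; vmk="${2:-vmk0}"; port="${3:-6500}"
    run esxcli system coredump network set --interface-name="$vmk" --server-ipv4="$host" --server-port="$port"
    run esxcli system coredump network set --enable=true
    # Verify the host can actually reach the collector before relying on it.
    run esxcli system coredump network check
}

configure_esxi_logging() {
    # Convenience wrapper: both collectors live on the same vCenter appliance here (assumption).
    configure_esxi_syslog "$1"
    configure_esxi_dump_collector "$1"
}

# Usage on a host (drop DRY_RUN=1 to apply): DRY_RUN=1 sh ./esxi-collectors.sh 192.0.2.10
if [ -n "$1" ]; then
    configure_esxi_logging "$1"
fi
```

Plain UDP syslog is neither authenticated nor encrypted, so anything on the management network path can read or spoof host log lines; where the collector is configured to accept TLS, prefer an ssl:// loghost on the port the collector listens on. The `coredump network check` step matters for the same reason the page marks the Dump Collector service Automatic: a host that cannot reach the collector silently loses its crash dumps.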
Managing vCenter Server advanced configurations
In Advanced Settings you can modify vpxd.cfg, the vCenter Server configuration file. Browse to Web Client – vCenter Inventory List – vCenter Servers – vCenter – Manage – Advanced Settings
To add a new entry select Edit and add the relevant Key and Value data