In this blog, we will understand the cross SSO repointing of a vCenter. In some scenario when you join a company as a System Administrator and notice inconsistencies with the way things are setup. This is the most common scenario where you will see two vCenter in a Single environment running on different SSO.
Sometimes you have two different SSO created for a reason and now you want to make all the vCenter Point to a Single SSO. In some scenario, you might even want to move a vCenter and point it to another SSO. All these things were made possible if you are using the vCenter version 6.7 in your environment as it comes with the feature of Cross SSO Migration.
Scenario 1:
Repointing of vCenter from individual PSC to a Single PSC :
Scenario 2:
Re-Pointing a vCenter from a Single PSC to Individual PSC.
Scenario 3:
Re-Pointing a vCenter to a PSC HA Setup:
Note: PSC HA FQDN will be used for you to Repoint the vCenter.
In All these 3 Scenarios the vCenter HA will be in Disabled state and will have to Re-Enable Manually it once the task is successful.
Pre-requisite:
- vCenter Version should be 6.7.
- External PSC is required on both Source and Destination.
- Source PSC must be in Healthy State so that all the Information can be copied easily.
- vCenter HA must be disabled.
- External Solutions like NSX and SRM must be re-registered manually to the Destination SSO.
- All the AD Information will be retained if both the Source and Destination SSO are pointing to the same AD Identity Source.
User-Defined Inputs:
src-psc-admin: Source PSC Username
dst-psc-fqdn: FQDN of Destination PSC
dst-psc-admin: Destination PSC Username
dst-domain-name: SSO Domain name of Destination SSO
dst-vc-fqdn: if the destination already contains a vCenter, so you need to provide the details of one of that vCenter.
Resolve Conflicts:
In order to understand and resolve conflicts even before initiating the re-pointing, you can use a pre-check test, which will check the health of the vCenter along with all the other pre-requisite so that the command doesn’t fail in between.
Command to initiate a pre-check:
Cmsso-util domain-repoint --mode pre-check --src-psc-admin Administrator --dst-psc-fqdn src-psc.vclass.local --dst-psc-admin Administrator --dst-domain-name vsphere.local --dst-vc-fqdn vc.vsphere.local
Output:
Please note that during this re-pointing the Global Permission of the Source vCenter will be lost and it will become the part of the Global permission that is part of the New SSO.
Once the prechecks are done there will be few JSON files that will be created on /storage/domain-data/
These Files will have all the conflict information with the Role, Tags and permissions, you can review these and change the Conflict Resolution to either Merge, Copy or Skip.
Steps to Re-point:
- Log in to the vCenter Server Appliance Linux console as the root user.
- Run this command:
shell.set --enabled true
Run the shell command.
shell
Run this command to repoint the vCenter Server Appliance to Platform Services Controller (PSC) appliance:
Cmsso-util domain-repoint --mode execute --src-psc-admin Administrator --dst-psc-fqdn src-psc.vclass.local --dst-psc-admin Administrator --dst-domain-name vsphere.local
Once this is done you can login to vCenter and can see the changes.
In case if you need assistance with Repointing the PSC please refer to the Article: https://knowitlikepro.com/repoint-the-psc-in-vcenter-environment/