How To Join Existing vCenter Servers By Enhanced Linked Mode

Last month I was asked to join two existing VMware vCenter Servers each with embedded platform services controllers, in enhanced linked mode. Additionally, this will create one SSO domain and enable vCenter Enhanced Linked Mode.

The first thing I did was read VMware’s documentation which can be found by clicking here, and secondly, I created a lab with two vCenter 6.7 U3 appliances. Each VCSA was configured with its own embedded platform services controller and both use an SSO domain of vsphere.local.

It is worth to note that repointing an existing vCenter server from one domain to another is only supported in vCenter 6.7 U1 and above.

Current VMware vCenter Configuration

As I mentioned previously I have two VMware vCenter 6.7 U3 servers called VCLOUDPG-VC-A and VCLOUDPG-VC-B (VCLOUDPG stands for vCloud PlayGround, which is an area I do quite a bit of testing in). Each vCenter server has its own embedded platform services controller and has an SSO domain of vsphere.local.

vCenter Enhanced Linked Mode

Our objective is to join the two vCenter servers together to create an enhanced linked mode setup, which will look like this:

vCenter Enhanced Linked Mode

Steps to create vCenter Enhanced Linked Mode

The very first thing I did before making any changes was shutdown each vCenter server and create a VM snapshot. In addition to this, you can also create a vCenter backup via the vCenter Appliance Management page – Backup.

Once all your backups are sorted, I logged into VCLOUDPG-VC-B, as I want to join this vCenter to VCLOUDPG-VC-A. We run a pre-check to ensure that everything is ok and no conflicts are encountered before performing the actual repoint. The syntax of the domain-repoint command can be found by clicking here. The CLI command I enter into VCLOUDPG-VC-B is:

cmsso-util domain-repoint --mode pre-check --src-emb-admin administrator --replication-partner-fqdn vcloudpg-vc-a.vmlab.local --replication-partner-admin administrator --dest-domain-name vsphere.local

The 2 screenshots below are the output of the cmsso-util pre-check

vCenter Enhanced Linked Mode
vCenter Enhanced Linked Mode

As you can see in the screenshot above, in purple, ‘Conflict data, if any, can be found under /storage/domain-data/Conflict*.json. That’s what we are going to do now, browse to that directory and check if we have any conflicts.

I enter into the vCenter shell, change directory to /storage/domain-data and then type ls to list the files. I can see that I have 1 Conflict file named Conflict_Roles.json. Let’s use vi to edit this file and take a look at what’s inside.

vCenter Enhanced Linked Mode

We can see that there are 2 roles, NoCryptoAdmin and Admin that have a conflict with the privilege Vsan.DataProtection.Management. The default action is to copy the roles across. I’ll exit vi by typing :q!

vCenter Enhanced Linked Mode

You can see the Roles, within the Web UI. In the screenshot below we are looking at the No Cryptography Administrator role. On the right hand side under vSAN, you can see the Data Protection Management Privilege.

vCenter Enhanced Linked Mode

It’s now time to perform the actual join. To do this we use the –mode execute option. The full command looks like the output in the following 2 screenshots:

cmsso-util domain-repoint --mode execute --src-emb-admin administrator --replication-partner-fqdn vcloudpg-vc-a.vmlab.local --replication-partner-admin administrator --dest-domain-name vsphere.local
vCenter Enhanced Linked Mode
vCenter Enhanced Linked Mode

Steps to check and verify vCenter Enhanced Linked Mode

Now that the domain re-join has completed successfully, we can check the replication partner via cli from VCLOUDPG-VC-B by entering into the shell, changing directory to /usr/lib/vmware-vmdir/bin and typing the following:

./vdcrepadmin -f showpartners -h localhost -u administrator -w VMware1

You will then see the output showing that this vCenter’s replication partner is VCLOUDPF-VC-A

vCenter Enhanced Linked Mode

Once we log into our vCenter server web UI, we will now see the 2 vCenter servers within the ‘single pane of glass’. Also, take note of the ‘Linked vCenter Server’ tab displaying the linked vCenter.

vCenter Enhanced Linked Mode



  1. It might be safer to use “less Conflict_Roles.json” than vi. Or at least “cat Conflict_Roles.json | more”

    Less is vi in read only mode. Same commands, features, scrolling etc. And from memory it’s supported VMware CLI.

    Less is a more advanced version or more. Vi should open be opened for editing 🙂

    • I usually use VI cause I’m familiar with all the commands, plus to make changes you need to enter into insert mode and then write/quite. However, you can use any of the commands you mentioned to view the file as well, all good

  2. Nice Article, is it possible to create an Enhanced Link Mode vCenter ( embedded based ) setup on ESXi 6.5 and then upgrade to 6.7

  3. I have 2 vcenters I would like to do this on. One is our “regional” vcenter 6.7U3i and the other is our VxRail vCenter 6.7U3. The regional VC has an embedded PSC, but the VxRail VC has an external PSC, as I guess that is how it has to be setup. Can the 2 vCenter’s be link together in a configuration like this or does it only work with embedded PSC’s on both sides?

  4. did you ever get answer to this? I have a current 6.5u3 environment with 2 embedded linked VCSA’s and I am planning an upgrade to 6.7u3. looking to see if this is possible or if there are any special procedures that you need to follow

    • Hi Edward, if your VCSA’s are already linked and running 6.5u3 with internal PSC’s you can upgrade to 6.7, please read the upgrade guides though first as they do change pre-reqs and caveats from time to time

  5. I have existing 4 vCenter running on 6.7 U1 , and I need it to configure with enhanced linked mode.How that can be achieved?

  6. We have two vcenter servers with embeded PPSC and both vcenter servers are using vsphere.local as SSO domain.
    We have to change an IP for once vceter at some time later when we move the location.

    Will their be any issue on changing the IP?

    • Hi John, probably be good to change it before joining ELM if you can ? Will reduce the troubleshooting in case something goes wrong.

  7. If I install Plugin on one VC , will it get replicated to both or do I need to install plugin separately on both VC

    • Hi Shani, it depends on the plugin. read through the release notes for the plugin as some might detect that you have enhanced linked mode and install to both. However for the ones that don’t, you’ll need to install on both vcenters.

  8. We are about to to link two vcenters that are version 6.7. The replication partner platform vcenter is going to be upgrade to version. Will this break the link between these two vcenters?

  9. Thanks for this detailed walk-though. I just wanted to mention that I followed this process for joining two vCenter 7.0 VCSA’s and the only differences were that the outputs of the commands differed slightly from your screenshots (as that is understandable as there are differences between 7.0 and 6.7).

    Take care.

  10. /i know I’m late to this party, but I just tried this and it failed. My prerequisites checked out 100%, no conflicts, but the repoint ended with

    Updating registry settings
    Repoint failed. Restore from backup

    Can someone offer some assistance in finding the exact cause of this error?

  11. Hi, in my case all vcenter servers showed up in vc-b but not in vc-a, do you know what could be the problem?
    Thank you.

Leave a Reply

Your email address will not be published.



This site uses Akismet to reduce spam. Learn how your comment data is processed.