Last month I was asked to join two existing VMware vCenter Servers, each with its own embedded Platform Services Controller, in Enhanced Linked Mode. Doing so consolidates them into one SSO domain and enables vCenter Enhanced Linked Mode.
The first thing I did was read VMware’s documentation, which can be found here, and secondly I created a lab with two vCenter 6.7 U3 appliances. Each VCSA was configured with its own embedded Platform Services Controller, and both use an SSO domain of vsphere.local.
It is worth noting that repointing an existing vCenter Server from one domain to another is only supported in vCenter 6.7 U1 and above.
Current VMware vCenter Configuration
As I mentioned previously I have two VMware vCenter 6.7 U3 servers called VCLOUDPG-VC-A and VCLOUDPG-VC-B (VCLOUDPG stands for vCloud PlayGround, which is an area I do quite a bit of testing in). Each vCenter server has its own embedded platform services controller and has an SSO domain of vsphere.local.
Our objective is to join the two vCenter servers together to create an enhanced linked mode setup, which will look like this:
Steps to create vCenter Enhanced Linked Mode
The very first thing I did before making any changes was to shut down each vCenter Server and create a VM snapshot. In addition to this, you can also create a vCenter backup via the vCenter Appliance Management page, under Backup.
Once all backups were sorted, I logged into VCLOUDPG-VC-B, as I want to join this vCenter to VCLOUDPG-VC-A. We first run a pre-check to ensure that everything is OK and that no conflicts are encountered before performing the actual repoint. The syntax of the domain-repoint command can be found here. The CLI command I enter on VCLOUDPG-VC-B is:
cmsso-util domain-repoint --mode pre-check --src-emb-admin administrator --replication-partner-fqdn vcloudpg-vc-a.vmlab.local --replication-partner-admin administrator --dest-domain-name vsphere.local
The two screenshots below show the output of the cmsso-util pre-check.
As you can see in the screenshot above (highlighted in purple), ‘Conflict data, if any, can be found under /storage/domain-data/Conflict*.json’. That’s what we are going to do now: browse to that directory and check whether we have any conflicts.
I enter the vCenter shell, change directory to /storage/domain-data and then type ls to list the files. I can see that I have one conflict file, named Conflict_Roles.json. Let’s use vi to open this file and take a look at what’s inside.
We can see that there are two roles, NoCryptoAdmin and Admin, that have a conflict on the privilege Vsan.DataProtection.Management. The default action is to copy the roles across. I’ll exit vi by typing :q!
You can also see the roles in the Web UI. In the screenshot below we are looking at the No Cryptography Administrator role; on the right-hand side, under vSAN, you can see the Data Protection Management privilege.
It’s now time to perform the actual join. To do this we use the --mode execute option. The full command, whose output is shown in the following two screenshots, is:
cmsso-util domain-repoint --mode execute --src-emb-admin administrator --replication-partner-fqdn vcloudpg-vc-a.vmlab.local --replication-partner-admin administrator --dest-domain-name vsphere.local
Steps to check and verify vCenter Enhanced Linked Mode
Now that the domain repoint has completed successfully, we can check the replication partner via the CLI on VCLOUDPG-VC-B by entering the shell, changing directory to /usr/lib/vmware-vmdir/bin and typing the following:
./vdcrepadmin -f showpartners -h localhost -u administrator -w VMware1
You will then see output showing that this vCenter’s replication partner is VCLOUDPG-VC-A.
Once we log into the vCenter Server web UI, we now see both vCenter Servers in the ‘single pane of glass’. Also take note of the ‘Linked vCenter Server’ tab, which displays the linked vCenter.
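Two checks that wrap the steps above, as an added example of my own (not VMware’s code): summarise the Conflict*.json files before running --mode execute, refusing any resolution you did not expect, and confirm afterwards that vdcrepadmin showpartners names the intended partner. The Roles/Name/Privileges/Action JSON layout and the allowed action values are assumptions for this example; compare them with your own Conflict_Roles.json before relying on it.

```python
"""Pre- and post-repoint checks for cmsso-util domain-repoint (added example)."""
import glob
import json
import os

ALLOWED_ACTIONS = {"copy", "skip", "merge"}  # assumed set of resolutions a Conflict file may carry

# Constructed sample mirroring the post: two roles clash on one vSAN privilege,
# both left at the default action of copying the role across.
SAMPLE_CONFLICT = {
    "Roles": [
        {"Name": "NoCryptoAdmin", "Privileges": ["Vsan.DataProtection.Management"], "Action": "copy"},
        {"Name": "Admin", "Privileges": ["Vsan.DataProtection.Management"], "Action": "copy"},
    ]
}


def load_conflict_files(domain_data_dir="/storage/domain-data"):
    """Return {filename: parsed JSON} for every Conflict*.json written by the pre-check."""
    docs = {}
    for path in sorted(glob.glob(os.path.join(domain_data_dir, "Conflict*.json"))):
        with open(path) as fh:
            docs[os.path.basename(path)] = json.load(fh)
    return docs


def summarise_conflicts(docs):
    """Return [(file, role, privileges, action)] for each conflicting role.

    Raises ValueError when a role carries an action outside ALLOWED_ACTIONS, so a
    hand-edited file with a typo is caught before --mode execute reads it.
    """
    rows = []
    for fname, doc in docs.items():
        for role in doc.get("Roles", []):  # key layout is an assumption
            action = str(role.get("Action", "copy")).lower()
            if action not in ALLOWED_ACTIONS:
                raise ValueError(f"{fname}: role {role.get('Name')!r} has unknown action {action!r}")
            rows.append((fname, role.get("Name"), sorted(role.get("Privileges", [])), action))
    return rows


def partner_present(showpartners_output, expected_fqdn):
    """True when vdcrepadmin showpartners output contains an 'ldap://<fqdn>' line for expected_fqdn."""
    want = "ldap://" + expected_fqdn.strip().lower()
    return any(line.strip().lower() == want for line in showpartners_output.splitlines())


if __name__ == "__main__":
    for fname, role, privs, action in summarise_conflicts({"Conflict_Roles.json": SAMPLE_CONFLICT}):
        print(f"{fname}: {role} -> {action} ({', '.join(privs)})")
    print("partner ok:", partner_present("ldap://vcloudpg-vc-a.vmlab.local\n", "vcloudpg-vc-a.vmlab.local"))
```

On the appliance, replace the constructed sample with load_conflict_files() and feed the real showpartners output to partner_present().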