Migrating from vCenter Server Embedded PSC to External PSC in vCenter Server 6

For the past few weeks i am working on enhancing my VMware home lab setup to be more scalable and enterprise grade , which gave me an opportunity to migrate the embededd PSC to external to extend my vCenter Single Sign-On domain with more vCenter Server instances to support multi site NSX and SRM use cases, you can reconfigure and repoint the existing vCenter Server instance to an external Platform Services Controller.

Few things to note before starting the migration :

  • The process is relatively straightforwad but remember there is no coming back once you migrate the embedded PSC to external .
  • Make Sure to take the snapshot of vCenter Server , in case anything gone wrong during the migration you can revert back vCenter to the last working state
  • Non Ephemeral virtual port groups are not supported by the PSC , as a workaround we need to create a new Ephemeral port group in the same VLAN (if using VLANs) as vCenter server network for the sake of deployment of new PSC . You can migrate the PSC network to non ephemeral port group after the migration completes successfully .


This is what I am running in my lab currently , a vCenter server appliance with embedded PSC:


I want to achieve the below topology with External PSC:


Lets start this by installing the external Platform Services Controller instance as a replication partner of the existing embedded Platform Services Controller instance in the same vCenter Single Sign-On site.

Mount the VCSA ISO and start the installation .


Enter the credentials of the ESXi host where you are planning to deploy the PSC appliance.


Acceppt the self sigh certificate .



Here select “Install Platform Service Controller” .1.png

Select Join an SSO domain in an existing vCenetr PSC:


Join the exsiting site and select the SSO site name:




As I have explained before e, if you have not created a Ephemeral virtual port group you will  not be able to select a network to deploy the new PSC.


Go back to vCenter and create a Distributed port group with Ephemeral port binding which will be used for the PSC Deployment.


Enter the standard networking parameters and complete the deployment wizard.



Click on finish and wait for the deployment completion . This process will take approx: 8-10 minutes.


You will get the below screen once PSC deployed successfully.


Now , Log in to the vCenter Server instance with an embedded Platform Services Controller.Verify that all Platform Services Controller services are running by executing the below command:

service-control –status –all


The final step is to run the below command to repoint the embedded PSC to new deployed external PSC:

cmsso-util reconfigure –repoint-psc psc_fqdn_or_static_ip –username username –domain-name domain_name –passwd password [–dc-port port_number]

Use the  –dc-port  option if the external Platform Services Controller runs on a custom HTTPS port. The default value of the HTTPS port is 443.


If you have followed all the instructions mentioned above, you will get the below success message: “vCenter Server has been successfully reconfigured and repointed to the external PSC .


That was it , PSC has been successfully migrated from Embedded to external! I hope it was helpful .

ESXi Certificates in vSphere 6

Starting from vSphere 6.0, VMCA (VMware Certificate Authority) provisions each new ESXi host with certificates when they are added to the vCenter Server system.1.png

In contrast to vCenter Server Certificates, ESXi certificates are not stored in VECS (VMware Endpoint Certificate Store). Instead they are stored locally on each host in /etc/vmware/ssl


An upgrade to ESXi 6.0 replaces existing thumbprint certificates with VMCA signed certificates, custom certificates are retained. However if you select renew certificates in vSphere web client, VMCA pushes a fresh VMCA signed certificate to the host and overwrites any existing certificate even a custom certificate.2.png

To prevent overwriting custom certificate, you can change the certificate mode from vSphere Web Client. There can be three kind of certificate mode in vSphere 6.0:

  • Thumbprint mode: To accommodate any legacy host
  • VMCA Mode: Which uses VMCA as a root CA
  • Custom Mode: To use only third party certificate


To set certificate mode in vSphere web client, go to vCenter Server – Manage – Settings – Advance Settings – click edit3.png

In the filter box, enter “certm” to display only certificate management keys.4.png


Change the value of “vpxd.certmgmtmode” to custom, if you intend to manage you own certificate and thumbprint if you want to use thumbprint mode and click OK.

Restart the vCenter server service. The mode always apply to all the host managed by vCenter server system that uses that mode.

Refreshing Security Token Service (STS) Root Certificate in vSphere Web Client

Refreshing Security Token Service (STS) Root Certificate in vSphere Web Client

This blog is one of the shortest blog i have written so far , however i have seen a lot of confusion around certificates in vSphere 6 so thought of writing a quick one on this.

The vCenter Single Sign-On server includes a Security Token Service (STS). The Security Token Service is a Web service that issues, validates, and renews security tokens.

You can manually refresh the existing Security Token Service certificate from the vSphere Web Client when the certificate expires or changes.

You can replace the existing STS signing certificate vSphere Web Client if your company policy requires it, or if you want to update an expired certificate.


1 Log in to the vSphere Web Client as administrator@vsphere.local or as another user with vCenter Single Sign-On administrator privileges.

Users with vCenter Single Sign-On administrator privileges are in the Administrators group in the vsphere.local domain.

2 Browse to Administration > Single Sign-On > Configuration.

3 Select the Certificates tab, then the STS Signing sub tab, and click the Add STS Signing Certificate icon.1

4 Click Browse to browse to the key store JKS file that contains the new certificate and  click  open.


If the key store file is valid, the STS certificate table is populated with the certificate information.

5 Click OK.

The new certificate information appears on the STS Signing tab.

Now you should Restart the vSphere Web Client service. You can find all services in the System Configuration area of Administration.

Working with vSphere Management assistant

Before I talk about the various commands we can use with VMA , first let me explain bit about VMA.”vSphere Management Assistant enables administrators to run scripts or agent that interact with ESXi host and VMware vCenter server systems without authenticating each time. VSphere Management Assistant is easy to download and install, and configure through vSphere Web Client.

vSphere Management assistant is a virtual appliance that consist of following components:

– SUSE Linux Enterprise Server

– vmware tools

– vSphere SDK for Pearl

– vSPhere CLI

– Java JRE Version 1.6

– vi-fastpass , an authentication component for the appliance

vSphere Management Assistant requires ESXi Host that supports 64-bit virtual machines. The CPU on the ESXi host must be AMD opetron , rev E or later, or an Intel processor with EM64T support with VT enabled.by default vSphere Management Assistant uses 1 vCPU , 600 MB RAM and 3 GB of virtual disk. VSphere Management Assistant is used with vSphere 5.x or 6.

Let’s get started now.

  • Start SSH and vSphere ESXi Shell Services on the ESXi host you want to manage from vSphere Management assistant
  • Login to VMware vSphere Management Assistant, You use PuTTY to establish an SSH session to the VMware vSphere Management Assistant appliance.
  • using vi-admin as the user name and password that you have set during the initial power on the appliance1.png
  • Now we need to add vCenter Server systems and ESXi hosts as vSphere Management Assistant target servers to simplify commands
  • Add the vCenter Server system as a server target.
  • vifp addserver vc01.vclass.local –authpolicy fpauth –username administrator@vsphere.local
  • Any user with sufficient vCenter Server privileges can be specified, including VMware vCente  Single Sign-On users. The vSphere administrator user name is used here because it is the default vCenter Server Appliance administrator account.
  • When prompted for a password, enter the password you have set
  • When prompted to store the user name and password in the credential store, enter yes.2
  • Add the ESXi host as a server target.
  • vifp addserver esxi01.vclass.local –authpolicy fpauth –username root
  • When prompted for a password, enter password yo have set3
  • List the configured target servers.
  • vifp listservers
  • vCenter Server system and the ESXi host appear in the list.vc01.vclass.local   and esxi01.vclass.local must be listed4
  • Now I will add ESXi host thumbprint to the certificate store on the vCenter Server system so that a trust relationship exists between the host and the server. This trust relationship is necessary to run ESXCLI commands.
  • Let me show what happens when I run the command without adding ESXi host thumbprint to the certificate store on the vCenter Server system5
  • Add the ESXi host thumbprint to the vCenter Server certificate store.
  • /usr/lib/vmware-vcli/apps/general/credstore_admin.pl add -s esxi01.vclass.local -t thumbprint
  • thumbprint is displayed in the last command. You can copy the thumbprint into the command by selecting and right-clicking it.6
  • Now you can use ESXCLI commands to query the ESXi host properties , I will show you some important command that you can use in day to day administration of vSphere environment
  • Set the ESXi host as the current target server.
  • vifptarget -s esxi01.vclass.local
  • As a result of running the command, the name of the target server appears as part of the command prompt.81.Display the CPU characteristics of the ESXi host.
  • esxcli hardware cpu list9
  • Use the command output to determine CPU characteristics.
  • Number of CPUs installed on the host
  • Brand of the first CPU
  • Family and model of the first CPU
  •  Core speed of the second CPU
  • 2.Display the ESXi host memory.
  • – esxcli hardware memory get10
  • Use the command output to determine memory characteristics.
  • Amount of physical memory
  • NUMA node count
  • 3.Display the platform on which the ESXi software is installed.
  • esxcli hardware platform get11
  • Use the command output to determine platform characteristics.
  • Product name
  • IPMI supported status
  • 4.List the software version of ESXi that is installed on the host.
  • esxcli system version get125.Display the time and date on the host.
  • esxcli hardware clock get

    6.Determine the system host name.

  • esxcli system hostname get

    7.Determine the system’s boot device.

  • esxcli system boot device get15 8.Last command i want to highlight is vicfg-ntp commands in the vSphere Management Assistant which you can use to query and configure Network Time Protocol (NTP) settings.
  • (i) List the NTP servers that are configured onesxi01.vclass.local.
  • vicfg-ntp –list
  • NTP servers are not yet configured.16
  • (ii)  top the NTP service.
  • vicfg-ntp –stop
  • (iii) Add an NTP server.
  • vicfg-ntp –add


  • (iv) List the configured NTP server.
  • vicfg-ntp –list18.png
  • (v) Start the NTP service.
  • vicfg-ntp –start


Configuring vCenter Server 6 Appliance to use Active Directory Services

In this blog i will show how to configure Active directory in vCenter server appliance in vSphere 6 . i will also show how to grant the ESX Admins group in active directory right to log in to VMware vCenter Serve as administrators.

First we need to add the acitve directory to VCSA as follow:

– login to web client using administrator account.
– Point to the Home icon and select Home.
– In the left pane, click Administration and click System Configuration.1

– in the left pane, click Nodes and select vc01.vclass.local.(vCenter server)

– On the System Configuration page, click the Manage tab.
– In the middle pane, click Active Directory and click Join.3

– In the Domain text box, enter vclass.local.(enter your domain here)
– leave the Organizational unit text box empty.
– In the user name and password text boxes
– Click OK.4– At the top of the middle pane, click Actions and select Reboot.
– In the Reboot window, enter a reason for the reboot and click OK.5.png

– vCenter Server Appliance takes several minutes to reboot. You can refresh the vSphere     Web Client page, or close the browser window and reopen it, to show when the appliance is back up.
– After the reboot you should see the domain as below:


Now i will add active directory as an identity resource in web client and grant the ESX Admins group in active directory the right to log in to VMware vCenter Server™ as administrators.

– Point to the Home icon and select Home.
– In the left pane, click Administration.
– Under Single Sign-On, select Configuration.
– Click the Identity Sources tab.
– Click the Add Identity Source (green plus sign) icon.7.png

– In the Add identity source dialog box, select Active Directory as a LDAP Server for the Identify source type.
– In the Name text box, entervclass.local.
– In the Base DN for users text box, enter CN=Users, DC=vclass, DC=local.
– In the Domain name text box, entervclass.local.
– In the Domain alias text box, entervclass.
– In the Base DN for groups text box, enter CN=Users, DC=vclass, DC=local.
– In the Primary server URL text box, enter ldap://vclass.local:389.
– In the Username text box, enter username in domain\Administrator format.
– In the Password text box, enter password
– Click Test Connection. 8.png

– A dialog box appears indicating that the connection has been established.
– Click OK.
– Click OK to close the Add identity source dialog box.9.png
– In the left pane under Single-Sign-On, select Users and Groups.
– Click the Groups tab.
– Under Group Name, click Administrators.10.png
– In the bottom Group Members pane, click the Add member (blue person with green plus sign) icon.
– Select the domain you just added.
– Select the Domain Admins group and click Add.


-click OK.

i hope this blog was helpful. keep learning and keep sharing 🙂


License vCenter Server & ESXi Host in vSphere 6

This blog post is regarding assigning new licenses in vSphere 6 environment.

First thing is to add the vCenter and ESXi licenses in vSphere web client, for this:

– Log in to vSphere web client using administrator account.

-In the left pane, click Administration and click Licenses.


– In the middle pane, click the Licenses tab, in the middle pane, click the plus sign to create new licenses.


– In the text box on the Enter license keys page, enter the license keys one per line, and click next.3

– On the Edit license names page, enter the new license names for  vCenter Server and Enterprise Plus in the License Name dialog boxes and click Next.


On the Ready to complete page, click Finish.


Now that we have added the licenses to vCenter , its time to assign the vCenter server and ESXi host licenses.

Assign vCenter Server license key to the vCenter Server instance.
– In the middle pane, click the Assets tab, Click the vCenter Server systems tab and click the Assign License link.


– In the Assign License dialog box, select the vCenter Server license key.
– Click OK


Assign the vSphere Enterprise Plus Edition 6 license key to the ESXi host.
– In the center pane, click the Hosts tab and click the Assign License link.


In the Assign License dialog box, select the vSphere Enterprise Plus Edition 6 license key


Click OK.

I hope the post was helpful . keep learning and sharing 🙂

vCenter Server Enhancements in vSphere 6

vCenter Server Enhancements in vSphere 6


With the release of vSphere 6, there are few significant changes in vCentre server architecture and the way it will be deployed. As far as I can see I think that the deployment has been simplified compared to the previous versions.

There are two ways for the vCentre server deployment:

  • Embedded
  • External


As you can see below, in the embedded configuration vCenter server and Platform Service controller are installed on the same physical/virtual machine.

8-3-2015 2-35-27 PM

The approach of embedded vCenter server configuration comes with its own advantages and disadvantages. Let me cover the advantages first.

  • The biggest advantage is the connection between vCenter Server and the Platform Services Controller is not over the network, therefore vCenter Server is not prone to outages because of connectivity and name resolution issues between vCenter Server and the Platform Services Controller
  • In case you are doing a windows based vCentre server installation, you will need fewer Windows licenses
  • No need of a load balancer to distribute the load across Platform Services Controller
  • You will have to manage fewer virtual machines or physical servers


  • There is a Platform Services Controller for each product which might be more than required. This consumes more resources.
  • The model is not scalable and is suited for the small scale environment.


In external configuration, vCenter server and Platform Service controller are installed on different physical/virtual machine.8-3-2015 2-48-35 PM

Installing vCenter Server with an external Platform Services Controller has the following advantages:

  • Less resources consumed by the combined services in the Platform Services Controllers enables a reduced footprint and reduced maintenance.
  • Your environment can consist of more vCenter Server instance.

Installing vCenter Server with an external Platform Services Controller has the following disadvantages:

  • The connection between vCenter Server and Platform Services Controller is over the network and is prone to connectivity and name resolution issues.
  • If you install vCenter Server on Windows virtual machines or physical servers, you need more Microsoft Windows licenses
  • You must manage more virtual machines or physical servers.

With the new release, PSC (Platform service controller) is responsible for the following vCenter services:

  • VMware vCenter Single Sign-On
  • VMware Certificate Authority (CA)
  • License service
  • Lookup service
  • VMware Directory Services

The vCenter server will take care of reminder of the services, which are:

  • vCenter Server
  • vSphere Web Client
  • Inventory Service
  • VMware vSphere Auto Deplo
  • VMware vSphere ESXi Dump Collector
  • vSphere Syslog Collector on Windows and vSphere Syslog Service for the VMware vCenter Server Appliance

We can also install multiple instances of PSC for high availability, in this scenario the Platform Service Controller replicates information such as licenses, roles and permissions, and tags with other Platform Service Controllers  , this allows for a single pane of glass of the environment with Enhanced Linked mode.

Enhanced Linked Mode:

Linked mode using Microsoft ADS/ADAM replaced with Enhanced Linked mode. Platform Service Controller’s now replicate all information required for Linked mode.

8-3-2015 3-05-28 PM

  • Enhanced Linked mode is now enabled by default in an environment
  • vCenter Appliance now supported with Enhanced Linked mode
  • Mixing Windows and Appliance platforms supported

VMware Certificate Authority (CA)

  • VMware CA is a solution to this complexity as it now acts as the Root certificate authority for vSphere to which all certificates are generated
  • Allows for enhanced security as all certificates for components are signed and valid
  • Root certificate can be replaced with one from a corporate CA to integrate vSphere into an existing infrastructure

VMware Endpoint Certificate Store

  • Certificate store on each Platform Services Controller or vCenter host that stores all certificates for components on the server

Individual certificate no longer required for each component

  • In previous releases each component (vCenter Service, Inventory Service, and so on) required a unique certificate
  • In vSphere 6.0 all communication is directed through the Reverse Proxy Endpoint, therefore, only a single certificate per server is required

vCenter for Windows and vCenter Appliance support the same scalability numbers and features:8-3-2015 3-15-50 PM