IMPORTANT: In order for “Linked Mode” to work during installation the user account carrying out the installation needs rights to both installations. To quote from the vCenter installation guide:
When you join a vCenter Server instance to a Linked Mode group, the installer must be run by a domain user who is an administrator on both the machine where vCenter Server is installed and the target machine of the Linked Mode group.
For instance insufficient rights can cause these types of warnings and errors:
For this reason, some administrators prefer to carry out the Linked Mode configuration after the main installation has completed, once both vCenters have a user account with full administration rights.
Before I begin, I’ve got some key takeaways:
- I did not need to generate my own certificates. All this was done using the auto-generated certificates of the installer. That said, I’ve noticed that different web browsers handle HTTPS redirects with auto-generated certificates differently. IE hates them. Chrome always gives you a warning. By far I’ve found Mozilla Firefox handles untrusted certs best, you add them – and you never get harassed with warnings and prompts again…
- Be sure you know your administrator@vsphere.local password, which is set during the install of the FIRST vCenter/SSO instance. It requires a 4-character class password.
- After completing the installation of other vCenters at other sites, initially only administrator@vsphere.local (which is held inside the SSO domain) will have rights, until you delegate responsibility for vCenter and the inventory to some other Microsoft AD group like “vCenter Admins”.
- Finally, I had a thoroughly enjoyable experience of doing the setup of Windows vCenter – something I haven’t done in nearly 2 years…
It’s entirely possible that you may wish to install another vCenter at a different site or location. The installation of subsequent vCenters looks and feels different depending on the configuration you are building, because the installation of SSO differs in this respect. We have chosen not to repeat the same configuration steps as shown previously. Instead, we have emphasised what is different from the first installation. In this configuration we had a single SSO domain and a single Active Directory domain, but with two SSO sites: one called New York, and the other called New Jersey.
SSO in a Multi-Site Configuration
1. Once the prerequisites have been checked, if the install detects that SSO has already been installed once before to the same domain, you will be challenged with this dialog box:
As the radio buttons indicate, the 1st option is used for the first install of SSO; the other two options allow you to indicate whether subsequent SSO/vCenter installations are for a new vCenter in the SAME site, or a new vCenter in a DIFFERENT site. In our case, we are installing a second vCenter called “vcnj”, which is the vCenter for the site of New Jersey. In this case we would select the 3rd radio button.
2. SSO servers are paired together to allow them to share credential data; as such, we need to supply the FQDN/password of the partner SSO/vCenter service in New York.
3. This should then retrieve the certificate of the partner SSO/vCenter:
4. In this case we are able to specify the new SSO site name (if the 2nd radio button had been used, you would only be able to select the site defined by the installation of the 1st SSO server).
5. A summary appears outlining the configuration selected.
Note: There is an error in the screen grab; it should read “Selected Site name is NewJersey, and partner site name is NewYork”.
Web Client installation in a Multi-Site Configuration
1. The installation of the Web Client on subsequent vCenters differs because, during the part of the process where the Web Client registers with the SSO, you will be challenged for the SSO administrator password. Providing this will retrieve the SSO Lookup certificate:
Inventory Service installation in a Multi-Site Configuration
1. As with the Web Client installation, the Inventory Service install will also need credentials to register itself correctly:
2. In order for the Web Client to work with the URLs provided, a certificate must be installed.
3. The rest of the installation follows a familiar pattern of registering the vCenter server with the appropriate components.
vCenter with Linked Mode in a Multi-Site SSO Configuration
Once you have completed most of the vCenter installation, the administrator is asked if “Linked Mode” should be enabled. Linked Mode is a very powerful feature, and can make administration tasks much simpler, as from one Web Client or vSphere Client the administrator can manage multiple environments seamlessly.
1. On the vCenter server, log in as “administrator”, and run the vCenter Server Linked Mode Configuration from the >>Start >>Program >>VMware folder.
2. Select to Modify Linked Mode configuration.
3. Select Join vCenter Server instance to an existing Linked Mode group or another instance.
You should receive a secondary prompt, asking you to confirm that both vCenters are of the same version.
4. Next, type the URL of the vCenter at the other site; in our case this is the New York vCenter Server.
Granting User Rights in the Second vCenter
At this stage only the shared, built-in SSO user administrator@vsphere.local will have rights to BOTH vCenters. If you want both vCenters to be available to the administration team, the administrator needs to grant this group rights.
1. Log in to the Web Client vCenter server as administrator@vsphere.local
2. Select >>vCenter >>vCenter Servers
3. Select the new vCenter server in the Inventory.
4. Select the Manage tab, and the Permissions column
5. Click the green + to add a user group
6. Use the Add button to browse the Active Directory domain, and add your group
7. Grant this group the appropriate rights. In our case the CORP\vCenter Admins group was allocated the Administrator role.
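
The same delegation can be checked and applied from PowerCLI. This is an added example, not part of the original walkthrough: on each vCenter it lists who holds rights at the root of the inventory, then adds the CORP\vCenter Admins group as Administrator where it is missing. The two server names are placeholders (assumptions); substitute your own FQDNs.

```powershell
# Added example (PowerCLI); not from the original walkthrough.
# The FQDNs below are placeholders, not values from the article.
$vCenters  = 'vcny.corp.example', 'vcnj.corp.example'
$principal = 'CORP\vCenter Admins'   # AD group used in step 7
$roleName  = 'Admin'                 # PowerCLI name of the built-in Administrator role

# Enter administrator@vsphere.local, the only account with rights on both sites so far.
$cred = Get-Credential

foreach ($vc in $vCenters) {
    $server = Connect-VIServer -Server $vc -Credential $cred -ErrorAction Stop
    try {
        # A permission on the root folder, with propagation, covers the whole inventory.
        $root = Get-Folder -NoRecursion -Server $server

        # Review every principal that already has root-level rights on this vCenter.
        $perms = @(Get-VIPermission -Entity $root -Server $server)
        $perms | Select-Object @{ n = 'vCenter'; e = { $vc } },
                               Principal, Role, IsGroup, Propagate |
            Format-Table -AutoSize

        # Is the group already an Administrator here?
        $existing = $perms | Where-Object {
            $_.Principal -eq $principal -and $_.Role -eq $roleName
        }

        if ($existing) {
            Write-Host "$vc : $principal already holds $roleName"
        }
        else {
            $role = Get-VIRole -Name $roleName -Server $server
            New-VIPermission -Entity $root -Principal $principal -Role $role `
                             -Propagate:$true -Server $server | Out-Null
            Write-Host "$vc : granted $roleName to $principal"
        }
    }
    finally {
        # Do not leave an SSO administrator session open.
        Disconnect-VIServer -Server $server -Confirm:$false
    }
}
```

The permission listing is worth reading before the grant: any principal at the root other than administrator@vsphere.local and the group you intend to delegate to should be explained or removed.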