VMware vSphere 6.5 Platform Services Controller (PSC) Deployment in a Ring Topology/Replication Agreement with Enhanced Linked Mode

This process will walk you through deploying your vSphere 6.5 Platform Services Controllers in a Ring Topology. This is useful for deploying your PSCs into a single SSO domain with multiple sites (hence creating the Enhanced Linked Mode setup). It is also useful if you are going to be doing vCenter HA (vCenter HA is the process of making vCenter itself highly available, as opposed to setting up HA for your clusters).

Deploying vSphere 6.5 Platform Service Controllers (PSC) in a Replication Agreement

Must haves

  • DNS entries for every PSC (this includes the reverse DNS)
  • NTP

Overview

The PSCs have to be installed one at a time. For the initial config I found that if you configure one DNS server and one NTP server during deployment it works out better. You can add a secondary DNS and NTP after you’ve finished the deployment.

This process will use ONE SSO domain (vsphere.local) and two sites (SITE1 and SITE2) – This creates our Enhanced Linked Mode between two sites.

  1. Leveraging the installer.exe from the vCenter ISO, you will deploy each PSC completely for one site and then move on to the next site.
  2. You will create a replication ring since we’ll have more than 2 PSCs

Installation

  1. Launch the installer.exe
  2. Click Install
  3. Click Next
  4. Accept the EULA and then click Next
  5. Under External Platform Services Controller select Platform Services Controller and then click Next
  6. Enter the FQDN of the vCenter that you will be using to deploy the PSC (alternatively, you can enter a host to deploy to). Then enter the username and password of an account that has Administrator (or root) access. Click Next
  7. A thumbprint window may appear. Click Yes
  8. Select the Cluster that the PSC will be deployed to (optionally, you can select a Folder as well). Click Next
  9. Select a server to deploy the PSC to. Click Next
  10. Enter in the name of the PSC (this name is what will show up in vCenter or on your host) followed by the root password you would like assigned to the PSC. Click Next
  11. Select a datastore to deploy to and then click Next
  12. Select the following:
    • Network (select the PortGroup you will use)
    • IP Version should be IPv4 generally
    • IP assignment should be static
    • System name should be the FQDN you have setup in DNS
    • IP address should be the IP address that your DNS entry is pointing to
    • Subnet mask for prefix length should be set to whatever the mask is for the VLAN you are using
    • Default gateway for the VLAN you are using
    • DNS server should be the one DNS server that holds the entry for the PSC

  13. Once you have all of that information correct click Next
  14. Verify the information you entered on the Summary page and then click Finish
  15. The VM will now be deployed to vCenter/the host you specified. Wait until the deployment says it has finished.

  16. Once finished, click Continue
  17. Click Next
  18. Enter in the one NTP server in the box and depending on your environment, Enable SSH (see below). Click Next

  19. Use the following to set up the SSO and site configuration:
  • First PSC – Create a New SSO domain
  • Second – Fourth PSC – Join an existing SSO domain

IF you are creating a New SSO domain:

  • Single Sign-On domain name = vsphere.local
  • Single Sign-On password = Password for the administrator@vsphere.local account
  • Confirm password = Re-enter the password
  • Site = SITE1 (or whatever you want to call your first site)

IF you selected Join an existing SSO domain:

  • Platform Services Controller = Enter in the FQDN of the very last one you just deployed. Example: if this is your second PSC deployment, you will enter in the FQDN of the first PSC you deployed
  • Single Sign-On domain name = vsphere.local
  • Single Sign-On password = Password for the administrator@vsphere.local account

Click Next

IF this is your first PSC, select Create a new site and enter in SITE1 and then click Next
IF this is your second PSC, select Join an existing site and select SITE1 and then click Next
IF this is your third PSC, select Create a new site and enter in SITE2 and then click Next
IF this is your fourth PSC, select Join an existing site and select SITE2 and then click Next

  20. You can uncheck or leave checked the Join the CEIP and then click Next
  21. Validate that all the settings you entered are correct and then click Finish
  22. You are going to get a warning about not being able to stop the configuration. Click OK
  23. Wait for it to finish

  24. Repeat the above steps until all four PSCs are deployed

Creating a vSphere Platform Services Controller (PSC) 6.5 Ring Topology or Ring Agreement

Why do we need to enable a Ring Topology (or a Ring Agreement)? Here is how all of the PSCs are set up currently if you deployed all four. Each PSC replicates only with the one it was joined to and the one that was joined to it:

PSC1 <-> PSC2 <-> PSC3 <-> PSC4

Now, what happens if we lose a PSC, for example PSC2:

PSC1     (PSC2 down)     PSC3 <-> PSC4

You will have broken the replication links as above. So if a change happens on PSC1, it will not be replicated to PSC3 or PSC4.

So we need to create a full ring:

PSC1 <-> PSC2 <-> PSC3 <-> PSC4 <-> PSC1

So, if PSC2 dies, replication will continue. Connecting PSC1 to PSC4 creates the full ring. This is not done by default. We will run through the steps to create this.

  1. SSH into the fourth PSC
  2. Type: cd /usr/lib/vmware-vmdir/bin
  3. Type: ./vdcrepadmin -f showpartners -h psc01.contoso.com -u administrator -w VMware1! (note that the password listed here is the password you set up for the administrator@vsphere.local account). This should return:

ldap://psc02.contoso.com

  4. Type: ./vdcrepadmin -f showpartners -h psc02.contoso.com -u administrator -w VMware1! This should return:

ldap://psc01.contoso.com
ldap://psc03.contoso.com

  5. Type: ./vdcrepadmin -f showpartners -h psc03.contoso.com -u administrator -w VMware1! This should return:

ldap://psc02.contoso.com
ldap://psc04.contoso.com

  6. Type: ./vdcrepadmin -f showpartners -h psc04.contoso.com -u administrator -w VMware1! This should return:

ldap://psc03.contoso.com

  7. You can see from the above commands that they depict exactly the relationship the pictures above do. So we need to connect PSC4 to PSC1. While still SSH’d into PSC4 type the following: ./vdcrepadmin -f createagreement -2 -h psc04.contoso.com -H psc01.contoso.com -u administrator -w VMware1!
  8. The above command will return nothing. So, now type: ./vdcrepadmin -f showpartners -h psc04.contoso.com -u administrator -w VMware1!
  9. This should now return the following:

ldap://psc03.contoso.com
ldap://psc01.contoso.com

  10. Once the above command returns both ldap://psc03.contoso.com and ldap://psc01.contoso.com, you have now created the Platform Services Controller Replication Agreement!
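
The check the steps above do by eye can be scripted. This is an added example, not part of the original post: it parses showpartners output saved from each PSC (the sample text is constructed from the output listed above) and reports any PSC whose loss would split replication. The function names are this example's own, and agreements are treated as two-way, as with the -2 option used above.

```python
from collections import deque

def parse_partners(output):
    """Hostnames from one `vdcrepadmin -f showpartners` output."""
    return {line.strip()[len("ldap://"):].rstrip("/").lower()
            for line in output.splitlines() if line.strip().startswith("ldap://")}

def build_graph(outputs):
    """outputs maps each queried PSC to its showpartners text; edges are undirected."""
    graph = {host.lower(): set() for host in outputs}
    for host, text in outputs.items():
        for partner in parse_partners(text):
            graph[host.lower()].add(partner)
            graph.setdefault(partner, set()).add(host.lower())
    return graph

def connected(graph, skip=None):
    """True if every PSC except `skip` can still reach every other one."""
    nodes = [n for n in graph if n != skip]
    if not nodes:
        return True
    seen, queue = {nodes[0]}, deque([nodes[0]])
    while queue:
        for nxt in graph[queue.popleft()]:
            if nxt != skip and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return len(seen) == len(nodes)

def single_points_of_failure(graph):
    """PSCs whose loss splits replication among the survivors."""
    return sorted(n for n in graph if not connected(graph, skip=n))

# Constructed sample: the showpartners output listed on this page, before the extra agreement
CHAIN = {
    "psc01.contoso.com": "ldap://psc02.contoso.com\n",
    "psc02.contoso.com": "ldap://psc01.contoso.com\nldap://psc03.contoso.com\n",
    "psc03.contoso.com": "ldap://psc02.contoso.com\nldap://psc04.contoso.com\n",
    "psc04.contoso.com": "ldap://psc03.contoso.com\n",
}
# After createagreement: only psc04's output is changed here, as shown on this page
RING = dict(CHAIN, **{"psc04.contoso.com": "ldap://psc03.contoso.com\nldap://psc01.contoso.com\n"})

if __name__ == "__main__":
    print("before:", single_points_of_failure(build_graph(CHAIN)))
    print("after: ", single_points_of_failure(build_graph(RING)))
```

An empty list means replication among the remaining PSCs survives the loss of any single PSC.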

Adding Additional DNS and NTP

Now that we have all the PSCs online and connected, let’s just do some quick best practice stuff. This is to put a second (or more) DNS and NTP addresses in.

  1. Go to the PSC’s Administration page. Example: https://psc01.contoso.com:5480/
  2. Log into the site with the root account you created during the setup
  3. Click Networking and then click the Manage button
  4. Look at the Hostname, Name Servers, and Gateways heading and then look to the right for the Edit button. Click it.
  5. Enter in the secondary DNS IP and then click OK
  6. Now back on the left, click Time
  7. Look at the Time Synchronization heading and then look to the right for the Edit button. Click it.
  8. Enter in another NTP server (separate them with commas). These can be DNS FQDNs. Click OK.

You can now move on to either deploying your vCenter servers or creating your VMCA 6.5 as a Subordinate CA.

2 Replies to “VMware vSphere 6.5 Platform Services Controller (PSC) Deployment in a Ring Topology/Replication Agreement with Enhanced Linked Mode”

  1. The step 8 under creating ring agreement has a typo, it should be “psc04.contoso.com” instead of “psc03.contoso.com”.
    Please rectify it. The document is pretty elaborative and informative. Thank you..!!
