VMware Cloud Community
Thouvou
Contributor

VCSA 6.5 HA with ELM at the same time

Hello to everyone,

I have been searching in almost every post in the forums but I could not find a similar case. We have the following topology:

2 Datacenters (Main, DR) with full routing between them. In each Datacenter there is a vSphere 6.U3 cluster with VCSA 6.5 with embedded PSC.

The vCenter servers operate in VCHA mode, configured via the wizard with the Basic setup, so in each datacenter there are 3 VMs: Primary, Passive and Witness.

Here comes the tricky part. Although VCHA exists and operates OK without any Load Balancer (we will manually repoint if needed) in each datacenter, we need to set up ELM, so we can manage both infrastructures (Main, DR) by logging in to only one vCenter and having common roles etc... We think the workflow is as follows:

On the MAIN DATACENTER:

1. Deploy a new external PSC and create a new SSO Domain.

2. Deploy a secondary external PSC and JOIN in to the existing SSO previously created.

3. Configure the common certificates between.

4. Repoint with cmsso-util the primary vCenter in the VCHA cluster to the new external PSC.

On the DR DATACENTER:

1. Deploy a new external PSC and JOIN in to the existing SSO.

2. Deploy a secondary external PSC and JOIN in as well.

3. Repoint with cmsso-util the primary vCenter in the VCHA cluster to WHICH PSC???

The confusion is where to repoint the Main vCenter on the DR site (which IP)? Or will any IP of any PSC function?

Also, do we have to configure common certificates for the PSCs in the DR site?

And finally, is it easier to destroy the vCenter topology and start from ELM and then configure VCHA?

Thank you very much for your time,

Kind Regards

4 Replies
erikverbruggen
Hot Shot

I do not know if it is possible. Currently, you have two separate SSO domains. It is only possible to repoint to a different PSC which is in the same SSO domain. This means that it must be a replication partner of the current PSC. Just using the same SSO domain is not possible.

This creates a problem for the DR vCenter which currently is not part of the SSO domain of the main datacenter. A solution is to deploy new PSCs in the DR datacenter and join the SSO domain of the main datacenter and then rebuild the DR vCenter from scratch using the newly deployed external PSC in the DR data center.

Further, if I read your post correctly you do not want to use a load balancer for PSC availability but will manually repoint it to another available PSC? The PSC is an integral part of the vCenter topology, if it is not available the vCenter Server will not work. The vCenter Server is configured with VCHA for improved availability but I think this does not match with your option to manually repoint the PSC if a failure occurs. If availability of the vCenter Server is of high importance, this then also applies to the PSC which should match the availability level of the vCenter Server. I would suggest to load balance the PSCs.

There is a KB article explaining the supported topologies: VMware Knowledge Base.

In your setup you will get the following configuration.

1 vSphere Single Sign-On domain

2 vSphere Single Sign-On sites

2 or more external Platform Services Controllers per Single Sign-On Site

1 or more vCenter Server with external Platform Services Controllers

1 third-party load balancer per site

Thouvou
Contributor

Thank you very much for your time,

We will actually have a common SSO domain, by deploying 2 PSCs (primary which will create the new SSO and the partner who will join in) on the Primary Datacenter and then deploying 2 new external PSCs in DR datacenter which will be JOINED to the newly created existing SSO domain from the deployment wizard. Then we can repoint the Primary and DR vCenter appliance to an external PSC in each site. So we have a common SSO domain (4 PSCs participating in it) and 2 VCSAs pointed to the PSC controllers. Correct me if I do not understand and explain it right.

Secondly, what do you mean "if it is not available the vCenter Server will not work"? The VCSA will not be working with the embedded PSC but as described previously, it will be repointed to one of the external PSCs, so if one fails, we will manually repoint vCenter to the other one. The only difference is that the VCSA will not be a single VM but a 3x VM-set (VCHA: Primary-Passive-Witness).

erikverbruggen
Hot Shot

You will create a new SSO domain, but it is not possible to repoint a vCenter Server to a new SSO domain. You can only repoint to a PSC in the current SSO domain. This will be a problem for the second vCenter Server which is in a different SSO domain.

What I am trying to figure out is your uptime requirement for the vCenter Server. You are using VCHA which in a failure of the vCenter Server takes only minutes to make it available again. But you are also considering manually repointing the vCenter Server in the case of a PSC failure which takes a lot longer to apply. This does not make any sense to me. If the vCenter Server availability really is important, you should also make sure the PSC has the same availability level, e.g. put a load balancer in front of 2 PSCs.

daphnissov
Immortal

Further to Erik's great points, I'll add that setting up vCHA using external PSCs *without* use of a fronting load balancer is an unsupported topology and should not be used.
