Its looking like I need to break up our centralised, multi-tenant vCenter model up into a individual vCenters per tenant, pretty much because of the limitations of NSX - ie not able to scope access for distributed firewall admins to 'per tenant' ESX hosts (I want to prevent a tenant from pushing firewall rules to other tenant's esxi nodes).

Splitting up the vcenters I'm fine with - in many ways it'd make my life simpler.  But I'm getting pressure internally to consider deploying all of them into a single SSO domain - and given my recent (bad) vCenter upgrade experiences, and the rollback / DR prep you need to do in order to recover from a failed upgrade when using linked mode, it fills me with dread.

I guess you're all aware - the only supported rollback method (outside of recovering from file based vcsa backups) is to:

- Power down ALL vcenters in the SSO domain (or at least stop services on all)

- Snap, power back up.

This makes sense, because it allows for a clean recovery point across the domain, avoiding the obvious issues you'll run into re: PSC replication.  But, it's pretty inconvenient.  If you have a failed upgrade on one vcenter, be prepared to roll them all back.

The potential scenario I'm looking at is a 9 x VCSA, single SSO deployment.  (3 x tenants, 3  datacenters).  To me, this spells bad news.  Yes, I want centralised auth, I want global object searching....but I don't think I have enough confidence in VMware's directory service, nor do I think there's enough expertise out there to support this appropriately.

Interested to know if anyone here has a large linked mode environment and how this impacts routine patching an upgrades?  It's crazy right?  Someone convince me otherwise!