VMware Cloud Community
Cyberfed27
Hot Shot

vCenter 5.1.0 to 5.5 any tips?

So we want to upgrade our vCenter from version 5.1.0 to version 5.5.

Any tricks or tips you can share to make this as smooth as possible?

All vCenter roles are installed on one server, except the database, which resides elsewhere.

Any advice would be appreciated!

8 Replies
OscarDavey
Hot Shot

Hi,

Ensure that you take a backup of your current vCenter installation prior to the upgrade, and export any SSL certificates, and everything ought to be straightforward.

Your Oscar

RAMESA
VMware Employee

Before you perform an upgrade, please note the following:

  1. Make sure you have a backup of your setup. If it is a VM, make sure you have taken a snapshot.
  2. Before doing an upgrade, check the certificates of VC, SSO, IS, NGC. They should not be expired.
  3. The FQDN is valid, with proper forward and reverse lookup.
  4. Check the SSO certificate. It should have a proper Subject Alternate Name.
  5. Follow the proper order: SSO, NGC, IS, VC.
  6. After the SSO upgrade, before performing the IS and VC upgrades, make sure the identity sources are proper in SSO. If something is missing, you need to add it manually. There is no automatic identity source with SSO 2.0.

Let us know if you need any additional information.

Regards,

Ramesh
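Items 2 to 4 of the checklist above (certificate expiry, Subject Alternative Name, forward and reverse lookup) can be checked before the installer is started. The following is an added example, not part of the original post and not VMware code; the host name, address and certificate values are constructed, and the certificate is passed in as a dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import socket
import ssl
import time

def cert_problems(cert, fqdn, now=None, warn_days=30):
    """cert is a dict shaped like ssl.SSLSocket.getpeercert() output."""
    now = time.time() if now is None else now
    problems = []
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        problems.append("expired")
    elif days_left < warn_days:
        problems.append("expires in %d days" % days_left)
    # Only the DNS entries of the Subject Alternative Name are compared.
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not sans:
        problems.append("no DNS Subject Alternative Name")
    elif fqdn.lower() not in sans:
        problems.append("FQDN not in Subject Alternative Name")
    return problems

def dns_problems(fqdn, forward=socket.gethostbyname_ex,
                 reverse=socket.gethostbyaddr):
    """Forward-resolve fqdn, then require every address to reverse to it."""
    try:
        addrs = forward(fqdn)[2]
    except OSError as exc:  # gaierror and herror are OSError subclasses
        return ["forward lookup failed: %s" % exc]
    problems = []
    for addr in addrs:
        try:
            name = reverse(addr)[0]
        except OSError as exc:
            problems.append("no PTR for %s: %s" % (addr, exc))
            continue
        if name.rstrip(".").lower() != fqdn.rstrip(".").lower():
            problems.append("%s reverses to %s" % (addr, name))
    return problems

# Constructed sample certificate fields (not taken from any real server).
SAMPLE_CERT = {"notAfter": "Jan 11 00:00:00 2024 GMT",
               "subjectAltName": (("DNS", "vc01.example.test"),)}

if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Jan  1 00:00:00 2024 GMT")
    print(cert_problems(SAMPLE_CERT, "vc01.example.test", now=now))
    # Stub resolvers keep the demo offline; omit them to query real DNS.
    fwd = lambda h: (h, [], ["192.0.2.10"])
    rev = lambda a: ("oldvc.example.test", [], [a])
    print(dns_problems("vc01.example.test", forward=fwd, reverse=rev))
```
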
Cyberfed27
Hot Shot

Everything went smoothly...mostly.

I cannot log into the viClient using domain credentials.

I cannot log in to the web client with domain credentials either.

I can log into the web client using admin@systemdomain.

I see my domain is still listed in the identity sources. I made it my default source and no change.

When I try and log in from the viClient it says bad username/password.

From the web interface I get:

The authentication server returned an unexpected error: ns0:RequestFailed: Group was not found. GroupSID='S-1-521..........' The error may be caused by a malfunctioning identity source.

When I test my domain identity source (logged in as admin@systemdomain) in the web page it comes back OK.

TedH256
Expert
Expert

maybe too simple, but - when you tried to login using domain creds did you use domain\username format?

Cyberfed27
Hot Shot

Haha, I wish it was that easy. I had to remove my old identity source for AD, which was using LDAP.

Since SSO now supports Windows Integrated AD, I had to set that up.

Once I did, I was able to log on with our domain credentials again.

Just working through a minor issue now with re-registering the inventory service with SSO so that I can see everything in the web client when logged in via domain creds.

99% done...

RAMESA
VMware Employee

A couple of questions:

  1. Are VC, SSO and IS all on the same server? Ideally, if they are on the same server, the identity source should get migrated without any issue.
  2. Did you assign admin privilege on VC to any of the domain users?
  3. Can you connect using administrator@vsphere.local? The password should be what you provided during the upgrade. Using this user you should be able to connect to VC. After login, just check which users have admin privilege on VC.
  4. Using the same user as in step 3, if you connect through NGC you should be able to see the identity source. Check whether something is wrong with the identity source.
  5. Hopefully things should work. If things still don't work, the last option should be to remove the identity source and add it once again.
Regards, Ramesh
white_wire
Contributor

Thanks for your comments, but in my case:

I cannot join my vCenter to AD due to network policies; I have to use a separate identity source for searching and sending LDAP requests to AD.

I'm still facing:

The authentication server returned an unexpected error: ns0:RequestFailed: Group was not found. GroupSID='S-1-521..........' The error may be caused by a malfunctioning identity source.


It seems that after binding to LDAP and getting the required attributes such as member-of and ..., translating the Group SID to a Group Name does not occur. The TCP stream of this negotiation follows:

Please guide me.

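The error quoted in this thread names a group SID that the identity source could not turn into a group. As an added example (not from any poster and not VMware code), the script below decodes a binary `objectSid` as Active Directory stores it, derives the user's primary-group SID from `primaryGroupID`, and checks whether a group's DN lies under a groups base DN. All SIDs and DNs are constructed, and treating the groups base DN of an LDAP identity source as the thing to check is an assumption to verify against your own configuration.

```python
import struct

def sid_to_str(raw):
    """Binary SID: revision, sub-authority count, 6-byte big-endian
    authority, then little-endian 32-bit sub-authorities."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "S-%d-%d" % (raw[0], authority) + "".join("-%d" % s for s in subs)

def primary_group_sid(user_sid, primary_group_id):
    """Replace the user's RID with primaryGroupID to get the group SID."""
    return "%s-%d" % (user_sid.rsplit("-", 1)[0], int(primary_group_id))

def dn_under_base(dn, base_dn):
    """True if dn is at or below base_dn (assumes no escaped commas)."""
    d = [p.strip().lower() for p in dn.split(",")]
    b = [p.strip().lower() for p in base_dn.split(",")]
    return len(d) >= len(b) and d[len(d) - len(b):] == b

# Constructed sample values, not taken from any real directory.
SAMPLE_OBJECT_SID = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack(
    "<5I", 21, 1111111111, 2222222222, 3333333333, 1104)
SAMPLE_GROUP_DN = "CN=Domain Users,CN=Users,DC=example,DC=test"

def report(object_sid, primary_group_id, group_dn, groups_base_dn):
    """Return (primary group SID, whether group_dn is inside the base)."""
    user_sid = sid_to_str(object_sid)
    return (primary_group_sid(user_sid, primary_group_id),
            dn_under_base(group_dn, groups_base_dn))

if __name__ == "__main__":
    # Hypothetical narrow base: the primary group sits outside it.
    print(report(SAMPLE_OBJECT_SID, 513, SAMPLE_GROUP_DN,
                 "OU=Groups,DC=example,DC=test"))
    # Domain-wide base: the same group is now in scope.
    print(report(SAMPLE_OBJECT_SID, 513, SAMPLE_GROUP_DN,
                 "DC=example,DC=test"))
```
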