VMware Cloud Community
JPM300

vSphere 5.0 to 5.5 SSO Design question

Hello all,

Currently we have a setup with two virtual center servers installed. One at our Production site and one at our DR site. Our Production site and DR site are in different locations in the city but are currently on a flat network; however, this is subject to change, so we treat it as a totally separate location. We also currently do not use vCenter Linked Mode as we only have two vCenters and like the separation; however, if it's required we can install it.

The plan is to upgrade the DR site first to iron everything out prior to upgrading production. With that said, we were thinking about installing SSO as such:

http://www.vmware.com/files/pdf/vcenter/VMware-vCenter-Server-5.5-Technical-Whitepaper.pdf

Page 11: I've attached the design picture

We were thinking of installing the first SSO at the DR site and, when we fully upgrade our production site, installing another SSO as another site to keep the SSO replication in place, aka option:

vCenter Single Sign-On for an additional vCenter Server with a new site

The end config would look like the second attached file ssoconfig2

Just wanted some opinions on this design choice and if it's the best way to go with what we have.


Any help is greatly appreciated,


Thanks,

Accepted Solutions
bayupw

Hi

What I mean is Option 3 will be required if you want to use linked mode.

Regarding your questions:

1. Yes, you can keep both vCenters separated and do a simple install, or do an Option 1 install on both.

2. Linked Mode requires Option 3 to function. But you can still use Option 3 without Linked Mode if you want to have single-domain SSO replicating (meaning if you create a user in SSO VC1, it will be replicated to the other SSO).

Let's say you do not use Option 3 for your second vCenter. Later on, if you decide to use Linked Mode, you will need to uninstall and reinstall SSO for your second vCenter to change from Option 1 to Option 3, replicating from your first vCenter.

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw

bayupw

Hi

Choosing Option 3 - vCenter Single Sign-On for an additional vCenter Server with a new site - means you will use multi-site SSO as per your picture SSOconfig.png.

Option 1 is for your first vCenter, and the additional vCenter in different site will use Option 3. Option 2 is for your additional vCenter if it is in the same datacenter which currently you do not have.

For more about SSO deployment options, you can read this blog post: Getting ready to upgrade production to vCenter Server 5.5? Make sure you're using the correct deploy...

If you are planning to use Linked Mode in the future, you are selecting the right options/deployment.

As per documentation here: vSphere 5.5 Documentation Center - Linked Mode Prerequisites for vCenter Server

Make sure that all vCenter Servers in a Linked Mode group are registered to the same vCenter Single Sign-On server.

It would be fine if you plan to install your DR first (Option 1) and later install the DC with Option 3.

As described here: Allow me to introduce you to vCenter Single Sign-On 5.5 | VMware vSphere Blog - VMware Blogs

The new architecture is based on a multi-master model where each instance is automatically kept up to date with its peers via built-in replication

Also explained in the other blog post:

This selection (Option 3) will create a replication partner and have no dependency on the first vCenter Single Sign-On server deployed.


Later on, if you want to check which SSO deployment you are using, you can follow the procedures described in this KB: VMware KB: Identifying VMware vCenter Single Sign-On server deployment mode

JPM300

Hello Bayu,

Thanks for your input, it was helpful; however, I am still left with some questions.

So I gathered from additional reading and from your comments that Option 2 is only for another virtual center in the same DC, which is out as that's not what we are trying to accomplish. That leaves option 3. Are you saying option 3 can only be done if you are in linked mode?

The main problem is I would like to simply do option 1 for both virtual centers and just keep them totally separated; however, both virtual centers are talking to the same AD server/infrastructure, so I'm not sure if that will be problematic or not. Which makes me just cycle back to option 3 again.

So in conclusion:

Question 1: Can you keep both VC's separated, not in linked mode, and do a simple install on both?

Question 2: Does Option 3 require Linked Mode to function? Or can you install it / use the same architecture but not have your VC's in linked mode?
