
All replicated Platform Services Controller should be joined to Active Directory

06.16.2015 by William Lam // 4 Comments

Last week a colleague of mine was setting up a new vSphere 6.0 environment which contained a vCenter Server with an external Platform Services Controller (PSC) for our Management vSphere Cluster and another vCenter Server, also with an external PSC, for our Compute vSphere Cluster. The PSCs were configured to replicate with each other, which meant they were part of the same SSO Domain, providing us with the new Enhanced Linked Mode (ELM) feature that was introduced in vSphere 6.0.

With ELM, you can now easily view all of your vCenter Servers by logging into either of the vSphere Web Client Servers provided by any of the vCenter Servers that are connected to the replicated PSCs. In addition to providing a single view into your vSphere environment, data such as Licensing, Tags, VM Storage Policies, Roles/Permissions & Affinity/Anti-Affinity Rules to name a few are also replicated and made available to all the other vCenter Servers.

As part of the initial setup, my colleague had joined the first PSC (psc-01) to our Active Directory domain after completing the deployment of the VCSA, as the vSphere Web Client was required to make further changes to the PSC. The question that my colleague had was whether or not additional PSC nodes were required to be joined to the same Active Directory domain or would it automatically be handled by the PSC replication?

This was actually a great question and in fact something that could easily be overlooked, or at least until you try to log in using an Active Directory account and cannot. What you will notice when going to the SSO Admin Configuration screen is that the Active Directory Identity Source has been added, so I can see why one would assume this would automatically be handled. If we take a closer look at my home lab environment and the Active Directory configuration within each of the PSCs, we will see why this is not the case.

If we take a look at the Active Directory configuration for psc-01, we can see that it is part of our AD Domain and the "Join" option is grayed out.

If we now take a look at psc-02, you will see that the Active Directory configuration is empty and the option to "Join" is still available.

To resolve this problem, you just need to join the additional PSC nodes to Active Directory and then reboot them for the changes to go into effect. The PSCs also support different Active Directory domains as long as a trust relationship exists between the two; for more details take a look at VMware KB 2064250. It should also be noted that this should not be an issue for those deploying a Windows-based vCenter Server, since it is usually a best practice to join the Windows system to an AD Domain prior to installing additional software on top.
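Because the Web Client only shows one node's AD configuration at a time, it is easy to miss a PSC that was never joined. The following shell script is an added example (not from the original post) that audits the join status of every replicated PSC node the way you would after running `/opt/likewise/bin/domainjoin-cli query` on each appliance. The two query outputs embedded below are constructed sample data modelled on that command's "Key = Value" format (an assumption about the exact layout), the node names psc-01/psc-02 follow the post, and the domain vghetto.local is a placeholder; in real use you would collect the query output from each node over SSH instead.

```shell
#!/bin/sh
# Added example: audit which replicated PSC nodes are joined to Active Directory.
# The query outputs below are CONSTRUCTED to look like
#   /opt/likewise/bin/domainjoin-cli query
# output ("Key = Value" lines); the exact layout is an assumption.

EXPECTED_DOMAIN="vghetto.local"   # placeholder domain for the example

# Constructed sample: psc-01 was joined via the Web Client.
PSC01_QUERY='Name = psc-01
Domain = VGHETTO.LOCAL
Distinguished Name = CN=PSC-01,CN=Computers,DC=vghetto,DC=local'

# Constructed sample: psc-02 replicates with psc-01 but was never joined,
# so the "Domain" value is empty.
PSC02_QUERY='Name = psc-02
Domain ='

# ad_domain_of <query-output>: prints the joined domain, lowercased, or
# nothing when the node is not joined.
ad_domain_of() {
    printf '%s\n' "$1" | sed -n 's/^Domain = *//p' | tr 'A-Z' 'a-z'
}

# check_join <node> <query-output>: reports the node's status and returns
# 0 when it is joined to EXPECTED_DOMAIN, 1 otherwise.
check_join() {
    node="$1"
    domain=$(ad_domain_of "$2")
    if [ "$domain" = "$EXPECTED_DOMAIN" ]; then
        echo "$node: joined to $domain"
        return 0
    fi
    echo "$node: NOT joined (domain='${domain:-<none>}'); join it to AD and reboot"
    return 1
}

# audit_psc_nodes: checks every replicated node; the return value is the
# number of nodes that still need to be joined (0 means all good).
audit_psc_nodes() {
    missing=0
    check_join psc-01 "$PSC01_QUERY" || missing=$((missing + 1))
    check_join psc-02 "$PSC02_QUERY" || missing=$((missing + 1))
    return $missing
}

# Run the audit when executed directly; a non-zero count is the number of
# PSC nodes on which AD logins would still fail.
audit_psc_nodes || echo "$? PSC node(s) still need to be joined to $EXPECTED_DOMAIN"
```

With the sample data above, psc-01 reports as joined and psc-02 as not joined, so the audit returns 1; once psc-02 is joined and rebooted, its query output would carry the domain and the audit would return 0. Comparing against one expected domain is deliberate: a node joined to the wrong domain (without a trust) would fail AD logins just like an unjoined one.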

Categories // VCSA, vSphere 6.0 Tags // active directory, platform service controller, psc, vcenter server appliance, VCSA, vcva

Comments

  1. tjpatter says

    06/17/2015 at 10:27 am

    What is the primary advantage to joining PSC's to AD vs. using the LDAP option into AD in this type of setup. The "Use Windows authentication" option is the only real benefit I can think of, but the Google Chrome browser will not support it anyways due to recent policy changes. Thoughts?

    Reply
  2. William Lam says

    06/17/2015 at 1:49 pm

    "Use Windows Auth" is one of the benefits but the other is that the Machine Account will be used to perform all the "magic" as my buddy in GSS mentioned and details can be found here http://kb.vmware.com/kb/2064250 else a simple bind is used, which has problems with recursions.

    BTW - Windows Auth works fine on Chrome, not sure which policy change but haven't had issues with latest version

    Reply
  3. [protected email] says

    08/08/2015 at 1:49 am

    Curious on external PSC deployment. If I have a PSC in US and one in SEA, should each have their own PSC independent join them together? Is there a recommended latency threshold that should be observed?

    Reply
  4. Ralf says

    02/17/2016 at 5:51 am

    We are having a lot of problems with our 3 external PSCs in Germany, Singapore and the US and enhanced linked mode. Latency is 100ms to the US and 200ms to Singapore. The Web Client is sluggish (even more sluggish than it usually is) and the client crashes regularly. Not sure about the max. supported latency, but I think I heard something like 100ms. I need to find out how I can migrate this single SSO domain with sites to 3 separate SSO domains now.

    Reply
