WilliamLam.com


All replicated Platform Services Controller should be joined to Active Directory

06.16.2015 by William Lam // 4 Comments

Last week a colleague of mine was setting up a new vSphere 6.0 environment which contained a vCenter Server with an external Platform Services Controller (PSC) for our Management vSphere Cluster and another vCenter Server, also with an external PSC, for our Compute vSphere Cluster. The PSCs were configured to replicate with each other, which meant they were part of the same SSO Domain, providing us with the new Enhanced Linked Mode (ELM) feature that was introduced in vSphere 6.0.

With ELM, you can now easily view all of your vCenter Servers by logging into either of the vSphere Web Client Servers provided by any of the vCenter Servers that are connected to the replicated PSCs. In addition to providing a single view into your vSphere environment, data such as Licensing, Tags, VM Storage Policies, Roles/Permissions & Affinity/Anti-Affinity Rules to name a few are also replicated and made available to all the other vCenter Servers.

As part of the initial setup, my colleague had joined the first PSC (psc-01) to our Active Directory domain after completing the deployment of the VCSA, as the vSphere Web Client was required to make further changes to the PSC. The question that my colleague had was whether or not additional PSC nodes were required to be joined to the same Active Directory domain or would it automatically be handled by the PSC replication?

This was actually a great question and in fact something that could easily be overlooked, at least until you try to log in using an Active Directory account and cannot. What you will notice when going to the SSO Admin Configuration screen is that the Active Directory Identity Source has been added, so I can see why one would assume this would automatically be handled. If we take a closer look at my home lab environment and the Active Directory configuration within each of the PSCs, we will see why this is not the case.

If we take a look at the Active Directory configuration for psc-01, we can see that it is part of our AD Domain and the "Join" option is grayed out.

If we now take a look at psc-02, you will see that the Active Directory configuration is empty and the option to "Join" is still available.

To resolve this problem, you just need to join the additional PSC nodes to Active Directory and then reboot them for the changes to take effect. The PSCs also support different Active Directory domains as long as a trust relationship exists between the two; for more details, take a look at VMware KB 2064250. It should also be noted that this should not be an issue for those deploying a Windows-based vCenter Server, since it is usually a best practice to join the Windows system to an AD domain prior to installing additional software on top.
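One way to check every replicated PSC for the gap described above, as an added example that is not part of the original post. It assumes the join state of each appliance was collected beforehand with `/opt/likewise/bin/domainjoin-cli query` and that the output carries a `Domain = ...` line; the node names, the domain `EXAMPLE.COM` and the sample outputs are constructed.

```shell
# Added example: audit the AD join state reported by each replicated PSC.
# Assumption: the text passed in is the output of
#   /opt/likewise/bin/domainjoin-cli query
# gathered from each appliance (for instance over SSH).

# Read query output on stdin and print the joined domain in upper case.
# Prints an empty line when the "Domain =" field is blank.
joined_domain() {
  awk -F'=' '/^Domain[ \t]*=/ { gsub(/[ \t\r]/, "", $2); print toupper($2); exit }'
}

# audit_psc EXPECTED_DOMAIN NODE QUERY_OUTPUT
# Returns 0 if joined to the expected domain, 1 if not joined at all,
# 2 if joined to another domain (only valid when a trust exists).
audit_psc() {
  expected=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  node=$2
  domain=$(printf '%s\n' "$3" | joined_domain)
  if [ -z "$domain" ]; then
    echo "FAIL $node: not joined to Active Directory"
    return 1
  elif [ "$domain" != "$expected" ]; then
    echo "WARN $node: joined to $domain, expected $expected (verify trust)"
    return 2
  fi
  echo "OK   $node: joined to $domain"
  return 0
}

# Constructed sample output: psc-01 is joined, psc-02 only received the
# replicated identity source and was never joined itself.
PSC01_QUERY='Name = psc-01
Domain = EXAMPLE.COM
Distinguished Name = CN=PSC-01,CN=Computers,DC=example,DC=com'
PSC02_QUERY='Name = psc-02
Domain ='

audit_psc example.com psc-01 "$PSC01_QUERY" || true
audit_psc example.com psc-02 "$PSC02_QUERY" || true
```

A `FAIL` line identifies a node that still needs to be joined and rebooted; a `WARN` line is acceptable only when the two domains trust each other.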


Comments

  1. tjpatter says

    06/17/2015 at 10:27 am

    What is the primary advantage to joining PSC's to AD vs. using the LDAP option into AD in this type of setup. The "Use Windows authentication" option is the only real benefit I can think of, but the Google Chrome browser will not support it anyways due to recent policy changes. Thoughts?

  2. William Lam says

    06/17/2015 at 1:49 pm

    "Use Windows Auth" is one of the benefits but the other is that the Machine Account will be used to perform all the "magic" as my buddy in GSS mentioned and details can be found here http://kb.vmware.com/kb/2064250 else a simple bind is used, which has problems with recursions.

    BTW - Windows Auth works fine on Chrome, not sure which policy change but haven't had issues with latest version

  3. *protected email* says

    08/08/2015 at 1:49 am

    Curious on external PSC deployment. If I have a PSC in US and one in SEA, should each have their own PSC independent join them together? Is there a recommended latency threshold that should be observed?

  4. Ralf says

    02/17/2016 at 5:51 am

    We are having a lot of problems with our 3 external PSCs in Germany, Singapore and the US and enhanced linked mode. Latency is 100ms to the US and 200ms to Singapore. The Web Client is sluggish (even more sluggish than it usually is) and the client crashes regularly. Not sure about the max. supported latency, but I think I heard something like 100ms. I need to find out how I can migrate this single SSO domain with sites to 3 separate SSO domains now.



Author

William Lam is a Senior Staff Solution Architect working in the VMware Cloud team within the Cloud Infrastructure Business Group (CIBG) at VMware. He focuses on Cloud Native technologies, Automation, Integration and Operation for the VMware Cloud based Software Defined Datacenters (SDDC)
