SSO Domain Repointing
Repoint an Embedded vCenter Server to a New SSO Domain
SSO Domain Repointing was introduced to allow the repointing of a vCenter Server from one SSO Domain to another, something that was not possible in vSphere 6.0/6.5. The vCenter Server being repointed moves from its current SSO domain and joins the other existing domain as another vCenter Server connected via Enhanced Linked Mode (ELM).
This powerful feature can help customers going through mergers and acquisitions who need to change the name of an SSO Domain, and it can also join two different SSO Domains into one common domain. If there is a need to repoint a vCenter Server from its current domain to a brand new SSO Domain, that is also possible.
Discovering Conflicts
When repointing a vCenter Server to another SSO Domain that already contains other vCenter Servers, we need to discover any conflicts beforehand.
Conflict discovery is accomplished by performing a pre-check before completing the repointing of the vCenter Server to another SSO Domain. The pre-check mode (-m pre-check) of the cmsso-util command is used to discover conflicts between the SSO Domains. An example would be: cmsso-util domain-repoint -m pre-check
Pre-check mode fetches the tagging (tags and categories) and authorization (roles and privileges) data from the (PSC) vCenter Server without actually performing the repointing actions.
Four JSON files are produced: All_Privileges.json, All_Roles.json, All_TagCategories.json, and All_Tags.json. These files are exported to the /storage/domaindata/ folder on the source vCenter Server where the Domain Repoint command was executed.
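Before moving on to execute mode, it is worth confirming that the pre-check really wrote all four exports and that each one parses, and recording a hash of the role and privilege data that was reviewed. The script below is an added example, not part of the original walkthrough or of VMware's tooling; the function name review_exports is hypothetical, a Python 3 interpreter is assumed, and the internal layout of the JSON files is deliberately not assumed (only top-level entries are counted).

```python
import hashlib
import json
import sys
from pathlib import Path

# File names and folder are the ones the walkthrough lists for pre-check mode.
EXPECTED = ("All_Privileges.json", "All_Roles.json",
            "All_TagCategories.json", "All_Tags.json")
DEFAULT_DIR = Path("/storage/domaindata")


def review_exports(export_dir=DEFAULT_DIR):
    """Return (report, problems) for the pre-check exports in export_dir.

    report maps file name -> {"entries": int, "sha256": str}.
    problems lists files that are missing or do not parse as JSON.
    The schema is not assumed: only the top-level length is counted.
    """
    report, problems = {}, []
    for name in EXPECTED:
        path = Path(export_dir) / name
        if not path.is_file():
            problems.append(f"{name}: missing")
            continue
        raw = path.read_bytes()
        try:
            data = json.loads(raw)
        except ValueError as exc:  # covers JSON and encoding errors
            problems.append(f"{name}: not valid JSON ({exc})")
            continue
        entries = len(data) if isinstance(data, (list, dict)) else 1
        report[name] = {"entries": entries,
                        "sha256": hashlib.sha256(raw).hexdigest()}
    return report, problems


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DIR
    report, problems = review_exports(target)
    for name, info in report.items():
        print(f"{name}: {info['entries']} top-level entries, "
              f"sha256={info['sha256']}")
    for problem in problems:
        print("PROBLEM:", problem, file=sys.stderr)
    sys.exit(1 if problems else 0)
```

A non-zero exit status means at least one export is missing or unreadable, so the pre-check should be rerun before the data is relied on.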
In this demo, we are repointing upg-dhcp-1570-vm-055.cpbu.lab, which is running vCenter Server 6.7 Update 1. Notice that the Single Sign-On domain is currently vsphere.local. We can also see that the vCenter Server is an embedded deployment type.
We get started by logging in via SSH to the source vCenter Server that will be repointed to a new destination SSO Domain. Provide the root credentials to log in to the appliance.
From the appliance shell we can run cmsso-util to review our command syntax. Here we can also see the other functions of the cmsso-util command such as unregister, reconfigure, repoint (for repointing a vCenter Server to another SSO Site), and domain-repoint. We will be using the domain-repoint argument to point our vCenter Server to a new SSO Domain.
Because we are not migrating this vCenter Server into an existing SSO Domain, there is no need to do a pre-check to review any possible data conflicts between the Source and Destination domains. We begin repointing with the following command: cmsso-util domain-repoint -m execute --src-emb-admin Administrator --dest-domain-name nigel.local
NOTE: The SSO Administrator (Administrator@sso-domain.local) credentials of the Source vCenter Server are required here. Also, the Destination domain name (--dest-domain-name) equals the name of the new SSO Domain you are pointing the Source vCenter Server to.
To continue, answer the question (Y or N) to confirm all settings are correct to proceed with the repointing operations.
Data is exported from the current SSO Domain, PSC services are updated, SSO data is then imported to the new SSO Domain, CEIP participation status (joined or not joined) is applied, and all services are restarted. At this point, we can now see that our Domain Repoint was a success.
We can further validate this change by logging into the vCenter Server Appliance Management Interface (VAMI) on port 5480. Notice that the Single Sign-On Domain is now changed to nigel.local.
This concludes the "Repoint an Embedded vCenter Server to a New SSO Domain" Walkthrough. Visit vSphere Central for more Product Walkthroughs: https://vspherecentral.vmware.com
Part 1: SSO Domain Repointing (Video)
In this video, we will discuss vSphere SSO Domain Repointing. We'll cover the prerequisites for repointing a vCenter Server to an existing SSO domain.
Additionally, we show the required commands (cmsso-util) and what to expect when executing an SSO Domain Repoint.
Part 2: Repointing vCenter Server to a New SSO Domain (Video)
In this video, we will discuss the process of repointing a vCenter Server to an entirely new SSO Domain. This process can be helpful when changing the name of a vSphere SSO Domain is a requirement.
Part 3: Splitting Enhanced Linked Mode (Video)
In this video, we will discuss leveraging the SSO Domain Repointing action to split or break Enhanced Linked Mode (ELM) by repointing one vCenter Server out of the source SSO domain into a brand new SSO domain.