
Linked mode with SSO for SRM

The introduction of Single Sign On in vCenter 5.1 changes behaviour for those of you using linked mode.  This post outlines some of the considerations for and against using linked mode with SSO and SRM in 5.1, and how to install SSO in multi-site mode in order to take advantage of linked mode.

Customers with Site Recovery Manager mostly use linked mode for visibility of both protected and recovery sites, including protection status and the placeholders, so you can see what is protected for recovery.  Linked mode also makes license sharing between sites easier: you can install the same SRM key at both sites and have per-VM usage transferred automatically when migrating or failing over between sites.

Don’t forget, that doesn’t mean you can exceed the total number for which you are licensed, e.g. if you have a 75 VM SRM license you can install that license on both sites of the linked mode install, but you are still only allowed to protect up to 75 VMs whether it’s 50 on one site and 25 on the other, or 75 at one and zero at the other.  What linked mode will do is allow you to failover and then protect back while automatically deducting the protected number of VMs from the appropriate license at either site depending on where your protected VMs are running.

Linked mode is *not* a prerequisite for using SRM.  Even without Linked Mode you get a lot of benefit from SRM – it will happily show you all the DR information you need, from both protected and recovery sites in a single pane of glass.  SRM works just fine with or without linked mode.  If you want to use it, however, be aware that with 5.1, linked mode has a new prerequisite: Namely that SSO be installed at both sites, and that it be installed very specifically in “Multisite mode”.  While the SRM plugin still uses the vSphere “thick client” which does not use SSO, the backend communication of the VCs will require multisite SSO.

Linked mode vCenter instances need to authenticate against what appears to be a single SSO instance, whether it is a single SSO instance at one site, multiple SSO instances in HA mode, or multiple SSO instances in multi-site mode.  Of those options when using SRM, my preference is to either not use linked mode at all, or to deploy SSO in multisite mode.  A single instance or an HA cluster at one site will always introduce the risk that you cannot log in during a disaster.

Of course, the other choice is to not use linked mode, and to stand up independent VC and SSO instances at each site and manage them as separate entities all together.  This is of course what you will do if you don’t want or need linked mode and multisite SSO.  In any of these cases, SRM will be fine and your approach and architecture will merely alter how you manage the environment.

So the purpose of this post is a quick walkthrough of how to install (or upgrade) from vSphere 5.0 to 5.1 and move to SSO linked mode for use with SRM.

The first and most important factor is that you *cannot use the simple install process* of the vCenter installer.  You *must* install each component individually.  This is specifically because the simple install does not expose the functions of multi-site SSO or allow you to select primary and secondary roles of the SSO servers.

So first, let’s log into the primary site vCenter Server, open the installer and choose to install SSO independently as the first step.

The first requirement is to choose the appropriate SSO deployment type.  What we will want to do is to “Create the primary node for a new vCenter Single Sign On installation.”  This will set up SSO as a standalone entity for your local vCenter, but also give you the ability to join the second site’s SSO install to it when we get to that stage.  You could be doing a new install, an upgrade from VC 5.0, or even installing SSO on a separate system from your VC – the point remains the same, to choose to create a new primary node.

Now it will ask for a password for the SSO system domain.  Choose a good password, and write it down!  We’ll need it a few times throughout the install.

The next step is to choose the SSO sign-on type.  We can choose to install a basic mode or a primary node for a new multimode SSO. Here we choose to “Create the primary node for a new vCenter Single Sign On installation”, which will then give us the opportunity to join other SSO instances to this one.

The rest of the steps are fairly self-explanatory. Keep in mind the SSO domain admin password you chose, and keep both it and the https port written down somewhere; we’ll need them again later too.

Install or upgrade the Inventory service next, (and handle the certificates however you see fit).  Hold off on the other pieces (web client, client, possibly VUM…) until after you’ve installed vCenter Server, which is what you should do next.

When you install vCenter Server itself, make sure you are *not* trying to join a Linked Mode instance – we are going to create a “standalone” instance and then later join the second site’s VC to this one.   Also, when entering the SSO data into the VC install wizard, you’ll need to use the same ID and password you used for “admin@System-Domain” earlier.

One thing I quite like about this install is the ability to populate the administrators group with a domain admin group.  You can either choose to leave the default “Administrators” group, populate it with an ID, or as I did, give it my “domain\Domain Admins” entry so all my domain admins would be automatically recognized as SSO admins.

You should then be up and running with a primary multi-node SSO operating standalone, and a standalone VC 5.1 using local inventory services and the local SSO.

At this point you can optionally upgrade this site’s SRM to 5.1, which is a very basic process and really only requires 64 bit SRAs and a 64 bit ODBC in terms of required changes to the server for doing the upgrade.

Now let’s move over to the other site and log into the secondary vCenter.

Again, we will need to run the installer component by component, rather than using the simple installer, as we need to choose various SSO options to get it working.

The first step again is to do the SSO install.  Here, we choose the option to “Join an existing vCenter Single Sign On installation.” rather than to create the primary node.  The primary has already been crafted on the first site, we simply want to join into it.

The next step is to choose the “Multisite” installation type.  This will give us the opportunity at the bottom of the window to input all of the information for our first site’s SSO installation.  Since I installed SSO on my protected site’s vCenter Server, I give it the FQDN of my primary site VC, the https port we used earlier, and the SSO domain admin password we chose earlier so it can authenticate with the remote SSO. Told you we’d need them again.

Be careful here, look this screen over a few times.  I can’t tell you how many times while in a rush I’ve entered the wrong site’s information on this type of screen!  Ensure you have entered the *first site’s SSO location information* and *not* the name of the current system you’re installing it in!

You will also need to enter the admin password for the *local* SSO.  Since we want to use a multisite SSO, guess what you want to enter here?  The same password you used for the other SSO.  Keep it all identical.

Choose a database of your preference, give the SSO its local IP or FQDN, an appropriate set of credentials, and then a preferred port for the local SSO.

Again, my preference here is to use the same port that was used on the other site.  Makes life so much easier when you don’t have to mess around with different ports in different sites…

It will take some time to install, and ultimately all is done.  You will now have a multisite SSO installation with common IDs and passwords between sites.  Keep in mind, if you make *any* changes to your SSO you will need to *MANUALLY* export, copy, and import those changes to have them reflected at the other site – please see KB article 2038677 (http://kb.vmware.com/kb/2038677).

Now you can install or upgrade your inventory service on this site.  There will be further certificate choices; I personally use the autogen certs so things are easier for me in my lab.

Ultimately this is also fairly straightforward.  Keep in mind that when your inventory service requests the SSO information you will need to give it the *local* SSO instance information like password and URL.

It will register and install, and now it’s time for vCenter server.

When we install this, we *do* now want to choose to install it as linked mode.  When the screen comes up for linked mode or standalone, make sure you choose “Join a VMware vCenter Server group using Linked Mode to share information”.  This is, however, not critical at all.  You can quite happily install vCenter server as a local instance using a multisite SSO and not use linked mode.  To get linked mode all you would have to do is (once the inventory service and web client are installed) go into the start menu and as traditionally done, alter your vCenter to join linked mode after the fact.

At this point your recovery site SRM will need to be installed or upgraded to 5.1.

Once that is done, and SRM is functional, you should be able to log into your vSphere client or use the web client, and you can see the wealth of detail visible from linked mode.

For example, looking at the protected site, you can see visually which VMs are protected, by their special icon, but also from the same interface you can examine the recovery site and see the placeholder VM icons represented by the lightning bolt.

We can also now do some interesting license management, installing a common SRM license in both sites, giving us the ability to share the license across sites and have it automatically use up licenses from the appropriate location depending on where the protected virtual machines reside.

Throughout the install process we have built out a primary site local SSO as the primary of a multisite installation, an inventory service hooked into that local SSO instance, and then a standalone vCenter Server using those components.  At the second site we have installed a secondary SSO and joined it to that of the first site, then an inventory service using its local SSO, and lastly a vCenter Server that uses its local SSO and inventory service, but is connected by linked mode to the first site’s vCenter Server.  The architecture should look like this:

[Diagram: multisite SSO architecture]

So, what’s left?  I haven’t addressed a handful of things in this posting – first and foremost the management of a multisite SSO instance requires you to be very familiar with the change control process and management tasks necessary to export and import the environment if you make changes.   Please review this carefully, and understand exactly what’s going on in the documentation for SSO at http://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.install.doc%2FGUID-03E1B870-21BA-47A5-87C3-9413B077CCD0.html

The other aspect I think is important that I haven’t addressed is certificates.  That is worthy of a few articles of itself, but keep in mind if you are using custom certificates for either VC or for SRM, you will need to do so across the board – we do not support using “mixed mode” certificates where one part uses custom and the other uses auto generated.  And lastly – SRM 5.1 uses 2048 bit certificates, so if you’re upgrading you may have to do the whole lot!
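
The two certificate rules above (no mixing of custom and auto-generated certificates, and 2048-bit keys) can be checked before an upgrade. The script below is an added example, not part of the original post or of any VMware tooling; it assumes the certificates have been exported as PEM files, that the keys are RSA, and that a self-signed certificate stands in for an auto-generated one. All function names and host names are made up for illustration.

```shell
#!/bin/sh
# Added example: audit PEM certificates for the two rules in the post:
#   1. every key is at least 2048 bits, 2. no mix of custom and auto-generated.
# Assumptions: RSA keys; a self-signed certificate (subject == issuer) stands
# in for "auto generated", anything else counts as custom (CA-issued).

MIN_BITS=2048

# Print the public key size in bits of the certificate in PEM file $1.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Print "self-signed" or "ca-issued" for the certificate in PEM file $1.
cert_kind() {
    s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 2
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 2
    if [ "$s" = "$i" ]; then echo self-signed; else echo ca-issued; fi
}

# Audit every file given; print one line per certificate.
# Returns 0 only when all keys are >= MIN_BITS and all certificates are the
# same kind as the first one, 1 otherwise.
audit_certs() {
    rc=0; first_kind=""
    for f in "$@"; do
        bits=$(cert_key_bits "$f")
        kind=$(cert_kind "$f") || kind=""
        if [ -z "$bits" ] || [ -z "$kind" ]; then
            echo "UNREADABLE $f"; rc=1; continue
        fi
        status=OK
        if [ "$bits" -lt "$MIN_BITS" ]; then status=WEAK-KEY; rc=1; fi
        if [ -z "$first_kind" ]; then
            first_kind=$kind
        elif [ "$kind" != "$first_kind" ]; then
            status="$status,MIXED"; rc=1
        fi
        echo "$status $bits-bit $kind $f"
    done
    return $rc
}

# Constructed sample data: two self-signed 2048-bit certificates, one
# self-signed 1024-bit certificate, and one 2048-bit certificate issued by a
# throwaway CA. None of these names come from the post.
make_sample_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vc-site-a.example" \
        -keyout "$d/a.key" -out "$d/a.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=srm-site-a.example" \
        -keyout "$d/b.key" -out "$d/b.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:1024 -nodes -days 1 -subj "/CN=old-srm.example" \
        -keyout "$d/old.key" -out "$d/old.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Lab CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vc-site-b.example" \
        -keyout "$d/c.key" -out "$d/c.csr" 2>/dev/null
    openssl x509 -req -in "$d/c.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/c.crt" 2>/dev/null
}

# Run with --demo to audit the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_certs "$tmp"
    audit_certs "$tmp/a.crt" "$tmp/old.crt" "$tmp/c.crt"
    rm -rf "$tmp"
fi
```

Pass the exported certificate files for every VC and SRM endpoint at both sites to `audit_certs`; a non-zero exit status means at least one certificate is below 2048 bits or differs in kind from the first.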

88 thoughts on “Linked mode with SSO for SRM”

  1. Dmitry

    I do not clearly understand this point: “If you want to use it, however, be aware that with 5.1, linked mode has a new prerequisite: Namely that SSO be installed at both sites, and that it be installed very specifically in “Multisite mode”” because the Linked Mode prerequisites say that: “Make sure that all vCenter Servers in a Linked Mode group are registered to the same vCenter Single Sign On server.”

    If we will use only one SSO server will it work?

    1. Ken

      If you use only one SSO server you cannot use Linked Mode. Linked Mode requires multiple SSO servers in either HA or Multisite mode.
      If you don’t use linked mode you would still have problems in an SRM environment – either your SSO server would be placed at the primary site and would be unavailable in case of a site failure, or it would be placed at the recovery site in which case all your SSO traffic would have to cross the WAN.
      For an SRM use case you really want to have 2 fully separate VCs and two separate SSO servers. If you don’t need linked mode, you’re done at that point!

  2. Ken

    Hi Dmitry. Yes, it will work with only one SSO server, but that can lead to some serious repercussions in the case of full site failure.
    I would strongly recommend having two full SSO servers, one at each site.
    That means the options are fully standalone SSO servers without linked mode, cross-site HA servers (bad idea), or multi-site servers.

      1. Ken

        Sorry was trying to reply to you above. HA mode is designed for local redundancy – the database is shared between the nodes and you’d end up with all SSO traffic going between sites. Further, if your database is dead as part of the site failure, you have then lost it and are unable to authenticate at the recovery site regardless of the HA SSO instance being there.

        1. Les

          Would it be possible to use vSphere Replication to protect a single SSO instance, replicating it to the DR site, as a lazy effort?

          1. Ken

            The problem with that Les is that if your SSO crashes and needs recovery, you won’t be able to login to VC to recover it with VR!

  3. Vlado

    Hi Ken.
    What if I’ve already upgraded vCenter 5.0 to 5.1 with SSO installed as the “basic” node type (your second picture)? Now I’ve decided to implement SRM with vCenters in linked mode. Is there a possibility to easily convert the “basic” SSO node type to the “primary” node type for a multisite SSO installation?

    1. Ken

      There’s no ‘easy’ way to do it, but it can be done without too much effort. Basically you’d rebuild the SSO as the first node of a multisite configuration and relink the inventory and VC services to the new SSO instance. It’s basically a rip-and-replace, but just of the SSO piece, not the entire VC. You’d then have to rebuild the second SSO instance as well and this time join the existing multisite instance you’ve already built.

      1. Vlado

        Thank you for your answer. But I have one more question – what was basic mode made for? Just for complications with a possible future multisite/HA configuration, or does it have some advantages over multisite primary when there are no plans for a multisite/HA config? Why not install every vCenter deployment as multisite primary to be open to future changes?

        1. Ken

          Basic mode is for exactly that – just basic single site installs with only a requirement for a single VC and single SSO instance.
          If you think you might ever move to the requirement for two SSO servers there is no harm at all in installing a single site SSO as the primary in a (non-existent) multi-site configuration and then adding to it later. There is no difference in functionality between a basic running standalone and a multi-site running without a peer.

          1. Vlado

            I think basic mode should never exist. Primary in a (non-existent) multi-site configuration should be “basic”/default… :-)

  5. Peter

    Thanks for the blog topic, very helpful, but I have to agree with Vlado – “basic mode should never exist. Primary in a (non-existent) multi-site configuration should be “basic”/default”.
    While not being new to ESX (been using it for many years), when setting up vCentre 5.1 for the first time I didn’t understand the implications of following the defaults on the SSO install. It works fine for a single instance, but now we’re deploying VDI and SRM, I need to add a 2nd and 3rd vCentre servers and find that I either need to rebuild the SSO structure from scratch, or have all of them set up as isolated single sites – very frustrating.
