Announced in November 2018, the External Platform Services Controller (PSC) is being deprecated. Previously, many customers have deployed the External PSC to take advantage of features such as Enhanced Linked Mode (ELM) or PSC HA. With the removal of the External PSC, VMware has provided a Converge Tool to be able to migrate from an External Deployment to an Embedded deployment. The Converge Tool does require you to be on vSphere 6.5 Update 2d or greater or vSphere 6.7 Update 1 or greater and be running the vCenter Server Appliance (VCSA).
Planning your Convergence
Prior to executing your migration from an External to Embedded Platform Services controller, the first thing we need to do is analyze our current SSO domain to understand the solutions and servers we are dealing with. We need to review our SSO environment and identify which solutions are registered with the SSO Lookup Service, such as NSX and Site Recovery Manager (SRM). These and other solutions need to be manually repointed to the embedded vCenter Server once convergence is complete. If you are unsure what solutions are registered to your SSO Server, you can use the following KB2043509 to find out what services are registered with the SSO lookup service.
Also, if you are unsure which Platform Services Controller your vCenter Server is pointed to—you have two ways to check. The first option is utilize the vSphere Client and review the Advanced Settings. Navigate to your vCenter Server and choose the Configuration tab. Proceed to Advanced Settings and search for config.vpxd.sso.admin.url and this will show your connected PSC.
If you prefer to go the CLI route, you can run the following command to identify the connected PSC.
1 |
/usr/lib/vmware-vmafd/bin/vmafd-cli get-ls-location —server-name localhost |
We will also log into our NSX Manager’s and validate which External PSC and vCenter Server they are currently registered with.
In my example environment I have drawn out the following diagram to understand my architecture based on information I gathered. I currently have two External PSC’s in Enhanced Linked Mode with two External vCenter Servers. I also have 2 separate NSX Manager instances registered with my External PSC’s that will need to be re-registered once the Converge Tool is ran.
Executing the Converge Tool
Once we have our target environment planned out, we can look to the execution of the Converge Tool. If you are familiar with the VCSA CLI based installer currently used with vSphere 6.5 and vSphere 6.7 the Converge Tool will look quite familiar. To run the Converge Tool you must download and mount the VCSA iso, and first prepare your JSON templates. You will have one template to run the Converge Tool to migrate from an External to Embedded PSC and there will be a second template used to decommission the external PSC which will shut it down and remove it from the SSO domain.
First up is the converge template, within this template there are four sections:
- Information about the Managing vCenter or ESXi Host.
- Information about the vCenter Server you wish to Converge to Embedded.
- (Optional) Active Directory Information if you wish to join the Embedded vCenter to AD.
- (Optional) Replication Partner Information. If this vCenter Server is the first converged node within the SSO domain you will leave this blank, but if it is not the first you will need to fill it out for additional nodes.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 |
{ "__version": "2.11.0", "__comments": "Template for VCSA with external Platform Services Controller converge", "vcenter": { "description": { "__comments": [ "This section describes the vCenter appliance which you want to", "converge and the ESXi host on which the appliance is running. " ] }, "managing_esxi_or_vc": { "hostname": "<FQDN or IP address of the ESXi or vCenter on which the vCenter Server Appliance resides.>", "username": "<Username of a user with administrative privilege on the ESXi host or vCenter Server. For example 'root' for ESXi and 'administrator@<SSO domain name>' for vCenter >", "password": "<Password of the administrative user on the ESXi host or vCenter Server. If left blank, or omitted, you will be prompted to enter it at the command console during template verification.>" }, "vc_appliance": { "hostname": "<FQDN or IP address of the vCenter Server Appliance>", "username": "administrator@<SSO domain name>", "password": "<vCenter Single Sign-On administrator password. If left blank, or omitted, you will be prompted to enter it at the command console during template verification.>", "root_password": "<Appliance root password. If left blank, or omitted, you will be prompted to enter it at the command console during template verification.>" }, "ad_domain_info": { "__comments": [ "Important Note: This section is needed only when PSC (Platform Services Controller) appliance is joined to a domain.", "Remove this section if PSC appliance is not joined to a domain.", "Keeping this section without valid values results in JSON validation errors." ], "domain_name": "<Domain name of the Platform Services Controller appliance's AD domain>", "username": "<AD domain username with privileges to join any machine to the provided domain>", "password": "<AD domain password with privileges to join any machine to the provided domain>", "dns_ip": "<DNS IP which resolves AD domain name. This is an optional field and is required only when the provided AD domain cannot be resolved by the existing DNS setting of the VCSA node.>" } }, "replication": { "description": { "__comments": [ "Important Note: Make sure you provide the information in this section very carefully, as this changes the replication topology.", "Refer to the documentation for complete details. Remove this section if this is first converge operation in your setup.", "This section provides details of the PSC node which will be set up as a replicated node for a new PSC on the target VCSA node." ] }, "partner": { "hostname": "<FQDN or IP address of the target VCSA PSC node>" } } } |
Now that we understand what the JSON template fields do, let’s review what a prepared converge template looks like. In this example my first external deployment was not joined to Active Directory and it is the first one I am converging in my SSO domain so I only have two sections to fill out.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
{ "__version": "2.11.0", "__comments": "Template for VCSA with external Platform Services Controller converge", "vcenter": { "description": { "__comments": [ "This section describes the vCenter appliance which you want to", "converge and the ESXi host on which the appliance is running. " ] }, "managing_esxi_or_vc": { "hostname": "mco-vcsa-01.cpbu.lab", "password": "VMware1!" }, "vc_appliance": { "hostname": "mco-vcsa-01.cpbu.lab", "password": "VMware1!", "root_password": "VMware1!" } } } |
My second external deployment was also not joined to Active Directory and since I already have one Embedded vCenter Server I must point to it as the replication partner. If I choose to leave this blank, it would automatically create a replication back to its External PSC and when we go to decommission those we would’ve actually created two separate SSO domains because of the lack of replication.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 |
{ "__version": "2.11.0", "__comments": "Template for VCSA with external Platform Services Controller converge", "vcenter": { "description": { "__comments": [ "This section describes the vCenter appliance which you want to", "converge and the ESXi host on which the appliance is running. " ] }, "managing_esxi_or_vc": { "hostname": "mco-vcsa-02.cpbu.lab", "password": "VMware1!" }, "vc_appliance": { "hostname": "mco-vcsa-02.cpbu.lab", "password": "VMware1!", "root_password": "VMware1!" } }, "replication": { "description": { "__comments": [ "Important Note: Make sure you provide the information in this section very carefully, as this changes the replication topology.", "Refer to the documentation for complete details. Remove this section if this is first converge operation in your setup.", "This section provides details of the PSC node which will be set up as a replicated node for a new PSC on the target VCSA node." ] }, "partner": { "hostname": "mco-vcsa-01.cpbu.lab" } } } |
Now, that we have our JSON templates filled out properly, we can proceed to executing them. We will run the Converge Tool against our first vCenter Server and proceed until all vCenter Servers within the SSO domain are complete. You will be unable to decommission an external PSC until all remaining vCenter Servers in the SSO domain are converged to Embedded.
To understand all the parameters available with the Converge Tool we can run the following command to learn more.
1 |
.\vcsa-converge-cli\win32\vcsa-util.exe converge --help |
To execute the Converge Tool against our vCenter Server we will run the following command.
Note: We can only run the Converge Tool against one vCenter Server Appliance at a time.
1 |
.\vcsa-converge-cli\win32\vcsa-util.exe converge --no-ssl-certificate-verification --backup-taken C:\pathtofile.json |
At this step, we have now consolidated our environment and have two Embedded vCenter Servers, however our NSX Manager’s are still pointing to our External PSC’s.
To correct this registration we need to log into our NSX Managers and re-register the lookup service with our new Embedded vCenter Servers.
At this point our external solutions are now registered properly, and we can move forward with decommissioning our External PSC’s.
Note: You will be unable to decommission your external PSC’s until all vCenter Servers within your SSO domain have been migrated to Embedded Deployments
Next up we will review the decommission template. Within this template there are four sections:
- Information about the Managing vCenter or ESXi Host of the External PSC.
- Information about the Platform Services Controller you wish to Decommission.
- Information about the Managing vCenter or ESXi Host of an Embedded vCenter in the SSO Domain.
- Information about the Embedded vCenter in the SSO Domain.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 |
{ "__comments": "Template for decommissioning PSC node with converge CLI tool.", "__version": "2.11.0", "psc": { "description": { "__comments": [ "This section describes the PSC appliance which you want to", "decommission and the ESXi host on which the appliance is running. " ] }, "managing_esxi_or_vc": { "hostname": "<FQDN or IP address of the ESXi or vCenter on which the Platform Services Controller appliance resides.>", "username": "<Username of a user with administrative privilege on the ESXi host or vCenter Server. For example 'root' for ESXi and 'administrator@<SSO domain name>' for vCenter >", "password": "<Password of the administrative user on the ESXi host or vCenter Server. If left blank, or omitted, you will be prompted to enter it at the command console during template verification.>", "port": "This section may be removed, if default port is 443. If not, custom port have to be specified" }, "psc_appliance": { "hostname": "<FQDN or IP address of the Platform Services Controller appliance>", "username": "administrator@<SSO domain name>", "password": "<vCenter Single Sign-On administrator password. If left blank, or omitted, you will be prompted to enter it at the command console during template verification.>", "root_password": "<Appliance root password. If left blank, or omitted, you will be prompted to enter it at the command console during template verification.>" } }, "vcenter": { "description": { "__comments": [ "This section describes the embedded vCenter appliance which is in ", "replication with the provided PSC" ] }, "managing_esxi_or_vc": { "hostname": "<FQDN or IP address of the ESXi or vCenter on which the vCenter Server Appliance resides.>", "username": "<Username of a user with administrative privilege on the ESXi host or vCenter Server. For example 'root' for ESXi and 'administrator@<SSO domain name>' for vCenter >", "password": "<Password of the administrative user on the ESXi host or vCenter Server. If left blank, or omitted, you will be prompted to enter it at the command console during template verification.>", "port": "This section may be removed, if default port is 443. If not, custom port have to be specified" }, "vc_appliance": { "hostname": "<FQDN or IP address of the vCenter Server Appliance>", "username": "administrator@<SSO domain name>", "password": "<vCenter Single Sign-On administrator password. If left blank, or omitted, you will be prompted to enter it at the command console during template verification.>", "root_password": "<Appliance root password. If left blank, or omitted, you will be prompted to enter it at the command console during template verification.>" } } } |
Here is an example of our prepared JSON template for decommission.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 |
{ "__comments": "Template for decommissioning PSC node with converge CLI tool.", "__version": "2.11.0", "psc": { "description": { "__comments": [ "This section describes the PSC appliance which you want to", "decommission and the ESXi host on which the appliance is running. " ] }, "managing_esxi_or_vc": { "hostname": "mco-vcsa-01.cpbu.lab", "password": "VMware1!" }, "psc_appliance": { "hostname": "mco-psc-01.cpbu.lab", "password": "VMware1!", "root_password": "VMware1!" } }, "vcenter": { "description": { "__comments": [ "This section describes the embedded vCenter appliance which is in ", "replication with the provided PSC" ] }, "managing_esxi_or_vc": { "hostname": "mco-vcsa-01.cpbu.lab", "password": "VMware1!" }, "vc_appliance": { "hostname": "mco-vcsa-01.cpbu.lab", "password": "VMware1!", "root_password": "VMware1!" } } } |
We will run the Converge Tool using the decommission option to remove our External PSC’s, repeating for each remaining node.
1 |
.\vcsa-converge-cli\win32\vcsa-util.exe decommission --no-ssl-certificate-verification C:\pathtofile.json |
At this point we have now successfully ran the Converge Tool to migrate all External PSC’s to Embedded PSC’s and decommissioned our External PSC’s leaving us with our preferred deployment as seen below.
Additional Resources
vCenter Server 6.7 Update 1 Convergence Tool – Emad Younis
Conclusion
VMware has announced the deprecation of the External PSC and customers should begin the migration to the Embedded PSC Deployment as soon as they are able to. The Embedded deployment simplifies patching, upgrading and management of our environment not only from an architecture standpoint but also with less servers to manage. I hope this blog prepared you to properly plan and execute running the Converge Tool within your environment.
If you have any feedback or questions feel free to post below.