Hardware Requirements - KB 2106572 vSphere SSO Domain 6.

vSphere SSO Domain 6.0 Configuration Maximums Command Line Interface (CLI) Migration from Deprecated to Recommended Topology

* A deprecated topology is one that is currently supported in vSphere 6.0, but will not be in the next release of vSphere. Migrating to a recommended topology will be required prior to upgrading.*
Tiny Small Medium Large --list Lists vCenter and / or PSC services --start Starts services can be used with all or individual services
Resources PSC Maximum PSCs per vSphere SSO Domain 8 service-control
Environment Environment Environment Environment *Appliance Shell* --status View the status of the vC Server and / or PSC services --stop Stops services can be used with all or individual services
vSphere SSO Domain: vSphere.local vSphere SSO Domain: vSphere.local vSphere SSO Domain: vSphere.local
--all Can be used in conjunction with list, start, stop --dry-run Displays the actions that the command runs without executing the actions

Maximum PSCs per site, behind a load balancer 4

Number of CPUs 2 2 4 8 16 /usr/lib/vmware-vmdir/bin Site: Palo Alto Site: Palo Alto Site: Palo Alto

showservers Embedded Deployment Model Embedded Deployment Model Virtual Machine Virtual Machine Virtual Machine
Maximum objects within a vSphere SSO Domain (Users and Groups) 1,000,000 vdcrepadmin -f showservers -h <PSC FQDN or IP address> -u administrator -w Administrator Password
Virtual Machine Virtual Machine
d
Example: vdcrepadmin -f showservers -h psc1.vmware.local -u administrator -w VMware1! Platform Services Platform Services Platform Services
Memory 2 GB 8 GB 16 GB 24 GB 32 GB
showpartners
ate Controller Controller Controller

c
Platform Services Platform Services

e
Maximum tolerance for time skew between PSC nodes 5 minutes 1. Deploy an external PSC Or

pr
vdcrepadmin -f showpartners -h <PSC FQDN or IP address> -u administrator -w Administrator Password Controller Controller
Example: vdcrepadmin -f showpartners -h psc1.vmware.local -u administrator -w VMware1!

De
2. Join PSC to embedded deployment
vdcrepadmin vSphere SSO domain Or
*Bash Shell* showpartnerstatus vCenter Server vCenter Server
Maximum Active Directory or Open LDAP Groups per User for 3. Run cmsso-util to Reconfigure / Repoint
1015 vdcrepadmin -f showpartnerstatus -h <PSC FQDN or IP address> -u administrator -w Administrator Password Virtual Machine Virtual Machine Virtual Machine Virtual Machine
Storage Requirements - KB 2106572 best performance embedded deployment
Example: vdcrepadmin -f showpartnerstatus -h psc1.vmware.local -u administrator -w VMware1! Site: Palo Alto Site: Palo Alto
*Optional secondary PSC can be deployed for vCenter Server vCenter Server vCenter Server vCenter Server
createagreement redundancy*
Maximum number of vCenter Servers connected to a single PSC 4 vdcrepadmin -f createagreement -2 -h <Source PSC FQDN or IP address> -H <New Partner PSC FQDN or IP Address> -u administrator
VCSA with an VCSA with an External PSC
Environment Type Example: vdcrepadmin -f createagreement -2 -h psc1.vmware.local -H psc3.vmware.local -u Administrator -w VMware1!
Embedded PSC External PSC Appliance
removeagreement
Maximum number of vCenter Servers in a vSphere SSO Domain 10
vdcrepadmin -f removeagreement -2 -h <Source PSC FQDN or IP address > -H <Remove PSC FQDN or IP address> -u administrator -w Administrator_Password
Tiny Environment
120 GB 86 GB 86 GB Example: vdcrepadmin -f removeagreement -2 -h psc1.vmware.local -H psc3.vmware.local -u Administrator -w VMware1!
(up to 10 Hosts / 100 VMs)
vSphere SSO Domain: vSphere.local vSphere SSO Domain: vSphere.local vSphere SSO Domain: vSphere.local
Maximum number of subordinate Certificate Authority servers in the chain
6
within VMware Certificate Authority /bin
Small Environment
150 GB 108 GB 108 GB Reconfigure vCenter server instance with an embedded Platform Services Controller and Repoint them to the joined External Platform Services Controller Instances
Site: Palo Alto Site: Palo Alto Site: Palo Alto
(up to 100 Hosts / 1,000 VMs)
Maximum cryptographic hash used for PSC Node certificate 1 cmsso-util reconfigure --repoint-psc <PSC FQDN or IP address> --username <username> --domain-name <domain name> --password <password>
Example: cmsso-util reconfigure --repoint-psc psc.vmware.local --username administrator --domain-name vsphere.local --passwd VMware1! Embedded Deployment Model Virtual Machine Virtual Machine Virtual Machine
Medium Environment Platform Services
300 GB 220 GB 220 GB Repoint the connections Between vCenter Server and Platform Services Controller Virtual Machine Platform Services Platform Services

d
(up to 400 Hosts / 4,000 VMs)

e
Controller Controller Controller

t
Maximum RSA Public Key length used for PSC Node certificate 16,384 cmsso-util repoint --repoint-psc <PSC FQDN or IP address> Virtual Machine 1. Deploy an external PSC

a
cmsso-util Platform Services

c
Example: cmsso-util repoint --repoint-psc psc.vmware.local 2. Join PSC to embedded deployment Or

e
*Bash Shell* Controller

pr
vCenter Server vSphere SSO domain Or
Large Environment Moving vCenter Server between Sites

De
450 GB 280 GB 280 GB
(up to 1,000 Hosts / 10,000 VMs) https://www.vmware.com/pdf/vsphere6/r60/vsphere-60-configuration-maximums.pdf cmsso-util move-services --psc-node <PSC FQDN or IP address> --domain-name <vSphere Domain Name> --username Administrator 3. Run cmsso-util to Reconfigure / Repoint
vCenter Server
embedded deployment
--passwd Administrator Password --oldsite-name <vCenter Server's Original Site> --newsite-name <vCenter Server's New Site> Virtual Machine Virtual Machine Virtual Machine Virtual Machine
cmsso-util move-services --psc-node psc3.vmware.local --domain-name vsphere.local --username Administrator --passwd VMware1! --oldsite-name Palo Alto 4. Run cmsso-util to Repoint external
Site: Palo Alto
--newsite-name Austin vCenter Server vCenter Server vCenter Server vCenter Server vCenter Server
*Optional secondary PSC can be deployed
Firewall Requirements - KB 2106283 General Information -h : Prints help for vim top command line options for redundancy*
-v : Prints the vim top version number
vimtop -c : Loads a user defined vim top configuration file (if the -c option is not used, the default configuration file is /root/vimtop/vimtop.xml)
Port Protocol Description Deployment Models
*Appliance Shell* -n : Sets the number of performed iterations before the vim top exits interactive mode, the default value is 10000
-p / -d seconds : Sets the update period in seconds
Supports both GUI and CLI installs -r : Enables record batch mode vSphere SSO Domain: vSphere.local vSphere SSO Domain: vSphere.local
22 TCP / UDP System port for SSHD. This port is used only by the vCenter Server Appliance.
-R : Enables reply mode
External Deployment Model
Embedded Deployment Model Site: Palo Alto Site: Palo Alto Site: Palo Alto
-h, --help : prints help for pgtop
vCenter Server requires port 80 for direct HTTP connections. Port 80 Virtual Machine
80 TCP pgtop --version : Prints the pgtop version number Virtual Machine
redirects requests to HTTPS port 443. Embedded Deployment Model Virtual Machine Virtual Machine Virtual Machine
*Appliance Shell* -I, --idle : Does not display idle processes
Platform Services
Virtual Machine -b, --batch : All input from the terminal is ignored. Interrupt characters, such as ^C and ^\ still have an effect Platform Services

d
Platform Services Platform Services Platform Services

e
Controller

t
Controller Controller Controller Controller

a
88 TCP VMware key distribution center port Platform Services

c
1. Deploy an external PSC

pre
Controller http://www.vmware.com/go/vcsashell
vCenter Server 2. Join PSC to external PSC vSphere SSO domain

De
This port must be open on the local and all remote instances of vCenter
3. Run cmsso-util to Reconfigure / Repoint embedded deployment
389 TCP / UDP Server. This is the LDAP port number for the Directory Services for the vCenter Server
Site: Palo Alto
vCenter Server group. Virtual Machine Virtual Machine Virtual Machine Virtual Machine Virtual Machine
Virtual Machine
Other Resources Services
The default port that the vCenter Server system uses to listen for vCenter Server vCenter Server vCenter Server vCenter Server vCenter Server
443 TCP vCenter Server
connections from the vSphere Web Client.
Platform Services Controller Decision Tree http://www.vmware.com/go/psctree VMware Certificate Service PSC
vSphere Syslog Collector port for vCenter Server on Windows and
514 UDP
vSphere Syslog Service port for vCenter Server Appliance. VMware Directory Service PSC
Generating vCenter Server & Platform Services
http://www.vmware.com/go/topologydiagrams
Prerequisites Controller deployment topology diagrams
For vCenter Server Enhanced Linked Mode, this is the SSL port of the local VMware ESX Agent Manager PSC
636 TCP Instance. If another service is running on this port, it may be preferable to
remove it or change its port to a different port. Reconfiguring and Repointing Deployment Recommended Topologies
http://www.vmware.com/go/ReconfigureandRepoint
These prerequisites should be in place and tested prior to proceeding with a new Models in vCenter Server 6.0 Update 1 VMware Identity Management Service PSC
The default port that the vCenter Server system uses to send data to installation or upgrade.
902 TCP / UDP managed hosts. Managed hosts also send a regular heartbeat over UDP vSphere SSO Domain: vSphere.local
port 902 to the vCenter Server system. The future of vCenter Server http://www.vmware.com/go/vcsamicrosite VMware License Service PSC
Recommended Latency
DNS - Resolution of fully qualified domain name (FQDN), short name (host name),
vSphere Syslog Collector TLS port for vCenter Server on Windows and
and IP address (reverse lookup)
VMware Security Token Service PSC Virtual Machine 1 Single Sign-On Domain
1514 TCP / UDP Getting Comfortable with vPostgres and
vSphere Syslog Service TLS port for vCenter Server Appliance. http://www.vmware.com/go/vpostgres-part-1 Platform Services
Time - Validate time is synchronized across the environment. Use of a NTP source is recommended. the vCenter Server Appliance Part 1 1 Single Sign-On Site Enhanced Linked Mode (ELM) PSC <—> PSC vCenter —> PSC
Controller
VMware Content Library Service vCenter Server 1 vCenter Server with embedded Platform Services Controller Less than 100ms RTT between PSCs 5 ms (i.e. it is recommended to have a PSC local at each
Passwords - Should be at least 8 characters, but no more than 20 characters. Getting Comfortable with vPostgres and All features that utilize ELM are facilitated via the
2012 TCP Control interface RPC for vCenter Single Sign-On (SSO) http://www.vmware.com/go/vpostgres-part-2 location a vCenter Server is deployed)
Using ASCII characters containing at least one lowercase letter, one uppercase letter, the vCenter Server Appliance Part 2 vCenter Server
No requirement of Enhanced Linked mode PSC, for the best user experience within a vSphere Less than 10ms between nodes within a site
one number and one special character. VMware vCenter Inventory Service vCenter Server environment, low latency is highly recommended.
vCenter Server and PSC should be on a routable network
Small deployments, Lab / POC PSCs are multi-master
https://featurewalkthrough.vmware.com/#!/
2014 TCP RPC port for all VMCA (VMware Certificate Authority) APIs VMware Product WalkThroughs Site: Palo Alto Replication interval: 30 sec
http://www.vmware.com/go/vcprerequisites vsphere-6-0 VMware Message Bus Configuration Service vCenter Server

VMware Performance Charts vCenter Server

2020 TCP / UDP Authentication framework management vSphere SSO Domain: vSphere.local vSphere SSO Domain: vSphere.local
Logs - /var/log/vmware/ - KB 2110014
Backup VMware Postgres vCenter Server
Site: Palo Alto
6500 TCP / UDP ESXi Dump Collector port Virtual Machine Site: Palo Alto Virtual Machine Virtual Machine Site: Palo Alto
Name Description VMware Syslog Collector vCenter Server
Image level backup and restore is the only method supported for the VCSA. There are two ways 1 Single Sign-On Domain
Platform Services Platform Services Platform Services
of taking an image level backup. vSphere Data Protection (VDP) is a product that comes free 1 Single Sign-On Domain
Controller Controller Controller 2 or more Single Sign-On Site
starting with vSphere Essentials. Any third party backup solution that supports VMware vSphere vpxd/vpxd.log The main vCenter Serverlog VMware System and Hardware Health Manager vCenter Server
6501 TCP Auto Deploy Service 1 Single Sign-On Site
Storage APIs - Data Protection (VADP). 2 or more external Platform
VMware vAPI Endpoint vCenter Server 1 external Platform Services Controllers Services Controllers
vpxd/vpxd-profiler.log Profile metrics for operations performed in vCenter Server
http://www.vmware.com/go/vcbackuprestore 1 or more vCenter Server with external 2 or more vCenter Server with
6502 TCP Auto Deploy Management external Platform Services Controller
VMware vCenter Configuration Service vCenter Server
vpxd/vpxd-alert.log Non-fatal information logged about the vpxd process Platform Services Controller
Virtual Machine Virtual Machine Virtual Machine Virtual Machine Virtual Machine Virtual Machine Manual failover over across PSCs
VMware vCenter Workflow Manager vCenter Server Requirement of Enhanced Linked Mode
7444 TCP Secure Token Service perfcharts/stats.log VMware Performance Charts
Terminology vCenter Server vCenter Server vCenter Server vCenter Server vCenter Server vCenter Server
VMware Virtual Center Server vCenter Server
eam/eam.log VMware ESX Agent Manager
8088 TCP Workflow Management Service PSC Platform Services Controller VMware vService Manager vCenter Server
invsvc VMware Inventory Service
VMware vSphere Auto Deploy Waiter vCenter Server
9443 TCP vSphere Web Client HTTPS vC vCenter Server vSphere SSO Domain: vSphere.local
netdumper VMware vSphere ESXi Dump Collector
VMware vSphere ESXi™ Dump Collector vCenter Server 1 Single Sign-On Domain
Topology supported in vSphere 6.0 but not in the next vapi VMware vAPI Endpoint 1 Single Sign-On Site
11711 TCP VMware Directory service (vmdir) LDAP Deprecated
release of vSphere VMware vSphere ESXi Dump Collector Web Service vCenter Server Site: Palo Alto Virtual Machine Virtual Machine Site: Palo Alto
2 or more external Platform Services Controllers
Platform Services Platform Services
vmdird VMware Directory Service Demon
A logical grouping of PSCs within a vSphere SSO Domain. Refer VMware vSphere Profile-Driven Storage vCenter Server Controller Controller 1 or more vCenter Server with external Platform Services Controller
11712 TCP VMware Directory service (vmdir) LDAPS Site
to the Recommended Topologies section for some examples. 1 third-party load balancer
syslog vSphere Syslog Collector VMware vSphere Web Client vCenter Server
Load Balancer * Supported Load Balancers: VMware NSX, F5, Netscaler *
vSphere common authentication mechanism
vSphere SSO Domain
(Single Sign-On) vpostgres VMware vSphere Profile-Driven Storage Service
PSC to PSC 389, 636, 11711, 11712, 2012 (11711 and 11712 legacy) A Load Balancer can be used to achieve a higher degree of availability,
VMware AFD Server vCenter Server and PSC
Virtual Machine Virtual Machine RTO of less than a minute or hard availability requirement of 99.999%
PSC and VC components installed on the vsphere-client VMware vSphere Web Client (five nines). Load Balancing can be used as an automated failover
Embedded Deployment VMware Component Manager vCenter Server and PSC
PSC to vCenter 443, 389, 636, 2012, 2014, 2020, 7444 same virtual machine vCenter Server vCenter Server mechanism, but is not actually load balancing incoming requests and
workflow VMware vCenter Workflow Manager spreading the load across PSCs. Unless otherwise required, manually
PSC and VC components installed on separate VMware HTTP Reverse Proxy vCenter Server and PSC
External Deployment repointing with cmsso-utill is recommended.
vCenter to vCenter 443 virtual machines
vws VMware System and Hardware Health Manager VMware Service Control Agent vCenter Server and PSC
Link mode is the capability of managing multiple vCenter Servers
http://www.vmware.com/go/vcports Enhanced Linked Mode (ELM) sso
(maximum of 10) from one UI. Requires external PSC deployment VMware Single Sign-On VMware vCenter Configuration Service vCenter Server and PSC
vSphere SSO Domain: vSphere.local

1 Single Sign-On Domain

Knowledge Base Articles (KB) - https://kb.vmware.com/ 2 Single Sign-On Site
Virtual Machine Site: Palo Alto Virtual Machine Virtual Machine Site: Austin Virtual Machine
2 or more external Platform Services Controllers
Platform Services Platform Services Platform Services Platform Services
Controller Controller Controller Controller 1 or more vCenter Server with external
Repointing the VMware vCenter Server 6.0 between sites in a vSphere Domain 2131191 Backing up VMware vSphere 5.x and 6.0 products 2119754 Platform Services Controller

2 third-party load balancer

Services bundled with vCenter Server and vCenter Server Appliance 6.0 2108159 Load Balancer Load Balancer * Supported Load Balancers: VMware NSX, F5, Netscaler *
VMware Platform Services Controller 6.0 FAQs 2113115

A Load Balancer can be used to achieve a higher degree of availability,

Virtual Machine Virtual Machine Virtual Machine Virtual Machine
Back up and restore vCenter Server Appliance/vCenter Server 6.0 vPostgres database 2091961 RTO of less than a minute or hard availability requirement of 99.999%
Increasing the disk space for the VMware vCenter Server Appliance 6.0 2126276 (five nines). Load Balancing can be used as an automated failover
vCenter Server vCenter Server vCenter Server vCenter Server
mechanism, but is not actually load balancing incoming requests and
Unlocking and resetting the VMware vCenter Single Sign-On administrator password 2034608 spreading the load across PSCs. Unless otherwise required, manually
Update sequence for vSphere 6.0 and its compatible VMware products 2109760 repointing with cmsso-utill is recommended.

Replacing the Lookup Service SSL certificate on a Platform Services Controller 6.0 2118939
Determining replication agreements and status with the Platform Services Controller 6.0 2127057

VMware vCenter Server Appliance 5.5 and 6.0 root account locked out after password expiration 2069041 vSphere SSO Domain: vSphere.local

Configuring F5 BIG-IP Load Balancer for use with vSphere Platform Services Controller (PSC) 6.0 2098006

Removing or Disabling unwanted plug-ins from vCenter Server and vCenter Server Appliance 1025360 Virtual Machine Site: Palo Alto Virtual Machine Virtual Machine Site: Austin Virtual Machine

Replacing default certificates with CA signed SSL certificates in vSphere 6.0 2111219 Platform Services Platform Services Platform Services Platform Services
1 Single Sign-On Domain
Controller Controller Controller Controller
List of recommended topologies for VMware vSphere 6.0.x 2108548
2 Single Sign-On Site

vCenter Server 6.0 installation Best Practices 2107948 2 or more external Platform Services Controllers
Toggling the vCenter Server Appliance 6.x default shell 2100508
1 or more vCenter Server with external
Virtual Machine Virtual Machine Virtual Machine Virtual Machine Platform Services Controller
Checking the status of vCenter Server performance rollup jobs 2012226
Using the cmsso command to unregister vCenter Server from Single Sign-On 2106736 vCenter Server vCenter Server vCenter Server vCenter Server

vCenter Single Sign-On and Platform Services Controller High Availability Compatibility Matrix 2112736 Supported vCenter Server high availability options 1024051

Copyright © 2016 VMware, Inc. All rights reserved. @Emad_Younis | @eck79 | @VMwarevSphere vmware.com/products/vcenter-server