vSphere SSO domain replication topology

Last week I had a customer request to integrate a 3rd vCenter (Version 7 with embedded PSC) into his existing vSphere SSO domain where he already had 2 similar vCenters.

His main use case was to have all vCenters in a single pane of glass using the vCenter Enhanced Linked Mode (ELM). As far as I remembered, you should make sure to create a ring topology between all SSO members, so that a failure of one member in the middle of the chain doesn't cause severe SSO replication errors.

Because I hadn't had this scenario in a Version 7 environment yet, I had to do a little research first. A good start, for example, is the VMware Documentation – Understanding vSphere Domains and Domain Names:

// prerequisites

All vCenters that will be a part of the SSO replication should be identical in their version and configuration (like AD integration, time settings, etc.).

DNS and NTP (as always) are critical. At least two DNS servers should be used, and the same three time servers should be used for all vCenters.

Make sure you have a full backup of all vCenters, and I would highly recommend taking offline snapshots of all ELM members at the same time before you make the changes! Trust me, I have had my painful experiences.

// creating the ring topology

Deploy the new 3rd vCenter Appliance and join it to the existing SSO domain using the 2nd vCenter.

Enable SSH, connect to all 3 vCenters and navigate to the vdcrepadmin folder under /usr/lib/vmware-vmdir/bin/

Check the status of all members of the SSO domain:
# ./vdcrepadmin -f showservers -h <…vcenter[1/2/3]-fqdn…> -u administrator
You should get a list of all 3 vCenters.

Check the replication partners of all vCenters:
# ./vdcrepadmin -f showpartners -h <…vcenter1-fqdn…> -u administrator
# ./vdcrepadmin -f showpartners -h <…vcenter2-fqdn…> -u administrator
# ./vdcrepadmin -f showpartners -h <…vcenter3-fqdn…> -u administrator

You should see that vCenter1 is connected to vCenter2 and vCenter2 is connected to vCenter3. At this moment it is a chain. You can also see it in the vSphere Client under Administration => System Configuration:

vCenter System Configuration – chain topology

Create an additional replication agreement from the 3rd vCenter to the 1st vCenter to close the ring:
# ./vdcrepadmin -f createagreement -2 -h <…source-vcenter3-fqdn…> -H <…target-vcenter1-fqdn…> -u administrator

After the change it should look like this:

vCenter System Configuration – ring topology

Check the replication status of the partners of all vCenters:
# ./vdcrepadmin -f showpartnerstatus -h <…vcenter[1/2/3]-fqdn…> -u administrator
You should see something like:
“Host available: Yes, Status available: Yes, and Partner is 0 changes behind”
If not, wait a few minutes and try again. Replication will take some time and could still be in progress.
For further investigations check the logs under /var/log/vmware/vmdird/vmdird-syslog.log.
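
To avoid reading the status output by eye on every member, the check above can be scripted. This is an added example, not part of the original article or of VMware's tooling: the function name partner_status, the exact output layout it parses and the example.test host names are assumptions, and the sample output is constructed.

```sh
# Added example. Classifies `vdcrepadmin -f showpartnerstatus` output read on stdin.
# Assumed layout, one block per replication partner:
#   Partner: <fqdn>
#   Host available:   Yes|No
#   Status available: Yes|No
#   Partner is <N> changes behind.
# Prints "<fqdn> OK", "<fqdn> LAGGING:<N>" or "<fqdn> UNAVAILABLE".
# Returns 0 only if at least one partner was seen and every partner is OK.
partner_status() {
    awk '
        function emit() {
            if (p == "") return
            if (host != "Yes" || stat != "Yes" || behind == "") {
                r = "UNAVAILABLE"; bad = 1
            } else if (behind + 0 > 0) {
                r = "LAGGING:" behind; bad = 1
            } else {
                r = "OK"
            }
            print p, r
            seen++
        }
        /^Partner:/          { emit(); p = $2; host = ""; stat = ""; behind = "" }
        /^Host available:/   { host = $NF }
        /^Status available:/ { stat = $NF }
        /^Partner is [0-9]+ changes behind/ { behind = $3 }
        END { emit(); rc = (bad || seen == 0) ? 1 : 0; exit rc }
    '
}

# Constructed sample: one partner in sync, one still replicating, one down.
SAMPLE='Partner: vcenter1.example.test
Host available:   Yes
Status available: Yes
My last change number:             4242
Partner has seen my change number: 4242
Partner is 0 changes behind.

Partner: vcenter2.example.test
Host available:   Yes
Status available: Yes
My last change number:             4242
Partner has seen my change number: 4100
Partner is 142 changes behind.

Partner: vcenter3.example.test
Host available:   No'
printf '%s\n' "$SAMPLE" | partner_status || echo "replication not healthy yet"
```

On a real member, pipe the output of the showpartnerstatus command shown above into partner_status instead of the sample. A LAGGING result shortly after creating the agreement is the "wait a few minutes" case, while UNAVAILABLE is the one to follow up in the vmdird log.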

If you want to know more about the options of vdcrepadmin, I would recommend having a look at the VMware KB Article – Determining replication agreements and status with the Platform Services Controller (PSC) 6.x (2127057):

If you have read up to this point, I hope my article was helpful to you. Feel free to share if you like…

// footnotes

Date: 05.04.2022
Version: 1.1