vExpert

Deep Dive in to Virtualization & Cloud


VMware PSC Deployment

Starting with the release of vSphere 6.0, vCenter Server deployment changed: it is now split into two components that together provide all services of the vCenter management platform.

  • The Platform Services Controller (PSC) that provides common infrastructure services for the datacenter.
  • The vCenter Server that provides the remainder of the vCenter Server functionality.

Below are the services that run on a Platform Services Controller:

  • VMware Appliance Management Service – (applmgmt) – handles appliance configuration and provides the public API endpoints for appliance lifecycle management. Included on the Platform Services Controller appliance.
  • VMware License Service – (vmware-cis-license) – Each PSC includes the VMware License Service, which manages and delivers centralized licenses and provides license reporting for the VMware products in your environment. The license service inventory replicates across all Platform Services Controllers in the domain at 30-second intervals.
  • VMware Component Manager – (vmware-cm) – offers service registration and lookup.
  • VMware PSC client – (vmware-psc-client) – it is the back end to the PSC web UI.
  • VMware Identity Management Service – (vmware-sts-idmd) – the services behind vCenter Single Sign-On, used to authenticate users and VMware software components.
  • VMware Security Token Service – (vmware-stsd) – SAML token exchange mechanism.
  • VMware HTTP Reverse Proxy – (vmware-rhttpproxy) – runs on every PSC and on each vCenter Server. It is the entry point into the node and allows secure communication between the services running on that node.
  • VMware Service Control Agent – (vmware-sca) – Manages service configurations. You can use the service-control CLI to manage individual service configurations.
  • VMware Appliance Monitoring Service – (vmware-statsmonitor) – monitors vCSA Guest OS system resources utilization and performance.
  • VMware vAPI Endpoint – (vmware-vapi-endpoint) – single point of access to vAPI services.
  • VMware Authentication Framework – (vmafdd) – services for a client-side framework for vmdir authentication and serves the VMware Endpoint Certificate Store (VECS).
  • VMware Certificate Service – (vmcad) – uses the VMware Endpoint Certificate Store (VECS) to serve as a local repository for certificates on every Platform Services Controller instance. Although you can decide not to use VMCA and instead can use custom certificates, you must add the certificates to VECS. 
  • VMware Directory Service – (vmdird; usually referred to as vmdir) – multitenant, multi-master LDAP directory service that stores authentication, certificate, lookup, and license information.
  • VMware Lifecycle Manager API – (vmonapi) – start and stop vCenter server services and monitor service API health.
  • VMware Service Lifecycle Manager – (vmware-vmon) – a centralized, platform-independent service that manages the lifecycle of the PSC and vCenter Server services.
  • Likewise Service Manager – (lwsmd) – enables joining the host to a Microsoft Active Directory domain and then authentication of users through AD.
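The service list above is also the checklist for a PSC health check. The script below is an added example (not code from the post) that reads the output of service-control on the appliance and reports any of those services that is not running. It assumes it is run from the appliance bash shell as root, and that service-control prints a "Running:" block and a "Stopped:" block, each followed by one line of space-separated service names; the sample output embedded in the script is constructed, not captured from a real PSC.

```shell
#!/bin/sh
# Added example, not code from the post: checks that every service listed above
# is reported as Running by service-control. Live use on a PSC:
#   service-control --status --all | psc_service_check

# Service names as service-control reports them. The directory service appears
# as vmdird (the list above calls it vmdir).
PSC_SERVICES="applmgmt vmware-cis-license vmware-cm vmware-psc-client \
vmware-sts-idmd vmware-stsd vmware-rhttpproxy vmware-sca vmware-statsmonitor \
vmware-vapi-endpoint vmafdd vmcad vmdird vmonapi vmware-vmon lwsmd"

# Reads service-control output on stdin. Prints one "NOT RUNNING: <name>" line
# per expected service that is absent from the Running block and returns 1 if
# any is missing, 0 otherwise. Assumed output layout: a "<State>:" header line
# followed by one line of space-separated service names per state.
psc_service_check() {
    running=$(awk '
        /^[A-Za-z ]+:$/       { section = $0; next }
        section == "Running:" { for (i = 1; i <= NF; i++) print $i }
    ' | tr '\n' ' ')
    missing=0
    for svc in $PSC_SERVICES; do
        case " $running " in
            *" $svc "*) ;;
            *) echo "NOT RUNNING: $svc"; missing=1 ;;
        esac
    done
    return $missing
}

# Constructed sample output in which the Security Token Service has stopped.
SAMPLE_OUTPUT='Running:
 applmgmt lwsmd vmafdd vmcad vmdird vmonapi vmware-cis-license vmware-cm vmware-psc-client vmware-rhttpproxy vmware-sca vmware-statsmonitor vmware-sts-idmd vmware-vapi-endpoint vmware-vmon
Stopped:
 vmware-stsd'

# Stand-alone run on the sample: reports vmware-stsd and exits non-zero.
printf '%s\n' "$SAMPLE_OUTPUT" | psc_service_check \
    || echo "PSC is not healthy: restart the service with service-control --start <name> and check the logs"
```

A stopped vmware-stsd is worth catching early: with the Security Token Service down, no SAML tokens are issued and every vCenter Server registered with that PSC loses authentication, even though the other services look fine.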

PSC Domain & PSC Site

Before going on to external Platform Services Controller deployment, a brief word about the PSC Domain and the PSC Site.

  • PSC Domain – when installing a PSC, you are prompted to create a new vCenter Single Sign-On (SSO) domain or join an existing one. The VMware Directory Service uses the domain name for its internal LDAP structure. Always choose a name different from the one used by your Microsoft Active Directory, OpenLDAP or other directory service in the organization, so the two directories do not conflict.
  • PSC Site – You can organize PSC domains into logical sites. A site in the VMware Directory Service is a logical container for grouping PSC instances within a vCenter Single Sign-On domain.

Note: – You cannot change the domain to which a Platform Services Controller or vCenter Server instance belongs. If you are upgrading from vSphere 5.5, your vSphere domain name remains the default (vsphere.local). For all versions of vSphere, you cannot rename a domain. After you specify the name of your domain, you can add users and groups. It usually makes more sense to add an Active Directory or LDAP identity source and allow the users and groups in that identity source to authenticate. You can also add vCenter Server or Platform Services Controller instances, or other VMware products, such as vRealize Operations, to the domain.

Linked Mode

VMware vCenter Server Linked Mode, introduced in vSphere 4.0, gives administrators a consolidated view across multiple vCenter Server instances and lets a management domain scale to more hosts and virtual machines than a single vCenter Server supports. Starting with vSphere 6.0, vCenter Enhanced Linked Mode (ELM) replaced the original Linked Mode, which was based on Microsoft ADAM technology. With ELM, all vCenter Servers that share a PSC (or joined PSCs) are managed from a single pane of glass, up to a maximum of 15 vCenter Servers (with vSphere 6.5 Update 1 or later). Until vSphere 6.5 Update 2, ELM was supported only with external PSCs; it is now also possible with an embedded deployment.

Linked Mode is built around the concept of SSO domains. The vCenter Single Sign-On (SSO) component authenticates a user against an identity source back end. To implement ELM, all vCenter Servers must belong to the same SSO domain.

A PSC can be installed in a virtual machine (VCSA or Windows) or on a physical machine (Windows only); both types of installation are supported by VMware. Below are the different types of PSC deployments.

vCenter Server with an Embedded PSC

All services that are bundled with the Platform Services Controller are deployed together with the vCenter Server services on the same virtual machine or physical server. Using an embedded Platform Services Controller results in a standalone deployment that has its own vCenter Single Sign-On domain with a single site. Starting with vSphere 6.5 Update 2, other instances of vCenter Server with an embedded Platform Services Controller can be joined to enable enhanced linked mode.

Installing vCenter Server with an embedded Platform Services Controller has the following advantages:

  • The connection between vCenter Server and the Platform Services Controller is not over the network, and vCenter Server is not prone to outages caused by connectivity and name resolution issues between vCenter Server and the Platform Services Controller.
  • If you install vCenter Server on Windows virtual machines or physical servers, you need fewer Windows licenses.
  • You manage fewer virtual machines or physical servers.

You can configure the vCenter Server Appliance with an embedded Platform Services Controller in vCenter High Availability configuration.

vCenter Server with an External PSC

You can register multiple vCenter Server instances with one common external Platform Services Controller instance. The vCenter Server instances assume the vCenter Single Sign-On site of the Platform Services Controller instance with which they are registered. All vCenter Server instances that are registered with one common or different joined Platform Services Controller instances are connected in Enhanced Linked Mode. When you deploy or install a Platform Services Controller instance, you can create a vCenter Single Sign-On domain or join an existing vCenter Single Sign-On domain. Joined Platform Services Controller instances replicate their infrastructure data, such as authentication and licensing information, and can span multiple vCenter Single Sign-On sites.

Installing vCenter Server with an external Platform Services Controller has the following disadvantages:

  • The connection between vCenter Server and Platform Services Controller might have connectivity and name resolution issues.
  • If you install vCenter Server on Windows virtual machines or physical servers, you need more Microsoft Windows licenses.
  • You must manage more virtual machines or physical servers.

A vCenter Server instance installed on Windows can be registered with either a Platform Services Controller installed on Windows or a Platform Services Controller appliance. A vCenter Server Appliance can be registered with either a Platform Services Controller installed on Windows or a Platform Services Controller appliance. Both vCenter Server and the vCenter Server Appliance can be registered with the same Platform Services Controller.

To ensure Platform Services Controller high availability in external deployments, you must install or deploy at least two joined Platform Services Controller instances in your vCenter Single Sign-On domain. When you use a third-party load balancer, you can ensure an automatic failover without downtime.

Note: – vCenter Server deployments using an external Platform Services Controller will not be supported in a future vSphere release. Deploy or upgrade to a vCenter Server deployment using an embedded Platform Services Controller. For more information, see Knowledge Base article.

https://kb.vmware.com/kb/60229

PSC with a Load Balancer

You can use a third-party load balancer per site to configure Platform Services Controller high availability with automatic failover for this site. To configure Platform Services Controller high availability behind a load balancer, the Platform Services Controller instances must be of the same operating system type. Mixed operating systems Platform Services Controller instances behind a load balancer are unsupported. The vCenter Server instances are connected to the load balancer. When a Platform Services Controller instance stops responding, the load balancer automatically distributes the load among the other functional Platform Services Controller instances without downtime.

PSC with Load Balancers Across vCenter Single Sign-On Sites

Your vCenter Single Sign-On domain might span multiple sites. To ensure Platform Services Controller high availability with automatic failover throughout the domain, you must configure a separate load balancer in each site.

PSC with No Load Balancer

When you join two or more Platform Services Controller instances in the same site with no load balancer, you configure Platform Services Controller high availability with a manual failover for this site.

Note: – If your vCenter Single Sign-On domain includes three or more Platform Services Controller instances, you can manually create a ring topology. A ring topology ensures Platform Services Controller reliability when one of the instances fails. To create a ring topology, run the /usr/lib/vmware-vmdir/bin/vdcrepadmin -f createagreement command against the first and last Platform Services Controller instance that you have deployed.
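The note above covers the common case where each PSC was joined to the one deployed before it, so the ring is closed with a single createagreement between the first and the last instance. The script below is an added example (not code from the post, nor a VMware tool) that generalizes this: given the existing partner list and the PSCs in ring order, it derives every missing agreement, so it also works when all PSCs were joined to the first one (a star). It assumes it runs from the bash shell of a PSC, that "vdcrepadmin -f showpartners" prints one ldap://<fqdn> line per partner, and that the SSO administrator password has been exported as VMDIR_PASSWORD (a variable name chosen here). The host names and partner list embedded in it are constructed.

```shell
#!/bin/sh
# Added example, not code from the post: derives the vdcrepadmin commands that
# close a replication ring over the PSCs of one SSO domain, whatever order they
# were joined in. Assumed: runs on a PSC, SSO admin password exported as
# VMDIR_PASSWORD (name chosen here), showpartners prints ldap://<fqdn> lines.

VDCREPADMIN=/usr/lib/vmware-vmdir/bin/vdcrepadmin
SSO_USER=administrator

# Converts "vdcrepadmin -f showpartners" output for the PSC named in $1 (read
# from stdin) into "<host> <partner>" lines.
partners_from_showpartners() {
    sed -n 's#^ldap://##p' | awk -v h="$1" 'NF { print h " " $1 }'
}

# True if an agreement between $2 and $3 exists among the "<host> <partner>"
# lines in $1. Agreements created with -2 are two-way, so order is ignored.
has_agreement() {
    printf '%s\n' "$1" | grep -qxF -e "$2 $3" -e "$3 $2"
}

# Prints the edges of a ring over the hosts given as arguments:
# h1 h2, h2 h3, ..., hN h1. A ring needs at least three nodes.
ring_edges() {
    [ $# -ge 3 ] || { echo "a ring needs at least three PSCs" >&2; return 1; }
    first=$1; prev=$1; shift
    for h in "$@"; do echo "$prev $h"; prev=$h; done
    echo "$prev $first"
}

# $1 = existing agreements ("<host> <partner>" lines), remaining arguments =
# PSCs in ring order. Prints, but does not run, one createagreement command per
# missing edge so the operator can review the commands before executing them.
ring_commands() {
    existing=$1; shift
    [ $# -ge 3 ] || return 1
    ring_edges "$@" | while read -r src dst; do
        has_agreement "$existing" "$src" "$dst" && continue
        echo "$VDCREPADMIN -f createagreement -2 -h $src -H $dst -u $SSO_USER -w \"\$VMDIR_PASSWORD\""
    done
}

# Constructed sample: psc02 and psc03 were both joined to psc01 (a star), so
# psc01's partner list describes the whole topology.
SAMPLE_SHOWPARTNERS_PSC01='ldap://psc02.example.com
ldap://psc03.example.com'
SAMPLE_PARTNERS=$(printf '%s\n' "$SAMPLE_SHOWPARTNERS_PSC01" \
    | partners_from_showpartners psc01.example.com)

# Stand-alone run: the star already covers psc01-psc02 and psc03-psc01, so only
# the psc02-psc03 agreement is printed.
ring_commands "$SAMPLE_PARTNERS" psc01.example.com psc02.example.com psc03.example.com
```

On a real domain, feed the function with the partner lists of every PSC, run the printed commands, and then confirm replication with "vdcrepadmin -f showpartnerstatus" on each node. Note that vdcrepadmin takes the password with -w, so it is visible in the process list while the command runs; keeping it in an environment variable only keeps it out of the shell history, so run these from a privileged session and clear the variable afterwards.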

PSC with No Load Balancer Across vCenter Single Sign-On Sites

In the event of a Platform Services Controller failure, the vCenter Servers must be manually repointed to a functioning Platform Services Controller. vCenter Servers attached to a higher-latency Platform Services Controller in another site may experience performance issues.

Thanks,

If you have any comments, please drop me a line.
I hope this article was informative, and don’t forget to buy me a coffee if you found this worth reading.


