VMware vCenter Enhanced Linked Mode (ELM) allows virtual infrastructure admins to connect and manage multiple vCenter Server instances together, through a single pane of glass.
By joining vCenter Servers together in Enhanced Linked Mode, they become part of the same Single Sign-On (SSO) domain, allowing administrators to log into any of the linked vCenter Servers simultaneously using a single set of credentials.
As well as roles and permissions, ELM also enables the sharing of tags, policies, and search capabilities across the inventories of all linked vCenter Servers from the vSphere Client.
An example of a common ELM setup is the management and workload vCenter Servers from the primary and secondary sites (for a total of 4) linked together, improving ease of administration and usability.
Example vCenter Enhanced Linked Mode Setup
What is the Difference Between Enhanced Linked Mode and Hybrid Linked Mode?
Hybrid Linked Mode is concerned with linking your on-premises vCenter Server with a cloud vCenter Server. The key difference is that Hybrid Linked Mode does not join the same SSO domain, but instead maps through the connection using either a Cloud Gateway Appliance or an LDAP Identity Source.
You can set up on-premises vCenter Servers in Enhanced Linked Mode, and still connect these to a cloud vCenter Server using Hybrid Linked Mode. An example of this is a hybrid cloud setup with VMware Cloud on AWS providing the cloud vCenter, linked with vCenter Servers in your data centre(s).
Example vCenter Hybrid Linked Mode Setup
What are the Requirements for Enhanced Linked Mode in vCenter 7.0?
- An embedded Platform Services Controller (PSC) deployment
- At least 2, and a maximum of 15, vCenter Server Appliances (VCSA) in the same SSO domain
- vCenter Server Standard licensing; ELM is not included with vCenter Server Foundation or Essentials
- All vCenter Servers must be running the same version
If you are running vCenter 7.0 then both the Windows vCenter and the external Platform Services Controller are deprecated.
For previous versions, or non-compliant deployment types, review the following steps:
- vCenter 6.0 – vSphere 6.0 is out of support. ELM was available with vCenter 6.0, but it required external PSC node(s), which are no longer a supported deployment option in vCenter 7.0. Upgrade to vSphere 6.5 or 6.7 first, and then upgrade to vCenter 7.0.
- vCenter 6.5/6.7 – ELM is supported with the embedded PSC from vCenter 6.5 Update 2 and later. However, due to the end of support approaching on October 15 2022 for both vSphere 6.5 and 6.7, you should still consider upgrading to vCenter 7.0.
- Windows vCenter – Windows vCenter Servers are not supported with ELM or with vCenter 7.0. During the upgrade process, you can migrate all your configuration and historical data to the vCenter Server Appliance from the vCenter 7.0 upgrade UI.
- External PSC – The external PSC deployment model is not supported with vCenter 7.0. During the upgrade process, you can consolidate your external PSC(s) into the embedded model using the converge tool built into the vCenter 7.0 upgrade UI.
How to Configure Enhanced Linked Mode for Existing vCenter Server Appliances
If you have existing vCenter Server deployments in separate SSO domains, then you can still join the vCenter Servers together in Enhanced Linked Mode using the SSO command line utility.
First, confirm your vCenter Server instance is not already using Enhanced Linked Mode as part of an existing SSO domain:
- Log into the vSphere Client
- Select the vCenter Server (top level) from the inventory
- Click the Linked vCenter Server Systems tab
- If you cannot see this option, click the … icon to reveal more
- Review the list of linked vCenter Server systems
- If the list is blank, then ELM is not set up
The steps below will demonstrate repointing a source vCenter, not already in ELM, to an existing target SSO domain. You will need to amend the syntax with the following values:
- --src-emb-admin Administrator
  - The source SSO domain administrator, account name only. The default is administrator.
- --replication-partner-fqdn FQDN_of_destination_node
  - The Fully Qualified Domain Name (FQDN) of the target vCenter Server.
- --replication-partner-admin SSO_Admin_of_destination_node
  - The target SSO domain administrator, account name only. The default is administrator.
- --dest-domain-name destination_SSO_domain
  - The target SSO domain name, the default is vsphere.local.
Additionally, please note that:
- Whilst ELM is supported with vSphere 6.5 Update 2 and later, SSO domain repointing is only supported with vCenter 6.7 Update 1 onwards
- The command line utility requires the Fully Qualified Domain Name (FQDN) of the vCenter Server and will not work with the IP address
- The source vCenter Server is unavailable during domain repointing
- Ensure you have taken a file-based backup of the vCenter Server to protect against data loss
First, SSH onto the source vCenter Server. During the repointing exercise, you can migrate tags, categories, roles, and privileges.
Check for any conflicts between the source and destination vCenter Servers using the pre-check command:
cmsso-util domain-repoint -m pre-check --src-emb-admin Administrator --replication-partner-fqdn FQDN_of_destination_node --replication-partner-admin SSO_Admin_of_destination_node --dest-domain-name destination_SSO_domain
To migrate any data generated during pre-check, and repoint the vCenter Server to the target domain, run the execute command:
cmsso-util domain-repoint -m execute --src-emb-admin Administrator --dest-domain-name destination_SSO_domain
If you did not run the pre-check then run the full execute syntax:
cmsso-util domain-repoint -m execute --src-emb-admin Administrator --replication-partner-fqdn FQDN_of_destination_node --replication-partner-admin SSO_Admin_of_destination_node --dest-domain-name destination_SSO_domain
You can validate ELM using the Linked vCenter Server Systems view in the vSphere Client, outlined above. Alternatively, you can use the following command:
./vdcrepadmin -f showpartners -h FQDN_of_vCenter -u administrator -w SSO_Admin_Password
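The repointing commands above fail or misbehave when given an IP address or a `user@domain` style account, so it helps to validate the values before a maintenance window. The following is an added example, not part of the original article or of VMware's tooling: the function names and the sample host `vcsa02.corp.example` are assumptions, and the script only prints the `cmsso-util` command line built from the flags shown above.

```shell
#!/bin/sh
# Added example: check repoint inputs against the constraints listed in the
# article, then print the cmsso-util command. Function names are hypothetical.

# True for a dotted DNS name; false for IPv4/IPv6 literals and short names.
is_fqdn() {
  case $1 in
    ''|*[!A-Za-z0-9.-]*) return 1 ;;          # empty or non-DNS chars (':' in IPv6)
    .*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;   # malformed labels
    *.*) ;;                                   # at least two labels required
    *) return 1 ;;
  esac
  # An all-numeric last label means an IPv4 literal, which the utility rejects.
  case ${1##*.} in
    *[!0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# "Account name only": reject user@domain, DOMAIN\user and embedded spaces.
is_account_name() {
  case $1 in
    ''|*@*|*\\*|*" "*) return 1 ;;
  esac
  return 0
}

# $1 mode, $2 source admin, $3 target FQDN, $4 target admin, $5 target SSO domain
build_repoint_cmd() {
  case $1 in
    pre-check|execute) ;;
    *) echo "mode must be pre-check or execute" >&2; return 2 ;;
  esac
  is_account_name "$2" || { echo "source admin: account name only" >&2; return 3; }
  is_account_name "$4" || { echo "target admin: account name only" >&2; return 3; }
  is_fqdn "$3" || { echo "replication partner must be an FQDN, not an IP" >&2; return 4; }
  is_fqdn "$5" || { echo "SSO domain must be a dotted name, e.g. vsphere.local" >&2; return 5; }
  printf 'cmsso-util domain-repoint -m %s --src-emb-admin %s --replication-partner-fqdn %s --replication-partner-admin %s --dest-domain-name %s\n' \
    "$1" "$2" "$3" "$4" "$5"
}

# Constructed sample values; prints the pre-check command for review.
build_repoint_cmd pre-check Administrator vcsa02.corp.example administrator vsphere.local
```
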
How to Configure Enhanced Linked Mode with vCenter 7.0
To configure Enhanced Linked Mode, a vCenter Server with an existing SSO domain must already be in place. This may be through an existing vCenter in your environment, or by deploying one from scratch.
If you are deploying a greenfield environment then install vCenter Server as normal, creating a new SSO domain by default as part of the process.
Follow the process outlined below to configure Enhanced Linked Mode with your second, or further vCenter Servers in the environment.
- Follow stage 1 of the vCenter Server 7.0 install process as normal.
- Stage 1 deploys the appliance to your target host and datastore, and configures the appliance size and network settings.
- Once stage 1 is complete you are prompted to continue to stage 2.
- The SSO domain configuration is done during stage 2 configuration.
vCenter Server Stage 2 Install
- Click next. Verify the network, time, and SSH settings, click next again.
- On the SSO Configuration page change the default option from the new SSO domain, to join an existing SSO domain.
vCenter Server Join Existing SSO Domain
- Enter the details of the vCenter Server for the target SSO domain, along with the existing administrator password.
- Click next. Configure the Customer Experience Improvement Program (CEIP) accordingly and click next again.
- Review the settings and click finish to finalise the deployment.
- Once complete, log into vCenter Server as normal.
- You should now see the vCenter along with any linked vCenter Servers from the vSphere Client.
- You can further validate the ELM configuration by selecting the vCenter Server (top level) from the inventory and clicking the Linked vCenter Server Systems tab.
- The linked vCenter Servers will now be listed.
vCenter Server Configured Enhanced Linked Mode
Wrap Up
I hope that you enjoyed this article and that you now have a better idea of how to properly set up Enhanced Linked Mode in vCenter 7.0. If there are any questions, please let me know in the comments below.
9 thoughts on "Setting up Enhanced Linked Mode in vCenter 7.0"
Great article! I have two vCenter in different sites, so logging into one is quick but the other is slow.
This is due to setting a Primary and secondary DC in the ldap settings.
When we tried to use the auto select domain controller we got very random results.
Any ideas how you can set authentication properly with two vCenters in enhanced linked mode but not in the same Data Center and a bit of a network delay?
I did ask VMware and they said…. Not to use enhanced link mode! Great!
Hi there, from a vCenter point of view there isn’t much you can do.
However, my AD knowledge is a bit rusty but I’d hazard a guess at setting up AD sites so you can define which DC to query based on IP address?
https://activedirectoryfaq.com/2015/04/ad-sites-and-services-nltest-dsaddresstosite/