[Full Guide] How to Change vCenter SSO Domain and Fix the Common Issues
Are you looking to change the domain for your vCenter Single Sign-On (SSO)? This page provides a quick and easy overview of the key considerations and steps involved in this process. So let's dive in and make this process a success.
What is vCenter single sign-on domain
The vCenter SSO (Single Sign-On) domain is an important component of a VMware vCenter Server environment that is used for authentication and authorization. A vCenter SSO domain is a set of users, groups, and solution users (such as the vSphere Web Client and vSphere Update Manager) that have the privileges needed to perform specific actions in a vCenter Server environment.
The vCenter SSO domain is created by configuring and managing users and groups in the VMware Identity Management Service (IDM). It also provides a way to share authentication information across multiple vCenter Server instances and other VMware solutions, allowing users to authenticate once and access multiple VMware products and services.
In the vCenter Server environment, the vCenter SSO domain also provides additional functions, such as:
- Support for multiple identity providers (Active Directory, LDAP, or local IDP…)
- Support for multiple domains and forests.
- Support for multiple organizations and tenants.
Reasons for changing the vCenter SSO domain
There can be various reasons for changing a vCenter Single Sign-On (SSO) domain. The following are common situations encountered in operations:
- Organizational consolidation: When two or more organizations merge, it may be necessary to consolidate their domains into a new domain. In this case, the vCenter SSO domain will need to be changed to align with the new domain.
- Domain name change: Organizations may change the name of their domain, for example to comply with corporate naming conventions or because of a change in their Internet domain name. In this case, the vCenter SSO domain will need to be changed to reflect the new domain name.
- Security requirements: Security requirements may call for changes to the vCenter SSO domain, such as updating the information in vCenter SSO when a user in the domain changes his or her password.
- Moving to the cloud: When an organization migrates a VMware vSphere environment to the cloud, the vCenter SSO domain may need to be changed to reflect the new cloud domain.
That is to say, the reasons for changing the vCenter SSO domain are usually related to organizational structure, security requirements, or infrastructure changes. Regardless of the reason, changing the vCenter SSO domain is necessary to ensure the stability and security of the vSphere environment.
How to change vCenter domain name and SSO
Changing the vCenter SSO domain is a complex operation that involves key authentication and access control mechanisms in the system. Therefore, it is critical to ensure that the implications and steps are fully understood before performing this operation. Next, I will show how to change the vCenter domain name and how to change the SSO domain.
Steps to change vCenter domain name
1. Log in to vCenter Server Management with root credentials at https://VC_FQDN:5480, then navigate to Networking >> Network Setting >> Edit.
2. Select NIC 0, and click Next. Then change the hostname and click NEXT.
3. Enter the administrator credentials and click NEXT. Then review the settings on the final summary page and click FINISH.
Steps to change vCenter single sign-on domain
1. First, connect to the administration interface of the VCSA via https://ip_of_vcsa:5480 and log in with the root account and password. Then navigate to Access >> Edit.
2. Input the Timeout value for the BASH Shell, and click Enable SSH Login and Enable BASH Shell.
3. Log in to VCSA appliance via a PuTTY client. Then type shell to access the BASH Shell.
4. Enter the command cmsso-util and press Enter, and it will show the various options that are available for repointing or reconfiguring the SSO domain.
5. Launch the following precheck command to review any conflicts.
cmsso-util domain-repoint -m pre-check --src-emb-admin Administrator --replication-partner-fqdn FQDN_of_destination_node --replication-partner-admin PSC_Admin_of_destination_node --dest-domain-name destination_PSC_domain
6. Enter the administrator’s password twice, once for the source vCenter Server and once for the destination vCenter Server. Then validate by typing Y.
7. After the precheck, use the execute option to do the operation.
cmsso-util domain-repoint -m execute --src-emb-admin Administrator --replication-partner-fqdn vcsaphoton.lab.local --replication-partner-admin Administrator --dest-domain-name vsphere.local
8. Connect to your vCenter Server and select Menu >> Global Inventory Lists and the second vCenter Server will be displayed here.
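An added example, not part of the original guide or of VMware's tooling: a small shell wrapper for steps 5 to 7 that runs the pre-check and the execute with one identical parameter set and refuses to execute when the pre-check fails. The function names and the CMSSO_UTIL override are hypothetical, and it assumes cmsso-util exits non-zero when the pre-check reports a problem.

```shell
#!/bin/sh
# Added example: pre-check and execute share one parameter set.
# Lab values taken from step 7; replace them for your environment.
SRC_ADMIN="Administrator"
PARTNER_FQDN="vcsaphoton.lab.local"
PARTNER_ADMIN="Administrator"
DEST_DOMAIN="vsphere.local"
# Assumption: CMSSO_UTIL lets the binary be swapped for a stub when testing.
CMSSO_UTIL="${CMSSO_UTIL:-cmsso-util}"

# Accept only dotted DNS-style names made of letters, digits and hyphens.
valid_name() {
    case "$1" in
        ""|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
        *[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run cmsso-util domain-repoint in mode $1 with the shared parameters.
repoint() {
    "$CMSSO_UTIL" domain-repoint -m "$1" \
        --src-emb-admin "$SRC_ADMIN" \
        --replication-partner-fqdn "$PARTNER_FQDN" \
        --replication-partner-admin "$PARTNER_ADMIN" \
        --dest-domain-name "$DEST_DOMAIN"
}

# Pre-check first; execute only if it succeeded and $1 is "Y".
# Return codes: 2 bad input, 3 pre-check failed, 4 execute not confirmed.
guarded_repoint() {
    valid_name "$PARTNER_FQDN" || { echo "bad partner FQDN" >&2; return 2; }
    valid_name "$DEST_DOMAIN"  || { echo "bad destination domain" >&2; return 2; }
    # Assumption: a failed pre-check makes cmsso-util exit non-zero.
    repoint pre-check || { echo "pre-check failed, not executing" >&2; return 3; }
    [ "$1" = "Y" ] || { echo "pre-check passed, execute skipped" >&2; return 4; }
    repoint execute
}
```

Source the file in the VCSA BASH Shell and call guarded_repoint with no argument to run only the pre-check; after reviewing its output, call guarded_repoint Y to re-run the pre-check and then execute.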
Common issues when changing vCenter SSO domain and how to fix
There are several common issues that can arise when changing vCenter SSO domain, and here are some potential solutions:
1. Connectivity issues: After changing the SSO domain name, vCenter Server may not be able to communicate with other components such as ESXi hosts and vSphere clients. In this case, check network connectivity and firewall settings to ensure that traffic is allowed between the components.
2. Certificate errors: Changing the SSO domain name can cause certificate errors to occur. This can happen if the new SSO domain uses a different SSL certificate than the old one. To fix this, you may need to update the SSL certificate on the vCenter Server and all associated components.
3. Authentication issues: Users may experience domain authentication issues after the SSO domain name is changed. This can happen if user accounts are not properly migrated to the new SSO domain. To fix this, ensure that all user accounts have been properly migrated to the new SSO domain and that they have the necessary permissions.
4. Licensing issues: Changing the SSO domain name can cause licensing issues if the new domain is not recognized by your licensing server. To fix this, contact VMware support to update your license key.
5. Database issues: If the vCenter database is not updated to reflect the new SSO domain name, you may experience issues with database connectivity and performance. To fix this, update the vCenter database schema using the provided scripts.
6. Data loss: After changing the vCenter SSO domain, you may find that user data is lost. This may be due to an error in the process of changing the domain, causing the user data to be deleted. The solution to this issue is to restore the user data from a backup or try to recover it using recovery software.
Efficient VM backup for vCenter server
During the process of changing the vCenter SSO domain, we have highlighted the importance of backups. Data backups are a key measure to ensure that data integrity and recoverability are maintained during any operation. Whether you change vCenter SSO domains or make other important system changes, always keep in mind that backing up your data is the best way to protect your organization's important information.
Here I introduce a VMware backup software, AOMEI Cyber Backup. It supports VMware vSphere 6.0 to 8.0 and enables you to back up multiple VMs in 4 simple steps. It also offers the following benefits:
◇ Agentless Backup: Create complete and independent image-level backup for VMware ESXi and Hyper-V VMs.
◇ Flexible vSphere Backup: Batch backup large numbers of VMs managed by vCenter Server, or multiple VMs on a standalone ESXi host.
◇ Multiple Storage Destinations: Backup to local drive, or network destinations like Windows share or NAS.
◇ Automated Execution: Schedule to automate backups daily, weekly, or monthly with email notifications.
◇ Role Assignment: Allows one administrator to create sub-accounts with limited privileges.
AOMEI Cyber Backup supports VMware ESXi 6.0 and later versions.
*You can choose to install this VM backup software on either Windows or Linux system.
Step 1. Bind Device: Access the AOMEI Cyber Backup web client, select Source Device, and click VMware >> +Add VMware Device. Then choose Add vCenter or Standalone ESXi to add a host, and click … to Bind Device.
Step 2. Create Backup Task: Navigate to Backup Task and Create New Task. Then select VMware ESXi Backup for Backup Type. After that, set the Task Name, Device, Target, Schedule and Cleanup according to your need.
Step 3. Run Backup: Click Start Backup and choose Add the schedule and start backup now or Add the schedule only.
Step 4. Restore Task: When backup tasks are completed, it’s simple to restore your virtual machines to another place now. Navigate to Start Restore, you can change restore location here to create a new VM to another datastore or host.
Changing a vCenter SSO domain can be a complex and sensitive process, but with proper planning and careful execution, you can complete this operation successfully. I emphasized the importance of making adequate backups prior to changing vCenter SSO domains, because virtual machine backups are key to protecting the integrity of your data and to recovering in the event of an unforeseen situation.
After reading this article, you should have a clear understanding of how to change the vCenter SSO domain and the basic knowledge to implement these changes.