In this post we will learn how to repoint a vCenter Server with an external PSC to a new PSC. Before doing that, let's first understand PSC high availability.

As we know with vSphere 6.0, VMware introduced the concept of PSC. PSC deals with identity management for administrators and applications that interact with the vSphere platform. PSC contains common infrastructure services such as vCenter Single Sign-On (SSO), VMware Certificate Authority (VMCA) and licensing etc.

To know more about PSC, please read VMware KB-2113115.

Since these important services live within the PSC, it is very important to ensure 100% availability of the PSC server. A PSC can be made highly available by deploying 2 nodes and then configuring a load balancer for the 2 nodes so that in case of failure, connections can be switched to the other node.

Now what if you don’t have a load balancer available to configure failover? Don’t be disheartened, as VMware has a solution for this too. The idea is to deploy one PSC node, configure the domain etc. on your first PSC, and then deploy the second PSC in the same domain and same site as your first PSC.

Instructions for doing so have been laid out in this article.

The only disadvantage of not having a load balancer is that in case of an active PSC node failure, the failover does not happen automatically and you have to manually repoint your vCenter Server to the other PSC node.

Even with a load balancer for PSC HA, you are not actually getting true load balancing. William has explained this nicely in his blog post. I was really surprised to read about the load balancer’s affinity to just a single PSC node.

Limitation with PSC repointing feature

Prior to 6.0U1, you had the ability to repoint a VC node to another PSC within the same vSphere SSO site.

With 6.0 U1, some more options were made available to users. These options are:

  • Reconfigure an embedded deployment to an external deployment
  • Repoint the VC node in an external deployment to another PSC within the same SSO domain, whether it is in the same site or not

With vSphere 6.0 U2, the limitation for repointing a VC node to another PSC is still within the same vSphere SSO domain.

In vSphere 6.5 the ability to repoint a VC server to a PSC in another vSphere SSO site is not supported. See this post for details

It means that if you are running vSphere 6.5 or a build prior to vSphere 6.0 U1, you can’t repoint vCenter between PSCs which are in the same domain but a different site.

Things to know before going ahead with vCenter repointing

Which PSC is my vCenter Server pointing to?

There are 2 ways of finding out.

1: Using vmafd-cli command as shown below:

vcentersrv02:~ # /usr/lib/vmware-vmafd/bin/vmafd-cli get-ls-location --server-name localhost


2: From vCenter Web-Client

In Web Client select your vCenter server from vCenter inventory list and navigate to Manage > Advanced Settings and search for string “config.vpxd.sso.admin.uri” 


What is the sso site name?

If you have many PSCs and vCenters deployed in your environment and each PSC/vCenter has its own domain/site name, then it is very difficult to remember these details. The SSO site name can be retrieved by running the command below:

vcentersrv02:~ # /usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost



Finding all deployed PSCs

If you need to locate all available PSCs in your environment, you have a couple of options, i.e. via the command line and via the Web Client.

In Web Client navigate to Home > Administration > System Configuration > Nodes

It will list all deployed PSCs and vCenter Servers.


SSH to one of your PSC nodes and run the command below:

psc02:~ # /usr/lib/vmware-vmdir/bin/vdcrepadmin -f showservers -h psc02.alex.local -u administrator -w psc-administrator-passwd



There are a few other methods of finding this info. William Lam has mentioned those methods in his blog here.

Find PSC’s replication partner and replication status

To find out which other PSCs your PSC is replicating with, use the command below:

psc02:~ # /usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartners -h psc02.alex.local -u administrator -w psc-administrator-passwd


psc02:~ # /usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartners -h psc03.alex.local -u administrator -w psc-administrator-passwd


Verify that replication is healthy between the replicating PSCs:

psc02:~ # /usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartnerstatus -h localhost -u administrator -w psc-administrator-passwd

Partner: psc03.alex.local
Host available: Yes
Status available: Yes
My last change number: 1300
Partner has seen my change number: 1300
Partner is 0 changes behind.

psc03:~ # /usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartnerstatus -h localhost -u administrator -w psc-administrator-passwd

Partner: psc02.alex.local
Host available: Yes
Status available: Yes
My last change number: 4186
Partner has seen my change number: 4186
Partner is 0 changes behind.
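
The health check above can be scripted so that a repoint only goes ahead when every partner is reachable and has no pending changes. This is an added example, not part of the original post or of VMware's tooling; the function names are hypothetical and the parser assumes the showpartnerstatus output format shown above.

```shell
# Gate a repoint on replication health. Names here are hypothetical; the
# parsed format is the showpartnerstatus output shown above.
# Reads that output on stdin, prints one line per unhealthy partner, and
# returns 0 only if every partner is reachable and fully caught up.
check_partner_status() {
    awk '
        function report() {
            if (partner == "") return
            seen++
            if (host != "Yes" || status != "Yes" || behind != 0) {
                printf "UNHEALTHY %s host=%s status=%s behind=%s\n",
                       partner, host, status, behind
                bad = 1
            }
        }
        /^Partner: /          { report(); partner = $2; host = status = behind = "?" }
        /^Host available: /   { host = $3 }
        /^Status available: / { status = $3 }
        /^Partner is [0-9]+ changes behind/ { behind = $3 + 0 }
        END {
            report()
            if (seen == 0) { print "UNHEALTHY no partner records parsed"; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed samples: healthy mirrors the output above; lagging is made up.
sample_healthy='Partner: psc03.alex.local
Host available: Yes
Status available: Yes
My last change number: 1300
Partner has seen my change number: 1300
Partner is 0 changes behind.'

sample_lagging='Partner: psc03.alex.local
Host available: Yes
Status available: Yes
My last change number: 1300
Partner has seen my change number: 1288
Partner is 12 changes behind.'

# $1 = captured output; on a PSC, capture it from the showpartnerstatus command.
safe_to_repoint() { printf '%s\n' "$1" | check_partner_status; }

for s in "$sample_healthy" "$sample_lagging"; do
    if safe_to_repoint "$s"; then echo "OK to repoint"; else echo "do NOT repoint yet"; fi
done
```

Empty or unparseable input is treated as unhealthy, so a failed or unauthenticated vdcrepadmin call blocks the repoint instead of passing silently.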

Now we have all the data we need in hand. We can move forward with repointing the vCenter Server from one PSC to the other.

In my lab my vCenter server is currently pointing to psc02.alex.local and I am trying to repoint it to psc02.alex.local

Note: This method is only applicable to vCenter with external PSC

vcentersrv02:~ # /usr/lib/vmware-vmafd/bin/vmafd-cli set-dc-name --server-name localhost --dc-name psc03.alex.local

After running the above command, please restart VC services:


Verify that your vCenter server is now pointing to the new PSC

vcentersrv02:~ # /usr/lib/vmware-vmafd/bin/vmafd-cli get-ls-location --server-name localhost


And that’s it. Easy enough? 


Posted in: vSphere 6.X.
Last Modified: August 11, 2017
