Reconfigure Embedded vCenter to External PSC

Prior to vSphere 6.0 U1 it was only possible to repoint vCenter Server which was deployed with external PSC to another PSC in same SSO domain. With vSphere 6.0U1, you can now reconfigure embedded vCenter server deployment to an external deployment.

Components of PSC which resides in embedded node are demoted and the repoints vCenter server to an external PSC node which resides in the same Single Sign On (SSO) domain as the source embedded node.

VMware made it possible by introducing an utility named cmsso-util and there are two main uses for cmsso-util:


  • Reconfigure is used when you want to point your vCenter server from embedded PSC to an externally deployed PSC.
  • The source and target PSC should be in same SSO domain.


  • This is used when a vCenter is deployed with external PSC and you have one more external PSC and you want to move vCenter from source PSC to target PSC.
  • The target PSC node must be a replication member in the same SSO domain as the original PSC.

Note: You cannot repoint a VC node to a PSC node in a different SSO domain.

This post is focused on using the reconfigure option for the embedded deployment. If you are new to repoint thing, you can check out my previous blog posts:

How to repoint vCenter Server 6.x between External PSC within a site

Repointing vCenter Server 6.0 to External PSC’s across sites

Lab Setup:

I have one vCenter server (vcentersrv05) with embedded psc and I have one external PSC which is in same sso domain/site as the embedded PSC. Also both vCenter server and external PSC have been joined to AD domain alex.local.

SSO domain name is alexlab.local. I have verified that health status of both vCenter and PSC node is good.


Reconfigure using cmsso-util

VMware KB-2148924 outlines the steps for this process.

Note: The reconfiguration of a vCenter Server  is a one-way process so take snapshots of the external PSC node and the vCenter server you are doing the reconfigure operation. Better safe than sorry.

Step 1: Login to the vCenter Server Appliance as root user using SSH.

Step 2: Run this command to verify that all PSC services are running:

# service-control –status –all

Step 3: Run this command for reconfigure operation:

# /bin/cmsso-util reconfigure –repoint-psc psc_fqdn –username administrator –domain-name domain_name –passwd password

For example:

#/bin/cmsso-util reconfigure –repoint-psc psc05.alex.local –username administrator –domain-name alexlab.local –passwd SSO-Admin-Pwd

If all goes well then you should see a message similar to:


Step 4: Login to the vCenter Server instance by using the vSphere Web Client and verify that the vCenter Server is running and can be managed.

Also verify the PSC where your vCenter server is pointing to.


Regenerate Certificates

Once vCenter has been reconfigured to use the new PSC, We have to regenerate certificates as the certificates that was issues by old psc is now non-existent. In my lab I am not using any complex setup for certs and all certs are issued by VMCA.

In vCSA certificates can be managed using the Certificate-Manager utility:  /usr/lib/vmware-vmca/bin/certificate-manager 

I ran the certificate-manager utility and selected option 3 to replace the machine SSL certificate with a VMCA certificate. The process immediately failed after entering in the administrator credential:

Searched google and came across VMware KB-2133028 which explains about the issue. From that KB cause of issue is

This issue occurs because vCenter Server still contains the decommissioned VMCA’s Root certificate, causing the certificate-manager utility to believe it is still an embedded node.

To fix the issue move the old certificate and retry certificate generation: mv /var/lib/vmware/vmca/root.cer /var/lib/vmware/vmca/root.bkp

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable 🙂