The Great Big Platform Services Controller Blog Post

This blog post attempts to collate all the details on the Platform Services Controller (PSC).

First and foremost, let's call out some things you can't do, so you don't read this whole post only to find out your use case isn't supported...


  • You CAN'T merge vSphere domains in vSphere 6.0. That is, if you have two vCenters with embedded (or external) PSCs that were deployed independently of one another, whether you used custom domain names or the default "vsphere.local" domain, they can't be merged into a single vSphere domain. [ref1]
  • You CAN'T migrate a vCenter Server from one vSphere domain to another. [ref1]
  • You CAN'T use Enhanced Linked Mode between two separate vCenters in separate domains, as Enhanced Linked Mode requires all PSCs to be in the same domain. [ref1]
  • Snapshots (a contentious one): if a PSC is replicating to other PSCs within the same site or across sites, rolling back to a previous snapshot is not supported, as it can leave a PSC out of sync with its sibling PSCs; this also applies to image-level backups. It does not apply to standalone PSCs. [ref1] [ref6] [ref7]


  • You CAN migrate from an embedded PSC to an external PSC. There are some considerations when converting: certificates, and integrated applications such as SRM, vRO and vRA, need reconfiguring/repointing at the new PSC. When you migrate to an external PSC you use the cmsso-util reconfigure command rather than the cmsso-util repoint command; using "reconfigure" decommissions the embedded PSC. [ref2]
  • You CAN repoint a vCenter Server to another PSC within the same site, providing of course that the PSC is in the same vSphere domain. [ref3]
  • You CAN repoint a vCenter Server in SSO site 1 to a PSC in SSO site 2, providing of course that both sites are members of the same vSphere domain! HOWEVER the pre-req for this is that vCenter Server is running 6.0 Update 1 or later. THIS FUNCTION HAS SINCE BEEN REMOVED IN VSPHERE 6.5, so this is only supported in versions from 6.0 U1 up to 6.5. Instructions on how to do this can be found in the references below. [ref4] In 6.5, or in 6.0 before U1, if no functional PSC instance is available in the same site as the vCenter, then you must deploy or install a new PSC instance in this site as a replication partner of a functional PSC instance from another site.

PSC Maximums

There's a great blog post by leading vCommunity legend William Lam on the PSC maximums in 6.5.

Those numbers vary slightly from those in 6.0:

                                                vSphere 6.0 [ref7]   vSphere 6.5 [ref8]
Maximum PSCs per vSphere domain                 8                    10
Maximum linked VCs                              10                   10
Maximum PSCs per site behind a load balancer    4                    4

Musing/Question: I've struggled to find the maximum number of sites within a vSphere domain listed in any VMware documentation; I'll update this blog if I find anything conclusive. Assuming at this point it's limited by the number of PSCs allowed in a vSphere domain.

PSC Replication Topologies

When considering a PSC design, there are six high-level PSC topologies VMware recommends:

  1. vCenter Server with Embedded PSC
  2. vCenter Server with External PSC
  3. PSC in Replicated Configuration
  4. PSC in HA Configuration
  5. vCenter Server Deployment Across Sites
  6. vCenter Server Deployment Across Sites with Load Balancer

VMware has provided a handy decision tree for those yet to make their deployment decision; shout out to @Emad_younis & @eck79. [ref9]


PSCs are multi-master, but the default replication topology for the PSC is one-to-one. Where more than two PSCs exist within a vSphere domain, the recommendation is to use a ring topology, which prevents a break in replication when a single PSC fails.

Jeff Green in his virtual data cave has a good blog post below, which is relevant for 6.0 & 6.5.

Expanding a little: in my example below, we have one vSphere (SSO) domain, two sites and three environments (Prod, Non-Prod & Development). Each environment has physical infrastructure at both sites for BCDR purposes, and each physical piece of infrastructure has a vCenter and a PSC. In this example a ring topology would look like the diagram below; two PSCs at the same site would need to fail in order to break replication.


Where PSC partner replication occurs over the WAN from site 1 to site 2, it would add further resilience if replication partners PSC1 & PSC4 were on a different circuit from PSC3 & PSC6; this would ensure replication continues in the event of a WAN circuit failure.

For example, if PSC2 fails, the VC can be repointed to either PSC1 or PSC3 within the same site while PSC2 is redeployed.


In addition, you could introduce load balancers into the environment and put all three PSCs behind the load balancer; this would avoid the manual repointing of a VC in the event of a PSC failure. This design would be more suited to environments that require a highly available VC.


If each environment was its own Active Directory domain, you could configure an identity source for each domain too (see below for more details), keeping all VCs in the same vSphere domain and minimising vSphere administration while simultaneously restricting access to environments by specific AD domain credentials.

Musing/Question: if both cross-site partners use the same circuit, what happens if the cross-site PSC replication can't occur? All PSCs will be up and replicating intra-site but not cross-site. Will a split-brain situation occur? If contradicting configurations are implemented at either site, which will take preference? I plan on creating this environment and testing; I'll provide the results in a future blog and update this blog for reference.

PSC Replication Topology

  • It now handles the storing and generation of the SSL certificates within your vSphere environment.
  • It now handles the storing and replication of your VMware licence keys.
  • It now handles the storing and replication of your permissions via the Global Permissions layer.
  • It now handles the storing and replication of your tags and categories.

Active Directory Trusts

Another good reference is which Microsoft Active Directory trusts are supported and can be used in vSphere SSO when using AD as an identity source. [ref10]

All PSCs should be joined to Active Directory. PSCs in the same vSphere domain can be joined to different Active Directory domains PROVIDED there is a trust relationship between those Active Directory domains. This will be relevant if you have a child Active Directory domain for different geographic locations (e.g. EMEA/AMER/APAC) or environments (e.g. prod/non-prod/dev), and a different vSphere site within the same vSphere domain for each of those locations.

PSC ports

The required ports for PSC communication are listed in the following references; if you have firewalls between PSC nodes or between PSCs & vCenters then these ports will need to be opened. [ref10] [ref11]

The following ports are listening on a VC with an embedded PSC and on a standalone external PSC:


PSC replication occurs over TCP ports 389 & 2012 and UDP 389 according to [ref11].

NOTE: In a real-world environment I have seen VCs that were upgraded from 5.5 to 6 with embedded PSCs replicating to each other over a WAN on 11712 & 11711 (with a firewall in between blocking 2012).

[ref11] shows ports 11712 & 11711 as legacy and for 5.5 backwards compatibility only; however, I did find a reference here that lists 11711 & 11712 as vmdir.


It may be the case that, as it was previously using 11711 & 11712 for replication, it continued to use these ports after the upgrade?

When migrating from the embedded PSC in VC 6 (updated from 5.5) to a newly deployed external PSC, replication only occurred over TCP ports 389 & 2012 and UDP 389 between the external PSCs.

Migrating a vCenter from an embedded PSC to an external PSC, the considerations?

With a plain vanilla install of vSphere, where you're only concerned with migrating to an external PSC, the process is relatively straightforward.

The process becomes a little more intricate when other VMware solutions are registered against the embedded PSC; these solutions will need to be repointed to the new external PSC.

The most common solutions likely configured to use a PSC are vRO, SRM, NSX & vRA; 3rd-party backup tools that plug into the vCenter may also have a separate configuration for the PSC. In a scenario where you want to decommission the embedded PSC, these solutions will need to be repointed to the external PSC. In my experience, the PSC that these solutions point to has to be the same PSC that the VC points to.

********Update 01.09.2017********

So at the Vegas 2017 VMworld there were some good discussions around the PSC that are definitely worth a watch!!


You can use the following command to repoint a VC from one external PSC to another external PSC:

cmsso-util repoint --repoint-psc externalPSC --username administrator --domain-name vsphere.local --passwd password

However, when migrating away from an embedded PSC, you want to use the following command, which demotes the embedded PSC and then repoints to the external PSC:

cmsso-util reconfigure --repoint-psc externalPSC --username administrator --domain-name vsphere.local --passwd password

Troubleshooting and commands

The following commands can be used to check and test PSC replication.

  1. Find out what vSphere site a PSC is in
  • VCSA

/usr/lib/vmware-vmafd/bin/vmafd-cli get-site-name --server-name localhost

  • Windows

"C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli" get-site-name --server-name localhost

  2. Find out the name of the vSphere domain
  • VCSA

/usr/lib/vmware-vmafd/bin/vmafd-cli get-domain --server-name localhost

  • Windows

"C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli" get-domain --server-name localhost

  3. Find out what PSC a vCenter is pointing to
  • VCSA

/usr/lib/vmware-vmafd/bin/vmafd-cli get-ls-location --server-name localhost

  • Windows

"C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli" get-ls-location --server-name localhost

  4. Show all Platform Services Controllers in the vSphere domain
  • VCSA

/usr/lib/vmware-vmdir/bin/vdcrepadmin -f showservers -h localhost -u administrator -w %password%

  • Windows

"%VMWARE_CIS_HOME%\vmdird\vdcrepadmin" -f showservers -h localhost -u administrator -w %password%

  5. Show the replication partners of a particular PSC
  • VCSA

/usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartners -h localhost -u administrator -w %password%

  • Windows

"%VMWARE_CIS_HOME%\vmdird\vdcrepadmin" -f showpartners -h localhost -u administrator -w %password%

  6. Show replication partner status
  • VCSA

/usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartnerstatus -h localhost -u administrator -w %password%

  • Windows

"%VMWARE_CIS_HOME%\vmdird\vdcrepadmin" -f showpartnerstatus -h localhost -u administrator -w %password%

  7. Create a PSC replication agreement
  • VCSA

/usr/lib/vmware-vmdir/bin/vdcrepadmin -f createagreement -2 -h sourcepscfqdn -H destinationpscfqdn -u administrator -w %password%

  • Windows

"%VMWARE_CIS_HOME%\vmdird\vdcrepadmin" -f createagreement -2 -h sourcepscfqdn -H destinationpscfqdn -u Administrator -w %password%

  8. Remove a PSC replication agreement
  • VCSA

/usr/lib/vmware-vmdir/bin/vdcrepadmin -f removeagreement -2 -h sourcepscfqdn -H destinationpscfqdn -u administrator -w %password%

  • Windows

"%VMWARE_CIS_HOME%\vmdird\vdcrepadmin" -f removeagreement -2 -h sourcepscfqdn -H destinationpscfqdn -u Administrator -w %password%
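Checking the showpartnerstatus output by hand across a ring of six PSCs gets tedious, so here is an added example (my own script, not from the post or from VMware) that parses that report and flags any partner that is unreachable or has fallen behind. The report field names ("Partner:", "Host available:", "Partner is N changes behind.") are assumed from the command's usual output, and the sample text is constructed, not captured from a real PSC.

```python
"""Parse 'vdcrepadmin -f showpartnerstatus' output and flag unhealthy partners."""
import re
import subprocess

# Constructed sample report: one healthy partner, one unreachable and lagging partner.
SAMPLE_OUTPUT = """\
Partner: psc1.site1.local
Host available: Yes
Status available: Yes
Partner is 0 changes behind.

Partner: psc4.site2.local
Host available: No
Status available: No
Partner is 706 changes behind.
"""

VCSA_VDCREPADMIN = "/usr/lib/vmware-vmdir/bin/vdcrepadmin"  # VCSA path from the post


def parse_partner_status(text):
    """Return one dict per 'Partner:' block in the report (field names assumed)."""
    partners, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Partner:"):
            current = {"partner": line.split(":", 1)[1].strip()}
            partners.append(current)
        elif current is None or not line:
            continue
        elif line.startswith("Host available:"):
            current["host_available"] = line.endswith("Yes")
        elif line.startswith("Status available:"):
            current["status_available"] = line.endswith("Yes")
        else:
            m = re.match(r"Partner is (\d+) changes behind", line)
            if m:
                current["changes_behind"] = int(m.group(1))
    return partners


def unhealthy_partners(partners, max_lag=0):
    """Names of partners that are unreachable or more than max_lag changes behind."""
    return [p["partner"] for p in partners
            if not p.get("host_available", False)
            or not p.get("status_available", False)
            or p.get("changes_behind", 0) > max_lag]


def check_local_psc(password, max_lag=0):
    """Run the real command on a VCSA PSC (as in the post) and report unhealthy partners."""
    out = subprocess.run([VCSA_VDCREPADMIN, "-f", "showpartnerstatus", "-h", "localhost",
                          "-u", "administrator", "-w", password],
                         capture_output=True, text=True, check=True).stdout
    return unhealthy_partners(parse_partner_status(out), max_lag)


if __name__ == "__main__":
    print(unhealthy_partners(parse_partner_status(SAMPLE_OUTPUT)))  # ['psc4.site2.local']
```

Run it on each PSC in the ring; a partner listed as unhealthy on both of its neighbours is the one to investigate (or redeploy, as described above).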

If you're having communication/replication problems with the PSC, perhaps because you have firewalls in your environment, then you can use the following tools to test port connectivity.

curl can act as a telnet client using the following command: [ref12]

curl -v telnet://mypsc.domain.local:443

You can install tcpdump and netcat on the VCSA using the following commands:



You can use the VDC Admin Tool to test LDAP connectivity, force replication, plus more...

You can find the tool here.






You can use JXplorer to browse LDAP using the following settings.



If you can't WinSCP into the VCSA you'll need to change the root shell:

chsh -s /bin/bash root

You can change the shell back by running:

chsh -s /bin/appliancesh root

If you want to remove a PSC from the environment because it has failed, you can use:

cmsso-util unregister --node-pnid PSCNAME.LOCAL.DOMAIN --username administrator@vsphere.local --passwd %password%

You can also use:

vdcleavefed -h PSCNAME.LOCAL.DOMAIN -u administrator -w %password%

The password for the root account of the VCSA expires after 365 days by default; to set it to never expire, run:

chage -M -1 -E -1 root

To change the password at the CLI, type:


Then confirm your new password.

You can find PSC-relevant logs in the following locations:






List of references by link














VCAP6-DCD Beta Exam Experience

It's been a week since I sat the VCAP6-DCD exam and I've been meaning to blog about it since. I'd say the number of people who've posted VCAP6-DCD experience blogs has already passed double figures, so if you've read them you're unlikely to get anything new from my post; we're also approaching the end of the beta period, so I'm not exactly sure how much use this post will be when the exam goes GA.

With that said, I feel I can add some value by providing some study material for those prepping to take the exam when it does go GA and also by providing some hope to those wanting to obtain VCIX status but are worried that their lack of design exposure may affect their chances of passing the VCAP6-DCD.

From what I can make out from Twitter & blog bios, nearly all who have sat the VCAP6-DCD beta are from an architecture background; I'm not. I'm an escalation engineer at VCE, so while my role is heavily VMware focused it's not design focused; I've been an ops guy for the majority of my career. That's not to say I haven't designed a VMware environment; I've implemented many out-of-the-box environments in my time which obviously have required design decisions, it's just those decisions have never manifested themselves the way VMware present them in the exam or, more importantly, I've never had to represent those decisions the way VMware would expect them to be presented in the exam!

I'd like to think I have a deep understanding of vSphere; I'm a VCAP5-DCA, a VCP4 & VCP5. I felt comfortable that my knowledge & understanding meant I wouldn't struggle on a technical level & the only thing I would probably struggle with would be implementing a design methodology & how to represent my designs & decisions the way VMware expects using the tool provided in the exam.

I've been interested in progressing to VCDX ever since I passed my VCAP5-DCA, so I've been looking into design methodologies such as TOGAF which I hoped would at least be of some assistance.

The exam was made up of 31 questions, a mixture of design questions & drag and drop. The design questions varied in complexity which of course meant they took varying times to complete.

At times I was frustrated by the limited instructions provided to complete a design task which meant with questions I could adequately answer in a real world scenario I wasn’t convinced that my representation would be marked as correct when it came to the exam.

This wasn’t down to limitations with the Visio style tool which I found functional & responsive all the way through the exam, it was my lack of exposure to design representation.

With that said, I completed the exam with 40 minutes to spare. I'm not the kind of guy to second-guess & finished the exam after ensuring I'd answered every question. I left feeling that the exam was passable; whether I've done enough this time around or whether I have to resit it I don't know.

I've yet to get my results & I won't until the DCD goes GA, so as yet I don't know if I've passed, but I'd say my score is likely to be in the high 200s or the low 300s (assuming they still mark VCAP exams out of 500).

Overall I really enjoyed the exam experience, what separates the VCAP from any other exams I’ve taken is there’s no real way to “guess” your way through, so there’s a real sense of achievement if you pass. I think this helps ensure you don’t cut corners when it comes to revision, you put in the hours and you become better at your job as a result… whether you pass or not!

I've detailed how I approached the exam in a separate blog post here; it's more of a reference guide than a study guide, but hopefully some of you may find this useful.

If anyone is reading this blog and thinking of taking any of the VCAP exams, I'd thoroughly encourage them to do so. I'm already studying for the VCAP6-NV Deploy exam (I'm hoping to become a VCIX-NV before the design requirement is added to the pre-reqs, lazy I know!)

After that I'm going for VCIX-CMA; I'm hoping to finish all of these by the end of 2016, a tad ambitious when I don't even know if I'm a VCIX6-DCV yet!!

I may end up being a bit Top Gear... ambitious but rubbish!!



VMware VCIX 6 Exam Details Released

Rejoice, details on the VCIX 6 exams for Data Centre Virtualization & Cloud have finally been released!

I'd originally held off sitting the VCAP-DCD 5 exam back in Feb 2015 (I'm already a VCAP-DCA holder) as the VCIX 6 exams were supposedly imminent; that wait is finally over and study can begin in earnest.

Details of the beta have been posted on VMware's blog site in 3 parts here:

Part 1 –

Part 2 –

Part 3 –

Exam registration is expected early to mid-January with first beta appointments in late January.

However, questions still remain on the prerequisites for the VCIX/VCAP6 exams.

It isn't clear whether VCAP5 holders can jump straight into upgrading to VCIX, or whether they first need to sit and pass the VCP6 exam.

Blog post part 2 states the following:

“From VCAP5 Administration to VCIX6 → Earn the VCAP6 Design certification by passing the VCAP6 Design Exam”

“From VCAP5 Design to VCIX6 → Earn the VCAP6 Deployment certification by passing the VCAP6 Deployment Exam (lab)”

However, the official exam guide states:

“Candidates are required to obtain a valid VMware Certified Professional 6 certification prior to attempting this certification”

Personally I feel the VCP6 cert should only be a pre-req for non-VCAP holders; hopefully when the new VCIX sites go live things will become clearer...

For now, I’m concentrating on bringing up my lab & study, I’ll update this blog when the prerequisites become a little clearer…