Backing up and restoring the VMware vCenter Single Sign-On 5.5 configuration

Article ID: 335945


Products

VMware vCenter Server

Issue/Introduction

This article provides information and steps for backing up and restoring the vCenter Single Sign-On (SSO) 5.5 configuration.

For more information, see the vSphere 5.5 documentation. The documentation contains definitive information. If there is a discrepancy between the documentation and this article, assume that the documentation is correct.

Environment

VMware vCenter Server 5.5.x

Resolution

If your vCenter SSO single node or primary node instance is corrupted, you can restore a backup to ensure continued vSphere access for vCenter Server and vCenter Server components.

Back up the vCenter SSO configuration in these circumstances:
  • After you install, update, or change the location of a vCenter SSO instance.
  • Before the vCenter Server virtual machine is restored from a snapshot.
  • Before the vCenter Server virtual machine is installed from a backup of the database from a prior vCenter Server instance.

Backing up a vCenter SSO 5.5 configuration

To manually back up a vCenter SSO 5.5 configuration:
Note: This procedure modifies the Windows registry. Before making any registry modifications, ensure that you have a current and valid backup of the registry and the virtual machine. For more information on backing up and restoring the registry, see the Microsoft Knowledge Base article 136393.
Note: The preceding link was correct as of April 7, 2015. If you find the link is broken, provide feedback and a VMware employee will update the link.
  1. Gather a log bundle from vCenter SSO:

    1. Go to Programs > VMware.
    2. Right-click Generate vCenter Single Sign-On log bundle and click Run as administrator.

      Note: This generates a log bundle on the desktop of the user logged into the vCenter SSO server. To redirect where the log bundle is to be generated, execute this script from an elevated command prompt, replacing <Absolute Path_To_Folder> with your preferred path:

      cscript "C:\Program Files\VMware\Infrastructure\VMware\cis\vmware-sso\vm-support\sso-support.wsf" /s:<Absolute Path_To_Folder>

  2. Back up associated Windows registry keys:

    1. Click Start > Run, type regedit, and press Enter. The Registry Editor window opens.
    2. Back up this registry folder:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VMwareDirectoryService

  3. Back up SSL certificates, certificate server data, and KDC data folders:

    1. To back up the SSL certificates, back up the C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf folder and its contents.

    2. To back up the certificate server data, back up the C:\ProgramData\VMware\CIS\data\vmca folder and its contents.

    3. To back up the KDC data, back up these folders and their contents:

      • C:\ProgramData\VMware\CIS\cfg\vmkdcd
      • C:\ProgramData\MIT\Kerberos5

  4. Back up the VMware Directory Service (VMdir) database:

    1. Open a command prompt. For more information, see Opening a command or shell prompt (1003892).
    2. Create a new directory to store the database backup by running the command:

      mkdir C:\MDBBackup

    3. Change directory to C:\Program Files\VMware\Infrastructure\VMware\CIS\vmdird by running the command:

      cd C:\Program Files\VMware\Infrastructure\VMware\CIS\vmdird

    4. Run the vdcbackup command to back up the database. For example:

      vdcbackup C:\ProgramData\VMware\cis\data\vmdird C:\MDBBackup

      Note: This command creates a copy of the data.mdb and lock.mdb files and places them in the C:\MDBBackup directory.

    5. Back up the MDBBackup folder where the copies of the two database files were stored.
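
Steps 2 to 4 above collected into one PowerShell script, as an added example that is not VMware code. It assumes PowerShell 4.0 or later in an elevated session; the destination D:\SSOBackup and the file names VMwareDirectoryService.reg and manifest.csv are hypothetical.

```powershell
#Requires -Version 4.0
#Requires -RunAsAdministrator
# Added example, not VMware code. $Dest and the output file names are assumptions.
$ErrorActionPreference = 'Stop'

$Dest = 'D:\SSOBackup\{0:yyyyMMdd-HHmmss}' -f (Get-Date)   # hypothetical destination
New-Item -ItemType Directory -Path $Dest | Out-Null

# The copied folders hold SSO certificate and KDC data, so limit the backup folder
# to Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18) before anything lands in it.
& icacls.exe $Dest /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Step 2: export the VMwareDirectoryService registry key.
$key = 'HKLM\SYSTEM\CurrentControlSet\services\VMwareDirectoryService'
& reg.exe export $key (Join-Path $Dest 'VMwareDirectoryService.reg') /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# Step 3: copy the SSL certificate, certificate server and KDC folders.
$folders = [ordered]@{
    conf      = 'C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf'
    vmca      = 'C:\ProgramData\VMware\CIS\data\vmca'
    vmkdcd    = 'C:\ProgramData\VMware\CIS\cfg\vmkdcd'
    Kerberos5 = 'C:\ProgramData\MIT\Kerberos5'
}
foreach ($name in $folders.Keys) {
    & robocopy.exe $folders[$name] (Join-Path $Dest $name) /E /R:1 /W:1 | Out-Null
    # robocopy exit codes below 8 are success; 8 and above mean a copy failure.
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed for $name (exit code $LASTEXITCODE)" }
}

# Step 4: copy the VMdir database with vdcbackup and confirm both files exist.
$mdb = Join-Path $Dest 'MDBBackup'
New-Item -ItemType Directory -Path $mdb | Out-Null
Push-Location 'C:\Program Files\VMware\Infrastructure\VMware\CIS\vmdird'
try { & .\vdcbackup 'C:\ProgramData\VMware\cis\data\vmdird' $mdb } finally { Pop-Location }
foreach ($f in 'data.mdb', 'lock.mdb') {
    if (-not (Test-Path (Join-Path $mdb $f))) { throw "vdcbackup did not produce $f" }
}

# Record SHA-256 hashes so the files can be checked for changes before a restore.
$hashes = Get-ChildItem -Path $Dest -Recurse -File | Get-FileHash -Algorithm SHA256
$hashes | Select-Object Hash, Path | Export-Csv (Join-Path $Dest 'manifest.csv') -NoTypeInformation
```

Keep a copy of manifest.csv somewhere other than the backup folder, so the hashes can be compared against the files before they are restored.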

Restoring the vCenter SSO 5.5 configuration

Restoring from a full operating system-level vCenter Server 5.5 backup

This procedure manually restores a vCenter SSO single node or primary node instance from a full operating system-level vCenter Server 5.5 backup.

Prerequisites
  • Restore the vCenter Server 5.5 system from backup according to vendor best practices.
  • Shut down the corrupt vCenter Server system after completing the steps in the Backing up a vCenter SSO 5.5 configuration section.
To manually restore from a full operating system-level vCenter Server 5.5 backup:
  1. Stop all SSO services on the restored vCenter Server system in this order:

    1. VMware Secure Token Service
    2. VMware Identity Management Service
    3. VMware Certificate Service
    4. VMware Kdc Service
    5. VMware Directory Service

    Note: For more information, see Stopping, starting, or restarting vCenter services (1003895).

  2. Restore the VMware Directory Service (VMdir) database:

    1. Ensure the VMware Directory Service is stopped.
    2. Navigate to the VMdir directory (located at C:\ProgramData\VMware\cis\data\vmdird).
    3. Copy the backed up data.mdb and lock.mdb files to the VMdir directory.

  3. In a Multisite SSO deployment, run VMdir in restore mode to allow it to import the database files and replicate with the other nodes:

    1. Open a command prompt. For more information, see Opening a command or shell prompt (1003892).
    2. Change directory to C:\Program Files\VMware\Infrastructure\VMware\CIS\vmdird by running the command:

      cd C:\Program Files\VMware\Infrastructure\VMware\CIS\vmdird

    3. Start the restore operation by running the command:

      vmdird.exe -c -m restore

      This command starts the VMware Directory Service (VMdir) in restore mode. The VMdir process terminates when the restore is complete.

  4. Start all SSO services on the restored vCenter Server system in this order:

    1. VMware Directory Service
    2. VMware Kdc Service
    3. VMware Certificate Service
    4. VMware Identity Management Service
    5. VMware Secure Token Service

    Note: For more information, see Stopping, starting, or restarting vCenter services (1003895).

Restoring from a vCenter Server 5.5 database backup

This procedure manually restores a vCenter SSO single node or primary node instance from a database backup.

Prerequisites
  • Prepare a host machine for the restored vCenter SSO instance. The host machine can be a physical machine or a virtual machine and must satisfy the hardware requirements for vCenter SSO. For more information, see the Hardware Requirements for vCenter Server, vCenter Single Sign-On, vSphere Client, and vSphere Web Client section of the vSphere Upgrade Guide.
  • Download the vCenter Server installer from VMware Downloads to the new host machine.
  • Give the new host machine the same name as the failed SSO instance.

To manually restore from a database backup:

Note: This procedure modifies the Windows registry. Before making any registry modifications, ensure that you have a current and valid backup of the registry and the virtual machine. For more information on backing up and restoring the registry, see the Microsoft Knowledge Base article 136393.
Note: The preceding link was correct as of April 7, 2015. If you find the link is broken, provide feedback and a VMware employee will update the link.
  1. Install only SSO 5.5.x on a fresh virtual machine as per the Prerequisites section.
  2. Stop all SSO services on the restored vCenter Server system in this order:

    1. VMware Secure Token Service
    2. VMware Identity Management Service
    3. VMware Certificate Service
    4. VMware Kdc Service
    5. VMware Directory Service

    Note: For more information, see Stopping, starting, or restarting vCenter services (1003895).

  3. Restore the VMwareDirectoryService registry folder:

    1. Click Start > Run, type regedit, and press Enter. The Registry Editor window opens.
    2. Click File > Import and select the backup key.

  4. Restore the SSL certificates by restoring the backup copy of the conf folder and its contents to this directory:

    C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf

  5. Restore the Certificate server data by restoring the backup copy of the vmca folder and its contents to this directory:

    C:\ProgramData\VMware\CIS\data\vmca

  6. Restore the KDC data by restoring the backup copy of the vmkdcd and Kerberos5 folders and their contents to these directories:

    • C:\ProgramData\VMware\CIS\cfg\vmkdcd
    • C:\ProgramData\MIT\Kerberos5

  7. Restore the VMware Directory Service (VMdir) database:

    1. Ensure that the VMware Directory Service is stopped.
    2. Navigate to the VMdir directory (located at C:\ProgramData\VMware\cis\data\vmdird).
    3. Copy the backed up data.mdb and lock.mdb files to the VMdir directory.

  8. In a Multisite SSO deployment, run VMdir in restore mode to allow it to import the database files and replicate with the other nodes:

    1. Open a command prompt. For more information, see Opening a command or shell prompt (1003892).
    2. Change directory to C:\Program Files\VMware\Infrastructure\VMware\CIS\vmdird by running the command:

      cd C:\Program Files\VMware\Infrastructure\VMware\CIS\vmdird

    3. Start the restore operation by running the command:

      vmdird.exe -c -m restore

      This command starts the VMware Directory Service (VMdir) in restore mode. The VMdir process terminates when the restore is complete.

  9. Start all SSO services on the restored vCenter Server system in this order:

    1. VMware Directory Service
    2. VMware Kdc Service
    3. VMware Certificate Service
    4. VMware Identity Management Service
    5. VMware Secure Token Service

    Note: For more information, see Stopping, starting, or restarting vCenter services (1003895).

  10. Continue with the installation of vSphere 5.5.
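
The service ordering and VMdir database steps that both restore procedures above share, as an added PowerShell example that is not VMware code. It assumes the service names listed in this article are the Windows display names and that it runs from an elevated prompt; the function names and the backup path in the usage comment are hypothetical.

```powershell
#Requires -Version 3.0
# Added example, not VMware code. Assumes the service names in the article are the
# Windows display names; function names and the sample path are hypothetical.
$ErrorActionPreference = 'Stop'

# Stop order from the article; the start order is the exact reverse.
$StopOrder = @(
    'VMware Secure Token Service'
    'VMware Identity Management Service'
    'VMware Certificate Service'
    'VMware Kdc Service'
    'VMware Directory Service'
)
$VmdirData = 'C:\ProgramData\VMware\cis\data\vmdird'
$VmdirBin  = 'C:\Program Files\VMware\Infrastructure\VMware\CIS\vmdird'

function Set-SsoServices([string[]] $Order, [string] $Target) {
    foreach ($name in $Order) {
        $svc = Get-Service -DisplayName $name        # errors out if the service is missing
        if ($Target -eq 'Stopped') { Stop-Service -InputObject $svc -Force }
        else                       { Start-Service -InputObject $svc }
        $svc.WaitForStatus($Target, [TimeSpan]::FromMinutes(5))
    }
}

function Restore-VmdirDatabase([string] $MdbBackup, [switch] $Multisite, [string] $Usn) {
    # Refuse to overwrite the database while VMdir is still running.
    if ((Get-Service -DisplayName 'VMware Directory Service').Status -ne 'Stopped') {
        throw 'VMware Directory Service must be stopped before restoring data.mdb'
    }
    foreach ($f in 'data.mdb', 'lock.mdb') {
        Copy-Item -Path (Join-Path $MdbBackup $f) -Destination $VmdirData -Force
    }
    if ($Multisite) {
        Push-Location $VmdirBin
        try {
            # Blocks until the restore completes; -n is added only when a USN was supplied.
            if ($Usn) { & .\vmdird.exe -n $Usn -c -m restore }
            else      { & .\vmdird.exe -c -m restore }
        } finally { Pop-Location }
    }
}

# Usage for the full operating system-level restore (hypothetical backup path):
#   Set-SsoServices $StopOrder 'Stopped'
#   Restore-VmdirDatabase -MdbBackup 'D:\SSOBackup\MDBBackup' -Multisite
#   Set-SsoServices ($StopOrder[4..0]) 'Running'
```

For the database-backup procedure, restore the registry key and the conf, vmca, vmkdcd and Kerberos5 folders between the stop call and Restore-VmdirDatabase.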

Finding Update Sequence Number (USN) for a restoring node

The restoring node itself does not have an automated way to reliably retrieve the restored USN from the peer nodes. The administrator must retrieve that USN manually and pass it to vmdird as an argument. When running the vmdird command in restore mode, a -n option is needed to specify the USN to restore to.

Administrators can follow these steps to find the USN:
  1. Download, install, and launch JXplorer

  2. To find the restore USN, keep a running record, referred to here as MAX_USN, of the maximum lastLocalUsnProcessed value for the restoring node as seen from the peer nodes. Initialize it to zero.

  3. In JXplorer, connect to the nodes that have a replication relationship with the restoring node, either one by one or all together in different JXplorer sessions, and follow the next steps. The following are some example connection parameters:

    • IP address of the node, port 11711
    • protocol: LDAP v3
    • Security level: User + Password
    • User DN: cn=Administrator,cn=users,dc=vSphere,dc=local


  4. Navigate to World > local > vsphere > Configuration > Sites > Default-First-Site > Servers > PEER_NODE > Replication Agreements > RESTORING_NODE_LDAP_URL

  5. In the right-hand panel, click Table Editor if it is not already turned on, then click the Properties button at the bottom.

  6. Read the lastLocalUsnProcessed value and note it if it is bigger than the current maximum USN you have seen (MAX_USN). Otherwise, skip that value. Repeat the above for all peer nodes.

  7. On the restoring node, run vmdird -n usn -c -m restore, where usn is the maximum USN (MAX_USN) you have found.
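
The MAX_USN bookkeeping from steps 2 to 6, as an added PowerShell example that is not VMware code. It assumes each peer's Replication Agreements subtree was exported to LDIF instead of being read by hand; the LDIF text, host names and DN layout below are constructed sample data, and the agreement for sso-c is there to show that entries for other nodes are skipped.

```powershell
# Added example, not VMware code. The LDIF below is constructed sample data: the host
# names, the DN layout and the use of an LDIF export are assumptions.
$RestoringNode = 'sso-a.example.local'
$PeerExports = @'
dn: labeledURI=ldap://sso-a.example.local,cn=Replication Agreements,cn=sso-b.e
 xample.local,cn=Servers,cn=Default-First-Site,cn=Sites,cn=Configuration,dc=vs
 phere,dc=local
lastLocalUsnProcessed: 4812

dn: labeledURI=ldap://sso-c.example.local,cn=Replication Agreements,cn=sso-b.e
 xample.local,cn=Servers,cn=Default-First-Site,cn=Sites,cn=Configuration,dc=vs
 phere,dc=local
lastLocalUsnProcessed: 9000

dn: labeledURI=ldap://sso-a.example.local,cn=Replication Agreements,cn=sso-c.e
 xample.local,cn=Servers,cn=Default-First-Site,cn=Sites,cn=Configuration,dc=vs
 phere,dc=local
lastLocalUsnProcessed:: NTEwNw==
'@

function Get-MaxUsn([string] $LdifText, [string] $Node) {
    # RFC 2849 folding: a line that starts with one space continues the previous line.
    $unfolded = $LdifText -replace '\r?\n ', ''
    $max = [long]0                                   # MAX_USN starts at zero
    foreach ($entry in ($unfolded -split '(?:\r?\n){2,}')) {
        $attrs = @{}
        foreach ($line in ($entry -split '\r?\n')) {
            if ($line -match '^([^:#]+)(::?) *(.*)$') {
                $value = $Matches[3]
                if ($Matches[2] -eq '::') {          # "::" marks a base64-encoded value
                    $value = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($value))
                }
                $attrs[$Matches[1]] = $value
            }
        }
        # Only agreements whose leaf RDN names the restoring node count.
        $leaf = ([string]$attrs['dn'] -split ',')[0]
        if ($leaf.IndexOf($Node, [StringComparison]::OrdinalIgnoreCase) -lt 0) { continue }
        if (-not $attrs.ContainsKey('lastLocalUsnProcessed')) { continue }
        $usn = [long]$attrs['lastLocalUsnProcessed']
        if ($usn -gt $max) { $max = $usn }
    }
    return $max
}

$maxUsn = Get-MaxUsn $PeerExports $RestoringNode
"vmdird -n $maxUsn -c -m restore"
```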


Additional Information

For more information on the LDAP Data Interchange Format (LDIF), see RFC 2849 on the Internet Engineering Task Force (IETF) site.

For information on backing up vCenter Server 5.1 using Single Sign-On 5.1, see Backing up and restoring the vCenter Single Sign-On (SSO) configuration (2034928).


Note: The preceding links were correct as of September 16, 2013. If you find a link is broken, provide feedback and a VMware employee will update the link.