It’s looking like I need to break our centralised, multi-tenant vCenter model up into individual vCenters per tenant, pretty much because of the limitations of NSX – i.e. not being able to scope access for distributed firewall admins to ‘per tenant’ ESX hosts (I want to prevent a tenant from pushing firewall rules to other tenants’ ESXi nodes).
Splitting up the vCenters I’m fine with – in many ways it’d make my life simpler. But I’m getting pressure internally to consider deploying all of them into a single SSO domain – and given my recent (bad) vCenter upgrade experiences, and the rollback/DR prep you need to do in order to recover from a failed upgrade when using linked mode, it fills me with dread.
I guess you’re all aware – the only supported rollback method (outside of recovering from file-based VCSA backups) is to:
– Power down ALL vCenters in the SSO domain (or at least stop services on all)
– Snap, power back up.
This makes sense, because it allows for a clean recovery point across the domain, avoiding the obvious issues you’ll run into re: PSC replication. But it’s pretty inconvenient. If you have a failed upgrade on one vCenter, be prepared to roll them all back.
The potential scenario I’m looking at is a 9 x VCSA, single-SSO deployment (3 x tenants, 3 datacenters). To me, this spells bad news. Yes, I want centralised auth, I want global object searching... but I don’t think I have enough confidence in VMware’s directory service, nor do I think there’s enough expertise out there to support this appropriately.
Interested to know if anyone here has a large linked mode environment and how this impacts routine patching and upgrades? It’s crazy, right? Someone convince me otherwise!
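The domain-wide rollback point the post describes (shut every VCSA down, snapshot, power back up), as an added PowerCLI example that is not from the original post. It assumes PowerCLI is installed, that each appliance is reached through the ESXi host that runs it (a vCenter connection disappears once the appliance is off), and placeholder host and VM names.

```powershell
# Added example: consistent pre-upgrade snapshot of every VCSA in one SSO domain.
# Assumptions (hypothetical): PowerCLI installed, root access to each ESXi host,
# placeholder names below, and the VCSA VMs stay on the listed hosts (pin them
# or disable DRS automation for them first, otherwise the lookup fails).
$vcsas = @(
    @{ Host = 'esxi-dc1-01.example.com'; VM = 'vcsa-tenant1-dc1' },
    @{ Host = 'esxi-dc2-01.example.com'; VM = 'vcsa-tenant1-dc2' }
    # ... one entry per VCSA in the domain (9 in the scenario above)
)
$label = "pre-upgrade-$(Get-Date -Format 'yyyyMMdd-HHmm')"
$cred  = Get-Credential -Message 'ESXi root credentials'
$conn  = @{}   # host name -> live connection object

# Step 1: shut every appliance down so PSC/vmdir replication is idle domain-wide.
foreach ($entry in $vcsas) {
    $conn[$entry.Host] = Connect-VIServer -Server $entry.Host -Credential $cred
    $vm = Get-VM -Server $conn[$entry.Host] -Name $entry.VM
    if ($vm.PowerState -eq 'PoweredOn') {
        Shutdown-VMGuest -VM $vm -Confirm:$false | Out-Null
    }
}

# Step 2: wait for all of them to be off, then snapshot. A snapshot taken while
# one node is still replicating is not a clean recovery point for the domain.
foreach ($entry in $vcsas) {
    $srv = $conn[$entry.Host]
    $vm  = Get-VM -Server $srv -Name $entry.VM
    while ($vm.PowerState -ne 'PoweredOff') {
        Start-Sleep -Seconds 10
        $vm = Get-VM -Server $srv -Name $entry.VM
    }
    # Powered off: no memory state to capture, no guest quiescing needed.
    New-Snapshot -VM $vm -Name $label -Description 'Rollback point for SSO domain upgrade' `
        -Memory:$false -Quiesce:$false | Out-Null
}

# Step 3: power everything back up; reverting to $label on ALL nodes is the rollback.
foreach ($entry in $vcsas) {
    Start-VM -VM (Get-VM -Server $conn[$entry.Host] -Name $entry.VM) -Confirm:$false | Out-Null
}
Disconnect-VIServer -Server * -Confirm:$false
```

Rolling back means reverting every appliance to the same `$label` snapshot, not just the one whose upgrade failed; reverting a subset reintroduces the replication mismatch the shutdown was meant to avoid.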