Deploying a Highly Available Platform Services Controller Topology – Part 1

by admin

One of the big changes with the introduction of vSphere 6 is the Platform Services Controller. You can find out more about the PSC here. The PSC can be installed on a Windows server, or deployed as a virtual appliance. The PSC contains common infrastructure services that VMware products make use of – these include vCenter Single Sign-On (SSO), VMware Certificate Authority (VMCA) and licensing.

There are a number of ways in which the PSC can be deployed – covered in this VMware document. When deploying vSphere 6, decsions need to be made on whether to use an embedded or external PSC. Embedded is where the PSC will be deployed on the same server as vCenter, whilst external is where you have the PSC deployed as a separate VM (or VMs) to vCenter. Once deployed, you can’t switch between an external or embedded PSC without having to reinstall vCenter, so it’s important to make the right decision on this for your environment at the beginning.

The two main drivers to go for an external PSC configuration rather than embedded are scale and resilience. If you are thinking of using VMware solutions other than vCenter, such as vRealize Automation, then an external PSC is probably the way to go. You also have the option of configuring pairs of PSCs as a HA cluster, behind a supported load balancer.

The aim in my lab environment is to end up with a highly available external PSC configuration, which will later be used by a vRealize Automation deployment. The resultant topology should look a bit like this:




The focus of the remainder of this post will be on getting two platform service controllers deployed. In later posts I will cover certificates, HA configuration and load balancing, using a Citrix Netscaler appliance.

Deploying the Platform Services Controllers

The first step is to deploy the PSC appliances. Before doing so there are a couple of pre-reqs to be aware of. DNS records should be in place for all PSC instances and for the virtual IP that will be configured on the load balancer. Note that if the DNS record cannot be found  the deployment will fail. It’s also necessary to have the appliances initially connected to a port group with  ‘ephemeral’ binding. This is highlighted during the deployment process. The PSC is deployed from the vCenter Server Appliance media, and requires the client integration tools to be installed (I’ve covered deploying the vCenter Appliance before, here). We start by clicking ‘Install’ to start the deployment walk through:


The first step is to accept the license agreement, then enter the details of the ESXi host to where the PSC appliance will be deployed:


Next, set a name for the appliance/VM, and a password to be used for the root account:


On the next page, set the Deployment Type. For this, we want to select ‘Install Platform Services Controller’:


The next step is to configure the new Single Sign On domain:


The appliance size is set automatically to ‘Platform Services Controller’:


The next step is to select the datastore to which the PSC will be deployed. Following that, configure the network settings which include the portgroup, IP address, DNS and NTP settings:


The ‘Ready to Complete’ screen gives you a summary of your chosen settings. Review the configuration then click ‘Finish’ to begin the deployment task. A progress bar will be displayed whilst the deployment task runs, before displaying a message once the task completes:


We should now have a working Platform Services Controller:


Deploying the Second PSC

Next, as with are building a highly available PSC set up, we need to deploy the second PSC, following the same steps (but with a couple of changes). When deploying the second PSC, at the ‘Set Up Single Sign On’ page, select to join an existing SSO domain, and enter the details of the first PSC:


Then on the following screen select to join the existing single sign-on site:


With that done, follow the rest of the steps through until the second platform services controller is deployed. In my next post I’ll be looking at configuring CA signed certificates, and setting the PSCs up as a sub-ordinate certificate authority using VMCA.

Keep up to date with new posts on - Follow us on Twitter:
Be Sociable, Share!

Leave a Comment


Previous post:

Next post: