Before installing vCenter Single Sign-On, Inventory Service, and vCenter Server, review the prerequisites.

vCenter Server versions 5.1 and later require vCenter Single Sign-On and Inventory Service. You must install these components in this order: vCenter Single Sign-On, Inventory Service, and vCenter Server. Review the topics in the section How vCenter Single Sign On Affects vCenter Server Installation and Upgrades.

Review the release notes for known issues or special installation notes.

Gather the information that the vCenter Single Sign-On, Inventory Service, and vCenter Server installation wizards require. See Required Information for Installing or Upgrading vCenter Single Sign-On, Inventory Service, and vCenter Server.

Decide whether the vCenter Server instance will be a standalone instance or in a Linked Mode group. See Creating vCenter Server Linked Mode Groups.

Download the vCenter Server installer from the VMware Web site.

Verify that your system meets the requirements listed in Hardware Requirements for vCenter Server, vCenter Single Sign On, vSphere Client, and vSphere Web Client and vCenter Server Software Requirements, and that the required ports are open, as discussed in Required Ports for vCenter Server.

Before you install or upgrade any vSphere product, synchronize the clocks of all machines on the vSphere network. See Synchronizing Clocks on the vSphere Network.

Review the Windows Group Policy Object (GPO) password policy for your system machines. The Single Sign-On installation requires you to enter passwords that comply with GPO password policy.

Verify that the DNS name of the vCenter Server host machine matches the actual computer name.

Verify that the host name of the machine that you are installing vCenter Server on complies with RFC 952 guidelines.

The installation path of vCenter Server must be compatible with the installation requirements for Microsoft Active Directory Application Mode (ADAM/AD LDS). The installation path cannot contain any of the following characters: non-ASCII characters, commas (,), periods (.), exclamation points (!), pound signs (#), at signs (@), or percentage signs (%).

Verify that the host machine computer name is no more than 15 characters.

Verify that the system on which you are installing vCenter Server is not an Active Directory domain controller.

On each system that is running vCenter Server, verify that the domain user account has the following permissions:

Member of the Administrators group

Act as part of the operating system

Log on as a service

vCenter Server requires the Microsoft .NET 3.5 SP1 Framework. If your system does not have it installed, the vCenter Server installer installs it. The .NET 3.5 SP1 installation might require Internet connectivity to download more files.

If the system that you use for your vCenter Server installation belongs to a workgroup rather than a domain, not all functionality is available to vCenter Server. If assigned to a workgroup, the vCenter Server system is not able to discover all domains and systems available on the network when using some features. To determine whether the system belongs to a workgroup or a domain, right-click My Computer. Click Properties and click the Computer Name tab. The Computer Name tab displays either a Workgroup label or a Domain label.

Verify that the NETWORK SERVICE account has read permission on the folder in which vCenter Server is installed and on the HKLM registry.

Verify that the NETWORK SERVICE account has read and execute permissions on the folder where the RSA SSPI service is located. The default location is: C:\Program Files\VMware\Infrastructure\SSOServer\utils\bin\windows-x86_64\.

During the installation, verify that the connection between the machine and the domain controller is working.

Before the vCenter Server installation, in the Administrative Tools control panel of the vCenter Single Sign-On instance that you will register vCenter Server to, verify that the vCenter Single Sign-On and RSA SSPI services are started.

You must log in as a member of the Administrators group on the host machine, with a user name that does not contain any non-ASCII characters.

Verify that the fully qualified domain name (FQDN) of the system where you will install vCenter Server is resolvable. To check that the FQDN is resolvable, type nslookup your_vCenter_Server_fqdn at a command line prompt. If the FQDN is resolvable, the nslookup command returns the IP and name of the domain controller machine.

Verify that DNS reverse lookup returns a fully qualified domain name when queried with the IP address of the vCenter Server. When you install vCenter Server, the installation of the web server component that supports the vSphere Client fails if the installer cannot look up the fully qualified domain name of the vCenter Server from its IP address. Reverse lookup is implemented using PTR records. To create a PTR record, see the documentation for your vCenter Server host operating system.

Verify that no Network Address Translation (NAT) exists between the vCenter Server system and the hosts it will manage.

Install vCenter Server, like any other network server, on a machine with a fixed IP address and well-known DNS name, so that clients can reliably access the service. Assign a static IP address and host name to the Windows server that will host the vCenter Server system. This IP address must have a valid (internal) domain name system (DNS) registration. Ensure that the ESXi host management interface has a valid DNS resolution from the vCenter Server and all vSphere Clients. Ensure that the vCenter Server has a valid DNS resolution from all ESXi hosts and all vSphere Clients. If you use DHCP instead of a static IP address for vCenter Server, make sure that the vCenter Server computer name is updated in the domain name service (DNS). Ping the computer name to test this connection. For example, if the computer name is host-1.company.com, run the following command in the Windows command prompt:

ping host-1.company.com

If you can ping the computer name, the name is updated in DNS.
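The host naming, installation path, domain membership, and DNS prerequisites above can be checked in one pass before running the installer. The following Windows PowerShell script is an added example, not part of the VMware documentation or installer; `$InstallPath` is an assumed value that you replace with your planned installation folder.

```powershell
# Added example (not VMware code): static pre-install checks for a planned vCenter Server host.
# Assumption: $InstallPath is the folder you intend to install into; adjust before running.
$InstallPath = 'C:\Program Files\VMware\Infrastructure'
$checks = @()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $script:checks += New-Object PSObject -Property @{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

$hostName = [System.Net.Dns]::GetHostName()          # DNS host name (short form)
$cs       = Get-WmiObject -Class Win32_ComputerSystem

# Computer name: matches the DNS name, at most 15 characters, RFC 952 label syntax
# (starts with a letter, then letters/digits/hyphens, does not end with a hyphen).
Add-Check 'DNS name matches computer name' ($hostName -ieq $env:COMPUTERNAME) "$hostName / $env:COMPUTERNAME"
Add-Check 'Name is 15 characters or fewer' ($hostName.Length -le 15) "$($hostName.Length) characters"
Add-Check 'Name follows RFC 952' ($hostName -match '^[A-Za-z]([A-Za-z0-9-]*[A-Za-z0-9])?$') $hostName

# Install path and login name: no non-ASCII characters; path also excludes , . ! # @ %
Add-Check 'Install path characters' ($InstallPath -notmatch '[^\x00-\x7F]|[,.!#@%]') $InstallPath
Add-Check 'User name is ASCII' ($env:USERNAME -notmatch '[^\x00-\x7F]') $env:USERNAME

# DomainRole 4 and 5 are backup and primary domain controllers.
Add-Check 'Not a domain controller' ($cs.DomainRole -lt 4) "DomainRole=$($cs.DomainRole)"
Add-Check 'Joined to a domain (not a workgroup)' ([bool]$cs.PartOfDomain) $cs.Domain

# Forward lookup of the FQDN, then a PTR lookup for each IPv4 address it returns.
try {
    $fqdn = [System.Net.Dns]::GetHostEntry($hostName).HostName
    $ips  = @([System.Net.Dns]::GetHostAddresses($fqdn) | Where-Object { $_.AddressFamily -eq 'InterNetwork' })
    Add-Check 'FQDN resolves' ($ips.Count -gt 0) "$fqdn -> $($ips -join ', ')"
    foreach ($ip in $ips) {
        try   { $ptr = [System.Net.Dns]::GetHostEntry($ip).HostName }
        catch { $ptr = '' }
        Add-Check "Reverse lookup of $ip" ($ptr -ieq $fqdn) "PTR=$ptr"
    }
} catch {
    Add-Check 'FQDN resolves' $false $_.Exception.Message
}

$checks | Select-Object Check, Pass, Detail | Format-Table -AutoSize
```

The Windows resolver can answer for the local machine's own name without querying the DNS server, so confirm the forward and reverse results with nslookup or from another machine on the vSphere network.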

For the vCenter Single Sign-On installer to automatically discover Active Directory identity sources, verify that the following conditions are met.

The Active Directory identity source must be able to authenticate the user who is logged in to perform the Single Sign-On installation.

The DNS of the Single Sign-On Server host machine must contain both lookup and reverse lookup entries for the domain controller of the Active Directory. For example, pinging mycompany.com should return the domain controller IP address for mycompany. Similarly, the ping -a command for that IP address should return the domain controller hostname. Avoid trying to correct name resolution issues by editing the hosts file. Instead, make sure that the DNS server is correctly set up.

The system clock of the Single Sign-On Server host machine must be synchronized with the clock of the domain controller.

Verify that your vCenter Server database meets the database requirements. See vCenter Server Database Configuration Notes and Preparing vCenter Server Databases.

Create a vCenter Server database, unless you plan to install the bundled database.

Create a vCenter Single Sign-On database, unless you plan to install the bundled database.

If you are using an existing database for Single Sign-On, you must create a database user (RSA_USER) and database administrator (RSA_DBA) to use for the Single Sign-On database installation and setup. To create these users, run the script rsaIMSLite<DBName>SetupUsers.sql. The script is included in the vCenter Server installer download package, at vCenter Server Installation directory\Single Sign On\DBScripts\SSOServer\Schema\your_existing_database.

If you are using an existing database with your vCenter Single Sign-On installation or upgrade, make sure that the table spaces are named RSA_DATA and RSA_INDEX. Any other table space names will cause the vCenter Single Sign-On Installation to fail.

If you are using an existing database for Single Sign-On, to ensure that table space is created for the database, run the script rsaIMSLite<DBName>SetupTablespaces.sql. The script is included in the vCenter Server installer download package, at vCenter Server Installation directory\Single Sign On\DBScripts\SSOServer\Schema\your_existing_database. You can run this script prior to the installation, or during the installation, when you are prompted by the installer. You can leave the installer to run the script, and resume the installer after you run the script.

If you are using a Microsoft SQL Server database for vCenter Server, residing on the same host machine as vCenter Server, and the operating system users for SQL Server and vCenter Server are different, both users must have local administrator privileges. During installation, if SQL Server is local, vCenter Server tries to connect using the local administrator. If SQL Server cannot authenticate the local administrator user, the installation fails.

If you are using an existing Microsoft SQL Server database for Single Sign-On, and you want to use a dynamic port, you must provide a named instance for the SQL database during the Single Sign-On installation. The instance name created during Microsoft SQL Server installation usually defaults to MSSQLSERVER. For non-default instance names, you can determine the instance name after Microsoft SQL Server is installed by using the SQL Configuration Manager. Under SQL Server Network Configuration, the SQL Configuration Manager lists all available instances of the SQL installation.

If you install Single Sign-On with an external Microsoft SQL Server database, using a static port, and you have a firewall between Single Sign-On and the external database, you must open a static port on the firewall to communicate between Single Sign-On and the database. For example, to do this in Windows Server 2008, you can add a static port in the Windows Firewall Control Panel.

Note: The procedure for your firewall software may differ.

If you install Single Sign-On with an external Microsoft SQL Server database, and you use the dynamic port option, and you have a firewall between Single Sign-On and the external database, you must open a firewall port for the SQL Browser Service. The SQL Server Browser Service serves incoming requests for SQL Server connection by providing information about installed instances of SQL Server. The SQL Browser Service usually uses UDP port 1434. You must also add the SQL Server instance that you want to access through the firewall.