All was working well and the infrastructure was hosting a relatively small amount of production VMs successfully.
The only problem was that authentication to vCenter was taking an incredibly long time. They were using SSO (as it was vSphere 5.1) to authenticate against a large, multi-domain AD forest.
Using the Measure-Command {Connect-VIServer -Server *****} command I got a decent benchmark:
Days : 0
Hours : 0
Minutes : 0
Seconds : 238
238 seconds!?!?
My initial thought was that the slowness was solely due to the fact that the Domain Controller used to authenticate against was located in a different country, accessed across a WAN link. Changing the identity source to a local DC would surely make a huge improvement? I made the relevant changes in SSO to point locally and ran the command again:
Days : 0
Hours : 0
Minutes : 0
Seconds : 36
I scratched my head for a few more days, until I began thinking about the level in AD at which SSO was searching. If SSO had to wade through hundreds of thousands of AD objects to find the user's group membership, of course it would take a while. So I checked the Base DN for Users and Base DN for Groups fields in SSO Administration and sure enough they had both been set at the very top level of the domain.
I queried AD to find which OU the groups and vCenter users were located in and entered this DN (Distinguished Name) into the Edit Identity Source form.
I ran Measure-Command again and got:
Days : 0
Hours : 0
Minutes : 0
Seconds : 6
That was more like it!
NB: If you decide to make this change, make sure you put some thought into where the OU is within AD. You don't want to end up specifying an OU that's too deep within the AD structure, meaning that you exclude some of the people who should be logging on!
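As an added example (not from the original post), the following PowerShell works out the narrowest OU that still contains every vCenter user and group, reports who a candidate Base DN would exclude (the NB above), and re-times the login the same way as the post. It assumes the RSAT ActiveDirectory module and PowerCLI are installed; the server name, group names and candidate DN are placeholders.

```powershell
# Added example (not from the original post): derive the narrowest OU that still
# contains every vCenter user and group, check a candidate Base DN for exclusions,
# and time the login as in the post. Assumes the RSAT ActiveDirectory module and
# PowerCLI are installed; server, group names and the candidate DN are placeholders.
Import-Module ActiveDirectory
$vcServer = 'vcenter.example.local'                  # placeholder
$vcGroups = @('vCenter-Admins', 'vCenter-ReadOnly')  # placeholder group names

# DNs of the groups themselves and of every (nested) user member.
$groupDNs = foreach ($g in $vcGroups) { (Get-ADGroup -Identity $g).DistinguishedName }
$userDNs  = foreach ($g in $vcGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $_.DistinguishedName }
}
$userDNs = @($userDNs | Sort-Object -Unique)

# Longest common suffix of the DNs in whole RDN components: the deepest container
# that still holds all of them, i.e. the narrowest Base DN that excludes nobody.
function Get-CommonBaseDN([string[]]$dns) {
    $lists = New-Object System.Collections.Generic.List[object]
    # Split only on commas that start a new "attr=" pair so escaped commas survive.
    foreach ($dn in $dns) { $lists.Add([string[]]($dn -split ',(?=[A-Za-z]+=)')) }
    if ($lists.Count -eq 0) { return '' }
    $depth = [int]::MaxValue
    foreach ($l in $lists) { if ($l.Count -lt $depth) { $depth = $l.Count } }
    $common = @()
    for ($i = 1; $i -lt $depth; $i++) {      # -lt: never return a full object DN
        $rdn  = $lists[0][-$i]
        $same = $true
        foreach ($l in $lists) { if ($l[-$i] -ne $rdn) { $same = $false; break } }
        if (-not $same) { break }
        $common = @($rdn) + $common
    }
    $common -join ','
}

# Users that a candidate Base DN would exclude (the NB in the post).
function Get-ExcludedUsers([string[]]$dns, [string]$baseDn) {
    $dns | Where-Object { $_ -notlike "*,$baseDn" }
}

"Suggested Base DN for Users : $(Get-CommonBaseDN $userDNs)"
"Suggested Base DN for Groups: $(Get-CommonBaseDN $groupDNs)"
$tooDeep = Get-ExcludedUsers $userDNs 'OU=Admins,OU=IT,DC=corp,DC=example'  # placeholder
if ($tooDeep) { "Candidate Base DN would exclude: $($tooDeep -join '; ')" }

# After changing the identity source in SSO Administration, re-time the login.
$t = Measure-Command { Connect-VIServer -Server $vcServer | Out-Null }
'Connect-VIServer took {0:N1} seconds' -f $t.TotalSeconds
```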
Chris.