A compute manager, for example, vCenter Server, is an application that manages resources such as hosts and VMs.

NSX-T Data Center polls compute managers to collect cluster information from vCenter Server.

For more information about vCenter Server roles and privileges, see the vSphere Security document.

Prerequisites

  • Verify that you use the supported vSphere version. See Supported vSphere version.
  • IPv6 and IPv4 communication with vCenter Server.
  • Verify that you use the recommended number of compute managers. See https://configmax.vmware.com/home.
    Note: NSX-T Data Center does not support the same vCenter Server to be registered with more than one NSX Manager.
  • When you add a vCenter Server compute manager, you must provide a vCenter Server user's credentials. You can provide the vCenter Server administrator's credentials, or create a role and a user specifically for NSX-T Data Center and provide this user's credentials.
    Create an admin role with the following vCenter Server privileges:
    Extension.Register extension
    Extension.Unregister extension
    Extension.Update extension
    Sessions.Message
    Sessions.Validate session
    Sessions.View and stop sessions
    Host.Configuration.Maintenance
    Host.Configuration.NetworkConfiguration
    Host.Local Operations.Create virtual machine
    Host.Local Operations.Delete virtual machine
    Host.Local Operations.Reconfigure virtual machine
    Tasks
    Scheduled task
    Global.Cancel task
    Permissions.Reassign role permissions
    Resource.Assign vApp to resource pool
    Resource.Assign virtual machine to resource pool
    Virtual Machine.Configuration
    Virtual Machine.Guest Operations
    Virtual Machine.Provisioning
    Virtual Machine.Inventory
    Network.Assign network
    vApp

    To use the NSX-T Data Center license for the vSphere Distributed Switch 7.0 feature, the vCenter Server user must either be an administrator, or the user must have Global.Licenses privileges and be a member of the LicenseService.Administrators group.

  • Before you create a service account on the compute manager, ensure the admin user's role has the following additional vCenter Server privileges:

    Service Account Management.Administer
    Permissions.Modify permission
    Permissions.Modify role
    VMware vSphere Lifecycle Manager.ESXi Health Perspectives.Read
    VMware vSphere Lifecycle Manager.Lifecycle Manager: General Privileges.Read
    VMware vSphere Lifecycle Manager.Lifecycle Manager: Image Privileges.Read
    VMware vSphere Lifecycle Manager.Lifecycle Manager: Image Privileges.Write
    VMware vSphere Lifecycle Manager.Lifecycle Manager: Image Remediation Privileges.Write
    VMware vSphere Lifecycle Manager.Lifecycle Manager: Settings Privileges.Read
    VMware vSphere Lifecycle Manager.Lifecycle Manager: Settings Privileges.Write
    VMware vSphere Lifecycle Manager.Lifecycle Manager: General Privileges.Write

Procedure

  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Select System > Fabric > Compute Managers > Add.
  3. Complete the compute manager details.
    Option Description
    Name and Description Type the name to identify the vCenter Server.

    You can optionally describe any special details such as, the number of clusters in the vCenter Server.

    FQDN or IP Address Type the FQDN or IP address of the vCenter Server.
    Type The default compute manager type is set to vCenter Server.
    HTTPS Port of Reverse Proxy The default port is 443. If you use another port, verify that the port is open on all the NSX Manager appliances.

    Set the reverse proxy port to register the compute manager in NSX-T.

    Username and Password Type the vCenter Server login credentials.
    SHA-256 Thumbprint Type the vCenter Server SHA-256 thumbprint algorithm value.
    Create Service Account Enable this field for features such as vSphere Lifecycle Manager that need to authenticate NSX-T Data Center APIs. During registration, compute manager creates a service account.
    Note: On a global NSX Manager, service account is not applicable.

    If service account creation fails, the compute manager's registration status is set to Registered with errors. The compute manager is successfully registered. However, vSphere Lifecycle Manager cannot be enabled on NSX-T Data Center clusters.

    If a vCenter Server admin deletes the service account after it was successfully created, and vSphere Lifecycle Manager tries to authenticate NSX-T Data Center APIs, then the compute manager's registration status is set to Registered with errors.

    Enable Trust

    Enable this field to establish trust between NSX-T Data Center and compute manager, so that services running in vCenter Server can establish trusted communication with NSX-T Data Center. For example, for vSphere Lifecycle Manager to be enabled on NSX-T Data Center clusters, you must enable this field.

    Supported only on vCenter Server 7.0 and later versions.

    Access Level Enable one of the options based on your requirement:
    • Full Access to NSX: Is selected by default. This access level gives the compute manager complete access to NSX-T Data Center. Full access ensures vSphere for Kubernetes and vSphere Lifecycle Manager can communicate with NSX-T Data Center. The vCenter Server user's role must be set to an Enterprise Admin.
    • Limited Access to NSX: This access level ensures vSphere Lifecycle Manager can communicate with NSX-T Data Center. The vCenter Server user's role must be set to Limited vSphere Admin.
    If you left the thumbprint value blank, you are prompted to accept the server provided thumbprint.

    After you accept the thumbprint, it takes a few seconds for NSX-T Data Center to discover and register the vCenter Server resources.

    Note: If the FQDN, IP, or thumbprint of the compute manager changes after registration, edit the computer manager and enter the new values.
  4. If the progress icon changes from In progress to Not registered, perform the following steps to resolve the error.
    1. Select the error message and click Resolve. One possible error message is the following:
      Extension already registered at CM <vCenter Server name> with id <extension ID>
    2. Enter the vCenter Server credentials and click Resolve.
      If an existing registration exists, it will be replaced.

Results

It takes some time to register the compute manager with vCenter Server and for the connection status to appear as UP.

You can click the compute manager's name to view the details, edit the compute manager, or to manage tags that apply to the compute manager.

After the vCenter Server is successfully registered, do not power off and delete the NSX Manager VM without deleting the compute manager first. Otherwise, when you deploy a new NSX Manager, you will not be able to register the same vCenter Server again. You will get the error that the vCenter Server is already registered with another NSX Manager.

Note: After a vCenter Server (VC) compute manager is successfully added, it cannot be removed if you successfully performed any of the following actions:
  • Transport nodes are prepared using VDS that is dependent on the VC.
  • Service VMs deployed on a host or a cluster in the VC using NSX service insertion.
  • You use the NSX Manager UI to deploy Edge VMs, NSX Intelligence VM, or NSX Manager nodes on a host or a cluster in the VC.

If you try to perform any of these actions and you encounter an error (for example, installation failed), you can remove the VC if you have not successfully performed any of the actions listed above.

If you have successfully prepared any transport node using VDS that is dependent on the VC or deployed any VM, you can remove the VC after you have done the following:
  • Unprepare all transport nodes. If uninstalling a transport node fails, you must force delete the transport node.
  • Undeploy all service VMs, any NSX Intelligence VM, all NSX Edge VMs and all NSX Manager nodes. The undeployment must be successful or in a failed state.
  • If an NSX Manager cluster consists of nodes deployed from the VC (manual method) and nodes deployed from the NSX Manager UI, and you had to undeploy the manually deployed nodes, then you cannot remove the VC. To sucessfully remove the VC, ensure that you re-deploy an NSX Manager node from the VC.

This restriction applies to a fresh installation of NSX-T Data Center 3.0 as well as an upgrade.