Implementing VMware vSphere, Enhanced Linked Mode (ELM)
- sicnarflatosa
- 1 hour ago
- 5 min read
Advantages or Benefits of Using Enhanced Linked Mode
Enhanced Linked Mode allows you to connect multiple vCenter Server instances together to provide a single-pane-of-glass view for managing them. This is often used when you want to manage more than one vCenter Server in a larger, distributed environment, but you still want the ability to see and interact with all vCenter Servers through a single interface.
Single Pane of Glass for Multiple vCenters
* You can log in once to any vCenter Server in the linked group and manage all linked vCenter Servers.
* Eliminates the need to maintain multiple browser sessions or constantly switch interfaces.
Centralized Management
* View and manage all objects (VMs, hosts, clusters, datastores, etc.) across different vCenter Servers from a single vSphere Client.
* Simplifies tasks like cloning VMs, migrating workloads, or managing distributed switches.
Shared SSO Domain
* All vCenters within ELM share the same Single Sign-On (SSO) domain.
* Enables common identity and access control across vCenters.
* Users and permissions are synchronized, allowing consistent security policies.
Improved Scalability
* Supports up to 15 vCenter Servers in linked mode in vSphere 8.
* Useful for large-scale or geographically distributed environments.
Seamless vCenter Server Failover
* If one vCenter Server is unavailable, you can still access and manage others in the linked group.
* Improves fault tolerance and administrative continuity.
Cross-vCenter Operations
* Facilitates cross-vCenter vMotion and cross-site replication.
* Critical for DR strategies, workload balancing, and data center migrations.
Simplified Licensing and Role Management
* Assign and replicate roles and permissions across multiple vCenters more easily.
Centralize license management and visibility for all vCenter instances.
VMware Enhanced Linked Mode (ELM) Requirements for vSphere 8
vCenter Server Version
* All vCenter Servers must be on the same major vSphere version (e.g., vCenter Server 8.0).
* Patch levels can differ slightly, but it's best practice to keep them consistent.
🔸 ELM is not supported between vCenter versions (e.g., mixing 7.x with 8.x).
vCenter Server Edition
* Required: vCenter Server Standard edition.
* Not Supported: Foundation and Essentials editions do not support ELM.
SSO Domain
* All vCenter Servers must be joined to the same SSO domain.
Example: vsphere.local
* Must use embedded Platform Services Controller (PSC) (PSC is now embedded in vCenter as of vSphere 7+).
🟡 External PSCs are deprecated and no longer supported in vSphere 8.
Networking & DNS
* Proper forward and reverse DNS resolution for all vCenter Servers and PSC components.
* Consistent NTP (time synchronization) across all vCenters.
* All vCenter Servers must be able to communicate over required ports:
TCP 443 (HTTPS)
TCP 389/636 (LDAP/LDAPS for AD)
TCP 2012–2015 (vCenter Linked Mode-specific)
Deployment Method
* You must join the new vCenter to an existing SSO domain during installation.
* Cannot convert an existing standalone vCenter to ELM post-deployment.
Naming and Certificates
* Hostname/FQDN must be unique and resolvable.
* Certificates (VMCA or custom CA) must be trusted by other vCenters.
Time Synchronization
* All vCenters and hosts should use a common NTP source.
* Time drift can cause SSO authentication issues or failures joining ELM.
Maximum Limits
* Up to 15 vCenter Servers in a single ELM group.
* Up to 5,000 ESXi hosts and 70,000 VMs managed across ELM.
Limitations of Enhanced Linked Mode (ELM) in VMware vSphere (especially vSphere 7 & 8)
Same vSphere Version Required
* All vCenter Servers in the ELM group must be on the same major version (e.g., all must be 8.0.x).
* Cross-version linking is not supported (e.g., vCenter 7.0 cannot be linked with vCenter 8.0).
Single SSO Domain
* All vCenter Servers must belong to one SSO domain.
* You cannot link multiple SSO domains together.
* No support for merging SSO domains post-deployment.
Deployment-Time Linking Only
* A vCenter Server must be joined to an existing SSO domain at deployment.
* You cannot convert an existing standalone vCenter to ELM after it's been deployed.
* No "one-click" upgrade path to ELM for live vCenters—redeployment is required.
Maximum Scalability Limits
* Maximum of 15 vCenter Servers in one ELM group.
* Maximum of 5,000 hosts and 70,000 VMs across all linked vCenters.
No Object Sharing
* ELM does not share inventory objects (VMs, clusters, etc.) across vCenters.
* Each vCenter still manages its own set of objects independently.
* You can view and manage all objects centrally, but not use them across vCenters without cross-vCenter operations (e.g., vMotion).
High Availability Impact
* If a vCenter Server in the ELM group becomes unavailable:
You lose access to its managed objects, even if ELM is still operational.
The rest of the environment remains functional, but access is siloed by failure domain.
Licensing Restrictions
* Not available in vCenter Foundation or Essentials editions.
* Requires vCenter Server Standard license.
Certificate Trust Requirements
* All vCenters must trust each other’s SSL certificates (especially for custom CA environments).
* Improper certificate trust can break SSO or ELM visibility.
Global Permissions Are Not Automatic
* Global permissions must be manually created and assigned across vCenters.
* Roles and permissions are not automatically synchronized.
10. Deprecation of External PSC
Older topologies with external PSCs are not supported in vSphere 8.
If migrating from vSphere 6.x, you must converge to embedded PSC before upgrading or linking.
Limitation | Description |
SSO Domain Restriction | All vCenters must be in the same SSO domain |
Max Linked vCenters | 15 |
Tag/Role Replication | ❌ Not automatic — must be done per vCenter |
Content Library Sharing | ❌ Manual setup — not automatic |
Site Awareness | ❌ No built-in site awareness |
Backup/Restore | ⚠️ Complex — must follow strict order |
Network Latency Sensitivity | ✅ Yes — requires reliable low-latency connectivity |
vCenter Removal from ELM | ❌ Not supported — must rebuild |
Comparison: ELM vs Non-ELM vCenter Setups
Feature/Capability | ELM (Linked vCenters) | Non-ELM (Standalone vCenters) |
Centralized Management | ✅ Yes – Single pane of glass across vCenters | ❌ No – Manage each vCenter separately |
Single Sign-On (SSO) | ✅ Shared SSO domain and identity source | ❌ Separate SSO instances |
Cross-vCenter vMotion | ✅ Supported (same SSO domain) | ❌ Not supported |
Permission Management | ✅ Can apply global permissions across vCenters | ❌ Roles/permissions must be manually duplicated |
Scalability | ✅ Up to 15 vCenters linked | ❌ Independent scaling; less coordination |
Disaster Recovery (SRM) | ✅ Easier to configure and manage | ❌ Complex; manual mappings required |
vSphere Client Access | ✅ Access all linked vCenters from one login | ❌ Must log in separately to each vCenter |
Inventory Object Visibility | ✅ View all hosts, clusters, and VMs across sites | ❌ Limited to the vCenter you’re logged into |
Certificate Management | ⚠️ Must ensure trust across all vCenters | ✅ Each is isolated (less complexity) |
Deployment Flexibility | ❌ Must join SSO domain at deployment time only | ✅ No linking or dependency constraints |
Security Isolation | ⚠️ Shared credentials; risk if SSO is compromised | ✅ Fully isolated – better for secure environments |
Upgrade Complexity | ⚠️ Must upgrade all vCenters together | ✅ Independent upgrade cycles |
Licensing Requirement | Requires vCenter Standard license | Can use Essentials/Foundation/Standard |
Two-Site ELM Topology – Reference Architecture (vSphere 8)
Objectives:
Enable unified management across Site A and Site B using Enhanced Linked Mode (ELM) with embedded Platform Services Controllers (PSC), while ensuring high availability, consistent authentication, and operational separation.
Key Design Elements
Component | Description |
SSO Domain | Single SSO domain (e.g., vsphere.local) shared between both sites. |
vCenter Server | One vCenter per site, each with an embedded PSC. |
SSO Site Name | Unique SSO site name per location (e.g., SiteA, SiteB). |
Network Requirements | Reliable, low-latency link (<10 ms RTT recommended) between vCenters. |
Authentication | Shared identity source (e.g., Active Directory with LDAP/LDAPS). |
Replication | Automatic SSO replication between vCenters via the embedded PSCs. |
Permissions | Roles and permissions must be manually synced between vCenters. |
vSphere Client Access | Admins can log into either vCenter and manage both environments. |
Reference KB: vCenter Enhanced Linked Mode
Comments