Patching vCenter server in HA mode: step-by-step

Here’s another topic about vCenter High Availability (vCHA), in this article I will be talking about the patching process of the vCenter nodes, it’s a bit different than patching a standalone vCenter server.

Before we begin, I assume that you are already familiar with vCenter HA, if you aren’t, don’t worry, go through the following articles first and then continue.

vCenter High Availability: things you must know first!

vCenter High Availability | Step by Step


Patching sequence

  1. Witness node.
  2. Passive node.
  3. Active node (in a passive mode).

Reaching the patch files could be reached either via a URL, or an ISO image; in this article we will be using the ISO image method. For more details about the other method, visit the KBs listed by the end of this article.


Here are the steps:

  1. Download the patching ISO image from Vmware at:



  1. Select the desired patch edition, but make sure that it’s a patch package, not a full vCenter installation image. Take a note of the patch build number (as shown below), vCenter build version should be the same as the patch package after finishing the patching process.



Build number



  1. Upload the ISO file to a datastore that all of the vCenter server HA nodes can reach, and then mount that ISO image to the CD/DVD drive of all of the three nodes.
  2. Set the vCHA mode to “maintenance mode”.
  3. Using a terminal application (I use “Putty”), login to the shell interface of the active vCenter node via SSH using the root account, the same account will be used for accessing all nodes.
  4. There are two CLI modes, “command” mode, and “Shell” mode; switch to “shell” mode by typing “shell” and then hit enter.



  1. And then SSH from the active vCenter to the witness node, use the witness node heart-beat IP address, if you don’t know it, navigate to the “vCenter HA” settings and note it down. Type the following command to SSH to the node:

ssh root@Witness_node_IP_address

Note: accept the SSH fingerprint license of prompted by typing “YES”, and then hit enter.



  1. Type the following command to start the patching command:

software-packages install –iso

Note: This command must be used on the “command” mode, not “Shell”, if the current mode of the witness CLI is set to “Shell”, switch to the “Command” mode by following the steps in the following URL:



  1. Scroll down the EULA, and then type “Yes” to accept it


If you see the following progress, this means that the patching has started successfully, if not, make sure that you’ve mounted the patching ISO file to the VM. Patching will take several minutes.



Now, go to the “vCenter HA” configuration page, and check the status of the nodes, the Witness node should be down like this, this is okay.



  1. Go back to the SSH screen, once the patching is finished you will see a screen like this, then type the following command to reboot the witness node.

shutdown reboot -r “patch reboot”



  1. The SSH session from the active node to the witness node will be disconnected; wait for the node to be rebooted, meanwhile, go to the “vCenter HA” status page again and wait for the Witness node to become green and healthy again.



  1. The “Witness” node is done.
  2. Proceed with the same steps, but this time SSH from the active node to the passive node, and repeat the same steps for patching the witness node, reboot it, monitor the status, and then move to the next step.







  1. Unmount the ISO image from both the “Witness” and “passive” nodes, but be careful, when they are unmounted, a question will pop up on the summary page of each VM, answer that question to continue unmounting the ISO image.





  1. Now, initiate a failover from the current active node to the passive node; after the failover is complete, go to the status page again and make sure now that the vCenter node that you used for performing the patching has become passive. Patching MUST be performed on passive nodes and that’s why we’ve failed over.




  1. Open a new SSH session to the active vCenter node using the same IP address of the vCenter (or FQDN), switch to the “shell” mode, and then SSH to the final vCenter node.
  2. To double-check that you are on the correct node that needs to be patched, run the following command to verify the IP address “ifconfig”.



  1. Perform the same steps for patching this node (steps 8 through 10), and then verify the node status.





  1. Verify that the build number has changed, go to the summary page of the vCenter node and verify the build number.
  2. Don’t forget to unmount the ISO image from the final node.
  3. Finally (1) change the vCenter HA mode from “maintenance” to “Enabled”, (2) perform another failover to make the primary node “Active” again,  (3) verify the build number one more time, and you are done.


VMware related articles:

Patch a vCenter High Availability Environment

Install vCenter Server Appliance Patches










Leave a Reply

%d bloggers like this: