Troubleshooting Failover
Failover Recovery Procedures
If a failover does not complete all steps successfully, refer to the Eyeglass Failover Recovery Procedures to assess the state of your environment and follow the necessary recovery steps.
Collecting Logs for Troubleshooting
To collect logs for failover troubleshooting, follow the instructions for collecting support information in the Eyeglass FAQ document. The failover logs will be included along with other Eyeglass logs in the Logs Backup file.
Authentication with Service Principal Name Considerations with Active Directory and SMB Shares in Access Zones
- Active Directory allows a given Service Principal Name (SPN) to be registered against only one computer account. You can view this property using the ADSI Edit tool. The SPN is in the form HOST/service name and typically has two entries, one for NetBIOS naming (15 characters) and one for DNS URL format, for each SmartConnect zone or zone alias created on a cluster.
- The Service Principal Name must exist on the machine account that handles authentication requests from clients, allowing it to send requests to a domain controller for authentication using Kerberos session tickets.
- Active Directory prevents duplicate SPNs from being registered. If a duplicate SPN is created, Kerberos authentication will fail for clients, and they will be unable to mount data unless NTLM fallback authentication succeeds. During failover, Eyeglass deletes the SPNs of the subnet pool and its aliases from the AD computer account on the selected source cluster Access Zone, or from all AD providers assigned to the Access Zone.
- Eyeglass also scans cluster machine accounts during configuration replication jobs and fixes any missing SPNs if detected.
After duplicate SPNs are created, an error appears on the domain controller when it attempts to authenticate a mount request. Note that this error occurs only once, not for each failed authentication.
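A read-only check for the duplicate and missing SPN conditions described above, as an added example that is not part of the Eyeglass documentation. It uses the ActiveDirectory PowerShell module; the SPN values and the function name Find-SpnHolder are placeholders assumed for illustration.

```powershell
# Added example: reports which AD accounts hold each SmartConnect SPN.
# Read-only; requires the RSAT ActiveDirectory module and domain read access.
Import-Module ActiveDirectory

# Assumption: placeholder SPNs for one SmartConnect zone (short and DNS form).
# Replace with the zone names and aliases configured on your clusters.
$SpnsToCheck = @('HOST/prod', 'HOST/prod.example.com')

function Find-SpnHolder {
    param([Parameter(Mandatory)][string[]]$Spn)

    foreach ($value in $Spn) {
        # Escape LDAP filter metacharacters so the value is matched literally.
        $escaped = $value -replace '\\', '\5c' -replace '\*', '\2a' `
                          -replace '\(', '\28' -replace '\)', '\29'

        # Searches the current domain only; accounts in other domains of the
        # forest are not seen by this query.
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$escaped)" `
                                  -Properties servicePrincipalName)

        # 0 holders: clients cannot get a Kerberos ticket for this name.
        # 1 holder : expected state (confirm it is the cluster that should
        #            currently serve the zone, e.g. the target after failover).
        # 2+       : duplicate SPN, Kerberos fails and clients depend on NTLM.
        $status = switch ($holders.Count) {
            0       { 'Missing' }
            1       { 'OK' }
            default { 'Duplicate' }
        }

        [pscustomobject]@{
            Spn         = $value
            Status      = $status
            HolderCount = $holders.Count
            Holders     = ($holders.DistinguishedName -join '; ')
        }
    }
}

Find-SpnHolder -Spn $SpnsToCheck | Format-Table -AutoSize -Wrap
```

The built-in `setspn -X` command performs a domain-wide duplicate search, and `setspn -L <account>` lists the SPNs registered on a single computer account.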