Version: 4.0.0

How to Configure Delegation of Cluster Machine Accounts

Introduction

Automating disaster recovery with SyncIQ and Eyeglass in an environment with Active Directory and SMB shares requires an important step: ensuring Service Principal Names (SPNs) stay synchronized with the machine account used by the DR cluster. To ease failovers and ensure smooth auditing in Eyeglass, this guide takes you through the steps needed to manage your SPNs effectively.

Service Principal Names are used by Kerberos authentication and are stored on machine accounts; a new SPN name pair is created each time a new SmartConnect Zone alias is created.

Design and Permissions

Design

The key design used by Eyeglass is proxy-on-failover SPN management.

What does this mean?

During failover, SPN deletes must occur against the Source Cluster's AD machine account, but during a real DR event the Source Cluster is not reachable and so cannot issue SPN commands itself.

The way that Eyeglass resolves this problem is by issuing proxy SPN update commands to the DR Cluster, but referencing the Source Cluster machine account name.

This, in essence, means that Eyeglass can correct SPN entries on the Source Cluster, even when it's not reachable.

Note: Superna Eyeglass only manages SPN related to HOST. SPNs related to HDFS or NFS are not updated and will need to be manually repaired post failover.

Note: This proxy SPN management solution depends on the delegation being done as described below, with an OU used for the cluster machine accounts, and on allowing each cluster to update the other's SPNs using ISI proxy commands.

Permissions

There are two main types of permissions which must be verified.

  1. Each Cluster must have permissions to read and write to the SPN property of its own computer object.
  2. Each Cluster must have permissions to read and write to the SPN property of the opposite Cluster computer object.

Preparing your Cluster

Eyeglass automatically creates the SmartConnect Zone names and aliases required on your DR cluster in advance of a DR failover. This is done by mapping a subnet on cluster A to a subnet on cluster B in the Eyeglass UI; once set, all new SmartConnect Zones or aliases created on the Production cluster are synced to the DR cluster's network pool and subnet.

It is important to set up AD and your cluster in advance of failover to eliminate authentication issues caused by missing SPN entries on the machine account.

Computer Object Level Method

Note: This procedure is recommended for a single pair of clusters. If more clusters are involved, use the next method (OU).

  1. Open the Active Directory Users and Computers snap-in as an administrator user.
  2. Right-click the first cluster's computer object and select Properties.
  3. Go to the Security tab.
  4. Click the Advanced button.
  5. When the Advanced Security Settings window appears, click the Add button under the Permissions tab.
  6. Click Select a Principal.
  7. Type the word SELF into the box that appears.
  8. Click OK.
  9. The Delegation of Control Wizard will appear.
  10. Scroll down the list of permissions and select Read servicePrincipalName and Write servicePrincipalName. (These appear as two separate permissions, one for read and one for write.)
  11. Repeat the procedure from Step 5, but this time, when selecting the principal to grant permissions to, enter the second cluster of the replication pair in the Permission Entry dialog box.
IMPORTANT

The above steps ONLY apply object-level permissions to one cluster; both clusters must have these permissions for automated failover and failback. Repeat the above steps by selecting the second cluster of the pair and apply the same two sets of permissions (SELF and the partner cluster).

The Delegation permissions are now completed.

Organizational Unit (OU) Method

Note: This method is recommended when there are more than two clusters to delegate.

  1. Using the Active Directory Users and Computers snap-in admin tool, create an OU for the PowerScale cluster computer accounts.
  2. Drag and drop the cluster AD computer objects into the OU you just created.
  3. Right-click the OU and select Delegate Control.
  4. Select the Delegation option and work through the dialog that appears: select the users or groups; select "Create a custom task to delegate"; select only the Computer objects in the folder; under permissions, make sure that Read servicePrincipalName and Write servicePrincipalName are both selected.
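The same delegation can be scripted. The following PowerShell is an added example, not Superna's or Microsoft's code, covering both the object-level method (one ACE for SELF and one for the partner cluster on each computer object) and the OU method (one ACE per cluster account on the OU, inherited by descendant computer objects only). It assumes the ActiveDirectory module, a session running as a domain admin, and constructed placeholder names for the clusters and OU.

```powershell
# Added example (not Superna's or Microsoft's code). Cluster and OU names below
# are constructed placeholders; replace them with your own.
Import-Module ActiveDirectory

$ClusterA = 'ISI-CLUSTER-A'   # sAMAccountName without the trailing $ (placeholder)
$ClusterB = 'ISI-CLUSTER-B'   # placeholder

# Resolve schemaIDGUIDs from the schema instead of hard-coding them:
# the servicePrincipalName attribute and the computer object class.
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$spnGuid      = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=servicePrincipalName)' -Properties schemaIDGUID).schemaIDGUID
$computerGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID

# Read + Write on the servicePrincipalName property only (no broader rights)
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$self   = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'   # NT AUTHORITY\SELF

# Object-level method: ACEs for SELF and for the partner cluster on one computer object
function Grant-SpnOnObject {
    param([string]$Target, [string]$Partner)
    $obj        = Get-ADComputer $Target
    $partnerSid = (Get-ADComputer $Partner).SID
    $acl        = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    foreach ($id in @($self, $partnerSid)) {
        $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $id, $rights, $allow, $spnGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$($obj.DistinguishedName)" -AclObject $acl
}

# OU method: one ACE per cluster account on the OU, applying to descendant
# computer objects only (the wizard's "Only Computer objects in the folder").
function Grant-SpnOnOu {
    param([string]$OuDn, [string[]]$Clusters)
    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($name in $Clusters) {
        $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            (Get-ADComputer $name).SID, $rights, $allow, $spnGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $computerGuid)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

Grant-SpnOnObject -Target $ClusterA -Partner $ClusterB
Grant-SpnOnObject -Target $ClusterB -Partner $ClusterA
# Grant-SpnOnOu -OuDn 'OU=PowerScale Clusters,DC=example,DC=com' -Clusters $ClusterA, $ClusterB
```

Run either the two Grant-SpnOnObject calls or the single Grant-SpnOnOu call, not both; the OU call is commented out with a placeholder DN.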

OU Diagram

How to Check Cluster SPN Permissions are Set Correctly

  1. Open the Active Directory Users and Computers window.
  2. Click the View tab and verify that the "Advanced Features" option is checked.
  3. Click the Action tab at the top left, then click "Find...".
  4. A window will appear. In this window, make sure that you are finding Computers in the Computers folder (select this from the drop-down next to Find - In).
  5. Enter the name of the computer in the Computer Name field.
  6. Click Find Now. This pulls up the computer in the search results in the lower half of the window.
  7. Right-click the result and click Properties.
  8. A new window called (Computer Name) Properties will appear. Click the Object tab and make sure that the canonical name is visible and editable.
  9. Return to the (Computer Name) Properties window and open the Security tab.
  10. Click the Advanced button at the bottom right of the Computer Properties window.
  11. A new window called Advanced Settings for (Computer Name) will load.
  12. Click the Effective Access tab.
  13. Click Select a User. In the "Enter the object name to select" box, type SELF and click Check Names.
  14. Click OK.
  15. Back on the Effective Access tab, SELF is now selected as the User/Group.
  16. Click View Effective Access.
  17. A table will appear. Make sure that the permissions Read servicePrincipalName and Write servicePrincipalName both have a green check mark under the Effective Access column of the table.
  18. Click OK.

You have now verified the SPN Permissions for the Cluster.
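The same check can be run from PowerShell across both clusters of a pair. The following is an added example, not Superna's or Microsoft's code: it reads the computer object's DACL and reports whether Read and Write on servicePrincipalName are granted to SELF and to the partner cluster account, whether directly or inherited from the OU. It assumes the ActiveDirectory module and constructed placeholder cluster names.

```powershell
# Added example (not Superna's or Microsoft's code). Cluster names are placeholders.
Import-Module ActiveDirectory

function Test-ClusterSpnDelegation {
    param([string]$Cluster, [string]$Partner)

    # Resolve the servicePrincipalName attribute GUID from the schema
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $spnGuid  = [guid](Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(lDAPDisplayName=servicePrincipalName)' -Properties schemaIDGUID).schemaIDGUID

    $obj   = Get-ADComputer $Cluster
    $acl   = Get-Acl -Path "AD:\$($obj.DistinguishedName)"   # includes inherited ACEs
    $read  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    # The two principals from the Permissions section: SELF (S-1-5-10) and the partner cluster
    $required = [ordered]@{
        'SELF'   = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'
        $Partner = (Get-ADComputer $Partner).SID
    }
    foreach ($name in $required.Keys) {
        $sid = $required[$name]
        # Allow ACEs for this SID that target servicePrincipalName or the whole object
        $aces = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ObjectType -eq $spnGuid -or $_.ObjectType -eq [guid]::Empty) -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
        }
        # Bitwise test also matches GenericAll / GenericRead / GenericWrite grants
        [pscustomobject]@{
            Cluster   = $Cluster
            Principal = $name
            ReadSPN   = [bool]($aces | Where-Object { ($_.ActiveDirectoryRights -band $read)  -eq $read })
            WriteSPN  = [bool]($aces | Where-Object { ($_.ActiveDirectoryRights -band $write) -eq $write })
        }
    }
}

Test-ClusterSpnDelegation -Cluster 'ISI-CLUSTER-A' -Partner 'ISI-CLUSTER-B'
Test-ClusterSpnDelegation -Cluster 'ISI-CLUSTER-B' -Partner 'ISI-CLUSTER-A'
```

This inspects the ACEs themselves and does not evaluate Deny entries or rights the cluster account holds through group membership, so the Effective Access tab in the steps above remains the authoritative check.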

See Also

You may consult any of the Failover Guides for further detail about your desired Failover method.