How to - Delegation of Cluster Machine Accounts with Active Directory

Overview

In order to automate DR with SyncIQ and Eyeglass with Active Directory and SMB shares, it's important to ensure that service principal names (SPNs) are synchronized with the machine account used by the DR cluster.

Service principal names are used by Kerberos authentication and machine accounts, and a new SPN pair is created each time a new SmartConnect zone alias is created.

Note: Superna Eyeglass only manages SPNs related to HOST. SPNs related to HDFS or NFS are not updated and will need to be manually repaired post failover.

How to prepare your cluster for Eyeglass automated DR failover

Eyeglass will create the SmartConnect zone names and aliases required on your DR cluster automatically, in advance of a DR failover. This is done by mapping a subnet on cluster A to a subnet on cluster B in the Eyeglass UI; once set, all new SmartConnect zones or aliases created on the production cluster are synced to the DR cluster network pool and subnet. It's important to set up AD and your cluster in advance of failover to eliminate authentication issues due to missing SPN entries on the machine account.

Key design used by Eyeglass: SPN management by proxy on failover

During failover, SPN deletes must occur against the source cluster's AD machine account, but during a real DR event the source cluster is not reachable to issue SPN commands. Eyeglass solves this by issuing proxy SPN update commands to the DR cluster that reference the source cluster's machine account name. This means Eyeglass can correct SPN entries for the source cluster even when it's not reachable.

Note: This proxy SPN management solution depends on the delegation being done as stated below, with an OU used for the cluster machine accounts and each cluster allowed to update the other's SPNs using isi proxy commands.

  1. Automated Solution with Eyeglass Object Level Method:

    1. Use this method to restrict, at the object level, the AD permissions needed for automated SPN management during failover and for the audit and remediation features in Eyeglass. Recommended with a single pair of clusters. Use the OU method if more cluster objects are involved.

    2. As an administrator user, select the first cluster in the pair in the Active Directory Users and Computers snap-in. Open Properties, go to the Security tab, then click the "Advanced" button of the dialog box. See below.

    3. (Screenshot: Screen Shot 2016-01-28 at 7.25.13 AM.png)

    4. Click the Add button on the Permissions window (see above).

    5. For Principal, click Select.

    6. Type SELF, click Check Names, then OK. See below.

    7. (Screenshot: Screen Shot 2016-01-28 at 7.16.55 PM.png)

    8. Scroll down the list of permissions and select Read Service Principal Name and Write Service Principal Name (see below).

    9. (Screenshot: Screen Shot 2016-01-29 at 6.46.21 AM.png)

    10. Click OK to return to the Advanced Security window.

    11. Now allow the other cluster's machine account to access the SPN properties of the cluster machine account you selected first. This is used by the SPN proxy failover feature in Eyeglass, which ensures SPNs can be managed even if a cluster is not reachable.

    12. Click the Add button again, but this time, when selecting the principal to grant the permission, enter the "other" cluster in the replication pair in the dialog box. In the example below the dialog box title is "CLUSTERA" but the principal selected for the grant is "CLUSTERB". Select the same Read and Write Service Principal Name properties as above and apply the permissions to the CLUSTERB machine account.

    13. (Screenshot: Screen Shot 2016-01-28 at 4.03.10 PM.png)

    14. The above steps ONLY applied object level permissions to one cluster.

    15. REPEAT the above steps by selecting the 2nd cluster of the pair and applying the same two sets of permissions (SELF and the other cluster's machine account).

    16. The delegation step is done. Do not proceed to the OU step; it is only needed if you have more than one cluster pair to delegate, where it saves time and effort.

  2. Automated Solution with Eyeglass Organization Unit Method:

    1. Use this method when more than one cluster pair is replicating; it saves steps by doing the delegation once at the OU level instead of per object. Recommended with more than 2 clusters to delegate.

    2. To avoid Eyeglass requiring the AD administrator account to synchronize the SPNs for production or DR clusters, the following one-time steps MUST be executed.

    3. Using the Active Directory Users and Computers snap-in admin tool:

      1. Create an OU for the Isilon cluster computer accounts.

      2. (Screenshot: Screen Shot 2016-01-21 at 2.32.35 PM.png)

      3. Move the cluster AD computer objects into the OU created above with drag and drop.

      4. Right click the OU and select Delegate Control (note this applies to all computer accounts in this folder or OU).

      5. Select the Delegation option.

      6. (Screenshot: Screen Shot 2016-01-21 at 3.09.50 PM.png)

      7. Follow the screenshots below that assign the cluster permissions to read and write the service principal name.

      8. Once these steps are completed, the following test can be used to verify that the delegation is applied correctly.

      9. Create an alias on a SmartConnect zone (example command: isi networks modify pool videoserver:videoserverpool --add-zone-alias=aliastest.internal.superna.net).

      10. Then run:

          1. isi auth ads spn check --domain=internal.superna.net --repair --machinecreds (this command allows the cluster to update the SPN property itself; Eyeglass runs it on a scheduled basis to ensure all alias and SmartConnect SPN updates are in sync, and raises an alarm if it fails). Here it is used only to validate that the AD delegation was done successfully.

          2. If the command above runs without any error, the delegation was successful. It will report a successful update of the SPN for the new alias.

          3. This can also be verified using ADSIedit.

Now Eyeglass can operate and sync the SPN information along with alias and SmartConnect zone creations or edits, so that fully automated DR failover and failback work as expected and Kerberos authentication succeeds with the SPNs already synchronized.
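The object level delegation in section 1 and the OU level delegation in section 2 can also be applied and checked from PowerShell. This is an added example, not Superna's or this page's own script; it assumes the RSAT ActiveDirectory module, a session with rights to change AD permissions, and CLUSTERA / CLUSTERB as placeholder machine account names (the OU DN in the commented call is also a placeholder).

```powershell
# Added example (not Superna's): delegate read/write of the servicePrincipalName attribute on
# Isilon cluster machine accounts. Assumes RSAT ActiveDirectory module; CLUSTERA/CLUSTERB are placeholders.
Import-Module ActiveDirectory

# Look up the schemaIDGUIDs for the servicePrincipalName attribute and the computer class
# from the schema instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$LdapDisplayName'" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
$spnGuid      = Get-SchemaGuid 'servicePrincipalName'
$computerGuid = Get-SchemaGuid 'computer'

$rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor `
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$allow  = [System.Security.AccessControl.AccessControlType]::Allow

# Object-level method: ACE on one computer object, scoped to servicePrincipalName only.
# OU method (-Inherit): ACE on the OU, inherited by every computer object beneath it.
function Grant-SpnDelegation {
    param([string]$TargetDN, [System.Security.Principal.IdentityReference]$Grantee, [switch]$Inherit)
    if ($Inherit) {
        $scope = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
        $rule  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
                     $Grantee, $rights, $allow, $spnGuid, $scope, $computerGuid
    } else {
        $rule  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
                     $Grantee, $rights, $allow, $spnGuid
    }
    $acl = Get-Acl -Path "AD:\$TargetDN"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$TargetDN" -AclObject $acl
}

# Object-level: each cluster object gets SELF plus the partner cluster's machine account (the proxy grant).
$self     = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-10'   # well-known SID SELF
$clusterA = Get-ADComputer 'CLUSTERA'
$clusterB = Get-ADComputer 'CLUSTERB'
Grant-SpnDelegation -TargetDN $clusterA.DistinguishedName -Grantee $self
Grant-SpnDelegation -TargetDN $clusterA.DistinguishedName -Grantee $clusterB.SID
Grant-SpnDelegation -TargetDN $clusterB.DistinguishedName -Grantee $self
Grant-SpnDelegation -TargetDN $clusterB.DistinguishedName -Grantee $clusterA.SID
# OU method instead (placeholder DN): one inherited ACE per cluster machine account, plus one for SELF.
# Grant-SpnDelegation -TargetDN 'OU=IsilonClusters,DC=example,DC=com' -Grantee $clusterA.SID -Inherit

# Check: show only the ACEs on CLUSTERA that are scoped to the servicePrincipalName attribute.
(Get-Acl -Path "AD:\$($clusterA.DistinguishedName)").Access |
    Where-Object { $_.ObjectType -eq $spnGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
```

The final check should list SELF and the partner cluster with ReadProperty, WriteProperty and Allow; an entry with IsInherited set to True indicates the grant came from the OU method rather than the object itself.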

How to Use Active Directory Delegation of Control Wizard to Delegate Service Principal Name Permissions to the cluster

Example of SPN in ADSIedit Tool

How to check cluster SPN permissions are set correctly


(Animation: spn-delegation-check.gif)