How to Validate AD Cluster Delegation is Ready for Failover and failback of SPNs

How to Validate AD Delegation is Ready for Failover




Technical Note



Abstract:

This technical note provides test methodologies to validate that AD delegation is ready for failover under four scenarios:

  • PRIMARY Cluster SELF SPN Delegation

  • PRIMARY Cluster CROSS SPN Delegation

  • DR Cluster SELF SPN Delegation

  • DR Cluster CROSS SPN Delegation

Use this procedure to validate that AD delegation has been done correctly.  A common mistake is incorrect delegation on the cluster's AD computer (machine) account.

Understanding how failover works

The failover process requires the target cluster to have AD permissions to manage SPN(s) on the source cluster's AD machine account.  The delegation guide sets this up on each cluster's machine account so that failover works in either direction.

If delegation is not set up correctly, the following issues are frequently seen:

  • LDAP constraint violation

  • LDAP permissions error

Locate the AD Isilon machine account name

Log in to your cluster as ‘root’ and run the following CLI command to locate the machine account name:

# isi auth ads list -v


For OneFS 8.x

Section 1 - All Steps performed on PRIMARY CLUSTER [For OneFS 8.x.x.x]

1A - SELF test

  • CREATE SPN for PRIMARY Cluster [OneFS 8.x]

For this test, you will need 2 OneFS 8.x.x.x clusters connected to the same AD.


Step 1. Log in to your PRIMARY cluster as the “eyeglass” user and issue the following command to confirm the account you are logged in as:
           whoami


Step 2. Add an SPN by using the following command

           sudo isi_classic auth ads spn add --machinecreds --spn=HOST/superna.test.spn --domain=xxx

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]


Step 3. Check that the SPN was created successfully.
           sudo isi_classic auth ads spn list --machinecreds --domain=xxx

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]


  • DELETE SPN for PRIMARY Cluster [OneFS 8.x]


For this test, you will need OneFS 8.x.x.x clusters connected to the same AD.


Step 1. Log in to your PRIMARY cluster as the “eyeglass” user and issue the following command to confirm the account you are logged in as:
           whoami


Step 2. Delete the SPN from the same cluster by issuing the following command

           sudo isi_classic auth ads spn delete --machinecreds --spn=HOST/superna.test.spn --domain=xxx

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]

Step 3. Check that the SPN was deleted successfully.
           sudo isi_classic auth ads spn list --machinecreds --domain=xxx

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]



1B - CROSS test

  • CREATE SPN for DR Cluster [OneFS 8.x]

For this test, you will need OneFS 8.x.x.x clusters connected to the same AD.


Step 1. Log in to your PRIMARY cluster as the “eyeglass” user and issue the following command to confirm the account you are logged in as:
           whoami


Step 2. Add an SPN for the DR cluster from the PRIMARY cluster
sudo isi_classic auth ads spn add --machinecreds --account=xxx$ --spn=HOST/superna.test.spn --domain=xxx


[--account= is the AD computer name of the DR cluster that we are adding the SPN to. A “$” sign is needed after the AD computer name.]

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]


Step 3. Check that the SPN was created successfully
sudo isi_classic auth ads spn list --machinecreds --account=xxx$ --domain=xxx

[--account= is the AD computer name of the DR cluster whose SPNs we are listing. A “$” sign is needed after the AD computer name.]

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]

  • DELETE SPN for DR Cluster [OneFS 8.x]

For this test, you will need OneFS 8.x.x.x clusters connected to the same AD.


Step 1. Log in to your PRIMARY cluster as the “eyeglass” user and issue the following command to confirm the account you are logged in as:
           whoami


Step 2. Delete the SPN for the DR cluster from the PRIMARY cluster
sudo isi_classic auth ads spn delete --machinecreds --account=xxx$ --spn=HOST/superna.test.spn --domain=xxx


[--account= is the AD computer name of the DR cluster that we are deleting the SPN from. A “$” sign is needed after the AD computer name.]

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]


Step 3. Check that the SPN was deleted successfully
sudo isi_classic auth ads spn list --machinecreds --account=xxx$ --domain=xxx

[--account= is the AD computer name of the DR cluster whose SPNs we are listing. A “$” sign is needed after the AD computer name.]

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]




Section 2 - All Steps performed on DR CLUSTER [For OneFS 8.x.x.x]

2A - SELF test

  • CREATE SPN for DR Cluster [OneFS 8.x]

For this test, you will need OneFS 8.x.x.x clusters connected to the same AD.


Step 1. Log in to your DR cluster as the “eyeglass” user and issue the following command to confirm the account you are logged in as:
           whoami


Step 2. Add an SPN by using the following command

           sudo isi_classic auth ads spn add --machinecreds --spn=HOST/superna.test.spn.domain.com --domain=xxx

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]


Step 3. Check that the SPN was created successfully.
           sudo isi_classic auth ads spn list --machinecreds --domain=xxx

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]


  • DELETE SPN for DR Cluster [OneFS 8.x]


For this test, you will need OneFS 8.x.x.x clusters connected to the same AD.


Step 1. Log in to your DR cluster as the “eyeglass” user and issue the following command to confirm the account you are logged in as:
           whoami


Step 2. Delete the SPN created in the previous test from the same cluster by issuing the following command

           sudo isi_classic auth ads spn delete --machinecreds --spn=HOST/superna.test.spn.domain.com --domain=xxx

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]

Step 3. Check that the SPN was deleted successfully.
           sudo isi_classic auth ads spn list --machinecreds --domain=xxx

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]



2B - CROSS test

  • CREATE SPN for PRIMARY Cluster [OneFS 8.x]

For this test, you will need OneFS 8.x.x.x clusters connected to the same AD.


Step 1. Log in to your DR cluster as the “eyeglass” user and issue the following command to confirm the account you are logged in as:
           whoami


Step 2. Add an SPN for the PRIMARY cluster from the DR cluster
sudo isi_classic auth ads spn add --machinecreds --account=xxx$ --spn=HOST/superna.test.spn --domain=xxx


[--account= is the AD computer name of the PRIMARY cluster that we are adding the SPN to. A “$” sign is needed after the AD computer name.]

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]


Step 3. Check that the SPN was created successfully
sudo isi_classic auth ads spn list --machinecreds --account=xxx$ --domain=xxx

[--account= is the AD computer name of the PRIMARY cluster whose SPNs we are listing. A “$” sign is needed after the AD computer name.]

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]

  • DELETE SPN for PRIMARY Cluster [OneFS 8.x]

For this test, you will need OneFS 8.x.x.x clusters connected to the same AD.


Step 1. Log in to your DR cluster as the “eyeglass” user and issue the following command to confirm the account you are logged in as:
           whoami


Step 2. Delete the SPN created in the previous test for the PRIMARY cluster from the DR cluster
sudo isi_classic auth ads spn delete --machinecreds --account=xxx$ --spn=HOST/superna.test.spn --domain=xxx


[--account= is the AD computer name of the PRIMARY cluster that we are deleting the SPN from. A “$” sign is needed after the AD computer name.]

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]


Step 3. Check that the SPN was deleted successfully
sudo isi_classic auth ads spn list --machinecreds --account=xxx$ --domain=xxx

[--account= is the AD computer name of the PRIMARY cluster whose SPNs we are listing. A “$” sign is needed after the AD computer name.]

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]



For OneFS 7.x

Section 1 - All Steps performed on PRIMARY CLUSTER [For OneFS 7.x.x.x]

1A - SELF test

  • CREATE SPN for PRIMARY Cluster [OneFS 7.x]

For this test, you will need OneFS 7.x.x.x clusters connected to the same AD.

Step 1. Log in to your PRIMARY cluster as the “eyeglass” user and issue the following command to confirm the account you are logged in as:
           whoami


Step 2. Add an SPN by using the following command

           sudo isi auth ads spn add --machinecreds --spn=HOST/superna.test.spn.domain.com --domain=xxx

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]


Step 3. Check that the SPN was created successfully.
           sudo isi auth ads spn list --machinecreds --domain=xxx

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]



  • DELETE SPN for PRIMARY Cluster [OneFS 7.x]

For this test, you will need OneFS 7.x.x.x clusters connected to the same AD.


Step 1. Log in to your PRIMARY cluster as the “eyeglass” user and issue the following command to confirm the account you are logged in as:
           whoami


Step 2. Delete the SPN from the same cluster by issuing the following command

           sudo isi auth ads spn delete --machinecreds --spn=HOST/superna.test.spn.domain.com --domain=xxx

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]

Step 3. Check that the SPN was deleted successfully.
           sudo isi auth ads spn list --machinecreds --domain=xxx

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]




1B - CROSS test

  • CREATE SPN for DR Cluster [OneFS 7.x]

For this test, you will need OneFS 7.x.x.x clusters connected to the same AD.


Step 1. Log in to your PRIMARY cluster as the “eyeglass” user and issue the following command to confirm the account you are logged in as:
           whoami


Step 2. Create the SPN for the DR cluster from the PRIMARY cluster by issuing the following command

           sudo isi auth ads spn create --machinecreds --account=xxx$ --spn=HOST/superna.test.spn.domain.com --domain=xxx

[--account= is the AD computer name of the DR cluster that we are adding the SPN to. A “$” sign is needed after the AD computer name.]

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]

Step 3. Check that the SPN was created successfully.
           sudo isi auth ads spn list --machinecreds --account=xxx$ --domain=xxx

[--account= is the AD computer name of the DR cluster whose SPNs we are listing. A “$” sign is needed after the AD computer name.]

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]



  • DELETE SPN for DR Cluster [OneFS 7.x]

For this test, you will need OneFS 7.x.x.x clusters connected to the same AD.


Step 1. Log in to your PRIMARY cluster as the “eyeglass” user and issue the following command to confirm the account you are logged in as:
           whoami


Step 2. Delete the SPN for the DR cluster from the PRIMARY cluster by issuing the following command

           sudo isi auth ads spn delete --machinecreds --account=xxx$ --spn=HOST/superna.test.spn.domain.com --domain=xxx

[--account= is the AD computer name of the DR cluster that we are deleting the SPN from. A “$” sign is needed after the AD computer name.]

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]

Step 3. Check that the SPN was deleted successfully.
           sudo isi auth ads spn list --machinecreds --account=xxx$ --domain=xxx

[--account= is the AD computer name of the DR cluster whose SPNs we are listing. A “$” sign is needed after the AD computer name.]

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]


Section 2 - All Steps performed on DR CLUSTER [For OneFS 7.x.x.x]

2A - SELF test

  • CREATE SPN for DR Cluster [OneFS 7.x]

For this test, you will need OneFS 7.x.x.x clusters connected to the same AD.


Step 1. Log in to your DR cluster as the “eyeglass” user and issue the following command to confirm the account you are logged in as:
           whoami


Step 2. Add an SPN by using the following command

           sudo isi auth ads spn add --machinecreds --spn=HOST/superna.test.spn.domain.com --domain=xxx

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]


Step 3. Check that the SPN was created successfully.
           sudo isi auth ads spn list --machinecreds --domain=xxx

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]

  • DELETE SPN for DR Cluster [OneFS 7.x]

For this test, you will need OneFS 7.x.x.x clusters connected to the same AD.


Step 1. Log in to your DR cluster as the “eyeglass” user and issue the following command to confirm the account you are logged in as:
           whoami


Step 2. Delete the SPN from the same cluster by issuing the following command

           sudo isi auth ads spn delete --machinecreds --spn=HOST/superna.test.spn.domain.com --domain=xxx

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]

Step 3. Check that the SPN was deleted successfully.
           sudo isi auth ads spn list --machinecreds --domain=xxx

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]



2B - CROSS test

  • CREATE SPN for PRIMARY Cluster [OneFS 7.x]

For this test, you will need OneFS 7.x.x.x clusters connected to the same AD.


Step 1. Log in to your DR cluster as the “eyeglass” user and issue the following command to confirm the account you are logged in as:
           whoami


Step 2. Create the SPN for the PRIMARY cluster from the DR cluster by issuing the following command

           sudo isi auth ads spn create --machinecreds --account=xxx$ --spn=HOST/superna.test.spn.domain.com --domain=xxx

[--account= is the AD computer name of the PRIMARY cluster that we are adding the SPN to. A “$” sign is needed after the AD computer name.]

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]

Step 3. Check that the SPN was created successfully.
           sudo isi auth ads spn list --machinecreds --account=xxx$ --domain=xxx

[--account= is the AD computer name of the PRIMARY cluster whose SPNs we are listing. A “$” sign is needed after the AD computer name.]

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]

  • DELETE SPN for PRIMARY Cluster [OneFS 7.x]

For this test, you will need OneFS 7.x.x.x clusters connected to the same AD.


Step 1. Log in to your DR cluster as the “eyeglass” user and issue the following command to confirm the account you are logged in as:
           whoami


Step 2. Delete the SPN for the PRIMARY cluster from the DR cluster by issuing the following command

           sudo isi auth ads spn delete --machinecreds --account=xxx$ --spn=HOST/superna.test.spn.domain.com --domain=xxx

[--account= is the AD computer name of the PRIMARY cluster that we are deleting the SPN from. A “$” sign is needed after the AD computer name.]

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]

Step 3. Check that the SPN was deleted successfully.
           sudo isi auth ads spn list --machinecreds --account=xxx$ --domain=xxx

[--account= is the AD computer name of the PRIMARY cluster whose SPNs we are listing. A “$” sign is needed after the AD computer name.]

[--machinecreds is needed to authenticate to AD with your cluster's machine account]

[--domain= Enter your Domain name]
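As an added example that is not part of this technical note, the shell script below runs any one of the SELF or CROSS tests above end to end (add the test SPN, confirm it is listed, delete it, confirm it is gone), so a missing delegation on either cluster's machine account is reported at the step that fails instead of being read out of four separate command outputs. It assumes the operator sets the placeholder variables DOMAIN, TEST_SPN, ACCOUNT (empty for a SELF test, the other cluster's AD computer name with a trailing $ for a CROSS test), ISI_CMD (isi_classic on OneFS 8.x, isi on 7.x) and ADD_VERB (add, or create where the 7.x steps use it); the function names are this example's own, and nothing is assumed about the spn list layout beyond the SPN appearing in it.

```shell
#!/bin/sh
# Added example, not part of the original technical note: runs one SELF
# or CROSS delegation test end to end (add SPN, verify listed, delete
# SPN, verify gone) so a delegation error is reported at the failing step.
# Placeholders (assumptions, not from the note): the operator sets DOMAIN,
# TEST_SPN, ACCOUNT, ISI_CMD and ADD_VERB; run as the "eyeglass" user.

ISI_CMD="${ISI_CMD:-isi_classic}"     # isi_classic on OneFS 8.x, isi on 7.x
ADD_VERB="${ADD_VERB:-add}"           # some 7.x steps in the note use "create"
DOMAIN="${DOMAIN:-EXAMPLE.LOCAL}"     # placeholder AD domain
TEST_SPN="${TEST_SPN:-HOST/superna.test.spn}"
ACCOUNT="${ACCOUNT:-}"                # "" = SELF test; "OTHERCLUSTER$" = CROSS test

# Common options; --account= is passed only for the CROSS test.
spn_args() {
    if [ -n "$ACCOUNT" ]; then
        printf '%s' "--machinecreds --account=$ACCOUNT --domain=$DOMAIN"
    else
        printf '%s' "--machinecreds --domain=$DOMAIN"
    fi
}

# spn_present LIST_OUTPUT SPN: returns 0 if SPN occurs in the 'spn list'
# output. Fixed-string, case-insensitive match: SPNs compare
# case-insensitively in AD, and the exact list layout is not assumed.
spn_present() {
    printf '%s\n' "$1" | grep -Fiq -- "$2"
}

# run_test: returns 0 when the full add/list/delete/list cycle succeeds;
# otherwise prints which step failed and returns 1.
run_test() {
    args=$(spn_args)   # left unquoted below on purpose: one word per option
    sudo "$ISI_CMD" auth ads spn "$ADD_VERB" $args --spn="$TEST_SPN" \
        || { echo "FAIL: add denied; check delegation on ${ACCOUNT:-own} machine account"; return 1; }
    out=$(sudo "$ISI_CMD" auth ads spn list $args) || { echo "FAIL: list"; return 1; }
    spn_present "$out" "$TEST_SPN" || { echo "FAIL: SPN not listed after add"; return 1; }
    sudo "$ISI_CMD" auth ads spn delete $args --spn="$TEST_SPN" \
        || { echo "FAIL: delete denied; check delegation on ${ACCOUNT:-own} machine account"; return 1; }
    out=$(sudo "$ISI_CMD" auth ads spn list $args) || { echo "FAIL: list"; return 1; }
    if spn_present "$out" "$TEST_SPN"; then echo "FAIL: SPN still listed after delete"; return 1; fi
    echo "PASS: ${ACCOUNT:-SELF} delegation test"
}

# Talk to AD only when asked explicitly, e.g.:  ACCOUNT='ISI-DR$' sh spn_test.sh run
if [ "${1:-}" = "run" ]; then run_test; fi
```

Run it once per scenario in the abstract (SELF on each cluster, then CROSS from each cluster naming the other cluster's account); an LDAP constraint or permissions error shows up as a FAIL on the add or delete step.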