[-]
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
Updated on 2/20/2019
Direct link to topic in this publication:
DR Design Guides
Troubleshooting Failover
Home

Troubleshooting Failover

Failover Recovery Procedures

In the event that a Failover does not complete all steps successfully, please refer to the Eyeglass Failover Recovery Procedures to assess the state of your environment and for recovery steps.

Collecting Logs for Failover Troubleshooting

To collect the logs for Failover Troubleshooting, following the instructions for collecting support information found in the Eyeglass FAQ document here.  The Failover logs will be included with other Eyeglass logs contained in the Logs Backup file.

Authentication with Service Principal Name Considerations with Active Directory and SMB Shares in Access Zones

Active Directory only allows a single computer account to register a Service Principal Name against a computer account.  This property can be seen with ADSI Edit tool.  The SPN is in the form of HOST/service name and typically has 2 entries one for Netbios naming (15 characters)  and one for DNS URL format for each SmartConnect zone or zone alias created on a cluster.

The service principal name is required to exist on the machine account handling authentication requests from clients to send to a domain controller for authentication using kerberos session tickets.

Active Directory does prevent duplicate SPN from being registered and if this occurs Kerberos authentication fails for clients and they will be unable to mount data if NTLM fall back authentication does not succeed.    Eyeglass failover deletes the SPN's of the subnet pool and it’s aliases on the selected source cluster Access Zone from the  AD computer account or ALL AD providers assigned to the Access Zone during failover.  

Eyeglass also scans cluster machine accounts during configuration replication jobs and fixes missing SPN’s if detected.

Example Error seen after duplicate SPN’s were created.  This is seen on the domain controller attempting to authenticate a mount request. This error only appears once and not for each failed authentication.

For information this event see KB article https://support.microsoft.com/en-us/kb/321044 

Copyright Superna LLC