Support for InfoScale products in Windows environments without Active Directory

Article ID: 100044827

Description

Common non-AD supportability requirement across products and options

Applications and infrastructure environments must also be supported and configured for a non-AD environment.

  • Example of not supported: Applications like Exchange or SharePoint are dependent upon AD. Additionally, Microsoft Failover Cluster requires AD. Therefore, when InfoScale products are deployed within such applications or environments, AD is also required.
  • Example of supported: SQL Server can be deployed and configured in a non-AD environment. Therefore, InfoScale products can also be deployed in such an environment if the correct practices for non-AD SQL Server deployment and the other practices outlined in this article are followed.

 

Per product and options non-AD supportability requirements

The supportability statements and the associated requirements or limitations for the InfoScale products or product options in a non-AD environment are as follows.

 

InfoScale Availability: Supported with limitations

Note: This supportability statement and requirements list include HA and DR deployments of the product.

  • Not supported with any application that requires AD.
  • Not supported with the Hyper-V virtual machine-level DR solution provided by InfoScale. This solution integrates with Microsoft Failover Cluster, which requires AD.
  • Authentication and authorization supportability requirements:
    • Veritas Cluster Server Helper service (HADHelperUser): While it is possible to keep the Veritas Cluster Server Helper service unconfigured in a non-AD environment, it is recommended to configure the service on all nodes. Requirements for the configuration of the VCS Helper Service account include:
      • Use the Windows Local System account for the service
        OR
      • Utilize a local account that is configured exactly the same on all nodes in the cluster.
    • The service account must be a local account in the local Administrators group on all non-domain joined nodes.
    • The account on all nodes, within an InfoScale cluster, must be the same username and same password.
      Note: Testing of your specific configuration with either Local System or a local service account should be done in order to ensure required functionality is achieved or maintained for the specific application(s) or service(s) you are clustering.
    • VCS Secure Clusters:
      • Not supported as the VCS Authentication Service relies upon integration with third-party directories, such as AD, for authentication and authorization.
      • Only deploy non-secure VCS clusters in a non-AD environment.
    • SQL Authentication:
      • In a SQL + VCS non-AD environment, SQL native or mixed mode authentication must be utilized. When running SQL tools, including Management Studio, they must be run with a native SQL user account, not with a Windows local account.
  • Configuration process requirements:
    Note: Most of the configuration process must be performed manually instead of using the VCS end-to-end and application-specific configuration wizards.

To configure a cluster in a non-AD environment

  1. In order to utilize the cluster configuration wizard in a non-AD environment, launch the Veritas Cluster Configuration Wizard from the command prompt using the command: vcw.exe -nonad
  2. After configuring the cluster, manually enable the Veritas Cluster Server Helper service on each of the nodes with the following settings:
    • Startup type: Automatic
    • Logon: Local System account or specify the local user with administrator rights in “This account:” setting
    • Start the service
  • The application- or service-specific service group configuration wizards from the Solutions Configuration Center cannot be used for configuration in a non-AD environment. Service group configuration needs to be done manually by using one of the following methods:
    • Command-line interface or scripts
    • Service group templates with the Cluster Explorer
    • Manually creating empty service group(s) and then adding resources and dependencies with the Cluster Explorer
  • Veritas Cluster Server (VCS) agent support and attribute settings:
    Certain VCS agents have explicit configuration settings that provide integration with AD or that rely on AD. The known agent attributes or settings that have specific requirements in non-AD environments are as follows.
Lanman agent
Attribute: Value
  • ADContainer: Must not be specified (empty).
  • ADUpdateRequired: Must be set to false (disabled).
  • ADCriticalForOnline: Must be set to false (disabled).

VCS DNS update functionality:

The VCS Lanman agent provides functionality to update DNS with the virtual name and IP of the protected application instance, to ensure continued access to the application by clients after failover across subnets, particularly in a DR configuration. This functionality is not supported in a non-AD environment. All attributes on the Lanman resource related to DNS update functionality, including the following, must be set to false or left unconfigured.

  • AdditionalDNSServers: Do not set.
  • DNSCriticalForOnline: Must be set to false (disabled).
  • DNSOptions: Do not set.
  • DNSUpdateRequired: Must be set to false (disabled).
  • DNSRefreshInterval: Keep at default value of 0.
  • DNSZones: Do not set.
  • AliasName: Do not set.
  • TSIGKeyFile: Do not set.
  • TTL: Keep at default value of 0.
Oracle database agent
  • DetailMonitor: Must be set to false (disabled). Detail monitoring functionality of individual Oracle databases is not supported as it is reliant upon authentication from an AD domain user.

SQL Server database agent
  • DetailMonitor: Must be set to false (disabled). Detail monitoring functionality for SQL databases is not supported as it is reliant upon authentication from an AD domain user.
    Note: SQL must use native SQL or mixed mode authentication. Utilizing Windows authentication cannot be supported with VCS in a non-AD environment.

Generic Service agent
  • Domain: Must not be specified (empty). When not set, the agent assumes the value in the UserAccount attribute is local to the node.

Service Monitor agent
  • Domain: Must not be specified (empty). When not set, the agent assumes the value in the UserAccount attribute is local to the node.

Process agent
  • Domain: Must not be specified (empty). When not set, the agent assumes the value in the UserAccount attribute is local to the node.

   
   
  • The following VCS agents are not supported:
    • File Share / Composite File Share agents
    • Exchange agent (all versions)
    • SharePoint agent (all versions)
    • NetApp agents (none of the agents, SnapDrive, Filer, and SnapMirror agents are supported for any version)
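
An added example, not from the original article or from Veritas: a small Python audit that checks resource definitions written in main.cf style against the agent attribute requirements listed above. The resource type names, the simplified single-line `Attribute = value` parsing, and the sample configuration are assumptions constructed for illustration.

```python
import re

# Predicates on the raw main.cf value; None means the attribute is absent.
unset = lambda v: v in (None, "", '""', "{}")
off = lambda v: v in (None, "0", "false")
zero = lambda v: v in (None, "0")

# Rules transcribed from the article; resource type names are assumptions.
RULES = {
    "Lanman": {
        "ADContainer": unset, "ADUpdateRequired": off, "ADCriticalForOnline": off,
        "AdditionalDNSServers": unset, "DNSCriticalForOnline": off,
        "DNSOptions": unset, "DNSUpdateRequired": off, "DNSRefreshInterval": zero,
        "DNSZones": unset, "AliasName": unset, "TSIGKeyFile": unset, "TTL": zero,
    },
    "Oracle": {"DetailMonitor": off},
    "SQLServer": {"DetailMonitor": off},
    "GenericService": {"Domain": unset},
    "ServiceMonitor": {"Domain": unset},
    "Process": {"Domain": unset},
}

BLOCK = re.compile(r"^[ \t]*(\w+)[ \t]+(\w+)[ \t]*\((.*?)^[ \t]*\)", re.S | re.M)
ATTR = re.compile(r"^[ \t]*(\w+)[ \t]*=[ \t]*(.*?)[ \t]*$", re.M)

def audit(main_cf):
    """Return sorted (resource, attribute, value) tuples that break a rule."""
    findings = []
    for rtype, name, body in BLOCK.findall(main_cf):
        attrs = dict(ATTR.findall(body))
        for attr, ok in RULES.get(rtype, {}).items():
            if not ok(attrs.get(attr)):
                findings.append((name, attr, attrs[attr]))
    return sorted(findings)

# Constructed sample in main.cf style, not taken from a real cluster.
SAMPLE = '''
Lanman SQL_VName (
    VirtualName = "SQLVS1"
    ADUpdateRequired = 1
    DNSUpdateRequired = 0
    DNSZones = { "corp.example" = "" }
    )
GenericService SQL_Agent_Svc (
    UserAccount = "svc_sql"
    Domain = "CORP"
    )
'''
print(audit(SAMPLE))
```

Each finding names the resource, the attribute, and the value that conflicts with the non-AD requirements; attributes that are absent are treated as left at their default.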

 

InfoScale Storage: Supported with limitations

  • Not supported with any application that requires AD.
  • Not supported in a non-AD Microsoft Failover Cluster environment, because Microsoft Failover Cluster requires AD (not supported in a non-AD environment with Veritas Microsoft Clustering option).
  • Veritas Scheduler Service:
    If using Veritas Scheduler Service for items such as enabling capacity monitoring information transfer for automatic volume growth between InfoScale cluster nodes in a non-AD environment, then the following must be followed and considered:
    • The service account must be a local account in the local Administrators group on all non-domain joined nodes.
    • The account must be the same username and same password on all nodes.

Dynamic Multi-Pathing (DMP) option: Supported

  • Not supported with any application that requires AD.
  • No explicit limitations or configuration criteria to adhere to in a non-AD environment.

Volume Replicator (VVR) component: Supported with limitations

  • Not supported with any application that requires AD.
  • Not supported in a non-AD Microsoft Failover Cluster environment, because Microsoft Failover Cluster requires AD.
  • VVR Security Service (VxSAS):
    The VxSAS service is required by VVR for communication between source and target replication nodes. In a non-AD environment the following must be followed for the VxSAS service account:
    • The service account must be a local account in the local Administrators group on all non-domain joined nodes.
    • The account must be the same username and same password on all nodes.

InfoScale Enterprise: Supported with limitations

Because this product includes the features of both InfoScale Availability and InfoScale Storage, along with the possible associated options, the supportability statements and requirements listed above for the individual products and options fully apply to the combined product.

Issue/Introduction

Veritas InfoScale products are supported in environments without Active Directory (henceforth referred to as AD, throughout this article) if specific deployment and configuration criteria are followed. This article outlines the support for the various InfoScale products, components, and product options in an environment without AD.