Assigning the user permission to update dns – HP Storage Mirroring V5 Software User Manual
Page 112
102 Recommended Credentials
Assigning the user to the local servers’ Administrators group
The user running the Application Manager must have access to both the servers' administrative shares and
have rights to modify the SPN permissions.
The target's machine account needs to be added to the source's Active Directory computer object for the
purpose of updating the SPNs during failover and failback.
The administrative shares are used to manage the configuration files and failover scripts on the source and
target. To satisfy both of these rights, it is recommended that the user must be a member of the local
“Administrators” group on each server (source and target).
Follow these steps to add a user to the Administrators group on each server.
1.
On the first server, select
Start, Settings, Control Panel
. Double-click
Administrative Tools
, then double-click
Computer Management
.
2.
In the left pane, select the
Groups
folder (located under
Computer Management\System Tools\Local Users and
Groups\
).
3.
Right-click the
Administrator
group and select
Properties
.
4.
If the user is not already a member of the Administrators group, click
Add
.
5.
In
Location
, click the domain containing the users you want to add, then click
OK
.
6.
In
Name
, type
Administrator
.
7.
Click
OK
to close all open dialog boxes.
8.
Repeat for each additional server.
Assigning the user permission to update DNS
In order to update the source DNS records, the user must have the following permissions:
•
A member of the “DNS Admin” domain local group
•
One of the following:
• A member of the “Domain Admins” group for the domain in which the DNS server resides, or
• “Full Control” on each of the individual DNS records that is associated to the source (native or virtual in
the case of clusters) IP and to be updated by the DFO utility.
•
A member of the “Server Operator”, at the very least, to “Deny” the source access to the records. The
resource record security can be set through the record properties within the DNSMgmt console.
NOTE:
The “Domain Admins” right surpasses all these individual rights, so this would be all that needs to be
added.
The specified user or DNS Admin group must be designated “full control” on all DNS Zones, both forward and
reverse, in which any of the source's DNS records reside. The “Full Control” must be set for “this object and all
child objects”.
NOTE:
The Application Manager will first attempt to impersonate the current logged-on user before
prompting for different credentials.
To be able to make calls to WMI without being part of the Domain Admins group, follow these steps:
On the DNS Server:
1.
Run
DCOMCNFG
.
2.
Expand
Component Services
.
3.
Expand
Computers
.
4.
Right-click on
My Computer
and select
Properties
.
5.
Click the
COM Security
tab.