Support of Veritas Storage Foundation and High Availability Solutions for Windows in environments without Active Directory
Problem
Products and product options within Veritas Storage Foundation and High Availability Solutions are supported in environments without Active Directory as long as specific deployment and configuration criteria are followed. This article outlines the support for each product and product option in an environment without Active Directory.
Error Message
N/A
Cause
Common non-Active Directory supportability requirement across products and options
Applications and infrastructure environments must also be supported and configured for a non-Active Directory environment.
· Example of not supported: Applications like Exchange or SharePoint are dependent upon Active Directory. Additionally, Microsoft Failover Cluster requires Active Directory. Therefore, when Storage Foundation and High Availability Solutions for Windows products are deployed within such applications or environments, Active Directory will also be required.
· Example of supported: Microsoft SQL Server can be deployed and configured in a non-Active Directory environment. Therefore, when correct practices for non-Active Directory SQL deployment are followed, Storage Foundation and High Availability Solutions for Windows can also be deployed in such an environment as long as supportability and limitation practices outlined within this document are followed.
Solution
Process to configure a cluster in a non-Active Directory environment
Per product and options non-Active Directory supportability requirements
The following provides supportability statements and associated requirements or limitations per product or product option in a non-Active Directory environment:
· Storage Foundation for Windows: Supported with Limitations
o Not supported with any application that requires Active Directory.
o Not supported in a non-Active Directory Microsoft Failover Cluster environment as Microsoft Failover Cluster requires Active Directory (not supported in a non-Active Directory environment with Veritas Microsoft Clustering option for Windows).
o Veritas Scheduler Service: If utilizing Veritas Scheduler Service for items such as enabling capacity monitoring information transfer for automatic volume growth between Veritas Cluster nodes in a non-Active Directory environment, then the following must be followed and considered:
§ The service account must be a local account in the local Administrators group on all non-domain joined nodes.
§ The account must be the same username and same password on all nodes.
· Veritas Cluster Server for Windows: Supported with Limitations
o Note: The supportability statement and requirements include HA and DR deployments of the product.
o Not supported with any application that requires Active Directory.
o Not supported with the Hyper-V Virtual Machine level disaster recovery solution provided by Veritas Cluster Server 6.0 for Windows. This solution integrates with Microsoft Failover Cluster, which requires Active Directory.
o Authentication and authorization supportability requirements:
§ VCS Helper Service (HADHelperUser): While it is possible to keep the VCS Helper Service unconfigured in a non-AD environment, it is recommended to configure the service on all nodes. Requirements for the configuration of the VCS Helper Service account include:
· Use the Windows Local System account for the service
OR
· Utilize a local account that is configured exactly the same on all nodes in the cluster.
o The service account must be a local account in the local Administrators group on all non-domain joined nodes.
o The account on all nodes, within a Veritas Cluster, must be the same username and same password.
Note: Testing of your specific configuration with either Local System or a local service account should be done in order to ensure required functionality is achieved or maintained for the specific application(s) or service(s) you are clustering.
§ VCS Secure Clusters:
· Not supported as Veritas Product Authentication Services relies upon integration with 3rd party directories, such as Active Directory, for authentication and authorization.
· Only deploy non-secure VCS clusters in a non-Active Directory environment.
§ SQL Authentication:
· In a SQL + VCS non-AD environment, SQL native or mixed mode authentication must be utilized. When running SQL tools, including Management Studio, they must be run with a native SQL user account, not with a Windows local account.
o Configuration Process requirements:
§ Note: The majority of the configuration process must be performed manually instead of utilizing VCS end to end and application centric configuration wizards.
§ In order to utilize the Cluster Configuration wizard in a non-Active Directory environment, run the Veritas Cluster Configuration Wizard in the following manner:
· Launch the wizard from a command prompt: vcw.exe -nonad
§ After configuration of the cluster, manually enable the VCS Helper Service NT service on each of the nodes:
· Startup type: Automatic
· Logon: Local System account or specify the local user with administrator rights in “This account:” setting
· Start the service
§ The application or service specific Service Group Configuration wizards available from the Start > All Programs > Veritas > Veritas Cluster Server > Configuration Tools menu or within the Solutions Configuration Center cannot be utilized for configuration in a non-Active Directory environment. Service Group configuration needs to be performed manually via one of the following methods:
· Command line interface/scripts
· Utilizing the Service Group Templates within Cluster Explorer
· Creating empty Service Group and manually creating resources and dependencies within Cluster Explorer
o Veritas Cluster Server agent support and attribute settings:
Certain Veritas Cluster Server agents have explicit configuration settings that provide integration with or have reliance upon Active Directory. The following outlines known agent attributes/settings that have specific setting requirements in a non-Active Directory environment.
· Lanman Agent:
o ADContainer : Must not be specified (empty).
o ADUpdateRequired : Must be set to false (disabled).
o ADCriticalForOnline : Must be set to false (disabled).
o VCS DNS update functionality: The VCS Lanman agent provides functionality to update DNS with the virtual name and IP of the protected application instance to ensure continued access to the application by clients after failover across subnets, particularly in a DR configuration. This functionality is not supported in a non-AD environment. All attributes on the Lanman resource related to DNS update functionality must be set to false or left unconfigured, including:
§ AdditionalDNSServers : Do not set.
§ DNSCriticalForOnline : Must be set to false (disabled).
§ DNSOptions : Do not set.
§ DNSUpdateRequired : Must be set to false (disabled).
§ DNSRefreshInterval : Keep at default value of 0.
§ DNSZones : Do not set.
§ AliasName : Do not set.
§ TSIGKeyFile : Do not set.
§ TTL : Keep at default value of 0.
· Oracle Database Agent:
o DetailMonitor : Must be set to false (disabled). Detailed Monitoring functionality of individual Oracle databases is not supported as it is reliant upon authentication from an Active Directory domain user.
· SQL 2008/2008R2 Database Agent:
o DetailMonitor: Must be set to false (disabled). Detailed Monitoring functionality for SQL databases is not supported as it is reliant upon authentication from an Active Directory domain user.
Note: SQL must use native SQL or mixed mode authentication. Utilizing Windows authentication cannot be supported with VCS in a non-AD environment.
· Generic Service Agent:
o Domain : Must not be specified (empty). When not set, agent assumes value in UserAccount attribute is local to the node.
· Service Monitor Agent:
o Domain : Must not be specified (empty). When not set, agent assumes value in UserAccount attribute is local to the node.
· Process Agent:
o Domain : Must not be specified (empty). When not set, agent assumes value in UserAccount attribute is local to the node.
· File Share / Composite File Share Agents: Not Supported
· Print Share Agent: Not Supported
· Exchange Agent (all versions): Not Supported
· SharePoint Agent (all versions): Not Supported
· NetApp Agents (all-SnapDrive, Filer and SnapMirror agents for any version): Not Supported
· Veritas Dynamic Multi-pathing for Windows (product or option): Supported
o Not supported with any application that requires Active Directory.
o No explicit limitations or configuration criteria to adhere to in a non-Active Directory environment.
· Veritas Volume Replicator for Windows option: Supported with Limitations
o Not supported with any application that requires Active Directory.
o Not supported in a non-Active Directory Microsoft Failover Cluster environment as Microsoft Failover Cluster requires Active Directory.
o VVR Security Service (VxSAS): The VxSAS service is required by VVR for communication between source and target replication nodes. In a non-Active Directory environment the following must be followed for the VxSAS service account:
§ The service account must be a local account in the local Administrators group on all non-domain joined nodes.
§ The account must be the same username and same password on all nodes.
· Veritas FlashSnap for Windows option: Supported with Limitations
o Not supported with any application that requires Active Directory.
o Not supported in a non-Active Directory Microsoft Failover Cluster environment as Microsoft Failover Cluster requires Active Directory.
o Non application integrated volume and RVG snapshots:
§ Volume snapshots that do not have application integration are fully supported without configuration caveats or limitations.
o Application integrated volume snapshots:
§ VSS integrated Exchange snapshots: Not supported because of application reliance upon Active Directory.
§ VSS integrated SharePoint snapshots: Not supported because of application reliance upon Active Directory.
§ Application aware Enterprise Vault snapshots: Not supported because of reliance upon Active Directory.
§ VSS integrated SQL snapshots: Supported as long as practices for deploying SQL in a non-Active Directory environment are followed.
§ Veritas Scheduler Service: If scheduling VSS snapshots, then the following must be adhered to:
· The service account must be a local account in the local Administrators group on all non-domain joined nodes.
· The account on all nodes, within a Veritas Cluster, must be the same username and same password.
· Veritas Storage Foundation High Availability/Disaster Recovery for Windows: Supported with Limitations
o As this product includes Storage Foundation for Windows, Veritas Cluster Server for Windows and possible associated options, the aforementioned supportability statements and requirements for individual products and options fully apply to the combined product.
§ In order to utilize the Cluster Configuration wizard in a non-Active Directory environment, run the Veritas Cluster Configuration Wizard in the following manner:
· Launch the wizard from a command prompt: vcw.exe -nonad
§ After configuration of the cluster, manually enable the VCS Helper Service NT service on each of the nodes:
· Startup type: Automatic
· Logon: Local System account or specify the local user with administrator rights in “This account:” setting
· Start the service
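The agent attribute requirements listed above under "Veritas Cluster Server agent support and attribute settings" can be checked mechanically before a cluster goes into service. The following is an added example, not Veritas code: it lints resource definitions against those rules. The resource type names used as dictionary keys (for example GenericService and SQLServer2008), the input layout and the sample resources are assumptions; Exchange, SharePoint and NetApp agent types should be added to UNSUPPORTED under the type names used in your configuration.

```python
# Added example: lint VCS resource attributes against the non-AD rules above.
# Resource type names (dictionary keys) are assumed spellings; adjust as needed.
EMPTY, FALSE, ZERO = "empty", "false", "zero"

RULES = {
    "Lanman": {
        "ADContainer": EMPTY, "ADUpdateRequired": FALSE,
        "ADCriticalForOnline": FALSE, "AdditionalDNSServers": EMPTY,
        "DNSCriticalForOnline": FALSE, "DNSOptions": EMPTY,
        "DNSUpdateRequired": FALSE, "DNSRefreshInterval": ZERO,
        "DNSZones": EMPTY, "AliasName": EMPTY, "TSIGKeyFile": EMPTY,
        "TTL": ZERO,
    },
    "Oracle": {"DetailMonitor": FALSE},
    "SQLServer2008": {"DetailMonitor": FALSE},
    "GenericService": {"Domain": EMPTY},
    "ServiceMonitor": {"Domain": EMPTY},
    "Process": {"Domain": EMPTY},
}
UNSUPPORTED = {"FileShare", "CompositeFileShare", "PrintShare"}

# Values accepted for each rule; an absent attribute is treated as "".
ALLOWED = {EMPTY: {""}, FALSE: {"", "0", "false"}, ZERO: {"", "0"}}

def lint(resources):
    """Return a sorted list of (resource name, attribute, problem) tuples."""
    findings = []
    for res in resources:
        rtype, attrs = res["type"], res.get("attrs", {})
        if rtype in UNSUPPORTED:
            findings.append((res["name"], "-", "agent not supported without AD"))
            continue
        for attr, rule in RULES.get(rtype, {}).items():
            raw = str(attrs.get(attr, "")).strip()
            if raw.lower() not in ALLOWED[rule]:
                findings.append((res["name"], attr, f"must be {rule}, found {raw!r}"))
    return sorted(findings)

# Constructed sample resources (not taken from a real cluster).
SAMPLE = [
    {"name": "sql-lanman", "type": "Lanman",
     "attrs": {"ADUpdateRequired": "1", "DNSZones": "corp.example", "TTL": "0"}},
    {"name": "sql-db", "type": "SQLServer2008", "attrs": {"DetailMonitor": "0"}},
    {"name": "app-svc", "type": "GenericService",
     "attrs": {"UserAccount": "svc_app", "Domain": "CORP"}},
    {"name": "docs-share", "type": "FileShare", "attrs": {}},
]

if __name__ == "__main__":
    for name, attr, problem in lint(SAMPLE):
        print(f"{name}: {attr}: {problem}")
```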
Applies To
The applicable products and associated options for Veritas Storage Foundation™ and High Availability Solutions for Windows that this supportability statement refers to include:
· Veritas Storage Foundation for Windows
o Veritas Microsoft Clustering option for Windows
· Veritas Cluster Server for Windows
· Veritas Cluster Server HA/DR for Windows (includes Veritas Global Cluster option)
· Veritas Storage Foundation High Availability for Windows (includes Veritas Storage Foundation and Cluster Server)
· Veritas Storage Foundation High Availability/Disaster Recovery for Windows (includes Veritas Storage Foundation, Cluster Server and Global Cluster option)
· Veritas Dynamic Multi-pathing for Windows (product and option)
· Veritas Volume Replicator for Windows option
· Veritas FlashSnap for Windows option