How to configure Delegation in Active Directory between a DLO Maintenance Server and remote Storage Locations


Article: 100030818
Last Published: 2019-03-15
Product(s): Desktop Laptop Option

Problem

A DLO Maintenance Server can be configured to manage Storage Locations on remote file servers. This is common when the remote file server runs a non-Windows OS on which the DLO Maintenance Service cannot be installed, such as NetApp or EMC filers.

Setting up a DLO Maintenance Server to successfully manage and groom files in such a configuration requires setting up Active Directory Delegation between the machine running DLO Maintenance Service and the File Server.

Delegation is sometimes referred to as Constrained Delegation.

Solution

Note: On the machine running the service named "Veritas DLO Maintenance Service", this service must start with the LocalSystem account.
Note: The Active Directory Forest Functional Level should be a minimum of 2003.
 
This is how to set up Delegation when the DLO Maintenance Server is different than the server housing the NUDF Storage Locations:
 
1. Open Active Directory Users and Computers and navigate into Computers
2. Locate the machine running Veritas DLO Maintenance Service > right-click > Properties
3. Select the Delegation tab
4. Select "Trust this computer for delegation to specified services only" and "Use Kerberos only"
5. Click Add 
 
 
 
6. Click Users or Computers
7. Type in the name of the computer housing the NUDF > click Check Names > Click OK 
 
8. Within the Available Services window, select cifs > click OK
 
 
9. Click OK one last time and you're done in AD.
 
10. Once complete, it is critical that the displayed "User or Computer" name resolves on the machine running the DLO Maintenance Service exactly as displayed, including the FQDN. If the FQDN resolves differently than displayed, Kerberos will not consider the machine as having the needed Delegation access. This can be a common problem in environments with multiple domains.
 
 
11. Reboot the OS on the machine running the "Veritas DLO Maintenance Service"
 
 
Additionally, each DLO User's AD Account must not prohibit delegation. This AD setting is found within the Properties for the AD User object, on the Account tab. The "Account option" called "Account is sensitive and cannot be delegated" must not be selected.
 
 
 
12. Once the above is complete, you can proceed to add the new Storage Location to DLO and configure the newly defined Delegated server as the Maintenance Server
 
 
13. Associate the Filer with the correct Maintenance Server
 
 
14. Now, the server correctly configured for AD Delegation is defined as the Maintenance Server for the remote Storage Location
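
The AD settings from steps 4 through 10 and the user account option can be checked from PowerShell on the machine running the DLO Maintenance Service. This is an added example, not Veritas code; it assumes the ActiveDirectory module (RSAT) is installed, and the computer, filer and user names are placeholders to replace with your own.

```powershell
# Added example: all names below are placeholders (assumptions), not values from the article.
Import-Module ActiveDirectory

$MaintServer = 'DLOMAINT01'            # computer running the DLO Maintenance Service
$FilerFqdn   = 'filer01.example.com'   # name shown under "User or Computer" on the Delegation tab
$DloUsers    = @('jdoe')               # sAMAccountNames of DLO users to check

function Test-DloDelegation {
    param([string]$Computer, [string]$Filer, [string[]]$Users)

    $findings = @()
    $props = 'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation'
    $c = Get-ADComputer -Identity $Computer -Properties $props

    # Steps 4-8: delegation to specified services only, Kerberos only, cifs on the filer.
    $spns = @($c.'msDS-AllowedToDelegateTo')
    if (-not ($spns -contains "cifs/$Filer")) {
        $findings += "cifs/$Filer is not in msDS-AllowedToDelegateTo (found: $($spns -join ', '))"
    }
    if ($c.TrustedForDelegation) {
        $findings += 'Delegation to any service is enabled; the procedure selects "specified services only"'
    }
    if ($c.TrustedToAuthForDelegation) {
        $findings += '"Use any authentication protocol" is set; the procedure selects "Use Kerberos only"'
    }

    # Step 10: the name must resolve on this machine exactly as displayed, including the FQDN.
    try {
        $resolved = [System.Net.Dns]::GetHostEntry($Filer).HostName
        if ($resolved -ne $Filer) {    # -ne compares strings case-insensitively
            $findings += "$Filer resolves as $resolved on this machine"
        }
    } catch {
        $findings += "$Filer does not resolve: $($_.Exception.Message)"
    }

    # Each DLO user's account must not have "Account is sensitive and cannot be delegated" set.
    foreach ($u in $Users) {
        if ((Get-ADUser -Identity $u -Properties AccountNotDelegated).AccountNotDelegated) {
            $findings += "$u has 'Account is sensitive and cannot be delegated' selected"
        }
    }
    $findings
}

$result = Test-DloDelegation -Computer $MaintServer -Filer $FilerFqdn -Users $DloUsers
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'Delegation settings match the procedure.' }
```

The name-resolution check is only meaningful when run on the Maintenance Server itself, since step 10 concerns how the name resolves there.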
 

 
