MORE INFORMATION

One of the features of the Network Name resource in Windows Server 2003 is the ability to create a computer object in Active Directory that allows programs to use Kerberos as an authentication protocol when the program contacts a service by using a cluster virtual name. Programs on a virtual server that are Active Directory aware now have a correctly-maintained Active Directory computer object. Other features include better DNS integration and three status indicators for NetBIOS, DNS, and Kerberos. The rest of this article describes how to enable and use these features.

Enable Kerberos authentication

Note You receive the following error message if you try to set the Enable Kerberos Authentication option without taking the Network Name resource offline:

A VirtualServer is comprised of a Network Name and IP Address resource. The Network Name resource has been updated for Windows Server 2003 to enable the use of Kerberos authentication and the creation of a corresponding computer object. By default, Kerberos authentication and the creation of a computer object for the VirtualServer is disabled and NTLM is used for authentication. To enable the Kerberos authentication and the creation of a computer object:

1. Start Cluster Administrator, right-click the Network Name resource, and then click Take Offline.
   

Note: Access to the VirtualServer by clients cannot now occur because the Network Name resource is now offline.

1. Double-click the Network Name resource where you want to enable Kerberos authentication to view the properties for the resource, and then click the Parameters tab.
2. Click the Enable Kerberos Authentication option, click OK, right-click the Network Name resource, and then click Bring Online. A client can now use Kerberos authentication when it connects to the VirtualServer. If you view the Active Directory Users and Computers MMC, a new computer object that correlates to the Network Name resource is visible.

The Cluster service must have the proper permissions to create computer objects in the Active Directory. This should occur by default because the Cluster service, at the minimum, has to be a domain user. By default, this group has the "Add workstations to a domain" privilege.

By default, domain users are limited to creating ten computer objects in the Active Directory. To create more computer objects, you must increase the limit, or the domain administrator can pre-create the computer objects. If the domain administrator gives explicit "Create Computer Objects" rights to the Cluster service account, the quota is over-ridden. If the computer object is pre-created, the Cluster service account will need proper permissions to be able to "hijack" the object so that it can write the correct attributes to it.

The three attributes that are written to the VirtualServer's computer object are:

• DnsHostName - This is created from the Network Name resource and the Cluster's primary DNS suffix.
• ServicePrincipalName - Like the DnsHostName, this is created from the Network Name resource and the Cluster's primary DNS suffix in the following format:
  

HOST/VirtualServer's NetBIOS name
HOST/FQDN for the VirtualServer
MSClusterVirtualServer/VirtualServer's NetBIOS name
MSClusterVirtualServer/FQDN for the VirtualServer
MSServerCluster/VirtualServer's NetBIOS name (This SPN is only created for the default Cluster Name)
MSServerCluster/FQDN for the VirtualServer (This SPN is only created for the default Cluster Name)

• DisplayName - This is the friendly name for the computer object as it appears in the directory or address book. This is the Network Name resource's NetBIOS name. Default access may prevent the DisplayName from being updated. However, it is not problematic if it cannot write the change, and the resource will come online.

In addition, a password is set on the computer object.

You can view these attributes by using the Adsiedit.msc utility that is included on the Windows Server 2003 CD-ROM in the SUPPORT folder.

You can view the primary DNS suffix by running the ipconfig /all command at a command prompt. Under Windows IP Configuration, the Primary DNS Suffix section contains the primary DNS suffix that is used for the computer object. Note that the individual network adapters may have different specific suffixes, however, the Network Name resource uses the primary DNS suffix.

Renaming the Network Name and its corresponding computer object

The process of renaming a VirtualServer that has an associated computer object is similar to renaming a standard Network Name resource, except the resource has to be offline to make the change. Take the Network Name resource offline, and then change the Parameters property to the new name. The Network Name resource will automatically contact Active Directory and change the computer object's name. For the rename operation to be successful, both the Network Name on the cluster and the computer name in the Active Directory must be changed. If both cannot be changed, the original name is rolled back, and the change is not completed. The Cluster service account will require the "Write all Properties" access right to make the change to the computer object. computer objects cannot be manually renamed in the Active Directory Computers and Users MMC.

Disabling Kerberos authentication

The Cluster service never deletes a computer object from Active Directory. Instead, the Cluster service disables it. To disable the computer object, click to clear the Enable Kerberos Authentication option. After the computer object is disabled, the Network Name resource does not come online until you either select the Enable Kerberos Authentication option again or manually delete the computer object from Active Directory.

DNS settings

The DNS Registration Must Succeed option on a Network Name resource helps to make sure that DNS is updated before the resource comes online. If you select this option, the DNS HOST (A) record for the VirtualServer must be registered or the Network Name Resource fails to come online. If the DNS server accepts dynamic updates but the record could not be updated, that is considered a failure. If the DNS server does not accept dynamic updates (older versions of DNS) or there are no DNS servers associated with the resource's associated network, the Network Name will still come online. To enable the DNS Registration Must Succeed option, follow these steps:

1. Start Cluster Administrator, right-click the Network Name resource, and then click Take Offline.
   

Note Access to the VirtualServer by clients cannot now occur because the Network Name resource is offline.

1. Double-click the Network Name resource where you want to enable the DNS Registration Must Succeed option, and then click the Parameters tab.
2. Click the DNS Registration Must Succeed option, click OK, right-click the Network Name resource, and then click Bring Online. When the Network Name resource comes online, it will verify that it can register the VirtualServer with the DNS server.

Note: The Network Name is registered in DNS under the Cluster service account. Make sure that the Cluster service account has correct permissions to register records in DNS or the registration will not work.

Status indicators

When you view the properties of a Network Name resource, three status indicators are available, NetBIOS Status, DNS Status, and Kerberos Status. To view these indicators:

1. Start Cluster Administrator.
2. Double-click the Network Name resource, and then click the Parameters tab. The three status indicators are listed in the middle of the Parameters tab.

The following list describes what each Status indicator displays. These indicators are changed when the Network Name is coming online or going offline.

• NetBIOS Status: The NetBIOS Status indicator reflects the success or failure of the NetBIOS name registration with the local network redirector. A value of 0 is successful; otherwise it displays an error code. This does not indicate whether the NetBIOS name was registered to the respective WINS or DNS servers. To view the text of the error code, type net helpmsg %errorcode% at a command prompt, and then press ENTER.
• DNS Status: The DNS Status indicator reflects the success or failure of the Network Name being registered with the DNS server. A value of 0 is successful; otherwise it displays an error code. To view the text of the error code, type net helpmsg %errorcode% at a command prompt, and then press ENTER.
• Kerberos Status: The Kerberos Status indicator displays a code that indicates if the creation or updating of the Computer Object was successful or not. A value of 0 is successful; otherwise it displays an error code. To view the text of the error code, type net helpmsg %errorcode% at a command prompt, and then press ENTER.

Seven parameters for the Network Name resource in Windows Server 2003 that are not included in earlier versions of Windows

The following parameters under the Network Name resource are used to support the features of the Network Name Resource in Windows Server 2003 that are not included in earlier versions of Windows. To view these Network Name resource parameters, type cluster res "network_name_resource" /priv at a command prompt, and then press ENTER. The parameters are as follows:

• RequireDNS - The RequireDNS parameter matches the DNS Registration Must Succeed option in the user interface for the Network Name resource. It can have a value of 0 or 1:
  • 0 - Failed DNS registration does not prevent resource from coming online.
  • 1 - If the DNS server cannot be updated, the resource will not come online.
• RequireKerberos - The RequireKerberos parameter matches the Enable Kerberos Authentication option in the user interface for the Network Name resource. It can have a value of 0 or 1:
  • 0 - Kerberos Authentication is not enabled, and a computer object is not created for the Network Name resource.
  • 1 - Computer object is created and Kerberos Authentication is enabled.
• CreatingDC - The CreatingDC parameter displays the domain controller that was used by the cluster server to create or modify the VirtualServer computer object or if a computer object was pre-created by the domain administrator, the domain controller that was contacted to "hijack" the existing computer object. This value is cleared when the RequireKerberos parameter is cleared.
• ResourceData - The ResourceData value contains the encrypted password. Access to ResourceData in the registry is limited to the local administrator, system, and creator owner.
• StatusNetBIOS - This matches what is displayed in the user interface under the Network Name resource.
• StatusDNS - This matches what is displayed in the user interface under the Network Name resource.
• StatusKerberos - This matches what is displayed in the user interface under the Network Name resource.

Command-line options

Like most of administration tasks of a server cluster, you can enable the "DNS Registration Must Succeed" and "Enable Kerberos Authentication" features from a command prompt by using the Cluster.exe tool. Cluster.exe is installed by default, so to use it, issue the following commands at a command prompt (assuming you are running these commands from one of the cluster nodes).

To enable the DNS Registration Must Succeed option from the command prompt, type the following command:

Set RequireDNS=0 to disable RequireDNS.

To enable the Enable Kerberos Authentication option from the command prompt, type the following command:

Set RequireKerberos=0 to disable RequireKerberos.

To view the Status indicators from Cluster.exe, type the following command:

For more information about Cluster.exe and other uses, see "Help and Support," and then search for Cluster.exe.

The File Replication service and server clusters

The File Replication service (FRS) does not replicate with a file share that is on a server cluster under a virtual server's computer object. The FRS service looks for subscription information only under the node's computer object. The FRS service does not scan the virtual server's computer object. Distributed File System (DFS) uses the FRS to replicate data among multiple servers when a replication policy is enabled. If the DFS link with the replication policy is a virtual server, data is not replicated with any other partner. You may have to use another method to replicate the data. For example, you may have to use a file copy script.

Troubleshooting

For information about troubleshooting the creation and manipulation of computer objects by the Cluster service account, see the following article in the Microsoft Knowledge Base: