WSFC AD authority planning

2025-01-18 Update. From: SLTechnology News&Howtos > Servers

Shulou(Shulou.com)06/02 Report--

Lao Wang has noticed a problem for a long time: many people seem to misunderstand the permissions a WSFC cluster needs, believing it can only be installed by a domain administrator, or only by a member of Domain Admins.

In fact, installing WSFC does not require that much permission. In this article Lao Wang shares a WSFC AD permission plan, following the principle of least privilege as far as possible.

Mainly around two scenarios:

1. Minimized permissions

2. Preset CNO

The cluster creation process was covered in an earlier blog post. Since WSFC 2012, when we enter the cluster name, the wizard uses the account we are currently running as to create a CNO (Cluster Name Object) in AD and a CNO DNS record in DNS. By default an ordinary AD user can also register records in DNS, so the CNO DNS record needs no special attention; what we need to care about is the permissions of the CNO and of the VCOs (Virtual Computer Objects).

First, create a cluster user, cluadmin, with default permissions.

Whether the account is pushed out through Group Policy or added manually, add it to the local Administrators group on every node of the cluster.

This is the first permission to grant, because local administrator privileges are required to run the Create Cluster Wizard.

After the first step, let's think further. Since the cluster wizard connects to AD to create the CNO, it must have write permission in AD. This write permission does not have to come from Domain Admins or Enterprise Admins membership: a cluster administration account (or group) only needs the permissions "Create Computer objects" and "Read all properties" on the OU in order to create the CNO object and do the required work.

In the 2008 era the CNO was generated only in the default Computers container. In WSFC 2012, by default it follows the nodes and creates the CNO in the OU where the cluster nodes' computer objects are located. We can also specify which OU the CNO is created in during cluster creation, which Lao Wang will demonstrate later.

Open ADUC -> select the OU where the CNO is to be generated -> Properties -> Security.

Add cluadmin and grant it "Create Computer objects" and "Read all properties".

At this point we have completed the minimum permission design for creating the CNO object, which is all the permission needed to create the cluster. Now we can log in to a cluster node with the cluadmin user and create the CNO under the specified OU.

You can see that since WSFC 2012, creating the cluster with the CNO under a specified OU is supported.

After the creation, you can see the CNO and DNS records normally.

In Event Viewer you can see that there is no error and the cluster was created normally.

At this point, we have completed the construction of the WSFC cluster with minimized privileges.

The next step is to run an application on WSFC, which creates a VCO. As said before, the CNO is responsible for creating and managing VCOs, so we also need to give the CNO computer account permission to create VCOs in the OU.

Similarly, the CNO only needs "Create Computer objects" and "Read all properties" on the OU. Since 2012, VCOs are created in the same OU as the CNO by default, so we only need to grant the CNO these permissions on the OU where the CNO resides.

Besides AD, a VCO also needs DNS records, and the CNO is responsible for creating and maintaining the VCO DNS records. Therefore make sure the CNO computer account has create and modify permission on the DNS zone. Delete permission is optional; if you do not grant it, you may need to clean up the DNS records manually.

After granting the CNO the OU permission and the DNS permission, create the VCO and you will find that it writes to AD and DNS normally.

At this point we have created the cluster with minimal permissions and built the application on top of the cluster; these are all the permissions needed.

Let's sum it up.

1. The cluster creation account must be a member of the local Administrators group on each node.

2. The cluster creation account needs "Create Computer objects" and "Read all properties" on the target OU.

3. The cluster CNO needs "Create Computer objects" and "Read all properties" on its host OU.

4. The cluster CNO needs create and modify permission on the DNS zone.

5. The CNO object must have Reset Password permission on the VCO objects; a VCO created through the CNO has this by default.

In the future you no longer need to use administrator or Domain Admins every time you create a cluster; a less privileged account like this is enough.

Although this mode is a little more secure, it also has an associated inconvenience: the AD administrator has to grant permissions to the cluster twice.

1. Give the user permission to create the cluster.

2. Give the CNO its permission after the cluster is created.

The key is that once we choose this model, the AD administrator trusts the cluster administrator and leaves cluster creation to them: I can give it such low permissions and it can still do the job, which is good. For AD administrators this is much better than letting them use administrator, but granting permissions twice each time is somewhat troublesome, because in the second step the permission for the CNO object can only be granted after the cluster is created and the CNO exists.

So in addition to this traditional way, we also have a way to preset the cluster computer accounts.

In the traditional way, the AD administrator gives a permission and then the cluster administrator connects to the AD to create the

With presetting, we create the CNO object in AD beforehand.

For example, the cluster administrator tells the AD administrator the name of the cluster to be built, and the AD administrator creates a CNO computer object with that name under a planned OU and disables it.

Later, when the cluster administrator creates the cluster, the wizard connects to AD and automatically activates and enables the pre-created CNO object.

The AD administrator can also give the CNO the OU permission to create VCOs in advance; because the CNO is preset, the permission only has to be granted once, which is easier.

This preset scheme is especially suitable for environments with strict change control, where everything must be done as planned; there, presetting is the best choice.

Presetting also reduces the risk of mistakes by the cluster administrator, since pre-planned objects are used.

If we go with the preset scheme, we do not even have to grant cluadmin permission to create computer objects, because the AD administrator creates the computer object in advance.

Preset CNO object operation steps

1. The AD administrator creates a computer object with the name given by the cluster administrator and disables it.

2. Right-click the computer object -> Properties -> Security, and give the cluadmin account full control over the CNO object.

If the cluster will need to create VCO objects next, there are two options:

1. Manually give the CNO object "Create Computer objects" and "Read all properties" on the OU it belongs to, applied to "This object and all descendant objects".

2. Preset the VCO object.

Since we have already shown the manual permission grant, it is not demonstrated again here. The only difference is that without presetting we have to wait for the cluster to be created and then grant the CNO permission to create VCOs; with presetting we can finish everything up front and hand it over to the cluster administrator.

Preset VCO object operation steps

1. Create a VCO computer object and disable it.

2. Give the CNO computer object full control over the VCO computer object.

3. Give the CNO object create and modify permission on the DNS zone.

Now create the cluster with the planned name.

The wizard detects that the cluadmin account in use has full control over the target CNO object, and the pre-created, disabled CNO computer account is automatically enabled and brought online.

The DNS record has also been registered properly.

Next, create the DTC VCO object with the pre-planned name.

If the cluster detects that the VCO object already exists and the CNO object has permissions on it, it automatically brings the preset VCO object online.

The VCO DNS record is also created correctly.
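As an added example, not code from the original post, the PowerShell below applies both permission plans described in this article (the traditional two-step grant and the preset CNO/VCO objects) with the ActiveDirectory module. The domain contoso.com, the OU, the cluadmin account and the names CLUS01 (CNO) and CLUS01DTC (VCO) are assumed; an AD administrator with rights on the OU runs it.

```powershell
# Added example (not the author's script). Assumed names: domain contoso.com,
# OU "OU=Clusters,DC=contoso,DC=com", cluster admin "cluadmin", CNO "CLUS01", VCO "CLUS01DTC".
Import-Module ActiveDirectory

$ClusterOU = 'OU=Clusters,DC=contoso,DC=com'
# schemaIDGUID of the "computer" class: restricts CreateChild to "Create Computer objects"
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# Adds one Allow ACE for a user or computer (by sAMAccountName) on the object at $Dn.
function Grant-AdRight {
    param(
        [string]$Dn, [string]$Principal,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType = [Guid]::Empty,   # Empty = all object types / all properties
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inherit = 'None'
    )
    $sid = (Get-ADObject -Filter "sAMAccountName -eq '$Principal'" -Properties objectSid).objectSid
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow, $ObjectType, $Inherit)
    $acl = Get-Acl -Path "AD:\$Dn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# Traditional model: the same two OU rights, granted to cluadmin before New-Cluster runs
# and to the CNO computer account (CLUS01$) only after the cluster has created it.
function Grant-TraditionalModel {
    param([string]$Principal)
    Grant-AdRight -Dn $ClusterOU -Principal $Principal -Rights CreateChild -ObjectType $ComputerClassGuid
    Grant-AdRight -Dn $ClusterOU -Principal $Principal -Rights ReadProperty -Inherit All
}

# Preset model: disabled CNO and VCO created by the AD admin; cluadmin gets full control of the
# CNO only (no OU rights at all), and the CNO gets full control of the VCO (includes Reset Password).
function New-PresetClusterObjects {
    New-ADComputer -Name 'CLUS01' -Path $ClusterOU -Enabled $false
    Grant-AdRight -Dn (Get-ADComputer 'CLUS01').DistinguishedName -Principal 'cluadmin' -Rights GenericAll
    New-ADComputer -Name 'CLUS01DTC' -Path $ClusterOU -Enabled $false
    Grant-AdRight -Dn (Get-ADComputer 'CLUS01DTC').DistinguishedName -Principal 'CLUS01$' -Rights GenericAll
}

# Both models: the CNO must create and modify records in the zone. Assumes an AD-integrated zone
# replicated to the whole domain (DomainDnsZones partition); adjust the DN for other storage.
function Grant-CnoDnsRights {
    $zoneDn = 'DC=contoso.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=com'
    Grant-AdRight -Dn $zoneDn -Principal 'CLUS01$' -Rights 'CreateChild, WriteProperty' -Inherit All
}

# Usage, traditional: Grant-TraditionalModel 'cluadmin'; (cluster admin runs New-Cluster);
#                     Grant-TraditionalModel 'CLUS01$'; Grant-CnoDnsRights
# Usage, preset:      New-PresetClusterObjects; Grant-CnoDnsRights; (cluster admin runs New-Cluster)
```

Delete permission on the zone is left out on purpose, matching the article: without it the CNO cannot remove its own records, so stale entries have to be cleaned up by hand.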

Review of the permission requirements in the traditional WSFC AD model

1. The execution account that creates the cluster must be a local administrator on each node.

2. The cluster creation account needs "Create Computer objects" and "Read all properties" on the target OU.

3. For the CNO to create VCOs, the CNO object needs "Create Computer objects" and "Read all properties" on the OU it belongs to.

4. For the CNO to create VCOs, the CNO object needs create and modify permission on the DNS zone.

5. Verify that the CNO object has Reset Password permission on the VCO object; by default a VCO created through the CNO has it.

As long as these five conditions are met, we can create a normal AD-dependent cluster and its upper-layer applications.

If we adopt the preset object scheme, we can directly give the cluster creation execution account full control over the CNO, without granting that account, or the CNO, any permission on the OU; the CNO only needs full control over the VCO. The DNS zone permission still has to be granted. The preset object scheme also makes the WSFC AD permission objects more compliant.

The traditional WSFC cluster AD permission requirements above, and how to meet them with minimized permissions, have been verified by Lao Wang; hopefully this is useful to interested friends.
