VMware vCenter Server Heartbeat - Performing a Least Privilege Install of vCenter Server Heartbeat When Protecting SQL Server


Summary

This Knowledge Base article provides the procedure to perform a Least Privilege Install of vCenter Server Heartbeat when protecting SQL Server. If SQL Server is not being protected, see vCSHB-Ref-2482 (VMware KB 2017529), Performing a Least Privilege Install of vCenter Server Heartbeat.


More Information

To run SetSPN without a domain administrator account, the domain user that runs SetSPN must have the Write all properties permission on the object (user or computer account) under which SQL Server runs on the vCenter Server Heartbeat server, and must be a Local Administrator on both the Primary and Secondary vCenter Server Heartbeat servers.

Note: All actions on the Domain Controller must be performed by a Domain Administrator with Domain Admin privileges.

If SQL Server is run with a domain user account (with local admin rights on the vCenter Server Heartbeat server):

  1. On the Domain Controller, navigate to Active Directory Users and Computers.
  2. Right-click the user under which SQL Server runs and select Properties.
  3. Select the Security tab and click Advanced.
  4. On the Permissions tab, click Add.
  5. Select the user to run the SetSPN command (this can be the same user that runs SQL Server).
  6. Assign the Allow permission for Write all properties and Apply to this object and all child objects.
  7. Click OK.

    From the vCenter Server Heartbeat Console:
  8. Navigate to the Applications: Tasks tab.
  9. Click User Accounts and add the user to run the SetSPN command.
  10. In the Tasks pane, navigate to Network Configuration > SqlServer, select Set SPN (Primary), and click Edit.
  11. For Run As, select the user added at step 5 from the drop-down list and click OK.
  12. In the Tasks pane, navigate to Network Configuration > SqlServer, select Set SPN (Secondary), and click Edit.
  13. For Run As, select the user added at step 5 from the drop-down list and click OK.
  14. Select the Set SPN task corresponding to the active server and click Run Now to test the task (the status returned should be Completed with exit code 0).

If SQL Server is run with a LocalSystem account:

  1. On the Domain Controller, navigate to Active Directory Users and Computers.
  2. Select the computer account of the server running vCenter Server Heartbeat.
  3. On the Primary computer account (Primary Management Name):
    1. Navigate to the Security tab and click Advanced.
    2. On the Permissions tab, click Add.
    3. Select the user to run the SetSPN command (this can be the same user that runs SQL Server).
    4. Assign the Allow permission for Write all properties and Apply to this object and all child objects.
    5. Click OK.
  4. On the Secondary computer account (Secondary Management Name):
    1. Navigate to the Security tab and click Advanced.
    2. On the Permissions tab, click Add.
    3. Select the user to run the SetSPN command (this can be the same user that runs SQL Server).
    4. Assign the Allow permission for Write all properties and Apply to this object and all child objects.
    5. Click OK.

  Note: At this point, NFSetSPN will not operate properly because it requires SQL Server to run under a domain user account. The following steps provide a workaround for this issue.

  5. On Windows Server 2003, download and install the Windows Resource Kit (it provides the sleep command used below).
  6. On the Primary server, create a .bat file containing:
    1. A pause command:
      • sleep 5, on Windows Server 2003.
      • timeout 5, on Windows Server 2008.
    2. The SetSPN command:
      setspn.exe -a MSSQLSvc/<FQDN_Public_Name>:<SQL instance name> <Primary Management Name>

  7. On the Primary server, in the vCenter Server Heartbeat Console, navigate to the Applications: Tasks tab.
  8. Click User Accounts and add the user you want to run the SetSPN command.
  9. Under Network Configuration > Sql Server > Set SPN (Primary), click Edit.
  10. In the Command textbox, browse to the location of the script created at step 6.
  11. For Run As, select the user added at step 8 from the drop-down list and click OK.
  12. On the Secondary server, create a .bat file containing the SetSPN command: setspn.exe -a MSSQLSvc/<FQDN_Public_Name>:<SQL instance name> <Secondary Management Name>
  13. On the Secondary server, in the vCenter Server Heartbeat Console, navigate to the Applications: Tasks tab.
  14. Under Network Configuration > Sql Server > Set SPN (Secondary), click Edit.
  15. In the Command textbox, browse to the location of the script created at step 12.
  16. For Run As, select the user added at step 8 from the drop-down list and click OK.
  17. Select the task corresponding to the active server and click Run Now to test the task (the returned status should be Completed with exit code 0).
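The following PowerShell script is an added verification aid for both procedures above; it is not part of this KB article or of vCenter Server Heartbeat. Run it on a domain-joined management host with the ActiveDirectory RSAT module installed. It assumes the ActiveDirectory module cmdlets (Get-ADObject, Get-Acl on the AD: drive), and the account names, public FQDN and instance name at the top are constructed placeholders to replace with your own. It checks that the SetSPN user holds exactly the Write all properties delegation the article describes on each object that runs SQL Server (and nothing broader, such as WriteDacl or WriteOwner), and that the MSSQLSvc SPN the Set SPN task registers is present on one account only.

```powershell
# Added example: verify the least-privilege SetSPN delegation and the resulting SPN.
# Not part of the VMware KB; assumes the ActiveDirectory RSAT module is available.
Import-Module ActiveDirectory

# Constructed placeholder values: replace with the real delegated user, <FQDN_Public_Name>,
# <SQL instance name>, and the sAMAccountNames of the objects that run SQL Server
# (the Primary/Secondary Management Name computer accounts end in '$'; for the
# domain-user case use the SQL Server service account's sAMAccountName instead).
$SetSpnUser  = 'CORP\svc-setspn'
$PublicFqdn  = 'vcenter.corp.example'
$SqlInstance = 'MSSQLSERVER'
$SqlAccounts = @('VC-PRIMARY$', 'VC-SECONDARY$')

function Get-DelegateAces {
    # Returns the Allow ACEs granted directly to $Delegate on the AD object named $SamAccountName.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Delegate
    )
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'"
    if (-not $obj) { throw "Object '$SamAccountName' not found in Active Directory" }
    $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
    return $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Delegate
    }
}

function Test-WriteAllPropertiesDelegation {
    # True when an ACE grants WriteProperty over all properties (empty ObjectType GUID)
    # with inheritance "This object and all child objects" (InheritanceType All),
    # which is what the KB's steps 3-6 / 3.1-3.5 configure.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Delegate
    )
    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $match = Get-DelegateAces -SamAccountName $SamAccountName -Delegate $Delegate | Where-Object {
        ([int]($_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
        $_.ObjectType -eq [Guid]::Empty -and
        $_.InheritanceType -eq 'All'
    }
    return [bool]$match
}

function Get-ExcessiveDelegateRights {
    # Least-privilege check: WriteDacl or WriteOwner on the object would let the delegate
    # rewrite its own permissions. GenericAll is reported too, since it contains both bits;
    # plain WriteProperty does not trip this check.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Delegate
    )
    $broad = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
    Get-DelegateAces -SamAccountName $SamAccountName -Delegate $Delegate |
        Where-Object { [int]($_.ActiveDirectoryRights -band $broad) -ne 0 } |
        ForEach-Object { $_.ActiveDirectoryRights.ToString() }
}

function Get-SpnHolders {
    # Every account currently holding the given SPN. Kerberos requires exactly one holder.
    param([Parameter(Mandatory)][string]$Spn)
    @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName)
}

# --- Report -----------------------------------------------------------------
foreach ($acct in $SqlAccounts) {
    $ok     = Test-WriteAllPropertiesDelegation -SamAccountName $acct -Delegate $SetSpnUser
    $excess = @(Get-ExcessiveDelegateRights -SamAccountName $acct -Delegate $SetSpnUser)
    '{0}: Write all properties delegated to {1}: {2}' -f $acct, $SetSpnUser, $ok
    if ($excess.Count -gt 0) {
        '  WARNING: {0} also holds broader rights on {1}: {2}' -f $SetSpnUser, $acct, ($excess -join ', ')
    }
}

$spn     = "MSSQLSvc/${PublicFqdn}:$SqlInstance"
$holders = Get-SpnHolders -Spn $spn
$names   = ($holders | Select-Object -ExpandProperty sAMAccountName) -join ', '
'SPN {0} is registered on: {1}' -f $spn, $(if ($names) { $names } else { '<none>' })
if ($holders.Count -gt 1) {
    '  WARNING: duplicate SPN; Kerberos authentication to SQL Server fails until only one account holds it'
}
```

Run the script after completing the Domain Controller steps and once more after the Set SPN task reports Completed with exit code 0. A delegation result of False means the Run Now test will fail with an access-denied error from setspn.exe rather than exit code 0. The duplicate-SPN warning matters because the .bat files in the procedure call setspn.exe -a, which adds the SPN without checking whether another account already holds it; if the same MSSQLSvc SPN ends up on more than one account, Kerberos authentication to the SQL Server instance breaks and clients fall back to NTLM or fail, so remove the stale registration from the account that is no longer active before relying on the task.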


Applies To

vCenter Server Heartbeat v6.4 and v6.4 Update 1


Related Information

vCSHB-Ref-2485

KBID-2485
