Assigning the user permission to update DNS – HP Storage Mirroring V5 Software User Manual

Recommended Credentials
Assigning the user to the local servers’ Administrators group
The user running the Application Manager must have access to both the servers' administrative shares and
have rights to modify the SPN permissions.
The target's machine account needs to be added to the source's Active Directory computer object for the
purpose of updating the SPNs during failover and failback.
The administrative shares are used to manage the configuration files and failover scripts on the source and
target. To satisfy both of these rights, it is recommended that the user be a member of the local
“Administrators” group on each server (source and target).
Follow these steps to add a user to the Administrators group on each server.
1. On the first server, select Start, Settings, Control Panel. Double-click Administrative Tools, then double-click Computer Management.
2. In the left pane, select the Groups folder (located under Computer Management\System Tools\Local Users and Groups\).
3. Right-click the Administrators group and select Properties.
4. If the user is not already a member of the Administrators group, click Add.
5. In Location, click the domain containing the users you want to add, then click OK.
6. In Name, type Administrator.
7. Click OK to close all open dialog boxes.
8. Repeat for each additional server.
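
The same membership check and change can be scripted so that it runs identically on the source and the target and prints the resulting group membership for review. This is an added example, not part of the HP manual; the server names, domain and account name are placeholders (assumptions), and it uses the ADSI WinNT provider from PowerShell.

```powershell
# Added example: every name below is a placeholder, not a value from the manual.
$Servers = @('SOURCE01', 'TARGET01')   # hypothetical source and target servers
$Domain  = 'EXAMPLE'                   # hypothetical NetBIOS domain name
$User    = 'svc-appmanager'            # hypothetical account that runs the Application Manager

function Get-LocalAdminMembers {
    param([string]$Server)
    $group = [ADSI]"WinNT://$Server/Administrators,group"
    # Members() returns COM objects; read each member's ADsPath by late binding.
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

foreach ($server in $Servers) {
    $memberPath = "WinNT://$Domain/$User"
    try {
        $current = @(Get-LocalAdminMembers -Server $server)
        if ($current -contains $memberPath) {
            # Step 4 of the procedure: the user is already a member, so add nothing.
            Write-Output "$server : $Domain\$User is already in Administrators"
        } else {
            $group = [ADSI]"WinNT://$server/Administrators,group"
            $group.Add("$memberPath,user")
            Write-Output "$server : added $Domain\$User to Administrators"
            $current = @(Get-LocalAdminMembers -Server $server)
        }
        # Print the full membership so unexpected entries stand out during review.
        $current | ForEach-Object { Write-Output "    member: $_" }
    } catch {
        Write-Warning "$server : could not read or update Administrators ($($_.Exception.Message))"
    }
}
```

Run it from an account that already has administrative rights on both servers; a server that cannot be reached produces a warning and the loop continues with the next one.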
Assigning the user permission to update DNS
In order to update the source DNS records, the user must have the following permissions:
• A member of the “DNS Admin” domain local group
• One of the following:
    • A member of the “Domain Admins” group for the domain in which the DNS server resides, or
    • “Full Control” on each of the individual DNS records that is associated with the source (native or virtual in the case of clusters) IP and is to be updated by the DFO utility.
• A member of the “Server Operator” group, at the very least, to “Deny” the source access to the records. The resource record security can be set through the record properties within the DNSMgmt console.
NOTE: The “Domain Admins” right surpasses all these individual rights, so this would be all that needs to be added.
The specified user or DNS Admin group must be designated “full control” on all DNS Zones, both forward and
reverse, in which any of the source's DNS records reside. The “Full Control” must be set for “this object and all
child objects”.
NOTE: The Application Manager will first attempt to impersonate the current logged-on user before prompting for different credentials.
To be able to make calls to WMI without being part of the Domain Admins group, follow these steps:
On the DNS Server:
1. Run DCOMCNFG.
2. Expand Component Services.
3. Expand Computers.
4. Right-click on My Computer and select Properties.
5. Click the COM Security tab.