W2k3 R2 Cluster: Virtual Server name Machine Accounts in Domain

 
 
Alex French
      11-25-2008
Hi All,

I'm trying to get to the bottom of the purpose of machine accounts for the
virtual nodes that get created in AD.

We've built a 2 node active/active cluster with 6 virtual nodes on it (each
with their own LUN, etc...). I've noticed that each virtual node has created
a computer account in AD.

Reading the documentation this is required for Kerberos Authentication, and
that is what we are using.

However, the machine accounts don't seem to get their passwords changed
every 30 days like physical servers do.

Has anyone seen this before? Is it a known issue?

Thanks

Alex


--
----------------8<-------------
Alex French
 
Jeff Hughes [MSFT]
      11-25-2008
In order for Kerberos to work, there has to be a machine object in AD for
the cluster network name resources. That object is merely a placeholder for
a SID so that Kerberos can authenticate a session between clients using the
cluster name and the cluster. They are obviously not real machines;
therefore, any machine policies should not be applied to them. Can you give
us a little more detail about what specific issues you are seeing that are a
problem?
--
Jeff Hughes, MCSE
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support (Server Core/Cluster)


Alex French
      11-25-2008
Hi Jeff,

Thanks for the prompt reply!

We're trying to clean up old AD computer accounts using the 'password last
changed' (pwdLastSet) LDAP attribute and the virtual server computer accounts
get flagged as they haven't changed their password since they were first
created...

Is it by design that the placeholder account doesn't get its password set?
Or is it just that because it's not a 'real' OS instance with a netlogon
service instance behind it that it's not going to ever get changed?

I understand if that's the case - we can code around it!

Thanks again

Alex
--
----------------8<-------------
Alex French
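
Added example, not part of the original thread: one way to "code around" the false positives in a pwdLastSet-based cleanup, by sending cluster virtual server accounts to a separate review bucket instead of the stale list. The account names, the 90-day threshold and the sample records are constructed; the `MSClusterVirtualServer/` SPN prefix and the explicit name list are assumptions to verify against your own directory.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumption: SPN prefix seen on cluster network-name computer objects; verify locally.
CLUSTER_SPN_PREFIX = "msclustervirtualserver/"

def filetime_to_dt(value):
    """pwdLastSet counts 100-ns intervals since 1601-01-01 UTC; 0 means never set."""
    v = int(value)
    return None if v == 0 else FILETIME_EPOCH + timedelta(microseconds=v // 10)

def dt_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def is_cluster_virtual(entry, known_names):
    """Match on an admin-supplied name list or on the assumed cluster SPN prefix."""
    name = entry["sAMAccountName"].rstrip("$").lower()
    spns = [s.lower() for s in entry.get("servicePrincipalName", [])]
    return name in known_names or any(s.startswith(CLUSTER_SPN_PREFIX) for s in spns)

def triage(entries, now, max_age_days=90, known_cluster_names=()):
    """Sort computer accounts into current / stale / cluster_review by pwdLastSet age."""
    known = {n.lower() for n in known_cluster_names}
    cutoff = now - timedelta(days=max_age_days)
    result = {"current": [], "stale": [], "cluster_review": []}
    for e in entries:
        changed = filetime_to_dt(e["pwdLastSet"])
        if changed is not None and changed >= cutoff:
            result["current"].append(e["sAMAccountName"])
        elif is_cluster_virtual(e, known):
            # Old password is expected here; confirm against the cluster, do not auto-delete.
            result["cluster_review"].append(e["sAMAccountName"])
        else:
            result["stale"].append(e["sAMAccountName"])
    return result

# Constructed sample, shaped like the attributes an LDAP export of computer objects returns.
NOW = datetime(2008, 11, 25, tzinfo=timezone.utc)
SAMPLE = [
    {"sAMAccountName": "FILESRV01$", "pwdLastSet": dt_to_filetime(NOW - timedelta(days=10))},
    {"sAMAccountName": "OLDPC07$", "pwdLastSet": dt_to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "CLUSVS1$", "pwdLastSet": dt_to_filetime(NOW - timedelta(days=200)),
     "servicePrincipalName": ["MSClusterVirtualServer/CLUSVS1", "HOST/CLUSVS1"]},
    {"sAMAccountName": "CLUSVS2$", "pwdLastSet": dt_to_filetime(NOW - timedelta(days=200))},
    {"sAMAccountName": "NEWJOIN$", "pwdLastSet": 0},
]

if __name__ == "__main__":
    print(triage(SAMPLE, NOW, known_cluster_names=["CLUSVS2"]))
```

Accounts in `cluster_review` still need an owner check, since a network name resource that was deleted from the cluster leaves the same kind of object behind.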

