Table of Contents
- Introduction
- Scenario 1 : SCVMM server Successful Authentication with Directory Service.
- Scenario 2 : SCVMM server Unsuccessful Authentication with Directory Service.
- Resolution :
- Conclusion:
Introduction
You install and configure System Center Virtual Machine Manager (SCVMM) 2008 R2 on a Windows Server 2008 R2 machine that is part of an Active Directory domain. An administrator will not be able to log on to the SCVMM Administrator Console if the server moves to a different subnetwork from which it cannot authenticate to the Active Directory domain.
Scenario 1 : SCVMM server Successful Authentication with Directory Service.
In this example, the Microsoft SCVMM server is able to authenticate with Active Directory. The prerequisite is that the SCVMM server can validate the credentials of the logged-on Active Directory user, or the Active Directory user credentials specific to the SCVMM console.
Solution Diagram
Figure : Data Center Configuration
Server Checklist

| Servers | Description |
| --- | --- |
| Cisco 1800 Series Integrated Service Routers | Edge router connecting to internet |
| Catalyst 3750 (Layer 3) switch | Configured with VLAN, NAT |
| Catalyst 6500 Layer 3 switch | Infrastructure servers connect to the switch |
| Microsoft Hyper-V Server | Host virtual machines; infrastructure servers connect to the switch |
| Microsoft SCVMM server | Manage virtual hosts |
| Microsoft Domain Controller | Provide authentication to clients and users |
| Additional domain controller | Provide authentication to clients and users, and fault tolerance |
| NAS Share | Host VMware virtual machines |
| Cisco 2800 series routers | Connecting between datacenters for DR |
Description:
When a user logs on to a Windows server and a domain controller is available, the Kerberos authentication below takes place.
A typical high-level Kerberos user authentication is shown below.
After a successful logon to the Windows console, when the administrator or user launches the SCVMM Administrator Console, it establishes two-way authentication between the user domain and the SCVMM domain. After validation, the user or administrator is able to manage the resources successfully.
Scenario 2 : SCVMM server Unsuccessful Authentication with Directory Service.
In this example, the user is located remotely and is not able to authenticate with the domain controller. The prerequisite is that the client or server from which the user authenticates is part of the domain.
Solution Diagram
Figure: Data Center Configuration - 2
Description:
The Windows client or server is not part of the network where the domain controller is located. The Windows client or server successfully authenticates with cached credentials. The authentication process for a client or server that is not part of the domain is different.
Windows uses two authentication protocol packages:
a) LAN Manager 2 protocol
b) Kerberos protocol
The Kerberos protocol is used only when the client or server is able to authenticate with the domain controller. In the example above, however, the client or server uses LAN Manager 2 and calls the Msv1_0.dll authentication package, which validates the user credentials against the SAM database.
After a successful logon using cached credentials, when the user launches the SCVMM Administrator Console, an error message is displayed.
Although the user is able to authenticate successfully, SCVMM is not able to establish a two-way trust between the domains, which results in the above error message.
Resolution :
The server or client should be able to authenticate with the SCVMM domain. For this to happen, users should have either:
- A VPN connection to the domain controller
- Direct access connectivity to the domain controller
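
To tell the two scenarios apart before launching the SCVMM Administrator Console (for example, after bringing up the VPN), a check such as the following can be run. It is an added example, not part of the original article; it assumes an elevated PowerShell session on a domain-joined machine, and the way the results are combined into a verdict is this example's own choice.

```powershell
# Added diagnostic example; not part of the original article.
# Run elevated: reading the Security log requires administrator rights.
$domain = $env:USERDNSDOMAIN
if (-not $domain) { throw 'Not a domain logon session; nothing to evaluate.' }

# 1. Can a domain controller be located from this subnet? (/force bypasses the locator cache)
& nltest.exe "/dsgetdc:$domain" /force | Out-Null
$dcFound = ($LASTEXITCODE -eq 0)

# 2. Is the computer account's secure channel to the domain working?
try   { $channelOk = [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
catch { $channelOk = $false }

# 3. Does this logon session currently hold a Kerberos ticket-granting ticket?
$hasTgt = [bool](& klist.exe | Select-String -SimpleMatch 'krbtgt/')

# 4. Most recent interactive logon of this user in event 4624:
#    LogonType 2 = Interactive, 10 = RemoteInteractive, 11 = CachedInteractive
$logonType = $null
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
              -MaxEvents 500 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $data = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    if ($data['TargetUserName'] -eq $env:USERNAME -and
        @('2', '10', '11') -contains $data['LogonType']) {
        $logonType = [int]$data['LogonType']
        break
    }
}

# Verdict (assumption of this example): current reachability decides the scenario;
# logon type and TGT are reported as supporting evidence.
if (-not ($dcFound -and $channelOk)) {
    $verdict = 'Scenario 2: no domain controller reachable; establish connectivity first'
} elseif ($logonType -eq 11 -or -not $hasTgt) {
    $verdict = 'Domain controller reachable now, but this session started from cached credentials or holds no TGT'
} else {
    $verdict = 'Scenario 1: domain controller reachable, Kerberos logon'
}
"DC located: $dcFound | Secure channel: $channelOk | TGT: $hasTgt | LogonType: $logonType"
$verdict
```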
Conclusion:
This article explains the domain authentication process of the user and the SCVMM server, along with solution diagrams that help administrators evaluate the scenario, and explains at a high level the DLLs involved during authentication.