Introduction


You install and configure System Center Virtual Machine Manager (SCVMM) 2008 R2 on a Windows Server 2008 R2 machine that is part of an Active Directory domain. An administrator will not be able to log on to the SCVMM administrator console if the server moves to a different subnetwork that cannot authenticate to the Active Directory domain.

 

Scenario 1: SCVMM Server Successful Authentication with Directory Service

In this example, the Microsoft SCVMM server is able to authenticate with Active Directory. The prerequisite is that the SCVMM server can validate the credentials of the logged-on Active Directory user, or the Active Directory user credentials specific to the SCVMM console.

 

Solution Diagram

Figure: Data Center Configuration

 

Server Checklist

| Servers | Description |
|---|---|
| Cisco 1800 Series Integrated Service Routers | Edge router connecting to the internet |
| Catalyst 3750 (Layer 3) switch | Configured with VLAN, NAT |
| Catalyst 6500 Layer 3 switch | Infrastructure servers connect to the switch |
| Microsoft Hyper-V Server | Hosts virtual machines |
| Microsoft SCVMM server | Manages virtual hosts |
| Microsoft Domain Controller | Provides authentication to clients and users |
| Additional domain controller | Provides authentication to clients and users, and fault tolerance |
| NAS Share | Hosts VMware virtual machines |
| Cisco 2800 series routers | Connect the datacenters for DR |

 

 

 

 

Description:

When a user logs on to a Windows server and a domain controller is available, the following Kerberos authentication takes place.

A typical high-level Kerberos user authentication is shown below.

After a successful logon to the Windows console, when the administrator or user launches the SCVMM administrator console, it establishes two-way authentication between the user domain and the SCVMM domain. Once validation succeeds, the user or administrator can manage the resources.

 

 

 

 

Scenario 2: SCVMM Server Unsuccessful Authentication with Directory Service

In this example, the user is at a remote location and cannot authenticate with the domain controller. The prerequisite is that the client or server from which the user is authenticating is part of the domain.

 

Solution Diagram

Figure: Data Center Configuration - 2

 

 

 

Description:

The Windows client or server is not part of the network where the domain controller is located. The Windows client or server successfully authenticates with cached credentials. The authentication process for a client or server that is not part of the domain is different.

Windows uses two authentication protocol packages:

a) LAN Manager 2 protocol
b) Kerberos protocol

The Kerberos protocol is used only when the client or server is able to authenticate with a domain controller. In the example above, the client or server uses LAN Manager 2 and calls the Msv1_0.dll authentication package, which validates the user credentials against the SAM database.

After a successful logon using cached credentials, when the user launches the SCVMM administrator console, he receives an error message.

Although the user is able to authenticate successfully, SCVMM is not able to establish a two-way trust between the domains, which results in the above error message.
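One way to confirm which of the two logon paths a session took, as an added example that is not part of the original article: Security event 4624 records logon type 11 (CachedInteractive) when Windows accepts cached credentials instead of contacting a domain controller. The event XML, the CONTOSO\vmmadmin account and the function names are constructed for illustration.

```powershell
# Added example: classify a Security 4624 logon event as cached or not cached.
# Logon types that event 4624 uses for logons served from cached credentials.
$CachedTypes = @{ 11 = 'CachedInteractive'; 12 = 'CachedRemoteInteractive'; 13 = 'CachedUnlock' }

function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory = $true)][string]$EventXml)
    # Flatten the <Data Name="...">value</Data> elements into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$EventXml).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $type = [int]$data['LogonType']
    New-Object PSObject -Property @{
        User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = $type
        Cached    = $CachedTypes.ContainsKey($type)
    }
}

function Get-LogonVerdict {
    param([Parameter(Mandatory = $true)]$Logon)
    if ($Logon.Cached) {
        $why = 'cached credentials ({0}); no domain controller validated this session' -f $CachedTypes[$Logon.LogonType]
    } else {
        $why = 'not a cached logon'
    }
    '{0}: logon type {1}, {2}' -f $Logon.User, $Logon.LogonType, $why
}

# Constructed sample events (trimmed to the fields used here); not real log data.
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserName">{0}</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="LogonType">{1}</Data>
  </EventData>
</Event>
'@
foreach ($case in @(@('vmmadmin', 11), @('vmmadmin', 2))) {
    Get-LogonVerdict (ConvertFrom-LogonEventXml -EventXml ($template -f $case[0], $case[1]))
}

# Live use from an elevated prompt on the machine running the console:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 50 |
#     ForEach-Object { Get-LogonVerdict (ConvertFrom-LogonEventXml -EventXml $_.ToXml()) }
```

A cached verdict for the account that launches the console corresponds to Scenario 2. `Test-ComputerSecureChannel` reports separately whether the machine's secure channel to its domain is currently working.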

 

 

Resolution:

The server or client should be able to authenticate with the SCVMM domain. For this to happen, users should either

 

 

Conclusion:

This article explains the domain authentication process of the user and the SCVMM server, along with solution diagrams that help administrators evaluate the scenario, and explains at a high level the DLLs involved during authentication.