Adding Hyper-V and SoFS cluster delegation permissions with PowerShell

Author by Concurrency Blog

When using Scale-Out File Servers (SoFS) for Hyper-V virtual machine storage, you need to set up the proper Kerberos delegation permissions on each host. To be specific, the "CIFS" (SMB) permission needs to be added for every Hyper-V node and the SoFS CNO (Computer Name Object), and "Live Migration" permissions need to be added to each Hyper-V node for migration purposes. This task is fairly simple in the GUI but can become tedious when you have multi-node Hyper-V/SoFS clusters.

I've created a script that can add the required CIFS and Live Migration permissions to each Hyper-V node. The parameters are simple:

```powershell
CreateHyperVSoFSDelegationPermissions.ps1 -HVClusterName "hyperv.clustername.com" -SoFSClusterName "Sofscluster.clustername.com"
```

```powershell
# Name: CreateHyperVSoFSDelegationPermissions
# Description: This script will add CIFS rights to specified SoFS clusters and Migration right to Hyper-V nodes in a cluster.
# Author: Aaron Fields
# Date: 3-21-2015
[CmdletBinding()]
Param (
    [Parameter(Mandatory=$True,Position=1)]
    [string]$HVClusterName,
    [Parameter(Mandatory=$True,Position=2)]
    [string]$SoFSClusterName
)

# Import and validate modules
Try {
    Import-Module ServerManager -ErrorAction:Stop
    Import-Module ActiveDirectory -ErrorAction:Stop
    Import-Module FailoverClusters -ErrorAction:Stop
}
Catch {
    Write-Host -ForegroundColor Red "Couldn't load modules required. Make sure you have Active Directory, Hyper-V, And FailoverCluster modules installed."
    return
}

# Creating Hyper-V node array
Try {
    $Cluster = Get-Cluster -Name $HVClusterName -ErrorAction Stop
    $HVClusterNodes = $Cluster | Get-ClusterNode
    Write-Host -ForegroundColor Green "Getting Hyper-V Cluster Nodes ($HVClusterName)"
}
Catch {
    Write-Host -ForegroundColor Red "Couldn't find Hyper-V cluster $HVClusterName."
    $ClustersERR = Get-Cluster -Domain $env:UserDnsDomain
    Write-Host -ForegroundColor Red "Clusters in $($env:UserDnsDomain) domain : $ClustersERR"
    return
}

# Creating SoFS node array
Try {
    $SoFSCluster = Get-Cluster -Name $SoFSClusterName -ErrorAction Stop
    $SoFSClusterNodes = $SoFSCluster | Get-ClusterNode
    Write-Host -ForegroundColor Green "Getting SoFS Cluster Nodes ($SoFSClusterName)"
}
Catch {
    Write-Host -ForegroundColor Red "Couldn't find SoFS cluster $SoFSClusterName."
    $ClustersERR = Get-Cluster -Domain $env:UserDnsDomain
    Write-Host -ForegroundColor Red "Clusters in $($env:UserDnsDomain) domain : $ClustersERR"
    return
}

# Every SPN below is added twice: as given, and with ".$env:UserDnsDomain" appended.

# Add Migration Services to each Hyper-V node.
Foreach ($HVClusterNode in $HVClusterNodes) {
    # This array will grab every node but itself.
    $HVTargetNodes = ($HVClusterNodes | Where {$HVClusterNode.Name -ne $_.Name}).Name

    Foreach ($HVTargetNode in $HVTargetNodes) {
        $VirtualMigAdNodeProp = (Get-ADComputer $HVClusterNode.ToString() -Properties msDS-AllowedToDelegateTo |
            Select-Object -ExpandProperty msDS-AllowedToDelegateTo |
            Where {$_ -eq "Microsoft Virtual System Migration Service/$HVTargetNode"})
        If ($null -ne $VirtualMigAdNodeProp) {
            Write-Host -ForegroundColor Gray "Computer $HVTargetNode is already trusted for delegation service 'Microsoft Virtual System Migration Service/$HVTargetNode' on Server $($HVClusterNode.Name). Skipping..."
            continue
        }
        Else {
            $ParamHash = @{"msDS-AllowedToDelegateTo"="Microsoft Virtual System Migration Service/$HVTargetNode","Microsoft Virtual System Migration Service/$HVTargetNode.$env:UserDnsDomain"}
            Try {
                # -ErrorAction Stop so a failed write reaches the Catch block instead of printing success.
                Get-ADComputer $HVClusterNode.ToString() | Set-ADObject -Add $ParamHash -ErrorAction Stop
                Write-Host -ForegroundColor Green "Adding $HVTargetNode delegation for service 'Microsoft Virtual System Migration Service' on Server $($HVClusterNode.Name)."
            }
            Catch {
                Write-Host -ForegroundColor Red "Failed to add $HVTargetNode delegation rights to $($HVClusterNode.ToString())"
            }
        }
    }

    # Add SoFS CNO CIFS services to the Hyper-V nodes
    $CIFSAdSOFSCNOProp = (Get-ADComputer $HVClusterNode.Name -Properties msDS-AllowedToDelegateTo |
        Select-Object -ExpandProperty msDS-AllowedToDelegateTo |
        Where {$_ -eq "CIFS/$SoFSClusterName"})
    If ($null -ne $CIFSAdSOFSCNOProp) {
        Write-Host -ForegroundColor Gray "SoFS CNO $SoFSClusterName is already trusted for delegation service 'CIFS/$SoFSClusterName' on Server $($HVClusterNode.Name). Skipping..."
    }
    Else {
        $ParamHash = @{"msDS-AllowedToDelegateTo"="CIFS/$SoFSClusterName","CIFS/$SoFSClusterName.$env:UserDnsDomain"}
        Get-ADComputer $HVClusterNode.Name | Set-ADObject -Add $ParamHash
        Write-Host -ForegroundColor Green "Adding SoFS CNO $SoFSClusterName delegation service 'CIFS' on Server $($HVClusterNode.Name)."
    }

    # Add CIFS services for each SoFS node to the Hyper-V node in the foreach loop
    Foreach ($SoFSClusterNode in $SoFSClusterNodes) {
        $SoFSTargetNode = ($SoFSClusterNodes | Where {$SoFSClusterNode.Name -eq $_.Name}).Name
        $CIFSAdNodeProp = (Get-ADComputer $HVClusterNode.Name -Properties msDS-AllowedToDelegateTo |
            Select-Object -ExpandProperty msDS-AllowedToDelegateTo |
            Where {$_ -eq "CIFS/$SoFSTargetNode"})
        If ($null -ne $CIFSAdNodeProp) {
            Write-Host -ForegroundColor Gray "SoFS $SoFSTargetNode is already trusted for delegation service 'CIFS/$SoFSTargetNode' on Server $($HVClusterNode.Name). Skipping..."
        }
        Else {
            $ParamHash = @{"msDS-AllowedToDelegateTo"="CIFS/$SoFSTargetNode","CIFS/$SoFSTargetNode.$env:UserDnsDomain"}
            Get-ADComputer $HVClusterNode.Name | Set-ADObject -Add $ParamHash
            Write-Host -ForegroundColor Green "Adding SoFS $SoFSTargetNode delegation service 'CIFS' on Server $($HVClusterNode.Name)."
        }
    }
}
```
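An audit to run after the script, added here as an example and not part of the original post: it rebuilds the SPN set the script writes for each Hyper-V node and compares it with the node's msDS-AllowedToDelegateTo values, reporting entries that are missing and entries that are present but not expected. The function names, host names, domain and sample values are constructed for illustration.

```powershell
# Added example, not part of the original script. All names and data are constructed.

# SPNs the script above writes for one Hyper-V node: the migration service for
# every other Hyper-V node, CIFS for the SoFS CNO and each SoFS node, each in
# short-name and FQDN form.
function Get-ExpectedDelegation {
    param([string]$Node, [string[]]$HVNodes, [string[]]$SoFSNodes,
          [string]$SoFSCno, [string]$Domain)
    $spns = @()
    foreach ($peer in ($HVNodes | Where-Object { $_ -ne $Node })) {
        $spns += "Microsoft Virtual System Migration Service/$peer"
        $spns += "Microsoft Virtual System Migration Service/$peer.$Domain"
    }
    foreach ($target in (@($SoFSCno) + $SoFSNodes)) {
        $spns += "CIFS/$target"
        $spns += "CIFS/$target.$Domain"
    }
    $spns
}

# Compare what is on the computer object with what should be there.
# -notcontains is case-insensitive, which matches how SPNs are compared.
function Compare-Delegation {
    param([string]$Node, [string[]]$Expected, [string[]]$Actual)
    $missing    = @($Expected | Where-Object { $_ -and $Actual -notcontains $_ })
    $unexpected = @($Actual | Where-Object { $_ -and $Expected -notcontains $_ })
    [pscustomobject]@{
        Node       = $Node
        Missing    = $missing
        Unexpected = $unexpected
        Compliant  = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
    }
}

# Constructed inventory (keys match the parameter names so it can be splatted).
$inv = @{ HVNodes = 'HV01','HV02'; SoFSNodes = 'FS01','FS02'; SoFSCno = 'SOFS'; Domain = 'corp.example' }

# Constructed "actual" values. In a live domain, read them per node with:
# (Get-ADComputer $node -Properties msDS-AllowedToDelegateTo).'msDS-AllowedToDelegateTo'
$actual = @{
    HV01 = Get-ExpectedDelegation -Node 'HV01' @inv
    HV02 = @('CIFS/SOFS', 'CIFS/SOFS.corp.example', 'CIFS/FS01', 'CIFS/FS01.corp.example',
             'Microsoft Virtual System Migration Service/HV01',
             'Microsoft Virtual System Migration Service/HV01.corp.example',
             'CIFS/OLDFS01')   # FS02 entries missing, stale OLDFS01 entry present
}

foreach ($node in $inv.HVNodes) {
    $expected = Get-ExpectedDelegation -Node $node @inv
    Compare-Delegation -Node $node -Expected $expected -Actual $actual[$node]
}
```

Entries under Unexpected are worth reviewing first, since each one is a service the node is trusted to delegate to beyond what this storage and migration setup needs.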