DX NetOps

VAIM and MS Cluster Server

  • 1.  VAIM and MS Cluster Server

    Posted May 29, 2015 09:25 AM

    What type of AD account does VAIM need in order to add a MS Cluster server?  What group does the AD account need to belong to?



  • 2.  Re: VAIM and MS Cluster Server

    Posted May 29, 2015 10:01 AM

    Hi,

     

    In the documentation it is only documented that you will need full administrative access to all involved devices of the cluster. I didn't find anyone inside CA who could tell me more or who had documentation of all of the needed security rights inside Windows.

     

    In fact, if you only want to monitor the cluster, you need only read access to the Cluster Nodes and the Cluster Resources. The AIM will collect the data in the same way as the MS Cluster does.

     

    If you want to minimize the needed rights, you need to track the used rights with the Sysinternals tools. But this was quite hard work and needs a lot of time. In our projects we decided to use the domain admin group. The easiest way to do it.

     

    Alex



  • 3.  Re: VAIM and MS Cluster Server

    Posted May 29, 2015 11:08 AM

    I was able to find exactly what I needed in the documentation.

     

    Monitoring

    Requires a domain administrator account or a cluster node local account. If a domain user is used, it must be in the domain administrators group. If a cluster node local account is used, the user must be a member of the administrators group.

     

    However, I have noticed that one of the nodes did not have the SNMP community settings, which I have fixed. Now I have the cluster and both nodes in Spectrum, but one of the nodes shows as an IP device and the other node shows as a Windows host.



  • 4.  Re: VAIM and MS Cluster Server

    Posted Jun 01, 2015 02:49 PM

    While it works if I use the local Admin group, is there perhaps a group that VAIM can use that does not have to be a domain admin or local admin account? Security and server admin guys are nervous about letting just any user account into those groups.



  • 5.  Re: VAIM and MS Cluster Server

    Broadcom Employee
    Posted Jun 02, 2015 07:31 AM

    Opnet.

     

    If I remember correctly (it has been a few years), this was a Microsoft requirement as they locked down some of the WMI calls.



  • 6.  Re: VAIM and MS Cluster Server

    Posted Jun 02, 2015 07:40 AM

    So in order for VAIM to have any ability to monitor any MS Cluster, resources, and nodes, VAIM will either have to use a domain admin account or a local admin account on the MS Cluster. Even with that level of access I can't seem to convince the server guys that VAIM still can't change anything. Am I correct in that assumption?



  • 7.  Re: VAIM and MS Cluster Server

    Broadcom Employee
    Posted Jun 02, 2015 07:45 AM

    The MS Cluster AIM only queries metrics for monitoring.  Nothing else.  If there still is a concern, have them verify with Microsoft. 



  • 8.  Re: VAIM and MS Cluster Server

    Posted Jun 02, 2015 07:56 AM

    I am also guessing that the native account that VAIM will use to monitor a Cisco UCS environment is strictly so that VAIM can have visibility into all the UCS components to monitor.



  • 9.  Re: VAIM and MS Cluster Server

    Broadcom Employee
    Posted Jun 02, 2015 07:58 AM

    The Cisco UCS account only needs to be a read-only account that can see all the objects.



  • 10.  Re: VAIM and MS Cluster Server

    Posted Jun 02, 2015 08:06 AM

    Does that account need to be a native account, local account, or could it be a domain account to the UCS Server with read-only rights?



  • 11.  Re: VAIM and MS Cluster Server

    Broadcom Employee
    Posted Jun 03, 2015 06:37 AM

    It is an application account. Meaning, you would use the same ID as you would to log into the UCS console. That is how I test the user ID prior to setting up the AIM.



  • 12.  Re: VAIM and MS Cluster Server

    Posted Jun 03, 2015 06:47 AM

    I have a CA Service account that is on the domain that we added to the local admin group of a MS Cluster that VAIM uses to monitor the server. But from another post I will need to create a native account on the UCS Server for VAIM to use. We currently are trying the CA service account on the domain as the account that VAIM can use, but it never connects or adds the UCS. We don't intend VAIM to make or provision any changes within UCS but JUST monitor.