By Roger Osborne
Like many of you, when I test out new Windows features, I often turn to TechNet documentation, to be certain I’m following Microsoft guidelines and recommendations along the way. A lot of work and effort goes into making this information available, and, more often than not, the details provide all the necessary pieces to get the feature working. That wasn’t the case, however, when I decided to configure the Hyper-V Replica connection broker following this post: http://technet.microsoft.com/en-us/library/jj134153.aspx#BKMK_1_4.
After carefully following the step-by-step instructions, the wizard appeared to successfully create the connection broker and close, only then to have the role status show it was in a failed state.
After scratching my head for a minute and mumbling a few choice words at the computer screen, I decided to put on my troubleshooting hat.
Since the Replica Broker role was being created in the Failover Cluster Manager, I felt pretty confident the cluster itself needed specific permissions to successfully configure the role in Active Directory (AD); however, what I didn’t know was which permissions were needed, or what took place when the wizard was able to successfully create the role, for that matter!
The other clue was found on the summary page of the Replica Broker Wizard (which I decided to finally read after my 3rd or 4th unsuccessful go at it!!). As you can see from the screenshot below, it displays the full OU path where my Hyper-V hosts’ computer objects were located.
In order to feel confident I would be successful on my next attempt, I opened Active Directory Users and Computers (ADUC) on my Domain Controller and drilled down to my Hyper-V OU. Next, I right-clicked and selected Delegate Control. I then added my cluster computer object and gave it full control of the OU, just to be certain it could do anything it needed. (This is when having a test lab comes in handy, as you definitely wouldn’t want to do this in production!)
With the delegation now in place I went through the wizard again. Lo and behold, the Replica Broker was created successfully and came online without issue! Next, I went back to my Hyper-V OU and discovered the Replica Broker Wizard creates a new computer object, which is used by the role to keep the broker service running and able to move from node to node, just like a VM.
So, we know delegating full control of the Hyper-V OU to the cluster computer object works, but that’s obviously not the least privilege approach. The base requirement, however, is simple: the cluster computer object (the Cluster Name Object, or CNO) needs to be able to create a computer object in the Hyper-V OU for the Replica Broker role.
Now I can hear you saying, “Roger, what’s the best method to get this role working?” I’m so glad you asked!! There are two ways! Although I would personally lean more towards option one, there may be some who prefer the second option, so I’ve included both. Only you can decide which works best in your environment!
The first option is to pre-stage a computer object in the Hyper-V OU whose name matches the name of the Replica Broker role you wish to create (e.g. ReplicaBroker1). Once the object is created, open its Properties and go to the Security tab (in ADUC the Security tab is only shown when View > Advanced Features is enabled), add the cluster computer object, and give it full control.
Here you can see the pre-staged computer object I created in my Hyper-V OU:
After creating the object, called REPLICABROKER1, I right-clicked it, opened Properties, then went to the Security tab. Next, I added the cluster computer object and gave it full control. (In this screenshot, you’ll notice my cluster is named HV1-HV2-2012CLU.) Click Apply then OK.
Once that is complete, you can successfully create the Replica Broker in the Failover Cluster Manager!
The second option is to delegate control of your Hyper-V host OU to the cluster computer object, giving it only the right to create computer objects within that OU.
After opening ADUC (Active Directory Users and Computers), locate and right-click the Hyper-V OU and select Delegate Control. Click Next on the Welcome screen, then click Add under Selected users and groups.
When presented with the following screen, select Object Types.
Check Computers and press OK.
Next, add the cluster computer object.
Now we need to select the Create a custom task to delegate, then press Next.
Select Only the following objects in the folder, check Computer objects, then check Create selected objects in this folder. Press Next.
Finally, under Permissions, check Write and click Next.
On the summary screen click Finish.
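If you would rather not click through ADUC, or you want the permissions to be repeatable and reviewable, the same two options can be applied from PowerShell. The script below is an added example and is not part of the original post or of the Hyper-V Replica documentation. It implements option one (pre-stage the broker object and grant the CNO full control of it) and option two (delegate, on the OU, only the right to create computer objects, approximating what the Delegate Control steps above produce), plus a small audit function that lists exactly which ACEs the cluster holds on the OU. The OU path OU=Hyper-V,DC=contoso,DC=com is an assumption; the cluster name HV1-HV2-2012CLU and broker name REPLICABROKER1 are taken from the post. It requires the RSAT ActiveDirectory module, which provides the AD: PowerShell drive.

```powershell
# Added example (not from the original post). Automates both options described above.
# Assumptions: RSAT ActiveDirectory module installed; OU/cluster/broker names are placeholders.
Import-Module ActiveDirectory

$HyperVOu    = 'OU=Hyper-V,DC=contoso,DC=com'   # assumption: your Hyper-V host OU
$ClusterName = 'HV1-HV2-2012CLU'                # the cluster computer object (CNO) from the post
$BrokerName  = 'REPLICABROKER1'                 # the Replica Broker role name from the post

# schemaIDGUID of the 'computer' object class; scopes the ACEs to computer objects only
$ComputerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Get-ClusterSid {
    param([string]$Name)
    # The CNO is an ordinary computer account; its SID is the trustee in every ACE below.
    [System.Security.Principal.SecurityIdentifier](Get-ADComputer -Identity $Name).SID
}

function Set-ReplicaBrokerPrestage {
    # Option 1: create the broker's computer object ahead of time and give the CNO full control of it.
    param([string]$Ou, [string]$Cluster, [string]$Broker)
    $sid = Get-ClusterSid -Name $Cluster
    if (-not (Get-ADComputer -Filter "Name -eq '$Broker'" -SearchBase $Ou)) {
        New-ADComputer -Name $Broker -SamAccountName $Broker -Path $Ou
    }
    $dn  = (Get-ADComputer -Filter "Name -eq '$Broker'" -SearchBase $Ou).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    # GenericAll is what ADUC shows as "Full control" on the object
    $fullControl = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($fullControl)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

function Set-ReplicaBrokerDelegation {
    # Option 2: on the OU itself, let the CNO create computer objects and write to computer
    # objects beneath the OU. This approximates the Delegate Control wizard steps in the post.
    param([string]$Ou, [string]$Cluster)
    $sid = Get-ClusterSid -Name $Cluster
    $acl = Get-Acl -Path "AD:\$Ou"

    # ACE 1: Create Child, limited to the 'computer' class, on this OU only
    $createComputer = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ComputerClass,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

    # ACE 2: Write, inherited only by computer objects under the OU (the wizard's "Write" box)
    $writeComputer = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $ComputerClass)

    $acl.AddAccessRule($createComputer)
    $acl.AddAccessRule($writeComputer)
    Set-Acl -Path "AD:\$Ou" -AclObject $acl
}

function Show-ClusterAces {
    # Audit: list exactly what the CNO is allowed to do on the OU, so you can confirm it is
    # no more than the Create Child / Write pair (or nothing at all, if you chose option 1).
    param([string]$Ou, [string]$Cluster)
    (Get-Acl -Path "AD:\$Ou").Access |
        Where-Object { $_.IdentityReference -like "*\$Cluster$" } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritedObjectType, InheritanceType
}

# Pick ONE option (the post leans towards option 1), then audit the result.
Set-ReplicaBrokerPrestage -Ou $HyperVOu -Cluster $ClusterName -Broker $BrokerName
# Set-ReplicaBrokerDelegation -Ou $HyperVOu -Cluster $ClusterName
Show-ClusterAces -Ou $HyperVOu -Cluster $ClusterName
```

Run this as a domain account that can modify the OU's security descriptor, then create the Replica Broker role in Failover Cluster Manager as before. In the audit output, an ObjectType of bf967a86-0de6-11d0-a285-00aa003049e2 on a CreateChild ACE means "computer objects only", which is the scoping you want to see; a bare GenericAll on the OU means someone has repeated the "full control of the OU" shortcut from the lab. For option two, the equivalent Create Child grant can also be applied with the built-in dsacls tool, e.g. `dsacls "OU=Hyper-V,DC=contoso,DC=com" /G "CONTOSO\HV1-HV2-2012CLU$:CC;computer"` (domain name assumed).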
In closing, I hope you enjoyed this post and found it informative!