Complete Additional DR Installation Tasks
After DR setup is complete, do the following:
- Required: Reboot all machines that are part of your DR deployment
- Recommended: Test the DR solution by running a failover scenario and a failback scenario. For more information about how to run a failover and a failback, see Administer a LogRhythm Disaster Recovery Deployment.
Complete SPN Registration
After the Disaster Recovery installation, the SQL Server SPNs must be registered in the domain for Windows (Kerberos) authentication to work. This covers logins with Windows user accounts (for example, domain\bob.smith) and any service accounts that LogRhythm services use when configured for Windows Authentication (for example, domain\logrhythmWebUI). SPN registration requires a Domain Admin account. If the SQL Server service account is itself a Domain Admin, SQL Server registers its own SPNs at service start-up because the account can write its servicePrincipalName attribute, but that configuration is uncommon. Most customers must register the SPNs with a Domain Admin account by running the Kerberos Configuration Manager for SQL Server after the Disaster Recovery installation. For more information and to download the Microsoft Kerberos Configuration Manager for SQL Server, see this page. Register the SPNs before running a Disaster Recovery failover test; without them, Kerberos authentication to the LogRhythm application fails.
If LogRhythm service accounts use Windows Authentication, you may also need to register an SPN for each SQL failover IP and create reverse DNS (PTR) entries that resolve each failover IP to the DR shared name that carries a registered SPN (for example, logrhythmdr.domain.com), if these were not created automatically. During a DR failover, the Global EMDB IP in the Consul configuration is overwritten with the DR failover IP of the active PM/XM, so LogRhythm services then connect to the EMDB by that IP. Kerberos derives the target SPN from the name or address the client used to connect: if the failover IP has neither a PTR record pointing to a name with a valid SPN nor an SPN registered for the IP address itself, the services fail Kerberos authentication.
SPN registration can also be done manually from the command line, as in the following examples (the switch is a plain hyphen, and the account is the one the SQL Server service runs under). On Windows Server 2008 and later, setspn -s performs the same registration but first checks the forest for an existing copy of the SPN; prefer it, because a duplicate SPN registered on a second account breaks Kerberos for every client of that SQL instance.
setspn -a MSSQLSvc/<PMhostname>:1433 <Domain\Service account SQL is running under>
setspn -a MSSQLSvc/<DRFailoverIP>:1433 <Domain\Service account SQL is running under>
setspn -a MSSQLSvc/<logrhythmdr.domain.com>:1433 <Domain\Service account SQL is running under>
For more information about SPN requirements for Kerberos Authentication, see this page.
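The registration and the reverse DNS check together, as an added PowerShell example (this is not LogRhythm's own script). The service account, host names, failover IPs and port are placeholders; replace them with your deployment's values and run it in an elevated session as a Domain Admin on a domain-joined machine.

```powershell
# Added example, not LogRhythm's own code. Registers the MSSQLSvc SPNs a DR
# deployment needs on the SQL Server service account, refuses to create a
# duplicate, and checks that each failover IP has reverse DNS to a name that
# carries a registered SPN. Run elevated, as a Domain Admin, on a domain-joined host.
#
# Assumptions (placeholders, replace with your values): account name, host names,
# failover IPs. Port 1433 is the default SQL Server port used on this page.

$SqlServiceAccount = 'DOMAIN\svc_sql'       # account SQL Server runs under
$SqlPort           = 1433
$SpnHosts = @(
    'pm01.domain.com',          # primary PM/XM host name
    'pm02.domain.com',          # DR partner PM/XM host name
    'logrhythmdr.domain.com'    # DR shared name (target of the PTR records below)
)
$FailoverIPs = @('10.0.0.50', '10.0.0.51')  # SQL failover IPs that Consul hands to services

# SPNs already on the account: setspn -L prints a header line, then one
# tab-indented SPN per line.
function Get-RegisteredSpn([string]$Account) {
    (& setspn.exe -L $Account) |
        Where-Object { $_ -match '^\s+\S' } |
        ForEach-Object { $_.Trim() }
}

function Register-SqlSpn([string]$Spn, [string]$Account) {
    $have = Get-RegisteredSpn $Account
    if ($have -contains $Spn) {
        Write-Host "ok       $Spn already registered on $Account"
        return
    }
    # setspn -Q searches the forest; a hit here means the SPN lives on a
    # different principal, and a duplicate SPN breaks Kerberos for every client.
    $query = & setspn.exe -Q $Spn
    if ($query -match 'Existing SPN found') {
        Write-Warning "DUPLICATE: $Spn is registered elsewhere; fix that first:`n$($query -join "`n")"
        return
    }
    # -S re-checks for duplicates before adding (safer than -A).
    & setspn.exe -S $Spn $Account | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "setspn -S failed for $Spn" }
    Write-Host "added    $Spn -> $Account"
}

# 1. Host-name SPNs, then one SPN per failover IP for clients that build the
#    SPN from the address they connected to.
foreach ($h in $SpnHosts + $FailoverIPs) {
    Register-SqlSpn "MSSQLSvc/${h}:$SqlPort" $SqlServiceAccount
}

# 2. Reverse DNS: each failover IP must resolve to a name that holds an SPN,
#    otherwise clients that reverse-resolve the IP request an SPN nobody owns.
foreach ($ip in $FailoverIPs) {
    try {
        $names = @((Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop).NameHost |
                   ForEach-Object { $_.TrimEnd('.') })
    } catch {
        Write-Warning "no PTR record for $ip; create one pointing at the DR shared name"
        continue
    }
    $withSpn = $names | Where-Object { $SpnHosts -contains $_ }
    if ($withSpn) {
        Write-Host "ok       $ip -> $($withSpn -join ', ') (has MSSQLSvc SPN)"
    } else {
        Write-Warning "$ip reverse-resolves to $($names -join ', '), which has no SPN in this list"
    }
}

# Final listing of the SQL SPNs on the account, for the change record.
Get-RegisteredSpn $SqlServiceAccount | Where-Object { $_ -like 'MSSQLSvc/*' }
```

The duplicate check matters more than the registration itself: Kerberos cannot pick between two accounts holding the same SPN, so every client silently falls back to NTLM or fails outright. Run the script before the failover test, and again after it if Consul has handed out a failover IP you had not listed.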
Change DNS Records Manually
In some environments, dynamic DNS updates are not available or not permitted by organizational policy. In that case, after a failover in the LogRhythm DR environment, the shared A record (the DR shared name) must be updated manually in DNS to point to the failover IP of the newly active PM/XM; the Infoblox procedure is described below. A symptom of this setup is the Failover Cluster Name Resource reporting that it is not registered, because Windows cannot update the DNS record remotely. Until the record is updated, clients that resolve the shared name still reach the old IP.
For Users with Infoblox DNS
Use the following checklist to verify that Infoblox DNS permits the updates described in this section.
- In the Infoblox UI, verify a zone exists for the domain in Data Management > DNS > Zone. If this does not exist, create an authoritative zone for the domain.
- Verify the zone allows queries from the DR servers.
- Verify the zone allows updates from the DR servers.
- If GSS-TSIG is not being used, allow unsigned updates from the Domain Controller. Unsigned updates are accepted on source address alone, so restrict the allowed-update list to the Domain Controllers and DR servers rather than a whole subnet, and prefer GSS-TSIG where policy allows it.
- If the LogRhythm DR DNS Record already exists, verify the record is set to “Dynamic” and that it is not protected.
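The manual update itself, done through the Infoblox WAPI instead of the UI, as an added PowerShell example (this is not LogRhythm or Infoblox code). The Grid Master name, WAPI version v2.7, DNS view, record name and new IP are assumptions; the account used needs DNS write permission on the zone.

```powershell
# Added example, not LogRhythm's or Infoblox's own code. When dynamic updates
# are not permitted, repoint the DR shared A record at the failover IP of the
# newly active PM/XM through the Infoblox WAPI, refuse to act on ambiguous
# records, and confirm the change by querying the Grid Master directly.
#
# Assumptions (placeholders): Grid Master host, WAPI version v2.7, view
# 'default', record name, new IP. Add -SkipCertificateCheck to the
# Invoke-RestMethod calls (PowerShell 7) only for lab Grid Masters that use
# self-signed certificates.

$GridMaster = 'infoblox.domain.com'
$WapiBase   = "https://$GridMaster/wapi/v2.7"
$View       = 'default'
$RecordName = 'logrhythmdr.domain.com'       # DR shared name
$NewIp      = '10.0.0.51'                    # failover IP of the now-active PM/XM

# WAPI uses HTTP basic authentication; build the header once.
$Cred = Get-Credential -Message 'Infoblox account with DNS write permission'
$pair = "$($Cred.UserName):$($Cred.GetNetworkCredential().Password)"
$Headers = @{
    Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
}

function Get-DrARecord {
    $uri = "$WapiBase/record:a?name=$RecordName&view=$View&_return_fields=name,ipv4addr"
    @(Invoke-RestMethod -Uri $uri -Method Get -Headers $Headers)
}

# Bail out on anything unexpected: no record means the checklist was not
# completed; two records would make the failover target ambiguous.
$records = Get-DrARecord
if ($records.Count -eq 0) {
    throw "No A record '$RecordName' in view '$View'; create it (Dynamic, unprotected) first."
}
if ($records.Count -gt 1) {
    throw "Found $($records.Count) A records for '$RecordName'; expected exactly one."
}
$rec = $records[0]

if ($rec.ipv4addr -eq $NewIp) {
    Write-Host "$RecordName already points at $NewIp; nothing to do."
} else {
    Write-Host "Updating ${RecordName}: $($rec.ipv4addr) -> $NewIp"
    # PUT on the object's _ref changes only the fields supplied in the body.
    $body = @{ ipv4addr = $NewIp } | ConvertTo-Json -Compress
    Invoke-RestMethod -Uri "$WapiBase/$($rec._ref)" -Method Put -Headers $Headers `
        -ContentType 'application/json' -Body $body | Out-Null
}

# Verify against the Grid Master itself, bypassing the client's resolver
# cache; a mismatch usually means the record is protected or the view is wrong.
$answer = @((Resolve-DnsName -Name $RecordName -Type A -Server $GridMaster -ErrorAction Stop).IPAddress)
if ($answer -contains $NewIp) {
    Write-Host "verified: $RecordName resolves to $NewIp on $GridMaster"
} else {
    throw "$RecordName still resolves to $($answer -join ', ') on $GridMaster"
}

# Local clients keep the old answer until their cache expires; flush it here.
Clear-DnsClientCache
```

Run this on the DR server that has just become active (or from an admin workstation) once the failover has completed, and keep the script's output with the failover record. If the PUT succeeds but the verification fails, check the record's protection flag and the zone's view before retrying.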