HP StorageWorks Storage Mirroring application notes Guidelines for networking and failover (T2558-96063, February 2008)
Storage Mirroring Guidelines for networking and failover application notes 13
Failure: The target account name is incorrect” will be returned if the computer account with which the SPN
is associated does not belong to the server that receives the connection request.
When Storage Mirroring failover occurs, the source's SPNs must be deleted so that the target server will
accept requests when clients attempt to access
\\SOURCE\SHARE. If there are no SPNs associated with the
name used in the request, the target server will allow the client connection since there is no conflict.
The “Write servicePrincipalName” permission on the source's AD computer account must be assigned to
the account that will modify the SPNs. This is an advanced permission and assigning either of the more
general Write or Full Control permissions, which are assigned to Domain Admins by default, will also be
adequate. The permission must be assigned to one of the following:
• The target's Storage Mirroring service logon account. If the target's Storage Mirroring service is
configured to log on as the System account, the target's Active Directory computer account should be
assigned the permissions.
• The account specified in the failover monitor configuration.
Use the following steps to give an account the appropriate permissions to modify the source's SPNs.
1. Start Active Directory Users and Computers.
2. Select
View, Advanced.
3. Locate the source's computer account.
4. Right-click on the source computer account and select
Properties.
5. Select the Security tab and click
Advanced.
6. If the account or group you want to add is not listed, click
Add to add it.
7. Select the account or group and click
View/Edit.
8. Select the Properties tab and check
Write servicePrincipalName.
9. Click
OK to accept the change.
There are two utilities that can be used to verify the SPN modifications and make the changes via
command line if necessary. The HP NSISPN.EXE utility can be downloaded at
http://www.hp.com/_download/dtnt42/nsispn.exe. Usage help is available by running NSISPN
with no parameters. Microsoft’s SETSPN.EXE utility is also available in the Windows Resource Kit, and has
similar functionality and usage.
If the computer accounts have been moved from the default containers (the Computers and Domain
Controllers containers), Storage Mirroring failover in versions prior to 4.2 Service Pack 1 and versions of
the NSISPN utility prior to 1.1 may not make the necessary changes. Accordingly, please ensure that the
version of NSISPN in use is 1.1 or later. The version is reported when NSISPN is run with no parameters.
After failover, the source SPNs can be viewed by running the following command:
NSISPN -L SOURCE_NAME
If the following SPNs are present, they must be deleted in order for clients to use the source name to access
shares on the target:
HOST/SOURCE_NAME
HOST/SOURCE_NAME.domain.com
Following is a sample script to remove the source SPNs and add them to the target. This can be run as a
Storage Mirroring failover script and may be necessary if the source computer is not in the default AD
container when using versions of Storage Mirroring prior to 4.2 Service Pack 1. If NSISPN is used in a
failover script, the Storage Mirroring service logon account must have the appropriate permissions to
delete and add the SPNs since the failover scripts run in its security context. All instances of
SOURCE and
TARGET must be replaced with the associated computers' names, and domain.com should be replaced
with the appropriate AD domain name. This script removes/adds both the HOST and SMTPSVC SPNs,
which are typical for a Windows 2000 or later server running Exchange Server 5.5.