These days I have been trying to implement a workgroup cluster. Let's say I execute the cmdlet below on srv2:
PS C:\> New-Cluster -Name FSCLUSTER -Node srv2,srv3 -StaticAddress 10.0.0.29 -NoStorage -AdministrativeAccessPoint Dns -Verbose
I got many errors like the one below.
Cluster network name resource failed registration of one or more associated DNS names(s) because the corresponding DNS Zone does not accept dynamic updates. Cluster Network name: 'Cluster Name' DNS Zone: 'alex.tls' Guidance: Ensure that the DNS is configured as a Dynamic DNS zone. If the DNS server does not accept dynamic updates uncheck the 'Register this connection's' addresses in DNS' in the properties of the network adapter.
I am not that curious about these errors; what I am most curious about is the authentication in this operation, as it will perform some operations on the remote server node, which is srv3. However, in this cmdlet I found I can't specify my credential to authenticate to srv2 and srv3, unlike New-PSSession or Enter-PSSession, which let you use a Credential parameter, right?
So when I execute this cmdlet, PS will pass my current user's credential to the remote server srv3, right? But in Windows there is a mechanism called UAC: it makes user accounts that are members of the local Administrators group run most applications using the principle of “least privilege.” When a member of the local Administrators group has to perform a task that requires administrator rights, Windows automatically prompts the user for approval.
After PS passes my current user's credential to srv3, according to UAC the remote PS session from srv2 to srv3 will have a filtered token (least privilege); at least, the PS console does pop up a UAC window for me to approve an operation that requires administrative rights.
So the first question is: does the user not need administrative rights to deploy a workgroup cluster using PS?
Then I googled the deployment of workgroup clusters and found some posts mentioning that we need to change a registry key that affects User Account Control (UAC). To be more specific, it's the modification below:
New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 1 -PropertyType DWord
Finally, the key point is LocalAccountTokenFilterPolicy.
In this post: https://blog.ahasayen.com/remote-local-administrator-localaccounttokenfilterpolicy/ , it says LocalAccountTokenFilterPolicy is used for this purpose: “This is saying that, if I receive a connection with a user name and password that matches a local user account on my local credential store, I will consider it valid transaction.”
In another post from MS: https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows , it says LocalAccountTokenFilterPolicy is used to determine the type of session token, which is either a filtered token or an elevated token.
So the final question is: which explanation of LocalAccountTokenFilterPolicy do you agree with?
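As an added example that is not part of the original post, the following PowerShell reads the policy on a host and reports which kind of token the session running it actually holds, so the two descriptions above can be checked empirically on srv2 and srv3. The target name srv3, WinRM being enabled on it, and prompting for the credential with Get-Credential are assumptions.

```powershell
# Added example (not from the original post): audit LocalAccountTokenFilterPolicy
# and report which token the session it runs in actually holds.
# Assumes Windows PowerShell 5.1+ and WinRM enabled on the assumed target srv3.

function Get-RemoteUacPolicy {
    # A missing value means the default (0): a remote logon with a local account that is
    # a member of Administrators receives a filtered (least-privilege) token.
    # A value of 1 switches that filtering off for every local admin account on the host,
    # so record it as an accepted risk rather than a harmless tweak.
    $path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $item  = Get-ItemProperty -Path $path -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.LocalAccountTokenFilterPolicy } else { 0 }
    if ($value -eq 1) {
        $effect = 'Local admin accounts get the FULL token over the network (remote UAC filtering off)'
    } else {
        $effect = 'Local admin accounts get a FILTERED token over the network (default)'
    }
    [pscustomobject]@{ ComputerName = $env:COMPUTERNAME; PolicyValue = $value; Effect = $effect }
}

function Test-SessionToken {
    # In a filtered token the Administrators group SID is marked deny-only, so IsInRole
    # returns $false even though the account is a member of Administrators.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        User         = $identity.Name
        FullToken    = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

# Local checks on the node where the script runs (e.g. srv2).
Get-RemoteUacPolicy
Test-SessionToken

# The same checks inside a remote session, as in the cluster scenario.
# srv3 is an assumed host name; the credential is prompted for interactively.
$cred = Get-Credential
Invoke-Command -ComputerName srv3 -Credential $cred -ScriptBlock ${function:Get-RemoteUacPolicy}
Invoke-Command -ComputerName srv3 -Credential $cred -ScriptBlock ${function:Test-SessionToken}
```

Comparing FullToken from the local run with FullToken from the remote run shows directly whether the remote session received the filtered or the full token under the current policy value.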