One of the benefits to virtual machines is the ability to create a template and then deploy new machines quickly.
Doing this with QAS-enabled machines can, however, cause problems, because some of what a joined machine holds must be unique to it.
The most common issue arises when a machine is joined, saved as a template, and then used as the source for several cloned machines. At first everything appears to work fine on the new machines. After some time has passed, however, only one machine out of the original batch will still be authenticating users against Active Directory.
This can be hard to track down, since the failures do not begin until several weeks after the initial deployment.
This happens because the original machine was joined and now has a computer object in Active Directory and a local keytab used for authenticating against AD to perform queries and other tasks. When the other machines are cloned, the keytab is cloned as well, and since the keytab is tied to servicePrincipalNames rather than hostnames, it continues to work even after the hostname is changed.
For security reasons, the password stored in the keytab is reset against the computer object every 30 days to a random value. Once one machine resets its password, all other machines cloned from the same image start failing, since they no longer know the computer object's password, which in turn causes authentication failures for users.
By default, the keytabs and vas.conf are located on a machine in this directory:
/etc/opt/quest/vas/
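The cloning problem described above leaves a fingerprint that can be checked from the defender's side: the same computer principal appears in the keytabs of more than one host. As an added example (not part of this article or of the QAS product), the following Python parses keytabs in the standard version-2 (0x0502) Kerberos keytab format, which the host keytabs in the directory above are assumed to use, and reports any principal shared by several hosts together with each host's key version number; in the constructed sample, clone-a has already rotated the computer password (kvno 3) while clone-b still holds the template's key (kvno 2). The realm, hostnames and key bytes are constructed sample values.

```python
import struct
from collections import defaultdict
def build_keytab(realm: str, spns: list, kvno: int, key: bytes) -> bytes:
    """Constructed version-0x0502 keytab with one entry per SPN; used only as sample input."""
    out = b"\x05\x02"
    for spn in spns:
        comps = spn.encode().split(b"/")
        body = struct.pack(">H", len(comps))
        for s in [realm.encode()] + comps:  # realm first, then the name components
            body += struct.pack(">H", len(s)) + s  # counted_octet_string: uint16 length + bytes
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, 8-bit vno
        body += struct.pack(">HH", 23, len(key)) + key  # enctype 23 = arcfour-hmac
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data: bytes) -> list:
    """Return (principal, kvno) for every live entry of a version-2 keytab."""
    assert data[:2] == b"\x05\x02", "unsupported keytab version"
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size <= 0:  # a negative size marks a deleted slot; skip over it
            pos -= size
            continue
        body, pos, p, parts = data[pos:pos + size], pos + size, 2, []
        for _ in range(struct.unpack_from(">H", body, 0)[0] + 1):  # realm, then components
            n = struct.unpack_from(">H", body, p)[0]
            parts.append(body[p + 2:p + 2 + n].decode())
            p += 2 + n
        vno8 = struct.unpack_from(">IIB", body, p)[2]  # skip name_type and timestamp
        klen = struct.unpack_from(">HH", body, p + 9)[1]  # enctype, then key length
        p += 13 + klen  # a 32-bit kvno follows the key only if the writer emitted one
        kvno = struct.unpack_from(">I", body, p)[0] if p + 4 <= len(body) else vno8
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno))
    return entries

def duplicate_identities(keytabs: dict) -> dict:
    """Principals present in more than one host's keytab -> {host: highest kvno seen}."""
    by_principal = defaultdict(dict)
    for host, data in keytabs.items():
        for principal, kvno in parse_keytab(data):
            by_principal[principal][host] = max(kvno, by_principal[principal].get(host, 0))
    return {p: h for p, h in by_principal.items() if len(h) > 1}

# Constructed sample: clone-a and clone-b share a template joined as tmpl01; web03 joined on its own.
SAMPLE_KEYTABS = {
    "clone-a": build_keytab("EXAMPLE.COM", ["host/tmpl01.example.com"], 3, b"\x11" * 16),
    "clone-b": build_keytab("EXAMPLE.COM", ["host/tmpl01.example.com"], 2, b"\x22" * 16),
    "web03": build_keytab("EXAMPLE.COM", ["host/web03.example.com"], 2, b"\x33" * 16),
}
```

Equal kvnos for a shared principal mean the clones are still identical and the failure is only pending; differing kvnos mean one clone has already reset the computer password and the others can no longer authenticate.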
To ensure a unique computer object name in AD when joining, the -n option can also be used:
-n computer Specify name of computer object
© 2024 One Identity LLC. ALL RIGHTS RESERVED.