Merge pull request #14702 from MikeRayMSFT/20200424-bdc-troubleshoot

garycentric · web-flow · commit 88851649dca9 · 2020-04-24T10:49:12.000-07:00
Stage AD reverse lookup zone.
diff --git a/docs/big-data-cluster/troubleshoot-active-directory.md b/docs/big-data-cluster/troubleshoot-active-directory.md
@@ -1,5 +1,5 @@
 ---
-title: Troubleshoot Active Directory integration
+title: Troubleshoot Active Directory domain group scope
 titleSuffix: SQL Server Big Data Cluster
 description: Troubleshoot deployment of a SQL Server Big Data Cluster in an Active Directory domain.
 author: rl-msft
@@ -17,25 +17,81 @@ ms.technology: big-data-cluster
 
 This article explains how to troubleshoot deployment of a SQL Server Big Data Cluster in Active Directory mode.
 
-## Check deployment progress
+## Symptom
 
-Deployment can take several minutes. If the cluster is not ready after 15 minutes, check controller logs for more details.
+You started deploying BDC with AD mode however the deployment is stuck and not moving forward.
 
-While the cluster is deploying, check the pods.
+The following example shows the deployment results in a bash shell.
 
-```console
-kubectl get pods -n mssql-cluster
+```
+The privacy statement can be viewed at:
+https://go.microsoft.com/fwlink/?LinkId=853010
+ 
+The license terms for SQL Server Big Data Cluster can be viewed at:
+Enterprise: https://go.microsoft.com/fwlink/?linkid=2104292
+Standard: https://go.microsoft.com/fwlink/?linkid=2104294
+Developer: https://go.microsoft.com/fwlink/?linkid=2104079
+ 
+Cluster deployment documentation can be viewed at:
+https://aka.ms/bdc-deploy
+ 
+NOTE: Cluster creation can take a significant amount of time depending on
+configuration, network speed, and the number of nodes in the cluster.
+ 
+Starting cluster deployment.
+Cluster controller endpoint is available at bdc-control.contoso.com:30080, 193.168.5.14:30080.
+Waiting for control plane to be ready after 5 minutes.
+Waiting for control plane to be ready after 10 minutes.
+Waiting for control plane to be ready after 15 minutes.
+Waiting for control plane to be ready after 20 minutes.
+Waiting for control plane to be ready after 25 minutes.
 ```
 
-Verify that the list of pods returned includes:
+Check the current deployed pods.
 
-- `compute-`$
-- `data-`
-- `storage-`
+```bash
+kubectl get pods -n mssql-cluster
+```
 
-If the compute, data, and storage pods are not created, check the logs to identify why.
+The following list shows only pods that belong to the controller have been deployed. No Compute, data or storage pool pods are being created.
+
+```
+NAME              READY   STATUS    RESTARTS   AGE
+appproxy-6q4rm    2/2     Running   0          32m
+compute-0-0       3/3     Running   0          32m
+control-n8jqh     3/3     Running   0          35m
+controldb-0       2/2     Running   0          35m
+controlwd-fgpj8   1/1     Running   0          34m
+data-0-0          3/3     Running   0          32m
+data-0-1          3/3     Running   0          32m
+dns-fjp7n         2/2     Running   0          34m
+gateway-0         2/2     Running   0          32m
+logsdb-0          1/1     Running   0          34m
+logsui-d26c5      1/1     Running   0          34m
+master-0          3/4     Running   0          32m
+master-1          3/4     Running   0          32m
+master-2          3/4     Running   0          32m
+metricsdb-0       1/1     Running   0          34m
+metricsdc-c2kbh   1/1     Running   0          34m
+metricsdc-lmqzx   1/1     Running   0          34m
+metricsdc-r6499   1/1     Running   0          34m
+metricsdc-tj99w   1/1     Running   0          34m
+metricsui-dg8rz   1/1     Running   0          34m
+mgmtproxy-dvzpc   2/2     Running   0          34m
+nmnode-0-0        2/2     Running   0          32m
+nmnode-0-1        2/2     Running   0          32m
+operator-27gt9    1/1     Running   0          32m
+sparkhead-0       4/4     Running   0          31m
+sparkhead-1       4/4     Running   0          31m
+storage-0-0       4/4     Running   0          31m
+storage-0-1       4/4     Running   0          31m
+storage-0-2       4/4     Running   0          31m
+zookeeper-0       2/2     Running   0          32m
+zookeeper-1       2/2     Running   0          32m
+zookeeper-2       2/2     Running   0          32m
+```
 
-## Check logs
+### Check logs
 
 To identify why deployment quit without creating compute, data, or storage pods, check the following logs: 
 
@@ -60,9 +116,11 @@ To identify why deployment quit without creating compute, data, or storage pods,
   WARNING | Retrying.
   ```
 
-  In the example above, the deployment fails to create a login for the domain user because the domain group is scoped as domain local. Use domain global or domain universal scoped groups. [Deploy [!INCLUDE[big-data-clusters-2019](../includes/ssbigdataclusters-ss-nover.md)] in Active Directory mode](deploy-active-directory.md) explains AD group scope requirements.
+## Cause
 
-## Check the scope of domain groups.
+In the example above, the deployment fails to create a login for the domain user because the domain group is scoped as domain local. Use domain global or domain universal scoped groups. [Deploy [!INCLUDE[big-data-clusters-2019](../includes/ssbigdataclusters-ss-nover.md)] in Active Directory mode](deploy-active-directory.md) explains AD group scope requirements.
+
+## Resolution
 
 Check the scope of the domain group (<`domain-group`>). Use [get-adgroup](/powershell/module/addsadministration/get-adgroup/).
 
@@ -112,56 +170,7 @@ catch {
 $ClusterUsersGroupScope_Result
 ```
 
-## Check security-support container 
-
-Review the security-support container logs.
-
-The following command collects the security-support logs in a cluster at namespace `mssql-cluster`.
-
-```console
-azdata bdc debug copy-logs -n mssql-cluster -c security-support
-```
-
-Extract the logs and locate `\mssql-cluster\control-<identifier>\controller\control-rts5t-controller-stdout.log`.
+## Resolution
 
-Look for the following entries in the log:
-
-```
-ERROR    | Failed to create AD user account 'cntrl-controller'. Error code: 53. Message: Failed to create user object: Failed to add object 'CN=cntrl-controller,OU=bdc, DC=CONTOSO, DC=com' to '  <domain>.<top-level-domain>  ': Server is unwilling to perform. 
-ERROR | Failed to create AD user account 'ldap-user'. Error code: 53. Message: Failed to create user object: Failed to add object 'CN=ldap-user,OU=bdc, DC=CONTOSO, DC=com' to '  <domain>.<top-level-domain>  ': Server is unwilling to perform. 
-ERROR | Failed to create AD user account 'nginx-mgmtproxy'. Error code: 53. Message: Failed to create user object: Failed to add object 'CN=nginx-mgmtproxy,OU=bdc, DC=CONTOSO, DC=com' to '  <domain>.<top-level-domain>  ': Server is unwilling to perform.
-```
-
-These entries can happen when the domain controller DNS server is missing reverse DNS entry (PTR record).
-
-## Verify reverse lookup (PTR record)
-    
-Run the following PowerShell script to confirm if you have reverse DNS entry (PTR record) configured.
-
-```powershell
-#Domain Controller FQDN 'DCserver01.contoso.local'
-$Domain_controller_FQDN = 'DCserver01.contoso.local'
-
-#Performing Domain Controller DNS record, reverse PTR Checks...
-$DcControllerDnsPtr_Result = New-Object System.Collections.ArrayList
-try {
-    $Domain_controller_DNS_Record = Resolve-DnsName $Domain_controller_FQDN -Type A -Server $Domain_DNS_IP_address -ErrorAction Stop
-    foreach ($ip in $Domain_controller_DNS_Record.IPAddress) {
-        #resolving hostname by IP address to make sure we have reverse PTR record 
-        if ((Resolve-DnsName $ip).NameHost -eq $Domain_controller_FQDN) {
-            [void]$DcControllerDnsPtr_Result.add("OK - $Domain_controller_FQDN has an A record with an IP $ip, Reverse PTR record is in place") 
-        }
-        else {
-            [void]$DcControllerDnsPtr_Result.add("Missing - $Domain_controller_FQDN has an A record with an IP $ip, But no reverse PTR record was found for the host")
-        }
-    }
-}
-catch {
-    [void]$DcControllerDnsPtr_Result.add("Error - " + $_.exception.message)
-}
-
-#show the results 
-$DcControllerDnsPtr_Result
-```
+To resolve the problem, create the AD groups with either universal or global scope and run the deployment again.
 
-[Verify reverse DNS entry (PTR record) for domain controller](deploy-active-directory.md#verify-reverse-dns-entry-for-domain-controller).
diff --git a/docs/big-data-cluster/troubleshoot-ad-reverse-lookup-zone.md b/docs/big-data-cluster/troubleshoot-ad-reverse-lookup-zone.md
@@ -0,0 +1,144 @@
+---
+title: AD mode deployment stopped - missing reverse lookup zone entry for DC
+titleSuffix: SQL Server Big Data Cluster
+description: Deployment of BDC with AD mode stuck due to missing reverse lookup zone entry for the domain controller in the domain controller DNS server.
+author: MikeRayMSFT
+ms.author: mikeray
+ms.reviewer: mikeray
+ms.date: 04/21/2020
+ms.topic: how-to
+ms.prod: sql
+ms.technology: big-data-cluster
+---
+
+# AD mode deployment stopped - missing reverse lookup zone entry for DC
+
+Deployment in Active Directory (AD) mode freezes. Check symptoms to see if cause is the domain controller DNS server is missing reverse lookup zone entry. 
+
+## Symptom
+
+You started deploying BDC with AD mode however the deployment is stuck and not moving forward.
+
+The following example shows the deployment results in a bash shell.
+
+```
+The privacy statement can be viewed at:
+https://go.microsoft.com/fwlink/?LinkId=853010
+ 
+The license terms for SQL Server Big Data Cluster can be viewed at:
+Enterprise: https://go.microsoft.com/fwlink/?linkid=2104292
+Standard: https://go.microsoft.com/fwlink/?linkid=2104294
+Developer: https://go.microsoft.com/fwlink/?linkid=2104079
+ 
+Cluster deployment documentation can be viewed at:
+https://aka.ms/bdc-deploy
+ 
+NOTE: Cluster creation can take a significant amount of time depending on
+configuration, network speed, and the number of nodes in the cluster.
+ 
+Starting cluster deployment.
+Cluster controller endpoint is available at bdc-control.contoso.com:30080, 193.168.5.14:30080.
+Waiting for control plane to be ready after 5 minutes.
+Waiting for control plane to be ready after 10 minutes.
+Waiting for control plane to be ready after 15 minutes.
+Waiting for control plane to be ready after 20 minutes.
+Waiting for control plane to be ready after 25 minutes.
+```
+
+Check the current deployed pods.
+
+```bash
+kubectl get pods -n mssql-cluster
+```
+
+The results below indicate that only pods belonging to the controller have been deployed. The pods for compute, data, or storage are not being created.
+
+```
+NAME              READY   STATUS    RESTARTS   AGE
+control-rts5t     3/3     Running   0          18m
+controldb-0       2/2     Running   0          18m
+controlwd-csgst   1/1     Running   0          16m
+dns-7kfnz         2/2     Running   0          16m
+logsdb-0          1/1     Running   0          16m
+logsui-2pc29      1/1     Running   0          16m
+metricsdb-0       1/1     Running   0          16m
+metricsdc-4rtm4   1/1     Running   0          16m
+metricsdc-6lr2t   1/1     Running   0          16m
+metricsdc-ftx9m   1/1     Running   0          16m
+metricsdc-h59jb   1/1     Running   0          16m
+metricsui-lvdpt   1/1     Running   0          16m
+mgmtproxy-mkmxp   2/2     Running   0          16m
+```
+
+Inspect the security support container logs. Look for LDAP errors. 
+
+## Check security-support container 
+
+Review the security-support container logs.
+
+The following command collects the security-support logs in a cluster at namespace `mssql-cluster`.
+
+```bash
+azdata bdc debug copy-logs -n mssql-cluster -c security-support
+```
+
+Extract the logs and locate `\mssql-cluster\control-<identifier>\controller\control-rts5t-controller-stdout.log`.
+
+> [!TIP]
+> There are multiple ways to collect the logs. Instead of copying the logs with `azdata`, you can use a notebook in Azure Data Studio.
+> In Azure Data Studio, connect to the Kubernetes cluster, and run an appropriate troubleshooting notebook. The following are examples of notebooks.
+>
+> - TSG027 - Observe cluster deployment
+> - TSG061 - Get tail of all container logs for pods in BDC namespace
+> - TSG001 - Run `azdata` copy-logs
+>
+
+## Inspect the logs
+
+Locate the log. The following example points to a controller deployment log. 
+
+`<folderOfDebugCopyLog>\debuglogs-mssql-cluster-YYYYMMDD-HHMMSS\<namespace>\control-<identifier>\controller\control-<identifier>-controller-stdout.log`"
+
+```
+YYYY-MM-DD HH:MM:SS.ms | ERROR | Failed to create AD user account 'cntrl-controller'. Error code: 53. Message: Failed to create user object: Failed to add object 'CN=cntrl-controller,OU=bdc, DC=CONTOSO, DC=com' to 'CONTOSO.COM': Server is unwilling to perform. 
+YYYY-MM-DD HH:MM:SS.ms | ERROR | Failed to create AD user account 'ldap-user'. Error code: 53. Message: Failed to create user object: Failed to add object 'CN=ldap-user,OU=bdc, DC=CONTOSO, DC=com' to 'CONTOSO.COM': Server is unwilling to perform. 
+YYYY-MM-DD HH:MM:SS.ms | ERROR | Failed to create AD user account 'nginx-mgmtproxy'. Error code: 53. Message: Failed to create user object: Failed to add object 'CN=nginx-mgmtproxy,OU=bdc, DC=CONTOSO, DC=com' to 'CONTOSO.COM': Server is unwilling to perform. 
+```
+
+## Cause
+
+The reverse lookup zone entry for the domain controller in the domain controller DNS entry is missing. 
+
+## Resolution
+
+Run the following PowerShell script to confirm if you have reverse DNS entry (PTR record) configured.
+
+```powershell
+#Domain Controller FQDN 'DCserver01.contoso.local'
+$Domain_controller_FQDN = 'DCserver01.contoso.local'
+
+#Performing Domain Controller DNS record, reverse PTR Checks...
+$DcControllerDnsPtr_Result = New-Object System.Collections.ArrayList
+try {
+    $Domain_controller_DNS_Record = Resolve-DnsName $Domain_controller_FQDN -Type A -Server $Domain_DNS_IP_address -ErrorAction Stop
+    foreach ($ip in $Domain_controller_DNS_Record.IPAddress) {
+        #resolving hostname by IP address to make sure we have reverse PTR record 
+        if ((Resolve-DnsName $ip).NameHost -eq $Domain_controller_FQDN) {
+            [void]$DcControllerDnsPtr_Result.add("OK - $Domain_controller_FQDN has an A record with an IP $ip, Reverse PTR record is in place") 
+        }
+        else {
+            [void]$DcControllerDnsPtr_Result.add("Missing - $Domain_controller_FQDN has an A record with an IP $ip, But no reverse PTR record was found for the host")
+        }
+    }
+}
+catch {
+    [void]$DcControllerDnsPtr_Result.add("Error - " + $_.exception.message)
+}
+
+#show the results 
+$DcControllerDnsPtr_Result
+```
+
+## Next steps
+
+[Verify reverse DNS entry (PTR record) for domain controller](deploy-active-directory.md#verify-reverse-dns-entry-for-domain-controller).
diff --git a/docs/toc.yml b/docs/toc.yml
@@ -221,8 +221,10 @@
       items:
       - name: Troubleshoot Kubernetes
         href: big-data-cluster/cluster-troubleshooting-commands.md
-      - name: Active directory integration
+      - name: Active directory domain group scope
         href: big-data-cluster/troubleshoot-active-directory.md
+      - name: Active directory DNS
+        href: big-data-cluster/troubleshoot-ad-reverse-lookup-zone.md
       - name: HDFS admin rights
         href: big-data-cluster/troubleshoot-hdfs-restore-admin.md
   - name: Reference
