
February 17th, 2015 09:00

Access Zones config

Hello

We are planning to implement multitenancy on an Isilon cluster. Currently we have a single zone (System zone) with 3 pools.

We are planning to configure multitenancy with 4 internal customers; these customers will have 4 AD servers (dedicated to each customer).

I have gone through the KB article (Article Number: 000016464, Version: 5).

As per the KB:

Modify the System zone to remove All Auth Providers:

isi zone zones modify System --all-auth-providers=No

Modify the System zone to remove All SMB Shares:

isi zone zones modify System --all-smb-shares=No

This will remove the System zone access; that user access will be lost.

Question:

1) I want to keep Customer 1 in the System zone with its shares intact.

2) Without removing the System access zone, can we create the remaining 3 access zones? Is that possible?

110 Posts

February 17th, 2015 14:00

This is very much possible. Part of the reason access zones were created was exactly this use case: different ADs that have no trust between them.

You can have 5 zones per authentication type (AD/LDAP/NIS). The Isilon OneFS 7.2 Technical Specifications Guide has lots of details around this kind of thing and can be found on the support.emc.com site by searching for the document name.

1) I want to keep Customer 1 in the System zone with its shares intact.

That is fine, but then you don't want to remove the auth providers and shares on the System zone.

2) Without removing the System access zone, can we create the remaining 3 access zones? Is that possible?

Yes. You can have up to 5 zones using AD as the authentication provider. They can be trusted or not trusted.

1 Rookie • 20.4K Posts

February 17th, 2015 09:00

I am trying to remember if Isilon supports Active Directory where domains are not part of the same forest.

5 Practitioner • 274.2K Posts

February 17th, 2015 13:00

If I understand your question (and I am relatively new to Isilon):

You can create a number (max 20, recommended 5) of Access Zones that each point to different providers. I understand that each provider can be a different AD (as long as they are not trusting each other, when you would let trusts control access). I haven't done this, but it is what I believe to be the case.

I have a 7.2 setup with System Zone -> Customer.com and have only the ifs share in it (I know you don't quite want to do that, but I know it can contain shares). The documentation I have read says that the System Zone can 'see' all ADs.

I have a second Access Zone created (although with the same AD, Customer.com). I use SmartConnect Zones to control pointing the users to the relevant Access Zone. If there are multiple separate ADs, I suspect you need a different SSIP for each, so you probably need a subnet defined for each tenant.

With 7.2 you specify the base directory of each Access Zone, and when you create SMB shares you specify the Access Zone for that share. Slightly (I believe) a nicer way of working with shares and Access Zones.

I hope this is all correct and is what you are asking?

110 Posts

February 17th, 2015 14:00

To answer your question, what is not currently supported is if these are completely separate DNS environments. In other words, today, there is no way to set a DNS server per access zone. So, you may need to create some records on your main DNS server so the cluster can find all the different AD providers. There are plans to address this in the future.

1 Rookie • 20.4K Posts

February 17th, 2015 14:00

There was a discussion relatively recently where someone wanted to join Isilon to a completely separate AD that was not in the same forest, used separate DNS servers, etc. And the answer was that it was not supported. Can someone from Isilon confirm or clarify what is and is not supported?

110 Posts

February 17th, 2015 14:00

Not quite. I'm suggesting that you have one DNS server that you point the cluster to, with forward records to each of the AD domain controllers. This DNS server you would not let any customer have access to. Until a DNS server per zone can be set, this is the only option.

1 Rookie • 20.4K Posts

February 17th, 2015 14:00

If I am in a multi-tenant scenario, who is going to let one customer configure DNS records that point to another customer? Is that what you are suggesting?

1 Rookie • 20.4K Posts

February 17th, 2015 15:00

OK, so as a reseller I will need to maintain my own DNS infrastructure and create some sort of forwarding to each individual tenant's AD?

February 18th, 2015 03:00

Hi Osaddict

Thanks for your replies.

We are planning to use different DNS servers for each customer. In this case, how can we achieve this?

254 Posts

February 18th, 2015 11:00

SmartConnect will work as it is based on the client's DNS server. So as long as the proper entries are there in the DNS server used by the client, everything is fine. The cluster's role in SmartConnect is simply to reply to the DNS servers who request addresses. One service IP per cluster is fine as long as the DNS servers can all reach it. One per subnet is also reasonable to avoid router hops.

The issue is making sure that the cluster can access the DNS tables for each of the domains being used, specifically so that it can resolve the domain controllers for each domain.  Otherwise, it won't be able to join the domains.
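The tenant-side half of the setup described in the post above, as an added example that is not part of the thread and not Isilon documentation: each customer's own DNS server delegates the SmartConnect zone name to the cluster's SmartConnect service IP, and the tenant's DNS is then queried to confirm the cluster answers. The domain name customer1.local, the zone label "isilon", and the SSIP 10.10.1.5 are hypothetical values; the cmdlets are from the Windows DnsServer module (RSAT DNS tools).

```powershell
# Added example (not from the thread or Isilon documentation).
# Tenant-side DNS for one customer: delegate the SmartConnect zone to the SSIP, then verify.
# Hypothetical values: tenant domain customer1.local, SmartConnect zone label "isilon",
# SSIP 10.10.1.5 on the tenant's subnet. Run against the customer1.local DNS server.

$TenantDomain = 'customer1.local'
$ScZoneLabel  = 'isilon'                  # clients will connect to isilon.customer1.local
$Ssip         = '10.10.1.5'
$ScNsName     = "ssip.$TenantDomain"      # NS host name for the delegation, glued to the SSIP
$ScFqdn       = "$ScZoneLabel.$TenantDomain"

# 1. Delegate isilon.customer1.local to a name server at the SSIP. -IPAddress creates the
#    glue A record for ssip.customer1.local; SmartConnect answers queries for the zone apex.
Add-DnsServerZoneDelegation -Name $TenantDomain -ChildZoneName $ScZoneLabel `
    -NameServer $ScNsName -IPAddress $Ssip -PassThru

# 2. Verify from the client's point of view: the tenant DNS should recurse to the SSIP and
#    return one of the pool IPs for the SmartConnect name.
try {
    $a = Resolve-DnsName -Name $ScFqdn -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
    if ($a) {
        "OK  $ScFqdn -> $($a.IPAddress -join ', ')"
    } else {
        Write-Warning "No A record returned for $ScFqdn; check the delegation and that the SSIP is reachable"
    }
} catch {
    Write-Warning "Query for $ScFqdn failed: $($_.Exception.Message)"
}
```

This only touches the tenant's DNS and only references the tenant's own SSIP, so no customer needs records that point at another customer. Each tenant repeats the same delegation against the SSIP on its own subnet.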

254 Posts

February 18th, 2015 11:00

Today, the cluster supports exactly one set of DNS servers. In order to support multiples you will need to do some kind of forwarding from the other DNS servers to the DNS servers the cluster uses. This is particularly important for finding the domain controllers. The DNS server used by the cluster needs to be able to answer the DC query for all of the domains used by the access zones. Windows DNS servers can do this if you set it up to forward domains from one server to the one the Isilon uses.

Yes, this is a known issue and if you need more details on how and when this will change reach out to your Isilon SE who can talk to you under an NDA as to product roadmaps.
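The provider-side half, covering the forwarding setup described in this post and in the earlier "one DNS server that you point the cluster to" reply, as an added example that is not part of the thread and not Isilon documentation: on the single DNS server the cluster uses, add a conditional forwarder per tenant AD domain, then check that the DC locator SRV records for every domain resolve through that server before the cluster is joined to it. The server address 10.0.0.53, the tenant domain names and the tenant DNS IPs are hypothetical values; the cmdlets are from the Windows DnsServer module.

```powershell
# Added example (not from the thread or Isilon documentation).
# Provider-side DNS: the one server the cluster points at forwards each tenant's AD domain
# to that tenant's own DNS, and we verify the records the cluster needs to locate DCs.
# Hypothetical values: cluster-facing DNS 10.0.0.53 (tenants cannot administer it), and
# tenant domains with the IPs of each tenant's own DNS servers.

$ClusterDns    = '10.0.0.53'
$TenantDomains = @{
    'customer1.local' = @('10.10.1.10')
    'customer2.local' = @('10.20.1.10', '10.20.1.11')
    'customer3.local' = @('10.30.1.10')
    'customer4.local' = @('10.40.1.10')
}

# 1. One conditional forwarder per tenant domain (covers its subdomains too). Idempotent:
#    skip domains for which a zone or forwarder already exists on the server.
foreach ($domain in $TenantDomains.Keys) {
    $existing = Get-DnsServerZone -Name $domain -ComputerName $ClusterDns -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerConditionalForwarderZone -Name $domain -MasterServers $TenantDomains[$domain] `
            -ComputerName $ClusterDns -PassThru
    }
}

# 2. Verification: the DC locator and KDC locator SRV records for every tenant domain must be
#    answerable by the cluster's DNS server, otherwise the domain join will not find a DC.
$Locators = @('_ldap._tcp.dc._msdcs', '_kerberos._tcp.dc._msdcs')
$Failures = @()
foreach ($domain in $TenantDomains.Keys) {
    foreach ($prefix in $Locators) {
        $name = "$prefix.$domain"
        try {
            $srv = Resolve-DnsName -Name $name -Type SRV -Server $ClusterDns -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            if (-not $srv) { throw 'answer contained no SRV records' }
            "OK   $name -> $($srv.NameTarget -join ', ')"
        } catch {
            $Failures += $name
            Write-Warning "FAIL $name via $ClusterDns : $($_.Exception.Message)"
        }
    }
}
if ($Failures) {
    Write-Warning "Fix forwarding for: $($Failures -join ', ') before joining the cluster to those domains"
}
```

The forwarders only work if the cluster-facing DNS server itself can reach each tenant's DNS IPs over the network; the cluster never talks to the tenant DNS servers directly, and the tenants never need records that point at one another.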

February 18th, 2015 11:00

If we are able to set up the DNS forwarder, then it will work with the SmartConnect zone? We want to keep them intact.
