June 12th, 2015 13:00

Does the Isilon platform support automated failover for domain controllers?

We have multiple domain controllers in our domain and want to know if the Isilon uses SITE records in the DNS to locate the closest one. Also, does it support automated failover to another available DC if one is down?

130 Posts

June 15th, 2015 08:00

Hello pauls201,

Thank you for your question! The information you are looking for in regards to SITEs in DNS can be found in this KB: https://support.emc.com/kb/89585

The Windows Active Directory Sites and Services MMC snap-in enables you to confine network traffic, including authentication, within a local zone, allowing each site to work faster and more efficiently. AD sites differ from domains in that sites represent the physical structure of your network, whereas domains represent the logical structure of your organization. For more information about AD sites, see "Sites overview" on MSDN at http://msdn.microsoft.com/en-us/library/cc782048(v=ws.10).aspx.

In Windows environments, clients connect to Isilon storage clusters using SMB/CIFS, while primary authentication occurs via Microsoft Active Directory. In Windows 2000, Microsoft added the option to specify 'sites' in an Active Directory environment. You can specify sites in AD by adding a domain controller (DC) to a site, along with the TCP/IP subnet that belongs to the site in question. When a client authenticates, it is told which site it is a member of, and uses the appropriate local domain controllers for processing. For more information about creating Sites and Services, see "Active Directory Sites and Services" on Microsoft TechNet at http://technet.microsoft.com/en-us/library/dd277428.aspx.

This does not stop the Isilon cluster from accessing domain controllers outside of the locally designated zone, however. When the Isilon cluster lsassd process is first started, it obtains via DNS a list of all DCs associated with the domain that it is a member of, and attempts to contact one of those DCs. If the first DC to respond is outside the local subnet, the cluster then attempts to authenticate through that DC. Once the base authentication is completed, the cluster uses a different DC listed in the site in which the cluster belongs. The cluster also periodically queries other DCs to ensure that a failover DC is available, should access be lost.

NOTE
Active Directory Sites and Services does not stop the cluster from attempting to communicate with domain controllers from trusted domains that are not local to the cluster. In OneFS 6.5 and later, you can obtain a list of trusted domains via either the Isilon web administration interface or the command line interface (CLI) using the isi auth ads status command.

In regards to DC failover, this is an automated best-effort process that can take up to a 5 minute check interval in earlier versions of OneFS. This periodic check will allow for seamless authentication should a domain controller become unresponsive.
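The DC location and failover behaviour described in the reply above, reduced to a runnable model. This is an added example written for this thread, not OneFS or lsassd code: the domain corp.example, the site name Chicago, the DC hostnames and the SRV records are constructed, and the within-priority ordering sorts by weight instead of the weighted random pick RFC 2782 specifies. It also models the "failover without failback" case that comes up in the thread, so both behaviours can be compared.

```python
"""Model of AD domain controller location via DNS SRV records, with the
periodic health check that drives failover (and, optionally, failback).
Constructed example; not Isilon/OneFS code."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    """One DNS SRV record (RFC 2782 fields)."""
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone data for a hypothetical domain "corp.example" with an
# AD site named "Chicago". Real AD publishes these names under _msdcs.
ZONE: Dict[str, List[SrvRecord]] = {
    # site-specific DC locator records: only the DCs covering this site
    "_ldap._tcp.Chicago._sites.dc._msdcs.corp.example": [
        SrvRecord(0, 100, 389, "dc1.corp.example"),
        SrvRecord(0, 50, 389, "dc2.corp.example"),
    ],
    # domain-wide records: every DC in the domain, regardless of site
    "_ldap._tcp.dc._msdcs.corp.example": [
        SrvRecord(0, 100, 389, "dc1.corp.example"),
        SrvRecord(0, 100, 389, "dc2.corp.example"),
        SrvRecord(0, 100, 389, "dc3.corp.example"),
        SrvRecord(0, 100, 389, "dc4.corp.example"),
    ],
}


def srv_lookup(zone: Dict[str, List[SrvRecord]], name: str) -> List[SrvRecord]:
    """Stand-in for a DNS SRV query, answered from the constructed zone."""
    return list(zone.get(name, []))


def order_records(records: List[SrvRecord]) -> List[SrvRecord]:
    """Lowest priority first; within a priority, highest weight first.
    Simplification: RFC 2782 uses a weighted random pick within a priority."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def candidate_dcs(zone: Dict[str, List[SrvRecord]], domain: str,
                  site: Optional[str] = None) -> List[str]:
    """Ordered DC preference list: site-local DCs first, then the domain-wide
    list. Duplicates are dropped so a site DC keeps its front position."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    ordered: List[str] = []
    for name in names:
        for rec in order_records(srv_lookup(zone, name)):
            if rec.target not in ordered:
                ordered.append(rec.target)
    return ordered


class DcSession:
    """Tracks the DC in use and applies one periodic health check at a time."""

    def __init__(self, candidates: List[str], failback: bool):
        self.candidates = candidates
        self.failback = failback
        self.current: Optional[str] = None

    def check(self, reachable: Callable[[str], bool]) -> Optional[str]:
        """One check interval: fail over if the current DC is down; with
        failback enabled, also return to the most-preferred reachable DC.
        Returns None when no DC is reachable at all."""
        if self.current is None or not reachable(self.current) or self.failback:
            self.current = next((dc for dc in self.candidates if reachable(dc)), None)
        return self.current


if __name__ == "__main__":
    cands = candidate_dcs(ZONE, "corp.example", site="Chicago")
    print("preference order:", cands)
    session = DcSession(cands, failback=False)
    print("initial:", session.check(lambda dc: True))
    # dc1 rebooting for Windows Update: the check fails over to dc2
    print("dc1 down:", session.check(lambda dc: dc != "dc1.corp.example"))
    # dc1 back, but without failback the session stays on dc2
    print("dc1 back:", session.check(lambda dc: True))
```

The `reachable` callback is where a real implementation would perform the LDAP bind or ping that the thread's "periodic check" refers to; here it is a lambda so the check interval can be stepped by hand. Running the block shows the observation from the second reply: a session created with `failback=False` stays on the failover DC after the site-local DC returns, whereas `failback=True` moves back on the next check.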

300 Posts

June 16th, 2015 00:00

What the KB does not state, but what my experiences are with DC failover:

It does fail over. But it does not fail back to the “on-site” DC when it becomes available again.

Keep in mind that you have the “failover” also when you are just rebooting the DC (Windows Update).

May depend on your OneFS Version

Regards

--sluetze
