This post is more than 5 years old
6 Posts
1
3653
Isilon in multiple subnet/Multiple AD domains
Hello,
I am looking to implement an Isilon cluster. Currently there are 3 clustered windows file servers and I am migrating to Isilon. The clusters are on two subnets a 10. and 172. and two AD domains the domains are trusted. I am wondering if I need to create access zones and divide up the cluster that way or if I can just list the multiple AD servers since they are trusted...
Any help is greatly appreciated
osaddict
110 Posts
2
July 24th, 2013 10:00
If there is trust between the AD domains, then you only need to join one. No need to use Access Zones in that case.
However, Access Zone can be used here if you have share name overlap. Example: there is "home" share on both servers and you want to be able to redirect the users by changing DNS, but not have to reconfigure the clients or login scripts run on the clients. In the long run, in most cases, it's best to change the client configs and use different share names. It keeps things simpler.
Access Zones are used in share name overlap case, but it's most commonly used with you multiple AD domains with no trust relationships. Often in an acquisition scenario where trust have not been created.
DC9707
6 Posts
1
July 24th, 2013 10:00
Thank you so much. That is what I thought…
In this case when I configure the cluster with the ext IP range which subnet do I put it on? The 10 or the 172? Or can I do both?
AndrewChung
132 Posts
1
July 24th, 2013 11:00
Yes, you can change share names without any problems. I would recommend scripting it form the CLI and using some sort of prefix so it is easier to revert back at a later time.
osaddict
110 Posts
0
July 24th, 2013 11:00
It would be best to put the cluster on the same subnet as the one the AD server/domain is on that you are planning on joining. All queries related to entries in the other AD server/domain should be handled by the AD server/domain you join.
Example:
Join AD1
Isilon cluster needs to query a user is AD2
Query goes from Isilon to AD1 and AD1 then queries AD2 for information.
Hope that helps and isn't confusing.
DC9707
6 Posts
0
July 24th, 2013 11:00
Perfect
Thank you
DC9707
6 Posts
0
July 24th, 2013 11:00
Do you know if share names can be changed after creation?
I need to set up the cluster, and migrate the data which of course requires different names, but then they need to be changed back to the original names once all the data is migrated and the cluster is put into production.
christopher_ime
2K Posts
0
July 26th, 2013 16:00
Just to add to the information here, in addition to overlapping share names another use case for access zones might be to limit what the users see/access when specifying SmartConnect (SC) zone names. When just the SYSTEM access zone exists, as you know already, if I specify:
\\SCzone1\
\\SCzone2\
\\SCzone3\
and just to emphasis a point:
\\"replication"SCzone\
You would see every share that you created regardless of the SC zone name used above:
share1
share2
share3
share4
Let's say I want instead for just a specific share to be viewable/accessible via a specific SC zone name, then you can do so with access zones to accomplish something similar to the following:
\\SCzone1\
share1
\\SCzone2\
share2
\\SCzone3\
share3
share4
and can also take it further to accomplish the following:
\\"replication"SCzone\
MESSAGE was edited: Wanted to add clarity to which zone I was referring to throughout (access zone or SmartConnect zone name as specified in (network) pool). Realized in certain places just using "zone" could be confusing.
shaisilon
9 Posts
0
December 8th, 2013 13:00
Hi Christopher.
In your use case example (controlling access to shares based on IP pool) you would actually have a single AD authentication provider and link all Access Zones to it, right? Is there an issue with such a single AUTH-PROV to multiple AZ design?
You could also accomplish this using a single Access Zone and have SMB host-based ACLs + Access Based Enumeration.
What are the pros and cons of each of these design?
Rdamal
165 Posts
0
December 28th, 2013 23:00
Hi
We have 8 AD in out environment and i have to join Isilon cluster 7.0.2.4 to AD where trust relationship is already established. So if i join any one among those 8 to cluster that should be fine for the authentication. My question is, will there be an issue with AD getting overloaded ?
Thank you
Damal