November 7th, 2016 06:00

Joining to multiple trusted AD-domains

IHAC who is hoping to design a multi-AD-domain configuration with a single DNS domain setup on an Isilon cluster.
[Image: Isilon_Config_20161107.jpg]
"Dom_1" ...Isilon is joined to this domain. DNS is configured for this domain on Isilon.
"Dom_2" ...Isilon is joined to this domain. Trusted domain with Dom_1. This domain's SRV record can be queried from Dom_1 DNS.
"Dom_3" ...Isilon is not joined to this domain. Trusted domain with Dom_2 (no trust relationship with Dom_1). Users from this domain are expected to access the Isilon.


I personally believe this has been common practice for realizing a multi-domain configuration up to OneFS 7.x. However, I'm looking for any available KB or documentation that explains the technical feasibility of an Isilon design like this.


It'd be highly appreciated if someone could suggest any related information.


Thanks&Regards,

yu tezuka


252 Posts

November 7th, 2016 07:00

Hi tezuky,

You are correct that it is a fairly common setup to have a trusted domain to which the cluster is not directly connected. Here is some information to get you started:


How to Setup Multidomain Isilon Clusters: https://support.emc.com/kb/305558

Ports for Domain Communication: https://technet.microsoft.com/en-us/library/8daead2d-35c1-4b58-b123-d32a26b1f1dd


How to include trusted Active Directory domains in user identity mapping for Isilon Clusters: https://support.emc.com/kb/333923


How to configure OneFS and Active Directory for RFC2307 compliance: https://support.emc.com/kb/335338

As another resource, DELL EMC does have network architects available to assist with design and implementation. That would be set up through the account team.

24 Posts

November 23rd, 2016 21:00

Thank you sjones, sorry for my late reply. What we’ve actually seen in the customer’s environment these days is that all SMB access from Dom_3 users was failing with an unknown error during user/password authentication.

[Image: Isilon_Config_20161124.jpg]

As far as we could identify from our testing, it appears the DNS server defined on the Isilon (Dom_1 in this case) should be configured to resolve the DNS domain of the SMB clients (Dom_3 here) connecting to the Isilon; otherwise the access is not successful.

The solution in our case was adding conditional forwarding from Dom_1 to Dom_3, or using multiple groupnets with OneFS 8.x and specifying Dom_2 as an additional DNS so that Dom_3 DNS is resolved from the Isilon.

The customer is hoping to know whether this is due to Isilon-specific behavior or standard Windows file share rules.

Any comment is greatly appreciated if someone has relevant info or hints.


Thanks&Regards,
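
An added example, not part of any post in this thread and not Dell EMC code: a POSIX shell check, run from any host with `dig`, that the DNS server the cluster uses can locate domain controllers for every AD domain whose users must authenticate, which is the condition the last post found missing for Dom_3. The function names, the server address and the domain FQDNs in the usage comment are placeholders; treating the standard AD DC-locator SRV records as the test for "can resolve the domain" is an assumption of this example.

```shell
#!/bin/sh
# Added example: functions only, nothing is queried until check_all is called.

# srv_targets SERVER NAME: print "host port" per SRV answer; status 1 if none.
srv_targets() {
  # dig +short SRV lines look like: "0 100 389 dc1.dom3.example."
  st_out=$(dig +short +time=2 +tries=1 "@$1" "$2" SRV 2>/dev/null |
    awk 'NF == 4 && $3 ~ /^[0-9]+$/ { sub(/\.$/, "", $4); print $4, $3 }')
  [ -n "$st_out" ] || return 1
  printf '%s\n' "$st_out"
}

# check_domain SERVER DOMAIN: status 0 only if the LDAP and Kerberos SRV records
# resolve and at least one LDAP target has an IPv4 address record on SERVER.
check_domain() {
  c_server=$1 c_domain=$2 c_ok=1
  c_ldap=$(srv_targets "$c_server" "_ldap._tcp.dc._msdcs.$c_domain") || {
    echo "FAIL $c_domain: no DC locator SRV record via $c_server"; return 1; }
  srv_targets "$c_server" "_kerberos._tcp.$c_domain" >/dev/null || {
    echo "FAIL $c_domain: no Kerberos SRV record via $c_server"; return 1; }
  while read -r c_host c_port; do
    c_addr=$(dig +short +time=2 +tries=1 "@$c_server" "$c_host" A 2>/dev/null |
      grep -E '^[0-9.]+$' | head -n 1)
    if [ -n "$c_addr" ]; then
      echo "OK   $c_domain: $c_host:$c_port -> $c_addr"; c_ok=0
    fi
  done <<EOF
$c_ldap
EOF
  [ "$c_ok" -eq 0 ] || echo "FAIL $c_domain: SRV targets have no A record via $c_server"
  return "$c_ok"
}

# check_all SERVER DOMAIN...: one result line per domain; status = failure count.
check_all() {
  ca_server=$1; shift; ca_failed=0
  for ca_d in "$@"; do
    check_domain "$ca_server" "$ca_d" || ca_failed=$((ca_failed + 1))
  done
  return "$ca_failed"
}

# Usage (placeholder server and FQDNs standing in for Dom_1..Dom_3):
#   check_all 192.0.2.10 dom1.example dom2.example dom3.example
```

A FAIL line for the untrusted-but-reachable domain before a conditional forwarder or additional DNS server is added, and an OK line afterwards, confirms the DNS change took effect on the server the cluster queries.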
