DHoffman2
2 Iron

Multiple Domains and security

We have 3 domains, DEV, QA and PROD

The Celerra's joined these domains (with VDM's) and have no issues with security (A/D, NTFS) and we plan to migrate to Isilon.

Enter the Isilon

We create 3 access zones DEV, QA and PROD.

In PROD we created our Delegated DNS and SSIP and and joined to domain.

DEV we created our Delegated DNS entry and pointed it to the PROD SSIP.  Same with QA.  (This was the EMC suggestion).

Joined both DEV and QA access zones to the appropriate domain.

Now enter setting security on shares for each of those domains.

We get a message indicating the adding DEV/Domain Users cannot be completed because a Domain controller cannot be contacted.

When we attempt to robocopy and to set security during a robocopy we look at properties and see unknown SIDS from DEV and QA.

Any ideas?

Tags (1)
0 Kudos
6 Replies
christopher_ime
4 Beryllium

Re: Multiple Domains and security

DHoffmann,

May I ask first if you have the following requirements for your domains?

1) QA via DNSserver1

2) PROD via DNSserver2

3) DEV via DNSserver3

As you know, on the Celerra/VNX you are able to configure it as stated above.  You can have a unique DNS server for each domain.  Review the output of the following command on your Celerra:

server_dns <data mover>

The question I have for you is, in the list of DNS servers that you specified in the Isilon, can they *each* independently resolve all of the DNS domains (as specified in the DNS Search List)?

isi networks

Review the following fields:

Domain Name Server

DNS Search List

I hope this makes sense

0 Kudos
Highlighted
soetingr
1 Nickel

Re: Multiple Domains and security

Sorry to day, currently Isilon dns config is global. And only supports 3 entries.

Release 7.1 (Q4 2013) would support separate dns per accesszone.

0 Kudos
DHoffman2
2 Iron

Re: Multiple Domains and security

Which is a big issue if you have multiple domains, each with their own set of DNS servers and trying to accommodate any redundency (multiple DNS servers in each domain).

We dont have time till Q4, and that is assuming they make that target date.

0 Kudos
christopher_ime
4 Beryllium

Re: Multiple Domains and security

So DHoffman, from your reply can I assume then that your scenario is the former of the two scenarios I mentioned?  In other words, each of the DNS servers can only resolve one of the three domains?  Or is it the latter, can each of the DNS servers independently resolve each of the three domains?

If it is the former than what is likely happening is that if the domain is the last one in the list of three DNS servers it times out.  What I do know was asked of one client to resolve this is that you may want to consider at the DNS server level configuring the cluster for one DNS domain and using forwarders to the others.

0 Kudos
christopher_ime
4 Beryllium

Re: Multiple Domains and security

Yes soetinger, that is correct.  I have made a recommendation that I know worked for another client.

0 Kudos
DHoffman2
2 Iron

Re: Multiple Domains and security

Right now, we have two different issues, both of which EMC/Isilon is currently reviewing.

In the initial config (BTW we are not in production, still setting up) we have 3 PROD DNS server addresses and no DNS search order.

All 3 domains, DEV, QA, PROD could resolve and we were able to make 3 access zones and join each to their appropriate domain.  When security attempted to run robocopy to copy security settings, after reviwing the target folder we'd see numeric SID's and not friendly names.  When our security team tried to set security on the DEV folder

\ifs\nas\dev

he would get an access denied.  When either he or I attempted to add any DEV domain user, we would get a message to the effect of "A domain controller could not be found".

EMC/Isilon suggested taking us from 7.0.1.3 to 7.0.1.6.

After that upgrade all DEV and QA shares were not accessible.  Only shares that were in the System Zone.

A sister array still at 7.0,1.3 shares were still accessible although exhibit the same issues with the primary array, SIDS are not resolving in the DEV/QA domains.  EMC/Isilon did a webex for a few hours yesteday, and are looking into this.  They are currently stumped.

We have the following configuration.(in a nutshell, all resolution is being forwarded to the prodssip Delegation Record.

prodcifs --> prodssip.domain.com

prodssip.domain.com --> A record

qacifs --> qassip.domain.com

qassip.domaind.com --> prodssip.domain.com

devcifs --> devssip.domain.com

devssip.domain.com --> prodssip.domain.com

Once we get this figured out (assuming we do) I will post what was uncovered.

0 Kudos