May 30th, 2013 06:00

Multiple Domains and security

We have 3 domains, DEV, QA and PROD

The Celerras joined these domains (with VDMs) and have no issues with security (A/D, NTFS), and we plan to migrate to Isilon.

Enter the Isilon

We create 3 access zones DEV, QA and PROD.

In PROD we created our Delegated DNS and SSIP and joined to the domain.

DEV we created our Delegated DNS entry and pointed it to the PROD SSIP.  Same with QA.  (This was the EMC suggestion).

Joined both DEV and QA access zones to the appropriate domain.

Now enter setting security on shares for each of those domains.

We get a message indicating that adding DEV/Domain Users cannot be completed because a domain controller cannot be contacted.

When we attempt to robocopy and set security during the robocopy, we look at the properties and see unknown SIDs from DEV and QA.

Any ideas?

June 1st, 2013 14:00

DHoffmann,

May I ask first if you have the following requirements for your domains?

1) QA via DNSserver1

2) PROD via DNSserver2

3) DEV via DNSserver3

As you know, on the Celerra/VNX you are able to configure it as stated above.  You can have a unique DNS server for each domain.  Review the output of the following command on your Celerra:

server_dns

The question I have for you is, in the list of DNS servers that you specified in the Isilon, can they *each* independently resolve all of the DNS domains (as specified in the DNS Search List)?

isi networks

Review the following fields:

Domain Name Server

DNS Search List

I hope this makes sense


June 3rd, 2013 11:00

Sorry to say, currently the Isilon DNS config is global, and it only supports 3 entries.

Release 7.1 (Q4 2013) would support separate dns per accesszone.


June 3rd, 2013 12:00

Which is a big issue if you have multiple domains, each with their own set of DNS servers, and are trying to accommodate any redundancy (multiple DNS servers in each domain).

We don't have time until Q4, and that is assuming they make that target date.

June 3rd, 2013 20:00

So DHoffman, from your reply can I assume then that your scenario is the former of the two scenarios I mentioned?  In other words, each of the DNS servers can only resolve one of the three domains?  Or is it the latter, can each of the DNS servers independently resolve each of the three domains?

If it is the former, then what is likely happening is that if the domain is the last one in the list of three DNS servers, it times out.  What I do know was asked of one client to resolve this is that you may want to consider, at the DNS server level, configuring the cluster for one DNS domain and using forwarders to the others.
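The question in the June 1 reply (can *each* configured DNS server independently resolve *every* domain?) and the "former vs. latter" scenario above can be answered with a small check before touching the cluster. The script below is an added example, not Isilon or EMC code: it asks each DNS server for the domain-controller locator SRV record of each AD domain, which is the lookup the "domain controller could not be found" error depends on. Server addresses, domain names and the in-memory zone data are constructed for illustration; `live_query` needs dnspython and a network path to the servers.

```python
"""Check whether every DNS server in a cluster-wide DNS list can resolve the
domain-controller SRV record of every AD domain (added example, not Isilon code)."""
from typing import Callable, Dict, List, Tuple

def dc_srv_name(domain: str) -> str:
    """Name every AD client queries to locate domain controllers for a domain."""
    return f"_ldap._tcp.dc._msdcs.{domain}"

def live_query(server: str, name: str) -> List[str]:
    """Ask one specific DNS server for SRV targets (requires dnspython)."""
    import dns.resolver  # imported lazily so the offline sample runs without it
    r = dns.resolver.Resolver(configure=False)
    r.nameservers = [server]
    r.lifetime = 3.0  # a slow or unreachable server is itself a finding
    return [str(a.target) for a in r.resolve(name, "SRV")]

def check_servers(servers: List[str], domains: List[str],
                  query: Callable[[str, str], List[str]] = live_query
                  ) -> Tuple[Dict[str, Dict[str, bool]], List[str]]:
    """Return {server: {domain: resolvable}} and the domains NOT resolvable
    from every server; any such domain will fail whenever its lookup lands on
    the wrong server (the timeout behaviour described in the thread)."""
    matrix: Dict[str, Dict[str, bool]] = {}
    for s in servers:
        matrix[s] = {}
        for d in domains:
            try:
                matrix[s][d] = len(query(s, dc_srv_name(d))) > 0
            except Exception:  # NXDOMAIN, SERVFAIL and timeouts all count as failure
                matrix[s][d] = False
    gaps = sorted(d for d in domains if not all(matrix[s][d] for s in servers))
    return matrix, gaps

# Constructed sample: the "former" scenario, where each domain's DNS server
# only knows its own domain, so no single cluster-wide list works for all three.
SAMPLE_ZONES = {
    "10.0.1.10": {"_ldap._tcp.dc._msdcs.prod.example.com": ["dc1.prod.example.com."]},
    "10.0.2.10": {"_ldap._tcp.dc._msdcs.qa.example.com": ["dc1.qa.example.com."]},
    "10.0.3.10": {"_ldap._tcp.dc._msdcs.dev.example.com": ["dc1.dev.example.com."]},
}
SAMPLE_DOMAINS = ["prod.example.com", "qa.example.com", "dev.example.com"]

def sample_query(server: str, name: str) -> List[str]:
    """Offline stand-in for live_query backed by the constructed zone data."""
    zone = SAMPLE_ZONES[server]
    if name not in zone:
        raise LookupError(f"NXDOMAIN {name} @ {server}")
    return zone[name]

if __name__ == "__main__":
    matrix, gaps = check_servers(list(SAMPLE_ZONES), SAMPLE_DOMAINS, sample_query)
    for s, row in matrix.items():
        print(s, {d: ("ok" if ok else "FAIL") for d, ok in row.items()})
    print("domains not resolvable from every server:", gaps)
```

A domain that appears in `gaps` is one the cluster can only resolve by luck of server ordering; the fix the thread suggests is to point the cluster at servers that forward for the other domains so `gaps` comes back empty.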

June 3rd, 2013 20:00

Yes soetinger, that is correct.  I have made a recommendation that I know worked for another client.


June 4th, 2013 05:00

Right now, we have two different issues, both of which EMC/Isilon is currently reviewing.

In the initial config (BTW we are not in production, still setting up) we have 3 PROD DNS server addresses and no DNS search order.

All 3 domains, DEV, QA, PROD could resolve and we were able to make 3 access zones and join each to their appropriate domain.  When security attempted to run robocopy to copy security settings, after reviewing the target folder we'd see numeric SIDs and not friendly names.  When our security team tried to set security on the DEV folder

\ifs\nas\dev

he would get an access denied.  When either he or I attempted to add any DEV domain user, we would get a message to the effect of "A domain controller could not be found".

EMC/Isilon suggested taking us from 7.0.1.3 to 7.0.1.6.

After that upgrade, all DEV and QA shares were not accessible; only shares that were in the System Zone were.

On a sister array still at 7.0.1.3, shares were still accessible, although it exhibits the same issues as the primary array: SIDs are not resolving in the DEV/QA domains.  EMC/Isilon did a webex for a few hours yesterday, and are looking into this.  They are currently stumped.

We have the following configuration (in a nutshell, all resolution is being forwarded to the prodssip Delegation Record):

prodcifs --> prodssip.domain.com

prodssip.domain.com --> A record

qacifs --> qassip.domain.com

qassip.domain.com --> prodssip.domain.com

devcifs --> devssip.domain.com

devssip.domain.com --> prodssip.domain.com

Once we get this figured out (assuming we do) I will post what was uncovered.
