[lvs-users] Single-lan config?

Graeme Fowler graeme at graemef.net
Fri Oct 10 16:36:57 BST 2008

On Fri, 2008-10-10 at 09:27 -0500, David Dyer-Bennet wrote:
> We're running into a problem with windows boxes being on a private LAN
> inside the LVS; they can't join the domain (apparently Active Directory
> has to be able to initiate connections to the system), and now that's
> starting to interfere with their deployment of what they call "tcp"
> protocol since it authenticates service users (obviously they're not
> talking about the real tcp protocol; Microsoft must be working *really*
> hard to obfuscate things in this area!).

Hrm... it depends on the management tools you're using as to whether
other domain member servers need to reach the realservers you're talking
about. I certainly haven't ever come across a situation where the domain
controllers initiate connections to member servers without being asked
to (like someone running a computer management application to control a
service on the realservers).

> So I need to take a second look at configuring the cluster some other way,
> maybe; so that the server systems are directly accessible from the outside
> as well as being accessible through the LVS

If this were me, I'd put a domain controller into the "private" LAN
which has firewall holes to the main AD domain controllers. That way
firewall restrictions should force the local systems to use the local DC
(or DCs, for better resilience) which can then do all the fancy AD
replication back to the other DCs.

Not ideal, but it *might* work.
