[lvs-users] Single-lan config?
dd-b at dd-b.net
Fri Oct 10 18:00:27 BST 2008
On Fri, October 10, 2008 10:36, Graeme Fowler wrote:
> On Fri, 2008-10-10 at 09:27 -0500, David Dyer-Bennet wrote:
>> We're running into a problem with windows boxes being on a private LAN
>> inside the LVS; they can't join the domain (apparently Active Directory
>> has to be able to initiate connections to the system), and now that's
>> starting to interfere with their deployment of what they call "tcp"
>> protocol since it authenticates service users (obviously they're not
>> talking about the real tcp proptocol; Microsoft must be working *really*
>> hard to obfucate things in this area!).
> Hrm... it depends on the management tools you're using as to whether
> other domain member servers need to reach the realservers you're talking
> about. I certainly haven't ever come across a situation where the domain
> controllers initiate connections to member servers without being asked
> to (like someone running a computer management application to control a
> service on the realservers).
I'm not a Windows guy, but according to our Windows IT team, a computer
can't be part of a windows domain unless the domain controller can
initiate a connection to it. So these hidden servers can't be in our
corporate domain. It's not an issue with additional services, it's the
base domain membership.
>> So I need to take a second look at configuring the cluster some other
>> maybe; so that the server systems are directly accessible from the
>> as well as being accessible through the LVS
> If this were me, I'd put a domain controller into the "private" LAN
> which has firewall holes to the main AD domain controllers. That way
> firewall restrictions should force the local systems use the local DC
> (or DCs, for better resilience) which can then do all the fancy AD
> replication back to the other DCs.
> Not ideal, but it *might* work.
That might well work, with suitable firewall mapping (possible since it's
to just *one* system). I'll keep that idea in mind if I need to move this
direction (we're also pursuing other investigations, and may be able to
get by without domain membership still).
David Dyer-Bennet, dd-b at dd-b.net; http://dd-b.net/
More information about the lvs-users