
Re: [lvs-users] Single-lan config?

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] Single-lan config?
From: Graeme Fowler <graeme@xxxxxxxxxxx>
Date: Fri, 10 Oct 2008 16:36:57 +0100

On Fri, 2008-10-10 at 09:27 -0500, David Dyer-Bennet wrote:
> We're running into a problem with Windows boxes being on a private LAN
> inside the LVS; they can't join the domain (apparently Active Directory
> has to be able to initiate connections to the system), and now that's
> starting to interfere with their deployment of what they call "tcp"
> protocol since it authenticates service users (obviously they're not
> talking about the real tcp protocol; Microsoft must be working *really*
> hard to obfuscate things in this area!).

Hrm... it depends on the management tools you're using as to whether
other domain member servers need to reach the realservers you're talking
about. I certainly haven't ever come across a situation where the domain
controllers initiate connections to member servers without being asked
to (like someone running a computer management application to control a
service on the realservers).

> So I need to take a second look at configuring the cluster some other way,
> maybe; so that the server systems are directly accessible from the outside
> as well as being accessible through the LVS

If this were me, I'd put a domain controller into the "private" LAN
which has firewall holes to the main AD domain controllers. That way
firewall restrictions should force the local systems to use the local DC
(or DCs, for better resilience) which can then do all the fancy AD
replication back to the other DCs.

Not ideal, but it *might* work.

Graeme


