David,
Normally you wouldn't want load balanced servers to be in an Active Directory domain...
but if it is a requirement then either use:
Direct Routing (but make sure DNS is set to manual in both Active Directory and on the real servers), otherwise Active Directory stupidly registers the loopback adapter address :-0.
Or you can try single network NAT and make sure that:
On the load balancer:
In order for one arm NAT to work correctly you must modify the firewall script on the load balancers to disable ICMP redirects:
# For single NIC NAT you will also need to disable re-directs
# director is gw for realservers so turn OFF icmp redirects (1 on, 0 off)
echo "0" >/proc/sys/net/ipv4/conf/all/send_redirects
echo "0" >/proc/sys/net/ipv4/conf/default/send_redirects
echo "0" >/proc/sys/net/ipv4/conf/eth0/send_redirects
echo "0" >/proc/sys/net/ipv4/conf/eth1/send_redirects
echo "0" >/proc/sys/net/ipv4/conf/eth2/send_redirects
Make sure that these lines are active by removing the # at the start of each echo command.
Then configure the routing on the windows real servers:
Route configuration for Windows Server with one arm NAT mode
When a client on the same subnet as the real server tries to access the virtual server on the load balancer, the request will fail. The real server will try to use the local network to get back to the client rather than going through the load balancer and getting the correct network translation for the connection.
To rectify this issue we need to add a route to the load balancer that takes priority over Windows default routing rules.
This is a simple case of adding a permanent route:
route -p add 192.168.1.0 mask 255.255.255.0 <load-balancer-IP> metric 1
NB. Replace 192.168.1.0 with your local subnet address (<load-balancer-IP> is a placeholder for the load balancer's own address on that subnet, which the route command needs as its gateway argument).
The default route to the local network has a metric of 10, so this new route overrides all local traffic and forces it to go through the load balancer as required.
Any local traffic (same subnet) is handled by this route and any external traffic is handled by the default route (which also points at the load balancer).
I'm not sure what happens if the active directory is on a routed network, but I think it will still work.
Please let me know.
Thanks.
2008/10/10 David Dyer-Bennet <dd-b@xxxxxxxx>
> I'm not a Windows guy, but according to our Windows IT team, a computer
> can't be part of a windows domain unless the domain controller can
> initiate a connection to it. So these hidden servers can't be in our
> corporate domain. It's not an issue with additional services, it's the
> base domain membership.
--
Regards,
Malcolm Turnbull.
Loadbalancer.org Ltd.
Phone: +44 (0)870 443 8779
http://www.loadbalancer.org/
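An added example, not from Malcolm's reply or from Loadbalancer.org's own firewall script, that generalises the send_redirects echo lines above: a POSIX shell script that turns off ICMP redirects on every interface the kernel exposes under /proc/sys/net/ipv4/conf (rather than a hard-coded eth0/eth1/eth2) and then verifies the setting, so a missed interface can't quietly break the one-arm NAT return path. The function names and the --demo switch are my own; each function takes the conf directory as an argument so the logic can be exercised against a constructed copy of the tree.

```shell
#!/bin/sh
# Added example: disable ICMP redirects on every interface for single-NIC (one-arm) NAT.
# Each function takes the conf directory as $1 and defaults to the live kernel tree,
# so the same code can be dry-run against a constructed copy (see --demo below).

# Write 0 to send_redirects for all, default and every interface under the conf dir.
disable_send_redirects() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}
    for f in "$conf_dir"/*/send_redirects; do
        [ -e "$f" ] || continue
        echo 0 > "$f" || return 1
    done
}

# Return 0 if every send_redirects file under the conf dir reads 0, 1 otherwise.
# Prints the offending paths so a boot-time check shows which interface was missed.
check_send_redirects() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}
    rc=0
    for f in "$conf_dir"/*/send_redirects; do
        [ -e "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            printf 'send_redirects still on: %s\n' "$f"
            rc=1
        fi
    done
    return $rc
}

# Build a constructed stand-in for /proc/sys/net/ipv4/conf with redirects enabled,
# mirroring the interfaces named in the firewall script plus lo.
make_fake_conf() {
    root=$1
    for iface in all default eth0 eth1 eth2 lo; do
        mkdir -p "$root/$iface"
        echo 1 > "$root/$iface/send_redirects"
    done
}

# "./script.sh --demo" exercises the functions on a temporary tree; on a real
# director, call disable_send_redirects with no argument (as root) from the
# firewall script and run check_send_redirects afterwards.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_fake_conf "$demo"
    check_send_redirects "$demo" || echo "before: redirects still enabled"
    disable_send_redirects "$demo"
    check_send_redirects "$demo" && echo "after: all send_redirects are 0"
    rm -rf "$demo"
fi
```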