On Fri, October 10, 2008 10:36, Graeme Fowler wrote:
> On Fri, 2008-10-10 at 09:27 -0500, David Dyer-Bennet wrote:
>> We're running into a problem with windows boxes being on a private LAN
>> inside the LVS; they can't join the domain (apparently Active Directory
>> has to be able to initiate connections to the system), and now that's
>> starting to interfere with their deployment of what they call "tcp"
>> protocol since it authenticates service users (obviously they're not
>> talking about the real tcp protocol; Microsoft must be working *really*
>> hard to obfuscate things in this area!).
>
> Hrm... it depends on the management tools you're using as to whether
> other domain member servers need to reach the realservers you're talking
> about. I certainly haven't ever come across a situation where the domain
> controllers initiate connections to member servers without being asked
> to (like someone running a computer management application to control a
> service on the realservers).

I'm not a Windows guy, but according to our Windows IT team, a computer
can't be part of a windows domain unless the domain controller can
initiate a connection to it. So these hidden servers can't be in our
corporate domain. It's not an issue with additional services, it's the
base domain membership.

>> So I need to take a second look at configuring the cluster some other
>> way, maybe; so that the server systems are directly accessible from the
>> outside as well as being accessible through the LVS
>
> If this were me, I'd put a domain controller into the "private" LAN
> which has firewall holes to the main AD domain controllers. That way
> firewall restrictions should force the local systems to use the local DC
> (or DCs, for better resilience) which can then do all the fancy AD
> replication back to the other DCs.
>
> Not ideal, but it *might* work.

That might well work, with suitable firewall mapping (possible since it's
to just *one* system). I'll keep that idea in mind if I need to move this
direction (we're also pursuing other investigations, and may be able to
get by without domain membership still).

-- 
David Dyer-Bennet, [EMAIL PROTECTED]; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info

_______________________________________________
LinuxVirtualServer.org mailing list - [email protected]
Send requests to [EMAIL PROTECTED]
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
