How to setup Access Zones for Multiple Active Directory Domains – Isilon 7
February 1, 2013
The following text is straight from emc14004094. All credits go to EMC/Isilon. Just wanted to have it handy for my own reference.
OneFS 7 now has the ability to be provisioned for, and interact with, more than one Active Directory forest. This is done through the use of Access Zones, which are integrated tightly with the network configuration of the cluster.
The first step in setting up Access Zones is deciding whether the Access Zones will respond on the same network subnet or not.
Consider the following setup:
Domain: Contoso.com
DC: DC.Contoso.com
IP: 192.168.2.10
Subnet: 255.255.255.0
Domain: Isilon.com
DC: DC.Isilon.com
IP: 192.168.2.50
Subnet: 255.255.255.0
It is required to setup two Access Zones:
Zone: Contoso.com
Cluster IP Range: 192.168.2.11-192.168.2.15
SmartConnect IP: 192.168.2.16
Zone: Isilon.com
Cluster IP Range: 192.168.2.51-192.168.2.55
SmartConnect IP: 192.168.2.56
In this scenario, in order to set up Access Zones that have multiple pools in the same subnet, SmartConnect Advanced is required. Without SmartConnect Advanced, the Access Zones will need to be associated with network pools in different subnets that do not overlap.
It is also important to note that the default “System” Access Zone will be associated with the default subnet (usually subnet0:pool0) when the system is initially set up. Removing “System” from subnet0:pool0 and not assigning “System” to another subnet (for SmartConnect Basic) or subnet:pool (for SmartConnect Advanced) will prevent login access to both SSH and the WebUI for the cluster.
NOTE: If you end up in a situation where you lose login access because the System Zone has no subnet:pool defined (possibly because it was deleted), the following will need to be done:
- Connect to the console of one of the nodes on the cluster and log in as root
- Run ifconfig and determine an IP that can be accessed and is flagged as in Zone 1 (these will be SmartConnect IPs)
ISI70-1# ifconfig
em0: flags=8843 metric 0 mtu 1500
options=9b
ether 00:0c:29:d0:68:b0
inet 192.168.3.45 netmask 0xffffff00 broadcast 192.168.3.255 zone 1
media: Ethernet autoselect (1000baseTX )
status: active
em1: flags=8843 metric 0 mtu 1500
options=9b
ether 00:0c:29:d0:68:ba
inet 192.168.4.11 netmask 0xffffff00 broadcast 192.168.4.255 zone 6
inet 192.168.5.51 netmask 0xffffff00 broadcast 192.168.5.255 zone 7
inet 192.168.5.52 netmask 0xffffff00 broadcast 192.168.5.255 zone 7
inet 192.168.5.53 netmask 0xffffff00 broadcast 192.168.5.255 zone 7
inet 192.168.5.54 netmask 0xffffff00 broadcast 192.168.5.255 zone 7
inet 192.168.5.55 netmask 0xffffff00 broadcast 192.168.5.255 zone 7
inet 192.168.4.16 netmask 0xffffff00 broadcast 192.168.4.255 zone 1
inet 192.168.5.56 netmask 0xffffff00 broadcast 192.168.5.255 zone 1
media: Ethernet autoselect (1000baseTX )
status: active
- The IPs associated with Zone 1 can be accessed through SSH or the WebUI, at which point the network can be added back for the System Zone
- If there are no IPs associated with Zone 1, then a new subnet will need to be created through the CLI:
ISI70-1# isi networks create subnet --name=subnet0 --netmask=255.255.255.0 --gateway=192.168.2.1
Creating subnet 'subnet0': OK
Saving: OK
ISI70-1# isi networks create pool --name=subnet0:pool0 --ifaces=1-3:ext-1 --ranges=192.168.2.120-122 --zone=System
Creating pool 'subnet0:pool0': OK
Saving: OK
The following will walk through setting up multiple Access Zones for a SmartConnect Basic configuration. The setup for Access Zones with SmartConnect Advanced is identical except for the networking section, where you have multiple pools in the subnet and therefore define multiple ranges within the same subnet to use.
Setting up Multiple Access Zones on a cluster
Consider the following Cluster and Domain Configuration:
Isilon Cluster is setup as follows:
ISI70-1# isi networks list pools -v
subnet0:pool0 - Default ext-1 pool
In Subnet: subnet0
Allocation: Static
Ranges: 1
192.168.2.120-192.168.2.122
Pool Membership: 1
1:ext-1 (up)
Aggregation Mode: Link Aggregation Control Protocol (LACP)
Access Zone: System (1)
SmartConnect:
Suspended Nodes : None
Auto Unsuspend … 0
Zone : isi70.a.dom.com
Time to Live : 0
Service Subnet : subnet0
Connection Policy: Round Robin
ISI70-1# isi networks list subnets -v
subnet0 - Default ext-1 subnet
Address Family: IPv4
Netmask: 255.255.255.0
Subnet: 192.168.2.0
Gateway 192.168.2.1, Priority 1
MTU: 1500
SC Service Address: 192.168.2.119
VLAN Tagging: Disabled
VLAN ID: 0
DSR Addresses: 0
Pools: 1
pool0 - Default ext-1 pool
ISI70-1# isi networks list interfaces -v
Node: 1
Interface: ext-1
NIC Name: em1
Status: up
In: 9.0Kb/s
Out: 828b/s
Owners: 3
subnet0:pool0
IP Addrs: 3
192.168.2.120
The Domains are setup as follows:
Domain: Contoso.com
DC: DC.Contoso.com
DC IP: 192.168.4.10
DNS IP: 192.168.4.10
Subnet: 255.255.255.0
Domain: Isilon.com
DC: DC.Isilon.com
DC IP: 192.168.5.50
DNS IP: 192.168.5.50
Subnet: 255.255.255.0
It is required to setup two Access Zones:
Zone: Contoso.com
Cluster IP Range: 192.168.4.11-192.168.4.15
SmartConnect IP: 192.168.4.16
Zone: Isilon.com
Cluster IP Range: 192.168.5.51-192.168.5.55
SmartConnect IP: 192.168.5.56
The goal of this setup will be the following:
- Storage admins will access the cluster through the WebUI or SSH by connecting to 192.168.2.119
- Users from domain Contoso.com will access the cluster via SMB by connecting to 192.168.3.16
- Users from domain Isilon.com will access the cluster via SMB by connecting to 192.168.4.56
Setup and Configuration of the Access Zones
- List the current Zone Configuration:
ISI70-1# isi zone zones list --verbose
Name: System
Cache Size: 4.77M
Map Untrusted:
SMB Shares: -
Auth Providers: -
Local Provider: Yes
NetBIOS Name:
All SMB Shares: Yes
All Auth Providers: Yes
User Mapping Rules: -
Home Directory Umask: 0077
Skeleton Directory: /usr/share/skel
Zone ID: 1
- Modify the System Zone to remove All Auth Providers and SMB Shares:
ISI70-1# isi zone zones modify System --all-auth-providers=No
ISI70-1# isi zone zones modify System --all-smb-shares=No
- Verify the change to System:
ISI70-1# isi zone zones list --verbose
Name: System
Cache Size: 4.77M
Map Untrusted:
SMB Shares: -
Auth Providers: -
Local Provider: Yes
NetBIOS Name:
All SMB Shares: No
All Auth Providers: No
User Mapping Rules: -
Home Directory Umask: 0077
Skeleton Directory: /usr/share/skel
Zone ID: 1
- Add a new Subnet and Pool for the Contoso and Isilon Zones
ISI70-1# isi networks create subnet --name=subnet4 --gateway=192.168.4.1 --netmask=255.255.255.0 --sc-service-addr=192.168.4.16
Creating subnet 'subnet4': OK
Saving: OK
ISI70-1# isi networks create pool --name=subnet4:pool0 --ranges=192.168.4.11-15 --sc-subnet=subnet4 --zone=isi70.contoso.com --ifaces=1-3:ext-1
Creating pool 'subnet4:pool0': OK
Saving:
ISI70-1# isi networks create subnet --name=subnet5 --gateway=192.168.5.1 --netmask=255.255.255.0 --sc-service-addr=192.168.5.56
Creating subnet 'subnet5': OK
Saving: OK
ISI70-1# isi networks create pool --name=subnet5:pool0 --ranges=192.168.5.51-55 --sc-subnet=subnet5 --zone=isi70.isilon.com --ifaces=1-3:ext-1
Creating pool 'subnet5:pool0': OK
Saving:
- Verify the new subnets and pools:
ISI70-1# isi networks list subnet
Name     Subnet          Gateway:Prio    SC Service     Pools
-------  --------------  --------------  -------------  -----
subnet0  192.168.2.0/24  192.168.2.1:1   192.168.2.119  1
subnet4  192.168.4.0/24  192.168.4.1:2   192.168.4.16   1
subnet5  192.168.5.0/24  192.168.5.1:3   192.168.5.56   1
ISI70-1# isi networks list pools
Subnet   Pool   SmartConnect Zone   Ranges                 Alloc
-------  -----  ------------------  ---------------------  ------
subnet0  pool0  isi70.a.dom.com     192.168.2.120-192.1…   Static
subnet4  pool0  isi70.contoso.com   192.168.4.11-192.16…   Static
subnet5  pool0  isi70.isilon.com    192.168.5.51-192.16…   Static
- List the DNS Configuration:
ISI70-1# isi networks
Domain Name Server: N/A
DNS Search List: N/A
DNS Resolver Opti… N/A
DNS Default Error: REFUSED
DNS Caching: Enabled
Client TCP ports: 2049, 445, 20, 21, 80
Rebalance delay: 0
Subnets: subnet0 - Default ext-1 subnet (192.168.2.0/24)
subnet4 (192.168.4.0/24)
subnet5 (192.168.5.0/24)
- Configure DNS for both domains (in our example the DNS server for Contoso.com will be 192.168.4.10 and the DNS server for Isilon.com will be 192.168.5.50)
ISI70-1# isi networks --add-dns-search=contoso.com,isilon.com --add-dns-servers=192.168.4.10,192.168.5.50
Adding domain name server 192.168.4.10: OK
Adding domain name server 192.168.5.50: OK
Adding DNS search suffix contoso.com: OK
Adding DNS search suffix isilon.com: OK
Saving:
- Join the domains
ISI70-1# isi auth ads create --name=contoso.com --user=administrator --verbose
password:
Created Active Directory provider: contoso.COM
ISI70-1# isi auth ads create --name=isilon.com --user=administrator --verbose
password:
Created Active Directory provider: isilon.COM
- Verify the Domains
ISI70-1# isi auth ads list
Name         Authentication  Status  DC Name  Site
----------------------------------------------------------------
CONTOSO.COM  Yes             online  -        Default-First-Site-Name
ISILON.COM   Yes             online  -        Default-First-Site-Name
----------------------------------------------------------------
Total: 2
- Create the Access Zones:
ISI70-1# isi zone zones create --name=contoso.com --all-auth-providers=No --all-smb-shares=No --auth-providers=lsa-activedirectory-provider:contoso.com
ISI70-1# isi zone zones create --name=isilon.com --all-auth-providers=No --all-smb-shares=No --auth-providers=lsa-activedirectory-provider:isilon.com
- List the Access Zones:
ISI70-1# isi zone zones list -v
Name: System
Cache Size: 4.77M
Map Untrusted:
SMB Shares: -
Auth Providers: -
Local Provider: Yes
NetBIOS Name:
All SMB Shares: No
All Auth Providers: No
User Mapping Rules: -
Home Directory Umask: 0077
Skeleton Directory: /usr/share/skel
Zone ID: 1
--------------------------------------------------------------------------------
Name: contoso.com
Cache Size: 4.77M
Map Untrusted:
SMB Shares: -
Auth Providers: lsa-activedirectory-provider:CONTOSO.COM
Local Provider: Yes
NetBIOS Name:
All SMB Shares: No
All Auth Providers: No
User Mapping Rules: -
Home Directory Umask: 0077
Skeleton Directory: /usr/share/skel
Zone ID: 6
--------------------------------------------------------------------------------
Name: isilon.com
Cache Size: 4.77M
Map Untrusted:
SMB Shares: -
Auth Providers: lsa-activedirectory-provider:ISILON.COM
Local Provider: Yes
NetBIOS Name:
All SMB Shares: No
All Auth Providers: No
User Mapping Rules: -
Home Directory Umask: 0077
Skeleton Directory: /usr/share/skel
Zone ID: 7
- Modify the Access Zone for the Subnets:
ISI70-1# isi networks modify pool --name=subnet4:pool0 --access-zone=contoso.com
Modifying pool 'subnet4:pool0':
Saving:
ISI70-1# isi networks modify pool --name=subnet5:pool0 --access-zone=isilon.com
Modifying pool 'subnet5:pool0':
Saving: OK
- Verify the Access Zone Configuration:
ISI70-1# isi networks list pools -v
subnet0:pool0 - Default ext-1 pool
In Subnet: subnet0
Allocation: Static
Ranges: 1
192.168.2.120-192.168.2.122
Pool Membership: 1
1:ext-1 (up)
Aggregation Mode: Link Aggregation Control Protocol (LACP)
Access Zone: System (1)
SmartConnect:
Suspended Nodes : None
Auto Unsuspend … 0
Zone : isi70.a.dom.com
Time to Live : 0
Service Subnet : subnet0
Connection Policy: Round Robin
subnet4:pool0
In Subnet: subnet4
Allocation: Static
Ranges: 1
192.168.4.11-192.168.4.15
Pool Membership: 1
1:ext-1 (up)
Aggregation Mode: Link Aggregation Control Protocol (LACP)
Access Zone: contoso.com (6)
SmartConnect:
Suspended Nodes : None
Auto Unsuspend … 0
Zone : isi70.contoso.com
Time to Live : 0
Service Subnet : subnet4
Connection Policy: Round Robin
subnet5:pool0
In Subnet: subnet5
Allocation: Static
Ranges: 1
192.168.5.51-192.168.5.55
Pool Membership: 1
1:ext-1 (up)
Aggregation Mode: Link Aggregation Control Protocol (LACP)
Access Zone: isilon.com (7)
SmartConnect:
Suspended Nodes : None
Auto Unsuspend … 0
Zone : isi70.isilon.com
Time to Live : 0
Service Subnet : subnet5
Connection Policy: Round Robin
- Create shares for each Access Zone:
ISI70-1# isi smb shares create contoso --path=/ifs/data/contoso --create-path
ISI70-1# isi smb shares create isilon --path=/ifs/data/isilon --create-path
- Modify the zones to add their respective share:
ISI70-1# isi zone zones modify contoso.com --add-smb-shares=contoso
ISI70-1# isi zone zones modify isilon.com --add-smb-shares=isilon
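As an added sanity check that is not part of the KB text (my own example, not an EMC/Isilon tool), the Python below parses saved `isi networks list pools -v` output in the shape shown above and flags the three things the article warns about: a System zone left with no pool (which locks you out of SSH and the WebUI), more than one pool in a single subnet (which needs SmartConnect Advanced), and pool IP ranges that overlap. The embedded listing is constructed from the walkthrough's output; run it against a copy of your own listing before committing a network change.

```python
import ipaddress
import re
# Constructed sample shaped like `isi networks list pools -v` output (not real cluster output).
SAMPLE_POOLS = """subnet0:pool0 - Default ext-1 pool
In Subnet: subnet0
192.168.2.120-192.168.2.122
Access Zone: System (1)
subnet4:pool0
In Subnet: subnet4
192.168.4.11-192.168.4.15
Access Zone: contoso.com (6)
subnet5:pool0
In Subnet: subnet5
192.168.5.51-192.168.5.55
Access Zone: isilon.com (7)
"""
POOL_HDR = re.compile(r"^(subnet\d+:pool\d+)")
RANGE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$")

def parse_pools(text):
    """Return {pool: {"subnet", "zone", "ranges": [(lo, hi)]}} parsed from the -v listing."""
    pools, cur = {}, {"ranges": []}  # preamble lines (if any) land in this throwaway dict
    for line in (l.strip() for l in text.splitlines()):
        if m := POOL_HDR.match(line):
            cur = pools[m.group(1)] = {"subnet": None, "zone": None, "ranges": []}
        elif line.startswith("In Subnet:"):
            cur["subnet"] = line.split(":", 1)[1].strip()
        elif m := RANGE.match(line):
            cur["ranges"].append(tuple(ipaddress.IPv4Address(a) for a in m.groups()))
        elif line.startswith("Access Zone:"):  # distinct from the SmartConnect "Zone :" line
            cur["zone"] = (line.split(":", 1)[1].split() or [None])[0]
    return pools

def audit(pools):
    """Flag the conditions the walkthrough warns about, before a change is committed."""
    findings = []
    if not any(p["zone"] == "System" for p in pools.values()):
        findings.append("System zone has no pool: SSH and WebUI login will be lost")
    by_subnet = {}
    for name, p in pools.items():
        by_subnet.setdefault(p["subnet"], []).append(name)
    for subnet, names in by_subnet.items():
        if len(names) > 1:  # several pools in one subnet requires SmartConnect Advanced
            findings.append(f"{subnet} has {len(names)} pools: requires SmartConnect Advanced")
    spans = [(lo, hi, n) for n, p in pools.items() for lo, hi in p["ranges"]]
    for i, (lo1, hi1, n1) in enumerate(spans):
        for lo2, hi2, n2 in spans[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:  # closed intervals intersect
                findings.append(f"IP ranges overlap: {n1} and {n2}")
    return findings
```

For the sample listing `audit(parse_pools(SAMPLE_POOLS))` returns an empty list; drop the subnet0:pool0 block and the System-zone lockout finding appears.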