Storagenerd

A place to put my thoughts….


How to setup Access Zones for Multiple Active Directory Domains – Isilon 7

The following text is straight from emc14004094. All credits go to EMC/Isilon. Just wanted to have it handy for my own reference.

OneFS 7 can now be provisioned to interact with more than one Active Directory forest. This is done through Access Zones, which are integrated tightly with the network configuration of the cluster.

The first step in setting up Access Zones is deciding whether the Access Zones will respond on the same network subnet or not.

Consider the following setup:
Domain: Contoso.com
DC: DC.Contoso.com
IP: 192.168.2.10
Subnet: 255.255.255.0

Domain: Isilon.com
DC: DC.Isilon.com
IP: 192.168.2.50
Subnet: 255.255.255.0

It is required to set up two Access Zones:
Zone: Contoso.com
Cluster IP Range: 192.168.2.11-192.168.2.15
SmartConnect IP: 192.168.2.16

Zone: Isilon.com
Cluster IP Range: 192.168.2.51-192.168.2.55
SmartConnect IP: 192.168.2.56

In this scenario, setting up Access Zones that have multiple pools in the same subnet requires SmartConnect Advanced. Without SmartConnect Advanced, the Access Zones must be associated with network pools in different subnets that do not overlap.

It is also important to note that the default "System" Access Zone is associated with the default subnet (usually subnet0:pool0) when the system is initially set up. Removing "System" from subnet0:pool0 without assigning "System" to another subnet (for SmartConnect Basic) or subnet:pool (for SmartConnect Advanced) will prevent login access to both SSH and the WebUI for the cluster.

NOTE: If you end up in a situation where you lose login access because the System Zone has no subnet:pool defined (possibly because it was deleted), do the following:

  1. Connect to the console of one of the nodes on the cluster and log in as root
  2. Run ifconfig and determine an IP that can be accessed and is flagged as in Zone 1 (these will be SmartConnect IPs)
    ISI70-1# ifconfig
    em0: flags=8843 metric 0 mtu 1500
    options=9b
    ether 00:0c:29:d0:68:b0
    inet 192.168.3.45 netmask 0xffffff00 broadcast 192.168.3.255 zone 1
    media: Ethernet autoselect (1000baseTX )
    status: active
    em1: flags=8843 metric 0 mtu 1500
    options=9b
    ether 00:0c:29:d0:68:ba
    inet 192.168.4.11 netmask 0xffffff00 broadcast 192.168.4.255 zone 6
    inet 192.168.5.51 netmask 0xffffff00 broadcast 192.168.5.255 zone 7
    inet 192.168.5.52 netmask 0xffffff00 broadcast 192.168.5.255 zone 7
    inet 192.168.5.53 netmask 0xffffff00 broadcast 192.168.5.255 zone 7
    inet 192.168.5.54 netmask 0xffffff00 broadcast 192.168.5.255 zone 7
    inet 192.168.5.55 netmask 0xffffff00 broadcast 192.168.5.255 zone 7
    inet 192.168.4.16 netmask 0xffffff00 broadcast 192.168.4.255 zone 1
    inet 192.168.5.56 netmask 0xffffff00 broadcast 192.168.5.255 zone 1

    media: Ethernet autoselect (1000baseTX )
    status: active
  3. The IPs associated with Zone 1 can be accessed through SSH or the WebUI, at which point the network can be added back for the System Zone
  4. If there are no IPs associated with Zone 1, then a new subnet will need to be created through the CLI:
    ISI70-1# isi networks create subnet --name=subnet0 --netmask=255.255.255.0 --gateway=192.168.2.1
    Creating subnet 'subnet0': OK
    Saving: OK
    ISI70-1# isi networks create pool --name=subnet0:pool0 --ifaces=1-3:ext-1 --ranges=192.168.2.120-122 --zone=System
    Creating pool 'subnet0:pool0': OK
    Saving: OK
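Step 2 of the recovery note asks you to pick the addresses ifconfig flags as Zone 1 out of a long listing. The following is an added example (not part of the EMC article) that does that filtering with a small shell function over a constructed ifconfig sample modelled on the listing above; the interface names and addresses in the sample are assumptions.

```shell
#!/bin/sh
# Added example, not part of the EMC article: extract the addresses that
# ifconfig flags as "zone 1" (the System zone), i.e. the ones still usable
# for SSH/WebUI after the System zone has lost its subnet:pool.
# Constructed sample modelled on the article's ifconfig listing.
SAMPLE_IFCONFIG='em0: flags=8843 metric 0 mtu 1500
    inet 192.168.3.45 netmask 0xffffff00 broadcast 192.168.3.255 zone 1
em1: flags=8843 metric 0 mtu 1500
    inet 192.168.4.11 netmask 0xffffff00 broadcast 192.168.4.255 zone 6
    inet 192.168.5.51 netmask 0xffffff00 broadcast 192.168.5.255 zone 7
    inet 192.168.4.16 netmask 0xffffff00 broadcast 192.168.4.255 zone 1
    inet 192.168.5.56 netmask 0xffffff00 broadcast 192.168.5.255 zone 1'

# zone_ips <zone-id>: read ifconfig text on stdin and print "iface ip" for
# every inet line whose trailing "zone N" matches the requested id.
zone_ips() {
    awk -v want="$1" '
        /^[a-z0-9]+:/ { iface = $1; sub(/:$/, "", iface) }
        $1 == "inet" && $(NF-1) == "zone" && $NF == want { print iface, $2 }
    '
}

# system_zone_ips: the System zone is always Zone ID 1 on OneFS.
system_zone_ips() { zone_ips 1; }

# Stand-alone run: list the addresses to try first; if there are none, the
# only way back in is step 4 above (recreate subnet0:pool0 from the console).
found=$(printf '%s\n' "$SAMPLE_IFCONFIG" | system_zone_ips)
if [ -n "$found" ]; then
    printf '%s\n' "$found"
else
    echo "no Zone 1 addresses: recreate the System zone pool from the console"
fi
```

On a real node, pipe the live output in with `ifconfig | system_zone_ips` instead of the constructed sample.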

The following will walk through setting up multiple Access Zones for a SmartConnect Basic configuration. The setup for Access Zones with SmartConnect Advanced is identical except for the networking section, where you have multiple pools in the subnet and therefore define multiple ranges within the same subnet to use.

Setting up Multiple Access Zones on a cluster

Consider the following Cluster and Domain Configuration:

The Isilon cluster is set up as follows:
ISI70-1# isi networks list pools -v
subnet0:pool0 – Default ext-1 pool
In Subnet: subnet0
Allocation: Static
Ranges: 1
192.168.2.120-192.168.2.122
Pool Membership: 1
1:ext-1 (up)
Aggregation Mode: Link Aggregation Control Protocol (LACP)
Access Zone: System (1)
SmartConnect:
Suspended Nodes : None
Auto Unsuspend … 0
Zone : isi70.a.dom.com
Time to Live : 0
Service Subnet : subnet0
Connection Policy: Round Robin

ISI70-1# isi networks list subnets -v
subnet0 – Default ext-1 subnet
Address Family: IPv4
Netmask: 255.255.255.0
Subnet: 192.168.2.0
Gateway 192.168.2.1, Priority 1
MTU: 1500
SC Service Address: 192.168.2.119
VLAN Tagging: Disabled
VLAN ID: 0
DSR Addresses: 0
Pools: 1
pool0 – Default ext-1 pool

ISI70-1# isi networks list interfaces -v
Node: 1
Interface: ext-1
NIC Name: em1
Status: up
In: 9.0Kb/s
Out: 828b/s
Owners: 3
subnet0:pool0

IP Addrs: 3
192.168.2.120

The Domains are setup as follows:
Domain: Contoso.com
DC: DC.Contoso.com
DC IP: 192.168.4.10
DNS IP: 192.168.4.10
Subnet: 255.255.255.0

Domain: Isilon.com
DC: DC.Isilon.com
DC IP: 192.168.5.50
DNS IP: 192.168.5.50
Subnet: 255.255.255.0

It is required to set up two Access Zones:
Zone: Contoso.com
Cluster IP Range: 192.168.4.11-192.168.4.15
SmartConnect IP: 192.168.4.16

Zone: Isilon.com
Cluster IP Range: 192.168.5.51-192.168.5.55
SmartConnect IP: 192.168.5.56

The goal of this setup will be the following:

  1. Storage admins will access the cluster through the WebUI or SSH by connecting to 192.168.2.119
  2. Users from domain Contoso.com will access the cluster via SMB by connecting to 192.168.3.16
  3. Users from domain Isilon.com will access the cluster via SMB by connecting to 192.168.4.56

Setup and Configuration of the Access Zones

  1. List the current Zone Configuration:
    ISI70-1# isi zone zones list --verbose
    Name: System
    Cache Size: 4.77M
    Map Untrusted:
    SMB Shares: –
    Auth Providers: –
    Local Provider: Yes
    NetBIOS Name:
    All SMB Shares: Yes
    All Auth Providers: Yes
    User Mapping Rules: –
    Home Directory Umask: 0077
    Skeleton Directory: /usr/share/skel
    Zone ID: 1
  2. Modify the System Zone to remove All Auth Providers and SMB Shares:
    ISI70-1# isi zone zones modify System --all-auth-providers=No
    ISI70-1# isi zone zones modify System --all-smb-shares=No
  3. Verify the change to System:
    ISI70-1# isi zone zones list --verbose
    Name: System
    Cache Size: 4.77M
    Map Untrusted:
    SMB Shares: –
    Auth Providers: –
    Local Provider: Yes
    NetBIOS Name:
    All SMB Shares: No
    All Auth Providers: No
    User Mapping Rules: –
    Home Directory Umask: 0077
    Skeleton Directory: /usr/share/skel
    Zone ID: 1
  4. Add a new Subnet and Pool for the Contoso and Isilon Zones
    ISI70-1# isi networks create subnet --name=subnet4 --gateway=192.168.4.1 --netmask=255.255.255.0 --sc-service-addr=192.168.4.16
    Creating subnet 'subnet4': OK
    Saving: OK
    ISI70-1# isi networks create pool --name=subnet4:pool0 --ranges=192.168.4.11-15 --sc-subnet=subnet4 --zone=isi70.contoso.com --ifaces=1-3:ext-1
    Creating pool 'subnet4:pool0': OK
    Saving:
    ISI70-1# isi networks create subnet --name=subnet5 --gateway=192.168.5.1 --netmask=255.255.255.0 --sc-service-addr=192.168.5.56
    Creating subnet 'subnet5': OK
    Saving: OK
    ISI70-1# isi networks create pool --name=subnet5:pool0 --ranges=192.168.5.51-55 --sc-subnet=subnet5 --zone=isi70.isilon.com --ifaces=1-3:ext-1
    Creating pool 'subnet5:pool0': OK
    Saving:

  5. Verify the new subnets and pools:
    ISI70-1# isi networks list subnet
    Name     Subnet          Gateway:Prio   SC Service     Pools
    -------  --------------  -------------  -------------  -----
    subnet0  192.168.2.0/24  192.168.2.1:1  192.168.2.119  1
    subnet4  192.168.4.0/24  192.168.4.1:2  192.168.4.16   1
    subnet5  192.168.5.0/24  192.168.5.1:3  192.168.5.56   1
    ISI70-1# isi networks list pools
    Subnet   Pool   SmartConnect Zone  Ranges                  Alloc
    -------  -----  -----------------  ----------------------  ------
    subnet0  pool0  isi70.a.dom.com    192.168.2.120-192.1...  Static
    subnet4  pool0  isi70.contoso.com  192.168.4.11-192.16...  Static
    subnet5  pool0  isi70.isilon.com   192.168.5.51-192.16...  Static
  6. List the DNS Configuration:
    ISI70-1# isi networks
    Domain Name Server: N/A
    DNS Search List: N/A
    DNS Resolver Opti… N/A
    DNS Default Error: REFUSED
    DNS Caching: Enabled
    Client TCP ports: 2049, 445, 20, 21, 80
    Rebalance delay: 0
    Subnets: subnet0 - Default ext-1 subnet (192.168.2.0/24)
    subnet4 (192.168.4.0/24)
    subnet5 (192.168.5.0/24)
  7. Configure DNS for both domains (in our example the DNS Server for Contoso.com will be 192.168.4.10 and the DNS Server for Isilon.com will be 192.168.5.50)
    ISI70-1# isi networks --add-dns-search=contoso.com,isilon.com --add-dns-servers=192.168.4.10,192.168.5.50
    Adding domain name server 192.168.4.10: OK
    Adding domain name server 192.168.5.50: OK
    Adding DNS search suffix contoso.com: OK
    Adding DNS search suffix isilon.com: OK
    Saving:
  8. Join the domains
    ISI70-1# isi auth ads create --name=contoso.com --user=administrator --verbose
    password:
    Created Active Directory provider: contoso.COM
    ISI70-1# isi auth ads create --name=isilon.com --user=administrator --verbose
    password:
    Created Active Directory provider: isilon.COM
  9. Verify the Domains
    ISI70-1# isi auth ads list
    Name Authentication Status DC Name Site
    —————————————————————-
    CONTOSO.COM Yes online – Default-First-Site-Name
    ISILON.COM Yes online – Default-First-Site-Name
    —————————————————————-
    Total: 2
  10. Create the Access Zones:
    ISI70-1# isi zone zones create --name=contoso.com --all-auth-providers=No --all-smb-shares=No --auth-providers=lsa-activedirectory-provider:contoso.com
    ISI70-1# isi zone zones create --name=isilon.com --all-auth-providers=No --all-smb-shares=No --auth-providers=lsa-activedirectory-provider:isilon.com
  11. List the Access Zones:
    ISI70-1# isi zone zones list -v
    Name: System
    Cache Size: 4.77M
    Map Untrusted:
    SMB Shares: –
    Auth Providers: –
    Local Provider: Yes
    NetBIOS Name:
    All SMB Shares: No
    All Auth Providers: No
    User Mapping Rules: –
    Home Directory Umask: 0077
    Skeleton Directory: /usr/share/skel
    Zone ID: 1
    ——————————————————————————–
    Name: contoso.com
    Cache Size: 4.77M
    Map Untrusted:
    SMB Shares: –
    Auth Providers: lsa-activedirectory-provider:CONTOSO.COM
    Local Provider: Yes
    NetBIOS Name:
    All SMB Shares: No
    All Auth Providers: No
    User Mapping Rules: –
    Home Directory Umask: 0077
    Skeleton Directory: /usr/share/skel
    Zone ID: 6
    ——————————————————————————–
    Name: isilon.com
    Cache Size: 4.77M
    Map Untrusted:
    SMB Shares: –
    Auth Providers: lsa-activedirectory-provider:ISILON.COM
    Local Provider: Yes
    NetBIOS Name:
    All SMB Shares: No
    All Auth Providers: No
    User Mapping Rules: –
    Home Directory Umask: 0077
    Skeleton Directory: /usr/share/skel
    Zone ID: 7
  12. Modify the Access Zone for the Subnets:
    ISI70-1# isi networks modify pool --name=subnet4:pool0 --access-zone=contoso.com
    Modifying pool 'subnet4:pool0':
    Saving:
    ISI70-1# isi networks modify pool --name=subnet5:pool0 --access-zone=isilon.com
    Modifying pool 'subnet5:pool0':
    Saving: OK

  13. Verify the Access Zone Configuration:
    ISI70-1# isi networks list pools -v
    subnet0:pool0 – Default ext-1 pool
    In Subnet: subnet0
    Allocation: Static
    Ranges: 1
    192.168.2.120-192.168.2.122
    Pool Membership: 1
    1:ext-1 (up)
    Aggregation Mode: Link Aggregation Control Protocol (LACP)
    Access Zone: System (1)
    SmartConnect:
    Suspended Nodes : None
    Auto Unsuspend … 0
    Zone : isi70.a.dom.com
    Time to Live : 0
    Service Subnet : subnet0
    Connection Policy: Round Robin
    subnet4:pool0
    In Subnet: subnet4
    Allocation: Static
    Ranges: 1
    192.168.4.11-192.168.4.15
    Pool Membership: 1
    1:ext-1 (up)
    Aggregation Mode: Link Aggregation Control Protocol (LACP)
    Access Zone: contoso.com (6)
    SmartConnect:
    Suspended Nodes : None
    Auto Unsuspend … 0
    Zone : isi70.contoso.com
    Time to Live : 0
    Service Subnet : subnet4
    Connection Policy: Round Robin
    subnet5:pool0
    In Subnet: subnet5
    Allocation: Static
    Ranges: 1
    192.168.5.51-192.168.5.55
    Pool Membership: 1
    1:ext-1 (up)
    Aggregation Mode: Link Aggregation Control Protocol (LACP)
    Access Zone: isilon.com (7)
    SmartConnect:
    Suspended Nodes : None
    Auto Unsuspend … 0
    Zone : isi70.isilon.com
    Time to Live : 0
    Service Subnet : subnet5
    Connection Policy: Round Robin

  14. Create shares for each Access Zone:
    ISI70-1# isi smb shares create contoso --path=/ifs/data/contoso --create-path
    ISI70-1# isi smb shares create isilon --path=/ifs/data/isilon --create-path
  15. Modify the zones to add their respective share:
    ISI70-1# isi zone zones modify contoso.com --add-smb-shares=contoso
    ISI70-1# isi zone zones modify isilon.com --add-smb-shares=isilon