Hi Dojo,
Evaluating a possible scenario of a DMS that consists of DMAs across different server types:
e.g. 2 hardware based DMAs and 5 VM based DMAs.
This is normally possible with DataMiner as it natively supports a distributed architecture and VMs can co-exist with physical servers.
In this scenario, however, there would be a possible complication due to the separation of IT owners:
e.g. one team supporting the OS layer of the VMs, another team dedicated to the physical servers... and each team would like to keep a different domain group.
Haven't done this with any other similar application, but where a Windows domain is in use, am I correct in thinking that regardless of the server type (VM/Physical) or OS version, all the application servers of a DataMiner cluster are best placed on the same domain group?
I would expect some user sync issues otherwise, though could work just with local users in sync through the Security.xml file in DataMiner - not a big fan of local users anymore, especially where different OS versions (and therefore different pw complexity criteria) can coexist. Is there any other issue to consider where DMA servers are not part of the same domain group?
Thanks
Hi Alberto,
"am I correct in thinking that regardless of the server type (VM/Physical) or OS version, all the application servers of a DataMiner cluster are best placed on the same domain group?"
That is indeed correct, we recommend joining the Windows Servers hosting DataMiner to the same domain, see this comment from Wouter on this question:
The default behavior is that the machines try to authenticate using their system/machine account. This usually works as machines are in the same domain.
The default behavior can be overridden by specifying a specific user and password account in the connection string. That’s what typically happens if the agents fail to communicate using the default account they have. The account specified needs to be a DataMiner account which has all permissions.
So it's possible to set up a DataMiner cluster with agents that are not joined to the same domain by setting up connection strings between the DataMiner agents.
"not a big fan of local users anymore"
Me neither. You could consider configuring SAML authentication (even if the agents are not in the same domain), which would allow you to use the same users/groups in DataMiner. This will then also manage password complexity, MFA, ...
This page should describe how you can add/edit the connection strings. It relies on a tool called SLNet Client Test, which you can find in C:\Skyline DataMiner\Files\SLNetClientTest.exe
https://docs.dataminer.services/user-guide/Reference/DataMiner_Tools/SLNetClientTest_tool/SLNetClientTest_tool_advanced_procedures.html#editing-the-connection-string-between-two-dataminer-agents
Thanks for the prompt feedback, Jens. Much appreciated.
Indeed SAML can be of help – hadn’t thought about it!
Hopefully won’t need to use two different domains, but assuming connection strings are needed when the DMAs are clustered – how do we add these?
Is there a specific section in System Center?