Evaluating a possible scenario of a DMS that consists of DMAs across different server types:
e.g. 2 hardware based DMAs and 5 VM based DMAs.
This is normally possible with DataMiner as it natively supports a distributed architecture and VMs can co-exist with physical servers.
In this scenario, however, there would be a possible complication due to the separation of IT owners:
e.g. one team supporting the OS layer of the VMs, another team dedicated to the physical servers... and each team would like to keep a different domain group.
Haven't done this with any other similar application, but where a Windows domain is in use, am I correct in thinking that regardless of the server type (VM/Physical) or OS version, all the application servers of a DataMiner cluster are best placed on the same domain group?
I would expect some user sync issues otherwise, though could work just with local users in sync through the Security.xml file in DataMiner - not a big fan of local users anymore, especially where different OS versions (and therefore different pw complexity criteria) can coexist. Is there any other issue to consider where DMA servers are not part of the same domain group?
"am I correct in thinking that regardless of the server type (VM/Physical) or OS version, all the application servers of a DataMiner cluster are best placed on the same domain group?"
That is indeed correct, we recommend joining the Windows Servers hosting DataMiner to the same domain, see this comment from Wouter on this question:
The default behavior is that the machines try to authenticate using their system/machine account. This usually works as machines are in the same domain.
The default behavior can be overridden by specifying a specific user and password account in the connection string. That’s what typically happens if the agents fail to communicate using the default account they have. The account specified needs to be a DataMiner account which has all permissions.
So it's possible to set up a DataMiner cluster with agents that are not joined to the same domain by setting up connection strings between the DataMiner agents.
"not a big fan of local users anymore"
Me neither, you could consider configuring SAML authentication (even if the agents are not in the same domain), which would allow you to use the same users/groups in DataMiner. This will then also manage password complexity, MFA, ...