I have a cluster of 5 failover pairs, 4 are in a workgroup while 1 pair is in a domain. Credentials for the built-in administrator are the same on all agents.
When the agent in a domain tries to connect to another agent (workgroup), SLNet authenticates via "domain\hostname$" (computer account) while agents in a workgroup authenticate via "NT_authority\anonymous". Unfortunately this results in authentication failing when using "domain\host$" and thus the agent in the domain cannot communicate with the rest of the cluster while the 4 agents in a workgroup have no communication issues.
Skyline worked around the issue by configuring connection strings for the agent in a domain.
However, the users would like an explanation in order to understand how SLNet authentication is working on their setup, therefore they want to know:
1. Does DataMiner support this type of architecture where some agents are in a domain while others are not?
2. Why is authentication different between agents in a domain and agents in a workgroup?
3. Is it not possible to use "NT_authority\anonymous"?
4. Is it Windows who decides to authenticate via "domain\hostname$"? Can DataMiner not avoid this?
Hello Ben,
Good question, to be honest, I do not believe it has ever been discussed…
Originally there were 4 failover pairs in Luxembourg, the customer wanted to integrate devices located in the US into DataMiner and thus a license was purchased for an additional DMA located in the US. It just happens that in the US, the servers were added to a domain, I am not really sure if it is because they want to make use of their domain users but as far as I know, there were no consultations regarding this.
The failover agent in a domain is not being fully utilized at the moment as the elements still need to be provisioned.
From an IT point of view it sounds very normal that DMAs that are in the same cluster need to be in the same workgroup/domain. This is also the case when you configure a Windows server cluster.
I think that's also why we used to set the workgroup name to "Skyline" during the manual DMA installations. This step can still be found in old installation manuals.
Thanks for the answer Olivier
Windows Server 2016 actually allows clustering of servers which are members of different domains, I believe we also deployed clusters containing agents in separate domains (with trust configured). But I never heard of a cluster made up of domain and workgroup agents, hence my question here if it is supported or not.
They indeed added this, but MS multi-domain clusters don’t use Active Directory. And it's also not recommended for services that need AD access.
If we follow the rules of MS multi-domain clusters, then only DataMiner users should be used on a multi-domain DataMiner cluster.
Just out of curiosity here Christine, but what is the reason why one would want to have a DataMiner System where some nodes are in the domain and others are not? Is this desirable for one reason or another?