
I'm currently configuring a two-node HA cluster based on CentOS with DRBD. Most services are packed in virtual machines with migration available.

I have not decided yet where to put some core services such as DHCP, LDAP and DNS, which are critical for the whole network infrastructure. There are two possibilities:

  1. Configure them as redundant HA services on the cluster hosts.
  2. Pack them all into a dedicated virtual machine.

What is the best practice?

Veniamin

2 Answers


Redundant, especially for something that small that also has built-in cluster functionality - both DNS as well as DHCP have failover implementations.

I am all for HA failover on the VM level, but where it makes sense, not for a lightweight core VM that provides ultra-critical but also memory- and CPU-non-intensive services.

TomTom
  • Thank you. I understand and share your position. But as far as I know, only LDAP (389 Server) has a full failover implementation. The two others offer redundancy only (out of the box). DHCP needs additional config sync, DNS is master-slave but has no failover in the common sense. – Veniamin Oct 29 '13 at 08:21
  • Well, no. DNS is designed for failover - you can have multiple servers for a domain. One acts as primary master, the others copy the data over. Clients will use all their DNS servers until one answers. Built-in failover capabilities. DHCP can be configured similarly - either with 2 separate blocks, or - for more advanced DHCP servers - there is a built-in failover protocol. Windows recently added that with Server 2008 R2.... 3 generations back. But it was possible before, too... just assign separate blocks. – TomTom Oct 29 '13 at 08:27
  • So, this is really possible. Not that I care too much - my DNS picks up the zone information from a locally replicated LDAP source, so I don't even have a real master ;) – TomTom Oct 29 '13 at 08:28
  • Perfect! Full failover support for LDAP with other redundant core services querying it - that is what I need. Please update your answer accordingly and I will accept it as a solution. – Veniamin Oct 29 '13 at 12:33
  • Well, the problem with that is that you likely do not WANT it. See, Windows Active Directory integrated DNS stores the data in Active Directory.... which is LDAP based. Windows DHCP also supports failover between two synchronized instances.... so, use Windows for those core services, finished. – TomTom Oct 29 '13 at 12:44
  • I found out that both ISC DHCP and BIND9 support LDAP as a backend. But I see that this functionality is hardly used. So you might be right, I may not want to use it. – Veniamin Oct 30 '13 at 07:48
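A worked example of the two mechanisms TomTom's answer points at, added here and not part of the original thread: the ISC dhcpd failover-peer protocol (lease state synchronised between a primary and a secondary, so a client keeps its lease whichever server answers) and a BIND master/slave zone pair (the slave pulls the zone by AXFR and is notified of changes). All addresses (the 192.0.2.0/24 documentation range), host names, the peer name "core-dhcp" and the zone example.com are assumptions for illustration.

```conf
# --- /etc/dhcp/dhcpd.conf on dhcp1 (192.0.2.11), the primary ---
failover peer "core-dhcp" {
    primary;
    address 192.0.2.11;
    port 647;
    peer address 192.0.2.12;
    peer port 647;
    max-response-delay 60;      # seconds without contact before the peer is treated as down
    max-unacked-updates 10;
    mclt 3600;                  # maximum client lead time; declared on the primary only
    split 128;                  # primary answers half the client hash space; primary only
    load balance max seconds 3; # after 3 s without an answer, either peer may serve the client
}

subnet 192.0.2.0 netmask 255.255.255.0 {
    option routers 192.0.2.1;
    # clients get both resolvers, so they fail over on their own if one DNS server is down
    option domain-name-servers 192.0.2.11, 192.0.2.12;
    pool {
        failover peer "core-dhcp";   # leases in this pool are replicated to the peer
        range 192.0.2.100 192.0.2.200;
    }
}

# --- /etc/dhcp/dhcpd.conf on dhcp2 (192.0.2.12), the secondary ---
failover peer "core-dhcp" {
    secondary;
    address 192.0.2.12;
    port 647;
    peer address 192.0.2.11;
    peer port 647;
    max-response-delay 60;
    max-unacked-updates 10;
    load balance max seconds 3;
}
# the same subnet { ... pool { failover peer "core-dhcp"; ... } } declaration as on dhcp1

# --- /etc/named.conf on ns1 (192.0.2.11), the zone master ---
zone "example.com" IN {
    type master;
    file "/var/named/example.com.zone";
    allow-transfer { 192.0.2.12; };   # only the slave may AXFR the zone
    also-notify { 192.0.2.12; };      # push a NOTIFY on every SOA serial change
    notify yes;
};

# --- /etc/named.conf on ns2 (192.0.2.12), the zone slave ---
zone "example.com" IN {
    type slave;
    file "slaves/example.com.zone";   # relative to "directory" in options { }
    masters { 192.0.2.11; };
};
```

Check each file with `dhcpd -t -cf /etc/dhcp/dhcpd.conf` and `named-checkconf` before restarting the daemons. Two caveats a practitioner should keep in mind: dhcpd's failover channel on TCP 647 carries lease state without authentication, so restrict that port with a host firewall to the peer address only; and an address-based `allow-transfer` can be spoofed, so on a network you do not fully control, use a TSIG key for the transfer instead of (or in addition to) the address ACL.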

After some problem investigation I came to the conclusion that packing core services into a VM and relying on VM-level failover is not a good practice:

  1. the cluster environment itself cannot rely on core services in this case;
  2. risk of core services outage because of cluster misconfiguration;
  3. application-level failover looks to be much more stable and reliable.

Moreover, the Microsoft 2-node cluster setup guide recommends placing DCs externally, not even on the cluster hardware. The main reason, I think, is that core services should be isolated from all others as much as possible.

For my case (CentOS) the main problem is that of the three services I consider (LDAP, DNS, DHCP) only one (LDAP - 389 Server) has full failover functionality. Thanks to TomTom who advised me that the others could use LDAP as a backend.

Looking for a stable integrated solution I found that the FreeIPA project and its Red Hat implementation, Identity Management Server, is just what I need.

Veniamin