
Netbackup VCS Cluster 2 sites

Created: 01 May 2014 | 4 comments
blanco.adalberto@ciime.mx's picture

 

 

Hello everybody, first of all I want to thank you for helping me to solve my issues.

 

This time I need to set up a NetBackup server global cluster distributed across 2 sites. Each site has its own IP address segment, so when the service group is running in the first site, clients must resolve the IP address assigned in that site.

When the service group changes to the second site, clients must resolve the IP address for the second site.

 

The cluster is running and we can do the switchover from the primary site to the secondary and vice versa. At the DNS level we have two DNS records pointing to both the primary and secondary sites' IP addresses.

 

The issue we are facing is that we can ping the master on the site that runs the service group but not from the other; if we switch over, it is the same.

 

This is the result of nslookup, and the ping does not respond.

 

The service group runs on 172.20.50.161

 

bash-3.00# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 172.21.31.90 netmask ffffff00 broadcast 172.21.31.255
        ether 0:c:29:5b:c5:90
e1000g1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 172.21.31.91 netmask ffffff00 broadcast 172.21.31.255
        ether 0:c:29:5b:c5:9a

bash-3.00# nslookup master
Server:         172.21.31.10
Address:        172.21.31.10#53

Name:   master.dominio.local
Address: 172.21.31.90
Name:   master.dominio.local
Address: 172.20.50.161

bash-3.00# ping master     (No response)
^C

 

 

 


4 Comments

Nicolai's picture

Something is not right with your configuration. A cluster service address needs to be on the SAME IP segment on both sides, and you usually don't use the IP address of the physical node to address traffic to clients. Symantec NetBackup has logic that enables it to set the source IP address on outbound traffic to the cluster service IP and not the physical node.

But I also think you got one more address wrong. The physical node has 172.21.31.90 (e1000g0) and something else has 172.21.31.91 (e1000g1). The address you are trying to reach is 172.20.50.161. But since no NIC has the IP address 172.20.50.161, it will not be able to respond to pings.

Assumption is the mother of all mess ups.

If this post answered your question - Please mark as a solution.
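
The check described in the reply above, as an added example that is not part of the original thread: it compares the addresses DNS returns for the master with the addresses actually bound to an interface that is UP. The input is the `ifconfig -a` and `nslookup` output from the question (ether lines trimmed); the function names are hypothetical.

```shell
#!/bin/sh
# Command output as posted in the question (ether lines trimmed).
IFCONFIG_OUT='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 172.21.31.90 netmask ffffff00 broadcast 172.21.31.255
e1000g1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 172.21.31.91 netmask ffffff00 broadcast 172.21.31.255'
NSLOOKUP_OUT='Server:         172.21.31.10
Address:        172.21.31.10#53

Name:   master.dominio.local
Address: 172.21.31.90
Name:   master.dominio.local
Address: 172.20.50.161'

# Print "address interface UP|DOWN" for every inet line in ifconfig output.
iface_addrs() {
  awk '
    /^[A-Za-z0-9:]+: flags=/ {
      ifc = $1; sub(/:$/, "", ifc)
      split($2, f, /[<>]/)                 # f[2] holds the flag list
      state = (("," f[2] ",") ~ /,UP,/) ? "UP" : "DOWN"
    }
    $1 == "inet" { print $2, ifc, state }'
}

# Print only the answer addresses (those that follow a Name: line),
# which skips the resolver own "Address: ...#53" line.
resolved_addrs() {
  awk '/^Name:/ { ans = 1 } ans && /^Address:/ { print $2 }'
}

# For each resolved address report: up <if>, down <if>, or not-bound.
check_resolved() {   # $1 = ifconfig text, $2 = nslookup text
  printf '%s\n' "$2" | resolved_addrs | while read -r addr; do
    hit=$(printf '%s\n' "$1" | iface_addrs |
          awk -v a="$addr" '$1 == a { print $3, $2 }')
    case "$hit" in
      "")   echo "$addr not-bound" ;;
      UP*)  echo "$addr up ${hit#UP }" ;;
      *)    echo "$addr down ${hit#DOWN }" ;;
    esac
  done
}

check_resolved "$IFCONFIG_OUT" "$NSLOOKUP_OUT"
```

On the posted output, neither address that DNS hands out is reachable on this node: 172.20.50.161 is not plumbed on any interface, and 172.21.31.90 sits on e1000g0, whose flags lack UP.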

AAlmroth's picture

There doesn't seem to be a virtual IP set on the node you have run ifconfig on. As Nicolai says, VCS should control the ifup/ifdown of an IP address not bound to a specific host.

If possible, send the VCS main.cf for us to study how the two clusters are set up.

Also, using DNS round-robin (two or more IP addresses resolvable for the same host) is not a good solution in NetBackup, as only one address should be "online" at any time. If clients try to resolve, they would fail on every second lookup.

Also, NetBackup uses an internal host cache, which records name and IP, and this would also add some noise if using two different IP addresses for the master server. This can most likely be worked around. The feature, in my opinion, sometimes adds more problems and time spent on troubleshooting than it actually works in large environments (IMHO).

That said, you could certainly use two different IP addresses, but it would require another approach in DNS. VCS supports updating the DNS record (using SecDNS functionality) when you switch between the clusters (GCO).

You would need to add a DNS resource in your service groups in both clusters. This will update the DNS server, and clients can now resolve the correct "online" IP address. Please note that this approach does require additional security setup on your DNS servers.

The internal host cache in NBU would need to be looked at in more detail, to see if this can be solved somehow neatly.

 

/A

blanco.adalberto@ciime.mx's picture

Thank you for replying. 

 

I am implementing the DNS Agent from VCS, but I can update the IP address where the NetBackup services are running only when non-secure updates are enabled on the DNS server.

Because there is a production environment, I cannot use non-secure updates on the DNS. I have enabled the Kerberos configuration and I also added a user to the Active Directory in order to log into the DNS with kinit so that I can update the DNS records.

The cluster servers are running on Solaris 11.

When I log into the AD I get the following:

root@master2:~# kinit abcd
Password for abcd@DOMINIO.LOCAL:
kinit:  no ktkt_warnd warning possible

 

 

I have logged into

root@master2:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: abcd@DOMINIO.LOCAL

Valid starting                Expires                Service principal
05/08/14 19:18:26  05/09/14 05:18:27  krbtgt/DOMINIO.LOCAL@DOMINIO.LOCAL
        renew until 05/15/14 19:18:26

 

I am using a sample file to update the DNS record

root@master2:~# cat nsupdate.data
server ad-dominio.dominio.local
update add abcde.dominio.local 86400 A 172.21.31.50
send

 

When I try to update the DNS record I got this

root@master2:~# nsupdate nsupdate.data
update failed: REFUSED

 

 

This is my krb5.conf

root@master2:~# cat /etc/krb5/krb5.conf

[libdefaults]

default_realm = DOMINIO.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5

[realms]

DOMINIO.LOCAL = {

kdc = ad-dominio.DOMINIO.LOCAL
kpasswd_server = ad-dominio.DOMINIO.LOCAL
kpasswd_protocol = SET_CHANGE
admin_server = ad-dominio.DOMINIO.LOCAL
}

 

[domain_realm]

.DOMINIO.LOCAL = DOMINIO.LOCAL
DOMINIO.LOCAL = DOMINIO.LOCAL

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
                period = 1d
                versions = 10
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable= true
        }

 

 

 

 

AAlmroth's picture

Hi,

 

Your krb5.conf differs a bit from the examples in the bundled agent guide. Have a look if there are additional variables that need to be set.

Second, the user account that you use, does it have the required privileges to make updates in the DNS?

You could try to run with the -d (debug) option on nsupdate, to see whether the DNS server provides additional information.

You could also do a test run in VCS, to see the logging from the DNS agent there.

 

/A
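
A Kerberos-signed dynamic update for the secure-only case discussed in this thread, as an added example that is not from the posters or from the VCS DNS agent. A ticket obtained with `kinit` is only used when `nsupdate` is run with `-g` (GSS-TSIG); without it the update is sent unsigned, which a secure-only zone refuses. It assumes a BIND `nsupdate` built with GSS-TSIG support; the function names are hypothetical, and the batch replaces the A record instead of only adding one.

```shell
#!/bin/sh
# Hypothetical helper: replace the A record of a cluster name via GSS-TSIG.

# Succeed only for a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
  echo "$1" | awk -F. 'NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Emit an nsupdate batch that swaps the A record in a single update message,
# so clients never see both site addresses at once.
build_update() {   # $1 = DNS server, $2 = FQDN, $3 = new IPv4, $4 = TTL
  valid_ipv4 "$3" || { echo "bad address: $3" >&2; return 1; }
  case "$2" in
    ""|*[!A-Za-z0-9.-]*) echo "bad name: $2" >&2; return 1 ;;
  esac
  printf 'server %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
    "$1" "$2" "$2" "$4" "$3"
}

# Send the batch signed with the caller's Kerberos credentials.
secure_update() {  # same arguments as build_update
  batch=$(build_update "$@") || return 1
  # klist -s exits non-zero when the cache holds no valid ticket.
  klist -s || { echo "no valid Kerberos ticket; run kinit first" >&2; return 2; }
  # -g signs the update with GSS-TSIG using that ticket; -d prints the exchange.
  printf '%s\n' "$batch" | nsupdate -g -d
}

# Usage with the names from the post above:
#   secure_update ad-dominio.dominio.local abcde.dominio.local 172.21.31.50 86400
```

The principal in the ticket cache still needs permission on the record in the DNS zone; a REFUSED answer with `-g` in place points at that permission rather than at the signing.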