
Netbackup VCS Cluster 2 sites

Created: 01 May 2014 | 4 comments

Hello everybody, first of all I want to thank you for helping me to solve my issues.

This time I need to set up a NetBackup server global cluster distributed across 2 sites. Each site has its IP address segment, so when the service group is running in the first site, clients must resolve the IP address assigned in that site.

When the service group changes to the second site, clients must resolve the IP address for the second site.

The cluster is running and we can do the switchover from primary site to secondary and vice versa. At the DNS level we have two DNS records pointing to both primary and secondary sites' IP addresses.

The issue we are facing is that we can ping the master on the site that runs the service group but not from the other; if we switch over, it is the same.

This is the result of nslookup, and the ping does not respond.

the service group run in the

bash-3.00# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet netmask ff000000
e1000g0: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet netmask ffffff00 broadcast
        ether 0:c:29:5b:c5:90
e1000g1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet netmask ffffff00 broadcast
        ether 0:c:29:5b:c5:9a

bash-3.00# nslookup master

Name:   master.dominio.local
Name:   master.dominio.local

bash-3.00# ping master     (No response)


Nicolai's picture

Something is not right with your configuration. A cluster service address needs to be on the SAME IP segment on both sides, and you usually don't use the IP address of the physical node to address traffic to clients. Symantec NetBackup has logic that enables them to set the source IP address on outbound traffic to the cluster service IP and not the physical node.

But I also think you got one more address wrong. The physical node has (e1000g0) and something else has (e1000g1). The address you are trying to reach is But since no NIC has the IP address of, it will not be able to respond to pings.

Assumption is the mother of all mess ups.

If this post answered your question - Please mark as a solution.

AAlmroth's picture

There doesn't seem to be a virtual IP set on the node you have run ifconfig on. As Nicolai says, VCS should control the ifup/ifdown of an IP address not bound to a specific host.

If possible, send the VCS for us to study how the two clusters are set up.

Also, using DNS round-robin (two or more IP addresses resolvable for the same host) is not a good solution in NetBackup, as only one address should be "online" at any time. If clients try to resolve, they would fail on every second lookup.

Also, NetBackup uses an internal host cache, which records name and IP, and this would also add some noise if using two different IP addresses for the master server. This can most likely be worked around. The feature in my opinion sometimes adds more problems and time spent on troubleshooting than it actually works in large environments (IMHO).

That said, you could certainly use two different IP addresses, but it would require another approach in DNS. VCS supports updating the DNS record (using SecDNS functionality) when you switch between the clusters (GCO).

You would need to add a DNS resource in your service groups in both clusters. This will update the DNS server, and clients can now resolve the correct "online" IP address. Please note that this approach does require additional security setup on your DNS servers.

The internal host cache in NBU would need to be looked at in more detail, to see if this can be solved somehow neatly.

/A's picture

Thank you for replying. 

I am implementing the DNS Agent from VCS, but I can update the IP address where the NetBackup services are running only when non-secure updates are enabled on the DNS server.

Because this is a production environment, I cannot use non-secure updates in the DNS. I have enabled the Kerberos configuration and I also added a user in Active Directory in order to log into the DNS with kinit so that I can update the DNS records.

The cluster servers are running on Solaris 11.

When I log into the AD I get the following:

root@master2:~# kinit abcd
Password for abcd@DOMINIO.LOCAL:
kinit:  no ktkt_warnd warning possible

I have logged into

root@master2:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: abcd@DOMINIO.LOCAL

Valid starting                Expires                Service principal
05/08/14 19:18:26  05/09/14 05:18:27  krbtgt/DOMINIO.LOCAL@DOMINIO.LOCAL
        renew until 05/15/14 19:18:26

I am using a sample file to update the DNS record

root@master2:~# cat
server ad-dominio.dominio.local
update add abcde.dominio.local 86400 A

When I try to update the DNS record I got this

root@master2:~# nsupdate
update failed: REFUSED

This is my krb5.conf

root@master2:~# cat /etc/krb5/krb5.conf


default_realm = DOMINIO.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5



kdc = ad-dominio.DOMINIO.LOCAL
kpasswd_server = ad-dominio.DOMINIO.LOCAL
kpasswd_protocol = SET_CHANGE
admin_server = ad-dominio.DOMINIO.LOCAL



        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {                period = 1d

versions = 10


        kinit = {
                renewable = true
                forwardable= true

AAlmroth's picture


Your krb5.conf differs a bit from the examples in the bundled agent guide. Have a look to see if there are additional variables that need to be set.

Second, the user account that you use, does it have the required privileges to make updates in the DNS?

You could try to run with the -d (debug) option on nsupdate, to see whether the DNS server provides additional information.

You could also do a test run in VCS, to see the logging from the DNS agent there.
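
The manual test discussed in this thread (Kerberos ticket, nsupdate batch file, debug output), as an added shell example that is not part of any post and not VCS agent code. It assumes an nsupdate build with GSS-TSIG support (`-g`); the server and record names come from the post, and 192.0.2.10 is a constructed placeholder address.

```shell
#!/usr/bin/env bash
# Added example. Function names and result tokens are hypothetical.

# Emit an nsupdate batch that replaces the A record (delete, then add),
# so only the active site's address resolves after a switch.
build_update() {   # args: server name ttl ipv4
  case $4 in
    *[!0-9.]*|"") echo "bad IPv4 address: $4" >&2; return 1 ;;
  esac
  printf 'server %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
    "$1" "$2" "$2" "$3" "$4"
}

# Map nsupdate output to the next thing to check (heuristic, text match).
classify_result() {   # arg: combined stdout/stderr of nsupdate
  case $1 in
    # GSS-TSIG negotiation never completed: check the ticket cache, clock
    # skew, the enctypes in krb5.conf and the DNS server's service principal.
    *"tkey query failed"*)       echo "gss-negotiation-failed" ;;
    # Server policy rejected the update: it was sent unsigned to a zone that
    # accepts only secure updates, or the principal may not write the record.
    *"update failed: REFUSED"*)  echo "refused" ;;
    *"update failed:"*)          echo "failed-other" ;;
    *)                           echo "no-failure-reported" ;;
  esac
}

# Send a signed update; needs a valid ticket from kinit in the cache.
secure_update() {   # args: server name ttl ipv4
  local batch out
  klist -s || { echo "no-valid-ticket"; return 1; }
  batch=$(build_update "$@") || return 1
  out=$(printf '%s\n' "$batch" | nsupdate -g -d 2>&1) || true
  printf '%s\n' "$out" >&2      # keep the debug trace for review
  classify_result "$out"
}

# Usage: ./dns_switch.sh run ad-dominio.dominio.local abcde.dominio.local 86400 192.0.2.10
if [ "${1:-}" = "run" ]; then
  shift
  secure_update "$@"
fi
```

A record TTL of 86400 lets resolvers and clients cache the previous site's address for up to a day after a switch, so the TTL is worth reviewing together with the update itself.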