what did you learn today? (part 2)

Frennzy

Ars Legatus Legionis
85,841
Are you talking about active directory? There are plenty of reasons for static DNS if whatever you are using doesn't support DDNS, but typically you'd rather that work correctly.

Yeah, Active Directory. In general, it's mostly just Windows workstations and servers, Linux servers, and a few printers or MFDs built within the last two or three years. I was always under the impression that the only static entries any AD network genuinely needs are the DCs and the DHCP servers...and that's about it.

Just trying to understand the list of reasons.

Routers. You don't want them dynamic, pretty much ever.
 

hawkbox

Ars Legatus Legionis
13,914
Subscriptor
Are you talking about active directory? There are plenty of reasons for static DNS if whatever you are using doesn't support DDNS, but typically you'd rather that work correctly.

Yeah, Active Directory. In general, it's mostly just Windows workstations and servers, Linux servers, and a few printers or MFDs built within the last two or three years. I was always under the impression that the only static entries any AD network genuinely needs are the DCs and the DHCP servers...and that's about it.

Just trying to understand the list of reasons.

Routers. You don't want them dynamic, pretty much ever.

He's talking DNS name, not IP. I've never seen a router with a DNS entry though, because networking guys seem to prefer to memorize numbers.
 

afidel

Ars Legatus Legionis
18,165
Subscriptor
I had a client who had particular requirements from upstream for security and reporting that made it easier to just use statics (could have used static reservations but then you would have to update it whenever a PC was replaced rather than just looking at the spreadsheet that said user X gets IP Y). It was an office of ~25 people and they had been doing it that way for a decade (this was in 2004-2005 so quite a long time). Admin there even had a script that read the spreadsheet and a log in and replaced IP with user name.
 

Frennzy

Ars Legatus Legionis
85,841
Plus with IPv6, having DNS entries for infrastructure is a quality of life enhancement.

Perhaps the understatement of the year.

The thing about routers? Each interface has an IP, or two, or three. Some have way more. Want to troubleshoot a long distance multihop connection? Those DNS entries are a lifesaver. Also...you know...dynamic routing. Anyone want to play "let's see how often convergence happens and how long it takes!"

Sadly, the resistance to actual managed DNS entries in the network layer is still very prevalent.
 

hawkbox

Ars Legatus Legionis
13,914
Subscriptor
Plus with IPv6, having DNS entries for infrastructure is a quality of life enhancement.

Perhaps the understatement of the year.

The thing about routers? Each interface has an IP, or two, or three. Some have way more. Want to troubleshoot a long distance multihop connection? Those DNS entries are a lifesaver. Also...you know...dynamic routing. Anyone want to play "let's see how often convergence happens and how long it takes!"

Sadly, the resistance to actual managed DNS entries in the network layer is still very prevalent.

Yeah I really don't get it. I DNS the shit out of my servers and storage.
 

CPX

Ars Legatus Legionis
27,044
Subscriptor++
Non-domain-joined clients can't generate DDNS names if you are using Microsoft DHCP/DNS without disabling secure updates (which is a bad idea).

But DHCP can do it for them.

Unfortunately, the site I was at didn't understand that reserved DHCP was infinitely superior for their use case as opposed to completely static IPs.
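One way to configure the DHCP-side registration mentioned above ("DHCP can do it for them") while leaving secure dynamic updates switched on. This is an added example, not from the thread; the server name DHCP01.corp.example, the scope 10.10.20.0 and the service account are placeholders.

```powershell
# Added example (not from the thread). Assumptions: DHCP server DHCP01 in
# domain corp.example, scope 10.10.20.0, and a dedicated low-privilege
# account CORP\svc-dhcpdns created beforehand for DNS updates. Run from an
# elevated, domain-joined admin host with the DhcpServer and
# ActiveDirectory RSAT modules installed.
Import-Module DhcpServer
Import-Module ActiveDirectory

$DhcpServer = 'DHCP01.corp.example'
$ScopeId    = '10.10.20.0'

# 1. Credentials the DHCP service uses when it writes A/PTR records on
#    behalf of clients. Secure updates stay enabled on the zone; the
#    non-domain client never has to authenticate to DNS itself.
$cred = Get-Credential -Message 'Account DHCP uses for DNS updates (CORP\svc-dhcpdns)'
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred

# 2. Put the DHCP server in DnsUpdateProxy so a record is not owned by one
#    DHCP server's computer account (which blocks updates from a partner
#    server later). With step 1 in place the records are owned by the
#    service account instead of being left unsecured.
Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members (Get-ADComputer 'DHCP01')

# 3. For this scope: always register A and PTR, even for clients that do
#    not send option 81, remove the records when the lease expires, and
#    turn on name protection so another client cannot squat on the name.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId `
    -DynamicUpdates Always `
    -UpdateDnsRRForOlderClients $true `
    -DeleteDnsRROnLeaseExpiry $true `
    -NameProtection $true

# 4. Verify the effective scope settings.
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId
```

After a non-domain client next renews its lease, its A and PTR records should appear in the zone owned by the service account rather than by the client.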
 

Danger Mouse

Ars Legatus Legionis
38,791
Subscriptor
Unfortunately, the site I was at didn't understand that reserved DHCP was infinitely superior for their use case as opposed to completely static IPs.

There are two types of IT people. Those who use static IPs, and those who have had to migrate to a new IP scheme.

There's a third kind, the type of IT person who routinely deals with equipment that won't take DHCP reservation properly or the DHCP portion is broken in the firmware and unlikely to be fixed any time soon.
 

Danger Mouse

Ars Legatus Legionis
38,791
Subscriptor
TIL the reason why the UCS manager and therefore the Cisco Hyperflex Platform installer couldn't "find" the Hyperflex nodes was because I foolishly manually configured the CIMC for remote access prior to getting the Fabric Interconnect cluster up.

I couldn't find any fricking thing in 2 days of searching. Finally I tried a slightly different variant of the search terms and blam.

2014.

In my face.

Reset the CIMC to factory defaults, add an IP pool for the OOB management (CIMC) and the discovery started working within a minute.

Dammit.

I feel like I had the tirejack under the bumper.
 

CPX

Ars Legatus Legionis
27,044
Subscriptor++
Speaking of DNS...is Microsoft DNS only secured by user or by computer as well? I've got two major types of workstation, each in their own security groups for ease of permissions or security filtering when needed. I've got a single A record I have to secure that Group A workstations must resolve but Group B workstations must not resolve. I removed the Everyone read permission and set up Group A for explicit allow read, Group B for explicit deny read. Group B is still resolving.

Shouldn't it be that simple?
 
Speaking of DNS...is Microsoft DNS only secured by user or by computer as well? I've got two major types of workstation, each in their own security groups for ease of permissions or security filtering when needed. I've got a single A record I have to secure that Group A workstations must resolve but Group B workstations must not resolve. I removed the Everyone read permission and set up Group A for explicit allow read, Group B for explicit deny read. Group B is still resolving.

Shouldn't it be that simple?

As far as I know all that would do would hide the record from those users if they had access to manage DNS. Lookups are a non-authenticated action.
 

Danger Mouse

Ars Legatus Legionis
38,791
Subscriptor
Cisco Hyperflex Platform

So what do you think of it? I have a customer wanting Cisco, but we've had good success with VxRail and Nutanix so far.

On the one hand, it seems nice.

On the other hand, some obvious stuff is not easily findable on the internet:

- Leave the servers alone! From OOB to start of platform installer, or else
- You may need an IP pool manually added at first to make it work
- It doesn't seem obvious whether the VLANs and subnets are allowed to be reused with other bits of your L2 data center network
- No instructions on WTF to do with your upstream switches, or even what is supported specifically, or jumbo frames, etc. (it does support jumbo frames, but you only find out in the platform installer)

And it's typical Cisco. Why sell you one server appliance and license, when they can sell you a few different server appliance VMs and licenses.

Cisco also seems to be vacillating on whether it is best to have hardware appliances (servers) or VM appliances, not even considering sizing. I suppose the appeal of the hardware licenses is for those who don't want to pay the VMware licensing and have the rackspace/power/CRAC/UPS/etc.

Mind you, this isn't the full UCS experience with the blade chassis, but the Hyperflex nodes which gets you the same 1U and 2U server chassis but with a VIC/line card style LOM onboard. It acts as a linecard for the Fabric Interconnect switches.

The Fabric Interconnect switches appear to use the old Nexus 5010 chassis, but expanded and the NX-OS on it has an entirely different command set. It's a cross between the Nexus and the MDS line, including FC features and licensing.

I could see myself learning to like doing things this way, but I prefer more connectivity and redundancy than I saw.

Lack of sufficiently accessible pertinent documentation is the killer, even if it turns out to be somewhat unnecessary.


I think the best equivalent might be Dell's data center provisioning automation process.
 

CPX

Ars Legatus Legionis
27,044
Subscriptor++
Speaking of DNS...is Microsoft DNS only secured by user or by computer as well? I've got two major types of workstation, each in their own security groups for ease of permissions or security filtering when needed. I've got a single A record I have to secure that Group A workstations must resolve but Group B workstations must not resolve. I removed the Everyone read permission and set up Group A for explicit allow read, Group B for explicit deny read. Group B is still resolving.

Shouldn't it be that simple?

As far as I know all that would do would hide the record from those users if they had access to manage DNS. Lookups are a non-authenticated action.

So I guess my best option is a distributed hosts file?
 

kperrier

Ars Legatus Legionis
21,083
Subscriptor++
I've got a single A record I have to secure that Group A workstations must resolve but Group B workstations must not resolve.
Is the problem name resolution or access? If it actually is name resolution then, well, DNS doesn't really work like that. If it's access, then firewall rules are your solution. Or bespoke hosts files on your servers.
 

CPX

Ars Legatus Legionis
27,044
Subscriptor++
I've got a single A record I have to secure that Group A workstations must resolve but Group B workstations must not resolve.
Is the problem name resolution or access? If it actually is name resolution then, well, DNS doesn't really work like that. If it's access, then firewall rules are your solution. Or bespoke hosts files on your servers.

Bit of both. Basically, I need to do the hosts file or GPO a Windows firewall rule. Could make sense that way.
 

Danger Mouse

Ars Legatus Legionis
38,791
Subscriptor
Here's an example of where Cisco's pre-flight docs aren't doing a good job and where the onscreen error alert is a little obtuse:

REQUIREMENT: Data Network IPs in SAME SUBNET
ERROR: Hosts in different subnets

REQUIREMENT: Management IPs in SAME SUBNET
ERROR: Hosts in different subnets


Except the hosts are in the same damn subnet, because the listed IPs are clearly in the same /24 :facepalm:

And yes, the management IPs are all in the same /24


EDIT: What worked was actually putting the storage controller traffic in the same /24 as the data and management VLANs.

Looking through the startup/setup/administrator's guide didn't reveal these tasty factoids, but then finding the right damn document is hard enough.

EDIT2: Now it doesn't like the Cisco branded SSDs (rebadged Samsung)...
 

CPX

Ars Legatus Legionis
27,044
Subscriptor++
Separate VLANs with an ACL disallowing access to each, with their own DNS server?

Unfortunately, I don't have control of the gateway or the firewall. The only separate VLANs I maintain are for management, SAN, or vSphere stuff. So I should explain why I asked.

Basically, there's a piece of software we use with rather expensive licenses. Group A systems are covered by a license server on a different network while Group B systems must be licensed individually. The engineer who designed group A systems built the workstation wim with basically an alias for the license server in the software and then relies on adding an A record into a particular network's DNS. He's used to networks with only his systems and not group B systems.

As far as I am aware, the vendor doesn't provide Active Directory templates and I have yet to really discover its inner registry workings...hence the DNS approach. It's not my solution, it's the system engineer's solution.

It's ugly from a big-picture perspective, but it makes sense in that it simplifies deployment for offices without on-site administrators. It's easier for him or a remote admin to change the A record if the server's IP or FQDN changes (and it has, quite often apparently) than it would be to reconfigure each deployed system's software and also redistribute the wim for a single changed setting.
 

Klockwerk

Ars Praefectus
3,757
Subscriptor
Nutanix has its weirdness but overall I'm fairly happy with my decision to implement them. Only problem is I don't need the performance they offer, I need the redundancy so selling the plan is hard with the pricing.

I'm in the middle of a shitfight between my department and the architecture group. I want to make some changes to the Nutanix clusters where I work; the architecture group has some concerns so I've put my change on hold twice. I'm getting crap from my managers because they don't understand why architecture have anything to do with operational work, and the architecture group would like someone to do some forward thinking and do some analysis of what impact these changes will have before a core platform is impacted by some random server that decides to go bonkers.

I finally told everyone concerned that they should put on their management pants, sort this crap out and then tell me what's going on. I am not anyone's secretary, and I refuse to play the Telephone game because people can't pick up a phone and call each other directly.
 
Separate VLANs with an ACL disallowing access to each, with their own DNS server?

Unfortunately, I don't have control of the gateway or the firewall. The only separate VLANs I maintain are for management, SAN, or vSphere stuff. So I should explain why I asked.

Basically, there's a piece of software we use with rather expensive licenses. Group A systems are covered by a license server on a different network while Group B systems must be licensed individually. The engineer who designed group A systems built the workstation wim with basically an alias for the license server in the software and then relies on adding an A record into a particular network's DNS. He's used to networks with only his systems and not group B systems.

As far as I am aware, the vendor doesn't provide Active Directory templates and I have yet to really discover its inner registry workings...hence the DNS approach. It's not my solution, it's the system engineer's solution.

It's ugly from a big-picture perspective, but it makes sense in that it simplifies deployment for offices without on-site administrators. It's easier for him or a remote admin to change the A record if the server's IP or FQDN changes (and it has, quite often apparently) than it would be to reconfigure each deployed system's software and also redistribute the wim for a single changed setting.

Since it is a functionality thing and not a security thing, and only a single host, I might actually use a hosts file here. It takes a lot for me to suggest that, but in this case, it is probably the best option if fixing the root cause is not possible. This is assuming that denying a connection via the local firewall on the license server won't accomplish your needs.
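A way to do the hosts-file option from the exchange above (CPX's "hosts file or GPO a Windows firewall rule" and the suggestion just above), as an added example that is not from the thread: a PowerShell computer startup script for a GPO security-filtered to the Group A workstation group, so Group B never receives the entry. The alias licsrv.corp.example and the address 10.10.50.25 are placeholders for the alias baked into the WIM and the license server's current IP.

```powershell
# Added example (not from the thread). Assumptions: the alias the WIM was
# built with is licsrv.corp.example (placeholder) and the license server is
# currently 10.10.50.25 (placeholder). Idempotent: re-running after the
# server's IP changes replaces the line instead of appending a duplicate.
param(
    [string]$HostName = 'licsrv.corp.example',
    [string]$Address  = '10.10.50.25'
)
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$marker    = '# managed-by-gpo:licsrv'   # tag so only this line is ever replaced
$newLine   = "$Address`t$HostName`t$marker"

$lines = @()
if (Test-Path $hostsPath) { $lines = @(Get-Content -Path $hostsPath -ErrorAction Stop) }

# Keep every line except our tagged entry and any untagged, uncommented
# line that already maps this host name (a hand-edited leftover).
$nameToken = "(^|\s)$([regex]::Escape($HostName))(\s|$)"
$kept = @($lines | Where-Object {
    $_ -notmatch [regex]::Escape($marker) -and
    (($_ -replace '#.*$', '').Trim() -notmatch $nameToken)
})

$desired = $kept + $newLine
if (($lines -join "`n") -eq ($desired -join "`n")) {
    Write-Output "hosts entry already current: $newLine"
    return
}

# hosts must be plain ASCII with CRLF line endings; Set-Content does that.
Set-Content -Path $hostsPath -Value $desired -Encoding Ascii -ErrorAction Stop
Clear-DnsClientCache          # drop any cached answer for the old address
Write-Output "hosts entry set: $newLine"
```

This only changes what the name resolves to on Group A machines; as noted above, Group B can still reach the server by IP, so restricting access still belongs to the firewall on the license server.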
 

Danger Mouse

Ars Legatus Legionis
38,791
Subscriptor
...TIL the Cisco Hyperflex data platform manager lacks sufficient logging to grok WTF the problem is and some problems are obtuse and annoying.

i.e. Going to the earlier version of the platform installer did take care of the compatibility issue with Cisco gear (new in box), but a different error cropped up looking for a nonexistent version of a bundle

The fix of course is to take the bundle that is almost the exact same name and upload a copy of it with the 1 letter difference and then it continues

Now it's been doing the server config portion for the last 30 minutes, which is somewhat concerning, but maybe expected since I did select "clean partitions" in the advanced setup.

EDIT: about 1 hour is what it took to get through the final corrected validation checks and config