Posted to users@cloudstack.apache.org by David Ortiz <dp...@outlook.com> on 2013/04/22 22:42:58 UTC

Using different DNS for guests than Virtual Router

Hello,
    I am trying to set up a Windows AD server as a guest on my cloudstack cluster, and join my other guests to the domain it is serving using PowerBroker Identity Services Open.  From what I am seeing, the virtual router will block me from being able to perform nslookup or join the domain using the domainjoin-cli command.  If I modify /etc/resolv.conf to point directly at my DC as the dns server, it can join the domain without any issues.  Unfortunately when I reboot, the dhcp setup with the virtual router will point it back to the virtual router as the name server.  I also found that I could get nslookup (but not joining the domain) to work by playing with the dnsmasq.conf settings on the virtual router a little bit, which works until it is rebooted at which point they revert back to what they had been originally.  Is there a way to get the virtual router to point guests at the domain controller as the DNS, or to set up the dnsmasq to allow the AD joins to occur (and make those settings persistent)?  Or alternatively, would I be able to set up DHCP on the DC and just circumvent the virtual router entirely?
Thanks,
David Ortiz

RE: Using different DNS for guests than Virtual Router

Posted by David Ortiz <dp...@outlook.com>.
Shanker,
       I actually did not realize I could set it to ignore dhcp settings for dns from the client side.  I was trying to figure out how to get the VR to issue the dns settings I was interested in the guests having.
Thanks for that information,
David

From: shanker.balan@shapeblue.com
To: users@cloudstack.apache.org
Subject: Re: Using different DNS for guests than Virtual Router
Date: Wed, 24 Apr 2013 04:31:20 +0000







Re: Using different DNS for guests than Virtual Router

Posted by Shanker Balan <sh...@shapeblue.com>.
On 23-Apr-2013, at 2:12 AM, David Ortiz <dp...@outlook.com> wrote:

> Hello,
>    I am trying to set up a Windows AD server as a guest on my cloudstack cluster, and join my other guests to the domain it is serving using PowerBroker Identity Services Open.  From what I am seeing, the virtual router will block me from being able to perform nslookup or join the domain using the domainjoin-cli command.

David, I don't fully understand how the VR can block you from doing nslookups. While the VR does provide DNS services, I have not seen it prevent DHCP clients from using other DNS services (like 8.8.8.8) if a client is configured to use something else.

> If I modify /etc/resolv.conf to point directly at my DC as the dns server, it can join the domain without any issues.  Unfortunately when I reboot, the dhcp setup with the virtual router will point it back to the virtual router as the name server.

Yes, that's expected behaviour from DHCP clients. They will default to DHCP server supplied DNS information.

This default behaviour can be modified depending on your client OS. On Linux distros using "dhclient", look at the dhclient.conf(5) man page for "supersede".

       The supersede statement

        supersede [ option declaration ] ;

       If for some option the client should always  use  a  locally-configured
       value  or  values rather than whatever is supplied by the server, these
       values can be defined in the supersede statement.

> I also found that I could get nslookup (but not joining the domain) to work by playing with the dnsmasq.conf settings on the virtual router a little bit, which works until it is rebooted at which point they revert back to what they had been originally.  Is there a way to get the virtual router to point guests at the domain controller as the DNS, or to set up the dnsmasq to allow the AD joins to occur (and make those settings persistent)?  Or alternatively, would I be able to set up DHCP on the DC and just circumvent the virtual router entirely?

The dhclient supersede option would fix the problem for you cleanly. The DHCP client will default to AD for DNS lookups and the join would succeed.

Hth.

--
Shanker Balan
Managing Consultant

M: +91 98860 60539
shanker.balan@shapeblue.com | www.shapeblue.com | Twitter:@shapeblue
ShapeBlue India, 22nd floor, Unit 2201, World Trade Centre, Bangalore - 560 055

This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is operated under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
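
The dhclient.conf change suggested in the message above, as an added example that is not part of the original thread: it writes "supersede" statements idempotently and then checks that a resolv.conf lists only the domain controllers. The 10.1.1.x addresses, the corp.example.test domain and the temporary files are constructed placeholders; the real dhclient.conf path depends on the distribution.

```shell
#!/bin/sh
# Added example (not from the thread). All addresses, names and paths are
# constructed placeholders; point the functions at your real files.

# ensure_supersede CONF OPTION VALUE
# Leaves exactly one "supersede OPTION VALUE;" line in CONF.
# Older supersede/prepend/append lines for the same option are dropped,
# because a leftover "prepend domain-name-servers ..." would still put
# another resolver in front of the domain controllers.
# Handles one statement per line, which is how dhclient.conf is usually written.
ensure_supersede() {
    conf=$1 option=$2 value=$3
    [ -f "$conf" ] || : > "$conf"
    tmp=$(mktemp) || return 1
    sed -E "/^[[:space:]]*(supersede|prepend|append)[[:space:]]+${option}[[:space:]]/d" \
        "$conf" > "$tmp"
    printf 'supersede %s %s;\n' "$option" "$value" >> "$tmp"
    cat "$tmp" > "$conf"    # overwrite in place so ownership and mode are kept
    rm -f "$tmp"
}

# resolv_uses_only RESOLV IP...
# Succeeds only if RESOLV has at least one nameserver line and every
# nameserver listed is one of the given IPs.
resolv_uses_only() {
    resolv=$1
    shift
    allowed=" $* "
    found=0
    while read -r key addr rest || [ -n "$key" ]; do
        [ "$key" = "nameserver" ] || continue
        found=1
        case "$allowed" in
            *" $addr "*) ;;
            *) return 1 ;;
        esac
    done < "$resolv"
    [ "$found" -eq 1 ]
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed dhclient.conf that still prepends a public resolver.
    printf 'timeout 60;\nprepend domain-name-servers 8.8.8.8;\n' > "$dir/dhclient.conf"
    ensure_supersede "$dir/dhclient.conf" domain-name-servers "10.1.1.10, 10.1.1.11"
    ensure_supersede "$dir/dhclient.conf" domain-name '"corp.example.test"'
    cat "$dir/dhclient.conf"
    # Constructed resolv.conf as written from the virtual router's lease,
    # before the client has renewed with the new configuration.
    printf 'nameserver 10.1.1.1\n' > "$dir/resolv.conf"
    if resolv_uses_only "$dir/resolv.conf" 10.1.1.10 10.1.1.11; then
        echo "resolv.conf: only the domain controllers are listed"
    else
        echo "resolv.conf: another resolver is still listed; renew the lease"
    fi
    rm -rf "$dir"
}

demo
```

Run resolv_uses_only against /etc/resolv.conf after a reboot to confirm the setting survived the DHCP renewal.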

RE: Using different DNS for guests than Virtual Router

Posted by David Ortiz <dp...@outlook.com>.
Matt,
     Once I removed the old virtual router and let it create a new one, that seemed to take care of it.  It is now doing exactly what you said would happen in terms of the nameservers being allocated, and my guests seem able to join the domain fine.
Thanks for the help!
David Ortiz
> From: dportiz@outlook.com
> To: users@cloudstack.apache.org
> Subject: RE: Using different DNS for guests than Virtual Router
> Date: Tue, 23 Apr 2013 13:28:10 -0400

RE: Using different DNS for guests than Virtual Router

Posted by David Ortiz <dp...@outlook.com>.
Matt,
     The ID of the network offering is 6.  Here is what I tried so far.  I was able to get it to show up as no longer supporting dns in the Cloudstack GUI, but when I rebooted the virtual router it still had it enabled.  Going to try deleting it and letting it be recreated though.
mysql> use cloud;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from network_offerings where id=6;
+----+-------------------------------------------+--------------------------------------+-------------------------------------------+-----------------------------------------------------+---------+---------+--------------+------+-------------+--------------+---------------------+---------------+---------------------+---------+---------+--------------+----------------------+---------------------------+----------+--------------------------+---------+------------+--------------------+--------------------+-------------------+
| id | name                                      | uuid                                 | unique_name                               | display_text                                        | nw_rate | mc_rate | traffic_type | tags | system_only | specify_vlan | service_offering_id | conserve_mode | created             | removed | default | availability | dedicated_lb_service | shared_source_nat_service | sort_key | redundant_router_service | state   | guest_type | elastic_ip_service | elastic_lb_service | specify_ip_ranges |
+----+-------------------------------------------+--------------------------------------+-------------------------------------------+-----------------------------------------------------+---------+---------+--------------+------+-------------+--------------+---------------------+---------------+---------------------+---------+---------+--------------+----------------------+---------------------------+----------+--------------------------+---------+------------+--------------------+--------------------+-------------------+
|  6 | DefaultSharedNetworkOfferingWithSGService | dd92b963-7ebc-406c-8751-21ed0d80b231 | DefaultSharedNetworkOfferingWithSGService | Offering for Shared Security group enabled networks |    NULL |    NULL | Guest        | NULL |           0 |            1 |                NULL |             1 | 2013-04-08 21:25:16 | NULL    |       1 | Optional     |                    1 |                         0 |        0 |                        0 | Enabled | Shared     |                  0 |                  0 |                 1 |
+----+-------------------------------------------+--------------------------------------+-------------------------------------------+-----------------------------------------------------+---------+---------+--------------+------+-------------+--------------+---------------------+---------------+---------------------+---------+---------+--------------+----------------------+---------------------------+----------+--------------------------+---------+------------+--------------------+--------------------+-------------------+

mysql> select * from ntwk_offering_service_map;
+----+---------------------+----------------+-----------------------+---------------------+
| id | network_offering_id | service        | provider              | created             |
+----+---------------------+----------------+-----------------------+---------------------+
|  1 |                   6 | UserData       | VirtualRouter         | 2013-04-08 21:25:16 |
|  2 |                   6 | Dns            | VirtualRouter         | 2013-04-08 21:25:16 |
|  3 |                   6 | SecurityGroup  | SecurityGroupProvider | 2013-04-08 21:25:16 |
|  4 |                   6 | Dhcp           | VirtualRouter         | 2013-04-08 21:25:16 |
|  5 |                   7 | UserData       | VirtualRouter         | 2013-04-08 21:25:16 |
|  6 |                   7 | Dns            | VirtualRouter         | 2013-04-08 21:25:16 |
|  7 |                   7 | Dhcp           | VirtualRouter         | 2013-04-08 21:25:16 |
|  8 |                   8 | PortForwarding | VirtualRouter         | 2013-04-08 21:25:16 |
|  9 |                   8 | UserData       | VirtualRouter         | 2013-04-08 21:25:16 |
| 10 |                   8 | Dns            | VirtualRouter         | 2013-04-08 21:25:16 |
| 11 |                   8 | StaticNat      | VirtualRouter         | 2013-04-08 21:25:16 |
| 12 |                   8 | Lb             | VirtualRouter         | 2013-04-08 21:25:16 |
| 13 |                   8 | SourceNat      | VirtualRouter         | 2013-04-08 21:25:16 |
| 14 |                   8 | Firewall       | VirtualRouter         | 2013-04-08 21:25:16 |
| 15 |                   8 | Gateway        | VirtualRouter         | 2013-04-08 21:25:16 |
| 16 |                   8 | Vpn            | VirtualRouter         | 2013-04-08 21:25:16 |
| 17 |                   8 | Dhcp           | VirtualRouter         | 2013-04-08 21:25:16 |
| 18 |                   9 | UserData       | VirtualRouter         | 2013-04-08 21:25:16 |
| 19 |                   9 | Dns            | VirtualRouter         | 2013-04-08 21:25:16 |
| 20 |                   9 | Dhcp           | VirtualRouter         | 2013-04-08 21:25:16 |
| 21 |                  10 | UserData       | VirtualRouter         | 2013-04-08 21:25:16 |
| 22 |                  10 | Dns            | VirtualRouter         | 2013-04-08 21:25:16 |
| 23 |                  10 | Lb             | Netscaler             | 2013-04-08 21:25:16 |
| 24 |                  10 | StaticNat      | Netscaler             | 2013-04-08 21:25:16 |
| 25 |                  10 | SecurityGroup  | SecurityGroupProvider | 2013-04-08 21:25:16 |
| 26 |                  10 | Dhcp           | VirtualRouter         | 2013-04-08 21:25:16 |
| 27 |                  11 | PortForwarding | VpcVirtualRouter      | 2013-04-08 21:25:16 |
| 28 |                  11 | UserData       | VpcVirtualRouter      | 2013-04-08 21:25:16 |
| 29 |                  11 | NetworkACL     | VpcVirtualRouter      | 2013-04-08 21:25:16 |
| 30 |                  11 | Dns            | VpcVirtualRouter      | 2013-04-08 21:25:16 |
| 31 |                  11 | StaticNat      | VpcVirtualRouter      | 2013-04-08 21:25:16 |
| 32 |                  11 | Lb             | VpcVirtualRouter      | 2013-04-08 21:25:16 |
| 33 |                  11 | SourceNat      | VpcVirtualRouter      | 2013-04-08 21:25:16 |
| 34 |                  11 | Gateway        | VpcVirtualRouter      | 2013-04-08 21:25:16 |
| 35 |                  11 | Vpn            | VpcVirtualRouter      | 2013-04-08 21:25:16 |
| 36 |                  11 | Dhcp           | VpcVirtualRouter      | 2013-04-08
| 37 |                  12 | PortForwarding | VpcVirtualRouter      | 2013-04-08
| 38 |                  12 | UserData       | VpcVirtualRouter      | 2013-04-08
| 39 |                  12 | NetworkACL     | VpcVirtualRouter      | 2013-04-08
| 40 |                  12 | Dns            | VpcVirtualRouter      | 2013-04-08
| 41 |                  12 | StaticNat      | VpcVirtualRouter      | 2013-04-08
| 42 |                  12 | SourceNat      | VpcVirtualRouter      | 2013-04-08
| 43 |                  12 | Gateway        | VpcVirtualRouter      | 2013-04-08
| 44 |                  12 | Vpn            | VpcVirtualRouter      | 2013-04-08
| 45 |                  12 | Dhcp           | VpcVirtualRouter      | 2013-04-08
+----+---------------------+----------------+-----------------------+-----------
45 rows in set (0.00 sec)

mysql> delete from ntwk_offering_service_map where id=2;
Query OK, 1 row affected (0.01 sec)

mysql> quit

Thanks,
David

> From: mathias.mullins@citrix.com
> To: users@cloudstack.apache.org
> Subject: Re: Using different DNS for guests than Virtual Router
> Date: Tue, 23 Apr 2013 16:59:20 +0000
> 
> There is, I'll have to work on the SQL statement later today for you.
> What's the ID of your network offering that you are using?
> 
> Thanks,
> Matt 
> 
> 
> On 4/23/13 9:56 AM, "David Ortiz" <dp...@outlook.com> wrote:
> 
> >Matt,
> >    That sounds like exactly what I am going for.  Is there a way to
> >disable dns on a network/virtual router that already exists, or would I
> >need to do this prior to creating the zone?
> >Thanks,     David
> >
> >> From: mathias.mullins@citrix.com
> >> To: users@cloudstack.apache.org
> >> Subject: Re: Using different DNS for guests than Virtual Router
> >> Date: Tue, 23 Apr 2013 16:04:02 +0000
> >> 
> >> David, 
> >> 
> >> I've done a lot of installs with AD. Your best bet is to just remove the
> >> DNS function from the virtual router. Leave DHCP in place, don't have
> >> that be taken over by external DHCP as it will cause issues.
> >> 
> >> Also tweaking the dnsmasq is a short term fix as it will only go away once
> >> the VR reboots.
> >> 
> >> Once you remove DNS, you then set your public and private DNS in the zone
> >> to your active directory servers. That will automatically filter down to
> >> the VMs and you'll get the desired results.
> >> 
> >> Hope this helps,
> >> Matt 
> >> 
> >> 
> >> On 4/23/13 8:51 AM, "David Ortiz" <dp...@outlook.com> wrote:
> >> 
> >> >Hello Ahmad,
> >> >      That was my initial attempt.  The issue I ran into was that the
> >> >dnsmasq settings on the Virtual Router seem to block the traffic that was
> >> >required for the machine to join the domain.  I played around with the
> >> >settings a little bit and was able to get it to find the domain, so I
> >> >would imagine that I could tweak it some more to not be an issue.
> >> >However, any changes I make on the virtual router only last until it is
> >> >restarted, so without a way to make those permanent I have to circumvent
> >> >it entirely.  The blog post that Murali linked for how to set up a
> >> >network without DHCP and DNS seems like it was probably the correct way
> >> >to do it, but as far as I can tell would require me to start my zone from
> >> >scratch, so I am trying to avoid that if possible.
> >> >Thanks,       David Ortiz
> >> >
> >> >> CC: users@cloudstack.apache.org
> >> >> From: aemneina@gmail.com
> >> >> Subject: Re: Using different DNS for guests than Virtual Router
> >> >> Date: Tue, 23 Apr 2013 08:49:06 -0700
> >> >> To: users@cloudstack.apache.org
> >> >> 
> >> >> Coming from someone that has no clue about active directory... If you're
> >> >> using a basic zone, why don't you have the AD server deployed outside of
> >> >> cloudstack's control. Then have your dns entries point to it. Have
> >> >> the default security group for guests open to the ports AD works on.
> >> >> 
> >> >> Ahmad
> >> >> 
> >> >> On Apr 22, 2013, at 1:42 PM, David Ortiz <dp...@outlook.com> wrote:
> >> >> 
> >> >> > Hello,
> >> >> >    I am trying to set up a Windows AD server as a guest on my
> >> >>cloudstack cluster, and join my other guests to the domain it is
> >>serving
> >> >>using PowerBroker Identity Services Open.  From what I am seeing, the
> >> >>virtual router will block me from being able to perform nslookup or
> >>join
> >> >>the domain using the domainjoin-cli command.  If I modify
> >> >>/etc/resolv.conf to point directly at my DC as the dns server, it can
> >> >>join the domain without any issues.  Unfortunately when I reboot, the
> >> >>dhcp setup with the virtual router will point it back to the virtual
> >> >>router as the name server.  I also found that I could get nslookup
> >>(but
> >> >>not joining the domain) to work by playing with the dnsmasq.conf
> >> >>settings on the virtual router a little bit, which works until it is
> >> >>rebooted at which point they revert back to what they had been
> >> >>originally.  Is there a way to get the virtual router to point guests
> >>at
> >> >>the domain controller as the DNS, or to set up the dnsmasq to allow
> >>the
> >> >>AD joins to occur (and make those settings persistent)?  Or
> >> >>alternatively, would I be able to set up DHCP on the DC and just
> >> >>circumvent the virtual router entirely?
> >> >> > Thanks,
> >> >> >     David Ortiz

Re: Using different DNS for guests than Virtual Router

Posted by Mathias Mullins <ma...@citrix.com>.
There is, I'll have to work on the SQL statement later today for you.
What's the ID of your network offering that you are using?

Thanks,
Matt 


On 4/23/13 9:56 AM, "David Ortiz" <dp...@outlook.com> wrote:

>Matt,
>    That sounds like exactly what I am going for.  Is there a way to
>disable dns on a network/virtual router that already exists, or would I
>need to do this prior to creating the zone?
>Thanks,     David
>
>> From: mathias.mullins@citrix.com
>> To: users@cloudstack.apache.org
>> Subject: Re: Using different DNS for guests than Virtual Router
>> Date: Tue, 23 Apr 2013 16:04:02 +0000
>> 
>> David, 
>> 
>> I've done a lot of installs with AD. Your best bet is to just remove the
>> DNS function from the virtual router. Leave DHCP in place, don't have
>> that be taken over by external DHCP as it will cause issues.
>> 
>> Also tweaking the dnsmasq is a short term fix as it will only go away
>>once
>> the VR reboots.
>> 
>> Once you remove DNS, you then set your public and private DNS in the
>>zone
>> to your active directory servers. That will automatically filter down to
>> the VMs and you'll get the desired results.
>> 
>> Hope this helps,
>> Matt 
>> 
>> 
>> On 4/23/13 8:51 AM, "David Ortiz" <dp...@outlook.com> wrote:
>> 
>> >Hello Ahmad,
>> >      That was my initial attempt.  The issue I ran into was that the
>> >dnsmasq settings on the Virtual Router seem to block the traffic that
>>was
>> >required for the machine to join the domain.  I played around with the
>> >settings a little bit and was able to get it to find the domain, so I
>> >would imagine that I could tweak it some more to not be an issue.
>> >However, any changes I make on the virtual router only last until it is
>> >restarted, so without a way to make those permanent I have to
>>circumvent
>> >it entirely.  The blog post that Murali linked for how to set up a
>> >network without DHCP and DNS seems like it was probably the correct way
>> >to do it, but as far as I can tell would require me to start my zone
>>from
>> >scratch, so I am trying to avoid that if possible.
>> >Thanks,       David Ortiz
>> >
>> >> CC: users@cloudstack.apache.org
>> >> From: aemneina@gmail.com
>> >> Subject: Re: Using different DNS for guests than Virtual Router
>> >> Date: Tue, 23 Apr 2013 08:49:06 -0700
>> >> To: users@cloudstack.apache.org
>> >> 
>> >> Coming from someone that has no clue about active directory... If
>> >> you're using a basic zone, why don't you have the AD server deployed
>> >> outside of cloudstack's control? Then have your dns entries point to
>> >> it. Have the default security group for guests open to the ports AD
>> >> works on.
>> >> 
>> >> Ahmad
>> >> 
>> >> On Apr 22, 2013, at 1:42 PM, David Ortiz <dp...@outlook.com> wrote:
>> >> 
>> >> > Hello,
>> >> >    I am trying to set up a Windows AD server as a guest on my
>> >>cloudstack cluster, and join my other guests to the domain it is
>>serving
>> >>using PowerBroker Identity Services Open.  From what I am seeing, the
>> >>virtual router will block me from being able to perform nslookup or
>>join
>> >>the domain using the domainjoin-cli command.  If I modify
>> >>/etc/resolv.conf to point directly at my DC as the dns server, it can
>> >>join the domain without any issues.  Unfortunately when I reboot, the
>> >>dhcp setup with the virtual router will point it back to the virtual
>> >>router as the name server.  I also found that I could get nslookup
>>(but
>> >>not joining the domain) to work by playing with the dnsmasq.conf
>> >>settings on the virtual router a little bit, which works until it is
>> >>rebooted at which point they revert back to what they had been
>> >>originally.  Is there a way to get the virtual router to point guests
>>at
>> >>the domain controller as the DNS, or to set up the dnsmasq to allow
>>the
>> >>AD joins to occur (and make those settings persistent)?  Or
>> >>alternatively, would I be able to set up DHCP on the DC and just
>> >>circumvent the virtual router entirely?
>> >> > Thanks,
>> >> >     David Ortiz


RE: Using different DNS for guests than Virtual Router

Posted by David Ortiz <dp...@outlook.com>.
Matt,
    That sounds like exactly what I am going for.  Is there a way to disable dns on a network/virtual router that already exists, or would I need to do this prior to creating the zone?
Thanks,     David

> From: mathias.mullins@citrix.com
> To: users@cloudstack.apache.org
> Subject: Re: Using different DNS for guests than Virtual Router
> Date: Tue, 23 Apr 2013 16:04:02 +0000
> 
> David, 
> 
> I've done a lot of installs with AD. Your best bet is to just remove the
> DNS function from the virtual router. Leave DHCP in place, don't have
> that be taken over by external DHCP as it will cause issues.
> 
> Also tweaking the dnsmasq is a short term fix as it will only go away once
> the VR reboots.
> 
> Once you remove DNS, you then set your public and private DNS in the zone
> to your active directory servers. That will automatically filter down to
> the VMs and you'll get the desired results.
> 
> Hope this helps, 
> Matt 
> 
> 
> On 4/23/13 8:51 AM, "David Ortiz" <dp...@outlook.com> wrote:
> 
> >Hello Ahmad,
> >      That was my initial attempt.  The issue I ran into was that the
> >dnsmasq settings on the Virtual Router seem to block the traffic that was
> >required for the machine to join the domain.  I played around with the
> >settings a little bit and was able to get it to find the domain, so I
> >would imagine that I could tweak it some more to not be an issue.
> >However, any changes I make on the virtual router only last until it is
> >restarted, so without a way to make those permanent I have to circumvent
> >it entirely.  The blog post that Murali linked for how to set up a
> >network without DHCP and DNS seems like it was probably the correct way
> >to do it, but as far as I can tell would require me to start my zone from
> >scratch, so I am trying to avoid that if possible.
> >Thanks,       David Ortiz
> >
> >> CC: users@cloudstack.apache.org
> >> From: aemneina@gmail.com
> >> Subject: Re: Using different DNS for guests than Virtual Router
> >> Date: Tue, 23 Apr 2013 08:49:06 -0700
> >> To: users@cloudstack.apache.org
> >> 
> >> Coming from someone that has no clue about active directory... If you're
> >>using a basic zone, why don't you have the AD server deployed outside of
> >>cloudstack's control? Then have your dns entries point to it. Have
> >>the default security group for guests open to the ports AD works on.
> >> 
> >> Ahmad
> >> 
> >> On Apr 22, 2013, at 1:42 PM, David Ortiz <dp...@outlook.com> wrote:
> >> 
> >> > Hello,
> >> >    I am trying to set up a Windows AD server as a guest on my
> >>cloudstack cluster, and join my other guests to the domain it is serving
> >>using PowerBroker Identity Services Open.  From what I am seeing, the
> >>virtual router will block me from being able to perform nslookup or join
> >>the domain using the domainjoin-cli command.  If I modify
> >>/etc/resolv.conf to point directly at my DC as the dns server, it can
> >>join the domain without any issues.  Unfortunately when I reboot, the
> >>dhcp setup with the virtual router will point it back to the virtual
> >>router as the name server.  I also found that I could get nslookup (but
> >>not joining the domain) to work by playing with the dnsmasq.conf
> >>settings on the virtual router a little bit, which works until it is
> >>rebooted at which point they revert back to what they had been
> >>originally.  Is there a way to get the virtual router to point guests at
> >>the domain controller as the DNS, or to set up the dnsmasq to allow the
> >>AD joins to occur (and make those settings persistent)?  Or
> >>alternatively, would I be able to set up DHCP on the DC and just
> >>circumvent the virtual router entirely?
> >> > Thanks,
> >> >     David Ortiz

Re: Using different DNS for guests than Virtual Router

Posted by Mathias Mullins <ma...@citrix.com>.
David, 

I've done a lot of installs with AD. Your best bet is to just remove the
DNS function from the virtual router. Leave DHCP in place, don't have
that be taken over by external DHCP as it will cause issues.

Also tweaking the dnsmasq is a short term fix as it will only go away once
the VR reboots.

Once you remove DNS, you then set your public and private DNS in the zone
to your active directory servers. That will automatically filter down to
the VMs and you'll get the desired results.

Hope this helps, 
Matt 


On 4/23/13 8:51 AM, "David Ortiz" <dp...@outlook.com> wrote:

>Hello Ahmad,
>      That was my initial attempt.  The issue I ran into was that the
>dnsmasq settings on the Virtual Router seem to block the traffic that was
>required for the machine to join the domain.  I played around with the
>settings a little bit and was able to get it to find the domain, so I
>would imagine that I could tweak it some more to not be an issue.
>However, any changes I make on the virtual router only last until it is
>restarted, so without a way to make those permanent I have to circumvent
>it entirely.  The blog post that Murali linked for how to set up a
>network without DHCP and DNS seems like it was probably the correct way
>to do it, but as far as I can tell would require me to start my zone from
>scratch, so I am trying to avoid that if possible.
>Thanks,       David Ortiz
>
>> CC: users@cloudstack.apache.org
>> From: aemneina@gmail.com
>> Subject: Re: Using different DNS for guests than Virtual Router
>> Date: Tue, 23 Apr 2013 08:49:06 -0700
>> To: users@cloudstack.apache.org
>> 
>> Coming from someone that has no clue about active directory... If you're
>>using a basic zone, why don't you have the AD server deployed outside of
>>cloudstack's control? Then have your dns entries point to it. Have
>>the default security group for guests open to the ports AD works on.
>> 
>> Ahmad
>> 
>> On Apr 22, 2013, at 1:42 PM, David Ortiz <dp...@outlook.com> wrote:
>> 
>> > Hello,
>> >    I am trying to set up a Windows AD server as a guest on my
>>cloudstack cluster, and join my other guests to the domain it is serving
>>using PowerBroker Identity Services Open.  From what I am seeing, the
>>virtual router will block me from being able to perform nslookup or join
>>the domain using the domainjoin-cli command.  If I modify
>>/etc/resolv.conf to point directly at my DC as the dns server, it can
>>join the domain without any issues.  Unfortunately when I reboot, the
>>dhcp setup with the virtual router will point it back to the virtual
>>router as the name server.  I also found that I could get nslookup (but
>>not joining the domain) to work by playing with the dnsmasq.conf
>>settings on the virtual router a little bit, which works until it is
>>rebooted at which point they revert back to what they had been
>>originally.  Is there a way to get the virtual router to point guests at
>>the domain controller as the DNS, or to set up the dnsmasq to allow the
>>AD joins to occur (and make those settings persistent)?  Or
>>alternatively, would I be able to set up DHCP on the DC and just
>>circumvent the virtual router entirely?
>> > Thanks,
>> >     David Ortiz


RE: Using different DNS for guests than Virtual Router

Posted by David Ortiz <dp...@outlook.com>.
Hello Ahmad,
      That was my initial attempt.  The issue I ran into was that the dnsmasq settings on the Virtual Router seem to block the traffic that was required for the machine to join the domain.  I played around with the settings a little bit and was able to get it to find the domain, so I would imagine that I could tweak it some more to not be an issue.  However, any changes I make on the virtual router only last until it is restarted, so without a way to make those permanent I have to circumvent it entirely.  The blog post that Murali linked for how to set up a network without DHCP and DNS seems like it was probably the correct way to do it, but as far as I can tell would require me to start my zone from scratch, so I am trying to avoid that if possible.
Thanks,       David Ortiz

> CC: users@cloudstack.apache.org
> From: aemneina@gmail.com
> Subject: Re: Using different DNS for guests than Virtual Router
> Date: Tue, 23 Apr 2013 08:49:06 -0700
> To: users@cloudstack.apache.org
> 
> Coming from someone that has no clue about active directory... If you're using a basic zone, why don't you have the AD server deployed outside of cloudstack's control? Then have your dns entries point to it. Have the default security group for guests open to the ports AD works on.
> 
> Ahmad
> 
> On Apr 22, 2013, at 1:42 PM, David Ortiz <dp...@outlook.com> wrote:
> 
> > Hello,
> >    I am trying to set up a Windows AD server as a guest on my cloudstack cluster, and join my other guests to the domain it is serving using PowerBroker Identity Services Open.  From what I am seeing, the virtual router will block me from being able to perform nslookup or join the domain using the domainjoin-cli command.  If I modify /etc/resolv.conf to point directly at my DC as the dns server, it can join the domain without any issues.  Unfortunately when I reboot, the dhcp setup with the virtual router will point it back to the virtual router as the name server.  I also found that I could get nslookup (but not joining the domain) to work by playing with the dnsmasq.conf settings on the virtual router a little bit, which works until it is rebooted at which point they revert back to what they had been originally.  Is there a way to get the virtual router to point guests at the domain controller as the DNS, or to set up the dnsmasq to allow the AD joins to occur (and make those settings persistent)?  Or alternatively, would I be able to set up DHCP on the DC and just circumvent the virtual router entirely?
> > Thanks,
> >     David Ortiz

Re: Using different DNS for guests than Virtual Router

Posted by Ahmad Emneina <ae...@gmail.com>.
Coming from someone that has no clue about active directory... If you're using a basic zone, why don't you have the AD server deployed outside of cloudstack's control? Then have your dns entries point to it. Have the default security group for guests open to the ports AD works on.

Ahmad

On Apr 22, 2013, at 1:42 PM, David Ortiz <dp...@outlook.com> wrote:

> Hello,
>    I am trying to set up a Windows AD server as a guest on my cloudstack cluster, and join my other guests to the domain it is serving using PowerBroker Identity Services Open.  From what I am seeing, the virtual router will block me from being able to perform nslookup or join the domain using the domainjoin-cli command.  If I modify /etc/resolv.conf to point directly at my DC as the dns server, it can join the domain without any issues.  Unfortunately when I reboot, the dhcp setup with the virtual router will point it back to the virtual router as the name server.  I also found that I could get nslookup (but not joining the domain) to work by playing with the dnsmasq.conf settings on the virtual router a little bit, which works until it is rebooted at which point they revert back to what they had been originally.  Is there a way to get the virtual router to point guests at the domain controller as the DNS, or to set up the dnsmasq to allow the AD joins to occur (and make those settings persistent)?  Or alternatively, would I be able to set up DHCP on the DC and just circumvent the virtual router entirely?
> Thanks,
>     David Ortiz                         

Re: Using different DNS for guests than Virtual Router

Posted by Murali Reddy <Mu...@citrix.com>.
You can try with a network offering without DHCP and DNS services and
control the guest instances to use AD as DNS/DHCP service provider. Please
try out the steps outlined in [1].

[1] 
http://www.shapeblue.com/2012/05/10/using-the-api-for-advanced-network-management/

On 23/04/13 2:12 AM, "David Ortiz" <dp...@outlook.com> wrote:

>Hello,
>    I am trying to set up a Windows AD server as a guest on my cloudstack
>cluster, and join my other guests to the domain it is serving using
>PowerBroker Identity Services Open.  From what I am seeing, the virtual
>router will block me from being able to perform nslookup or join the
>domain using the domainjoin-cli command.  If I modify /etc/resolv.conf to
>point directly at my DC as the dns server, it can join the domain without
>any issues.  Unfortunately when I reboot, the dhcp setup with the virtual
>router will point it back to the virtual router as the name server.  I
>also found that I could get nslookup (but not joining the domain) to work
>by playing with the dnsmasq.conf settings on the virtual router a little
>bit, which works until it is rebooted at which point they revert back to
>what they had been originally.  Is there a way to get the virtual router
>to point guests at the domain controller as the DNS, or to set up the
>dnsmasq to allow the AD joins to occur (and make those settings
>persistent)?  Or alternatively, would I be able to set up DHCP on the DC
>and just circumvent the virtual router entirely?
>Thanks,
>     David Ortiz
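
A guest-side check for the behaviour discussed in this thread (DHCP resetting /etc/resolv.conf to the virtual router after a reboot), added here as an example and not code from any poster or from CloudStack. The function names, file names and all addresses are assumptions: 10.1.1.1 stands in for the virtual router and 10.1.1.10/10.1.1.11 for the AD domain controllers.

```shell
#!/bin/sh
# Added example (not from the thread). All addresses are constructed samples:
# 10.1.1.1 = virtual router, 10.1.1.10 and 10.1.1.11 = AD domain controllers.

# Print the nameservers the resolver will actually use: keyword at the start
# of the line, first three entries only (glibc ignores any beyond MAXNS = 3).
active_nameservers() {
    awk '/^nameserver[ \t]+[^ \t]/ { print $2; if (++n == 3) exit }' "$1"
}

# check_dns_drift FILE DC_IP...
# Prints a status line and returns:
#   0 OK             every active nameserver is a listed DC
#   1 DRIFT          no active nameserver is a DC (e.g. DHCP rewrote the file)
#   2 MIXED          DCs and other resolvers are both listed; an answer from
#                    the non-AD resolver is final, it is not retried on a DC
#   3 NO_NAMESERVER  no nameserver line found
check_dns_drift() {
    file=$1; shift
    good=""; bad=""
    for ns in $(active_nameservers "$file"); do
        match=0
        for dc in "$@"; do
            if [ "$ns" = "$dc" ]; then match=1; fi
        done
        if [ "$match" -eq 1 ]; then
            good="${good:+$good }$ns"
        else
            bad="${bad:+$bad }$ns"
        fi
    done
    if [ -z "$good$bad" ]; then echo "NO_NAMESERVER"; return 3; fi
    if [ -z "$bad" ]; then echo "OK: $good"; return 0; fi
    if [ -z "$good" ]; then echo "DRIFT: $bad"; return 1; fi
    echo "MIXED: dc=[$good] other=[$bad]"; return 2
}

# Write two constructed resolv.conf samples into directory $1:
# the file as a DHCP client leaves it after a reboot, and a hand-edited one.
write_samples() {
    printf '%s\n' '# written by the DHCP client' 'search example.internal' \
        'nameserver 10.1.1.1' > "$1/after-reboot.conf"
    printf '%s\n' '; edited by hand' 'nameserver 10.1.1.10' \
        'nameserver 10.1.1.11' 'nameserver 10.1.1.1' > "$1/hand-edited.conf"
}

# Demo: run both constructed samples against the two sample DC addresses.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in after-reboot hand-edited; do
    check_dns_drift "$tmp/$f.conf" 10.1.1.10 10.1.1.11 || true
done
rm -rf "$tmp"
```

On a real guest the first argument would be /etc/resolv.conf and the remaining arguments the domain controllers' addresses; a non-zero status after a reboot means DHCP has put a non-AD resolver back in front of the guest.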