VMware Cloud Community
SlobodanS
Enthusiast

Virtual or Physical DNS: Best Practice on HA/DRS Environment

Hello everyone,

Our current infrastructure is composed of 19 ESX, 1 vCenter, 2 virtual DNS. All our clusters are configured for HA/DRS.

Last week, our network team changed some configuration and we had a broadcast storm on the management network. Half of our VMs were shut down by the HA configuration, including our 2 virtual DNS. We had a lot of trouble powering on those servers: first unregistered, then locked, etc.

I want to avoid this kind of problem in the future.

So, do I have to exclude the DNS servers from the DRS/HA clusters? Do I need to have a physical one?

Thanks


Accepted Solutions
depping
Leadership

A couple of things here. You might want to "reconsider" your design decision around the "Isolation Response" as that could cause VMs to be powered down in scenarios like these where hosts are "swamped" with traffic. It is basically a DoS attack on your own network that happened. With or without a physical DNS server the scenario more than likely would be the same.

Duncan (VCDX)

Available now on Amazon: vSphere 4.1 HA and DRS technical deepdive

SlobodanS
Enthusiast

Thank you for your response.

We are aware of that, but we lost a lot of time powering on those machines, accessing vCenter, then the ESX hosts to identify where the VMs were locked, etc.

That's why I'm thinking about maybe moving those VMs to different ESX hosts that are not part of DRS, or having a third physical one.

chriswahl
Virtuoso

Even if you set the isolation response on your DNS VM servers to "Leave powered on", HA would still attempt to restart the VM on another host (when the lock expires). I'd avoid going this route for this reason, although I believe vSphere 4.X will "kill" the original VM to avoid having two VMs with the same UUID going at the same time.

I'd go with Duncan's advice and set it up so that a broadcast storm cannot defeat your HA isolation address, as this was basically a false positive HA restart event.

VCDX #104 (DCV, NV) ஃ WahlNetwork.com ஃ @ChrisWahl ஃ Author, Networking for VMware Administrators
SlobodanS
Enthusiast

OK guys, thank you. I will check those options.
