
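AlwaysOn: Using Separate Business and High-Availability IPs (Part 3)

Option 2: the original IPs on the primary and secondary are used for AG communication, and IPs bound to newly added NICs on the primary and secondary are used for business access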



Test environment:

| AG role | Host name | Network adapter | IP address |
|---|---|---|---|
| Primary | TEST-GS-ZHXT1 | Ethernet0 | 10.198.197.167 |
| | | Ethernet1 | 10.198.197.173 |
| Secondary | TEST-GS-ZHXT2 | Ethernet0 | 10.198.197.168 |
| | | Ethernet1 | 10.198.197.174 |
| Disaster recovery | TEST-GS-ZHXT3 | Ethernet0 | 10.198.194.183 |


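Overall approach:

Separate the NIC used for business traffic from the NIC used for high availability. High availability uses Ethernet 0 preferentially, which is configured through the NIC priority, so that during a failover WSFC and the AG communicate over Ethernet 0 first. Business access uses SQL accounts, so it uses SQL authentication and does not need Kerberos authentication.


Adjust the NIC priority:

Start -> Run -> enter "ncpa.cpl" -> press "Alt+N" -> Advanced Settings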


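Move the network adapter that the original IP is bound to (for example Ethernet0) to the first position in the priority order.


Add static routes for the business application IPs that access the server:

A host can have only one default gateway, and it is already set on the network adapter that the original IP is bound to (for example Ethernet0). For the business applications that need to reach the newly added IP, use route add -p to add a static route, and use the if parameter to specify the interface ID of the network adapter.


Using Kerberos authentication for remote Windows-authenticated logins to the SQL Server instance:

Log in to the SQL Server instance remotely with a domain account and check the authentication scheme: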

select * from sys.dm_exec_connections where session_id=@@spid;

Kerberos authentication is not used; the connection uses NTLM.

Reference: https://technet.microsoft.com/en-us/library/bb463166.aspx

Enable Kerberos debug logging:

On an Active Directory server, Kerberos error messages are found in the Event Log. It is necessary to enable extended Kerberos logging before all message types will appear. To enable extended Kerberos logging, add a DWORD registry entry of LogLevel in the following location, and set it to 1:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

The server must be started after this change before the logging will be implemented.

| Error | ErrorName | Description |
|---|---|---|
| 0x7 | KDC_ERR_S_PRINCIPAL_UNKNOWN | Server not found in Kerberos database |

Judging by the error, the SPN is probably not registered or not registered correctly.

Reference: https://technet.microsoft.com/en-us/library/bb463167.aspx

Common DNS Issues

DNS problems are often encountered only during a service ticket request after a successful TGT request. If a client can successfully authenticate initially but is then unable to acquire a service ticket or access services, then DNS problems are the likely cause.

The error “Server not found in Kerberos database” is common and can be misleading because it often appears when the service principal is not missing. The error can be caused by domain/realm mapping problems or it can be the result of a DNS problem where the service principal name is not being built correctly. Server logs and network traces can be used to determine what service principal is actually being requested.

Kerberos recognizes short host names as different from long host names. For example, problems may occur if a client computer knows an application server as appserver1.example.com, but the Kerberos server knows the same computer as appserver1. Check that each host in the environment knows the others by using a consistent naming pattern.

Kerberos is case sensitive. Problems can occur in an environment using host names with mixed case. In the world of Kerberos, appserver1.EXAMPLE.COM and appserver1.example.com are not the same. Check that DNS resolves host names with consistent case.

Kerberos relies on the presence of both forward and reverse lookup entries in DNS. Check that the host name of each computer can be resolved to its IP address and that its IP address can be resolved to its host name.

DNS domain name ambiguities in a multidomain environment can result in subtle DNS issues. Check that each computer knows the others using the same domain name. Avoiding the use of short host names is particularly important in a multidomain environment.

Look carefully at the configuration of any multihomed hosts. You might need to perform network traces to determine which interfaces and what names are being used in requests to or from computers with multiple network cards.

According to "Kerberos relies on the presence of both forward and reverse lookup entries in DNS." in the text above, the IP bound to the newly added NIC needs a reverse lookup entry in DNS, as shown in the figure below:

[Figure]

Verify the connection again, and it now uses Kerberos authentication.
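The forward and reverse lookup requirement quoted above can be checked for every address of a multihomed host. The following is an added example, not part of the original post: the example.com suffix and the record tables are constructed, the IP addresses are those of the test environment, and the default resolvers use the system DNS through Python's socket module.

```python
import socket

def live_forward(name):
    """A-record lookup through the system resolver."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def live_reverse(ip):
    """PTR lookup through the system resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def check_host(fqdn, ips, forward=live_forward, reverse=live_reverse):
    """Return the DNS inconsistencies found for fqdn; an empty list means consistent."""
    findings = []
    a_records = set(forward(fqdn))
    for ip in ips:
        if ip not in a_records:
            findings.append(f"{ip}: missing A record for {fqdn}")
        ptr = reverse(ip)
        if ptr is None:
            findings.append(f"{ip}: missing PTR record")
        elif ptr != fqdn:
            if ptr.lower() == fqdn.lower():
                kind = "case differs"
            elif ptr.split(".")[0].lower() == fqdn.split(".")[0].lower():
                kind = "short name or other domain"
            else:
                kind = "points at another host"
            findings.append(f"{ip}: PTR {ptr} != {fqdn} ({kind})")
    return findings

# Constructed sample zone data. The example.com suffix is an assumption;
# the IP addresses are the ones in this page's test environment.
HOST = "test-gs-zhxt1.example.com"
A = {HOST: ["10.198.197.167", "10.198.197.173"]}
PTR_BEFORE = {"10.198.197.167": HOST}               # new NIC has no PTR yet
PTR_FIXED = {**PTR_BEFORE, "10.198.197.173": HOST}  # reverse record added
PTR_STALE = {**PTR_BEFORE, "10.198.197.173": "test-gs-zhxt2.example.com"}  # old PTR left after an IP swap

def demo(ptr_table):
    """Run the check against the constructed tables instead of live DNS."""
    return check_host(HOST, A[HOST], lambda n: A.get(n, []), ptr_table.get)

if __name__ == "__main__":
    for label, table in [("before", PTR_BEFORE), ("fixed", PTR_FIXED), ("stale", PTR_STALE)]:
        print(label, demo(table))
```

Calling check_host with only a host name and its address list runs the same checks against live DNS.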

Reference: https://blogs.msdn.microsoft.com/apgcdsd/2011/09/26/kerberosntlm-sql-server/

SQL Server 2008/2008 R2

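1) When the SPN is mapped to the correct domain or built-in machine account (Local System, Network Service), local connections use NTLM and remote connections use Kerberos.

2) When no SPN registered under the correct domain or built-in machine account is found, the connection uses NTLM.

3) When an incorrect SPN exists in the domain, authentication fails.

For the details of the Kerberos authentication process, see: https://blogs.technet.microsoft.com/askds/2008/03/06/kerberos-for-the-busy-admin/

Test:

1. Remove the secondary node from the AG and swap 10.198.197.173 and 10.198.197.174: log in to the servers through 167 and 168, change the IP address of Ethernet 1, then disable and re-enable the NIC. In the DNS reverse lookup zone, delete the original records and add records for the new address mapping.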


Check the WSFC status:

[Figure]

Access 10.198.197.173 and 174 remotely with Windows authentication and check whether Kerberos authentication is used:

[Figure]

Both can access the database service remotely.

2. After the test with business traffic switched to the secondary is complete, switch the IPs back.

Both can access the database service remotely.

Summary:

Option 2 meets the requirement of using separate business and high-availability IPs. It ensures that WSFC and the AG get preferential, stable use of Ethernet 0, which keeps the cluster safe and reliable.

Reposted from: http://www.chinadenli.net/article10/iiicdo.html
