You can configure the File Services, which enable you to create file shares on your vSAN datastore.
- Enable vSAN file services.
- Allocate static IP addresses as file server IPs from vSAN File Service network, each IP is the single point access to vSAN file shares.
- For best performance, the number of IP addresses must be equal to the number of hosts in the vSAN cluster.
- All the static IP addresses should be from the same subnet.
- Every static IP address has a corresponding FQDN, which should be part of the Forward lookup and Reverse lookup zones in the DNS server.
- If you are planning to create a Kerberos based SMB file share or a Kerberos based NFS file share, you need the following:
- Microsoft Active Directory (AD) domain to provide authentication to create an SMB file share or an NFS file share with the Kerberos security.
- (Optional) Active Directory Organizational Unit to create all file server computer objects.
- A domain user in the directory service with the sufficient privileges to create and delete computer objects.
- Navigate to the vSAN cluster and click Configure > vSAN > Services.
- Click Configure Domain.
The File service domain wizard opens.
- In the File service domain page, enter the unique namespace and click Next. The domain name must have minimum two characters. The first character must be an alphabet or a number. The remaining characters can include an alphabet, a number, an underscore ( _ ), a period ( . ), a hyphen ( - ).
- In the Networking page, enter the following information, and click Next:
Affinity site option is available if you are configuring vSAN file service on a stretched cluster. This option allows you to configure the placement of the file server on Preferred or Secondary site. This helps in reducing the cross-site traffic latency. The default value is Either, which indicates that no site affinity rule is applied to the file server.Note: If your cluster is a ROBO cluster, ensure that the Affinity site value is set to Either.
- Protocol: You can select IPv4 or IPv6. vSAN File Service only supports IPv4 or IPv6 stack. The reconfiguration between IPv4 and IPv6 is not supported.
- DNS servers: Enter a valid DNS server to ensure the proper configuration of File Services.
- DNS suffixes: Provide the DNS suffix that is used with the file services. All other DNS suffixes from where the clients can access these file servers should also be included. File Services does not support DNS domain with single label, such as "app", "wiz", "com" and so on. A domain name given to file services should be of the format thisdomain.registerdrootdnsname. DNS name and suffix must adhere to the best practices detailed in https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/selecting-the-forest-root-domain.
- Subnet mask: Enter a valid subnet mask. This text box appears when you select IPv4.
- Prefix length: Enter a number between 1 and 128. This text box appears when you select IPv6.
- Gateway: Enter a valid gateway.
- IP Pool: Enter primary IP address and DNS name.
In a site failure event, the file server affiliated to that site fails over to the other site. The file server fails back to the affiliated site when it is recovered. Configure more file servers to one site if more workloads can be expected from a certain site.Note: If the file server contains SMB file shares, then it does not failback automatically even if the site failure is recovered.Consider the following while configuring the IP addresses and DNS names:
- To ensure proper configuration of File Services, the IP addresses you enter in the Networking page must be static addresses and the DNS server must have records for those IP addresses. For best performance, the number of IP addresses must be equal to the number of hosts in the vSAN cluster.
- You can have a maximum of 64 hosts in the cluster. If large scale cluster support is configured, you can enter up to 64 IP addresses.
- You can use the following options to automatically fill the IP address and DNS server name text boxes:
AUTO FILL: This option is displayed after you enter the first IP address in the IP address text box. Click the AUTO FILL option to automatically fill the remaining fields with sequential IP addresses, based on the subnet mask and gateway address of the IP address that you have provided in the first row. You can edit the auto filled IP addresses.LOOK UP DNS: This option is displayed after you enter the first IP address in the IP address text box. Click the LOOK UP DNS option to automatically retrieve the FQDN corresponding to the IP addresses in the IP address column.Note:
- All valid rules apply for the FQDNs. For more information, see https://tools.ietf.org/html/rfc953.
- The first part of the FQDN, also known as NetBIOS Name, should not have more than 15 characters.
The FQDNs are automatically retrieved only under the following conditions:
- You should have entered a valid DNS server in the Domain page.
- The IP addresses entered in the IP Pool page should be static addresses and the DNS server should have records for those IP addresses.
- In the Directory service page, enter the following information and click Next.
Option Description Active directory Configure an Active Directory domain to vSAN File Services for authentication. If you are planning to create an SMB file share or an NFSv4.1 file share with Kerberos authentication, then you must configure an AD domain to vSAN File Services. AD domain
Fully qualified domain name joined by the file server.
Preferred AD Server
Enter the IP address of the preferred AD server. In case of multiple IP addresses, ensure that they are separated by comma.
Organizational unit (Optional)
Contains the computer account that the vSAN File Services creates. In an organization with complex hierarchies, create the computer account in a specified container by using a forward slash mark to denote hierarchies (for example, organizational_unit/inner_organizational_unit).Note: By default, the vSAN File Services create the computer account in the Computers container.
User name to be used for connecting and configuring the Active Directory service.
This user name authenticates the active directory on the domain. A domain user authenticates the domain controller and creates vSAN File Services computer accounts, related SPN entries, and DNS entries (when using Microsoft DNS). As a best practice, create a dedicated service account for the file services.A domain user in the directory service with the following sufficient privileges to create and delete computer objects:
- (Optional) Add/Update DNS entries
Password Password for the user name of the Active Directory on the domain. vSAN File Services use the password to authenticate to AD and to create the vSAN File Services computer account.Note:
- vSAN File Services does not support the following:
- Read-Only Domain Controllers (RODC) for joining domains because the RODC cannot create machine accounts. As a security best practice, a dedicated org unit should be pre-created in the Active Directory and the user name mentioned here should be controlling this organization.
- Disjoint namespace.
- Spaces in organizational units (OUs) names.
- Multi domain and Single Active Directory Forest environments.
- Only English characters are supported for Active Directory user name.
- Only single AD domain configuration is supported. However, the file servers can be put on a valid DNS subdomain. For example, an AD domain with the name
example.comcan have file server FQDN as
- Pre-created computer objects for file servers are not supported. Make sure that the user provided here have sufficient privilege over the organizational unit.
- vSAN File Services update the DNS records for the file servers if the Active Directory is also used as a DNS server and the user has sufficient permission to update the DNS records. vSAN File Services also has a Health Check to indicate if the forward and reverse lookups for file servers are working properly. However, if there are other proprietary solutions used as DNS servers, the Vi admin should update these DNS records.
- Review the settings and click Finish.
The file services domain is configured. File servers are started with the IP addresses that were assigned during the vSAN File Services configuration process.