# Multi Domains between management and data SVMs.


serene cove

I am planning to have management IPs (Admin SVM) in one domain and all other data-serving SVMs in another domain. Do you think that is a good practice? Let me know if you see any possible issues with this approach.
I have one concern, especially with backups: whether node-scoped or CAB backup, it goes through the Admin SVM (again, in my case it will be on a different domain), so I am not sure how I can achieve this if it is on 2 different domains. Having a trust open between the 2 domains is the answer, but is that worth keeping in 2 different domains?
I'd appreciate it if you can share your experience. Thank you.

true bronze

What do you mean by "domain"? Windows AD domain? And if you say "management IPs", do you mean cluster/node management? Or SVM management as well?

true bronze

Because having LIFs of one SVM in two different Windows domains doesn't work. Also, the cluster management SVM (what I assume you mean by "Admin SVM") cannot directly join any AD domain itself either.

serene cove

Domain 1 = sales.company.com
Domain 2 = prod.company.com
Management IP = only cluster/node IPs, that is, the Admin SVM.
Data SVM = data-serving LIFs, which will be in prod.company.com.
For joining AD, I can use any of the data-serving CIFS SVMs, create a tunnel and get that authenticated.
I have users in prod.company.com and all the AD authentication will happen with that AD, but my question is: is having management in the other domain (sales.company.com) a bad design, or are there any concerns if I do it that way?

true bronze

I would not use an existing CIFS SVM for the tunnel, but instead a separate one that doesn't serve files via CIFS and only has a vserver active-directory create done, for a clear separation; but that's only me.
I wonder what you want to achieve with the second domain. If it is some kind of resource domain, for security reasons, then yes, it is a very common practice to have the tunnel SVM in that resource domain. But then you explicitly do not want a domain trust between those domains, again for a clear separation.
If you just want users from another domain to administer the filer, then yes, you can do that, but if the domains are trusted it, again, doesn't really matter whether you join the prod or the sales domain.

true bronze

So yeah, from a security perspective two domains make sense, but only if they're not trusted but completely separate.
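The separation described in the two posts above (a dedicated tunnel SVM that serves no CIFS shares, joined only to the management domain, with admin logins authenticated through it and a local account for backups, so that no trust to the data-serving domain is needed) as an added ONTAP clustershell walkthrough; this is not configuration from the thread or from anyone in it. The cluster name cluster1, nodes node1/node2, aggregate aggr1, port e0c, the SVM and LIF names, the computer account CL1TUNNEL, the group SALES\storage-admins, the user ndmpbackup and all addresses are made-up placeholders, and the lines starting with "#" are annotations, not input to the clustershell. The domain names sales.company.com and prod.company.com are the ones from the thread. The command syntax is the ONTAP 9 clustershell as I know it; check it against the release in use before running anything.

```ontap
# 1. A dedicated SVM whose only job is the AD tunnel: no CIFS server, no shares.
cluster1::> vserver create -vserver svm_tunnel -rootvolume svm_tunnel_root -aggregate aggr1 -rootvolume-security-style ntfs

# 2. One LIF in the management subnet, serving no data protocol.
cluster1::> network interface create -vserver svm_tunnel -lif svm_tunnel_lif1 -role data -data-protocol none -home-node node1 -home-port e0c -address 10.10.1.50 -netmask 255.255.255.0

# 3. The SVM must be able to resolve the domain controllers of the management (resource) domain.
cluster1::> vserver services name-service dns create -vserver svm_tunnel -domains sales.company.com -name-servers 10.10.1.10

# 4. Computer account in sales.company.com only (prompts for credentials allowed to join).
#    Nothing here touches prod.company.com, so no trust between the domains is required.
cluster1::> vserver active-directory create -vserver svm_tunnel -account-name CL1TUNNEL -domain sales.company.com

# 5. Make this SVM the cluster's authentication tunnel.
cluster1::> security login domain-tunnel create -vserver svm_tunnel

# 6. Cluster administrators authenticate against sales.company.com through the tunnel.
cluster1::> security login create -vserver cluster1 -user-or-group-name "SALES\storage-admins" -application ssh -authentication-method domain -role admin

# 7. The backup service account is local to the cluster and independent of either AD domain
#    (the "backup" role is the predefined NDMP role).
cluster1::> security login create -vserver cluster1 -user-or-group-name ndmpbackup -application ssh -authentication-method password -role backup

# 8. Verify: exactly one tunnel SVM, and the expected login entries.
cluster1::> security login domain-tunnel show
cluster1::> security login show -vserver cluster1
```

The point of step 7 is the one true bronze makes later in the thread: the backup credential does not have to live in any AD domain, so the domain of the Admin SVM's tunnel has no bearing on whether node-scoped or cluster-aware backup works. Only if people from prod.company.com had to log in to the cluster with their domain accounts would a trust (or a second tunnel, which ONTAP does not support) come into play.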

serene cove

We don't want to discuss the CIFS SVM for the AD authentication; I can do that on a dedicated SVM as you mentioned.
My concern here is not primarily security, that is, having the mgmt interface (Admin SVM) in one domain and data in another domain. I would rather have all the mgmt interfaces and data-serving SVMs in only one domain. But due to internal reasons they are asking me to put them in 2 different domains, which I am not in favor of.
What I saw with backups, NDMP or non-NDMP, is that they go through the Admin SVM for node-scoped or CAB (cluster-aware backup) (which in this case will be on a different domain, because the Admin SVM is in the sales domain and data serving is in the prod domain), so in that case I again need a trust between these 2 domains, is my understanding. Please correct me if I am wrong here.
Bottom line is I need some valid reason not to have 2 domains, to make my team understand with proper valid reasons or potential risks if we have 2 domains.

true bronze

You only need a trust between domains if you need to have user authentication from one domain pass through to the other domain. It doesn't really matter what domain the backup service user is in, unless I'm misunderstanding something here.
If you're looking for a technical reason why having 2 different domains is bad, I cannot think of one. But maybe someone else can?

serene cove

Thank you for the explanation @true bronze on the backup service user, which makes sense; since I will be creating a local account for backup activity, that should not be a problem.
Yes, keeping management in one domain and data SVMs in another domain, I am not sure if that is best practice or has any issues with that approach; that is what I am weighing here, if someone can share their experiences. Let's see if someone responds and we learn something from them.

serene cove

@true bronze -- Another question: can we have node mgmt access from 2 different domains?
N1 -- 10.10.1.1 (Sales Domain) and again the same node N1 -- 10.20.1.1 (Prod Domain), and the same goes for node N2 and cluster mgmt as well? Is this possible?

true bronze

No, you can only have one tunnel SVM, and that tunnel SVM can only be in one domain. That is, unless the domains are trusted, of course.

serene cove

@true bronze - I am asking about the mgmt interface (e0M): can we access the same NetApp from 2 different domains?
Node 0 - Mgmt IP -- x.x.x.x (Sales Domain), Node 1 - Mgmt IP -- x.x.x.x (Sales Domain), cluster IP -- Mgmt IP -- x.x.x.x (Sales Domain)
Node 0 - Mgmt IP -- x.x.x.x (Prod Domain), Node 1 - Mgmt IP -- x.x.x.x (Prod Domain), cluster IP -- Mgmt IP -- x.x.x.x (Prod Domain)

thorny merlin

Maybe not e0M, but you can move node management LIFs to other interfaces. Just make sure that both have internet access, otherwise AutoSupport won't work.

true bronze

Again, I'm not sure I follow. "Access from different domains" -> do you mean access from IP addresses in different subnets? Or access with user accounts from different AD domains? IP addresses are not in any way related to AD domains.

tawny bane

I think he simply wants another cluster-mgmt LIF in another subnet.

true bronze

Yeah, that's what I'm thinking too... but the discussion started with users from different AD domains, which has me confused.

tawny bane

Maybe we're talking about broadcastDOMAINS?

true bronze

Maybe... but we were talking about the tunnel SVM, so at some point it was definitely about AD domains 🙂

serene cove

@true bronze sorry for the confusion. It is not about the tunnel SVM. It is the basic mgmt IPs which are part of the Admin SVM.
@tawny bane -- Yes, cluster mgmt in another subnet as well.
@thorny merlin -- Since e0M is used for mgmt, I need to have another subnet as well, if that is possible.

true bronze

Sure, you can have as many management LIFs (= IPs) in as many subnets as you want.

thorny merlin

You don't technically have to have management LIFs on e0M.
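What the last few posts agree on (additional node-management and cluster-management LIFs in a second subnet, on ports other than e0M, with routing checked so AutoSupport still gets out) as an added ONTAP clustershell example; it is not configuration from the thread or from anyone in it. The cluster name cluster1, nodes node1/node2, port e0d, the LIF names and the 10.20.1.0/24 addresses are made-up placeholders (the thread uses x.x.x.x), and the "#" lines are annotations, not clustershell input. The -role form is the older syntax; on releases where it is deprecated, use -service-policy default-management instead. Verify against your release before running.

```ontap
# Existing management LIFs (on e0M, sales subnet) stay as they are; these are added alongside.

# 1. A second node-management LIF per node in the prod subnet, on a data port rather than e0M.
cluster1::> network interface create -vserver cluster1 -lif node1_mgmt_prod -role node-mgmt -home-node node1 -home-port e0d -address 10.20.1.1 -netmask 255.255.255.0
cluster1::> network interface create -vserver cluster1 -lif node2_mgmt_prod -role node-mgmt -home-node node2 -home-port e0d -address 10.20.1.2 -netmask 255.255.255.0

# 2. A second cluster-management LIF in the same prod subnet.
cluster1::> network interface create -vserver cluster1 -lif cluster_mgmt_prod -role cluster-mgmt -home-node node1 -home-port e0d -address 10.20.1.100 -netmask 255.255.255.0

# 3. Check: every management LIF with its role, address and the port it currently sits on.
cluster1::> network interface show -vserver cluster1 -fields role,address,curr-port

# 4. Check the cluster SVM's routes: the LIF that sends AutoSupport needs a path out,
#    and replies to prod-subnet clients must not be forced back through the sales gateway.
cluster1::> network route show -vserver cluster1
```

Note that none of this involves AD at all: these LIFs live in the cluster (Admin) SVM and are reachable from whichever subnet they are in, regardless of which AD domain the tunnel SVM is joined to. Who may log in through them is governed by the security login entries, not by the subnet.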

serene cove

Thank you for the response.

dusk quarry

Hello, I have clusters using the Admin SVM with a tunnel to a first AD domain using the management LIF, and data SVMs in another domain. For the backups, all volumes of all SVMs are backed up in the Admin SVM domain (using NDMP) in my case, and there is no trust between the different ADs. It works without issue.