Subscribe

Operations Manager ~ Locking a service account

[ Edited ]

OM server is locking out the Windows AD service account used by snapdrive on the host servers.  The problem is I can not understand WHY?

OM runs on a Windows server with DAS and does not have snapdrive installed and the OM 'windows' services do not use this account.  OM connects to the filers via root or a dfm_service account so I can not understand why this is happening.

The Window's DC log files show the OM server as the cause of the wrong password attempts (every 15 minutes) and since the OM service has been turned off, we have had no more 'lock outs' on the snapdrive service account.

Any ideas why this may be happening or how to trouble shoot it?

Thanks

Bren

Re: Operations Manager ~ Locking a service account

Nightmare but now resolved.

The DFM logs are in \Program Files\NetApp\DataFabric\DFM\log

By a process of opening each on in turn I was able to find that dfmserver.log has useful information.

Jun 16 14:30:05 [dfmserver: INFO]: [18312:0x3384]: Logon request for DOMAIN\ACCOUNT (domain\account) denied: 1326, Logon failure: unknown user name or bad password.

Using the time stamp I was able to find that audit.log {open with wordpad} also has a piece of the puzzle:

Jun 16 14:30:05 [Unknown:NOTIC]: DOMAIN\ACCOUNT:API:err:[www.xxx.yyy.zzz]:Authentication failed for user  - DOMAIN\ACCOUNT Input API is - <dfm-about/>

Investigation of the server showed Snapdrive V6 and SMSQL v5

Nothing could be found in the SMSQL GUI for the Operations Manager link

However in the Windows registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SWSvc\Parameters\DFMConfigParams\ServerConfig

These values should be blank if the server is not 'talking' too operations manager.

Removed vaules and operations manager is no longer locking out the service account.

Hope this helps you out.

Bren

Re: Operations Manager ~ Locking a service account

Brendon,

Had a similar issues cause by an incorrect password used when installing SnapDrive 6.2 and Protection Manager Integration. RE-installing snapdrive would not update DFM with the correct password. I had to use snapdrive cli to update the password with DFM.

The account would be locked out at the very beginig of each SMSQL backup.

sdcli dfm_config set –host <dfm host>  -user <domain\service account> -pwd <password>

Re: Operations Manager ~ Locking a service account

Do you run the command on the host which has SMSQL installed or on the

DFM server? The hard part of this process was finding out which host

{we have 80+) was causing the issue. However the next release will

address this I am told.

Bren

Re: Operations Manager ~ Locking a service account

Host where SMSQL is installed

-Robert

Operations Manager ~ Locking a service account

Wow, this saved me so much time!  I tried to reinstall Snapdrive to add in the protection piece and it kept locking the account in AD.  After updating using the snapdrive cli it works like a champ!  Thanks for sharing!!

Re: Operations Manager ~ Locking a service account

Been having this problem also, was SME in our DR site had the sdcli dfm_config set and was locking out the account - tracking it using the dfmserver.log and audit.log helped.

Cheers!