2015-03-24 12:48 AM - edited 2015-12-18 01:05 AM
We have an issue with SnapManager for Exchange. If we configure the protection dataset of SnapManager for Exchange with the configuration wizard we get: "Error code: 0xc00414df Unable to create SnapManager dataset". The log says that there are some issues with the access from SME to OCM (DFM).
Creating SnapManager dataset...
[SDAPI Error]: RBAC access check failed with the following reason.
Error Description :'DFM.DataBase.Read access denied on dataset SnapMgr_Exchange_Server for user DOMAIN2\netapp_snapmgr on Operations Manager server DFMsrv'.
We think the problem is that SME-user and OCM (DFM) are not in the same domain. SME-user is in DOMAIN2 and DFMsrv in DOMAIN1. Is there any solution for usage in different domains?
2015-03-24 06:55 AM
Try this on the DFM server's CLI:
dfm user add -r GlobalFullControl DOMAIN2\netapp_snapmgr
You also need to make sure that on the SnapManager/SnapDrive server, the user you pass to SnapDrive for DFM queries also has GlobalFullControl (check with "sdcli dfm_config list").
2015-03-24 11:41 PM
Could you provide the output of the command:
C:\Users\Administrator>dfm query run "SELECT objId, objFullName from objects where objName = 'DOMAIN2\netapp_snapmgr'"
It should return this:
If there is a space before the name or something strange, then the user needs to be re-added.
In general, we have the following requirements for the SnapManager service user:
- In the case of SME, member of the "Organization Management" Exchange security group (unless you are using RBAC with the latest available SME version, where you can assign fewer permissions with a role defined with specific permissions).
- In the case of SMSQL, the above service user needs to have the sysadmin role assigned within the managed instances.
- On every server where SME/SMSQL is installed, the SnapManager service user should be a member of the local administrators account.
- ACLs on the LUNs where databases and logs are hosted should allow full control to the above service user.
- If you configure SME/SMSQL with DFM/PM archiving, then you also need to ensure the SnapDrive and SnapManager users are added to the GlobalFullControl role.
It must work.
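As an added example (not from this thread and not part of NetApp's tooling): a small Python check that reads the output of the two commands above, "dfm user add" and the "dfm query run" lookup in the objects table, and flags the conditions this reply describes, i.e. the "login is disabled" warning and a stray space stored in the name. The sample outputs are constructed, and the column layout of the query result is an assumption.

```python
import re

# Constructed sample: "dfm user add" output as it appears in the thread for the
# cross-domain account (the record is created, but DFM cannot resolve the user).
SAMPLE_ADD_OUTPUT = (
    "Warning: DOMAIN2\\netapp_snapmgr does not exist in the administrator database(s),\n"
    "so login is disabled for this administrator.\n"
    "Added administrator DOMAIN2\\netapp_snapmgr.\n"
    "Added 1 role to administrator DOMAIN2\\netapp_snapmgr.\n"
)

# Constructed sample for "dfm query run ... from objects ..."; the column layout is an
# assumption (the thread's screenshot of the expected output did not survive). The row
# deliberately carries a stray leading space in objFullName, the case the reply warns about.
SAMPLE_QUERY_OUTPUT = (
    "objId  objFullName\n"
    "-----  -----------------------\n"
    "   42   DOMAIN2\\netapp_snapmgr\n"
)


def check_user_add(output: str, expected: str) -> dict:
    """Summarise one 'dfm user add' run: was the record created with the exact name,
    how many roles were attached, and did DFM disable login because it could not
    find the account in its administrator database (the symptom seen across domains)."""
    added = re.search(r"^Added administrator (\S+)\.$", output, re.M)
    roles = re.search(r"^Added (\d+) role", output, re.M)
    name = added.group(1) if added else None
    return {
        "added": name is not None,
        "name_matches": name == expected,
        "roles_added": int(roles.group(1)) if roles else 0,
        "login_disabled": "login is disabled" in output,
    }


def check_query(output: str, expected: str) -> list:
    """Return the problems found in the objFullName column of a 'dfm query run' result:
    'missing' (no rows), 'whitespace' (stray padding inside the stored name),
    'case' (same name, different case) or 'mismatch' (a different name)."""
    lines = [l for l in output.splitlines() if l.strip()]
    if len(lines) < 3:
        return ["missing"]
    col = lines[0].index("objFullName")  # the header fixes where the name column starts
    problems = []
    for row in lines[2:]:
        raw = row[col:]
        name = raw.strip()
        if raw != name:
            problems.append("whitespace")
        if name != expected:
            problems.append("case" if name.lower() == expected.lower() else "mismatch")
    return problems
```

An empty list from check_query means the stored name is exactly the account you pass to SnapDrive; any entry means the user should be removed and re-added.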
2015-03-25 12:21 AM - edited 2015-03-25 12:22 AM
With this query I only get:
But as you said, I have deleted and re-added the user and did get:
C:\Windows\system32>dfm user add -r GlobalFullControl DOMAIN2\netapp_snapmgr
Warning: DOMAIN2\netapp_snapmgr does not exist in the administrator database(s),
so login is disabled for this administrator.
Added administrator DOMAIN2\netapp_snapmgr.
Added 1 role to administrator DOMAIN2\netapp_snapmgr.
I think the problem is that there are two different domains which don't know each other's users. But we will not change this architecture because of security. Is there any solution?
2015-03-25 04:16 AM - edited 2015-03-25 04:18 AM
Some more information:
If I add a user without the underscore "_" for example "DOMAIN2\snapmgr" your query works:
C:\Windows\system32>dfm user add -r GlobalFullControl DOMAIN2\snapmgr
Warning: DOMAIN2\snapmgr does not exist in the administrator database(s),
so login is disabled for this administrator.
Added administrator DOMAIN2\snapmgr.
Added 1 role to administrator DOMAIN2\snapmgr.
C:\Windows\system32>dfm query run "SELECT objId, objFullName from objects where objName = 'DOMAIN2\snapmgr'"
Are there any restrictions in name usage, because the underscore is a normal ASCII character?
2015-03-25 05:58 AM
From your last output, I don't really see any change.
It still creates the user but then it disables it.
So, I am not sure if a trust is required between the two domains.
I have asked a colleague who is specialized in DFM and will take a look and reply.
Domenico Di Mauro.
2015-03-25 06:19 AM
This needs to have a proper setup on the OCUM LDAP side, meaning registering one or multiple DC servers and configuring the LDAP options like:
[root@romuald-5 conf]# dfm ldap list
Address Port Last Use Last Failure
------------------------------------------ ------ -------------------------- --------------------------
ams2k3domdc1.ams2k3dom.ngslabs.netapp.com 389 2015-03-25 13:52:01.000000
[root@romuald-5 conf]# dfm option list|grep ldap
The different setups/options can be found in OCUM documentation.
As you can figure out from the above output, a single-domain setup is allowed, so if you have multiple domains, you need to set up one of the topmost in the hierarchy or ensure a trust.
If you have difficulties setting this up, do not hesitate to open a case with us.
2015-03-25 06:52 AM
Thanks Rom for your reply,
due to the fact that in our case both domains are independent and there is no domain on top of them, only a trust between these two will be the solution. As this is against our architecture, we need to set up a SnapVault relationship between the SnapVault primary and secondary without using DFM/Protection Manager.