ONTAP Discussions

Failed to create active directory machine account

skellner

I'm trying to create an Active Directory account to be able to authenticate to a cluster with an AD account. As I have no CIFS SVM in the cluster, I use a data SVM with a mgmt LIF on e0M for authentication, as described in the system admin guide. The create fails. However, I can't see why, as DNS, firewall and credentials of my user ID should be OK. Hope somebody can help with this. I attach the secd.log. From what I can see, it finds all necessary DCs in the environment but in the end fails to create the machine account.

 

Q100BPCC002::> vserver active-directory create -vserver q100bpcv002_cp01 -account-name q100bpcc002 -domain v998dpv1.v998.intern -ou OU=Fileserver,OU=Server,OU=VRZ

In order to create an Active Directory machine account, you must supply the name and password of a Windows account with sufficient privileges to add computers to the "OU=Fileserver,OU=Server,OU=VRZ"
container within the "V998DPV1.V998.INTERN" domain.

Enter the user name: j255030

Enter the password:

Warning: An account by this name already exists in Active Directory at CN=q100bpcc002,OU=Fileserver,OU=Server,OU=VRZ,DC=v998dpv1,DC=v998,DC=intern
         Ok to reuse this account? {y|n}: y

Error: Machine account creation procedure failed
  ...
  [  1090] Successfully connected to 17.243.129.17:88 using TCP
  [  1151] Unable to connect to LSA service on
           v998spwdv12124s.v998dpv1.v998.intern (Error:
           RESULT_ERROR_SPINCLIENT_SOCKET_SEND_ERROR)
  [  1160] Successfully connected to 7.242.192.141:445 using TCP
  [  1173] Successfully connected to 17.243.129.17:88 using TCP
  [  1234] Unable to connect to LSA service on
           v998spwdv12125s.v998dpv1.v998.intern (Error:
           RESULT_ERROR_SPINCLIENT_SOCKET_SEND_ERROR)
  [  3235] TCP connection to 12.243.129.17:445 via interface
           17.249.26.72 failed: (Operation timed out).
  [  3235] Could not open a socket to
           'v998spwdv12121b.v998dpv1.v998.intern'
  [  3235] Unable to connect to LSA service on
           v998spwdv12121b.v998dpv1.v998.intern (Error:
           RESULT_ERROR_SPINCLIENT_UNABLE_TO_RESOLVE_SERVER)
  [  5236] TCP connection to 12.243.129.22:445 via interface
           17.249.26.72 failed: (Operation timed out).
  [  5236] Could not open a socket to
           'v998spwdv12126b.v998dpv1.v998.intern'
  [  5236] Unable to connect to LSA service on
           v998spwdv12126b.v998dpv1.v998.intern (Error:
           RESULT_ERROR_SPINCLIENT_UNABLE_TO_RESOLVE_SERVER)
  [  7237] TCP connection to 12.243.129.19:445 via interface
           17.249.26.72 failed: (Operation timed out).
  [  7237] Could not open a socket to
           'v998spwdv12123b.v998dpv1.v998.intern'
  [  7237] Unable to connect to LSA service on
           v998spwdv12123b.v998dpv1.v998.intern (Error:
           RESULT_ERROR_SPINCLIENT_UNABLE_TO_RESOLVE_SERVER)
  [  7238] No servers available for MS_LSA, vserver: 5, domain:
           v998dpv1.v998.intern.
**[  7238] FAILURE: Unable to make a connection
**         (LSA:V998DPV1.V998.INTERN), result: 6940
  [  7238] Could not find Windows SID
           'S-1-5-21-1374259203-670540105-1957837697-512'
  [  7239] Uncaptured failure while creating server account

Error: command failed: Failed to create the Active Directory machine account "Q100BPCC002". Reason: SecD Error: no server available.


Jeff_Yao

I remember that the mgmt port can't be used for CIFS authentication because of the default firewall policy and connectivity issues from 8.3.

Someone correct me if I'm wrong.
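An added example, not part of the original thread and not NetApp tooling: Python that rejoins the wrapped secd trace lines from the error output in the first post and groups them into endpoints that were reached, TCP failures with their source interface, and LSA errors per domain controller. The regular expressions assume the line layout shown in that post, and the function names are hypothetical.

```python
import re

# Excerpt of the secd trace quoted in the first post (wrapped lines kept as posted).
SAMPLE = """\
  [  1090] Successfully connected to 17.243.129.17:88 using TCP
  [  1151] Unable to connect to LSA service on
           v998spwdv12124s.v998dpv1.v998.intern (Error:
           RESULT_ERROR_SPINCLIENT_SOCKET_SEND_ERROR)
  [  1160] Successfully connected to 7.242.192.141:445 using TCP
  [  3235] TCP connection to 12.243.129.17:445 via interface
           17.249.26.72 failed: (Operation timed out).
  [  3235] Unable to connect to LSA service on
           v998spwdv12121b.v998dpv1.v998.intern (Error:
           RESULT_ERROR_SPINCLIENT_UNABLE_TO_RESOLVE_SERVER)
**[  7238] FAILURE: Unable to make a connection
**         (LSA:V998DPV1.V998.INTERN), result: 6940
"""

ENTRY = re.compile(r"^(\*\*)?\s*\[\s*(\d+)\]\s*(.*)$")
OK = re.compile(r"Successfully connected to (\S+):(\d+) using TCP")
TCP_FAIL = re.compile(r"TCP connection to (\S+):(\d+) via interface (\S+) failed: \((.+?)\)")
LSA_FAIL = re.compile(r"Unable to connect to LSA service on (\S+) \(Error: (\w+)\)")

def entries(text):
    """Rejoin wrapped trace lines into (offset, flagged, message) tuples."""
    out = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # a new entry starts with "[ offset]", optionally flagged "**"
            out.append([int(m.group(2)), m.group(1) is not None, m.group(3).strip()])
        elif out and line.strip():  # continuation of the previous entry
            out[-1][2] += " " + line.lstrip("*").strip()
    return [tuple(e) for e in out]

def summarize(text):
    """Group the trace into reached endpoints, TCP failures and LSA errors."""
    s = {"reached": [], "tcp_failed": [], "lsa_errors": {}, "flagged": []}
    for _, flagged, msg in entries(text):
        if m := OK.search(msg):
            s["reached"].append((m[1], int(m[2])))
        elif m := TCP_FAIL.search(msg):
            s["tcp_failed"].append({"dst": m[1], "port": int(m[2]), "src_if": m[3], "reason": m[4]})
        elif m := LSA_FAIL.search(msg):
            s["lsa_errors"].setdefault(m[2], []).append(m[1])
        if flagged:
            s["flagged"].append(msg)
    return s

if __name__ == "__main__":
    import pprint
    pprint.pprint(summarize(SAMPLE))
```

The `tcp_failed` entries pair each unreachable destination with the source interface the trace reports, which is the pairing to check against routing and firewall rules for that LIF.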
