
CIFS not joining AD domain


Hello,

 

I have the following problem with ONTAP 9 and FAS2552:

 

cl1::vserver cifs> dns

cl1::vserver services name-service dns> show
                                                              Name
Vserver         State     Domains                             Servers
--------------- --------- ----------------------------------- ----------------
cl1             enabled   gym-hksb.local                      10.30.253.1,
                                                              10.30.253.3
nas             enabled   gym-hksb.local                      10.30.253.1,
                                                              10.30.253.3
2 entries were displayed.

cl1::vserver services name-service dns> cifs

cl1::vserver cifs> create -cifs-server file02 -domain gym-hksb.local -ou CN=Computers

In order to create an Active Directory machine account for the CIFS server, you must supply the name and password of a Windows account with sufficient privileges to add computers to the
"CN=Computers" container within the "GYM-HKSB.LOCAL" domain.

Enter the user name: administrator

Enter the password:

Error: Machine account creation procedure failed
  [  1002] Loaded the preliminary configuration.
  [  1730] Created a machine account in the domain
  [  1732] Successfully connected to ip 10.30.253.1, port 445 using
           TCP
  [  1833] Unable to connect to LSA service on dc01.gym-hksb.local
           (Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)
  [  1835] Successfully connected to ip 10.30.253.3, port 445 using
           TCP
  [  1937] Unable to connect to LSA service on dc02.gym-hksb.local
           (Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)
  [  1937] No servers available for MS_LSA, vserver: 4, domain:
           gym-hksb.local.
**[  1937] FAILURE: Unable to make a connection
**         (LSA:GYM-HKSB.LOCAL), result: 6940
  [  1937] Could not find Windows SID
           'S-1-5-21-1131981276-2882716370-3949356162-512'
  [  1944] Deleted existing account
           'CN=FILE02,CN=Computers,DC=gym-hksb,DC=local'

Error: command failed: Failed to create the Active Directory machine account "FILE02". Reason: SecD Error: no server available.

 

 

 

ping to Domain successful

time zone on Domain and Netapp correct

 

Any idea how to solve this?

 

Thanks,

Jürgen

Re: CIFS not joining AD domain

Hi @jha71

 

It might be an issue with the login account you are using. Does the user account have admin privileges in Active Directory? You need admin privileges to add a NetApp vserver to an Active Directory domain.

Re: CIFS not joining AD domain

Hi,

 

Sure, I use the domain administrator account.

 

KR

Re: CIFS not joining AD domain

Please let me know the result of this ... :-)

 

Naveenkumar Pusuluru

Storage lead | C3i Healthcare connections

Re: CIFS not joining AD domain

DC is reachable
DNS is configured
time zone is correct


cl1::vserver cifs> create -cifs-server file02 -domain gym-hksb.local -ou CN=Computers

In order to create an Active Directory machine account for the CIFS server, you must supply the name and password of a Windows account with sufficient privileges to add computers to the "CN=Computers"
container within the "GYM-HKSB.LOCAL" domain.

Enter the user name: administrator

Enter the password:

Error: Machine account creation procedure failed
[ 86] Loaded the preliminary configuration.
[ 121] Created a machine account in the domain
[ 122] Successfully connected to ip 10.30.253.1, port 445 using
TCP
[ 123] Unable to connect to LSA service on dc01.gym-hksb.local
(Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)
[ 123] Successfully connected to ip 10.30.253.3, port 445 using
TCP
[ 124] Unable to connect to LSA service on dc02.gym-hksb.local
(Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)
[ 124] No servers available for MS_LSA, vserver: 4, domain:
gym-hksb.local.
**[ 124] FAILURE: Unable to make a connection
** (LSA:GYM-HKSB.LOCAL), result: 6940
[ 124] Could not find Windows SID
'S-1-5-21-1131981276-2882716370-3949356162-512'
[ 131] Deleted existing account
'CN=FILE02,CN=Computers,DC=gym-hksb,DC=local'

Error: command failed: Failed to create the Active Directory machine account "FILE02". Reason: SecD Error: no server available.

cl1::vserver cifs> ping -node cl1-0
cl1-01 cl1-02
cl1::vserver cifs> ping -node cl1-01 -destination
Destination
cl1::vserver cifs> ping -node cl1-01 -destination GYM-HKSB.LOCAL
GYM-HKSB.LOCAL is alive

cl1::vserver cifs> dns show
Name
Vserver State Domains Servers
--------------- --------- ----------------------------------- ----------------
cl1 enabled gym-hksb.local 10.30.253.1,
10.30.253.3
nas enabled gym-hksb.local 10.30.253.1,
10.30.253.3
2 entries were displayed.

cl1::vserver cifs> network interface show
Logical Status Network Current Current Is
Vserver Interface Admin/Oper Address/Mask Node Port Home
----------- ---------- ---------- ------------------ ------------- ------- ----
Cluster
cl1-01_clus1 up/up 169.254.141.0/16 cl1-01 e0e true
cl1-01_clus2 up/up 169.254.239.201/16 cl1-01 e0f true
cl1-02_clus1 up/up 169.254.175.70/16 cl1-02 e0e true
cl1-02_clus2 up/up 169.254.53.54/16 cl1-02 e0f true
cl1
cl1-01_mgmt1 up/up 10.30.253.51/16 cl1-01 e0M true
cl1-02_mgmt1 up/up 10.30.253.52/16 cl1-02 e0M true
cluster_mgmt up/up 10.30.253.50/16 cl1-01 e0M true
nas
nas_lif up/up 10.30.253.55/16 cl1-01 a0a true
8 entries were displayed.

cl1::vserver cifs> system date show
Node Date Time zone
--------- ------------------------- -------------------------
cl1-01 10/24/2016 18:20:11 Europe/Berlin
+02:00
cl1-02 10/24/2016 18:20:11 Europe/Berlin
+02:00
2 entries were displayed.

cl1::vserver cifs>

 

same time on AD

 

C:\Users\Administrator.GYM-HKSB>net time \\dc01
Aktuelle Zeit auf \\dc01 ist 24.10.2016 18:20:37.

 

 event log show

 

 

cl1::vserver cifs> event log show -time >4m
Time                Node             Severity      Event
------------------- ---------------- ------------- ---------------------------
10/24/2016 18:26:40 cl1-01           ERROR         secd.conn.auth.failure: Vserver (nas) could not make a connection over the network to server (10.30.253.3) via interface 10.30.253.55. Error: Connection reset by peer.
10/24/2016 18:26:40 cl1-01           ERROR         secd.conn.auth.failure: Vserver (nas) could not make a connection over the network to server (10.30.253.1) via interface 10.30.253.55. Error: Connection reset by peer.
10/24/2016 18:25:38 cl1-01           ERROR         secd.dns.srv.lookup.failed: DNS server failed to look up service (_kerberos._tcp.10.30.253.1) for vserver (nas) with error (No server(s) found).
10/24/2016 18:25:37 cl1-01           ERROR         secd.dns.srv.lookup.failed: DNS server failed to look up service (_ldap._tcp.dc._msdcs.10.30.253.1) for vserver (nas) with error (No server(s) found).
10/24/2016 18:25:37 cl1-01           ERROR         secd.dns.srv.lookup.failed: DNS server failed to look up service (_ldap._tcp.10.30.253.1) for vserver (nas) with error (No server(s) found).
10/24/2016 18:25:35 cl1-01           ERROR         secd.dns.srv.lookup.failed: DNS server failed to look up service (_ldap._tcp.Default-First-Site-Name._sites.10.30.253.1) for vserver (nas) with error (No server(s) found).
10/24/2016 18:25:35 cl1-01           ERROR         secd.dns.srv.lookup.failed: DNS server failed to look up service (_kerberos._tcp.dc._msdcs.10.30.253.1) for vserver (nas) with error (No server(s) found).
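
An added triage example (not part of the original posts and not NetApp code): it groups the join trace and secd events quoted above by domain controller, separating "TCP/445 connected" from "service on top of it failed". The function names are hypothetical; the sample lines are copied from the post with wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Sample lines copied from the post above (wrapped lines rejoined, timestamps dropped).
TRACE = """\
[ 122] Successfully connected to ip 10.30.253.1, port 445 using TCP
[ 123] Unable to connect to LSA service on dc01.gym-hksb.local (Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)
[ 123] Successfully connected to ip 10.30.253.3, port 445 using TCP
[ 124] Unable to connect to LSA service on dc02.gym-hksb.local (Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)
"""
EVENTS = """\
secd.conn.auth.failure: Vserver (nas) could not make a connection over the network to server (10.30.253.3) via interface 10.30.253.55. Error: Connection reset by peer.
secd.dns.srv.lookup.failed: DNS server failed to look up service (_kerberos._tcp.10.30.253.1) for vserver (nas) with error (No server(s) found).
secd.dns.srv.lookup.failed: DNS server failed to look up service (_ldap._tcp.dc._msdcs.10.30.253.1) for vserver (nas) with error (No server(s) found).
"""

TCP_OK = re.compile(r"Successfully connected to ip (\S+), port (\d+)")
SVC_FAIL = re.compile(r"Unable to connect to (\w+) service on (\S+) \(Error: (\w+)\)")
AUTH_FAIL = re.compile(r"secd\.conn\.auth\.failure: .*server \(([\d.]+)\).*Error: (.+?)\.$")
SRV_FAIL = re.compile(r"secd\.dns\.srv\.lookup\.failed: .*service \((\S+)\)")
IP_SUFFIX = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})$")

def triage(trace, events):
    """Return per-DC findings: which layer connected and which one failed."""
    dcs = defaultdict(lambda: {"tcp_ports": [], "service_errors": [], "resets": 0, "srv_on_ip": []})
    last_ip = None
    for line in trace.splitlines():
        if m := TCP_OK.search(line):
            last_ip = m.group(1)
            dcs[last_ip]["tcp_ports"].append(int(m.group(2)))
        elif (m := SVC_FAIL.search(line)) and last_ip:
            # The trace reports the service failure right after the TCP connect it used.
            dcs[last_ip]["service_errors"].append((m.group(1), m.group(2), m.group(3)))
    for line in events.splitlines():
        if m := AUTH_FAIL.search(line):
            if "reset" in m.group(2).lower():
                dcs[m.group(1)]["resets"] += 1
        elif m := SRV_FAIL.search(line):
            # Record SRV names whose suffix is an IP literal, as logged in the post.
            if ip := IP_SUFFIX.search(m.group(1)):
                dcs[ip.group(1)]["srv_on_ip"].append(m.group(1))
    return dict(dcs)

def above_tcp(findings):
    """DCs where TCP/445 connected but the service on top of it failed."""
    return sorted(ip for ip, f in findings.items() if 445 in f["tcp_ports"] and f["service_errors"])
```

For these lines, `above_tcp(triage(TRACE, EVENTS))` returns both domain controllers: port 445 was reachable on each, and the failure occurred in the LSA connection made over it.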

 

Re: CIFS not joining AD domain

cl1::vserver cifs> ping -lif nas_lif -vserver nas -destination
  <Remote InetAddress>        Destination
cl1::vserver cifs> ping -lif nas_lif -vserver nas -destination 10.30.253.1
10.30.253.1 is alive

cl1::vserver cifs> ping -lif nas_lif -vserver nas -destination 10.30.253.3
10.30.253.3 is alive

cl1::vserver cifs>

 

 

 

cl1::vserver cifs>
cl1::vserver cifs> dns show
                                                              Name
Vserver         State     Domains                             Servers
--------------- --------- ----------------------------------- ----------------
cl1             enabled   gym-hksb.local                      10.30.253.1,
                                                              10.30.253.3
nas             enabled   gym-hksb.local                      10.30.253.1,
                                                              10.30.253.3
2 entries were displayed.

cl1::vserver cifs>

Re: CIFS not joining AD domain

Hi,

 

Have you tried setting your timezone to the closest city to you listed in the link below?

 

https://library.netapp.com/ecmdocs/ECMP1368852/html/GUID-48AD434D-433B-4208-8D9E-C3696707E20C.html

 

Before you can join the vserver to the domain, you first need to set the date\time and timezone to ensure the system's time is within 5 minutes of your domain controller.

 

To check the time on your DC you can use the net time command:

 

C:\>net time \\testdc01
Current time at \\testdc01 is 23/07/2015 6:26:37 PM

The command completed successfully.

 

Then set the date on your cluster:

 

cluster1> system date modify -dateandtime 201507231826.48

cluster1> system date show
Node      Date                      Time zone
--------- ------------------------- -------------------------
node1
          7/23/2015 18:26:53 +10:00 Australia/Sydney

Then set your timezone


cluster1> timezone America/Vancouver
1 entry modified

cluster1> system date show
Node      Date                      Time zone
--------- ------------------------- -------------------------
node1
          7/23/2015 01:27:12 -07:00 America/Vancouver

 

Also it's worth mentioning that you will need to enter credentials of an Active Directory user account during the cifs setup process that has permissions in Active Directory to create the computer object and join the vserver to the domain.

 

The minimum required Active Directory permissions for computer objects in your organizational unit are:

 

http://support.microsoft.com/kb/932455

 

Create Computer Objects

Reset Password

Read and write Account Restrictions

Validated write to DNS host name

Validated write to service principal name

 

hope this helps

Re: CIFS not joining AD domain

Yes, timezone and date are configured without any issue.

NetApp can reach BOTH domain controllers (TCP ping), but the cDOT event log complains that no DC server is reachable :-/

 

 

Re: CIFS not joining AD domain

The problem was DC related. Our config was as follows:

Hyper-V with DC role. It seems that's not supported. Can anyone confirm this?

We created a new DC (VM) and the domain join was successful without any issue.