
Migrating FAS 3170 CIFS to Active Directory

dbhughes16
5,233 Views

Hello. This is my first post on here so if I am in the wrong area, I apologize. We currently run a FAS 3170 (2 filers) in a workgroup environment. I have been tasked with assisting in migrating this environment to a domain. Servers and workstations were too easy. However, the NetApp is what has me concerned. We don't have storage engineers on this project. Many of the guys have managed shares and user accounts on NetApp arrays, but nothing more than that. So, we have the documentation for joining the CIFS to our domain. We have already created the required DNS records and feel ready to go.

First, I have a few questions:

1. We will have a continued need to grant access to non-domain (remote) users. They access just a few shares. We already have accounts built for them and access granted to them on those shares. Will the shares, permissions, or users go away once we connect the CIFS to the domain? Can we continue to have (non-domain) users access the shares once it is integrated with Active Directory?

2. I read a lot about timing. All the documentation says the Active Directory server and NetApp Filer(s) have to be configured with the same time/date/time zone. Is that always the case? Can I not use Zulu time on one and another country's time zone on the other one, as long as they are still technically the same time?

3. As far as the CIFS domain join goes, do I need to do the process for each filer? They are clustered....


Thanks for any insight you can provide. I am in a pinch and am not going to do anything to the NetApp until I receive more information. I cannot afford to lose any data on the shares that already exist.

-Dustin

4 REPLIES

DOMINIC_WYSS

1. Yes, you can continue to use local users. It is like on a Windows server: you can still create and use local users. The current CIFS permissions won't be changed.

2. The time zone should not matter, as long as it is configured correctly. But the time is important because of Kerberos. If the filer is more than 5 min apart from AD you cannot log in/join.

3. Yes, you must run cifs setup on both filers.

radek_kubka

I beg to differ in the following areas:

2. The time zone does matter - if it is different, then login into AD will simply not work, even if the time is exactly the same.

3. Both controllers are independent, also from an AD integration perspective, and you can integrate just one of them. If the hardware fails, the same logical instance will be run in the memory of the surviving partner, but AD will still "talk" to the same object.

Regards,
Radek
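The two replies above disagree on whether the filer's time zone matters. The example below is an added illustration, not part of the original thread, of why both can be right: Kerberos compares timestamps as UTC instants (KerberosTime is always expressed in UTC), so a filer on Zulu time and a DC on a local zone agree as long as each host's configured offset matches the wall-clock time it shows; a host whose zone is set wrong while its clock "looks" the same is hours off and fails the skew check. The 5-minute limit is the Active Directory default; the host names, clock readings and offsets are constructed for the example.

```python
"""Kerberos clock-skew check between two hosts in different time zones.

Added example (not from the original post). Each host is described by
the wall-clock time it displays plus the UTC offset it is configured
for; the offset stands in for the configured time zone. Both readings
are converted to UTC before they are compared, which is what Kerberos
does with the timestamps it exchanges.
"""
from datetime import datetime, timedelta, timezone

# Default maximum tolerable clock skew in Active Directory: 5 minutes.
MAX_SKEW = timedelta(minutes=5)


def utc_instant(wall_clock: str, utc_offset: str) -> datetime:
    """'YYYY-MM-DD HH:MM:SS' as shown on the host, plus its configured
    offset such as '+01:00' or '+00:00', converted to a UTC instant."""
    local = datetime.strptime(f"{wall_clock} {utc_offset}", "%Y-%m-%d %H:%M:%S %z")
    return local.astimezone(timezone.utc)


def kerberos_skew_ok(dc_clock: str, dc_offset: str,
                     filer_clock: str, filer_offset: str):
    """Return (ok, skew): ok is True when the two hosts' clocks, compared
    as UTC instants, are within MAX_SKEW of each other."""
    skew = abs(utc_instant(dc_clock, dc_offset) - utc_instant(filer_clock, filer_offset))
    return skew <= MAX_SKEW, skew


if __name__ == "__main__":
    # Constructed case 1: DC on Central European Time (+01:00), filer on
    # Zulu time (+00:00), both clocks correct for their zone -> 10 s apart.
    print(kerberos_skew_ok("2012-03-01 14:00:10", "+01:00",
                           "2012-03-01 13:00:00", "+00:00"))
    # Constructed case 2: filer zone set to Zulu but its clock set to the
    # DC's local wall time -> the same digits, yet almost an hour apart.
    print(kerberos_skew_ok("2012-03-01 14:00:10", "+01:00",
                           "2012-03-01 14:00:00", "+00:00"))
```

Case 2 is the situation Radek describes: the displayed time matches, the join still fails. The fix is to correct the zone (or the clock) so that the UTC instant matches, not to force both hosts onto the same zone.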

dbhughes16

Thank you both for the useful insight. We were able to join the FAS 3170 to the domain. I did join both filers to the domain, but now there are follow-on issues. I will make the situation we are in as short as possible. Basically, we have a mix of users, domain & non-domain, on one network accessing the CIFS shares. Our non-domain users access via \\ip\share while the domain users access \\filername\share. You may be asking, what's the issue? Well, we run software that is unique to our system that is on the domain, which requires access to shares via \\ip\share. If I am logged into the DC/DNS (both hosted on the same Server 2008 machine), I can ping, tracert, nslookup, etc. just fine to the filers, and likewise from the filers back to the DC/DNS server. I can manage them like domain computers (CIFS, Users, etc.). It is just not allowing my domain accounts to access them via IP. It is not a routing issue, because if I log in to a domain computer as a local computer user, I can access the shares via IP.

I know all this sounds a little backwards. I have searched high and low on the internet with few solutions offered (i.e. reset NICs on the DC/DNS server, restart the DC/DNS server/services). We have done all those things, to no avail. I am getting what looks like an SMB authentication mismatch error on the filers sometimes though. I ran tests on the NetApp to testdc and DNS and everything looks normal. If I look at domain info, all my DC settings show up ok. I cannot perform an ADupdate from the filer though. The LDAP server section under domain info on the filer is also blank. If I try to access via IP from a domain account, it tells me network not found. The last part is that if I try to add it as a network drive via IP (manually storing credentials of a user on the NetApp), it allows me to do it, from a domain account & computer. Any help?

DOMINIC_WYSS

This sounds like a Kerberos issue.

If you don't access the filer via its NetBIOS name, then the Kerberos ticket is invalid (host mismatch). Normally Windows will fall back to NTLM authentication and the access via IP works.

But in your environment this may be disabled via policies (Windows GPOs).

It's the same issue with a DNS alias, but there you can set the alias name with an SPN. But AFAIK you cannot do an SPN alias with an IP.

You may try to disable SMB2 on the filer; then it should also fall back to NTLM auth.
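To make the rule in the reply above concrete, here is an added example (not code from the thread or from NetApp) that models which authentication path a Windows SMB client ends up on for a given UNC path. The client derives a service principal name from the host part of the path (cifs/<host>, which Active Directory also satisfies through the HOST/<host> SPNs a computer account gets on join); an IP address produces no SPN that can match, and a DNS alias only matches if an SPN was registered for it. With no usable SPN the client falls back to NTLM, and when NTLM is blocked by policy the share is simply unreachable, which is the "network not found" symptom Dustin reports for domain accounts. The filer names, SPN list and policy flag are constructed for the example; the real negotiation also depends on the SMB dialect, as the reply notes, and that is not modelled here.

```python
"""Model of Kerberos-vs-NTLM selection for a UNC target.

Added example, not from the original thread. It reproduces the rule
Dominic describes: Kerberos needs a ticket for cifs/<host> (or the
HOST/<host> SPN a joined computer account carries), which the client
can only request for a name, never for an IP address. Hosts, SPNs and
the NTLM policy flag are made up for the demonstration.
"""
import ipaddress


def target_host(unc: str) -> str:
    """Host part of a UNC path: '\\\\nafiler01\\data' -> 'nafiler01'.
    Forward slashes are accepted too; the result is lower-cased so SPN
    comparison is case-insensitive, as it is in Active Directory."""
    parts = unc.replace("/", "\\").lstrip("\\").split("\\")
    return parts[0].lower()


def is_ip_address(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def smb_auth_path(unc: str, registered_spns, ntlm_allowed: bool = True):
    """Return (method, reason) where method is 'kerberos', 'ntlm' or 'denied'.

    registered_spns: SPNs present on the filer's computer account, e.g.
    ['HOST/nafiler01', 'cifs/nafiler01.corp.example'] (constructed data).
    ntlm_allowed: False when a GPO such as "Restrict NTLM: Outgoing NTLM
    traffic to remote servers" forbids the fallback on the client.
    """
    host = target_host(unc)
    spns = {spn.lower() for spn in registered_spns}

    if is_ip_address(host):
        reason = f"target {host} is an IP address; no cifs/<host> SPN can match"
    elif f"cifs/{host}" in spns or f"host/{host}" in spns:
        return "kerberos", f"ticket requested for cifs/{host}"
    else:
        reason = f"no SPN cifs/{host} or HOST/{host} registered (unregistered DNS alias?)"

    if ntlm_allowed:
        return "ntlm", reason + "; client falls back to NTLM"
    return "denied", reason + "; NTLM fallback blocked by policy"


if __name__ == "__main__":
    # Constructed SPN list as a joined filer's computer account would carry it.
    SPNS = ["HOST/nafiler01", "HOST/nafiler01.corp.example",
            "cifs/nafiler01", "cifs/nafiler01.corp.example"]
    for path in (r"\\nafiler01\data", r"\\10.0.0.5\data", r"\\files\data"):
        print(path, "->", smb_auth_path(path, SPNS))
        print(path, "->", smb_auth_path(path, SPNS, ntlm_allowed=False))
```

The practical reading for Dustin's case: domain accounts reaching `\\ip\share` can only ever use NTLM, so either the NTLM restriction on the domain clients has to permit the filer (or the software has to be pointed at a name that carries an SPN), and storing explicit credentials for the mapped drive works because that path does not involve a Kerberos ticket for the domain account at all.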
