
Not able to join to AD due to Unable to contact DNS


Hi Team,

 

Unable to join the vserver to AD; it gives the error "Unable to contact DNS".

 

SA6CLS02::> vserver cifs create -vserver NS6VFL02 -cifs-server NS6VFL02 -domain wa6ads07.axabs-in.intraxa

In order to create an Active Directory machine account for the CIFS server, you must supply the name and password of a Windows account with sufficient privileges to add computers to the
"CN=Computers" container within the "WA6ADS07.AXABS-IN.INTRAXA" domain.

Enter the user name: aravind shastry.adm

Enter the password:

Error: Machine account creation procedure failed
[ 0 ms] Trying to create machine account 'NS6VFL02' in domain
'WA6ADS07.AXABS-IN.INTRAXA' for Vserver 'NS6VFL02'
[ 2004] Failed to connect to 10.90.125.10 for DNS: Operation
timed out
[ 4013] Failed to connect to 10.90.125.10 for DNS: Operation
timed out
**[ 4014] FAILURE: Unable to contact DNS to discover domain
** controllers.

Error: command failed: Failed to create the Active Directory machine account "NS6VFL02". Reason: Unable to contact DNS.

 

 

****************************

Attached text file for more info

 

SA6CLS02::> network ping -node SA6UNS06 axabs-in.intraxa
axabs-in.intraxa is alive

SA6CLS02::> network ping -node SA6UNS05 axabs-in.intraxa
no answer from axabs-in.intraxa

SA6CLS02::> network ping -node SA6UNS05 axabs-in.intraxa
axabs-in.intraxa is alive

SA6CLS02::> network ping -node SA6UNS06 -destination 10.90.141.1
10.90.141.1 is alive

SA6CLS02::> network ping -node SA6UNS05 -destination 10.90.141.1
10.90.141.1 is alive

 

Added a record in DNS for Data LIF1, and able to ping the gateway and DNS IP from the filer.

 

Regards

Srikanth

9966443310

 

Re: Not able to join to AD due to Unable to contact DNS

Hi,

 

Have you ensured the DNS service on the vserver is configured before attempting to join it to the domain? E.g.:

 

cluster1> services dns create -vserver vserver1 -domains testlab.local -name-servers 192.168.100.10 -state enabled -timeout 5 -attempts 3

 

cluster1> services dns show -vserver vserver1

               Vserver: vserver1
               Domains: testlab.local
          Name Servers: 192.168.100.10
    Enable/Disable DNS: enabled
        Timeout (secs): 5
      Maximum Attempts: 3

 

If the vserver's DNS service is not configured\enabled then you won't be able to join it to the domain.

 

/matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.
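A successful ping only proves ICMP reachability, while the join trace fails at "Unable to contact DNS to discover domain controllers". The sketch below is an added example, not part of the original posts or NetApp code: it sends the domain-controller SRV lookup over UDP/53 using the timeout and attempt values from the command above. It assumes it is run from a host on the same VLAN/subnet as the vserver's data LIF; the function names are hypothetical.

```python
import socket
import struct

SRV, IN = 33, 1  # DNS QTYPE for SRV records, QCLASS for Internet

def build_dc_locator_query(domain, txid=0x4144):
    """Query for _ldap._tcp.dc._msdcs.<domain>, the SRV name that lists DCs."""
    name = "_ldap._tcp.dc._msdcs." + domain.strip(".")
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!2H", SRV, IN)

def classify_reply(query, reply):
    """Return 'answered', 'no-records', 'rcode-N' or 'mismatch' for a raw reply."""
    if len(reply) < 12 or reply[:2] != query[:2]:
        return "mismatch"  # too short, or not a reply to our transaction id
    flags, _qdcount, ancount = struct.unpack("!3H", reply[2:8])
    if not flags & 0x8000:  # QR bit clear: this is not a response
        return "mismatch"
    rcode = flags & 0x000F
    if rcode:
        return f"rcode-{rcode}"  # e.g. rcode-3 is NXDOMAIN
    return "answered" if ancount else "no-records"

def probe(server, domain, timeout=5.0, attempts=3):
    """Send the query over UDP/53; 'timeout' means no DNS reply ever arrived."""
    query = build_dc_locator_query(domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(attempts):
            try:
                sock.sendto(query, (server, 53))
                reply, _addr = sock.recvfrom(4096)
                return classify_reply(query, reply)
            except socket.timeout:
                continue  # no reply within the timeout; try again
            except OSError as exc:
                return f"error: {exc}"  # e.g. no route to host
    return "timeout"

if __name__ == "__main__":
    # Name server and domain taken from the example commands in the post above.
    print(probe("192.168.100.10", "testlab.local"))
```

A result of "timeout" while ping succeeds points at filtering or VLAN problems on the DNS path rather than at the DNS configuration itself.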

Re: Not able to join to AD due to Unable to contact DNS

Hi,

 

Also I noticed you are attempting to create the vserver's computer object in the Computers container in AD (this is unlikely to be the cause of your issue); however, the best practice is to specify which organizational unit the computer account is created in by using the -ou parameter. E.g.:

 

cluster1> vserver cifs create ?
   [-vserver] <vserver name>           Vserver
   [-cifs-server] <NetBIOS>            CIFS Server NetBIOS Name
   [-domain] <TextNoCase>              Fully Qualified Domain Name
  [[-ou] <text>]                       Organizational Unit (default:
                                       CN=Computers)

 

This will enable you to delegate administration and apply group policy (as you can't apply group policy to a container object in AD). Also ensure that the Active Directory user account specified when joining the vserver to the domain has sufficient permissions on the OU to create the computer object and join it to the domain. The following table defines the permissions required to securely delegate Active Directory permissions to perform a CIFS setup and create computer objects for vservers within an Organizational Unit (http://support.microsoft.com/kb/932455):

 

  • Create Computer Objects
  • Delete Computer Objects
  • Reset Password
  • Read and write Account Restrictions
  • Validated write to DNS host name
  • Validated write to service principal name

Hope this information is useful

 

/matt


Re: Not able to join to AD due to Unable to contact DNS

Thanks Matt.

I have tried your options but no luck.

 

The data LIF is not able to ping the gateway and DNS server, so I have raised a request to the network team to open the firewall port. Hope it will work.

 

 

 

 

SA6CLS02::*> event log show -event secd*
Time Node Severity Event
------------------- ---------------- ------------- ---------------------------
1/7/2016 16:21:52 SA6UNS06 WARNING secd.dns.server.timed.out: DNS server 10.90.125.70 did not respond to vserver = NS6VFL02 within timeout interval.
1/7/2016 15:57:42 SA6UNS05 WARNING secd.dns.server.timed.out: DNS server 10.90.125.70 did not respond to vserver = NS6VFL02 within timeout interval.
1/7/2016 15:18:19 SA6UNS05 WARNING secd.dns.server.timed.out: DNS server 10.90.125.70 did not respond to vserver = NS6VFL02 within timeout interval.
1/7/2016 15:14:04 SA6UNS05 WARNING secd.dns.server.timed.out: DNS server 10.90.125.70 did not respond to vserver = NS6VFL02 within timeout interval.
1/7/2016 15:06:46 SA6UNS05 WARNING secd.dns.server.timed.out: DNS server 10.90.125.70 did not respond to vserver = NS6VFL02 within timeout interval.
1/7/2016 14:00:47 SA6UNS05 WARNING secd.dns.server.timed.out: DNS server 10.90.125.70 did not respond to vserver = NS6VFL02 within timeout interval.
1/7/2016 13:53:27 SA6UNS05 WARNING secd.dns.server.timed.out: DNS server 10.90.125.10 did not respond to vserver = NS6VFL02 within timeout interval.
1/7/2016 13:42:23 SA6UNS05 WARNING secd.dns.server.timed.out: DNS server 10.90.125.10 did not respond to vserver = NS6VFL02 within timeout interval.
1/6/2016 22:47:19 SA6UNS05 WARNING secd.dns.server.timed.out: DNS server 10.90.125.10 did not respond to vserver = NS6VFL02 within timeout interval.
9 entries were displayed.

 

 

Thanks

Srikanth Manchana

+91 9966443310
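The event log above can be triaged mechanically. This added example (not part of the original post or any NetApp tool) groups `secd.dns.server.timed.out` events by vserver, name server and node; the sample lines are copied from the log above, and the `diagnose` heuristic and all function names are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Sample input: header plus three event lines in the format shown in the post.
SAMPLE_LOG = """\
Time Node Severity Event
1/7/2016 16:21:52 SA6UNS06 WARNING secd.dns.server.timed.out: DNS server 10.90.125.70 did not respond to vserver = NS6VFL02 within timeout interval.
1/7/2016 15:57:42 SA6UNS05 WARNING secd.dns.server.timed.out: DNS server 10.90.125.70 did not respond to vserver = NS6VFL02 within timeout interval.
1/7/2016 13:53:27 SA6UNS05 WARNING secd.dns.server.timed.out: DNS server 10.90.125.10 did not respond to vserver = NS6VFL02 within timeout interval.
"""

EVENT_RE = re.compile(
    r"^\d+/\d+/\d+ \d+:\d+:\d+\s+(?P<node>\S+)\s+\S+\s+"
    r"secd\.dns\.server\.timed\.out: DNS server (?P<dns>\S+) "
    r"did not respond to vserver = (?P<vserver>\S+) within"
)

def summarize(log_text):
    """Return {vserver: {dns_server: [nodes that logged a timeout]}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:  # header, separator and unrelated lines are skipped
            seen[m["vserver"]][m["dns"]].add(m["node"])
    return {v: {d: sorted(n) for d, n in s.items()} for v, s in seen.items()}

def diagnose(summary, vserver):
    """Heuristic of this example: returns 'path', 'node', 'server' or 'none'."""
    servers = summary.get(vserver, {})
    if not servers:
        return "none"    # no DNS timeouts logged for this vserver
    nodes = {n for ns in servers.values() for n in ns}
    if len(servers) > 1 and len(nodes) > 1:
        return "path"    # several name servers unreachable from several nodes
    if len(servers) > 1:
        return "node"    # several name servers unreachable from one node only
    return "server"      # a single name server is the common factor

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(result, diagnose(result, "NS6VFL02"))
```

A "path" result, as here, means the common factor is the network between the vserver's LIFs and DNS (VLAN, routing, firewall) rather than one name server.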

Re: Not able to join to AD due to Unable to contact DNS

What version of cDOT are you using?  We had a similar issue due to case sensitivity and our Bluecat DNS system.  8.3.1 resolved the issue (see bug ID 886457).  Note that the workaround in this bug ID did not work for us and Support recommended the upgrade, which worked as promised.

Re: Not able to join to AD due to Unable to contact DNS

SA2CLS01::> version
NetApp Release 8.3P1: Tue Apr 07 16:05:35 PDT 2015

Re: Not able to join to AD due to Unable to contact DNS

Hi,  

I am having the same problem with version 8.3.2P2, did you ever find a resolution?

Re: Not able to join to AD due to Unable to contact DNS

Add the ports to the VLAN on the network switch side and do VLAN tagging in C-mode.

 

 

Regards

Srikanth