2016-07-08 12:19 AM - last edited on 2016-07-08 03:43 AM by Li-Jacques
we using NetApp 2552 storage (8.2.2P1 -7-Mode) and we are moving a Netapp Filer from an old domain to a New Domain
Our domain server is Windows 2012 R2 Server and all the security and permission are handled by the Active Directory. And there is no storage level security or permission used.
Around 200+ users are accessing the storage (via- cifs protocol)
Please provide me some helpful tips on details for the procedure on what to do if we are going to change our domain. And let me know what will be the expected impacts or problems and how can I resolve it.
Need to take any backup (Configuration files)
What about SID, is it change?
User face any files access and permissions issues?
2016-07-08 08:17 AM
Did you migrated or replicated all the AD settings from old Domain controller to new DC ? If yes then just follow the steps below to change you Netapp controller to new domain
Please note changing domain of a filer will have disruption to you storage accessed through network ( NAS ) make sure No open files at the time of change because it may cause file corruption. Recommended to perform this during off-peak hours.
After change ask users to remount the shares using new fully qualified domain name or can just use the Filer name followed by share name
Remember before proceeding make sure you have a Windows account with administrative privileges handy of the new Domain server
First terminate the CIFS
Netapp7> cifs terminate
Now run the cifs setup
Netapp7> cifs setup
Now follow the prompts below and choose
Do you want to delete the existing filer account information? [no] Yes
Note: You must delete your existing account information to reach the DNS server entry prompt.
After deleting your account information, you are given the opportunity to rename the storage system:
The default name of this filer will be 'Netapp7'.
Do you want to modify this name? [no]:
Keep the current storage system name by pressing Enter; otherwise, enter yes and enter a new storage system name.
Data ONTAP displays a list of authentication methods:
Data ONTAP CIFS services support four styles of user authentication. Choose the one from the list below that best suits your situation.
(1) Active Directory domain authentication (Active Directory domains only)
(2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)
(3) Windows Work group authentication using the filer's local user accounts
(4) /etc/passwd and/or NIS/LDAP authentication
It chooses the domain 1 by default
Selection (1-4)? :
Now enter the new domain Name
What is the name of the Active Directory domain? [netapp.com]: testfiler.com
In Active Directory-based domains, it is essential that the filer's
time match the domain's internal time so that the Kerberos-based
authentication system works correctly. If the time difference between
the filer and the domain controllers is more than 5 minutes,
authentication will fail. Time services are currently not configured
on this filer.
Would you like to configure time services? [y]: n
In order to create an Active Directory machine account for the filer,
you must supply the name and password of a Windows account with
sufficient privileges to add computers to the testfiler.com domain.
Enter the name of the Windows user [Administrator@testfiler.com]: administrator
Password for Administrator@testfiler.com:
Respond to the remainder of the cifs setup prompts; to accept a default value, press Enter.
Upon exiting, the cifs setup utility starts CIFS.
Confirm your changes by entering the following command:
Netapp7> cifs domaininfo
You will be able to see your controller connected to the new domain
****If my reply helped you to solve the issue, Please help to mark it as solution to help others****
2016-08-10 06:11 AM - edited 2016-08-10 06:19 AM
As you have a 2552 with 8.2.2P1 I am guessing you are running cDOT - if so, then yo can use this process.
Sorry, I just noticed you are running 7 mode so page 61 of the attached doc should do the trick.
2016-08-10 08:13 AM
Moving the filer to the new domain is the easy part. Doing it in a way that still allows the users to access their files is the interesting part. As you mentioned, the SIDs in the file system ACLs will all belong to the user's accounts in their old domain. You may want to leverage ADMT with SidHistory if possible to avoid having to re-ACL your file systems.