2011-02-07 08:12 AM
We recently built two additional 2008 R2 domain controllers and wanted to know the best route to reconfigure DNS/Cifs to use these servers for DNS/Authentication since we're trying to phase out the two "old" ones (2003 servers).
1. Do I just change the DNS servers listed to the two new ones. Any restarting of services that I need to be aware of?
2. On the CIFS interface (NetApp System Manager), I don't see an option to edit the connected Domain controllers, nor the Connected LDAPS systems (same as the Domain Controllers). I assume that I'll have to go through CIFS setup in order to reconfig it? Is that correct? Any help is greatly appreciated. Thanks.
Solved! SEE THE SOLUTION
2011-02-07 09:03 AM
I just did some quick reading read through of the Ontap 7.3 file access and protocols management guide, and i think that I don't need to run CIFS setup since that's primary only required if I want to join a different domain, etc.
So from my understanding, if I just wanted to change the preferred domains then I'll just need to run "prefdc add" command.
Can someone validate the steps that I'm planning to take in order to switch our array (OnTap 7.3.2) to use different DNS servers and different DCs for (Connected Domain Controllers & Connected LDAPS)
1. Change the DNS servers listed to the two new ones. Any restarting of services or user interruption that i should be aware of?
2. Run cifs prefdc add domain_name ipaddress1 and ipaddress2
3. Run cifs resetdc domain_name
2011-02-07 09:05 AM
For the DCs being used for authentication, they should be identified automatically. Run "cifs domaininfo" and make sure you see all four DCs. If not, you need to check your AD sites and services to see if you have a site configured specifically for that subnet. However your ldap is an options setting, run "options ldap" to see your settings.
These should be the two you are most interested in. To enter two servers on the ldap.servers line use options ldap.servers "server1.ad,server2.ad"
To the DNS entries, you can have three entries live at any one time to my knowledge, so you could add one of your new DNS servers to the top of the list and the run "dns info". Do not worry if the DNS server shows DOWN, this is very misleading. DOWN could mean that you have not had enough requests to round robin over to the second server. But if it says UP and has a recent last polled, you know you have a good connection. At that point you could remove one of your old DNS servers, add the second new one to the top and repeat the process.
There should be no restart needed for either of these operations. I have done both over 50 times and never had to restart anything.
2011-02-07 09:17 AM
I ran cifs domaininfo and do see all of the DCs listed.
Does it hurt or make sense if I added my two new 2008 DCs as Preferred addresses instead of letting the system automatically set the Favored address list. If I were to go this route, should I also do the ladap.servers.preferred command too.
For the cifs prefdc command, do I just specify the NetBIOS domain name and for ldap.servers.preferred, I assume I use the FQDN...right?
2011-02-07 09:33 AM
The only thing I would watch out for using prefdc is that if the first DC in the list goes down, you have a slight timeout lag while the filer tries to authenticate. As you only have two DCs, I would not think this would be an issue.
prefdc does indeed only require the netBIOS name, where ldap should have an FQDN.
We use a Unix LDAP, so I am not 100% sure about the Windows LDAP configurations.. We use ours for multiprotocol access...if you don't have users actively authenticating to the filer over LDAP I would avoid it as it requires clear-text passwords(last I had read up on it anyway) to be sent. You can use Windows groups to manage your authentication access, just an FYI(obviously I don't know all your reqs!)
As to your other post...sorry we don't have any 2008 DCs currently, only 2003, so I don't have any frame of reference to help you there.