https://community.netapp.com/t5/ONTAP-Discussions/vserver-active-directory-create-RPC-timeouts/m-p/139582#M30820 <P>The answer to this appears to have been to create the vserver with the "-ns-switch ldap" flag via CLI.&nbsp; I had&nbsp;previously created the&nbsp;vserver from the GUI and this setting defaulted to NIS, which explains why the account was added to AD but OnTap was unable to recieve the acknowledgement of success, and thus timed out. &nbsp;I never had this problem doing the same with OnTap 9+.</P> <P>&nbsp;</P> <P>I don't understand the ins and outs of why this worked, but&nbsp;AD authentication for cluster admins works&nbsp;great now and CIFS is still&nbsp;unlicensed.</P> <P>&nbsp;</P> <P>Hopefully someone finds this helpful someday!&nbsp; Cheers</P> Sat, 14 Apr 2018 00:22:29 GMT BenCoughtry 2018-04-14T00:22:29Z https://community.netapp.com/t5/ONTAP-Discussions/vserver-active-directory-create-RPC-timeouts/m-p/139069#M30695 <P>Hi all, I I'm trying to setup an AD connection in order to domain authenticate cluster admins and I have 2x CDOT 8.2.2 clusters which&nbsp;time out when on the command 'vserver active-directory create'.&nbsp; CIFS is not licensed so I cannot use a CIFS vserver.&nbsp;&nbsp;The commands I'm using (below) work perfectly on other clusters running newer versions of OnTap (9.1 or 9.2).&nbsp; Since the&nbsp;same commands exist on 8.2.2 I'm assuming this&nbsp;is supposed to work, but not sure what the problem is.</P> <P>&nbsp;</P> <P>After I run the command, AD logs confirm the connection without errors and in fact show the new account in the Computers OU.&nbsp; If I run the command a second time OnTap tells me that the account already exists and asks if I want to reuse it, but then upon&nbsp;answering YES the command still times again with the same error.&nbsp; Thus, I know the cluster is talking to&nbsp;the&nbsp;local domain controller and I don't know why it is failing.&nbsp; Any advice would be appreciated - thanks!&nbsp; See CLI output below:</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT face="courier new,courier" size="2">san901-cluster::&gt; domain-tunnel show</FONT><BR /><FONT face="courier new,courier" size="2"> (security login domain-tunnel show)</FONT><BR /><FONT face="courier new,courier" size="2">Tunnel Vserver: ldap_svm</FONT></P> <P>&nbsp;</P> <P><FONT face="courier new,courier" size="2">san901-cluster::&gt; vserver active-directory create -vserver ldap_svm -domain xxx.xxxx -account-name san901-cluster</FONT></P> <P><FONT face="courier new,courier" size="2">In order to create an Active Directory machine account, you must supply the name and password of a Windows account with sufficient privileges to add computers to the "CN=Computers" container within the</FONT><BR /><FONT face="courier new,courier" size="2">"xxxx" domain.</FONT></P> <P>&nbsp;</P> <P><FONT face="courier new,courier" size="2">Enter the user name: xxxxx</FONT></P> <P><FONT face="courier new,courier" size="2">Enter the password:</FONT></P> <P>&nbsp;</P> <P><FONT face="courier new,courier" size="2">Warning: An account by this name already exists in Active Directory at CN=SAN901-CLUSTER,CN=Computers,DC=xxx,DC=xxxx</FONT><BR /><FONT face="courier new,courier" size="2"> Ok to reuse this account? {y|n}: y</FONT></P> <P><FONT face="courier new,courier" size="2">Error: command failed: Failed to create the Active Directory machine account "SAN901-CLUSTER". Reason: ad_machine_account_create: RPC: Timed out; ct = 0x826104800 rem_addr = 127.0.0.1:655.</FONT></P> <P>&nbsp;</P> <P><FONT face="courier new,courier" size="2">san901-cluster::&gt; vserver active-directory show</FONT><BR /><FONT face="courier new,courier" size="2">This table is currently empty.</FONT></P> Wed, 04 Jun 2025 13:53:41 GMT https://community.netapp.com/t5/ONTAP-Discussions/vserver-active-directory-create-RPC-timeouts/m-p/139069#M30695 BenCoughtry 2025-06-04T13:53:41Z https://community.netapp.com/t5/ONTAP-Discussions/vserver-active-directory-create-RPC-timeouts/m-p/139582#M30820 <P>The answer to this appears to have been to create the vserver with the "-ns-switch ldap" flag via CLI.&nbsp; I had&nbsp;previously created the&nbsp;vserver from the GUI and this setting defaulted to NIS, which explains why the account was added to AD but OnTap was unable to recieve the acknowledgement of success, and thus timed out. &nbsp;I never had this problem doing the same with OnTap 9+.</P> <P>&nbsp;</P> <P>I don't understand the ins and outs of why this worked, but&nbsp;AD authentication for cluster admins works&nbsp;great now and CIFS is still&nbsp;unlicensed.</P> <P>&nbsp;</P> <P>Hopefully someone finds this helpful someday!&nbsp; Cheers</P> Sat, 14 Apr 2018 00:22:29 GMT https://community.netapp.com/t5/ONTAP-Discussions/vserver-active-directory-create-RPC-timeouts/m-p/139582#M30820 BenCoughtry 2018-04-14T00:22:29Z https://community.netapp.com/t5/ONTAP-Discussions/vserver-active-directory-create-RPC-timeouts/m-p/139750#M30875 <P>Hi,</P> <P>&nbsp;</P> <P>Refer KB&nbsp;<A href="https://kb.netapp.com/app/answers/answer_view/a_id/1027853/loc/en_US" target="_blank">https://kb.netapp.com/app/answers/answer_view/a_id/1027853/loc/en_US</A></P> Mon, 23 Apr 2018 04:48:35 GMT https://community.netapp.com/t5/ONTAP-Discussions/vserver-active-directory-create-RPC-timeouts/m-p/139750#M30875 Sahana 2018-04-23T04:48:35Z