https://community.netapp.com/t5/ONTAP-Discussions/dns-check-produces-2-different-experiences-but-same-DNS-servers/m-p/168378#M38596 <P>How does the Serviceprinciplenames of the SVMs look like ? It is hard to understand if these are just dns zones and where the SVM belongs too - what is the Kerberos Realm etc.&nbsp;You could define 2 Broadcast domains with their domain name - so the lif there would only "handle" one domain if there are 2 KRB Realms too.</P> Tue, 13 Jul 2021 04:49:48 GMT mario_grunert 2021-07-13T04:49:48Z https://community.netapp.com/t5/ONTAP-Discussions/dns-check-produces-2-different-experiences-but-same-DNS-servers/m-p/168374#M38593 <P>IHAC running ONTAP 9.6p3.&nbsp; They're complaining of CIFS performance, and managing the SVM (adding domain users into local groups, etc) timeout, and users have problems accessing shares.&nbsp; I verified that the time is in sync with the DCs, and the SVM can ping the domain name.<BR /><BR />When I performed a dns check, I have 2 different experiences.&nbsp; The DNS server is also a domain controller -&nbsp;192.168.1x.xx5<BR />That DC hosts 2 different domains:</P><P><BR /><STRONG>bad.domain.com</STRONG> (this is the customer's AD domain)</P><P><STRONG>good.domain.com</STRONG> (this looks like an administrative domain that was created in AD)<BR /><BR />On the prod SVM (as well as a test SVM), I configured DNS:<BR /><EM>::&gt; vserver services dns create -vserver svm1 -domains <STRONG><FONT color="#FF0000">bad.domain.com</FONT></STRONG> -name-servers 192.168.1x.xx5, 100.100.x.xx1</EM><BR /><BR />When I check the domain, the test sometimes times out, or responds VERY slowly:</P><P><EM>ntap01::*&gt; vserver services dns check -vserver svm1 -instance</EM></P><P><EM>Vserver: svm1</EM><BR /><EM>Name Server: 192.168.1x.xx5</EM><BR /><EM>Name Server Status: up</EM><BR /><EM>Status Details: <FONT color="#FF0000">Response time (msec): <STRONG>3623</STRONG></FONT></EM></P><P><EM>Vserver: svm1</EM><BR /><EM>Name Server: 100.100.x.xx1</EM><BR /><EM>Name Server Status: up</EM><BR /><EM>Status Details: <FONT color="#FF0000">Response time (msec): <STRONG>2743</STRONG></FONT></EM><BR /><EM>2 entries were displayed.</EM></P><P>&nbsp;</P><P>But when I change the domain (not the CIFS domain, but the domain that the SVM has configured for DNS settings), the response adequate:</P><P>&nbsp;</P><P><EM>::&gt; vserver services dns modify -vserver svm1 -domains<STRONG> <FONT color="#339966">good.domain.com</FONT></STRONG></EM></P><P><EM>ntap01::*&gt; vserver services dns check -vserver svm1 -instance</EM></P><P><EM>Vserver: svm1</EM><BR /><EM>Name Server: 192.168.1x.xx5</EM><BR /><EM>Name Server Status: up</EM><BR /><EM>Status Details:<STRONG> <FONT color="#339966">Response time (msec): 15</FONT></STRONG></EM></P><P><EM>Vserver: svm1</EM><BR /><EM>Name Server: 100.100.x.xx1</EM><BR /><EM>Name Server Status: up</EM><BR /><EM>Status Details: <STRONG><FONT color="#339966">Response time (msec): 13</FONT></STRONG></EM><BR /><EM>2 entries were displayed.</EM></P><P>&nbsp;</P><P>Both domains (<FONT color="#339966"><STRONG>good.domain.com</STRONG></FONT> and<FONT color="#FF0000"><STRONG> bad.domain.com</STRONG></FONT>) are zones on the same DNS server.&nbsp; I can reproduce this problem with the prod SVM that is having CIFS problems.&nbsp; If I create a new nfs-only SVM, I get the same issues even though the test SVM is not part of an AD domin.<BR /><BR />The reason I'm putting stock into this test is because<STRONG><EM> vserver cifs check</EM></STRONG> doesn't bode well (<EM>the below output is a re-enactment, so some of the responses have been manually modified to simulate the actual response</EM><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P><P>&nbsp;</P><P><EM>::&gt; vserver cifs check -vserver svm1 -instance</EM></P><P><EM>Vserver: svm1</EM><BR /><EM>Node: ntap01-01</EM><BR /><EM>CIFS NetBIOS Name: SVM1</EM><BR /><EM>CIFS Server Status: Running</EM><BR /><EM>CIFS Server Site:</EM><BR /><EM>Domain Controller Name: <FONT color="#FF0000"><STRONG>bad.domain.com</STRONG></FONT></EM><BR /><EM>Domain Controller IP Addr: <FONT color="#FF0000">192.168.1x.xx5</FONT></EM><BR /><EM>Connectivity Status: <STRONG>down</STRONG></EM></P><P>&nbsp;</P><P>Any ideas?&nbsp; My initial thought was bad SRV records or something, but the rest of the computer accounts are OK.&nbsp; There are no other NetApp instances on their AD domain.<BR /><BR />Thanks for the help</P><P><BR /><BR /><BR /></P> Wed, 04 Jun 2025 10:19:27 GMT https://community.netapp.com/t5/ONTAP-Discussions/dns-check-produces-2-different-experiences-but-same-DNS-servers/m-p/168374#M38593 borkp 2025-06-04T10:19:27Z https://community.netapp.com/t5/ONTAP-Discussions/dns-check-produces-2-different-experiences-but-same-DNS-servers/m-p/168378#M38596 <P>How does the Serviceprinciplenames of the SVMs look like ? It is hard to understand if these are just dns zones and where the SVM belongs too - what is the Kerberos Realm etc.&nbsp;You could define 2 Broadcast domains with their domain name - so the lif there would only "handle" one domain if there are 2 KRB Realms too.</P> Tue, 13 Jul 2021 04:49:48 GMT https://community.netapp.com/t5/ONTAP-Discussions/dns-check-produces-2-different-experiences-but-same-DNS-servers/m-p/168378#M38596 mario_grunert 2021-07-13T04:49:48Z https://community.netapp.com/t5/ONTAP-Discussions/dns-check-produces-2-different-experiences-but-same-DNS-servers/m-p/168383#M38601 <P>&nbsp;<a href="https://community.netapp.com/t5/user/viewprofilepage/user-id/8214">@mario_grunert</a>&nbsp;Thanks for the reply. &nbsp;Kerberos is not configured. &nbsp;The SPN of the CIFS SVM account should be default, but the nfs-only SVM wouldn’t have one as it is not configured for Kerberos or AD.&nbsp;<BR /><BR /></P><P>thr only difference is the DNS domain configured via vserver services dns create/modify.&nbsp;<BR /><BR /></P><P>It’s so odd as both zones are hosted on the same DNS/AD server, and that server is on the same subnet as the SVM’s LIF.&nbsp;<BR /><BR /></P><P>To rule out the actual DNS server being a problem, I modified the list of configured DNS servers on the SVM to just one, and reproduced the results. I did this with 3 different DNS servers.&nbsp;</P> Tue, 13 Jul 2021 09:53:54 GMT https://community.netapp.com/t5/ONTAP-Discussions/dns-check-produces-2-different-experiences-but-same-DNS-servers/m-p/168383#M38601 borkp 2021-07-13T09:53:54Z https://community.netapp.com/t5/ONTAP-Discussions/dns-check-produces-2-different-experiences-but-same-DNS-servers/m-p/168392#M38605 <P>Probably worth getting a packet trace during each ping to see what is going on behind the scenes.</P><P>&nbsp;</P><P>DNS check is a very basic command that just does standard A/AAAA queries, so this is likely either a network issue or you have duplicate records out there. A trace will tell you more.</P> Tue, 13 Jul 2021 14:07:42 GMT https://community.netapp.com/t5/ONTAP-Discussions/dns-check-produces-2-different-experiences-but-same-DNS-servers/m-p/168392#M38605 parisi 2021-07-13T14:07:42Z https://community.netapp.com/t5/ONTAP-Discussions/dns-check-produces-2-different-experiences-but-same-DNS-servers/m-p/168617#M38670 <P>The SVM will need to DNS to connect to the dc. After establishing the connection, it stays open for a long time.</P> <P>You can even try to add a preferred dc to the SVM to minimize DNS interactions.</P> <P>&nbsp;</P> <P>I will recommend checking the network or the DC connections.&nbsp;&nbsp;</P> <P><A href="https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_can_I_check_in_ONTAP_if_an_external_service_such_as_netlogon%2C_ldap-ad%2C_lsa%2C_ldap-nis-namemap%2C_or_nis_is_responding_slowly" target="_self"><SPAN>How can I check in ONTAP if an external service such as netlogon, ldap-ad, lsa, ldap-nis-namemap, or nis is responding slowly?</SPAN></A></P> Wed, 21 Jul 2021 06:28:57 GMT https://community.netapp.com/t5/ONTAP-Discussions/dns-check-produces-2-different-experiences-but-same-DNS-servers/m-p/168617#M38670 Mjizzini 2021-07-21T06:28:57Z