Hi KFU,

try this on the DFM server's cli:

dfm user add -r GlobalFullControl DOMAIN2\netapp_snapmgr

You also need to make sure that on the SnapManager/SnapDrive server, the user you pass to SnapDrive for DFM queries has also GlobalFullControl (check with "sdcli dfm_config list").

Cheers,

Domenico.

Thanx dmauro for your reply,

we did this allready, but this doesn´t work ether.

could you provide the output of the command:

C:\Users\Administrator>dfm query run "SELECT objId, objFullName from objects where objName = 'DOMAIN2\netapp_snapmgr'"

it should return this:

"objId","objFullName"
"3241","DOMAIN2\netapp_snapmgr"

if there is a space before the name or something strange, then the user needs to be readded.

In general, we have the following requirements for Snapmanager service user:

-In case of SME,  Member of  "Organization Management' Exchange Security group, (unless you are using RBAC with latest available SME version, where you can assign less permisisons with a role defined with specific permissions)

- In case of SMSQL, the above service needs to have sysadmin role assigned within the managed instances.

- On every server where SME/SMSQL is installed, the snapmanager service should be a member of the local administrators account

- ACL's on the lun's where databases and logs  are hosted should allow full control to the above service.

- if you configure SME/SMSQL with DFM/PM archiving, then you also need to ensure SnapDrive and SnapManager users are added to the GlobalFullControl  role.

it must work.

Domenico.

with this query I only get:

"objID","objFullName"

But as you said, I have deleted and readded the user and did get:

C:\Windows\system32>dfm user add -r GlobalFullControl DOMAIN2\netapp_snapmgr
Warning: DOMAIN2\netapp_snapmgr does not exist in the administrator database(s),
so login is disabled for this administrator.
Added administrator DOMAIN2\netapp_snapmgr.
Added 1 role to administrator DOMAIN2\netapp_snapmgr.

I think the problem is that there are two different domains wich don´t know each others users. But we will not change this architecture because of security. Is there any solution?

Some more information:

If I add a user without the underscore "_" for example "DOMAIN2\snapmgr" your query works:

C:\Windows\system32>dfm user add -r GlobalFullControl DOMAIN2\snapmgr
Warning: DOMAIN2\snapmgr does not exist in the administrator database(s),
so login is disabled for this administrator.
Added administrator DOMAIN2\snapmgr.
Added 1 role to administrator DOMAIN2\snapmgr.

C:\Windows\system32>dfm query run "SELECT objId, objFullName from objects where
objName = 'DOMAIN2\snapmgr'"
"objId","objFullName"
"5577323","DOMAIN2\snapmgr"

Are there any restrictions in name usage, because the underscore is a normal ASCII character?

Hi,

from your last output, I don't really see any change.

It still creates the user but then it disables it.

So, I am not sure if a trust is required between the two domain.

I have asked a colleague who is specialized in DFM and will take a look and reply.

Domenico Di Mauro.

Thx Rom for your reply,

due to the fact that in our case both domains are independent and there is no domain on top of them only a trust between these two will be the solution. As this is against our architecture, we need to setup a snapvault relationship between snapvault primary and secondary without using DFM/Protection Manager.