We have an issue with SnapManager for Exchange. If we configure the protection dataset of SnapManager for Exchange with the configuration wizard we get: "Error code: 0xc00414df Unable to create SnapManager dataset". The log says that there are some issues with the access from SME to OCM (DFM):
Creating SnapManager dataset...
SDDatasetMemberIterStart failed. [SDAPI Error]: RBAC access check failed with the following reason. Error Description :'DFM.DataBase.Read access denied on dataset SnapMgr_Exchange_Server for user DOMAIN2\netapp_snapmgr on Operations Manager server DFMsrv'.
We think the problem is that the SME user and OCM (DFM) are not in the same domain. The SME user is in DOMAIN2 and DFMsrv is in DOMAIN1. Is there any solution for usage across different domains?
If there is a space before the name or something strange, then the user needs to be re-added.
In general, we have the following requirements for the SnapManager service user:
- In the case of SME, member of the "Organization Management" Exchange security group (unless you are using RBAC with the latest available SME version, where you can assign fewer permissions with a role defined with specific permissions).
- In the case of SMSQL, the above service user needs to have the sysadmin role assigned within the managed instances.
- On every server where SME/SMSQL is installed, the SnapManager service user should be a member of the local Administrators account.
- ACLs on the LUNs where databases and logs are hosted should allow full control to the above service user.
- If you configure SME/SMSQL with DFM/PM archiving, then you also need to ensure the SnapDrive and SnapManager users are added to the GlobalFullControl role.
But as you said, I have deleted and re-added the user and got:
C:\Windows\system32>dfm user add -r GlobalFullControl DOMAIN2\netapp_snapmgr
Warning: DOMAIN2\netapp_snapmgr does not exist in the administrator database(s), so login is disabled for this administrator.
Added administrator DOMAIN2\netapp_snapmgr.
Added 1 role to administrator DOMAIN2\netapp_snapmgr.
I think the problem is that there are two different domains which don't know each other's users. But we will not change this architecture because of security. Is there any solution?
If I add a user without the underscore "_", for example "DOMAIN2\snapmgr", your query works:
C:\Windows\system32>dfm user add -r GlobalFullControl DOMAIN2\snapmgr
Warning: DOMAIN2\snapmgr does not exist in the administrator database(s), so login is disabled for this administrator.
Added administrator DOMAIN2\snapmgr.
Added 1 role to administrator DOMAIN2\snapmgr.
C:\Windows\system32>dfm query run "SELECT objId, objFullName from objects where objName = 'DOMAIN2\snapmgr'"
"objId","objFullName"
"5577323","DOMAIN2\snapmgr"
Are there any restrictions on name usage? The underscore is a normal ASCII character.
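As an added diagnostic that is not part of this thread or of NetApp's tooling, the Python below parses the quoted-CSV output that `dfm query run` prints (as shown above) and reports whether an administrator name is stored byte-for-byte as expected, flagging near-misses that hide leading whitespace or non-ASCII characters of the kind the earlier reply mentions. The sample output is constructed; `SAMPLE_OUTPUT`, `check_administrator` and the helper names are assumptions.

```python
import csv
import io
import unicodedata

# Constructed sample in the quoted-CSV format `dfm query run` prints; the second
# and third rows are deliberately malformed names used to exercise the check.
SAMPLE_OUTPUT = (
    '"objId","objFullName"\n'
    '"5577323","DOMAIN2\\snapmgr"\n'
    '"5577324"," DOMAIN2\\netapp_snapmgr"\n'
    '"5577325","DOMAIN2\\netapp\u00a0_snapmgr"\n'
)


def parse_dfm_query(output: str) -> list:
    """Parse the quoted CSV that `dfm query run` prints into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(output)))


def name_anomalies(name: str) -> list:
    """List reasons a stored DFM administrator name may not match the AD principal."""
    issues = []
    if name != name.strip():
        issues.append("leading/trailing whitespace")
    for ch in name:
        # Anything outside printable ASCII (NBSP, tabs, zero-width characters) is
        # suspect; underscore and other printable ASCII characters are fine.
        if ch != " " and (ord(ch) > 126 or unicodedata.category(ch)[0] in "CZ"):
            issues.append(f"non-ASCII or control character U+{ord(ch):04X}")
    return issues


def _normalize(name: str) -> str:
    # Drop all Unicode whitespace and ignore case so near-misses can be paired up.
    return "".join(name.split()).casefold()


def check_administrator(output: str, expected: str) -> dict:
    """Return objIds stored exactly as `expected`, plus near-misses with their defects.
    A near-miss matches only after whitespace/case normalisation: the 'space before
    the name' case that makes the RBAC lookup fail although the user seems to exist."""
    rows = parse_dfm_query(output)
    exact = [r["objId"] for r in rows if r["objFullName"] == expected]
    near = [
        {"objId": r["objId"], "name": r["objFullName"],
         "issues": name_anomalies(r["objFullName"])}
        for r in rows
        if r["objFullName"] != expected
        and _normalize(r["objFullName"]) == _normalize(expected)
    ]
    return {"exact": exact, "near_misses": near}
```

Feed it the real `dfm query run` output for the SnapManager user; an empty `exact` list with populated `near_misses` points at the stored name rather than at the cross-domain trust.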
This needs a proper setup on the OCUM LDAP side, meaning registering one or multiple DC servers and configuring the LDAP options like:
[root@romuald-5 conf]# dfm ldap list
Address                                    Port   Last Use                   Last Failure
------------------------------------------ ------ -------------------------- --------------------------
ams2k3domdc1.ams2k3dom.ngslabs.netapp.com  389    2015-03-25 13:52:01.000000
[root@romuald-5 conf]#
Due to the fact that in our case both domains are independent and there is no domain on top of them, only a trust between these two would be the solution. As this is against our architecture, we need to set up a SnapVault relationship between the SnapVault primary and secondary without using DFM/Protection Manager.