Data Backup and Recovery Discussions

SME - Error Code: 0xc00414df




we have an issue with SnapManager for Exchange. If we configure the protection dataset of SnapManager for Exchange with the configuration wizard we get: "Error code: 0xc00414df Unable to create SnapManager dataset". The log says that there are some issues with the access from SME to OCM (DFM).



Creating SnapManager dataset...
SDDatasetMemberIterStart failed.
[SDAPI Error]: RBAC access check failed with the following reason.
Error Description :'DFM.DataBase.Read access denied on dataset SnapMgr_Exchange_Server for user DOMAIN2\netapp_snapmgr on Operations Manager server DFMsrv'.



We think the problem is that SME-user and OCM (DFM) are not in the same domain. SME-user is in DOMAIN2 and DFMsrv in DOMAIN1. Is there any solution for usage in different domains?




Re: SME - Error Code: 0xc00414df



try this on the DFM server's cli:

dfm user add -r GlobalFullControl DOMAIN2\netapp_snapmgr


You also need to make sure that on the SnapManager/SnapDrive server, the user you pass to SnapDrive for DFM queries has also GlobalFullControl (check with "sdcli dfm_config list").




Re: SME - Error Code: 0xc00414df


Thanx dmauro for your reply,

we did this allready, but this doesn´t work ether.

Re: SME - Error Code: 0xc00414df


could you provide the output of the command:


C:\Users\Administrator>dfm query run "SELECT objId, objFullName from objects where objName = 'DOMAIN2\netapp_snapmgr'"


it should return this:




if there is a space before the name or something strange, then the user needs to be readded.

In general, we have the following requirements for Snapmanager service user:

-In case of SME,  Member of  "Organization Management' Exchange Security group, (unless you are using RBAC with latest available SME version, where you can assign less permisisons with a role defined with specific permissions)

- In case of SMSQL, the above service needs to have sysadmin role assigned within the managed instances.

- On every server where SME/SMSQL is installed, the snapmanager service should be a member of the local administrators account

- ACL's on the lun's where databases and logs  are hosted should allow full control to the above service.

- if you configure SME/SMSQL with DFM/PM archiving, then you also need to ensure SnapDrive and SnapManager users are added to the GlobalFullControl  role.


it must work.



Re: SME - Error Code: 0xc00414df


with this query I only get:




But as you said, I have deleted and readded the user and did get:


C:\Windows\system32>dfm user add -r GlobalFullControl DOMAIN2\netapp_snapmgr
Warning: DOMAIN2\netapp_snapmgr does not exist in the administrator database(s),
so login is disabled for this administrator.
Added administrator DOMAIN2\netapp_snapmgr.
Added 1 role to administrator DOMAIN2\netapp_snapmgr.


I think the problem is that there are two different domains wich don´t know each others users. But we will not change this architecture because of security. Is there any solution?

Re: SME - Error Code: 0xc00414df


Some more information:


If I add a user without the underscore "_" for example "DOMAIN2\snapmgr" your query works:


C:\Windows\system32>dfm user add -r GlobalFullControl DOMAIN2\snapmgr
Warning: DOMAIN2\snapmgr does not exist in the administrator database(s),
so login is disabled for this administrator.
Added administrator DOMAIN2\snapmgr.
Added 1 role to administrator DOMAIN2\snapmgr.

C:\Windows\system32>dfm query run "SELECT objId, objFullName from objects where
objName = 'DOMAIN2\snapmgr'"


Are there any restrictions in name usage, because the underscore is a normal ASCII character?

Re: SME - Error Code: 0xc00414df



from your last output, I don't really see any change.

It still creates the user but then it disables it.

So, I am not sure if a trust is required between the two domain.

I have asked a colleague who is specialized in DFM and will take a look and reply.


Domenico Di Mauro.


Re: SME - Error Code: 0xc00414df


This needs to have a proper setup on the OCUM LDAP side, meaning registering one of multiple DC servers and configuring the LDAP options like:


[root@romuald-5 conf]# dfm ldap list
Address                                    Port   Last Use                   Last Failure
------------------------------------------ ------ -------------------------- --------------------------  389    2015-03-25 13:52:01.000000
[root@romuald-5 conf]#


[root@romuald-5 conf]# dfm option list|grep ldap
ldapBaseDN                                  CN=Users,DC=AMS2K3DOM,DC=NGSLABS,DC=NETAPP,DC=COM
ldapBindDN                                  CN=Administrator,CN=Users,DC=AMS2K3DOM,DC=NGSLABS,DC=NETAPP,DC=COM
ldapBindPass                                ********
ldapEnabled                                 Yes


ldapMember                            uniqueMember

ldapUGID                              CN

ldapUID                               sAMAccountName

ldapVersion                           3


The different setups/options can be found in OCUM documentation.

As you can figure it out from the above output, a signle domain setup is allowed, so if you have multiple domains, you need to setup one of the topest in the hiearchy or insure a trust.

If you have difficulties to set this up, do not hesitate to open a case with us 😉




View solution in original post

Re: SME - Error Code: 0xc00414df


Thx Rom for your reply,


due to the fact that in our case both domains are independent and there is no domain on top of them only a trust between these two will be the solution. As this is against our architecture, we need to setup a snapvault relationship between snapvault primary and secondary without using DFM/Protection Manager.

Earn Rewards for Your Review!
GPI Review Banner
All Community Forums