Network and Storage Protocols

FQDN of Disaster Recovery CIFS vserver not resolved



During failover test  to DR vserver, customer is not capable to access the DR CIFS server using FQDN, only using the short name.

Here is the setup:

Prod site : vserver SRV-NAS-04

DR site :  vserver SRV-NAS-05

Both PROD and DR vservers are registered in Active Directory and have a lif with same ip address, DR lif normally down when PROD is up

net interface show:

 (network interface show)
            Logical    Status     Network            Current       Current Is
Vserver     Interface  Admin/Oper Address/Mask       Node          Port    Home
----------- ---------- ---------- ------------------ ------------- ------- ----

            srvnas04_cifs_data up/up XXXNASNOSC1NA-NO1 a0a true

            srvnas04dr_cifs_data down/down XXXNASMACC1NA-NO1 a0b true

DR vserver SRV-NAS-05 has a netbios alias equal to the Prod vserver name SVR-NAS-04:

vserver cifs show -vserver SRV-NAS-05
                                          Vserver: SRV-NAS-05
                         CIFS Server NetBIOS Name: SRV-NAS-05
                    NetBIOS Domain/Workgroup Name: CUSTOMERNAME
                      Fully Qualified Domain Name: CUSTOMERNAME.LOCAL
                              Organizational Unit: CN=Computers
Default Site Used by LIFs Without Site Membership:
                                   Workgroup Name: -
                             Authentication Style: domain
                CIFS Server Administrative Status: up
                          CIFS Server Description: -
                          List of NetBIOS Aliases: SRV-NAS-04

When Prod vserver is running normally, users can access CIFS shares using  FQDN or short names:

\\srv-nas-04\shares         -> OK
\\srv-nas-04.customername.local\shares    -> OK

When doing DR test, we put prod lif srvnas04_cifs_data down and DR lif srvnas04dr_cifs_data up

When DR site is active, users can still access CIFS shares using short names but not via FQDN anymore

\\srv-nas-04\shares         -> OK
\\srv-nas-04.customername.local\shares    -> NOT ACCESSIBLE ANYMORE

What could be the reason why the FQDN are not resolved anymore in DR?



can you print the spn for the cname ? (run from any windows box with any permission)

setspn /q *\FQDN

setspn /q *\netbios (short name)

see as well


you likely have a kerberos delegation for the FQDN, but not the netbios. the delegation itself is good for security (keep it!) , and what yo should do is actually to flip it to the other SVM upon DR and back. but that's also what prevent the clients to fall back to NTLM (as they likely do with the netbios name) when you repoint the cname/A. 



Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK