Network and Storage Protocols

Moving a NetApp with CIFS form one domain to a new domain

bbandlamudi
17,094 Views

Hi we should migrate a NetApp with CIFS form new domain to a new domain. All the sid's and account info will be migrated using Quest tools and I can do the cifs terminate and cifs setup. My question is what happens to the CIFS share permissions? Will be permissions be retained or should I do anything else?

Thanks a lot

6 REPLIES 6

HARI_KRISHNA981
17,094 Views

Hi bbandlamudi,

Go through this thread as it has already been discussed

https://communities.netapp.com/thread/23263

https://communities.netapp.com/thread/12077

I hope it may help you.

Regards,

Hari.

BALAJI_VENKATRAMAN
17,094 Views

Hi

It should not be that complicated.

I am assuming that your filer is now joined to one Domain.If you now want to join it to another domain,here are the steps

1) Make sure the AD server of the new domain is reachable from this filer

2)Run CIFS setup

3)Fill in the questionnaire that CIFS setup gives you - making appropriate entries for the new Domain.It should also create a new object for this filer in this Domain Database

4) Delete all the existing CIFS shares  (This is to ensure that all the residual CIFS sessions get terminated and its gets flushed from the cache as well

5)Recreate all the shares once again

6)Since all the user accounts are being migrated (at the AD level),when the filer connects to the Domain to lookup for the objects and SID.these should be available(Honestly we have not done this step till now but basic windows AD knowledge and common sense tell me this)

The above steps should work fine.

Also there is no case of data migration here from your question so the AD is the most important part of the migration.

All this becomes much much simpler if there is a trust relationship between both the domains.

I would suggest to run a POC first for few test users and then plan the migration phase-by-phase.

Do let us know how it goes

Balaji

bbandlamudi
17,094 Views

Hi thanks for the reply. I have couple of questions

1) should I first do the AD migration and then do the CIFS setup on Netapp or first do Cifs set up on Netapp and then do AD migration or it doesn't matter

2) How can I do a test or a POC. I don't have a test NetApp. I have only one NeApp and it's on production. I cannot have downtime to do the CIFS setup. The only time I can have downtime is during the realigns toon from one domain to another

Yes we do have trust between both domains

Also if I follow your below procedure the share permissions will be intact right?

Thanks,

Bhargav

Sent from my iPhone

Bhargav Bandlamudi | Data Center Engineer

Presidio | www.presidio.com<http://www.presidio.com>

10 Sixth Road, Woburn, MA 01801

C: 302.276.4086 | bbandlamudi@presidio.com<mailto:bbandlamudi@presidio.com>

<http://www.presidio.com>

Follow us:

<http://www.twitter.com/presidio>

CCOLEMAN_
17,094 Views

Hey,

Here are some helpful tips

1. Capture the output from the commands below on all controllers

a.  Controller1*> cifs shares

b. Controller1*> qtree status

c. Controller1*> wcc -s domain\joe

2. You can use SnapMirror or Robocopy to migrate data and retain ACLs.

3. Ensure the NEW volumes retain the same security style (Should be "NTFS" in most instances)

4. If something goes wrong consider these solutions

a. Resetting the CIFS connection to Domain Controllers by running the "cifs resetdc" and "cifs sidcache" commands to clear CIFS SID-to-name map cache entries

b. Run the "cifs access <share> -m" command to reset the Windows machine accounts access to the share.

c. Ensure the  Name Resolution and Authentication have been determined as working successfully.

Here is a tool provided by NetApp that you can install on a Client machine and change a permission manually. http://support.netapp.com/NOW/download/tools/ssaccess/

Good luck!!

BALAJI_VENKATRAMAN
17,094 Views

Hi Bhargav,

You should definitely make sure that the AD migration happens first.All the objects,user ID,permissions etc should be replicated and available in the new AD controller database.

Since you dont have a test netapp your only and best shot would on the production device itself.

 

One question - do you still want any dependency on your old Domain Controller (i.e domain) from which you are disconnecting or you are planning to decomission or removing it?

 

We had an activity in our team wherein the objects were changed within the same DC - so in our case a CIFS TESTDC /RESETDC worked fine.

Please note that CIFS RESETDC will disconnect the connection(read it as all CIFS shares losing connectivity for some time) and then try to establish it back (provided the DC is reachable)

 

In your case - best bet I feel would be CIFS setup only -Because during the downtime - when you will momentarily drop the connection to the old DC (say for shutting it down and rediecting to new DC) - when you run CIFS setup it will query you for domain controller for new details and it would be re-run again.

SO I would say this is  disruptive .Make sure you have all the details handy and all AD objects are migrated fine - because typically only the authenticating body changes.The administrator account and password in the new domain to authenticate the user to add the filer to the domain should be handy before running "CIFS Terminate" and "CIFS SETUP"

Also all the additional checks mentioned by other contributor  "CCOLEMAN_ " are also relevant and helpful.

Note - there is no need for recreating the CIFS shares which I mentioned before.

Good Luck Let us know how the activity goes.

Balaji

BALAJI_VENKATRAMAN
17,094 Views

Hi Bhargav,

Did you activity go fine.Let us know if you followed the same steps?

Balaji

Public