ONTAP Discussions

AD pass-through for SVM

a_jasewicz
4,834 Views

We are in the beginning stages of converting from VMware to Hyper-v. Reading the Best practices I need to join my data LIF's to AD. At issue is the current Storage vlan is an isolated network with no routing because and only hosts NFS and iSCSI traffic. We are planning to use SMB for Hyper-v. I have configured AD pass-through in this cluster and it is working to my nodes. There is no AD, DNS or layer 3 on the storage vlan (VMware and NFS does not have this requirement) Is there a way to create a pass-through for AD to my SVM or do I need to put a Domain Controller on this network? cDOT 8.3.1

1 ACCEPTED SOLUTION

aborzenkov
4,777 Views

I'm confused. This document says exactly the same - create separate LIF(s) for data and management. So where is your problem? Sorry, I really do not understand.

View solution in original post

6 REPLIES 6

aborzenkov
4,811 Views
No, pass-through works only for administrative access to cluster. Just add another LIFs to SVM that are able to contact domain controller. You can also restrict data protocols through these LIFs if this is security concern.

a_jasewicz
4,796 Views

Thank you for the reply, it confirms what I have come to understand about the pass-through, but been unable to find in print. I like the thought of adding another LIF to join AD; which I do for other SVM's, however cDOT Hyper-v documentation specifically stats that the DATA LIFs be set up as the CIFS server and the name has to be different than the SVM name. My understanding is that AD can only have one SID per system/machine. Since this is two data ports from the same SVM if I join the AD domain using the management LIF I cannot join the DOMAIN a second time from the DATA LIF correct? At this point we are looking into this: multi-homing one of the secondary DNS/domain controllers.

Your Thoughts.

aborzenkov
4,790 Views

cDOT Hyper-v documentation specifically stats that the DATA LIFs be set up as the CIFS server and the name has to be different than the SVM name

Can you provide link to documentation?

 


Since this is two data ports from the same SVM if I join the AD domain using the management LIF I cannot join the DOMAIN a second time from the DATA LIF correct?

You do not join LIF, you join SVM. Let's wait until you show documentation you mentioned.

a_jasewicz
4,784 Views

Sure thing, I should have lead with that.

https://kb.netapp.com/support/index?page=content&id=1015099

(KB Doc ID 1015099 Version: 7.0 Published date: 02/25/2016)

aborzenkov
4,778 Views

I'm confused. This document says exactly the same - create separate LIF(s) for data and management. So where is your problem? Sorry, I really do not understand.

a_jasewicz
4,764 Views

Sorry for the long delay and I appreciate the quick response, I was busy configuring.  I think I am all set.  I did use the management port to join CIFS.  When I read the doc and the Microsoft consultant read doc and the VMware admin read the doc we all thought that the DATA LIF had to be be joined to AD.  I used the managment LIF to join AD.   I do not know if it is a issue , using the management LIF, but that is what I did. 

 

Again thank you for your time and help.

Public