ONTAP Discussions
We are trying to connect Data Ontap 9.3P2 (FAS9000) to AD Domain Controller.
We are getting below error. Could you please help.
ECC_MCC_2::> vserver cifs create -vserver ecc_vs1 -cifs-server eccnas7 -domain aaa.com
In order to create an Active Directory machine account for the CIFS server,
you must supply the name and password of a Windows account with sufficient
privileges to add computers to the "CN=Computers" container within the
"AAA.COM" domain.
Enter the user name: bukedj0a
Enter the password:
Warning: An account by this name already exists in Active Directory at
CN=ECCNAS7,OU=NON Windows Systems,OU=EXPEC,OU=Migration
Production,DC=aaa,DC=com.
If there is an existing DNS entry for the name ECCNAS7, it must be
removed. Data ONTAP cannot remove such an entry.
Use an external tool to remove it after this command completes.
Ok to reuse this account? {y|n}: y
Error: Machine account creation procedure failed
[ 500] Loaded the preliminary configuration.
[ 503] Successfully connected to ip 10.4.94.180, port 88 using
TCP
[ 514] Successfully connected to ip 10.4.94.180, port 389 using
TCP
[ 520] Account 'ECCNAS7' already exists in the 'AAA.COM'
domain
**[ 521] FAILURE: Could not rename existing account
** 'CN=ECCNAS7,OU=NON Windows Systems,OU=EXPEC,OU=Migration
** Production,DC=aaa,DC=com' to
** 'cn=ECCNAS7,cn=computers,dc=aaa,dc=com': Insufficient
** access
Error: command failed: Failed to create the Active Directory machine account
"ECCNAS7". Reason: LDAP Error: The user has insufficient access rights.
ECC_MCC_2::>
3/19/2018 14:33:41 cdcnas7 DEBUG secd.unexpectedFailure: vserver (cdc_vs1) Unexpected failure. Error: Machine account creation procedure failed
[ 470] Loaded the preliminary configuration.
[ 475] Successfully connected to ip 10.4.94.180, port 88 using TCP
[ 487] Successfully connected to ip 10.4.94.180, port 389 using TCP
[ 492] Account 'CDCNAS7' already exists in the 'AAA.COM' domain
**[ 492] FAILURE: Could not rename existing account 'CN=cdcnas7,OU=NON Windows Systems,OU=EXPEC,OU=Migration Production,DC=aaa,DC=com' to 'cn=CDCNAS7,cn=computers,dc=aaa,dc=com': Insufficient access
We tried deleting the object from the Domain Controller first and tried again, but we are still getting almost the same error. Interestingly, we tried with multiple users who have full permission on that OU and can create OUs and machine accounts on the Domain Controller, but couldn't join.
Could someone please help..
Thanks in advance.
Arsalan
Hi,
It looks like the account you are using to add the vserver to the domain doesn't have rights to modify the account in AD.
Please check with the AD team and try with a different user; also try giving the user name like <User_name>@<domain_name>
Also cross check the secd logs.
Hi Abhishar,
Thanks for the reply but I tried with multiple users of different groups. All the users have Full Control on that particular OU. They can create new OU and delete OUs without a problem manually.
Tried it again after deleting the OU but results are same.
No Luck so far.
Is someone able to fix this issue? If so, could you please help me, because I am facing the same error in my environment.
Bit urgent.
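Added example, not part of any post in this thread: a small Python parser for the secd trace quoted in the question. It rejoins the console-wrapped lines, pulls out the failed rename, and reports the source and destination containers. The function names (unwrap, parent_dn, diagnose) are hypothetical and the sample trace is constructed from the output shown above.

```python
import re

# Constructed sample: the secd trace from the question, wrapped as the console printed it.
SAMPLE_TRACE = """\
[ 500] Loaded the preliminary configuration.
[ 503] Successfully connected to ip 10.4.94.180, port 88 using
TCP
[ 514] Successfully connected to ip 10.4.94.180, port 389 using
TCP
[ 520] Account 'ECCNAS7' already exists in the 'AAA.COM'
domain
**[ 521] FAILURE: Could not rename existing account
** 'CN=ECCNAS7,OU=NON Windows Systems,OU=EXPEC,OU=Migration
** Production,DC=aaa,DC=com' to
** 'cn=ECCNAS7,cn=computers,dc=aaa,dc=com': Insufficient
** access
"""

STEP = re.compile(r"^(\*\*)?\[\s*(\d+)\]\s*(.*)$")
RENAME = re.compile(r"Could not rename existing account '(.+?)' to '(.+?)': (.+)$")

def unwrap(trace):
    """Join wrapped continuation lines back onto their '[ nnn]' step."""
    steps = []
    for raw in trace.splitlines():
        line = raw.strip()
        m = STEP.match(line)
        if m:
            steps.append([int(m.group(2)), bool(m.group(1)), m.group(3).strip()])
        elif steps and line:
            steps[-1][2] += " " + line.lstrip("*").strip()
    return steps

def parent_dn(dn):
    """Parent container of a DN: drop the first RDN, honouring escaped commas."""
    parts = re.split(r"(?<!\\),", dn)
    return ",".join(p.strip() for p in parts[1:]).lower()

def diagnose(trace):
    """Return details of the first failed rename step, or None if there is none."""
    for step, failed, text in unwrap(trace):
        m = RENAME.search(text)
        if failed and m:
            src, dst, reason = m.groups()
            return {"step": step, "reason": reason,
                    "from_container": parent_dn(src),
                    "to_container": parent_dn(dst),
                    "is_move": parent_dn(src) != parent_dn(dst)}
    return None
```

On the sample, `diagnose` reports a move from the "NON Windows Systems" OU into cn=computers,dc=aaa,dc=com. In Active Directory a move between containers is checked against the destination container as well as the source object, so both ends are worth reviewing with the AD team.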