Solved: DNS server is returning ldap errors

harshitmarwah · ‎2019-12-12

Hi All,

I'm getting strange errors from DNS server

NTAP-clstr::> event log show -message-name secd.*
Time Node Severity Event
------------------- ---------------- ------------- ---------------------------
12/12/2019 08:55:23 nodeA ERROR secd.dns.server.timed.out: DNS server 64.181.180.21 did not respond to vserver = PRDCORP within timeout interval.
12/12/2019 08:55:21 nodeA EMERGENCY secd.ldap.noServers: None of the LDAP servers configured for Vserver (PRDCORP) are currently accessible via the network.
12/12/2019 08:24:01 nodeC ERROR secd.dns.server.timed.out: DNS server 64.181.180.21 did not respond to vserver = PRDCORP within timeout interval.
12/12/2019 08:23:59 nodeC EMERGENCY secd.ldap.noServers: None of the LDAP servers configured for Vserver (PRDSCORP) are currently accessible via the network.

Upon checking i found the ip address 64.181.180.21 corresponds to one of NTP servers configured on cluster.

NTAP-clstr::> ntp server show
(cluster time-service ntp server show)
Server Version
------------------------------ -------
xx.xxx.xx.xxx auto
xxx.xxx.xx.xxx auto
64.181.180.21 auto

Can removing the server from ntp confirguration would stop these alert ?

Or Am i looking at wrong place?How to stop these alert from triggering?

Looking for some expert advice!!

donny_lang · ‎2019-12-12

I do not think removing the NTP configuration will solve your problem. The errors mean that ONTAP is having trouble contacting the LDAP server configured for the PRDCORP vserver. Here is a useful KB that will walk through some troubleshooting steps that can help narrow down the issue:

https://kb.netapp.com/app/answers/answer_view/a_id/1029829/~/how-to-troubleshoot-ldap-issues-in-clustered-data-ontap-

ANDRESCHMITZ · ‎2019-12-12

You should also check if you have a time difference between your cluster and your AD greater than 5 Minutes. If your Cluster time is more than 5 minutes behind your AD time the Kerberos ticket is expired.

harshitmarwah · ‎2019-12-17

Hi Donny , I checked the article earlier but as per pt.1 I verfied the the ladp is not being used as name service. As its not configured as a source in the nsswitch configuration.

Hi Andre, Yea i checked that my Netapp cluster is configured with MST timezone while AD server lives in CST. And also one more strange thing i noticed on Cluster. Today logged in System Manger GUI under settings i went to Data and Time option but its not loading and screen showing "Loading information" from past 2hrs.

S-Sahu · ‎2020-07-06

It is saying do not have permission to access the link,

You do not have permission to view this page. @donny_lang

Ontapforrum · ‎2020-07-06

As others have also mentioned : The time difference (clock skew) between the cluster and the domain controller must not be more than five minutes. Just googling, it appears Central Time is 1 hour ahead of Mountain Time.

Does the 'status' say 'OK' ?:
::> vserver cifs domain discovered-servers show

1) Just RDP to one of your "DC server" and check time there.

2) Login to cluster: check the date & time/timezone?
::> date
Node Date Time zone
--------- ------------------------ -------------------------

3) Enter the following command to change it to whatever timezone is "on the DC".

timezone -
-timezone -version
BRDRSANCL1::> timezone -timezone
Africa/ America/ Antarctica/ Arctic/ Asia/ Atlantic/
Australia/ Brazil/ CET CST6CDT Canada/ Chile/
Cuba EET EST EST5EDT Egypt Eire
Etc/ Europe/ Factory GB GB-Eire GMT
GMT+0 GMT-0 GMT0 Greenwich HST Hongkong
Iceland Indian/ Iran Israel Jamaica Japan
Kwajalein Libya MET MST MST7MDT Mexico/
NZ NZ-CHAT Navajo PRC PST8PDT Pacific/
Poland Portugal ROC ROK Singapore Turkey
UCT US/ UTC Universal W-SU WET
Zulu

4) check the date/time timezone again and ensure it is in sync with DC, with 5 mint difference.
::> date

5) If not manually set the date/time:
::> date YYYYMMDDHHMM

Once the time are in sync, wait for sometime, it will be sorted. Else, you can re-set it.
https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.cdot-famg-cifs%2FGUID-CAED5556-D751-4BCA-BF39-EFDEEBC1312A.html

Thanks!