ONTAP Discussions

dns check produces 2 different experiences, but same DNS servers

borkp
2,842 Views

IHAC running ONTAP 9.6p3.  They're complaining of CIFS performance, and managing the SVM (adding domain users into local groups, etc) timeout, and users have problems accessing shares.  I verified that the time is in sync with the DCs, and the SVM can ping the domain name.

When I performed a dns check, I have 2 different experiences.  The DNS server is also a domain controller - 192.168.1x.xx5
That DC hosts 2 different domains:

bad.domain.com (this is the customer's AD domain)

good.domain.com (this looks like an administrative domain that was created in AD)

On the prod SVM (as well as a test SVM), I configured DNS (name servers are a comma-separated list, no space):
::> vserver services dns create -vserver svm1 -domains bad.domain.com -name-servers 192.168.1x.xx5,100.100.x.xx1

When I check the domain, the test sometimes times out, or responds VERY slowly:

ntap01::*> vserver services dns check -vserver svm1 -instance

Vserver: svm1
Name Server: 192.168.1x.xx5
Name Server Status: up
Status Details: Response time (msec): 3623

Vserver: svm1
Name Server: 100.100.x.xx1
Name Server Status: up
Status Details: Response time (msec): 2743
2 entries were displayed.

But when I change the domain (not the CIFS domain, but the domain that the SVM has configured in its DNS settings), the response is adequate:

::> vserver services dns modify -vserver svm1 -domains good.domain.com

ntap01::*> vserver services dns check -vserver svm1 -instance

Vserver: svm1
Name Server: 192.168.1x.xx5
Name Server Status: up
Status Details: Response time (msec): 15

Vserver: svm1
Name Server: 100.100.x.xx1
Name Server Status: up
Status Details: Response time (msec): 13
2 entries were displayed.

Both domains (good.domain.com and bad.domain.com) are zones on the same DNS server.  I can reproduce this problem with the prod SVM that is having CIFS problems.  If I create a new nfs-only SVM, I get the same issues even though the test SVM is not part of an AD domain.

The reason I'm putting stock into this test is because vserver cifs check doesn't bode well (the below output is a re-enactment, so some of the responses have been manually modified to simulate the actual response):

::> vserver cifs check -vserver svm1 -instance

Vserver: svm1
Node: ntap01-01
CIFS NetBIOS Name: SVM1
CIFS Server Status: Running
CIFS Server Site:
Domain Controller Name: bad.domain.com
Domain Controller IP Addr: 192.168.1x.xx5
Connectivity Status: down

Any ideas?  My initial thought was bad SRV records or something, but the rest of the computer accounts are OK.  There are no other NetApp instances on their AD domain.

Thanks for the help
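The two `vserver services dns check -instance` runs quoted above differ only in the DNS domain configured on the SVM, and the useful signal is the per-server response time under each. The script below is an added example, not ONTAP code and not something posted in the thread: it parses that `-instance` output into records, flags servers that are down, report no timing, or exceed a latency threshold, and compares the same name server across runs. The sample text is the thread's own output; the run labels keyed by search domain, the 1000 ms threshold and the additional "down" record are my own constructed assumptions.

```python
"""Parse ONTAP `vserver services dns check -instance` output and flag slow name servers."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the two runs quoted in the thread, keyed by the DNS
# search domain the SVM had configured at the time. The key is our label; the
# CLI output itself does not carry it.
DNS_CHECK_RUNS: Dict[str, str] = {
    "bad.domain.com": """
Vserver: svm1
Name Server: 192.168.1x.xx5
Name Server Status: up
Status Details: Response time (msec): 3623

Vserver: svm1
Name Server: 100.100.x.xx1
Name Server Status: up
Status Details: Response time (msec): 2743
2 entries were displayed.
""",
    "good.domain.com": """
Vserver: svm1
Name Server: 192.168.1x.xx5
Name Server Status: up
Status Details: Response time (msec): 15

Vserver: svm1
Name Server: 100.100.x.xx1
Name Server Status: up
Status Details: Response time (msec): 13
2 entries were displayed.
""",
}

# Constructed record (not from the thread) for a server the check could not reach,
# to show that a missing response time does not break parsing.
DOWN_SAMPLE = """
Vserver: svm1
Name Server: 10.0.0.53
Name Server Status: down
Status Details: Could not connect
1 entry was displayed.
"""


@dataclass
class NameServerResult:
    vserver: str
    server: str
    status: str
    response_ms: Optional[int]  # None when the record carries no response time


_RESPONSE_RE = re.compile(r"Response time \(msec\):\s*(\d+)")
_FOOTER_RE = re.compile(r"^\d+ entr(y|ies) (was|were) displayed\.$")


def parse_dns_check(text: str) -> List[NameServerResult]:
    """Split -instance output into records; a blank line or the footer ends a record."""
    results: List[NameServerResult] = []
    fields: Dict[str, str] = {}

    def flush() -> None:
        if "Name Server" in fields:
            match = _RESPONSE_RE.search(fields.get("Status Details", ""))
            results.append(NameServerResult(
                vserver=fields.get("Vserver", ""),
                server=fields["Name Server"],
                status=fields.get("Name Server Status", "unknown"),
                response_ms=int(match.group(1)) if match else None,
            ))
        fields.clear()

    for raw in text.splitlines():
        line = raw.strip()
        if not line or _FOOTER_RE.match(line):
            flush()
            continue
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    flush()
    return results


def slow_or_down(results: List[NameServerResult], threshold_ms: int = 1000) -> List[str]:
    """Name servers that are not up, gave no timing, or answered slower than threshold."""
    return [r.server for r in results
            if r.status != "up" or r.response_ms is None or r.response_ms > threshold_ms]


def compare_by_domain(runs: Dict[str, str], threshold_ms: int = 1000) -> Dict[str, dict]:
    """Per name server: response time under each run label, and the labels it was slow under."""
    times: Dict[str, Dict[str, Optional[int]]] = {}
    for label, text in runs.items():
        for r in parse_dns_check(text):
            times.setdefault(r.server, {})[label] = r.response_ms
    report = {}
    for server, by_label in times.items():
        slow = sorted(lbl for lbl, ms in by_label.items() if ms is None or ms > threshold_ms)
        if not slow:
            verdict = "ok under every configured domain"
        elif len(slow) == len(by_label):
            verdict = "slow under every configured domain: suspect the server or the network path"
        else:
            verdict = "slow only under " + ", ".join(slow) + ": compare those zones and take a packet trace"
        report[server] = {"times_ms": by_label, "slow_under": slow, "verdict": verdict}
    return report


if __name__ == "__main__":
    for server, info in compare_by_domain(DNS_CHECK_RUNS).items():
        print(server, info["times_ms"], "->", info["verdict"])
    print("down sample flagged:", slow_or_down(parse_dns_check(DOWN_SAMPLE)))
```

Paste the real `-instance` output into the dictionary under whatever label distinguishes the runs (search domain, SVM, time of day) and the report shows at a glance whether a server is slow everywhere or only under one configuration, which is the distinction the thread turns on.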

4 REPLIES

mario_grunert
2,805 Views

What do the ServicePrincipalNames of the SVMs look like? It is hard to understand whether these are just DNS zones and where the SVM belongs to, what the Kerberos realm is, etc. You could define 2 broadcast domains with their domain name, so the LIF there would only "handle" one domain if there are 2 KRB realms too.

borkp
2,789 Views

@mario_grunert Thanks for the reply.  Kerberos is not configured.  The SPN of the CIFS SVM account should be default, but the nfs-only SVM wouldn’t have one as it is not configured for Kerberos or AD.

The only difference is the DNS domain configured via vserver services dns create/modify.

It’s so odd as both zones are hosted on the same DNS/AD server, and that server is on the same subnet as the SVM’s LIF. 

To rule out the actual DNS server being a problem, I modified the list of configured DNS servers on the SVM to just one, and reproduced the results. I did this with 3 different DNS servers. 

parisi
2,763 Views

Probably worth getting a packet trace during each ping to see what is going on behind the scenes.

DNS check is a very basic command that just does standard A/AAAA queries, so this is likely either a network issue or you have duplicate records out there. A trace will tell you more.

Mjizzini
2,631 Views

The SVM will need DNS to connect to the DC. After establishing the connection, it stays open for a long time.

You can even try to add a preferred DC to the SVM to minimize DNS interactions.

I would recommend checking the network or the DC connections.
