hi
Your current AD and DNS connectivity:
- The current routing causes all the outgoing traffic from the NAS SVM on node "ntap_cluster_krt-01" to go via interface "svm_krt_nas_ad", and it can go via "svm_krt_nas_154".
  All the other nodes cannot access the AD and DNS at the moment.
- I suspect that node "Ntap9000-KRT-01" managed to initiate AD connectivity when LIF "svm_krt_dmz_lif3" was at home and up. Currently it's on a port and node that are not allowing it to be up. Maybe that's how you started to notice that something is funny, and if you revert it to home it will all start to "work" again. You can use the interface revert command if you'd like to try and fix it, but I can't take responsibility for this. Do it at your own risk.
For the actual config:
In a nutshell, you would need to rebuild everything around the network config (mainly to add stuff, but you may gain something from removing some as well).
The reason is that your current routing is very dependent on fastpath, a feature that is discontinued: https://whyistheinternetbroken.wordpress.com/2018/02/16/ipfastpath-ontap92/
I've started to look at each of your current use cases and routes, but they are just wrong, a workaround on top of a workaround... with effectively only one currently valid (and another one if you sort out #2 above).
So let me put some end goals for when you re-design it:
- All nodes hosting LIFs that are used to access CIFS or other protocols that need NTP/DNS would need to have connectivity to AD, e.g. add more dedicated LIFs for AD, or just start using the NAS LIFs for it to keep it scalable.
- The AD sites and subnets need to be amended to include the filer subnet, or a preferred DC needs to be set via the "vserver cifs domain preferred-dc" command.
- The routing needs to be rebuilt in a way that allows communication back without a dependency on fast-path. The way I see it, you would likely end up with:
  - A static route, or multiple ones, for the 192.168.0.0/16 range
  - If adding new AD LIFs, static routes for the DNS and AD on 10.200.120.0/24 + 10.210.154.0/24 (with setting these as preferred DCs)
  - A default route for the NAS LIFs to 10.210.224.1
  I don't have real visibility of the network, and some engagement with the network admins in the organization will be required. You would need to fully understand the client connectivity with them and make sure you route everything optimally.
- All LIF failover groups need to be set correctly via a group or broadcast domains, so you don't end up with a LIF migrated to a port it can't live on.
Gidi
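The end goals in the reply above, written out as ONTAP clustershell commands. This is an added example, not part of Gidi's reply or the original poster's config: the SVM name, AD domain, DC addresses, the gateways for the 192.168.0.0/16 and AD routes, the failover-group targets and the group name are placeholders, since the thread does not give them; the subnets, the 10.210.224.1 gateway and the LIF names come from the thread.

```ontap
# Added example (not from the thread). Placeholders: <nas_svm>, <ad_domain>,
# <gw_192>, <gw_ad>, <dc_ip_*>, <node>:<port>. Everything else is from the reply.

# 1. See which LIFs are away from home and down (the "svm_krt_dmz_lif3" symptom).
network interface show -vserver <nas_svm> -fields home-node,curr-node,curr-port,is-home,status-oper
# Only if you accept the risk noted in the reply: send the DMZ LIF back to its home port.
network interface revert -vserver <nas_svm> -lif svm_krt_dmz_lif3

# 2. Routing that does not depend on fastpath. Routes belong to the SVM; a LIF
#    only uses a route whose gateway sits on that LIF's own subnet, so every
#    node's LIF must have a route with a reachable gateway.
network route create -vserver <nas_svm> -destination 0.0.0.0/0       -gateway 10.210.224.1
network route create -vserver <nas_svm> -destination 192.168.0.0/16  -gateway <gw_192>
# Only if dedicated AD LIFs are added: routes towards the AD/DNS subnets.
network route create -vserver <nas_svm> -destination 10.200.120.0/24 -gateway <gw_ad>
network route create -vserver <nas_svm> -destination 10.210.154.0/24 -gateway <gw_ad>
network route show -vserver <nas_svm>

# 3. Pin the DCs on those subnets instead of relying on AD sites and subnets
#    that do not include the filer subnet.
vserver cifs domain preferred-dc add -vserver <nas_svm> -domain <ad_domain> -preferred-dc <dc_ip_10.200.120>,<dc_ip_10.210.154>
vserver cifs domain discovered-servers show -vserver <nas_svm>

# 4. Failover groups: list only ports the LIF can actually live on, so a
#    failover never lands it on a port where it cannot come up.
network interface failover-groups create -vserver <nas_svm> -failover-group fg_nas -targets <node-a>:<port>,<node-b>:<port>
network interface modify -vserver <nas_svm> -lif svm_krt_nas_ad -failover-group fg_nas -failover-policy broadcast-domain-wide

# 5. Confirm name resolution works from the SVM after the routing change.
vserver services name-service dns check -vserver <nas_svm>
```

Run the `show` and `check` commands first to record the current state, and repeat them after each step so a regression can be tied to one change.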