The vserver active-directory create command creates an Active Directory account for a Vserver; the vserver active-directory show command does not list which Active Directory you are connected to, but it lists the account that you have created for that specific vserver in your AD.
Check the link below for more information regarding the active-directory command:
Did you create an account using the vserver active-directory create?
An account previously available in AD is not part of the result that the command you are issuing, "vserver active-directory show -vserver <vservername>", would list; it lists what you created from the NetApp side for that vserver.
My understanding is that if the CIFS SVM was joined to an AD domain with the 'vserver cifs create' command, you won't see anything with the 'vserver active-directory' command. Or, to put it another way, they are mutually exclusive.
Just reiterating... basically, the "vserver active-directory show" command only shows the 'computer account name' that you have created from the storage side voluntarily.
I have a brand new SVM with nothing configured (protocol-wise) but just one data LIF. Now, if I want, I can create a computer account in the Active Directory for this VSERVER.
I will run: ::> vserver active-directory create 'cmd'. Once this is created, I can verify the 'computer account name' in the Active Directory under OU=computers.
On the storage side: If I run this command, it will show up:
::> vserver active-directory show 'cmd'. It will show the one I created just above.
However, if instead of running the active-directory create 'cmd' I had set up the CIFS server for this vserver, it would also create a 'computer account' under 'OU=computers' in Active Directory by authenticating with the domain you provided during cifs setup. However, when the account is created using 'CIFS setup', it will NOT show up using the "active-directory show" 'cmd'.
Similarly, once I have set up the CIFS server, I cannot use the 'active-directory create' command, because having both a CIFS server and an Active Directory account for the same Vserver is not supported. You will have to first delete the CIFS account in order to use that 'active-directory create' command.
I am guessing, if CIFS is already set up for your vserver, then there should be a 'computer account' created for this CIFS_VSERVER in Active Directory under OU=computers, and nothing should show up on the storage side when you run the 'active-directory show' cmd.
You addressed my question. Thanks a lot for the bottom-up explanations. Now, I have a few follow-ups:
1. 'cifs setup' seems obsolete; now the only way to have the vserver joined to an AD domain is to use, for instance, the "vserver active-directory create" 'cmd'. Right?
2. If I wanted to migrate the AD domain for this vserver to a different AD domain, then I can use "vserver active-directory modify -domain new_ad.com". After that, the "old_ad" domain should be replaced. Now, all permissions associated with old_domain would no longer work at the filer and NTFS level. I will have to manually change them to match the new SIDs / new permissions. Then there will be downtime. Correct?
3. Once the AD domain has been replaced, those NTFS permissions on CIFS shares will have to be changed at the Windows level, not at the filer level. Correct?
Hopefully, I can continue to hear your input. Thanks!
The following example modifies the 'Active Directory domain' and OU for the CIFS server associated with Vserver "vs1". The administrative status of the CIFS server must be set to "down" to proceed with Active Directory domain modification. If the command completes successfully, the administrative status is automatically set to "up".
cluster1::> vserver cifs modify -vserver vs1 -domain example.com -ou ou=example_ou -cifs-server example -status-admin down
vserver active-directory: Creates a link between ONTAP and Active Directory for SVM or ONTAP management only. No data access is available via SMB when you create an Active Directory machine account with this method. Use cases: for AD users to manage ONTAP via ssh/http, and for AD users to manage block-based (iSCSI, FC) SVMs. No CIFS license is required for this access.
cifs server create: Creates a link between ONTAP and Active Directory to create SMB shares for clients to access data. This does require a CIFS license. This can also cover the previous use cases of management access.
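To make the two paths discussed in this thread concrete, here is a constructed ONTAP clustershell session (added as an example; it is not from any post above, and the SVM name vs1, the account names VS1-MGMT and VS1, the domain example.com and the cluster name cluster1 are all made-up placeholders). It walks through the management-only machine account, then the CIFS-server path, and the check that tells you which one an SVM is using. The "#" lines are explanatory notes, not clustershell syntax.

```console
# Path 1: management-only machine account (no SMB data access, no CIFS license).
# The AD account is created by ONTAP and is therefore visible to "active-directory show".
cluster1::> vserver active-directory create -vserver vs1 -account-name VS1-MGMT -domain example.com
cluster1::> vserver active-directory show -vserver vs1
# Expected: one entry for vs1 showing account VS1-MGMT in domain example.com.

# Remove it again before trying path 2, since the two are mutually exclusive for one SVM.
cluster1::> vserver active-directory delete -vserver vs1

# Path 2: CIFS server (SMB data access, CIFS license required).
# The machine account is created during the domain join, but it belongs to the CIFS server object.
cluster1::> vserver cifs create -vserver vs1 -cifs-server VS1 -domain example.com
cluster1::> vserver cifs show -vserver vs1
# Expected: the CIFS server VS1 joined to example.com with status-admin "up".
cluster1::> vserver active-directory show -vserver vs1
# Expected: no entries for vs1. The machine account exists in AD, but it was not
# created with "active-directory create", so this command does not list it.

# Check which path an unfamiliar SVM is on: run both show commands.
# A CIFS server present and no active-directory entry means path 2;
# an active-directory entry and no CIFS server means path 1.
# Attempting "vserver active-directory create" on vs1 while the CIFS server exists is
# rejected; the CIFS server would have to be deleted first (vserver cifs delete -vserver vs1).
```

The domain change from the earlier post follows the same rule: because the CIFS server owns the join, it is modified with "vserver cifs modify -domain ... -status-admin down", and the SID-based NTFS ACLs on the data have to be reapplied from the Windows side afterwards.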