ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Start a New Post

"vserver active-directory" shows me nothing

netappmagic
‎2020-06-09 11:14 AM

9.6p7 here.

 

If there is no active-directory configured in any vservers as nothing I can get by running "vserver active-directory shwo", how can CIFS shares work with AD Domain?

If I run "cifs domain discovered-servers show", it results a list of DC servers.

 

I probably miss some knowledge about how AD should be configured with the cluster or vserver. If somebody can help me out. 

0 Kudos
1 ACCEPTED SOLUTION

Mjizzini
Community Manager
‎2020-06-11 10:44 PM

Cluster Data Ontap can have hundreds of vservers. Each vserver can server CIFS, SAN, NFS...

Vserver active-directory command is related to managing the vserver itself.

 

To be able to server data through CIFS, you should create a CIFS vserver using "vserver cifs create".  (Start CIFS services). 

You manage cifs vserver with         "::> vserver cifs ......." commands.

 

Manage the CIFS configuration of a Vserver

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-960/TOC__vserver__cifs.html

 

View solution in original post

0 Kudos
16 REPLIES 16

chris_hurley
NetApp
‎2020-06-23 12:06 PM

Just to clarify:

 

 

vserver active-directory:     Creates a link between ONTAP and Active Directory for SVM or ONTAP management only.   No data access is available via SMB when you create an active-directory machine account with this method.   Use cases:   For AD users to manage ONTAP via ssh/http, for AD users to manage block-based (iSCSI, FC) SVMs.    No CIFS license is required for this access.

 

cifs server create:   Creates a link between ONTAP and Active directory to create SMB shares for clients to access data.  This does require a CIFS license.   This can also cover the previous use cases of management access.

0 Kudos

Ontapforrum
‎2020-06-12 05:45 AM

Hi,

 

Just reiterating...basically, "vserver active-directory show" commands only shows the 'computer account name' that you have created from the storage side voluntarily.

 

For example:

I have a brand new SVM with nothing configured (Protocol wise) but just one data LIF.
Now, if I want I can create a computer account in the Active Directory for this VSERVER

 

I will run:
::> vserver active-directory create 'cmd'
Once this is created, I can verify the 'computer account name' in the Active Directory OU=computers.

 

On the storage side: If I run this command, it will show up:

::> vserver active-directory show 'cmd'
It will show the one I created just above.

 

However, if instead of running the active-directory create 'cmd',  had I setup the CIFS server for this vserver, it would also create a 'computer account under 'OU=computers' in Active-Directory by authenticating with Domain you provided during cifs setup. However, when account is created using 'CIFS setup', it wil NOT show-up using "active-directory show" 'cmd'


Similarly, once I have setup CIFS server, I cannot use the command 'active-directory create' command, b'cos having both a CIFS server and an Active Directory account for the same Vserver is not supported. You will have to first delete the CIFS account in order to use that 'active-directory create command.

 

I am guessing, if the CIFS is already setup for your vserver, then there should be 'computer account' created for this CIFS_VSERVER in Active Directory under OU=computers, and nothing should show up on storage side when you run 'active directory show ' cmd.

 

Thanks!

0 Kudos

netappmagic
‎2020-06-12 06:43 AM
In response to Ontapforrum

@Ontapforrum 

You addressed my question. Thanks a lot for the bottom-up explanations. Now, I have a few follow-ups:


1. 'cifs setup" seems obsoleted, now the only way to have the vserver joined into AD domain is to use for instance "vserver active-directory create 'cmd'". Right?

 

2. If I wanted to migrate AD domain for this vserver to a different AD domain, then I can use "vserver active-directory modify -domain "new_ad.com". After that, the "old_ad" domain should be replaced.  Now, all permissions associated with old_domain would no longer work on the filer and NTFS level. I will have to manually change them to match new SID / new permissions. Then there will be down time. Correct?

 

3. Once AD domain got replaced, those NTFS permissions on CIFS shares will have to be changed on Window level, not on the filer level. Correct?

 

Hopefully,  I can continually hear your inputs.  Thanks!

0 Kudos

Mjizzini
Community Manager
‎2020-06-15 07:38 PM
In response to netappmagic

.  "vserver cifs create"  command will be the one used to have the vserver joined into AD domain.

.  Since the dc connection has to be reinitialized, migrating the domain will have a down time.

. The NTFS permissions on CIFS shares will have to be changed from the client side.

0 Kudos

netappmagic
‎2020-06-16 11:55 AM
In response to Mjizzini

@Mjizzini 

 

Thanks for your messages!

 

To replace currently AD Domain, why do I have to use  "vserver cifs create" , not  "vserver cifs modify"?

Also, what should I do to keep the original cifs permission on the filer intact?

 

Please explain to me in details.

0 Kudos

Ontapforrum
‎2020-06-16 12:53 PM
In response to netappmagic

Yes, you can use 'modify' command.

 

The following example modifies the 'Active Directory domain' and ou for the CIFS server associated with Vserver "vs1". The administrative status of the CIFS server must be set to "down" to proceed with Active Directory domain modification. If the command completes successfully, the administrative status is automatically set to "up".

 

cluster1::> vserver cifs modify -vserver vs1 -domain example.com -ou ou=example_ou -cifs-server example -status-admin down

 

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-960%2Fvserver__cifs__modify.html&anchor=:~:text=The%20vserver%20cifs%20m....

 

For share permissions you can re-create, based on what you got on filer side.
For ACLs, please refer to these articles: (There are more if you google)
https://www.petenetlive.com/KB/Article/0001306
https://blog.thesysadmins.co.uk/admt-series-3-sid-history.html

 

Thanks!

0 Kudos

netappmagic
‎2020-07-08 02:43 PM
In response to Ontapforrum

@Ontapforrum  Just got the chance to reply. Thanks again for your help!

 

My only question left, should this OU name be already created in the new AD domain, before I run the following command? If yes, this OU name should be created by AD Admin, correct?

cluster1::> vserver cifs modify -vserver vs1 -domain example.com -ou ou=example_ou -cifs-server example -status-admin down

 

0 Kudos

Ontapforrum
‎2020-07-08 03:05 PM
In response to netappmagic

No worries, it has become a quite a lengthy thread 🙂

 

Regarding your query: By default, it takes ' -ou CN=Computers', this is very generic and something already exists in every AD. All the computer objects are placed in the Computers container (which is technically not an OU). But, if you have an OU already created/existing you can give that OU name in the command line.

0 Kudos

Mjizzini
Community Manager
‎2020-06-11 10:44 PM

Cluster Data Ontap can have hundreds of vservers. Each vserver can server CIFS, SAN, NFS...

Vserver active-directory command is related to managing the vserver itself.

 

To be able to server data through CIFS, you should create a CIFS vserver using "vserver cifs create".  (Start CIFS services). 

You manage cifs vserver with         "::> vserver cifs ......." commands.

 

Manage the CIFS configuration of a Vserver

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-960/TOC__vserver__cifs.html

 

View solution in original post

0 Kudos

hmoubara
NetApp
‎2020-06-09 02:15 PM

Hello,

 

The vserver active-directory create command creates an Active Directory account for a Vserver; and the vserver active-directory show does not list which active directory you are connected to but it list the account that you have created for that specific vserver on your AD.

Check the link below for more information regarding the active-directory command:

 

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-960/TOC__vserver__active-directory.html

0 Kudos

netappmagic
‎2020-06-09 03:59 PM
In response to hmoubara

Why it didn't list anything? that was my question.

I got result "There are no entries matching your query.".

 

Shouldn't it list account infor on AD for that vserver as you said?

 

0 Kudos

hmoubara
NetApp
‎2020-06-09 05:45 PM
In response to netappmagic

Hello,

 

Did you create an account using the vserver active-directory create?

Account previously available on the AD is not part of the result the  command you issuing  "vserver active-directory show -vserver <vservername> " would list; it will list what you create from the NetApp side for that vserver.

 

Thanks 

0 Kudos

netappmagic
‎2020-06-10 10:28 AM
In response to hmoubara

I inherited the environment, so, didn't personally run "vserver active-directory create". 

 

If the vserver didn't have an AD account, then why we can use AD permissions on CIFS shares?

0 Kudos

Brett_Monroe
‎2020-06-11 11:58 AM
In response to netappmagic

My understanding is that if the CIFS SVM was joined to an AD domain with the  'vserver cifs create' command, you won't see anything with the 'vserver active-directory' command.  Or, to put it another way, they are mutually exclusive.

0 Kudos

netappmagic
‎2020-06-11 01:50 PM
In response to Brett_Monroe

I won't see anything? Why?

 

Based on this document as following, I should see information about AD account, this vserver joined.

 https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-960%2FTOC__vserver__active-directory.html

 

I am sorry, I didn't meant to ignore what you said, but I just don't understand. 

 

How do I know which vserver is joined to which AD Domain then?

 

0 Kudos

hmoubara
NetApp
‎2020-06-11 05:22 PM
In response to netappmagic

You should be able to run the command below:

 

Example:

cluster::>vserver cifs show -vserver test -fields domain

vserver domain
------- --------------
test NAS-DEEP.LOCAL

0 Kudos
Announcements
NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

View All
NetApp Insights to Action
I2A Banner
All Community Forums
Learn about the Community Get Started
Still have Questions Start a Discussion
Rules of the Community Read More
© 2021 NetApp
Let us know
Public