Hello,

The vserver active-directory create command creates an Active Directory account for a Vserver; and the vserver active-directory show does not list which active directory you are connected to but it list the account that you have created for that specific vserver on your AD.

Check the link below for more information regarding the active-directory command:

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-960/TOC__vserver__active-directory.html

Why it didn't list anything? that was my question.

I got result "There are no entries matching your query.".

Shouldn't it list account infor on AD for that vserver as you said?

Hello,

Did you create an account using the vserver active-directory create?

Account previously available on the AD is not part of the result the  command you issuing  "vserver active-directory show -vserver <vservername> " would list; it will list what you create from the NetApp side for that vserver.

Thanks 

I inherited the environment, so, didn't personally run "vserver active-directory create". 

If the vserver didn't have an AD account, then why we can use AD permissions on CIFS shares?

My understanding is that if the CIFS SVM was joined to an AD domain with the  'vserver cifs create' command, you won't see anything with the 'vserver active-directory' command.  Or, to put it another way, they are mutually exclusive.

I won't see anything? Why?

Based on this document as following, I should see information about AD account, this vserver joined.

 https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-960%2FTOC__vserver__active-directory.html

I am sorry, I didn't meant to ignore what you said, but I just don't understand. 

How do I know which vserver is joined to which AD Domain then?

You should be able to run the command below:

Example:

cluster::>vserver cifs show -vserver test -fields domain

vserver domain
------- --------------
test NAS-DEEP.LOCAL

Hi,

Just reiterating...basically, "vserver active-directory show" commands only shows the 'computer account name' that you have created from the storage side voluntarily.

For example:

I have a brand new SVM with nothing configured (Protocol wise) but just one data LIF.
Now, if I want I can create a computer account in the Active Directory for this VSERVER

I will run:
::> vserver active-directory create 'cmd'
Once this is created, I can verify the 'computer account name' in the Active Directory OU=computers.

On the storage side: If I run this command, it will show up:

::> vserver active-directory show 'cmd'
It will show the one I created just above.

However, if instead of running the active-directory create 'cmd',  had I setup the CIFS server for this vserver, it would also create a 'computer account under 'OU=computers' in Active-Directory by authenticating with Domain you provided during cifs setup. However, when account is created using 'CIFS setup', it wil NOT show-up using "active-directory show" 'cmd'

Similarly, once I have setup CIFS server, I cannot use the command 'active-directory create' command, b'cos having both a CIFS server and an Active Directory account for the same Vserver is not supported. You will have to first delete the CIFS account in order to use that 'active-directory create command.

I am guessing, if the CIFS is already setup for your vserver, then there should be 'computer account' created for this CIFS_VSERVER in Active Directory under OU=computers, and nothing should show up on storage side when you run 'active directory show ' cmd.

Thanks!

@Ontapforrum 

You addressed my question. Thanks a lot for the bottom-up explanations. Now, I have a few follow-ups:

1. 'cifs setup" seems obsoleted, now the only way to have the vserver joined into AD domain is to use for instance "vserver active-directory create 'cmd'". Right?

2. If I wanted to migrate AD domain for this vserver to a different AD domain, then I can use "vserver active-directory modify -domain "new_ad.com". After that, the "old_ad" domain should be replaced.  Now, all permissions associated with old_domain would no longer work on the filer and NTFS level. I will have to manually change them to match new SID / new permissions. Then there will be down time. Correct?

3. Once AD domain got replaced, those NTFS permissions on CIFS shares will have to be changed on Window level, not on the filer level. Correct?

Hopefully,  I can continually hear your inputs.  Thanks!

.  "vserver cifs create"  command will be the one used to have the vserver joined into AD domain.

.  Since the dc connection has to be reinitialized, migrating the domain will have a down time.

. The NTFS permissions on CIFS shares will have to be changed from the client side.

@Mjizzini 

Thanks for your messages!

To replace currently AD Domain, why do I have to use  "vserver cifs create" , not  "vserver cifs modify"?

Also, what should I do to keep the original cifs permission on the filer intact?

Please explain to me in details.

Yes, you can use 'modify' command.

The following example modifies the 'Active Directory domain' and ou for the CIFS server associated with Vserver "vs1". The administrative status of the CIFS server must be set to "down" to proceed with Active Directory domain modification. If the command completes successfully, the administrative status is automatically set to "up".

cluster1::> vserver cifs modify -vserver vs1 -domain example.com -ou ou=example_ou -cifs-server example -status-admin down

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-960%2Fvserver__cifs__modify.html&anchor=:~:text=The%20vserver%20cifs%20m....

For share permissions you can re-create, based on what you got on filer side.
For ACLs, please refer to these articles: (There are more if you google)
https://www.petenetlive.com/KB/Article/0001306
https://blog.thesysadmins.co.uk/admt-series-3-sid-history.html

Thanks!

Just to clarify:

vserver active-directory:     Creates a link between ONTAP and Active Directory for SVM or ONTAP management only.   No data access is available via SMB when you create an active-directory machine account with this method.   Use cases:   For AD users to manage ONTAP via ssh/http, for AD users to manage block-based (iSCSI, FC) SVMs.    No CIFS license is required for this access.

cifs server create:   Creates a link between ONTAP and Active directory to create SMB shares for clients to access data.  This does require a CIFS license.   This can also cover the previous use cases of management access.

@Ontapforrum  Just got the chance to reply. Thanks again for your help!

My only question left, should this OU name be already created in the new AD domain, before I run the following command? If yes, this OU name should be created by AD Admin, correct?

cluster1::> vserver cifs modify -vserver vs1 -domain example.com -ou ou=example_ou -cifs-server example -status-admin down