Solved: "vserver active-directory" shows me nothing

netappmagic · ‎2020-06-09

9.6p7 here.

If there is no active-directory configured in any vservers as nothing I can get by running "vserver active-directory shwo", how can CIFS shares work with AD Domain?

If I run "cifs domain discovered-servers show", it results a list of DC servers.

I probably miss some knowledge about how AD should be configured with the cluster or vserver. If somebody can help me out.

Mjizzini · ‎2020-06-11

Cluster Data Ontap can have hundreds of vservers. Each vserver can server CIFS, SAN, NFS...

Vserver active-directory command is related to managing the vserver itself.

To be able to server data through CIFS, you should create a CIFS vserver using "vserver cifs create". (Start CIFS services).

You manage cifs vserver with "::> vserver cifs ......." commands.

Manage the CIFS configuration of a Vserver

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-960/TOC__vserver__cifs.html

View solution in original post

hmoubara · ‎2020-06-09

Hello,

The vserver active-directory create command creates an Active Directory account for a Vserver; and the vserver active-directory show does not list which active directory you are connected to but it list the account that you have created for that specific vserver on your AD.

Check the link below for more information regarding the active-directory command:

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-960/TOC__vserver__active-directory.html

netappmagic · ‎2020-06-09

Why it didn't list anything? that was my question.

I got result "There are no entries matching your query.".

Shouldn't it list account infor on AD for that vserver as you said?

hmoubara · ‎2020-06-09

Hello,

Did you create an account using the vserver active-directory create?

Account previously available on the AD is not part of the result the command you issuing "vserver active-directory show -vserver <vservername> " would list; it will list what you create from the NetApp side for that vserver.

Thanks

netappmagic · ‎2020-06-10

I inherited the environment, so, didn't personally run "vserver active-directory create".

If the vserver didn't have an AD account, then why we can use AD permissions on CIFS shares?

Brett_Monroe · ‎2020-06-11

My understanding is that if the CIFS SVM was joined to an AD domain with the 'vserver cifs create' command, you won't see anything with the 'vserver active-directory' command. Or, to put it another way, they are mutually exclusive.

netappmagic · ‎2020-06-11

I won't see anything? Why?

Based on this document as following, I should see information about AD account, this vserver joined.

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-960%2FTOC__vserver__active-directory.html

I am sorry, I didn't meant to ignore what you said, but I just don't understand.

How do I know which vserver is joined to which AD Domain then?

hmoubara · ‎2020-06-11

You should be able to run the command below:

Example:

cluster::>vserver cifs show -vserver test -fields domain

vserver domain
------- --------------
test NAS-DEEP.LOCAL

Mjizzini · ‎2020-06-11

Cluster Data Ontap can have hundreds of vservers. Each vserver can server CIFS, SAN, NFS...

Vserver active-directory command is related to managing the vserver itself.

To be able to server data through CIFS, you should create a CIFS vserver using "vserver cifs create". (Start CIFS services).

You manage cifs vserver with "::> vserver cifs ......." commands.

Manage the CIFS configuration of a Vserver

https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-960/TOC__vserver__cifs.html

Ontapforrum · ‎2020-06-12

Hi,

Just reiterating...basically, "vserver active-directory show" commands only shows the 'computer account name' that you have created from the storage side voluntarily.

For example:

I have a brand new SVM with nothing configured (Protocol wise) but just one data LIF.
Now, if I want I can create a computer account in the Active Directory for this VSERVER

I will run:
::> vserver active-directory create 'cmd'
Once this is created, I can verify the 'computer account name' in the Active Directory OU=computers.

On the storage side: If I run this command, it will show up:

::> vserver active-directory show 'cmd'
It will show the one I created just above.

However, if instead of running the active-directory create 'cmd', had I setup the CIFS server for this vserver, it would also create a 'computer account under 'OU=computers' in Active-Directory by authenticating with Domain you provided during cifs setup. However, when account is created using 'CIFS setup', it wil NOT show-up using "active-directory show" 'cmd'

Similarly, once I have setup CIFS server, I cannot use the command 'active-directory create' command, b'cos having both a CIFS server and an Active Directory account for the same Vserver is not supported. You will have to first delete the CIFS account in order to use that 'active-directory create command.

I am guessing, if the CIFS is already setup for your vserver, then there should be 'computer account' created for this CIFS_VSERVER in Active Directory under OU=computers, and nothing should show up on storage side when you run 'active directory show ' cmd.

Thanks!

netappmagic · ‎2020-06-12

@Ontapforrum

You addressed my question. Thanks a lot for the bottom-up explanations. Now, I have a few follow-ups:

1. 'cifs setup" seems obsoleted, now the only way to have the vserver joined into AD domain is to use for instance "vserver active-directory create 'cmd'". Right?

2. If I wanted to migrate AD domain for this vserver to a different AD domain, then I can use "vserver active-directory modify -domain "new_ad.com". After that, the "old_ad" domain should be replaced. Now, all permissions associated with old_domain would no longer work on the filer and NTFS level. I will have to manually change them to match new SID / new permissions. Then there will be down time. Correct?

3. Once AD domain got replaced, those NTFS permissions on CIFS shares will have to be changed on Window level, not on the filer level. Correct?

Hopefully, I can continually hear your inputs. Thanks!

Mjizzini · ‎2020-06-15

. "vserver cifs create" command will be the one used to have the vserver joined into AD domain.

. Since the dc connection has to be reinitialized, migrating the domain will have a down time.

. The NTFS permissions on CIFS shares will have to be changed from the client side.

netappmagic · ‎2020-06-16

@Mjizzini

Thanks for your messages!

To replace currently AD Domain, why do I have to use "vserver cifs create" , not "vserver cifs modify"?

Also, what should I do to keep the original cifs permission on the filer intact?

Please explain to me in details.

Ontapforrum · ‎2020-06-16

Yes, you can use 'modify' command.

The following example modifies the 'Active Directory domain' and ou for the CIFS server associated with Vserver "vs1". The administrative status of the CIFS server must be set to "down" to proceed with Active Directory domain modification. If the command completes successfully, the administrative status is automatically set to "up".

cluster1::> vserver cifs modify -vserver vs1 -domain example.com -ou ou=example_ou -cifs-server example -status-admin down

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-960%2Fvserver__cifs__modify.html&anchor=:~:text=The%20vserver%20cifs%20m....

For share permissions you can re-create, based on what you got on filer side.
For ACLs, please refer to these articles: (There are more if you google)
https://www.petenetlive.com/KB/Article/0001306
https://blog.thesysadmins.co.uk/admt-series-3-sid-history.html

Thanks!

netappmagic · ‎2020-07-08

@Ontapforrum Just got the chance to reply. Thanks again for your help!

My only question left, should this OU name be already created in the new AD domain, before I run the following command? If yes, this OU name should be created by AD Admin, correct?

cluster1::> vserver cifs modify -vserver vs1 -domain example.com -ou ou=example_ou -cifs-server example -status-admin down

Ontapforrum · ‎2020-07-08

No worries, it has become a quite a lengthy thread 🙂

Regarding your query: By default, it takes ' -ou CN=Computers', this is very generic and something already exists in every AD. All the computer objects are placed in the Computers container (which is technically not an OU). But, if you have an OU already created/existing you can give that OU name in the command line.

chris_hurley · ‎2020-06-23

Just to clarify:

vserver active-directory: Creates a link between ONTAP and Active Directory for SVM or ONTAP management only. No data access is available via SMB when you create an active-directory machine account with this method. Use cases: For AD users to manage ONTAP via ssh/http, for AD users to manage block-based (iSCSI, FC) SVMs. No CIFS license is required for this access.

cifs server create: Creates a link between ONTAP and Active directory to create SMB shares for clients to access data. This does require a CIFS license. This can also cover the previous use cases of management access.