Data Backup and Recovery

SME - Error Code: 0xc00414df

KFU

Hello,

 

we have an issue with SnapManager for Exchange. If we configure the protection dataset of SnapManager for Exchange with the configuration wizard we get: "Error code: 0xc00414df Unable to create SnapManager dataset". The log says that there are some issues with the access from SME to OCM (DFM).

 

---------

Creating SnapManager dataset...
SDDatasetMemberIterStart failed.
[SDAPI Error]: RBAC access check failed with the following reason.
Error Description :'DFM.DataBase.Read access denied on dataset SnapMgr_Exchange_Server for user DOMAIN2\netapp_snapmgr on Operations Manager server DFMsrv'.

---------

 

We think the problem is that SME-user and OCM (DFM) are not in the same domain. SME-user is in DOMAIN2 and DFMsrv in DOMAIN1. Is there any solution for usage in different domains?

 

KFU

1 ACCEPTED SOLUTION

romuald

This needs to have a proper setup on the OCUM LDAP side, meaning registering one of multiple DC servers and configuring the LDAP options like:

 

[root@romuald-5 conf]# dfm ldap list
Address                                    Port   Last Use                   Last Failure
------------------------------------------ ------ -------------------------- --------------------------
ams2k3domdc1.ams2k3dom.ngslabs.netapp.com  389    2015-03-25 13:52:01.000000
[root@romuald-5 conf]#

 

[root@romuald-5 conf]# dfm option list|grep ldap
ldapBaseDN                                  CN=Users,DC=AMS2K3DOM,DC=NGSLABS,DC=NETAPP,DC=COM
ldapBindDN                                  CN=Administrator,CN=Users,DC=AMS2K3DOM,DC=NGSLABS,DC=NETAPP,DC=COM
ldapBindPass                                ********
ldapEnabled                                 Yes
ldapGID
ldapMember                                  uniqueMember
ldapUGID                                    CN
ldapUID                                     sAMAccountName
ldapVersion                                 3

 

The different setups/options can be found in OCUM documentation.

As you can figure out from the above output, a single domain setup is allowed, so if you have multiple domains, you need to set up one of the topmost in the hierarchy or ensure a trust.

If you have difficulties setting this up, do not hesitate to open a case with us 😉

 

Regards,

Rom;)
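
An added illustration of the single-domain point above (not part of romuald's post and not NetApp code): assuming the server resolves administrators with a subtree search under ldapBaseDN, as is standard for LDAP, an account is only found if its DN lies at or below that base. The option text is taken from the post; the three account DNs and the DOMAIN2 naming are constructed.

```python
# Added example (not NetApp code): which account DNs fall under a single ldapBaseDN.
# Option text is copied from the post; the account DNs below are constructed.
SAMPLE_OPTIONS = """\
ldapBaseDN    CN=Users,DC=AMS2K3DOM,DC=NGSLABS,DC=NETAPP,DC=COM
ldapEnabled   Yes
ldapGID
ldapUID       sAMAccountName
"""

ACCOUNTS = {  # constructed DNs; DC=DOMAIN2,DC=EXAMPLE is a placeholder second domain
    "same domain, CN=Users": "CN=svc_backup,CN=Users,DC=ams2k3dom,DC=ngslabs,DC=netapp,DC=com",
    "same domain, other OU": "CN=svc_sme,OU=Service Accounts,DC=AMS2K3DOM,DC=NGSLABS,DC=NETAPP,DC=COM",
    "untrusted DOMAIN2": "CN=netapp_snapmgr,CN=Users,DC=DOMAIN2,DC=EXAMPLE",
}

def parse_dfm_options(text):
    """Parse `dfm option list` style lines into {name: value}; unset options map to ''."""
    opts = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts:
            opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def split_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas inside an RDN."""
    rdns, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
    rdns.append(cur)
    return [r.strip().lower() for r in rdns]

def in_search_scope(user_dn, base_dn):
    """True if user_dn sits at or below base_dn, so a subtree search from base_dn can find it."""
    user, base = split_dn(user_dn), split_dn(base_dn)
    return len(user) >= len(base) and user[-len(base):] == base

def check_accounts(options_text=SAMPLE_OPTIONS, accounts=ACCOUNTS):
    """Map each labelled account to whether it is reachable from the configured ldapBaseDN."""
    base = parse_dfm_options(options_text)["ldapBaseDN"]
    return {label: in_search_scope(dn, base) for label, dn in accounts.items()}
```

Note that a base DN of CN=Users also excludes accounts in other OUs of the same domain, not only accounts from a second domain.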


8 REPLIES 8

dmauro

Hi KFU,

try this on the DFM server's cli:

dfm user add -r GlobalFullControl DOMAIN2\netapp_snapmgr

 

You also need to make sure that on the SnapManager/SnapDrive server, the user you pass to SnapDrive for DFM queries has also GlobalFullControl (check with "sdcli dfm_config list").

 

Cheers,

Domenico.

KFU

Thanks dmauro for your reply,

we did this already, but this doesn't work either.

dmauro

could you provide the output of the command:

 

C:\Users\Administrator>dfm query run "SELECT objId, objFullName from objects where objName = 'DOMAIN2\netapp_snapmgr'"

 

it should return this:

 

"objId","objFullName"
"3241","DOMAIN2\netapp_snapmgr"

 

If there is a space before the name or something strange, then the user needs to be re-added.

In general, we have the following requirements for the SnapManager service user:

- In case of SME, member of the "Organization Management" Exchange security group (unless you are using RBAC with the latest available SME version, where you can assign fewer permissions with a role defined with specific permissions).

- In case of SMSQL, the above service needs to have the sysadmin role assigned within the managed instances.

- On every server where SME/SMSQL is installed, the SnapManager service should be a member of the local administrators account.

- ACLs on the LUNs where databases and logs are hosted should allow full control to the above service.

- If you configure SME/SMSQL with DFM/PM archiving, then you also need to ensure SnapDrive and SnapManager users are added to the GlobalFullControl role.

 

it must work.

 

Domenico.

KFU

with this query I only get:

 

"objID","objFullName"

 

But as you said, I have deleted and re-added the user and did get:

 

C:\Windows\system32>dfm user add -r GlobalFullControl DOMAIN2\netapp_snapmgr
Warning: DOMAIN2\netapp_snapmgr does not exist in the administrator database(s),
so login is disabled for this administrator.
Added administrator DOMAIN2\netapp_snapmgr.
Added 1 role to administrator DOMAIN2\netapp_snapmgr.

 

I think the problem is that there are two different domains which don't know each other's users. But we will not change this architecture because of security. Is there any solution?

KFU

Some more information:

 

If I add a user without the underscore "_" for example "DOMAIN2\snapmgr" your query works:

 

C:\Windows\system32>dfm user add -r GlobalFullControl DOMAIN2\snapmgr
Warning: DOMAIN2\snapmgr does not exist in the administrator database(s),
so login is disabled for this administrator.
Added administrator DOMAIN2\snapmgr.
Added 1 role to administrator DOMAIN2\snapmgr.

C:\Windows\system32>dfm query run "SELECT objId, objFullName from objects where
objName = 'DOMAIN2\snapmgr'"
"objId","objFullName"
"5577323","DOMAIN2\snapmgr"

 

Are there any restrictions in name usage, because the underscore is a normal ASCII character?

dmauro

Hi,

from your last output, I don't really see any change.

It still creates the user but then it disables it.

So, I am not sure if a trust is required between the two domains.

I have asked a colleague who is specialized in DFM and will take a look and reply.

 

Domenico Di Mauro.

 


KFU

Thx Rom for your reply,

 

due to the fact that in our case both domains are independent and there is no domain on top of them, only a trust between these two will be the solution. As this is against our architecture, we need to set up a SnapVault relationship between SnapVault primary and secondary without using DFM/Protection Manager.
