
FQDN of Disaster Recovery CIFS vserver not resolved



During a failover test to the DR vserver, the customer is not able to access the DR CIFS server using the FQDN, only using the short name.

Here is the setup:

Prod site : vserver SRV-NAS-04

DR site :  vserver SRV-NAS-05

Both the PROD and DR vservers are registered in Active Directory and have a LIF with the same IP address; the DR LIF is normally down when PROD is up.

net interface show:

 (network interface show)
            Logical    Status     Network            Current       Current Is
Vserver     Interface  Admin/Oper Address/Mask       Node          Port    Home
----------- ---------- ---------- ------------------ ------------- ------- ----

            srvnas04_cifs_data up/up XXXNASNOSC1NA-NO1 a0a true

            srvnas04dr_cifs_data down/down XXXNASMACC1NA-NO1 a0b true

The DR vserver SRV-NAS-05 has a NetBIOS alias equal to the Prod vserver name SRV-NAS-04:

vserver cifs show -vserver SRV-NAS-05
                                          Vserver: SRV-NAS-05
                         CIFS Server NetBIOS Name: SRV-NAS-05
                    NetBIOS Domain/Workgroup Name: CUSTOMERNAME
                      Fully Qualified Domain Name: CUSTOMERNAME.LOCAL
                              Organizational Unit: CN=Computers
Default Site Used by LIFs Without Site Membership:
                                   Workgroup Name: -
                             Authentication Style: domain
                CIFS Server Administrative Status: up
                          CIFS Server Description: -
                          List of NetBIOS Aliases: SRV-NAS-04

When the Prod vserver is running normally, users can access CIFS shares using the FQDN or short names:

\\srv-nas-04\shares         -> OK
\\srv-nas-04.customername.local\shares    -> OK

When doing a DR test, we put the prod LIF srvnas04_cifs_data down and the DR LIF srvnas04dr_cifs_data up.

When the DR site is active, users can still access CIFS shares using short names, but not via the FQDN anymore:

\\srv-nas-04\shares         -> OK
\\srv-nas-04.customername.local\shares    -> NOT ACCESSIBLE ANYMORE

What could be the reason why the FQDN is not resolved anymore in DR?



Can you print the SPN for the CNAME? (Run from any Windows box with any permission.)

setspn /q */FQDN

setspn /q */netbios (short name)

see as well


You likely have a Kerberos delegation for the FQDN, but not the NetBIOS name. The delegation itself is good for security (keep it!), and what you should do is actually flip it to the other SVM upon DR and back. But that's also what prevents the clients from falling back to NTLM (as they likely do with the NetBIOS name) when you repoint the CNAME/A.



Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK
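
Added example, not part of the thread and not NetApp or Microsoft code: a Python parser for saved output of the two `setspn /q` queries above that reports which computer account holds an SPN for each name, compared with the account of the SVM currently serving it. The sample outputs and the `HOST` service class are constructed assumptions arranged to match the reply's hypothesis.

```python
import re

# Constructed samples of saved `setspn /q` output (not from the thread).
FQDN_OUT = """Checking domain DC=customername,DC=local
CN=SRV-NAS-04,CN=Computers,DC=customername,DC=local
\tHOST/srv-nas-04.customername.local

Existing SPN found!
"""
SHORT_OUT = """Checking domain DC=customername,DC=local

No such SPN found.
"""

def parse_setspn(output):
    """Map each account DN in the output to the SPNs listed under it."""
    accounts, current = {}, None
    for line in output.splitlines():
        if re.match(r"(?i)^CN=", line):
            current = line.strip()
            accounts[current] = []
        elif current and line[:1] in (" ", "\t") and "/" in line:
            accounts[current].append(line.strip())
        elif not line.strip():
            current = None  # a blank line ends the account's SPN list
    return accounts

def spn_holders(output, host):
    """CNs of the accounts holding any SPN whose host part equals `host`."""
    holders = set()
    for dn, spns in parse_setspn(output).items():
        for spn in spns:
            if spn.split("/")[1].split(":")[0].lower() == host.lower():
                holders.add(dn.split(",")[0][3:].upper())
    return holders

def assess(output, host, active_account):
    """Compare SPN ownership with the account of the SVM now serving `host`."""
    holders = sorted(spn_holders(output, host))
    if not holders:
        # No SPN: the KDC cannot issue a ticket, so clients may use NTLM.
        return ("NO_SPN", holders)
    if holders == [active_account.upper()]:
        return ("SPN_ON_ACTIVE", holders)
    # Ticket is encrypted for another account; the active SVM cannot decrypt it.
    return ("SPN_ON_OTHER", holders)

if __name__ == "__main__":
    print(assess(FQDN_OUT, "srv-nas-04.customername.local", "SRV-NAS-05"))
    print(assess(SHORT_OUT, "srv-nas-04", "SRV-NAS-05"))
```
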