Unsolved
This post is more than 5 years old
44 Posts
0
6565
Isilon OneFS 7.2.0.2 unable to join domain
Hi Admins,
Am trying to join my isilon OneFS 7.2.0.2. I was able to join the same with 7.0 version but not with 7.2. What could be causing this. I have rebooted the entire cluster multiple times and the same issue persists. Is this a bug with 7.2.0.2 release ?? To be noted, am able to ping the Domain server from this cluster and vice-versa.
I even tried to join the cluster to AD using CLI but had no luck.
Please help with any steps.
Thanks !
Your Active Directory provider was not created
Error #1: Failed to get DC for 'XYZ.COM': NERR_DCNotFound
dynamox
2 Intern
2 Intern
•
20.4K Posts
1
July 4th, 2015 21:00
communication to DNS server ok, time on the cluster ok ?
virtualphoton
44 Posts
0
July 5th, 2015 01:00
I noticed the NTP was not configured earlier. But I have configured a NTP server now and both the cluster nodes are in Sync and also the WINDOWS DOMAIN CONTROLLER is in sync with the time server.
isiprnd01-1# isi_for_array -s date
isiprnd01-1: Sun Jul 5 11:13:52 AST 2015
isiprnd01-2: Sun Jul 5 11:13:53 AST 2015
There is no firewall in between them and moreover in my first post I mentioned both the cluster and the DC are able to ping each other fine.
I tried again to join AD but no luck..
Am sure there is something which am missing.
Torsten176
1 Message
0
July 6th, 2015 06:00
Hi,
can you try with the classic mode? SSH to the isilon and type
isi_classic auth ads join --domain= --user=
isi auth refresh
isi_for_array -s isi auth status
Cheers
Torsten
johnsonka
130 Posts
1
July 6th, 2015 08:00
Hello tazatemc ,
I have done some looking and this error does indicate a networking or DNS issue. Can you verify a couple of things for me?
1. Are there any NAT translations of your cluster IPs to the domain?
2. Have you made any DNS changes recently in the environment?
In addition, can you please reply to this post with the following?
1. A ping test to your domain name from the cluster as you are trying to add it in the CLI or WebUI
# ping
2. nslookup from the cluster to your domain:
# nslookup
3. A time lookup to your domain from the cluster:
# date; isi_classic auth ads time --domain=
If both of the connectivity tests succeed and the time is still in sync, please also take a look at the following KB to enable debug level logging on the OneFS auth service (lsass) so we may get some more verbose logging of this issue?
https://support.emc.com/kb/88682
Please see the sections regarding "Troubleshooting failures" and "Set logging levels" to get this information to us. Please let me know if there is anything else I can look in to for you!
virtualphoton
44 Posts
1
July 7th, 2015 01:00
Ok.. I got it working now !!!
As a test I created a test domain controller and added the cluster successfully to that DC. So that means there is some issue with the existing domain controller. I remember there were some DC changes with respective to AD in the past and even other windows VMs were having issues joining to AD.
The new test domain controller is a windows 2012 R2 but that does not mean the old DC which is running on Windows 2008 R2 will not work. So am planning to upgrade / fresh install the old DC with a new setup of windows 2012 DC.
Thanks everyone for your valuable suggestions.
dynamox
2 Intern
2 Intern
•
20.4K Posts
0
July 7th, 2015 06:00
Are you suspecting that 2012 R2 is the problem, where just the regular 2012 will work ?
virtualphoton
44 Posts
0
July 8th, 2015 00:00
Nope.. 2012 R2 and 2012 have no issues. It was just my DNS setup which was not working the way it should be. There was a DNS change done earlier (Something with multiple domains pointing to a single domain) which effected our DNS but we did not realize that would affect this ISILON AD join.