JRVillaceran
1 Nickel

Migrated SMB Shares cannot be accessed by Trusted Domain

Hello, experts.

Environment:

- Isilon OneFS 8.0 joined to headoffice.corp.com.ph

- Isilon is joined to headoffice.corp.bpi.com.ph with 2-way trust-relationship to remoteoffice.corp.com.ph

- 10.134.16.94 is SSIP

Before migration, on the VNX side, users from both domains could access the share and directories. After migration, on the Isilon side, only users from the headoffice domain can access the shares.

User is trying to access \\10.134.16.94\<Share>. We also tried Isilon Node IP \\10.134.16.70\<Share>.

Error:

"A device attached to the system is not functioning"

Here are the troubleshooting activities that we've done already:

1. Firewall ports from Isilon to Active Directory headoffice and remoteoffice are enabled and tested successfully.

   - tcp 88 for Kerberos
   - tcp 389 for LDAP
   - tcp 445 for SMB
   - tcp 464 for Kerberos Machine Password
   - udp 53 for DNS
   - tcp 3268 for AD global catalog
   - tcp 3269 for AD global catalog

2. The trust relationship between the two domains is confirmed. The commands below were executed successfully by the affected user.

C:\>nltest /trusted_domains

C:\>nltest /dclist:remoteoffice.corp.bpi.com.ph

C:\>nltest /dclist:headoffice.corp.bpi.com.ph


3. The commands below were executed successfully from the domain controllers.


In headoffice DC:

C:\>nltest /whowill:headoffice.corp.bpi.com.ph ibmfm-beilagan


In remoteoffice DC:
C:\>nltest /whowill:remoteoffice.corp.bpi.com.ph mecuizonj


Both results are "ACT FOUND".


4. TCP Port 445 is already opened from Workstation to Isilon IP Addresses.



We're running out of troubleshooting techniques to try. Appreciate any help.

0 Kudos
16 Replies
sjones51
2 Iron

Re: Migrated SMB Shares cannot be accessed by Trusted Domain

Hi JRVillaceran,

If you are looking for more troubleshooting options, Isilon Support does have a couple troubleshooting guides that may help:

There was a similar thread recently that may also prove useful: Re: Clients autheticating on nodes 2 & 3 get error message "A device attached to the system is n...

There are a couple of processes on the Isilon cluster that could be verified as running. You may be able to save some time by working directly with Isilon Support. If you haven't already opened a service request, you can do so here: https://onlinesupport.emc.com/SRCreate

0 Kudos
JRVillaceran
1 Nickel

Re: Migrated SMB Shares cannot be accessed by Trusted Domain

Hi, sjones5.

Thanks for your reply. I've opened an SR and it has been in process for weeks now. We have almost the same issue, but for ours, the error appears when trying to connect to ALL NODES. We've resolved the time issue and all are synced now.

Thanks again,

JR

0 Kudos
JRVillaceran
1 Nickel

Re: Migrated SMB Shares cannot be accessed by Trusted Domain

Hi, sjones5.

Is opening TCP port 445 from the workstation to Isilon enough, aside from opening the ports above from Isilon to the Active Directory provider?

Thanks.

0 Kudos
JRVillaceran
1 Nickel

Re: Migrated SMB Shares cannot be accessed by Trusted Domain

Hi, sjones5.

I'm wondering if we need to define an A record of the trusted domain in the headoffice domain server and if we also need to add an FQDN equivalent to remoteoffice in Isilon. Since trust is established between the two domains, is it enough that there is no configuration on the Isilon side? Thanks.

0 Kudos
sjones51
2 Iron

Re: Migrated SMB Shares cannot be accessed by Trusted Domain

Hi JRVillaceran,

I think most of your questions regarding port settings can be answered within the security documentation.

8.0.0 Security Configuration Guide
http://support.emc.com/docu65067

8.0.1 Security Configuration Guide
http://support.emc.com/docu79792

In terms of DNS setup, that really depends on the environment. Typically, DNS is integrated in AD so necessary DNS components and records are added as such. If the trust is another FOREST with another DNS infrastructure, then you will need to have the proper DNS setup on the cluster. If you trust the other domain, you should probably have an NS/Delegation pointing to that forest DNS.

0 Kudos
JRVillaceran
1 Nickel

Re: Migrated SMB Shares cannot be accessed by Trusted Domain

Hi, sjones5.

In our environment, the TRUST-RELATIONSHIP is with another FOREST with another DNS Infrastructure.

DNS servers for HEADOFFICE.CORP.BPI.COM.PH

133.100.202.85

133.100.202.94

DNS servers for REMOTEOFFICE.CORP.BPI.COM.PH

133.100.206.147

133.100.206.148

133.100.206.117

133.100.206.118


DNS configuration was done in HEADOFFICE.CORP.BPI.COM.PH.

A Record - pdcnas - 10.134.16.94

NS - pdcnas1 - pointing to A record 10.134.16.94


In Isilon, below is the configuration:


SSIP - 10.134.16.94

Pool1 FQDN - pdcnas1.headoffice.corp.bpi.com.ph


Should we add configurations in Isilon and DNS even if there is trust? Shouldn't it resolve automatically?


Thanks.

0 Kudos
JRVillaceran
1 Nickel

Re: Migrated SMB Shares cannot be accessed by Trusted Domain

Hi, sjones5.

We took packet captures and see the result below. Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE was the error from the Isilon SSIP. The client then replied with its DOMAIN\username and the Isilon replied with ACK. After that, a RESET was sent by the workstation IP. Is this a workstation-related problem?

I found a thread related to this and it seems like a workstation error. I'll check if the workstation OS was Windows 10.

[Image: Packet Capture.jpg]

Windows 10 Technical Preview : SMB Share not working - Synology Forum

0 Kudos
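
For reading a capture like the one described in the post above: in an NTLM session setup, the server's SMB response with STATUS_MORE_PROCESSING_REQUIRED carries the NTLMSSP CHALLENGE token (the second of three legs), and the client's following AUTHENTICATE token is where DOMAIN\username appears. The parser below is an added example, not part of the original thread; the two `build_*` helpers only produce constructed sample tokens so it runs offline.

```python
import struct

SIG = b"NTLMSSP\x00"
TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE
MIN_LEN = {2: 32, 3: 64}  # bytes needed before the fixed fields read below

def _field(msg, pos, unicode):
    """Decode the payload behind the (Len, MaxLen, Offset) descriptor at pos."""
    length, _, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the token")
    return msg[offset:offset + length].decode("utf-16-le" if unicode else "cp437")

def parse_ntlmssp(msg):
    """Return the message type and identity fields of one NTLMSSP token."""
    if len(msg) < 12 or not msg.startswith(SIG):
        raise ValueError("not an NTLMSSP token")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if len(msg) < MIN_LEN.get(mtype, 12):
        raise ValueError("truncated token")
    out = {"type": TYPES.get(mtype, "UNKNOWN")}
    if mtype == 2:  # server to client, sent with STATUS_MORE_PROCESSING_REQUIRED
        uni = struct.unpack_from("<I", msg, 20)[0] & UNICODE
        out["target"] = _field(msg, 12, uni)
        out["server_challenge"] = msg[24:32].hex()
    elif mtype == 3:  # client to server, names the account being authenticated
        uni = struct.unpack_from("<I", msg, 60)[0] & UNICODE
        for name, pos in (("domain", 28), ("user", 36), ("workstation", 44)):
            out[name] = _field(msg, pos, uni)
    return out

def build_challenge(target, challenge):
    """Constructed type 2 token for the demo (not taken from a capture)."""
    raw = target.encode("utf-16-le")
    return (SIG + struct.pack("<IHHII", 2, len(raw), len(raw), 56, UNICODE)
            + challenge + bytes(8) + struct.pack("<HHI", 0, 0, 56 + len(raw))
            + bytes(8) + raw)

def build_authenticate(domain, user, workstation):
    """Constructed type 3 token with empty LM/NT responses (not from a capture)."""
    raws = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    descs, off = b"", 88
    for raw in raws:
        descs += struct.pack("<HHI", len(raw), len(raw), off)
        off += len(raw)
    empty = struct.pack("<HHI", 0, 0, 88)
    return (SIG + struct.pack("<I", 3) + empty * 2 + descs
            + struct.pack("<HHII", 0, 0, off, UNICODE) + bytes(24) + b"".join(raws))
```

To use it on a real capture, pass `parse_ntlmssp` the raw NTLMSSP bytes exported from the session setup security blob; the domain it reports in the AUTHENTICATE token shows which domain the workstation presented to the cluster.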
crklosterman
3 Argentium

Re: Migrated SMB Shares cannot be accessed by Trusted Domain

Users should never be connecting to the SSIP for file services.  Although it may work, they should be connecting to an IP in a SmartConnect zone associated with an access zone in which the data resides.

0 Kudos
JRVillaceran
1 Nickel

Re: Migrated SMB Shares cannot be accessed by Trusted Domain

Hi, Chris.

I agree. We let the client connect to the SSIP and node IP addresses first because we are isolating the issue. We want to take name resolution/DNS out of the picture, thus we used the IP address. We want to check whether it is network routing, the workstation or Isilon that's causing the error.

Thanks!

0 Kudos