5 Posts
0
3023
October 27th, 2015 14:00
Advice for Moving Primary CIFS server between Active Directory domains
We're running a VNX5300 v 7.1.71.1.
Currently the primary CIFS server is joined to an Active Directory domain that we're migrating away from ("ADold") and we want to switch it over to our new domain ("ADnew").
User accounts have been migrated from ADold (preserving SID history), and authentication using ADnew\username works fine and people can access their files.
Has anyone attempted this before? Or seen a procedure for doing so?
I can't find a procedure from EMC or any success stories from attempting this. Which makes me think that it's either as easy as dis-joining the old domain and joining the new one, or it's so impossibly convoluted that it's never been successfully done. Either seems equally likely.
Obviously, it'd be nice to do this without interrupting access for clients, but I doubt that's possible.


mpeters2
24 Posts
1
October 28th, 2015 06:00
Hi Alex,
What you're looking for is the doc on Configuring and Managing CIFS on VNX found here.
Skip down to the Domain Migration section starting on page 15 and then Managing domain migration on page 88.
There are a couple of commands that are designed to assist with transitioning the CIFS server between domains.
It may be worth testing with a second temp CIFS server on the array to ensure the migration behaves like you expect.
Cheers!
Michael
umichklewis
3 Apprentice
•
1.2K Posts
0
October 28th, 2015 10:00
If you're replicating this CIFS server to another VNX, you can start by exporting a snapshot to a temporary CIFS server on the old AD domain, then go through the Domain Migration section that Michael Peters points out above. This might be a good test for you.
Rainer_EMC
4 Operator
•
8.6K Posts
0
October 29th, 2015 04:00
Testing on a temp. VDM and CIFS server is always a good idea
alex.graham
5 Posts
0
November 6th, 2015 10:00
I've found the following ECN threads about it:
Each of them contains a little insight into how this is most effectively done.
The reason that all of these threads exist and none of them have a complete, correct answer is that the documentation is inadequate for accomplishing the task.
Rainer_EMC
4 Operator
•
8.6K Posts
0
November 9th, 2015 02:00
Well – customer environments differ greatly so you need to adapt.
Also sometimes storage admins don’t know how their AD is configured since it’s done by a different group.
It’s always a good idea to create a test VDM and CIFS server and test it before executing on live data
alex.graham
5 Posts
0
November 12th, 2015 11:00
I think that this is what we want to do and would love it if others took a look to see if this seems
for i in $(server_export server_2 -Protocol cifs -list | cut -f2 -d"/" | cut -f1 -d"\"" | grep -v "server_2" | sort -u) ; do server_cifs server_2 -Migrate $i -acl [old domain]:nb=[cifs server name]:if=[interface name] [new domain]:nb=[cifs server name]:if=[interface name] ; done
server_cifs server_2 -Unjoin compname=[cifs server name],domain=[old domain],admin=[admin account]
server_cifs server_2 -delete compname=[cifs server name]
server_cifs server_2 -add compname=[cifs server name],domain=[new domain],interface=[interface name]
server_cifs server_2 -Join compname=[cifs server name],domain=[new domain],admin=[admin account],ou="ou=Computers:ou=EMC Celerra"
for i in $(server_export server_2 -Protocol cifs -list | cut -f2 -d"/" | cut -f1 -d"\"" | grep -v "server_2" | sort -u) ; do server_cifs server_2 -Replace $i -acl :nb=[cifs server name]:if=[interface name] ; done
The lines & logic:
I've done this with a test CIFS server in a VDM and found that if you re-create the CIFS server with the same name and interface, all the CIFS shares work again without having to re-create them. Since I can only test this in a VDM, I'm not sure if the primary CIFS server will behave identically, so it's probably a good idea to count on having to do that rather than hope you don't.
On that note: you can see a list of your current CIFS exports by running:
server_export server_2 -Protocol cifs -list -all
Which is only moderately useful because it gives you share names, paths, and some other info, but doesn't contain any information about share permissions.
This Microsoft Support page shows how to back up and restore the registry keys that contain information about your CIFS shares: Saving and restoring existing Windows shares. Those same keys exist on the VNX, and the "Configuring and Managing CIFS on VNX" document has a few examples of modifying registry keys, so I suspect that you could use the same MS instructions to back up and restore the share settings, including security info. If anyone from EMC can validate the truth of that, it would be appreciated.
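An added example, not part of the post above or of EMC's documentation: a dry-run wrapper that prints the per-file-system `-Migrate` commands for review instead of running them, plus a before/after share inventory check for the "count on having to re-create shares" case. The sample listing is constructed and its layout is an assumption inferred from the post's `cut`/`grep` pipeline; `CIFS01` and `cge0` in the usage note are placeholder names.

```shell
#!/bin/sh
# Constructed sample of `server_export server_2 -Protocol cifs -list` output.
# Layout is an assumption inferred from the pipeline in the post, not a capture.
sample_exports() {
cat <<'EOF'
server_2 :
share "Finance" "/fs_finance/data" umask=022 maxusr=4294967295 netbios=CIFS01
share "HR" "/fs_hr" umask=022 maxusr=4294967295 netbios=CIFS01
share "Archive" "/fs_finance/archive" umask=022 maxusr=4294967295 netbios=CIFS01
EOF
}

# Same extraction as the post: first path component of each share = file system.
# Blank lines are dropped so they never become an empty loop item.
list_filesystems() {
    cut -f2 -d"/" | cut -f1 -d'"' | grep -v "server_2" | grep -v '^$' | sort -u
}

# Share names only (first quoted field on each "share" line).
list_shares() {
    grep '^share ' | cut -f2 -d'"' | sort -u
}

# Print the -Migrate commands instead of executing them, so they can be reviewed.
# Args: old-domain new-domain cifs-server-name interface-name
plan_migrate() {
    list_filesystems | while read -r fs; do
        printf 'server_cifs server_2 -Migrate %s -acl %s:nb=%s:if=%s %s:nb=%s:if=%s\n' \
            "$fs" "$1" "$3" "$4" "$2" "$3" "$4"
    done
}

# Shares present in the pre-change listing but absent from the post-change one.
# Args: file holding the listing saved before, file holding the listing after.
missing_shares() {
    b=$(mktemp) a=$(mktemp)
    list_shares < "$1" > "$b"
    list_shares < "$2" > "$a"
    comm -23 "$b" "$a"
    rm -f "$b" "$a"
}
```

On the Control Station, save the real listing to a file before the unjoin, feed it to `plan_migrate ADold ADnew CIFS01 cge0` to review the generated commands, and run `missing_shares` against a second listing taken after the re-join. Share permissions are not in this listing, so the check covers share names only.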
Rainer_EMC
4 Operator
•
8.6K Posts
0
November 13th, 2015 06:00
For the second part – DON’T change the VNX CIFS server registry for creating shares and share ACLs.
That’s what sharedup.exe or any other Windows based tool that uses Win32 API like rmtshare is for.
Rainer_EMC
4 Operator
•
8.6K Posts
0
November 16th, 2015 10:00
Correct – if you delete a CIFS server the share config doesn’t get deleted so if you re-create it with the same name the VNX applies the previous config.
That works on PDM-PDM or VDM-VDM
If you need to delete on PDM and recreate on VDM you should first use the procedure to move the CIFS server