June 5th, 2008 09:00

CIFS setup keeps failing when joining AD domain

I don't have Domain Admin rights but I do have access to a particular OU container where I created a computer account called "celerra" and authorized my AD account to be able to join this computer to the domain.

Then I did:

server_cifs server_2 -Join compname=celerra,domain=abc.ad,admin=myaccount,ou=abc.ad/Computers/celerra

But it fails, I don't know if I'm not specifying the ou container address or if it has to have the Domain Admin rights?


June 5th, 2008 14:00

Great to know that you are able to join the CIFS server to the AD - so our tips help. Please don't forget to mark the answers as Correct or Helpful :)

By the way, did you create any share for this CIFS server? If not, please create a CIFS share on a file system and make it available on the CIFS server, and then you can browse the share
\\cifs_server_name\share_name

By default, only Domain admin is added to the local administrators group on the CIFS server, so if you are not a Domain Admin, you will not be able to access c$ share and also will not be able to make any changes on the computer management.

Request your domain admin to add you to the local administrators group on the CIFS server.

Or else, unjoin the CIFS server from the domain and set a parameter on the Data Mover to add the user account which is used to join the CIFS server to the AD to the local administrators group on the CIFS server.

The parameter is -

cifs djAddAdminToLg=1

Thanks,
Sandip

Message was edited by: Forgot to mention that you need to add the CIFS server to the AD after setting the parameter (may require a reboot on the data mover).
Sandip


June 5th, 2008 10:00

You need to specify OU in the correct format -

ou="ou=celerra:ou=Computers"

or

ou=Computers,ou=celerra

No need to specify the root of the domain abc.ad in the OU field, as that is already defined with the domain=abc.ad option.

Check the server_log on the Data Mover after the command fails - it will provide you more details on why it is failing, and whether it is a permission issue or not.

Also, the join command will fail if the time on the Data Mover is not synchronized with AD time (time skew should not be more than 5 mins). The server_log command will show the same. In that case, please check whether NTP is working properly on the Data Mover and whether the time on the Data Mover is correct or not

server_date server_x

server_date server_x timesvc stats ntp

Hope you'll be able to join the CIFS server without any issue.

Regards,
Sandip

June 5th, 2008 11:00

Thanks for the pointer...I see a bunch of DNS errors in the log, apparently the data movers can't talk to the DNS servers and I believe it's because of the incorrect subnet mask the previous admin had put in. Which of course, I can't fix because of the "in use by Replication" error as I mentioned in my other thread...sigh.

June 5th, 2008 12:00

Got most of it figured out getting:
2008-06-05 14:58:42: USRMAP: 4: Broadcast timeout, No answer received
2008-06-05 15:05:05: USRMAP: 4: last message repeated 2 times
2008-06-05 15:07:38: USRMAP: 4: Broadcast timeout, No answer received


June 5th, 2008 12:00

Got most of it figured out getting:
2008-06-05 15:07:38: USRMAP: 4: Broadcast timeout, No answer received

I think you can safely disregard them - they are from usermapper, which isn't involved when joining a domain


June 5th, 2008 12:00

Also check whether proper route is added.

As I just mentioned in the other thread, the NAS code needs to be upgraded to get rid of the "Interface in-use by replication" issue.

However, another solution comes to my mind which requires some configuration changes and one more valid IP Address. You may create a new Interface with a new IP Address and proper subnet mask on the same physical device where the current IP address is configured. Since the CIFS server is not joined to the domain - you should be able to select the new IP Address to be used by this CIFS server going to the CIFS server property page. Ensure the forward and reverse DNS entries are updated properly - if you are using DDNS, this will be automatically done when you join the CIFS server to the AD. Since the CIFS server is not a part of the domain, no question of any issue accessing the servers in the domain. Then join the CIFS server to the domain.

Please note that, this is completely a personal thought that came to my mind - should not be treated as anything official :)

Cheers,
Sandip


June 5th, 2008 12:00

see if you can server_ping your AD controller and your DNS server

you can do a "server_dns server_2 -option dump" to see if DNS works


You could also just create another (virtual) interface with the correct netmask

June 5th, 2008 13:00

Thanks guys. So I did ignore it (comes naturally) but I was getting Access denied when trying to do "net view \\celerra" from a windows box - that's why I thought it may have to do with usermapping/AD authentication but I guess not. So what else am I missing?

The share I was trying to view was created using the GUI interface, where it didn't ask me for the NTFS ACLs/permissions etc., so I'm assuming the defaults are lax enough to at least allow me to browse the shares?


June 5th, 2008 13:00

If the CIFS server is not joined to the domain, you will not be able to access/browse it. Were you able to join the CIFS server to the AD?

Also - as I mentioned earlier, did you check the time on data mover?

Lastly - you may open a computer management (or MMC with computer mgmt) window and select the CIFS server to connect (right click on the computer name and select Connect to another computer) - you will be able to see all the shares and their share level and NTFS permissions on the file systems.

Thanks,
Sandip

June 5th, 2008 14:00

Sandip,
Yes, I was able to join the domain using another physical interface, thanks for your help.

However, I can't browse the shares. Do I need to give myself access at the per-share level from within Celerra?

June 5th, 2008 16:00

Well, I still get the "System Error 5 - Access denied". I'm starting to think we don't actually have a CIFS license for this box...will have to get in touch with the EMC sales guys.


June 6th, 2008 07:00

you can check with nas_license or the GUI

However, I think if you didn't have a CIFS license it wouldn't let you create a CIFS server

If this is the first time you are using CIFS on that data mover you might have to start the CIFS service first

This is where using the Create CIFS server wizard in Celerra Manager is really nice - it checks and does all these steps for you

just post the output of server_cifs server_2

The Windows message doesn't really help - it could mean anything from your client not being able to resolve the CIFS server name to an IP address to you using a non-domain account

Instead, open Windows Explorer and try to map a share (C$ will do) - either from the name or the IP address

June 6th, 2008 09:00

# nas_license -list
key status value
site_key online
iscsi online
advancedmanager online
nfs online
cifs online


# server_cifs server_2
256 Cifs threads started
Security mode = NT
Max protocol = NT1
I18N mode = UNICODE
Home Directory Shares DISABLED
Usermapper auto broadcast enabled

Enabled interfaces: (All interfaces are enabled)

Disabled interfaces: (No interface disabled)

Unused Interface(s):
if=iSCSI1.16 l=192.168.228.15 b=192.168.228.255 mac=0:60:16:a:14:34
if=NFS2 l=10.240.255.26 b=10.240.255.255 mac=0:60:16:a:14:37

DOMAIN mycomp FQDN=mycomp.ad SITE=US RC=5
SID=S-1-5-15-65ff6ba0-16c1a5e5-1cfde15e-ffffffff
DC=DC3(15.15.18.17) ref=2 time=1 ms (Closest Site)
DC=DC3(15.15.16.17) ref=2 time=1 ms (Closest Site)


CIFS Server CELERRA[MYCOMP] RC=2
Full computer name=celerra.mycomp.ad realm=MYCOMP.AD
Comment='EMC-SNAS:T5.5.23.201'
if=dcdnis l=172.240.255.27 b=172.240.255.255 mac=xx:yy:xx:zz
FQDN=celerra.mycomp.ad (Removed from DNS)
Password change interval: 0 minutes
Last password change: Thu Jun 5 23:04:14 2008 GMT
Password versions: 3

I tried mapping the share; it said network not found, but I can ping the system using both the name and the IP address.

Message was edited by:
StorageGuy201


June 6th, 2008 14:00

I suggest to open a service request (or start from fresh)

the good news is that you have a CIFS license

What I can see is that you apparently have a problem with dynamic DNS (the "Removed from DNS" comment).
DDNS isn't necessarily needed, but if you don't use it you need another form of NetBIOS name resolution (like WINS) for clients that are not on the Celerra local subnet.
You can check for name resolution on the Windows CLI with nbtstat

mapping something like \\172.240.255.27\C$ with a Windows user name that is part of the domain that the Celerra is joined to should work

You also seem to have usermapper disabled - don't know why.

Here's what it looks like on a working system:

server_cifs server_2
server_2 :
256 Cifs threads started
Security mode = NT
Max protocol = NT1
I18N mode = UNICODE
Home Directory Shares DISABLED
Usermapper auto broadcast enabled

Usermapper[0] = [127.0.0.1] state:active (auto discovered)

Enabled interfaces: (All interfaces are enabled)

Disabled interfaces: (No interface disabled)

Unused Interface(s):
if=VMwareETS0 l=192.168.99.10 b=192.168.99.255 mac=0:60:16:4:30:d1
if=PROD_ESX_ISCSIl=10.64.240.137 b=10.64.240.255 mac=0:60:16:4:30:d1
if=ESX_boot1 l=192.168.0.1 b=192.168.0.255 mac=0:60:16:4:30:cd
if=VMwareETS1 l=192.168.98.10 b=192.168.98.255 mac=0:60:16:4:30:d0
if=VMware-ISCI-SW l=192.168.99.100 b=192.168.99.255 mac=0:60:16:4:30:d1

DOMAIN XXX FQDN=XXX.local SITE=Default-First-Site-Name RC=4
SID=S-1-5-15-17d62036-d35d38aa-d9f787ba-ffffffff
DC=YYYY(192.168.99.111) ref=2 time=1 ms (Closest Site)
DC=YYYYY(10.64.240.111) ref=3 time=1 ms (Closest Site)


CIFS Server CELERRA_FS2[XXX] RC=2
Full computer name=celerra_fs2.XXX.local realm=XXX.LOCAL
Comment='EMC-SNAS:T5.5.30.5'
if=10_64_240_139 l=10.64.240.139 b=10.64.240.255 mac=0:60:16:4:30:d1
FQDN=celerra_fs2.XXX.local (Updated to DNS)
Password change interval: 0 minutes
Last password change: Tue Feb 5 18:10:53 2008 GMT
Password versions: 2
-------------------------------------------------------------------------------
CIFS service of VDM VDM_Demo1 (state=loaded)
Home Directory Shares DISABLED

DOMAIN NEUSS FQDN=XXX.local SITE=Default-First-Site-Name RC=4
SID=S-1-5-15-17d62036-d35d38aa-d9f787ba-ffffffff
DC=YYY(192.168.99.111) ref=2 time=1 ms (Closest Site)
DC=YYY(10.64.240.111) ref=4 time=1 ms (Closest Site)


CIFS Server CELERRA_FS1[NEUSS] RC=3
Full computer name=celerra_fs1.XXX.local realm=XXX.LOCAL
Comment='EMC-SNAS:T5.5.30.5'
if=10_64_240_138 l=10.64.240.138 b=10.64.240.255 mac=0:60:16:4:30:d1
FQDN=celerra_fs1.XXX.local (Updated to DNS)
Password change interval: 0 minutes
Last password change: Wed May 23 17:38:26 2007 GMT
Password versions: 2
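
Added example (not part of the thread and not EMC tooling): a small Python check that reads saved `server_cifs` output and flags the two differences visible between the failing and the working output posted above, namely no active Usermapper entry and a CIFS server whose FQDN line is not "Updated to DNS". The sample text, its names and addresses, and the `check_server_cifs` function are constructed for this illustration.

```python
import re

# Constructed sample in the layout of the server_cifs output posted above
# (domain, server names and addresses are made up for this example).
SAMPLE = """\
Usermapper auto broadcast enabled

DOMAIN EXAMPLE FQDN=example.test SITE=US RC=5
 DC=DC1(192.0.2.10) ref=2 time=1 ms (Closest Site)

CIFS Server NAS1[EXAMPLE] RC=2
 Full computer name=nas1.example.test realm=EXAMPLE.TEST
 if=cifs0 l=192.0.2.27 b=192.0.2.255 mac=0:0:0:0:0:1
 FQDN=nas1.example.test (Removed from DNS)
"""

def check_server_cifs(text):
    """Return findings for the symptoms discussed in the thread."""
    findings = []
    # The working output in the thread lists 'Usermapper[0] = [...] state:active'.
    if not re.search(r"^\s*Usermapper\[\d+\]\s*=.*state:active", text, re.M):
        findings.append("no active Usermapper entry listed")
    server = None
    for line in text.splitlines():
        m = re.match(r"\s*CIFS Server (\S+?)\[(\S+)\]", line)
        if m:
            server = m.group(1)  # remember which CIFS server the next lines belong to
            continue
        # Per-server line such as 'FQDN=name (Updated to DNS)'; the DOMAIN line
        # also carries FQDN= but does not start with it, so it is skipped.
        m = re.match(r"\s*FQDN=(\S+) \((.+)\)\s*$", line)
        if m and server:
            fqdn, status = m.groups()
            if status != "Updated to DNS":
                findings.append(f"{server}: {fqdn} DDNS status is '{status}'")
    # Without any DC= line the Data Mover has not located a domain controller.
    if not re.search(r"^\s*DC=\S+\(", text, re.M):
        findings.append("no domain controller listed for the domain")
    return findings

if __name__ == "__main__":
    for finding in check_server_cifs(SAMPLE):
        print("WARN:", finding)
```
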
