March 10th, 2010 13:00

Two CAVA domain users?

Here's an interesting quandary:


Our organization is moving all of our Windows servers (and my CIFS servers) out of one AD Domain (Orange) into a new AD Domain (Purple) later this summer.  Today, I use a service account ORANGE\CAVA-User as my domain CAVA user.  I have CAVA servers in both ORANGE and PURPLE, using the ORANGE\CAVA-User (there's a one-way trust from PURPLE to ORANGE) which works with no major problems.  The Windows team created PURPLE\New-CAVA-User for me to test out.

Is there any reason why I wouldn't be able to use CAVA-Users from both ORANGE and PURPLE at the same time?  That is, PURPLE\CAVA-SRVR1 using ORANGE\CAVA-User and PURPLE\CAVA-SRVR9 using PURPLE\New-CAVA-User?  How does the NAS select which local admin account(s) are used for virus checking?

Thanks!

Karl

Moderator • 285 Posts

March 10th, 2010 14:00

As it is today, when a CIFS server in PURPLE needs to scan a file, it asks PURPLE's DC for a CAVA account.  PURPLE DC checks PURPLE's users, and then checks ORANGE's users because of the trust.  It then uses ORANGE's user.

Once you migrate, requests coming from PURPLE's CAVA servers will use the PURPLE CAVA user, and requests coming from ORANGE's CIFS servers will use ORANGE's CAVA user.

Remember the purpose of the CAVA user:  It has the privilege to read into anyone's folders in the domain so that it can scan files.  Once you segregate domains, I assume you'll break the one-way trust, yes?  That said, then only the ORANGE CAVA user will be able to access ORANGE CIFS servers, and the PURPLE CAVA user will be able to access PURPLE CIFS servers.

March 11th, 2010 11:00

Thanks very much, Bill - informative answers as always!

The idea behind trying to use CAVA users from both domains is that 30 days from now, the Windows guys are going to stop some services on the ORANGE DCs, delete some SPNs and so on.  Their hope is to shake down all the departments and groups that are falling behind on their domain migration tasks and figure out what might break when we cut over to PURPLE.  If I can use PURPLE's CAVA user to check the CIFS servers still in ORANGE, we should avoid a widespread outage, due to lack of CAVA.  Of course, if my plan fails, everyone will be able to yell at the Windows team, not the NAS guy.  Errr, I hope...

Yes - once we migrate everything to PURPLE, we'll actually kill ORANGE's DCs - just like in Office Space!
