Data Domain: Active Directory users cannot administer the Data Domain via SSH or via Enterprise Manager
Summary: Active Directory users are not able to administer a Data Domain system using their AD account if the global catalog for the forest root domain is offline or cannot be reached.
Symptoms
Users belonging to the same primary Active Directory domain as the Data Domain, or to a trusted domain in the same forest, cannot access the system via SSH or via Enterprise Manager if the global catalog for the forest root domain is offline or cannot be reached from the Data Domain.
Cause
The first thing to verify is whether users with an Active Directory account have been granted permission to access the Data Domain system via SSH.
This is achieved by executing the command:
# adminaccess authentication add cifs
If the users still cannot log in after issuing the above command, it may be that the global catalog for the forest root domain is offline, or is not reachable (for example, blocked by a firewall) from the Data Domain system.
In Active Directory nomenclature, a forest is a collection of domains that trust each other. A Global Catalog is a Domain Controller that maintains a partial, read-only copy of every domain in the forest, and is used for universal group storage and logon processing, among other things.
The first domain deployed in an Active Directory forest is called the forest root domain.
This domain remains the forest root domain for the life cycle of the AD DS deployment. The forest root domain contains the Enterprise Admins and Schema Admins groups.
Data Domain contacts the global catalog for the forest root domain in order to include Universal group membership information in the user tokens.
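As an added diagnostic that is not part of the original article, the script below checks from an administrative host whether the forest root domain's global catalog servers are reachable on the global catalog LDAP port (3268), which is the condition this article describes. It assumes dig and nc are installed on that host and that the host sits on the same network segment as the Data Domain; FOREST_ROOT is a placeholder to replace with your own forest root domain.

```sh
#!/bin/sh
# Added example: verify that global catalog servers of the forest root domain
# are discoverable in DNS and reachable on TCP 3268 from this host.
# Assumes dig (bind-utils) and nc (netcat) are available.

FOREST_ROOT="${FOREST_ROOT:-corp.example}"   # placeholder: your forest root domain
GC_PORT=3268                                  # global catalog LDAP (3269 = LDAPS)

# DNS SRV name under which AD registers global catalog servers for a forest.
gc_srv_name() {
    printf '_gc._tcp.%s\n' "$1"
}

# Resolve the GC SRV record to a list of host names, one per line.
# dig +short SRV output looks like: "0 100 3268 dc1.corp.example."
list_gc_hosts() {
    dig +short SRV "$(gc_srv_name "$1")" | awk '{ sub(/\.$/, "", $4); print $4 }'
}

# Return 0 if a TCP connection to host:port succeeds within 3 seconds, else non-zero.
tcp_check() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Return 0 if at least one GC is reachable, 1 if none is, 2 if none is advertised.
check_forest_gc() {
    hosts=$(list_gc_hosts "$1")
    [ -n "$hosts" ] || { echo "no _gc._tcp SRV records for $1 (DNS or forest name problem)"; return 2; }
    rc=1
    for h in $hosts; do
        if tcp_check "$h" "$GC_PORT"; then
            echo "$h:$GC_PORT reachable"; rc=0
        else
            echo "$h:$GC_PORT NOT reachable (firewall or GC offline?)"
        fi
    done
    return $rc
}

# Usage: FOREST_ROOT=corp.example sh gc_check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_forest_gc "$FOREST_ROOT"
fi
```

A non-zero result for every advertised GC points at the firewall or outage case described above rather than at a missing adminaccess entry.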
Resolution
To avoid the global catalog query during user authentication, set the following option:
# cifs option set global-catalog-query-disable true
You can confirm that the option is properly set with the command:
# cifs option show
After setting the option, you need to restart CIFS with the command:
# cifs restart force
Additional Information
165968: This release adds an option to avoid the global catalog query during user authentication. Active Directory user authentication may otherwise fail if the forest root domain global catalog server is offline.