Dell EMC Unity: NAS Servers display an error "DC cannot open NETLOGON pipe" (User Correctable)

This solution applies when a minimum of one Windows Server 2008 or older Domain Controller is in use and is connected to Unity's NAS server.  This solution does not apply to Windows Server 2008R2 and newer Domain Controllers.

After upgrading the Unity system to OE version 5.0.6, some NAS Servers are affected by this error message:

DC cannot open NETLOGON pipe.

This occurs intermittently, and randomly, affecting several NAS Servers at the same time or individually, but there's always at least one displaying this error.

Customer can use FQDN to access the share, but is not able to access via IP address.

When running the command svc_cifssupport <NAS_server_name> -pdcdump it will show the following error:
 
Cnx=WRONG_CREDENTIAL_HANDLE,DC cannot open NETLOGON pipe

As part of providing Secure RPC functionality in Dell EMC Unity OE version 5.0.6, the "getDCcapas" function was introduced, in accordance with the Microsoft Netlogon function specification to support Microsoft's ServerCapabilities parameter.  However, that function was only added to supported versions of Windows Server.  Therefore, the function is not implemented in Windows Server 2008 and earlier.

Microsoft Reference Document: [MS-NRPC]: Netlogon Remote Protocol - 7 Appendix B: Product Behavior
Section 3.5.4.4.10:
The ServerCapabilities parameter is not supported by Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008.

Fix:
The safest long-term solution is to upgrade any Domain Controllers connecting with Unity systems running 5.0.6 or higher to a supported version of Windows Server.  Until then, please see the Workaround section below.

Workaround:
Since the parameter "param NTsec.NETLOGON.getDCcapas" in Dell EMC Unity systems controls how NAS servers check DC capabilities, the workaround is to modify the parameter to disable this feature.

IMPORTANT NOTE:  In environments in which multiple Domain Controllers exist, and at least one is on older Windows Server versions and at least one is on newer Windows Server versions (i.e. 2003 and 2012), it appears that disabling the ServerCapabilities function does not negatively impact the newer versions.  This indicates that currently, Microsoft is not enforcing the use of this function.  However, this may change at some time in the future, and customers will have to decide between older or newer versions of Windows Server to run against that SP.

If you must implement the change immediately and you cannot reboot your SP, please contact Dell EMC Technical Support or your Authorized Service Provider and quote this Knowledgebase article.  The workaround can be implemented in a different way, but it requires elevated privilege.  Please note that this parameter can only be implemented at the SP level and thus affects ALL NAS servers across the SP.

If you can implement the change and reboot your SP, please follow the steps below:
 

Step 1 of 2. Run command:  svc_nas ALL -param -facility NTsec -m NETLOGON.getDCcapas -v 0
 

service@spb:~/user# svc_nas ALL -param -facility NTsec -m NETLOGON.getDCcapas -v 0 param NTsec.NETLOGON.getDCcapas added into the list of visible params SPA : done Warning 17716815750: SPA : You must reboot the SP for NETLOGON.getDCcapas changes to take effect. SPB : done Warning 17716815750: SPB : You must reboot the SP for NETLOGON.getDCcapas changes to take effect.

Step 2 of 2. Reboot Storage Processors (SPs), one at a time.

Additional Info can be viewed by the article’s designated audience.
To confirm if the Dell EMC Unity Array is experiencing this issue:

From EMCSystemLogFile.log:

service@spb:~/user# tailf  00_emc_backend_log_shared/EMCSystemLogFile.log |grep -i "WRONG_CREDENTIAL_HANDLE"
B       03/18/21 09:43:44.507 DART_SMB         10380008 [WARN] Audit: For the NAS server NAS in the domain DOMAIN, the DC DC01 has the following error: compname nas DC=DC01 Step='Open NETLOGON Secure Channel' ' ' 'DC cannot open NETLOGON pipe: status=WRONG_CREDENTIAL_HANDLE '.
B       03/18/21 09:43:46.559 DART_SMB         10380008 [WARN] Audit: For the NAS server NAS in the domain DOMAIN, the DC DC02 has the following error: compname nas DC=DC02 Step='Open NETLOGON Secure Channel' ' ' 'DC cannot open NETLOGON pipe: status=WRONG_CREDENTIAL_HANDLE '.

From c4_safe_ktrace.log: 

service@spb:~/user# tailf 02_emc_c4core_log/c4_safe_ktrace.log |grep -i "WRONG_CREDENTIAL_HANDLE"
B       03/30/21 10:37:50.307 sade             d927f702 c4_safe_ktrace   SMB: 3:[NAS] Srv=NAS DC=DC01 buildSecureChannel(2)=Capa_ErrorQueryFailed NTStatus=WRONG_CREDENTIAL_
B       03/30/21 10:37:50.307 sade             d927f702 c4_safe_ktrace   SMB: 3:[NAS] HANDLE pwdno=2
B       03/30/21 10:37:50.307 sade             d927f702 c4_safe_ktrace   SMB: 3:[NAS] NLogon_SecureChannel not OK=Capa_ErrorQueryFailed
B       03/30/21 10:37:50.307 sade             d927f702 c4_safe_ktrace   SMB: 3:[NAS] smbSync failed to create new SecureChannel DC=DC01 NTstatus=SUCCESS LogonStatus=Capa_ErrorQueryFai
B       03/30/21 10:37:50.307 sade             d927f702 c4_safe_ktrace   SMB: 3:[NAS] led SessionKey:StrongKeys authV:[PRIVACY,sign:HMAC_MD5,seal:RC4] 
B       03/30/21 10:37:50.307 sade             d927f702 c4_safe_ktrace   SMB: 6:[NAS] DC0x00175e1038: setDCDown DC(xx.xx.xxx.xxx), refresh if needed (origin=netLogonAuth2)
B       03/30/21 10:37:50.307 sade             d927f702 c4_safe_ktrace   SMB: 3:[NAS] smbSync SamLogon[0] DC=DC01 'DC cannot open NETLOGON pipe' NTstatus=WRONG_CREDENTIAL_HANDLE LogonS
B       03/30/21 10:37:50.307 sade             d927f702 c4_safe_ktrace   SMB: 3:[NAS] tatus=Capa_ErrorQueryFailed (rSCstatus=-1 pipeClosed=0)