Data Domain: Active Directory users cannot administer the Data Domain via SSH or via Enterprise Manager

Summary: Active Directory users are not able to administer a Data Domain system using their AD account if the forest root domain global catalog is offline or cannot be reached.


Symptoms



Users belonging to the same primary Active Directory Domain as the Data Domain, or belonging to a trusted domain in the same forest, cannot access the system via SSH or via Enterprise Manager, if the global catalog for the forest root domain is offline or cannot be accessed from the Data Domain.

 

Cause

First, verify that users with an Active Directory account have been granted permission to access the Data Domain system via SSH.

This permission is granted with the command:

# adminaccess authentication add cifs

If the users still cannot log in after this command has been issued, the global catalog for the forest root domain may be offline, or not reachable (behind a firewall) from the Data Domain system.

In Active Directory nomenclature, a forest is a collection of domains that trust each other. A Global Catalog is a Domain Controller server that maintains a partial, read-only copy of every domain in the forest, and is used for universal group storage and logon processing, among other things.

On the other hand, the first domain that you deploy in an Active Directory forest is called the forest root domain.

This domain remains the forest root domain for the life cycle of the AD DS deployment. The forest root domain contains the Enterprise Admins and Schema Admins groups. 

Data Domain tries to contact the global catalog for the forest root domain in order to include the Universal group membership information in the user tokens.
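To check at the network level whether any forest root global catalog answers, the following added example (not part of the original article and not a DD OS tool) parses the `_gc._tcp` SRV records of the forest root and attempts a TCP connection to each server on its advertised port (3268 for the global catalog). It assumes it is run from an admin host on the same network segment as the Data Domain system, so a pass here does not prove the Data Domain's own path is open; the forest name `corp.example` and the host names are constructed placeholders.

```python
"""Check TCP reachability of forest root global catalog servers."""
import socket

# Constructed sample of: dig +short SRV _gc._tcp.corp.example
# (corp.example is a placeholder forest root; fields: priority weight port target)
SAMPLE_SRV = """\
0 100 3268 dc01.corp.example.
0 100 3268 dc02.corp.example.
"""

def parse_srv(dig_short_output):
    """Return [(host, port)] from `dig +short SRV` output, skipping malformed lines."""
    targets = []
    for line in dig_short_output.splitlines():
        parts = line.split()
        if len(parts) == 4 and all(p.isdigit() for p in parts[:3]):
            targets.append((parts[3].rstrip("."), int(parts[2])))
    return targets

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection succeeds; DNS failure, refusal or timeout give False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_global_catalogs(targets, probe=tcp_reachable):
    """Probe every GC; return (per-server results, True if at least one answered)."""
    results = {f"{host}:{port}": probe(host, port) for host, port in targets}
    return results, any(results.values())

if __name__ == "__main__":
    results, any_up = check_global_catalogs(parse_srv(SAMPLE_SRV))
    for server, ok in results.items():
        print(f"{server:30} {'reachable' if ok else 'UNREACHABLE'}")
    if not any_up:
        print("No global catalog reachable: matches the failure condition described above.")
```

Replace `SAMPLE_SRV` with the real SRV lookup output for the forest root domain before drawing conclusions from the result.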

 

Resolution

If the Data Domain cannot contact the forest root domain global catalog server, and there are no Universal group memberships that need to be considered, there is an option in DD OS 5.7.4 and DD OS 6.0.1 that disables the requirement to be able to query the forest root domain global catalog.

This option is:

 # cifs option set global-catalog-query-disable true
 
You can confirm that the option is properly set with the command:

# cifs option show
 
After setting the option, you need to restart cifs with the command:
 
# cifs restart force
 


Additional Information

This is covered in the DD OS 5.7.4.0 release notes:

165968 This release adds an option to avoid global catalog query during user authentication. Active Directory user authentication may otherwise fail if the forest root domain global catalog server is offline.

Affected Products

Data Domain

Article Properties
Article Number: 000051900
Article Type: Solution
Last Modified: 29 Oct 2025
Version:  3