NetApp Knowledge Base

What is Domain Controller Discovery?

Category:
data-ontap-8
Specialty:
cifs

Applies to

  • Data ONTAP 8 7-mode
  • Clustered Data ONTAP
  • ONTAP 9

Answer

  • Domain Controller Discovery (DC Discovery) is an automatic procedure triggered by the Security Daemon (SecD). ONTAP uses dynamic server discovery to find Domain Controllers (DCs) and their associated services, such as LSA, NETLOGON, Kerberos and LDAP.
  • It discovers all DCs: the preferred DCs, all DCs in the local site, and all remote DCs.
  • ONTAP then determines the optimal DC to authenticate new CIFS connections against. If there are many DCs in the environment, this can take some time.
  • As a result, accessing or enumerating shares can be noticeably slow, depending on the environment.
  • The storage controller might also pick a less than optimal DC to authenticate against, for example a DC discovered over a WAN. In certain cases, the remote DCs might be permanently unreachable because of firewall or network configuration.
  • The discovery process is executed automatically (without being specifically triggered by the user) in 3 scenarios:
  1. Joining the SVM's CIFS server to a domain.
  2. Periodic discovery, performed at an ~4 hour interval, to check for possible changes in the server or LIF configuration.
  3. Changing the preferred DCs.
This last operation triggers the discovery process and automatically resets the counter of the periodic discovery.
Domain Discovery Commands
  • The command tree vserver cifs domain discovered-servers allows the admin to interact with the Domain Discovery process.
  • Commands:
    1. show - Display discovered server information
    2. reset-servers - Reset and rediscover servers for a Vserver
  1. vserver cifs domain discovered-servers show

  • Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
  • Description: The vserver cifs domain discovered-servers show command displays information about the discovered servers for the CIFS domains of one or more Vservers. Server displays are grouped by node and Vserver, and each group is preceded by the node and Vserver identification.
  • Within each grouping, the server display is limited to those associated with the domain specified by the domain parameter, if it is present. This command is not supported for workgroup CIFS servers.
  • Currently only the SVM's local domain is shown.
  • Executing the command produces tabular output, as in the example below.
  • Each column header is detailed after the example:

 ::> cifs domain discovered-servers show -vserver vserver01
Node: node01
Vserver: vserver01

Domain Name Type Preference DC-Name DC-Address Status
--------------- -------- ---------- --------------- --------------- ---------
nas-deep.local KERBEROS preferred "" 10.216.29.254 undetermined
nas-deep.local KERBEROS preferred "" 10.216.29.255 undetermined
nas-deep.local KERBEROS adequate dc-2012-251 10.216.29.251 undetermined
nas-deep.local KERBEROS adequate dc-2012-251 172.16.0.251 undetermined
nas-deep.local KERBEROS preferred dc-2012-252 10.216.29.253 undetermined
nas-deep.local MS-LDAP preferred "" 10.216.29.254 undetermined
nas-deep.local MS-LDAP preferred "" 10.216.29.255 undetermined
nas-deep.local MS-LDAP adequate dc-2012-251 10.216.29.251 undetermined
nas-deep.local MS-LDAP adequate dc-2012-251 172.16.0.251 undetermined
nas-deep.local MS-LDAP preferred dc-2012-25 10.216.29.253 undetermined
nas-deep.local MS-DC preferred "" 10.216.29.254 undetermined
nas-deep.local MS-DC preferred "" 10.216.29.255 undetermined
nas-deep.local MS-DC adequate dc-2012-251 10.216.29.251 undetermined
nas-deep.local MS-DC adequate dc-2012-251 172.16.0.251 undetermined
nas-deep.local MS-DC preferred dc-2012-251 10.216.29.253 OK
15 entries were displayed.

  • Domain Name: FQDN of the domain
  • Type: the server type. Possible values:
    • Unknown - The server type is not known
    • KERBEROS - Kerberos server
    • MS-LDAP - Microsoft Lightweight Directory Access Protocol (LDAP) server
    • MS-DC - Microsoft Domain Controller
    • LDAP - Lightweight Directory Access Protocol (LDAP) server
    • NIS - Network Information Service (NIS) server
  • Preference: there are 4 preference levels, indexed from 0-3:
    • unknown=0 - The preference level of this server is unknown
    • preferred=1 - This server was administratively marked as a preferred server due to its presence in the list of preferred servers
    • favored=2 - This server was marked as favored by the server discovery process by virtue of site membership. When the discovery process marks a server as favored, it means that the discovered Domain Controller is in the same site as the filer.
      In 9.1, this process is completely automatic and cannot be influenced. If the filer admin and the AD admin have decided to use the default configuration 'Default-Site' and all the Domain Controllers are listed there, it also means that in certain situations your filer will end up using a high-latency Domain Controller, which under high authentication load might lead to the filer granting users access to the shares they want only after delays.
      In 9.3, this behavior is changed.
    • adequate=3 - This server was discovered by the server discovery process and can be used, but has no preference associated with it.
  • DC-Name: NetBIOS name of the Domain Controller listed in the table
  • DC-Address: IP address of the Domain Controller listed in the table
  • Status: the possible statuses are:
    • OK - The connection to this server is usable.
      • This status is shown when there is an active, ongoing connection to a Domain Controller.
    • unavailable - This server is currently unavailable for use.
      • This status means that ONTAP was previously connected to the Domain Controller but has no active session at this time.
      • Given the nature of an LDAP query (open a session, perform one query, close the session), this status is also considered a positive status.
    • slow - The connection to this server is usable but slow.
    • expired - The connection to this server has expired.
    • undetermined - A connection to this server has not been attempted. The server was discovered when running the discovery procedure; there is no need to connect to it.
      • Under low authentication load, it is normal to see all of the servers listed as "undetermined" except one.
    • unreachable - This server is currently unreachable. It was discovered, but it is not possible to connect to it.
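As an added illustration (not ONTAP code and not part of this article), the following Python parses the tabular output of discovered-servers show and summarises which DC is actively in use (status OK), which discovered addresses fall outside the site's subnets (the WAN case described earlier), and which preferred entries carry no DC name. The sample rows are a subset of the article's output above; the local subnet list is an operator-supplied assumption, since ONTAP does not report it in this output.

```python
import ipaddress
from collections import defaultdict
# Constructed subset of the article's sample "discovered-servers show" output.
SAMPLE_SHOW_OUTPUT = """\
Domain Name Type Preference DC-Name DC-Address Status
--------------- -------- ---------- --------------- --------------- ---------
nas-deep.local KERBEROS preferred "" 10.216.29.254 undetermined
nas-deep.local KERBEROS adequate dc-2012-251 172.16.0.251 undetermined
nas-deep.local MS-LDAP adequate dc-2012-251 10.216.29.251 undetermined
nas-deep.local MS-DC preferred "" 10.216.29.254 undetermined
nas-deep.local MS-DC adequate dc-2012-251 172.16.0.251 undetermined
nas-deep.local MS-DC preferred dc-2012-251 10.216.29.253 OK
6 entries were displayed.
"""

FIELDS = ("domain", "type", "preference", "dc_name", "dc_address", "status")

def parse_discovered_servers(text):
    """Parse the data rows of 'vserver cifs domain discovered-servers show'."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly six columns; skip the header, rule and footer.
        if len(parts) != 6 or parts[0].startswith("-"):
            continue
        row = dict(zip(FIELDS, parts))
        row["dc_name"] = "" if row["dc_name"] == '""' else row["dc_name"]
        rows.append(row)
    return rows

def review_discovery(rows, local_subnets):
    """Summarise active DCs, addresses outside local_subnets (an operator-supplied
    assumption; ONTAP does not report site subnets) and unnamed preferred entries."""
    nets = [ipaddress.ip_network(n) for n in local_subnets]
    report = {"active": [], "remote": set(), "unnamed_preferred": set(),
              "by_status": defaultdict(int)}
    for r in rows:
        report["by_status"][r["status"]] += 1
        addr = ipaddress.ip_address(r["dc_address"])
        if r["status"] == "OK":
            report["active"].append((r["type"], r["dc_name"], r["dc_address"]))
        if not any(addr in n for n in nets):
            report["remote"].add(r["dc_address"])
        if r["preference"] == "preferred" and not r["dc_name"]:
            report["unnamed_preferred"].add(r["dc_address"])
    return report

if __name__ == "__main__":
    print(review_discovery(parse_discovered_servers(SAMPLE_SHOW_OUTPUT), ["10.216.29.0/24"]))
```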
Under certain conditions, you might see in the EMS log that certain Domain Controllers are marked as UNUSABLE/UNAVAILABLE.
  • One of the issues known to NetApp Support is caused by the error response 'NetrLogonSamLogonEx response, Unknown error 0xc0000413' being returned to a trusted domain user, because 'Selective Authentication' set on the domain trusts forces authentication to occur using non-local, high-latency DCs.
Starting with 9.3, the discovery behavior was changed:
  • A new option 'discovery-mode' is added under the command directory vserver cifs domain discovered-servers to control server discovery.
  • Three values are available for the newly added option:
  1. all - Default option. Behaves as before, discovering all the domain controllers in the domain.
  2. site - Only DCs in the local site will be discovered.
  3. none - Server discovery will not be done; ONTAP will depend only on the configured preferred DCs.
  • Any new Vserver created in a 9.3 cluster will have the discovery mode set to 'all'. Based on the customer environment, it can be modified to suit the customer's needs.
  • On the last node upgrade to 9.3, all the Vservers in the cluster will have the server discovery mode set to 'all'.
  • Setting 'discovery-mode' to 'none' will fail if there are no preferred DCs configured for the Vserver. When removing preferred DCs, a warning will be given if 'discovery-mode' is set to 'none'.
  • The 'vserver cifs domain preferred-dc add' command can be used to add preferred DCs.
  • Setting 'discovery-mode' to 'site' will fail if 'default-site' is not present in the CIFS configuration. Removing the 'default-site' configuration will be blocked if 'discovery-mode' is set to 'site'.
  • For a new CIFS configuration, 'default-site' can be provided along with the 'vserver cifs create' command itself.
  • For an existing CIFS configuration, the 'vserver cifs modify' command can be used to configure the 'default-site'. The CIFS 'default-site' is only used as a fallback if ONTAP is unable to discover the site information for any reason.
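The ordering constraints between 'discovery-mode', the preferred DC list and 'default-site' described above, modelled as a small Python class. This is an added illustration written for this article, not ONTAP code; it does not talk to a cluster, and the class and method names are hypothetical.

```python
class DiscoveryConfigError(Exception):
    """Raised when a change would break the 9.3 discovery-mode constraints."""


class CifsDiscoveryConfig:
    """Hypothetical model of one Vserver's CIFS discovery settings; the rules
    mirror the article, the class itself is not ONTAP code."""

    MODES = ("all", "site", "none")

    def __init__(self, preferred_dcs=(), default_site=None):
        self.preferred_dcs = list(preferred_dcs)
        self.default_site = default_site
        self.discovery_mode = "all"  # default for a new 9.3 Vserver
        self.warnings = []

    def set_discovery_mode(self, mode):
        if mode not in self.MODES:
            raise DiscoveryConfigError(f"unknown discovery-mode {mode!r}")
        # 'none' relies solely on preferred DCs, so at least one must exist.
        if mode == "none" and not self.preferred_dcs:
            raise DiscoveryConfigError("discovery-mode none needs a preferred DC")
        # 'site' needs a default-site to fall back on when site lookup fails.
        if mode == "site" and self.default_site is None:
            raise DiscoveryConfigError("discovery-mode site needs default-site")
        self.discovery_mode = mode

    def add_preferred_dc(self, addr):
        self.preferred_dcs.append(addr)

    def remove_preferred_dc(self, addr):
        # Removal is allowed, but warns when discovery-mode is 'none'.
        self.preferred_dcs.remove(addr)
        if self.discovery_mode == "none":
            self.warnings.append(f"removed {addr} while discovery-mode is none")

    def set_default_site(self, site):
        self.default_site = site

    def remove_default_site(self):
        # Blocked while discovery-mode is 'site'; switch mode first.
        if self.discovery_mode == "site":
            raise DiscoveryConfigError("default-site is in use by discovery-mode site")
        self.default_site = None
```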
  2. vserver cifs domain discovered-servers reset-servers

  • This command forces a cleanup of the discovered server information and triggers a new rediscovery. It is usually used when a sudden change of the domain configuration was performed and the discovery process did not occur.
  • A user might want to force the rediscovery in order to have available servers for ONTAP.

Additional Information