- ONTAP 9
- Data ONTAP 8 7-Mode
- Clustered Data ONTAP
- Domain Controller Discovery (DC Discovery) is an automatic procedure triggered by Security Daemon (SecD). Dynamic server discovery is used by ONTAP for discovering Domain Controller's (DC's) and their associated services, such as LSA, NETLOGON, Kerberos and LDAP.
- It discovers all the DC's, including preferred DC's, as well as all the DC's in the local site and all remote DC's also.
- Contact Microsoft for more information on using Active Directory Sites and Services to manage sites to control what servers are discovered.
- ONTAP determines the optimal DC to authenticate new CIFS connections against. If there are many DC's in the environment, this can take some time.
- As a result, accessing or enumerating shares can be noticeably slow depending on the environment.
- Also, the storage controller might pick a less than optimal DC to authenticate against, for example, a DC discovered over a WAN. In certain cases, the remote DC's might be permanently unreachable due to firewall/network configurations.
- The discovery process will be executed automatically (without being specifically triggered by the user) in 3 scenarios:
- Joining the SVM's CIFS server to a domain.
- Periodic discovery is performed at an ~4 hour interval, to check for possible changes on the server or LIF configuration
- Change of Preferred DC's
|This operation will trigger the discovery process and automatically reset the counter of the periodic discovery.|
Domain Discovery Commands
- The command tree
vserver cifs domain discovered-serversallows the admin to interact with the Domain Discovery process.
- show - Display discovered server information
- reset-servers - Reset and rediscover servers for a Vserver
vserver cifs domain discovered-servers show
- Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
- Description: The
vserver cifs domain discovered-servers showcommand displays information about the discovered servers for the CIFS domains of one or more Vserver`s. Server displays are grouped by node and Vserver , and each group is preceded by the node and Vserver identification.
- Within each grouping, the server display is limited to those associated with the domain specified by the domain parameter, if it is present. This command is not supported for workgroup CIFS servers.
- Currently only the SVM's local domain is shown.
- Executing the command, you will receive a tabular output.
- Each Column header is detailed below:
::> cifs domain discovered-servers show -vserver vserver01
Domain Name Type Preference DC-Name DC-Address Status
--------------- -------- ---------- --------------- --------------- ---------
nas-deep.local KERBEROS preferred "" 10.216.29.254 undetermined
nas-deep.local KERBEROS preferred "" 10.216.29.255 undetermined
nas-deep.local KERBEROS adequate dc-2012-251 10.216.29.251 undetermined
nas-deep.local KERBEROS adequate dc-2012-251 172.16.0.251 undetermined
nas-deep.local KERBEROS preferred dc-2012-252 10.216.29.253 undetermined
nas-deep.local MS-LDAP preferred "" 10.216.29.254 undetermined
nas-deep.local MS-LDAP preferred "" 10.216.29.255 undetermined
nas-deep.local MS-LDAP adequate dc-2012-251 10.216.29.251 undetermined
nas-deep.local MS-LDAP adequate dc-2012-251 172.16.0.251 undetermined
nas-deep.local MS-LDAP preferred dc-2012-25 10.216.29.253 undetermined
nas-deep.local MS-DC preferred "" 10.216.29.254 undetermined
nas-deep.local MS-DC preferred "" 10.216.29.255 undetermined
nas-deep.local MS-DC adequate dc-2012-251 10.216.29.251 undetermined
nas-deep.local MS-DC adequate dc-2012-251 172.16.0.251 undetermined
nas-deep.local MS-DC preferred dc-2012-251 10.216.29.253 OK
15 entries were displayed.
- Domain Name
- FQDN of the Domain
- Unknown The server type is not known
- KERBEROS Kerberos server
- MS-LDAP Microsoft Lightweight Directory Access Protocol (LDAP) server
- MS-DC Microsoft Domain Controller
- LDAP Lightweight Directory Access Protocol (LDAP) server
- NIS Network Information Service (NIS) server
There are 4 types of preferences indexed from 0-3:
- unknown=0 The preference level of this server is unknown
- preferred=1 This server was administratively marked as a preferred server due to its presence in the list of preferred servers
- favored=2 This server was marked as favored by the server discovery process by virtue of site membership. When marked as favored by the discovery process, it means that the Discovered domain controller is in the same site as the filer is.
|In 9.1, this process is completely automatic and cannot be 'influenced'. If the Filer admin and the AD admin have decided to use the default configuration 'Default-Site' and all the Domain Controller are listed there, it also means that in certain situation your filer will end up using a high-latency-response Domain Controller, which under high authentication load, might lead in filer allowing users with delays to the shares they want to access.|
In 9.3, this behavior is changed.
- adequate=3 This server was discovered by the server discovery process and can be used, but has no preference associated with it.
- DC-Name: Netbios name of the Domain Controller listed in the table
- DC-Address: IP Adress of the Domain controller listed in the table
- Status: The possible statuses are:
- OK -The connection to this server is usable.
- This status is shown when we have an active-ongoing connection against a Domain Controller
- unavailable - This server is currently unavailable for use.
- This status displays that we were previously connected to the Domain Controller but we do not have any active session at this time.
- OK -The connection to this server is usable.
- Given the nature of a LDAP query (open session, perform 1 query, close the session) this status is considered also a positive status.
- slow - The connection to this server is usable but slow.
- expired - The connection to this server has expired.
- undetermined - A connection to this server has not been attempted. This server was discovered when running the discovery procedure, There is no need to connect to it.
- Note: Under low authentication load, it is normal to see all of the servers listed as "undetermined" except one.
- unreachable - This server is currently unreachable. This server was discovered - It is not possible to connect to it
|Under certain conditions, you might see in EMS log that certain Domain controllers are marked as UNUSABLE/UNAVAILABLE|
- One of the known issues to NetApp Support is due to an error response returned from a '
response, Unknown error 0xc0000413' to a trusted domain user due to 'Selective Authentication' set for Domain Trusts forcing authentication to occur using non-local highly latent DCs.
Starting 9.3, the discovery behavior was changed:
- A new option '
discovery-mode' is added under the command directory
vserver cifs domain discovered-serversto control server discovery.
- Three options are available for the newly added command:
- all - Default option. Will behave as earlier by discovering all the domain controllers in the domain.
- site - Only DC's in local site will be discovered.
- none - Server discovery will not be done, and it will depend only on preferred DC's configured.
- Any new Vserver created in a 9.3 cluster will have the discovery mode set to "all". Based on the customer environment, it can be modified to suit the customer needs.
- On last node upgrade to 9.3, all the Vservers in the cluster will have the server discovery mode set to 'all'.
- Setting the 'discovery-mode' to 'none' will fail if there are no preferred DC's configured for the Vserver. While removing preferred DC's, a warning will be given if 'discovery-mode' is set to 'none'.
- The '
vserver cifs domain preferred-dc add' command can be used to add preferred DC's.
- Setting 'discovery-mode' to 'site' will fail if 'default-site' is not present in the CIFS configuration. Removing 'default-site' configuration will be blocked if 'discovery-mode' is set to 'site'.
- For new CIFS configuration, 'default-site' can be provided along with the '
vserver cifs create' command itself.
- For existing CIFS configuration, '
vserver cifs modify' command can be used to configure the 'default-site'. The CIFS 'default-site' will only be used as a fallback if ONTAP is unable to discover the site information due to any reason.
vserver cifs domain discovered-servers reset-servers
- This command will force cleaning the information of the discovered servers and trigger a new rediscovery. This is usually used in the situation where a sudden change of the Domain configuration is performed, and the discovery process did not occur.
- An user might want to force the rediscovery in order to have available servers for ONTAP.
- Managing domain controller discovery
- Trusted Domain information will also be discovered during Domain Discovery as a result of 1144964
- How to discover Active Directory Domain Controllers using nslookup