NetApp Knowledgebase

What is Domain Controller Discovery?

Category: data-ontap-8
Specialty: cifs

Applies to

  • Data ONTAP 8 7-mode
  • Clustered Data ONTAP

Answer

Domain Controller Discovery (DC Discovery) is an automatic procedure triggered by the Security Daemon (SecD). ONTAP uses dynamic server discovery to find Domain Controllers (DCs) and their associated services, such as LSA, NETLOGON, Kerberos and LDAP. It discovers all DCs: the preferred DCs, the DCs in the local site, and the remote DCs.

ONTAP then determines the optimal DC to authenticate new CIFS connections against. If there are many DCs in the environment, this can take some time, so accessing or enumerating shares can be noticeably slow depending on the environment. The storage controller might also pick a less than optimal DC to authenticate against, for example a DC discovered over a WAN. In certain cases, the remote DCs might be permanently unreachable because of firewall or network configuration.

The discovery process runs automatically (without being specifically triggered by the user) in three scenarios:

  • Scenario 1: Joining the SVM's CIFS server to a domain.
  • Scenario 2: Periodic discovery. Periodic discovery is performed at an approximately 4-hour interval to check for possible changes to the server or LIF configuration.
  • Scenario 3: Change of preferred DCs. This operation triggers the discovery process and automatically resets the periodic discovery timer.

The command tree vserver cifs domain discovered-servers allows the admin to interact with the Domain Discovery process.

Options:

  1. show - Display discovered server information 
  2. reset-servers - Reset and rediscover servers for a Vserver

 

  1. vserver cifs domain discovered-servers show

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description: The vserver cifs domain discovered-servers show command displays information about the discovered servers for the CIFS domains of one or more Vservers. Server displays are grouped by node and Vserver, and each group is preceded by the node and Vserver identification. Within each grouping, the server display is limited to the servers associated with the domain specified by the domain parameter, if it is present. This command is not supported for workgroup CIFS servers.

Currently only the SVM's local domain is shown.
 
Executing the command returns a tabular output. Each column header is described below:

[Image: KB 1076594.png, sample output of vserver cifs domain discovered-servers show]

Domain Name: FQDN of the domain

Type: The possible server types are:

  • Unknown - The server type is not known
  • KERBEROS - Kerberos server
  • MS-LDAP - Microsoft Lightweight Directory Access Protocol (LDAP) server
  • MS-DC - Microsoft Domain Controller
  • LDAP - Lightweight Directory Access Protocol (LDAP) server
  • NIS - Network Information Service (NIS) server

 
Preference: There are 4 types of preferences, indexed from 0 to 3:

  • unknown=0 - The preference level of this server is unknown
  • preferred=1 - This server was administratively marked as a preferred server because it is present in the list of preferred servers
  • favored=2 - This server was marked as favored by the server discovery process by virtue of site membership: the discovered Domain Controller is in the same site as the filer.
  • adequate=3 - This server was discovered by the server discovery process and can be used, but has no preference associated with it.

Note: In 9.1, this process is completely automatic and cannot be influenced. If the filer admin and the AD admin have decided to use the default configuration 'Default-Site' and all the Domain Controllers are listed there, in certain situations the filer will end up using a high-latency Domain Controller, which under high authentication load might delay users' access to the shares they want to reach.

In 9.3, this behavior changed. See the 9.3 details below.
 
DC-Name: NetBIOS name of the Domain Controller listed in the table

DC-Address: IP address of the Domain Controller listed in the table
 
Status: The possible statuses are:

  • OK - The connection to this server is usable. This status is shown when there is an active, ongoing connection to the Domain Controller.
  • unavailable - This server is currently unavailable for use. This status means that ONTAP was previously connected to the Domain Controller but has no active session at this time. Given the nature of an LDAP query (open a session, perform one query, close the session), this status is also considered a positive status.
  • slow - The connection to this server is usable but slow.
  • expired - The connection to this server has expired.
  • undetermined - A connection to this server has not been attempted. The server was found by the discovery procedure, but there has been no need to connect to it.
  • unreachable - This server is currently unreachable. The server was found by the discovery procedure, but it is not possible to connect to it.

Note: Under certain conditions, you might see in the EMS log that certain Domain Controllers are marked as UNUSABLE/UNAVAILABLE.

One of the issues known to NetApp Support is caused by the error response 'NetrLogonSamLogonEx response, Unknown error 0xc0000413' returned for a trusted-domain user when 'Selective Authentication' is set on the domain trust, which forces authentication to occur through non-local, high-latency DCs.

 
Starting 9.3, the discovery behavior was changed:
=========================================

A new option 'discovery-mode' is added under the command directory vserver cifs domain discovered-servers to control server discovery.

Three values are available for the new option:

  1. all - Default. Behaves as before, discovering all the domain controllers in the domain.
  2. site - Only DCs in the local site are discovered.
  3. none - Server discovery is not performed; ONTAP depends only on the configured preferred DCs.

  • Any new Vserver created in a 9.3 cluster will have the discovery mode set to 'all'. It can be modified to suit the customer environment.
  • When the last node is upgraded to 9.3, all the Vservers in the cluster will have the server discovery mode set to 'all'.
  • Setting 'discovery-mode' to 'none' will fail if there are no preferred DCs configured for the Vserver. When removing preferred DCs, a warning is given if 'discovery-mode' is set to 'none'.
  • The 'vserver cifs domain preferred-dc add' command can be used to add preferred DCs.
  • Setting 'discovery-mode' to 'site' will fail if 'default-site' is not present in the CIFS configuration. Removing the 'default-site' configuration is blocked if 'discovery-mode' is set to 'site'.
  • For a new CIFS configuration, 'default-site' can be provided with the 'vserver cifs create' command itself.
  • For an existing CIFS configuration, the 'vserver cifs modify' command can be used to configure the 'default-site'. The CIFS 'default-site' is only used as a fallback if ONTAP is unable to discover the site information for any reason.
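Two parts of this article lend themselves to a small operational check: reading the discovered-servers show output (the columns and statuses described earlier) to see which DCs a node is actually using, and validating a planned discovery-mode change against the 9.3 rules just listed before typing it in. The Python below is an added example, not NetApp's code. The sample output, node and Vserver names, DC names and addresses are constructed, and the exact column layout of the real command output is assumed from the headers the article lists.

```python
"""Added example (not NetApp's code): parse the tabular output of
`vserver cifs domain discovered-servers show` and check the 9.3
discovery-mode rules against a (resulting) CIFS configuration."""
from collections import Counter

VALID_MODES = ("all", "site", "none")
IN_USE = {"OK", "slow"}                 # a usable connection exists right now
LOCAL_PREFS = {"preferred", "favored"}  # administratively chosen or same-site

# Constructed sample output. Column order follows the headers in the article;
# node, Vserver, domain, DC names and addresses are made up for illustration.
SAMPLE_OUTPUT = """\
Node: node1
Vserver: svm1

Domain Name     Type     Preference DC-Name         DC-Address      Status
--------------- -------- ---------- --------------- --------------- ------------
example.com     MS-LDAP  favored    dc-site1-a      10.10.1.11      OK
example.com     MS-DC    favored    dc-site1-a      10.10.1.11      OK
example.com     MS-LDAP  adequate   dc-remote-b     10.20.5.12      unavailable
example.com     MS-DC    adequate   dc-remote-b     10.20.5.12      slow
example.com     MS-DC    adequate   dc-remote-c     10.30.7.13      unreachable
example.com     KERBEROS preferred  dc-site1-a      10.10.1.11      undetermined

Node: node2
Vserver: svm1

Domain Name     Type     Preference DC-Name         DC-Address      Status
--------------- -------- ---------- --------------- --------------- ------------
example.com     MS-DC    adequate   dc-remote-c     10.30.7.13      OK
"""


def parse_discovered_servers(text):
    """Return one dict per row, tagged with the Node/Vserver group it belongs to."""
    servers, node, vserver = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Node:"):
            node = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Vserver:"):
            vserver = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Domain Name") or line.startswith("---"):
            continue  # column header and separator rows
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"unexpected row: {raw!r}")
        domain, stype, pref, dc_name, dc_addr, status = fields
        servers.append({"node": node, "vserver": vserver, "domain": domain,
                        "type": stype, "preference": pref, "dc_name": dc_name,
                        "dc_address": dc_addr, "status": status})
    return servers


def status_summary(servers):
    """Count statuses per (node, vserver), e.g. to spot a node with no OK DC."""
    summary = {}
    for s in servers:
        summary.setdefault((s["node"], s["vserver"]), Counter())[s["status"]] += 1
    return summary


def cross_site_in_use(servers):
    """DCs a node is actively using that discovery did not mark preferred or
    favored: the remote-site / WAN case the article warns about."""
    return [(s["node"], s["vserver"], s["dc_name"], s["type"])
            for s in servers
            if s["status"] in IN_USE and s["preference"] not in LOCAL_PREFS]


def unreachable_dcs(servers):
    """Distinct DC names that discovery found but could not connect to."""
    return sorted({s["dc_name"] for s in servers if s["status"] == "unreachable"})


def check_discovery_config(mode, preferred_dcs, default_site):
    """Apply the 9.3 rules from the article to the configuration that would
    result from a change: 'none' needs at least one preferred DC and 'site'
    needs a default-site. Returns a list of problems; empty means valid."""
    problems = []
    if mode not in VALID_MODES:
        problems.append(f"unknown discovery-mode {mode!r}; expected one of {VALID_MODES}")
    if mode == "none" and not preferred_dcs:
        problems.append("discovery-mode 'none' requires preferred DCs "
                        "(vserver cifs domain preferred-dc add)")
    if mode == "site" and not default_site:
        problems.append("discovery-mode 'site' requires a default-site in the CIFS configuration")
    return problems


if __name__ == "__main__":
    rows = parse_discovered_servers(SAMPLE_OUTPUT)
    for key, counts in status_summary(rows).items():
        print(key, dict(counts))
    print("in use but not local-site:", cross_site_in_use(rows))
    print("unreachable:", unreachable_dcs(rows))
    # Evaluate the state a proposed change would leave behind before making it.
    print(check_discovery_config("site", ["dc-site1-a"], None))
    print(check_discovery_config("none", ["dc-site1-a"], "Site1"))
```

Feed the function real output captured from the cluster (for example via ssh) instead of SAMPLE_OUTPUT. The cross_site_in_use list is the practical signal: a node holding an OK or slow connection to a DC that is neither preferred nor favored is authenticating across sites, which is the case where 'site' mode or a preferred-DC list is worth considering, and check_discovery_config tells you whether that change would be accepted with the current CIFS configuration.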

 

  1. vserver cifs domain discovered-servers reset-servers

This command forces the discovered-server information to be cleared and triggers a new discovery. It is usually used when a sudden change of the domain configuration has been made and the discovery process did not run; a user might want to force rediscovery so that ONTAP has available servers.

For more information, read:  Managing domain controller discovery
