Cloud Volumes Service for AWS Common Questions and Resources
Applies to
Cloud Volumes Service for AWS
Answer
CIFS/SMB
Question: What ports need to be open to create the CIFS server?
Answer: The following ports should be opened
Question: What is the 'NetBIOS' field used for in the "Create active directory" and "Active directory" forms?
Answer: This value is the CIFS Server machine account name that will be created in Active Directory for the CIFS Server. This machine account name should not be pre-provisioned.
Question: Why is the ~snapshot/.snapshot directory inaccessible?
Answer: The supported method for snapshot access is via Previous Versions. If the Previous Versions tab is unavailable/doesn't work, please open a case with NetApp support.
Question: "Create New Volume" fails when SMB protocol is specified along with Active Directory settings with one of the following errors
ERROR 1: Reason: SecD Error: no server available
FAILURE: Unable to contact DNS to discover domain ** controllers
(sample ERROR 1) Error when creating - Failed to create the Active Directory machine account "LODDEMO". Reason: SecD Error: no server available Details: Error: Machine account creation procedure failed [ 0 ms] Trying to create machine account 'LODDEMO' in 'DEMO.NETAPP.COM' for Vserver 'svm_98c264ad9f1c4c41b76ffd3d05c4f106_9b5e3359' [ 2009] Failed to connect to 192.168.0.253 for DNS via Source Address 192.168.0.190: Operation timed out **[ 4019] FAILURE: Unable to contact DNS to discover domain ** controllers. [ 4019] Unable to connect to any (0) domain controllers. [ 4019] 'NisDomain' configuration not available [ 4019] NIS configuration not found for Vserver 4 [ 6029] Failed to connect to 192.168.0.253 for DNS via Source Address 192.168.0.190: Operation timed out [ 6029] Unable to contact DNS to discover domain controllers. [ 8039] Failed to connect to 192.168.0.253 for DNS via Source Address 192.168.0.190: Operation timed out [ 8039] Unable to contact DNS to discover domain controllers. [ 10049] Failed to connect to 192.168.0.253 for DNS via Source Address 192.168.0.190: Operation timed out [ 10049] Unable to contact DNS to discover domain controllers. [ 10049] No servers available for MS_LDAP_AD, vserver: 4, domain: DEMO.NETAPP.COM. .
SOLUTION 1: DNS port 53 (TCP or UDP) may be blocked. Verify if those ports are reachable from the dns server and cloud volume IP.
ERROR 2: Reason: SecD Error: no server available
FAILURE: Hostname lookup failed with error: hostname nor ** servname provided, or not known
(sample ERROR 2)
Error when creating - Failed to create the Active Directory machine account "LODDEMO". Reason: SecD Error: no server available Details: Error: Machine account creation procedure failed [ 0 ms] Trying to create machine account 'LODDEMO' in 'DEMO.NETAPP.COM' for Vserver 'svm_98c264ad9f1c4c41b76ffd3d05c4f106_9b5e3359' [ 8] Entry for host-name: dc2.demo.netapp.com not found in any of the available sources **[ 9] FAILURE: Hostname lookup failed with error: hostname nor ** servname provided, or not known [ 14] Hostname found in Name Service Negative Cache [ 14] Hostname lookup failed with error: hostname nor servname provided, or not known [ 14] No servers found in DNS lookup for _ldap._tcp.DEMO.NETAPP.COM. [ 14] No servers available for MS_LDAP_AD, vserver: 4, domain: DEMO.NETAPP.COM. [ 14] Cannot find any domain controllers; verify the domain name and the node's DNS configuration [ 14] Unable to connect to any (0) domain controllers. [ 14] 'NisDomain' configuration not available [ 14] NIS configuration not found for Vserver 4 [ 20] Hostname found in Name Service Negative Cache [ 20] Hostname lookup failed with error: hostname nor servname provided, or not known [ 20] No servers found in DNS lookup for _ldap._tcp.dc._msdcs.DEMO.NETAPP.COM. [ 23] Hostname found in Name Service Negative Cache [ 23] Hostname lookup failed with error: hostname nor servname provided, or not known [ 23] No servers found in DNS lookup for _ldap._tcp.DEMO.NETAPP.COM. [ 26] Hostname found in Name Service Negative Cache [ 26] Hostname lookup failed with error: hostname nor servname provided, or not known [ 26] No servers found in DNS lookup for _kerberos._tcp.DEMO.NETAPP.COM. [ 26] No servers available for MS_LDAP_AD, vserver: 4, domain: DEMO.NETAPP.COM. .SOLUTION 2: Verify that DNS srv (Service Location) records exist for kerberos and ldap on the DNS server.
ERROR 3: Reason: Kerberos Error: KDC Unreachable
Cannot contact any KDC ** for requested realm (KRB5_KDC_UNREACH)
(sample ERROR 3)
Error when creating - Failed to create the Active Directory machine account "LODDEMO". Reason: Kerberos Error: KDC Unreachable Details: Error: Machine account creation procedure failed [ 98] Loaded the preliminary configuration. [ 4149] TCP connection to ip 192.168.0.253, port 88 via interface 192.168.0.190 failed: Operation timed out. **[ 24233] FAILURE: Could not authenticate as ** 'administrator@DEMO.NETAPP.COM': Cannot contact any KDC ** for requested realm (KRB5_KDC_UNREACH) .
SOLUTION 3: Kerberos port 88 (TCP) may be blocked. Verify if those ports are reachable from the KDC server and cloud volume IP.
ERROR 4: Reason: LDAP Error: Cannot contact the LDAP server
FAILURE: Unable to make a connection (LDAP (Active ** Directory)
(sample ERROR 4)
Error when creating - Failed to create the Active Directory machine account "LODDEMO".
Reason: LDAP Error: Cannot contact the LDAP server
Details: Error: Machine account creation procedure failed
[ 8159] Loaded the preliminary configuration.
[ 8164] Successfully connected to ip 192.168.0.253, port 88 using TCP
[ 10202] TCP connection to ip 192.168.0.253, port 389 via interface 192.168.0.190 failed: Operation timed out.
[ 10204] Unable to connect to LDAP (Active Directory) service on dc1.demo.netapp.com (Error: Can't contact LDAP server)
**[ 10204] FAILURE: Unable to make a connection (LDAP (Active ** Directory):DEMO.NETAPP.COM), result: 7642 .
SOLUTION 4: LDAP port 389 (TCP or UDP) may be blocked. Verify if those ports are reachable from the LDAP server and cloud volume IP.
ERROR 5: Reason: SecD Error: no server available
Unable to connect to LSA service (Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR)
(sample ERROR 5)
Error when creating - Failed to create the Active Directory machine account "LODDEMO". Reason: SecD Error: no server available Details: Error: Machine account creation procedure failed [ 78] Loaded the preliminary configuration. [ 154] Created a machine account in the domain [ 168] Successfully connected to ip 192.168.0.253, port 445 using TCP [ 175] Unable to connect to LSA service on dc1.demo.netapp.com (Error: RESULT_ERROR_SPINCLIENT_SOCKET_RECEIVE_ERROR) [ 175] No servers available for MS_LSA, vserver: 4, domain: demo.netapp.com. **[ 175] FAILURE: Unable to make a connection ** (LSA:DEMO.NETAPP.COM), result: 6940 [ 175] Could not find Windows SID 'S-1-5-21-296924722-389102597-4211195190-512' [ 183] Deleted existing account 'CN=LODDEMO,CN=Computers,DC=demo,DC=netapp,DC=com'
SOLUTION 5: Verify SMB2 protocol version is enabled on the Domain Controller.
ERROR 6: Reason: SecD Error: no server available
FAILURE: Could not authenticate as *account* password does not match password stored in Active ** Directory (KRB5KDC_ERR_PREAUTH_FAILED)
(sample ERROR 6)
Error when creating - Failed to create the Active Directory machine account "LODDEMO". Reason: Kerberos Error: Pre-authentication information was invalid Details: Error: Machine account creation procedure failed [ 28] Loaded the preliminary configuration. [ 30] Successfully connected to ip 192.168.0.253, port 88 using TCP **[ 35] FAILURE: Could not authenticate as ** 'administrator@DEMO.NETAPP.COM': CIFS server account ** password does not match password stored in Active ** Directory (KRB5KDC_ERR_PREAUTH_FAILED) .
SOLUTION 6: Verify the account password specified in the Active Directory configuration is correct.
ERROR 7: Reason: LDAP Error: The user has insufficient access rights
FAILURE: Could not create account an LDAP constraint violation occurred, which may indicate the supplied user has insufficient privilege to add an account in the specified organizational unit
(sample ERROR 7)
Error: Machine account creation procedure failed [ 33] Loaded the preliminary configuration. [ 36] Successfully connected to ip 10.216.29.40, port 88 using TCP [ 43] Requested service not found in Active Directory (KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) [ 43] Failed to initiate Kerberos authentication. Trying NTLM. [ 45] Successfully connected to ip 10.216.29.40, port 389 using TCP **[ 89] FAILURE: Could not create account ** 'cn=DOCTORDOOM,CN=Computers,dc=INTERNALDOMAINA,dc=LOCAL': ** an LDAP constraint violation occurred, which may indicate ** the supplied user has insufficient privilege to add an ** account in the specified organizational unit Error: command failed: Failed to create the Active Directory machine account "DOCTORDOOM". Reason: LDAP Error: The user has insufficient access rights.
ERROR 8: Reason: LDAP Error: Strong authentication is required
FAILURE: Unable to make a connection (LDAP (Active ** Directory)
(sample ERROR 8)
Error when creating - Failed to create the Active Directory machine account "LODDEMO". Reason: LDAP Error: Strong authentication is required Details: Error: Machine account creation procedure failed [ 31] Loaded the preliminary configuration. [ 34] Successfully connected to ip 192.168.0.253, port 88 using TCP [ 40] Successfully connected to ip 192.168.0.253, port 389 using TCP [ 45] Unable to connect to LDAP (Active Directory) service on dc1.demo.netapp.com (Error: Strong(er) authentication required) **[ 45] FAILURE: Unable to make a connection (LDAP (Active ** Directory):DEMO.NETAPP.COM), result: 7609 .
SOLUTION 8: Disable LDAP Server Signing Requirements
NFS
Question: Can the Microsoft Client for NFS be used with Cloud Volumes?
Answer: The Microsoft Client for NFS is not compatible with Cloud Volumes
SYNC
Question: Does Cloud Volumes Service Sync support a data broker per region?
Answer: At this time, only one data broker is allowed across all regions. If multiple brokers are required in different regions, utilize the Cloud Sync standalone interface
Question: How are the data broker logs accessed?
Answer: This procedure details how to collect broker logs
Problem: Access Denied seen on transfer
Answer: Use the following checklist to assist with resolution
- Confirm that the data broker has access to both source and destination
- If using CIFS for the transfer protocol, ensure that share ACLs on both source/destination allow the user chosen to transfer the data
- If using NFS for the transfer protocol, ensure that the export policy allow the IP of the data broker to mount with root/superuser access
- Test access to both sides by mounting the exports manually from the data broker and attempt a test write to the destination
- If the volume is specified as 'Dual-protocol' with NTFS security style and NFS as the transferring protocol
- Consider whether manipulation of NT DACLs or unix mode bits will be the preferred method for permissions management
- If unix mode bits managment is desired, change the volume to 'unix' security style
- If NT DACLs will be used, a usermapping will be required for root to <NTDOMAIN>\root
- This will require that <NTDOMAIN>\root be created in the AD domain that the CVS volume is joined to
- Consider whether manipulation of NT DACLs or unix mode bits will be the preferred method for permissions management
Performance
Question: What maximum bandwidth should be expected from a Cloud Volumes Service volume?
Answer: A Cloud Volumes Service volume's maximum bandwidth is a function of both the service level assigned to the volume as well as the volume's allocated capacity. Cost comparison for service levels and allocated capacity chart displays the maximum bandwidth given the service level and allocated capacity.
OTHER
Question: Why does my volume appear as 100TB regardless of the allocation size?
Answer: All volumes are created as 100TB thin provisioned volumes and will appear to the clients as such. The volumes will not reflect the 'allocation' size set in the GUI.
Question: What restore options do I have if files are overwritten or deleted within the Cloud Volumes?
Answer: Ensure that you have setup a snapshot policy when the volume was provisioned. The only natively available backup copies of data in Cloud Volumes are via these point-in-time references in snapshots.
Follow the AWS documentation on How to Restore Data from a Snapshot Copy.
Question: What is the maximum file count (inodes) allowed per volume in CVS?
Question: Why is volume cloning failing with ‘Unable to set volume attribute "files" for volume <volume> … Reason: New count must be larger than current allocated count of <number>
Answer: This issue occurs when trying to clone a volume that currently has more files allocated to it than the clone volume would be assigned for its allocation size.
For example:
If a volume currently has 90 million files and is cloned with a target allocation size to 3 TiB, then the clone will fail. This is because the maximum number of files for the a 3 TiB volume is 80 Million, 10 Million less than the source volume that’s being cloned.