secd.ldap.noServers:EMERGENCY due to trusted DC discovery after ONTAP upgrade
Applies to
- ONTAP 9.12.1P8 and later
- ONTAP 9.13.1 and later
- SMB/CIFS
- Domain Trusts
Issue
- After upgrading ONTAP to a release that contains the fix for CONTAP-79128 (The default site is always used for trusted domain controller discovery in the CIFS discovery mode "site"), EMS logs the following every 4 hours for the CIFS SVM:
[node1: secd: secd.ldap.noServers:EMERGENCY]: None of the LDAP servers configured for Vserver (SVM1) are currently accessible via the network for LDAP service type (Service: LDAP (Active Directory), Operation: SiteDiscovery).
[node1: secd: secd.conn.auth.failure:notice]: Vserver (SVM1) could not make a connection over the network to server (ip <TrustedDC>, port 389). Error: Operation timed out (Service: LDAP (Active Directory), Operation: SiteDiscovery).
Note: These EMS entries refer to trusted domain controllers. No such entries were logged before the upgrade.
A Kerberos pre-authentication failure occurred for SVM "svm_ZUSCUPxxST1xx" due to invalid credentials for ZUxCUPDAXxxx$@TAAAXxx01.LOCAL
- The MS-LDAP discovered servers for trusted domains are unavailable:
::> vserver cifs domain discovered-servers show -vserver <svm>
- The following troubleshooting steps can be performed before proceeding with the solution:
  - Ensure communication between SVM and trusted DC:
    - LDAP to trusted DCs is not blocked by firewalls etc.
    - DCs respond to LDAP requests.
  - If the indicated trusted domain no longer exists:
    - Cosmetic error without impact
    - Remove any decommissioned domain trust relationships from Active Directory to prevent errors
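To decide which trusted DCs to check first, the following added example (not NetApp code) parses exported EMS text and reports, per SVM, the DC addresses that failed during SiteDiscovery and the hours between secd.ldap.noServers events. The timestamp prefix, the 192.0.2.x addresses and the `ConstructedOtherOp` operation are constructed assumptions; the message bodies follow the entries quoted in the Issue section.

```python
import re
from collections import defaultdict
from datetime import datetime

TS = r"(?P<ts>\d+/\d+/\d{4} \d+:\d+:\d+) "  # assumed timestamp prefix
CONN = re.compile(TS + r"\[(?P<node>[^:]+): secd: secd\.conn\.auth\.failure:\w+\]: "
                  r"Vserver \((?P<svm>[^)]+)\) could not make a connection over the network "
                  r"to server \(ip (?P<ip>[^,]+), port (?P<port>\d+)\)\. Error: (?P<err>.+?) "
                  r"\(Service: .*, Operation: SiteDiscovery\)")
NOSRV = re.compile(TS + r"\[(?P<node>[^:]+): secd: secd\.ldap\.noServers:EMERGENCY\]: .*"
                   r"Vserver \((?P<svm>[^)]+)\).*Operation: SiteDiscovery\)")

# Constructed sample input: two 4-hourly discovery cycles plus one line for a
# different (made-up) operation that must be ignored.
SAMPLE_EMS = """\
1/15/2024 08:00:12 [node1: secd: secd.conn.auth.failure:notice]: Vserver (SVM1) could not make a connection over the network to server (ip 192.0.2.10, port 389). Error: Operation timed out (Service: LDAP (Active Directory), Operation: SiteDiscovery).
1/15/2024 08:00:42 [node1: secd: secd.conn.auth.failure:notice]: Vserver (SVM1) could not make a connection over the network to server (ip 192.0.2.11, port 389). Error: Operation timed out (Service: LDAP (Active Directory), Operation: SiteDiscovery).
1/15/2024 08:00:43 [node1: secd: secd.ldap.noServers:EMERGENCY]: None of the LDAP servers configured for Vserver (SVM1) are currently accessible via the network for LDAP service type (Service: LDAP (Active Directory), Operation: SiteDiscovery).
1/15/2024 09:30:00 [node1: secd: secd.conn.auth.failure:notice]: Vserver (SVM1) could not make a connection over the network to server (ip 192.0.2.50, port 389). Error: Operation timed out (Service: LDAP (Active Directory), Operation: ConstructedOtherOp).
1/15/2024 12:00:12 [node1: secd: secd.conn.auth.failure:notice]: Vserver (SVM1) could not make a connection over the network to server (ip 192.0.2.10, port 389). Error: Operation timed out (Service: LDAP (Active Directory), Operation: SiteDiscovery).
1/15/2024 12:00:42 [node1: secd: secd.conn.auth.failure:notice]: Vserver (SVM1) could not make a connection over the network to server (ip 192.0.2.11, port 389). Error: Operation timed out (Service: LDAP (Active Directory), Operation: SiteDiscovery).
1/15/2024 12:00:43 [node1: secd: secd.ldap.noServers:EMERGENCY]: None of the LDAP servers configured for Vserver (SVM1) are currently accessible via the network for LDAP service type (Service: LDAP (Active Directory), Operation: SiteDiscovery).
"""

def triage(text):
    """Per SVM: failing (ip, port) targets and hours between noServers events."""
    seen = defaultdict(lambda: {"unreachable": defaultdict(int), "no_servers": []})
    for line in text.splitlines():
        line = line.strip()
        if m := CONN.match(line):
            seen[m["svm"]]["unreachable"][(m["ip"], int(m["port"]))] += 1
        elif m := NOSRV.match(line):
            seen[m["svm"]]["no_servers"].append(
                datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S"))
    report = {}
    for svm, data in seen.items():
        times = sorted(data["no_servers"])
        gaps = [round((b - a).total_seconds() / 3600, 1) for a, b in zip(times, times[1:])]
        report[svm] = {"unreachable": dict(data["unreachable"]), "gap_hours": gaps}
    return report

if __name__ == "__main__":
    for svm, info in triage(SAMPLE_EMS).items():
        print(svm, info)
```

Addresses that recur in every cycle are the ones to verify against firewall rules and the list of existing domain trusts.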