I have an isolated network, into which I've built a vfiler. The point of this network is that it's a non routed 'test' network.
However, there's a need for LDAP/Kerberos and CIFS access to the filer, via domain level accounts.
So we have Read Only domain controllers deployed.
To join a Windows box to the RODC, we would:
- create a machine account by hand.
- join the domain, and specify the machine account password on the client.
A spot of googling finds me: https://kb.netapp.com/support/index?page=content&id=1012918
Where the advice is: Point the filer at a writable DC manually first.
I'd rather not do that if I can avoid it - I don't have writable DCs on this piece of the network deliberately. More importantly - my vfilers are on an ipspace, so I can't even temporarily 'jump over' to a network with the right access. (Which is sort of the point I guess, but even so...)
Does anyone have a suggestion for how I can accomplish this? I'm assuming I may need to extract some information from my DC and transfer it over, such as a servicePrincipal. Or perhaps just 'set' my CIFS password manually somewhere.
You can temporarily jump back by adding a routable interface to the IPSpace - then you could join the domain and then remove that interface from the IPSpace.
In the end I went with opening the firewall temporarily. Alternative options might have been to configure a new virtual interface and add it to the IP space temporarily. That would have worked, but not in my environment (I was already using the VLAN/interface I would have needed to move).
However, once you have access to a writable DC - the article above isn't quite correct.
You need to:
- cifs prefdc add <DC_IP>
- set options.ldap.preferred (typically, this will be the same as the DC).
Change the prefdc and preferred LDAP back to the original. Run
cifs resetdc
to force it. Expect
"No Trusted Logon Servers Available"
and
"Client not found in Kerberos database"
because your local RODCs won't have replicated the right details.
You may also need to adjust the computer account to be a member of a group so that it replicates fully. Part of the point of RODCs is that they don't have a complete database and omit some of the shared secrets as part of the machine account.
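The last step above (getting the filer's machine account secret onto the RODC) can be done from the Windows side with the ActiveDirectory PowerShell module. This is an added example, not from the post or from NetApp; the names FILER01 (the pre-created computer account), RODC01 and DC01 (the writable DC the filer was temporarily pointed at) are placeholders.

```powershell
# Added example. Placeholder names, replace with your own:
$FilerAccount = 'FILER01'   # pre-created computer account for the vfiler
$Rodc         = 'RODC01'    # read-only DC on the isolated network
$WritableDc   = 'DC01'      # writable DC reachable while the firewall is open

Import-Module ActiveDirectory

$acct = Get-ADComputer -Identity $FilerAccount -Server $WritableDc

# 1. Allow the RODC to cache this account's secrets. The built-in
#    'Allowed RODC Password Replication Group' is in every RODC's default PRP.
#    To scope it to one RODC instead, use the commented alternative.
Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' `
    -Members $acct -Server $WritableDc
# Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
#     -AllowedList $acct -Server $WritableDc

# 2. Don't wait for the next logon through the RODC: push the secret now,
#    before the writable DC becomes unreachable again.
Sync-ADObject -Object $acct.DistinguishedName -Source $WritableDc `
    -Destination $Rodc -PasswordOnly

# 3. Verify the RODC actually holds the secret. If the account is absent
#    here, the 'No Trusted Logon Servers Available' and 'Client not found
#    in Kerberos database' errors from the post will persist.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage `
    -Identity $Rodc -RevealedAccounts
if ($revealed.SamAccountName -contains $acct.SamAccountName) {
    Write-Output "$FilerAccount secret is cached on $Rodc"
} else {
    Write-Warning "$FilerAccount is not cached on $Rodc; check the Denied list and PRP"
}
```

Run it from a machine that can reach both DCs while the temporary route is open; the Denied list of the PRP wins over the Allowed list, so an account in a denied group will still not be cached.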