FSx for NetApp ONTAP - Can't join domain


Hi there, When I am trying to join my domain (using Directory service), I am receiving the following error:

Amazon FSx is unable to establish a connection with your Active Directory domain controller(s) because the service account credentials provided are invalid. To fix this problem, delete your storage virtual machine and create a new one using a valid service account as recommended in the Amazon FSx user guide.

I have read the user guide and followed all the steps. Now I am using the same security group as the domain controller and allowing all traffic inside the SG. I checked with Reachability Analyzer, and the ENI from FSx can communicate with the domain controller's domain controller. I also tried to use the domain admin, just to make sure, but for some reason it does not work. Has any of you experienced something similar?

1 Answer
Accepted Answer

Hello! I was actually testing this in my lab last week and I got it to work. The above message points to a lack of permissions on the account used to join the directory, not connectivity, as the reason behind the issue. A couple of questions come to mind:

  1. Are you using AWS Managed AD or a self managed/onprem AD with AD Connector?

  2. If using AD Connector, have you performed the delegation of permissions as explained on this link? https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/self-managed-AD-best-practices.html. You might also need to supply the OU.

  3. If using Managed AD, you need to specify the OU where the computer object of the storage virtual machine will be created. Since you are not the full domain admin of the Managed AD, you will need to supply the provisioned OU (i.e. OU=<yourdomain>,DC=<yourdomain>,DC=<yoursuffix>) that you used to create the Managed AD (or any OU beneath it).

  4. You might consider testing joining the domain using ONTAP's CLI interface:

    services name-service dns create -domains example.local -name-servers 1.1.1.1,2.2.2.2,3.3.3.3

    vserver cifs create -cifs-server svm1 -domain example.local -ou "OU=OUName,DC=Domain,DC=com"

I haven't tested the CLI route, but you can find more information at this link: https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-991%2Fvserver__active-directory__create.html&cp=2_2_29_17_0. The advantage of using the CLI is that you don't need to delete the SVM between each retry. Still, I would advise continuing to use the AWS console for the time being, as that's all I used when testing in my lab.

AWS
SUPPORT ENGINEER
answered 2 years ago
EXPERT
reviewed 15 days ago
  • Thanks Francisco, Your point #3 made the difference and saved me a LOT of time. Thank you once again!
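Point #3 above is where this join most often fails: the OU distinguished name handed to FSx has to live under the same DC components as the domain, and for AWS Managed Microsoft AD it has to be the provisioned OU (or one beneath it) where the delegated account actually holds rights. The script below is an added example, not code from the question, the answer or AWS; it pre-checks the OU DN against the domain name and assembles the `ActiveDirectoryConfiguration` structure that `boto3`'s `create_storage_virtual_machine` expects, so a malformed DN is caught before an SVM is created and has to be deleted. The domain, OU and DNS values are constructed samples, and the helper names (`parse_dn`, `check_ou`, `build_svm_ad_config`) are this example's own.

```python
"""Pre-flight check of the AD join parameters for an FSx for ONTAP SVM.

Added example: validates that the OU distinguished name is consistent with
the AD domain name, then builds the ActiveDirectoryConfiguration dict used by
boto3's fsx.create_storage_virtual_machine(). No AWS call is made here.
"""
import os
import re

# Split an LDAP DN on commas that are not backslash-escaped, e.g.
# "OU=Sales\, EMEA,DC=corp,DC=example,DC=com" -> 4 RDNs, not 5.
_DN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn):
    """Return the DN as a list of (ATTRIBUTE, value) pairs, attribute upper-cased."""
    rdns = []
    for part in _DN_SPLIT.split(dn):
        if "=" not in part:
            raise ValueError(f"RDN without '=': {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def domain_from_dn(rdns):
    """Join the DC components into a DNS-style domain name (corp.example.com)."""
    return ".".join(value for attr, value in rdns if attr == "DC")


def check_ou(ou_dn, domain_name):
    """Return a list of problems with the OU DN; an empty list means it looks right.

    Checks: the first RDN is an OU (a bare domain root is not an OU), every RDN
    is OU= or DC=, and the DC components spell exactly the AD domain name.
    """
    problems = []
    rdns = parse_dn(ou_dn)
    if not rdns or rdns[0][0] != "OU":
        problems.append("DN must start with an OU= component (a domain root is not an OU)")
    unexpected = [attr for attr, _ in rdns if attr not in ("OU", "DC")]
    if unexpected:
        problems.append(f"unexpected attribute(s) in DN: {', '.join(unexpected)}")
    dc_domain = domain_from_dn(rdns)
    if dc_domain.lower() != domain_name.lower():
        problems.append(f"DC components spell {dc_domain!r}, expected {domain_name!r}")
    return problems


def build_svm_ad_config(netbios_name, domain_name, ou_dn, dns_ips, user_name, password,
                        admins_group="Domain Admins"):
    """Build the ActiveDirectoryConfiguration argument for create_storage_virtual_machine.

    The key names match the FSx CreateStorageVirtualMachine API. Raises ValueError
    instead of letting a bad DN reach the service.
    """
    problems = check_ou(ou_dn, domain_name)
    if problems:
        raise ValueError("; ".join(problems))
    if not 1 <= len(netbios_name) <= 15:
        raise ValueError("NetBIOS name must be 1-15 characters")
    return {
        "NetBiosName": netbios_name,
        "SelfManagedActiveDirectoryConfiguration": {
            "DomainName": domain_name,
            "OrganizationalUnitDistinguishedName": ou_dn,
            "FileSystemAdministratorsGroup": admins_group,
            "UserName": user_name,
            "Password": password,
            "DnsIps": list(dns_ips),
        },
    }


if __name__ == "__main__":
    # Constructed sample values; in practice read the password from Secrets
    # Manager or an environment variable rather than a literal.
    config = build_svm_ad_config(
        netbios_name="SVM1",
        domain_name="corp.example.com",
        ou_dn="OU=corp,DC=corp,DC=example,DC=com",  # provisioned OU of a Managed AD
        dns_ips=["10.0.0.10", "10.0.1.10"],
        user_name="svc-fsx-join",
        password=os.environ.get("FSX_JOIN_PASSWORD", "<placeholder>"),
    )
    print(config["SelfManagedActiveDirectoryConfiguration"]["OrganizationalUnitDistinguishedName"])
    # To actually create the SVM (assumed call, requires credentials and a file system):
    # boto3.client("fsx").create_storage_virtual_machine(
    #     FileSystemId="fs-<placeholder>", Name="svm1", ActiveDirectoryConfiguration=config)
```

Run it against the DN you intend to paste into the console; a domain-root DN (`DC=corp,DC=example,DC=com`) or a DN whose DC parts do not match the domain is rejected locally, which is exactly the case that otherwise surfaces as the "service account credentials provided are invalid" message and costs an SVM delete-and-recreate cycle.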
