Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition
Solution Type: Technical Instruction Sure

Solution 1012839.1: Sun StorageTek[TM] 5000 Series NAS: Failure to join Windows Domain - interpreting log messages

Previously Published As: 217620

Description

Symptoms:
Purpose/Scope:

To authenticate users from a Windows domain, the Sun StorageTek NAS must join the domain and/or integrate with Active Directory. One of the best places to look for problems with this process is the NAS system log. The attempt to join the domain, whether it succeeded, and any issues encountered are logged in detail. Note that this data collection must take place as soon as possible after the failed attempt to join the domain; otherwise, the messages may no longer be present in the log.

Steps to Follow

Interpreting log messages

To check the System Log:

(The system log can also be viewed via the Web Admin GUI:)

The following messages are examples of log messages indicating problems joining a Windows Domain or Active Directory environment, along with possible solutions:
The user account that is entered into the Sun StorageTek NAS Domain configuration screen must have the correct password and must have the authority to create computer accounts (or join them to the domain, if prestaged). Typically, a user account that is a member of the Domain Admins global group is used.
The DNS query for the ADS server failed. Ensure that the correct DNS servers have been configured, that the correct, fully qualified Active Directory domain name has been configured, and that the configured DNS servers contain the records required for proper Active Directory function <Document: 1004157.1>.
The time differential between the NAS and the selected Active Directory server is too great. Check time zone and time server settings on both the NAS and the AD server.
This is a known Windows issue, in which DES encryption keys are not created for the Administrator under certain circumstances. See MS Knowledgebase article #248808 for additional information. The solution is to reset the Domain Administrator password. It is acceptable to re-enter the original password.
This error message indicates that the packet requesting a Kerberos ticket (TGT) is too large because of the Privilege Attribute Certificate (PAC) field, so the client should switch from UDP to TCP. The best way to reduce the size of the request is to reduce the number of group memberships. One of the following would be the workaround for this issue:
This error indicates that the Kerberos Realm configuration is incorrect. Determine the correct setting from the site administrators and configure it manually in the NAS ADS settings.
Either the Kerberos Realm setting or the KDC setting is incorrect or, as above, it cannot be resolved by DNS.
These indicate a misconfiguration or missing setting. Review the ADS settings per <Document: 1009920.1>.
This is an indication that AD is not completely configured. The most common mistake is that the container was omitted from the configuration. In this case, the attempt to join via DNS will not be made. The solution is to completely configure the AD settings.
These error messages indicate that a domain controller could not be found. They also indicate that the Active Directory integration, if configured, has failed, and the NAS is now trying to join the domain via NetBIOS. If trying to integrate with Active Directory, look for an error message earlier in the log. If Active Directory is not configured, see <Document: 1009958.1>.

Product

- Sun StorageTek 5320 NAS Gateway/Cluster System
- Sun StorageTek 5320 NAS Appliance
- Sun StorageTek 5320
- Sun StorageTek 5310 NAS Gateway/Cluster System
- Sun StorageTek 5310 NAS Gateway System
- Sun StorageTek 5310 NAS Appliance
- Sun StorageTek 5220 NAS Appliance
- Sun StorageTek 5220
- Sun StorageTek 5210 NAS Appliance

Internal Comments

This document contains normalized content and is managed by the Domain Lead(s) of the respective domains. To notify content owners of a knowledge gap contained in this document, and/or prior to updating this document, please contact the domain engineers that are managing this document via the “Document Feedback” alias(es) listed below:

storage-nas-domain@sun.com

The Knowledge Work Queue for this article is KNO-STO-NAS.

Keywords: NAS, active directory, CIFS, log messages, KRB5 error code, ADS, minor status error, No Master Browsers found for, audited, normalized

Previously Published As 89215

Change History

Date: 2010-04-08 User Name: 79977 Action: Currency check Comment: Verified still current with Content Lead, william.harper@oracle.com
Date: 2007-12-20 User Name: 95826 Action: Approved Comment: - verified metadata - changed review date to 2008-12-12 - checked for TM - none added, added 'Sun' in the title - checked audience : contract Publishing Version: 6
Date: 2007-12-18 User Name: 95826 Action: Accept Comment: Version: 0
Date: 2007-12-18 User Name: 102104 Action: Approved Comment: Review done for this updated document. Version: 0
Date: 2007-12-18 User Name: 102104 Action: Accept Comment: Version: 0
Date: 2007-12-11 User Name: 160775 Action: Add Comment

Attachments

This solution has no attachment