Sun Storage 7000 Unified Storage System: ZFS Storage Appliance unable to join/reconnect to Active Directory Domain after upgrade to 2011.1

Asset ID:	1-71-1402313.1
Update Date:	2018-02-21
Keywords:

Solution Type Technical Instruction Sure

Solution 1402313.1 : Sun Storage 7000 Unified Storage System: ZFS Storage Appliance unable to join/reconnect to Active Directory Domain after upgrade to 2011.1

Applies to:

Sun ZFS Storage 7320 - Version All Versions and later
Sun Storage 7110 Unified Storage System - Version All Versions and later
Sun Storage 7210 Unified Storage System - Version All Versions and later
Sun Storage 7310 Unified Storage System - Version All Versions and later
Sun Storage 7410 Unified Storage System - Version All Versions and later
7000 Appliance OS (Fishworks)

Goal

This document describes issues that could prevent ZFS Storage Appliances from connecting to an Active Directory domain after upgrade to the 2011.1 software release, and potential solutions.

To discuss this information further with Oracle experts and industry peers, we encourage you to review, join or start a discussion in the My Oracle Support Community - Disk Storage ZFS Storage Appliance Community

Solution

As of the 2011.1 release, the ZFS Storage Appliance uses a new method for outbound SMB connections with the Active Directory Domain Controller. This change can cause two potential problems.

First, it may simply be necessary to navigate to the

Configuration - Services - Active Directory - Join Domain

screen within the BUI and re-enter the administrative credentials. This is simply to re-initialize the connection with the new method.

The second potential problem is a compatibility issue with the NtlmMinServerSec registry setting (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\NtlmMinServerSec). If this setting is configured to anything other than the default of zero, the appliance will not be able to negotiate a connection with the Domain Controller.

This issue can be most easily resolved by upgrading the ZFSSA system software to 2011.1.3.0 or later.

To resolve the issue on older versions, set the registry setting back to the default, or contact Oracle Support to determine whether a workaround or fix is available. Detailed information on this setting from Microsoft can be found here.

The software upgrade is a much better solution, there should be a very good reason for the customer to decline the upgrade before initiating this procedure.

The details on the workaround and the related bug can be found on the support wiki here.

If it is intended to use the proposed workaround that modifies the service properties, pay careful attention to the note at the end of the wiki article on compatibility with an upcoming fix for Server 2008 and NTLMv2.

Back to 1402353.1 - Sun Storage 7000 Unified Storage System: How to Troubleshoot Active Directory Issues.

References

MS NTLMMINSERVERSEC DOC: HTTP://TECHNET.MICROSOFT.COM/EN-US/LIBRARY/CC759681%28WS.10%29.ASPX
SUPPORT WIKI CR 7126542 WORKAROUND: HTTPS://STBEEHIVE.ORACLE.COM/TEAMCOLLAB/WIKI/AMBERROADSUPPORT:WORKAROUND+FOR+CR+7126542+-+AFTER+UPDATE+TO+2011.1.1+APPLIANCE+UNABLE+TO+JOIN+AD+DOMAIN
<NOTE:1402353.1> - Sun Storage 7000 Unified Storage System: How to Troubleshoot Active Directory Issues

Attachments

This solution has no attachment