#Can't join both SVMs to AD when using two separate network interfaces.

Sorry if I am not providing enough information. I was given a fas2750 and a generic disk shelf and was told to configure it.

Basically have a single cisco4500x , a single vlan, the two netapp controllers, and a 24 disk shelf.

I have it configured to where each controller has a 10gb port being used for NFS data, and I am using that port for AD authentication. The two ports are on the same broadcast domain if thats helpful. I have an SVM for each controller -- svm1-nfs, svm2-nfs.

I can setup cifs/smb one svm1-nfs, but not svm2-nfs, I am given a secd error of not being able to find a server. I can factory reset everything, reconfigure it, and theres a 50/50 chance that svm2 can join AD, but not the other.

If I manually migrate svm2-nfs to use the same NIC as svm1-nfs, they can both join and leave AD just fine. If I join then migrate back, the AD communication stops.

Actually not sure where to start, I figure its a switch issue. connectivity is good for all 8 of the netapp connections is good, though.

I went through something similar to this recently, and some substantial changes are being made to the AD Auth workflow for SysMgr.

That said, what is the design reason for 2 separate SVMs? That will create discrete workloads to separate volumes with unique IPs. Do you really need two? Or are you just trying to load-balance across the two controllers?

We should probably also clarify which ONTAP version we're working with here.

honestly, we have an old powershell script that someone wrote for a very similar setup -- of course that person is gone.

but i more or less copied the flow of that script and converted it to an ansible playbook

the idea was to make use of two 10gb network cards

i just got home and off the top of my head i can't remember the minor version. i want to say either 95 or 9.6

...... getting firmware updates is still a work in progress

First thing to check is if you still have a support entitlement/registered for the system. Then we can get it updated (it's very easy).

Download a zip file, Upload a zip file. Coffee break. 🙂

yea, it was a pain to even get the licenses due to the way they were purchased

i did notice that on the other setup, the switch has everything related to the netapp setup as port channel groups

That's totally fine. I'm more concerned at how out of date you are potentially, and there's some pretty significant firmware updates in there for disk/shelf/controller hardware.

theres really no reason i have to have two separate svms for nfs. so can port aggregates be made across two different controllers?

For that, it's probably better to start at the end and work backwards. What is it you're trying to serve?

What's the ultimate outcome?

only using NFS for network shares to linux and windows machines

have other network ports dedicated for san -- diskless workstations, iscsi storage for physical servers

ok cool so home drives and mapped shares, etc? No application hosting requirements?

am happy with the iscsi/san portion of the setup currently. so i have that going for me at least

nah, physical servers have iscsi luns, and virtual machine disks live on those luns

pretty much just home drives

and generic group shares.

And this is a 2-node cluster?

yes

So this is where ONTAP starts getting really fun. We have a technology called FlexGroups. While each node in a cluster has certain physical disk ownership in aggregates, you can create logical FlexVol's inside each of those aggr's. But what if we could pool capacity from multiple aggr's into a single logical layer to maximize usable capacity, and use an on-box DNS load-balancer to spread the data access and auth load across resources using all nodes and a single SVM

https://www.netapp.com/pdf.html?item=/media/12385-tr4571.pdf

TR-4571 is going to be your new best friend

oh

i think im doing the opposite of that -- just copied the powershell script process

https://www.youtube.com/watch?v=2UKyivqrA1I

Start this at 12:45

i have 4 aggregates, 4 svms

a split disk count of 12/12/5/5

then several volumes for NFS purposes are made

Are the aggr's split due to different disk type/size or?

the shelf has like 8tb drives

controllers have like 2tb drives or something

i was trying to split the san and nfs drives up

starting to think how the original guy designed our netapp things overcomplicated everything

oh, watching this video and theres something hes going over for dns

dont think i did on the AD server

Nope, sounds like it's right. Would need a disk show and aggr show output to confirm.

Since you've got 2.5" drives in the controller embedded slots and then shelves of 8TB drives, it makes sense to split those up.

Would also love to see output of storage aggregate show -fields uses-shared-disks to see whether or not it was configured using ADP.

i will report back tomorrow on that

on prem airgapped hardware x)

wait, advanced disk partitioning ?

ah yea i did that

the control+c thing while booting?

9a and 9b each node from the maint menu, yes.

yea idid that

Excellent

cant say i verified it with the command line tho

was kinda given the netapp, some dl380s and other stuff

was told to configure it with rather poorly written requirements

we can check all that when you're with the box. So, homework I guess. Those command outputs for us, and then grab some downloads and throw them on a USB or tftp laptop svr (since you said it's airgapped).

You'll want the latest disk firmware and dqp. At the top of the page here, just grab the "all disk fw" bundle and DQP file. No need to dig for your specific disks.

https://mysupport.netapp.com/site/downloads/firmware/disk-drive-firmware

Also grab the latest shelf fw from here, again the all shelf fw link at the top of the table

https://mysupport.netapp.com/site/downloads/firmware/disk-shelf-firmware

And then finally we'll get your ONTAP updated. If you're truly on v9.5 or 9.6, we'll need to two-hop it, so grab both 9.10.1P12 and 9.12.1P2.

https://mysupport.netapp.com/site/products/all/details/ontap9/downloads-tab

okay thank you so much. ill go read through that pdf document and finish the whole video

Anytime, that's what we're here for!

https://kb.netapp.com/Support_Bulletins/Customer_Bulletins/SU530

Forgot to mention, since you're doing AD Auth, this is likely to apply to you, and enforcement is coming soon.

the other thing to look at is routing - the AD join may be happening through a LIF NOT in the SVM, so make sure the admin LIF of the SVM is on a subnet which is configured with a default route

I imagine this is similar to what I was running into where the data traffic Subnet is different than the hosts subnet used for AD auth.

It's a PITA and we're working on improving that flow in SysMgr

9.9.1p7

okay so i have 2 aggregates for san, 2 for nfs, 2 for the cluster

for some reason nfs is not using shared disks, but everything else is

i do make a lif for the nfs svm

all one vlan thougg

drives up to date, need to update ontap and the shelf

i will wipe everything after the updates. maybe my issue will be magically fixed 🥴

firmware/ontap update did not magically fix the issue.

oh no, we've got some reconfig to do. Sorry I couldnt get to this right away, we were doing a show on yesterday's launch.

So you're fully updated with latest and greatest firmwares, DQP, and ONTAP 9.12.1P2?

yep. i just did another 9a and 9b too

can you kick out a disk show so we can see what you're working with?

going througg cluster setup real quick

is there anything in particular you need to see

36 disks in total

18 1.63tb sas drives, shared container types

24*

11 8.89tb fsas drives

all spares

2 aggregates, true on uses shared disks

that works. I was mostly curious if the onboard drives were SSDs or spinners

spinners for whatever dumb reason 🥳

was also another reason why i was trying to separate nfs and san disks

if it matters in reality

storage shelf show what shelf is holding the 8TBs?

ds224-12 is id 0

ds212 12 is id 1

the controller has the smaller drives

im being kicked out of lab in about 15 mins and im out tomorrow ☹️

we can continue friday i guess

ok sorry, getting pulled in diff directions myself. Spend some time with that TR-4571 doc on Flexgroups. DNS zones are pretty easy to setup as long as you've got access to your DNS servers (AD preferably). Happy to step through it with you.

np, appreciate the help

@warm trail can you paste the output of "net int show" and "net route show" and "net port show"?

yea, will do tomorrow

is there any way to communicate through the netapp website so that i can use my corporate netapp login/laptop to type x)

hm. It's a bit tricky - installation isn't a support task, so they won't typically help with these sort of questions if you open a case. And this is "community support" so typically we don't do private emails on these topics. What's your typical work timezone?

okay np, im just a slow typer on my phone

(take a drink each time I say "typically"..)

usually around 8 am to 3 pm central

kk, if it's a big deal to get the output to here - maybe @blazing marten would be ok if you emailed it to him to paste here?

I'm in Australia, so I'm not likely to be available during your work day

nbd, i will just type it

theres only like 8 network ports

DM it to me and I'll sanitize it and post it here.

net route show;

vserver nas, destination 0.0.0.0/24, gateway 192.168.30.1, metric 20

net port show

a0a, default, san-net, up, 1200, -/-

e0m, default, default, up, 1500, auto 1000

e0a/b cluster, cluster, up, 9000, auto 10k

e0c, default, default, up, 1500, auto 10k

e0d/e, is a0a

e0f, default, nfs, up, 1200, auto 10k

i think i fixed it. i added a route for both nfs svms

wiping everything and redeploying now

Where I was ultimately leading you was instead of multiple SVM's, having a single one that got load-balanced on-box across both nodes in the cluster, especially considering it's just 2 nodes. There's no "wrong" way to do it, really, but there's definitely some simplification advantages to keeping it down to 1 SVM, perhaps split them up on a per-protocol basis if you want to spread the load across various networking infrastructure.

we can still do that

learn something new

i think its clicking in my brain finally

so I have 2 aggregate, one for each controller. 1 svm, and that has both aggregates added to its resource pool. it is part of a broadcast domain that has a network port from each controller

https://docs.netapp.com/us-en/ontap/flexgroup/create-task.html

Justin's two youtube videos on that page are excellent overviews of the path I'm leading you down here. 🙂

oh yea, the actual issue ended up being i needed to make a port channel group on the switch.