# Not able to create the CIFS server in FAS2820


wraith fern
#

Hi,

I have a FAS2820 and I am deploying it. While creating the CIFS server I am getting the below error.

```
Enter the user name: sagar.mandlik

Enter the password:

Error: Machine account creation procedure failed
[ 49] Loaded the preliminary configuration.
[ 54] Successfully connected to ip 172.24.1.29, port 88 using
TCP
[ 87] Successfully connected to ip 172.24.1.29, port 389 using
TCP
**[ 10101] FAILURE: Could not create account
** 'cn=NYKSTR,CN=Computers,dc=NYKAA,dc=LOCAL': Timed out

Error: command failed: Failed to create the Active Directory machine account
"NYKSTR". Reason: LDAP Error: The search was timed out.
```

Can anybody please help me here?

timid cosmos
#

Do you have the correct security settings configured? Like signing/sealing, TLS, ... as required per your domain?

#

(vserver cifs security modify ...)

lunar nimbus
#

Also does the account you’re using to try to join have domain admin rights or rights that would let it join a computer to the domain?

rancid sable
#

Try the default OU. I suspect something else is wrong though due to the error. Wondering if your AD is large enough where ONTAP can’t get everything it needs and ultimately times out?

timid cosmos
#

Well, "timed out" indicates a network problem somewhere. Either the port is closed, or there's a firewall in the way, or a routing or DNS issue, ...

loud pebble
#

Please check which NTP the ONTAP storage has; also verify that between the domains and the storage there's no more than 5 minutes. I recommend 3 maximum.

rancid sable
#

Time issues definitely give a different error message. It will indicate Kerberos issues and usually indicate time is actually too far off.
I have seen cases where ONTAP is trying to get the AD information and there is just too much to process and it times out.
If that’s the case, sometimes you can use a sub domain (forest?) instead of the higher level domain.

tacit summit
#

I am thinking about certificates. If the AD LDAP is enforcing encryption and is using a certificate from a private PKI, the PKI root certificate must be imported into the SVM.

rancid sable
#

You’re going to need to do a network trace. Pretty sure I’ve seen all these other ideas of issues before, and they all have their own signature error messages. I don’t recall any of them being “timed out” as indicated in the original post.

main plume
#

Something simple like not having the DNS configuration set up can cause this as well. The filer can't find the domain controllers with the service lookup.

rancid sable