Troubleshooting when a CIFS server is unable to join a domain

There can be multiple reasons why you cannot join a CIFS server to a domain. At a high level, try the following:

  1. Check the network connectivity between VNXe and the domain. Ping from both VNXe and the domain.
  2. Ping the default gateway and, if applicable, check the VLAN configuration.
  3. Ping the DNS server IP address from VNXe.
  4. Check the routing from both the domain and VNXe.

Follow the steps below to perform some more basic troubleshooting:

  1. Verify that the domain controller is reachable from VNXe:
    1. In Unisphere, click Settings > More Configuration > Routing Configuration.
    2. Select the relevant Storage Processor (SP) from the left panel, and click Ping.
    3. Ping the domain IP address and check for connectivity.
    4. If the DNS is reachable, check the DNS configuration for the DC (forward and reverse lookup). This requires port 389, which is used for LDAP, to be enabled in the environment.

    If the ping is not successful, verify the network connectivity between the SP Ethernet module and the domain.

    The VNXe IP Reflect feature sends a packet or acknowledgement back along the same route it arrived on. If the domain has NIC teaming enabled in load balancing mode, a normal ICMP ping may fail from one end, depending on the routing configured in the environment. To resolve this issue, change the NIC teaming policy to fault tolerance mode.

  2. Verify that the user credentials entered have privileges to join a CIFS server to a domain:

    Joining a CIFS server requires domain credentials for the trust relationship between VNXe and the domain. If the user credentials entered are invalid or do not have permission to make changes to the domain or the Organizational Unit, the CIFS server join process will fail.

  3. Verify the NTP server configuration and Kerberos authentication: For the CIFS protocol, a maximum difference of 300 seconds is allowed between the NTP server and VNXe times. If the time difference is greater than that, the CIFS server will not join the domain. Also, when a request comes to the NTP server, Kerberos issues an authentication ticket for the time difference check and authentication validation.
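
The DNS check in step 1 and the 300-second limit in step 3 can be verified from an admin workstation with the script below. It is an added example, not EMC code: the function names are hypothetical, it assumes both the domain controller and the NTP server answer SNTP on UDP port 123, and the sample replies are constructed.

```python
import socket
import struct
import time

MAX_SKEW_SECONDS = 300          # limit stated on this page
NTP_TO_UNIX = 2208988800        # seconds from 1900-01-01 to 1970-01-01

def dns_round_trip(fqdn, forward=socket.gethostbyname_ex, reverse=socket.gethostbyaddr):
    """Forward-resolve fqdn, reverse-resolve each address, report whether they agree."""
    want = fqdn.rstrip(".").lower()
    results = []
    for ip in forward(fqdn)[2]:
        try:
            ptr = reverse(ip)[0].rstrip(".").lower()
        except OSError:              # no PTR record for this address
            ptr = None
        results.append((ip, ptr, ptr == want))
    return results

def ntp_offset(reply, t1, t4):
    """Offset (server minus local, seconds) from a 48-byte NTP reply.
    t1/t4 are the local Unix times the request left and the reply arrived."""
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    def stamp(pos):
        sec, frac = struct.unpack_from("!II", reply, pos)
        return sec - NTP_TO_UNIX + frac / 2**32
    t2, t3 = stamp(32), stamp(40)    # server receive and transmit timestamps
    return ((t2 - t1) + (t3 - t4)) / 2

def query_offset(host, timeout=3.0):
    """Send one SNTP client request (version 3, mode 3) and return the offset."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(b"\x1b" + 47 * b"\0", (host, 123))
        reply, _ = s.recvfrom(512)
        return ntp_offset(reply, t1, time.time())

def within_join_limit(offset_dc, offset_ntp):
    """True if the two time sources differ by no more than the page's 300 s."""
    return abs(offset_dc - offset_ntp) <= MAX_SKEW_SECONDS

def constructed_reply(rx_unix, tx_unix):
    """Constructed sample: NTP reply with only receive/transmit seconds set."""
    return bytes(32) + struct.pack("!IIII", rx_unix + NTP_TO_UNIX, 0, tx_unix + NTP_TO_UNIX, 0)

if __name__ == "__main__":
    dc = ntp_offset(constructed_reply(1700000400, 1700000400), 1700000000.0, 1700000000.0)
    ntp = ntp_offset(constructed_reply(1700000002, 1700000002), 1700000000.0, 1700000000.0)
    print(f"DC offset {dc:.0f}s, NTP offset {ntp:.0f}s, join-safe: {within_join_limit(dc, ntp)}")
```

For a live check, call `query_offset()` once against the domain controller and once against the NTP server configured on VNXe, then pass both results to `within_join_limit()`.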