Purpose	The ARX must understand the Active-Directory (AD) hierarchy in the Windows network. That is, each ARX-CIFS service (and, in some sites, the authentication software for the CLI/GUI) must know where to find the correct DC for each domain in the AD forest. The ARX database requires a full representation of the AD forest, with the IP addresses of at least one DC per domain. Use the active-directory update seed-domain command to discover an AD forest in your network and add its representation to the ARX.
Mode	priv-exec
Security Role(s)	storage-engineer or crypto-officer
Syntax	active-directory update seed-domain seed proxy-user proxy [domain-controllers max-dcs] [site-name site] [verbose] [tentative]   seed (1-255 characters) is the name of one domain in the forest. The ARX uses this domain name to begin its forest discovery. This becomes the name of the AD-forest in the ARX configuration. proxy (1-32 characters) is a proxy-user with credentials for accessing the seed domains DC(s). These credentials can belong to the seed domain itself, or any domain that is trusted by the seed domain. The ARX queries the DC for the names of other domains in the same AD forest. max-dcs (optional, 1-100) sets a maximum number of DCs used in each domain. The ARX queries its DNS server to discover all the DCs in each domain; if the DNS server returns more DCs than max-dcs, the ARX takes the top DCs from the DNS list. The ARX uses the order returned from DNS. site (optional, 1-64 characters) identifies the AD site for the ARX. If it knows of multiple DCs that can answer the same query, the ARX prefers DCs in its own site (if there are any) over DCs in any other site. The site name is defined on a DC with the Active Directory Sites and Services plugin. The site name is case insensitive, so boston and BOSTON are equivalent. If you omit this, the ARX software uses the AD site configured for the ip proxy-address subnet. Use this option if the ADs site configuration does not include the proxy-IP subnet. verbose (optional) causes the command to show the results of the forest discovery as it progresses. tentative (optional) makes the ARX perform the AD-forest discovery without creating the actual active-directory-forest configuration.
Default(s)	max-dcs - all DCs returned from each DNS query. site - the AD site configured on the external Active Directory for the proxy-IP subnet. This default requires that the proxy-IP subnet is defined in the AD; you can add the subnet on a DC with the Active Directory Sites and Services plugin.
Guidelines	The ARX uses a DNS query to find the DC(s) in this domain, then queries one of the DCs for the other domains in the forest. The DNS server that you use must be able to translate for all DCs in the target forest. Use the ip name-server command to add a DNS server to the ARX configuration. The active-directory update seed-domain command automatically discovers an Active Directory (AD) forest and adds it to the ARX configuration. The switch uses this information to support CIFS authentications in single- and multi-domain environments. After a successful discovery, the ARX configuration contains an AD-forest object with the name of the seed domain that you provided. This creates a report named active-directory-seed_domain.rpt, where seed_domain is the seed domain that you chose in the command. The CLI displays the name of the report after you issue the command. Use show reports type AdUp to list all AD-discovery reports. To follow the progress of the AD-discovery operation, you can use tail reports report-name follow. Use show reports report-name to read the report. You can search through the report with grep. To copy or delete it, use the copy or delete commands. If you want to truncate the report before it finishes, use the truncate-report command. See Figure 16.1 on page 16-6 for a sample report. Use the show active-directory command to show the configuration of the AD forest, as recorded on the ARX. To see the status of all DCs in the forest, use the show active-directory status command.
Guidelines: Manual AD-Forest Configuration	As an alternative to this automatic-discovery process, you can use the active-directory-forest command to manually create or edit the AD-forest configuration. The active-directory-forest command brings you to gbl-forest mode, where you can add all types of domains and DCs in the forest. Typically, this is only used to add dynamic-DNS servers, described later.
Guidelines: Domain Types	The report and the show commands all identify a domain type for each of the forests domains. The discovery process categorizes all of the domains as it finds them. Domains in an AD forest have parent-child relationships based on their names. For example, the domain, myco.com, can have child domains named usa.myco.com and britain.myco.com. In this relationship, myco.com is called the forest-root domain and the other two domains are child domains. An AD forest can also support trees that are outside the forest roots tree. These are domains with two-way-transitive-trust relationships with one or more domains in the root tree, but their domain names are entirely different. They are called tree domains. To continue the above example, a tree domain named nonprofit.org may also be in the AD forest, and it may have a child domain named euro.nonprofit.org.
Guidelines: Dynamic DNS	Kerberos authentication requires that the forests DNS servers have up-to-date mappings of the ARXs CIFS services and their IP addresses. To facilitate DNS updates as the ARXs CIFS services are added and removed, you can use the gbl-forest name-server command to identify a dynamic-DNS server for each domain in the forest. The discovery process does not discover dynamic-DNS servers. In many cases, the DC itself can also double as the name server for its domain.
Guidelines: Trusts Between Forests	For AD forests with two-way-trust relationships, where clients from one forest are allowed to access CIFS services from the other forest, you can use the kerberos auto-realm-traversal command to automatically discover all such trust relationships. Alternatively, you can use the active-directory forest-trust command to declare a forest-to-forest trust relationship in the ARX configuration.
Guidelines: Offline DCs Slow the Discovery	If any of the discovered DCs are offline or unreachable, they slow the time required to discover the forest. Testing has shown that the forest discovery requires an additional 2.5 minutes for each offline DC; the delay may vary at your site.
Samples	bstnA# active-directory update seed-domain ny.com proxy-user ny_admin   Report File : active-directory-NY.COM.rpt discovers an AD forest named NY.COM and adds the forest to the ARX configuration. This also creates a report, active-directory-NY.COM.rpt. See Figure 16.1 on page 16-6 for a sample report.
bstnA# active-directory update seed-domain vt.com proxy-user ny_admin verbose   Report File : active-directory-vt.com.rpt   DNS lookup vt.com from 172.16.108.139 10.51.100.8 172.16.213.8 172.16.213.9   Enumerate Forest vt.com from 10.51.100.8 Domain Name Pre-Win2k Name Domain Type ------------------------------------------- -------------------- ------------ BSH.ATLANTIC.ME.ORG BASSHARBOR child-domain MCNIELS.VT.COM MCNIELS child-domain VT.COM VT tree-domain ATLANTIC.ME.ORG ATLANTIC tree-domain   Domain Controller Discovered:   Domain Type Domain Name Pre-Win2k Name IP Address ----------- -------------------------------------- ---------------- ----------- tree-domain ATLANTIC.ME.ORG ATLANTIC 172.16.210.7 tree-domain ATLANTIC.ME.ORG ATLANTIC 172.16.210.14 forest-root VT.COM VT 10.51.100.8 ... child-domain BSH.ATLANTIC.ME.ORG BASSHARBOR 172.16.210.9 child-domain BSH.ATLANTIC.ME.ORG BASSHARBOR 172.16.110.11   Change Summary:   Site: (null) No Domain Controllers discovered for this site.   tree-domain ATLANTIC.ME.ORG ATLANTIC 172.16.210.7 added. tree-domain ATLANTIC.ME.ORG ATLANTIC 172.16.210.14 added. forest-root VT.COM VT 10.51.100.8 added. forest-root VT.COM VT 172.16.213.8 added. forest-root VT.COM VT 172.16.213.9 added. child-domain MCNIELS.VT.COM MCNIELS 172.16.240.88 added. child-domain MCNIELS.VT.COM MCNIELS 172.16.240.70 added. child-domain BSH.ATLANTIC.ME.ORG BASSHARBOR 172.16.210.9 added. child-domain BSH.ATLANTIC.ME.ORG BASSHARBOR 172.16.110.11 added.
	discovers the vt.com forest and shows the discovery process as it occurs.
Related Commands	ip name-server proxy-user active-directory-forest name-server kerberos auto-realm-traversal active-directory forest-trust show active-directory show active-directory status

Purpose	Use the optional description command to set a descriptive string for the current proxy user. This appears in the show proxy-user command. Use the no form of the command to delete the description.
Modes	gbl-proxy-user
Security Role(s)	crypto-officer
Syntax	description text no description   text (1-255 characters) is your description. Surround the text with quotation marks () if it contains any spaces.
Default(s)	no description
Guidelines	This description appears in the output for show global-config and show proxy-user.
Sample	stoweA(gbl-proxy-user[jckilley])# description "Jean-Claude's user identity" specifies a description for the current proxy-user configuration.
Related Commands	show proxy-user show global-config

Purpose	Use this command to provide the ARX software with Windows credentials, so that it can perform the following functions: Query the Windows Active Directory for its Windows Domains and domain-controller (DC) addresses (see active-directory update seed-domain); Validate inventory of back-end filers and import them into a managed volume; Maintain access control and permissions on back-end filers; Monitor free disk space on back-end filers; Enforce CIFS policy rules by migrating files between back-end shares. You can also use a proxy user for other functions, such as logging into a filers CLI and invoking snapshot operations. For these uses, the credentials may be a Unix username and password with permission to run snapshot commands. Use the no form of the command to remove a proxy-user configuration.
Mode	gbl
Security Role(s)	crypto-officer
Syntax	proxy-user name no proxy-user   name (1-32 characters) is a name you choose for the proxy user.
Default(s)	None
Guidelines	All CIFS namespaces require a proxy user, whether the network uses NTLM, NTLMv2, or Kerberos. The switch uses a proxy-user configuration as its identity when it accesses back-end filers. This command places you in gbl-proxy-user mode, where you then use user (gbl-proxy-user) and windows-domain (gbl-proxy-user) to define a valid Windows username, password, and Windows domain for this proxy-user configuration. The documentation for the user (gbl-proxy-user) command describes the exact privileges required for the Windows-user account. You can use the probe exports command with this proxy user to determine whether or not the proxy user has (at least) Backup Operator privileges. To prove that the proxy user has full Administrator privileges, use it with the show exports ... paths command; the paths are blank unless the proxy user belongs to the Administrators group on the filer. After you create proxy-user configurations, you apply one or more to a namespace through the proxy-user (gbl-ns) command. Use the show proxy-user command to display all configured proxy users and their associated domains and usernames.
Guidelines: Changing the Password	For security reasons, you may choose to change the password for the proxy-user account from time to time. For a Windows proxy user, this change must occur in two places: the Active Directory, where the corresponding Windows user is defined, and in the ARX configuration. Use the following steps to make the change: Change the password on a Domain Controller (DC). Wait for all of the DCs in the proxy users Windows Domain to synchronize their databases. After the DCs are synchronized with the new password, re-run the user (gbl-proxy-user) command to change the password on the ARX. During the time that the proxy-user password on the ARX does not match the one in the external Active Directory, the volumes that use the proxy user cannot access any of their back-end-CIFS storage. This prevents the managed volumes from performing autonomous operations, such as policy-driven migrations, and causes the CIFS shares to go offline. We recommend that you perform this procedure during non-busy hours.
Sample	bstnA(gbl)# proxy-user acoProxy2 bstnA(gbl-proxy-user[acoProxy2])# starts the configuration of proxy user, acoProxy2.
Related Commands	user (gbl-proxy-user) windows-domain (gbl-proxy-user) description (gbl-proxy-user) proxy-user (gbl-ns) show global-config namespace show proxy-user probe exports show exports ... paths

Purpose	To support CIFS authentication, the ARX requires an accurate representation of your networks current Active Directory (AD) forest(s). Use the show active-directory command to review the AD-forest configuration as currently recorded on the ARX.
Mode	(any)
Security Role(s)	crypto-officer, storage-engineer, network-engineer, network-technician, or operator
Syntax	show active-directory show active-directory forest forest-name show active-directory domain domain-name   forest-name (optional, 1-256 characters) identifies a particular forest to show. domain-name (optional, 1-256 characters) identifies a particular domain.
Guidelines	For the current status of the DCs in this output, use the show active-directory status command. The show active-directory command displays the current AD configuration in one or two sections: Active Directory Domains and, if there are any forest-to-forest trusts, an additional Forest Trust table.
Guidelines: Active Directory Domains Output	The Active Directory Domains section contains one table per AD forest. Each table has a Forest Name heading, showing the name configured with the active-directory-forest or active-directory update seed-domain command. The forest table contains one sub table per domain. Each sub table row contains the following fields: forest-root, child-domain, or tree-domain is the type of the Windows domain in the AD forest, followed by the domain name and its pre-Windows 2000 name. This is the heading for the sub table of DCs for the domain. This domain name is discovered automatically, or it is manually set with the forest-root, child-domain, or tree-domain commands. IP Address is the address of the Key-Distribution Center (KDC, a domain controller used for Kerberos) and/or dynamic-DNS server for this Windows domain. You establish this with the forest-root, child-domain, or tree-domain command, or the ARX automatically discovers it if you use active-directory update seed-domain. You can also use name-server to identify a dynamic-DNS server; in many cases, dynamic DNS runs on the same server as the KDC. Services are KDC and/or DNS, as explained above. Preferred shows whether or not this DC is on the preferred list for its domain. The choices are YES or NO. The Kerberos software chooses its active DC(s) from the preferred list if there are any online. The preferred DCs are the DCs in the same AD site as the ARX (see active-directory update seed-domain or active-directory update forest), or you can manually set the DC preference with an optional flag in the forest-root, child-domain, or tree-domain commands.
Guidelines: Forest Trust Table	The Forest Trust table only appears if at least one forest-to-forest trust has been declared in the ARX configuration. You can declare a forest-to-forest trust with the active-directory forest-trust command. Each trust relationship appears as one row in the table, with the following fields: Forest-1 and Forest-2 are the two forests in the trust relationship. Clients from either of these forests can access CIFS services in the other. Trust Type is always bidirectional in the current release. Clients in Forest-1 can access services in Forest-2, and clients in Forest-2 can access services in Forest-1.
Sample	bstnA# show active-directory shows all active-directory forests on the ARX. See Figure 16.2 for sample output.
Related Commands	active-directory-forest show active-directory status

Purpose	Use the show active-directory status command to see the status of all Domain Controllers (DCs) in the Active-Directory configuration.
Mode	(any)
Security Role(s)	crypto-officer, storage-engineer, network-engineer, network-technician, or operator
Syntax	show active-directory status [detailed] show active-directory status forest forest-name [detailed] show active-directory status domain domain-name [detailed]   detailed (optional) expands the output to include statistics about each DCs health. forest-name (optional, 1-256 characters) identifies a particular forest to show. domain-name (optional, 1-256 characters) identifies a particular domain.
Guidelines: Output	The top line in the output shows the Offline timeout, which is the time that the ARX waits for a response from a DC before declaring it offline. This is a system-wide variable, set with the kerberos health-check threshold command. The remaining output is divided into sections, one per control-plane processor. Each processor section has the following heading: PROCESSOR slot.proc, where slot.proc identifies the processor. Each processor section contains a subsection for each AD forest. The subsections have the following headings: Forest is the name of the AD forest (set by the active-directory update seed-domain or the active-directory-forest command). One table per DC appears in each forest subsection. Each DC table contains the following fields: Domain Name is the Windows domain. Domain Controller is the IP address of one of the domains DCs. Status is Active, Backup, Offline, Unusable, or NoStatus. Active means that the processor is using this DC for authentication. Backup indicates that there are redundant DCs configured for this domain, where one or more other DCs are preferred over this one (see below), and the processor is currently using the DCs redundant peer(s). Offline indicates that the DC is unreachable. An unreachable DC is one that fails to respond to an LDAP query before the time set for the kerberos health-check threshold. The maximum time appears in the Offline timeout field at the top of the output.
Guidelines: Output (Cont.)	Unusable means that the DC is not usable for forest-to-forest trusts (configured with the active-directory forest-trust command) because the ARX cannot verify that it is a Windows 2003 (or later) server. The DC must confirm that it is running Windows 2003 or a later release to be usable for these trusts. If such a DC is in the forest, no cifs service can support the recommended constrained delegation feature (described with the domain-join command). NoStatus appears very briefly before the processor first queries the DC. You are unlikely to ever see this status. Preferred is 1 (one) if this DC is on the preferred list for its domain, or 0 (zero) otherwise. If any preferred DC is online for a given domain, a processor chooses the DC for Active status instead of its non-preferred peers. The preferred DCs are the DCs in the same AD site as the ARX (see active-directory update seed-domain or active-directory update forest), or you can manually set the DC preference with an optional flag in the forest-root, child-domain, or tree-domain commands.
Guidelines: Forest Trust Table	The Forest Trust table only appears if at least one forest-to-forest trust has been declared in the ARX configuration. You can declare a forest-to-forest trust with the active-directory forest-trust command. Each trust relationship appears as one row in the table, with the following fields: Forest-1 and Forest-2 are the two forests in the trust relationship. Clients from either of these forests can access CIFS services in the other. Trust Type is always bidirectional in the current release. Clients in Forest-1 can access services in Forest-2, and clients in Forest-2 can access services in Forest-1. Last Transition (UTC) is the timestamp showing the most-recent status change. (This time stamp is in UTC, not local time.) The ARX periodically checks each forest-root DC to confirm that it is online. If the forest has redundant root DCs, only the active DC has its status checked. The next field shows the results of the status check. Status should be Forest roots are online. This indicates that the trust is functional. If either or both are offline, check the connectivity to each DC, and the DC itself. You can use the show active-directory command to identify the forest root(s) for each forest.
Guidelines: Detailed Output	If you use the detailed flag in the command, the output changes to a separate table for each DC. The DC tables are organized by processor, then by forest. Each table contains the following fields: Domain Name is the DCs Windows domain. Domain Controller is the IP address of one of the domains DCs. Status is Active, Backup, Offline, Unusable, or NoStatus, as described above. Active Count is the number of times that the current DC has been Active for its domain. Health Check Failure counts the number of times that the ARX failed to connect to the DC. Health Check Timeout counts the number of times that the DC exceeded the kerberos health-check threshold before responding to the LDAP query. Transition Total is the count of transitions to Active from some other status. Last Transition (UTC) is the timestamp for the most-recent transition, in Coordinated Universal Time (known as UTC). LDAP Health Check shows round-trip times for the LDAP query and response. These statistics only appear for a DC that is either Active or Backup. Since last transition displays the average, minimum, and maximum round-trip times since the last time a new DC became reachable in this domain. Last 5/30/60 minutes shows the average round-trip times over the last 5 minutes, the last half hour, and the last hour.
Guidelines: Alternative Commands	Use show active-directory to see the switchs representation of the AD configuration.
Samples	bstnA# show active-directory status shows the status of all AD forests configured on the current switch. See Figure 16.3 on page 16-18 for sample output.   bstnA# show active-directory status domain FDTESTNET.NET shows the status of one AD domain. See Figure 16.4 on page 16-19 for sample output.
Related Commands	active-directory-forest show active-directory

Purpose	The ARX needs user credentials (a username and password) for autonomous operations, such as migrating files from one filer to another. These credentials are called a proxy user. Use this command to view a list of configured proxy-user configurations on the switch.
Mode	(any)
Security Role(s)	crypto-officer, storage-engineer, network-engineer, network-technician, or operator
Syntax	show proxy-user [name]   name (optional; 1-32 characters) is the name of a proxy user. If no name is specified, this command shows all configured proxy users.
Guidelines	This command shows a table of proxy-user configurations, one per row. Each row contains the following columns: Name identifies the proxy-user object. You choose this when you use the proxy-user command to create the proxy-user configuration. Windows Domain identifies the domain of the proxy user, if there is one. This is typically an FQDN. Use the windows-domain (gbl-proxy-user) command to change this. Pre-Win2k is the domain name that the ARX uses for its NTLM authentications; some filers do not accept FQDNs for NTLM. This is an old-style domain name, in the format used by Windows networks before Windows 2000. By default, this name is discovered automatically, through active-directory update seed-domain. If this domains name was not discovered, the ARX uses the first name in the Windows Domains FQDN, up to 15 characters before the first period. You can manually set the name with an option in the windows-domain (gbl-proxy-user) command, though we recommend setting it at the AD and discovering it from there. User is the username used by this proxy-user object. If the ARX uses this proxy-user object, this is the username it presents to back-end filers. You can change this with the user (gbl-proxy-user) command. Description shows a descriptive string for the proxy user, if one is defined. You can use the description (gbl-proxy-user) command to add a description to a proxy-user configuration. Include a proxy-user name to show details for that configuration only.
Sample	bstnA> show proxy-user   shows all proxy-user configurations on the ARX. See Figure 16.5 on page 16-21 for sample output.
Related Commands	proxy-user windows-domain (gbl-proxy-user) user (gbl-proxy-user) show ntlm-auth-db

Purpose	The ARX needs user credentials (a username and password) for autonomous operations, such as migrating files from one filer to another. These credentials are called a proxy user. Use this command to enter a username and password for the current proxy-user configuration. Use the no user command to remove the username from the current configuration.
Mode	gbl-proxy-user
Security Role(s)	crypto-officer
Syntax	user username no user   username (1-64 characters) is a valid username you choose for this proxy-user configuration. This is typically a Windows user, though it may be a Unix user for certain applications of the proxy user (for example, see the documentation for proxy-user (gbl-filer)). Any Windows proxy user must be a member of the Backup Operators or Administrators group on all filers that use these credentials; see below for details.
Note: The password must be the same password set for this user in the external network. If you change the users password on the network, you must also change it on the switch through this command.
Default(s)	None
Guidelines	The system prompts you for a password, then prompts you to validate the password by entering it a second time. Enter a password (it is masked with asterisk (*) characters as you enter it) and confirm when prompted.
Guidelines: CIFS Proxy User	A CIFS-supporting namespace can contain one or more managed volumes, and uses a proxy user as its identity for accessing CIFS shares behind those volumes. The proxy user requires specific privileges to access those CIFS shares. You must set these privileges on every CIFS filer or server behind every managed volume in the proxy users namespace. Minimally, the proxy user must have Backup Operator privileges at all of its filers. This means that the user you enter with this command must be a member of the Backup Operators group at every filer/server behind every managed volume. Backup Operator privileges are required for importing shares into the volume (with the enable (gbl-ns-vol-shr) command) and for migrating files onto the share. Also, verify that the user account has full control (read and change control) at the back-end shares to be used in managed volumes. If a managed volume supports Access-Based Enumeration (ABE; see cifs access-based-enum) CIFS subshares (see the documentation for the filer-subshares command), or file-history archiving (a snapshot rule with a file-history archive), the proxy user should belong to the Administrators group on that volumes filers/servers. The volume software needs this higher level of access for file-path queries, which are required for all of the above features. If the user is a member of the local Backup Operators or Administrators group on a Windows cluster, add the Windows user to the group at every cluster node. The local groups are not shared in the cluster. A Windows server with User Access Control (UAC) places further constraints on a CIFS proxy user. This requires a user account in the Domain Users group. UAC was introduced with Windows Server 2008.
Guidelines: Changing the Password	For security reasons, you may choose to change the password for the proxy-user account from time to time. For a Windows proxy user, this change must occur in two places: the Active Directory, where the corresponding Windows user is defined, and in the ARX configuration. Use the following steps to make the change: Change the password on a Domain Controller (DC). Wait for all of the DCs in the proxy users Windows Domain to synchronize their databases. After the DCs are synchronized with the new password, re-run this command to change the password on the ARX. During the time that the proxy-user password on the ARX does not match the one in the external Active Directory, the volumes that use the proxy user cannot access any of their back-end-CIFS storage. This prevents the managed volumes from performing autonomous operations, such as policy-driven migrations, and causes the CIFS shares to go offline. We recommend that you perform this procedure during non-busy hours.
Sample	bstnA(gbl)# proxy-user acoProxy2 bstnA(gbl-proxy-user[acoProxy2])# user jqpublic Password: ******** Validate Password: ******** bstnA(gbl-proxy-user[acoProxy2])#
Related Commands	proxy-user show proxy-user

Purpose	A proxy user is a set of user credentials (a username and password) that the ARX can use to access its back-end filers. The ARX uses the proxy-user credentials when it must perform autonomous operations, such as importing files into a managed volume. For a Windows proxy user, you can use this command to identify the Windows domain. Use the no form of the command to remove the domain name.
Mode	gbl-proxy-user
Security Role(s)	crypto-officer
Syntax	windows-domain domain-name [pre-win2k-name old-style-domain] no windows-domain   domain-name (1-64 characters) is the name of the Windows domain to identify with this Windows user. This must be a Fully-Qualified-Domain Name (FQDN) for the proxy user to authenticate through Kerberos. Choose a domain in the same Active-Directory forest as the filers. old-style-domain (optional, 1-15 characters, no periods) is the legacy Windows domain for the proxy-user account. The proxy user may have to use NTLM when it authenticates with back-end filers, and not all back-end filers accept an FQDN for NTLM authentication. Use this option only if the default (below) is incorrect; this option is rarely necessary.
Default(s)	old-style-domain - The old-style name discovered with active-directory update seed-domain. If the old-style name was never discovered for this domain, the ARX uses the first part (before the first ., up to 15 characters) of the FQDN in the domain-name.
Guidelines	When assigned to a namespace through proxy-user (gbl-ns), a proxy-user provides a login ID for the ARX to access back-end filers. The ARX uses this account for imports, file migrations from one back-end filer to another, and other autonomous operations. Ideally, the domain should be one that the ARX has already discovered with active-directory update seed-domain. If you are creating the proxy user before you run that command, the CLI warns that the domain is unknown. This warning is designed for situations where the domain is typed incorrectly, and is benign in this case. Use the show proxy-user command to view all configured proxy users, and their associated Windows domains and usernames.
Samples	bstnA(gbl)# proxy-user acoProxy2 bstnA(gbl-proxy-user[acoProxy2])# windows-domain medarch.org   % INFO: The windows-domain name 'medarch.org' is not in active-directory-forest configuration. The specified name is accepted, but reconfigure the windows-domain if it is misconfigured.   bstnA(gbl-proxy-user[acoProxy2])# sets the proxy-users domain to medarch.org. The informational message is benign if it occurs before anyone has run the active-directory update seed-domain command.   stoweA(gbl)# proxy-user acoProxy3 stoweA(gbl-proxy-user[acoProxy3])# windows-domain FDTESTNET.COM pre-win2k-name BOSTONCIFS stoweA(gbl-proxy-user[acoProxy3])# sets another proxy-users domain to FDTESTNET.COM, but specifies a legacy-domain name of BOSTONCIFS. The last option is only necessary if this pre-Win2K name was not discovered earlier with the active-directory update seed-domain command.
Related Commands	ntlm-auth-server proxy-user (gbl-ns) show global-config namespace show proxy-user