Manual Chapter : Active Directory Discovery

Applies To:

ARX

  • 6.3.0
Use the active-directory update seed-domain command to discover an AD forest in your network and add its representation to the ARX.
active-directory update seed-domain seed proxy-user proxy
[domain-controllers max-dcs] [site-name site]
[verbose] [tentative]
seed (1-255 characters) is the name of one domain in the forest. The ARX uses this domain name to begin its forest discovery. This becomes the name of the AD-forest in the ARX configuration.
proxy (1-32 characters) is a proxy-user with credentials for accessing the seed domain's DC(s). These credentials can belong to the seed domain itself, or to any domain that is trusted by the seed domain. The ARX queries the DC for the names of other domains in the same AD forest.
max-dcs (optional, 1-100) sets a maximum number of DCs used in each domain. The ARX queries its DNS server to discover all the DCs in each domain; if the DNS server returns more DCs than max-dcs, the ARX takes the top max-dcs entries from the DNS list, in the order returned from DNS.
site (optional, 1-64 characters) identifies the AD site for the ARX. If it knows of multiple DCs that can answer the same query, the ARX prefers DCs in its own site (if there are any) over DCs in any other site. The site name is defined on a DC with the Active Directory Sites and Services plugin. The site name is case insensitive, so boston and BOSTON are equivalent. If you omit this, the ARX software uses the AD site configured for the ip proxy-address subnet. Use this option if the AD's site configuration does not include the proxy-IP subnet.
verbose (optional) causes the command to show the results of the forest discovery as it progresses.
tentative (optional) makes the ARX perform the AD-forest discovery without creating the actual active-directory-forest configuration.
By default, max-dcs is unlimited: the ARX uses all DCs returned from each DNS query.
By default, site is the AD site configured on the external Active Directory for the proxy-IP subnet. This default requires that the proxy-IP subnet is defined in the AD; you can add the subnet on a DC with the Active Directory Sites and Services plugin.
The active-directory update seed-domain command automatically discovers an Active Directory (AD) forest and adds it to the ARX configuration. The switch uses this information to support CIFS authentications in single- and multi-domain environments. After a successful discovery, the ARX configuration contains an AD-forest object with the name of the seed domain that you provided.
The command creates a report named active-directory-seed_domain.rpt, where seed_domain is the seed domain that you chose in the command. The CLI displays the name of the report after you issue the command. Use show reports type AdUp to list all AD-discovery reports. To follow the progress of the AD-discovery operation, use tail reports report-name follow. Use show reports report-name to read the report. You can search through the report with grep. To copy or delete it, use the copy or delete commands. If you want to truncate the report before it finishes, use the truncate-report command. See Figure 16.1 on page 16-6 for a sample report.
Use the show active-directory command to show the configuration of the AD forest, as recorded on the ARX. To see the status of all DCs in the forest, use the show active-directory status command.
As an alternative to this automatic-discovery process, you can use the active-directory-forest command to manually create or edit the AD-forest configuration. The active-directory-forest command brings you to gbl-forest mode, where you can add all types of domains and DCs in the forest. Typically, this is only used to add dynamic-DNS servers, described later.
An AD forest can also support trees that are outside the forest root's tree. These are domains with two-way-transitive-trust relationships with one or more domains in the root tree, but their domain names are entirely different. They are called tree domains. For example, a tree domain named nonprofit.org may also be in the AD forest, and it may have a child domain named euro.nonprofit.org.
For AD forests with two-way-trust relationships, where clients from one forest are allowed to access CIFS services from the other forest, you can use the kerberos auto-realm-traversal command to automatically discover all such trust relationships. Alternatively, you can use the active-directory forest-trust command to declare a forest-to-forest trust relationship in the ARX configuration.
bstnA# active-directory update seed-domain ny.com proxy-user ny_admin
bstnA# active-directory update seed-domain vt.com proxy-user ny_admin verbose
bstnA# show reports active-directory-vt.com.rpt
Use the optional description command to set a descriptive string for the current proxy user. This appears in the show proxy-user command.
Use the no form of the command to delete the description.
text (1-255 characters) is your description. Surround the text with quotation marks ("") if it contains any spaces.
stoweA(gbl-proxy-user[jckilley])# description "Jean-Claude's user identity"
Use the no form of the command to remove a proxy-user configuration.
name (1-32 characters) is a name you choose for the proxy user.
The documentation for the user (gbl-proxy-user) command describes the exact privileges required for the Windows-user account. You can use the probe exports command with this proxy user to determine whether or not the proxy user has (at least) Backup Operator privileges. To prove that the proxy user has full Administrator privileges, use it with the show exports ... paths command; the paths are blank unless the proxy user belongs to the Administrators group on the filer.
After you create proxy-user configurations, you apply one or more to a namespace through the proxy-user (gbl-ns) command. Use the show proxy-user command to display all configured proxy users and their associated domains and usernames.
bstnA(gbl)# proxy-user acoProxy2
show exports ... paths
To support CIFS authentication, the ARX requires an accurate representation of your network's current Active Directory (AD) forest(s). Use the show active-directory command to review the AD-forest configuration as currently recorded on the ARX.
forest-name (optional, 1-256 characters) identifies a particular forest to show.
domain-name (optional, 1-256 characters) identifies a particular domain.
The show active-directory command displays the current AD configuration in one or two sections: Active Directory Domains and, if there are any forest-to-forest trusts, an additional Forest Trust table.
The Active Directory Domains section contains one table per AD forest. Each table has a Forest Name heading, showing the name configured with the active-directory-forest or active-directory update seed-domain command. The forest table contains one sub-table per domain. Each sub-table row contains the following fields:
forest-root, child-domain, or tree-domain is the type of the Windows domain in the AD forest, followed by the domain name and its pre-Windows 2000 name. This is the heading for the sub-table of DCs for the domain. This domain name is discovered automatically, or it is manually set with the forest-root, child-domain, or tree-domain commands.
IP Address is the address of the Key-Distribution Center (KDC, a domain controller used for Kerberos) and/or dynamic-DNS server for this Windows domain. You establish this with the forest-root, child-domain, or tree-domain command, or the ARX automatically discovers it if you use active-directory update seed-domain. You can also use name-server to identify a dynamic-DNS server; in many cases, dynamic DNS runs on the same server as the KDC.
Services are KDC and/or DNS, as explained above.
Preferred shows whether or not this DC is on the preferred list for its domain. The choices are YES or NO. The Kerberos software chooses its active DC(s) from the preferred list if there are any online. The preferred DCs are the DCs in the same AD site as the ARX (see active-directory update seed-domain or active-directory update forest), or you can manually set the DC preference with an optional flag in the forest-root, child-domain, or tree-domain commands.
The Forest Trust table only appears if at least one forest-to-forest trust has been declared in the ARX configuration. You can declare a forest-to-forest trust with the active-directory forest-trust command. Each trust relationship appears as one row in the table, with the following fields:
Forest-1 and Forest-2 are the two forests in the trust relationship. Clients from either of these forests can access CIFS services in the other.
Trust Type is always bidirectional in the current release. Clients in Forest-1 can access services in Forest-2, and clients in Forest-2 can access services in Forest-1.
bstnA# show active-directory
Use the show active-directory status command to see the status of all Domain Controllers (DCs) in the Active-Directory configuration.
detailed (optional) expands the output to include statistics about each DC's health.
forest-name (optional, 1-256 characters) identifies a particular forest to show.
domain-name (optional, 1-256 characters) identifies a particular domain.
The top line in the output shows the Offline timeout, which is the time that the ARX waits for a response from a DC before declaring it offline. This is a system-wide variable, set with the kerberos health-check threshold command.
PROCESSOR slot.proc, where slot.proc identifies the processor.
Forest is the name of the AD forest (set by the active-directory update seed-domain or the active-directory-forest command).
Domain Name is the Windows domain.
Domain Controller is the IP address of one of the domain's DCs.
Status is Active, Backup, Offline, Unusable, or NoStatus.
Unusable means that the DC is not usable for forest-to-forest trusts (configured with the active-directory forest-trust command) because the ARX cannot verify that it is a Windows 2003 (or later) server. The DC must confirm that it is running Windows 2003 or a later release to be usable for these trusts.

If such a DC is in the forest, no cifs service can support the recommended constrained delegation feature (described with the domain-join command).
Preferred is 1 (one) if this DC is on the preferred list for its domain, or 0 (zero) otherwise. If any preferred DC is online for a given domain, a processor chooses the DC for Active status instead of its non-preferred peers. The preferred DCs are the DCs in the same AD site as the ARX (see active-directory update seed-domain or active-directory update forest), or you can manually set the DC preference with an optional flag in the forest-root, child-domain, or tree-domain commands.
The Forest Trust table only appears if at least one forest-to-forest trust has been declared in the ARX configuration. You can declare a forest-to-forest trust with the active-directory forest-trust command. Each trust relationship appears as one row in the table, with the following fields:
Forest-1 and Forest-2 are the two forests in the trust relationship. Clients from either of these forests can access CIFS services in the other.
Trust Type is always bidirectional in the current release. Clients in Forest-1 can access services in Forest-2, and clients in Forest-2 can access services in Forest-1.
Last Transition (UTC) is the timestamp showing the most-recent status change. (This time stamp is in UTC, not local time.) The ARX periodically checks each forest-root DC to confirm that it is online. If the forest has redundant root DCs, only the active DC has its status checked. The next field shows the results of the status check.
Status should be Forest roots are online. This indicates that the trust is functional. If either or both are offline, check the connectivity to each DC, and the DC itself. You can use the show active-directory command to identify the forest root(s) for each forest.
Domain Name is the DC's Windows domain.
Domain Controller is the IP address of one of the domain's DCs.
Status is Active, Backup, Offline, Unusable, or NoStatus, as described above.
Active Count is the number of times that the current DC has been Active for its domain.
Health Check Failure counts the number of times that the ARX failed to connect to the DC.
Health Check Timeout counts the number of times that the DC exceeded the kerberos health-check threshold before responding to the LDAP query.
Transition Total is the count of transitions to Active from some other status.
Last Transition (UTC) is the timestamp for the most-recent transition, in Coordinated Universal Time (known as UTC).
LDAP Health Check shows round-trip times for the LDAP query and response. These statistics only appear for a DC that is either Active or Backup.
Since last transition displays the average, minimum, and maximum round-trip times since the last time a new DC became reachable in this domain.
Last 5/30/60 minutes shows the average round-trip times over the last 5 minutes, the last half hour, and the last hour.
Use show active-directory to see the switch's representation of the AD configuration.
bstnA# show active-directory status
bstnA# show active-directory status domain FDTESTNET.NET
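The DC-selection rules described for active-directory update seed-domain (max-dcs truncation in DNS order, case-insensitive site matching) and for the Preferred, Status and health-check fields of show active-directory status, modelled as an added example. This is not ARX code; the sample DCs, the threshold value and the tie-break by DNS order among preferred online DCs are assumptions.

```python
# Added example, not ARX code: a model of the DC-selection rules this chapter describes for
# active-directory update seed-domain (max-dcs, site) and show active-directory status.
from dataclasses import dataclass

@dataclass
class DomainController:
    ip: str
    site: str                      # AD site, as defined in Active Directory Sites and Services
    online: bool = True
    preferred: bool = False        # Preferred column: 1 if same site as the ARX, 0 otherwise
    health_check_failure: int = 0  # connection to the DC failed
    health_check_timeout: int = 0  # DC answered slower than the kerberos health-check threshold

def discover_dcs(dns_order, arx_site, max_dcs=None):
    """Keep DNS order, truncate to max-dcs, mark same-site DCs preferred (site is case-insensitive)."""
    chosen = list(dns_order) if max_dcs is None else list(dns_order)[:max_dcs]
    for dc in chosen:
        dc.preferred = dc.site.casefold() == arx_site.casefold()
    return chosen

def record_health_check(dc, rtt_ms, threshold_ms):
    """Update one DC from an LDAP health check: None = no connection, > threshold = timeout."""
    if rtt_ms is None:
        dc.health_check_failure += 1
        dc.online = False
    elif rtt_ms > threshold_ms:
        dc.health_check_timeout += 1
        dc.online = False
    else:
        dc.online = True

def assign_status(dcs):
    """Return {ip: status}. An online preferred DC wins Active; assumption: DNS order breaks ties."""
    online = [dc for dc in dcs if dc.online]
    candidates = [dc for dc in online if dc.preferred] or online
    active = candidates[0] if candidates else None
    return {dc.ip: "Active" if dc is active else ("Backup" if dc.online else "Offline") for dc in dcs}

# Constructed sample: DNS returns three DCs; the ARX sits in site BOSTON and was run with max-dcs 2.
SAMPLE_DNS_ORDER = [
    DomainController("192.0.2.10", "Paris"),
    DomainController("192.0.2.11", "boston"),
    DomainController("192.0.2.12", "boston"),
]

def sample_run():
    dcs = discover_dcs(SAMPLE_DNS_ORDER, "BOSTON", max_dcs=2)  # 192.0.2.12 is dropped
    record_health_check(dcs[0], 12, 5000)    # Paris DC healthy
    record_health_check(dcs[1], 7000, 5000)  # Boston DC too slow: timeout, offline
    first = assign_status(dcs)               # no preferred DC online, so Paris is Active
    record_health_check(dcs[1], 20, 5000)    # Boston DC recovers
    second = assign_status(dcs)              # the preferred DC now takes Active
    return [dc.ip for dc in dcs], first, second
```

The second status map shows why a preferred DC that was merely slow (not down) still shows up as Offline until its next successful health check, which is the same transition the Transition Total and Last Transition fields count.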
name (optional; 1-32 characters) is the name of a proxy user. If no name is specified, this command shows all configured proxy users.
Name identifies the proxy-user object. You choose this when you use the proxy-user command to create the proxy-user configuration.
Windows Domain identifies the domain of the proxy user, if there is one. This is typically an FQDN. Use the windows-domain (gbl-proxy-user) command to change this.
Pre-Win2k is the domain name that the ARX uses for its NTLM authentications; some filers do not accept FQDNs for NTLM. This is an old-style domain name, in the format used by Windows networks before Windows 2000. By default, this name is discovered automatically, through active-directory update seed-domain. If this domain's name was not discovered, the ARX uses the first label of the Windows Domain's FQDN, up to 15 characters before the first period. You can manually set the name with an option in the windows-domain (gbl-proxy-user) command, though we recommend setting it at the AD and discovering it from there.
User is the username used by this proxy-user object. If the ARX uses this proxy-user object, this is the username it presents to back-end filers. You can change this with the user (gbl-proxy-user) command.
Description shows a descriptive string for the proxy user, if one is defined. You can use the description (gbl-proxy-user) command to add a description to a proxy-user configuration.
bstnA> show proxy-user
Use the no user command to remove the username from the current configuration.
user username
username (1-64 characters) is a valid username you choose for this proxy-user configuration. This is typically a Windows user, though it may be a Unix user for certain applications of the proxy user (for example, see the documentation for proxy-user (gbl-filer)). Any Windows proxy user must be a member of the Backup Operators or Administrators group on all filers that use these credentials; see below for details.
bstnA(gbl)# proxy-user acoProxy2
Password: ********
A proxy user is a set of user credentials (a username and password) that the ARX can use to access its back-end filers. The ARX uses the proxy-user credentials when it must perform autonomous operations, such as importing files into a managed volume. For a Windows proxy user, you can use this command to identify the Windows domain.
Use the no form of the command to remove the domain name.
windows-domain domain-name [pre-win2k-name old-style-domain]
domain-name (1-64 characters) is the name of the Windows domain to identify with this Windows user. This must be a Fully-Qualified-Domain Name (FQDN) for the proxy user to authenticate through Kerberos. Choose a domain in the same Active-Directory forest as the filers.
old-style-domain (optional, 1-15 characters, no periods) is the legacy Windows domain for the proxy-user account. The proxy user may have to use NTLM when it authenticates with back-end filers, and not all back-end filers accept an FQDN for NTLM authentication. Use this option only if the default (below) is incorrect; this option is rarely necessary.
By default, old-style-domain is the old-style name discovered with active-directory update seed-domain. If the old-style name was never discovered for this domain, the ARX uses the first part (before the first period, up to 15 characters) of the FQDN in the domain-name.
When assigned to a namespace through proxy-user (gbl-ns), a proxy-user provides a login ID for the ARX to access back-end filers. The ARX uses this account for imports, file migrations from one back-end filer to another, and other autonomous operations.
Ideally, the domain should be one that the ARX has already discovered with active-directory update seed-domain. If you are creating the proxy user before you run that command, the CLI warns that the domain is unknown. This warning is designed for situations where the domain is typed incorrectly, and is benign in this case.
Use the show proxy-user command to view all configured proxy users, and their associated Windows domains and usernames.
bstnA(gbl)# proxy-user acoProxy2
bstnA(gbl-proxy-user[acoProxy2])# windows-domain medarch.org
stoweA(gbl)# proxy-user acoProxy3
stoweA(gbl-proxy-user[acoProxy3])# windows-domain FDTESTNET.COM pre-win2k-name BOSTONCIFS