Skip to main content

Join ONTAP SMB SVMs to Active Directory domains

Contributors netapp-aaron-holt netapp-aherbin netapp-ahibbard
PDFs

You can join a storage virtual machine (SVM) to an Active Directory domain without deleting the existing SMB server by modifying the domain using the vserver cifs modify command. You can rejoin the current domain or join a new one.

Before you begin

  • The SVM must already have a DNS configuration.

  • The DNS configuration for the SVM must be able to serve the target domain.

    The DNS servers must contain the service location records (SRV) for the domain LDAP and domain controller servers.

About this task

  • The administrative status of the CIFS server must be set to down to proceed with Active Directory domain modification.

  • If the command completes successfully, the administrative status is automatically set to up. Learn more about up in the ONTAP command reference.

  • When joining a domain, this command might take several minutes to complete.

Steps

  1. Join the SVM to the CIFS server domain: vserver cifs modify -vserver vserver_name -domain domain_name -status-admin down

    Learn more about vserver cifs modify in the ONTAP command reference. If you need to reconfigure DNS for the new domain, learn more about vserver dns modify in the ONTAP command reference.

    In order to create an Active Directory machine account for the SMB server, you must supply the name and password of a Windows account with sufficient privileges to add computers to the ou= example ou container within the example.com domain.

    Beginning with ONTAP 9.7, your AD administrator can provide you with a URI to a keytab file as an alternative to providing you with a name and password to a privileged Windows account. When you receive the URI, include it in the -keytab-uri parameter with the vserver cifs commands.

  2. Verify that the CIFS server is in the desired Active Directory domain: vserver cifs show

Example

In the following example, the SMB server “CIFSSERVER1” on SVM vs1 joins the example.com domain using keytab authentication:

cluster1::> vserver cifs modify -vserver vs1 -domain example.com -status-admin down -keytab-uri http://admin.example.com/ontap1.keytab

cluster1::> vserver cifs show

          Server       Status       Domain/Workgroup  Authentication
Vserver   Name         Admin        Name              Style
--------- -----------  ---------    ----------------  --------------
vs1       CIFSSERVER1  up           EXAMPLE          domain