The content of this blog is based on training material provided by Will Stowe, TME, and Aainy Zahra, fellow CSA. Much appreciated!
I have noticed over the years that SMB is trickier than NFS. Why is that?
I would like to focus specifically on SMB nice-to-know stuff.
SMB has more moving parts than NFSv3/NFSv4.1, for example:
- Domain Controllers
- DNS/name resolutions
- What the heck is an “OU”?
ANF AD Connection Requirements
■ Active Directory
– IP address of at least one domain controller (TWO preferred); these are the DNS servers ANF uses to locate the domain
– DNS name of the AD domain (e.g. deltateam.local)
– Organisational Unit (OU) for the ANF computer account(s): the location in AD where ANF creates the computer account(s) for its SMB server(s)
– Site Name (scopes ANF to the domain controllers of one AD site)
■ OU Delegation / Credentials
– Username and password of an account that has been delegated the right to create computer objects in that OU
– THIS DOES NOT REQUIRE DOMAIN ADMIN CREDENTIALS
– Recommend a dedicated “service account” with password expiration disabled; ANF keeps using the stored password, so an expired password breaks later SMB volume operations
■ Firewall Group Policy
– Exception for the ANF delegated subnet, or disable the Windows Firewall on the DCs. Depends on the customer
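The service account and OU delegation described above, as an added PowerShell example (this is not code from the original training material). It assumes the RSAT ActiveDirectory module and dsacls.exe on a domain-joined admin workstation; the domain deltateam.local comes from the text, while the OU “OU=ANF,DC=deltateam,DC=local”, the account container and the account name svc-anf are hypothetical.

```powershell
# Added example, not part of the original material: create a least-privilege service
# account for the ANF AD connection and delegate only computer-object rights on the OU
# that ANF will use. No Domain Admins membership is granted or required.
# Hypothetical names: OU=ANF, CN=Users, svc-anf. Domain deltateam.local is from the text.
Import-Module ActiveDirectory

$Domain           = 'deltateam.local'
$AnfOuDn          = 'OU=ANF,DC=deltateam,DC=local'          # OU given to the ANF AD connection
$AccountContainer = 'CN=Users,DC=deltateam,DC=local'        # where the service account itself lives
$SamAccount       = 'svc-anf'                               # type exactly this (no DOMAIN\ or @domain) in the wizard
$NetbiosName      = (Get-ADDomain -Identity $Domain).NetBIOSName

# 1. Service account with password expiration disabled: ANF stores this password and
#    re-uses it for every AD operation, so an expiring password breaks future volumes.
$Password = Read-Host -AsSecureString -Prompt "Password for $SamAccount"
New-ADUser -Name $SamAccount -SamAccountName $SamAccount `
    -UserPrincipalName "$SamAccount@$Domain" -Path $AccountContainer `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Azure NetApp Files AD connection (computer-object delegation only)'

# 2. OU delegation with dsacls:
#    - on the OU itself: create and delete child objects of class computer (CCDC)
#    - on computer objects under the OU (inherit-only, /I:S): full control (GA), so the
#      SMB server ANF provisions can update its own password, SPNs and dNSHostName
$Principal = "$NetbiosName\$SamAccount"
dsacls $AnfOuDn /G "${Principal}:CCDC;computer"
dsacls $AnfOuDn /I:S /G "${Principal}:GA;;computer"

# 3. Verify: show only the ACEs on the OU that mention the service account
dsacls $AnfOuDn | Select-String -SimpleMatch $SamAccount
```

The second dsacls line is deliberately scoped to descendant computer objects only; the account gets no rights over users, groups or the OU's other children, which is the whole point of not handing the wizard a Domain Admin.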
AD Connection Wizard
■ If ANF cannot reach the DC, your SMB volume creation will fail
– The AD Connections Wizard does NOT validate settings (yet): a wrong value is only discovered when the first SMB volume is created
– Double check values (IP addresses, OU settings, credentials)
– For AD credentials, use the username only. Do NOT use DOMAIN\USER or USER@DOMAIN.
■ Ensure the domain controller is reachable from the ANF delegated subnet
■ DC(s) can be located
– In the same VNET as ANF
– In another VNET peered with the ANF VNET in the same region
– On prem, over ExpressRoute
■ Network Security Groups (not supported on the ANF delegated subnet)
■ Firewall rules (Windows/AD/on prem/VNET) must allow the AD and SMB ports from the delegated subnet
Azure Native Networking
In this scenario your customer either has DCs running in Azure or they are using AADDS (Azure Active Directory Domain Services)
• This Hub/Spoke topology is in the same region
• This Hub/Spoke topology spans multiple Azure regions using global VNET peers (ANF cannot reach a DC over a global peer; see the troubleshooting notes below)
Be mindful that the networking rules for ANF-to-client traffic also apply to ANF-to-Active Directory DC traffic!
• User-defined routes (UDRs) with the Azure NetApp Files subnet as address prefix
• If the customer has an NVA in the HUB filtering traffic back on-prem, this affects ANF’s ability to reach the DCs on premises
• Neither is supported today
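An audit of the VNet that holds the ANF delegated subnet for the topology rules above, as an added PowerShell example (not code from the original material or from Azure NetApp Files). It uses the Az.Network and Az.Resources modules; the resource group rg-anf and VNet name vnet-hub-spoke are hypothetical. It only inspects route tables in the same resource group as the VNet, so widen the search if your route tables live elsewhere.

```powershell
# Added example, not part of the original material: flag the ANF-AD networking patterns
# the text calls unsupported: a UDR whose prefix is the ANF subnet, an NSG or route table
# on the delegated subnet, an NVA next hop that could filter DC traffic, and global
# (cross-region) peerings, over which ANF cannot reach a DC.
# Hypothetical names: rg-anf, vnet-hub-spoke.
Connect-AzAccount | Out-Null

$rg   = 'rg-anf'
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-hub-spoke'

# The delegated subnet is the one delegated to Microsoft.NetApp/volumes
$anfSubnet = $vnet.Subnets | Where-Object { $_.Delegations.ServiceName -contains 'Microsoft.NetApp/volumes' }
if (-not $anfSubnet) { throw 'No subnet in this VNet is delegated to Microsoft.NetApp/volumes' }
$anfPrefix = $anfSubnet.AddressPrefix | Select-Object -First 1
"ANF delegated subnet: $($anfSubnet.Name) ($anfPrefix) in $($vnet.Location)"

$findings = @()

if ($anfSubnet.NetworkSecurityGroup) {
    $findings += "NSG attached to the delegated subnet: $($anfSubnet.NetworkSecurityGroup.Id)"
}
if ($anfSubnet.RouteTable) {
    $findings += "Route table attached to the delegated subnet: $($anfSubnet.RouteTable.Id)"
}

# Route tables in the resource group: UDRs aimed at the ANF prefix, and NVA next hops
foreach ($rt in Get-AzRouteTable -ResourceGroupName $rg) {
    foreach ($route in $rt.Routes) {
        if ($route.AddressPrefix -eq $anfPrefix) {
            $findings += "UDR '$($route.Name)' in $($rt.Name) uses the ANF subnet as prefix ($($route.NextHopType) $($route.NextHopIpAddress))"
        }
        elseif ($route.NextHopType -eq 'VirtualAppliance') {
            $findings += "Route '$($route.Name)' in $($rt.Name) sends $($route.AddressPrefix) via NVA $($route.NextHopIpAddress); confirm it does not filter ANF-to-DC traffic"
        }
    }
}

# Peerings: a remote VNet in another region means global peering, which ANF cannot use for AD
foreach ($peer in Get-AzVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName $vnet.Name) {
    $remote = Get-AzResource -ResourceId $peer.RemoteVirtualNetwork.Id
    if ($remote.Location -ne $vnet.Location) {
        $findings += "Global peering '$($peer.Name)' to $($remote.Name) in $($remote.Location): DCs behind it are unreachable from ANF"
    }
}

if ($findings) { $findings | ForEach-Object { "WARN: $_" } } else { 'No unsupported ANF-AD networking patterns found' }
```

The NVA finding is a prompt to check the appliance's policy rather than a verdict: an NVA in the hub is only a problem if it drops or fails to route the traffic from the delegated subnet to the DCs.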
Common SMB Deployment Errors
Common error messages: Troubleshoot Azure NetApp Files Resource Provider errors
Which is the most common error when deploying SMB?
- “Could not query DNS server. Verify that the network configuration is correct and that DNS servers are available.”
- Cause: you are trying to create an SMB volume, but a DNS server (specified in your Active Directory configuration) is unreachable from the ANF delegated subnet.
- Solution: review your Active Directory configuration and make sure that the DNS server IP addresses are correct and reachable. If there are no issues with the DNS server IP addresses, verify that no firewalls are blocking the access.
- Aside from networking, double-check all input parameters for the AD connection on the ANF account
HELP! I can’t log on
■ I’m getting the “DNS Server not found” error when attempting to create an SMB volume!
– Ensure the AD Connection info is CORRECT (DC IP, OU, domain name, creds)
– Ensure connectivity is good (firewalls/NSGs/routing)
■ If you are having trouble verifying whether ANF can reach the domain, try the following:
– Create an NFS volume first; this way you have an IP in the ANF delegated subnet
– Log into the DC or another server in the same network and ping the NFS IP
– If you do not get a response, something in the network between the DC and the ANF subnet is the issue
• Is the customer using NVAs/UDRs for hybrid ANF-AD connectivity?
• Am I in an ANF-AD supported network topology?
• Is ANF trying to reach the domain over a global VNET peer? This does NOT work
• VPN gateways are a possible workaround, but a VNET that uses a remote gateway over a peering cannot also have its own gateway
• Have I checked AD Sites and Services? Can the customer scope the ANF AD connection to one site (the Site Name field)?
• Does the AD server have the proper ports open, as listed in the Microsoft documentation linked below?
■ I can’t access the SMB share from a Windows host!
– Is the Windows host a member of the same AD domain as ANF, or of a trusted domain?
– For new Azure VMs, check the DNS settings of the VM/VNET: the host must resolve the ANF SMB server’s name through AD DNS
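A pre-flight script for the AD connection values and the DC-side reachability checks above (the wizard does not validate them, and the NFS-volume ping trick proves the return path), as an added PowerShell example that is not from the original material. Run it on the DC, or on a server in the DC's network, as the text suggests. The domain deltateam.local is from the text; the DC IPs 10.0.1.4 and 10.0.1.5, the OU, the account svc-anf and the NFS volume IP 10.0.8.4 are hypothetical. The port list is the standard set for AD domain join and SMB; confirm it against the Microsoft port list linked below.

```powershell
# Added example, not part of the original material: validate the inputs you are about to
# type into the AD Connection wizard and the network path in both directions.
# Hypothetical values: 10.0.1.4/10.0.1.5, OU=ANF, svc-anf, 10.0.8.4.
$DnsServers  = '10.0.1.4', '10.0.1.5'
$Domain      = 'deltateam.local'
$OuDn        = 'OU=ANF,DC=deltateam,DC=local'
$Username    = 'svc-anf'        # bare username: no DOMAIN\ prefix, no @domain suffix
$NfsVolumeIp = '10.0.8.4'        # IP of an NFS volume created first, in the ANF delegated subnet

# Standard AD/SMB ports (assumption: check against the official list): DNS, Kerberos, RPC
# endpoint mapper, LDAP, SMB, Kerberos password change, LDAPS, global catalog
$Ports = 53, 88, 135, 389, 445, 464, 636, 3268, 3269

if ($Username -match '[\\@]') {
    Write-Warning "Use the bare username; '$Username' contains a domain qualifier the wizard rejects"
}

foreach ($dc in $DnsServers) {
    # 1. DNS: each listed DC must answer for the domain's DC locator record
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $dc -ErrorAction Stop
        "DNS ${dc}: $($srv.Count) DC locator record(s): $(($srv.NameTarget | Select-Object -Unique) -join ', ')"
    } catch {
        Write-Warning "DNS ${dc}: cannot resolve _ldap._tcp.dc._msdcs.$Domain ($($_.Exception.Message))"
    }
    # 2. Ports ANF needs on that DC (from this host; the ANF subnet path still needs step 3)
    foreach ($p in $Ports) {
        if (-not (Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded) {
            Write-Warning "$dc tcp/$p not reachable (firewall, NSG, or service not listening)"
        }
    }
}

# 3. Return path: from the DC network, can we reach an address in the ANF delegated subnet?
if (Test-Connection -ComputerName $NfsVolumeIp -Count 2 -Quiet) {
    "ANF subnet reachable: $NfsVolumeIp answers ping"
} else {
    Write-Warning "No reply from $NfsVolumeIp: routing/filtering between this network and the ANF subnet is the issue"
}

# 4. OU exists and the service account can bind (the LDAP bind needs a qualified name,
#    even though the wizard itself wants the bare username)
$cred = Get-Credential -UserName "$Username@$Domain" -Message 'Service account password'
$ou = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$($DnsServers[0])/$OuDn", $cred.UserName, $cred.GetNetworkCredential().Password)
try { $ou.RefreshCache(); "OU found and bind OK: $($ou.distinguishedName)" }
catch { Write-Warning "Bind or OU lookup failed: $($_.Exception.Message)" }

# 5. Which DCs and sites exist, to decide whether to scope the connection with Site Name
nltest /dclist:$Domain
```

If step 1 or 2 fails on one DC but not the other, put the working DC first in the wizard and consider scoping the connection to that DC's site, so ANF does not discover unreachable DCs through AD Sites and Services.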
So I’ve created an SMB volume, now what?
■ Go to the volume’s mount instructions and copy the UNC path (\\ANF\Share)
■ From a Windows host that is a member of the same or a trusted domain, open File Explorer
■ Paste the UNC path into the File Explorer address bar
■ You should see the share!
– Create some files on the share
– Create a snapshot of the volume
– Show the Previous Versions feature: the snapshot appears in the file’s or folder’s Previous Versions tab
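The client-side checks and the mount, snapshot and previous-versions walk-through above, as an added PowerShell example (not code from the original material or from Azure NetApp Files). The UNC path \\anf-1234.deltateam.local\vol1 and the ANF resource names rg-anf, anf-acct, pool1, vol1 and the region are hypothetical; the snapshot step assumes the Az.NetAppFiles module and that the volume's “Hide snapshot path” option is off, which exposes the ~snapshot directory at the share root.

```powershell
# Added example, not part of the original material: from a domain-joined Windows host,
# check the prerequisites the text lists, map the share, write a file, take a snapshot
# and read the file back through the snapshot directory.
# Hypothetical values: the UNC path, resource group, account, pool, volume and region.
$Unc       = '\\anf-1234.deltateam.local\vol1'
$SmbServer = ($Unc -split '\\')[2]

# 1. Host must be in the same or a trusted domain and must use AD-integrated DNS
$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw "$($cs.Name) is not domain-joined; Kerberos to the share will fail" }
"Host domain: $($cs.Domain)"
$dns = (Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses).ServerAddresses
"DNS servers: $($dns -join ', ')   (must be the AD DNS servers, not a public resolver)"

# 2. Resolve the ANF SMB server (not the DC) and reach it on tcp/445
Resolve-DnsName -Name $SmbServer -Type A -ErrorAction Stop | Select-Object Name, IPAddress
if (-not (Test-NetConnection -ComputerName $SmbServer -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded) {
    throw "tcp/445 to $SmbServer is blocked"
}

# 3. Map the share with the current domain identity and write a test file
New-PSDrive -Name Z -PSProvider FileSystem -Root $Unc -Persist -Scope Global | Out-Null
Set-Content -Path 'Z:\hello.txt' -Value "written $(Get-Date -Format o)"
Get-SmbConnection -ServerName $SmbServer | Select-Object ServerName, ShareName, Dialect, UserName

# 4. Snapshot through the control plane, then read the file back from ~snapshot
Connect-AzAccount | Out-Null
$SnapName = "manual-$(Get-Date -Format yyyyMMdd-HHmm)"
New-AzNetAppFilesSnapshot -ResourceGroupName 'rg-anf' -AccountName 'anf-acct' -PoolName 'pool1' `
    -VolumeName 'vol1' -Name $SnapName -Location 'westeurope' | Out-Null
Get-Content -Path "$Unc\~snapshot\$SnapName\hello.txt"

# The same snapshot is what File Explorer lists under the share's Previous Versions tab
Remove-PSDrive -Name Z
```

The Dialect column from Get-SmbConnection tells you which SMB version the session negotiated, which is worth a glance before a migration; the ~snapshot read proves the snapshot is visible from the client without touching the Previous Versions UI.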
SMB Service Updates
■ Starting in ANF Release 2020.04
• Ability to edit an existing ANF AD connection
• Edit DNS IPs, OUs, AD user/service account creds etc.
• SMB Cross-Region Replication support
• This requires an AD connection on the destination ANF account (where the same ANF-AD networking rules apply)
• BUILTIN\Backup Operators support (initially requires the customer to be allow-listed)
• This allows SMB migrations to use a non-privileged AD account, added to Backup Operators on the SMB server, to migrate the ACLs
Microsoft Official Document links