Change domain of a VNX CIFS server
All information in this post can be found on https://support.emc.com, but I have been unable to find a single source.
In order to change the domain of a VNX CIFS server, it is necessary to delete the CIFS server… That is right, the CIFS server needs to be deleted, but don’t worry. Shares, ownership and rights will be retained.
When I first started searching for a way to change the domain of a CIFS server, I did find documentation stating that the CIFS server needed to be deleted. I discarded those posts as I did not want to delete the CIFS shares.
I decided to open an EMC support chat to get the correct procedure for changing the domain and they also stated that I needed to delete the CIFS server. After a bit of back and forth, I felt fairly convinced that it was actually the correct method, but just to be sure I set up a test before doing it on a production system.
A bit of information about the test setup:
- Old domain is called olddom.net
- New domain is called newdom.com
- The net interface used by the CIFS server is called cifs-if
- The filesystem used by the CIFS server is called cifs-fs
- There is a trust between olddom.net and newdom.com
First we need to update the security IDs (SIDs) on the filesystem so they correspond to the new domain. The VNX will try to match users and groups from the old domain to users and groups in the new domain.
server_cifs <dm-name> -Migrate cifs-fs -acl olddom.net:if=cifs-if newdom.com:if=cifs-if
The command above might take some time, but everything is online while it runs.
Next we need to unjoin the CIFS server from the old domain.
server_cifs <dm-name> -Unjoin compname=<cifs-server-name>,domain=olddom.net,admin=<admin user>
When the domain is unjoined, we can delete the CIFS server.
server_cifs <dm-name> -delete compname=<cifs-server-name>
Now it is possible to create a new CIFS server with the same name, but a different domain.
server_cifs <dm-name> -add compname=<cifs-server-name>,domain=newdom.com,admin=<admin user>
Now join the CIFS server to the new domain.
server_cifs <dm-name> -Join compname=<cifs-server-name>,domain=newdom.com,admin=<admin user>
Finally we can replace the SIDs from the old domain.
server_cifs <dm-name> -Replace cifs-fs -acl :nb=<cifs-server-name>
That’s it. Shares and files should now have the correct permissions for the new domain. I believe that this should also work without a trust between the two domains, but the -Migrate command needs the same users/groups to be available in the new domain in order to change the SIDs correctly.
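One way to check that the SID update left nothing behind, as an added example that is not part of the original post or EMC's tooling: it scans SDDL strings exported from the share (for instance the Sddl property returned by Get-Acl on a Windows client) for owners, groups and ACE trustees still issued by the old domain. The domain SIDs, the cifs01 paths and the SDDL strings are constructed sample values.

```python
import re

# Constructed sample values: these domain SIDs are invented for illustration.
OLD_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # stands in for olddom.net
NEW_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"  # stands in for newdom.com

SID = r"S-1-[\d-]+|[A-Z]{2}"  # full SID string or two-letter SDDL alias (BA, SY, ...)
HEAD_RE = re.compile(rf"(?:O:(?P<owner>{SID}))?(?:G:(?P<group>{SID}))?")
ACE_RE = re.compile(r"\(([^()]*)\)")


def domain_of(sid):
    """Return the issuing domain SID of an account SID (all but the RID), else None."""
    parts = sid.split("-")
    if not sid.startswith("S-1-5-21-") or len(parts) != 8:
        return None  # alias or well-known SID, not a domain account
    return "-".join(parts[:-1])


def stale_entries(sddl, old_domain_sid):
    """List (role, sid) pairs in one SDDL string that still point at the old domain."""
    found = []
    head = HEAD_RE.match(sddl)
    for role in ("owner", "group"):
        sid = head.group(role)
        if sid and domain_of(sid) == old_domain_sid:
            found.append((role, sid))
    for ace in ACE_RE.findall(sddl):
        fields = ace.split(";")  # type;flags;rights;object;inherit_object;trustee
        if len(fields) >= 6 and domain_of(fields[5]) == old_domain_sid:
            found.append(("ace:" + fields[0], fields[5]))
    return found


def audit(acls, old_domain_sid):
    """Map each path to its stale entries, omitting paths that are clean."""
    return {p: hits for p, s in acls.items() if (hits := stale_entries(s, old_domain_sid))}


# Constructed SDDL strings for two hypothetical directories on the share.
SAMPLE_ACLS = {
    r"\\cifs01\data\finance": f"O:{NEW_DOMAIN_SID}-1105G:{NEW_DOMAIN_SID}-513"
                              f"D:AI(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;{NEW_DOMAIN_SID}-1201)",
    r"\\cifs01\data\legacy": f"O:{OLD_DOMAIN_SID}-1105G:{NEW_DOMAIN_SID}-513"
                             f"D:(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;{OLD_DOMAIN_SID}-1342)",
}

if __name__ == "__main__":
    for path, hits in audit(SAMPLE_ACLS, OLD_DOMAIN_SID).items():
        print(path, hits)
```

Any path the audit reports still carries an owner or ACE that did not get matched to an account in the new domain and needs to be looked at by hand.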