Cloud Volumes Service for AWS Common Questions Flashcards
What ports need to be open to create the CIFS server?
If you use Windows Active Directory (AD) servers with cloud volumes, you should familiarize yourself with the guidance on AWS security group settings. The settings enable cloud volumes to integrate with AD correctly.
By default, the AWS security group applied to an EC2 Windows instance does not contain inbound rules for any protocol except RDP. You must add rules to the security groups that are attached to each Windows AD instance to enable inbound communication from Cloud Volumes Service. The required ports are as follows:
Service            Port   Protocol
AD Web Services    9389   TCP
DNS                53     TCP
DNS                53     UDP
ICMPv4             N/A    Echo Reply
Kerberos           464    TCP
Kerberos           464    UDP
Kerberos           88     TCP
Kerberos           88     UDP
LDAP               389    TCP
LDAP               389    UDP
LDAP               3268   TCP
NetBIOS name       138    UDP
SAM/LSA            445    TCP
SAM/LSA            445    UDP
Secure LDAP        636    TCP
Secure LDAP        3269   TCP
w32time            123    UDP

If you are deploying and managing your AD installation domain controllers and member servers on an AWS EC2 instance, you will require several security group rules to allow traffic for the Cloud Volumes Service. Below is an example of how to implement these rules for AD applications as part of the AWS CloudFormation template.
How are Share ACLs modified?
An account in the Domain Administrators group is required to change share permissions.
Access Control Entries (ACEs) can be added to CIFS/SMB shares via the Computer Management console.
From the “Run” prompt on a Windows device, in the “open” field type compmgmt.msc and select “ok”. Once loaded, select “Action” > Connect to Another Computer. Input the IP or hostname of the storage device and click “ok”.
Select System Tools > Shared Folders > Shares to view the list of shares on the storage device. Right-click the share to be changed and select “Properties” > “Share Permissions”. Adjust the share permissions as necessary and then click “OK” to apply the changes.
The CIFS share is inaccessible via the hostname. An nslookup against the hostname reports that the hostname is unresolvable.
In some circumstances, the A record for the CIFS server isn’t added to DNS on CIFS server creation. This causes subsequent CIFS server hostname lookups to fail. To remedy this, manually create the A record using the name in the UI for the CIFS server. To find the IP needed for the A record, create a small, temporary NFS volume if one doesn’t exist. The IP listed below the NFS volume in the ‘Volumes’ tab is the IP needed for creating the A record.
How do I change my DNS server?
Select the “Active directory” tab. Click the ‘Actions’ dropdown on the row that corresponds to the Active Directory settings that are being modified. Select “Update active directory”. This will bring up the “Update active directory” pane. Replace the entries in the ‘DNS server’ field with the required DNS server(s) and click the “Update active directory” button.
How many DNS servers can be configured?
Up to three DNS servers can be configured.
Can the CIFS server machine account be resynchronized if it was deleted or modified in AD?
Yes. Select the “Active directory” tab. Click the ‘Actions’ dropdown on the row that corresponds to the Active Directory settings that are being modified. Select “Update active directory”. This will bring up the “Update active directory” pane. Change the NetBIOS name to a different, available name. Click “Update active directory”. After this finishes, repeat the process with the original name. Then run ‘klist purge’ from the CLI on any clients that may still hold a stale Kerberos ticket.
What is the ‘NetBIOS’ field used for in the “Create active directory” and “Active directory” forms?
This value is the CIFS Server machine account name that will be created in Active Directory for the CIFS Server. This machine account name should not be pre-provisioned.
Why is the Previous Version tab not available?
Some shares have been created without the flag that allows for Previous Versions access. Please open a case with NetApp support if you are unable to access the Previous Versions tab.
Why is the ~snapshot/.snapshot directory inaccessible?
The supported method for snapshot access is via Previous Versions. If the Previous Versions tab is unavailable/doesn’t work, please open a case with NetApp support.
“Create New Volume” fails when SMB protocol is specified along with Active Directory settings:
ERROR 1: Reason: SecD Error: no server available
SOLUTION 1: DNS port 53 (TCP or UDP) may be blocked. Verify that this port is reachable between the DNS server and the cloud volume IP.
SOLUTION 2: Verify that DNS SRV (Service Location) records exist for Kerberos and LDAP on the DNS server.
SOLUTION 3: Kerberos port 88 (TCP) may be blocked. Verify that this port is reachable between the KDC server and the cloud volume IP.
SOLUTION 4: LDAP port 389 (TCP or UDP) may be blocked. Verify that this port is reachable between the LDAP server and the cloud volume IP.
SOLUTION 5: Verify SMB2 protocol version is enabled on the Domain Controller.
SOLUTION 6: Verify the account password specified in the Active Directory configuration is correct.
SOLUTION 7: Verify the account has permissions in Active Directory to join computer objects.
SOLUTION 8: Disable LDAP server signing requirements on the Domain Controller.
Can the Microsoft Client for NFS be used with Cloud Volumes?
The Microsoft Client for NFS is not compatible with Cloud Volumes.
Does Cloud Volumes Service Sync support a data broker per region?
At this time, only one data broker is allowed across all regions. If multiple brokers are required in different regions, use the Cloud Sync standalone interface.
How are the data broker logs accessed?
Allow SSH to the data broker in its security group.
SSH to the data broker.
Log files are located in /opt/netapp/databroker/logs.
Problem: Access Denied seen on transfer
Use the following checklist to assist with resolution:
Confirm that the data broker has access to both source and destination
If using CIFS for the transfer protocol, ensure that share ACLs on both source/destination allow the user chosen to transfer the data
If using NFS for the transfer protocol, ensure that the export policy allows the IP of the data broker to mount with root/superuser access.
Test access to both sides by mounting the exports manually from the data broker and attempting a test write to the destination.
If the volume is specified as ‘Dual-protocol’ with NTFS security style and NFS as the transferring protocol:
Consider whether manipulation of NT DACLs or UNIX mode bits will be the preferred method for permissions management.
If UNIX mode bits management is desired, change the volume to ‘unix’ security style.
If NT DACLs will be used, a user mapping will be required for root to \root.
This will require that \root be created in the AD domain that the CVS volume is joined to.
What maximum bandwidth should be expected from a Cloud Volumes Service volume?
A Cloud Volumes Service volume’s maximum bandwidth is a function of both the service level assigned to the volume as well as the volume’s allocated capacity. This matrix displays the maximum bandwidth given the service level and allocated capacity.