Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition

Solution Type: Technical Instruction
Sure Solution 1002398.1: Configuring the Sun StorEdge[TM] 5210/5310 NAS Appliance for use in an Active Directory Environment
Previously Published As: 203358

Description

This document provides the steps to configure the Sun StorEdge[TM] 5210/5310 NAS Appliance for use in an Active Directory environment.

Steps to Follow

An incorrectly configured 5210/5310 will produce errors similar to the following when attempting to join a Windows 2000/Windows 2003 Active Directory domain:

    ads: Retry kinit to acquire credential.
    kinit: Cannot resolve network address for KDC in requested realm
    ads: major status error: The routine must be called again to complete its function
    ads: minor status error: No credentials cache file found
    No Master Browsers found for TB-AMERICA
    Join domain [local]: locate failed
    kinit: Cannot resolve network address for KDC in requested realm
    ads: minor status error: Bad format in credentials cache
    token[TB-AMERICA\Administrator]: retry
    ads: Retry kinit to acquire credential.
    kinit: Cannot resolve network address for KDC in requested realm
    ads: minor status error: Bad format in credentials cache

To resolve these errors, follow the steps presented below.

Configuring the 5210/5310 for use in an Active Directory Environment

NOTE: The following steps must be done on both heads if a clustered 5310 is being configured for Active Directory.

--------------------------------------------------------------------

1. Create a machine account for the 5210/5310 in the Windows 2000/2003 ADS domain.

   Every computer in a Windows NT 4.0 or higher domain environment has a device or computer account. Just as users require a valid account before being allowed to access a networked resource, machines and other devices participating in an Active Directory domain have a machine account, which is used for authenticating and auditing computer access to the network and for access control, security, and management of domain resources.

2. Set up Active Directory Service (ADS).

   Note: Prior to enabling ADS, you must verify that the Sun StorEdge 5210/5310 NAS time is within five minutes of any ADS Windows 2000/2003 domain controller. If it is not, authentication will not occur. To verify the Sun StorEdge[TM] 5210/5310 NAS time, select System Operations > Set Time and Date from the navigation panel.

   Then enter the following:

   a. In the Domain field, enter the Windows 2000/2003 domain in which ADS is running. The Sun StorEdge 5210/5310 NAS must belong to this domain.
   b. In the User Name field, enter the user name of a Windows 2000/2003 user with administrative rights. This person must be the domain administrator or a user who is a member of the domain administrators group. The ADS client verifies secure ADS updates with this user.
      Note: If you enter the domain administrator name here and the ADS update fails, you must change the domain administrator password (on the domain controller). Only the administrator user must do this, and the same password can be reused. For more information, refer to the Microsoft Support Services Web site, Article Q248808.
   c. In the Password field, enter the Windows 2000/2003 administrative user's password.
   d. In the Container field, enter the ADS path location of the Windows 2000/2003 administrative user in Lightweight Directory Access Protocol (LDAP) distinguished name (DN) notation. Do not include the domain name in the path.
   e. Enter the name of the local ADS site in the Site field.
   f. In the Kerberos Realm Info section, enter the Realm name used to identify ADS. This is normally the ADS domain or the DNS domain. When you click Apply, this entry is converted to all upper-case letters.
   g. In the Server field, enter the host name of the Kerberos Key Distribution Center (KDC) server. This is usually the host name of the main domain controller in the ADS domain.

3. Verify the DNS configuration.

   It is recommended that you use Dynamic DNS because with it Active Directory servers can automatically register the necessary records in DNS. Static DNS servers work equally well, but you must enter the DNS registrations manually. Dynamic DNS eliminates the need for WINS because it allows clients with dynamically assigned addresses to register directly with the DNS server and update the DNS table on the fly. For Windows 2000/2003, dynamic updates are typically requested when either a DNS name or IP address changes on the computer.

   DNS Configuration: In order to determine whether the NAS is joining a Windows NT 4.0 domain or an Active Directory environment, and to locate the domain controllers, the Kerberos Key Distribution Center (KDC) and other required services, CIFS relies on a properly configured DNS. If DNS is not enabled or is improperly configured, the domain-joining phase will fail, or, if a Microsoft Windows Internet Naming Service (WINS) server is running, the NAS will assume that the domain is an NT 4.0 domain.

   a. In the Navigation panel make the following selections: Network Configuration > Configure TCP/IP > Set Up DNS.
   b. If DNS is not enabled, select the Enable DNS checkbox.
   c. Supply a Domain Name. This Domain Name MUST be the ADS domain.
   d. Supply 1 or 2 IP addresses you want the 5210/5310 to use as DNS servers.
   e. Select the Enable Dynamic DNS checkbox to let a Dynamic DNS client add the Sun StorEdge 5210/5310 NAS into the DNS namespace. You must also configure the Kerberos realm and KDC server as described above. If you enable Dynamic DNS by selecting this checkbox, non-secure dynamic updates occur automatically if they are allowed by the DNS server.

   To enable secure Dynamic DNS updates, complete the following information. This information is not required for non-secure updates.

   a. In the DynDNS User Name field, enter the user name of a Windows 2000/2003 user with whom the dynamic DNS client can verify secure dynamic DNS updates. This user must reside within the ADS domain and Kerberos realm specified in the Configure Domains and Workgroups panel described above.
      Note: If you enter the domain administrator name here and the ADS update fails, the domain administrator must change the password (on the domain controller). Only the administrator user must do this, and the same password can be reused. For more information, refer to the Microsoft Support Services Web site, Article Q248808.
   b. In the DynDNS Password field, enter the password of the DynDNS user. If you update this field, delete the entire password before entering a new one.

4. The following section only pertains to a Windows 2003 installation.

   If you cannot connect or authenticate to a Windows 2003 domain controller, perform the following steps. By default Windows 2003 is configured to require signed digital communications from clients. This is also known as SMB packet signing. StorEdge does not support packet signing. Therefore, Windows 2003 must be configured to negotiate packet signing rather than assuming that it is present.

   1. To configure this, you must access the Local Security Policy Editor on the Windows 2003 Server.
   2. Next, navigate to Security Settings > Local Policies > Security Options.
   3. Scroll down to "Microsoft network server: Digitally sign network communications (always)".
   4. Double-click the entry and click the Disabled button.
   5. Click OK.

   Changing this setting does not restrict the Windows 2003 server from using packet signing with those clients that support it.

   If a clustered 5310 is being configured, perform the same steps on the other NAS head.

Performing the above steps should now allow the 5210/5310 to properly authenticate with a Windows 2000 or 2003 Active Directory environment.
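As an added example (not part of the Sun document), the following Python pre-flight script maps the kinit/ads error lines quoted at the top of the procedure to the step that usually resolves them and checks the five-minute Kerberos clock-skew requirement from step 2; the error-to-step mapping is this example's own assumption drawn from the steps above, and the sample log is constructed from the quoted lines.

```python
"""Pre-flight triage for joining a StorEdge 5210/5310 to an ADS domain.
Added example, not from the Sun document; the error-to-step mapping is an
assumption derived from the article's steps, not vendor guidance."""
from datetime import datetime, timedelta

# Substrings of the error lines quoted in the article -> suggested step.
ERROR_HINTS = [
    ("Cannot resolve network address for KDC",
     "Step 2g/3: DNS cannot resolve the KDC; enable DNS with the ADS domain and set the KDC host name"),
    ("No credentials cache file found",
     "Step 2: kinit obtained no ticket; check user name, password and container DN"),
    ("No Master Browsers found",
     "Step 3: no DNS or WINS answer; the NAS may treat the domain as NT 4.0"),
    ("Join domain [local]: locate failed",
     "Step 1/3: machine account or domain controller could not be located"),
    ("Bad format in credentials cache",
     "Step 2: kinit failed; see Q248808 (reset the admin password) and recheck the realm"),
]

MAX_SKEW = timedelta(minutes=5)  # Kerberos tolerance stated in step 2

# Constructed sample, built from the error lines quoted in the article.
SAMPLE_LOG = [
    "ads: Retry kinit to acquire credential.",
    "kinit: Cannot resolve network address for KDC in requested realm",
    "ads: minor status error: No credentials cache file found",
    "No Master Browsers found for TB-AMERICA",
    "Join domain [local]: locate failed",
    "ads: minor status error: Bad format in credentials cache",
]


def triage(log_lines):
    """Return ordered, de-duplicated remediation hints for the given log lines."""
    hints = []
    for line in log_lines:
        for needle, hint in ERROR_HINTS:
            if needle in line and hint not in hints:
                hints.append(hint)
    return hints


def clock_skew_ok(nas_time, dc_time, max_skew=MAX_SKEW):
    """True when the NAS and domain controller clocks are within max_skew."""
    return abs(nas_time - dc_time) <= max_skew


def realm_from_domain(domain):
    """The appliance upper-cases the Kerberos realm on Apply; mirror that."""
    return domain.strip().upper()
```

Feed the script the ads/kinit output captured from the NAS to get the ordered list of steps to recheck; a retry line on its own produces no hint.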
Product

Sun StorageTek 5310 NAS Gateway System
Sun StorageTek 5310 NAS Appliance
Sun StorageTek 5210 NAS Appliance

Internal Comments

For additional information, please see the Sun StorEdge 5310 NAS Appliance and Gateway System Administration Guide available from: http://pts-storage.west/products/SE5210/index07.html

Keywords: 5210, 5310, Active Directory, Windows 2000, Windows 2003, ADS

Previously Published As: 82792

Change History

Date: 2006-04-12  User Name: 111868  Action: Approved  Comment: publishing  Version: 6
Date: 2006-04-11  User Name: 111868  Action: Accept  Comment: (none)  Version: 0
Date: 2006-04-11  User Name: 109562  Action: Approved  Comment: Additional information available from PTS website

Attachments: This solution has no attachment.