Active Directory page alerts

The alerts in the table below are listed alphabetically by their mouse-over text.

Icon Mouse-over text Description

Active Directory enabled for default namespace only.

Either:

- AD authentication is enabled only for the default namespace and is not currently supported for HCP namespaces. This can happen after an upgrade, where the CIFS protocol was enabled for the default namespace with AD authentication before the upgrade occurred. To enable support for AD for HCP namespaces, enable HCP support for AD on the Active Directory page in the HCP System Management Console.

- In the username mapping file used by the CIFS protocol for the default namespace, one or more usernames map to the same UID. Only one username can map to any given UID.

Active Directory secure connection issue

HCP could not communicate with AD due to a problem with the AD SSL server certificate uploaded to HCP. Ensure that you have the correct certificate. Then upload the certificate again on the Active Directory page in the HCP System Management Console. If the problem persists, please contact your authorized HCP service provider.

Cannot access Key Distribution Center

HCP cannot access the Key Distribution Center in the AD domain specified in the HCP AD configuration. Check that both the AD domain controller and the network connection between HCP and that AD domain controller are healthy. If they both appear to be working properly, please contact your authorized HCP service provider.

Cannot access LDAP server

HCP cannot access the LDAP server for the AD domain specified in the HCP AD configuration. Check that both the LDAP server and the network connection between HCP and that server are healthy. If they both appear to be working properly, please contact your authorized HCP service provider.

Could not establish connection with Active Directory - add certificate again.

HCP could not communicate with AD due to a problem with the AD SSL server certificate uploaded to HCP. Ensure that you have the correct certificate. Then upload the certificate again on the Active Directory page in the HCP System Management Console. If the problem persists, please contact your authorized HCP service provider.

DNS correctly configured.

HCP is configured to use DNS.

DNS is not enabled. Active Directory requires DNS be enabled.

HCP is not configured to use DNS. For HCP to work with AD, HCP must be configured as a subdomain in your DNS. For instructions on configuring the HCP subdomain, see Configuring DNS for HCP.

HCP computer account missing.

The HCP computer account is missing from the AD domain. Reconfigure HCP support for AD on the Active Directory page in the HCP System Management Console.

IP lookup failed for Active Directory server server-name.

HCP was unable to do an IP lookup of an IP address used to communicate with the AD domain controller for either the Key Distribution Center or the LDAP server. Ensure that the DNS configuration includes all A and AAAA records needed to resolve the IP addresses that HCP uses to communicate with the indicated domain controller.

No external time server configured. Active Directory recommends an external time server.

HCP is configured to use itself as a time server. For HCP to work with AD, HCP time must be within five minutes of AD time. The recommended configuration is for HCP and AD to use the same external time server.

No Key Distribution Center found

HCP cannot find a Key Distribution Center in the AD domain specified in the HCP AD configuration. Ensure that AD is correctly configured in your DNS. If the problem persists, please contact your authorized HCP service provider.

No LDAP server found

HCP cannot find an LDAP server in the AD domain specified in the HCP AD configuration. Ensure that AD is correctly configured in your DNS. If the problem persists, please contact your authorized HCP service provider.

Nodes correctly configured.

All of these conditions are true:

- The computer accounts for all nodes are present in the AD domain. These accounts are created automatically when you configure HCP to support AD.

- All nodes have valid credentials for the HCP computer account used to query AD for groups.

- All nodes can connect to AD.

Nodes misconfigured.

At least one of these conditions is true:

- The computer account for one or more nodes is missing from the AD domain. These accounts are created automatically when you configure HCP to support AD.

- The credentials for the HCP computer account used to query AD for groups and other information are invalid on one or more nodes.

- One or more nodes cannot connect to AD.

To resolve these issues, reconfigure support for AD on the Active Directory page in the HCP System Management Console. If the problem persists, please contact your authorized HCP service provider.

Reverse IP lookup failed for Active Directory server server-name. Record for server-ip-address not found.

Given the indicated IP address, HCP was unable to do a reverse IP lookup of the hostname of the AD domain controller. Ensure that your DNS includes a PTR record for that IP address that specifies the correct domain controller hostname.

Reverse IP lookup mismatch for Active Directory server server-name. Record for server-ip-address points to server other-server-name.

HCP was able to do a reverse IP lookup of an IP address used to communicate with the AD domain controller, but the PTR record identifies a different domain controller. Ensure that your DNS configuration includes a PTR record for the indicated IP address that specifies the correct domain controller hostname.

Service principal names are missing.

The SPN attribute for one or more tenants or namespaces is missing from the AD domain. If the HCP system is involved in replication, these tenants and namespaces could be defined in any system in the replication topology.

If the missing SPN attribute is for a namespace, have the administrator for the tenant that owns the namespace disable and reenable AD single sign-on for the namespace. If the missing SPN attribute is for a tenant, disable and reenable AD authentication for the tenant. If the issue is still not resolved, reconfigure HCP support for AD on the Active Directory page in the HCP System Management Console.

If the problem persists, please contact your authorized HCP service provider.

System correctly configured.

All of the following are true:

- No HCP components are missing from the AD domain.

- The HCP configuration of AD support is complete (that is, it’s not configured only for the CIFS protocol for the default namespace).

- The username mapping file used by the CIFS protocol does not contain any invalid mappings.

Time server correctly configured.

HCP is configured to use an external time server.
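
The three DNS lookup alerts in the table above (IP lookup failed, Reverse IP lookup failed, Reverse IP lookup mismatch) can be reproduced from an administrator workstation before reconfiguring anything. The following is an added example, not HCP's own check: it classifies a domain controller's A/AAAA and PTR records into those three conditions. The hostnames, addresses and finding labels are constructed for illustration.

```python
import socket

def forward_lookup(hostname):
    """Return the set of A/AAAA addresses for hostname (live DNS)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except socket.gaierror:
        return set()

def reverse_lookup(ip):
    """Return the PTR hostname for ip, or None when no record exists (live DNS)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def check_dc_dns(dc_hostname, forward=forward_lookup, reverse=reverse_lookup):
    """Classify a domain controller's DNS records into the alert conditions above."""
    addresses = sorted(forward(dc_hostname))
    if not addresses:
        return [("ip-lookup-failed", dc_hostname, None)]
    findings = []
    for ip in addresses:
        ptr = reverse(ip)
        if ptr is None:
            findings.append(("reverse-lookup-failed", ip, None))
        # DNS names are case-insensitive and may carry a trailing dot.
        elif ptr.rstrip(".").lower() != dc_hostname.rstrip(".").lower():
            findings.append(("reverse-lookup-mismatch", ip, ptr))
    return findings

# Constructed sample zone data (documentation address ranges, hypothetical hostnames).
SAMPLE_A = {
    "dc1.ad.example.com": {"192.0.2.10", "2001:db8::10"},
    "dc2.ad.example.com": {"192.0.2.11"},
}
SAMPLE_PTR = {
    "192.0.2.10": "DC1.ad.example.com.",  # matches after normalization
    "192.0.2.11": "dc1.ad.example.com",   # stale PTR naming the other DC
    # 2001:db8::10 deliberately has no PTR record
}

def check_sample(hostname):
    """Run the check against the constructed records instead of live DNS."""
    return check_dc_dns(hostname,
                        forward=lambda h: SAMPLE_A.get(h, set()),
                        reverse=SAMPLE_PTR.get)

if __name__ == "__main__":
    for host in ("dc1.ad.example.com", "dc2.ad.example.com", "dc3.ad.example.com"):
        print(host, check_sample(host) or "OK")
```

Calling `check_dc_dns("your-dc-hostname")` with the default arguments runs the same classification against live DNS. Note that an IPv6 address missing its PTR record is reported even when the IPv4 record is correct.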

© 2017 Hitachi Data Systems Corporation. All rights reserved.