Joining a NetApp to a domain on a Read Only Domain Controller

Tags: active-directory, kerberos, netapp, rodc, storage

I have an isolated network, into which I've built a vfiler. The point of this network is that it's a non routed 'test' network.

However, there's a need for LDAP/Kerberos and CIFS access to the filer, via domain level accounts.

So we have Read Only domain controllers deployed.

To join a Windows box to the RODC, we would:

  • create a machine account by hand.
  • join the domain, and specify the machine account password on the client.

A spot of googling finds me: https://kb.netapp.com/support/index?page=content&id=1012918

Where the advice is: Point the filer at a writable DC manually first.

I'd rather not do that if I can avoid it – I don't have writable DCs on this piece of the network deliberately. More importantly – my vfilers are on an ipspace, so I can't even temporarily 'jump over' to a network with the right access. (Which is sort of the point I guess, but even so…)

Does anyone have a suggestion for how I can accomplish this – I'm assuming I may need to extract some information from my DC and transfer it over, such as a servicePrincipal. Or perhaps just 'set' my CIFS password manually somewhere.

Best Answer

You can temporarily jump back by adding a routable interface to the IPSpace; then you could join the domain and then remove that interface from the IPSpace.