Nutanix AFS – Domain Activation

Well if it’s not DNS stealing hours of your life, the next thing to make your partner angry as you miss family supper is Active Directory(AD). In more complex AD setups you may find your self going to the command line to attach your AFS instance to AD.

Some important requirements to remember:

    While a deployment could fail due to AD, the FSVM(file server VMs) still get deployed. You can do the join domain process from the UI or NCLI afterwards.


    The user attaching to the domain must be a domain admin or have similar rights. Why? The join domain process will create 1 computer account in the default Computers OU and create A service principal name (SPN) for DNS. If you don’t use the default Computers OU you will have to use the organizational-unit option from NCLI to change it to the appropriate OU. The computer account can be created in a specified container by using a forward slash mark to denote hierarchies (for example, organizational_unit/inner_organizational_unit).



    Command was

    ncli> fs join-domain uuid=d9c78493-d0f6-4645-848e-234a6ef31acc organizational-unit="stayout/afs" windows-ad-domain-name=tenanta.com preferred-domain-controller=tenanta-dc01.tenanta.com windows-ad-username=bob windows-ad-password=dfld#ld(3&jkflJJddu

    AFS needs at least 1 writable DC to complete the domain join. After the domain join is can authenticate using a local read only DC. Timing (latency) may cause problems here. To pick an individual DC you can use preferred-domain-controller from the NCLI.

NCLI Join-Domain Options

file-server | fs : Minerva file server

join-domain : Join the File Server to the Windows AD domain specified.

Required Argument(s):
uuid : UUID of the FileServer
windows-ad-domain-name : The windows AD domain the file server is
associated with.
windows-ad-username : The name of a user account with administrative
privileges in the AD domain the file server is associated with.
windows-ad-password : The password for the above Windows AD account

Optional Argument(s):
organizational-unit : An Organizational unit container is where the AFS
machine account will be created as part of domain join
operation. Default container OU is "computers". Examples:
Engineering, Department/Engineering.
overwrite : Overwrite the AD user account.
preferred-domain-controller : Preferred domain controller to use for
all join-domain operations.

NOTE: preferred-domain-controller needs to be FQDN

If you need to do further troubleshooting you can ssh into one of the FSVMs and run

afs get_leader

Then navigate to the /data/logs and look at the minerva logs.

Shouldn't be an issue in most environments but I've included used ports just in case.

Required AD Permissions

Delegating permissions in an Active Directory (AD) enables the administrator to assign permissions in the directory to unprivileged domain users. For example, to enable a regular user to join machines to the domain without knowing the domain administrator credentials.

Adding the Delegation
To enable a user to join and remove machines to and from the domain:
- Open the Active Directory Users and Computers (ADUC) console as domain administrator.
- Right-click to the CN=Computer container (or desired alternate OU) and select "Delegate control".
- Click "Next".
- Click "Add" and select the required user and click "Next".
- Select "Create a custom task to delegate".
- Select "Only the following objects in the folder" and check "Computer objects" from the list.
- Additionally select the options "Create selected objects in the folder" and "Delete selected objects in this folder". Click "Next".
- Select "General" and "Property-specific", select the following permissions from the list:
- Reset password
- Read and write account restrictions
- Read and write DNS host name attributes
- Validated write to DNS host name
- Validated write to service principal name
- Write servicePrincipalName
- Write Operating System
- Write Operating System Version
- Write OperatingSystemServicePack
- Click "Next".
- Click "Finish".
After that, wait for AD replication to finish and then the delegated user can use its credentials to join AFS to a domain.

Domain Port Requirements

The following services and ports are used by AFS file server for Active Directory communication.

UDP and TCP Port 88
Forest level trust authentication for Kerberos
UDP and TCP Port 53
DNS from client to domain controller and domain controller to domain controller
UDP and TCP Port 389
LDAP to handle normal queries from client computers to the domain controllers
UDP and TCP Port 123
NTP traffic for the Windows Time Service
UDP and TCP Port 464
Kerberos Password Change for replication, user and computer authentication, and trusts
UDP and TCP Port 3268 and 3269
Global Catalog from client to domain controllers
UDP and TCP Port 445
SMB protocol for file replication
UDP and TCP Port 135
Port-mapper for RPC communication
UDP and TCP High Ports
Randomly allocated TCP high ports for RPC from ports 49152 to ports 65535


    1. Dan Chilton says:

      Good tips Dwayne

    Speak Your Mind