Dell EMC Unity: NAS Servers displays error "DC cannot open NETLOGON pipe" (User Correctable)
Summary: This article describes a condition that affects Dell EMC Unity systems that were recently upgraded to Unity OE version 5.0.6, which introduces support for the secure RPC function.
This solution applies when a minimum of one Windows Server 2008 or earlier Domain Controller is in use and is connected to Unity's NAS server. This solution does not apply to Windows Server 2008R2 and later Domain Controllers.
After upgrading the Unity system to OE version 5.0.6, some NAS Servers are affected by this error message:
DC cannot open NETLOGON pipe.
This occurs intermittently and at random, affecting several NAS Servers at the same time or individually, but there is always at least one displaying this error.
Users can access the share using the FQDN, but are not able to access it using the IP address.
When running the command svc_cifssupport <NAS_server_name> -pdcdump, it shows the following error:
Cnx=WRONG_CREDENTIAL_HANDLE,DC cannot open NETLOGON pipe
Cause
As part of providing Secure RPC functionality in Dell EMC Unity OE version 5.0.6, the "getDCcapas" function was introduced, in accordance with the Microsoft Netlogon function specification to support Microsoft's ServerCapabilities parameter. However, this function was only added to supported versions of Windows Server. Therefore, the function is not implemented in Windows Server 2008 and earlier.
Microsoft Reference Document: [MS-NRPC]: Netlogon Remote Protocol - 7 Appendix B: Product Behavior Section 3.5.4.4.10: The ServerCapabilities parameter is not supported by Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008.
Resolution
Resolution: The safest long-term solution is to upgrade any Domain Controllers connecting with Unity systems running 5.0.6 or later to a supported version of Windows Server. Until then, see the Workaround section below.
Workaround: Since the parameter "param NTsec.NETLOGON.getDCcapas" in Dell EMC Unity systems controls how NAS servers check DC capabilities, the workaround is to modify the parameter to disable this feature.
IMPORTANT NOTE: In environments where multiple Domain Controllers exist, and at least one is on an older Windows Server version, and at least one is on a newer Windows Server version (e.g. 2003 and 2012), it appears that disabling the ServerCapabilities function does not negatively impact the newer versions. This indicates that Microsoft is not enforcing the use of this function. However, this may change at some time in the future, and users must decide between older or newer versions of Windows Server to run against that SP.
If you must implement the change immediately and you cannot reboot your SP, contact Dell Technical Support or your Authorized Service Provider and quote this Knowledgebase article. The workaround can be implemented in a different way, but it requires elevated privilege. Note that this parameter can only be implemented at the SP level and thus, affects ALL NAS servers across the SP.
If you can implement the change and reboot your SP, follow the steps below:
Step 1 Run command: svc_nas ALL -param -facility NTsec -m NETLOGON.getDCcapas -v 0
service@spb:~/user# svc_nas ALL -param -facility NTsec -m NETLOGON.getDCcapas -v 0
param NTsec.NETLOGON.getDCcapas added into the list of visible params
SPA : done
Warning 17716815750: SPA : You must reboot the SP for NETLOGON.getDCcapas changes to take effect.
SPB : done
Warning 17716815750: SPB : You must reboot the SP for NETLOGON.getDCcapas changes to take effect.
Step 2 Reboot Storage Processors (SPs), one at a time.
Additional Information
To confirm if the Dell Unity Array is experiencing this issue:
From EMCSystemLogFile.log:
service@spb:~/user# tailf 00_emc_backend_log_shared/EMCSystemLogFile.log |grep -i "WRONG_CREDENTIAL_HANDLE"
B 03/18/21 09:43:44.507 DART_SMB 10380008 [WARN] Audit: For the NAS server NAS in the domain DOMAIN, the DC DC01has the following error: compname nas DC=DC01 Step='Open NETLOGON Secure Channel' ' ' 'DC cannot open NETLOGON pipe: status=WRONG_CREDENTIAL_HANDLE '.
B 03/18/21 09:43:46.559 DART_SMB 10380008 [WARN] Audit: For the NAS server NAS in the domain DOMAIN, the DC DC02 has the following error: compname nas DC=DC02 Step='Open NETLOGON Secure Channel' ' ' 'DC cannot open NETLOGON pipe: status=WRONG_CREDENTIAL_HANDLE '.
From c4_safe_ktrace.log:
service@spb:~/user# tailf 02_emc_c4core_log/c4_safe_ktrace.log |grep -i "WRONG_CREDENTIAL_HANDLE"
B 03/30/21 10:37:50.307 sade d927f702 c4_safe_ktrace SMB: 3:[NAS] Srv=NAS DC=DC01 buildSecureChannel(2)=Capa_ErrorQueryFailed NTStatus=WRONG_CREDENTIAL_
B 03/30/21 10:37:50.307 sade d927f702 c4_safe_ktrace SMB: 3:[NAS] HANDLE pwdno=2
B 03/30/21 10:37:50.307 sade d927f702 c4_safe_ktrace SMB: 3:[NAS] NLogon_SecureChannel not OK=Capa_ErrorQueryFailed
B 03/30/21 10:37:50.307 sade d927f702 c4_safe_ktrace SMB: 3:[NAS] smbSync failed to create new SecureChannel DC=DC01 NTstatus=SUCCESS LogonStatus=Capa_ErrorQueryFai
B 03/30/21 10:37:50.307 sade d927f702 c4_safe_ktrace SMB: 3:[NAS] led SessionKey:StrongKeys authV:[PRIVACY,sign:HMAC_MD5,seal:RC4]
B 03/30/21 10:37:50.307 sade d927f702 c4_safe_ktrace SMB: 6:[NAS] DC0x00175e1038: setDCDown DC(xx.xx.xxx.xxx), refresh if needed (origin=netLogonAuth2)
B 03/30/21 10:37:50.307 sade d927f702 c4_safe_ktrace SMB: 3:[NAS] smbSync SamLogon[0] DC=DC01 'DC cannot open NETLOGON pipe' NTstatus=WRONG_CREDENTIAL_HANDLE LogonS
B 03/30/21 10:37:50.307 sade d927f702 c4_safe_ktrace SMB: 3:[NAS] tatus=Capa_ErrorQueryFailed (rSCstatus=-1 pipeClosed=0)
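
An added example, not part of the Dell article or of Dell tooling: a Python parser for the EMCSystemLogFile.log audit lines quoted above that lists which NAS server/DC pairs report WRONG_CREDENTIAL_HANDLE. With `since` set to the SP reboot time, it shows whether the errors stopped after the workaround. The function names and the third sample line are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field layout taken from the EMCSystemLogFile.log lines quoted in the article.
# The DC name is read from the DC=<name> key, not from the free-text sentence,
# which can lose its spacing (e.g. "DC01has").
AUDIT_RE = re.compile(
    r"^(?P<sp>[AB]) (?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d\.\d+) .*?"
    r"For the NAS server (?P<nas>\S+) in the domain (?P<domain>\S+),.*?"
    r"\bDC=(?P<dc>\S+) Step='(?P<step>[^']*)'.*status=(?P<status>\w+)"
)

def parse_audit(line):
    """Return the fields of one secure-channel audit line, or None."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Timestamps in the samples are MM/DD/YY with millisecond precision.
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%y %H:%M:%S.%f")
    return rec

def summarise(lines, status="WRONG_CREDENTIAL_HANDLE", since=None):
    """Count matching events per (NAS server, DC), optionally from `since` on."""
    out = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in lines:
        rec = parse_audit(line)
        if rec is None or rec["status"] != status:
            continue
        if since is not None and rec["ts"] < since:
            continue
        entry = out[(rec["nas"], rec["dc"])]
        entry["count"] += 1
        entry["first"] = min(entry["first"] or rec["ts"], rec["ts"])
        entry["last"] = max(entry["last"] or rec["ts"], rec["ts"])
    return dict(out)

# First two lines are the article's own samples; the third is constructed.
SAMPLE = [
    "B 03/18/21 09:43:44.507 DART_SMB 10380008 [WARN] Audit: For the NAS server NAS in the domain DOMAIN, the DC DC01has the following error: compname nas DC=DC01 Step='Open NETLOGON Secure Channel' ' ' 'DC cannot open NETLOGON pipe: status=WRONG_CREDENTIAL_HANDLE '.",
    "B 03/18/21 09:43:46.559 DART_SMB 10380008 [WARN] Audit: For the NAS server NAS in the domain DOMAIN, the DC DC02 has the following error: compname nas DC=DC02 Step='Open NETLOGON Secure Channel' ' ' 'DC cannot open NETLOGON pipe: status=WRONG_CREDENTIAL_HANDLE '.",
    "B 03/18/21 09:43:47.000 EXAMPLE 00000000 [INFO] constructed unrelated line",
]

if __name__ == "__main__":
    for (nas, dc), e in sorted(summarise(SAMPLE).items()):
        print(f"{nas} -> {dc}: {e['count']} event(s), last {e['last']:%Y-%m-%d %H:%M:%S}")
```

The DCs listed are the ones to check against the Windows Server 2008 or earlier condition described under Cause.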