Implementing Azure NetApp Files with Kerberos

Published Feb 09 2022 06:02 PM 1,856 Views
Microsoft

Implementing Azure NetApp Files with Kerberos

PoC and Validation

Kerberos with ANF for SAP HANA

Encryption is a very big topic when it comes to data security especially in public clouds.

Azure NetApp Files (ANF) supports DES, Kerberos AES 128, and Kerberos AES 256 encryption types (from the least secure to the most secure). If you enable AES encryption, the user credentials used to join Active Directory must have the highest corresponding account option enabled that matches the capabilities enabled for your Active Directory.

The question which has to be answered is if Kerberos adds additional value to the overall system security and system performance. Encryption always will cost CPU cycles and will also enlarge the storage latency. With SAP HANA you can enable LSS encryption which will encrypt the data additionally before the data will be written to the storage. At the storage the data will be encrypted at REST a second time by default. So, enabling Kerberos the data would be encrypted a third time which obviously has the biggest impact since this encryption is in the data path.

 

Anyway, the request to enable Kerberos is coming more and more.

This document will try to describe the configuration and will also try to show the impact when Kerberos is enabled.

 

To start with I will show the starting point without enabling Kerberos and LSS. The numbers here are the so, called “default”.

Before you begin read:

Compare Active Directory-based services in Azure | Microsoft Docs

We will use Azure Active Directory Domain Services (Azure AD DS) in this documentation.

Overview of Azure Active Directory Domain Services | Microsoft Docs

Kerberos Authentication

Kerberos Authentication Overview | Microsoft Docs

ANF – Kerberos configuration

Create and manage Active Directory connections for Azure NetApp Files | Microsoft Docs

Configure NFSv4.1 Kerberos encryption for Azure NetApp Files | Microsoft Docs

Performance impact of Kerberos on Azure NetApp Files NFSv4.1 volumes | Microsoft Docs

 

The NetApp TR-4616 is also a very good information how to configure Kerberos and also describes some Kerberos terms very detailed.

TR-4616: NFS Kerberos in ONTAP (netapp.com)

 

Some facts to know:

Performance impact of Kerberos on Azure NetApp Files NFSv4.1 volumes | Microsoft Docs

The security options currently available for NFSv4.1 volumes are as follows:

  • sec=sys uses local UNIX UIDs and GIDs by using AUTH_SYS to authenticate NFS operations.
  • sec=krb5 uses Kerberos V5 instead of local UNIX UIDs and GIDs to authenticate users.
  • sec=krb5i uses Kerberos V5 for user authentication and performs integrity checking of NFS operations using secure checksums to prevent data tampering.
  • sec=krb5p uses Kerberos V5 for user authentication and integrity checking. It encrypts NFS traffic to prevent traffic sniffing. This option is the most secure setting, but it also involves the most performance overhead.

Throughput here the baseline is 128MB (max):

Sec=sys

120MB/s

Sec=krb5

95.1MB/s

Sec=krb5i

94.5MB/s

Sec=krb5p

23.8MB/s

 

Reference (German) NFS mit Kerberos sichern › Kerberos › Wiki › ubuntuusers.de

 

This is the test setup

RalfKlahr_69-1644399736733.png

 

SUSE documentation

Network Authentication with Kerberos | Security and Hardening Guide | SUSE Linux Enterprise Server 1...

 

First some Performance measurements with and without Kerberos:

 

Data and Log volumes:

I used a 12TiB Ultra Volume for the tests. Both tests (data and Log) are pointing to the same volume.

 

HCMT native no Kerberos:

RalfKlahr_70-1644399789787.png

 

HCMT with Kerberos krb5

RalfKlahr_2-1644399601135.png

 

HCMT with Kerberos krb5i

RalfKlahr_3-1644399601152.png

 

We also tested Kerberos 5p. However, based on the throughput we could achieve, and which is not shown here, it is not recommended to use Kerberos 5p. The impact on throughput and latency was very significant. The performance penalty for Kerberos 5p is by far too high to meet any SAP HANA or any other DBMS KPI. We even got dumps with the random 1M data file read which caused HCMT to break.

So available and recommended Kerberos flavors are 5 and 5i but NOT 5p.

 

HANA Stress tool

This tool (from GitHub) is creating 10000 tables and will add 20000 rows into each table.

I started the tool three times to see if there are no differences in the runs.

 

For the tests I am using two Ultra volumes – Data 4TB and Log 3TB

RalfKlahr_71-1644399901141.png

 

Native

anaadm@ralfvm01:/opt/hanastress> time ./hanastress.py -v --host localhost -i 00 -u HANASTRESS -p HANAStress02 -g <Group> --tables 10000 --rows 20000 
--threads 10
[info] Starting Generation...

 

real    12m.921s

user    0m1.084s

sys     0m0.559s

 

real    13m24.9s

user    0m1.002s

sys     0m0.592s

 

real    13m83.918s

user    0m1.005s

sys     0m0.575s

 

Kerberos 5

real    14m16.617s

user    0m10.739s

sys     0m6.127s

 

real    14m54.530s

user    0m10.764s

sys     0m6.055s

 

real    15m41.758s

user    0m10.798s

sys     0m6.294s

 

 

Kerberos 5i

real    16m20.946s

user    0m11.175s

sys     0m6.018s

 

real    16m52.497s

user    0m11.094s

sys     0m6.181s

 

real    17m36.939s

user    0m11.190s

sys     0m6.055s

 

 

This is the graphical overview. !!! Lower is better !!!

RalfKlahr_72-1644399952437.png

 

Setup of our test scenario

Azure AD DS

First create the Azure Active Directory Domain Service

RalfKlahr_73-1644399989731.png

Select the:

 

The user who is trying to create the AD DS must have the Global Administrator role for the Directory.

Select the:

RalfKlahr_8-1644399601169.png

Click on Create

 

RalfKlahr_9-1644399601171.png

 

RalfKlahr_10-1644399601177.png

 

RalfKlahr_11-1644399601181.png

 

Use the same vNET but let the service create a new subnet.

 

RalfKlahr_12-1644399601185.png

 

RalfKlahr_13-1644399601188.png

 

RalfKlahr_14-1644399601201.png

Click on Create after the validation was successful.

Kerberos RC4 Encryption

Enable or disable Kerberos RC4 encryption for your managed domain. When Kerberos RC4 encryption is disabled, all Kerberos requests that use RC4 encryption will fail.

 

Kerberos Armoring

Enable or disable Kerberos Armoring for your managed domain. This will provide a protected channel between the Kerberos client and the KDC.

 

Helpful Links

Harden an Azure Active Directory Domain Services managed domain

 

RalfKlahr_15-1644399601205.png

 

 

RalfKlahr_16-1644399601207.png

 

It will take several minutes to complete…

RalfKlahr_17-1644399601210.png

 

As the result Azure will create the Azure AD DS with two DNS IP addresses

Configure the vNET DNS config

After the Azure ADDS was deployed, we need to change the default DNS entry in the vNET settings.

RalfKlahr_18-1644399601213.png

 

RalfKlahr_19-1644399601216.png

 

RalfKlahr_20-1644399601219.png

If you do not sync all users only the Domain Admins will be synchronized from the Azure AD to the Azure AD DS.

 

The synchronization will take some time.

After the synchronization is done you must see al users in the Administrative User tool. Be aware that you cannot change or add users in this tool (the Azure AD DS is read only from this point)

 

RalfKlahr_0-1644400909383.png

Be aware that if you only have the Azure AD DS Service as your Domain Controller and AD you must reset the passwords if you like to authenticate towards the Azure AD DS service.

Passwords are not synced from the Azure AD.

RalfKlahr_1-1644400967930.png

 

Then log-off from the Azure portal and re-logon to the Azure portal. You now need to change the password. Now the password hash is also in the Azure AD DS.

 

Run ipconfig /renew after the reboot of the VM to switch from the Azure default DNS to the new created Azure AD DS

Before:

ipconfig /all

  DNS-Server . . . . . . . . . . . : 168.63.129.16

 

After..

ipconfig /renew
ipconfig /all

   DNS-Server  . . . . . . . . . . . : 10.4.2.4

 

Now you can join the domain….

Enable synchronization of password hashes from on-prem AD (if required)

If you select the Azure AD DS resource you see this picture on the right side. Click now Instructions for synced user accounts

Enable password hash sync for Azure AD Domain Services | Microsoft Docs

 

Check the AD settings from the JumpBox

RalfKlahr_23-1644399601263.png

 

Install the required DNS Tolls if you would like to manage the DNS as well.

RalfKlahr_24-1644399601279.png

When starting the DNS Editor you only need to specify the domain name.

RalfKlahr_25-1644399601283.png

 

If you like to add the Linux host in the domain simply specify the client here as new host.

 

RalfKlahr_26-1644399601296.png

You need to restart the nscd daemon on the client that the clint can ping the new defined entry.

ping ralfwest02.sapcontoso.com
ping: ralfwest02.sapcontoso.com: Name or service not known

 

systemctl restart nscd
ping ralfwest02.sapcontoso.com
64 bytes from ralfwest02.internal.cloudapp.net (10.4.0.5): icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from ralfwest02.internal.cloudapp.net (10.4.0.5): icmp_seq=2 ttl=64 time=0.044 ms

To understand the LDAP structure, it is important to start the ADSI Edit to view an understand
how the LDAP structure from the Azure AD DS looks like.

RalfKlahr_2-1644401554219.png

For the ANF SMB and Kerberos configuration the AADDS structure must be used.

This is the OU which must be configured in ANF for the AD join.

 

RalfKlahr_28-1644399601309.png

The hostname of the DNS Server for the ANF AD join can also be retrieved from the MMC

Start MMC on the JumpBox

RalfKlahr_3-1644401644121.png

Note the DNS hostname for the Kerberos Realm ANF config.

Azure AD DS User workaround

Because you cannot modify the G-id and U-id under OU=AADDS Users you need to create a new OU for the SAP LDAP users.

First create a new OU

RalfKlahr_30-1644399601319.png

Specify the name for the OU … can be anything, here I used SAP

 

RalfKlahr_5-1644401762616.png

Open the properties by right click on the SAP OU.

 

RalfKlahr_6-1644401762642.png

Note down the full OU. This is required for the ANF AD connection.

Here: OU=SAP,DC=sapcontoso,DC=com

LDAP User creation

Select the new OU (Organizational Unit) by a single click and use the add user button.

 

RalfKlahr_7-1644401762642.png

Specify the SIDadm user. Here anaadm

RalfKlahr_8-1644401762646.png

 

Specify the password for the user and click Next then finish.

RalfKlahr_9-1644401762649.png

 

DoubleClick the just created user and go to Attribute Editor.

RalfKlahr_10-1644401762662.png

Change the uid, uidNumber and the gid to the values from the Linux user.

Here

     uid =           anaadm
     uidNumber=      1001
     gidNumber=      79

DoubleClick the just created user and go to Attribute Editor.

RalfKlahr_11-1644401762668.png

Then create the Group sapsys

RalfKlahr_12-1644401762672.png

 

Open again the Attribute Editor and change the gidNumber to 79

RalfKlahr_13-1644401762681.png

 

Now we have created the SIDadm user and the sapsys group.

RalfKlahr_31-1644402631014.png

 

Now create the NFS Volume with enabled Kerberos

Before you create a volume for SAP workloads you must enable the UNIX permission feature of ANF

Those features are public preview at the moment.

Configure Unix permissions and change ownership mode for Azure NetApp Files NFS and dual-protocol vo...

Create an NFS volume for Azure NetApp Files | Microsoft Docs

az feature register --namespace Microsoft.NetApp --name ANFUnixPermissions
az feature register --namespace Microsoft.NetApp --name ANFChownMode
az feature register --namespace Microsoft.NetApp --name ANFLdapExtendedGroups

az feature list --namespace Microsoft.NetApp

the activation can take up to 60 minutes...

After the feature registration there is a new field in the volume creation workflow under protocol. After the volume is created you can change the volume access from restricted to unrestricted.

Join ANF to the Domain

After we created the Azure AD DS we join the NetApp Account to this AD

RalfKlahr_15-1644401762700.png

 

Click join

Configure the AD settings

 

RalfKlahr_16-1644401762704.png

RalfKlahr_17-1644401762705.png

 

 

As a result, you will see the config in the portal

 RalfKlahr_18-1644401762709.png

go to your ANF account and create a new Volume

RalfKlahr_19-1644401762712.png

 

 Select the Kerberos Protokoll which suits your requironments. If you select all, all kerberos modies will be possible.

RalfKlahr_32-1644403591791.png

 

Kerberos 5p is not supported because of performance and functional reasons.

Now we create the data volume

 

After the volume is created you find additional entries in the LDAP

RalfKlahr_22-1644401762719.png

Configure Active Directory connection

Also see this documentation:

Configure NFSv4.1 Kerberos encryption for Azure NetApp Files | Microsoft Docs

Configuration of NFSv4.1 Kerberos creates two computer accounts in Active Directory:

  • computer account for SMB shares
  • A computer account for NFSv4.1--You can identify this account by way of the prefix NFS-.

After creating the first NFSv4.1 Kerberos volume, set the encryption type for the computer account by using the following PowerShell command:

Set-ADComputer $NFSCOMPUTERACCOUNT -KerberosEncryptionType AES256

 

You can find the correct command line in the Portal under Mount Instructions

RalfKlahr_23-1644401762725.png

Set-ADComputer NFS-ANFSMB-8859 -KerberosEncryptionType AES256

RalfKlahr_24-1644401762726.png

The AD is now configured.

 

If you like to add an Azure AD user as Windows Logon User you must add the user as Desktop User

PS C:\Windows\system32> net localgroup "Remote Desktop Users" /add "anaadm@sapcontoso.com"

 

 

 

 

 

Set-ADComputer NFS-ANFSMB-8859 -KerberosEncryptionType AES256

 

 

The AD is now configured.

 

If you like to add an Azure AD user as Windows Logon User you must add the user as Desktop User

PS C:\Windows\system32> net localgroup "Remote Desktop Users" /add "anaadm@sapcontoso.com"

 

Configuration of the client SLES15SP2

Configure an NFS client for Azure NetApp Files | Microsoft Docs

 

Install the required SUSE packages for Kerberos

zypper in krb5 krb5-client realmd samba-common chrony nfs-utils sssd-ad sssd-ipa sssd-krb5 sssd-ldap sssd-proxy realmd-lang 
zypper in sssd-tools sssd adcli

configure the chrony (NTP) service

nslookup 0.pool.ntp.org
Server:         10.4.2.4
Address:        10.4.2.4#53

 

vi /etc/chrony.conf
server 0.pool.ntp.org iburst

 

Start the chrony service

systemctl enable chronyd.service
systemctl start chronyd.service

 

check the chrony status

chronyc sources -v
210 Number of sources = 5

MS Name/IP address         Stratum Poll Reach LastRx Last sample
=========================================================================
#* PHC0                    0   3   377    11    -15us[  -86us] +/- 2724ns
^- lithium.constant.com    2   9   377   249  +2054us[+1878us] +/-   70ms
^- 149.20.176.27           4  10   377   899    -13ms[  -13ms] +/-  880ms
^- 38.229.54.9             2   8   377   108   +743us[ +456us] +/-  164ms
^- 50-205-244-109-static.hf>   9   377   501  -2665us[-2603us] +/-   57ms

Search Domain

If you like to add your own search domain in the /etc/resolv.conf you have to change the network config. Manual changes in /etc/resolv.conf will be overwritten from the wicked daemon after some time.

cd /etc/sysconfig/network 
vi config

 

add the search domains here:

## Type:        string
## Default:     ""
#
# List of DNS domain names used for host-name lookup.
# It is written as search list into the /etc/resolv.conf file.
#
NETCONFIG_DNS_STATIC_SEARCHLIST="reddog.microsoft.com sapcontoso.com"

 

Restart the network service

netconfig update

 

now the change is persistent in the /etc/resolv.conf

 

cat /etc/resolv.conf
### /etc/resolv.conf is a symlink to /var/run/netconfig/resolv.conf
### autogenerated by netconfig!
#
#
# See also the netconfig(8) manual page and other documentation.
#
### Call "netconfig update -f" to force adjusting of /etc/resolv.conf.
search reddog.microsoft.com sapcontoso.com
nameserver 10.4.2.4
nameserver 10.4.2.5

 

Join the Active Directory domain

To join the AD Domain, issue the command (as root)

 

example:

realm join SAPCONTOSO.COM -U ralf.klahr --computer-ou="OU=AADDC Computers"
Password for ralf.klahr:*********
ralfwestvm01:~ #

 

To validate the success, you can check again the AD and the realm list command

realm list
sapcontoso.com
  type: kerberos
  realm-name: SAPCONTOSO.COM
  domain-name: sapcontoso.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: adcli
  required-package: samba-client
  login-formats: %U@sapcontoso.com
  login-policy: allow-realm-logins
 

The client is now also visible in the AD

RalfKlahr_33-1644407068420.png

 

Ensure that default_realm is set to the provided realm in /etc/krb5.conf. If not, add it under the [libdefaults] section in the file as shown in the following example:

 

Backup the existing default Kerberos config

cp /etc/krb5.conf /etc/krb5.back

 

As an example:

vi /etc/krb5.conf
includedir  /etc/krb5.conf.d
[libdefaults]
    default_realm = SAPCONTOSO.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96
[realms]
    SAPCONTOSO.COM = {
        kdc = ALX5KJKDVH49M91.sapcontoso.com
        admin_server = ALX5KJKDVH49M91.sapcontoso.com
        master_kdc = ALX5KJKDVH49M91.sapcontoso.com
        default_domain = SAPCONTOSO.COM
    }
[domain_realm]
    .sapcontoso.com = SAPCONTOSO.COM
    sapcontoso.com = SAPCONTOSO.COM
[logging]
    kdc = SYSLOG:INFO
    admin_server = FILE=/var/kadm5.log


Run the kinit command with the user account to get tickets:

For example:

kinit ralf.klahr@SAPCONTOSO.COM
Password for ralf.klahr@SAPCONTOSO.COM: *********

Or for the SISadm...

kinit anaadm@SAPCONTOSO.COM

 

Restart all NFS services:

 

systemctl restart nfs-*
systemctl restart rpc-gssd.service

 

Change the idmapd config

vi /etc/idmapd.conf 
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = defaultv4iddomain.com
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody

Finally try to mount the Volume

mount -t nfs -o sec=krb5i,rw,hard,rsize=262144,wsize=262144,vers=4.1,tcp anfsmb-8859.sapcontoso.com:/ralfaddata01 /mnt

 

df -h
Filesystem                                Size  Used Avail Use% Mounted on
...
..
anfsmb-8859.sapcontoso.com:/ralfaddata01  100G     0  100G   0% /mnt
mount
anfsmb-8859.sapcontoso.com:/ralfaddata01 on /mnt type nfs4 (rw,relatime,vers=4.1,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5i,clientaddr=10.4.0.4,local_lock=none,addr=10.4.1.4)

 

if you plan to install HANA on a default SLES image you also need to install

zypper in libatomic1 insserv sapconf libltdl7

 

 

For the HCMT test I made sure that both volumes are on the same storage endpoint

ralfwestvm01:~ # ping 10.4.1.4
PING 10.4.1.4 (10.4.1.4) 56(84) bytes of data.
64 bytes from 10.4.1.4: icmp_seq=1 ttl=63 time=0.551 ms
64 bytes from 10.4.1.4: icmp_seq=2 ttl=63 time=0.468 ms
64 bytes from 10.4.1.4: icmp_seq=3 ttl=63 time=0.550 ms

ralfwestvm01:~ # ping anfsmb-8859.sapcontoso.com
PING anfsmb-8859.sapcontoso.com (10.4.1.4) 56(84) bytes of data.
64 bytes from 10.4.1.4 (10.4.1.4): icmp_seq=1 ttl=63 time=0.380 ms
64 bytes from 10.4.1.4 (10.4.1.4): icmp_seq=2 ttl=63 time=0.483 ms
64 bytes from 10.4.1.4 (10.4.1.4): icmp_seq=3 ttl=63 time=0.467 ms

 

Configure the /etc/hosts entries

vi/etc/hosts 
# IP-Address  Full-Qualified-Hostname  Short-Hostname
#
127.0.0.1       localhost
10.4.0.5        ralfwest02.sapcontoso.com ralfwest02
10.4.1.4        anfsmb-72cb.sapcontoso.com
10.4.1.5        anfsmb-e16d.sapcontoso.com

Configure the /etc/fstab

vi /etc/fstab
#
# Kerberos Volume
anfsmb-e16d.sapcontoso.com:/ralfaddata01    /hana/data/ANA/mnt00002  nfs   sec=krb5i,rw,hard,rsize=262144,wsize=262144,vers=4.1,tcp  0  0
anfsmb-e16d.sapcontoso.com:/ralfadlog01   /hana/log/ANA/mnt00002  nfs   sec=krb5,rw,hard,rsize=262144,wsize=262144,vers=4.1,tcp  0  0
#
# normal ANF Volume
10.4.1.4:/ralfdtata01                      /hana/data/ANA/mnt00001  nfs   rw,hard,rsize=262144,wsize=262144,sec=sys,vers=4.1,tcp  0  0
10.4.1.4:/ralflog01                       /hana/log/ANA/mnt00001  nfs   rw,hard,rsize=262144,wsize=262144,sec=sys,vers=4.1,tcp  0  0
10.4.1.4:/ralfshared01                     /hana/shared/ANA  nfs   rw,hard,rsize=262144,wsize=262144,sec=sys,vers=4.1,tcp  0  0

 

First we start HCMT the “normal NFSv4.1 non Kerberos Volume:

df -h
Filesystem                               Size  Used Avail Use% Mounted on
10.4.1.4:/ralfdtata01                     12T     0   12T   0% /hana/data/ANA/mnt00001
anfsmb-8859.sapcontoso.com:/ralfaddata01  100G    0  100G   0% /hana/data/ANA/mnt00002

 

Start of HCMT in an “screen” to avoid any connection issues

screen
cd /hana/shared/HCMT
ralfwestvm01:/hana/shared/HCMT # ./hcmt -v -p config/storage.json

Press CTRL+A and D to leave the screen

 

This test was done on native, Krb5 and krb5i.

The HCMT with krb5p never was successful.

 

For the HANASpeed tests I copied the data and log area over from the native to the Kerberos volumes.

su – anaadm
anaadm@ralfwest02:/usr/sap/ANA/HDB00> kinit anaadm@SAPCONTOSO.COM
Password for anaadm@SAPCONTOSO.COM:*****
anaadm@ralfwest02:/usr/sap/ANA/HDB00> cp -r /hana/data/ANA/mnt00001/* /hana/data/ANA/mnt00002/
anaadm@ralfwest02:/usr/sap/ANA/HDB00> cp -r /hana/log/ANA/mnt00001/* /hana/log/ANA/mnt00002/

 

then I remounted the Kerberos volumes under the mnt00001 path and restarted HANA and the tests.

%3CLINGO-SUB%20id%3D%22%5C%26quot%3Blingo-sub-3142010%5C%26quot%3B%22%20slang%3D%22%5C%26quot%3Ben-US%5C%26quot%3B%22%3EImplementing%20Azure%20NetApp%20Files%20with%20Kerberos%26lt%3B%5C%2Flingo-sub%26gt%3B%3CLINGO-BODY%20id%3D%22%5C%26quot%3Blingo-body-3142010%5C%26quot%3B%22%20slang%3D%22%5C%26quot%3Ben-US%5C%26quot%3B%22%3E%3CH1%20id%3D%22%5C%26quot%3Btoc-hId--2135721262%5C%26quot%3B%22%20id%3D%22toc-hId--2135596232%22%20id%3D%22toc-hId--2135596232%22%20id%3D%22toc-hId--2135596232%22%3E%3CFONT%20size%3D%22%5C%26quot%3B6%5C%26quot%3B%22%3EImplementing%20Azure%20NetApp%20Files%20with%20Kerberos%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FH1%26gt%3B%5Cn%3CP%3EPoC%20and%20Validation%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3C%2FFONT%3E%3C%2FH1%3E%3CH1%20id%3D%22%5C%26quot%3Btoc-hId-351791571%5C%26quot%3B%22%20id%3D%22toc-hId-351916601%22%20id%3D%22toc-hId-351916601%22%20id%3D%22toc-hId-351916601%22%3EKerberos%20with%20ANF%20for%20SAP%20HANA%26lt%3B%5C%2FH1%26gt%3B%5Cn%3CP%3EEncryption%20is%20a%20very%20big%20topic%20when%20it%20comes%20to%20data%20security%20especially%20in%20public%20clouds.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EAzure%20NetApp%20Files%20(ANF)%20supports%20DES%2C%20Kerberos%20AES%20128%2C%20and%20Kerberos%20AES%20256%20encryption%20types%20(from%20the%20least%20secure%20to%20the%20most%20secure).%20If%20you%20enable%20AES%20encryption%2C%20the%20user%20credentials%20used%20to%20join%20Active%20Directory%20must%20have%20the%20highest%20corresponding%20account%20option%20enabled%20that%20matches%20the%20capabilities%20enabled%20for%20your%20Active%20Directory.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EThe%20question%20which%20has%20to%20be%20answered%20is%20if%20Kerberos%20adds%20additional%20value%20to%20the%20overall%20system%20security%20and%20system%20performance.%20Encryption%20always%20will%20cost%20CPU%20cycles%20and%20will%20also%20enlarge%20the%20storage%20latency.%20With%20SAP%20HANA%20you%20can%20enable%20LSS%20encryption%20which%20will%20encrypt%20the%20data%20additionally%20before%20the%20data%20will%20be%20written%20to%20the%20storage.%20At%20the%20storage%20the%20data%20will%20be%20encrypted%20at%20REST%20a%20second%20time%20by%20default.%20So%2C%20enabling%20Kerberos%20the%20data%20would%20be%20encrypted%20a%20third%20time%20which%20obviously%20has%20the%20biggest%20impact%20since%20this%20encryption%20is%20in%20the%20data%20path.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EAnyway%2C%20the%20request%20to%20enable%20Kerberos%20is%20coming%20more%20and%20more.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EThis%20document%20will%20try%20to%20describe%20the%20configuration%20and%20will%20also%20try%20to%20show%20the%20impact%20when%20Kerberos%20is%20enabled.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3ETo%20start%20with%20I%20will%20show%20the%20starting%20point%20without%20enabling%20Kerberos%20and%20LSS.%20The%20numbers%20here%20are%20the%20so%2C%20called%20%E2%80%9Cdefault%E2%80%9D.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EBefore%20you%20begin%20read%3A%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CA%20href%3D%22%5C%26quot%3Bhttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory-domain-services%2Fcompare-identity-solutions%5C%26quot%3B%22%20target%3D%22%5C%26quot%3B_blank%5C%26quot%3B%22%20rel%3D%22%5C%26quot%3Bnoopener%20nofollow%20noopener%20noreferrer%22%20noreferrer%3D%22%22%3ECompare%20Active%20Directory-based%20services%20in%20Azure%20%7C%20Microsoft%20Docs%26lt%3B%5C%2FA%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FA%3E%3C%2FP%3E%3CP%3EWe%20will%20use%20Azure%20Active%20Directory%20Domain%20Services%20(Azure%20AD%20DS)%20in%20this%20documentation.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CA%20href%3D%22%5C%26quot%3Bhttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory-domain-services%2Foverview%5C%26quot%3B%22%20target%3D%22%5C%26quot%3B_blank%5C%26quot%3B%22%20rel%3D%22%5C%26quot%3Bnoopener%20nofollow%20noopener%20noreferrer%22%20noreferrer%3D%22%22%3EOverview%20of%20Azure%20Active%20Directory%20Domain%20Services%20%7C%20Microsoft%20Docs%26lt%3B%5C%2FA%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FA%3E%3C%2FP%3E%3CP%3EKerberos%20Authentication%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CA%20href%3D%22%5C%26quot%3Bhttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fsecurity%2Fkerberos%2Fkerberos-authentication-overview%5C%26quot%3B%22%20target%3D%22%5C%26quot%3B_blank%5C%26quot%3B%22%20rel%3D%22%5C%26quot%3Bnoopener%20nofollow%20noopener%20noreferrer%22%20noreferrer%3D%22%22%3EKerberos%20Authentication%20Overview%20%7C%20Microsoft%20Docs%26lt%3B%5C%2FA%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FA%3E%3C%2FP%3E%3CP%3EANF%20%E2%80%93%20Kerberos%20configuration%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CA%20href%3D%22%5C%26quot%3Bhttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-netapp-files%2Fcreate-active-directory-connections%5C%26quot%3B%22%20target%3D%22%5C%26quot%3B_blank%5C%26quot%3B%22%20rel%3D%22%5C%26quot%3Bnoopener%20nofollow%20noopener%20noreferrer%22%20noreferrer%3D%22%22%3ECreate%20and%20manage%20Active%20Directory%20connections%20for%20Azure%20NetApp%20Files%20%7C%20Microsoft%20Docs%26lt%3B%5C%2FA%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22%5C%26quot%3Bhttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-netapp-files%2Fconfigure-kerberos-encryption%5C%26quot%3B%22%20target%3D%22%5C%26quot%3B_blank%5C%26quot%3B%22%20rel%3D%22%5C%26quot%3Bnoopener%20nofollow%20noopener%20noreferrer%22%20noreferrer%3D%22%22%3EConfigure%20NFSv4.1%20Kerberos%20encryption%20for%20Azure%20NetApp%20Files%20%7C%20Microsoft%20Docs%26lt%3B%5C%2FA%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22%5C%26quot%3Bhttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-netapp-files%2Fperformance-impact-kerberos%5C%26quot%3B%22%20target%3D%22%5C%26quot%3B_blank%5C%26quot%3B%22%20rel%3D%22%5C%26quot%3Bnoopener%20nofollow%20noopener%20noreferrer%22%20noreferrer%3D%22%22%3EPerformance%20impact%20of%20Kerberos%20on%20Azure%20NetApp%20Files%20NFSv4.1%20volumes%20%7C%20Microsoft%20Docs%26lt%3B%5C%2FA%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%26nbsp%3B%26lt%3B%5C%2FSPAN%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EThe%20NetApp%20TR-4616%20is%20also%20a%20very%20good%20information%20how%20to%20configure%20Kerberos%20and%20also%20describes%20some%20Kerberos%20terms%20very%20detailed.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CA%20href%3D%22%5C%26quot%3Bhttps%3A%2F%2Fwww.netapp.com%2Fmedia%2F19384-tr-4616.pdf%5C%26quot%3B%22%20target%3D%22%5C%26quot%3B_blank%5C%26quot%3B%22%20rel%3D%22%5C%26quot%3Bnoopener%20nofollow%20noopener%20noreferrer%22%20nofollow%3D%22%22%20noreferrer%3D%22%22%3ETR-4616%3A%20NFS%20Kerberos%20in%20ONTAP%20(netapp.com)%26lt%3B%5C%2FA%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3ESome%20facts%20to%20know%3A%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CA%20href%3D%22%5C%26quot%3Bhttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-netapp-files%2Fperformance-impact-kerberos%5C%26quot%3B%22%20target%3D%22%5C%26quot%3B_blank%5C%26quot%3B%22%20rel%3D%22%5C%26quot%3Bnoopener%20nofollow%20noopener%20noreferrer%22%20noreferrer%3D%22%22%3EPerformance%20impact%20of%20Kerberos%20on%20Azure%20NetApp%20Files%20NFSv4.1%20volumes%20%7C%20Microsoft%20Docs%26lt%3B%5C%2FA%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FA%3E%3C%2FP%3E%3CP%3EThe%20security%20options%20currently%20available%20for%20NFSv4.1%20volumes%20are%20as%20follows%3A%26lt%3B%5C%2FP%26gt%3B%5Cn%3CUL%3E%5Cn%3CLI%3Esec%3Dsys%20uses%20local%20UNIX%20UIDs%20and%20GIDs%20by%20using%20AUTH_SYS%20to%20authenticate%20NFS%20operations.%26lt%3B%5C%2FLI%26gt%3B%5Cn%3C%2FLI%3E%3CLI%3Esec%3Dkrb5%20uses%20Kerberos%20V5%20instead%20of%20local%20UNIX%20UIDs%20and%20GIDs%20to%20authenticate%20users.%26lt%3B%5C%2FLI%26gt%3B%5Cn%3C%2FLI%3E%3CLI%3Esec%3Dkrb5i%20uses%20Kerberos%20V5%20for%20user%20authentication%20and%20performs%20integrity%20checking%20of%20NFS%20operations%20using%20secure%20checksums%20to%20prevent%20data%20tampering.%26lt%3B%5C%2FLI%26gt%3B%5Cn%3C%2FLI%3E%3CLI%3Esec%3Dkrb5p%20uses%20Kerberos%20V5%20for%20user%20authentication%20and%20integrity%20checking.%20It%20encrypts%20NFS%20traffic%20to%20prevent%20traffic%20sniffing.%20This%20option%20is%20the%20most%20secure%20setting%2C%20but%20it%20also%20involves%20the%20most%20performance%20overhead.%26lt%3B%5C%2FLI%26gt%3B%5Cn%26lt%3B%5C%2FUL%26gt%3B%5Cn%3CP%3EThroughput%20here%20the%20baseline%20is%20128MB%20(max)%3A%26lt%3B%5C%2FP%26gt%3B%5Cn%3CTABLE%3E%5Cn%3CTBODY%3E%5Cn%3CTR%3E%5Cn%3CTD%20width%3D%22%5C%26quot%3B302%5C%26quot%3B%22%3E%3CP%3ESec%3Dsys%26lt%3B%5C%2FP%26gt%3B%5Cn%26lt%3B%5C%2FTD%26gt%3B%5Cn%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22%5C%26quot%3B302%5C%26quot%3B%22%3E%3CP%3E120MB%2Fs%26lt%3B%5C%2FP%26gt%3B%5Cn%26lt%3B%5C%2FTD%26gt%3B%5Cn%26lt%3B%5C%2FTR%26gt%3B%5Cn%3C%2FP%3E%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%5Cn%3CTD%20width%3D%22%5C%26quot%3B302%5C%26quot%3B%22%3E%3CP%3ESec%3Dkrb5%26lt%3B%5C%2FP%26gt%3B%5Cn%26lt%3B%5C%2FTD%26gt%3B%5Cn%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22%5C%26quot%3B302%5C%26quot%3B%22%3E%3CP%3E95.1MB%2Fs%26lt%3B%5C%2FP%26gt%3B%5Cn%26lt%3B%5C%2FTD%26gt%3B%5Cn%26lt%3B%5C%2FTR%26gt%3B%5Cn%3C%2FP%3E%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%5Cn%3CTD%20width%3D%22%5C%26quot%3B302%5C%26quot%3B%22%3E%3CP%3ESec%3Dkrb5i%26lt%3B%5C%2FP%26gt%3B%5Cn%26lt%3B%5C%2FTD%26gt%3B%5Cn%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22%5C%26quot%3B302%5C%26quot%3B%22%3E%3CP%3E94.5MB%2Fs%26lt%3B%5C%2FP%26gt%3B%5Cn%26lt%3B%5C%2FTD%26gt%3B%5Cn%26lt%3B%5C%2FTR%26gt%3B%5Cn%3C%2FP%3E%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%5Cn%3CTD%20width%3D%22%5C%26quot%3B302%5C%26quot%3B%22%3E%3CP%3ESec%3Dkrb5p%26lt%3B%5C%2FP%26gt%3B%5Cn%26lt%3B%5C%2FTD%26gt%3B%5Cn%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22%5C%26quot%3B302%5C%26quot%3B%22%3E%3CP%3E23.8MB%2Fs%26lt%3B%5C%2FP%26gt%3B%5Cn%26lt%3B%5C%2FTD%26gt%3B%5Cn%26lt%3B%5C%2FTR%26gt%3B%5Cn%26lt%3B%5C%2FTBODY%26gt%3B%5Cn%26lt%3B%5C%2FTABLE%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EReference%20(German)%20%3CA%20href%3D%22%5C%26quot%3Bhttps%3A%2F%2Fwiki.ubuntuusers.de%2FKerberos%2FNFS_mit_Kerberos_sichern%2F%5C%26quot%3B%22%20target%3D%22%5C%26quot%3B_blank%5C%26quot%3B%22%20rel%3D%22%5C%26quot%3Bnoopener%20nofollow%20noopener%20noreferrer%22%20nofollow%3D%22%22%20noreferrer%3D%22%22%3ENFS%20mit%20Kerberos%20sichern%20%E2%80%BA%20Kerberos%20%E2%80%BA%20Wiki%20%E2%80%BA%20ubuntuusers.de%26lt%3B%5C%2FA%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EThis%20is%20the%20test%20setup%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346608i8CEFB05FF88B0C77%2Fimage-dimensions%2F538x383%3Fv%3Dv2%5C%26quot%3B%22%20width%3D%22%5C%26quot%3B538%5C%26quot%3B%22%20height%3D%22%5C%26quot%3B383%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_69-1644399736733.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_69-1644399736733.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3ESUSE%20documentation%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CA%20href%3D%22%5C%26quot%3Bhttps%3A%2F%2Fdocumentation.suse.com%2Fsles%2F15-SP2%2Fhtml%2FSLES-all%2Fcha-security-kerberos.html%5C%26quot%3B%22%20target%3D%22%5C%26quot%3B_blank%5C%26quot%3B%22%20rel%3D%22%5C%26quot%3Bnoopener%20nofollow%20noopener%20noreferrer%22%20nofollow%3D%22%22%20noreferrer%3D%22%22%3ENetwork%20Authentication%20with%20Kerberos%20%7C%20Security%20and%20Hardening%20Guide%20%7C%20SUSE%20Linux%20Enterprise%20Server%2015%20SP2%26lt%3B%5C%2FA%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CH2%20id%3D%22%5C%26quot%3Btoc-hId-1042353045%5C%26quot%3B%22%20id%3D%22toc-hId--1445034758%22%20id%3D%22toc-hId--1445034758%22%20id%3D%22toc-hId--1445034758%22%3EFirst%20some%20Performance%20measurements%20with%20and%20without%20Kerberos%3A%26lt%3B%5C%2FH2%26gt%3B%5Cn%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EData%20and%20Log%20volumes%3A%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EI%20used%20a%2012TiB%20Ultra%20Volume%20for%20the%20tests.%20Both%20tests%20(data%20and%20Log)%20are%20pointing%20to%20the%20same%20volume.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EHCMT%20native%20no%20Kerberos%3A%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346609iA8FA048E4CD751B5%2Fimage-dimensions%2F606x188%3Fv%3Dv2%5C%26quot%3B%22%20width%3D%22%5C%26quot%3B606%5C%26quot%3B%22%20height%3D%22%5C%26quot%3B188%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_70-1644399789787.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_70-1644399789787.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EHCMT%20with%20Kerberos%20krb5%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346558i3BD13284CB882BFD%2Fimage-dimensions%2F603x169%3Fv%3Dv2%5C%26quot%3B%22%20width%3D%22%5C%26quot%3B603%5C%26quot%3B%22%20height%3D%22%5C%26quot%3B169%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_2-1644399601135.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_2-1644399601135.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EHCMT%20with%20Kerberos%20krb5i%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346560i88AA590173EE9A49%2Fimage-dimensions%2F601x179%3Fv%3Dv2%5C%26quot%3B%22%20width%3D%22%5C%26quot%3B601%5C%26quot%3B%22%20height%3D%22%5C%26quot%3B179%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_3-1644399601152.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_3-1644399601152.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSTRONG%3EKerberos%205p%20will%20not%20be%20supported%26lt%3B%5C%2FSTRONG%26gt%3B.%20The%20performance%20penalty%20is%20by%20far%20too%20high%20to%20meet%20any%20SAP%20HANA%20KPIs.%20We%20even%20got%20dumps%20with%20the%20random%201M%20data%20file%20read%20which%20caused%20HCMT%20to%20break.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3ESo%20available%20and%20supported%20Kerberos%20flavors%20are%205%20and%205i%20but%20%3CSTRONG%3ENOT%205p%26lt%3B%5C%2FSTRONG%26gt%3B.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSTRONG%3EHANA%20Stress%20tool%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EThis%20tool%20(from%20GitHub)%20is%20creating%2010000%20tables%20and%20will%20add%2020000%20rows%20into%20each%20table.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EI%20started%20the%20tool%20three%20times%20to%20see%20if%20there%20are%20no%20differences%20in%20the%20runs.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EFor%20the%20tests%20I%20am%20using%20two%20Ultra%20volumes%20%E2%80%93%20Data%204TB%20and%20Log%203TB%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346610iD527898E35876844%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_71-1644399901141.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_71-1644399901141.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3ENative%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3Eanaadm%40ralfvm01%3A%2Fopt%2Fhanastress%26gt%3B%20%3CSTRONG%3Etime%20.%2Fhanastress.py%20-v%20--host%20localhost%20-i%2000%20-u%20HANASTRESS%20-p%20HANAStress02%20-g%20%3CGROUP%3E%20--tables%2010000%20--rows%2020000%20%3CBR%20%2F%3E--threads%2010%3CBR%20%2F%3E%26lt%3B%5C%2FSTRONG%26gt%3B%5Binfo%5D%20Starting%20Generation...%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FGROUP%3E%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Ereal%26nbsp%3B%26nbsp%3B%26nbsp%3B%2012m.921s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Euser%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m1.084s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Esys%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m0.559s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Ereal%26nbsp%3B%26nbsp%3B%26nbsp%3B%2013m24.9s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Euser%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m1.002s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Esys%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m0.592s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Ereal%26nbsp%3B%26nbsp%3B%26nbsp%3B%2013m83.918s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Euser%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m1.005s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Esys%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m0.575s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EKerberos%205%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Ereal%26nbsp%3B%26nbsp%3B%26nbsp%3B%2014m16.617s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Euser%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m10.739s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Esys%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m6.127s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Ereal%26nbsp%3B%26nbsp%3B%26nbsp%3B%2014m54.530s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Euser%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m10.764s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Esys%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m6.055s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Ereal%26nbsp%3B%26nbsp%3B%26nbsp%3B%2015m41.758s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Euser%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m10.798s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Esys%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m6.294s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EKerberos%205i%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Ereal%26nbsp%3B%26nbsp%3B%26nbsp%3B%2016m20.946s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Euser%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m11.175s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Esys%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m6.018s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Ereal%26nbsp%3B%26nbsp%3B%26nbsp%3B%2016m52.497s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Euser%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m11.094s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Esys%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m6.181s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Ereal%26nbsp%3B%26nbsp%3B%26nbsp%3B%2017m36.939s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Euser%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m11.190s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Esys%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m6.055s%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EThis%20is%20the%20graphical%20overview.%20!!!%20Lower%20is%20better%20!!!%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346611i1545A36A5B6664C8%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_72-1644399952437.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_72-1644399952437.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3C%2FH2%3E%3CH1%20id%3D%22%5C%26quot%3Btoc-hId-1031849941%5C%26quot%3B%22%20id%3D%22toc-hId--1455537862%22%20id%3D%22toc-hId--1455537862%22%20id%3D%22toc-hId--1455537862%22%3E%3CFONT%20size%3D%22%5C%26quot%3B6%5C%26quot%3B%22%3ESetup%20of%20our%20test%20scenario%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FH1%26gt%3B%5Cn%3C%2FFONT%3E%3C%2FH1%3E%3CH1%20id%3D%22%5C%26quot%3Btoc-hId--775604522%5C%26quot%3B%22%20id%3D%22toc-hId-1031974971%22%20id%3D%22toc-hId-1031974971%22%20id%3D%22toc-hId-1031974971%22%3E%3CFONT%20size%3D%22%5C%26quot%3B5%5C%26quot%3B%22%3EAzure%20AD%20DS%26lt%3B%5C%2FFONT%26gt%3B%26lt%3B%5C%2FH1%26gt%3B%5Cn%3CP%3EFirst%20create%20the%20Azure%20Active%20Directory%20Domain%20Service%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346612iF75EF75BDC7E2571%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_73-1644399989731.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_73-1644399989731.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3ESelect%20the%3A%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EThe%20user%20who%20is%20trying%20to%20create%20the%20AD%20DS%20must%20have%20the%20Global%20Administrator%20role%20for%20the%20Directory.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3ESelect%20the%3A%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346562i4D7A36A20A836727%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_8-1644399601169.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_8-1644399601169.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EClick%20on%20Create%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346565iB67A87262BC66127%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_9-1644399601171.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_9-1644399601171.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346566iC73BD5D32C4A1639%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_10-1644399601177.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_10-1644399601177.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346567i86C019AE84665AD2%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_11-1644399601181.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_11-1644399601181.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EUse%20the%20same%20vNET%20but%20let%20the%20service%20create%20a%20new%20subnet.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346569i57FCBC53DEAB3B9C%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_12-1644399601185.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_12-1644399601185.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346568iFF47839C88E92D6C%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_13-1644399601188.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_13-1644399601188.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346570i50FC7B931906B8AB%2Fimage-dimensions%2F450x345%3Fv%3Dv2%5C%26quot%3B%22%20width%3D%22%5C%26quot%3B450%5C%26quot%3B%22%20height%3D%22%5C%26quot%3B345%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_14-1644399601201.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_14-1644399601201.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3C%2FFONT%3E%3C%2FH1%3E%3CH2%20id%3D%22%5C%26quot%3Btoc-hId--85043048%5C%26quot%3B%22%20id%3D%22toc-hId-1722536445%22%20id%3D%22toc-hId-1722536445%22%20id%3D%22toc-hId-1722536445%22%3EClick%20on%20Create%20after%20the%20validation%20was%20successful.%26lt%3B%5C%2FH2%26gt%3B%5Cn%3CP%3EKerberos%20RC4%20Encryption%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EEnable%20or%20disable%20Kerberos%20RC4%20encryption%20for%20your%20managed%20domain.%20When%20Kerberos%20RC4%20encryption%20is%20disabled%2C%20all%20Kerberos%20requests%20that%20use%20RC4%20encryption%20will%20fail.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSTRONG%3EKerberos%20Armoring%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EEnable%20or%20disable%20Kerberos%20Armoring%20for%20your%20managed%20domain.%20This%20will%20provide%20a%20protected%20channel%20between%20the%20Kerberos%20client%20and%20the%20KDC.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSTRONG%3EHelpful%20Links%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22%5C%26quot%3Bhttps%3A%2F%2Faka.ms%2Fsecureyourdomain%5C%26quot%3B%22%20target%3D%22%5C%26quot%3B_blank%5C%26quot%3B%22%20rel%3D%22%5C%26quot%3Bnoopener%20nofollow%20noopener%20noreferrer%22%20noreferrer%3D%22%22%3EHarden%20an%20Azure%20Active%20Directory%20Domain%20Services%20managed%20domain%26lt%3B%5C%2FA%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346571i5EC7D96E9DDB4ADE%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_15-1644399601205.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_15-1644399601205.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346572iC5DD0F596B8332D6%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_16-1644399601207.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_16-1644399601207.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EIt%20will%20take%20several%20minutes%20to%20complete%E2%80%A6%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346573i1F384D9D39FB5D1F%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_17-1644399601210.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_17-1644399601210.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EAs%20the%20result%20Azure%20will%20create%20the%20Azure%20AD%20DS%20with%20two%20DNS%20IP%20addresses%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3C%2FH2%3E%3CH2%20id%3D%22%5C%26quot%3Btoc-hId--1892497511%5C%26quot%3B%22%20id%3D%22toc-hId--84918018%22%20id%3D%22toc-hId--84918018%22%20id%3D%22toc-hId--84918018%22%3E%3CU%3E%26lt%3B%5C%2FU%26gt%3BConfigure%20the%20vNET%20DNS%20config%26lt%3B%5C%2FH2%26gt%3B%5Cn%3CP%3EAfter%20the%20Azure%20ADDS%20was%20deployed%2C%20we%20need%20to%20change%20the%20default%20DNS%20entry%20in%20the%20vNET%20settings.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346575i8BA8BF8AD24EB7E8%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_18-1644399601213.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_18-1644399601213.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346574iD56A3B296505C510%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_19-1644399601216.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_19-1644399601216.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346576iB5507288CC984FAF%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_20-1644399601219.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_20-1644399601219.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EIf%20you%20do%20not%20sync%20all%20users%20only%20the%20Domain%20Admins%20will%20be%20synchronized%20from%20the%20Azure%20AD%20to%20the%20Azure%20AD%20DS.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EThe%20synchronization%20will%20take%20some%20time.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EAfter%20the%20synchronization%20is%20done%20you%20must%20see%20al%20users%20in%20the%20Administrative%20User%20tool.%20Be%20aware%20that%20you%20cannot%20change%20or%20add%20users%20in%20this%20tool%20(the%20Azure%20AD%20DS%20is%20read%20only%20from%20this%20point)%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346617i08B6EFEF4C3287A7%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_0-1644400909383.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_0-1644400909383.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EBe%20aware%20that%20if%20you%20only%20have%20the%20Azure%20AD%20DS%20Service%20as%20your%20Domain%20Controller%20and%20AD%20you%20must%20reset%20the%20passwords%20if%20you%20like%20to%20authenticate%20towards%20the%20Azure%20AD%20DS%20service.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EPasswords%20are%20not%20synced%20from%20the%20Azure%20AD.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346618i7F7BFFCC774EC93C%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_1-1644400967930.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_1-1644400967930.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EThen%20log-off%20from%20the%20Azure%20portal%20and%20re-logon%20to%20the%20Azure%20portal.%20You%20now%20need%20to%20change%20the%20password.%20Now%20the%20password%20hash%20is%20also%20in%20the%20Azure%20AD%20DS.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3ERun%20ipconfig%20%2Frenew%20after%20the%20reboot%20of%20the%20VM%20to%20switch%20from%20the%20Azure%20default%20DNS%20to%20the%20new%20created%20Azure%20AD%20DS%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EBefore%3A%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3Eipconfig%20%2Fall%3CBR%20%2F%3E%E2%80%A6%3CBR%20%2F%3E%26nbsp%3B%20DNS-Server%20.%20.%20.%20.%20.%20.%20.%20.%20.%20.%20.%20%3A%20168.63.129.16%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EAfter..%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3Eipconfig%20%2Frenew%3CBR%20%2F%3Eipconfig%20%2Fall%3CBR%20%2F%3E%E2%80%A6%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%20DNS-Server%26nbsp%3B%20.%20.%20.%20.%20.%20.%20.%20.%20.%20.%20.%20%3A%2010.4.2.4%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSTRONG%3ENow%20you%20can%20join%20the%20domain%E2%80%A6.%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EEnable%20synchronization%20of%20password%20hashes%20from%20on-prem%20AD%20(if%20required)%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EIf%20you%20select%20the%20Azure%20AD%20DS%20resource%20you%20see%20this%20picture%20on%20the%20right%20side.%20Click%20now%20Instructions%20for%20synced%20user%20accounts%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CA%20href%3D%22%5C%26quot%3Bhttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory-domain-services%2Ftutorial-configure-password-hash-sync%5C%26quot%3B%22%20target%3D%22%5C%26quot%3B_blank%5C%26quot%3B%22%20rel%3D%22%5C%26quot%3Bnoopener%20nofollow%20noopener%20noreferrer%22%20noreferrer%3D%22%22%3EEnable%20password%20hash%20sync%20for%20Azure%20AD%20Domain%20Services%20%7C%20Microsoft%20Docs%26lt%3B%5C%2FA%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3C%2FU%3E%3C%2FH2%3E%3CH2%20id%3D%22%5C%26quot%3Btoc-hId-595015322%5C%26quot%3B%22%20id%3D%22toc-hId--1892372481%22%20id%3D%22toc-hId--1892372481%22%20id%3D%22toc-hId--1892372481%22%3ECheck%20the%20AD%20settings%20from%20the%20JumpBox%26lt%3B%5C%2FH2%26gt%3B%5Cn%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346579iB5DDD632FEE7D819%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_23-1644399601263.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_23-1644399601263.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EInstall%20the%20required%20DNS%20Tolls%20if%20you%20would%20like%20to%20manage%20the%20DNS%20as%20well.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346581i47C28BFD73491583%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_24-1644399601279.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_24-1644399601279.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EWhen%20starting%20the%20DNS%20Editor%20you%20only%20need%20to%20specify%20the%20domain%20name.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346580i6521CC4148A1D444%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_25-1644399601283.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_25-1644399601283.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EIf%20you%20like%20to%20add%20the%20Linux%20host%20in%20the%20domain%20simply%20specify%20the%20client%20here%20as%20new%20host.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346582iC49039AFC1F3BF8B%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_26-1644399601296.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_26-1644399601296.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EYou%20need%20to%20restart%20the%20nscd%20daemon%20on%20the%20client%20that%20the%20clint%20can%20ping%20the%20new%20defined%20entry.%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Eping%20ralfwest02.sapcontoso.com%3CBR%20%2F%3E%26lt%3B%5C%2FSTRONG%26gt%3Bping%3A%20ralfwest02.sapcontoso.com%3A%20Name%20or%20service%20not%20known%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Esystemctl%20restart%20nscd%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3CPRE%3E%3CSTRONG%3E%3CSTRONG%3Eping%20ralfwest02.sapcontoso.com%3CBR%20%2F%3E%26lt%3B%5C%2FSTRONG%26gt%3B64%20bytes%20from%20ralfwest02.internal.cloudapp.net%20(10.4.0.5)%3A%20icmp_seq%3D1%20ttl%3D64%20time%3D0.020%20ms%3CBR%20%2F%3E64%20bytes%20from%20ralfwest02.internal.cloudapp.net%20(10.4.0.5)%3A%20icmp_seq%3D2%20ttl%3D64%20time%3D0.044%20ms%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3ETo%20understand%20the%20LDAP%20structure%2C%20it%20is%20important%20to%20start%20the%20ADSI%20Edit%20to%20view%20an%20understand%3CBR%20%2F%3Ehow%20the%20LDAP%20structure%20from%20the%20Azure%20AD%20DS%20looks%20like.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346623i63535C836D7F52A9%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_2-1644401554219.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_2-1644401554219.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EFor%20the%20ANF%20SMB%20and%20Kerberos%20configuration%20the%20AADDS%20structure%20must%20be%20used.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EThis%20is%20the%20OU%20which%20must%20be%20configured%20in%20ANF%20for%20the%20AD%20join.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346584iD127492198BA783D%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_28-1644399601309.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_28-1644399601309.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EThe%20hostname%20of%20the%20DNS%20Server%20for%20the%20ANF%20AD%20join%20can%20also%20be%20retrieved%20from%20the%20MMC%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EStart%20MMC%20on%20the%20JumpBox%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346624i5ED8860C25D82A22%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_3-1644401644121.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_3-1644401644121.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3ENote%20the%20DNS%20hostname%20for%20the%20Kerberos%20Realm%20ANF%20config.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3C%2FH2%3E%3CH2%20id%3D%22%5C%26quot%3Btoc-hId--1212439141%5C%26quot%3B%22%20id%3D%22toc-hId-595140352%22%20id%3D%22toc-hId-595140352%22%20id%3D%22toc-hId-595140352%22%3EAzure%20AD%20DS%20User%20workaround%26lt%3B%5C%2FH2%26gt%3B%5Cn%3CP%3EBecause%20you%20cannot%20modify%20the%20G-id%20and%20U-id%20under%20OU%3DAADDS%20Users%20you%20need%20to%20create%20a%20new%20OU%20for%20the%20SAP%20LDAP%20users.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EFirst%20create%20a%20new%20OU%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346587i3E1FB27C18FC733A%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_30-1644399601319.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_30-1644399601319.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3ESpecify%20the%20name%20for%20the%20OU%20%E2%80%A6%20can%20be%20anything%2C%20here%20I%20used%20SAP%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346647i9D2340148D810052%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_5-1644401762616.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_5-1644401762616.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EOpen%20the%20properties%20by%20right%20click%20on%20the%20SAP%20OU.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346627i1275C035ED821560%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_6-1644401762642.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_6-1644401762642.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3ENote%20down%20the%20full%20OU.%20This%20is%20required%20for%20the%20ANF%20AD%20connection.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EHere%3A%20%3CSTRONG%3EOU%3DSAP%2CDC%3Dsapcontoso%2CDC%3Dcom%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FP%3E%3C%2FH2%3E%3CH3%20id%3D%22%5C%26quot%3Btoc-hId--521877667%5C%26quot%3B%22%20id%3D%22toc-hId-1285701826%22%20id%3D%22toc-hId-1285701826%22%20id%3D%22toc-hId-1285701826%22%3ELDAP%20User%20creation%26lt%3B%5C%2FH3%26gt%3B%5Cn%3CP%3ESelect%20the%20new%20OU%20(Organizational%20Unit)%20by%20a%20single%20click%20and%20use%20the%20add%20user%20button.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346628iA237013AE123AD13%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_7-1644401762642.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_7-1644401762642.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3ESpecify%20the%20SIDadm%20user.%20Here%20%3CSTRONG%3Eanaadm%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346629i219BD3A377758907%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_8-1644401762646.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_8-1644401762646.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3ESpecify%20the%20password%20for%20the%20user%20and%20click%20Next%20then%20finish.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346630i10E12F3A7377D704%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_9-1644401762649.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_9-1644401762649.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EDoubleClick%20the%20just%20created%20user%20and%20go%20to%20Attribute%20Editor.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346633i48C4C6ECBB13CF15%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_10-1644401762662.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_10-1644401762662.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EChange%20the%20uid%2C%20uidNumber%20and%20the%20gid%20to%20the%20values%20from%20the%20Linux%20user.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EHere%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%20%26nbsp%3B%26nbsp%3B%26nbsp%3B%20uid%20%3D%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3Banaadm%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20uidNumber%3D%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%201001%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20gidNumber%3D%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%2079%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FPRE%3E%3C%2FP%3E%3CP%3EDoubleClick%20the%20just%20created%20user%20and%20go%20to%20Attribute%20Editor.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346631iCD1CD7298A8F46A0%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_11-1644401762668.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_11-1644401762668.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EThen%20create%20the%20Group%20sapsys%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346632i6AE0C70519084EC9%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_12-1644401762672.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_12-1644401762672.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EOpen%20again%20the%20Attribute%20Editor%20and%20change%20the%20gidNumber%20to%2079%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346634i4DF250F5C0345795%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_13-1644401762681.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_13-1644401762681.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3ENow%20we%20have%20created%20the%20SIDadm%20user%20and%20the%20sapsys%20group.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346653i62E3EBD96C8921E0%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_31-1644402631014.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_31-1644402631014.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3C%2FH3%3E%3CH2%20id%3D%22%5C%26quot%3Btoc-hId-1141388968%5C%26quot%3B%22%20id%3D%22toc-hId-1275198722%22%20id%3D%22toc-hId-1275198722%22%20id%3D%22toc-hId-1275198722%22%3ENow%20create%20the%20NFS%20Volume%20with%20enabled%20Kerberos%26lt%3B%5C%2FH2%26gt%3B%5Cn%3CP%3EBefore%20you%20create%20a%20volume%20for%20SAP%20workloads%20you%20must%20enable%20the%20UNIX%20permission%20feature%20of%20ANF%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EThose%20features%20are%20public%20preview%20at%20the%20moment.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CA%20href%3D%22%5C%26quot%3Bhttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-netapp-files%2Fconfigure-unix-permissions-change-ownership-mode%5C%26quot%3B%22%20target%3D%22%5C%26quot%3B_blank%5C%26quot%3B%22%20rel%3D%22%5C%26quot%3Bnoopener%20nofollow%20noopener%20noreferrer%22%20noreferrer%3D%22%22%3EConfigure%20Unix%20permissions%20and%20change%20ownership%20mode%20for%20Azure%20NetApp%20Files%20NFS%20and%20dual-protocol%20volumes%20%7C%20Microsoft%20Docs%26lt%3B%5C%2FA%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22%5C%26quot%3Bhttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-netapp-files%2Fazure-netapp-files-create-volumes%5C%26quot%3B%22%20target%3D%22%5C%26quot%3B_blank%5C%26quot%3B%22%20rel%3D%22%5C%26quot%3Bnoopener%20nofollow%20noopener%20noreferrer%22%20noreferrer%3D%22%22%3ECreate%20an%20NFS%20volume%20for%20Azure%20NetApp%20Files%20%7C%20Microsoft%20Docs%26lt%3B%5C%2FA%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FA%3E%3CPRE%3E%3CA%20href%3D%22%5C%26quot%3Bhttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-netapp-files%2Fazure-netapp-files-create-volumes%5C%26quot%3B%22%20target%3D%22%5C%26quot%3B_blank%5C%26quot%3B%22%20rel%3D%22%5C%26quot%3Bnoopener%20nofollow%20noopener%20noreferrer%22%20noreferrer%3D%22%22%3E%3CSPAN%3Eaz%20feature%20register%20--namespace%20Microsoft.NetApp%20--name%20ANFUnixPermissions%3CBR%20%2F%3E%26lt%3B%5C%2FSPAN%26gt%3B%3CSPAN%3Eaz%20feature%20register%20--namespace%20Microsoft.NetApp%20--name%20ANFChownMode%3CBR%20%2F%3E%26lt%3B%5C%2FSPAN%26gt%3B%3CSPAN%3Eaz%20feature%20register%20--namespace%20Microsoft.NetApp%20--name%20ANFLdapExtendedGroups%3CBR%20%2F%3E%3CBR%20%2F%3E%26lt%3B%5C%2FSPAN%26gt%3B%3CSPAN%3Eaz%20feature%20list%20--namespace%20Microsoft.NetApp%26lt%3B%5C%2FSPAN%26gt%3B%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FA%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3Ethe%20activation%20can%20take%20up%20to%2060%20minutes...%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EAfter%20the%20feature%20registration%20there%20is%20a%20new%20field%20in%20the%20volume%20creation%20workflow%20under%20protocol.%20After%20the%20volume%20is%20created%20you%20can%20change%20the%20volume%20access%20from%20restricted%20to%20unrestricted.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3C%2FH2%3E%3CH2%20id%3D%22%5C%26quot%3Btoc-hId--666065495%5C%26quot%3B%22%20id%3D%22toc-hId-1141513998%22%20id%3D%22toc-hId-1141513998%22%20id%3D%22toc-hId-1141513998%22%3EJoin%20ANF%20to%20the%20Domain%26lt%3B%5C%2FH2%26gt%3B%5Cn%3CP%3EAfter%20we%20created%20the%20Azure%20AD%20DS%20we%20join%20the%20NetApp%20Account%20to%20this%20AD%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346635i166CA54472D7BB02%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_15-1644401762700.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_15-1644401762700.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EClick%20join%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EConfigure%20the%20AD%20settings%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346638iE9D3FEBA9DD0B4F6%2Fimage-dimensions%2F231x574%3Fv%3Dv2%5C%26quot%3B%22%20width%3D%22%5C%26quot%3B231%5C%26quot%3B%22%20height%3D%22%5C%26quot%3B574%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_16-1644401762704.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_16-1644401762704.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346637i730AEB9CE5E204A5%2Fimage-dimensions%2F291x325%3Fv%3Dv2%5C%26quot%3B%22%20width%3D%22%5C%26quot%3B291%5C%26quot%3B%22%20height%3D%22%5C%26quot%3B325%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_17-1644401762705.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_17-1644401762705.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EAs%20a%20result%2C%20you%20will%20see%20the%20config%20in%20the%20portal%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%3E%26nbsp%3B%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346639iCA6E113CB6ABB261%2Fimage-dimensions%2F656x141%3Fv%3Dv2%5C%26quot%3B%22%20width%3D%22%5C%26quot%3B656%5C%26quot%3B%22%20height%3D%22%5C%26quot%3B141%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_18-1644401762709.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_18-1644401762709.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FSPAN%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3Ego%20to%20your%20ANF%20account%20and%20create%20a%20new%20Volume%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346641i418331E5535CA992%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_19-1644401762712.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_19-1644401762712.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%3CSPAN%3ESelect%20the%20Kerberos%20Protokoll%20which%20suits%20your%20requironments.%20If%20you%20select%20all%2C%20all%20kerberos%20modies%20will%20be%20possible.%26lt%3B%5C%2FSPAN%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346657iDDFB700CB1D5D512%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_32-1644403591791.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_32-1644403591791.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSTRONG%3EKerberos%205p%20is%20not%20supported%26lt%3B%5C%2FSTRONG%26gt%3B%20because%20of%20performance%20and%20functional%20reasons.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3ENow%20we%20create%20the%20data%20volume%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EAfter%20the%20volume%20is%20created%20you%20find%20additional%20entries%20in%20the%20LDAP%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346643i4A366D2E94907270%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_22-1644401762719.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_22-1644401762719.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3C%2FH2%3E%3CH2%20id%3D%22%5C%26quot%3Btoc-hId-1821447338%5C%26quot%3B%22%20id%3D%22toc-hId--665940465%22%20id%3D%22toc-hId--665940465%22%20id%3D%22toc-hId--665940465%22%3EConfigure%20Active%20Directory%20connection%26lt%3B%5C%2FH2%26gt%3B%5Cn%3CP%3EAlso%20see%20this%20documentation%3A%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CA%20href%3D%22%5C%26quot%3Bhttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-netapp-files%2Fconfigure-kerberos-encryption%5C%26quot%3B%22%20target%3D%22%5C%26quot%3B_blank%5C%26quot%3B%22%20rel%3D%22%5C%26quot%3Bnoopener%20nofollow%20noopener%20noreferrer%22%20noreferrer%3D%22%22%3EConfigure%20NFSv4.1%20Kerberos%20encryption%20for%20Azure%20NetApp%20Files%20%7C%20Microsoft%20Docs%26lt%3B%5C%2FA%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FA%3E%3C%2FP%3E%3CP%3EConfiguration%20of%20NFSv4.1%20Kerberos%20creates%20two%20computer%20accounts%20in%20Active%20Directory%3A%26lt%3B%5C%2FP%26gt%3B%5Cn%3CUL%3E%5Cn%3CLI%3Ecomputer%20account%20for%20SMB%20shares%26lt%3B%5C%2FLI%26gt%3B%5Cn%3C%2FLI%3E%3CLI%3EA%20computer%20account%20for%20NFSv4.1--You%20can%20identify%20this%20account%20by%20way%20of%20the%20prefix%20NFS-.%26lt%3B%5C%2FLI%26gt%3B%5Cn%26lt%3B%5C%2FUL%26gt%3B%5Cn%3CP%3EAfter%20creating%20the%20first%20NFSv4.1%20Kerberos%20volume%2C%20set%20the%20encryption%20type%20for%20the%20computer%20account%20by%20using%20the%20following%20PowerShell%20command%3A%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3ESet-ADComputer%20%24NFSCOMPUTERACCOUNT%20-KerberosEncryptionType%20AES256%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EYou%20can%20find%20the%20correct%20command%20line%20in%20the%20Portal%20under%20Mount%20Instructions%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346644i4A1A262C7F882826%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_23-1644401762725.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_23-1644401762725.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3ESet-ADComputer%20NFS-ANFSMB-8859%20-KerberosEncryptionType%20AES256%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346645iDE90E41225F10215%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_24-1644401762726.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_24-1644401762726.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EThe%20AD%20is%20now%20configured.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EIf%20you%20like%20to%20add%20an%20Azure%20AD%20user%20as%20Windows%20Logon%20User%20you%20must%20add%20the%20user%20as%20Desktop%20User%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3EPS%20C%3A%5C%5CWindows%5C%5Csystem32%26gt%3B%20%3CSTRONG%3Enet%20localgroup%20%5C%22Remote%20Desktop%20Users%5C%22%20%2Fadd%20%5C%22anaadm%40sapcontoso.com%5C%22%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CDIV%20id%3D%22%5C%26quot%3BtinyMceEditorRalfKlahr_28%5C%26quot%3B%22%20class%3D%22%5C%26quot%3BmceNonEditable%22%20lia-copypaste-placeholder%3D%22%22%3E%26nbsp%3B%26lt%3B%5C%2FDIV%26gt%3B%5Cn%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3ESet-ADComputer%20NFS-ANFSMB-8859%20-KerberosEncryptionType%20AES256%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CDIV%20id%3D%22%5C%26quot%3BtinyMceEditorRalfKlahr_29%5C%26quot%3B%22%20class%3D%22%5C%26quot%3BmceNonEditable%22%20lia-copypaste-placeholder%3D%22%22%3E%26nbsp%3B%26lt%3B%5C%2FDIV%26gt%3B%5Cn%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EThe%20AD%20is%20now%20configured.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EIf%20you%20like%20to%20add%20an%20Azure%20AD%20user%20as%20Windows%20Logon%20User%20you%20must%20add%20the%20user%20as%20Desktop%20User%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EPS%20C%3A%5C%5CWindows%5C%5Csystem32%26gt%3B%20%3CSTRONG%3Enet%20localgroup%20%22Remote%20Desktop%20Users%22%20%2Fadd%20%22anaadm%40sapcontoso.com%22%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CH1%20id%3D%22%5C%26quot%3Btoc-hId--115089844%5C%26quot%3B%22%20id%3D%22toc-hId--795023184%22%20id%3D%22toc-hId--795023184%22%20id%3D%22toc-hId--795023184%22%3EConfiguration%20of%20the%20client%20SLES15SP2%26lt%3B%5C%2FH1%26gt%3B%5Cn%3CP%3E%3CA%20href%3D%22%5C%26quot%3Bhttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-netapp-files%2Fconfigure-nfs-clients%5C%26quot%3B%22%20target%3D%22%5C%26quot%3B_blank%5C%26quot%3B%22%20rel%3D%22%5C%26quot%3Bnoopener%20nofollow%20noopener%20noreferrer%22%20noreferrer%3D%22%22%3EConfigure%20an%20NFS%20client%20for%20Azure%20NetApp%20Files%20%7C%20Microsoft%20Docs%26lt%3B%5C%2FA%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EInstall%20the%20required%20SUSE%20packages%20for%20Kerberos%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Ezypper%20in%20krb5%20krb5-client%20realmd%20samba-common%20chrony%20nfs-utils%20sssd-ad%20sssd-ipa%20sssd-krb5%20sssd-ldap%20sssd-proxy%20realmd-lang%26lt%3B%5C%2FSTRONG%26gt%3B%3CSTRONG%3E%26nbsp%3B%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FSTRONG%3E%3CPRE%3E%3CSTRONG%3E%3CSTRONG%3E%3CSTRONG%3Ezypper%20in%20sssd-tools%20sssd%20adcli%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FSTRONG%3E%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3Econfigure%20the%20chrony%20(NTP)%20service%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Enslookup%200.pool.ntp.org%3CBR%20%2F%3E%26lt%3B%5C%2FSTRONG%26gt%3BServer%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%2010.4.2.4%3CBR%20%2F%3EAddress%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%2010.4.2.4%2353%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Evi%20%2Fetc%2Fchrony.conf%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3CPRE%3E%3CSTRONG%3Eserver%200.pool.ntp.org%20iburst%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EStart%20the%20chrony%20service%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Esystemctl%20enable%20chronyd.service%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3CPRE%3E%3CSTRONG%3E%3CSTRONG%3Esystemctl%20start%20chronyd.service%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Echeck%20the%20chrony%20status%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Echronyc%20sources%20-v%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3CPRE%3E%3CSTRONG%3E210%20Number%20of%20sources%20%3D%205%3CBR%20%2F%3E%E2%80%A6%3CBR%20%2F%3EMS%20Name%2FIP%20address%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Stratum%20Poll%20Reach%20LastRx%20Last%20sample%3CBR%20%2F%3E%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3CBR%20%2F%3E%23*%20PHC0%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200%26nbsp%3B%26nbsp%3B%203%26nbsp%3B%26nbsp%3B%20377%26nbsp%3B%26nbsp%3B%26nbsp%3B%2011%26nbsp%3B%26nbsp%3B%26nbsp%3B%20-15us%5B%26nbsp%3B%20-86us%5D%20%2B%2F-%202724ns%3CBR%20%2F%3E%5E-%20lithium.constant.com%26nbsp%3B%26nbsp%3B%26nbsp%3B%202%26nbsp%3B%26nbsp%3B%209%26nbsp%3B%26nbsp%3B%20377%26nbsp%3B%26nbsp%3B%20249%26nbsp%3B%20%2B2054us%5B%2B1878us%5D%20%2B%2F-%26nbsp%3B%26nbsp%3B%2070ms%3CBR%20%2F%3E%5E-%20149.20.176.27%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%204%26nbsp%3B%2010%26nbsp%3B%26nbsp%3B%20377%26nbsp%3B%26nbsp%3B%20899%26nbsp%3B%26nbsp%3B%26nbsp%3B%20-13ms%5B%26nbsp%3B%20-13ms%5D%20%2B%2F-%26nbsp%3B%20880ms%3CBR%20%2F%3E%5E-%2038.229.54.9%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%202%26nbsp%3B%26nbsp%3B%208%26nbsp%3B%26nbsp%3B%20377%26nbsp%3B%26nbsp%3B%20108%26nbsp%3B%26nbsp%3B%20%2B743us%5B%20%2B456us%5D%20%2B%2F-%26nbsp%3B%20164ms%3CBR%20%2F%3E%5E-%2050-205-244-109-static.hf%26gt%3B%26nbsp%3B%26nbsp%3B%209%26nbsp%3B%26nbsp%3B%20377%26nbsp%3B%26nbsp%3B%20501%26nbsp%3B%20-2665us%5B-2603us%5D%20%2B%2F-%26nbsp%3B%26nbsp%3B%2057ms%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FPRE%3E%3C%2FP%3E%3C%2FH1%3E%3CH2%20id%3D%22%5C%26quot%3Btoc-hId--1793461588%5C%26quot%3B%22%20id%3D%22toc-hId-1821572368%22%20id%3D%22toc-hId-1821572368%22%20id%3D%22toc-hId-1821572368%22%3ESearch%20Domain%26lt%3B%5C%2FH2%26gt%3B%5Cn%3CP%3EIf%20you%20like%20to%20add%20your%20own%20search%20domain%20in%20the%20%2Fetc%2Fresolv.conf%20you%20have%20to%20change%20the%20network%20config.%20Manual%20changes%20in%20%2Fetc%2Fresolv.conf%20will%20be%20overwritten%20from%20the%20wicked%20daemon%20after%20some%20time.%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Ecd%20%2Fetc%2Fsysconfig%2Fnetwork%20%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3CPRE%3E%3CSTRONG%3E%3CSTRONG%3Evi%20config%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Eadd%20the%20search%20domains%20here%3A%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%23%23%20Type%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20string%3CBR%20%2F%3E%23%23%20Default%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%5C%22%5C%22%3CBR%20%2F%3E%23%3CBR%20%2F%3E%23%20List%20of%20DNS%20domain%20names%20used%20for%20host-name%20lookup.%3CBR%20%2F%3E%23%20It%20is%20written%20as%20search%20list%20into%20the%20%2Fetc%2Fresolv.conf%20file.%3CBR%20%2F%3E%23%3CBR%20%2F%3ENETCONFIG_DNS_STATIC_SEARCHLIST%3D%5C%22reddog.microsoft.com%20%3CSTRONG%3Esapcontoso.com%26lt%3B%5C%2FSTRONG%26gt%3B%5C%22%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3ERestart%20the%20network%20service%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Enetconfig%20update%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Enow%20the%20change%20is%20persistent%20in%20the%20%2Fetc%2Fresolv.conf%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Ecat%20%2Fetc%2Fresolv.conf%3CBR%20%2F%3E%26lt%3B%5C%2FSTRONG%26gt%3B%23%23%23%20%2Fetc%2Fresolv.conf%20is%20a%20symlink%20to%20%2Fvar%2Frun%2Fnetconfig%2Fresolv.conf%3CBR%20%2F%3E%23%23%23%20autogenerated%20by%20netconfig!%3CBR%20%2F%3E%23%3CBR%20%2F%3E%23%3CBR%20%2F%3E%23%20See%20also%20the%20netconfig(8)%20manual%20page%20and%20other%20documentation.%3CBR%20%2F%3E%23%3CBR%20%2F%3E%23%23%23%20Call%20%5C%22netconfig%20update%20-f%5C%22%20to%20force%20adjusting%20of%20%2Fetc%2Fresolv.conf.%3CBR%20%2F%3E%3CSTRONG%3Esearch%20reddog.microsoft.com%20sapcontoso.com%3CBR%20%2F%3E%26lt%3B%5C%2FSTRONG%26gt%3Bnameserver%2010.4.2.4%3CBR%20%2F%3Enameserver%2010.4.2.5%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3C%2FH2%3E%3CH2%20id%3D%22%5C%26quot%3Btoc-hId-694051245%5C%26quot%3B%22%20id%3D%22toc-hId-14117905%22%20id%3D%22toc-hId-14117905%22%20id%3D%22toc-hId-14117905%22%3EJoin%20the%20Active%20Directory%20domain%26lt%3B%5C%2FH2%26gt%3B%5Cn%3CP%3ETo%20join%20the%20AD%20Domain%2C%20issue%20the%20command%20(as%20root)%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Eexample%3A%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Erealm%20join%20SAPCONTOSO.COM%20-U%20ralf.klahr%20--computer-ou%3D%5C%22OU%3DAADDC%20Computers%5C%22%3CBR%20%2F%3E%26lt%3B%5C%2FSTRONG%26gt%3BPassword%20for%20ralf.klahr%3A*********%3CBR%20%2F%3Eralfwestvm01%3A~%20%23%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3ETo%20validate%20the%20success%2C%20you%20can%20check%20again%20the%20AD%20and%20the%20realm%20list%20command%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Erealm%20list%3CBR%20%2F%3E%26lt%3B%5C%2FSTRONG%26gt%3Bsapcontoso.com%3CBR%20%2F%3E%26nbsp%3B%20type%3A%20kerberos%3CBR%20%2F%3E%26nbsp%3B%20realm-name%3A%20SAPCONTOSO.COM%3CBR%20%2F%3E%26nbsp%3B%20domain-name%3A%20sapcontoso.com%3CBR%20%2F%3E%26nbsp%3B%20configured%3A%20kerberos-member%3CBR%20%2F%3E%26nbsp%3B%20server-software%3A%20active-directory%3CBR%20%2F%3E%26nbsp%3B%20client-software%3A%20sssd%3CBR%20%2F%3E%26nbsp%3B%20required-package%3A%20sssd-tools%3CBR%20%2F%3E%26nbsp%3B%20required-package%3A%20sssd%3CBR%20%2F%3E%26nbsp%3B%20required-package%3A%20adcli%3CBR%20%2F%3E%26nbsp%3B%20required-package%3A%20samba-client%3CBR%20%2F%3E%26nbsp%3B%20login-formats%3A%20%3CA%20href%3D%22%5C%26quot%3Bmailto%3A%25U%40sapcontoso.com%5C%26quot%3B%22%20target%3D%22%5C%26quot%3B_blank%5C%26quot%3B%22%20rel%3D%22%5C%26quot%3Bnoopener%20nofollow%20noopener%20noreferrer%22%20nofollow%3D%22%22%20noreferrer%3D%22%22%3E%25U%40sapcontoso.com%26lt%3B%5C%2FA%26gt%3B%3CBR%20%2F%3E%26nbsp%3B%20login-policy%3A%20allow-realm-logins%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FA%3E%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FP%3E%3CDIV%20id%3D%22%5C%26quot%3BtinyMceEditorRalfKlahr_30%5C%26quot%3B%22%20class%3D%22%5C%26quot%3BmceNonEditable%22%20lia-copypaste-placeholder%3D%22%22%3E%26nbsp%3B%26lt%3B%5C%2FDIV%26gt%3B%5Cn%3CP%3EThe%20client%20is%20now%20also%20visible%20in%20the%20AD%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22%5C%26quot%3Blia-inline-image-display-wrapper%22%20lia-image-align-inline%3D%22%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fgxcuf89792%2F%5C%26quot%3Bhttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346678i0092BA411C3CA371%2Fimage-dimensions%2F611x86%3Fv%3Dv2%5C%26quot%3B%22%20width%3D%22%5C%26quot%3B611%5C%26quot%3B%22%20height%3D%22%5C%26quot%3B86%5C%26quot%3B%22%20role%3D%22%5C%26quot%3Bbutton%5C%26quot%3B%22%20title%3D%22RalfKlahr_33-1644407068420.png%22%20alt%3D%22%5C%26quot%3BRalfKlahr_33-1644407068420.png%5C%26quot%3B%22%20%2F%3E%26lt%3B%5C%2Fspan%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EEnsure%20that%20default_realm%20is%20set%20to%20the%20provided%20realm%20in%20%2Fetc%2Fkrb5.conf.%20If%20not%2C%20add%20it%20under%20the%20%5Blibdefaults%5D%20section%20in%20the%20file%20as%20shown%20in%20the%20following%20example%3A%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EBackup%20the%20existing%20default%20Kerberos%20config%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Ecp%20%2Fetc%2Fkrb5.conf%20%2Fetc%2Fkrb5.back%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EAs%20an%20example%3A%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Evi%20%2Fetc%2Fkrb5.conf%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3CPRE%3E%3CSTRONG%3Eincludedir%26nbsp%3B%20%2Fetc%2Fkrb5.conf.d%3CBR%20%2F%3E%5Blibdefaults%5D%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20default_realm%20%3D%20SAPCONTOSO.COM%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20default_tkt_enctypes%20%3D%20aes256-cts-hmac-sha1-96%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20default_tgs_enctypes%20%3D%20aes256-cts-hmac-sha1-96%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20permitted_enctypes%20%3D%20aes256-cts-hmac-sha1-96%3CBR%20%2F%3E%5Brealms%5D%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20SAPCONTOSO.COM%20%3D%20%7B%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20kdc%20%3D%20ALX5KJKDVH49M91.sapcontoso.com%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20admin_server%20%3D%20ALX5KJKDVH49M91.sapcontoso.com%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20master_kdc%20%3D%20ALX5KJKDVH49M91.sapcontoso.com%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20default_domain%20%3D%20SAPCONTOSO.COM%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7D%3CBR%20%2F%3E%5Bdomain_realm%5D%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20.sapcontoso.com%20%3D%20SAPCONTOSO.COM%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20sapcontoso.com%20%3D%20SAPCONTOSO.COM%3CBR%20%2F%3E%5Blogging%5D%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20kdc%20%3D%20SYSLOG%3AINFO%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20admin_server%20%3D%20FILE%3D%2Fvar%2Fkadm5.log%3CBR%20%2F%3E%3CBR%20%2F%3E%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3ERun%20the%20kinit%20command%20with%20the%20user%20account%20to%20get%20tickets%3A%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EFor%20example%3A%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Ekinit%20%3CA%20href%3D%22%5C%26quot%3Bmailto%3Aralf.klahr%40SAPCONTOSO.COM%5C%26quot%3B%22%20target%3D%22%5C%26quot%3B_blank%5C%26quot%3B%22%20rel%3D%22%5C%26quot%3Bnoopener%20nofollow%20noopener%20noreferrer%22%20nofollow%3D%22%22%20noreferrer%3D%22%22%3Eralf.klahr%40SAPCONTOSO.COM%26lt%3B%5C%2FA%26gt%3B%3CBR%20%2F%3E%26lt%3B%5C%2FSTRONG%26gt%3BPassword%20for%20%3C%2FA%3E%3CA%20href%3D%22%5C%26quot%3Bmailto%3Aralf.klahr%40SAPCONTOSO.COM%5C%26quot%3B%22%20target%3D%22%5C%26quot%3B_blank%5C%26quot%3B%22%20rel%3D%22%5C%26quot%3Bnoopener%20nofollow%20noopener%20noreferrer%22%20nofollow%3D%22%22%20noreferrer%3D%22%22%3Eralf.klahr%40SAPCONTOSO.COM%26lt%3B%5C%2FA%26gt%3B%3A%20*********%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FA%3E%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3EOr%20for%20the%20SISadm...%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Ekinit%20anaadm%40SAPCONTOSO.COM%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3ERestart%20all%20NFS%20services%3A%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Esystemctl%20restart%20nfs-*%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3CPRE%3E%3CSTRONG%3E%3CSTRONG%3Esystemctl%20restart%20rpc-gssd.service%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EChange%20the%20idmapd%20config%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Evi%20%2Fetc%2Fidmapd.conf%20%3CBR%20%2F%3E%26lt%3B%5C%2FSTRONG%26gt%3B%5BGeneral%5D%3CBR%20%2F%3EVerbosity%20%3D%200%3CBR%20%2F%3EPipefs-Directory%20%3D%20%2Fvar%2Flib%2Fnfs%2Frpc_pipefs%3CBR%20%2F%3EDomain%20%3D%20%3CSTRONG%3Edefaultv4iddomain.com%3CBR%20%2F%3E%26lt%3B%5C%2FSTRONG%26gt%3B%5BMapping%5D%3CBR%20%2F%3ENobody-User%20%3D%20nobody%3CBR%20%2F%3ENobody-Group%20%3D%20nobody%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3EFinally%20try%20to%20mount%20the%20Volume%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Emount%20-t%20nfs%20-o%20sec%3Dkrb5i%2Crw%2Chard%2Crsize%3D262144%2Cwsize%3D262144%2Cvers%3D4.1%2Ctcp%20anfsmb-8859.sapcontoso.com%3A%2Fralfaddata01%20%2Fmnt%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Edf%20-h%3CBR%20%2F%3E%26lt%3B%5C%2FSTRONG%26gt%3BFilesystem%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Size%26nbsp%3B%20Used%20Avail%20Use%25%20Mounted%20on%3CBR%20%2F%3E...%3CBR%20%2F%3E..%3CBR%20%2F%3Eanfsmb-8859.sapcontoso.com%3A%2Fralfaddata01%26nbsp%3B%20100G%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200%26nbsp%3B%20100G%26nbsp%3B%26nbsp%3B%200%25%20%2Fmnt%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3CPRE%3E%3CSTRONG%3E%3CSTRONG%3Emount%3CBR%20%2F%3E%26lt%3B%5C%2FSTRONG%26gt%3Banfsmb-8859.sapcontoso.com%3A%2Fralfaddata01%20on%20%2Fmnt%20type%20nfs4%20(rw%2Crelatime%2Cvers%3D4.1%2Crsize%3D262144%2Cwsize%3D262144%2Cnamlen%3D255%2Chard%2Cproto%3Dtcp%2Ctimeo%3D600%2Cretrans%3D2%2C%3CSTRONG%3Esec%3Dkrb5i%26lt%3B%5C%2FSTRONG%26gt%3B%2Cclientaddr%3D10.4.0.4%2Clocal_lock%3Dnone%2Caddr%3D10.4.1.4)%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FSTRONG%3E%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Eif%20you%20plan%20to%20install%20HANA%20on%20a%20default%20SLES%20image%20you%20also%20need%20to%20install%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Ezypper%20in%20libatomic1%20insserv%20sapconf%20libltdl7%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EFor%20the%20HCMT%20test%20I%20made%20sure%20that%20both%20volumes%20are%20on%20the%20same%20storage%20endpoint%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3Eralfwestvm01%3A~%20%23%20%3CSTRONG%3Eping%2010.4.1.4%3CBR%20%2F%3E%26lt%3B%5C%2FSTRONG%26gt%3BPING%2010.4.1.4%20(10.4.1.4)%2056(84)%20bytes%20of%20data.%3CBR%20%2F%3E64%20bytes%20from%2010.4.1.4%3A%20icmp_seq%3D1%20ttl%3D63%20time%3D0.551%20ms%3CBR%20%2F%3E64%20bytes%20from%2010.4.1.4%3A%20icmp_seq%3D2%20ttl%3D63%20time%3D0.468%20ms%3CBR%20%2F%3E64%20bytes%20from%2010.4.1.4%3A%20icmp_seq%3D3%20ttl%3D63%20time%3D0.550%20ms%3CBR%20%2F%3E%3CBR%20%2F%3Eralfwestvm01%3A~%20%23%20%3CSTRONG%20style%3D%22%5C%26quot%3Bfont-family%3A%22%20inherit%3D%22%22%3Eping%20anfsmb-8859.sapcontoso.com%3CBR%20%2F%3E%26lt%3B%5C%2FSTRONG%26gt%3BPING%20anfsmb-8859.sapcontoso.com%20(10.4.1.4)%2056(84)%20bytes%20of%20data.%3CBR%20%2F%3E64%20bytes%20from%2010.4.1.4%20(10.4.1.4)%3A%20icmp_seq%3D1%20ttl%3D63%20time%3D0.380%20ms%3CBR%20%2F%3E64%20bytes%20from%2010.4.1.4%20(10.4.1.4)%3A%20icmp_seq%3D2%20ttl%3D63%20time%3D0.483%20ms%3CBR%20%2F%3E64%20bytes%20from%2010.4.1.4%20(10.4.1.4)%3A%20icmp_seq%3D3%20ttl%3D63%20time%3D0.467%20ms%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EConfigure%20the%20%2Fetc%2Fhosts%20entries%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Evi%2Fetc%2Fhosts%20%3CBR%20%2F%3E%26lt%3B%5C%2FSTRONG%26gt%3B%23%20IP-Address%26nbsp%3B%20Full-Qualified-Hostname%26nbsp%3B%20Short-Hostname%3CBR%20%2F%3E%23%3CBR%20%2F%3E127.0.0.1%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20localhost%3CBR%20%2F%3E10.4.0.5%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20ralfwest02.sapcontoso.com%20ralfwest02%3CBR%20%2F%3E10.4.1.4%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20anfsmb-72cb.sapcontoso.com%3CBR%20%2F%3E10.4.1.5%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20anfsmb-e16d.sapcontoso.com%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3EConfigure%20the%20%2Fetc%2Ffstab%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Evi%20%2Fetc%2Ffstab%3CBR%20%2F%3E%26lt%3B%5C%2FSTRONG%26gt%3B%23%3CBR%20%2F%3E%23%20Kerberos%20Volume%3CBR%20%2F%3Eanfsmb-e16d.sapcontoso.com%3A%2Fralfaddata01%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%2Fhana%2Fdata%2FANA%2Fmnt00002%26nbsp%3B%20nfs%26nbsp%3B%26nbsp%3B%20sec%3Dkrb5i%2Crw%2Chard%2Crsize%3D262144%2Cwsize%3D262144%2Cvers%3D4.1%2Ctcp%26nbsp%3B%200%26nbsp%3B%200%3CBR%20%2F%3Eanfsmb-e16d.sapcontoso.com%3A%2Fralfadlog01%26nbsp%3B%26nbsp%3B%20%20%20%2Fhana%2Flog%2FANA%2Fmnt00002%26nbsp%3B%20%20nfs%26nbsp%3B%26nbsp%3B%20sec%3Dkrb5%2Crw%2Chard%2Crsize%3D262144%2Cwsize%3D262144%2Cvers%3D4.1%2Ctcp%26nbsp%3B%200%26nbsp%3B%200%3CBR%20%2F%3E%23%3CBR%20%2F%3E%23%20normal%20ANF%20Volume%3CBR%20%2F%3E10.4.1.4%3A%2Fralfdtata01%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%2Fhana%2Fdata%2FANA%2Fmnt00001%26nbsp%3B%20nfs%26nbsp%3B%26nbsp%3B%20rw%2Chard%2Crsize%3D262144%2Cwsize%3D262144%2Csec%3Dsys%2Cvers%3D4.1%2Ctcp%26nbsp%3B%200%26nbsp%3B%200%3CBR%20%2F%3E10.4.1.4%3A%2Fralflog01%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%20%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%2Fhana%2Flog%2FANA%2Fmnt00001%26nbsp%3B%20%20nfs%26nbsp%3B%26nbsp%3B%20rw%2Chard%2Crsize%3D262144%2Cwsize%3D262144%2Csec%3Dsys%2Cvers%3D4.1%2Ctcp%26nbsp%3B%200%26nbsp%3B%200%3CBR%20%2F%3E10.4.1.4%3A%2Fralfshared01%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%2Fhana%2Fshared%2FANA%26nbsp%3B%20%20%20%20%20%20%20%20nfs%26nbsp%3B%26nbsp%3B%20rw%2Chard%2Crsize%3D262144%2Cwsize%3D262144%2Csec%3Dsys%2Cvers%3D4.1%2Ctcp%26nbsp%3B%200%26nbsp%3B%200%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EFirst%20we%20start%20HCMT%20the%20%E2%80%9Cnormal%20NFSv4.1%20non%20Kerberos%20Volume%3A%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Edf%20-h%3CBR%20%2F%3E%26lt%3B%5C%2FSTRONG%26gt%3BFilesystem%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Size%26nbsp%3B%20Used%20Avail%20Use%25%20Mounted%20on%3CBR%20%2F%3E10.4.1.4%3A%2Fralfdtata01%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%2012T%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200%26nbsp%3B%26nbsp%3B%2012T%26nbsp%3B%26nbsp%3B%200%25%20%3CSTRONG%3E%2Fhana%2Fdata%2FANA%2Fmnt00001%3CBR%20%2F%3E%26lt%3B%5C%2FSTRONG%26gt%3Banfsmb-8859.sapcontoso.com%3A%2Fralfaddata01%26nbsp%3B%20100G%26nbsp%3B%26nbsp%3B%26nbsp%3B%200%26nbsp%3B%20100G%26nbsp%3B%26nbsp%3B%200%25%20%3CSTRONG%20style%3D%22%5C%26quot%3Bwhite-space%3A%22%20normal%3D%22%22%3E%2Fhana%2Fdata%2FANA%2Fmnt00002%26lt%3B%5C%2FSTRONG%26gt%3B%3CSTRONG%3E%3CBR%20%2F%3E%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FSTRONG%3E%3C%2FSTRONG%3E%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EStart%20of%20HCMT%20in%20an%20%E2%80%9Cscreen%E2%80%9D%20to%20avoid%20any%20connection%20issues%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Escreen%3CBR%20%2F%3E%26lt%3B%5C%2FSTRONG%26gt%3B%3CSTRONG%20style%3D%22%5C%26quot%3Bwhite-space%3A%22%20normal%3D%22%22%3Ecd%20%2Fhana%2Fshared%2FHCMT%3CBR%20%2F%3E%26lt%3B%5C%2FSTRONG%26gt%3Bralfwestvm01%3A%2Fhana%2Fshared%2FHCMT%20%23%20%3CSTRONG%3E.%2Fhcmt%20-v%20-p%20config%2Fstorage.json%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FSTRONG%3E%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%3CSPAN%20style%3D%22%5C%26quot%3Bfont-family%3A%22%20inherit%3D%22%22%3EPress%20CTRL%2BA%20and%20D%20to%20leave%20the%20screen%26lt%3B%5C%2FSPAN%26gt%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EThis%20test%20was%20done%20on%20native%2C%20Krb5%20and%20krb5i.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EThe%20HCMT%20with%20krb5p%20never%20was%20successful.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EFor%20the%20HANASpeed%20tests%20I%20copied%20the%20data%20and%20log%20area%20over%20from%20the%20native%20to%20the%20Kerberos%20volumes.%26lt%3B%5C%2FP%26gt%3B%5Cn%3CPRE%3E%3CSTRONG%3Esu%20%E2%80%93%20anaadm%3CBR%20%2F%3E%26lt%3B%5C%2FSTRONG%26gt%3Banaadm%40ralfwest02%3A%2Fusr%2Fsap%2FANA%2FHDB00%26gt%3B%20%3CSTRONG%3Ekinit%20%3CA%20href%3D%22%5C%26quot%3Bmailto%3Aanaadm%40SAPCONTOSO.COM%5C%26quot%3B%22%20target%3D%22%5C%26quot%3B_blank%5C%26quot%3B%22%20rel%3D%22%5C%26quot%3Bnoopener%20nofollow%20noopener%20noreferrer%22%20nofollow%3D%22%22%20noreferrer%3D%22%22%3Eanaadm%40SAPCONTOSO.COM%26lt%3B%5C%2FA%26gt%3B%3CBR%20%2F%3E%26lt%3B%5C%2FSTRONG%26gt%3BPassword%20for%20%3C%2FA%3E%3CA%20href%3D%22%5C%26quot%3Bmailto%3Aanaadm%40SAPCONTOSO.COM%3A*****%5C%26quot%3B%22%20target%3D%22%5C%26quot%3B_blank%5C%26quot%3B%22%20rel%3D%22%5C%26quot%3Bnoopener%20nofollow%20noopener%20noreferrer%22%20nofollow%3D%22%22%20noreferrer%3D%22%22%3Eanaadm%40SAPCONTOSO.COM%3A%3CSTRONG%3E*****%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FA%26gt%3B%3CBR%20%2F%3Eanaadm%40ralfwest02%3A%2Fusr%2Fsap%2FANA%2FHDB00%26gt%3B%20%3CSTRONG%3Ecp%20-r%20%2Fhana%2Fdata%2FANA%2Fmnt00001%2F*%20%2Fhana%2Fdata%2FANA%2Fmnt00002%2F%3CBR%20%2F%3E%26lt%3B%5C%2FSTRONG%26gt%3Banaadm%40ralfwest02%3A%2Fusr%2Fsap%2FANA%2FHDB00%26gt%3B%3CSTRONG%3E%20cp%20-r%20%2Fhana%2Flog%2FANA%2Fmnt00001%2F*%20%2Fhana%2Flog%2FANA%2Fmnt00002%2F%26lt%3B%5C%2FSTRONG%26gt%3B%26lt%3B%5C%2FPRE%26gt%3B%5Cn%3C%2FSTRONG%3E%3C%2FSTRONG%3E%3C%2FSTRONG%3E%3C%2FA%3E%3C%2FSTRONG%3E%3C%2FSTRONG%3E%3C%2FPRE%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3Ethen%20I%20remounted%20the%20Kerberos%20volumes%20under%20the%20mnt00001%20path%20and%20restarted%20HANA%20and%20the%20tests.%26lt%3B%5C%2FP%26gt%3B%26lt%3B%5C%2Flingo-body%26gt%3B%3CLINGO-TEASER%20id%3D%22%5C%26quot%3Blingo-teaser-3142010%5C%26quot%3B%22%20slang%3D%22%5C%26quot%3Ben-US%5C%26quot%3B%22%3E%3C%2FLINGO-TEASER%3E%3C%2FP%3E%3CH1%20id%3D%22toc-hId--114964814%22%20id%3D%22toc-hId--114964814%22%20id%3D%22toc-hId--114964814%22%3EKerberos%20with%20ANF%20for%20SAP%20HANA%26lt%3B%5C%2FH1%26gt%3B%5Cn%3CP%3EEncryption%20is%20a%20very%20big%20topic%20when%20it%20comes%20to%20data%20security%20especially%20in%20public%20clouds.%26lt%3B%5C%2FP%26gt%3B%5Cn%3C%2FP%3E%3CP%3EAzure%20NetApp%20Files%20(ANF)%20supports%20DES%2C%20Kerberos%20AES%20128%2C%20and%20Kerberos%20AES%20256%20encryption%20types%20(from%20the%20least%20secure%20to%20the%20most%20secure).%20If%20you%20enable%20AES%20encryption%2C%20the%20user%20credentials%20used%20to%20join%20Active%20Directory%20must%20have%20the%20highest%20corresponding%20account%20option%20enabled%20that%20matches%20the%20capabilities%20enabled%20for%20your%20Active%20Directory.%26lt%3B%5C%2FP%26gt%3B%26lt%3B%5C%2Flingo-teaser%26gt%3B%3CLINGO-LABS%20id%3D%22%5C%26quot%3Blingo-labs-3142010%5C%26quot%3B%22%20slang%3D%22%5C%26quot%3Ben-US%5C%26quot%3B%22%3E%3CLINGO-LABEL%3EANF%26lt%3B%5C%2Flingo-label%26gt%3B%3CLINGO-LABEL%3Ehana%26lt%3B%5C%2Flingo-label%26gt%3B%3CLINGO-LABEL%3Ekerberos%26lt%3B%5C%2Flingo-label%26gt%3B%3CLINGO-LABEL%3Enetapp%26lt%3B%5C%2Flingo-label%26gt%3B%3CLINGO-LABEL%3Esap%26lt%3B%5C%2Flingo-label%26gt%3B%26lt%3B%5C%2Flingo-labs%26gt%3B%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3C%2FP%3E%3C%2FH1%3E%3C%2FDIV%3E%3C%2FH2%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLI%3E%3C%2FUL%3E%3C%2FP%3E%3C%2FH2%3E%3C%2FTD%3E%3C%2FTR%3E%3C%2FTBODY%3E%3C%2FTABLE%3E%3C%2FP%3E%3C%2FLI%3E%3C%2FUL%3E%3C%2FP%3E%3C%2FH1%3E%3C%2FLINGO-BODY%3E%3C%2FLINGO-SUB%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3142010%22%20slang%3D%22en-US%22%3EImplementing%20Azure%20NetApp%20Files%20with%20Kerberos%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3142010%22%20slang%3D%22en-US%22%3E%3CH1%20id%3D%22toc-hId--2135721262%22%20id%3D%22toc-hId--1922419277%22%3E%3CFONT%20size%3D%226%22%3EImplementing%20Azure%20NetApp%20Files%20with%20Kerberos%3C%2FFONT%3E%3C%2FH1%3E%0A%3CP%3EPoC%20and%20Validation%3C%2FP%3E%0A%3CH1%20id%3D%22toc-hId-351791571%22%20id%3D%22toc-hId-565093556%22%3EKerberos%20with%20ANF%20for%20SAP%20HANA%3C%2FH1%3E%0A%3CP%3EEncryption%20is%20a%20very%20big%20topic%20when%20it%20comes%20to%20data%20security%20especially%20in%20public%20clouds.%3C%2FP%3E%0A%3CP%3EAzure%20NetApp%20Files%20(ANF)%20supports%20DES%2C%20Kerberos%20AES%20128%2C%20and%20Kerberos%20AES%20256%20encryption%20types%20(from%20the%20least%20secure%20to%20the%20most%20secure).%20If%20you%20enable%20AES%20encryption%2C%20the%20user%20credentials%20used%20to%20join%20Active%20Directory%20must%20have%20the%20highest%20corresponding%20account%20option%20enabled%20that%20matches%20the%20capabilities%20enabled%20for%20your%20Active%20Directory.%3C%2FP%3E%0A%3CP%3EThe%20question%20which%20has%20to%20be%20answered%20is%20if%20Kerberos%20adds%20additional%20value%20to%20the%20overall%20system%20security%20and%20system%20performance.%20Encryption%20always%20will%20cost%20CPU%20cycles%20and%20will%20also%20enlarge%20the%20storage%20latency.%20With%20SAP%20HANA%20you%20can%20enable%20LSS%20encryption%20which%20will%20encrypt%20the%20data%20additionally%20before%20the%20data%20will%20be%20written%20to%20the%20storage.%20At%20the%20storage%20the%20data%20will%20be%20encrypted%20at%20REST%20a%20second%20time%20by%20default.%20So%2C%20enabling%20Kerberos%20the%20data%20would%20be%20encrypted%20a%20third%20time%20which%20obviously%20has%20the%20biggest%20impact%20since%20this%20encryption%20is%20in%20the%20data%20path.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnyway%2C%20the%20request%20to%20enable%20Kerberos%20is%20coming%20more%20and%20more.%3C%2FP%3E%0A%3CP%3EThis%20document%20will%20try%20to%20describe%20the%20configuration%20and%20will%20also%20try%20to%20show%20the%20impact%20when%20Kerberos%20is%20enabled.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20start%20with%20I%20will%20show%20the%20starting%20point%20without%20enabling%20Kerberos%20and%20LSS.%20The%20numbers%20here%20are%20the%20so%2C%20called%20%E2%80%9Cdefault%E2%80%9D.%3C%2FP%3E%0A%3CP%3EBefore%20you%20begin%20read%3A%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory-domain-services%2Fcompare-identity-solutions%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ECompare%20Active%20Directory-based%20services%20in%20Azure%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%0A%3CP%3EWe%20will%20use%20Azure%20Active%20Directory%20Domain%20Services%20(Azure%20AD%20DS)%20in%20this%20documentation.%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory-domain-services%2Foverview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EOverview%20of%20Azure%20Active%20Directory%20Domain%20Services%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%0A%3CP%3EKerberos%20Authentication%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fsecurity%2Fkerberos%2Fkerberos-authentication-overview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EKerberos%20Authentication%20Overview%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%0A%3CP%3EANF%20%E2%80%93%20Kerberos%20configuration%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-netapp-files%2Fcreate-active-directory-connections%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ECreate%20and%20manage%20Active%20Directory%20connections%20for%20Azure%20NetApp%20Files%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-netapp-files%2Fconfigure-kerberos-encryption%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EConfigure%20NFSv4.1%20Kerberos%20encryption%20for%20Azure%20NetApp%20Files%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-netapp-files%2Fperformance-impact-kerberos%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EPerformance%20impact%20of%20Kerberos%20on%20Azure%20NetApp%20Files%20NFSv4.1%20volumes%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EThe%20NetApp%20TR-4616%20is%20also%20a%20very%20good%20information%20how%20to%20configure%20Kerberos%20and%20also%20describes%20some%20Kerberos%20terms%20very%20detailed.%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.netapp.com%2Fmedia%2F19384-tr-4616.pdf%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3ETR-4616%3A%20NFS%20Kerberos%20in%20ONTAP%20(netapp.com)%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESome%20facts%20to%20know%3A%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-netapp-files%2Fperformance-impact-kerberos%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EPerformance%20impact%20of%20Kerberos%20on%20Azure%20NetApp%20Files%20NFSv4.1%20volumes%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%0A%3CP%3EThe%20security%20options%20currently%20available%20for%20NFSv4.1%20volumes%20are%20as%20follows%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3Esec%3Dsys%20uses%20local%20UNIX%20UIDs%20and%20GIDs%20by%20using%20AUTH_SYS%20to%20authenticate%20NFS%20operations.%3C%2FLI%3E%0A%3CLI%3Esec%3Dkrb5%20uses%20Kerberos%20V5%20instead%20of%20local%20UNIX%20UIDs%20and%20GIDs%20to%20authenticate%20users.%3C%2FLI%3E%0A%3CLI%3Esec%3Dkrb5i%20uses%20Kerberos%20V5%20for%20user%20authentication%20and%20performs%20integrity%20checking%20of%20NFS%20operations%20using%20secure%20checksums%20to%20prevent%20data%20tampering.%3C%2FLI%3E%0A%3CLI%3Esec%3Dkrb5p%20uses%20Kerberos%20V5%20for%20user%20authentication%20and%20integrity%20checking.%20It%20encrypts%20NFS%20traffic%20to%20prevent%20traffic%20sniffing.%20This%20option%20is%20the%20most%20secure%20setting%2C%20but%20it%20also%20involves%20the%20most%20performance%20overhead.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EThroughput%20here%20the%20baseline%20is%20128MB%20(max)%3A%3C%2FP%3E%0A%3CTABLE%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22302%22%3E%3CP%3ESec%3Dsys%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22302%22%3E%3CP%3E120MB%2Fs%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22302%22%3E%3CP%3ESec%3Dkrb5%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22302%22%3E%3CP%3E95.1MB%2Fs%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22302%22%3E%3CP%3ESec%3Dkrb5i%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22302%22%3E%3CP%3E94.5MB%2Fs%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22302%22%3E%3CP%3ESec%3Dkrb5p%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22302%22%3E%3CP%3E23.8MB%2Fs%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EReference%20(German)%20%3CA%20href%3D%22https%3A%2F%2Fwiki.ubuntuusers.de%2FKerberos%2FNFS_mit_Kerberos_sichern%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3ENFS%20mit%20Kerberos%20sichern%20%E2%80%BA%20Kerberos%20%E2%80%BA%20Wiki%20%E2%80%BA%20ubuntuusers.de%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20is%20the%20test%20setup%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_69-1644399736733.png%22%20style%3D%22width%3A%20538px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346608i8CEFB05FF88B0C77%2Fimage-dimensions%2F538x383%3Fv%3Dv2%22%20width%3D%22538%22%20height%3D%22383%22%20role%3D%22button%22%20title%3D%22RalfKlahr_69-1644399736733.png%22%20alt%3D%22RalfKlahr_69-1644399736733.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESUSE%20documentation%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocumentation.suse.com%2Fsles%2F15-SP2%2Fhtml%2FSLES-all%2Fcha-security-kerberos.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3ENetwork%20Authentication%20with%20Kerberos%20%7C%20Security%20and%20Hardening%20Guide%20%7C%20SUSE%20Linux%20Enterprise%20Server%2015%20SP2%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1042353045%22%20id%3D%22toc-hId--1113278188%22%3EFirst%20some%20Performance%20measurements%20with%20and%20without%20Kerberos%3A%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EData%20and%20Log%20volumes%3A%3C%2FP%3E%0A%3CP%3EI%20used%20a%2012TiB%20Ultra%20Volume%20for%20the%20tests.%20Both%20tests%20(data%20and%20Log)%20are%20pointing%20to%20the%20same%20volume.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHCMT%20native%20no%20Kerberos%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_70-1644399789787.png%22%20style%3D%22width%3A%20606px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346609iA8FA048E4CD751B5%2Fimage-dimensions%2F606x188%3Fv%3Dv2%22%20width%3D%22606%22%20height%3D%22188%22%20role%3D%22button%22%20title%3D%22RalfKlahr_70-1644399789787.png%22%20alt%3D%22RalfKlahr_70-1644399789787.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHCMT%20with%20Kerberos%20krb5%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_2-1644399601135.png%22%20style%3D%22width%3A%20603px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346558i3BD13284CB882BFD%2Fimage-dimensions%2F603x169%3Fv%3Dv2%22%20width%3D%22603%22%20height%3D%22169%22%20role%3D%22button%22%20title%3D%22RalfKlahr_2-1644399601135.png%22%20alt%3D%22RalfKlahr_2-1644399601135.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHCMT%20with%20Kerberos%20krb5i%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_3-1644399601152.png%22%20style%3D%22width%3A%20601px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346560i88AA590173EE9A49%2Fimage-dimensions%2F601x179%3Fv%3Dv2%22%20width%3D%22601%22%20height%3D%22179%22%20role%3D%22button%22%20title%3D%22RalfKlahr_3-1644399601152.png%22%20alt%3D%22RalfKlahr_3-1644399601152.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EKerberos%205p%20will%20not%20be%20supported%3C%2FSTRONG%3E.%20The%20performance%20penalty%20is%20by%20far%20too%20high%20to%20meet%20any%20SAP%20HANA%20KPIs.%20We%20even%20got%20dumps%20with%20the%20random%201M%20data%20file%20read%20which%20caused%20HCMT%20to%20break.%3C%2FP%3E%0A%3CP%3ESo%20available%20and%20supported%20Kerberos%20flavors%20are%205%20and%205i%20but%20%3CSTRONG%3ENOT%205p%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EHANA%20Stress%20tool%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThis%20tool%20(from%20GitHub)%20is%20creating%2010000%20tables%20and%20will%20add%2020000%20rows%20into%20each%20table.%3C%2FP%3E%0A%3CP%3EI%20started%20the%20tool%20three%20times%20to%20see%20if%20there%20are%20no%20differences%20in%20the%20runs.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20the%20tests%20I%20am%20using%20two%20Ultra%20volumes%20%E2%80%93%20Data%204TB%20and%20Log%203TB%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_71-1644399901141.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346610iD527898E35876844%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_71-1644399901141.png%22%20alt%3D%22RalfKlahr_71-1644399901141.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENative%3C%2FP%3E%0A%3CPRE%3Eanaadm%40ralfvm01%3A%2Fopt%2Fhanastress%26gt%3B%20%3CSTRONG%3Etime%20.%2Fhanastress.py%20-v%20--host%20localhost%20-i%2000%20-u%20HANASTRESS%20-p%20HANAStress02%20-g%20%3CGROUP%3E%20--tables%2010000%20--rows%2020000%20%3CBR%20%2F%3E--threads%2010%3CBR%20%2F%3E%3C%2FGROUP%3E%3C%2FSTRONG%3E%5Binfo%5D%20Starting%20Generation...%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ereal%26nbsp%3B%26nbsp%3B%26nbsp%3B%2012m.921s%3C%2FP%3E%0A%3CP%3Euser%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m1.084s%3C%2FP%3E%0A%3CP%3Esys%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m0.559s%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ereal%26nbsp%3B%26nbsp%3B%26nbsp%3B%2013m24.9s%3C%2FP%3E%0A%3CP%3Euser%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m1.002s%3C%2FP%3E%0A%3CP%3Esys%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m0.592s%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ereal%26nbsp%3B%26nbsp%3B%26nbsp%3B%2013m83.918s%3C%2FP%3E%0A%3CP%3Euser%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m1.005s%3C%2FP%3E%0A%3CP%3Esys%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m0.575s%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EKerberos%205%3C%2FP%3E%0A%3CP%3Ereal%26nbsp%3B%26nbsp%3B%26nbsp%3B%2014m16.617s%3C%2FP%3E%0A%3CP%3Euser%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m10.739s%3C%2FP%3E%0A%3CP%3Esys%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m6.127s%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ereal%26nbsp%3B%26nbsp%3B%26nbsp%3B%2014m54.530s%3C%2FP%3E%0A%3CP%3Euser%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m10.764s%3C%2FP%3E%0A%3CP%3Esys%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m6.055s%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ereal%26nbsp%3B%26nbsp%3B%26nbsp%3B%2015m41.758s%3C%2FP%3E%0A%3CP%3Euser%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m10.798s%3C%2FP%3E%0A%3CP%3Esys%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m6.294s%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EKerberos%205i%3C%2FP%3E%0A%3CP%3Ereal%26nbsp%3B%26nbsp%3B%26nbsp%3B%2016m20.946s%3C%2FP%3E%0A%3CP%3Euser%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m11.175s%3C%2FP%3E%0A%3CP%3Esys%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m6.018s%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ereal%26nbsp%3B%26nbsp%3B%26nbsp%3B%2016m52.497s%3C%2FP%3E%0A%3CP%3Euser%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m11.094s%3C%2FP%3E%0A%3CP%3Esys%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m6.181s%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ereal%26nbsp%3B%26nbsp%3B%26nbsp%3B%2017m36.939s%3C%2FP%3E%0A%3CP%3Euser%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m11.190s%3C%2FP%3E%0A%3CP%3Esys%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200m6.055s%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20is%20the%20graphical%20overview.%20!!!%20Lower%20is%20better%20!!!%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_72-1644399952437.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346611i1545A36A5B6664C8%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_72-1644399952437.png%22%20alt%3D%22RalfKlahr_72-1644399952437.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH1%20id%3D%22toc-hId-1031849941%22%20id%3D%22toc-hId-1245151926%22%3E%3CFONT%20size%3D%226%22%3ESetup%20of%20our%20test%20scenario%3C%2FFONT%3E%3C%2FH1%3E%0A%3CH1%20id%3D%22toc-hId--775604522%22%20id%3D%22toc-hId--562302537%22%3E%3CFONT%20size%3D%225%22%3EAzure%20AD%20DS%3C%2FFONT%3E%3C%2FH1%3E%0A%3CP%3EFirst%20create%20the%20Azure%20Active%20Directory%20Domain%20Service%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_73-1644399989731.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346612iF75EF75BDC7E2571%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_73-1644399989731.png%22%20alt%3D%22RalfKlahr_73-1644399989731.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3ESelect%20the%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20user%20who%20is%20trying%20to%20create%20the%20AD%20DS%20must%20have%20the%20Global%20Administrator%20role%20for%20the%20Directory.%3C%2FP%3E%0A%3CP%3ESelect%20the%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_8-1644399601169.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346562i4D7A36A20A836727%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_8-1644399601169.png%22%20alt%3D%22RalfKlahr_8-1644399601169.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EClick%20on%20Create%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_9-1644399601171.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346565iB67A87262BC66127%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_9-1644399601171.png%22%20alt%3D%22RalfKlahr_9-1644399601171.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_10-1644399601177.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346566iC73BD5D32C4A1639%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_10-1644399601177.png%22%20alt%3D%22RalfKlahr_10-1644399601177.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_11-1644399601181.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346567i86C019AE84665AD2%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_11-1644399601181.png%22%20alt%3D%22RalfKlahr_11-1644399601181.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EUse%20the%20same%20vNET%20but%20let%20the%20service%20create%20a%20new%20subnet.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_12-1644399601185.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346569i57FCBC53DEAB3B9C%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_12-1644399601185.png%22%20alt%3D%22RalfKlahr_12-1644399601185.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_13-1644399601188.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346568iFF47839C88E92D6C%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_13-1644399601188.png%22%20alt%3D%22RalfKlahr_13-1644399601188.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_14-1644399601201.png%22%20style%3D%22width%3A%20450px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346570i50FC7B931906B8AB%2Fimage-dimensions%2F450x345%3Fv%3Dv2%22%20width%3D%22450%22%20height%3D%22345%22%20role%3D%22button%22%20title%3D%22RalfKlahr_14-1644399601201.png%22%20alt%3D%22RalfKlahr_14-1644399601201.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--85043048%22%20id%3D%22toc-hId-2054293015%22%3EClick%20on%20Create%20after%20the%20validation%20was%20successful.%3C%2FH2%3E%0A%3CP%3EKerberos%20RC4%20Encryption%3C%2FP%3E%0A%3CP%3EEnable%20or%20disable%20Kerberos%20RC4%20encryption%20for%20your%20managed%20domain.%20When%20Kerberos%20RC4%20encryption%20is%20disabled%2C%20all%20Kerberos%20requests%20that%20use%20RC4%20encryption%20will%20fail.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EKerberos%20Armoring%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EEnable%20or%20disable%20Kerberos%20Armoring%20for%20your%20managed%20domain.%20This%20will%20provide%20a%20protected%20channel%20between%20the%20Kerberos%20client%20and%20the%20KDC.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EHelpful%20Links%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fsecureyourdomain%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EHarden%20an%20Azure%20Active%20Directory%20Domain%20Services%20managed%20domain%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_15-1644399601205.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346571i5EC7D96E9DDB4ADE%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_15-1644399601205.png%22%20alt%3D%22RalfKlahr_15-1644399601205.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_16-1644399601207.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346572iC5DD0F596B8332D6%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_16-1644399601207.png%22%20alt%3D%22RalfKlahr_16-1644399601207.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIt%20will%20take%20several%20minutes%20to%20complete%E2%80%A6%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_17-1644399601210.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346573i1F384D9D39FB5D1F%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_17-1644399601210.png%22%20alt%3D%22RalfKlahr_17-1644399601210.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20the%20result%20Azure%20will%20create%20the%20Azure%20AD%20DS%20with%20two%20DNS%20IP%20addresses%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1892497511%22%20id%3D%22toc-hId-945000493%22%3E%3CU%3E%3C%2FU%3EConfigure%20the%20vNET%20DNS%20config%3C%2FH2%3E%0A%3CP%3EAfter%20the%20Azure%20ADDS%20was%20deployed%2C%20we%20need%20to%20change%20the%20default%20DNS%20entry%20in%20the%20vNET%20settings.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_18-1644399601213.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346575i8BA8BF8AD24EB7E8%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_18-1644399601213.png%22%20alt%3D%22RalfKlahr_18-1644399601213.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_19-1644399601216.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346574iD56A3B296505C510%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_19-1644399601216.png%22%20alt%3D%22RalfKlahr_19-1644399601216.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_20-1644399601219.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346576iB5507288CC984FAF%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_20-1644399601219.png%22%20alt%3D%22RalfKlahr_20-1644399601219.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EIf%20you%20do%20not%20sync%20all%20users%20only%20the%20Domain%20Admins%20will%20be%20synchronized%20from%20the%20Azure%20AD%20to%20the%20Azure%20AD%20DS.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20synchronization%20will%20take%20some%20time.%3C%2FP%3E%0A%3CP%3EAfter%20the%20synchronization%20is%20done%20you%20must%20see%20al%20users%20in%20the%20Administrative%20User%20tool.%20Be%20aware%20that%20you%20cannot%20change%20or%20add%20users%20in%20this%20tool%20(the%20Azure%20AD%20DS%20is%20read%20only%20from%20this%20point)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_0-1644400909383.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346617i08B6EFEF4C3287A7%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_0-1644400909383.png%22%20alt%3D%22RalfKlahr_0-1644400909383.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EBe%20aware%20that%20if%20you%20only%20have%20the%20Azure%20AD%20DS%20Service%20as%20your%20Domain%20Controller%20and%20AD%20you%20must%20reset%20the%20passwords%20if%20you%20like%20to%20authenticate%20towards%20the%20Azure%20AD%20DS%20service.%3C%2FP%3E%0A%3CP%3EPasswords%20are%20not%20synced%20from%20the%20Azure%20AD.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_1-1644400967930.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346618i7F7BFFCC774EC93C%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_1-1644400967930.png%22%20alt%3D%22RalfKlahr_1-1644400967930.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThen%20log-off%20from%20the%20Azure%20portal%20and%20re-logon%20to%20the%20Azure%20portal.%20You%20now%20need%20to%20change%20the%20password.%20Now%20the%20password%20hash%20is%20also%20in%20the%20Azure%20AD%20DS.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERun%20ipconfig%20%2Frenew%20after%20the%20reboot%20of%20the%20VM%20to%20switch%20from%20the%20Azure%20default%20DNS%20to%20the%20new%20created%20Azure%20AD%20DS%3C%2FP%3E%0A%3CP%3EBefore%3A%3C%2FP%3E%0A%3CPRE%3Eipconfig%20%2Fall%3CBR%20%2F%3E%E2%80%A6%3CBR%20%2F%3E%26nbsp%3B%20DNS-Server%20.%20.%20.%20.%20.%20.%20.%20.%20.%20.%20.%20%3A%20168.63.129.16%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAfter..%3C%2FP%3E%0A%3CPRE%3Eipconfig%20%2Frenew%3CBR%20%2F%3Eipconfig%20%2Fall%3CBR%20%2F%3E%E2%80%A6%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%20DNS-Server%26nbsp%3B%20.%20.%20.%20.%20.%20.%20.%20.%20.%20.%20.%20%3A%2010.4.2.4%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENow%20you%20can%20join%20the%20domain%E2%80%A6.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EEnable%20synchronization%20of%20password%20hashes%20from%20on-prem%20AD%20(if%20required)%3C%2FP%3E%0A%3CP%3EIf%20you%20select%20the%20Azure%20AD%20DS%20resource%20you%20see%20this%20picture%20on%20the%20right%20side.%20Click%20now%20Instructions%20for%20synced%20user%20accounts%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory-domain-services%2Ftutorial-configure-password-hash-sync%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EEnable%20password%20hash%20sync%20for%20Azure%20AD%20Domain%20Services%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-595015322%22%20id%3D%22toc-hId--862453970%22%3ECheck%20the%20AD%20settings%20from%20the%20JumpBox%3C%2FH2%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_23-1644399601263.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346579iB5DDD632FEE7D819%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_23-1644399601263.png%22%20alt%3D%22RalfKlahr_23-1644399601263.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EInstall%20the%20required%20DNS%20Tolls%20if%20you%20would%20like%20to%20manage%20the%20DNS%20as%20well.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_24-1644399601279.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346581i47C28BFD73491583%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_24-1644399601279.png%22%20alt%3D%22RalfKlahr_24-1644399601279.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EWhen%20starting%20the%20DNS%20Editor%20you%20only%20need%20to%20specify%20the%20domain%20name.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_25-1644399601283.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346580i6521CC4148A1D444%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_25-1644399601283.png%22%20alt%3D%22RalfKlahr_25-1644399601283.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20like%20to%20add%20the%20Linux%20host%20in%20the%20domain%20simply%20specify%20the%20client%20here%20as%20new%20host.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_26-1644399601296.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346582iC49039AFC1F3BF8B%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_26-1644399601296.png%22%20alt%3D%22RalfKlahr_26-1644399601296.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EYou%20need%20to%20restart%20the%20nscd%20daemon%20on%20the%20client%20that%20the%20clint%20can%20ping%20the%20new%20defined%20entry.%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Eping%20ralfwest02.sapcontoso.com%3CBR%20%2F%3E%3C%2FSTRONG%3Eping%3A%20ralfwest02.sapcontoso.com%3A%20Name%20or%20service%20not%20known%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Esystemctl%20restart%20nscd%3C%2FSTRONG%3E%3C%2FPRE%3E%0A%3CPRE%3E%3CSTRONG%3Eping%20ralfwest02.sapcontoso.com%3CBR%20%2F%3E%3C%2FSTRONG%3E64%20bytes%20from%20ralfwest02.internal.cloudapp.net%20(10.4.0.5)%3A%20icmp_seq%3D1%20ttl%3D64%20time%3D0.020%20ms%3CBR%20%2F%3E64%20bytes%20from%20ralfwest02.internal.cloudapp.net%20(10.4.0.5)%3A%20icmp_seq%3D2%20ttl%3D64%20time%3D0.044%20ms%3C%2FPRE%3E%0A%3CP%3ETo%20understand%20the%20LDAP%20structure%2C%20it%20is%20important%20to%20start%20the%20ADSI%20Edit%20to%20view%20an%20understand%3CBR%20%2F%3Ehow%20the%20LDAP%20structure%20from%20the%20Azure%20AD%20DS%20looks%20like.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_2-1644401554219.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346623i63535C836D7F52A9%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_2-1644401554219.png%22%20alt%3D%22RalfKlahr_2-1644401554219.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EFor%20the%20ANF%20SMB%20and%20Kerberos%20configuration%20the%20AADDS%20structure%20must%20be%20used.%3C%2FP%3E%0A%3CP%3EThis%20is%20the%20OU%20which%20must%20be%20configured%20in%20ANF%20for%20the%20AD%20join.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_28-1644399601309.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346584iD127492198BA783D%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_28-1644399601309.png%22%20alt%3D%22RalfKlahr_28-1644399601309.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EThe%20hostname%20of%20the%20DNS%20Server%20for%20the%20ANF%20AD%20join%20can%20also%20be%20retrieved%20from%20the%20MMC%3C%2FP%3E%0A%3CP%3EStart%20MMC%20on%20the%20JumpBox%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_3-1644401644121.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346624i5ED8860C25D82A22%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_3-1644401644121.png%22%20alt%3D%22RalfKlahr_3-1644401644121.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3ENote%20the%20DNS%20hostname%20for%20the%20Kerberos%20Realm%20ANF%20config.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1212439141%22%20id%3D%22toc-hId-1625058863%22%3EAzure%20AD%20DS%20User%20workaround%3C%2FH2%3E%0A%3CP%3EBecause%20you%20cannot%20modify%20the%20G-id%20and%20U-id%20under%20OU%3DAADDS%20Users%20you%20need%20to%20create%20a%20new%20OU%20for%20the%20SAP%20LDAP%20users.%3C%2FP%3E%0A%3CP%3EFirst%20create%20a%20new%20OU%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_30-1644399601319.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346587i3E1FB27C18FC733A%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_30-1644399601319.png%22%20alt%3D%22RalfKlahr_30-1644399601319.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3ESpecify%20the%20name%20for%20the%20OU%20%E2%80%A6%20can%20be%20anything%2C%20here%20I%20used%20SAP%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_5-1644401762616.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346647i9D2340148D810052%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_5-1644401762616.png%22%20alt%3D%22RalfKlahr_5-1644401762616.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EOpen%20the%20properties%20by%20right%20click%20on%20the%20SAP%20OU.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_6-1644401762642.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346627i1275C035ED821560%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_6-1644401762642.png%22%20alt%3D%22RalfKlahr_6-1644401762642.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3ENote%20down%20the%20full%20OU.%20This%20is%20required%20for%20the%20ANF%20AD%20connection.%3C%2FP%3E%0A%3CP%3EHere%3A%20%3CSTRONG%3EOU%3DSAP%2CDC%3Dsapcontoso%2CDC%3Dcom%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--521877667%22%20id%3D%22toc-hId--53312881%22%3ELDAP%20User%20creation%3C%2FH3%3E%0A%3CP%3ESelect%20the%20new%20OU%20(Organizational%20Unit)%20by%20a%20single%20click%20and%20use%20the%20add%20user%20button.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_7-1644401762642.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346628iA237013AE123AD13%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_7-1644401762642.png%22%20alt%3D%22RalfKlahr_7-1644401762642.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3ESpecify%20the%20SIDadm%20user.%20Here%20%3CSTRONG%3Eanaadm%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_8-1644401762646.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346629i219BD3A377758907%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_8-1644401762646.png%22%20alt%3D%22RalfKlahr_8-1644401762646.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESpecify%20the%20password%20for%20the%20user%20and%20click%20Next%20then%20finish.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_9-1644401762649.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346630i10E12F3A7377D704%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_9-1644401762649.png%22%20alt%3D%22RalfKlahr_9-1644401762649.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDoubleClick%20the%20just%20created%20user%20and%20go%20to%20Attribute%20Editor.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_10-1644401762662.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346633i48C4C6ECBB13CF15%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_10-1644401762662.png%22%20alt%3D%22RalfKlahr_10-1644401762662.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EChange%20the%20uid%2C%20uidNumber%20and%20the%20gid%20to%20the%20values%20from%20the%20Linux%20user.%3C%2FP%3E%0A%3CP%3EHere%3C%2FP%3E%0A%3CPRE%3E%20%26nbsp%3B%26nbsp%3B%26nbsp%3B%20uid%20%3D%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3Banaadm%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20uidNumber%3D%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%201001%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20gidNumber%3D%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%2079%3C%2FPRE%3E%0A%3CP%3EDoubleClick%20the%20just%20created%20user%20and%20go%20to%20Attribute%20Editor.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_11-1644401762668.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346631iCD1CD7298A8F46A0%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_11-1644401762668.png%22%20alt%3D%22RalfKlahr_11-1644401762668.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EThen%20create%20the%20Group%20sapsys%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_12-1644401762672.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346632i6AE0C70519084EC9%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_12-1644401762672.png%22%20alt%3D%22RalfKlahr_12-1644401762672.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOpen%20again%20the%20Attribute%20Editor%20and%20change%20the%20gidNumber%20to%2079%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_13-1644401762681.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346634i4DF250F5C0345795%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_13-1644401762681.png%22%20alt%3D%22RalfKlahr_13-1644401762681.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENow%20we%20have%20created%20the%20SIDadm%20user%20and%20the%20sapsys%20group.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_31-1644402631014.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346653i62E3EBD96C8921E0%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_31-1644402631014.png%22%20alt%3D%22RalfKlahr_31-1644402631014.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1141388968%22%20id%3D%22toc-hId--1989850063%22%3ENow%20create%20the%20NFS%20Volume%20with%20enabled%20Kerberos%3C%2FH2%3E%0A%3CP%3EBefore%20you%20create%20a%20volume%20for%20SAP%20workloads%20you%20must%20enable%20the%20UNIX%20permission%20feature%20of%20ANF%3C%2FP%3E%0A%3CP%3EThose%20features%20are%20public%20preview%20at%20the%20moment.%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-netapp-files%2Fconfigure-unix-permissions-change-ownership-mode%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EConfigure%20Unix%20permissions%20and%20change%20ownership%20mode%20for%20Azure%20NetApp%20Files%20NFS%20and%20dual-protocol%20volumes%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-netapp-files%2Fazure-netapp-files-create-volumes%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ECreate%20an%20NFS%20volume%20for%20Azure%20NetApp%20Files%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%0A%3CPRE%3E%3CSPAN%3Eaz%20feature%20register%20--namespace%20Microsoft.NetApp%20--name%20ANFUnixPermissions%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%3Eaz%20feature%20register%20--namespace%20Microsoft.NetApp%20--name%20ANFChownMode%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%3Eaz%20feature%20register%20--namespace%20Microsoft.NetApp%20--name%20ANFLdapExtendedGroups%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%3Eaz%20feature%20list%20--namespace%20Microsoft.NetApp%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CP%3Ethe%20activation%20can%20take%20up%20to%2060%20minutes...%3C%2FP%3E%0A%3CP%3EAfter%20the%20feature%20registration%20there%20is%20a%20new%20field%20in%20the%20volume%20creation%20workflow%20under%20protocol.%20After%20the%20volume%20is%20created%20you%20can%20change%20the%20volume%20access%20from%20restricted%20to%20unrestricted.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--666065495%22%20id%3D%22toc-hId-497662770%22%3EJoin%20ANF%20to%20the%20Domain%3C%2FH2%3E%0A%3CP%3EAfter%20we%20created%20the%20Azure%20AD%20DS%20we%20join%20the%20NetApp%20Account%20to%20this%20AD%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_15-1644401762700.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346635i166CA54472D7BB02%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_15-1644401762700.png%22%20alt%3D%22RalfKlahr_15-1644401762700.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EClick%20join%3C%2FP%3E%0A%3CP%3EConfigure%20the%20AD%20settings%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_16-1644401762704.png%22%20style%3D%22width%3A%20231px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346638iE9D3FEBA9DD0B4F6%2Fimage-dimensions%2F231x574%3Fv%3Dv2%22%20width%3D%22231%22%20height%3D%22574%22%20role%3D%22button%22%20title%3D%22RalfKlahr_16-1644401762704.png%22%20alt%3D%22RalfKlahr_16-1644401762704.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_17-1644401762705.png%22%20style%3D%22width%3A%20291px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346637i730AEB9CE5E204A5%2Fimage-dimensions%2F291x325%3Fv%3Dv2%22%20width%3D%22291%22%20height%3D%22325%22%20role%3D%22button%22%20title%3D%22RalfKlahr_17-1644401762705.png%22%20alt%3D%22RalfKlahr_17-1644401762705.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20a%20result%2C%20you%20will%20see%20the%20config%20in%20the%20portal%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_18-1644401762709.png%22%20style%3D%22width%3A%20656px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346639iCA6E113CB6ABB261%2Fimage-dimensions%2F656x141%3Fv%3Dv2%22%20width%3D%22656%22%20height%3D%22141%22%20role%3D%22button%22%20title%3D%22RalfKlahr_18-1644401762709.png%22%20alt%3D%22RalfKlahr_18-1644401762709.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3Ego%20to%20your%20ANF%20account%20and%20create%20a%20new%20Volume%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_19-1644401762712.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346641i418331E5535CA992%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_19-1644401762712.png%22%20alt%3D%22RalfKlahr_19-1644401762712.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3CSPAN%3ESelect%20the%20Kerberos%20Protokoll%20which%20suits%20your%20requironments.%20If%20you%20select%20all%2C%20all%20kerberos%20modies%20will%20be%20possible.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_32-1644403591791.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346657iDDFB700CB1D5D512%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_32-1644403591791.png%22%20alt%3D%22RalfKlahr_32-1644403591791.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EKerberos%205p%20is%20not%20supported%3C%2FSTRONG%3E%20because%20of%20performance%20and%20functional%20reasons.%3C%2FP%3E%0A%3CP%3ENow%20we%20create%20the%20data%20volume%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAfter%20the%20volume%20is%20created%20you%20find%20additional%20entries%20in%20the%20LDAP%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_22-1644401762719.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346643i4A366D2E94907270%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_22-1644401762719.png%22%20alt%3D%22RalfKlahr_22-1644401762719.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1821447338%22%20id%3D%22toc-hId--1309791693%22%3EConfigure%20Active%20Directory%20connection%3C%2FH2%3E%0A%3CP%3EAlso%20see%20this%20documentation%3A%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-netapp-files%2Fconfigure-kerberos-encryption%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EConfigure%20NFSv4.1%20Kerberos%20encryption%20for%20Azure%20NetApp%20Files%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%0A%3CP%3EConfiguration%20of%20NFSv4.1%20Kerberos%20creates%20two%20computer%20accounts%20in%20Active%20Directory%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3Ecomputer%20account%20for%20SMB%20shares%3C%2FLI%3E%0A%3CLI%3EA%20computer%20account%20for%20NFSv4.1--You%20can%20identify%20this%20account%20by%20way%20of%20the%20prefix%20NFS-.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EAfter%20creating%20the%20first%20NFSv4.1%20Kerberos%20volume%2C%20set%20the%20encryption%20type%20for%20the%20computer%20account%20by%20using%20the%20following%20PowerShell%20command%3A%3C%2FP%3E%0A%3CPRE%3ESet-ADComputer%20%24NFSCOMPUTERACCOUNT%20-KerberosEncryptionType%20AES256%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20find%20the%20correct%20command%20line%20in%20the%20Portal%20under%20Mount%20Instructions%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_23-1644401762725.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346644i4A1A262C7F882826%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_23-1644401762725.png%22%20alt%3D%22RalfKlahr_23-1644401762725.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3ESet-ADComputer%20NFS-ANFSMB-8859%20-KerberosEncryptionType%20AES256%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_24-1644401762726.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346645iDE90E41225F10215%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22RalfKlahr_24-1644401762726.png%22%20alt%3D%22RalfKlahr_24-1644401762726.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EThe%20AD%20is%20now%20configured.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20like%20to%20add%20an%20Azure%20AD%20user%20as%20Windows%20Logon%20User%20you%20must%20add%20the%20user%20as%20Desktop%20User%3C%2FP%3E%0A%3CPRE%3EPS%20C%3A%5CWindows%5Csystem32%26gt%3B%20%3CSTRONG%3Enet%20localgroup%20%22Remote%20Desktop%20Users%22%20%2Fadd%20%22anaadm%40sapcontoso.com%22%3C%2FSTRONG%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditorRalfKlahr_28%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESet-ADComputer%20NFS-ANFSMB-8859%20-KerberosEncryptionType%20AES256%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditorRalfKlahr_29%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20AD%20is%20now%20configured.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20like%20to%20add%20an%20Azure%20AD%20user%20as%20Windows%20Logon%20User%20you%20must%20add%20the%20user%20as%20Desktop%20User%3C%2FP%3E%0A%3CP%3EPS%20C%3A%5CWindows%5Csystem32%26gt%3B%20%3CSTRONG%3Enet%20localgroup%20%22Remote%20Desktop%20Users%22%20%2Fadd%20%22anaadm%40sapcontoso.com%22%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH1%20id%3D%22toc-hId--115089844%22%20id%3D%22toc-hId-1048638421%22%3EConfiguration%20of%20the%20client%20SLES15SP2%3C%2FH1%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-netapp-files%2Fconfigure-nfs-clients%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EConfigure%20an%20NFS%20client%20for%20Azure%20NetApp%20Files%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EInstall%20the%20required%20SUSE%20packages%20for%20Kerberos%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Ezypper%20in%20krb5%20krb5-client%20realmd%20samba-common%20chrony%20nfs-utils%20sssd-ad%20sssd-ipa%20sssd-krb5%20sssd-ldap%20sssd-proxy%20realmd-lang%3C%2FSTRONG%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FPRE%3E%0A%3CPRE%3E%3CSTRONG%3Ezypper%20in%20sssd-tools%20sssd%20adcli%3C%2FSTRONG%3E%3C%2FPRE%3E%0A%3CP%3Econfigure%20the%20chrony%20(NTP)%20service%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Enslookup%200.pool.ntp.org%3CBR%20%2F%3E%3C%2FSTRONG%3EServer%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%2010.4.2.4%3CBR%20%2F%3EAddress%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%2010.4.2.4%2353%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Evi%20%2Fetc%2Fchrony.conf%3C%2FSTRONG%3E%3C%2FPRE%3E%0A%3CPRE%3Eserver%200.pool.ntp.org%20iburst%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EStart%20the%20chrony%20service%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Esystemctl%20enable%20chronyd.service%3C%2FSTRONG%3E%3C%2FPRE%3E%0A%3CPRE%3E%3CSTRONG%3Esystemctl%20start%20chronyd.service%3C%2FSTRONG%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Echeck%20the%20chrony%20status%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Echronyc%20sources%20-v%3C%2FSTRONG%3E%3C%2FPRE%3E%0A%3CPRE%3E210%20Number%20of%20sources%20%3D%205%3CBR%20%2F%3E%E2%80%A6%3CBR%20%2F%3EMS%20Name%2FIP%20address%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Stratum%20Poll%20Reach%20LastRx%20Last%20sample%3CBR%20%2F%3E%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3CBR%20%2F%3E%23*%20PHC0%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200%26nbsp%3B%26nbsp%3B%203%26nbsp%3B%26nbsp%3B%20377%26nbsp%3B%26nbsp%3B%26nbsp%3B%2011%26nbsp%3B%26nbsp%3B%26nbsp%3B%20-15us%5B%26nbsp%3B%20-86us%5D%20%2B%2F-%202724ns%3CBR%20%2F%3E%5E-%20lithium.constant.com%26nbsp%3B%26nbsp%3B%26nbsp%3B%202%26nbsp%3B%26nbsp%3B%209%26nbsp%3B%26nbsp%3B%20377%26nbsp%3B%26nbsp%3B%20249%26nbsp%3B%20%2B2054us%5B%2B1878us%5D%20%2B%2F-%26nbsp%3B%26nbsp%3B%2070ms%3CBR%20%2F%3E%5E-%20149.20.176.27%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%204%26nbsp%3B%2010%26nbsp%3B%26nbsp%3B%20377%26nbsp%3B%26nbsp%3B%20899%26nbsp%3B%26nbsp%3B%26nbsp%3B%20-13ms%5B%26nbsp%3B%20-13ms%5D%20%2B%2F-%26nbsp%3B%20880ms%3CBR%20%2F%3E%5E-%2038.229.54.9%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%202%26nbsp%3B%26nbsp%3B%208%26nbsp%3B%26nbsp%3B%20377%26nbsp%3B%26nbsp%3B%20108%26nbsp%3B%26nbsp%3B%20%2B743us%5B%20%2B456us%5D%20%2B%2F-%26nbsp%3B%20164ms%3CBR%20%2F%3E%5E-%2050-205-244-109-static.hf%26gt%3B%26nbsp%3B%26nbsp%3B%209%26nbsp%3B%26nbsp%3B%20377%26nbsp%3B%26nbsp%3B%20501%26nbsp%3B%20-2665us%5B-2603us%5D%20%2B%2F-%26nbsp%3B%26nbsp%3B%2057ms%3C%2FPRE%3E%0A%3CH2%20id%3D%22toc-hId--1793461588%22%20id%3D%22toc-hId--629733323%22%3ESearch%20Domain%3C%2FH2%3E%0A%3CP%3EIf%20you%20like%20to%20add%20your%20own%20search%20domain%20in%20the%20%2Fetc%2Fresolv.conf%20you%20have%20to%20change%20the%20network%20config.%20Manual%20changes%20in%20%2Fetc%2Fresolv.conf%20will%20be%20overwritten%20from%20the%20wicked%20daemon%20after%20some%20time.%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Ecd%20%2Fetc%2Fsysconfig%2Fnetwork%20%3C%2FSTRONG%3E%3C%2FPRE%3E%0A%3CPRE%3E%3CSTRONG%3Evi%20config%3C%2FSTRONG%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Eadd%20the%20search%20domains%20here%3A%3C%2FP%3E%0A%3CPRE%3E%23%23%20Type%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20string%3CBR%20%2F%3E%23%23%20Default%3A%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%22%22%3CBR%20%2F%3E%23%3CBR%20%2F%3E%23%20List%20of%20DNS%20domain%20names%20used%20for%20host-name%20lookup.%3CBR%20%2F%3E%23%20It%20is%20written%20as%20search%20list%20into%20the%20%2Fetc%2Fresolv.conf%20file.%3CBR%20%2F%3E%23%3CBR%20%2F%3ENETCONFIG_DNS_STATIC_SEARCHLIST%3D%22reddog.microsoft.com%20%3CSTRONG%3Esapcontoso.com%3C%2FSTRONG%3E%22%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERestart%20the%20network%20service%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Enetconfig%20update%3C%2FSTRONG%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Enow%20the%20change%20is%20persistent%20in%20the%20%2Fetc%2Fresolv.conf%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Ecat%20%2Fetc%2Fresolv.conf%3CBR%20%2F%3E%3C%2FSTRONG%3E%23%23%23%20%2Fetc%2Fresolv.conf%20is%20a%20symlink%20to%20%2Fvar%2Frun%2Fnetconfig%2Fresolv.conf%3CBR%20%2F%3E%23%23%23%20autogenerated%20by%20netconfig!%3CBR%20%2F%3E%23%3CBR%20%2F%3E%23%3CBR%20%2F%3E%23%20See%20also%20the%20netconfig(8)%20manual%20page%20and%20other%20documentation.%3CBR%20%2F%3E%23%3CBR%20%2F%3E%23%23%23%20Call%20%22netconfig%20update%20-f%22%20to%20force%20adjusting%20of%20%2Fetc%2Fresolv.conf.%3CBR%20%2F%3E%3CSTRONG%3Esearch%20reddog.microsoft.com%20sapcontoso.com%3CBR%20%2F%3E%3C%2FSTRONG%3Enameserver%2010.4.2.4%3CBR%20%2F%3Enameserver%2010.4.2.5%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-694051245%22%20id%3D%22toc-hId-1857779510%22%3EJoin%20the%20Active%20Directory%20domain%3C%2FH2%3E%0A%3CP%3ETo%20join%20the%20AD%20Domain%2C%20issue%20the%20command%20(as%20root)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Eexample%3A%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Erealm%20join%20SAPCONTOSO.COM%20-U%20ralf.klahr%20--computer-ou%3D%22OU%3DAADDC%20Computers%22%3CBR%20%2F%3E%3C%2FSTRONG%3EPassword%20for%20ralf.klahr%3A*********%3CBR%20%2F%3Eralfwestvm01%3A~%20%23%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20validate%20the%20success%2C%20you%20can%20check%20again%20the%20AD%20and%20the%20realm%20list%20command%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Erealm%20list%3CBR%20%2F%3E%3C%2FSTRONG%3Esapcontoso.com%3CBR%20%2F%3E%26nbsp%3B%20type%3A%20kerberos%3CBR%20%2F%3E%26nbsp%3B%20realm-name%3A%20SAPCONTOSO.COM%3CBR%20%2F%3E%26nbsp%3B%20domain-name%3A%20sapcontoso.com%3CBR%20%2F%3E%26nbsp%3B%20configured%3A%20kerberos-member%3CBR%20%2F%3E%26nbsp%3B%20server-software%3A%20active-directory%3CBR%20%2F%3E%26nbsp%3B%20client-software%3A%20sssd%3CBR%20%2F%3E%26nbsp%3B%20required-package%3A%20sssd-tools%3CBR%20%2F%3E%26nbsp%3B%20required-package%3A%20sssd%3CBR%20%2F%3E%26nbsp%3B%20required-package%3A%20adcli%3CBR%20%2F%3E%26nbsp%3B%20required-package%3A%20samba-client%3CBR%20%2F%3E%26nbsp%3B%20login-formats%3A%20%3CA%20href%3D%22mailto%3A%25U%40sapcontoso.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%25U%40sapcontoso.com%3C%2FA%3E%3CBR%20%2F%3E%26nbsp%3B%20login-policy%3A%20allow-realm-logins%3C%2FPRE%3E%0A%3CDIV%20id%3D%22tinyMceEditorRalfKlahr_30%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3EThe%20client%20is%20now%20also%20visible%20in%20the%20AD%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22RalfKlahr_33-1644407068420.png%22%20style%3D%22width%3A%20611px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F346678i0092BA411C3CA371%2Fimage-dimensions%2F611x86%3Fv%3Dv2%22%20width%3D%22611%22%20height%3D%2286%22%20role%3D%22button%22%20title%3D%22RalfKlahr_33-1644407068420.png%22%20alt%3D%22RalfKlahr_33-1644407068420.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EEnsure%20that%20default_realm%20is%20set%20to%20the%20provided%20realm%20in%20%2Fetc%2Fkrb5.conf.%20If%20not%2C%20add%20it%20under%20the%20%5Blibdefaults%5D%20section%20in%20the%20file%20as%20shown%20in%20the%20following%20example%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBackup%20the%20existing%20default%20Kerberos%20config%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Ecp%20%2Fetc%2Fkrb5.conf%20%2Fetc%2Fkrb5.back%3C%2FSTRONG%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20an%20example%3A%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Evi%20%2Fetc%2Fkrb5.conf%3C%2FSTRONG%3E%3C%2FPRE%3E%0A%3CPRE%3Eincludedir%26nbsp%3B%20%2Fetc%2Fkrb5.conf.d%3CBR%20%2F%3E%5Blibdefaults%5D%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20default_realm%20%3D%20SAPCONTOSO.COM%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20default_tkt_enctypes%20%3D%20aes256-cts-hmac-sha1-96%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20default_tgs_enctypes%20%3D%20aes256-cts-hmac-sha1-96%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20permitted_enctypes%20%3D%20aes256-cts-hmac-sha1-96%3CBR%20%2F%3E%5Brealms%5D%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20SAPCONTOSO.COM%20%3D%20%7B%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20kdc%20%3D%20ALX5KJKDVH49M91.sapcontoso.com%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20admin_server%20%3D%20ALX5KJKDVH49M91.sapcontoso.com%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20master_kdc%20%3D%20ALX5KJKDVH49M91.sapcontoso.com%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20default_domain%20%3D%20SAPCONTOSO.COM%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%7D%3CBR%20%2F%3E%5Bdomain_realm%5D%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20.sapcontoso.com%20%3D%20SAPCONTOSO.COM%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20sapcontoso.com%20%3D%20SAPCONTOSO.COM%3CBR%20%2F%3E%5Blogging%5D%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20kdc%20%3D%20SYSLOG%3AINFO%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20admin_server%20%3D%20FILE%3D%2Fvar%2Fkadm5.log%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FPRE%3E%0A%3CP%3E%3CBR%20%2F%3ERun%20the%20kinit%20command%20with%20the%20user%20account%20to%20get%20tickets%3A%3C%2FP%3E%0A%3CP%3EFor%20example%3A%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Ekinit%20%3CA%20href%3D%22mailto%3Aralf.klahr%40SAPCONTOSO.COM%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Eralf.klahr%40SAPCONTOSO.COM%3C%2FA%3E%3CBR%20%2F%3E%3C%2FSTRONG%3EPassword%20for%20%3CA%20href%3D%22mailto%3Aralf.klahr%40SAPCONTOSO.COM%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Eralf.klahr%40SAPCONTOSO.COM%3C%2FA%3E%3A%20*********%3C%2FPRE%3E%0A%3CP%3EOr%20for%20the%20SISadm...%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Ekinit%20anaadm%40SAPCONTOSO.COM%3C%2FSTRONG%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERestart%20all%20NFS%20services%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Esystemctl%20restart%20nfs-*%3C%2FSTRONG%3E%3C%2FPRE%3E%0A%3CPRE%3E%3CSTRONG%3Esystemctl%20restart%20rpc-gssd.service%3C%2FSTRONG%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EChange%20the%20idmapd%20config%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Evi%20%2Fetc%2Fidmapd.conf%20%3CBR%20%2F%3E%3C%2FSTRONG%3E%5BGeneral%5D%3CBR%20%2F%3EVerbosity%20%3D%200%3CBR%20%2F%3EPipefs-Directory%20%3D%20%2Fvar%2Flib%2Fnfs%2Frpc_pipefs%3CBR%20%2F%3EDomain%20%3D%20%3CSTRONG%3Edefaultv4iddomain.com%3CBR%20%2F%3E%3C%2FSTRONG%3E%5BMapping%5D%3CBR%20%2F%3ENobody-User%20%3D%20nobody%3CBR%20%2F%3ENobody-Group%20%3D%20nobody%3C%2FPRE%3E%0A%3CP%3EFinally%20try%20to%20mount%20the%20Volume%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Emount%20-t%20nfs%20-o%20sec%3Dkrb5i%2Crw%2Chard%2Crsize%3D262144%2Cwsize%3D262144%2Cvers%3D4.1%2Ctcp%20anfsmb-8859.sapcontoso.com%3A%2Fralfaddata01%20%2Fmnt%3C%2FSTRONG%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Edf%20-h%3CBR%20%2F%3E%3C%2FSTRONG%3EFilesystem%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Size%26nbsp%3B%20Used%20Avail%20Use%25%20Mounted%20on%3CBR%20%2F%3E...%3CBR%20%2F%3E..%3CBR%20%2F%3Eanfsmb-8859.sapcontoso.com%3A%2Fralfaddata01%26nbsp%3B%20100G%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200%26nbsp%3B%20100G%26nbsp%3B%26nbsp%3B%200%25%20%2Fmnt%3C%2FPRE%3E%0A%3CPRE%3E%3CSTRONG%3Emount%3CBR%20%2F%3E%3C%2FSTRONG%3Eanfsmb-8859.sapcontoso.com%3A%2Fralfaddata01%20on%20%2Fmnt%20type%20nfs4%20(rw%2Crelatime%2Cvers%3D4.1%2Crsize%3D262144%2Cwsize%3D262144%2Cnamlen%3D255%2Chard%2Cproto%3Dtcp%2Ctimeo%3D600%2Cretrans%3D2%2C%3CSTRONG%3Esec%3Dkrb5i%3C%2FSTRONG%3E%2Cclientaddr%3D10.4.0.4%2Clocal_lock%3Dnone%2Caddr%3D10.4.1.4)%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Eif%20you%20plan%20to%20install%20HANA%20on%20a%20default%20SLES%20image%20you%20also%20need%20to%20install%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Ezypper%20in%20libatomic1%20insserv%20sapconf%20libltdl7%3C%2FSTRONG%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20the%20HCMT%20test%20I%20made%20sure%20that%20both%20volumes%20are%20on%20the%20same%20storage%20endpoint%3C%2FP%3E%0A%3CPRE%3Eralfwestvm01%3A~%20%23%20%3CSTRONG%3Eping%2010.4.1.4%3CBR%20%2F%3E%3C%2FSTRONG%3EPING%2010.4.1.4%20(10.4.1.4)%2056(84)%20bytes%20of%20data.%3CBR%20%2F%3E64%20bytes%20from%2010.4.1.4%3A%20icmp_seq%3D1%20ttl%3D63%20time%3D0.551%20ms%3CBR%20%2F%3E64%20bytes%20from%2010.4.1.4%3A%20icmp_seq%3D2%20ttl%3D63%20time%3D0.468%20ms%3CBR%20%2F%3E64%20bytes%20from%2010.4.1.4%3A%20icmp_seq%3D3%20ttl%3D63%20time%3D0.550%20ms%3CBR%20%2F%3E%3CBR%20%2F%3Eralfwestvm01%3A~%20%23%20%3CSTRONG%20style%3D%22font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20white-space%3A%20normal%3B%22%3Eping%20anfsmb-8859.sapcontoso.com%3CBR%20%2F%3E%3C%2FSTRONG%3EPING%20anfsmb-8859.sapcontoso.com%20(10.4.1.4)%2056(84)%20bytes%20of%20data.%3CBR%20%2F%3E64%20bytes%20from%2010.4.1.4%20(10.4.1.4)%3A%20icmp_seq%3D1%20ttl%3D63%20time%3D0.380%20ms%3CBR%20%2F%3E64%20bytes%20from%2010.4.1.4%20(10.4.1.4)%3A%20icmp_seq%3D2%20ttl%3D63%20time%3D0.483%20ms%3CBR%20%2F%3E64%20bytes%20from%2010.4.1.4%20(10.4.1.4)%3A%20icmp_seq%3D3%20ttl%3D63%20time%3D0.467%20ms%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EConfigure%20the%20%2Fetc%2Fhosts%20entries%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Evi%2Fetc%2Fhosts%20%3CBR%20%2F%3E%3C%2FSTRONG%3E%23%20IP-Address%26nbsp%3B%20Full-Qualified-Hostname%26nbsp%3B%20Short-Hostname%3CBR%20%2F%3E%23%3CBR%20%2F%3E127.0.0.1%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20localhost%3CBR%20%2F%3E10.4.0.5%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20ralfwest02.sapcontoso.com%20ralfwest02%3CBR%20%2F%3E10.4.1.4%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20anfsmb-72cb.sapcontoso.com%3CBR%20%2F%3E10.4.1.5%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20anfsmb-e16d.sapcontoso.com%3C%2FPRE%3E%0A%3CP%3EConfigure%20the%20%2Fetc%2Ffstab%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Evi%20%2Fetc%2Ffstab%3CBR%20%2F%3E%3C%2FSTRONG%3E%23%3CBR%20%2F%3E%23%20Kerberos%20Volume%3CBR%20%2F%3Eanfsmb-e16d.sapcontoso.com%3A%2Fralfaddata01%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%2Fhana%2Fdata%2FANA%2Fmnt00002%26nbsp%3B%20nfs%26nbsp%3B%26nbsp%3B%20sec%3Dkrb5i%2Crw%2Chard%2Crsize%3D262144%2Cwsize%3D262144%2Cvers%3D4.1%2Ctcp%26nbsp%3B%200%26nbsp%3B%200%3CBR%20%2F%3Eanfsmb-e16d.sapcontoso.com%3A%2Fralfadlog01%26nbsp%3B%26nbsp%3B%20%20%20%2Fhana%2Flog%2FANA%2Fmnt00002%26nbsp%3B%20%20nfs%26nbsp%3B%26nbsp%3B%20sec%3Dkrb5%2Crw%2Chard%2Crsize%3D262144%2Cwsize%3D262144%2Cvers%3D4.1%2Ctcp%26nbsp%3B%200%26nbsp%3B%200%3CBR%20%2F%3E%23%3CBR%20%2F%3E%23%20normal%20ANF%20Volume%3CBR%20%2F%3E10.4.1.4%3A%2Fralfdtata01%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%2Fhana%2Fdata%2FANA%2Fmnt00001%26nbsp%3B%20nfs%26nbsp%3B%26nbsp%3B%20rw%2Chard%2Crsize%3D262144%2Cwsize%3D262144%2Csec%3Dsys%2Cvers%3D4.1%2Ctcp%26nbsp%3B%200%26nbsp%3B%200%3CBR%20%2F%3E10.4.1.4%3A%2Fralflog01%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%20%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%2Fhana%2Flog%2FANA%2Fmnt00001%26nbsp%3B%20%20nfs%26nbsp%3B%26nbsp%3B%20rw%2Chard%2Crsize%3D262144%2Cwsize%3D262144%2Csec%3Dsys%2Cvers%3D4.1%2Ctcp%26nbsp%3B%200%26nbsp%3B%200%3CBR%20%2F%3E10.4.1.4%3A%2Fralfshared01%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%2Fhana%2Fshared%2FANA%26nbsp%3B%20%20%20%20%20%20%20%20nfs%26nbsp%3B%26nbsp%3B%20rw%2Chard%2Crsize%3D262144%2Cwsize%3D262144%2Csec%3Dsys%2Cvers%3D4.1%2Ctcp%26nbsp%3B%200%26nbsp%3B%200%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFirst%20we%20start%20HCMT%20the%20%E2%80%9Cnormal%20NFSv4.1%20non%20Kerberos%20Volume%3A%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Edf%20-h%3CBR%20%2F%3E%3C%2FSTRONG%3EFilesystem%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20Size%26nbsp%3B%20Used%20Avail%20Use%25%20Mounted%20on%3CBR%20%2F%3E10.4.1.4%3A%2Fralfdtata01%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%2012T%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%200%26nbsp%3B%26nbsp%3B%2012T%26nbsp%3B%26nbsp%3B%200%25%20%3CSTRONG%3E%2Fhana%2Fdata%2FANA%2Fmnt00001%3CBR%20%2F%3E%3C%2FSTRONG%3Eanfsmb-8859.sapcontoso.com%3A%2Fralfaddata01%26nbsp%3B%20100G%26nbsp%3B%26nbsp%3B%26nbsp%3B%200%26nbsp%3B%20100G%26nbsp%3B%26nbsp%3B%200%25%20%3CSTRONG%20style%3D%22white-space%3A%20normal%3B%22%3E%2Fhana%2Fdata%2FANA%2Fmnt00002%3C%2FSTRONG%3E%3CSTRONG%3E%3CBR%20%2F%3E%3C%2FSTRONG%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EStart%20of%20HCMT%20in%20an%20%E2%80%9Cscreen%E2%80%9D%20to%20avoid%20any%20connection%20issues%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Escreen%3CBR%20%2F%3E%3C%2FSTRONG%3E%3CSTRONG%20style%3D%22white-space%3A%20normal%3B%22%3Ecd%20%2Fhana%2Fshared%2FHCMT%3CBR%20%2F%3E%3C%2FSTRONG%3Eralfwestvm01%3A%2Fhana%2Fshared%2FHCMT%20%23%20%3CSTRONG%3E.%2Fhcmt%20-v%20-p%20config%2Fstorage.json%3C%2FSTRONG%3E%3C%2FPRE%3E%0A%3CP%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3EPress%20CTRL%2BA%20and%20D%20to%20leave%20the%20screen%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20test%20was%20done%20on%20native%2C%20Krb5%20and%20krb5i.%3C%2FP%3E%0A%3CP%3EThe%20HCMT%20with%20krb5p%20never%20was%20successful.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20the%20HANASpeed%20tests%20I%20copied%20the%20data%20and%20log%20area%20over%20from%20the%20native%20to%20the%20Kerberos%20volumes.%3C%2FP%3E%0A%3CPRE%3E%3CSTRONG%3Esu%20%E2%80%93%20anaadm%3CBR%20%2F%3E%3C%2FSTRONG%3Eanaadm%40ralfwest02%3A%2Fusr%2Fsap%2FANA%2FHDB00%26gt%3B%20%3CSTRONG%3Ekinit%20%3CA%20href%3D%22mailto%3Aanaadm%40SAPCONTOSO.COM%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Eanaadm%40SAPCONTOSO.COM%3C%2FA%3E%3CBR%20%2F%3E%3C%2FSTRONG%3EPassword%20for%20%3CA%20href%3D%22mailto%3Aanaadm%40SAPCONTOSO.COM%3A*****%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Eanaadm%40SAPCONTOSO.COM%3A%3CSTRONG%3E*****%3C%2FSTRONG%3E%3C%2FA%3E%3CBR%20%2F%3Eanaadm%40ralfwest02%3A%2Fusr%2Fsap%2FANA%2FHDB00%26gt%3B%20%3CSTRONG%3Ecp%20-r%20%2Fhana%2Fdata%2FANA%2Fmnt00001%2F*%20%2Fhana%2Fdata%2FANA%2Fmnt00002%2F%3CBR%20%2F%3E%3C%2FSTRONG%3Eanaadm%40ralfwest02%3A%2Fusr%2Fsap%2FANA%2FHDB00%26gt%3B%3CSTRONG%3E%20cp%20-r%20%2Fhana%2Flog%2FANA%2Fmnt00001%2F*%20%2Fhana%2Flog%2FANA%2Fmnt00002%2F%3C%2FSTRONG%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Ethen%20I%20remounted%20the%20Kerberos%20volumes%20under%20the%20mnt00001%20path%20and%20restarted%20HANA%20and%20the%20tests.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-3142010%22%20slang%3D%22en-US%22%3E%3CH1%20id%3D%22toc-hId-619404269%22%3EKerberos%20with%20ANF%20for%20SAP%20HANA%3C%2FH1%3E%0A%3CP%3EEncryption%20is%20a%20very%20big%20topic%20when%20it%20comes%20to%20data%20security%20especially%20in%20public%20clouds.%3C%2FP%3E%0A%3CP%3EAzure%20NetApp%20Files%20(ANF)%20supports%20DES%2C%20Kerberos%20AES%20128%2C%20and%20Kerberos%20AES%20256%20encryption%20types%20(from%20the%20least%20secure%20to%20the%20most%20secure).%20If%20you%20enable%20AES%20encryption%2C%20the%20user%20credentials%20used%20to%20join%20Active%20Directory%20must%20have%20the%20highest%20corresponding%20account%20option%20enabled%20that%20matches%20the%20capabilities%20enabled%20for%20your%20Active%20Directory.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-3142010%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EANF%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ehana%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ekerberos%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Enetapp%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Esap%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Co-Authors
Version history
Last update:
‎Feb 09 2022 07:35 PM
Updated by: