Troubleshoot volume errors for Azure NetApp Files

This article describes error messages and resolutions that can help you troubleshoot Azure NetApp Files volumes.

Errors for SMB and dual-protocol volumes

Error conditions and resolutions
The SMB or dual-protocol volume creation fails with the following error:
{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InternalServerError", "message":"Error when creating - Could not query DNS server. Verify that the network configuration is correct and that DNS servers are available."}]}
This error indicates that the DNS is not reachable.
Consider the following solutions:
  • Check that ADDS and the volume are deployed in the same region.
  • Check that ADDS and the volume use the same VNet. If they use different VNets, make sure that the VNets are peered with each other. See Guidelines for Azure NetApp Files network planning.
  • The DNS server might have network security groups (NSGs) applied that block the traffic. In this case, open the NSGs so that the DNS or AD server can be reached on the required ports. For port requirements, see Requirements for Active Directory connections.

The same solutions apply for Azure ADDS. Azure ADDS should be deployed in the same region. The VNet should be in the same region or peered with the VNet used by the volume.
The SMB or dual-protocol volume creation fails with the following error:
{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InternalServerError", "message":"Error when creating - Failed to create the Active Directory machine account \"SMBTESTAD-C1C8\". Reason: Kerberos Error: Invalid credentials were given Details: Error: Machine account creation procedure failed\n [ 563] Loaded the preliminary configuration.\n**[ 670] FAILURE: Could not authenticate as 'test@contoso.com':\n** Unknown user (KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN)\n. "}]}
  • Make sure that the username entered is correct.
  • Make sure that the user is part of the Administrator group that has the privilege to create machine accounts.
  • If you use Azure ADDS, make sure that the user is part of the Azure AD group Azure AD DC Administrators.
The SMB or dual-protocol volume creation fails with the following error:
{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InternalServerError", "message":"Error when creating - Failed to create the Active Directory machine account \"SMBTESTAD-A452\". Reason: Kerberos Error: Pre-authentication information was invalid Details: Error: Machine account creation procedure failed\n [ 567] Loaded the preliminary configuration.\n [ 671] Successfully connected to ip 10.x.x.x, port 88 using TCP\n**[ 1099] FAILURE: Could not authenticate as\n** 'user@contoso.com': CIFS server account password does\n** not match password stored in Active Directory\n** (KRB5KDC_ERR_PREAUTH_FAILED)\n. "}]}
Make sure that the password entered for joining the AD connection is correct.
The SMB or dual-protocol volume creation fails with the following error:
{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InternalServerError","message":"Error when creating - Failed to create the Active Directory machine account \"SMBTESTAD-D9A2\". Reason: SecD Error: ou not found Details: Error: Machine account creation procedure failed\n [ 561] Loaded the preliminary configuration.\n [ 665] Successfully connected to ip 10.x.x.x, port 88 using TCP\n [ 1039] Successfully connected to ip 10.x.x.x, port 389 using TCP\n**[ 1147] FAILURE: Specifed OU 'OU=AADDC Com' does not exist in\n** contoso.com\n. "}]}
Make sure that the OU path specified for joining the AD connection is correct. If you use Azure ADDS, make sure that the organizational unit path is OU=AADDC Computers.
The SMB or dual-protocol volume creation fails with the following error:
Failed to create the Active Directory machine account \"SMB-ANF-VOL. Reason: LDAP Error: Local error occurred Details: Error: Machine account creation procedure failed. [nnn] Loaded the preliminary configuration. [nnn] Successfully connected to ip 10.x.x.x, port 88 using TCP [nnn] Successfully connected to ip 10.x.x.x, port 389 using [nnn] Entry for host-address: 10.x.x.x not found in the current source: FILES. Ignoring and trying next available source [nnn] Source: DNS unavailable. Entry for host-address:10.x.x.x found in any of the available sources\n*[nnn] FAILURE: Unable to SASL bind to LDAP server using GSSAPI: local error [nnn] Additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot determine realm for numeric host address) [nnn] Unable to connect to LDAP (Active Directory) service on contoso.com (Error: Local error) [nnn] Unable to make a connection (LDAP (Active Directory):contosa.com, result: 7643.
The pointer (PTR) record of the AD host machine might be missing on the DNS server. You need to create a reverse lookup zone on the DNS server, and then add a PTR record of the AD host machine in that reverse lookup zone.
For example, assume that the IP address of the AD machine is 10.x.x.x, the hostname of the AD machine (as found by using the hostname command) is AD1, and the domain name is contoso.com. The PTR record added to the reverse lookup zone should be 10.x.x.x -> AD1.contoso.com.
The SMB or dual-protocol volume creation fails with the following error:
Failed to create the Active Directory machine account \"SMB-ANF-VOL\". Reason: Kerberos Error: KDC has no support for encryption type Details: Error: Machine account creation procedure failed [nnn]Loaded the preliminary configuration. [nnn]Successfully connected to ip 10.x.x.x, port 88 using TCP [nnn]FAILURE: Could not authenticate as 'contosa.com': KDC has no support for encryption type (KRB5KDC_ERR_ETYPE_NOSUPP)
Make sure that AES Encryption is enabled both in the Active Directory connection and for the service account.
The SMB or dual-protocol volume creation fails with the following error:
Failed to create the Active Directory machine account \"SMB-NTAP-VOL\". Reason: LDAP Error: Strong authentication is required Details: Error: Machine account creation procedure failed\n [ 338] Loaded the preliminary configuration.\n [ nnn] Successfully connected to ip 10.x.x.x, port 88 using TCP\n [ nnn ] Successfully connected to ip 10.x.x.x, port 389 using TCP\n [ 765] Unable to connect to LDAP (Active Directory) service on\n dc51.area51.com (Error: Strong(er) authentication\n required)\n*[ nnn] FAILURE: Unable to make a connection (LDAP (Active\n* Directory):contoso.com), result: 7609\n. "
The LDAP Signing option is not selected in the Active Directory connection, but the Active Directory domain controller requires LDAP signing (the "Strong(er) authentication required" result above). Enable LDAP Signing in the AD connection and retry.

Errors for dual-protocol volumes

Error conditions and resolutions
LDAP over TLS is enabled, and dual-protocol volume creation fails with the error This Active Directory has no Server root CA Certificate.
If this error occurs when you are creating a dual-protocol volume, make sure that the root CA certificate is uploaded in your NetApp account.
Dual-protocol volume creation fails with the error Failed to validate LDAP configuration, try again after correcting LDAP configuration.
The pointer (PTR) record of the AD host machine might be missing on the DNS server. You need to create a reverse lookup zone on the DNS server, and then add a PTR record of the AD host machine in that reverse lookup zone.
For example, assume that the IP address of the AD machine is 10.x.x.x, the hostname of the AD machine (as found by using the hostname command) is AD1, and the domain name is contoso.com. The PTR record added to the reverse lookup zone should be 10.x.x.x -> AD1.contoso.com.
Dual-protocol volume creation fails with the error Failed to create the Active Directory machine account \"TESTAD-C8DD\". Reason: Kerberos Error: Pre-authentication information was invalid Details: Error: Machine account creation procedure failed\n [ 434] Loaded the preliminary configuration.\n [ 537] Successfully connected to ip 10.x.x.x, port 88 using TCP\n**[ 950] FAILURE.
This error indicates that the AD password is incorrect when Active Directory is joined to the NetApp account. Update the AD connection with the correct password and try again.
Dual-protocol volume creation fails with the error Could not query DNS server. Verify that the network configuration is correct and that DNS servers are available.
This error indicates that DNS is not reachable. The reason might be an incorrect DNS IP or a networking issue. Check the DNS IP entered in the AD connection and make sure that the IP is correct.
Also, make sure that the AD and the volume are in the same region and the same VNet. If they are in different VNets, ensure that VNet peering is established between the two VNets.
See Guidelines for Azure NetApp Files network planning for details.
Permission denied error when mounting a dual-protocol volume.
A dual-protocol volume supports both the NFS and SMB protocols. When you try to access the mounted volume on the UNIX system, the system attempts to map the UNIX user you use to a Windows user. If no mapping is found, the "Permission denied" error occurs.
This also applies when you use the root user for the access.
To avoid the "Permission denied" issue, make sure that Windows Active Directory includes pcuser before you access the mount point. If you add pcuser after encountering the "Permission denied" issue, wait 24 hours for the cache entry to clear before trying the access again.

Errors for NFSv4.1 Kerberos volumes

Error conditions and resolutions
Error allocating volume - Export policy rules does not match kerberosEnabled flag
Azure NetApp Files does not support Kerberos for NFSv3 volumes. Kerberos is supported only for the NFSv4.1 protocol.
This NetApp account has no configured Active Directory connections
Configure Active Directory for the NetApp account with fields KDC IP and AD Server Name. See Configure the Azure portal for instructions.
Mismatch between KerberosEnabled flag value and ExportPolicyRule's access type parameter values.
Azure NetApp Files does not support converting a plain NFSv4.1 volume to a Kerberos NFSv4.1 volume, and vice versa.
mount.nfs: access denied by server when mounting volume <SMB_SERVER_NAME-XXX.DOMAIN_NAME>/<VOLUME_NAME>
Example: smb-test-64d9.contoso.com:/nfs41-vol101
  1. Ensure that the A/PTR records are properly set up and exist in the Active Directory for the server name smb-test-64d9.contoso.com.
    In the NFS client, if nslookup of smb-test-64d9.contoso.com resolves to IP address IP1 (that is, 10.1.1.68), then nslookup of IP1 must resolve to only one record (that is, smb-test-64d9.contoso.com). nslookup of IP1 must not resolve to multiple names.
  2. Set AES-256 for the NFS machine account of type NFS-<Smb NETBIOS NAME>-<few random characters> on AD using either PowerShell or the UI.
    Example commands:
    • Set-ADComputer <NFS_MACHINE_ACCOUNT_NAME> -KerberosEncryptionType AES256
    • Set-ADComputer NFS-SMB-TEST-64 -KerberosEncryptionType AES256
  3. Ensure that the time of the NFS client, AD, and Azure NetApp Files storage software is synchronized with each other and is within a five-minute skew range.
  4. Get the Kerberos ticket on the NFS client using the command kinit <administrator>.
  5. Reduce the NFS client hostname to less than 15 characters and perform the realm join again.
  6. Restart the NFS client and the rpcgssd service as follows. The command might vary depending on the OS.
    RHEL 7:
    service nfs restart
    service rpcgssd restart
    CentOS 8:
    systemctl enable nfs-client.target && systemctl start nfs-client.target
    Ubuntu:
    (Restart the rpc-gssd service.)
    sudo systemctl start rpc-gssd.service
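The A/PTR consistency check from step 1 above, and the missing-PTR condition described for the AD host machine, as an example added here (not code from the Azure documentation). By default it uses the client's own resolver through the socket module; the sample_forward/sample_reverse resolvers and their records are constructed so that the check can be exercised offline.

```python
import socket
from typing import Callable, Dict, List
# Example added here; not code from the Azure documentation. The server name must
# resolve to an IP, and that IP must reverse-resolve to exactly one name, which
# must be the same server name. A missing PTR record is reported as well.

def forward_via_socket(hostname: str) -> List[str]:
    """Default forward (A record) lookup through the client's resolver."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def reverse_via_socket(ip: str) -> List[str]:
    """Default reverse (PTR) lookup; returns [] when no PTR record exists."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name] + list(aliases)

def check_dns_consistency(hostname: str,
                          forward: Callable[[str], List[str]] = forward_via_socket,
                          reverse: Callable[[str], List[str]] = reverse_via_socket,
                          ) -> Dict[str, List[str]]:
    """Map each resolved IP to a list of findings; an empty list means OK."""
    wanted = hostname.rstrip(".").lower()
    ips = forward(hostname)
    if not ips:
        return {"(none)": [f"no A record for {wanted}"]}
    findings: Dict[str, List[str]] = {}
    for ip in ips:
        names = [n.rstrip(".").lower() for n in reverse(ip)]
        if not names:
            findings[ip] = [f"no PTR record for {ip}; add one in a reverse lookup zone"]
        elif len(names) > 1:
            findings[ip] = [f"PTR for {ip} resolves to several names: {', '.join(names)}"]
        elif names[0] != wanted:
            findings[ip] = [f"PTR for {ip} is {names[0]}, expected {wanted}"]
        else:
            findings[ip] = []
    return findings

# Constructed sample resolvers standing in for the NFS client's DNS view.
SAMPLE_A = {"smb-test-64d9.contoso.com": ["10.1.1.68"],
            "ad1.contoso.com": ["10.1.1.4"]}
SAMPLE_PTR = {"10.1.1.68": ["smb-test-64d9.contoso.com"],
              "10.1.1.4": []}  # reverse lookup zone has no record for the AD host

def sample_forward(hostname: str) -> List[str]:
    return SAMPLE_A.get(hostname.rstrip(".").lower(), [])
def sample_reverse(ip: str) -> List[str]:
    return SAMPLE_PTR.get(ip, [])
```

Running check_dns_consistency("smb-test-64d9.contoso.com") without the sample resolvers performs the same check against the client's real DNS servers.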
mount.nfs: an incorrect mount option was specified
The issue might be related to the NFS client. Reboot the NFS client.
Hostname lookup failed
You need to create a reverse lookup zone on the DNS server, and then add a PTR record of the AD host machine in that reverse lookup zone.
For example, assume that the IP address of the AD machine is 10.1.1.4, the hostname of the AD machine (as found by using the hostname command) is AD1, and the domain name is contoso.com. The PTR record added to the reverse lookup zone should be 10.1.1.4 -> AD1.contoso.com.
Volume creation fails due to unreachable DNS server
Two possible solutions are available:
  • This error indicates that DNS is not reachable. The reason might be an incorrect DNS IP or a networking issue. Check the DNS IP entered in the AD connection and make sure that the IP is correct.
  • Make sure that the AD and the volume are in the same region and the same VNet. If they are in different VNets, ensure that VNet peering is established between the two VNets.
NFSv4.1 Kerberos volume creation fails with an error similar to the following example:
Failed to enable NFS Kerberos on LIF "svm_e719cde8d6d0413fbd6adac0636cdecb_7ad0b82e_73349613". Failed to bind service principal name on LIF "svm_e719cde8d6d0413fbd6adac0636cdecb_7ad0b82e_73349613". SecD Error: server create fail join user auth.
The KDC IP is wrong, but the Kerberos volume has already been created. Update the KDC IP with a correct address.
Updating the KDC IP alone does not clear the error on the existing volume. You need to re-create the volume.

Errors for LDAP volumes

Error conditions and resolutions
Error when creating an SMB volume with ldapEnabled as true:
Error Message: ldapEnabled option is only supported with NFS protocol volume.
You cannot create an SMB volume with LDAP enabled.
Create SMB volumes with LDAP disabled.
Error when updating the ldapEnabled parameter value for an existing volume:
Error Message: ldapEnabled parameter is not allowed to update
You cannot modify the LDAP option setting after creating a volume.
Do not update the LDAP option setting on a created volume. See Configure ADDS LDAP with extended groups for NFS volume access for details.
Error when creating an LDAP-enabled NFS volume:
Could not query DNS server
Sample error message:
"log": time="2020-10-21 05:04:04.300" level=info msg=Res method=GET url=/v2/Volumes/070d0d72-d82c-c893-8ce3-17894e56cea3 x-correlation-id=9bb9e9fe-abb6-4eb5-a1e4-9e5fbb838813 x-request-id=c8032cb4-2453-05a9-6d61-31ca4a922d85 xresp="200: {\"created\":\"2020-10-21T05:02:55.000Z\",\"lifeCycleState\":\"error\",\"lifeCycleStateDetails\":\"Error when creating - Could not query DNS server. Verify that the network configuration is correct and that DNS servers are available.\",\"name\":\"smb1\",\"ownerId\":\"8c925a51-b913-11e9-b0de-9af5941b8ed0\",\"region\":\"westus2stage\",\"volumeId\":\"070d0d72-d82c-c893-8ce3-
This error occurs because DNS is unreachable.
  • Check if you have configured the correct site (site scoping) for Azure NetApp Files.
  • The reason that DNS is unreachable might be an incorrect DNS IP address or networking issues. Check the DNS IP address entered in the AD connection to make sure that it is correct.
  • Make sure that the AD and the volume are in the same region and the same VNet. If they are in different VNets, ensure that VNet peering is established between the two VNets.
Error when creating volume from a snapshot:
Aggregate does not exist
Azure NetApp Files doesn’t support provisioning a new, LDAP-enabled volume from a snapshot that belongs to an LDAP-disabled volume.
Try creating a new LDAP-disabled volume from the given snapshot.

Errors for volume allocation

When you create a new volume or resize an existing volume in Azure NetApp Files, Microsoft Azure allocates storage and networking resources to your subscription. You might occasionally experience resource allocation failures because of unprecedented growth in demand for Azure services in specific regions.

This section explains the causes of some of the common allocation failures and suggests possible remedies.

Error conditions and resolutions
Error when creating new volumes or resizing existing volumes.
Error message: There was a problem locating [or extending] storage for the volume. Please retry the operation. If the problem persists, contact Support.
The error indicates that the service ran into an error when attempting to allocate resources for this request.
Retry the operation after some time. Contact Support if the issue persists.
Out of storage or networking capacity in a region for regular volumes.
Error message: There are currently insufficient resources available to create [or extend] a volume in this region. Please retry the operation. If the problem persists, contact Support.
The error indicates that there are insufficient resources available in the region to create or resize volumes.
Try one of the following workarounds:
  • Create the volume under a new VNet. Doing so will avoid hitting networking-related resource limits.
  • Retry after some time. Resources may have been freed in the cluster, region, or zone in the interim.
Out of storage capacity when creating a volume with network features set to Standard.
Error message: No storage available with Standard network features, for the provided VNet.
The error indicates that there are insufficient resources available in the region to create volumes with Standard networking features.
Try one of the following workarounds:
  • If Standard network features are not required, create the volume with Basic network features.
  • Try creating the volume under a new VNet. Doing so will avoid hitting networking-related resource limits.
  • Retry after some time. Resources may have been freed in the cluster, region, or zone in the interim.

Next steps