Troubleshoot volume errors for Azure NetApp Files
If a volume create-read-update-delete (CRUD) operation is performed on a volume not in a terminal state, the operation will fail. Automation workflows and portal users should check for the terminal state of the volume before executing subsequent asynchronous operations on the volume.
Errors for SMB and dual-protocol volumes
Error conditions | Resolutions |
---|---|
The SMB or dual-protocol volume creation fails with the following error: {"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InternalServerError", "message":"Error when creating - Could not query DNS server. Verify that the network configuration is correct and that DNS servers are available."}]} |
This error indicates that the DNS is not reachable. Consider the following solutions:
The same solutions apply for Microsoft Entra Domain Services. Microsoft Entra Domain Services should be deployed in the same region. The VNet should be in the same region or peered with the VNet used by the volume. |
The SMB or dual-protocol volume creation fails with the following error: {"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InternalServerError", "message":"Error when creating - Failed to create the Active Directory machine account \"SMBTESTAD-C1C8\". Reason: Kerberos Error: Invalid credentials were given Details: Error: Machine account creation procedure failed\n [ 563] Loaded the preliminary configuration.\n**[ 670] FAILURE: Could not authenticate as 'test@contoso.com':\n** Unknown user (KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN)\n. "}]} |
|
The SMB or dual-protocol volume creation fails with the following error: {"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InternalServerError", "message":"Error when creating - Failed to create the Active Directory machine account \"SMBTESTAD-A452\". Reason: Kerberos Error: Pre-authentication information was invalid Details: Error: Machine account creation procedure failed\n [ 567] Loaded the preliminary configuration.\n [ 671] Successfully connected to ip 10.x.x.x, port 88 using TCP\n**[ 1099] FAILURE: Could not authenticate as\n** 'user@contoso.com': CIFS server account password does\n** not match password stored in Active Directory\n** (KRB5KDC_ERR_PREAUTH_FAILED)\n. "}]} | Make sure that the password entered for joining the AD connection is correct. |
The SMB or dual-protocol volume creation fails with the following error: {"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InternalServerError","message":"Error when creating - Failed to create the Active Directory machine account \"SMBTESTAD-D9A2\". Reason: SecD Error: ou not found Details: Error: Machine account creation procedure failed\n [ 561] Loaded the preliminary configuration.\n [ 665] Successfully connected to ip 10.x.x.x, port 88 using TCP\n [ 1039] Successfully connected to ip 10.x.x.x, port 389 using TCP\n**[ 1147] FAILURE: Specifed OU 'OU=AADDC Com' does not exist in\n** contoso.com\n. "}]} | Make sure that the OU path specified for joining the AD connection is correct. If you use Microsoft Entra Domain Services, make sure that the organizational unit path is `OU=AADDC Computers`. |
The SMB or dual-protocol volume creation fails with the following error: Failed to create the Active Directory machine account \"SMB-ANF-VOL. Reason: LDAP Error: Local error occurred Details: Error: Machine account creation procedure failed. [nnn] Loaded the preliminary configuration. [nnn] Successfully connected to ip 10.x.x.x, port 88 using TCP [nnn] Successfully connected to ip 10.x.x.x, port 389 using [nnn] Entry for host-address: 10.x.x.x not found in the current source: FILES. Ignoring and trying next available source [nnn] Source: DNS unavailable. Entry for host-address:10.x.x.x found in any of the available sources\n*[nnn] FAILURE: Unable to SASL bind to LDAP server using GSSAPI: local error [nnn] Additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot determine realm for numeric host address) [nnn] Unable to connect to LDAP (Active Directory) service on contoso.com (Error: Local error) [nnn] Unable to make a connection (LDAP (Active Directory):contosa.com, result: 7643. | The pointer (PTR) record of the AD host machine might be missing on the DNS server. You need to create a reverse lookup zone on the DNS server, and then add a PTR record of the AD host machine in that reverse lookup zone. |
The SMB or dual-protocol volume creation fails with the following error: Failed to create the Active Directory machine account \"SMB-ANF-VOL\". Reason: Kerberos Error: KDC has no support for encryption type Details: Error: Machine account creation procedure failed [nnn]Loaded the preliminary configuration. [nnn]Successfully connected to ip 10.x.x.x, port 88 using TCP [nnn]FAILURE: Could not authenticate as 'contosa.com': KDC has no support for encryption type (KRB5KDC_ERR_ETYPE_NOSUPP) | Make sure that AES Encryption is enabled for both the Active Directory connection and the service account. |
The SMB or dual-protocol volume creation fails with the following error: Failed to create the Active Directory machine account \"SMB-NTAP-VOL\". Reason: LDAP Error: Strong authentication is required Details: Error: Machine account creation procedure failed\n [ 338] Loaded the preliminary configuration.\n [ nnn] Successfully connected to ip 10.x.x.x, port 88 using TCP\n [ nnn ] Successfully connected to ip 10.x.x.x, port 389 using TCP\n [ 765] Unable to connect to LDAP (Active Directory) service on\n dc51.area51.com (Error: Strong(er) authentication\n required)\n*[ nnn] FAILURE: Unable to make a connection (LDAP (Active\n* Directory):contoso.com), result: 7609\n. " | The LDAP Signing option is not selected, but the AD client has LDAP signing. Enable LDAP Signing and retry. |
SMB volume creation fails with the following error: Failed to create the Active Directory machine account. Reason: LDAP Error: Intialization of LDAP library failed Details: Error: Machine account creation procedure failed | This error occurs because the service or user account used in the Azure NetApp Files Active Directory connections does not have sufficient privilege to create computer objects or make modifications to the newly created computer object. To resolve the issue, grant the account being used greater privilege. You can apply a default role with sufficient privileges or delegate more privilege to the user, service account, or group it's part of. |
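The failure signatures in the table above can be matched mechanically when a deployment fails in automation. The following Python sketch is an added example, not Microsoft's code and not part of the original page; `RESOLUTIONS`, `flatten_messages`, `failure_line` and `triage` are hypothetical names, and the sample input is abridged from the pre-authentication row above.

```python
import json
import re

# Markers are substrings of the error text in the table above (spelling kept as
# the service emits it); each is paired with a condensed form of that row's fix.
RESOLUTIONS = [
    ("Could not query DNS server", "DNS unreachable: check DNS IP, region, VNet peering"),
    ("KRB5KDC_ERR_PREAUTH_FAILED", "check the password on the AD connection"),
    ("ou not found", "check the OU path on the AD connection"),
    ("Cannot determine realm for numeric host address", "add a PTR record for the AD host"),
    ("KRB5KDC_ERR_ETYPE_NOSUPP", "enable AES encryption on AD connection and service account"),
    ("Strong authentication is required", "enable LDAP Signing on the AD connection"),
    ("Intialization of LDAP library failed", "grant the join account rights on computer objects"),
]

def flatten_messages(err):
    """Yield every "message" string in a nested ARM-style error object."""
    if isinstance(err, dict):
        if isinstance(err.get("message"), str):
            yield err["message"]
        for child in err.get("details") or []:
            yield from flatten_messages(child)

def failure_line(text):
    """Return the FAILURE entry of the join log, '**' continuation lines joined."""
    m = re.search(r"FAILURE:(.*)", text, re.S)
    return " ".join(re.sub(r"\n\*+", " ", m.group(1)).split()).rstrip(" .") if m else None

def triage(raw):
    """Accept the JSON envelope or the bare message and map it to a resolution."""
    try:
        text = "\n".join(flatten_messages(json.loads(raw))) or raw
    except ValueError:  # bare message, as several rows of the table show it
        text = raw
    for marker, fix in RESOLUTIONS:
        if marker in text:
            return {"marker": marker, "failure": failure_line(text), "resolution": fix}
    return {"marker": None, "failure": failure_line(text), "resolution": None}

# Sample abridged from the pre-authentication row of the table above.
SAMPLE = (
    r'{"code":"DeploymentFailed","details":[{"code":"InternalServerError","message":'
    r'"Error when creating - Failed to create the Active Directory machine account '
    r'\"SMBTESTAD-A452\". Reason: Kerberos Error: Pre-authentication information was '
    r'invalid\n**[ 1099] FAILURE: Could not authenticate as\n** '
    r"'user@contoso.com': CIFS server account password does\n** not match password "
    r'stored in Active Directory\n** (KRB5KDC_ERR_PREAUTH_FAILED)\n. "}]}'
)
```

An error with no matching marker still returns its `FAILURE` entry with `resolution` set to `None`, so unknown join failures are surfaced rather than dropped.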
Errors for dual-protocol volumes
Error conditions | Resolutions |
---|---|
LDAP over TLS is enabled, and dual-protocol volume creation fails with the error `This Active Directory has no Server root CA Certificate`. | If this error occurs when you are creating a dual-protocol volume, make sure that the root CA certificate is uploaded in your NetApp account. |
Dual-protocol volume creation fails with the error `Failed to validate LDAP configuration, try again after correcting LDAP configuration`. | The pointer (PTR) record of the Active Directory (AD) host machine might be missing on the DNS server. You need to create a reverse lookup zone on the DNS server, and then add a PTR record of the AD host machine in that reverse lookup zone. For example, assume that the IP address of the AD machine is `10.x.x.x`, the hostname of the AD machine (as found by using the `hostname` command) is `AD1`, and the domain name is `contoso.com`. The PTR record added to the reverse lookup zone should be `10.x.x.x -> contoso.com`. |
Dual-protocol volume creation fails with the error `Failed to create the Active Directory machine account \\\"TESTAD-C8DD\\\". Reason: Kerberos Error: Pre-authentication information was invalid Details: Error: Machine account creation procedure failed\\n [ 434] Loaded the preliminary configuration.\\n [ 537] Successfully connected to ip 10.x.x.x, port 88 using TCP\\n**[ 950] FAILURE`. | This error indicates that the AD password is incorrect when Active Directory is joined to the NetApp account. Update the AD connection with the correct password and try again. |
Dual-protocol volume creation fails with the error `Could not query DNS server. Verify that the network configuration is correct and that DNS servers are available`. | This error indicates that DNS is not reachable. The DNS IP might be incorrect, or there might be a networking issue. Check the DNS IP entered in the AD connection and make sure that the IP is correct. If you're using Basic network features, make sure that the AD configuration and the volume are in the same region and in the same VNet. If they are in different VNets, ensure that VNet peering is established between the two VNets. See Guidelines for Azure NetApp Files network planning for details. |
Permission is denied error when mounting a dual-protocol volume. | A dual-protocol volume supports both the NFS and SMB protocols. When you try to access the mounted volume on the UNIX system, the system attempts to map the UNIX user you use to a Windows user. Ensure that the POSIX attributes are properly set on the AD DS User object. |
Errors for NFSv4.1 Kerberos volumes
Error conditions | Resolutions |
---|---|
Error allocating volume - Export policy rules does not match kerberosEnabled flag | Azure NetApp Files does not support Kerberos for NFSv3 volumes. Kerberos is supported only for the NFSv4.1 protocol. |
This NetApp account has no configured Active Directory connections | Configure Active Directory for the NetApp account with fields KDC IP and AD Server Name. See Configure the Azure portal for instructions. |
Mismatch between KerberosEnabled flag value and ExportPolicyRule's access type parameter values. | Azure NetApp Files does not support converting a plain NFSv4.1 volume to a Kerberos NFSv4.1 volume, or vice versa. |
mount.nfs: access denied by server when mounting volume <SMB_SERVER_NAME-XXX.DOMAIN_NAME>/<VOLUME_NAME> Example: smb-test-64d9.contoso.com:/nfs41-vol101 |
|
mount.nfs: an incorrect mount option was specified | The issue might be related to the NFS client. Reboot the NFS client. |
Hostname lookup failed | You need to create a reverse lookup zone on the DNS server, and then add a PTR record of the AD host machine in that reverse lookup zone. For example, assume that the IP address of the AD machine is `10.1.1.4`, the hostname of the AD machine (as found by using the `hostname` command) is `AD1`, and the domain name is `contoso.com`. The PTR record added to the reverse lookup zone should be `10.1.1.4 -> AD1.contoso.com`. |
Volume creation fails due to unreachable DNS server |
Two possible solutions are available:
|
NFSv4.1 Kerberos volume creation fails with an error similar to the following example: Failed to enable NFS Kerberos on LIF "svm_e719cde8d6d0413fbd6adac0636cdecb_7ad0b82e_73349613". Failed to bind service principal name on LIF "svm_e719cde8d6d0413fbd6adac0636cdecb_7ad0b82e_73349613". SecD Error: server create fail join user auth. | The KDC IP is wrong and the Kerberos volume has been created. Update the KDC IP with a correct address. After you update the KDC IP, the error will not go away. You need to re-create the volume. |
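The missing-PTR condition behind the "Hostname lookup failed" row, and behind the PTR rows in the SMB and dual-protocol tables, can be checked before a volume is created. The following Python sketch is an added example, not part of the original page; `ptr_owner_name` and `check_ptr` are hypothetical names, the resolver functions are injectable so the check can be exercised offline, and the forward (A record) confirmation goes one step beyond what the page asks for.

```python
import ipaddress
import socket

def ptr_owner_name(ip):
    """DNS name in the reverse lookup zone where the PTR record for ip must live."""
    return ipaddress.ip_address(ip).reverse_pointer

def check_ptr(ip, expected_fqdn, reverse=socket.gethostbyaddr,
              forward=socket.gethostbyname_ex):
    """Verify that ip has a PTR record naming expected_fqdn, then confirm forward."""
    result = {"ptr_name": ptr_owner_name(ip), "ok": False, "reason": ""}
    want = expected_fqdn.rstrip(".").lower()
    try:
        host, aliases, _ = reverse(ip)
    except OSError as exc:  # socket.herror and socket.gaierror derive from OSError
        result["reason"] = f"no PTR record: {exc}"
        return result
    names = {n.rstrip(".").lower() for n in [host, *aliases]}
    if want not in names:
        result["reason"] = f"PTR points to {sorted(names)}, expected {want}"
        return result
    try:
        _, _, addrs = forward(want)
    except OSError as exc:
        result["reason"] = f"{want} has no A record: {exc}"
        return result
    if ip not in addrs:
        result["reason"] = f"{want} resolves to {addrs}, not {ip}"
        return result
    result["ok"] = True
    return result

if __name__ == "__main__":
    # Values from the page's example; run from a host that uses the AD DNS server.
    print(check_ptr("10.1.1.4", "AD1.contoso.com"))
```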
Errors for LDAP volumes
Error conditions | Resolutions |
---|---|
Error when creating an SMB volume with LDAP enabled as true: Error Message: ldapEnabled option is only supported with NFS protocol volume. | You cannot create an SMB volume with LDAP enabled. Create SMB volumes with LDAP disabled. |
Error when updating the ldapEnabled parameter value for an existing volume: Error Message: ldapEnabled parameter is not allowed to update | You cannot modify the LDAP option setting after creating a volume. Do not update the LDAP option setting on a created volume. See Configure AD DS LDAP with extended groups for NFS volume access for details. |
Error when creating an LDAP-enabled NFS volume: Could not query DNS server Sample error message: "log": time="2020-10-21 05:04:04.300" level=info msg=Res method=GET url=/v2/Volumes/070d0d72-d82c-c893-8ce3-17894e56cea3 x-correlation-id=aaaa0000-bb11-2222-33cc-444444dddddd x-request-id=bbbb1111-cc22-3333-44dd-555555eeeeee xresp="200: {\"created\":\"2020-10-21T05:02:55.000Z\",\"lifeCycleState\":\"error\",\"lifeCycleStateDetails\":\"Error when creating - Could not query DNS server. Verify that the network configuration is correct and that DNS servers are available.\",\"name\":\"smb1\",\"ownerId\ \":\"cccc2222-dd33-4444-55ee-666666ffffff\",\"region\":\"westus2stage\",\"volumeId\":\"070d0d72-d82c-c893-8ce3- |
This error occurs because DNS is unreachable.
|
Error when creating volume from a snapshot: Aggregate does not exist | Azure NetApp Files doesn't support provisioning a new, LDAP-enabled volume from a snapshot that belongs to an LDAP-disabled volume. Try creating a new LDAP-disabled volume from the given snapshot. |
Only primary group IDs are seen, even though the user also belongs to auxiliary groups. | This is caused by a query timeout: - Use the LDAP search scope option. - Use preferred Active Directory servers for the LDAP client. |
Error describing volume - Entry doesn't exist for username: <username>, please try with a valid username | - Check if the user is present on the LDAP server. - Check if the LDAP server is healthy. |
Errors for volume allocation
When you create a new volume or resize an existing volume in Azure NetApp Files, Microsoft Azure allocates storage and networking resources to your subscription. You might occasionally experience resource allocation failures because of unprecedented growth in demand for Azure services in specific regions.
This section explains the causes of some of the common allocation failures and suggests possible remedies.
Error conditions | Resolutions |
---|---|
Error when creating new volumes or resizing existing volumes. Error message: There was a problem locating [or extending] storage for the volume. Please retry the operation. If the problem persists, contact Support. | The error indicates that the service ran into an error when attempting to allocate resources for this request. Retry the operation after some time. Contact Support if the issue persists. |
Out of storage or networking capacity in a region for regular volumes. Error message: There are currently insufficient resources available to create [or extend] a volume in this region. Please retry the operation. If the problem persists, contact Support. |
The error indicates that there are insufficient resources available in the region to create or resize volumes. Try one of the following workarounds:
|
Out of storage capacity when creating a volume with network features set to `Standard`. Error message: No storage available with Standard network features, for the provided VNet. |
The error indicates that there are insufficient resources available in the region to create volumes with Standard networking features. Try one of the following workarounds:
|
Activity log warnings for volumes
Warnings | Resolutions |
---|---|
The Microsoft.NetApp/netAppAccounts/capacityPools/volumes/ScaleUp operation displays a warning: Percentage Volume Consumed Size reached 90% | The used size of an Azure NetApp Files volume has reached 90% of the volume quota. You should resize the volume soon. |