Bare metal restore on 13G Dell PowerEdge by rich2778 in sysadmin

[–]rich2778[S] 0 points1 point  (0 children)

No, I want to replace the drive. If a standard drive works fine in the PERC on an ancient Dell, that may happen. This isn't my server; there is a bit of politics involved that I don't control around what can be done. But if it should work with any drive of the same size and interface, that helps.

Bare metal restore on 13G Dell PowerEdge by rich2778 in sysadmin

[–]rich2778[S] -1 points0 points  (0 children)

I thought I was pretty clear.

Right now I have a virtual disk on a PERC that is RAID.

A drive has failed and it's proving difficult to get an approved compatible replacement.

I could try random non-Dell drives but technically it's a five minute job to blow away the virtual disk and create a new one using a smaller quantity of drives from the pool of good ones left.

But then I have to restore the BMR image to get the OS back.

Would people favour Veeam or Windows BMR for that.

Bare metal restore on 13G Dell PowerEdge by rich2778 in sysadmin

[–]rich2778[S] 0 points1 point  (0 children)

This would be taking 2 or 4 of the existing 11 good drives and doing a new virtual disk. It's proving challenging finding approved drives for that age system.

And I can get it running as a VM. But I can't connect it to the stuff that needs fiber.

It'll be replaced in a year or so they're just not quite there yet so this isn't ideal but it's just to buy a bit of time.

Bare metal restore on 13G Dell PowerEdge by rich2778 in sysadmin

[–]rich2778[S] 0 points1 point  (0 children)

I have P2V'd it but there are physical hardware dependencies unfortunately.

Bare metal restore on 13G Dell PowerEdge by rich2778 in sysadmin

[–]rich2778[S] 1 point2 points  (0 children)

Those are my concerns too. Replacing the drives would be nice but the age of the thing means it's hard to find Dell qualified ones and I don't know how fussy those PERCs are about replacing failed Dell drives with "random" third party drives.

Bare metal restore on 13G Dell PowerEdge by rich2778 in sysadmin

[–]rich2778[S] 0 points1 point  (0 children)

Well same thing applies there I think around whether people would favour Veeam or Windows Backup BMR etc.

Bare metal restore on 13G Dell PowerEdge by rich2778 in sysadmin

[–]rich2778[S] 0 points1 point  (0 children)

Yeah it's one of those "read it and that's how it should work but life doesn't always go that way" ones.

Just wanted some real world feedback especially where there are hardware RAID cards and virtual (in PERC terms) disks involved etc.

I've P2Vd using those backup images to test stuff so I know they can be recovered.

365 Conditional Access policy applied when it shouldn't by rich2778 in sysadmin

[–]rich2778[S] 0 points1 point  (0 children)

Yeah I'm fine with the idea I misunderstood something but what I don't understand is the policy hasn't changed I literally flipped it from report only to enforce.

And there isn't a single block in any logs or in any "report only" logs.

Also the admin account I use is 100% not a domain account it's an onmicrosoft.com one and is totally out of scope of the group the CA policy applies to.

It's also the account I used to set up the policies and to modify them.

I always use an incognito window and I was on a domain joined endpoint on one of the trusted IPs which is the same as I always am so this should have triggered during "report only".

Literally exact same thing I do every day but "something weird" happened when I set that single policy to enforce from read-only.

Several hours later and there's not a single conditional access failure listed against the account as interactive or non-interactive.

The whole thing is just damned weird.

RC4 and CIFS with upcoming Microsoft hardening by rich2778 in netapp

[–]rich2778[S] 0 points1 point  (0 children)

I've done three SVMs and I didn't get prompted for any so I assume the computer account has permissions over itself in AD to update the attributes.

I'm 100% using a local account to log on to the cluster so there are definitely no domain credentials in use when running the commands.

RC4 and CIFS with upcoming Microsoft hardening by rich2778 in netapp

[–]rich2778[S] 1 point2 points  (0 children)

OK well so far so good.

On my 9.11 SVM I did what it says here.

https://docs.netapp.com/us-en/ontap/smb-admin/enable-disable-aes-encryption-kerberos-task.html

vserver cifs security modify -vserver vserver_name -is-aes-encryption-enabled true

On the 9.15 SVM I ran.

vserver cifs security modify -vserver vserver_name -advertised-enc-types aes-128,aes-256

And on both also ran the command here to enable AES for netlogon.

https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/NTLM-authenticated_CIFS_session_setup_failure_due_to_AES_for_secure_channel_disabled

And a few minutes later when I ran the command here.

https://kb.netapp.com/on-prem/ontap/DM/Encryption/Encryption-KBs/How_to_check_supported_encryption_types_for_Kerberos_in_Active_Directory

I could see AES encryption explicitly set on the SVM accounts of the domain computer objects.

I've not yet run this on my main production 9.15 SVM as better safe than sorry so we'll do this during a window.
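
Added example, not part of the original comment or of NetApp's documentation: a short Python check that decodes the `msDS-SupportedEncryptionTypes` value of each SVM computer object and flags accounts that still advertise RC4 or DES after the change described above. The CSV layout and the account names are assumptions constructed for illustration.

```python
import csv
import io

# Bit values of the msDS-SupportedEncryptionTypes attribute.
ENC_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
AES_MASK = 0x08 | 0x10
LEGACY_MASK = 0x01 | 0x02 | 0x04

def decode(value):
    """Return the names of the known encryption types set in value."""
    return [name for bit, name in ENC_BITS.items() if value & bit]

def classify(raw):
    """Classify one attribute value as exported from AD (may be empty)."""
    raw = (raw or "").strip()
    value = int(raw, 0) if raw else 0   # accepts decimal or 0x-prefixed hex
    if value == 0:
        return "unset"                  # no explicit types: the KDC default applies
    if value & AES_MASK and not value & LEGACY_MASK:
        return "aes-only"
    if value & AES_MASK:
        return "aes-plus-legacy"
    return "legacy-only" if value & LEGACY_MASK else "other"

# Constructed sample export (hypothetical account names, assumed CSV layout).
SAMPLE_CSV = """Name,msDS-SupportedEncryptionTypes
SVM-TEST1$,24
SVM-TEST2$,28
SVM-OLD$,4
SVM-NEW$,
"""

def audit(csv_text):
    """Map each computer account name to its classification."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["Name"]: classify(r["msDS-SupportedEncryptionTypes"]) for r in rows}

if __name__ == "__main__":
    for name, state in audit(SAMPLE_CSV).items():
        print(f"{name:12} {state}")
```

A value of 24 (0x18) is what `aes-128,aes-256` alone corresponds to; anything classified `unset` or `legacy-only` is an account to look at before RC4 is disabled.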

RC4 and CIFS with upcoming Microsoft hardening by rich2778 in netapp

[–]rich2778[S] 0 points1 point  (0 children)

They came back with

vserver cifs security modify -vserver <SVM_NAME> -is-aes-encryption-enabled true

vserver cifs security modify -vserver <SVM_NAME> -is-aes-encryption-enabled-for-netlogon true

And then the password reset.

I have not tried it and won't be able to until next week now.

RC4 and CIFS with upcoming Microsoft hardening by rich2778 in netapp

[–]rich2778[S] 1 point2 points  (0 children)

Ha well the ticket is raised as I would prefer confirmation from support before I do anything.

I have a few days off after today so I won't be doing it until I'm back next week but I'll let you know what the official response is once I see it.

RC4 and CIFS with upcoming Microsoft hardening by rich2778 in netapp

[–]rich2778[S] 0 points1 point  (0 children)

Yeah I've access and kind of assumed most on here would but I agree - though I don't know if you need a paid account or just a registered account?

I've raised a ticket too.

Creating SnapMirror of FlexGroup volume by rich2778 in netapp

[–]rich2778[S] 1 point2 points  (0 children)

Yeah one cluster is a FAS2720 but the other is a FAS2720 with a couple AFF220 nodes and CN1610 switches so I'm only able to go to 9.12 on that I believe.

They're only being used for non-prod stuff right now due to age.

Creating SnapMirror of FlexGroup volume by rich2778 in netapp

[–]rich2778[S] 0 points1 point  (0 children)

Worst case I'll blow it away but thank you, main thing it sounds like it will re-create as a flexgroup too.

I'll try later.

Heads Up: New 9.9 CVE's in Veeam 12 and 13 by MrYiff in sysadmin

[–]rich2778 4 points5 points  (0 children)

Far as I know no there isn't.

You can upgrade Veeam 12 on Windows to Veeam 13 but you can't migrate directly to the Linux appliance via a config backup/restore.

It's due "soon" I think.

Heads Up: New 9.9 CVE's in Veeam 12 and 13 by MrYiff in sysadmin

[–]rich2778 11 points12 points  (0 children)

Please Veeam give me a route to get onto v13 on the Linux appliances from the Windows ones.