This article covers the essential steps needed to integrate NetApp Clustered Data ONTAP (cDOT) with Quota Server. A successful integration between the two sources is mandatory for quota enforcement. This type of integration requires that your Northern Storage Suite installation is upgraded to version 9.6 or later. Version 9.61 SR1 is required if the ONTAP version is 8.3 or later.
NSS uses a proprietary interface when delivering quota functionality on NetApp systems. This interface is used to streamline quota monitoring, to allow for fail-open locking of hard quotas and for file blocking functionality. The API used is a NetApp technology called FPolicy.
In order to establish this interface, and begin receiving FPolicy notifications, NSS must register to FPolicy on the vserver. Note that this registration is only necessary for quota operations. It is not used for reporting purposes.
A basic knowledge of NetApp Clustered Data ONTAP administrative command-line is required. Further details are available in the official Clustered Data ONTAP administrator guide.
The fpolicy object is created or updated as soon as the Quota or File Block is added or removed. This can only be done if the following four pre-requisites are met:
- The NSS Quota Server service account needs to be an administrator on each managed SVM.
- Quota Server must connect to the CIFS server on the target SVM with the vsadmin-account or equivalent (ontapi rights required).
- A TCP port needs to be opened for each managed SVM on the Windows Server where NSS is running. The default starting port defined in Quota Server is TCP port 9000. Each SVM connection claims a TCP port (e.g. if you have three SVMs to manage with NSS, TCP ports 9000, 9001 and 9002 need to be opened on the server running NSS).
- The IP-address of the Management LIF needs to be specified for each CIFS-server. The procedure varies depending on the installed version of NSS.
For version 9.61 SR5 or earlier:
The IP-address of the Management LIF needs to be statically resolved for each managed CIFS-server. This is done in the HOSTS & LMHOSTS-files on the NSS-server. The files are located at C:\Windows\System32\drivers\etc by default. Add the IP, followed by the fully qualified domain name for the CIFS-server. Save the file.
Example (hosts-file):
10.20.30.40 cifs-server1.domain.com
10.20.30.50 cifs-server2.domain.com
10.20.30.60 cifs-server3.domain.com
For version 9.7 SR1 or later:
When adding the CIFS-server to the Quota Server NetApp settings (the NetApp filer field), specify the IP-address of the Management LIF after the CIFS-server name. Separate the name and the IP with an '@'-sign. Multiple CIFS-servers are separated with a semi-colon.
Example: cifs-server1@10.20.30.40;cifs-server2@10.20.30.50;cifs-server3@10.20.30.60
See the section 'Establishing the Fpolicy connection' a few steps below for more information on how to add the managed NetApp filers to Quota Server.
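The TCP port and Management LIF prerequisites above can be checked on the NSS server before the connection is configured. The following PowerShell is an added example, not Northern's own code: it validates a 'NetApp filer' string in the name@IP format, derives the ports Quota Server will claim, and opens only those ports. The function name Get-QuotaServerPortPlan and the rule display name are hypothetical, the sample values are constructed, and it assumes the ports are contiguous from the start port and that the firewall rule is inbound.

```powershell
# Added example (not vendor code). Sample values are constructed from the article's format.
function Get-QuotaServerPortPlan {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$FilerField,       # "name@ip;name@ip" (9.7 SR1 or later)
        [ValidateRange(1, 65535)][int]$StartPort = 9000  # Quota Server "TCP PortNo Start" default
    )
    # Split on ';', trim whitespace and drop empty items (e.g. a trailing semicolon).
    $entries = @($FilerField -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($entries.Count -eq 0) { throw 'No CIFS servers listed.' }

    $seen = @{}   # hashtable keys are case-insensitive, so CIFS-SERVER1 equals cifs-server1
    $servers = foreach ($entry in $entries) {
        $name, $ip = $entry -split '@', 2
        $parsed = $null
        if (-not $name) { throw "Missing CIFS server name in '$entry'." }
        # Require a dotted quad; TryParse alone would also accept short forms such as "1".
        if ($ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$' -or
            -not ([System.Net.IPAddress]::TryParse($ip, [ref]$parsed))) {
            throw "Entry '$entry' needs a valid Management LIF IPv4 address after '@'."
        }
        if ($seen.ContainsKey($name)) { throw "CIFS server '$name' is listed twice." }
        $seen[$name] = $true
        [pscustomobject]@{ CifsServer = $name; ManagementLif = $parsed.ToString() }
    }

    # One port per managed CIFS server/SVM, counted up from the start port.
    $lastPort = $StartPort + $entries.Count - 1
    if ($lastPort -gt 65535) { throw "Port range ends at $lastPort, above 65535." }
    [pscustomobject]@{ Servers = @($servers); Ports = @($StartPort..$lastPort) }
}

$plan = Get-QuotaServerPortPlan -FilerField `
    'cifs-server1@10.20.30.40;cifs-server2@10.20.30.50;cifs-server3@10.20.30.60'
$plan.Servers | Format-Table CifsServer, ManagementLif

# Report listeners already bound to the planned ports (Quota Server itself or a conflict).
Get-NetTCPConnection -State Listen -LocalPort $plan.Ports -ErrorAction SilentlyContinue |
    Select-Object LocalPort, OwningProcess

# One inbound rule covering exactly the claimed ports; remove -WhatIf to create it.
New-NetFirewallRule -DisplayName 'NSS Quota Server FPolicy (example)' -Direction Inbound `
    -Protocol TCP -LocalPort $plan.Ports -Action Allow -WhatIf
```

Opening exactly the ports derived from the number of managed SVMs keeps the rule no wider than the integration needs.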
How to add the NSS Service account to the SVM Administrator group
Add the account used by the NSS Quota Server service in BUILTIN\Administrators on each managed vserver. This is needed because Quota Server needs to have permission to perform operations on the vserver.
There are two ways to add the NSS Quota Server service account to the BUILTIN\Administrators group on the managed vserver:
- Through the NetApp command station
- Through the OnCommand GUI
1. Adding the account through the NetApp command station
Enter the NetApp command prompt and enter vserver cifs users-and-groups local-group. In the example below, the NetApp cluster is named NorthernCDOT:

When inside this section of the NetApp Client, type the following command to add the NSS Quota Server service account to the BUILTIN\Administrators group on the vserver:
add-members -group-name BUILTIN\Administrators -member-names DOMAIN\service_account -vserver XXXXX
The DOMAIN\service_account is your NSS Quota Server service account and XXXXX is the name of your vserver. Please make sure that the credentials are correctly set in terms of domain and account name!
The screenshot below illustrates how this looks in the NetApp command prompt. In this example, the name of the vserver is SNV-FieldCDOT:

The account is now a member of the BUILTIN\Administrators group. Repeat this process for all managed vservers.
2. Adding the account through the OnCommand interface
A more user-friendly approach is through the NetApp OnCommand software. This software allows the administrator to manage the NetApp cluster from a graphical interface.
Open the OnCommand interface (preferably version 3.1 or later). Navigate to Storage Virtual Machines\Cluster Name\Vserver Name\Configuration\Local Users and Groups\Windows.
In the example below, the pathway is Storage Virtual Machines\NorthernCDOT\SNV-FieldCDOT\Configuration\Local Users and Groups\Windows.
Select BUILTIN\Administrators in the list and Click on 'Edit' to modify the group:
Click on 'Add' under the Members-section:

Add the NSS Quota Server service account:

Click on 'Modify' to apply the change:

The account is now a member of the BUILTIN\Administrators group. Repeat this process for all managed vservers.
How to create a local security account equivalent to vsadmin
Quota Server uses a local security account on the target SVM(s) for the fpolicy authorization. The already existing vsadmin-account is the recommended account to use here.
If the vsadmin-account cannot be used (e.g. locked due to a security policy), a new local security account must be created locally on each managed SVM. The new account must have the same rights as the vsadmin account.
Access OnCommand and navigate to Storage Virtual Machines\Cluster Name\Vserver Name\Configuration\Security\Users.
Click on Add:

Specify the user name, password and grant the account ontapi & ssh-rights with the 'vsadmin'-role:

Click on Add and then verify that the account has the required roles:

Repeat this process for all managed vservers.
Establishing the FPolicy Connection
The fpolicy connection can be established in Quota Server when the steps above have been completed. Once confirmed, launch Quota Server and navigate to System\Quota Servers and select your Quota Server. Right Click the selected Quota Server and select 'Modify':

This enables the settings menu at the bottom of the screen. Click on 'NetApp Settings':

How to establish the fpolicy connection in Quota Server
- NetApp filer: Specify the name(s) of the CIFS Server(s) that you will be managing. Separate multiple CIFS Server names with a semicolon ';'. Note that the CIFS Server name might or might not be the same as Storage Virtual Machine (SVM) name, depending on the configuration of your NetApp environment.
If you are running version 9.7 SR1 or later, please specify the IP-address of the Management LIF for each managed CIFS-server. Separate the CIFS-server name and the IP-address with an '@'-sign (e.g. SNV-FieldCDOT@10.1.0.248).
- Connection type: Specify the connection type you wish to use. Either HTTP or HTTPS.
- User name: Specify the vsadmin account or equivalent here. Our recommendation is to use the vsadmin account since this account has all the required rights to establish the fpolicy connection. It is possible to use another account, but this requires that the used account has the same rights on the vserver as the vsadmin account. Ontapi login rights are required. See the previous section for more information.
- Password: Specify the password of the account used for the authentication.
- TCP PortNo Start: Specify the starting TCP port that Quota Server will use to communicate with the vserver. The default port is set to 9000. Each vserver claims a port, so an additional port needs to be opened for each managed vserver. For example, if you want to manage 3 vservers, you need to open ports 9000, 9001 and 9002.
Optional settings
These settings are only relevant if the ambition is to encrypt the communication with an SSL-layer.
- CM SSL Auth: This setting dictates whether the connection should be through SSL or not. The default value is set to 'No SSL'. The other two settings are 'Server' and 'Mutual'. These settings will enable SSL.
- QS Cert Name: Specify the name of your QS Certificate.
- Cluster Cert Name: Specify the name of your Cluster Certificate.
- Cluster Cert Serial: Specify your Cluster Certificate Serial.
- Cluster Cert CA: Specify the Cluster Certificate CA.
Apply the changes by either pressing 'Enter' or by right clicking the screen and selecting 'Apply' in the menu.
Authorization failed

If you see this it means that Quota Server is not able to connect to the NetApp Cluster due to a failed authorization. The most common problem is that the account username and/or password is incorrectly configured. Make sure that the credentials are correct and try again.