
Managing Celerra for the Windows Environment

P/N 300-002-679 Rev A01

Version 5.5
March 2006

Contents

Introduction
  Windows and multiprotocol documentation
  Terminology
System requirements
  EMC NAS Interoperability Matrix
MMC snap-ins and programs for Windows
  Celerra UNIX Attributes Migration tool
  Celerra UNIX User Management snap-in
  Celerra UNIX property page extensions in ADUC
  Celerra Data Mover Management snap-in
  Celerra AntiVirus Management
  Celerra Home Directory Management snap-in
  Data Mover Security Settings snap-in
  Celerra Audit Policy
  Celerra User Rights Assignment
User interface choices
Managing Windows roadmap
Checking the current CIFS configuration
  Managing network interfaces
Managing DNS on a Data Mover
Modifying a CIFS configuration
  Adding a WINS server
  Renaming a NetBIOS name
  Assigning aliases to NetBIOS and computer names
  Associating comments with CIFS servers
  Changing the CIFS server password
Advanced procedures for joining CIFS servers to Windows domains
  Configuration prerequisites
  Delegated join
  Parameters for the join procedure
  Same namespace without a delegated join
  Same namespace and a delegated join
  Disjoint namespace without a delegated join
  Disjoint namespace and a delegated join
Managing file systems
  Ensuring synchronous writes
  Opportunistic file locking
  File change notification
  Reexporting all Celerra file systems
  Disabling access to all file systems on a Data Mover
Stopping and starting the CIFS service
  Stopping the CIFS service
  Starting the CIFS service
Deleting a CIFS server
  Deleting a CIFS server (Windows 2000/Windows Server 2003)
  Deleting a CIFS server (Windows NT)
Enabling home directories
  Restrictions
  Creating the database
  Enabling home directories on the Data Mover
  Creating the home directory file
Supporting Group Policy Objects
  Introduction to Microsoft Group Policy Objects
  GPO support on the Celerra Network Server
  Supported settings
  Multiple CIFS servers on a Data Mover
  Displaying GPO settings
  Updating GPO settings
  Disabling GPO support
  Disabling GPO caching
Alternate data stream support
  ADS support on the Celerra Network Server
  Disabling ADS support
Using SMB signing
  SMB signing resolution
  Configuring SMB signing
Automatic computer password change
  Changing the time interval for password changes
Creating a file system as a security log
Managing Windows domains
  Domain migration support
  Operational considerations
Troubleshooting
  server_log error message construct
  Kerberos error codes
  NT status codes
  Error messages
  Problem Situations
Related information
  Customer training programs
Appendix A: Additional home directory information
  Home directory database format
Index


Introduction

The Celerra® Network Server supports the CIFS (Common Internet File Service) protocol, which allows Microsoft Windows clients to access files stored on the Celerra Network Server. After you have configured the Celerra Network Server to support Windows clients on the network, you may need to perform some of the additional configuration and management procedures in this technical module to maintain your Celerra CIFS servers.

This technical module is part of the Celerra Network Server information set and is intended for system administrators responsible for managing the Celerra Network Server in their Windows network.

Windows and multiprotocol documentation

The following technical modules in the Celerra Network Server information set explain how to configure and manage Celerra in a Windows environment and a multiprotocol environment:

◆ Configuring CIFS on Celerra: explains how to configure a basic CIFS configuration on the Celerra Network Server using the command line interface (CLI). You can also configure this initial environment using the Celerra Manager.

◆ Managing Celerra for the Windows Environment: contains advanced procedures you may need to perform after the initial configuration of CIFS on the Celerra Network Server and instructions for modifying and managing Celerra in a Windows environment.

◆ Managing Celerra for a Multiprotocol Environment: contains procedures for configuring and managing Celerra in a mixed environment of UNIX and Windows clients.

Terminology

These terms are important to understanding the Celerra Network Server in the Windows environment. The Celerra Network Server User Information Glossary provides a complete list of Celerra terminology.

ACL (Access Control List): In Windows, a list of access control entries (ACEs) that provide information about the users and groups that are allowed access to an object.

Active Directory: An advanced directory service included with Windows 2000 Servers. It stores information about objects on a network and makes this information available to users and network administrators through a protocol such as LDAP.

authentication: The process for verifying the identity of a user who is trying to access a resource or object, such as a file or a directory.

CIFS (Common Internet File Service): A file-sharing protocol based on the Microsoft Server Message Block (SMB). It allows users to share file systems over the Internet and intranets. The CIFS protocol is primarily used for file sharing by Windows platforms.


CIFS Server: A logical server that uses the CIFS protocol to transfer files. A Data Mover can host many instances of a CIFS Server. Each instance is referred to as a CIFS server.

CIFS Service: A CIFS server process that runs on the Data Mover and presents shares on a network as well as on Windows-based computers.

Data Mover: Celerra Network Server cabinet component running its own operating system that retrieves files from storage devices and makes them available to a network client.

Default CIFS Server: The CIFS server that is created when you add a CIFS server and do not specify any interfaces (with the interfaces= option of the server_cifs -add command). The default CIFS server uses all interfaces not assigned to other CIFS servers on the Data Mover.

DNS (Domain Name System): Name resolution software that allows users to locate computers and services on a UNIX network or TCP/IP network by name. The DNS server maintains a database of domain names, hostnames and their corresponding IP addresses, and services provided by these hosts.

domain: A logical grouping of Microsoft Windows servers and other computers that share common security and user account information. All resources such as computers and users are members of the domain and have an account in the domain that uniquely identifies them. The domain administrator creates one user account for each user in the domain, and the users log in to the domain once. Users do not log in to each individual server.

file system: A method of cataloging and managing the files and directories on a storage system.

GPO: In Windows 2000 or Windows Server 2003, administrators can use Group Policy Objects to define configuration options for groups of users and computers. Windows Group Policy Objects can control elements such as local, domain, and network security settings.

NetBIOS: Network basic input/output system. A network programming interface and protocol developed for IBM personal computers.

NetBIOS name: A name that is recognized by WINS, which maps the name to an IP address.

share name: The name given to the resource on a file system or the file system itself that was made available from a particular CIFS server to CIFS users. There may be multiple shares with the same name, shared from different CIFS servers.

SMB (Server Message Block): The underlying protocol used by the Common Internet File System (CIFS) protocol that was enhanced for use on the Internet to request file, print, and communication services from a server over the network. The CIFS protocol uses SMB to provide file access and transfer to many types of network hosts. The SMB protocol is an open, cross-platform protocol for distributed file sharing, and it is supported by all Windows platforms.

Virtual Data Mover (VDM): A Celerra software feature that enables users to administratively separate CIFS servers, replicate their CIFS environments, and move CIFS servers from Data Mover to Data Mover with ease.


Windows 2000/Windows Server 2003 domain: A Microsoft Windows domain controlled and managed by a Microsoft Windows 2000/Windows 2003 server using the Active Directory to manage all system resources and using the DNS for name resolution.

Windows NT domain: A Microsoft Windows domain controlled and managed by a Microsoft Windows NT server using a SAM (Storage Area Management) database to manage user and group accounts and a NetBIOS namespace. In a Windows NT domain, there is one primary domain controller (PDC) that has a read/write copy of the SAM, and possibly several backup domain controllers (BDCs) with read-only copies of the SAM.


System requirements

This section describes the Celerra Network Server software, hardware, network, and storage configurations required for using CIFS as described in this technical module.

EMC NAS Interoperability Matrix

The EMC NAS Interoperability Matrix is available on Powerlink™. It contains definitive information on supported software and hardware, such as backup software, Fibre Channel switches, and application support for Celerra network-attached storage (NAS) products.

Table 1 System requirements for CIFS

Software: Celerra Network Server Version 5.5 or later

Hardware: Celerra Network Server

Network: Windows 2000, Windows Server 2003, or Windows NT domain. You must configure the domains with the following:

• Windows 2000 or Windows Server 2003 domains: AD (Active Directory), DNS (Domain Name System), NTP (Network Time Protocol) server

• Windows NT domains: WINS (Windows Internet Naming Service) server

Storage: No specific storage requirements


MMC snap-ins and programs for Windows

The Celerra Network Server supports a set of Microsoft Management Console (MMC) snap-ins and programs for managing Celerra users and Data Mover security settings from a Windows 2000, Windows Server 2003, or Windows XP computer. Refer to the online Help for a snap-in or program for more information.

Celerra UNIX Attributes Migration tool

Celerra UNIX Attributes Migration is a tool you can use to migrate existing UNIX users from the Celerra Network Server to the Windows Active Directory. You can select the UNIX attributes (UIDs and GIDs) to add to the Active Directory. To add new users or groups, or to modify existing UNIX attributes, refer to the Celerra UNIX User Management Snap-in and Celerra UNIX Property Page Extensions in Active Directory Users and Computers (ADUC).

Celerra UNIX User Management snap-in

Celerra UNIX User Management is an MMC snap-in to the Celerra Management Console that you can use to assign, remove, or modify UNIX attributes for a single Windows user or group on the local domain and on remote domains. You also use this snap-in to select the location of the attribute database. This location can either be in a local or a remote domain. You would choose to store the attribute database in the Active Directory of a local domain if:

◆ You have only one domain.

◆ Trusts are not allowed.

◆ You have no need to centralize your UNIX user management information.

You would choose a remote domain if:

◆ You have multiple domains.

◆ Bidirectional trusts between domains that need to access the attribute database already exist.

◆ You want to centralize your UNIX user management.

Celerra UNIX property page extensions in ADUC

Celerra UNIX Users and Groups property pages are extensions to ADUC. You can use these property pages to assign, remove, or modify UNIX attributes for a single Windows user or group on the local domain. You cannot use this feature to manage users or groups on a remote domain.

Celerra Data Mover Management snap-in

Celerra Data Mover management comprises several MMC snap-ins. You can use these snap-ins to manage virus-checking, home directories, and security settings on Data Movers from a Windows 2000, Windows Server 2003, or Windows XP computer.


Celerra AntiVirus Management

You can use the Celerra AntiVirus Management snap-in to manage the virus-checking parameters (viruschecker.conf file) used with Celerra AntiVirus Agent (CAVA) and third-party antivirus programs. The Celerra AntiVirus Agent and a third-party antivirus program must be installed on the Windows NT, Windows 2000, or Windows Server 2003 server. The Using Celerra AntiVirus Agent technical module provides more details about CAVA.

Celerra Home Directory Management snap-in

You can use the Celerra Home Directory Management snap-in to associate a username with a directory that then acts as the user’s home directory. The home directory feature simplifies the administration of personal shares and the process of connecting to them.

Data Mover Security Settings snap-in

Celerra Data Mover Security Settings comprises the Audit Policy node and the User Rights Assignment node.

Celerra Audit Policy

You can use the Celerra Audit Policy node to determine which Data Mover security events are logged in the Security log. You can then view the Security log using the Windows Event Viewer. You can select to log successful attempts, failed attempts, both, or neither. The audit policies that appear in the Audit Policy node are a subset of the policies available as Group Policy Objects (GPOs) in ADUC. Audit policies are local policies and apply only to the selected Data Mover. You cannot use the Audit Policy node to manage GPO audit policies.

Celerra User Rights Assignment

You can use the Celerra User Rights Assignment node to manage which users and groups have login and task privileges to a Data Mover. The user rights assignments that appear in the User Rights Assignment node are a subset of the user rights assignments available as GPOs in ADUC. User rights assignments are local policies and apply only to the selected Data Mover. You cannot use the User Rights Assignment node to manage GPO policies.

Refer to the online Help for a snap-in or program for more information.


User interface choices

The Celerra Network Server offers flexibility in managing networked storage based on your support environment and interface preferences. This technical module describes how to configure CIFS on a Data Mover using the command line interface (CLI). You can also perform many of these tasks using one of the Celerra management applications:

◆ Celerra Manager - Basic Edition

◆ Celerra Manager - Advanced Edition

◆ Microsoft Management Console (MMC) snap-ins (Windows 2000 and Windows Server 2003 only)

◆ Active Directory Users and Computers extensions (Windows 2000 and Windows Server 2003 only)

For additional information about managing your Celerra, refer to:

◆ Learning about Celerra

◆ Celerra Manager Online Help

◆ Monitoring Celerra

◆ Application’s online help system on the Celerra Network Server Documentation CD

The Installing Celerra Management Applications technical module includes instructions on launching Celerra Manager, and on installing the MMC snap-ins and the ADUC extensions.


Managing Windows roadmap

Table 2 lists the tasks to manage Windows as described in this technical module.

Table 2 CIFS management

Task: Display the current CIFS configuration for a Data Mover.
Procedure: "Checking the current CIFS configuration" on page 11

Task: Add, delete, enable, and disable a network interface for a CIFS server.
Procedure: "Managing network interfaces" on page 12

Task: Manage the DNS server configuration.
Procedure: "Managing DNS on a Data Mover" on page 13

Task: Create and modify the following elements to an existing CIFS configuration:
• WINS server
• NetBIOS name to a Windows 2000 or Windows Server 2003 configuration
• Computer name or NetBIOS name aliases
• Comments
• CIFS server password
Procedure: "Modifying a CIFS configuration" on page 14

Task: Create CIFS servers and join to a Windows domain with the following configurations:
Procedure:
• "Same namespace without a delegated join" on page 28
• "Same namespace and a delegated join" on page 31
• "Disjoint namespace without a delegated join" on page 33
• "Disjoint namespace and a delegated join" on page 35

Task: Start and stop the CIFS service on a Data Mover.
Procedure: "Reexporting all Celerra file systems" on page 41

Task: Delete a CIFS server by deleting the NetBIOS or compname for the server.
Procedure: "Deleting a CIFS server" on page 44

Task: Manage Group Policy Objects.
Procedure: "Supporting Group Policy Objects" on page 52

Task: Manage Multiple Data Stream support.
Procedure: "Alternate data stream support" on page 63

Task: Configure or disable SMB (Server Message Block) signing.
Procedure: "Using SMB signing" on page 66

Task: Set the time interval at which the Data Mover changes passwords with the domain controller.
Procedure: "Automatic computer password change" on page 72

Task: Generate a file system for use as a security log.
Procedure: "Creating a file system as a security log" on page 74


Checking the current CIFS configuration

Use this command to check the current CIFS configuration on a Data Mover.

Action

To display the CIFS configuration for a Data Mover, use this command syntax:

$ server_cifs <movername>

Where: <movername> = name of the specified Data Mover

Example:

To display the CIFS configuration for server_2, type:

$ server_cifs server_2

Output

If CIFS service is started

server_2 :
256 Cifs threads started
Security mode = NT
Max protocol = NT1
I18N mode = ASCII
Home Directory Shares DISABLED
Usermapper auto broadcast enabled

Usermapper[0] = [127.0.0.1] state:active (auto discovered)

Enabled interfaces: (All interfaces are enabled)

Disabled interfaces: (No interface disabled)

If CIFS Service is not started

$ server_cifs server_2
server_2 :
Cifs NOT started
Security mode = NT
Max protocol = NT1
I18N mode = ASCII
Home Directory Shares DISABLED
Usermapper auto broadcast enabled

Usermapper[0] = [127.0.0.1] state:active (auto discovered)

Enabled interfaces: (All interfaces are enabled)

Disabled interfaces: (No interface disabled)


Managing network interfaces

The Configuring and Managing Celerra Networking technical module provides information about managing network interfaces.

Output (if CIFS service is not started)

server_2 :
Cifs NOT started
Security mode = NT
Max protocol = NT1
I18N mode = UNICODE
Home Directory Shares DISABLED

Usermapper[0] = [172.24.100.121] last access 0

Enabled interfaces: (All interfaces are enabled)

Disabled interfaces: (No interface disabled)

CIFS Server DPDOVDM1[CIFS] RC=4
 Full computer name=dpdovdm1.cifs.eng.fr realm=CIFS.ENG.FR
 Active directory usermapper's domain: "not yet located"
 Comment='EMC-SNAS:T5.4.2.9'
 if=dpdo:1 l=10.64.220.83 b=10.64.223.255 mac=0:0:92:a7:b0:24
 FQDN=dpdovdm1.cifs.eng.fr (Updated to DNS)
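The following added example (not part of the EMC manual) parses server_cifs output like the samples shown above into a dictionary and reports where a Data Mover departs from an expected baseline, which helps when auditing the CIFS configuration of several Data Movers. The function names, the BASELINE values and the one-setting-per-line layout are assumptions; the sample text is constructed from the output on this page.

```python
import re

# Constructed samples: text copied from the output shown on this page, with one
# setting per line (the line layout is an assumption about the real CLI output).
SAMPLE_STARTED = """server_2 :
256 Cifs threads started
Security mode = NT
Max protocol = NT1
I18N mode = ASCII
Home Directory Shares DISABLED
Usermapper auto broadcast enabled
Usermapper[0] = [127.0.0.1] state:active (auto discovered)
Enabled interfaces: (All interfaces are enabled)
Disabled interfaces: (No interface disabled)
"""
SAMPLE_STOPPED = """server_2 :
Cifs NOT started
Security mode = NT
Max protocol = NT1
I18N mode = UNICODE
Home Directory Shares DISABLED
Usermapper[0] = [172.24.100.121] last access 0
Enabled interfaces: (All interfaces are enabled)
Disabled interfaces: (No interface disabled)
CIFS Server DPDOVDM1[CIFS] RC=4
 Full computer name=dpdovdm1.cifs.eng.fr realm=CIFS.ENG.FR
 Active directory usermapper's domain: "not yet located"
 Comment='EMC-SNAS:T5.4.2.9'
 if=dpdo:1 l=10.64.220.83 b=10.64.223.255 mac=0:0:92:a7:b0:24
 FQDN=dpdovdm1.cifs.eng.fr (Updated to DNS)
"""

# Hypothetical baseline an administrator might record for server_2.
BASELINE = {"started": True, "Security mode": "NT", "I18N mode": "ASCII",
            "usermappers": ["127.0.0.1"], "servers": []}


def parse_server_cifs(text):
    """Parse server_cifs output into a dict; unrecognised lines are ignored."""
    cfg = {"mover": None, "started": None, "threads": 0, "settings": {},
           "home_dirs": None, "usermappers": [], "servers": []}
    server = None  # CIFS server block currently being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if cfg["mover"] is None and (m := re.fullmatch(r"(\S+)\s*:", line)):
            cfg["mover"] = m.group(1)
        elif (m := re.fullmatch(r"(\d+) Cifs threads started", line)):
            cfg["started"], cfg["threads"] = True, int(m.group(1))
        elif line == "Cifs NOT started":
            cfg["started"] = False
        elif (m := re.fullmatch(r"(Security mode|Max protocol|I18N mode) = (\S+)", line)):
            cfg["settings"][m.group(1)] = m.group(2)
        elif (m := re.fullmatch(r"Home Directory Shares (\S+)", line)):
            cfg["home_dirs"] = m.group(1)  # kept as the literal word printed
        elif (m := re.match(r"Usermapper\[\d+\] = \[([^\]]+)\]\s*(.*)", line)):
            cfg["usermappers"].append({"addr": m.group(1), "status": m.group(2)})
        elif (m := re.match(r"CIFS Server (\S+?)\[([^\]]*)\]", line)):
            server = {"name": m.group(1), "domain": m.group(2),
                      "fqdn": None, "interfaces": []}
            cfg["servers"].append(server)
        elif server is not None and (m := re.match(r"if=(\S+) l=(\S+)", line)):
            server["interfaces"].append({"if": m.group(1), "addr": m.group(2)})
        elif server is not None and (m := re.match(r"FQDN=(\S+)", line)):
            server["fqdn"] = m.group(1)
    return cfg


def drift(cfg, baseline):
    """Return (key, expected, actual) tuples, sorted by key, where cfg departs from baseline."""
    actual = dict(cfg["settings"])
    actual.update(started=cfg["started"], home_dirs=cfg["home_dirs"],
                  usermappers=sorted(u["addr"] for u in cfg["usermappers"]),
                  servers=sorted(s["name"] for s in cfg["servers"]))
    return [(key, want, actual.get(key))
            for key, want in sorted(baseline.items()) if actual.get(key) != want]


if __name__ == "__main__":
    for label, sample in (("started", SAMPLE_STARTED), ("stopped", SAMPLE_STOPPED)):
        for key, want, got in drift(parse_server_cifs(sample), BASELINE):
            print(f"{label}: {key}: expected {want!r}, found {got!r}")
```

In practice the text would come from a saved run of server_cifs for each Data Mover rather than from the embedded samples.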


Managing DNS on a Data Mover

Within a Windows 2000 and a Windows Server 2003 environment, a DNS configuration on a Data Mover is required to add a computer name and join it to a Windows domain. You can configure an unlimited number of DNS domains per Data Mover, and each domain can have up to three DNS servers.

The Configuring Celerra Naming Services technical module provides procedures to configure, start, stop, and manage your DNS servers.


Modifying a CIFS configuration

After creating the initial CIFS configuration and starting the CIFS service, you may need to add or modify various elements in the CIFS configuration on a Data Mover.

Table 3 explains the tasks to modify a CIFS configuration.

Note: The Configuring CIFS on Celerra technical module explains how to configure additional CIFS servers on a Data Mover.

Adding a WINS server

The Celerra Network Server registers its NetBIOS name with the WINS (Windows Internet Name Service) server automatically. The WINS server distributes the NetBIOS name to users, and provides the NetBIOS name resolution of users and computers to IP addresses to the Data Mover. The WINS server is not mandatory if name resolution is done through DNS. There is no limit to the number of WINS servers that you can configure for a Data Mover.

If you have multiple CIFS configurations (NetBIOS/compname) on a Data Mover, consider using a WINS server per interface rather than per Data Mover. This eliminates the possibility of CIFS clients attempting to resolve unwanted Data Mover NetBIOS names over the WINS server.

Note: If you have only one subnet reached by each IP interface, and performance is not an issue, the WINS server is not mandatory. If you have more than one subnet, you must specify a WINS server. You can, however, specify more than one WINS server to provide more robust networking capabilities.

Table 3 Modifying a CIFS configuration

| Task | Action | Procedure |
|------|--------|-----------|
| 1. | Add a WINS server to an existing CIFS server. | "Adding a WINS server" on page 14 |
| 2. | Rename an existing NetBIOS name. | "Renaming a NetBIOS name" on page 15 |
| 3. | Create NetBIOS or computer name aliases. | "Assigning aliases to NetBIOS and computer names" on page 16 |
| 4. | Add informational comments to a CIFS server. | "Associating comments with CIFS servers" on page 19 |
| 5. | Change the CIFS server password. | "Changing the CIFS server password" on page 22 |

Use this command to add a WINS server for use by all CIFS servers on a Data Mover.

Action

To add a WINS server to your CIFS configuration, use this command syntax:
$ server_cifs <movername> -add wins=<ip_addr>[,wins=<ip_addr>,...]

Where:
<movername> = name of the specified Data Mover
<ip_addr> = IP address of the WINS server

Note: The system processes a list of WINS servers in the order in which you add them in the wins= option, with the first one being the preferred WINS server. For example, if the WINS server times out after 1500 milliseconds, the system uses the next WINS server in the list. Use the wins.TimeOutMS parameter to configure WINS timeout.

Example:
To add two WINS servers to server_2, type:
$ server_cifs server_2 -add wins=172.31.255.255,wins=172.168.255.255

Output

server_2: done

Renaming a NetBIOS name

When you change a NetBIOS name, the system does the following:

◆ Temporarily suspends NetBIOS availability and disconnects all clients connected to it.

◆ Updates the local groups related to the new NetBIOS name.

◆ Updates all the shares corresponding to the new NetBIOS name.

◆ Maintains the account password between the server and the domain controller.

◆ Unregisters the original NetBIOS name, and then registers the new name in all the WINS servers.

◆ Retains all aliases associated with the original NetBIOS name.

◆ Resumes renamed NetBIOS availability.

Note: For Windows 2000 and Windows Server 2003, you cannot rename a NetBIOS name if the CIFS server is joined to a Windows domain. If the CIFS server is joined to a domain, unjoin the server. After performing the rename, join the CIFS server to the domain.

CAUTION! The server_cifs -Join and -Unjoin procedures generate a new computer account for the compname, which results in the computer name losing its original account.

Before performing the rename function, you must add the new NetBIOS name to the domain using the Windows NT Server Manager or the Windows 2000 and Windows Server 2003 Users and Computers MMC snap-in.

Note: The rename command changes the NetBIOS name of the server but not the compname of that server. Contact EMC Customer Service for instructions on renaming a compname.

Use this command to rename a NetBIOS name in an existing CIFS server.

Action

To rename a NetBIOS name, use this command syntax:
$ server_cifs <movername> -rename -netbios <old_name> <new_name>

Where:
<movername> = name of the specified Data Mover.
<old_name> = current NetBIOS name.
<new_name> = new NetBIOS name. NetBIOS names must be unique and limited to 15 characters and cannot begin with an @ (at sign) or - (dash) character. The name also cannot include white space, tab characters, or the following symbols: / \ : ; , = * + | [ ] ? < > "

Example:
To rename the NetBIOS name of dm102-cge0 to dm112-cge0 on server_2, type:
$ server_cifs server_2 -rename -netbios dm102-cge0 dm112-cge0

Output

server_2 : done

Assigning aliases to NetBIOS and computer names

You can assign aliases to NetBIOS names and computer names. Aliases provide multiple, alternative identities for a given resource. Because aliases act as the secondary names, the aliases share the same set of local groups and shares as the primary NetBIOS name or computer name.

A NetBIOS alias registers the alternative name in WINS, not in DNS. If you want the NetBIOS alias to appear in DNS, you must add it to DNS.

The client can connect to an alias through the Network Neighborhood, Windows Explorer, or by using the Map Network Drive window.

You can add aliases to an existing server or when creating a new server.

Naming conventions

Based on the Microsoft requirements, aliases must be unique across a domain for WINS registration and broadcast announcements. Aliases must also be unique on the same Data Mover to avoid WINS name conflicts.

The alias name is limited to 15 characters. It cannot begin with the at sign (@) or the dash (-), and it cannot include spaces, tabs, and the following characters:

/ \ : ; , = * + | [ ] ? < > "

For performance reasons, it is recommended that you limit the number of aliases to 10 per CIFS server.

Adding an alias to a CIFS server

Use this command to assign one or more aliases to a computer name.

Action

To add an alias to a CIFS server, use this command syntax:
$ server_cifs <movername> -add compname=<comp_name>,domain=<full_domain_name>,alias=<alias_name>[,alias=<alias_name2>...]

Where:
<movername> = name of the specified Data Mover
<comp_name> = name of the CIFS server in the named domain
<full_domain_name> = the full domain name for the Windows environment; must contain a dot (example: domain.com)
<alias_name> = alias for the computer name

Example:
To declare three aliases for computer name big_comp, type:
$ server_cifs server_2 -a compname=winserver1,domain=NASDOCS,alias=winserver1-a1,alias=winserver1-a2,alias=winserver-a3

Output

server_2 : done

Adding a NetBIOS alias to the NetBIOS name

Use this command to assign one or more aliases to a NetBIOS name.

Action

To add a NetBIOS alias to the NetBIOS name, use this command syntax:
$ server_cifs <movername> -add netbios=<netbios_name>,domain=<domain_name>,alias=<alias_name>[,alias=<alias_name2>...]

Where:
<movername> = name of the specified Data Mover
<netbios_name> = NetBIOS name for the CIFS server
<domain_name> = domain name for the Windows environment
<alias_name> = alias for the NetBIOS name

Example:
To declare three aliases for NetBIOS dm102-cge0, type:
$ server_cifs server_2 -a netbios=dm102-cge0,domain=NASDOCS,alias=dm102-cge0-a1,alias=dm102-cge0-a2,alias=dm102-cge0-a3

Output

server_2: done

Deleting a CIFS server alias

Use this command to delete one or more aliases assigned to the computer name.

Action

To delete a compname alias, use this command syntax:
$ server_cifs <movername> -delete compname=<comp_name>,alias=<alias_name>[,alias=<alias_name2>,...]

Where:
<movername> = name of the specified Data Mover
<comp_name> = name of the CIFS server
<alias_name> = alias for the computer name

CAUTION! If you do not specify the alias name in this command, the entire CIFS configuration, as identified by its computer name, is deleted.

Example:
To delete the dm102-cge0-a1 alias assigned to winserver1, type:
$ server_cifs server_2 -delete compname=winserver1,alias=winserver-a1

Output

server_2: done

Deleting a NetBIOS alias

Use this command to delete one or more aliases assigned to a NetBIOS name.

Action

To delete one or more NetBIOS aliases from a CIFS server, use this command syntax:
$ server_cifs <movername> -delete netbios=<netbios_name>,alias=<alias_name>[,alias=<alias_name2>,...]

Where:
<movername> = name of the specified Data Mover
<netbios_name> = NetBIOS name for the CIFS server
<alias_name> = alias for the NetBIOS name

CAUTION! If you do not specify the alias name in this command, the entire CIFS configuration, as identified by its NetBIOS name, is deleted.

Example:
To delete the dm102-cge0-a2 alias assigned to dm102-cge0, type:
$ server_cifs server_2 -delete netbios=dm102-cge0,alias=dm102-cge0-a2

Output

server_2: done
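A guard for the two rules in the alias sections that are easy to get wrong at the prompt: the alias naming conventions, and the CAUTION that a -delete without alias= removes the entire CIFS configuration. This is an added example, not EMC code; the function names valid_netbios_name and build_alias_delete_arg are hypothetical, and the script only builds the argument string, it never calls server_cifs.

```shell
#!/bin/sh
# Added example: pre-flight checks before typing a server_cifs alias command.
# Function names are hypothetical; the rules are the ones stated on this page.

# Succeeds if $1 obeys the NetBIOS/alias naming conventions.
# On failure prints the reason on stdout and returns 1.
valid_netbios_name() {
    name=$1
    tab=$(printf '\t')
    if [ -z "$name" ]; then echo "empty name"; return 1; fi
    if [ "${#name}" -gt 15 ]; then echo "longer than 15 characters"; return 1; fi
    case $name in
        @*|-*)
            echo "begins with @ or -"; return 1 ;;
        *" "*|*"$tab"*)
            echo "contains a space or tab"; return 1 ;;
        *"/"*|*"\\"*|*":"*|*";"*|*","*|*"="*|*"*"*|*"+"*|*"|"*|*"["*|*"]"*|*"?"*|*"<"*|*">"*|*'"'*)
            echo "contains a forbidden character"; return 1 ;;
    esac
    return 0
}

# Usage: build_alias_delete_arg netbios|compname <server_name> <alias>...
# Prints the argument that follows -delete, for example
#   netbios=dm102-cge0,alias=dm102-cge0-a2
# Returns 1 without printing it when no alias is supplied or an alias is
# empty or malformed, because a -delete with no alias= deletes the whole
# CIFS configuration identified by that name.
build_alias_delete_arg() {
    if [ "$#" -lt 2 ]; then
        echo "usage: build_alias_delete_arg netbios|compname <name> <alias>..." >&2
        return 1
    fi
    kind=$1
    server=$2
    shift 2
    case $kind in
        netbios|compname) ;;
        *) echo "kind must be netbios or compname" >&2; return 1 ;;
    esac
    if [ -z "$server" ]; then echo "refusing: empty server name" >&2; return 1; fi
    if [ "$#" -lt 1 ]; then
        echo "refusing: no alias given, this would delete the CIFS configuration of $server" >&2
        return 1
    fi
    arg="$kind=$server"
    for a in "$@"; do
        reason=$(valid_netbios_name "$a") || {
            echo "refusing alias '$a': $reason" >&2
            return 1
        }
        arg="$arg,alias=$a"
    done
    printf '%s\n' "$arg"
}

# Demo with the names used in this section's examples (nothing is executed).
if arg=$(build_alias_delete_arg netbios dm102-cge0 dm102-cge0-a2); then
    echo "would run: server_cifs server_2 -delete $arg"
fi
# A stray space after "alias=" leaves the alias empty; the guard stops it.
build_alias_delete_arg netbios dm102-cge0 "" || echo "blocked as expected"
```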

Viewing aliases

Use this command to view the aliases for a Data Mover.

Action

To list a server’s aliases, use this command syntax:
$ server_cifs <movername>

Where:
<movername> = name of the specified Data Mover

Example:
To view the aliases for server_2, type:
$ server_cifs server_2

Output

CIFS Server (Default) dm102-cge0 [C1T1]
Alias(es): dm102-cge0-a1,dm102-cge0-a2,dm102-cge0-a3
Full computer name=dm2-cge0.c1t1.pt1.c3lab.nasdocs.emc.com realm=C1T1.PT1.C3LAB.NASDOCS.EMC.COM
Comment='EMC-SNAS:T5.2.7.2'
if=cge0 l=172.24.100.55 b=172.24.100.255 mac=0:6:2b:4:0:7f
FQDN=dm102-cge0.c1t1.pt1.c3lab.nasdocs.emc.com (Updated to DNS)

Associating comments with CIFS servers

You can associate a comment, enclosed in quotation marks, with a CIFS server by using the server_cifs -add command. Comments let you add descriptive information to a CIFS server.

This section contains information on the following:

◆ Adding comments

◆ Changing comments

◆ Viewing comments

◆ Comment restrictions for Windows XP clients

Adding comments

You can add comments when you initially create the CIFS server or after the CIFS server was created. Add comments with either of the following commands from the Celerra CLI.

Action

To add comments in a Windows NT environment, use this command syntax:
$ server_cifs <movername> -add netbios=<netbios_name>,domain=<domain_name> -comment "<comment>"

To add comments in a Windows 2000 or Windows Server 2003 environment, use this command syntax:
$ server_cifs <movername> -add compname=<comp_name>,domain=<full_domain_name> -comment "<comment>"

Where:
<movername> = name of the specified Data Mover.
<netbios_name> = NetBIOS name for the CIFS server. The NetBIOS name must be unique and limited to 15 characters. It cannot begin with @ (at sign) or - (dash) and it cannot include spaces, tabs, and the following symbols: / \ : ; , = * + | [ ] ? < > "
<comp_name> = a Windows 2000 or Windows Server 2003-compatible CIFS server; can be up to 63 UTF-8 characters.
<domain_name> = domain name for the Windows environment.
<full_domain_name> = the full domain name for the Windows environment; must contain a dot (example: domain.com).
<comment> = your comment. Limit a comment to 48 ASCII characters and enclose it in double quotation marks. Currently, international characters are not supported for comments.
• Restricted Characters: You cannot use double quotation ("), semi-colon (;), accent (`), and comma (,) characters within the body of a comment. Attempting to use these special characters results in an error message. In addition, you can only use an exclamation point (!) if it is preceded by a single quotation mark (').
• Default Comments: If you do not explicitly add a comment, the system adds a default comment of the form EMC-SNAS:T<x.x.x.x> where <x.x.x.x> is the version of the NAS software.

Example:
To add the comment "EMC_Celerra_Network_Server" to server_2 in a Windows NT environment, type:
$ server_cifs server_2 -add netbios=dm32-ana0,domain=capitals -comment "EMC_Celerra_Network_Server"

Changing comments

To change a comment, repeat the server_cifs -add command with the new comment. You may notice a delay in the comment change when browsing the domain computers. This delay is caused by the Data Mover broadcasting its name and comment approximately every 12 minutes (except on startup, when it broadcasts five times in the first minute).

You cannot currently add or change comments through Server Manager or the Computer Management MMC. You can change comments only through the server_cifs -add command.

Clearing comments

To clear a comment, issue the server_cifs -add command with a one-space comment as in the following example:

$ server_cifs server_2 -add netbios=dm32-ana0,domain=capitals -comment " "

Viewing comments

You can view a server’s comment from the Celerra Network Server CLI. In addition, comments appear in certain parts of various Windows interfaces.

Viewing comments from the CLI

When you view a CIFS server configuration with the server_cifs command from the Celerra Network Server CLI, the comment appears with other information about the CIFS server.

Example

The following example shows how to view comments using the server_cifs command.

Action

To view the configuration information for server_2, type:
$ server_cifs server_2

Output

server_2 :
32 Cifs threads started
Security mode = NT
.
(material deleted)
.
DOMAIN CAPITALS
SID=S-1-5-15-c6ab149b-92d87510-a3e900fb-ffffffff
>DC=BOSTON(172.16.20.10) ref=2 time=0 ms
DC=NEWYORK(172.16.20.50) ref=1 time=0 ms

CIFS Server (Default) DM32-ANA0[CAPITALS] (Hidden)
Alias(es): CFS32
Comment='EMCCelerraNetworkServer'
if=ana0 l=172.16.21.202 b=172.16.21.255 mac=0:0:d1:1d:b7:25
if=ana1 l=172.16.21.207 b=172.16.21.255 mac=0:0:d1:1d:b7:26

Viewing comments from Windows

Windows 2000, Windows Server 2003, Windows NT, and Windows XP sometimes use comments in parts of the Windows interface. Comments may appear in the following instances:

◆ As the name of mapped network drives in the My Computer or Explorer window (Windows XP only)

◆ As the computer name in a domain window

Comment restrictions for Windows XP clients

When you change a comment, the change is only reflected in certain parts of the Windows XP interface. As the computer name in a domain window, the change is immediately reflected to the Windows XP client. However, in the Windows XP Explorer, the names of mapped network drives do not reflect the change.

When you first map a network drive on a Windows XP client, the client stores the comment in the local Registry and displays the comment as the name of the mapped drive. The client continues to use the stored comment as the mapped drive name until you manually change the Registry. If you manually change the name of the mapped network drive from Explorer or My Computer, the changed name is stored in another Registry entry and the client uses this name until you change it again from Explorer or in the Registry.

Recommendation

Due to the previous Windows XP client restrictions, EMC recommends that you set the comment as part of the initial CIFS server setup.
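An audit pass over server_cifs output for two things this document says to watch: CIFS servers that still carry the default EMC-SNAS:T<version> comment, which embeds the NAS software version and is shown in Windows interfaces, and servers above the recommended 10 aliases. This is an added example, not EMC code; the function names are hypothetical, and the line layout of the constructed sample is an assumption modelled on the output shown on this page.

```shell
#!/bin/sh
# Added example (not EMC code): audit the text printed by
#   server_cifs <movername>
# Assumption: each field of a CIFS server entry sits on its own line.

# Constructed sample, modelled on the output shown in this section.
sample_output() {
    cat <<'EOF'
CIFS Server (Default) dm102-cge0 [C1T1]
Alias(es): dm102-cge0-a1,dm102-cge0-a2,dm102-cge0-a3
Comment='EMC-SNAS:T5.2.7.2'
if=cge0 l=172.24.100.55 b=172.24.100.255 mac=0:6:2b:4:0:7f

CIFS Server DM32-ANA0[CAPITALS] (Hidden)
Alias(es): a01,a02,a03,a04,a05,a06,a07,a08,a09,a10,a11
Comment='EMCCelerraNetworkServer'
if=ana0 l=172.16.21.202 b=172.16.21.255 mac=0:0:d1:1d:b7:25
EOF
}

# Reads server_cifs output on stdin and prints one finding per line:
#   <server>: <n> aliases (recommended maximum is 10)
#   <server>: default comment shows NAS version <x.x.x.x>
audit_cifs_output() {
    awk '
    /^CIFS Server/ {
        # Keep only the server name: drop the prefix and the [DOMAIN] suffix.
        server = $0
        sub(/^CIFS Server( \(Default\))? /, "", server)
        sub(/ *\[.*$/, "", server)
        next
    }
    /^Alias\(es\):/ {
        list = $0
        sub(/^Alias\(es\): */, "", list)
        n = split(list, parts, ",")
        if (n > 10)
            printf "%s: %d aliases (recommended maximum is 10)\n", server, n
        next
    }
    /^Comment=/ {
        # Strip Comment= plus the opening and closing quote characters.
        c = $0
        sub(/^Comment=./, "", c)
        sub(/.$/, "", c)
        if (c ~ /^EMC-SNAS:T[0-9.]+$/)
            printf "%s: default comment shows NAS version %s\n", server, substr(c, 11)
    }'
}

sample_output | audit_cifs_output
```

To check a live Data Mover, pipe the real command into the function instead of the sample: `server_cifs server_2 | audit_cifs_output`.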

Changing the CIFS server password

Use this command to reset the CIFS password and encryption keys. "Automatic computer password change" on page 72 explains how to set the time interval at which the Data Mover changes passwords with the domain controller.

Action

To reset the CIFS password and encryption keys, use this command syntax:
$ server_cifs <movername> -Join compname=<comp_name>,domain=<full_domain_name>,admin=<admin_name> -o resetserverpasswd

Where:
<movername> = name of the specified Data Mover.
<comp_name> = name of the CIFS server.
<full_domain_name> = the full domain name for the Windows environment; must contain a dot (example: domain.com).
<admin_name> = the login name of the user with administrative rights in the domain. The user is prompted to type a password for the admin account.

Example:
To reset the CIFS password and encryption keys for server_2, type:
$ server_cifs server_2 -Join compname=winserver1,domain=nasdocs.emc.com,admin=compadmin -o resetserverpasswd

Output

server_2: Enter Password: ******
done

Advanced procedures for joining CIFS servers to Windows domains

This section outlines the procedures for joining CIFS servers to Windows domains in different configurations.

Note: When attempting to resolve computer NetBIOS names in environments with Windows 2000 or Windows Server 2003, the Celerra Network Server may try to resolve the name through a broadcast or by querying the Windows Internet Name Service (WINS) server. Since Windows operating systems limit NetBIOS names to 15 characters, name resolution through broadcast and WINS queries is possible only for computer names that are 15 characters or less. If you specify a NetBIOS name longer than 15 characters, it is truncated.

Windows NT servers are automatically joined to a domain when created.

Configuration prerequisites

The configuration prerequisites pertain to the following procedures:

◆ "Disjoint namespace without a delegated join" (steps 1 through 11)

◆ "Disjoint namespace and a delegated join" (steps 1 through 14)

◆ "Same namespace and a delegated join" (steps 12 through 14)

The configuration prerequisites contain the following steps:

◆ Steps 1-11 explain how to set domain-level permissions, which are based on the Microsoft Knowledge Base article 258503 DNS Registration Errors 5788 and 5789 When DNS Domain and Active Directory Domain Name Differ.

◆ Steps 11-14 show how to create a computer account in the AD domain.

To set up domain-level permissions:

1. Start the Active Directory Users and Computers snap-in.

2. In the console tree, right-click Active Directory Users and Computers, and then select Connect To Domain.

3. In the Domain box, type the domain name, or click Browse to find the domain in which you want to enable the computer to use different DNS names, and then click OK.

4. Right-click Active Directory Users and Computers and select View > Advanced Features.

5. Right-click the name of the domain, and then select Properties.

6. Click the Security tab and click Advanced.

7. Click Add and select Self group.

8. On the Object tab in the Apply onto box, select Computer Objects. Under Permissions, select the Validated write to DNS host name and Validated write to service principal name checkboxes.

9. On the Properties tab in the Apply onto box, select Computer Objects.

10. Under Permissions, select the Write SPN and Write dNSHostName checkboxes.

Note: By selecting/clearing the Write dNSHostName checkbox, the system automatically selects/clears the Write dNSHostName Attributes checkbox and vice versa.

11. Click OK.

Note: Steps 1 through 11 are based on the Windows 2000 AD server interface.

To create a computer account in the Active Directory:

12. Right-click the container where the computer account is to reside, and then select New > Computer.

13. In the Computer Name box, type the name of the new computer account.

Note: You can configure the delegated join operation here. Figure 2 on page 27 provides more details.

14. Click OK.

Joining existing computer accounts

When you use the server_cifs -Join command to join a CIFS server to a domain, the Celerra Network Server:

◆ Searches for an existing account or creates an account for the CIFS server in Active Directory and completes its configuration.

◆ Sets several attributes in the computer account, including the dnsHostName and servicePrincipalName attributes.

If the Windows computer account already exists, the Celerra Network Server checks the servicePrincipalName attribute to see if the computer is already joined to the computer account.

If the attribute is not set, the Data Mover joins the new CIFS server to the existing account. If the servicePrincipalName attribute is already set, the Data Mover issues an error and logs a message saying that the account already exists.

If the servicePrincipalName attribute is already set, the following error message appears during the domain join:

The account already exists

This error indicates that the computer account was already joined to a domain by either a Data Mover or another server. If you still want to join the CIFS server to this computer account, you can reuse the account by entering the server_cifs -Join command with the reuse option. Figure 1 illustrates the checks performed when you issue server_cifs -Join.

Figure 1 Checks performed when joining a CIFS server to a domain

Example

The following command reuses an existing, in use, computer account in the Active Directory:

$ server_cifs server_2 -Join compname=dm32-ana0,domain=nsgprod.xyzcompany.com,admin=administrator -option reuse

Procedure overview

If you are using existing computer accounts when configuring Celerra-based CIFS servers, use this procedure to create and join the CIFS server.

[Figure 1 flowchart. Decisions: Does the Windows computer account exist? Is the "servicePrincipalName" attribute set? Is the reuse option specified? Outcomes: Create the computer account; Join the CIFS server to the domain; Return an error.]

Step Action

1. From Windows, go to Active Directory Users and Computers and create a new computer with the same comp_name you will use to create the CIFS server in step 2. (Optional) If you are delegating join authority, under the User or Group field, enter or browse for the user or group to whom you want to delegate join authority. The procedure "Delegated join" on page 26 provides more information.

Note: The user account must belong to a domain in the same AD forest as the domain the CIFS server is joining.

2. Add the CIFS server to the Data Mover with the server_cifs -add command. Table 18 on page 77 details the syntax to use for the appropriate domain relationship.

3. Join the CIFS server to the domain with the server_cifs -Join command. Table 18 on page 77 details the syntax to use for the appropriate domain relationship.

Delegated join

As an alternative to performing a CIFS server join by a default user (member of Domain Admins group), where the server_cifs -Join command automatically creates a computer account in the Active Directory, you can do the following:

◆ Create computer accounts for CIFS servers in the Windows Active Directory.

◆ Delegate authority to perform the join operation to an individual user or group from another domain within the same AD forest.

With these options, AD account creation can be separated from the join action. Therefore, a person other than the one who created the account in the AD can join the CIFS server to the domain.

Adding the user performing the join to the local administrator’s group

Each CIFS server contains a set of built-in user groups: Administrators, Users, Guests, Power Names, Account Operators, Backup Operations, and Replicator. The Administrators group contains the users and groups authorized to manage the CIFS server. By default, the Administrator’s group contains one entry for the Domain Admins group, which gives each member of the Domain Admins group the authority to manage the CIFS server.

If the domain join operation is delegated to a user not in the Local Administrator group, you must add this user to this group for the user to be able to manage the CIFS server. You can do this manually through the MMC, or automatically during the domain join process by first setting the following parameter to 1:

cifs djAddAdminToLg=1

Delegating join authority

When you delegate join authority, the CIFS server can be joined to its domain by any user to whom you give authority. The user does not need specific Windows permissions, but must be in the same AD forest as the CIFS server.

You delegate join authority when you create the computer account in the Active Directory as shown in Figure 2.

Figure 2 Delegating join authority

Parameters for the join procedure

The following parameters, if set, are effective during the join operation. The Celerra Network Server Parameters Guide provides detailed information on these parameters.

◆ djUseKpassword: If set to 0, forces the domain join procedure to set the CIFS server password using the Microsoft RPC protocol. Only do this if you are a delegated user assigned to the domain local group.

◆ djAddAdminToLg: If set to 1, automatically adds the user performing the domain join procedure to the Local Administrator’s group.

◆ djEnforceDhn: If set to 0, enables the domain join procedure to continue without the dNSHostName being set.

Note: Use djEnforceDhn only as a temporary measure for access rights since the Data Mover authenticates Windows clients using NTLMSSP mode instead of Kerberos.

Table 4 shows the domain join parameter values that you must use to perform a delegated join in the same and/or disjoint namespace AD domain.

Domains within the forest that do not have the same hierarchical domain name are in a different domain tree. When different domain trees are in a forest, the tree root domains are not contiguous. Disjoint namespace is the phrase used to describe the relationship between different domain trees within the forest.

Same namespace without a delegated join

Perform the following add and join procedures when:

◆ The DNS domain name and the Active Directory domain name are the same.

◆ You are using the default user account (member of domain admin group).

Table 4 Domain join parameter combinations

djUseKpassword djAddAdminToLg djEnforceDhn

Join delegated to:

1 (default)

0 (default)

1 (default)

Domain Admins Group Member (Microsoft default)

Domain User Account

Domain Global Group

Domain Local Group 0

Creating a CIFS server

Use this procedure to create a CIFS server.

Action

To create the CIFS server for a Windows 2000 or Windows Server 2003 environment on the Data Mover, use this command syntax:
$ server_cifs <movername> -add compname=<comp_name>,domain=<full_domain_name>[,hidden={y|n}][,netbios=<netbios_name>][,interface=<if_name>][,dns=<if_suffix>]

Where:
<movername> = name of the specified Data Mover or VDM.
<comp_name> = Windows 2000 or Windows Server 2003-compatible CIFS server. The <comp_name> can be up to 63 UTF-8 characters and represents the name of the server to be registered in DNS.

Note: Each <comp_name> within a Celerra Network Server must be unique.

A default CIFS server and CIFS servers within a VDM cannot co-exist on the same Data Mover. A default CIFS server is a global CIFS server assigned to all interfaces, and CIFS servers within a VDM require specified interfaces. If a VDM exists on a Data Mover, a default CIFS server cannot be created.

<full_domain_name> = Windows domain for the domain name. The <full_domain_name> must contain a dot (example: domain.com or mydomain.).
hidden={y|n} = By default, the computer name is displayed in Windows Explorer. If hidden=y is specified, the computer name does not appear.
<netbios_name> = (Optional) a NetBIOS name used in place of the default NetBIOS name. The default name is assigned automatically and is derived from the first 15 characters of the <comp_name>. You should enter an optional NetBIOS name if the first 15 characters of the <comp_name> do not conform to the NetBIOS naming conventions or if you want something other than the default.
<if_name> = interface to be used by the CIFS server being configured. If you add a CIFS server and do not specify any interfaces (with the interfaces= option), this server becomes the default CIFS server and uses all interfaces not assigned to other CIFS servers on the Data Mover. You can have only one default CIFS server per Data Mover.
<if_suffix> = different DNS suffix for the interface for DNS updates. By default, the DNS suffix is derived from the domain. This DNS option does not have any impact on the DNS settings of the Data Mover.

Example:
To create CIFS server dm32-ana0 on server_2, type:
$ server_cifs server_2 -add compname=dm32-cge0,domain=universe.com,netbios=eng23b,interface=cge0

Join CIFS server to a Windows domainUse this procedure to join the CIFS server to a domain.

Output Notes

server_2 : done • User authentication method for CIFS servers in Windows 2000 or Windows Server 2003 environments must be NT mode. NT mode is the default user authentication method.

• You can assign only one compname and one NetBIOS name to a CIFS server. If you need to assign multiple compnames or NetBIOS names to a CIFS server, you must create aliases. "Assigning aliases to NetBIOS and computer names" on page 16 provides more information.

• NetBIOS names are limited to 15 characters and cannot begin with an @ (at sign) or - (dash) character. The name also cannot include white space, tab characters, or the following symbols: / \ : ; , = * + | [ ] ? < > "

Action

To join the CIFS server to the Windows domain, use this command syntax:$ server_cifs <movername> -Join compname=<comp_name>,domain=<full_domain_name>,admin=<admin_name@domain_name>

Where:<movername> = name of the specified Data Mover or VDM.<comp_name> = name for the CIFS server’s account in the Active Directory. The <comp_name> can be up to 63 UTF-8 characters and represents the name of the server to be registered in DNS. If the primary DNS suffix of the CIFS server is different from the Windows domain, the <comp_name> must be a fully-qualified name. For example, if the Windows domain is win.com, the DNS primary suffix is abc.net, and the CIFS server is server1, the command would be server_cifs <movername> -Join compname=server1.abc.net, domain=win.com.<full_domain_name> = the DNS name for the Windows domain. The <full_domain_name> must contain a dot (example: domain.com).<admin_name@<domain_name> = login name and full domain name of a user with sufficient rights to join a server to the domain. If you omit the @<domain_name>, the Data Mover assumes the user belongs to the domain that the CIFS server is joining. The user must be from a domain in the same AD forest.Example:To join the CIFS server dm32-ana0 to the universe.com domain, type:$ server_cifs server_2 -Join compname=dm32-cge0,domain=universe.com,admin=administrator

Output Note

server_2 : Enter Password: *******
done

The user account and user password are used to create the account in the Active Directory, and are not stored after adding the machine account.


Same namespace and a delegated join

Note: Before performing this procedure, you must complete the steps outlined in "Configuration prerequisites" on page 23 and "Delegated join" on page 26.

Perform the following add and join procedures when:

◆ The DNS domain name and the Active Directory domain name are the same.

◆ You are using a delegated user account.

Creating a CIFS server

Use this procedure to create a CIFS server.

Action

To create the CIFS server for a Windows 2000 or Windows Server 2003 environment on the Data Mover, use this command syntax:

$ server_cifs <movername> -add compname=<comp_name>,domain=<full_domain_name>[,hidden={y|n}][,netbios=<netbios_name>][,interface=<if_name>][,dns=<if_suffix>]

Where:

<movername> = name of the specified Data Mover or VDM.

<comp_name> = Windows 2000 or Windows Server 2003-compatible CIFS server. The <comp_name> can be up to 63 UTF-8 characters and represents the name of the server to be registered in DNS.

Note: Each <comp_name> within a Celerra Network Server must be unique.

A default CIFS server and CIFS servers within a VDM cannot co-exist on the same Data Mover. A default CIFS server is a global CIFS server assigned to all interfaces, and CIFS servers within a VDM require specified interfaces. If a VDM exists on a Data Mover, a default CIFS server cannot be created.

<full_domain_name> = Windows domain for the domain name. The <full_domain_name> must contain a dot (example: domain.com or mydomain.).

hidden={y|n} = By default, the computer name is displayed in Windows Explorer. If hidden=y is specified, the computer name does not appear.

<netbios_name> = (Optional) NetBIOS name used in place of the default NetBIOS name. The default name is assigned automatically and is derived from the first 15 characters of the <comp_name>. You should enter an optional NetBIOS name if the first 15 characters of the <comp_name> do not conform to the NetBIOS naming conventions or if you want something other than the default.

<if_name> = interface to be used by the CIFS server being configured. If you add a CIFS server and do not specify any interfaces (with the interface= option), this server becomes the default CIFS server and uses all interfaces not assigned to other CIFS servers on the Data Mover. You can only have one default CIFS server per Data Mover.

<if_suffix> = different DNS suffix for the interface for DNS updates. By default, the DNS suffix is derived from the domain. This DNS option does not have any impact on the DNS settings of the Data Mover.

Example:

To create CIFS server dm32-ana0 on server_2, type:

$ server_cifs server_2 -add compname=dm32-cge0,domain=universe.com,netbios=eng23b,interface=cge0


Output Note

server_2 : done

• User authentication method for CIFS servers in Windows 2000 or Windows Server 2003 environments must be NT mode. NT mode is the default user authentication method.

• You can only assign one compname and one NetBIOS name to a CIFS server. If you need to assign multiple compnames or NetBIOS names to a CIFS server, you must create aliases. "Assigning aliases to NetBIOS and computer names" on page 16 provides more information.

• NetBIOS names are limited to 15 characters and cannot begin with an @ (at sign) or - (dash) character. The name also cannot include white space, tab characters, or the following symbols: / \ : ; , = * + | [ ] ? < > "

Join CIFS Server to a Windows domain

Use this procedure to join the CIFS server to a domain.

Action

To join the CIFS server to the Windows domain, use this command syntax:

$ server_cifs <movername> -Join compname=<comp_name>,domain=<full_domain_name>,admin=<user_name@AD_name>

Where:

<movername> = name of the specified Data Mover or VDM.

<comp_name> = name for the CIFS server’s account in the Active Directory. The <comp_name> can be up to 63 UTF-8 characters and represents the name of the server to be registered in DNS.

Note: If the primary DNS suffix of the CIFS server is different from the Windows domain, the <comp_name> must be a fully-qualified name. For example, if the Windows domain is win.com, the DNS primary suffix is abc.net, and the CIFS server is server1, the command would be server_cifs <movername> -Join compname=server1.abc.net,domain=win.com.

<full_domain_name> = DNS name for the Windows domain. The <full_domain_name> must contain a dot (example: domain.com).

<user_name@AD_name> = delegated user login name and domain name of the Active Directory.

Example:

To join the CIFS server dm32-ana0 to the universe.com domain, type:

$ server_cifs server_2 -Join compname=dm32-cge0,domain=universe.com,[email protected]

Output Note

server_2 : Enter Password: *******
done

The user account and user password are used to create the account in the Active Directory, and are not stored after adding the machine account.


Disjoint namespace without a delegated join

Note: Before performing this procedure, you must complete the steps outlined in "Configuration prerequisites" on page 23 and "Delegated join" on page 26.

Perform the following add and join procedures when:

◆ The DNS domain name and the Active Directory domain name are different.

◆ You are using the default user account (member of domain admin group).

Creating a CIFS server

Use this procedure to create a CIFS server.

Action

To create the CIFS server for a Windows 2000 or Windows Server 2003 environment on the Data Mover, use this command syntax:

$ server_cifs <movername> -add compname=<comp_name>,domain=<full_domain_name>[,hidden={y|n}][,netbios=<netbios_name>][,interface=<if_name>][,dns=<if_suffix>]

Where:

<movername> = name of the specified Data Mover or VDM.

<comp_name> = Windows 2000 or Windows Server 2003-compatible CIFS server. The <comp_name> can be up to 63 UTF-8 characters and represents the name of the server to be registered in DNS.

Note: Each <comp_name> within a Celerra Network Server must be unique.

A default CIFS server and CIFS servers within a VDM cannot co-exist on the same Data Mover. A default CIFS server is a global CIFS server assigned to all interfaces, and CIFS servers within a VDM require specified interfaces. If a VDM exists on a Data Mover, a default CIFS server cannot be created.

<full_domain_name> = Windows domain for the domain name. The <full_domain_name> must contain a dot (example: domain.com or mydomain.).

hidden={y|n} = By default, the computer name is displayed in Windows Explorer. If hidden=y is specified, the computer name does not appear.

<netbios_name> = (Optional) NetBIOS name used in place of the default NetBIOS name. The default name is assigned automatically and is derived from the first 15 characters of the <comp_name>. You should enter an optional NetBIOS name if the first 15 characters of the <comp_name> do not conform to the NetBIOS naming conventions or if you want something other than the default.

<if_name> = interface to be used by the CIFS server being configured. If you add a CIFS server and do not specify any interfaces (with the interface= option), this server becomes the default CIFS server and uses all interfaces not assigned to other CIFS servers on the Data Mover. You can only have one default CIFS server per Data Mover.

<if_suffix> = different DNS suffix for the interface for DNS updates. By default, the DNS suffix is derived from the domain. This DNS option does not have any impact on the DNS settings of the Data Mover.

Example:

To create CIFS server dm32-ana0 on server_2, type:

$ server_cifs server_2 -add compname=dm32-cge0,domain=universe.com,netbios=eng23b,interface=cge0,dns=nasdocs.emc.com


Output Note

server_2 : done

• You can only assign one compname and one NetBIOS name to a CIFS server. If you need to assign multiple compnames or NetBIOS names to a CIFS server, you must create aliases. "Assigning aliases to NetBIOS and computer names" on page 16 provides more information.

• NetBIOS names are limited to 15 characters and cannot begin with an @ (at sign) or - (dash) character. The name also cannot include white space, tab characters, or the following symbols: / \ : ; , = * + | [ ] ? < > "

Join CIFS server to a Windows domain

Use this procedure to join the CIFS server to a domain.

Action

To join the CIFS server to the Windows domain, use this command syntax:

$ server_cifs <movername> -Join compname=<comp_name.FQDN>,domain=<full_domain_name>,admin=<admin_name@domain_name>

Where:

<movername> = name of the specified Data Mover or VDM.

<comp_name.FQDN> = name for the CIFS server’s account in the Active Directory. The <comp_name> can be up to 63 UTF-8 characters and represents the name of the server to be registered in DNS. For disjoint namespaces, you must enter compname.FQDN (fully-qualified domain name); otherwise, the AD attributes are not updated. For example: compname=dm32-cge0.nasdocs.emc.com

Note: If the primary DNS suffix of the CIFS server is different from the Windows domain, the <comp_name> must be a fully-qualified name. For example, if the Windows domain is win.com, the DNS primary suffix is abc.net, and the CIFS server is server1, the command would be server_cifs <movername> -Join compname=server1.abc.net,domain=win.com.

<full_domain_name> = DNS name for the Windows domain. The <full_domain_name> must contain a dot (example: domain.com).

<admin_name@domain_name> = login name and full domain name of a user with sufficient rights to join a server to the domain. If you omit the @<domain_name>, the Data Mover assumes the user belongs to the domain that the CIFS server is joining. The user must be from a domain in the same AD forest.

Example:

To join the CIFS server dm32-ana0 to the universe.com domain, type:

$ server_cifs server_2 -Join compname=dm32-cge0.nasdocs.emc.com,domain=universe.com,admin=administrator

Output Note

server_2 : Enter Password: *******
done

The user account and user password are used to create the account in the Active Directory, and are not stored after adding the machine account.


Disjoint namespace and a delegated join

Note: Before performing this procedure, you must complete the steps outlined in "Configuration prerequisites" on page 23 and "Delegated join" on page 26.

Perform the following add and join procedures when:

◆ The DNS domain name and the Active Directory domain name are different.

◆ You are using a delegated user account.

Creating a CIFS server

Use this procedure to create a CIFS server.

Action

To create the CIFS server for a Windows 2000 or Windows Server 2003 environment on the Data Mover, use this command syntax:

$ server_cifs <movername> -add compname=<comp_name>,domain=<full_domain_name>[,hidden={y|n}][,netbios=<netbios_name>][,interface=<if_name>][,dns=<if_suffix>]

Where:

<movername> = name of the specified Data Mover or VDM.

<comp_name> = Windows 2000 or Windows Server 2003-compatible CIFS server. The <comp_name> can be up to 63 UTF-8 characters and represents the name of the server to be registered in DNS.

Note: Each <comp_name> within a Celerra Network Server must be unique.

A default CIFS server and CIFS servers within a VDM cannot co-exist on the same Data Mover. A default CIFS server is a global CIFS server assigned to all interfaces, and CIFS servers within a VDM require specified interfaces. If a VDM exists on a Data Mover, a default CIFS server cannot be created.

<full_domain_name> = Windows domain for the domain name. The <full_domain_name> must contain a dot (example: domain.com or mydomain.).

hidden={y|n} = By default, the computer name is displayed in Windows Explorer. If hidden=y is specified, the computer name does not appear.

<netbios_name> = (Optional) NetBIOS name used in place of the default NetBIOS name. The default name is assigned automatically and is derived from the first 15 characters of the <comp_name>. You should enter an optional NetBIOS name if the first 15 characters of the <comp_name> do not conform to the NetBIOS naming conventions or if you want something other than the default.

<if_name> = interface to be used by the CIFS server being configured. If you add a CIFS server and do not specify any interfaces (with the interface= option), this server becomes the default CIFS server and uses all interfaces not assigned to other CIFS servers on the Data Mover. You can only have one default CIFS server per Data Mover.

<if_suffix> = different DNS suffix for the interface for DNS updates. By default, the DNS suffix is derived from the domain. This DNS option does not have any impact on the DNS settings of the Data Mover.

Example:

To create CIFS server dm32-ana0 on server_2, type:

$ server_cifs server_2 -add compname=dm32-cge0,domain=universe.com,netbios=eng23b,interface=cge0,dns=nasdocs.emc.com


Output Note

server_2 : done

• User authentication method for CIFS servers in Windows 2000 or Windows Server 2003 environments must be NT mode. NT mode is the default user authentication method.

• You can only assign one compname and one NetBIOS name to a CIFS server. If you need to assign multiple compnames or NetBIOS names to a CIFS server, you must create aliases. "Assigning aliases to NetBIOS and computer names" on page 16 provides more information.

• NetBIOS names are limited to 15 characters and cannot begin with an @ (at sign) or - (dash) character. The name also cannot include white space, tab characters, or the following symbols: / \ : ; , = * + | [ ] ? < > "

Join CIFS server to a Windows domain

Use this procedure to join the CIFS server to a domain.

Action

To join the CIFS server to the Windows domain, use this command syntax:

$ server_cifs <movername> -Join compname=<comp_name.FQDN>,domain=<full_domain_name>,admin=<user_name@AD_name>[,dns=<if_suffix>]

Where:

<movername> = name of the specified Data Mover or VDM.

<comp_name.FQDN> = name for the CIFS server’s account in the Active Directory. The <comp_name> can be up to 63 UTF-8 characters and represents the name of the server to be registered in DNS. For disjoint namespaces, you must enter compname.FQDN (fully-qualified domain name); otherwise, the AD attributes are not updated. For example: compname=dm32-cge0.nasdocs.emc.com

Note: If the primary DNS suffix of the CIFS server is different from the Windows domain, the <comp_name> must be a fully-qualified name. For example, if the Windows domain is win.com, the DNS primary suffix is abc.net, and the CIFS server is server1, the command would be server_cifs <movername> -Join compname=server1.abc.net,domain=win.com.

<full_domain_name> = DNS name for the Windows domain. The <full_domain_name> must contain a dot (example: domain.com).

<user_name@AD_name> = delegated user login name and domain name of the Active Directory.

Example:

To join the CIFS server dm32-ana0 to the universe.com domain, type:

$ server_cifs server_2 -Join compname=dm32-cge0.nasdocs.emc.com,domain=universe.com,[email protected]


Output Note

server_2 : Enter Password: *******
done

• You can join a CIFS server to a domain in a Windows environment where the Active Directory namespace is named independently from the DNS namespace.

• The user account and user password are used to create the account in the Active Directory, and are not stored after adding the machine account.
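The naming rules repeated in the add and join procedures above (NetBIOS length and character limits, the dot in <full_domain_name>, the 63-character <comp_name>, and compname.FQDN for disjoint namespaces) can be checked before a command is typed. The following shell functions are an added example, not part of this guide or of the Celerra tools; the function names are hypothetical, names are assumed to be ASCII, and the script only prints a server_cifs command line without running it.

```shell
#!/bin/sh
# Added example: pre-flight checks for server_cifs -add / -Join arguments.
# Function names are hypothetical. Nothing is executed against a Data Mover.

# NetBIOS rules from the guide: at most 15 characters, must not begin with
# @ or -, no white space or tabs, none of / \ : ; , = * + | [ ] ? < > "
valid_netbios_name() {
    nb_name=$1
    [ -n "$nb_name" ] && [ "${#nb_name}" -le 15 ] || return 1
    case $nb_name in
        @*|-*) return 1 ;;
        *[[:space:]]*) return 1 ;;
        */*|*\\*|*:*|*\;*|*,*|*=*|*\**|*+*|*\|*|*\[*|*\]*|*\?*|*\<*|*\>*|*\"*)
            return 1 ;;
    esac
    return 0
}

# Default NetBIOS name: the first 15 characters of <comp_name>.
# Assumption: ASCII names, so printf's byte-based precision is exact.
default_netbios_name() {
    printf '%.15s\n' "$1"
}

# <full_domain_name> must contain a dot.
valid_domain_name() {
    case $1 in *.*) return 0 ;; esac
    return 1
}

# <comp_name> is limited to 63 characters (${#1} counts characters in a
# UTF-8 locale and bytes in the C locale, which is only stricter).
valid_compname() {
    [ -n "$1" ] && [ "${#1}" -le 63 ]
}

# Usage: build_add_command <movername> <comp_name> <domain> <if_name> [netbios] [dns_suffix]
build_add_command() {
    a_mover=$1 a_comp=$2 a_domain=$3 a_if=$4 a_nb=${5:-} a_dns=${6:-}
    valid_compname "$a_comp" || { echo "comp_name must be 1-63 characters" >&2; return 1; }
    valid_domain_name "$a_domain" || { echo "domain must contain a dot" >&2; return 1; }
    if [ -n "$a_nb" ]; then
        valid_netbios_name "$a_nb" || { echo "netbios name breaks the naming rules" >&2; return 1; }
    else
        # No netbios= given: the derived default must itself be a legal name.
        valid_netbios_name "$(default_netbios_name "$a_comp")" || {
            echo "default NetBIOS name is not valid; pass an explicit netbios name" >&2
            return 1
        }
    fi
    a_cmd="server_cifs $a_mover -add compname=$a_comp,domain=$a_domain"
    if [ -n "$a_nb" ]; then a_cmd="$a_cmd,netbios=$a_nb"; fi
    a_cmd="$a_cmd,interface=$a_if"
    if [ -n "$a_dns" ]; then a_cmd="$a_cmd,dns=$a_dns"; fi
    printf '%s\n' "$a_cmd"
}

# Usage: build_join_command <movername> <comp_name> <domain> <admin> [dns_suffix]
# In a disjoint namespace (DNS suffix differs from the AD domain) the guide
# requires compname.FQDN; otherwise the AD attributes are not updated.
build_join_command() {
    j_mover=$1 j_comp=$2 j_domain=$3 j_admin=$4 j_dns=${5:-}
    valid_domain_name "$j_domain" || { echo "domain must contain a dot" >&2; return 1; }
    if [ -n "$j_dns" ] && [ "$j_dns" != "$j_domain" ]; then
        case $j_comp in
            *."$j_dns") ;;                  # already fully qualified
            *) j_comp="$j_comp.$j_dns" ;;   # qualify with the DNS suffix
        esac
    fi
    valid_compname "$j_comp" || { echo "comp_name must be 1-63 characters" >&2; return 1; }
    printf 'server_cifs %s -Join compname=%s,domain=%s,admin=%s\n' \
        "$j_mover" "$j_comp" "$j_domain" "$j_admin"
}

# Demonstration with the guide's own sample names.
build_add_command server_2 dm32-cge0 universe.com cge0 eng23b nasdocs.emc.com
build_join_command server_2 dm32-cge0 universe.com administrator nasdocs.emc.com
```

A <comp_name> whose first 15 characters would make an illegal NetBIOS name is rejected unless an explicit NetBIOS name is supplied, which mirrors the guidance for the netbios= option.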


Managing file systems

This section outlines concepts and tasks associated with managing file systems in a Windows environment on your Celerra Network Server, including establishing synchronous writes, opportunistic file locking, and file change notifications.

Ensuring synchronous writes

The cifssyncwrite option of the server_mount command is used to enhance the support for storing and accessing database files via CIFS on the Celerra Network Server. This special mount option guarantees that any write to the file server is done synchronously. For Windows, it is important to make sure this option is specified if the Celerra Network Server will be used to store certain database files. This is recommended to avoid chances of data loss or file corruption across various failure scenarios, for example, loss of power.

Note: Use of the cifssyncwrite option is not recommended unless you require database access via the Celerra Network Server.

Use this procedure to mount a file system with the cifssyncwrite option.

Action

To mount a file system to ensure synchronous writes, use this command syntax:

$ server_mount <movername> -o cifssyncwrite <fs_name> <mount_point>

Where:

<movername> = name of the specified Data Mover or VDM.

<fs_name> = name of the file system being mounted.

<mount_point> = name of the mount point.

Example:

To mount the file system ufs1 with ensured synchronous writes, type:

$ server_mount server_2 -o cifssyncwrite ufs1 /ufs1

Output Note

server_2 : done

A <mount_point> must begin with a forward slash (/).

Opportunistic file locking

Opportunistic file locks (oplocks) improve network performance by allowing CIFS clients to locally buffer file data before sending it to the server. These locks are configured per file system and are on by default. Unless you are using a database application that recommends that oplocks be turned off, or you are handling critical data and cannot afford any data loss, leave oplocks on.

Celerra Network Server supports level II, exclusive, and batch oplocks (filter oplocks are not applicable to a remote file server):

◆ Level II oplocks: When held, a level II oplock informs a client that multiple clients are currently accessing a file, but no client has yet modified it. A level II oplock lets the client perform reads and file attribute fetches using cached or read-ahead local information. All other file access requests must be sent to the server.

◆ Exclusive oplocks: When held, an exclusive oplock informs a client that it is the only client opening the file. An exclusive oplock lets a client perform all file operations using cached or read-ahead information until it closes the file, at which time the server must be updated with any changes made to the state of the file (contents and attributes).

◆ Batch oplocks: When held, a batch oplock informs a client that it is the only client opening the file. A batch oplock lets a client perform all file operations using cached or read-ahead information (including opens and closes); therefore, the server can keep a file opened for a client even though the local process on the client machine has closed the file. This mechanism curtails the amount of network traffic by letting clients skip the extraneous close and open requests.

Turning oplocks off

Use this procedure to turn oplocks off for a specific file system.

Important: Performance may drop significantly if oplocks are disabled.

CAUTION: In a Microsoft network, opportunistic locks can result in the loss of data if a Windows client or Windows server crashes or if network problems occur.

Action

To turn oplocks off for a file system, use this command syntax:

$ server_mount <movername> -o nooplock <fs_name> <mount_point>

Where:

<movername> = name of the specified Data Mover or VDM.

<fs_name> = name of the file system being mounted.

<mount_point> = name of the mount point.

Example:

To mount the file system ufs1 with oplocks turned off, type:

$ server_mount server_2 -o nooplock ufs1 /ufs1

Output Note

server_2: done

A <mount_point> must begin with a forward slash (/).

File change notification

Applications running on Windows platforms, using the Win32 API, can register with the CIFS server (or local OS) to be notified if and when certain actions are taken against file or directory contents (such as create file, rename file, delete, etc.). For example, this feature can indicate when a display needs to be refreshed (Windows Explorer) or when cache needs to be refreshed (Microsoft Internet Information Server), without having to constantly poll the CIFS server (or local OS).

The Win32 API, and thus the CIFS protocol, supports the ability to specify the root of the directory tree that requires monitoring. If a subdirectory is specified, changes occurring above the specified directory will not notify the application.

To monitor changes occurring to directories beneath the specified directory, the application can also set the WatchSubTree bit. By default, monitoring for changes occurring in up to 512 directory levels beneath the root is supported. After receiving a change notification response, the application must reissue or reset the monitoring process in order to be notified of further modifications.

Note: Changes can also be buffered and notification can be satisfied by a single response to the client requesting the monitoring.

Limitations

◆ File change notification can only be used in a pure CIFS environment. Therefore, changes to files and/or directories will not notify if performed from NFS, FTP, or MPFS clients.

◆ This functionality is only supported when the user authentication method on the Data Mover is set to NT.

Configuring file change notification

The notify option is automatically on by default. You may want to disable the notify option if you have performance issues.

Use this procedure to turn off file change notification.

Action

To disable the notify feature for a file system, use this command syntax:

$ server_mount <movername> -o nonotify <fs_name> <mount_point>

Where:

<movername> = name of the specified Data Mover or VDM.

<fs_name> = name of the file system being mounted.

<mount_point> = name of the mount point.

Example:

To disable the notify feature for file system ufs1 on server_2, type:

$ server_mount server_2 -o nonotify ufs1 /ufs1

Output Note

server_2: done

• A directory file must be opened before this command is used.

• A <mount_point> must begin with a forward slash (/).


Configuring other file change notification options

In addition, you can configure the following notify options:

Table 5 File change notification options

Option: triggerlevel=<value>
Description: Specifies how many directory levels beneath the monitored directory are monitored for changes. <value> must be in hexadecimal format. Default value: 512 levels (0x00000200)
Example: The following example shows a configuration for up to 15 directory levels:
$ server_mount server_2 -o "triggerlevel=0x0000000f" ufs1 /ufs1

Option: notifyonwrite
Description: Provides a notification of write access to a file system. Default value: disabled
Example: The following example enables notifyonwrite:
$ server_mount server_2 -o notifyonwrite ufs1 /ufs1
This option is useful when an application needs to be notified of file writes before closing the file.

Option: notifyonaccess
Description: Provides a notification of the access time of a modification. Default value: disabled
Example: The following example enables both notifyonaccess and notifyonwrite:
$ server_mount server_2 -o notifyonaccess,notifyonwrite ufs1 /ufs1

Note: The notifyonwrite and notifyonaccess options are disabled by default for performance reasons.

Reexporting all Celerra file systems

You can reexport all exported Celerra file systems at once from a Celerra Network Server while the file server is running. The operation reexports all entries in the export table on the file server. You can use this feature when you want to reexport file systems that you have temporarily unexported.

Use this procedure to reexport all Celerra file systems from a Celerra Network Server.

Action

To reexport all Celerra file systems exported from a Celerra Network Server, type:

$ server_export ALL -all

Output

server_2 : done
server_3 : done
server_4 : done


Disabling access to all file systems on a Data Mover

Use this procedure to permanently disable all access to all file systems on a Data Mover.

CAUTION: This operation deletes the contents of the export table and prevents all client access to file systems on the Data Mover. To reestablish client access to file systems on the file server, you must rebuild the export table by reexporting each CIFS share and NFS path on the Data Mover.

Action

To permanently disable all access to all file systems on a Data Mover, use this command syntax:

$ server_export <movername> -unexport -perm -all

Where:

<movername> = name of the Data Mover

Example:

To permanently disable all access to all file systems on server_3, type:

$ server_export server_3 -unexport -perm -all

Output

server_3: done


Stopping and starting the CIFS service

The following sections provide instructions for stopping and starting the CIFS service on a Data Mover.

CAUTION: Stopping the CIFS service on a Data Mover prohibits users from accessing all CIFS servers on that Data Mover.

Stopping the CIFS service

Use this command to stop a CIFS service.

Action

To stop the CIFS service for a Data Mover, use this command syntax:

$ server_setup <movername> -P cifs -option stop

Where:

<movername> = name of the specified Data Mover

Example:

To stop the CIFS service on server_2, type:

$ server_setup server_2 -P cifs -o stop

Output

server_2: done

Starting the CIFS service

Use this command to start the CIFS service.

Action

To start the CIFS service, use this command syntax:

$ server_setup <movername> -P cifs -o start[=<n>]

Where:

<movername> = name of the specified Data Mover.

-P cifs -o start = activates the protocol configuration for the specified Data Mover.

[=<n>] = number of threads for all CIFS activity on the Data Mover, not the number of threads per CIFS server. The default number of CIFS threads depends on the memory size of the Data Mover. If the memory size is less than 1 GB, the default is 32 threads. For 510 Data Movers and NS series Celerra systems with 3 GB or more of memory, the default number of threads is 256.

Example:

To start the CIFS service on server_2, type:

$ server_setup server_2 -P cifs -o start

Output

server_2 : done


Deleting a CIFS server

This section describes how to delete a CIFS server from a Data Mover configuration in a Windows 2000, Windows Server 2003, and Windows NT environment.

Note: Before deleting a CIFS server from a Data Mover, make sure that there are no active sessions associated with the CIFS server. Use server management tools (MMC or Server Manager) to close all active sessions.

Deleting a CIFS server (Windows 2000/Windows Server 2003)

CAUTION: If writes are in process during the deletion of a CIFS server, data loss can occur. Before you perform this procedure, notify all users ahead of time that the CIFS server will no longer be available.

Use this procedure to remove a CIFS server from a Data Mover’s configuration and from the Active Directory.

Step Action

1. Unjoin the computer from the domain by using this command syntax:

$ server_cifs <movername> -Unjoin compname=<comp_name>,domain=<full_domain_name>

Where:

<movername> = name of the specified Data Mover

<comp_name> = computer name of the CIFS server

<full_domain_name> = full domain name for the Windows environment; must contain a dot (example: domain.com)

2. Remove the CIFS server by using this command syntax:

$ server_cifs <movername> -delete compname=<comp_name>

Where:

<movername> = name of the specified Data Mover

<comp_name> = computer name of the CIFS server


Deleting a CIFS server (Windows NT)

CAUTION: If writes are in process during the deletion of a CIFS server, data loss can occur. Before you perform this procedure, notify all users that the CIFS server will no longer be available.

Use this command to remove a CIFS server from a Data Mover’s configuration.

Step Action

1. Remove the CIFS server by using this command syntax:

$ server_cifs <movername> -delete netbios=<netbios_name>

Where:

<movername> = name of the specified Data Mover

<netbios_name> = NetBIOS name for the CIFS server

Note: This command does not delete the NetBIOS entry from the PDC (primary domain controller).


Enabling home directories

The Celerra home directory feature lets you create a single share, called HOME, to which all users connect. You do not have to create individual shares for each user.

The home directory feature simplifies the administration of personal shares and the process of connecting to them by letting you associate a username with a directory that then acts as the user’s home directory. The home directory is mapped in a user’s profile so that upon login, the home directory is automatically connected to a network drive.

Note: If a client system (such as Citrix Metaframe or Windows Terminal Server) supports more than one Windows user concurrently and caches file access information, the Celerra HOME directory feature may not function as desired. With the Celerra's home directory capability, the path to the home directory for each user is the same from the perspective of a Celerra client. For example, if a user writes to a file in the home directory, and then another user reads a file in the home directory, the second user's request is completed using the cached data from the first user's home directory. Since the files have the same pathname, the client system assumes they are the same file.

Table 6 explains the tasks to enable the home directory feature for a Data Mover. You must have created and started the CIFS service before performing this procedure.

On Windows 2000 and Windows 2003 server systems, you can enable and manage home directories through the Celerra Home Directory Management snap-in for MMC. The Installing Celerra Management Applications technical module provides information on installing the snap-in. The snap-in online help describes the procedures for enabling and managing home directories.

Table 6 Enabling home directories

| Task | Action | Procedure |
|---|---|---|
| 1. | Create the database. | "Creating the database" on page 47 |
| 2. | Enable home directories on the Data Mover. Note: The home directory feature is disabled by default. | "Enabling home directories on the Data Mover" on page 47 |
| 3. | Create the home directories. | "Creating the home directory file" on page 48 |
| 4. | Add home directories to user profiles. | "Adding home directories to user profiles" on page 48 |


Restrictions

A special share name, HOME, is reserved for the home directory feature. Because of this limitation, the following restrictions apply:

◆ The home directory feature is not available on CIFS servers configured with SHARE- or UNIX-level security.

◆ If you have created a share called HOME, you cannot enable the home directory feature.

◆ If you have enabled the home directory feature, you cannot create a share called HOME.

A home directory is configured in a user’s Windows user profile by using the UNC path:

\\<cifs_server>\HOME

Where:

<cifs_server> = IP address, computer name, or NetBIOS name of the CIFS server.

HOME = a special share that is reserved for the home directory feature. When HOME is used in the path for a user’s home directory and the user logs in, the user’s home directory is automatically mapped to a network drive and the HOMEDRIVE, HOMEPATH, and HOMESHARE environment variables are automatically set.

Creating the database

To use the home directory feature, you must create a database file, named homedir, which maps each domain/username combination to the user’s home directory location.

Note: EMC recommends that you use the Celerra Management MMC plug-in to create and edit user home directory entries. The MMC plug-in validates your entries as you enter them. If you create or edit the homedir file and enter an incorrect entry, your home directory environment may become unusable.

When you create the initial entry using the Home Directory MMC snap-in, the snap-in creates a new database on your Data Mover.

Enabling home directories on the Data Mover

The home directory feature is enabled by default. After you create the database, use the following procedure to enable home directories on the Data Mover:

$ server_cifs <movername> -option homedir

Where:

<movername> = name of the Data Mover


Creating the home directory file

You need to create a home directory for each user specified in the database. You can create the directories by selecting the create option when you create or edit your home directory entries. For more information about creating directories automatically, see the Celerra Management MMC plug-in online help. "Appendix A: Additional home directory information" on page 91 provides more information about the home directory database file.

Adding home directories to user profiles

To allow users access to individual home directories, you must map the home directory in each user profile with the following path:

\\<cifs_server>\HOME

Where:

<cifs_server> = IP address, computer name, or NetBIOS name of the CIFS server.

HOME = special share name reserved for the home directory feature.

Adding home directories (Windows 2000/Windows Server 2003)

Use this procedure to add a home directory in a Windows 2000 or Windows Server 2003 domain:

1. Log in to a Windows server from a domain administrator account.

2. Click Start and select Programs > Administrative Tools > Active Directory Users and Computers.

3. Click Users to display the users in the right pane.

4. Right-click a user and select Properties. The user’s property sheet appears.

5. Click the Profile tab and under Home folder:
   a. Select Connect.
   b. Select the drive letter you want to map to the home directory.
   c. Enter the following in the To field:

   \\<cifs_server>\HOME

   Where:
   <cifs_server> = IP address, computer name, or NetBIOS name of the CIFS server.

6. Click OK.


Adding home directories from Windows NT

Use this procedure to add a home directory in a Windows NT domain.

1. Log in to a Windows server from a domain administrator account.

2. Click Start and select Programs > Administrative Tools > User Manager for Domains. The User Manager for Domains appears.

3. Double-click a username. The user’s property sheet appears.

4. Click Profile. The User Environment Profile dialog box appears.

5. Under Home Directory:
   a. Select Connect.
   b. Select the drive letter you want to map to the home directory.
   c. Enter the following in the To field:

   \\<cifs_server>\HOME

   Where:
   <cifs_server> = IP address, computer name, or NetBIOS name of the CIFS server.

6. Click OK.

Adding home directories with regular expressions

Use this procedure to add a home directory to a Windows 2000 or Windows Server 2003 user account, using regular expressions.

1. Log in to a Windows server from a domain administrator account.

2. Click Start and select Programs > Administrative Tools > Celerra Management.

3. Right-click the HomeDir folder icon and select New > home directory entry. The home directory property sheet appears.

4. Complete the property sheet:
   a. In the Domain field, enter a regular expression. In this example, the expression matches any domain name that begins with DOC.
   b. In the User name field, enter a regular expression. In this example, an asterisk matches any user name.
   c. In the Path field, enter:

   \homedirs\<u>

   In this example, homedirs is the share where home directories are stored. <u> is the user’s login name. A directory with the same name as the user’s login name will be created, if it does not already exist.

5. Click OK.


Supporting Group Policy Objects

The following sections introduce Microsoft Group Policy Objects (GPOs) and how the Celerra Network Server provides GPO support. In addition, this section discusses how to manage GPO support on the Celerra Network Server.

Introduction to Microsoft Group Policy Objects

In Windows 2000 or Windows Server 2003, administrators can use Group Policy to define configuration options for groups of users and computers. Windows Group Policy Objects can control elements such as local, domain, and network security settings. The Group Policy settings are stored in GPOs that are linked to the site, domain, and organizational unit (OU) containers in the Active Directory. The domain controllers replicate GPOs on all domain controllers within the domain.

Audit Policy is a component of the Data Mover Security Settings snap-in, which is installed as a Microsoft Management Console (MMC) snap-in into the Celerra Management Console on a Windows 2000 and Windows Server 2003 system. The Installing Celerra Management Applications technical module provides installation instructions.

You can use audit policies to determine which Data Mover security events are logged in the Security log. You can select to log successful attempts, failed attempts, both, or neither. Audited events are viewed in the Security log of the Windows Event Viewer.

The audit policies that appear in the Audit Policy node are a subset of the policies available as Group Policy Objects in Active Directory Users and Computers. These audit policies are local policies and apply only to the selected Data Mover. You cannot use the Audit Policy node to manage GPO audit policies.

If an audit policy is defined as a GPO in ADUC, the GPO setting overrides the local setting. When the domain administrator changes an audit policy on the domain controller, that change is reflected on the Data Mover and can be viewed using the Audit Policy node. You can change the local audit policy, but it will not be in effect until the GPO for that audit policy is disabled. If auditing is disabled, the GPO setting remains in the Effective setting column.

Note: You cannot use Microsoft’s Windows Local Policy Setting tools to manage audit policies on a Data Mover because in Windows 2000, Windows Server 2003, and Windows XP, the Windows Local Policy Setting tools do not allow you to remotely manage audit policies.

GPO support on the Celerra Network Server

The Celerra Network Server provides support for GPOs by retrieving and storing a copy of the GPO settings for each CIFS server joined to a Windows 2000 or Windows Server 2003 domain. The Celerra Network Server stores the GPO settings in a GPO cache on the Data Mover. Although there may be multiple CIFS servers on a Data Mover, there is only one GPO cache per Data Mover.

When you start the CIFS service on a Data Mover, the Celerra Network Server reads the settings stored in the GPO cache, and then retrieves the most recent GPO settings from the Windows domain controller. The Celerra Network Server also retrieves GPO settings whenever a Celerra CIFS server is joined to a domain with the server_cifs -Join command.

After retrieving the GPO settings, the Celerra Network Server automatically updates the settings based on the domain’s refresh interval. If the refresh interval is not defined in the domain, it updates these settings every 90 minutes (Data Mover’s refresh default).

You can force an update anytime by issuing the server_security command. "Updating GPO settings" on page 59 provides instructions.

Supported settings

Celerra Network Server currently supports the following GPO Security settings:

Kerberos

◆ Maximum tolerance for computer clock synchronization (clock skew)

Note: Because time synchronization is done per Data Mover, not per CIFS server, if you configure multiple CIFS servers on a Data Mover for multiple domains, then all the time sources for these domains must be in the same time zone.

◆ Maximum lifetime for user ticket

Audit policy

◆ Audit account logon events

◆ Audit account management

◆ Audit directory service access

◆ Audit logon events

◆ Audit object access

◆ Audit policy change

◆ Audit privilege use

◆ Audit process tracking

◆ Audit system events

User rights

◆ Access this computer from the network

◆ Back up files and directories

◆ Bypass traverse checking

◆ Deny access to this computer from the network

◆ EMC virus checking

◆ Generate security audits

◆ Manage auditing and security log


◆ Restore files and directories

◆ Take ownership of files or other objects

Security options

◆ Digitally sign client communication (always)

◆ Digitally sign client communication (when possible)

◆ Digitally sign server communication (always)

◆ Digitally sign server communication (when possible)

◆ LAN Manager Authentication Level

Event logs

◆ Maximum application log size

◆ Maximum security log size

◆ Maximum system log size

◆ Restrict guest access to application log

◆ Restrict guest access to security log

◆ Restrict guest access to system log

◆ Retain application log

◆ Retain security log

◆ Retain system log

◆ Retention method for application log

◆ Retention method for security log

◆ Retention method for system log

Group policy

◆ Disable background refresh of Group Policy

◆ Group Policy refresh interval for computers

Multiple CIFS servers on a Data Mover

CIFS servers on a Data Mover can have different GPO settings if they belong to separate organizational units. When a Data Mover has more than one CIFS server, the system processes the GPO audit and event log settings in a certain way, as explained in Table 7 on page 55.

Audit policies are resolved by combining settings from the multiple servers on the Data Mover and using the most secure setting. The CIFS servers are processed in the order in which they were joined to the domain.

Event log policies are resolved by using the most secure setting of all the related settings on the CIFS server. For example, for the maximum application log size setting, the system looks at the log size setting of each server on the Data Mover, and then uses the largest size.
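The resolution rules described above and listed in Table 7 can be written out as a short merge function. This is an added example, not EMC code: the function names, the treatment of "Not defined" as "contributes nothing", and the sample per-server values are assumptions, while the setting names follow Table 7 and the retention method strings follow the command output shown in this document.

```python
# Added example: resolve per-server GPO settings into the Data Mover's
# effective setting, following the rules in Table 7.

# Retention methods ordered least to most secure (days -> as needed -> never).
RETENTION = ["Overwrite events by days",
             "Overwrite events as needed",
             "Do not overwrite events"]

AUDIT_NAMES = {frozenset(): "No auditing",
               frozenset({"Success"}): "Success",
               frozenset({"Failure"}): "Failure",
               frozenset({"Success", "Failure"}): "Success, Failure"}


def _most_audits(values):
    """Combine audit settings: the union of all audited outcomes wins."""
    events = set()
    for value in values:
        events |= {part.strip() for part in value.split(",")} & {"Success", "Failure"}
    return AUDIT_NAMES[frozenset(events)]


def _enabled_wins(values):
    """Restrict guest access: Disabled -> Enabled, Enabled is most secure."""
    return "Enabled" if "Enabled" in values else "Disabled"


def _most_secure_overwrite(values):
    """Retention method: pick the entry furthest along RETENTION."""
    return max(values, key=RETENTION.index)


# (setting-name prefix, rule) pairs, one per row group of Table 7.
RULES = [("Audit ", _most_audits),
         ("Maximum ", max),                    # largest log size
         ("Restrict guest access", _enabled_wins),
         ("Retain ", max),                     # largest number of days
         ("Retention method", _most_secure_overwrite)]


def resolve(servers):
    """servers: list of (compname, {setting: value}) in domain-join order.

    Returns {setting: effective value} for the Data Mover. Settings that no
    server defines are left out (assumption: "Not defined" contributes nothing).
    """
    defined = {}
    for _compname, settings in servers:
        for key, value in settings.items():
            if value != "Not defined":
                defined.setdefault(key, []).append(value)
    effective = {}
    for key, values in defined.items():
        for prefix, rule in RULES:
            if key.startswith(prefix):
                effective[key] = rule(values)
                break
        else:
            raise ValueError(f"{key!r} is not covered by Table 7")
    return effective


# Constructed sample: two CIFS servers in different OUs on one Data Mover.
SERVERS = [
    ("k10eqa19s2", {"Audit account logon events": "Success",
                    "Audit object access": "No auditing",
                    "Audit privilege use": "Not defined",
                    "Maximum application log size": 576,
                    "Restrict guest access to security log": "Disabled",
                    "Retain application log": 7,
                    "Retention method for system log": "Overwrite events as needed"}),
    ("k10eqa19s3", {"Audit account logon events": "Failure",
                    "Audit object access": "Success",
                    "Audit privilege use": "Not defined",
                    "Maximum application log size": 16384,
                    "Restrict guest access to security log": "Enabled",
                    "Retain application log": 30,
                    "Retention method for system log": "Do not overwrite events"}),
]

if __name__ == "__main__":
    for setting, value in resolve(SERVERS).items():
        print(f"{setting}: {value}")
```

The effective value can differ from what either organizational unit's GPO defines on its own, which is worth keeping in mind when comparing a Data Mover's audit behavior against a single OU's policy.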

Table 7 GPO settings requiring conflict resolution

| Setting | Conflict resolution | Note |
|---|---|---|
| Audit: | | |
| Audit account logon events | Most audits | Settings are: No audit, Audit success, Audit failure, Audit success and failure. Example: If a Data Mover has two CIFS servers, one with a success setting and the other with a failure setting, the system combines both settings to use for its auditing. In this example, the most secure setting of success and failure is used. |
| Event logs: | | |
| Maximum application log size | Largest size | |
| Maximum security log size | Largest size | |
| Maximum system log size | Largest size | |
| Restrict guest access to application log | Most secure setting | Least to most secure setting is Disabled -> Enabled |
| Restrict guest access to security log | Most secure setting | Least to most secure setting is Disabled -> Enabled |
| Restrict guest access to system log | Most secure setting | Least to most secure setting is Disabled -> Enabled |
| Retain application log | Largest number of days | Overwrites after x days |
| Retain security log | Largest number of days | Overwrites after x days |
| Retain system log | Largest number of days | Overwrites after x days |
| Retention method for application log | Most secure overwrite | Least to most secure overwrite is days -> as needed -> never |
| Retention method for security log | Most secure overwrite | Least to most secure overwrite is days -> as needed -> never |
| Retention method for system log | Most secure overwrite | Least to most secure overwrite is days -> as needed -> never |

Displaying GPO settings

Use this command to display the GPO settings of a Data Mover.

Action

To display the current GPO settings for the specified Data Mover, use this command syntax:
$ server_security <movername>|ALL -info -policy gpo [server=<server_name>|domain=<domain_name>]

Where:
<movername> = name of the specified Data Mover.
ALL = all Data Movers.
server=<server_name> | domain=<domain_name> (Optional). Limit the query to the specified CIFS server or domain. The <server_name> refers to the compname of a configured CIFS server on the Data Mover and the <domain_name> refers to a domain name for the CIFS server.

Example:
To display the GPO settings for all CIFS servers on all Data Movers, type:
$ server_security ALL -info -policy gpo

Output

server_2:
Server compname: k10eqa19s2
Server NetBIOS: K10EQA19S2
Domain: dvt_f.celerraqa.emc.com
Kerberos Max Clock Skew (minutes): 5
Digitally sign client communications (always): Not defined
Digitally sign client communications (if server agrees): Enabled
Digitally sign server communications (always): Not defined
Digitally sign server communications (if client agrees): Enabled
Audit account logon events: Success
Audit account logon events server list: k10eqa19s2
Audit account management: No auditing
Audit account management server list: k10eqa19s2
Audit directory service access: Failure
Audit directory service access server list: k10eqa19s2
Audit logon events: Success, Failure
Audit logon events server list: k10eqa19s2
Audit object access: Success
Audit object access server list: k10eqa19s2,k10eqa19s3
Audit policy change: Success
Audit policy change server list: k10eqa19s3
Audit privilege use: Not defined
Audit process tracking: No auditing
Audit process tracking server list: k10eqa19s3
Audit system events: Success, Failure
Audit system events server list: k10eqa19s2,k10eqa19s3
Back up files and directories: *S-1-5-32-545,*S-1-5-21-602162358-1580818891-1957994488-1110,*S-1-5-21-602162358-1580818891-1957994488-1111,*S-1-5-21-602162358-1580818891-1957994488-1113,*S-1-5-21-602162358-1580818891-1957994488-1114,*S-1-5-21-602162358-1580818891-1957994488-1112,*S-1-5-32-552,*S-1-5-4,*S-1-5-32-546,*S-1-1-0,*S-1-5-9,*S-1-5-1,*S-1-3-0,*S-1-3-1,*S-1-5-3,*S-1-5-11,*S-1-5-7,*S-1-5-32-544
Restore files and directories: *S-1-5-32-54
Bypass traverse checking: Not defined
Generate security audits: *S-1-5-32-544,*S-1-5-32-545
Manage auditing and security log: *S-1-5-11,*S-1-5-32-544
Access this computer from the network: *S-1-5-32-544
Deny access this computer from the network: Not defined
Take ownership of files or other objects:
EMC Virus Checking: *S-1-5-32-546
Maximum security log size (Kilobytes): 576
Maximum security log size server list: k10eqa19s2
Restrict guest access to security log: Enabled
Restrict guest access to security log server list: k10eqa19s2
Retention period for security log: Not defined
Retention method for security log: Overwrite events as needed
Retention Method for security log server list: k10eqa19s2
Maximum system log size (Kilobytes): 1024
Maximum system log size server list: k10eqa19s2
Restrict guest access to system log: Enabled
Restrict guest access to system log server list: k10eqa19s2
Retention period for system log: Not defined
Retention method for system log: Do not overwrite events
Retention Method for system log server list: k10eqa19s2,k10eqa19s3
Maximum application log size (Kilobytes): 16384
Maximum application log size server list: k10eqa19s3
Restrict guest access to application log: Disabled
Restrict guest access to application log server list: k10eqa19s2
Retention period for application log (Days): 7
Retention period for application log server list: k10eqa19s2
Retention method for application log: Overwrite events by days
Retention Method for application log server list: k10eqa19s2
Disable background refresh of Group Policy: Not defined
Group Policy Refresh interval (minutes): 60
Refresh interval offset (minutes): 5
GPO Last Update time (local): Wed Sep 10 14:47:42 EDT 2003
GPO Next Update time (local): Wed Sep 10 15:50:42 EDT 2003


When a User Rights setting, such as Take ownership of files or other objects:, is empty, it is set but no one is assigned to take ownership of the files or objects.

Note: If a Data Mover does not have any CIFS servers joined to a Windows domain, the server_security -info -policy gpo command returns the following error message: gpod isn’t running
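The output above can be checked mechanically for settings a security review would question. The following is an added example, not an EMC tool: it assumes the output has one "name: value" setting per line with each Data Mover introduced by a line such as "server_2:", the function names are hypothetical, the sample input is abridged from the output shown above, and the choice of which settings to flag is illustrative.

```python
import re

# Constructed input: abridged from the sample output above, one setting per line.
SAMPLE_OUTPUT = """\
server_2:
Server compname: k10eqa19s2
Server NetBIOS: K10EQA19S2
Domain: dvt_f.celerraqa.emc.com
Digitally sign server communications (always): Not defined
Digitally sign server communications (if client agrees): Enabled
Audit account logon events: Success
Audit account logon events server list: k10eqa19s2
Audit account management: No auditing
Audit privilege use: Not defined
Back up files and directories: *S-1-5-32-545,*S-1-1-0,*S-1-5-7,*S-1-5-32-544
Take ownership of files or other objects:
Restrict guest access to application log: Disabled
Restrict guest access to application log server list: k10eqa19s2
Disable background refresh of Group Policy: Not defined
GPO Last Update time (local): Wed Sep 10 14:47:42 EDT 2003
"""

SIGN_ALWAYS = "Digitally sign server communications (always)"
# Well-known Windows SIDs that cover far more than administrators.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-7": "Anonymous Logon",
              "S-1-5-32-546": "Guests"}
SENSITIVE_RIGHTS = {"Back up files and directories",
                    "Restore files and directories",
                    "Take ownership of files or other objects",
                    "Manage auditing and security log"}


def parse_gpo_info(text):
    """Return {data_mover: [settings dict per CIFS server]}."""
    movers, mover, server = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        header = re.fullmatch(r"(\S+)\s*:", line)
        if header:                      # Data Mover header, e.g. "server_2:"
            mover, server = header.group(1), None
            movers[mover] = []
            continue
        key, sep, value = line.partition(":")
        if not sep or mover is None:    # e.g. the "gpod isn't running" message
            continue
        key = key.strip()
        # "Server:" or a repeated "Server compname:" opens a new CIFS server block.
        if key in ("Server", "Server compname") and (server is None or key in server):
            server = {}
            movers[mover].append(server)
        if server is not None:
            server[key] = value.strip()  # an empty value is kept as ""
    return movers


def audit(movers):
    """Return a list of (data_mover, compname, finding) tuples."""
    findings = []
    for mover, servers in movers.items():
        if not servers:
            findings.append((mover, "-", "no GPO settings returned"))
        for settings in servers:
            name = settings.get("Server compname", "?")
            for key, value in settings.items():
                if key == SIGN_ALWAYS and value != "Enabled":
                    findings.append((mover, name, f"{key}: {value} (SMB signing not required)"))
                elif (key.startswith("Audit ") and not key.endswith("server list")
                      and value in ("Not defined", "No auditing")):
                    findings.append((mover, name, f"{key}: {value}"))
                elif key in SENSITIVE_RIGHTS:
                    sids = {s.strip().lstrip("*") for s in value.split(",") if s.strip()}
                    for sid in sorted(sids & set(BROAD_SIDS)):
                        findings.append((mover, name, f"{key} granted to {BROAD_SIDS[sid]} ({sid})"))
                elif key.startswith("Restrict guest access") and value == "Disabled":
                    findings.append((mover, name, f"{key}: Disabled"))
                elif key == "Disable background refresh of Group Policy" and value == "Enabled":
                    findings.append((mover, name, "GPO settings change only on manual update"))
    return findings


if __name__ == "__main__":
    for mover, name, finding in audit(parse_gpo_info(SAMPLE_OUTPUT)):
        print(f"{mover}/{name}: {finding}")
```

An empty user right, such as the Take ownership line in the sample, parses as an empty string and produces no finding, matching the explanation above that the right is set but assigned to no one.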

Additional examples

Example 1 To display the GPO settings for all CIFS servers on the Data Mover server_2, type:

$ server_security server_2 -info -policy gpo
server_2:
Server compname: l10efa19s2
Domain: securitytest.xxx.com
Kerberos Max Clock Skew (minutes): 5
Digitally sign client communications (always): Not defined
Digitally sign client communications (if server agrees): Enabled
...
Refresh interval offset (minutes): 5
GPO Last Update time (local): Wed Sep 22 14:47:42 EDT 2003
GPO Next Update time (local): Wed Sep 22 15:50:42 EDT 2003
...
Server compname: 110efa19s3
Domain: ex.xxx.com
Kerberos Max Clock Skew (minutes): 5
Digitally sign client communications (always): Not defined
Digitally sign client communications (if server agrees): Enabled
...
Refresh interval offset (minutes): 5
GPO Last Update time (local): Wed Sep 22 14:47:42 EDT 2003
GPO Next Update time (local): Wed Sep 22 15:50:42 EDT 2003

Example 2 To display the GPO settings for all Data Movers in the xptest.xxx.com domain, type:

$ server_security ALL -info -policy gpo domain=xptest.xxx.com
server_2:
Server compname: k10eqa19s2
Domain: xptest.xxx.com
Kerberos Max Clock Skew (minutes): 5
Digitally sign client communications (always): Not defined
Digitally sign client communications (if server agrees): Enabled
...
Refresh interval offset (minutes): 5
GPO Last Update time (local): Wed Sep 25 14:47:42 EDT 2003
GPO Next Update time (local): Wed Sep 25 15:50:42 EDT 2003
...
Server compname: k10eqa19s3
Domain: xptest.xxx.com
Kerberos Max Clock Skew (minutes): 5
Digitally sign client communications (always): Not defined
Digitally sign client communications (if server agrees): Enabled
...
Refresh interval offset (minutes): 5
GPO Last Update time (local): Wed Sep 25 14:47:42 EDT 2003
GPO Next Update time (local): Wed Sep 25 15:50:42 EDT 2003

Example 3 To display the GPO settings for the CIFS server cifs_test123 on Data Mover server_2, type:

$ server_security server_2 -info -policy gpo server=cifs_test123
server_2:
Server: cifs_test123
Server compname: k10eqa19s2
Server NetBIOS: K10EQA19S2
Domain: xptest.xxx.com
Kerberos Max Clock Skew (minutes): 5
Digitally sign client communications (always): Not defined
Digitally sign client communications (if server agrees): Enabled
Digitally sign server communications (always): Not defined
...
Refresh interval offset (minutes): 5
GPO Last Update time (local): Wed Sep 25 14:47:42 EDT 2003
GPO Next Update time (local): Wed Sep 25 15:50:42 EDT 2003

Updating GPO settings

While the CIFS service is running or after restarting the CIFS service, the Data Mover updates its GPO settings based on one of the following refresh intervals:

◆ If defined in the domain, the refresh interval can be set from zero (updates every 10 seconds) up to 64800 minutes (updates every 45 days).

◆ If not defined in the domain, the Data Mover uses its default refresh value of 90 minutes.

Disabling automatic GPO updates

A GPO setting called Disable background refresh of Group Policy disables any automatic GPO updates. If this policy is enabled, you must update the GPO policy manually.

When this policy is set, the following appears in the GPO output:

Disable background refresh of Group Policy: Enabled
Group Policy Refresh interval (minutes): 90
Refresh interval offset (minutes): Not defined
GPO Last Update time (local): Wed Sep 10 14:47:42 EDT 2003
GPO Background Update disabled, must be updated manually


Manually updating GPO settings

If you change group policies through MMC or the Server Manager, you can manually update the GPO settings on the Celerra Network Server, as shown in this example.

Action

To force an update of GPO settings for the specified Data Mover, use this command syntax:
$ server_security <movername>|ALL -update -policy gpo [server=<server_name>|domain=<domain_name>]

Where:
<movername> = name of the specified Data Mover.
ALL = all Data Movers.
server=<server_name> | domain=<domain_name> (Optional). Limit the query to the specified CIFS server or domain. The <server_name> refers to the name of a configured CIFS server on the Data Mover, and the <domain_name> refers to a domain name for the CIFS server.

Examples:
• To update the GPO settings for all CIFS servers on all Data Movers on the Celerra Network Server, type:
$ server_security ALL -update -policy gpo

• To update the GPO settings for all CIFS servers in domain NASDOCS, type:
$ server_security ALL -update -policy gpo domain=NASDOCS

Output

server_2: done

Disabling GPO support

GPO support is enabled per Data Mover and is enabled by default. You can disable GPO support by modifying the system parameters explained in this section. When GPO support is disabled, the Celerra Network Server cannot access the Windows domain controller, and the related Celerra functions automatically use their own default settings.

Table 8 shows the cifs gpo parameter and its values.

Table 8 cifs gpo parameter

| Facility | Parameter | Value | Comment/Description |
|---|---|---|---|
| cifs | gpo | 0 or 1 (default) | Enables or disables group policy object (GPO) support. 0 disables GPO support. 1 enables GPO support. |

Use this procedure to disable GPO support.

Action

To disable GPO support, use this command syntax:
$ server_param <movername> -facility <facility_name> -modify <param_name> -value <new_value>

Where:
<movername> = name of the specified Data Mover
<facility_name> = name of the facility to which the parameter belongs
<param_name> = name of the parameter
<new_value> = value you want to set for the specified parameter

Example:
To disable GPO support on server_2, type:
$ server_param server_2 -facility cifs -modify gpo -value 0

Note: Parameter and facility names are case-sensitive.

Output

server_2 : done

Disabling GPO caching

The Data Mover caches the GPO settings retrieved from the Windows domain controller. The GPO cache allows a Data Mover to quickly retrieve GPO settings even when the domain controller is inaccessible.

You can disable GPO caching if you do not want the Data Mover to use cached settings. If GPO caching is disabled, the Data Mover must retrieve the settings from the Windows domain controller.

Note: If you disabled GPO caching and the Celerra Network Server cannot access the Windows domain controller, the related Celerra functions use their own default settings. For example, the default value for Maximum Tolerance for Computer Clock Synchronization is 5 minutes.

Table 9 shows the cifs gpocache parameter and its values.

Table 9 cifs gpocache parameter

| Facility | Parameter | Value | Comment/Description |
|---|---|---|---|
| cifs | gpocache | 0 or 1 (default) | Enables or disables GPO caching. 0 disables GPO caching. 1 enables GPO caching. |

Use this procedure to disable GPO caching.

Action

To disable GPO caching, use this command syntax:
$ server_param <movername> -facility <facility_name> -modify <param_name> -value <new_value>

Where:
<movername> = name of the specified Data Mover
<facility_name> = name of the facility to which the parameter belongs
<param_name> = name of the parameter
<new_value> = value you want to set for the specified parameter

Example:
To disable GPO caching on server_2, type:
$ server_param server_2 -facility cifs -modify gpocache -value 0

Note: Parameter and facility names are case-sensitive.

Output

server_2 : done


Alternate data stream support

With the release of Windows NT, Microsoft introduced the Windows NT File System (NTFS) and the concept of alternate data streams (ADS). This feature is also known as multiple data streams (MDS). Data streams are independent resources that store a file’s data and also store information about the file. Unlike the FAT file system, in which a file consists of only one data stream, NTFS uses different data streams to store the file and the file’s metadata (such as file access rights, encryption, date and time information, and graphic information).

Microsoft originally created ADS so that a server using NTFS could act as a file server for Macintosh clients. Macintosh’s Hierarchical File System (HFS) uses two basic elements to represent files, as shown in Table 10.

NTFS files contain one primary data stream and, optionally, one or more alternate data streams—the primary data stream acts as the data fork and the alternate data streams act as the resource forks.

Table 10 HFS elements

| Element | Purpose |
|---|---|
| Data fork | Stores data for a file |
| Resource fork | Stores information about a file |


For files, you can view and usually set this additional information from the Summary tab in the file’s Properties dialog box.

Figure 3 Properties dialog box - Summary tab

ADS support on the Celerra Network Server

The Celerra Network Server supports ADS for both files and directories. The following provides additional information about ADS support on the Celerra Network Server:

◆ Directory streams are supported on mount points. If a file system is mounted on a mount point, only the directory streams of the mounted file system’s root directory are visible. If no file system is mounted, the streams of the mount point are visible.

◆ There is a limit of 64,000 streams per file or directory. This is several times the limit seen experimentally on Windows NTFS.

Disabling ADS support

ADS support is controlled by the shadow stream system parameter and is enabled by default. Although there are rare cases when you may want to disable ADS support, EMC generally recommends that you leave ADS support enabled. Use this procedure to disable ADS support on the Celerra Network Server. Table 11 provides a description of the parameter.


Table 11 shows the shadow stream parameter and its values.

Table 11 shadow stream parameter

| Facility | Parameter | Value | Comment/Description |
|---|---|---|---|
| shadow | stream | 0 or 1 (default) | 0 disables alternate data stream support. 1 (default) enables data stream support. This parameter is relevant in a Windows environment only. |

Use this procedure to disable ADS support.

Action

To disable ADS support, use this command syntax:

$ server_param <movername> -facility <facility_name> -modify <param_name> -value <new_value>

Where:
<movername> = name of the specified Data Mover
<facility_name> = name of the facility to which the parameter belongs
<param_name> = name of the parameter
<new_value> = value you want to set for the specified parameter

Example:
To disable ADS support on server_2, type:

$ server_param server_2 -facility shadow -modify stream -value 0

Output

server_2 : done


Using SMB signing

SMB (Server Message Block) signing is a mechanism used to ensure that a packet has not been intercepted, changed, or replayed. It guarantees that the data sent is the same as what the sender initiated and that the sequence has not been modified. Signing adds an 8-byte signature to every SMB packet. The client and server use this signature to verify the integrity of the packet.

For SMB signing to work, both the client and the server in a transaction must have SMB signing enabled. By default, Windows Server 2003 domain controllers require that clients use SMB signing. SMB signing is enabled by default on all CIFS servers created on the Data Movers.

Note: SMB signing is an option in Windows NT (SP 4 or greater) and Windows 2000 and Windows Server 2003 domains.

Data Movers use both client-side and server-side SMB signing depending on the situation. The following are some examples of when a Data Mover uses each type of signing:

◆ Data Mover acts as a server:

• When a client maps a share

• With CDMS

◆ Data Mover acts as a client:

• When retrieving GPO settings

• With CDMS

SMB signing resolution

In Windows domains, you can independently configure server-side and client-side SMB signing settings. There are three possible settings for both server-side and client-side signing:

◆ Disabled—the client or server does not support any SMB signing.

◆ Enabled—the client or server supports SMB signing but does not require it for transactions.

◆ Required—the client or server requires that SMB signing is used in all transactions.


Figure 4 on page 67 provides a matrix that shows how the three signing settings on the server side and client side interact to determine the outcome of a transaction.

Figure 4 Resolution matrix for SMB signing

| Client \ Server | Disabled | Enabled | Required |
|---|---|---|---|
| Disabled | No signing | No signing | Connection failure |
| Enabled | No signing | Signing in use | Signing in use |
| Required | Connection failure | Signing in use | Signing in use |

Configuring SMB signing

SMB signing is enabled by default on both the Celerra Network Server and in Windows Server 2003 domains. If you do not want SMB signing enabled, you can use the methods listed in Table 12 to configure SMB signing.

Table 12 SMB signing configuration methods

| Configuration method | Where configured | What it affects | Notes | Instructions |
|---|---|---|---|---|
| smbsigning parameter on the Celerra Network Server | Individual Data Movers or the Celerra Network Server | Individual Data Movers or the Celerra Network Server | No independent server-side or client-side control; overrides GPO settings | "Configuring SMB signing with the smbsigning parameter" on page 68 |
| Default Domain Security Settings (GPO) | Active Directory | All machines in the domain | Independent server-side or client-side control; overrides Registry settings | "Configuring SMB signing with GPOs" on page 69 |
| Registry settings | Individual Windows workstations and servers | Individual Windows workstations and servers | Used in environments with no GPO support | "Configuring SMB signing with the Windows Registry" on page 70 |


Configuring SMB signing with the smbsigning parameter

The cifs smbsigning parameter controls SMB signing on the Data Mover and affects all CIFS servers on the Data Mover. This parameter controls both client-side and server-side signing and overrides any SMB signing GPOs set for the domain.

Table 13 shows the cifs smbsigning parameter and its values.

Table 13 smbsigning parameter

| Facility | Parameter | Value | Comment/Description |
|---|---|---|---|
| cifs | smbsigning | 0 or 1 (default) | Enables or disables both client-side and server-side SMB signing on the Data Mover. 0 disables SMB signing. 1 enables SMB signing. |

Disabling SMB signing on a Data Mover

Use this command to disable SMB signing on all CIFS servers on a Data Mover.

Action

To disable SMB signing, use this command syntax:

$ server_param <movername> -facility <facility_name> -modify <param_name> -value <new_value>

Where:
<movername> = name of the specified Data Mover
<facility_name> = name of the facility to which the parameter belongs
<param_name> = name of the parameter
<new_value> = value you want to set for the specified parameter

Example:
To disable SMB signing support on server_2, type:

$ server_param server_2 -facility cifs -modify smbsigning -value 0

Result

server_2: done


Configuring SMB signing with GPOs

If you want independent control of server-side and client-side SMB signing, you can configure the GPOs shown in Table 14 on page 69. These GPOs are found under the Default Domain Security Settings (Figure 5) and can be configured from any domain controller.

The four relevant GPOs are highlighted in Figure 5.

Figure 5 SMB signing GPOs in default domain security settings

Note: Configuring SMB signing through GPOs affects all clients and servers within the domain and overrides individual Registry settings.

Table 14 SMB signing GPOs

| GPO name | What it controls | Default setting for Data Mover |
|---|---|---|
| Microsoft network server: Digitally sign communications (always) | Whether the server-side SMB component requires signing | Disabled |
| Microsoft network server: Digitally sign communications (if client agrees) | Whether the server-side SMB component has signing enabled | Disabled |
| Microsoft network client: Digitally sign communications (always) | Whether the client-side SMB component requires signing | Disabled |
| Microsoft network client: Digitally sign communications (if server agrees) | Whether the client-side SMB component has signing enabled | Enabled |

Configuring SMB signing with the Windows Registry

You can also configure SMB signing through the Windows Registry. If there is no GPO service available, such as in a Windows NT environment, the Registry settings are used.

Registry settings only affect the individual server or client that you configure. There are four Registry settings, two for server-side and two for client-side signing, and they function the same as the SMB signing GPOs.

Note: The following Registry settings pertain to Windows NT with SP 4 or later. These Registry entries exist in Windows 2000 and Windows Server 2003, but should be set through GPOs.

Server-side signing

The server-side settings are located in:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters\

Table 15 shows the server-side SMB signing Registry entries.

Table 15 Server-side SMB signing Registry entries

| Registry entry | Values | Purpose |
|---|---|---|
| enablesecuritysignature | 0 disabled (default); 1 enabled | Determines if SMB signing is enabled |
| requiresecuritysignature | 0 disabled (default); 1 enabled | Determines if SMB signing is required |

Client-side signing

The client-side settings are located in:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanworkstation\parameters\


Table 16 shows the client-side SMB signing Registry entries.

Table 16 Client-side SMB signing Registry entries

| Registry entry | Values | Purpose |
|---|---|---|
| enablesecuritysignature | 0 disabled; 1 enabled (default) | Determines if SMB signing is enabled |
| requiresecuritysignature | 0 disabled (default); 1 enabled | Determines if SMB signing is required |
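The resolution matrix in Figure 4 and the Registry entries in Tables 15 and 16 can be combined to predict, for every client and server pair, whether a session ends up signed, unsigned, or refused. The following Python code is an added example, not EMC code; the host inventory is constructed, and it assumes that requiresecuritysignature=1 means Required even when enablesecuritysignature is 0 and that smbsigning=1 corresponds to Enabled on both sides of the Data Mover.

```python
"""SMB signing audit built from the page's Figure 4 matrix and Tables 13, 15 and 16."""

DISABLED, ENABLED, REQUIRED = "Disabled", "Enabled", "Required"
NO_SIGNING, SIGNING, FAILURE = "No signing", "Signing in use", "Connection failure"

# Figure 4, keyed as (client setting, server setting).
MATRIX = {
    (DISABLED, DISABLED): NO_SIGNING,
    (DISABLED, ENABLED): NO_SIGNING,
    (DISABLED, REQUIRED): FAILURE,
    (ENABLED, DISABLED): NO_SIGNING,
    (ENABLED, ENABLED): SIGNING,
    (ENABLED, REQUIRED): SIGNING,
    (REQUIRED, DISABLED): FAILURE,
    (REQUIRED, ENABLED): SIGNING,
    (REQUIRED, REQUIRED): SIGNING,
}

# Registry defaults from Table 15 (lanmanserver) and Table 16 (lanmanworkstation).
SERVER_DEFAULTS = {"enablesecuritysignature": 0, "requiresecuritysignature": 0}
CLIENT_DEFAULTS = {"enablesecuritysignature": 1, "requiresecuritysignature": 0}


def setting_from_registry(values, defaults):
    """Map the two Registry entries of one side to Disabled, Enabled or Required."""
    merged = dict(defaults)
    for name, value in values.items():
        key = name.lower()  # Registry value names are case-insensitive
        if key not in defaults:
            raise ValueError("unexpected Registry entry: %s" % name)
        if value not in (0, 1):
            raise ValueError("%s must be 0 or 1, got %r" % (name, value))
        merged[key] = value
    # Assumption: require=1 means Required even if enable was left at 0.
    if merged["requiresecuritysignature"] == 1:
        return REQUIRED
    return ENABLED if merged["enablesecuritysignature"] == 1 else DISABLED


def data_mover_settings(smbsigning):
    """cifs smbsigning drives client side and server side together (Table 13).

    Assumption: 1 is modelled as Enabled and 0 as Disabled on both sides.
    """
    if smbsigning not in (0, 1):
        raise ValueError("smbsigning must be 0 or 1")
    side = ENABLED if smbsigning == 1 else DISABLED
    return {"client": side, "server": side}


def resolve(client, server):
    """Outcome of one transaction according to Figure 4."""
    return MATRIX[(client, server)]


def audit(endpoints):
    """Return (client, server, outcome) for every pair that does not end up signed."""
    findings = []
    for client in sorted(endpoints):
        for server in sorted(endpoints):
            if client == server:
                continue
            outcome = resolve(endpoints[client]["client"], endpoints[server]["server"])
            if outcome != SIGNING:
                findings.append((client, server, outcome))
    return findings


# Constructed inventory: a domain controller that requires signing from clients,
# Data Mover server_2 with smbsigning set to 0, and an NT workstation on defaults.
SAMPLE = {
    "dc01": {"client": ENABLED, "server": REQUIRED},
    "server_2": data_mover_settings(0),
    "nt4-ws": {
        "client": setting_from_registry({}, CLIENT_DEFAULTS),
        "server": setting_from_registry({}, SERVER_DEFAULTS),
    },
}

if __name__ == "__main__":
    for client, server, outcome in audit(SAMPLE):
        print("%-9s -> %-9s %s" % (client, server, outcome))
```

With smbsigning set to 0, the audit reports a connection failure when server_2 acts as a client of the domain controller, which is the role the Data Mover takes when it retrieves GPO settings.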


Automatic computer password change

A system administrator can activate computer password changes by doing one of the following:

◆ Setting a GPO to a password change interval. The Data Mover retrieves this policy and applies it to all CIFS servers within the domain.

◆ Setting the cifs srvpwd.updtMinutes parameter, which is overridden by the GPO policy.

◆ Changing the password change interval for a particular CIFS server using the srvpwd interface, which is overridden by any GPO policy.

The system parameter cifs srvpwd.updtMinutes lets you configure the time interval at which the Data Mover changes passwords with the domain controller. Table 17 provides a description of the parameter.

Table 17 cifs srvpwd.updtMinutes parameter

| Facility | Parameter | Value | Comment/Description |
|---|---|---|---|
| cifs | srvpwd.updtMinutes | 0 (default) disable or <minutes> | Defines the time interval between two server password changes in minutes. This time is UTC (coordinated universal time). 0 disables the password change time interval. <minutes> sets the time interval between password changes in minutes. This value cannot be less than 1440 minutes (one day). The Microsoft default is seven days minus one hour. |


Changing the time interval for password changes

Use this procedure to change the time interval for password changes.

Action

To change the password change time interval, use this command syntax:

$ server_param <movername> -facility <facility_name> -modify <param_name> -value <new_value>

Where:
<movername> = name of the specified Data Mover
<facility_name> = name of the facility to which the parameter belongs
<param_name> = name of the parameter
<new_value> = value you want to set for the specified parameter

Example:
To set the password interval to one day (1440 minutes), type:

$ server_param server_2 -facility cifs -modify srvpwd.updtMinutes -value 1440

Result

server_2: done


Creating a file system as a security log

You can access the Windows security log for a Data Mover in one of two ways:

◆ Using the Microsoft Event Viewer, or

◆ Accessing the security log file directly using an application that can read the Microsoft event log format.

By default, each Data Mover stores its Windows security log at c:\security.evt, which has a size limit of 512 KB. You can directly access this security log through the C$ share of each Data Mover, as shown next:

\\<netbiosnameofdatamover>\C$\security.evt

On a Windows server, the default location is c:\WINNT\System32\config\security.evt. If an application tries to access the Windows security log of a Data Mover at that location, it fails. However, you can change the location and the size limit of the Data Mover's Windows security log by following these steps:

1. Create a file system to store the security log in its new location.

2. Mount the file system on the Data Mover on a mount point called /WINNT and share it.

3. From a CIFS client, connect to the new WINNT share on the Data Mover and create the following under the WINNT directory:

System32\config

This enables you to access the following path:

\\<netbiosnameofdatamover>\C$\WINNT\System32\config

4. As the domain administrator, perform the following steps using the Windows Registry Editor:

WARNING

Incorrectly modifying the Registry may cause serious system-wide problems that require you to reinstall your system. Use this tool at your own risk.

a. Run the Registry Editor (regedt32.exe).

b. From the Registry menu, select the Select Computer option, and select the Data Mover NetBIOS name.

c. From the Window menu, select the Hkey Local Machine on Local Machine subtree, and go to the following key:

System\CurrentControlSet\Services\Eventlog\Security

d. Select the following string:

[File: REG_EXPAND_SZ:c:\security.evt]

e. From the Edit menu, select String.


f. Edit the string with the following information:

c:\WINNT\System32\config\security.evt

g. Click OK and quit the Registry Editor.

All Windows security events on the Data Mover are now logged to the new security event log location.


Managing Windows domains

Celerra CIFS servers act as member servers in Windows domains and provide data storage for domain users. Data stored on the Celerra CIFS file systems contain security metadata (DACLs, SACLs and ownership) associated with the domain SIDs (security IDs) from which the CIFS accounts are derived.

Domain migration support

Due to Microsoft’s end-of-life policy, you may need to perform domain migration from one version of the domain to another. During and after a Windows domain migration process, any data generated by user accounts in the source domain must be accessible by user accounts in the target domain.

Note: Domain migration is a complex task that is not covered in this document. Microsoft documentation provides detailed information on domain migration.

To meet the requirements of data availability during and after domain migration, the Celerra Network Server provides two server_cifs command options, -Migrate and -Replace. These options update the security IDs generated for resources created by CIFS users in one Windows domain (source) to another Windows domain (target):

◆ server_cifs -Migrate: Updates all SIDs from a source domain to the SIDs of a target domain by matching the user and group account names in the source domain to the user and group account names in the target domain. The interface that you specify in this option queries the local server and then its corresponding source and target domain controllers to look up each object’s SID.

◆ server_cifs -Replace: Updates all the SIDs of a file system with the corresponding target domain SIDs. The interface that you specify in this option queries the local server and then its corresponding target domain controller to look up each object’s SID and history SID.

The Celerra Network Server Command Reference Manual provides a detailed description of the server_cifs command.


Table 18 shows the options you can use with the different domains during and after the Windows domain migration process.

Table 18 Security support options for Windows domain migration

| Source domain \ Target domain | Windows NT | Windows 2000/Windows Server 2003 |
|---|---|---|
| Windows NT | Migrate option | Migrate and Replace options |
| Windows 2000/Windows Server 2003 | Migrate option | Migrate and Replace options |

Operational considerations

Review the following before using the server_cifs -Migrate and -Replace command options:

◆ A trust relationship must be established between the source and target domains. This is a Microsoft requirement for domain migration.

◆ User and group accounts must match on the source and target domains.

• The migrate option does not require running any type of domain migration tool beforehand.

• The replace option requires that you first perform account migration using a domain migration tool.

◆ For the migrate option only:

• Both the source and target domain controllers must exist.

• As long as a trust relationship was established between the source and target domain, you can specify the same interface or NetBIOS name in the server_cifs command.

• To use different interfaces or NetBIOS names, you must configure two separate CIFS servers on the Data Mover for the source and target domains.

◆ The replace option provides one quota per user or group.

◆ After running a local group update, stop and start the CIFS service on the Data Mover to ensure all changes are made to the target domain. "Stopping the CIFS service" on page 43 and "Starting the CIFS service" on page 43 provide more information.


Troubleshooting

You can query the EMC WebSupport database for problem information, obtain release notes, or report a Celerra technical problem to EMC on Powerlink, the EMC secure extranet site. The Celerra Problem Resolution Roadmap technical module contains additional information about using Powerlink and resolving problems.

server_log error message construct

The format of the event code can help you narrow the scope of where to look for a message. There are several components in the beginning of each line that are fairly consistent across the entire scope of event logging. For example, the typical event message looks like:

2005-09-16 18:27:21: NFS: 3: commit failed, status = NoPermission
2005-09-16 18:27:23: CFS: 3: Failed to open file, status NoPermission
2005-09-16 18:27:23: LIB: 6: last message repeated 1 times

The Celerra Network Server Command Reference Manual provides detailed information on server_log. This logging mechanism uses the logging facilities typical with many systems.

◆ The first part is the date and time of the logged event.

◆ The second part is the subsystem of the Celerra code that reported the event (for example, NFS, CFS, and LIB).

◆ The third part is a classification code, which is typical of event logging facilities. You can find information on classification codes on most UNIX systems under the header file syslog.h in the directory /usr/include/sys.

The possible classification codes that the Celerra Network Server supports are defined as:

#define LOG_EMERG 0 /* system is unusable */
#define LOG_ALERT 1 /* action must be taken immediately */
#define LOG_CRIT 2 /* critical conditions */
#define LOG_ERR 3 /* error conditions */
#define LOG_WARNING 4 /* warning conditions */
#define LOG_NOTICE 5 /* normal but significant condition */
#define LOG_INFO 6 /* informational */
#define LOG_DEBUG 7 /* debug-level messages */

◆ The fourth part describes the error condition. The error conditions on the first two lines of the example are self-explanatory. The operations being performed are commit and open, with the error condition NoPermission. Other events are not as descriptive.

Kerberos error codes

Kerberos error codes are statuses generally displayed by the SMB subsystem. You can recognize these in the logged events by the appearance of a large negative number.

Example:

2003-07-24 16:29:35: SMB: 3: SSXAK=c0020030 origin=401 stat=e0000,-1765328160


Since Kerberos is standardized, there are public resources for looking up the meanings of a majority of these status codes. One resource on the Web is http://www.net.berkeley.edu/kerberos/k5msgs.html, which provides a good listing of the Kerberos error codes and their definitions.

NT status codes

The NT status codes are reported for CIFS or Microsoft Windows emulation functions on the Celerra product. The NT status codes are 32-bit unsigned integers that are broken up into subgroups of binary data that identify the particulars of an event status. The 32-bit values are laid out as follows:

 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
+---+-+-+-----------------------+-------------------------------+
|Sev|C|R|       Facility        |             Code              |
+---+-+-+-----------------------+-------------------------------+

Where:

Sev - is the severity code:

00 - Success

01 - Informational

10 - Warning

11 - Error

C - is the customer code flag

R - is a reserved bit

Facility - is the facility code

Code - is the facility's status code

Typically, the NT status codes appear in the server_log with a subsystem specification of SMB. The NT status code is presented in several ways in logged system events. Some popular ones are:

◆ A hexadecimal number prefixed by Em=0x:

SMB: 4: authLogon=SamLogonInvalidReply Es=0x0 Em=0xc0000064

◆ A simple hexadecimal number with no prefix nor any indication of its format:

SMB: 4: SSXAuth_SERVER_EXT13 aT=3 mT=1 c0000016

◆ A simple hexadecimal number with a prefix of reply= with no indication of the format:

SMB: 4: lookupNames:bad reply=c0000073

◆ A simple hexadecimal number with a prefix of failed= with no indication of the format:

SMB: 4: SessSetupX failed=c0000016

◆ A hexadecimal number clearly marked as NTStatus= but no indication of the format:

SMB: 4: MsError sendLookupNames=21 NTStatus=c0000073
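The four-part server_log line, the classification codes, the NT status bit layout and the Kerberos convention described above can be applied together when triaging a log. The following Python code is an added example, not part of the Celerra software; the sample lines are the ones quoted on this page, the two status names are those given in Table 19, and treating the last 8-digit hexadecimal token of an SMB message as the candidate NT status is an assumption.

```python
import re
from collections import Counter

# Classification codes listed above (syslog.h levels).
LEVELS = {0: "LOG_EMERG", 1: "LOG_ALERT", 2: "LOG_CRIT", 3: "LOG_ERR",
          4: "LOG_WARNING", 5: "LOG_NOTICE", 6: "LOG_INFO", 7: "LOG_DEBUG"}
SEVERITY = {0: "Success", 1: "Informational", 2: "Warning", 3: "Error"}
# Only the two names this page itself gives (Table 19).
KNOWN_STATUS = {0xC0000064: "STATUS_NO_SUCH_USER",
                0xC000005B: "STATUS_INVALID_PRIMARY_GROUP"}

LINE_RE = re.compile(
    r"^(?:(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): )?"  # date and time, absent in some excerpts
    r"([A-Za-z0-9_]+): ([0-7]): (.*)$")               # subsystem, classification code, text
# An 8-digit hex token with or without 0x, whatever precedes it (Em=, reply=, failed=, ...).
HEX32_RE = re.compile(r"(?<![0-9A-Za-z])(?:0x)?([0-9A-Fa-f]{8})(?![0-9A-Za-z])")
# Kerberos statuses show up as a large negative decimal number.
KRB_RE = re.compile(r"(?<![0-9A-Za-z])-\d{9,}")


def decode_nt_status(value):
    """Split a 32-bit NT status into Sev (2 bits), C, R, Facility (12) and Code (16)."""
    return {
        "value": value,
        "severity": SEVERITY[(value >> 30) & 0x3],
        "customer": (value >> 29) & 0x1,
        "reserved": (value >> 28) & 0x1,
        "facility": (value >> 16) & 0xFFF,
        "code": value & 0xFFFF,
        "name": KNOWN_STATUS.get(value),  # None when the page gives no name
    }


def parse_line(line):
    """Return the parts of one server_log line, or None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    stamp, subsystem, level, text = m.groups()
    event = {"time": stamp, "subsystem": subsystem, "level": LEVELS[int(level)],
             "text": text, "nt_status": None, "kerberos": None}
    if subsystem == "SMB":
        krb = KRB_RE.search(text)
        if krb:
            event["kerberos"] = int(krb.group(0))
        candidates = HEX32_RE.findall(text)
        if candidates:
            # Assumption: the last 8-digit hex token is the status of interest.
            event["nt_status"] = decode_nt_status(int(candidates[-1], 16))
    return event


def status_counts(lines):
    """Count candidate NT status values across SMB events, keyed by lowercase hex."""
    counts = Counter()
    for line in lines:
        event = parse_line(line)
        if event and event["nt_status"]:
            counts["%08x" % event["nt_status"]["value"]] += 1
    return dict(counts)


# Sample lines copied from the examples on this page.
SAMPLE_LINES = [
    "2005-09-16 18:27:21: NFS: 3: commit failed, status = NoPermission",
    "2005-09-16 18:27:23: CFS: 3: Failed to open file, status NoPermission",
    "2005-09-16 18:27:23: LIB: 6: last message repeated 1 times",
    "2003-07-24 16:29:35: SMB: 3: SSXAK=c0020030 origin=401 stat=e0000,-1765328160",
    "SMB: 4: authLogon=SamLogonInvalidReply Es=0x0 Em=0xc0000064",
    "SMB: 4: SSXAuth_SERVER_EXT13 aT=3 mT=1 c0000016",
    "SMB: 4: lookupNames:bad reply=c0000073",
    "SMB: 4: SessSetupX failed=c0000016",
    "SMB: 4: MsError sendLookupNames=21 NTStatus=c0000073",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(parse_line(raw))
    print(status_counts(SAMPLE_LINES))
```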


Error messages

While using the system, various messages appear indicating successful command execution, or in some cases, a failure. Error messages appear when there is a fault in the command syntax or the system, while system messages are continually reported to the log file. Both types of messages reflect the performance of your system and can be used to monitor system efficiency and to troubleshoot problems.

Table 19 lists the CIFS error messages written to the server log when problems occur in the Celerra CIFS facility and the corrective actions to take. The Celerra Network Server Error Messages Guide provides additional information on all Celerra errors.

Table 19 CIFS server log error messages

Message text: \\domain\share Security Descriptor error: Unable to set SD: Error 1337: The security ID structure is invalid. An ERROR occurred on \\domain\share.
Full description: The local groups have not migrated properly.
Corrective action: Contact EMC Customer Service.

Message text: Abort /umount received unable open file
Full description: A file cannot be opened in CIFS; the client gets permission denied. CIFS activity and umount file system or freeze FS for checkpoint update.
Corrective action: This message contains information on why a client is getting an unexpected Permission Denied.

Message text: Access denied
Full description: Attempt to access files or directories with ACLs denying access.
Corrective action: Set the Back up files and directories or Restore files and directories privileges on the system where the pathname is located.

Message text: Bad parameter value, the min value allowed is 0
Full description: The error message when attempting to incorrectly set the cifs.maxLockXPending parameter. Occurs when attempting to change the param value of cifs.maxLockXPending parameter.
Corrective action: Set a value > 0. The range of allowed values is between 0 and #(CIFS threads/2). The Celerra Network Server Parameters Guide provides format and values.

Message text: could not get SIDS for user %d status %d to report file , id, lookup_stat
Full description: The translation user ID to SID failed for the specified UID. Quota report


Message text: Error 4020 : server_x : failed to complete command server_log error message: DomainJoin::doDomjoin:Computer account compname already exists.
Full description: The computer object already exists in the Active Directory and may be in use by either a Data Mover or another server. Also, the servicePrincipalName attribute is set not to accept existing accounts. The join procedure automatically creates a computer object in the Active Directory.
Corrective action: Verify the existing computer object is not used by another system. To join the CIFS server to an existing account, use the reuse option of the server_cifs -Join command.

Message text: Incorrect password or unknown username
Full description: The Windows NT user account may be missing from the PDC domain, or there is no corresponding UNIX account for the Windows NT user.
Corrective action: Add the Windows NT user to the PDC of the domain and map the user to a UNIX username and UID.

Message text: logon of user dvt_b\cdmsadmin failed: c0000064
Full description: C0000064 means STATUS_NO_SUCH_USER.
Corrective action: Check for a CDMS admin user in the specified domain.

Message text: LOG_LOCK,LOG_ERR, Bad parameter for cifs maxLockXPending
Full description: The parameter value specified for cifs.maxLockXPending is not a numerical value.
Corrective action: Set a numerical value. The Celerra Network Server Parameters Guide provides more information.

Message text: migrate sd of \Perl\lib\perllocal.pod has unresolved ACLs, status: c000005b
Full description: C000005B means STATUS_INVALID_PRIMARY_GROUP.
Corrective action: This error occurs when the primary group’s SID is replaced by the primary group SID of the user that is used for migration:
• Generally, this occurs when the SID belongs to a group not supported on the Celerra Network Server. The user should ignore the error.
• If the SID belongs to a nonexistent local group on the Celerra Network Server, the user may not have run the lgdup.exe utility before migration began.

Message text: No domain controller found for the domain.
Full description: In NT security mode, clients are unable to connect to the server, and the window to prompt for username and password does not appear on the client side.
Corrective action: Check if PDC or BDC is up. Check if Data Mover can access a WINS server that knows about the PDC domain, or have the PDC/BDC in the same local subnet as the Data Mover.

Message text: OLE Object: PBrush
Full description: MMC requires Internet Explorer 6.0 in order to use its DOM (Document Object Model) XML parser.
Corrective action: Upgrade the version of your Internet Explorer to 6.0.


Message text: Prealloc value must be integer and not greater than 6
Full description: User tried to set an incorrect value for the parameter cifs.prealloc.
Corrective action: Correct the parameter value (between 0 and 6). The Celerra Network Server Parameters Guide provides values and format.

Message text: RO Error from readdir key=256: 201065600466: UFS: 3: create: this->i_nlink == 0 for ino 11
Full description: An FS event occurred when trying to perform a lookup on the file system to retrieve the node for these names. The lookupComponent fails with error 7 - "not found."

Message text: The Account is not authorized to login from this station
Full description: In a Windows NT environment, Windows clients cannot connect to a server using clear text passwords. (For example, this might occur when the Celerra Network Server is in UNIX mode.) The SMB redirector handles unencrypted passwords differently than previous versions of Windows NT. The SMB redirector does not send an unencrypted password unless you add a Registry entry to enable unencrypted passwords.
Corrective action: Modify the Registry to enable unencrypted passwords.
CAUTION: Incorrectly modifying the Registry may cause serious system-wide problems that may cause you to reinstall your system.
Run Registry Editor (Regedt32.exe).
From the HKEY_LOCAL_MACHINE subtree, go to the following key: System\CurrentControlSet\Services\rdr\parameters
Under this key, create a new DWORD registry key named EnablePlainTextPassword, set its value to 1, and then restart your computer.
Select Add Value on the Edit menu.
Add the following:
Value Name: EnablePlainTextPassword
Data Type: REG_DWORD
Data: 1
Click OK and quit Registry Editor.
Shut down and restart Windows NT.
This procedure was adapted from Article ID: Q166730 of the Microsoft Knowledge Base.

Message text: The SAM database on the Windows NT server does not have a complete account for this workstation trust relationship.
Full description: The server’s NetBIOS name is not registered as a computer account on the PDC domain or a trust relationship is not established between the client and server domains.
Corrective action: If the computer account does exist, remove it and add it again before retrying the command. To set up a trust relationship between domains, refer to Microsoft NT server 4.0 documentation.


Unable to create files or directories in a share that is mapped to a client.

UNIX permission bits are not set to grant permission for the user to write to the shared directory. This situation could only occur if the access policy is set incorrectly.

Change the access policy or mount the directory over NFS on the Control Station or any other UNIX client, and use chmod to set the appropriate UNIX permission to allow the user to write to it.

Vnodepercent must be integer and between 10 and 100

User tried to set an incorrect value in the parameter cifs.vnodepercent.

Correct the parameter value (between 10 and 100). The Celerra Network Server Parameters Guide provides information for values and format.

write to SID file failed

The creation of the SID mapping file failed. Quota report.

Ensure the root file system is not full and can be correctly read/written.

xml_lookupid : groupQuery creation error

Memory saturation: The object groupQuery cannot be created. Quota report or quota creation.

Reboot the Data Mover and report the problem to EMC Customer Service.

xml_lookupid : groupQueryElt creation error

Memory saturation: The object groupQueryElt can’t be created. Quota report or quota creation.

Reboot the Data Mover and report the problem to EMC Customer Service.

xml_lookupid : nameQuery creation error

Memory saturation: The object nameQuery cannot be created. Quota report or quota creation.

Reboot the Data Mover and report the problem to EMC Customer Service.

xml_lookupid : nameQueryElt creation error

Memory saturation: The object nameQueryElt cannot be created. Quota report or quota creation.

Reboot the Data Mover and report the problem to EMC Customer Service.

xml_lookupid : userQuery creation error

Memory saturation: The object userQuery cannot be created. Quota report or quota creation.

Reboot the Data Mover and report the problem to EMC Customer Service.


xml_lookupid : userQueryElt creation error

Memory saturation: The object userQueryElt cannot be created. Quota report or quota creation.

Reboot the Data Mover and report the problem to EMC Customer Service.

xml_lookupname: Cannot create SIDQuery %s , ident

Memory saturation: The object sidQuery cannot be created. Quota report or quota creation.

Reboot the Data Mover and report the problem to EMC Customer Service.

xml_lookupname: gidQuery creation error

Memory saturation: The object gidQuery cannot be created. Quota report or quota creation.

Reboot the Data Mover and report the problem to EMC Customer Service.

xml_lookupname: gidQueryElt creation error

Memory saturation: The object gidQueryElt cannot be created. Quota report or quota creation.

Reboot the Data Mover and report the problem to EMC Customer Service.

xml_lookupname: UID or gid must be numeric , ident

Syntax error in a XML request NAME_LOOKUP.

xml_lookupname: UIDQuery creation error, insufficient memory available

Memory saturation: The object UIDQuery cannot be created. Quota report or quota creation.

Reboot the Data Mover and report the problem to EMC Customer Service.

xml_lookupname: UIDQueryElt creation error, insufficient memory available

Memory saturation: The object UIDQueryElt cannot be created. Quota report or quota creation.

Reboot the Data Mover and report the problem to EMC Customer Service.

Problem Situations

Table 20 lists problem situations you may encounter as well as their definitions and the corrective actions to take.

Table 20 Problem situations

Problem Description Corrective action

With NT user authentication, certain Windows 95 clients may not be able to map drives from the Data Mover.

The domain name sent to the Data Mover by the client was incorrectly specified, or the username.domain is not mapped in the passwd file on the Data Mover.

Verify that the client is sending the correct domain name to the passwd file on the Data Mover. To verify that the client is sending the correct domain, perform the following:

1. In the Network option in the Control Panel, double-click the network client (Client for Microsoft Networks).

2. Under General properties, verify that the correct domain name is shown.

With NT user authentication, Incorrect password or unknown username error message appears after attempts to connect to the server, and the username and password window appears.

The Windows NT user account may be missing from the PDC domain, or the Data Mover was unable to determine a UID to use for this user.

Add the Windows NT user to the PDC of the domain and map the user to a UNIX username and UID.

Unable to create files or directories in a share that is mapped to a client.

UNIX permission bits are not set to grant permission for the user to write to the shared directory.

Note: This situation only occurs if the access policy is set incorrectly. The Managing Celerra for a Multiprotocol Environment technical module provides more information.

Change the access policy or mount the directory over NFS on the Control Station or any other UNIX client, and use chmod to set the appropriate UNIX permission to allow the user to be able to write to it.


Windows NT environment: Windows clients cannot connect to a server using clear text passwords. (For example, this might occur when the Celerra Network Server is in UNIX mode.) The following error message might appear:
The Account is not authorized to login from this station

The SMB redirector handles unencrypted passwords differently than previous versions of Windows NT. The SMB redirector does not send an unencrypted password unless you add a Registry entry to enable unencrypted passwords.

You must modify the Registry to enable unencrypted passwords.

WARNING

Incorrectly modifying the Registry may cause serious system-wide problems that may require you to reinstall your system. Use this tool at your own risk.

1. Run Registry Editor (Regedt32.exe).
2. From the HKEY_LOCAL_MACHINE subtree, go to the following key:
System\CurrentControlSet\Services\rdr\parameters
Under this key, create a new DWORD Registry key named EnablePlainTextPassword, set its value to 1, and then restart your computer.
3. Select Add Value on the Edit menu.
4. Add the following:
Value Name: EnablePlainTextPassword
Data Type: REG_DWORD
Data: 1
5. Click OK and quit Registry Editor.
6. Shut down and restart Windows NT.

Note: Use GPOs for Windows 2000 and Windows Server 2003 clients.

The procedure was adapted from Article ID: Q166730 of the Microsoft Knowledge Base.

With NT user authentication, clients are unable to connect to the server, and the window to prompt for username and password does not appear on the client side.

No domain controller found for the domain.

Check if PDC or BDC is up. Check if Data Mover can access a WINS server that knows about the PDC domain, or have the PDC/BDC in the same local subnet as the Data Mover.

or

The server’s NetBIOS name is not registered as a computer account on the PDC domain or a trust relationship has not been established between the client and server domains. The following message may appear in the server_log:
The SAM database on the Windows NT server does not have a complete account for this workstation trust relationship.

Add a computer account to the PDC. If the computer account does exist, remove it and add it again before retrying the command. To set up a trust relationship between domains, refer to Microsoft NT server 4.0 documentation.


After joining a CIFS server to a domain, the following error appears in the server_cifs output, indicating the system cannot update the DNS record:
FQDN=dm4-a140-ana0.c1t1.pt1.c3lab.nsgprod.emc.com (Update of "A" record failed during update: Operation refused for policy or security reasons)

The DNS server’s zone may include the same FQDN (fully-qualified domain name) for another computer account.

Verify the DNS server’s zone does not have the same FQDN with a different IP address for another computer account.

When attempting to join a CIFS server to a domain, the following error message appears:
Error 4020: server_2 : failed to complete command

Possible server_log error messages:
2004-03-11 13:42:29: SMB: 3: DomainJoin::getAdminCreds: gss_acquire_cred_ext failed: Miscellaneous failure. Clients credentials have been revoked.

2004-03-11 13:42:29: ADMIN: 3: Command failed: domjoin compname=dm3-A121-ana0 domain=c1t1.pt1.c3lab.nsgprod.emc.com admin=c1t1admin password=6173399D179D3999673D init

Domain administrator account was locked out. Typically, this happens when another user is logged in using the same administrator account on another system.

Clear the Account is locked out checkbox on the Account tab of the User Account Properties window.

0xC0000022

2004-04-26 10:49:40: SMB: 3: Srv=<Celerra_netbios_name> buildSecureChanel=Authenticate2InvalidReply E=0xc0000022

Access is denied because the computer was created on the domain controller without enabling the Allow pre-Windows 2000 computers to use this account option on the Windows New Object - Computer dialog box.

Delete the computer and then recreate it with the Allow pre-Windows 2000 computers to use this account option enabled.

After upgrading from a Windows NT domain to Windows 2000, unable to change the original domain suffix during Windows 2000 setup.

Unable to change domain suffix because it was hardcoded in DDNS.

Before upgrading, change the domain suffix.


Access is denied to Internet Information Services (IIS) 6.0 when attempting to connect to the web directory on a Celerra share. In the IIS web log, the error bad user name or password displays even though the user name and password are in the local user database.

For a stand-alone CIFS server with local user support enabled, the user name and password must be the same on IIS 6.0, the Data Mover, and the client.

Specify the same user name and password on IIS 6.0, the Data Mover, and the client.


Related information

For specific information related to the features and functionality described in this technical module, refer to:

◆ Configuring CIFS on Celerra

◆ Managing Celerra for a Multiprotocol Environment

◆ Celerra Network Server Parameters Guide

◆ Celerra Network Server Command Reference Manual

◆ Celerra Network Server Error Messages Guide

◆ Using EMC Utilities for the CIFS Environment

◆ Celerra Network Server User Information Glossary

◆ Using Windows Administrative Tools with Celerra

◆ Managing Celerra Volumes and File Systems Manually

◆ Replicating Celerra CIFS Environments

◆ Installing Celerra Management Applications

◆ Configuring Celerra Time Services

◆ Configuring Virtual Data Movers for Celerra

◆ Using International Character Sets with Celerra

◆ Configuring Celerra Naming Services

◆ Configuring External Usermapper for Celerra

◆ Configuring Celerra User Mapping

The Celerra Network Server Documentation CD, supplied with your Celerra Network Server and also available on Powerlink, provides general information on other EMC® Celerra publications.

Customer training programs

EMC customer training programs are designed to help you learn how EMC storage products work together and integrate within your environment to maximize your entire infrastructure investment. EMC customer training programs feature online and hands-on training in state-of-the-art labs conveniently located throughout the world. EMC customer training programs are developed and delivered by EMC experts. For program information and registration, refer to Powerlink, our customer and partner website.


Appendix A: Additional home directory information

This section provides additional information regarding the optional home directory feature described in "Enabling home directories" on page 46. The information in this section is intended for users who are creating or maintaining home directory configurations.

Home directory database format

This section outlines the format of the entries in the home directory database.

EMC recommends that you use the Home Directory MMC snap-in to create and maintain home directories. The snap-in validates entries and helps to ensure that your entries are correct and complete.

The following table contains the basic home directory database format.

Format

The database contains an entry for each user and uses the following format:

<domain>:<username>:</path> [:regex][:create][:ro][:<umask>]

Where:
<domain> = Windows domain name
<username> = user’s Windows username
</path> = UNIX path of the parent home directory
create = target directory will be created if it does not already exist
regex = domain and/or username are regular expressions
ro = read-only file access (the default is read/write)
<umask> = user file-creation <mask> for the umask allowing NFS permissions to be determined for the share.

The database may contain comments. Comments start with a # on a new line.

Example:
The following is an example of a database:

# Comment - These entries specify users in the galaxy domain.
galaxy:glenn:/mnt1/usr1
galaxy:grissom:/mnt2/usr2
galaxy:armstrong:/mnt2/usr3

Where:
# = character that precedes comment text.
galaxy = Windows domain
glenn, grissom, and armstrong = usernames
/mnt1/usr1, /mnt2/usr2, and /mnt2/usr3 = individual home directories for glenn, grissom, and armstrong, respectively.


Wildcards

Map files can contain wildcard entries. "Wildcards" on page 92 provides more information.

Example:
The following example is a database with wildcard entries:

*:*:/mnt3/guest
galaxy:*:/mnt3/CIFS
galaxy:glenn:/mnt1/usr1
galaxy:grissom:/mnt2/usr2
galaxy:armstrong:/mnt2/usr3

Create

Map files can indicate that directories should be created automatically. The parent directory must exist. In the following example, the directory sales must exist before the directory usr1 can be created.

Example:
The following is an example of a database with a directory entry that will be created automatically:

galaxy:glenn:/mnt1/sales/usr1:create

Regular Expressions

Map file entries can contain regular expressions. The Celerra Management MMC plug-in online help provides a complete discussion on regular expressions.

Example:
The following is an example of a database with regular expression entries:

nasdocs:*:/ufs/user4/<d>/<u>:regex:create
nasdocs:^[a-g]:/ufs/user1/<d>/<u>:regex:create
nasdocs:^[h-p]:/ufs/user2/<d>/<u>:regex:create
nasdocs:^[q-z]:/ufs/user3/<u>/<u>:regex:create

Umask

Map files can contain an NFS permissions mask that sets the permissions on newly created directories and files. This mask does not affect the CIFS ACL.

Note

Each field in the database must be separated by the “:” delimiter.

Wildcards

Map files can contain wildcards (*) for the domain and username fields. Wildcards let you assign home directories to multiple users without making individual entries for each user in the database.

For example, if the username field contains a wildcard, all users from the specified domain match the wildcard entry. In this situation, a directory with the user’s Windows username in its path becomes the user’s home directory.

Therefore, if the database contains the following entry:

galaxy:*:/mnt3/CIFS/

all users in the galaxy domain can access home directories under /mnt3/CIFS/ that match their usernames. For example, user1 in the galaxy domain can access the home directory /mnt3/CIFS/user1, and user2 can access the home directory /mnt3/CIFS/user2.

Wildcard entries should be put at the beginning of the database, with specific entries following. "Parsing order" on page 93 provides an additional explanation.

Regular expressions

You can use regular expressions when you specify the user names and directories.

Note: EMC recommends using the Celerra Management MMC plug-in to create and edit usernames and directories when you are using regular expressions. The MMC plug-in validates your regular expressions as you enter them. If you create or edit the .homedir file and enter incorrect regular expressions, your home directory environment may become unusable.

The Celerra Management MMC plug-in online help provides additional information about the implementation of regular expressions on Celerra.

Parsing order

The Data Mover parses the database from top to bottom. If you use wildcards, there may be multiple matches for a domain:user pair; therefore, when the Data Mover finds a match for a domain:user pair, it then searches the path for the user’s directory. If there is a user directory under the path, that directory is mapped as the user’s HOME directory. If there is no matching directory, the Data Mover continues parsing the database looking for the user’s home directory.

For example, you have a database that contains the following wildcard entries:

galaxy:*:/homes1/
galaxy:*:/homes2/
galaxy:*:/homes3/

You are trying to map a HOME directory for user1 and you have the following directory structures:

/homes1/user1 – does not exist
/homes2/user1 – does exist
/homes3/user1 – does not exist

If the Data Mover looked only for a galaxy:user1 match, it would stop parsing at the first map entry. However, the Data Mover, after finding a galaxy:user1 match, searches the path for a user1 directory—if it does not find a user1 directory, the Data Mover continues parsing the database. In the example above, the Data Mover would find the match under the second entry, and then map that directory as the home directory for user1.
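The database format and the parsing order described above can be checked on a hand-edited map file before it is deployed. The following Python sketch is an added example, not EMC code: it lints each entry and then walks the entries top to bottom the way this section describes. The function names, the sample database and the directory set are constructed for illustration, and the code assumes that regex entries are skipped, that the umask is octal digits, and that a create entry matches when its parent directory exists.

```python
# Lint and resolve a Celerra-style home directory database (added example).
# Assumptions, not from the page: regex entries are parsed but never resolved,
# the umask is octal digits, a `create` entry matches when its parent exists.
import posixpath
from dataclasses import dataclass
from typing import Optional

FLAGS = ("regex", "create", "ro")

@dataclass
class Entry:
    lineno: int
    domain: str
    username: str
    path: str
    regex: bool = False
    create: bool = False
    ro: bool = False
    umask: Optional[str] = None

def parse_line(line, lineno):
    """Return an Entry, None for a blank or comment line, or raise ValueError."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    fields = text.split(":")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        raise ValueError(f"line {lineno}: need <domain>:<username>:</path>")
    if not fields[2].startswith("/"):
        raise ValueError(f"line {lineno}: path is not absolute: {fields[2]!r}")
    entry = Entry(lineno, fields[0], fields[1], fields[2])
    for opt in fields[3:]:
        if opt in FLAGS:
            setattr(entry, opt, True)
        elif opt and entry.umask is None and set(opt) <= set("01234567"):
            entry.umask = opt
        else:
            raise ValueError(f"line {lineno}: unknown option {opt!r}")
    return entry

def parse_database(text):
    """Parse every line and return (entries, errors); bad lines are reported, not fatal."""
    entries, errors = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        try:
            entry = parse_line(line, lineno)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        if entry is not None:
            entries.append(entry)
    return entries, errors

def resolve(entries, domain, user, dir_exists):
    """Walk entries top to bottom; return (home, entry) for the first usable match."""
    # The username becomes a path component, so refuse separators and dot names.
    if not user or "/" in user or "\\" in user or user in (".", ".."):
        raise ValueError(f"unsafe username: {user!r}")
    for e in entries:
        if e.regex:
            continue  # regex matching is outside this example (see assumptions)
        if e.domain not in ("*", domain) or e.username not in ("*", user):
            continue
        # Wildcard username: the home is <path>/<user>. Explicit entry: the path itself.
        if e.username == "*":
            home = posixpath.join(e.path, user)
        else:
            home = e.path.rstrip("/") or "/"
        if dir_exists(home):
            return home, e
        if e.create and dir_exists(posixpath.dirname(home)):
            return home, e
    return None

# Constructed sample built from the page's examples; line 6 is deliberately malformed.
SAMPLE_DB = """\
# Comment - wildcard entries for the galaxy domain
galaxy:*:/homes1/
galaxy:*:/homes2/
galaxy:*:/homes3/
galaxy:glenn:/mnt1/sales/usr1:create:ro:022
galaxy:grissom:mnt2/usr2
"""
EXISTING_DIRS = {"/homes2/user1", "/mnt1/sales"}  # constructed directory tree

if __name__ == "__main__":
    db, problems = parse_database(SAMPLE_DB)
    print(problems, resolve(db, "galaxy", "user1", EXISTING_DIRS.__contains__))
```

With the constructed directory set, user1 resolves through the second wildcard entry, as in the page's walk-through, and the malformed grissom line is reported instead of being silently ignored.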

Guest accounts

For occasional or guest users, you can specify a guest directory in the database. Users who log in from domains not listed in the database are directed to the guest directory. A guest directory entry contains wildcards for the domain and the username as shown in the following example:

*:*:/mnt3/guest


Disabling home directories on the Data Mover

Use the following command syntax to disable home directories on the Data Mover.

$ server_cifs <movername> -option homedir=no

Where:

<movername> = name of the Data Mover


About this technical module

As part of its effort to continuously improve and enhance the performance and capabilities of the Celerra Network Server product line, EMC from time to time releases new revisions of Celerra hardware and software. Therefore, some functions described in this document may not be supported by all revisions of Celerra software or hardware presently in use. For the most up-to-date information on product features, see your product release notes. If your Celerra system does not offer a function described in this document, contact your EMC Customer Support Representative for a hardware upgrade or software update.

Comments and suggestions about documentation

Your suggestions will help us improve the accuracy, organization, and overall quality of the user documentation. Send a message to [email protected] with your opinions of this document.

Copyright © 1998-2006 EMC Corporation. All rights reserved.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.

All other trademarks used herein are the property of their respective owners.
