Managing Celerra for the Windows Environment

(1)

Managing Celerra

for the Windows Environment

P/N 300-002-679 Rev A01

Version 5.5

March 2006

(2)

Ensuring synchronous writes. . . 38

Opportunistic file locking . . . 38

File change notification . . . 39

Reexporting all Celerra file systems . . . 41

Disabling access to all file systems on a Data Mover . . . 42

Stopping and starting the CIFS service . . . 43

Stopping the CIFS service. . . 43

Starting the CIFS service. . . 43

Deleting a CIFS server . . . 44

Deleting a CIFS server (Windows 2000/Windows Server 2003) . . . . 44

Deleting a CIFS server (Windows NT) . . . 45

Enabling home directories . . . 46

Restrictions. . . 47

Creating the database . . . 47

Enabling home directories on the Data Mover . . . 47

Creating the home directory file . . . 48

Supporting Group Policy Objects . . . 52

Introduction to Microsoft Group Policy Objects . . . 52

GPO support on the Celerra Network Server . . . 52

Supported settings. . . 53

Multiple CIFS servers on a Data Mover . . . 54

Displaying GPO settings . . . 56

Updating GPO settings . . . 59

Disabling GPO support . . . 60

Disabling GPO caching . . . 61

Alternate data stream support . . . 63

ADS support on the Celerra Network Server. . . 64

Disabling ADS support . . . 64

Using SMB signing . . . 66

SMB signing resolution . . . 66

Configuring SMB signing . . . 67

Automatic computer password change . . . 72

Changing the time interval for password changes . . . 73

Creating a file system as a security log . . . 74

Managing Windows domains . . . 76

Domain migration support . . . 76

Operational considerations. . . 77

Troubleshooting . . . 78

server_log error message construct . . . 78

Kerberos error codes. . . 78

NT status codes . . . 79

Error messages . . . 80

Problem Situations. . . 84

Related information. . . 89

Customer training programs. . . 89

Appendix A: Additional home directory information. . . 91

Home directory database format . . . 91

(3)

Introduction

The Celerra®_{Network Server supports the CIFS (Common Internet File Service)}

protocol, which allows Microsoft Windows clients to access files stored on the Celerra Network Server. After you have configured the Celerra Network Server to support Windows clients on the network, you may need to perform some of the additional configuration and management procedures in this technical module to maintain your Celerra CIFS servers.

This technical module is part of the Celerra Network Server information set and is intended for system administrators responsible for managing the Celerra Network Server in their Windows network.

Windows and multiprotocol documentation

The following technical modules in the Celerra Network Server information set explain how to configure and manage Celerra in a Windows environment and a multiprotocol environment:

◆ Configuring CIFS on Celerra: explains how to configure a basic CIFS

configuration on the Celerra Network Server using the command line interface (CLI). You can also configure this initial environment using the Celerra Manager.

◆ Managing Celerra for the Windows Environment: contains advanced

procedures you may need to perform after the initial configuration of CIFS on the Celerra Network Server and instructions for modifying and managing Celerra in a Windows environment.

◆ Managing Celerra for a Multiprotocol Environment: contains procedures for

configuring and managing Celerra in a mixed environment of UNIX and Windows clients.

Terminology

These terms are important to understanding the Celerra Network Server in the Windows environment. The Celerra Network Server User Information Glossary provides a complete list of Celerra terminology.

ACL (Access Control List): In Windows, a list of access control entries (ACEs) that provide information about the users and groups that are allowed access to an object.

Active Directory: An advanced directory service included with Windows 2000 Servers. It stores information about objects on a network and makes this

information available to users and network administrators through a protocol such as LDAP.

authentication: The process for verifying the identity of a user who is trying to access a resource or object, such as a file or a directory.

CIFS (Common Internet File Service): A file-sharing protocol based on the Microsoft Server Message Block (SMB). It allows users to share file systems over the Internet

(4)

CIFS Server: A logical server that uses the CIFS protocol to transfer files. A Data Mover can host many instances of a CIFS Server. Each instance is referred to as a CIFS server.

CIFS Service: A CIFS server process that runs on the Data Mover and presents shares on a network as well as on Windows-based computers.

Data Mover: Celerra Network Server cabinet component running its own operating system that retrieves files from storage devices and makes them available to a network client.

Default CIFS Server: The CIFS server that is created when you add a CIFS server and do not specify any interfaces (with the interfaces= option of the

server_cifs -add command). The default CIFS server uses all interfaces not

assigned to other CIFS servers on the Data Mover.

DNS (Domain Name System): A name resolution software that allows users to locate computers and services on a UNIX network or TCP/IP network by name. The DNS server maintains a database of domain names, hostnames and their corresponding IP addresses, and services provided by these hosts.

domain: A logical grouping of Microsoft Windows servers and other computers that share common security and user account information. All resources such as computers and users are members of the domain and have an account in the domain that uniquely identifies them. The domain administrator creates one user account for each user in the domain, and the users log in to the domain once. Users do not log in to each individual server.

file system: A method of cataloging and managing the files and directories on a storage system.

GPO: In Windows 2000 or Windows Server 2003, administrators can use Group Policy Objects to define configuration options for groups of users and computers. Windows Group Policy Objects can control elements such as local, domain, and network security settings.

NetBIOS: Network basic input/output system. A network programming interface and protocol developed for IBM personal computers.

NetBIOS name: A name that is recognized by WINS, which maps the name to an IP address.

share name: The name given to the resource on a file system or the file system itself that was made available from a particular CIFS server to CIFS users. There may be multiple shares with the same name, shared from different CIFS servers. SMB Server Message Block: The underlying protocol used by the Common Internet File System (CIFS) protocol that was enhanced for use on the Internet to request file, print, and communication services from a server over the network. The CIFS protocol uses SMB to provide file access and transfer to many types of network hosts. The SMB protocol is an open, cross-platform protocol for distributed file sharing, and it is supported by all Windows platforms.

Virtual Data Mover (VDM): A Celerra software feature that enables users to administratively separate CIFS servers, replicate their CIFS environments, and

(5)

Windows 2000/Windows Server 2003 domain: A Microsoft Windows domain

controlled and managed by a Microsoft Windows 2000/Windows 2003 server using the Active Directory to manage all system resources and using the DNS for name resolution.

Windows NT domain: A Microsoft Windows domain controlled and managed by a Microsoft Windows NT server using a SAM (Storage Area Management) database to manage user and group accounts and a NetBIOS namespace. In a Windows NT domain, there is one primary domain controller (PDC) that has a read/write copy of the SAM, and possibly several backup domain controllers (BDCs) with read-only copies of the SAM.

(6)

System requirements

This section describes the Celerra Network Server software, hardware, network, and storage configurations required for using CIFS as described in this technical module.

EMC NAS Interoperability Matrix

The EMC NAS Interoperability Matrix is available on Powerlink™. It contains definitive information on supported software and hardware, such as backup software, Fibre Channel switches, and application support for Celerra network-attached storage (NAS) products.

Table 1 System requirements for CIFS

Software Celerra Network Server Version 5.5 or later Hardware Celerra Network Server

Network

Windows 2000, Windows Server 2003, or Windows NT domain. You must configure the domains with the following:

• Windows 2000 or Windows Server 2003 domains: AD (Active Directory)

DNS (Domain Name System) NTP (Network Time Protocol) server • Windows NT Domains:

WINS (Windows Internet Naming Service) server Storage No specific storage requirements

(7)

MMC snap-ins and programs for Windows

The Celerra Network Server supports a set of Microsoft Management Console (MMC) snap-ins and programs for managing Celerra users and Data Mover security settings from a Windows 2000, Windows Server 2003, or Windows XP computer. Refer to the online Help for a snap-in or program for more information.

Celerra UNIX Attributes Migration tool

Celerra UNIX Attributes Migration is a tool you can use to migrate existing UNIX users from the Celerra Network Server to the Windows Active Directory. You can select the UNIX attributes (UIDs and GIDs) to add to the Active Directory. To add new users or groups, or to modify existing UNIX attributes, refer to the Celerra UNIX User Management Snap-in and Celerra UNIX Property Page Extensions in Active Directory Users and Computers (ADUC).

Celerra UNIX User Management snap-in

Celerra UNIX User Management is an MMC snap-in to the Celerra Management Console that you can use to assign, remove, or modify UNIX attributes for a single Windows user or group on the local domain and on remote domains. You also use this snap-in to select the location of the attribute database. This location can either be in a local or a remote domain. You would choose to store the attribute database in the Active Directory of a local domain if:

◆ You have only one domain. ◆ Trusts are not allowed.

◆ You have no need to centralize your UNIX user management information.

You would choose a remote domain if:

◆ You have multiple domains.

◆ Bidirectional trusts between domains that need to access the attribute database

already exist.

◆ You want to centralize your UNIX user management.

Celerra UNIX property page extensions in ADUC

Celerra UNIX Users and Groups property pages are extensions to ADUC. You can use these property pages to assign, remove, or modify UNIX attributes for a single Windows user or group on the local domain. You cannot use this feature to manage users or groups on a remote domain.

Celerra Data Mover Management snap-in

Celerra Data Mover management comprises several MMC snap-ins. You can use these snap-ins to manage virus-checking, home directories, and security settings on Data Movers from a Windows 2000, Windows Server 2003, or Window XP

(8)

Celerra AntiVirus Management

You can use the Celerra AntiVirus Management snap-in to manage the virus-checking parameters (viruschecker.conf file) used with Celerra AntiVirus

Agent (CAVA) and third-party antivirus programs. The Celerra AntiVirus Agent and a third-party antivirus program must be installed on the Windows NT, Windows 2000, or Windows Server 2003 server. The Using Celerra AntiVirus Agenttechnical module provides more details about CAVA.

Celerra Home Directory Management snap-in

You can use the Celerra Home Directory Management snap-in to associate a username with a directory that then acts as the user’s home directory. The home directory feature simplifies the administration of personal shares and the process of connecting to them.

Data Mover Security Settings snap-in

Celerra Data Mover Security Settings comprises the Audit Policy node and the User Rights Assignment node.

Celerra Audit Policy

You can use the Celerra Audit Policy node to determine which Data Mover security events are logged in the Security log. You can then view the Security log using the Windows Event Viewer. You can select to log successful attempts, failed attempts, both, or neither. The audit policies that appear in the Audit Policy node are a subset of the policies available as Group Policy Objects (GPOs) in ADUC. Audit policies are local policies and apply only to the selected Data Mover. You cannot use the Audit Policy node to manage GPO audit policies.

Celerra User Rights Assignment

You can use the Celerra User Rights Assignment node to manage which users and groups have login and task privileges to a Data Mover. The user rights assignments that appear in the User Rights Assignment node are a subset of the user rights assignments available as GPOs in ADUC. User rights assignments are local policies and apply only to the selected Data Mover. You cannot use the User Rights Assignment node to manage GPO policies.

(9)

User interface choices

The Celerra Network Server offers flexibility in managing networked storage based on your support environment and interface preferences. This technical module describes how to configure CIFS on a Data Mover using the command line interface (CLI). You can also perform many of these tasks using one of the Celerra

management applications:

◆ Celerra Manager - Basic Edition ◆ Celerra Manager - Advanced Edition

◆ Microsoft Management Console (MMC) snap-ins (Windows 2000 and Windows

Server 2003 only)

◆ Active Directory Users and Computers extensions (Windows 2000 and

Windows Server 2003 only)

For additional information about managing your Celerra, refer to:

◆ Learning about Celerra ◆ Celerra Manager Online Help ◆ Monitoring Celerra

◆ Application’s online help system on the Celerra Network Server Documentation

CD

The Installing Celerra Management Applications technical module includes

instructions on launching Celerra Manager, and on installing the MMC snap-ins and the ADUC extensions.

(10)

Managing Windows roadmap

Table 2 lists the tasks to manage Windows as described in this technical module. Table 2 CIFS management

Task Procedure

Display the current CIFS configuration for a Data Mover.

"Checking the current CIFS configuration" on page 11

Add, delete, enable, and disable a network interface for a CIFS server.

"Managing network interfaces" on page 12

Manage the DNS server configuration. "Managing DNS on a Data Mover" on page 13

Create and modify the following elements to an existing CIFS configuration:

• WINS server

• NetBIOS name to a Windows 2000 or Windows Server 2003 configuration • Computer name or NetBIOS name aliases • Comments

• CIFS server password

"Modifying a CIFS configuration" on page 14

Create CIFS servers and join to a Windows domain with the following configurations:

• "Same namespace without a delegated join" on page 28

• "Same namespace and a delegated join" on page 31

• "Disjoint namespace without a delegated join" on page 33

• "Disjoint namespace and a delegated join" on page 35

Start and stop the CIFS service on a Data Mover.

"Reexporting all Celerra file systems" on page 41

Delete a CIFS server by deleting the NetBIOS or compname for the server.

"Deleting a CIFS server" on page 44

Manage Group Policy Objects. "Supporting Group Policy Objects" on page 52

Manage Multiple Data Stream support. "Alternate data stream support" on page 63

Configure or disable SMB (Server Message Block) signing.

Using SMB signing on page 66

Set the time interval at which the Data Mover changes passwords with the domain controller.

"Automatic computer password change" on page 72

Generate a file system for use as a security log. "Creating a file system as a security log" on page 74

(11)

Checking the current CIFS configuration

Use this command to check the current CIFS configuration on a Data Mover. Action

To display the CIFS configuration for a Data Mover, use this command syntax:

$ server_cifs <movername>

Where:

<movername> = name of the specified Data Mover

Example:

To display the CIFS configuration for server_2, type: $ server_cifs server_2

Output

If CIFS service is started server_2 :

256 Cifs threads started Security mode = NT Max protocol = NT1 I18N mode = ASCII

Home Directory Shares DISABLED Usermapper auto broadcast enabled

Usermapper[0] = [127.0.0.1] state:active (auto discovered)

Enabled interfaces: (All interfaces are enabled)

Disabled interfaces: (No interface disabled)

If CIFS Service is not started $ server_cifs server_2 server_2 :

Cifs NOT started Security mode = NT Max protocol = NT1 I18N mode = ASCII

Home Directory Shares DISABLED Usermapper auto broadcast enabled

Usermapper[0] = [127.0.0.1] state:active (auto discovered)

(12)

Managing network interfaces

The Configuring and Managing Celerra Networking technical module provides information about managing network interfaces.

Output (if CIFS service is not started) server_2 :

Cifs NOT started

Security mode = NT Max protocol = NT1 I18N mode = UNICODE

Home Directory Shares DISABLED

Usermapper[0] = [172.24.100.121] last access 0

Disabled interfaces: (No interface disabled)

CIFS Server DPDOVDM1[CIFS] RC=4

Full computer name=dpdovdm1.cifs.eng.fr realm=CIFS.ENG.FR Active directory usermapper's domain: "not yet located" Comment='EMC-SNAS:T5.4.2.9'

if=dpdo:1 l=10.64.220.83 b=10.64.223.255 mac=0:0:92:a7:b0:24 FQDN=dpdovdm1.cifs.eng.fr (Updated to DNS)

(13)

Managing DNS on a Data Mover

Within a Windows 2000 and a Windows Server 2003 environment, a DNS

configuration on a Data Mover is required to add a computer name and join it to a Windows domain. You can configure an unlimited number of DNS domains per Data Mover, and each domain can have up to three DNS servers.

The Configuring Celerra Naming Services technical module provides procedures to configure, start, stop, and manage your DNS servers.

(14)

Modifying a CIFS configuration

After creating the initial CIFS configuration and starting the CIFS service, you may need to add or modify various elements in the CIFS configuration on a Data Mover.

Table 3 explains the tasks to modify a CIFS configuration.

Note: The Configuring CIFS on Celerra technical module explains how to configure additional CIFS servers on a Data Mover.

Adding a WINS server

The Celerra Network Server registers its NetBIOS name with the WINS (Windows Internet Name Service) server automatically. The WINS server distributes the NetBIOS name to users, and provides the NetBIOS name resolution of users and computers to IP addresses to the Data Mover. The WINS server is not mandatory if name resolution is done through DNS. There is no limit to the number of WINS servers that you can configure for a Data Mover.

If you have multiple CIFS configurations (NetBIOS/compname) on a Data Mover, consider using a WINS server per interface rather than per Data Mover. This eliminates the possibility of CIFS clients attempting to resolve unwanted Data Mover NetBIOS names over the WINS server.

Note: If you have only one subnet reached by each IP interface, and performance is not an issue, the WINS server is not mandatory. If you have more than one subnet, you must specify a WINS server. You can however, specify more than one WINS server to provide more robust networking capabilities.

Table 3 Modifying a CIFS configuration

Task Action Procedure

1. Add a WINS server to an existing CIFS server.

"Adding a WINS server" on page 14

2. Rename an existing NetBIOS name. "Renaming a NetBIOS name" on page 15

3. Create NetBIOS or computer name aliases.

"Assigning aliases to NetBIOS and computer names" on page 16

4. Add informational comments to a CIFS server.

"Associating comments with CIFS servers" on page 19

5. Change the CIFS server password. "Changing the CIFS server password" on page 22

(15)

Use this command to add a WINS server for use by all CIFS servers on a Data Mover.

Renaming a NetBIOS name

When you change a NetBIOS name, the system does the following:

◆ Temporarily suspends NetBIOS availability and disconnects all clients

connected to it.

◆ Updates the local groups related to the new NetBIOS name. ◆ Updates all the shares corresponding to the new NetBIOS name.

◆ Maintains the account password between the server and the domain controller. ◆ Unregisters the original NetBIOS name, and then registers the new name in all

the WINS servers.

◆ Retains all aliases associated with the original NetBIOS name. ◆ Resumes renamed NetBIOS availability.

Note: For Windows 2000 and Windows Server 2003, you cannot rename a NetBIOS name if the CIFS server is joined to a Windows domain. If the CIFS server is joined to a domain, unjoin the server. After performing the rename, join the CIFS server to the domain.

!

CAUTION

!

The server_cifs -Join and -Unjoin procedures generate a new computer

account for the compname, which results in the computer name losing its original account.

Action

To add a WINS server to your CIFS configuration, use this command syntax:

$ server_cifs <movername> -add wins=<ip_addr>[,wins=<ip_addr>,...]

Where:

<movername> = name of the specified Data Mover <ip_addr> = IP address of the WINS server

Note: The system processes a list of WINS servers in the order in which you add them in the

wins= option, with the first one being the preferred WINS server. For example, if the WINS server

times out after 1500 milliseconds, the system uses the next WINS server in the list. Use the

wins.TimeOutMS parameter to configure WINS timeout.

Example:

To add two WINS servers to server_2, type:

$ server_cifs server_2 -add wins=172.31.255.255,wins=172.168.255.255

Output

(16)

Before performing the rename function, you must add the new NetBIOS name to the domain using the Windows NT Server Manager or the Windows 2000 and Windows Server 2003 Users and Computers MMC snap-in.

Note: The rename command changes the NetBIOS name of the server but not the compname name of that server. Contact EMC Customer Service for instructions on renaming a compname.

Use this command to rename a NetBIOS name in an existing CIFS server.

Assigning aliases to NetBIOS and computer names

You can assign aliases to NetBIOS names and computer names. Aliases provide multiple, alternative identities for a given resource. Because aliases act as the secondary names, the aliases share the same set of local groups and shares as the primary NetBIOS name or computer name.

A NetBIOS alias registers the alternative name in WINS, not in DNS. If you want the NetBIOS alias to appear in DNS, you must add it to DNS.

The client can connect to an alias through the Network Neighborhood, Windows Explorer, or by using the Map Network Drive window.

You can add aliases to an existing server or when creating a new server.

Naming conventions

Based on the Microsoft requirements, aliases must be unique across a domain for WINS registration and broadcast announcements. Aliases must also be unique on the same Data Mover to avoid WINS name conflicts.

The alias name is limited to 15 characters. It cannot begin with the at sign (@) or the dash (-), and it cannot include spaces, tabs, and the following characters:

Action

To rename a NetBIOS name, use this command syntax:

$ server_cifs <movername> -rename -netbios <old_name> <new_name>

Where:

<movername> = name of the specified Data Mover. <old_name> = current NetBIOS name.

<new_name> = new NetBIOS name. NetBIOS names must be unique and limited to 15 characters

and cannot begin with an @ (at sign) or - (dash) character. The name also cannot include white space, tab characters, or the following symbols:

/ \ : ; , = * + | [ ] ? < > "

Example:

To rename the NetBIOS name of dm102-cge0 to dm112-cge0 on server_2, type: $ server_cifs server_2 -rename -netbios dm102-cge0 dm112-cge0

Output

(17)

For performance reasons, it is recommended that you limit the number of aliases to 10 per CIFS server.

Adding an alias to a CIFS server

Use this command to assign one or more aliases to a computer name.

Adding a NetBIOS alias to the NetBIOS name

Use this command to assign one or more aliases to a NetBIOS name. Action

To add an alias to a CIFS server, use this command syntax:

$ server_cifs <movername> -add compname=<comp_name>,

domain=<full_domain_name>,alias=<alias_name>[,alias=<alias_name2>...]

Where:

<comp_name> = name of the CIFS server in the named domain

<full_domain_name> = the full domain name for the Windows environment; must contain a dot

(example: domain.com)

<alias_name> = alias for the computer name

Example:

To declare three aliases for computer name big_comp, type: $ server_cifs server_2 -a compname=winserver1,domain=NASDOCS,alias=winserver1-a1, alias=winserver1-a2,alias=winserver-a3 Output server_2 : done Action

To add a NetBIOS alias to the NetBIOS name, use this command syntax:

$ server_cifs <movername> -add netbios=<netbios_name>,

domain=<domain_name>,alias=<alias_name>[,alias=<alias_name2>...]

Where:

<movername> = name of the specified Data Mover <netbios_name> = NetBIOS name for the CIFS server <domain_name> = domain name for the Windows environment <alias_name> = alias for the NetBIOS name

Example:

To declare three aliases for NetBIOS dm102-cge0, type: $ server_cifs server_2 -a

netbios=dm102-cge0,domain=NASDOCS,alias=dm102-cge0-a1,dm102-cge0-a2,dm102-cge0-a3

Output

(18)

Deleting a CIFS server alias

Use this command to delete one or more aliases assigned to the computer name.

Deleting a NetBIOS alias

Use this command to delete one or more aliases assigned to a NetBIOS name. Action

To delete a compname alias, use this command syntax:

$ server_cifs <movername> -delete compname=<comp_name>,

alias=<alias_name>[,alias=<alias_name2>,...]

Where:

<movername> = name of the specified Data Mover <comp_name> = name of the CIFS server

<alias_name> = alias for the computer name

CAUTION

!

If you do not specify the alias name in this command, the entire CIFS configuration, as identified by its computer name, is deleted.

Example:

To delete the dm102-cge0-a1 alias assigned to winserver1, type:

$ server_cifs server_2 -delete compname=winserver1,alias=winserver-a1

Output

server_2: done

Action

To delete one or more NetBIOS aliases from a CIFS server, use this command syntax:

$ server_cifs <movername> -delete netbios=<netbios_name>,

alias=<alias_name>[,alias=<alias_name2>,...]

Where:

<movername> = name of the specified Data Mover <netbios_name> = NetBIOS name for the CIFS server <alias_name> = alias for the NetBIOS name

CAUTION

!

If you do not specify the alias name in this command, the entire CIFS configuration, as identified by its NetBIOS name, is deleted.

Example:

To delete the dm102-cge0-a2 alias assigned to dm102-cge0, type:

$ server_cifs server_2 -delete netbios=dm102-cge0,alias=dm102-cge0-a2

(19)

Viewing aliases

Use this command to view the aliases for a Data Mover.

Associating comments with CIFS servers

You can associate a comment, enclosed in quotation marks, with a CIFS server by using the server_cifs -add command. Comments let you add descriptive

information to a CIFS server.

This section contains information on the following:

◆ Adding comments ◆ Changing comments ◆ Viewing comments

◆ Comment restrictions for Windows XP clients

Action

To list a server’s aliases, use this command syntax:

$ server_cifs <movername>

Where:

Example:

To view the aliases for server_2, type: $ server_cifs server_2

Output

CIFS Server (Default) dm102-cge0 [C1T1]

Alias(es): dm102-cge0-a1,dm102-cge0-a2,dm102-cge0-a3

Full computer name=dm2-cge0.c1t1.pt1.c3lab.nasdocs.emc.com realm=C1T1.PT1.C3LAB.NASDOCS.EMC.COM

Comment='EMC-SNAS:T5.2.7.2'

if=cge0 l=172.24.100.55 b=172.24.100.255 mac=0:6:2b:4:0:7f FQDN=dm102-cge0.c1t1.pt1.c3lab.nasdocs.emc.com (Updated to DNS)

(20)

Adding comments

You can add comments when you initially create the CIFS server or after the CIFS server was created. Add comments with either of the following commands from the Celerra CLI.

Changing comments

To change a comment, repeat the server_cifs -add command with the new

comment. You may notice a delay in the comment change when browsing the domain computers. This delay is caused by the Data Mover broadcasting its name and comment approximately every 12 minutes (except on startup, when it

broadcasts five times in the first minute).

You cannot currently add or change comments through Server Manager or the Computer Management MMC. You can change comments only through the

server_cifs -add command.

Action

To add comments in a Windows NT environments, use this command syntax:

$ server_cifs <movername> -add netbios=<netbios_name>,

domain=<domain_name> -comment “<comment>”

To add comments in a Windows 2000 or Windows Server 2003 environment, use this command syntax:

domain=<full_domain_name> -comment “<comment>”

Where:

<movername> = name of the specified Data Mover.

<netbios_name> = NetBIOS name for the CIFS server. The NetBIOS name must be unique and

limited to 15 characters. It cannot begin with @ (at sign) or - (dash) and it cannot include spaces,

tabs, and the following symbols: / \ : ; , = * + | [ ] ? < > "

<comp_name> = a Windows 2000 or Windows Server 2003-compatible CIFS server; can be up to

63 UTF-8 characters.

<domain_name> = domain name for the Windows environment.

(example: domain.com).

<comment> = your comment. Limited a comment to 48 ASCII characters and enclose in double

quotation marks. Currently, international characters are not supported for comments.

• Restricted Characters: You cannot use double quotation ("), semi-colon (;), accent (`), and comma (,) characters within the body of a comment. Attempting to use these special characters results in an error message. In addition, you can only use an exclamation point (!) if it is preceded by a single quotation mark (’).

• Default Comments: If you do not explicitly add a comment, the system adds a default comment of the form EMC-SNAS:T<x.x.x.x> where <x.x.x.x> is the version of the NAS

software. Example:

To add the comment “EMC_Celerra_Network_Server” to server_2 in a Windows NT

environment, type:

$ server_cifs server_2 -add netbios=dm32-ana0,domain=capitals -comment

(21)

Clearing comments

To clear a comment, issue the server_cifs -add command with a one-space

comment as in the following example:

$ server_cifs server_2 -add netbios=dm32-ana0,domain=capitals

-comment " "

Viewing comments

You can view a server’s comment from the Celerra Network Server CLI. In addition, comments appear in certain parts of various Windows interfaces.

Viewing comments from the CLI

When you view a CIFS server configuration with the server_cifs command from

the Celerra Network Server CLI, the comment appears with other information about the CIFS server.

Example The following example shows how to view comments using the server_cifs

command.

Viewing comments from Windows

Windows 2000, Windows Server 2003, Windows NT, and Windows XP sometimes use comments in parts of the Windows interface. Comments may appear in the following instances:

◆ As the name of mapped network drives in the My Computer or Explorer window

(Windows XP only)

◆ As the computer name in a domain window

Comment restrictions for Windows XP clients

Action

To view the configuration information for server_2, type: $ server_cifs server_2

Output server_2 :

32 Cifs threads started Security mode = NT . (material deleted) . DOMAIN CAPITALS SID=S-1-5-15-c6ab149b-92d87510-a3e900fb-ffffffff >DC=BOSTON(172.16.20.10) ref=2 time=0 ms

DC=NEWYORK(172.16.20.50) ref=1 time=0 ms

CIFS Server (Default) DM32-ANA0[CAPITALS] (Hidden) Alias(es): CFS32

Comment=’EMCCelerraNetworkServer’

if=ana0 l=172.16.21.202 b=172.16.21.255 mac=0:0:d1:1d:b7:25 if=ana1 l=172.16.21.207 b=172.16.21.255 mac=0:0:d1:1d:b7:26

(22)

immediately reflected to the Windows XP client. However, in the Windows XP Explorer, the names of mapped network drives do not reflect the change.

When you first map a network drive on a Windows XP client, the client stores the comment in the local Registry and displays the comment as the name of the mapped drive. The client continues to use the stored comment as the mapped drive name until you manually change the Registry. If you manually change the name of the mapped network drive from Explorer or My Computer, the changed name is stored in another Registry entry and the client uses this name until you change it again from Explorer or in the Registry.

Recommendation Due to the previous Windows XP client restrictions, EMC recommends that you set the comment as part of the initial CIFS server setup.

Changing the CIFS server password

Use this command to reset the CIFS password and encryption keys. "Automatic computer password change" on page 72 explains how to set the time interval at which the Data Mover changes passwords with the domain controller.

Action

To reset the CIFS password and encryption keys, use this command syntax:

$ server_cifs <movername> -Join compname=<comp_name>,

domain=<full_domain_name>,admin=<admin_name> -o resetserverpasswd

Where:

<movername> = name of the specified Data Mover. <comp_name> = name of the CIFS server.

(example: domain.com).

<admin_name> = the login name of the user with administrative rights in the domain. The user is

prompted to type a password for the admin account. Example:

To reset the CIFS password and encryption keys for server_2, type: $ server_cifs server_2 -Join compname=winserver1,

domain=nasdocs.emc.com,admin=compadmin -o resetserverpasswd

Output

server_2: Enter Password: ****** done

(23)

Advanced procedures for joining CIFS servers to

Windows domains

This section outlines the procedures for joining CIFS servers to Windows domains in different configurations.

Note: When attempting to resolve computer NetBIOS names in environments with

Windows 2000 or Windows Server 2003, the Celerra Network Server may try to resolve the name through a broadcast or by querying the Windows Internet Name Service (WINS) server. Since Windows operating systems limit NetBIOS names to 15 characters, name resolution through broadcast and WINS queries is possible only for computer names that are 15 characters or less. If you specify a NetBIOS name longer than 15 characters, it is truncated.

Windows NT servers are automatically joined to a domain when created.

Configuration prerequisites

The configuration prerequisites pertain to the following procedures:

◆ "Disjoint namespace without a delegated join" (steps 1 through 11) ◆ "Disjoint namespace and a delegated join" (steps 1 through 14) ◆ "Same namespace and a delegated join" (steps 12 through 14)

The configuration prerequisites contain the following steps:

◆ Steps 1-11 explain how to set domain-level permissions, which are based on

the Microsoft Knowledge Base article 258503 DNS Registration Errors 5788

and 5789 When DNS Domain and Active Directory Domain Name Differ.

◆ Steps 11-14 show how to create a computer account in the AD domain.

To set up domain-level permissions:

1. Start the Active Directory Users and Computers snap-in.

2. In the console tree, right-click Active Directory Users and Computers, and then select Connect To Domain.

3. In the Domain box, type the domain name, or click Browse to find the domain in which you want to enable the computer to use different DNS names, and then click OK.

4. Right-click Active Directory Users and Computers and select View> Advanced Features.

5. Right-click the name of the domain, and then select Properties. 6. Click the Security tab and click Advanced.

7. Click Add and select Self group.

8. On the Object tab in the Apply onto box, select Computer Objects. Under Permissions, select the Validated write to DNS host name and Validated

(24)

9. On the Properties tab in the Apply onto box, select Computer Objects. 10. Under Permissions, select the Write SPN and Write dNSHostName

checkboxes.

Note: By selecting/clearing the Write dNSHostName checkbox, the system

automatically selects/clears the Write dNSHostName Attributes checkbox and vice versa.

11. Click OK.

Note: Steps 1 through 11 are based on the Windows 2000 AD server interface. To create a computer account in the Active Directory:

12. Right-click the container where the computer account is to reside, and then select New > Computer.

13. In the Computer Name box, type the name of the new computer account. Note: You can configure the delegated join operation here. Figure 2 on page 27

provides more details.

14. Click OK.

Joining existing computer accounts

When you use the server_cifs -Join command to join a CIFS server to a

domain, the Celerra Network Server:

◆ Searches for an existing account or creates an account for the CIFS server in

Active Directory and completes its configuration.

◆ Sets several attributes in the computer account, including the dnsHostName

and servicePrincipalName attributes.

If the Windows computer account already exists, the Celerra Network Server checks the servicePrincipalName attribute to see if the computer is already

joined to the computer account.

If the attribute is not set, the Data Mover joins the new CIFS server to the existing account. If the servicePrincipalName attribute is already set, the Data Mover

issues an error and logs a message saying that the account already exists. If the servicePrincipalName attribute is already set, the following error

message appears during the domain join:

The account already exists

This error indicates that the computer account was already joined to a domain by either a Data Mover or another server. If you still want to join the CIFS server to this computer account, you can reuse the account by entering the

(25)

server_cifs -Join command with the reuse option. Figure 1 illustrates the

checks performed when you issue server_cifs -Join.

Figure 1 Checks performed when joining a CIFS server to a domain

Example The following command reuses an existing, in use, computer account in the Active Directory:

$ server_cifs server_2 -Join compname=dm32-ana0,

domain=nsgprod.xyzcompany.com,admin=administrator -option reuse

Procedure overview

If you are using existing computer accounts when configuring Celerra-based CIFS servers, use this procedure to create and join the CIFS server.

No Yes Yes Does the Windows computer account exist? Is "servicePrincipalName" attribute set? Is reuse option specified?

Join the CIFS server to the domain

Return an error

Create the computer account No CNS-000491 No Yes Step Action

1. From Windows, go to Active Directory Users and Computers and create a new computer with the same comp_name you will use to create the CIFS server in step 2.

(Optional) If you are delegating join authority, under the User or Group field, enter or browse for the user or group to whom you want to delegate join authority. The procedure

"Delegated join" on page 26 provides more information.

Note: The user account must belong to a domain in the same AD forest as the domain the CIFS server is joining.

2. Add the CIFS server to the Data Mover with the server_cifs -add command.

Table 18 on page 77 details the syntax to use for the appropriate domain relationship. 3. Join the CIFS server to the domain with the server_cifs -Join command. Table 18 on

(26)

Delegated join

As an alternative to performing a CIFS server join by a default user (member of Domain Admins group), where the server_cifs -Join command automatically

creates a computer account in the Active Directory, you can do the following:

◆ Create computer accounts for CIFS servers in the Windows Active Directory. ◆ Delegate authority to perform the join operation to an individual user or group

from another domain within the same AD forest.

With these options, AD account creation can be separated from the join action. Therefore, a person other than the one who created the account in the AD can join the CIFS server to the domain.

Adding the user performing the join to the local administrator’s

group

Each CIFS server contains a set of built-in user groups: Administrators, Users, Guests, Power Names, Account Operators, Backup Operations, and Replicator. The Administrators group contains the users and groups authorized to manage the CIFS server. By default, the Administrator’s group contains one entry for the Domain Admins group, which gives each member of the Domain Admins group the authority to manage the CIFS server.

If the domain join operation is delegated to a user not in the Local Administrator group, you must add this user to this group for the user to be able to manage the CIFS server. You can do this manually through the MMC, or automatically during the domain join process by first setting the following parameter to 1:

cifs djAddADminToLg=1

Delegating join authority

When you delegate join authority, the CIFS server can be joined to its domain by any user to whom you give authority. The user does not need specific Windows permissions, but must be in the same AD forest as the CIFS server.

(27)

You delegate join authority when you create the computer account in the Active Directory as shown in Figure 2.

Figure 2 Delegating join authority

Parameters for the join procedure

The following parameters, if set, are effective during the join operation. The Celerra

Network Server Parameters Guide provides detailed information on these

parameters.

◆ djUseKpassword: If set to 0, forces the domain join procedure to set the CIFS

server password using the Microsoft RPC protocol. Only do this if you are a delegated user assigned to the domain local group.

◆ djAddAdminToLg: If set to 1, automatically adds the user performing the

domain join procedure to the Local Administrator’s group.

◆ djEnforceDhn: If set to 0, enables the domain join procedure to continue

without the dNSHostName being set.

Note: Use djEnforceDhn only as a temporary measure for access rights since the Data Mover authenticates Windows clients using NTLMSSP mode instead of Kerberos.

(28)

Table 4 shows the domain join parameter values that you must use to perform a delegated join in the same and/or disjoint namespace AD domain.

Domains within the forest that do not have the same hierarchical domain name are in a different domain tree. When different domain trees are in a forest, the tree root domains are not contiguous. Disjoint namespace is the phrase used to describe the relationship between different domain trees within the forest.

Same namespace without a delegated join

Perform the following add and join procedures when:

◆ The DNS domain name and the Active Directory domain name are the same. ◆ You are using the default user account (member of domain admin group).

Table 4 Domain join parameter combinations

djUseKpassword djAddAdminToLg djEnforceDhn Join delegated to:

1 (default) 0 (default)

1 (default) Domain Admins Group

Member (Microsoft default)

Domain User Account Domain Global Group

(29)

Creating a CIFS server

Use this procedure to create a CIFS server. Action

To create the CIFS server for a Windows 2000 or Windows Server 2003 environment on the Data Mover, use this command syntax:

domain=<full_domain_name>[,hidden={y|n}][,netbios=<netbios_name>] [,interface=<if_name>][,dns=<if_suffix>]

Where:

<movername> = name of the specified Data Mover or VDM.

<comp_name> = Windows 2000 or Windows Server 2003-compatible CIFS server. The <comp_name> can be up to 63 UTF-8 characters and represents the name of the server to be

registered in DNS.

Note: Each <comp_name> within a Celerra Network Server must be unique.

A default CIFS server and CIFS servers within a VDM cannot co-exist on the same Data Mover. A default CIFS server is a global CIFS server assigned to all interfaces, and CIFS servers within a VDM require specified interfaces. If a VDM exists on a Data Mover, a default CIFS server cannot be created.

<full_domain_name> = Windows domain for the domain name. The <full_domain_name>

must contain a dot (example: domain.com or mydomain.).

hidden={y|n} = By default, the computer name is displayed in Windows Explorer. If hidden=y

is specified, the computer name does not appear.

<netbios_name> = (Optional) a NetBIOS name used in place of the default NetBIOS name. The

default name is assigned automatically and is derived from the first 15 characters of the

<comp_name>. You should enter an optional NetBIOS name if the first 15 characters of the <comp_name> do not conform to the NetBIOS naming conventions or if you want something other

than the default.

<if_name> = interface to be used by the CIFS server being configured. If you add a CIFS server

and do not specify any interfaces (with the interfaces= option), this server becomes the

default CIFS server and uses all interfaces not assigned to other CIFS servers on the Data Mover. You can have only one default CIFS server per Data Mover.

<if_suffix> = different DNS suffix for the interface for DNS updates. By default, the DNS

suffix is derived from the domain. This DNS option does not have any impact on the DNS settings of the Data Mover.

Example:

To create CIFS server dm32-ana0 on server_2, type: $ server_cifs server_2 -add

(30)

Join CIFS server to a Windows domain

Use this procedure to join the CIFS server to a domain.

Output Notes

server_2 : done • User authentication method for CIFS servers

in Windows 2000 or Windows Server 2003 environments must be NT mode. NT mode is the default user authentication method. • You can assign only one compname and one

NetBIOS name to a CIFS server. If you need to assign multiple compnames or NetBIOS names to a CIFS server, you must create aliases. "Assigning aliases to NetBIOS and computer names" on page 16 provides more information.

• NetBIOS names are limited to 15 characters and cannot begin with an @ (at sign) or - (dash) character. The name also cannot include white space, tab characters, or the following symbols:

/ \ : ; , = * + | [ ] ? < > "

Action

To join the CIFS server to the Windows domain, use this command syntax:

domain=<full_domain_name>,admin=<admin_name@domain_name>

Where:

<comp_name> = name for the CIFS server’s account in the Active Directory. The <comp_name>

can be up to 63 UTF-8 characters and represents the name of the server to be registered in DNS.

If the primary DNS suffix of the CIFS server is different from the Windows domain, the

<comp_name> must be a fully-qualified name. For example, if the Windows domain is win.com,

the DNS primary suffix is abc.net, and the CIFS server is server1, the command would be server_cifs <movername> -Join compname=server1.abc.net, domain=win.com. <full_domain_name> = the DNS name for the Windows domain. The <full_domain_name>

must contain a dot (example: domain.com).

<admin_name@<domain_name> = login name and full domain name of a user with sufficient

rights to join a server to the domain. If you omit the @<domain_name>, the Data Mover assumes the user belongs to the domain that the CIFS server is joining. The user must be from a domain in the same AD forest.

Example:

To join the CIFS server dm32-ana0 to the universe.com domain, type: $ server_cifs server_2 -Join compname=dm32-cge0,

domain=universe.com,admin=administrator

Output Note

server_2 : Enter Password: ******* done

The user account and user password are used to create the account in the Active Directory, and are not stored after adding the machine account.

(31)

Same namespace and a delegated join

Note: Before performing this procedure, you must complete the steps outlined in "Configuration prerequisites" on page 23and "Delegated join" on page 26.

◆ The DNS domain name and the Active Directory domain name are the same. ◆ You are using a delegated user account.

Creating a CIFS server

Where:

registered in DNS.

must contain a dot (example: domain.com or mydomain.).

hidden={y|n} = By default, the computer name is displayed in Windows Explorer. If hidden=y

<netbios_name> = (Optional) NetBIOS name used in place of the default NetBIOS name. The

<comp_name>. You should enter an optional NetBIOS name if the first 15 characters of the <comp_name> do not conform to the NetBIOS naming conventions or if you want something

other than the default.

and do not specify any interfaces (with the interfaces= option), this server becomes the default CIFS server and uses all interfaces not assigned to other CIFS servers on the Data Mover. You can only have one default CIFS server per Data Mover.

<if_suffix> = different DNS suffix for the interface for DNS updates. By default, the DNS suffix

is derived from the domain. This DNS option does not have any impact on the DNS settings of the Data Mover.

Example:

To create CIFS server dm32-ana0 on server_2, type: $ server_cifs server_2 -add

(32)

Join CIFS Server to a Windows domain

Output Note

in Windows 2000 or Windows Server 2003 environments must be NT mode. NT mode is the default user authentication method. • You can only assign one compname and one

/ \ : ; , = * + | [ ] ? < > "

Action

domain=<full_domain_name>,admin=<user_name@AD_name>

Where:

can be up to 63 UTF-8 characters and represents the name of the server to be registered in DNS. Note: If the primary DNS suffix of the CIFS server is different from the Windows domain, the

the DNS primary suffix is abc.net, and the CIFS server is server1, the command would be server_cifs <movername> -Join compname=server1.abc.net,domain=win.com. <full_domain_name> = DNS name for the Windows domain. The <full_domain_name>

<user_name@<domain_name> = <user_name>[@AD_name>]= delegated user login name and

domain name of the Active Directory. Example:

To join the CIFS server dm32-ana0 to the universe.com domain, type: $ server_cifs server_2 -Join compname=dm32-cge0,

domain=universe.com,[email protected]

Output Note

The user account and user password are used to create the account in the Active Directory, and are not stored after adding the machine account.

(33)

Disjoint namespace without a delegated join

◆ The DNS domain name and the Active Directory domain name are different. ◆ You are using the default user account (member of domain admin group).

Creating a CIFS server

Where:

registered in DNS.

must contain a dot (example: domain.com ormydomain.).

hidden={y|n} = By default, the computer name is displayed in Windows Explorer. If hidden=y

<comp_name>. You should enter an optional NetBIOS name if the first 15 characters of the <comp_name> do not conform to the NetBIOS naming conventions or if you want something

other than the default.

and do not specify any interfaces (with the interfaces= option), this server becomes the default CIFS server and uses all interfaces not assigned to other CIFS servers on the Data Mover. You can only have one default CIFS server per Data Mover.

Example:

To create CIFS server dm32-ana0 on server_2, type:

$ server_cifs server_2 -add compname=dm32-cge0.

(34)

Join CIFS server to a Windows domain

Output Note

server_2 : done • You can only assign one compname and one

/ \ : ; , = * + | [ ] ? < > "

Action

$ server_cifs <movername> -Join compname=<comp_name.FQDN>,

domain=<full_domain_name>,admin=<admin_name@<domain_name>

Where:

<comp_name.FQDN> = name for the CIFS server’s account in the Active Directory. The <comp_name> can be up to 63 UTF-8 characters and represents the name of the server to be

registered in DNS. For disjoint namespaces, you must enter compname.FQDN (fully-qualified domain name); otherwise, the AD attributes are not updated. For example: compname=dm32-cge0.nasdocs.emc.com

Note: If the primary DNS suffix of the CIFS server is different from the Windows domain, the

<admin_name@<domain_name> = login name and full domain name of a user with sufficient

rights to join a server to the domain. If you omit the @<domain_name>, the Data Mover assumes the user belongs to the domain that the CIFS server is joining. The user must be from a domain in the same AD forest.

Example:

To join the CIFS server dm32-ana0 to the universe.com domain, type:

$ server_cifs server_2 -Join compname=dm32-cge0.nasdocs.emc.com,

domain=universe.com,admin=administrator

Output Note

The user account and user password are used to create the account in the Active Directory, and are not stored after adding the machine

(35)

Disjoint namespace and a delegated join

◆ The DNS domain name and the Active Directory domain name are different. ◆ You are using a delegated user account.

Creating a CIFS server

Where:

registered in DNS.

must contain a dot (example: domain.com ormydomain).

hidden={y|n} = By default, the computer name is displayed in Windows Explorer. If hidden=y

<comp_name>. You should enter an optional NetBIOS name if the first 15 characters of the <comp_name> do not conform to the NetBIOS naming conventions or if you want something other

than the default.

and do not specify any interfaces (with the interfaces= option), this server becomes the

default CIFS server and uses all interfaces not assigned to other CIFS servers on the Data Mover. You can only have one default CIFS server per Data Mover.

Example:

To create CIFS server dm32-ana0 on server_2, type:

$ server_cifs server_2 -add compname=dm32-cge0,

(36)

Join CIFS server to a Windows domain

Output Note

in Windows 2000 or Windows Server 2003 environments must be NT mode. NT mode is the default user authentication method. • You can only assign one compname and one

/ \ : ; , = * + | [ ] ? < > "

Action

$ server_cifs <movername> -Join compname=<comp_name.FQDN>,

domain=<full_domain_name>,admin=<user_name@AD_name> [,dns=<if_suffix>]

Where:

can be up to 63 UTF-8 characters and represents the name of the server to be registered in DNS. For disjoint namespaces, you must enter compname.FQDN (fully-qualified domain name);

otherwise, the AD attributes are not updated. For example:

compname=dm32-cge0.nasdocs.emc.com

Note: If the primary DNS suffix of the CIFS server is different from the Windows domain, the

<user_name@AD_name> = delegated user login name and domain name of the Active Directory.

Example:

To join the CIFS server dm32-ana0 to the universe.com domain, type:

$ server_cifs server_2 -Join compname=dm32-cge0.nasdocs.emc.com,

(37)

Output Note server_2 : Enter Password: *******

done

• You can join a CIFS server to a domain in a Windows environment where the Active Directory namespace is named

independently from the DNS namespace. • The user account and user password are

used to create the account in the Active Directory, and are not stored after adding the machine account.

Managing Celerra for the Windows Environment

Contents