Managing Celerra for the Windows Environment


P/N Rev A01
March 2006

Contents

Introduction
Windows and multiprotocol documentation
Terminology
System requirements
EMC NAS Interoperability Matrix
MMC snap-ins and programs for Windows
Celerra UNIX Attributes Migration tool
Celerra UNIX User Management snap-in
Celerra UNIX property page extensions in ADUC
Celerra Data Mover Management snap-in
Celerra AntiVirus Management
Celerra Home Directory Management snap-in
Data Mover Security Settings snap-in
Celerra Audit Policy
Celerra User Rights Assignment
User interface choices
Managing Windows roadmap
Checking the current CIFS configuration
Managing network interfaces
Managing DNS on a Data Mover
Modifying a CIFS configuration
Adding a WINS server
Renaming a NetBIOS name
Assigning aliases to NetBIOS and computer names
Associating comments with CIFS servers
Changing the CIFS server password
Advanced procedures for joining CIFS servers to Windows domains
Configuration prerequisites
Delegated join
Parameters for the join procedure
Same namespace without a delegated join
Same namespace and a delegated join
Disjoint namespace without a delegated join
Disjoint namespace and a delegated join
Managing file systems

Ensuring synchronous writes
Opportunistic file locking
File change notification
Reexporting all Celerra file systems
Disabling access to all file systems on a Data Mover
Stopping and starting the CIFS service
Stopping the CIFS service
Starting the CIFS service
Deleting a CIFS server
Deleting a CIFS server (Windows 2000/Windows Server 2003)
Deleting a CIFS server (Windows NT)
Enabling home directories
Restrictions
Creating the database
Enabling home directories on the Data Mover
Creating the home directory file
Supporting Group Policy Objects
Introduction to Microsoft Group Policy Objects
GPO support on the Celerra Network Server
Supported settings
Multiple CIFS servers on a Data Mover
Displaying GPO settings
Updating GPO settings
Disabling GPO support
Disabling GPO caching
Alternate data stream support
ADS support on the Celerra Network Server
Disabling ADS support
Using SMB signing
SMB signing resolution
Configuring SMB signing
Automatic computer password change
Changing the time interval for password changes
Creating a file system as a security log
Managing Windows domains
Domain migration support
Operational considerations
Troubleshooting
server_log error message construct
Kerberos error codes
NT status codes
Error messages
Problem Situations
Related information
Customer training programs
Appendix A: Additional home directory information
Home directory database format
Index

Introduction

The Celerra Network Server supports the CIFS (Common Internet File Service) protocol, which allows Microsoft Windows clients to access files stored on the Celerra Network Server. After you have configured the Celerra Network Server to support Windows clients on the network, you may need to perform some of the additional configuration and management procedures in this technical module to maintain your Celerra CIFS servers.

This technical module is part of the Celerra Network Server information set and is intended for system administrators responsible for managing the Celerra Network Server in their Windows network.

Windows and multiprotocol documentation

The following technical modules in the Celerra Network Server information set explain how to configure and manage Celerra in a Windows environment and a multiprotocol environment:

- Configuring CIFS on Celerra: explains how to configure a basic CIFS configuration on the Celerra Network Server using the command line interface (CLI). You can also configure this initial environment using the Celerra Manager.
- Managing Celerra for the Windows Environment: contains advanced procedures you may need to perform after the initial configuration of CIFS on the Celerra Network Server and instructions for modifying and managing Celerra in a Windows environment.
- Managing Celerra for a Multiprotocol Environment: contains procedures for configuring and managing Celerra in a mixed environment of UNIX and Windows clients.

Terminology

These terms are important to understanding the Celerra Network Server in the Windows environment. The Celerra Network Server User Information Glossary provides a complete list of Celerra terminology.

ACL (Access Control List): In Windows, a list of access control entries (ACEs) that provide information about the users and groups that are allowed access to an object.

Active Directory: An advanced directory service included with Windows 2000 Servers. It stores information about objects on a network and makes this information available to users and network administrators through a protocol such as LDAP.

authentication: The process for verifying the identity of a user who is trying to access a resource or object, such as a file or a directory.

CIFS (Common Internet File Service): A file-sharing protocol based on the Microsoft Server Message Block (SMB). It allows users to share file systems over the Internet and intranets. The CIFS protocol is primarily used for file sharing by Windows platforms.

CIFS Server: A logical server that uses the CIFS protocol to transfer files. A Data Mover can host many instances of a CIFS Server. Each instance is referred to as a CIFS server.

CIFS Service: A CIFS server process that runs on the Data Mover and presents shares on a network as well as on Windows-based computers.

Data Mover: Celerra Network Server cabinet component running its own operating system that retrieves files from storage devices and makes them available to a network client.

Default CIFS Server: The CIFS server that is created when you add a CIFS server and do not specify any interfaces (with the interfaces= option of the server_cifs -add command). The default CIFS server uses all interfaces not assigned to other CIFS servers on the Data Mover.

DNS (Domain Name System): A name resolution software that allows users to locate computers and services on a UNIX network or TCP/IP network by name. The DNS server maintains a database of domain names, hostnames and their corresponding IP addresses, and services provided by these hosts.

domain: A logical grouping of Microsoft Windows servers and other computers that share common security and user account information. All resources such as computers and users are members of the domain and have an account in the domain that uniquely identifies them. The domain administrator creates one user account for each user in the domain, and the users log in to the domain once. Users do not log in to each individual server.

file system: A method of cataloging and managing the files and directories on a storage system.

GPO: In Windows 2000 or Windows Server 2003, administrators can use Group Policy Objects to define configuration options for groups of users and computers. Windows Group Policy Objects can control elements such as local, domain, and network security settings.

NetBIOS: Network basic input/output system. A network programming interface and protocol developed for IBM personal computers.

NetBIOS name: A name that is recognized by WINS, which maps the name to an IP address.

share name: The name given to the resource on a file system or the file system itself that was made available from a particular CIFS server to CIFS users. There may be multiple shares with the same name, shared from different CIFS servers.

SMB (Server Message Block): The underlying protocol used by the Common Internet File System (CIFS) protocol that was enhanced for use on the Internet to request file, print, and communication services from a server over the network. The CIFS protocol uses SMB to provide file access and transfer to many types of network hosts. The SMB protocol is an open, cross-platform protocol for distributed file sharing, and it is supported by all Windows platforms.

Virtual Data Mover (VDM): A Celerra software feature that enables users to administratively separate CIFS servers, replicate their CIFS environments, and move CIFS servers from Data Mover to Data Mover with ease.

Windows 2000/Windows Server 2003 domain: A Microsoft Windows domain controlled and managed by a Microsoft Windows 2000/Windows 2003 server using the Active Directory to manage all system resources and using the DNS for name resolution.

Windows NT domain: A Microsoft Windows domain controlled and managed by a Microsoft Windows NT server using a SAM (Storage Area Management) database to manage user and group accounts and a NetBIOS namespace. In a Windows NT domain, there is one primary domain controller (PDC) that has a read/write copy of the SAM, and possibly several backup domain controllers (BDCs) with read-only copies of the SAM.

System requirements

This section describes the Celerra Network Server software, hardware, network, and storage configurations required for using CIFS as described in this technical module.

Table 1 System requirements for CIFS

Software: Celerra Network Server or later
Hardware: Celerra Network Server
Network: Windows 2000, Windows Server 2003, or Windows NT domain. You must configure the domains with the following:
  Windows 2000 or Windows Server 2003 domains:
  - AD (Active Directory)
  - DNS (Domain Name System)
  - NTP (Network Time Protocol) server
  Windows NT domains:
  - WINS (Windows Internet Naming Service) server
Storage: No specific storage requirements

EMC NAS Interoperability Matrix

The EMC NAS Interoperability Matrix is available on Powerlink. It contains definitive information on supported software and hardware, such as backup software, Fibre Channel switches, and application support for Celerra network-attached storage (NAS) products.

MMC snap-ins and programs for Windows

The Celerra Network Server supports a set of Microsoft Management Console (MMC) snap-ins and programs for managing Celerra users and Data Mover security settings from a Windows 2000, Windows Server 2003, or Windows XP computer. Refer to the online Help for a snap-in or program for more information.

Celerra UNIX Attributes Migration tool

Celerra UNIX Attributes Migration is a tool you can use to migrate existing UNIX users from the Celerra Network Server to the Windows Active Directory. You can select the UNIX attributes (UIDs and GIDs) to add to the Active Directory. To add new users or groups, or to modify existing UNIX attributes, refer to the Celerra UNIX User Management Snap-in and Celerra UNIX Property Page Extensions in Active Directory Users and Computers (ADUC).

Celerra UNIX User Management snap-in

Celerra UNIX User Management is an MMC snap-in to the Celerra Management Console that you can use to assign, remove, or modify UNIX attributes for a single Windows user or group on the local domain and on remote domains. You also use this snap-in to select the location of the attribute database. This location can either be in a local or a remote domain.

You would choose to store the attribute database in the Active Directory of a local domain if:

- You have only one domain.
- Trusts are not allowed.
- You have no need to centralize your UNIX user management information.

You would choose a remote domain if:

- You have multiple domains.
- Bidirectional trusts between domains that need to access the attribute database already exist.
- You want to centralize your UNIX user management.

Celerra UNIX property page extensions in ADUC

Celerra UNIX Users and Groups property pages are extensions to ADUC. You can use these property pages to assign, remove, or modify UNIX attributes for a single Windows user or group on the local domain. You cannot use this feature to manage users or groups on a remote domain.

Celerra Data Mover Management snap-in

Celerra Data Mover management comprises several MMC snap-ins. You can use these snap-ins to manage virus-checking, home directories, and security settings on Data Movers from a Windows 2000, Windows Server 2003, or Windows XP computer.

Celerra AntiVirus Management

You can use the Celerra AntiVirus Management snap-in to manage the virus-checking parameters (viruschecker.conf file) used with Celerra AntiVirus Agent (CAVA) and third-party antivirus programs. The Celerra AntiVirus Agent and a third-party antivirus program must be installed on the Windows NT, Windows 2000, or Windows Server 2003 server. The Using Celerra AntiVirus Agent technical module provides more details about CAVA.

Celerra Home Directory Management snap-in

You can use the Celerra Home Directory Management snap-in to associate a username with a directory that then acts as the user's home directory. The home directory feature simplifies the administration of personal shares and the process of connecting to them.

Data Mover Security Settings snap-in

Celerra Data Mover Security Settings comprises the Audit Policy node and the User Rights Assignment node.

Celerra Audit Policy

You can use the Celerra Audit Policy node to determine which Data Mover security events are logged in the Security log. You can then view the Security log using the Windows Event Viewer. You can select to log successful attempts, failed attempts, both, or neither. The audit policies that appear in the Audit Policy node are a subset of the policies available as Group Policy Objects (GPOs) in ADUC. Audit policies are local policies and apply only to the selected Data Mover. You cannot use the Audit Policy node to manage GPO audit policies.

Celerra User Rights Assignment

You can use the Celerra User Rights Assignment node to manage which users and groups have login and task privileges to a Data Mover. The user rights assignments that appear in the User Rights Assignment node are a subset of the user rights assignments available as GPOs in ADUC. User rights assignments are local policies and apply only to the selected Data Mover. You cannot use the User Rights Assignment node to manage GPO policies.

Refer to the online Help for a snap-in or program for more information.

User interface choices

The Celerra Network Server offers flexibility in managing networked storage based on your support environment and interface preferences. This technical module describes how to configure CIFS on a Data Mover using the command line interface (CLI). You can also perform many of these tasks using one of the Celerra management applications:

- Celerra Manager - Basic Edition
- Celerra Manager - Advanced Edition
- Microsoft Management Console (MMC) snap-ins (Windows 2000 and Windows Server 2003 only)
- Active Directory Users and Computers extensions (Windows 2000 and Windows Server 2003 only)

For additional information about managing your Celerra, refer to:

- Learning about Celerra
- Celerra Manager Online Help
- Monitoring Celerra Application's online help system on the Celerra Network Server Documentation CD

The Installing Celerra Management Applications technical module includes instructions on launching Celerra Manager, and on installing the MMC snap-ins and the ADUC extensions.

Managing Windows roadmap

Table 2 lists the tasks to manage Windows as described in this technical module.

Table 2 CIFS management

Task: Display the current CIFS configuration for a Data Mover.
Procedure: "Checking the current CIFS configuration" on page 11

Task: Add, delete, enable, and disable a network interface for a CIFS server.
Procedure: "Managing network interfaces" on page 12

Task: Manage the DNS server configuration.
Procedure: "Managing DNS on a Data Mover" on page 13

Task: Create and modify the following elements to an existing CIFS configuration:
- WINS server
- NetBIOS name to a Windows 2000 or Windows Server 2003 configuration
- Computer name or NetBIOS name aliases
- Comments
- CIFS server password
Procedure: "Modifying a CIFS configuration" on page 14

Task: Create CIFS servers and join to a Windows domain with the following configurations:
Procedure:
- "Same namespace without a delegated join" on page 28
- "Same namespace and a delegated join" on page 31
- "Disjoint namespace without a delegated join" on page 33
- "Disjoint namespace and a delegated join" on page 35

Task: Start and stop the CIFS service on a Data Mover.
Procedure: "Reexporting all Celerra file systems" on page 41

Task: Delete a CIFS server by deleting the NetBIOS or compname for the server.
Procedure: "Deleting a CIFS server" on page 44

Task: Manage Group Policy Objects.
Procedure: "Supporting Group Policy Objects" on page 52

Task: Manage Multiple Data Stream support.
Procedure: "Alternate data stream support" on page 63

Task: Configure or disable SMB (Server Message Block) signing.
Procedure: "Using SMB signing" on page 66

Task: Set the time interval at which the Data Mover changes passwords with the domain controller.
Procedure: "Automatic computer password change" on page 72

Task: Generate a file system for use as a security log.
Procedure: "Creating a file system as a security log" on page

Checking the current CIFS configuration

Use this command to check the current CIFS configuration on a Data Mover.

Action

To display the CIFS configuration for a Data Mover, use this command syntax:

$ server_cifs <movername>

Where:
<movername> = name of the specified Data Mover

Example:
To display the CIFS configuration for server_2, type:

$ server_cifs server_2

Output

If CIFS service is started:

server_2 :
256 Cifs threads started
Security mode = NT
Max protocol = NT1
I18N mode = ASCII
Home Directory Shares DISABLED
Usermapper auto broadcast enabled
Usermapper[0] = [ ] state:active (auto discovered)
Enabled interfaces: (All interfaces are enabled)
Disabled interfaces: (No interface disabled)

If CIFS Service is not started:

$ server_cifs server_2
server_2 :
Cifs NOT started
Security mode = NT
Max protocol = NT1
I18N mode = ASCII
Home Directory Shares DISABLED
Usermapper auto broadcast enabled
Usermapper[0] = [ ] state:active (auto discovered)
Enabled interfaces: (All interfaces are enabled)
Disabled interfaces: (No interface disabled)
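As an added example (not part of the EMC module), the shell function below condenses the server_cifs output shown in this section into one status line and an exit code that a monitoring job can act on. The function name, the constructed sample text and its line breaks, and the assumption that Data Mover names start with "server_" are not from the original; the field labels are the ones in the output above.

```shell
#!/bin/sh
# Added example: summarise `server_cifs <movername>` output for monitoring.
# Assumptions: the function name, the sample text and its line breaks are
# constructed; Data Mover names are assumed to start with "server_".

# Reads the command output on stdin and prints one line:
#   mover=<name> service=<started|stopped|unknown> security=<..> maxproto=<..> homedir=<..>
# Exit status: 0 CIFS started, 1 CIFS not started, 2 service state not found.
# Substring matching is used so the fields are found whether each one is on
# its own line or several share a line.
summarize_server_cifs() {
    sc_mover=
    sc_service=unknown
    sc_security=
    sc_maxproto=
    sc_homedir=
    while IFS= read -r sc_line; do
        case $sc_line in
            server_*) [ -n "$sc_mover" ] || sc_mover=${sc_line%%[ :]*} ;;
        esac
        case $sc_line in
            *"Cifs NOT started"*)     sc_service=stopped ;;
            *"Cifs threads started"*) sc_service=started ;;
        esac
        case $sc_line in
            *"Security mode = "*)
                sc_security=${sc_line##*"Security mode = "}
                sc_security=${sc_security%% *} ;;
        esac
        case $sc_line in
            *"Max protocol = "*)
                sc_maxproto=${sc_line##*"Max protocol = "}
                sc_maxproto=${sc_maxproto%% *} ;;
        esac
        case $sc_line in
            *"Home Directory Shares "*)
                sc_homedir=${sc_line##*"Home Directory Shares "}
                sc_homedir=${sc_homedir%% *} ;;
        esac
    done
    printf 'mover=%s service=%s security=%s maxproto=%s homedir=%s\n' \
        "$sc_mover" "$sc_service" "$sc_security" "$sc_maxproto" "$sc_homedir"
    case $sc_service in
        started) return 0 ;;
        stopped) return 1 ;;
        *)       return 2 ;;
    esac
}

# Constructed sample, modelled on the "not started" output in this section.
SAMPLE_STOPPED='server_2 :
Cifs NOT started
Security mode = NT
Max protocol = NT1
I18N mode = ASCII
Home Directory Shares DISABLED'

printf '%s\n' "$SAMPLE_STOPPED" | summarize_server_cifs \
    || echo "attention needed (rc=$?)"
```

On a Control Station the live output would be piped in place of the sample, for example `server_cifs server_2 | summarize_server_cifs`.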

Output (if CIFS service is not started)

server_2 :
Cifs NOT started
Security mode = NT
Max protocol = NT1
I18N mode = UNICODE
Home Directory Shares DISABLED
Usermapper[0] = [ ] last access 0
Enabled interfaces: (All interfaces are enabled)
Disabled interfaces: (No interface disabled)
CIFS Server DPDOVDM1[CIFS] RC=4
Full computer name=dpdovdm1.cifs.eng.fr realm=cifs.eng.fr
Active directory usermapper's domain: "not yet located"
Comment='EMC-SNAS:T '
if=dpdo:1 l= b= mac=0:0:92:a7:b0:24
FQDN=dpdovdm1.cifs.eng.fr (Updated to DNS)

Managing network interfaces

The Configuring and Managing Celerra Networking technical module provides information about managing network interfaces.

Managing DNS on a Data Mover

Within a Windows 2000 and a Windows Server 2003 environment, a DNS configuration on a Data Mover is required to add a computer name and join it to a Windows domain. You can configure an unlimited number of DNS domains per Data Mover, and each domain can have up to three DNS servers.

The Configuring Celerra Naming Services technical module provides procedures to configure, start, stop, and manage your DNS servers.

Modifying a CIFS configuration

After creating the initial CIFS configuration and starting the CIFS service, you may need to add or modify various elements in the CIFS configuration on a Data Mover. Table 3 explains the tasks to modify a CIFS configuration.

Table 3 Modifying a CIFS configuration

Task 1. Action: Add a WINS server to an existing CIFS server. Procedure: "Adding a WINS server" on page
Task 2. Action: Rename an existing NetBIOS name. Procedure: "Renaming a NetBIOS name" on page
Task 3. Action: Create NetBIOS or computer name aliases. Procedure: "Assigning aliases to NetBIOS and computer names" on page 16
Task 4. Action: Add informational comments to a CIFS server. Procedure: "Associating comments with CIFS servers" on page
Task 5. Action: Change the CIFS server password. Procedure: "Changing the CIFS server password" on page 22

Note: The Configuring CIFS on Celerra technical module explains how to configure additional CIFS servers on a Data Mover.

Adding a WINS server

The Celerra Network Server registers its NetBIOS name with the WINS (Windows Internet Name Service) server automatically. The WINS server distributes the NetBIOS name to users, and provides the NetBIOS name resolution of users and computers to IP addresses to the Data Mover. The WINS server is not mandatory if name resolution is done through DNS.

There is no limit to the number of WINS servers that you can configure for a Data Mover. If you have multiple CIFS configurations (NetBIOS/compname) on a Data Mover, consider using a WINS server per interface rather than per Data Mover. This eliminates the possibility of CIFS clients attempting to resolve unwanted Data Mover NetBIOS names over the WINS server.

Note: If you have only one subnet reached by each IP interface, and performance is not an issue, the WINS server is not mandatory. If you have more than one subnet, you must specify a WINS server. You can, however, specify more than one WINS server to provide more robust networking capabilities.

Use this command to add a WINS server for use by all CIFS servers on a Data Mover.

Action

To add a WINS server to your CIFS configuration, use this command syntax:

$ server_cifs <movername> -add wins=<ip_addr>[,wins=<ip_addr>,...]

Where:
<movername> = name of the specified Data Mover
<ip_addr> = IP address of the WINS server

Note: The system processes a list of WINS servers in the order in which you add them in the wins= option, with the first one being the preferred WINS server. For example, if the WINS server times out after 1500 milliseconds, the system uses the next WINS server in the list. Use the wins.timeoutms parameter to configure WINS timeout.

Example:
To add two WINS servers to server_2, type:

$ server_cifs server_2 -add wins= ,wins= 

Output

server_2: done

Renaming a NetBIOS name

When you change a NetBIOS name, the system does the following:

- Temporarily suspends NetBIOS availability and disconnects all clients connected to it.
- Updates the local groups related to the new NetBIOS name.
- Updates all the shares corresponding to the new NetBIOS name.
- Maintains the account password between the server and the domain controller.
- Unregisters the original NetBIOS name, and then registers the new name in all the WINS servers.
- Retains all aliases associated with the original NetBIOS name.
- Resumes renamed NetBIOS availability.

Note: For Windows 2000 and Windows Server 2003, you cannot rename a NetBIOS name if the CIFS server is joined to a Windows domain. If the CIFS server is joined to a domain, unjoin the server. After performing the rename, join the CIFS server to the domain.

CAUTION: The server_cifs -Join and -Unjoin procedures generate a new computer account for the compname, which results in the computer name losing its original account.

Before performing the rename function, you must add the new NetBIOS name to the domain using the Windows NT Server Manager or the Windows 2000 and Windows Server 2003 Users and Computers MMC snap-in.

Note: The rename command changes the NetBIOS name of the server but not the compname of that server. Contact EMC Customer Service for instructions on renaming a compname.

Use this command to rename a NetBIOS name in an existing CIFS server.

Action

To rename a NetBIOS name, use this command syntax:

$ server_cifs <movername> -rename -netbios <old_name> <new_name>

Where:
<movername> = name of the specified Data Mover.
<old_name> = current NetBIOS name.
<new_name> = new NetBIOS name. NetBIOS names must be unique and limited to 15 characters and cannot begin with the @ (at sign) or - (dash) character. The name also cannot include white space, tab characters, or the following symbols: / \ : ; , = * + [ ] ? < > "

Example:
To rename the NetBIOS name of dm102-cge0 to dm112-cge0 on server_2, type:

$ server_cifs server_2 -rename -netbios dm102-cge0 dm112-cge0

Output

server_2 : done

Assigning aliases to NetBIOS and computer names

You can assign aliases to NetBIOS names and computer names. Aliases provide multiple, alternative identities for a given resource. Because aliases act as secondary names, they share the same set of local groups and shares as the primary NetBIOS name or computer name.

A NetBIOS alias registers the alternative name in WINS, not in DNS. If you want the NetBIOS alias to appear in DNS, you must add it to DNS. The client can connect to an alias through the Network Neighborhood, Windows Explorer, or by using the Map Network Drive window.

You can add aliases to an existing server or when creating a new server.

Naming conventions

Based on the Microsoft requirements, aliases must be unique across a domain for WINS registration and broadcast announcements. Aliases must also be unique on the same Data Mover to avoid WINS name conflicts.

The alias name is limited to 15 characters. It cannot begin with the at sign (@) or the dash (-), and it cannot include spaces, tabs, and the following characters: / \ : ; , = * + [ ] ? < > "

For performance reasons, it is recommended that you limit the number of aliases to 10 per CIFS server.

Adding an alias to a CIFS server

Use this command to assign one or more aliases to a computer name.

Action

To add an alias to a CIFS server, use this command syntax:

$ server_cifs <movername> -add compname=<comp_name>,domain=<full_domain_name>,alias=<alias_name>[,alias=<alias_name2>...]

Where:
<movername> = name of the specified Data Mover
<comp_name> = name of the CIFS server in the named domain
<full_domain_name> = the full domain name for the Windows environment; must contain a dot (example: domain.com)
<alias_name> = alias for the computer name

Example:
To declare three aliases for computer name big_comp, type:

$ server_cifs server_2 -a compname=winserver1,domain=nasdocs,alias=winserver1-a1,alias=winserver1-a2,alias=winserver-a3

Output

server_2 : done

Adding a NetBIOS alias to the NetBIOS name

Use this command to assign one or more aliases to a NetBIOS name.

Action

To add a NetBIOS alias to the NetBIOS name, use this command syntax:

$ server_cifs <movername> -add netbios=<netbios_name>,domain=<domain_name>,alias=<alias_name>[,alias=<alias_name2>...]

Where:
<movername> = name of the specified Data Mover
<netbios_name> = NetBIOS name for the CIFS server
<domain_name> = domain name for the Windows environment
<alias_name> = alias for the NetBIOS name

Example:
To declare three aliases for NetBIOS dm102-cge0, type:

$ server_cifs server_2 -a netbios=dm102-cge0,domain=nasdocs,alias=dm102-cge0-a1,dm102-cge0-a2,dm102-cge0-a3

Output

server_2: done

Deleting a CIFS server alias

Use this command to delete one or more aliases assigned to the computer name.

Action

To delete a compname alias, use this command syntax:

$ server_cifs <movername> -delete compname=<comp_name>,alias=<alias_name>[,alias=<alias_name2>,...]

Where:
<movername> = name of the specified Data Mover
<comp_name> = name of the CIFS server
<alias_name> = alias for the computer name

CAUTION: If you do not specify the alias name in this command, the entire CIFS configuration, as identified by its computer name, is deleted.

Example:
To delete the dm102-cge0-a1 alias assigned to winserver1, type:

$ server_cifs server_2 -delete compname=winserver1,alias=winserver-a1

Output

server_2: done

Deleting a NetBIOS alias

Use this command to delete one or more aliases assigned to a NetBIOS name.

Action

To delete one or more NetBIOS aliases from a CIFS server, use this command syntax:

$ server_cifs <movername> -delete netbios=<netbios_name>,alias=<alias_name>[,alias=<alias_name2>,...]

Where:
<movername> = name of the specified Data Mover
<netbios_name> = NetBIOS name for the CIFS server
<alias_name> = alias for the NetBIOS name

CAUTION: If you do not specify the alias name in this command, the entire CIFS configuration, as identified by its NetBIOS name, is deleted.

Example:
To delete the dm102-cge0-a2 alias assigned to dm102-cge0, type:

$ server_cifs server_2 -delete netbios=dm102-cge0,alias=dm102-cge0-a2

Output

server_2: done
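The naming rules given under "Renaming a NetBIOS name" and "Naming conventions", and the two CAUTION notes in the delete procedures, can be checked before a command is typed. This added example (not EMC code) validates NetBIOS names and aliases and refuses to build a -delete command that names no alias; the function names are hypothetical and the sample arguments are constructed from the page's examples.

```shell
#!/bin/sh
# Added example: pre-flight checks for server_cifs alias commands.
# Function names are hypothetical; the rules and syntax are those on this page.

# Return 0 if $1 meets the NetBIOS name/alias rules: at most 15 characters,
# no leading @ or -, no space or tab, none of / \ : ; , = * + [ ] ? < > "
valid_netbios_name() {
    nb_name=$1
    nb_tab=$(printf '\t')
    [ -n "$nb_name" ] || return 1
    [ "${#nb_name}" -le 15 ] || return 1
    case $nb_name in
        @*|-*) return 1 ;;
        *" "*|*"$nb_tab"*) return 1 ;;
    esac
    # Quoting "$nb_c" in the pattern makes each forbidden character literal.
    for nb_c in '/' '\' ':' ';' ',' '=' '*' '+' '[' ']' '?' '<' '>' '"'; do
        case $nb_name in
            *"$nb_c"*) return 1 ;;
        esac
    done
    return 0
}

# Validate the argument that follows -delete in the alias procedures.
# Returns 0 ok, 2 no compname=/netbios= element, 3 no alias= element (the
# command would delete the whole CIFS configuration), 4 invalid alias name,
# 5 element that the alias-delete syntax does not allow.
check_alias_delete() {
    cd_rest=$1
    cd_server=0
    cd_aliases=0
    while [ -n "$cd_rest" ]; do
        cd_item=${cd_rest%%,*}          # first comma-separated element
        case $cd_rest in
            *,*) cd_rest=${cd_rest#*,} ;;
            *)   cd_rest= ;;
        esac
        case $cd_item in
            compname=?*|netbios=?*) cd_server=1 ;;
            alias=*)
                valid_netbios_name "${cd_item#alias=}" || return 4
                cd_aliases=$((cd_aliases + 1)) ;;
            *) return 5 ;;
        esac
    done
    [ "$cd_server" -eq 1 ] || return 2
    [ "$cd_aliases" -ge 1 ] || return 3
    return 0
}

# Print the delete command only when the argument passes the checks.
# Nothing is executed, so the line can be reviewed before it is run.
alias_delete_cmd() {
    check_alias_delete "$2" || return $?
    printf 'server_cifs %s -delete %s\n' "$1" "$2"
}

# Constructed sample arguments, modelled on the page's examples.
for spec in 'compname=winserver1,alias=winserver-a1' 'compname=winserver1'; do
    alias_delete_cmd server_2 "$spec" || echo "refused (rc=$?): $spec" >&2
done
```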

Viewing aliases

Use this command to view the aliases for a Data Mover.

Action

To list a server's aliases, use this command syntax:

$ server_cifs <movername>

Where:
<movername> = name of the specified Data Mover

Example:
To view the aliases for server_2, type:

$ server_cifs server_2

Output

CIFS Server (Default) dm102-cge0 [C1T1]
Alias(es): dm102-cge0-a1,dm102-cge0-a2,dm102-cge0-a3
Full computer name=dm2-cge0.c1t1.pt1.c3lab.nasdocs.emc.com realm=c1t1.pt1.c3lab.nasdocs.emc.com
Comment='EMC-SNAS:T '
if=cge0 l= b= mac=0:6:2b:4:0:7f
FQDN=dm102-cge0.c1t1.pt1.c3lab.nasdocs.emc.com (Updated to DNS)

Associating comments with CIFS servers

You can associate a comment, enclosed in quotation marks, with a CIFS server by using the server_cifs -add command. Comments let you add descriptive information to a CIFS server. This section contains information on the following:

- Adding comments
- Changing comments
- Viewing comments
- Comment restrictions for Windows XP clients

Adding comments

You can add comments when you initially create the CIFS server or after the CIFS server was created. Add comments with either of the following commands from the Celerra CLI.

Action

To add comments in a Windows NT environment, use this command syntax:

$ server_cifs <movername> -add netbios=<netbios_name>,domain=<domain_name> -comment <comment>

To add comments in a Windows 2000 or Windows Server 2003 environment, use this command syntax:

$ server_cifs <movername> -add compname=<comp_name>,domain=<full_domain_name> -comment <comment>

Where:
<movername> = name of the specified Data Mover.
<netbios_name> = NetBIOS name for the CIFS server. The NetBIOS name must be unique and limited to 15 characters. It cannot begin with @ (at sign) or - (dash) and it cannot include spaces, tabs, and the following symbols: / \ : ; , = * + [ ] ? < > "
<comp_name> = a Windows 2000 or Windows Server 2003-compatible CIFS server; can be up to 63 UTF-8 characters.
<domain_name> = domain name for the Windows environment.
<full_domain_name> = the full domain name for the Windows environment; must contain a dot (example: domain.com).
<comment> = your comment. Limit a comment to 48 ASCII characters and enclose it in double quotation marks. Currently, international characters are not supported for comments.

Restricted Characters: You cannot use double quotation ("), semi-colon (;), accent (`), and comma (,) characters within the body of a comment. Attempting to use these special characters results in an error message. In addition, you can only use an exclamation point (!) if it is preceded by a single quotation mark (').

Default Comments: If you do not explicitly add a comment, the system adds a default comment of the form EMC-SNAS:T<x.x.x.x> where <x.x.x.x> is the version of the NAS software.

Example:
To add the comment EMC_Celerra_Network_Server to server_2 in a Windows NT environment, type:

$ server_cifs server_2 -add netbios=dm32-ana0,domain=capitals -comment "EMC_Celerra_Network_Server"

Changing comments

To change a comment, repeat the server_cifs -add command with the new comment. You may notice a delay in the comment change when browsing the domain computers. This delay is caused by the Data Mover broadcasting its name and comment approximately every 12 minutes (except on startup, when it broadcasts five times in the first minute).

You cannot currently add or change comments through Server Manager or the Computer Management MMC. You can change comments only through the server_cifs -add command.

Clearing comments

To clear a comment, issue the server_cifs -add command with a one-space comment as in the following example:

$ server_cifs server_2 -add netbios=dm32-ana0,domain=capitals -comment " "

Viewing comments

You can view a server's comment from the Celerra Network Server CLI. In addition, comments appear in certain parts of various Windows interfaces.

Viewing comments from the CLI

When you view a CIFS server configuration with the server_cifs command from the Celerra Network Server CLI, the comment appears with other information about the CIFS server. The following example shows how to view comments using the server_cifs command.

Action

To view the configuration information for server_2, type:

$ server_cifs server_2

Output

server_2 :
32 Cifs threads started
Security mode = NT
.
(material deleted)
.
DOMAIN CAPITALS
SID=S c6ab149b-92d87510-a3e900fb-ffffffff
>DC=BOSTON( ) ref=2 time=0 ms
DC=NEWYORK( ) ref=1 time=0 ms
CIFS Server (Default) DM32-ANA0[CAPITALS] (Hidden)
Alias(es): CFS32
Comment= EMCCelerraNetworkServer
if=ana0 l= b= mac=0:0:d1:1d:b7:25
if=ana1 l= b= mac=0:0:d1:1d:b7:26

Viewing comments from Windows

Windows 2000, Windows Server 2003, Windows NT, and Windows XP sometimes use comments in parts of the Windows interface. Comments may appear in the following instances:

- As the name of mapped network drives in the My Computer or Explorer window (Windows XP only)
- As the computer name in a domain window

Comment restrictions for Windows XP clients

When you change a comment, the change is only reflected in certain parts of the Windows XP interface. As the computer name in a domain window, the change is immediately reflected to the Windows XP client. However, in the Windows XP Explorer, the names of mapped network drives do not reflect the change.

When you first map a network drive on a Windows XP client, the client stores the comment in the local Registry and displays the comment as the name of the mapped drive. The client continues to use the stored comment as the mapped drive name until you manually change the Registry.

If you manually change the name of the mapped network drive from Explorer or My Computer, the changed name is stored in another Registry entry and the client uses this name until you change it again from Explorer or in the Registry.

Recommendation

Due to the previous Windows XP client restrictions, EMC recommends that you set the comment as part of the initial CIFS server setup.

Changing the CIFS server password

Use this command to reset the CIFS password and encryption keys. "Automatic computer password change" on page 72 explains how to set the time interval at which the Data Mover changes passwords with the domain controller.

Action

To reset the CIFS password and encryption keys, use this command syntax:

$ server_cifs <movername> -Join compname=<comp_name>,domain=<full_domain_name>,admin=<admin_name> -o resetserverpasswd

Where:
<movername> = name of the specified Data Mover.
<comp_name> = name of the CIFS server.
<full_domain_name> = the full domain name for the Windows environment; must contain a dot (example: domain.com).
<admin_name> = the login name of the user with administrative rights in the domain. The user is prompted to type a password for the admin account.

Example:
To reset the CIFS password and encryption keys for server_2, type:

$ server_cifs server_2 -Join compname=winserver1,domain=nasdocs.emc.com,admin=compadmin -o resetserverpasswd

Output

server_2: Enter Password: ******
done

Advanced procedures for joining CIFS servers to Windows domains

This section outlines the procedures for joining CIFS servers to Windows domains in different configurations.

Note: When attempting to resolve computer NetBIOS names in environments with Windows 2000 or Windows Server 2003, the Celerra Network Server may try to resolve the name through a broadcast or by querying the Windows Internet Name Service (WINS) server. Since Windows operating systems limit NetBIOS names to 15 characters, name resolution through broadcast and WINS queries is possible only for computer names that are 15 characters or less. If you specify a NetBIOS name longer than 15 characters, it is truncated.

Windows NT servers are automatically joined to a domain when created.

Configuration prerequisites

The configuration prerequisites pertain to the following procedures:

- "Disjoint namespace without a delegated join" (steps 1 through 11)
- "Disjoint namespace and a delegated join" (steps 1 through 14)
- "Same namespace and a delegated join" (steps 12 through 14)

The configuration prerequisites contain the following steps:

- Steps 1-11 explain how to set domain-level permissions, which are based on the Microsoft Knowledge Base article DNS Registration Errors 5788 and 5789 When DNS Domain and Active Directory Domain Name Differ.
- Steps 12-14 show how to create a computer account in the AD domain.

To set up domain-level permissions:

1. Start the Active Directory Users and Computers snap-in.
2. In the console tree, right-click Active Directory Users and Computers, and then select Connect To Domain.
3. In the Domain box, type the domain name, or click Browse to find the domain in which you want to enable the computer to use different DNS names, and then click OK.
4. Right-click Active Directory Users and Computers and select View > Advanced Features.
5. Right-click the name of the domain, and then select Properties.
6. Click the Security tab and click Advanced.
7. Click Add and select Self group.
8. On the Object tab in the Apply onto box, select Computer Objects. Under Permissions, select the Validated write to DNS host name and Validated write to service principal name checkboxes.

9. On the Properties tab in the Apply onto box, select Computer Objects.
10. Under Permissions, select the Write SPN and Write dnshostname checkboxes.

Note: By selecting/clearing the Write dnshostname checkbox, the system automatically selects/clears the Write dnshostname Attributes checkbox and vice versa.

11. Click OK.

Note: Steps 1 through 11 are based on the Windows 2000 AD server interface.

To create a computer account in the Active Directory:

12. Right-click the container where the computer account is to reside, and then select New > Computer.
13. In the Computer Name box, type the name of the new computer account.

Note: You can configure the delegated join operation here. Figure 2 on page 27 provides more details.

14. Click OK.

Joining existing computer accounts

When you use the server_cifs -Join command to join a CIFS server to a domain, the Celerra Network Server:

- Searches for an existing account or creates an account for the CIFS server in Active Directory and completes its configuration.
- Sets several attributes in the computer account, including the dnshostname and serviceprincipalname attributes.

If the Windows computer account already exists, the Celerra Network Server checks the serviceprincipalname attribute to see if the computer is already joined to the computer account.

- If the attribute is not set, the Data Mover joins the new CIFS server to the existing account.
- If the serviceprincipalname attribute is already set, the Data Mover issues an error and logs a message saying that the account already exists.

If the serviceprincipalname attribute is already set, the following error message appears during the domain join:

The account already exists

This error indicates that the computer account was already joined to a domain by either a Data Mover or another server. If you still want to join the CIFS server to this computer account, you can reuse the account by entering the server_cifs -Join command with the reuse option. Figure 1 illustrates the checks performed when you issue server_cifs -Join.

[Figure 1: flowchart. Decision boxes: Does the Windows computer account exist? Is "serviceprincipalname" attribute set? Is reuse option specified? Actions: Create the computer account; Join the CIFS server to the domain; Return an error.]

Figure 1 Checks performed when joining a CIFS server to a domain

Example

The following command reuses an existing, in use, computer account in the Active Directory:

$ server_cifs server_2 -Join compname=dm32-ana0,domain=nsgprod.xyzcompany.com,admin=administrator -option reuse

Procedure overview

If you are using existing computer accounts when configuring Celerra-based CIFS servers, use this procedure to create and join the CIFS server.

Step / Action

1. From Windows, go to Active Directory Users and Computers and create a new computer with the same comp_name you will use to create the CIFS server in step 2. (Optional) If you are delegating join authority, under the User or Group field, enter or browse for the user or group to whom you want to delegate join authority. The procedure "Delegated join" on page 26 provides more information.

Note: The user account must belong to a domain in the same AD forest as the domain the CIFS server is joining.

2. Add the CIFS server to the Data Mover with the server_cifs -add command. Table 18 on page 77 details the syntax to use for the appropriate domain relationship.

3. Join the CIFS server to the domain with the server_cifs -Join command. Table 18 on page 77 details the syntax to use for the appropriate domain relationship.

Delegated join

As an alternative to performing a CIFS server join by a default user (member of Domain Admins group), where the server_cifs -Join command automatically creates a computer account in the Active Directory, you can do the following:

- Create computer accounts for CIFS servers in the Windows Active Directory.
- Delegate authority to perform the join operation to an individual user or group from another domain within the same AD forest.

With these options, AD account creation can be separated from the join action. Therefore, a person other than the one who created the account in the AD can join the CIFS server to the domain.

Adding the user performing the join to the local administrator's group

Each CIFS server contains a set of built-in user groups: Administrators, Users, Guests, Power Names, Account Operators, Backup Operations, and Replicator. The Administrators group contains the users and groups authorized to manage the CIFS server. By default, the Administrator's group contains one entry for the Domain Admins group, which gives each member of the Domain Admins group the authority to manage the CIFS server.

If the domain join operation is delegated to a user not in the Local Administrator group, you must add this user to this group for the user to be able to manage the CIFS server. You can do this manually through the MMC, or automatically during the domain join process by first setting the following parameter to 1:

cifs djaddadmintolg=1

Delegating join authority

When you delegate join authority, the CIFS server can be joined to its domain by any user to whom you give authority. The user does not need specific Windows permissions, but must be in the same AD forest as the CIFS server.

You delegate join authority when you create the computer account in the Active Directory as shown in Figure 2.

Figure 2 Delegating join authority

Parameters for the join procedure

The following parameters, if set, are effective during the join operation. The Celerra Network Server Parameters Guide provides detailed information on these parameters.

- djusekpassword: If set to 0, forces the domain join procedure to set the CIFS server password using the Microsoft RPC protocol. Only do this if you are a delegated user assigned to the domain local group.
- djaddadmintolg: If set to 1, automatically adds the user performing the domain join procedure to the Local Administrator's group.
- djenforcedhn: If set to 0, enables the domain join procedure to continue without the dnshostname being set.

Note: Use djenforcedhn only as a temporary measure for access rights since the Data Mover authenticates Windows clients using NTLMSSP mode instead of Kerberos.

Table 4 shows the domain join parameter values that you must use to perform a delegated join in the same and/or disjoint namespace AD domain.

Table 4 Domain join parameter combinations

djusekpassword djaddadmintolg djenforcedhn Join delegated to: Domain Admins Group Member (Microsoft default) Domain User Account 1 (default) 0 (default) 1 (default) Domain Global Group Domain Local Group 0

Domains within the forest that do not have the same hierarchical domain name are in a different domain tree. When different domain trees are in a forest, the tree root domains are not contiguous. Disjoint namespace is the phrase used to describe the relationship between different domain trees within the forest.

Same namespace without a delegated join

Perform the following add and join procedures when:

- The DNS domain name and the Active Directory domain name are the same.
- You are using the default user account (member of domain admin group).

Creating a CIFS server

Use this procedure to create a CIFS server.

Action

To create the CIFS server for a Windows 2000 or Windows Server 2003 environment on the Data Mover, use this command syntax:

$ server_cifs <movername> -add compname=<comp_name>,domain=<full_domain_name>[,hidden={y|n}][,netbios=<netbios_name>][,interface=<if_name>][,dns=<if_suffix>]

Where:

<movername> = name of the specified Data Mover or VDM.

<comp_name> = Windows 2000 or Windows Server 2003-compatible CIFS server. The <comp_name> can be up to 63 UTF-8 characters and represents the name of the server to be registered in DNS.

Note: Each <comp_name> within a Celerra Network Server must be unique. A default CIFS server and CIFS servers within a VDM cannot co-exist on the same Data Mover. A default CIFS server is a global CIFS server assigned to all interfaces, and CIFS servers within a VDM require specified interfaces. If a VDM exists on a Data Mover, a default CIFS server cannot be created.

<full_domain_name> = Windows domain for the domain name. The <full_domain_name> must contain a dot (example: domain.com or mydomain.).

hidden={y|n} = By default, the computer name is displayed in Windows Explorer. If hidden=y is specified, the computer name does not appear.

<netbios_name> = (Optional) a NetBIOS name used in place of the default NetBIOS name. The default name is assigned automatically and is derived from the first 15 characters of the <comp_name>. You should enter an optional NetBIOS name if the first 15 characters of the <comp_name> do not conform to the NetBIOS naming conventions or if you want something other than the default.

<if_name> = interface to be used by the CIFS server being configured. If you add a CIFS server and do not specify any interfaces (with the interfaces= option), this server becomes the default CIFS server and uses all interfaces not assigned to other CIFS servers on the Data Mover. You can have only one default CIFS server per Data Mover.

<if_suffix> = different DNS suffix for the interface for DNS updates. By default, the DNS suffix is derived from the domain. This DNS option does not have any impact on the DNS settings of the Data Mover.

Example: To create CIFS server dm32-ana0 on server_2, type:

$ server_cifs server_2 -add compname=dm32-cge0,domain=universe.com,netbios=eng23b,interface=cge0

Output

server_2 : done

Notes

- User authentication method for CIFS servers in Windows 2000 or Windows Server 2003 environments must be NT mode. NT mode is the default user authentication method.
- You can assign only one compname and one NetBIOS name to a CIFS server. If you need to assign multiple compnames or NetBIOS names to a CIFS server, you must create aliases. "Assigning aliases to NetBIOS and computer names" on page 16 provides more information.
- NetBIOS names are limited to 15 characters and cannot begin with @ (at sign) or - (dash) character. The name also cannot include white space, tab characters, or the following symbols: / \ : ; , = * + [ ] ? < > "

Join CIFS server to a Windows domain

Use this procedure to join the CIFS server to a domain.

Action

To join the CIFS server to the Windows domain, use this command syntax:

$ server_cifs <movername> -Join compname=<comp_name>,domain=<full_domain_name>,admin=<admin_name@domain_name>

Where:

<movername> = name of the specified Data Mover or VDM.

<comp_name> = name for the CIFS server's account in the Active Directory. The <comp_name> can be up to 63 UTF-8 characters and represents the name of the server to be registered in DNS. If the primary DNS suffix of the CIFS server is different from the Windows domain, the <comp_name> must be a fully-qualified name. For example, if the Windows domain is win.com, the DNS primary suffix is abc.net, and the CIFS server is server1, the command would be server_cifs <movername> -Join compname=server1.abc.net,domain=win.com.

<full_domain_name> = the DNS name for the Windows domain. The <full_domain_name> must contain a dot (example: domain.com).

<admin_name@domain_name> = login name and full domain name of a user with sufficient rights to join a server to the domain. If you omit the domain name, the Data Mover assumes the user belongs to the domain that the CIFS server is joining. The user must be from a domain in the same AD forest.

Example: To join the CIFS server dm32-ana0 to the universe.com domain, type:

$ server_cifs server_2 -Join compname=dm32-cge0,domain=universe.com,admin=administrator

Output

server_2 : Enter Password: ******* done

Note

The user account and user password are used to create the account in the Active Directory, and are not stored after adding the machine account.
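The naming rules stated for the -add syntax above (a compname of up to 63 characters, a domain name containing a dot, the NetBIOS restrictions, and the default NetBIOS name taken from the first 15 characters of the compname) can be checked before the command is typed. The shell functions below are an added example, not EMC code; the function names are hypothetical, and the script only prints the server_cifs command line for review without running it.

```shell
#!/bin/sh
# Added example: pre-flight checks for server_cifs -add arguments, using only
# the naming rules stated on this page. Function names are hypothetical.

TAB=$(printf '\t')

# Print why a NetBIOS name is rejected and return 1; return 0 if it passes.
netbios_problem() {
    nb_name=$1
    [ -n "$nb_name" ] || { printf '%s\n' "is empty"; return 1; }
    # ${#var} counts bytes in some shells, so the 15-character limit is
    # checked exactly only for ASCII names.
    [ "${#nb_name}" -le 15 ] || { printf '%s\n' "is longer than 15 characters"; return 1; }
    case $nb_name in
        @*|-*) printf '%s\n' "begins with @ or -"; return 1 ;;
        *" "*|*"$TAB"*) printf '%s\n' "contains white space or a tab"; return 1 ;;
    esac
    # Symbols the page lists as not allowed in a NetBIOS name.
    for sym in '/' '\' ':' ';' ',' '=' '*' '+' '[' ']' '?' '<' '>' '"'; do
        case $nb_name in
            *"$sym"*) printf '%s\n' "contains forbidden symbol $sym"; return 1 ;;
        esac
    done
    return 0
}

# Default NetBIOS name: the first 15 characters of the compname.
default_netbios() {
    printf '%.15s' "$1"
}

# check_add_args <comp_name> <full_domain_name> [netbios_name]
# Prints one line per problem; returns 0 only when every check passes.
check_add_args() {
    comp=$1
    dom=$2
    nb=${3:-}
    rc=0
    if [ -z "$comp" ] || [ "${#comp}" -gt 63 ]; then
        printf '%s\n' "compname: must be 1 to 63 characters"
        rc=1
    fi
    case $dom in
        *.*) ;;
        *) printf '%s\n' "domain: '$dom' must contain a dot (example: domain.com)"
           rc=1 ;;
    esac
    if [ -n "$nb" ]; then
        why=$(netbios_problem "$nb") || {
            printf '%s\n' "netbios: '$nb' $why"
            rc=1
        }
    else
        # No netbios= given: the default derived from the compname must itself
        # satisfy the NetBIOS rules, otherwise netbios= has to be supplied.
        derived=$(default_netbios "$comp")
        why=$(netbios_problem "$derived") || {
            printf '%s\n' "netbios: default '$derived' $why; specify netbios=<netbios_name>"
            rc=1
        }
    fi
    return $rc
}

# build_add_cmd <movername> <comp_name> <full_domain_name> [netbios_name] [if_name]
# Prints the command line for review; it does not run server_cifs.
build_add_cmd() {
    cmd="server_cifs $1 -add compname=$2,domain=$3"
    if [ -n "${4:-}" ]; then cmd="$cmd,netbios=$4"; fi
    if [ -n "${5:-}" ]; then cmd="$cmd,interface=$5"; fi
    printf '%s\n' "$cmd"
}

# Sample values taken from the page's own example command.
check_add_args dm32-cge0 universe.com eng23b &&
    build_add_cmd server_2 dm32-cge0 universe.com eng23b cge0
```
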

Same namespace and a delegated join

Note: Before performing this procedure, you must complete the steps outlined in "Configuration prerequisites" on page 23 and "Delegated join" on page 26.

Perform the following add and join procedures when:

- The DNS domain name and the Active Directory domain name are the same.
- You are using a delegated user account.

Creating a CIFS server

Use this procedure to create a CIFS server.

Action

To create the CIFS server for a Windows 2000 or Windows Server 2003 environment on the Data Mover, use this command syntax:

$ server_cifs <movername> -add compname=<comp_name>,domain=<full_domain_name>[,hidden={y|n}][,netbios=<netbios_name>][,interface=<if_name>][,dns=<if_suffix>]

Where:

<movername> = name of the specified Data Mover or VDM.

<comp_name> = Windows 2000 or Windows Server 2003-compatible CIFS server. The <comp_name> can be up to 63 UTF-8 characters and represents the name of the server to be registered in DNS.

Note: Each <comp_name> within a Celerra Network Server must be unique. A default CIFS server and CIFS servers within a VDM cannot co-exist on the same Data Mover. A default CIFS server is a global CIFS server assigned to all interfaces, and CIFS servers within a VDM require specified interfaces. If a VDM exists on a Data Mover, a default CIFS server cannot be created.

<full_domain_name> = Windows domain for the domain name. The <full_domain_name> must contain a dot (example: domain.com or mydomain.).

hidden={y|n} = By default, the computer name is displayed in Windows Explorer. If hidden=y is specified, the computer name does not appear.

<netbios_name> = (Optional) NetBIOS name used in place of the default NetBIOS name. The default name is assigned automatically and is derived from the first 15 characters of the <comp_name>. You should enter an optional NetBIOS name if the first 15 characters of the <comp_name> do not conform to the NetBIOS naming conventions or if you want something other than the default.

<if_name> = interface to be used by the CIFS server being configured. If you add a CIFS server and do not specify any interfaces (with the interfaces= option), this server becomes the default CIFS server and uses all interfaces not assigned to other CIFS servers on the Data Mover. You can only have one default CIFS server per Data Mover.

<if_suffix> = different DNS suffix for the interface for DNS updates. By default, the DNS suffix is derived from the domain. This DNS option does not have any impact on the DNS settings of the Data Mover.

Example: To create CIFS server dm32-ana0 on server_2, type:

$ server_cifs server_2 -add compname=dm32-cge0,domain=universe.com,netbios=eng23b,interface=cge0

Output

server_2 : done

Note

- User authentication method for CIFS servers in Windows 2000 or Windows Server 2003 environments must be NT mode. NT mode is the default user authentication method.
- You can only assign one compname and one NetBIOS name to a CIFS server. If you need to assign multiple compnames or NetBIOS names to a CIFS server, you must create aliases. "Assigning aliases to NetBIOS and computer names" on page 16 provides more information.
- NetBIOS names are limited to 15 characters and cannot begin with @ (at sign) or - (dash) character. The name also cannot include white space, tab characters, or the following symbols: / \ : ; , = * + [ ] ? < > "

Join CIFS Server to a Windows domain

Use this procedure to join the CIFS server to a domain.

Action

To join the CIFS server to the Windows domain, use this command syntax:

$ server_cifs <movername> -Join compname=<comp_name>,domain=<full_domain_name>,admin=<user_name@ad_name>

Where:

<movername> = name of the specified Data Mover or VDM.

<comp_name> = name for the CIFS server's account in the Active Directory. The <comp_name> can be up to 63 UTF-8 characters and represents the name of the server to be registered in DNS.

Note: If the primary DNS suffix of the CIFS server is different from the Windows domain, the <comp_name> must be a fully-qualified name. For example, if the Windows domain is win.com, the DNS primary suffix is abc.net, and the CIFS server is server1, the command would be server_cifs <movername> -Join compname=server1.abc.net,domain=win.com.

<full_domain_name> = DNS name for the Windows domain. The <full_domain_name> must contain a dot (example: domain.com).

<user_name@ad_name> = delegated user login name and domain name of the Active Directory.

Example: To join the CIFS server dm32-ana0 to the universe.com domain, type:

$ server_cifs server_2 -Join compname=dm32-cge0,domain=universe.com,[email protected]

Output

server_2 : Enter Password: ******* done

Note

The user account and user password are used to create the account in the Active Directory, and are not stored after adding the machine account.

Disjoint namespace without a delegated join

Note: Before performing this procedure, you must complete the steps outlined in "Configuration prerequisites" on page 23 and "Delegated join" on page 26.

Perform the following add and join procedures when:

- The DNS domain name and the Active Directory domain name are different.
- You are using the default user account (member of domain admin group).

Creating a CIFS server

Use this procedure to create a CIFS server.

Action

To create the CIFS server for a Windows 2000 or Windows Server 2003 environment on the Data Mover, use this command syntax:

$ server_cifs <movername> -add compname=<comp_name>,domain=<full_domain_name>[,hidden={y|n}][,netbios=<netbios_name>][,interface=<if_name>][,dns=<if_suffix>]

Where:

<movername> = name of the specified Data Mover or VDM.

<comp_name> = Windows 2000 or Windows Server 2003-compatible CIFS server. The <comp_name> can be up to 63 UTF-8 characters and represents the name of the server to be registered in DNS.

Note: Each <comp_name> within a Celerra Network Server must be unique. A default CIFS server and CIFS servers within a VDM cannot co-exist on the same Data Mover. A default CIFS server is a global CIFS server assigned to all interfaces, and CIFS servers within a VDM require specified interfaces. If a VDM exists on a Data Mover, a default CIFS server cannot be created.

<full_domain_name> = Windows domain for the domain name. The <full_domain_name> must contain a dot (example: domain.com or mydomain.).

hidden={y|n} = By default, the computer name is displayed in Windows Explorer. If hidden=y is specified, the computer name does not appear.

<netbios_name> = (Optional) NetBIOS name used in place of the default NetBIOS name. The default name is assigned automatically and is derived from the first 15 characters of the <comp_name>. You should enter an optional NetBIOS name if the first 15 characters of the <comp_name> do not conform to the NetBIOS naming conventions or if you want something other than the default.

<if_name> = interface to be used by the CIFS server being configured. If you add a CIFS server and do not specify any interfaces (with the interfaces= option), this server becomes the default CIFS server and uses all interfaces not assigned to other CIFS servers on the Data Mover. You can only have one default CIFS server per Data Mover.

<if_suffix> = different DNS suffix for the interface for DNS updates. By default, the DNS suffix is derived from the domain. This DNS option does not have any impact on the DNS settings of the Data Mover.

Example: To create CIFS server dm32-ana0 on server_2, type:

$ server_cifs server_2 -add compname=dm32-cge0,domain=universe.com,netbios=eng23b,interface=cge0,dns=nasdocs.emc.com

Output

server_2 : done

Note

- You can only assign one compname and one NetBIOS name to a CIFS server. If you need to assign multiple compnames or NetBIOS names to a CIFS server, you must create aliases. "Assigning aliases to NetBIOS and computer names" on page 16 provides more information.
- NetBIOS names are limited to 15 characters and cannot begin with @ (at sign) or - (dash) character. The name also cannot include white space, tab characters, or the following symbols: / \ : ; , = * + [ ] ? < > "

Join CIFS server to a Windows domain

Use this procedure to join the CIFS server to a domain.

Action

To join the CIFS server to the Windows domain, use this command syntax:

$ server_cifs <movername> -Join compname=<comp_name.fqdn>,domain=<full_domain_name>,admin=<admin_name@domain_name>

Where:

<movername> = name of the specified Data Mover or VDM.

<comp_name.fqdn> = name for the CIFS server's account in the Active Directory. The <comp_name> can be up to 63 UTF-8 characters and represents the name of the server to be registered in DNS. For disjoint namespaces, you must enter compname.fqdn (fully-qualified domain name); otherwise, the AD attributes are not updated. For example: compname=dm32-cge0.nasdocs.emc.com

Note: If the primary DNS suffix of the CIFS server is different from the Windows domain, the <comp_name> must be a fully-qualified name. For example, if the Windows domain is win.com, the DNS primary suffix is abc.net, and the CIFS server is server1, the command would be server_cifs <movername> -Join compname=server1.abc.net,domain=win.com.

<full_domain_name> = DNS name for the Windows domain. The <full_domain_name> must contain a dot (example: domain.com).

<admin_name@domain_name> = login name and full domain name of a user with sufficient rights to join a server to the domain. If you omit the domain name, the Data Mover assumes the user belongs to the domain that the CIFS server is joining. The user must be from a domain in the same AD forest.

Example: To join the CIFS server dm32-ana0 to the universe.com domain, type:

$ server_cifs server_2 -Join compname=dm32-cge0.nasdocs.emc.com,domain=universe.com,admin=administrator

Output

server_2 : Enter Password: ******* done

Note

The user account and user password are used to create the account in the Active Directory, and are not stored after adding the machine account.

Disjoint namespace and a delegated join

Note: Before performing this procedure, you must complete the steps outlined in "Configuration prerequisites" on page 23 and "Delegated join" on page 26.

Perform the following add and join procedures when:

- The DNS domain name and the Active Directory domain name are different.
- You are using a delegated user account.

Creating a CIFS server

Use this procedure to create a CIFS server.

Action

To create the CIFS server for a Windows 2000 or Windows Server 2003 environment on the Data Mover, use this command syntax:

$ server_cifs <movername> -add compname=<comp_name>,domain=<full_domain_name>[,hidden={y|n}][,netbios=<netbios_name>][,interface=<if_name>][,dns=<if_suffix>]

Where:

<movername> = name of the specified Data Mover or VDM.

<comp_name> = Windows 2000 or Windows Server 2003-compatible CIFS server. The <comp_name> can be up to 63 UTF-8 characters and represents the name of the server to be registered in DNS.

Note: Each <comp_name> within a Celerra Network Server must be unique. A default CIFS server and CIFS servers within a VDM cannot co-exist on the same Data Mover. A default CIFS server is a global CIFS server assigned to all interfaces, and CIFS servers within a VDM require specified interfaces. If a VDM exists on a Data Mover, a default CIFS server cannot be created.

<full_domain_name> = Windows domain for the domain name. The <full_domain_name> must contain a dot (example: domain.com or mydomain.).

hidden={y|n} = By default, the computer name is displayed in Windows Explorer. If hidden=y is specified, the computer name does not appear.

<netbios_name> = (Optional) NetBIOS name used in place of the default NetBIOS name. The default name is assigned automatically and is derived from the first 15 characters of the <comp_name>. You should enter an optional NetBIOS name if the first 15 characters of the <comp_name> do not conform to the NetBIOS naming conventions or if you want something other than the default.

<if_name> = interface to be used by the CIFS server being configured. If you add a CIFS server and do not specify any interfaces (with the interfaces= option), this server becomes the default CIFS server and uses all interfaces not assigned to other CIFS servers on the Data Mover. You can only have one default CIFS server per Data Mover.

<if_suffix> = different DNS suffix for the interface for DNS updates. By default, the DNS suffix is derived from the domain. This DNS option does not have any impact on the DNS settings of the Data Mover.

Example: To create CIFS server dm32-ana0 on server_2, type:

$ server_cifs server_2 -add compname=dm32-cge0,domain=universe.com,netbios=eng23b,interface=cge0,dns=nasdocs.emc.com

Output

server_2 : done

Note

- User authentication method for CIFS servers in Windows 2000 or Windows Server 2003 environments must be NT mode. NT mode is the default user authentication method.
- You can only assign one compname and one NetBIOS name to a CIFS server. If you need to assign multiple compnames or NetBIOS names to a CIFS server, you must create aliases. "Assigning aliases to NetBIOS and computer names" on page 16 provides more information.
- NetBIOS names are limited to 15 characters and cannot begin with @ (at sign) or - (dash) character. The name also cannot include white space, tab characters, or the following symbols: / \ : ; , = * + [ ] ? < > "

Join CIFS server to a Windows domain

Use this procedure to join the CIFS server to a domain.

Action

To join the CIFS server to the Windows domain, use this command syntax:

$ server_cifs <movername> -Join compname=<comp_name.fqdn>,domain=<full_domain_name>,admin=<user_name@ad_name>[,dns=<if_suffix>]

Where:

<movername> = name of the specified Data Mover or VDM.

<comp_name> = name for the CIFS server's account in the Active Directory. The <comp_name> can be up to 63 UTF-8 characters and represents the name of the server to be registered in DNS. For disjoint namespaces, you must enter compname.fqdn (fully-qualified domain name); otherwise, the AD attributes are not updated. For example: compname=dm32-cge0.nasdocs.emc.com

Note: If the primary DNS suffix of the CIFS server is different from the Windows domain, the <comp_name> must be a fully-qualified name. For example, if the Windows domain is win.com, the DNS primary suffix is abc.net, and the CIFS server is server1, the command would be server_cifs <movername> -Join compname=server1.abc.net,domain=win.com.

<full_domain_name> = DNS name for the Windows domain. The <full_domain_name> must contain a dot (example: domain.com).

<user_name@ad_name> = delegated user login name and domain name of the Active Directory.

Example: To join the CIFS server dm32-ana0 to the universe.com domain, type:

$ server_cifs server_2 -Join compname=dm32-cge0.nasdocs.emc.com,domain=universe.com,[email protected]

Output

server_2 : Enter Password: ******* done

Note

- You can join a CIFS server to a domain in a Windows environment where the Active Directory namespace is named independently from the DNS namespace.
- The user account and user password are used to create the account in the Active Directory, and are not stored after adding the machine account.

Managing file systems

This section outlines concepts and tasks associated with managing file systems in a Windows environment on your Celerra Network Server, including establishing synchronous writes, opportunistic file locking, and file change notifications.

Ensuring synchronous writes

The cifssyncwrite option of the server_mount command is used to enhance the support for storing and accessing database files via CIFS on the Celerra Network Server. This special mount option guarantees that any write to the file server is done synchronously. For Windows, it is important to make sure this option is specified if the Celerra Network Server will be used to store certain database files. This is recommended to avoid chances of data loss or file corruption across various failure scenarios, for example, loss of power.

Note: Use of the cifssyncwrite option is not recommended unless you require database access via the Celerra Network Server.

Use this procedure to mount a file system with the cifssyncwrite option.

Action

To mount a file system to ensure synchronous writes, use this command syntax:

$ server_mount <movername> -o cifssyncwrite <fs_name> <mount_point>

Where:

<movername> = name of the specified Data Mover or VDM.

<fs_name> = name of the file system being mounted.

<mount_point> = name of the mount point.

Example: To mount the file system ufs1 with ensured synchronous writes, type:

$ server_mount server_2 -o cifssyncwrite ufs1 /ufs1

Output

server_2 : done

Note

A <mount_point> must begin with a forward slash (/).

Opportunistic file locking

Opportunistic file locks (oplocks) improve network performance by allowing CIFS clients to locally buffer file data before sending it to the server. These locks are configured per file system and are on by default. Unless you are using a database application that recommends oplocks be turned off, or if you are handling critical data and cannot afford any data loss, leave oplocks on.
Celerra Network Server supports level II, exclusive, and batch oplocks (filter oplocks are not applicable to a remote file server):

- Level II oplocks: When held, a level II oplock informs a client that multiple clients are currently accessing a file, but no client has yet modified it. A level II oplock lets the client perform reads and file attribute fetches using cached or read-ahead local information. All other file access requests must be sent to the server.

- Exclusive oplocks: When held, an exclusive oplock informs a client that it is the only client opening the file. An exclusive oplock lets a client perform all file operations using cached or read-ahead information until it closes the file, at which time the server must be updated with any changes made to the state of the file (contents and attributes).

- Batch oplocks: When held, a batch oplock informs a client that it is the only client opening the file. A batch oplock lets a client perform all file operations using cached or read-ahead information (including opens and closes); therefore, the server can keep a file opened for a client even though the local process on the client machine has closed the file. This mechanism curtails the amount of network traffic by letting clients skip the extraneous close and open requests.

Turning oplocks off

Use this procedure to turn oplocks off for a specific file system.

Important: Performance may drop significantly if oplocks are disabled.

CAUTION: In a Microsoft network, opportunistic locks can result in the loss of data if a Windows client or Windows server crashes or if network problems occur.

Action

To turn oplocks off for a file system, use this command syntax:

$ server_mount <movername> -o nooplock <fs_name> <mount_point>

Where:
<movername> = name of the specified Data Mover or VDM.
<fs_name> = name of the file system being mounted.
<mount_point> = name of the mount point.

Example:
To mount the file system ufs1 with oplocks turned off, type:

$ server_mount server_2 -o nooplock ufs1 /ufs1

Output

server_2: done

Note: A <mount_point> must begin with a forward slash (/).

File change notification

Applications running on Windows platforms, using the Win32 API, can register with the CIFS server (or local OS) to be notified if and when certain actions are taken against file or directory contents (such as create file, rename file, delete, etc.).
For example, this feature can indicate when a display needs to be refreshed (Windows Explorer) or when cache needs to be refreshed (Microsoft Internet Information Server), without having to constantly poll the CIFS server (or local OS).

The Win32 API, and thus the CIFS protocol, supports the ability to specify the root of the directory tree that requires monitoring. If a subdirectory is specified, changes occurring above the specified directory will not notify the application. To monitor changes occurring to directories beneath the specified directory, the application can also set the WatchSubTree bit. By default, monitoring for changes occurring in up to 512 directory levels beneath the root is supported.

After receiving a change notification response, the application must reissue or reset the monitoring process in order to be notified of further modifications.

Note: Changes can also be buffered and notification can be satisfied by a single response to the client requesting the monitoring.

Limitations

File change notification can only be used in a pure CIFS environment. Therefore, changes to files and/or directories will not notify if performed from NFS, FTP, or MPFS clients. This functionality is only supported when the user authentication method on the Data Mover is set to NT.

Configuring file change notification

The notify option is automatically on by default. You may want to disable the notify option if you have performance issues. Use this procedure to turn off file change notification.

Action

To disable the notify feature for a file system, use this command syntax:

$ server_mount <movername> -o nonotify <fs_name> <mount_point>

Where:
<movername> = name of the specified Data Mover or VDM.
<fs_name> = name of the file system being mounted.
<mount_point> = name of the mount point.

Example:
To disable the notify feature for file system ufs1 on server_2, type:

$ server_mount server_2 -o nonotify ufs1 /ufs1

Output

server_2: done

Note: A directory file must be opened before this command is used.
A <mount_point> must begin with a forward slash (/).

Configuring other file change notification options

In addition, you can configure the following notify options:

Table 5 File change notification options

Option: triggerlevel=<value>
Description: Specifies how many directory levels beneath the monitored directory are monitored for changes. <value> must be in hexadecimal format.
Default value: 512 levels (0x )
Example: The following example shows a configuration for up to 15 directory levels:
$ server_mount server_2 -o triggerlevel=0x f ufs1 /ufs1

Option: notifyonwrite
Description: Provides a notification of write access to a file system. This option is useful when an application needs to be notified of file writes before closing the file.
Default value: disabled
Example: The following example enables notifyonwrite:
$ server_mount server_2 -o notifyonwrite ufs1 /ufs1

Option: notifyonaccess
Description: Provides a notification of the access time of a modification.
Default value: disabled
Example: The following example enables both notifyonaccess and notifyonwrite:
$ server_mount server_2 -o notifyonaccess,notifyonwrite ufs1 /ufs1

Note: The notifyonwrite and notifyonaccess options are disabled by default for performance reasons.

Reexporting all Celerra file systems

You can reexport all exported Celerra file systems at once from a Celerra Network Server while the file server is running. The operation reexports all entries in the export table on the file server. You can use this feature when you want to reexport file systems that you have temporarily unexported.

Use this procedure to reexport all Celerra file systems from a Celerra Network Server.

Action

To reexport all Celerra file systems exported from a Celerra Network Server, type:

$ server_export ALL -all

Output

server_2 : done
server_3 : done
server_4 : done

Disabling access to all file systems on a Data Mover

Use this procedure to permanently disable all access to all file systems on a Data Mover.

Action

To permanently disable all access to all file systems on a Data Mover, use this command syntax:

$ server_export <movername> -unexport -perm -all

Where:
<movername> = name of the Data Mover

Example:
To permanently disable all access to all file systems on server_3, type:

$ server_export server_3 -unexport -perm -all

Output

server_3: done

CAUTION: This operation deletes the contents of the export table and prevents all client access to file systems on the Data Mover. To reestablish client access to file systems on the file server, you must rebuild the export table by reexporting each CIFS share and NFS path on the Data Mover.

Stopping and starting the CIFS service

The following sections provide instructions for stopping and starting the CIFS service on a Data Mover.

CAUTION: Stopping the CIFS service on a Data Mover prohibits users from accessing all CIFS servers on that Data Mover.

Stopping the CIFS service

Use this command to stop a CIFS service.

Action

To stop CIFS service for a Data Mover, use this command syntax:

$ server_setup <movername> -P cifs -option stop

Where:
<movername> = name of the specified Data Mover

Example:
To stop the CIFS service on server_2, type:

$ server_setup server_2 -P cifs -o stop

Output

server_2: done

Starting the CIFS service

Use this command to start the CIFS service.

Action

To start the CIFS service, use this command syntax:

$ server_setup <movername> -P cifs -o start[=<n>]

Where:
<movername> = name of the specified Data Mover.
-P cifs -o start = activates the protocol configuration for the specified Data Mover.
[=<n>] = number of threads for all CIFS activity on the Data Mover, not the number of threads per CIFS server. The default number of CIFS threads depends on the memory size of the Data Mover. If the memory size is less than 1 GB, the default is 32 threads. For 510 Data Movers and NS series Celerra systems with 3 GB or more of memory, the default number of threads is 256.

Example:
To start the CIFS service on server_2, type:

$ server_setup server_2 -P cifs -o start

Output

server_2 : done

Deleting a CIFS server

This section describes how to delete a CIFS server from a Data Mover configuration in a Windows 2000, Windows Server 2003, and Windows NT environment.

Note: Before deleting a CIFS server from a Data Mover, make sure that there are no active sessions associated with the CIFS server. Use server management tools (MMC or Server Manager) to close all active sessions.

Deleting a CIFS server (Windows 2000/Windows Server 2003)

CAUTION: If writes are in process during the deletion of a CIFS server, data loss can occur. Before you perform this procedure, notify all users ahead of time that the CIFS server will no longer be available.

Use this procedure to remove a CIFS server from a Data Mover's configuration and from the Active Directory.

Step 1. Unjoin the computer from the domain by using this command syntax:

$ server_cifs <movername> -Unjoin compname=<comp_name>, domain=<full_domain_name>

Where:
<movername> = name of the specified Data Mover
<comp_name> = computer name of the CIFS server
<full_domain_name> = full domain name for the Windows environment; must contain a dot (example: domain.com)

Step 2. Remove the CIFS server by using this command syntax:

$ server_cifs <movername> -delete compname=<comp_name>

Where:
<movername> = name of the specified Data Mover
<comp_name> = computer name of the CIFS server

Deleting a CIFS server (Windows NT)

CAUTION: If writes are in process during the deletion of a CIFS server, data loss can occur. Before you perform this procedure, notify all users that the CIFS server will no longer be available.

Use this command to remove a CIFS server from a Data Mover's configuration.

Step 1. Remove the CIFS server by using this command syntax:

$ server_cifs <movername> -delete netbios=<netbios_name>

Where:
<movername> = name of the specified Data Mover
<netbios_name> = NetBIOS name for the CIFS server

Note: This command does not delete the NetBIOS entry from the PDC (primary domain controller).

Enabling home directories

The Celerra home directory feature lets you create a single share, called HOME, to which all users connect. You do not have to create individual shares for each user. The home directory feature simplifies the administration of personal shares and the process of connecting to them by letting you associate a username with a directory that then acts as the user's home directory. The home directory is mapped in a user's profile so that upon login, the home directory is automatically connected to a network drive.

Note: If a client system (such as Citrix Metaframe or Windows Terminal Server) supports more than one Windows user concurrently and caches file access information, the Celerra HOME directory feature may not function as desired. With the Celerra's home directory capability, the path to the home directory for each user is the same from the perspective of a Celerra client. For example, if a user writes to a file in the home directory, and then another user reads a file in the home directory, the second user's request is completed using the cached data from the first user's home directory. Since the files have the same pathname, the client system assumes they are the same file.

Table 6 explains the tasks to enable the home directory feature for a Data Mover. You must have created and started the CIFS service before performing this procedure.

Table 6 Enabling home directories

Task 1. Create the database.
Procedure: "Creating the database"

Task 2. Enable home directories on the Data Mover.
Procedure: "Enabling home directories on the Data Mover" on page 47
Note: The home directory feature is disabled by default.

Task 3. Create the home directories.
Procedure: "Creating the home directory file"

Task 4. Add home directories to user profiles.
Procedure: "Adding home directories to user profiles" on page 48

On Windows 2000 and Windows 2003 server systems, you can enable and manage home directories through the Celerra Home Directory Management snap-in for MMC. The Installing Celerra Management Applications technical module provides information on installing the snap-in. The snap-in online help describes the procedures for enabling and managing home directories.

Restrictions

A special share name, HOME, is reserved for the home directory feature. Because of this limitation, the following restrictions apply:

- The home directory feature is not available on CIFS servers configured with SHARE- or UNIX-level security.
- If you have created a share called HOME, you cannot enable the home directory feature.
- If you have enabled the home directory feature, you cannot create a share called HOME.

A home directory is configured in a user's Windows user profile by using the UNC path:

\\<cifs_server>\home

Where:
<cifs_server> = IP address, computer name, or NetBIOS name of the CIFS server.
HOME = a special share that is reserved for the home directory feature.

When HOME is used in the path for a user's home directory and the user logs in, the user's home directory is automatically mapped to a network drive and the HOMEDRIVE, HOMEPATH, and HOMESHARE environment variables are automatically set.

Creating the database

To use the home directory feature, you must create a database file, named homedir, which maps each domain/username combination to the user's home directory location.

Note: EMC recommends that you use the Celerra Management MMC plug-in to create and edit user home directory entries. The MMC plug-in validates your entries as you enter them. If you create or edit the homedir file and enter an incorrect entry, your home directory environment may become unusable.

When you create the initial entry using the Home Directory MMC snap-in, the snap-in creates a new database on your Data Mover.

Enabling home directories on the Data Mover

The home directory feature is enabled by default. After you create the database, use the following procedure to enable home directories on the Data Mover:

$ server_cifs <movername> -option homedir

Where:
<movername> = name of the Data Mover

Creating the home directory file

You need to create a home directory for each user specified in the database. You can create the directories by selecting the create option when you create or edit your home directory entries. For more information about creating directories automatically, see the Celerra Management MMC plug-in online help. "Appendix A: Additional home directory information" on page 91 provides more information about the home directory database file.

Adding home directories to user profiles

To allow users access to individual home directories, you must map the home directory in each user profile with the following path:

\\<cifs_server>\home

Where:
<cifs_server> = IP address, computer name, or NetBIOS name of the CIFS server.
HOME = special share name reserved for the home directory feature.

Adding home directories (Windows 2000/Windows Server 2003)

Use this procedure to add a home directory in a Windows 2000 or Windows Server 2003 domain:

Step 1. Log in to a Windows server from a domain administrator account.

Step 2. Click Start and select Programs > Administrative Tools > Active Directory Users and Computers.

Step 3. Click Users to display the users in the right pane.

Step 4. Right-click a user and select Properties. The user's property sheet appears.

Step 5. Click the Profile tab and under Home folder:
a. Select Connect.
b. Select the drive letter you want to map to the home directory.
c. Enter the following in the To field:

\\<cifs_server>\home

Where:
<cifs_server> = IP address, computer name, or NetBIOS name of the CIFS server.

Step 6. Click OK.

Adding home directories from Windows NT

Use this procedure to add a home directory in a Windows NT domain.

Step 1. Log in to a Windows server from a domain administrator account.

Step 2. Click Start and select Programs > Administrative Tools > User Manager for Domains.
Result: The User Manager for Domains appears.

Step 3. Double-click a username.
Result: The user's property sheet appears.

Step 4. Click Profile.
Result: The User Environment Profile dialog box appears.

Step 5. Under Home Directory:
a. Select Connect.
b. Select the drive letter you want to map to the home directory.
c. Enter the following in the To field:

\\<cifs_server>\home

Where:
<cifs_server> = IP address, computer name, or NetBIOS name of the CIFS server.

Step 6. Click OK.

Adding home directories with regular expressions

Use this procedure to add a home directory to a Windows 2000 or Windows Server 2003 user account, using regular expressions.

Step 1. Log in to a Windows server from a domain administrator account.

Step 2. Click Start and select Programs > Administrative Tools > Celerra Management.

Step 3. Right-click the HomeDir folder icon and select New > home directory entry. The home directory property sheet appears.

Step 4.
a. In the Domain field, enter a regular expression. In this example, the expression matches any domain name that begins with DOC.
b. In the User name, enter a regular expression. In this example, an asterisk matches any user name.
c. In the Path field, enter:

\homedirs\<u>

In this example, homedirs is the share where home directories are stored. <u> is the user's login name. A directory with the same name as the user's login name will be created, if it does not already exist.

Step 5. Click OK.

Supporting Group Policy Objects

The following sections introduce Microsoft Group Policy Objects (GPOs) and how the Celerra Network Server provides GPO support. In addition, this section discusses how to manage GPO support on the Celerra Network Server.

Introduction to Microsoft Group Policy Objects

In Windows 2000 or Windows Server 2003, administrators can use Group Policy to define configuration options for groups of users and computers. Windows Group Policy Objects can control elements such as local, domain, and network security settings. The Group Policy settings are stored in GPOs that are linked to the site, domain, and organizational unit (OU) containers in the Active Directory. The domain controllers replicate GPOs on all domain controllers within the domain.

Audit Policy is a component of the Data Mover Security Settings snap-in, which is installed as a Microsoft Management Console (MMC) snap-in into the Celerra Management Console on a Windows 2000 and Windows Server 2003 system. The Installing Celerra Management Applications technical module provides installation instructions.

You can use audit policies to determine which Data Mover security events are logged in the Security log. You can select to log successful attempts, failed attempts, both, or neither. Audited events are viewed in the Security log of the Windows Event Viewer.

The audit policies that appear in the Audit Policy node are a subset of the policies available as Group Policy Objects in Active Directory Users and Computers. These audit policies are local policies and apply only to the selected Data Mover. You cannot use the Audit Policy node to manage GPO audit policies.

If an audit policy is defined as a GPO in ADUC, the GPO setting overrides the local setting. When the domain administrator changes an audit policy on the domain controller, that change is reflected on the Data Mover and can be viewed using the Audit Policy node. You can change the local audit policy, but it will not be in effect until the GPO for that audit policy is disabled. If auditing is disabled, the GPO setting remains in the Effective setting column.

Note: You cannot use Microsoft's Windows Local Policy Setting tools to manage audit policies on a Data Mover because in Windows 2000, Windows Server 2003, and Windows XP, the Windows Local Policy Setting tools do not allow you to remotely manage audit policies.

GPO support on the Celerra Network Server

The Celerra Network Server provides support for GPOs by retrieving and storing a copy of the GPO settings for each CIFS server joined to a Windows 2000 or Windows Server 2003 domain. The Celerra Network Server stores the GPO settings in a GPO cache on the Data Mover. Although there may be multiple CIFS servers on a Data Mover, there is only one GPO cache per Data Mover.

When you start the CIFS service on a Data Mover, the Celerra Network Server reads the settings stored in the GPO cache, and then retrieves the most recent GPO settings from the Windows domain controller. The Celerra Network Server also retrieves GPO settings whenever a Celerra CIFS server is joined to a domain with the server_cifs -Join command.

After retrieving the GPO settings, the Celerra Network Server automatically updates the settings based on the domain's refresh interval. If the refresh interval is not defined in the domain, it updates these settings every 90 minutes (Data Mover's refresh default). You can force an update anytime by issuing the server_security command. "Updating GPO settings" on page 59 provides instructions.

Supported settings

Celerra Network Server currently supports the following GPO Security settings:

Kerberos
- Maximum tolerance for computer clock synchronization (clock skew)
  Note: Because time synchronization is done per Data Mover, not per CIFS server, if you configure multiple CIFS servers on a Data Mover for multiple domains, then all the time sources for these domains must be in the same time zone.
- Maximum lifetime for user ticket

Audit policy
- Audit account logon events
- Audit account management
- Audit directory service access
- Audit logon events
- Audit object access
- Audit policy change
- Audit privilege use
- Audit process tracking
- Audit system events

User rights
- Access this computer from the network
- Back up files and directories
- Bypass traverse checking
- Deny access to this computer from the network
- EMC virus checking
- Generate security audits
- Manage auditing and security log

- Restore files and directories
- Take ownership of files or other objects

Security options
- Digitally sign client communication (always)
- Digitally sign client communication (when possible)
- Digitally sign server communication (always)
- Digitally sign server communication (when possible)
- LAN Manager Authentication Level

Event logs
- Maximum application log size
- Maximum security log size
- Maximum system log size
- Restrict guest access to application log
- Restrict guest access to security log
- Restrict guest access to system log
- Retain application log
- Retain security log
- Retain system log
- Retention method for application log
- Retention method for security log
- Retention method for system log

Group policy
- Disable background refresh of Group Policy
- Group Policy refresh interval for computers

Multiple CIFS servers on a Data Mover

CIFS servers on a Data Mover can have different GPO settings if they belong to separate organizational units. When a Data Mover has more than one CIFS server, the system processes the GPO audit and event log settings in a certain way, as explained in Table 7 on page 55.

Audit policies are resolved by combining settings from the multiple servers on the Data Mover and using the most secure setting. The CIFS servers are processed in the order in which they were joined to the domain.

Event log policies are resolved by using the most secure setting of all the related settings on the CIFS server. For example, for the maximum application log size setting, the system looks at the log size setting of each server on the Data Mover, and then uses the largest size.

Table 7 GPO settings requiring conflict resolution

Setting | Conflict resolution | Note

Audit:
Audit account logon events | Most audits | Settings are: No audit, Audit success, Audit failure, Audit success and failure. Example: If a Data Mover has two CIFS servers, one with a success setting and the other with a failure setting, the system combines both settings to use for its auditing. In this example, the most secure setting of success and failure is used.

Event logs:
Maximum application log size | Largest size |
Maximum security log size | Largest size |
Maximum system log size | Largest size |
Restrict guest access to application log | Most secure setting | Least to most secure setting is Disabled -> Enabled
Restrict guest access to security log | Most secure setting | Least to most secure setting is Disabled -> Enabled
Restrict guest access to system log | Most secure setting | Least to most secure setting is Disabled -> Enabled
Retain application log | Largest number of days | Overwrites after x days
Retain security log | Largest number of days | Overwrites after x days
Retain system log | Largest number of days | Overwrites after x days
Retention method for application log | Most secure overwrite | Least to most secure overwrite is days -> as needed -> never
Retention method for security log | Most secure overwrite | Least to most secure overwrite is days -> as needed -> never
Retention method for system log | Most secure overwrite | Least to most secure overwrite is days -> as needed -> never

Displaying GPO settings

Use this command to display the GPO settings of a Data Mover.

Action

To display the current GPO settings for the specified Data Mover, use this command syntax:

$ server_security <movername> ALL -info -policy gpo [server=<server_name> domain=<domain_name>]

Where:
<movername> = name of the specified Data Mover.
ALL = all Data Movers.
server=<server_name> domain=<domain_name> (Optional). Limit the query to the specified CIFS server or domain. The <server_name> refers to the compname of a configured CIFS server on the Data Mover and the <domain_name> refers to a domain name for the CIFS server.

Example:
To display the GPO settings for all CIFS servers on all Data Movers, type:

$ server_security ALL -info -policy gpo

Output

server_2:
Server compname: k10eqa19s2
Server NetBIOS: K10EQA19S2
Domain: dvt_f.celerraqa.emc.com
Kerberos Max Clock Skew (minutes): 5
Digitally sign client communications (always): Not defined
Digitally sign client communications (if server agrees): Enabled
Digitally sign server communications (always): Not defined
Digitally sign server communications (if client agrees): Enabled
Audit account logon events: Success
Audit account logon events server list: k10eqa19s2
Audit account management: No auditing
Audit account management server list: k10eqa19s2
Audit directory service access: Failure
Audit directory service access server list: k10eqa19s2
Audit logon events: Success, Failure
Audit logon events server list: k10eqa19s2
Audit object access: Success
Audit object access server list: k10eqa19s2,k10eqa19s3
Audit policy change: Success
Audit policy change server list: k10eqa19s3
Audit privilege use: Not defined
Audit process tracking: No auditing
Audit process tracking server list: k10eqa19s3
Audit system events: Success, Failure
Audit system events server list: k10eqa19s2,k10eqa19s3
Back up files and directories: *S ,*S ,*S ,*S ,*S ,*S ,*S ,*S-1-5-4,*S ,*S ,*S-1-5-9,*S-1-5-1,*S-1-3-0,*S-1-3-1,*S-1-5-3,*S ,*S ,*S
Restore files and directories: *S
Bypass traverse checking: Not defined
Generate security audits: *S ,*S
Manage auditing and security log: *S ,*S
Access this computer from the network: *S
Deny access this computer from the network: Not defined
Take ownership of files or other objects:
EMC Virus Checking: *S
Maximum security log size (Kilobytes): 576
Maximum security log size server list: k10eqa19s2
Restrict guest access to security log: Enabled
Restrict guest access to security log server list: k10eqa19s2
Retention period for security log: Not defined
Retention method for security log: Overwrite events as needed
Retention Method for security log server list: k10eqa19s2
Maximum system log size (Kilobytes): 1024
Maximum system log size server list: k10eqa19s2
Restrict guest access to system log: Enabled
Restrict guest access to system log server list: k10eqa19s2
Retention period for system log: Not defined
Retention method for system log: Do not overwrite events
Retention Method for system log server list: k10eqa19s2,k10eqa19s3
Maximum application log size (Kilobytes):
Maximum application log size server list: k10eqa19s3
Restrict guest access to application log: Disabled
Restrict guest access to application log server list: k10eqa19s2
Retention period for application log (Days): 7
Retention period for application log server list: k10eqa19s2
Retention method for application log: Overwrite events by days
Retention Method for application log server list: k10eqa19s2
Disable background refresh of Group Policy: Not defined
Group Policy Refresh interval (minutes): 60
Refresh interval offset (minutes): 5
GPO Last Update time (local): Wed Sep 10 14:47:42 EDT 2003
GPO Next Update time (local): Wed Sep 10 15:50:42 EDT
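The "server list" lines in the output above name the CIFS servers behind each effective setting, which is the result of the Table 7 resolution rules. The following Python model of those rules is an added example, not EMC code: the server names and values are constructed, the audit labels follow the server_security output, and treating "Not defined" as not contributing is an assumption.

```python
"""Model of the Table 7 conflict-resolution rules (added example, not EMC code)."""

NOT_DEFINED = "Not defined"

# Audit values as printed by server_security, modelled as flag sets so that
# "combining" the settings of several CIFS servers is a set union.
AUDIT_FLAGS = {
    "No auditing": frozenset(),
    "Success": frozenset({"Success"}),
    "Failure": frozenset({"Failure"}),
    "Success, Failure": frozenset({"Success", "Failure"}),
}
AUDIT_NAMES = {flags: name for name, flags in AUDIT_FLAGS.items()}

# Least to most secure, in the order Table 7 gives.
GUEST_ORDER = ["Disabled", "Enabled"]
RETENTION_ORDER = ["days", "as needed", "never"]


def _defined(values):
    """Drop servers that leave the setting undefined (assumption, see lead-in)."""
    return [v for v in values if v != NOT_DEFINED]


def resolve_audit(values):
    """'Most audits': the union of what every server asks to audit."""
    defined = _defined(values)
    if not defined:
        return NOT_DEFINED
    combined = frozenset().union(*(AUDIT_FLAGS[v] for v in defined))
    return AUDIT_NAMES[combined]


def resolve_largest(values):
    """'Largest size' and 'Largest number of days'."""
    defined = _defined(values)
    return max(defined) if defined else NOT_DEFINED


def resolve_most_secure(order):
    """Build a resolver that picks the value ranked last in `order`."""
    def resolver(values):
        defined = _defined(values)
        return max(defined, key=order.index) if defined else NOT_DEFINED
    return resolver


def rule_for(setting):
    """Map a Table 7 setting name to its resolution rule."""
    if setting.startswith("Audit "):
        return resolve_audit
    if setting.startswith("Maximum ") and setting.endswith("log size"):
        return resolve_largest
    if setting.startswith("Retain "):
        return resolve_largest
    if setting.startswith("Restrict guest access"):
        return resolve_most_secure(GUEST_ORDER)
    if setting.startswith("Retention method"):
        return resolve_most_secure(RETENTION_ORDER)
    raise KeyError(f"no Table 7 rule for {setting!r}")


def effective_settings(servers):
    """servers: list of (compname, {setting: value}) in domain-join order."""
    names = []
    for _, settings in servers:
        for name in settings:
            if name not in names:
                names.append(name)
    return {
        name: rule_for(name)([s.get(name, NOT_DEFINED) for _, s in servers])
        for name in names
    }


# Constructed sample: two CIFS servers on one Data Mover, in join order.
SERVERS = [
    ("cifs_a", {
        "Audit account logon events": "Success",
        "Maximum application log size": 512,
        "Restrict guest access to application log": "Disabled",
        "Retain application log": 7,
        "Retention method for application log": "days",
    }),
    ("cifs_b", {
        "Audit account logon events": "Failure",
        "Maximum application log size": 1024,
        "Restrict guest access to application log": "Enabled",
        "Retain application log": NOT_DEFINED,
        "Retention method for application log": "as needed",
    }),
]

if __name__ == "__main__":
    for name, value in effective_settings(SERVERS).items():
        print(f"{name}: {value}")
```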

When a User Rights setting, such as Take ownership of files or other objects:, is empty, it is set but no one is assigned to take ownership of the files or objects.

Note: If a Data Mover does not have any CIFS servers joined to a Windows domain, the server_security -info -policy gpo command returns the following error message:

gpod isn't running

Additional examples

Example 1

To display the GPO settings for all CIFS servers on the Data Mover server_2, type:

$ server_security server_2 -info -policy gpo

server_2:
Server compname: l10efa19s2
Domain: securitytest.xxx.com
Kerberos Max Clock Skew (minutes): 5
Digitally sign client communications (always): Not defined
Digitally sign client communications (if server agrees): Enabled
...
Refresh interval offset (minutes): 5
GPO Last Update time (local): Wed Sep 22 14:47:42 EDT 2003
GPO Next Update time (local): Wed Sep 22 15:50:42 EDT

Server compname: 110efa19s3
Domain: ex.xxx.com
Kerberos Max Clock Skew (minutes): 5
Digitally sign client communications (always): Not defined
Digitally sign client communications (if server agrees): Enabled
...
Refresh interval offset (minutes): 5
GPO Last Update time (local): Wed Sep 22 14:47:42 EDT 2003
GPO Next Update time (local): Wed Sep 22 15:50:42 EDT 2003

Example 2

To display the GPO settings for all Data Movers in the xptest.xxx.com domain, type:

$ server_security ALL -info -policy gpo domain=xptest.xxx.com

server_2:
Server compname: k10eqa19s2
Domain: xptest.xxx.com
Kerberos Max Clock Skew (minutes): 5
Digitally sign client communications (always): Not defined
Digitally sign client communications (if server agrees): Enabled
...
Refresh interval offset (minutes): 5
GPO Last Update time (local): Wed Sep 25 14:47:42 EDT 2003
GPO Next Update time (local): Wed Sep 25 15:50:42 EDT

Server compname: k10eqa19s3
Domain: xptest.xxx.com
Kerberos Max Clock Skew (minutes): 5
Digitally sign client communications (always): Not defined
Digitally sign client communications (if server agrees): Enabled
Refresh interval offset (minutes): 5
GPO Last Update time (local): Wed Sep 25 14:47:42 EDT 2003
GPO Next Update time (local): Wed Sep 25 15:50:42 EDT 2003

Example 3

To display the GPO settings for the CIFS server cifs_test123 on Data Mover server_2, type:

$ server_security server_2 -info -policy gpo server=cifs_test123

server_2:
Server: cifs_test123
Server compname: k10eqa19s2
Server NetBIOS: K10EQA19S2
Domain: xptest.xxx.com
Kerberos Max Clock Skew (minutes): 5
Digitally sign client communications (always): Not defined
Digitally sign client communications (if server agrees): Enabled
Digitally sign server communications (always): Not defined
...
Refresh interval offset (minutes): 5
GPO Last Update time (local): Wed Sep 25 14:47:42 EDT 2003
GPO Next Update time (local): Wed Sep 25 15:50:42 EDT 2003

Updating GPO settings

While the CIFS service is running or after restarting the CIFS service, the Data Mover updates its GPO settings based on one of the following refresh intervals:

- If defined in the domain, the refresh interval can be set from zero (updates every 10 seconds) up to minutes (updates every 45 days).
- If not defined in the domain, the Data Mover uses its default refresh value of 90 minutes.

Disabling automatic GPO updates

A GPO setting called Disable background refresh of Group Policy disables any automatic GPO updates. If this policy is enabled, you must update the GPO policy manually. When this policy is set, the following appears in the GPO output:

Disable background refresh of Group Policy: Enabled
Group Policy Refresh interval (minutes): 90
Refresh interval offset (minutes): Not defined
GPO Last Update time (local): Wed Sep 10 14:47:42 EDT 2003
GPO Background Update disabled, must be updated manually
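The output of server_security -info -policy gpo lends itself to a scripted review of each CIFS server's effective settings. The following Python script is an added example, not part of the Celerra tooling: the sample text and server names are constructed, the one-pair-per-line layout is an assumption based on the examples above, and the baseline is a hypothetical site policy.

```python
"""Review `server_security -info -policy gpo` output (added example)."""

# Constructed sample. Assumes one "Name: value" pair per line, a bare
# "server_N:" line per Data Mover, and "Server compname" opening each
# CIFS server block, as in the examples in this document.
SAMPLE = """\
server_2:
Server compname: cifs_a
Domain: example.test
Digitally sign server communications (always): Not defined
Digitally sign server communications (if client agrees): Enabled
Audit logon events: Success
Restrict guest access to security log: Enabled
Take ownership of files or other objects:
Disable background refresh of Group Policy: Enabled
GPO Background Update disabled, must be updated manually
Server compname: cifs_b
Domain: example.test
Digitally sign server communications (always): Enabled
Audit logon events: Success, Failure
Restrict guest access to security log: Disabled
Disable background refresh of Group Policy: Not defined
"""

# Hypothetical site baseline: setting name -> test the value must pass.
BASELINE = {
    "Digitally sign server communications (always)": lambda v: v == "Enabled",
    "Audit logon events": lambda v: "Failure" in v,
    "Restrict guest access to security log": lambda v: v == "Enabled",
}


def parse_gpo_output(text):
    """Return one dict per CIFS server: mover, compname, settings, notes."""
    servers, mover, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if sep and not value and name.startswith("server_"):
            mover, current = name, None          # Data Mover header
        elif sep and name == "Server compname":
            current = {"mover": mover, "compname": value,
                       "settings": {}, "notes": []}
            servers.append(current)
        elif current is not None and sep:
            current["settings"][name] = value    # may be "" (set, no one assigned)
        elif current is not None:
            current["notes"].append(line)        # free-text status line
    return servers


def review(servers):
    """Return (compname, finding) tuples for every deviation found."""
    findings = []
    for srv in servers:
        who = srv["compname"]
        for setting, passes in BASELINE.items():
            value = srv["settings"].get(setting, "Not defined")
            if not passes(value):
                findings.append((who, f"{setting} is {value!r}"))
        for name, value in srv["settings"].items():
            if value == "":
                findings.append((who, f"{name}: set, but no one is assigned"))
        if any("Background Update disabled" in n for n in srv["notes"]):
            findings.append((who, "background refresh is disabled; "
                                  "GPO settings must be updated manually"))
    return findings


if __name__ == "__main__":
    for who, finding in review(parse_gpo_output(SAMPLE)):
        print(f"{who}: {finding}")
```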

Manually updating GPO settings

If you change group policies through MMC or the Server Manager, you can manually update the GPO settings on the Celerra Network Server, as shown in this example.

Action

To force an update of GPO settings for the specified Data Mover, use this command syntax:

    $ server_security <movername> ALL -update -policy gpo [server=<server_name> domain=<domain_name>]

Where:

- <movername> = name of the specified Data Mover.
- ALL = all Data Movers.
- server=<server_name> domain=<domain_name> (Optional). Limit the query to the specified CIFS server or domain. The <server_name> refers to the name of a configured CIFS server on the Data Mover, and the <domain_name> refers to a domain name for the CIFS server.

Examples:

To update the GPO settings for all CIFS servers on all Data Movers on the Celerra Network Server, type:

    $ server_security ALL -update -policy gpo

To update the GPO settings for all CIFS servers in domain NASDOCS, type:

    $ server_security ALL -update -policy gpo domain=nasdocs

Output

    server_2: done

Disabling GPO support

GPO support is enabled per Data Mover and is enabled by default. You can disable GPO support by modifying the system parameters explained in this section. By disabling GPO support, the Celerra Network Server cannot access the Windows domain controller, and the related Celerra functions automatically use their own default settings.

Table 8 shows the cifs gpo parameter and its values.

Table 8 cifs gpo parameter

| Facility | Parameter | Value | Comment/Description |
|---|---|---|---|
| cifs | gpo | 0 or 1 (default) | Enables or disables group policy object (GPO) support. 0 disables GPO support. 1 enables GPO support. |

Use this procedure to disable GPO support.

Action

To disable GPO support, use this command syntax:

    $ server_param <movername> -facility <facility_name> -modify <param_name> -value <new_value>

Where:

- <movername> = name of the specified Data Mover
- <facility_name> = name of the facility to which the parameter belongs
- <param_name> = name of the parameter
- <new_value> = value you want to set for the specified parameter

Example:

To disable GPO support on server_2, type:

    $ server_param server_2 -facility cifs -modify gpo -value 0

Note: Parameter and facility names are case-sensitive.

Output

    server_2 : done

Disabling GPO caching

The Data Mover caches the GPO settings retrieved from the Windows domain controller. The GPO cache allows a Data Mover to quickly retrieve GPO settings even when the domain controller is inaccessible. You can disable GPO caching if you do not want the Data Mover to use cached settings. If GPO caching is disabled, the Data Mover must retrieve the settings from the Windows domain controller.

Note: If you disabled GPO caching and the Celerra Network Server cannot access the Windows domain controller, the related Celerra functions use their own default settings. For example, the default value for Maximum Tolerance for Computer Clock Synchronization is 5 minutes.

Table 9 shows the cifs gpocache parameter and its values.

Table 9 cifs gpocache parameter

| Facility | Parameter | Value | Comment/Description |
|---|---|---|---|
| cifs | gpocache | 0 or 1 (default) | Enables or disables GPO caching. 0 disables GPO caching. 1 enables GPO caching. |

Use this procedure to disable GPO caching.

Action

To disable GPO caching, use this command syntax:

    $ server_param <movername> -facility <facility_name> -modify <param_name> -value <new_value>

Where:

- <movername> = name of the specified Data Mover
- <facility_name> = name of the facility to which the parameter belongs
- <param_name> = name of the parameter
- <new_value> = value you want to set for the specified parameter

Example:

To disable GPO caching on server_2, type:

    $ server_param server_2 -facility cifs -modify gpocache -value 0

Note: Parameter and facility names are case-sensitive.

Output

    server_2 : done

Alternate data stream support

With the release of Windows NT, Microsoft introduced the Windows NT File System (NTFS) and the concept of alternate data streams (ADS). This feature is also known as multiple data streams (MDS). Data streams are independent resources that store a file's data and also store information about the file. Unlike the FAT file system, in which a file consists of only one data stream, NTFS uses different data streams to store the file and the file's metadata (such as file access rights, encryption, date and time information, and graphic information).

Microsoft originally created ADS so that a server using NTFS could act as a file server for Macintosh clients. Macintosh's Hierarchical File System (HFS) uses two basic elements to represent files, as shown in Table 10.

Table 10 HFS elements

| Element | Purpose |
|---|---|
| Data fork | Stores data for a file |
| Resource fork | Stores information about a file |

NTFS files contain one primary data stream and, optionally, one or more alternate data streams. The primary data stream acts as the data fork and the alternate data streams act as the resource forks.

For files, you can view and usually set this additional information from the Summary tab in the file's Properties dialog box.

Figure 3 Properties dialog box - Summary tab

ADS support on the Celerra Network Server

The Celerra Network Server supports ADS for both files and directories. The following provides additional information about ADS support on the Celerra Network Server:

- Directory streams are supported on mount points. If a file system is mounted on a mount point, only the directory streams of the mounted file system's root directory are visible. If no file system is mounted, the streams of the mount point are visible.
- There is a limit of 64,000 streams per file or directory. This is several times the limit seen experimentally on Windows NTFS.

Disabling ADS support

ADS support is controlled by the shadow stream system parameter and is enabled by default. Although there are rare cases when you may want to disable ADS support, EMC generally recommends that you leave ADS support enabled. Use this procedure to disable ADS support on the Celerra Network Server. Table 11 provides a description of the parameter.

Table 11 shows the shadow stream parameter and its values.

Table 11 shadow stream parameter

| Facility | Parameter | Value | Comment/Description |
|---|---|---|---|
| shadow | stream | 0 or 1 (default) | 0 disables alternate data stream support. 1 (default) enables data stream support. This parameter is relevant in a Windows environment only. |

Use this procedure to disable ADS support.

Action

To disable ADS support, use this command syntax:

    $ server_param <movername> -facility <facility_name> -modify <param_name> -value <new_value>

Where:

- <movername> = name of the specified Data Mover
- <facility_name> = name of the facility to which the parameter belongs
- <param_name> = name of the parameter
- <new_value> = value you want to set for the specified parameter

Example:

To disable ADS support on server_2, type:

    $ server_param server_2 -facility shadow -modify stream -value 0

Output

    server_2 : done

Using SMB signing

SMB (Server Message Block) signing is a mechanism used to ensure that a packet has not been intercepted, changed, or replayed. It guarantees that the data sent is the same as what the sender initiated and that the sequence has not been modified. Signing adds an 8-byte signature to every SMB packet. The client and server use this signature to verify the integrity of the packet.

For SMB signing to work, both the client and the server in a transaction must have SMB signing enabled. By default, Windows Server 2003 domain controllers require that clients use SMB signing. SMB signing is enabled by default on all CIFS servers created on the Data Movers.

Note: SMB signing is an option in Windows NT (SP 4 or greater) and Windows 2000 and Windows Server 2003 domains.

Data Movers use both client-side and server-side SMB signing depending on the situation. The following are some examples of when a Data Mover uses each type of signing:

- Data Mover acts as a server:
  - When a client maps a share
  - With CDMS
- Data Mover acts as a client:
  - When retrieving GPO settings
  - With CDMS

SMB signing resolution

In Windows domains, you can independently configure server-side and client-side SMB signing settings. There are three possible settings for both server-side and client-side signing:

- Disabled: the client or server does not support any SMB signing.
- Enabled: the client or server supports SMB signing but does not require it for transactions.
- Required: the client or server requires that SMB signing is used in all transactions.

Figure 4 on page 67 provides a matrix that shows how the three signing settings on the server side and client side interact to determine the outcome of a transaction.

| Client \ Server | Disabled | Enabled | Required |
|---|---|---|---|
| Disabled | No signing | No signing | Connection failure |
| Enabled | No signing | Signing in use | Signing in use |
| Required | Connection failure | Signing in use | Signing in use |

Figure 4 Resolution matrix for SMB signing

Configuring SMB signing

SMB signing is enabled by default on both the Celerra Network Server and in Windows Server 2003 domains. If you do not want SMB signing enabled, you can use the methods listed in Table 12 to configure SMB signing.

Table 12 SMB signing configuration methods

| Configuration method | Where configured | What it affects | Notes | Instructions |
|---|---|---|---|---|
| smbsigning parameter on the Celerra Network Server | Individual Data Movers or the Celerra Network Server | Individual Data Movers or the Celerra Network Server | No independent server-side or client-side control. Overrides GPO settings. | "Configuring SMB signing with the smbsigning parameter" on page 68 |
| Default Domain Security Settings (GPO) | Active Directory | All machines in the domain | Independent server-side or client-side control. Overrides Registry settings. | "Configuring SMB signing with GPOs" on page 69 |
| Registry settings | Individual Windows workstations and servers | Individual Windows workstations and servers | Used in environments with no GPO support | "Configuring SMB signing with the Windows Registry" on page |

Configuring SMB signing with the smbsigning parameter

The cifs smbsigning parameter controls SMB signing on the Data Mover and affects all CIFS servers on the Data Mover. This parameter controls both client-side and server-side signing and overrides any SMB signing GPOs set for the domain. Table 13 shows the cifs smbsigning parameter and its values.

Table 13 smbsigning parameter

| Facility | Parameter | Value | Comment/Description |
|---|---|---|---|
| cifs | smbsigning | 0 or 1 (default) | Enables or disables both client-side and server-side SMB signing on the Data Mover. 0 disables SMB signing. 1 enables SMB signing. |

Disabling SMB signing on a Data Mover

Use this command to disable SMB signing on all CIFS servers on a Data Mover.

Action

To disable SMB signing, use this command syntax:

    $ server_param <movername> -facility <facility_name> -modify <param_name> -value <new_value>

Where:

- <movername> = name of the specified Data Mover
- <facility_name> = name of the facility to which the parameter belongs
- <param_name> = name of the parameter
- <new_value> = value you want to set for the specified parameter

Example:

To disable SMB signing support on server_2, type:

    $ server_param server_2 -facility cifs -modify smbsigning -value 0

Result

    server_2: done

Configuring SMB signing with GPOs

If you want independent control of server-side and client-side SMB signing, you can configure the GPOs shown in Table 14 on page 69. These GPOs are found under the Default Domain Security Settings (Figure 5) and can be configured from any domain controller. The four relevant GPOs are highlighted in Figure 5.

Figure 5 SMB signing GPOs in default domain security settings

Note: Configuring SMB signing through GPOs affects all clients and servers within the domain and overrides individual Registry settings.

Table 14 SMB signing GPOs

| GPO name | What it controls | Default setting for Data Mover |
|---|---|---|
| Microsoft network server: Digitally sign communications (always) | Whether the server-side SMB component requires signing | Disabled |
| Microsoft network server: Digitally sign communications (if client agrees) | Whether the server-side SMB component has signing enabled | Disabled |
| Microsoft network client: Digitally sign communications (always) | Whether the client-side SMB component requires signing | Disabled |

Table 14 SMB signing GPOs (continued)

| GPO name | What it controls | Default setting for Data Mover |
|---|---|---|
| Microsoft network client: Digitally sign communications (if server agrees) | Whether the client-side SMB component has signing enabled | Enabled |

Configuring SMB signing with the Windows Registry

You can also configure SMB signing through the Windows Registry. If there is no GPO service available, such as in a Windows NT environment, the Registry settings are used. Registry settings only affect the individual server or client that you configure. There are four Registry settings, two for server-side and two for client-side signing, and they function the same as the SMB signing GPOs.

Note: The following Registry settings pertain to Windows NT with SP 4 or later. These Registry entries exist in Windows 2000 and Windows Server 2003, but should be set through GPOs.

Server-side signing

The server-side settings are located in:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters\

Table 15 shows the server-side SMB signing Registry entries.

Table 15 Server-Side SMB signing Registry entries

| Registry entry | Values | Purpose |
|---|---|---|
| enablesecuritysignature | 0 disabled (default), 1 enabled | Determines if SMB signing is enabled |
| requiresecuritysignature | 0 disabled (default), 1 enabled | Determines if SMB signing is required |

Client-side signing

The client-side settings are located in:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanworkstation\parameters\

Table 16 shows the client-side SMB signing Registry entries.

Table 16 Client-side SMB signing registry entries

| Registry entry | Values | Purpose |
|---|---|---|
| enablesecuritysignature | 0 disabled, 1 enabled (default) | Determines if SMB signing is enabled |
| requiresecuritysignature | 0 disabled (default), 1 enabled | Determines if SMB signing is required |
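The resolution matrix, the Table 14 defaults and the enable/require pairs described above can be combined into a small audit, shown here as an added example (not EMC code). The function names and the peers `dc01` and `nt-ws` are hypothetical and constructed; the code assumes that a side which requires signing also supports it, and that with `smbsigning` set to 1 the GPO values (or the Table 14 defaults) apply.

```python
from enum import Enum


class Signing(Enum):
    DISABLED = "Disabled"
    ENABLED = "Enabled"
    REQUIRED = "Required"


# Data Mover defaults from Table 14, used when a GPO is "Not defined".
DM_DEFAULTS = {
    "server": {"enable": 0, "require": 0},  # both server-side GPOs: Disabled
    "client": {"enable": 1, "require": 0},  # "if server agrees": Enabled
}


def setting_from_flags(enable, require):
    """Collapse one side's enable/require pair (the two GPOs or the two
    Registry entries) into Disabled, Enabled or Required."""
    if require:
        # Assumption: a side that requires signing also supports it.
        return Signing.REQUIRED
    return Signing.ENABLED if enable else Signing.DISABLED


def resolve(client, server):
    """Outcome of one transaction per the resolution matrix (Figure 4)."""
    pair = {client, server}
    if Signing.DISABLED in pair:
        if Signing.REQUIRED in pair:
            return "Connection failure"
        return "No signing"
    return "Signing in use"


def side_setting(gpo, side):
    """Setting for one side of the Data Mover: the GPO value if defined,
    otherwise the Table 14 default. None models "Not defined"."""
    flags = dict(DM_DEFAULTS[side])
    for key, value in (gpo.get(side) or {}).items():
        if value is not None:
            flags[key] = value
    return setting_from_flags(flags["enable"], flags["require"])


def data_mover_sides(smbsigning, gpo):
    """Effective client-side and server-side settings of a Data Mover."""
    if smbsigning == 0:
        # cifs smbsigning=0 disables both sides and overrides the GPOs.
        return {"client": Signing.DISABLED, "server": Signing.DISABLED}
    # Assumption: with smbsigning=1 the GPO values (or defaults) apply.
    return {side: side_setting(gpo, side) for side in ("client", "server")}


def audit(dm, peers):
    """Resolve the Data Mover against each peer.
    peers: (name, role the peer plays, peer's setting for that role)."""
    results = []
    for name, peer_role, peer_setting in peers:
        if peer_role == "server":
            # Data Mover is the client, e.g. when retrieving GPO settings.
            outcome = resolve(dm["client"], peer_setting)
        else:
            # Data Mover is the server, e.g. when a client maps a share.
            outcome = resolve(peer_setting, dm["server"])
        results.append((name, outcome))
    return results


# Constructed peers: a domain controller that requires signing, and a
# Windows NT client with the Table 16 Registry defaults (enable=1, require=0).
PEERS = [
    ("dc01", "server", Signing.REQUIRED),
    ("nt-ws", "client", setting_from_flags(1, 0)),
]

if __name__ == "__main__":
    scenarios = [
        ("smbsigning=0", data_mover_sides(0, {})),
        ("smbsigning=1, GPOs not defined", data_mover_sides(1, {})),
        ("smbsigning=1, server-side GPO enabled",
         data_mover_sides(1, {"server": {"enable": 1, "require": None}})),
    ]
    for label, dm in scenarios:
        for name, outcome in audit(dm, PEERS):
            print(f"{label:40} {name:6} {outcome}")
```

Under these assumptions, setting `smbsigning` to 0 makes the Data Mover's GPO retrieval from a signing-required domain controller resolve to a connection failure, and share traffic stays unsigned until the server-side GPO is enabled.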

Automatic computer password change

A system administrator can activate computer password changes by doing one of the following:

- Setting a GPO to a password change interval. The Data Mover retrieves this policy and applies it to all CIFS servers within the domain.
- Setting the cifs srvpwd.updtminutes parameter, which is overridden by the GPO policy.
- Changing the password change interval for a particular CIFS server using the srvpwd interface, which is overridden by any GPO policy.

The system parameter cifs srvpwd.updtminutes lets you configure the time interval at which the Data Mover changes passwords with the domain controller. Table 17 provides a description of the parameter.

Table 17 cifs srvpwd.updtminutes parameter

| Facility | Parameter | Value | Comment/Description |
|---|---|---|---|
| cifs | srvpwd.updtminutes | 0 (default) disable or <minutes> | Defines the time interval between two server password changes in minutes. This time is UTC (coordinated universal time). 0 disables the password change time interval. <minutes> sets the time interval between password changes in minutes. This value cannot be less than 1440 minutes (one day). The Microsoft default is seven days minus one hour. |

Changing the time interval for password changes

Use this procedure to change the time interval for password changes.

Action

To change the password change time interval, use this command syntax:

    $ server_param <movername> -facility <facility_name> -modify <param_name> -value <new_value>

Where:

- <movername> = name of the specified Data Mover
- <facility_name> = name of the facility to which the parameter belongs
- <param_name> = name of the parameter
- <new_value> = value you want to set for the specified parameter

Example:

To set the password interval to one day (1440 minutes), type:

    $ server_param server_2 -facility cifs -modify srvpwd.updtminutes -value 1440

Result

    server_2: done

Creating a file system as a security log

You can access the Windows security log for a Data Mover in one of two ways:

- Using the Microsoft Event Viewer, or
- Accessing the security log file directly using an application that can read the Microsoft event log format.

By default, each Data Mover stores its Windows security log at c:\security.evt, which has a size limit of 512 KB. You can directly access this security log through the C$ share of each Data Mover, as shown next:

    \\<netbiosnameofdatamover>\c$\security.evt

On a Windows server, the default location is c:\winnt\system32\config\security.evt. If an application tries to access the Windows security log of a Data Mover at that location, it fails. However, you can change the location and the size limit of the Data Mover's Windows security log by following these steps:

1. Create a file system to store the security log in its new location.
2. Mount the file system on the Data Mover on a mount point called /WINNT and share it.
3. From a CIFS client, connect to the new WINNT share on the Data Mover and create the following under the WINNT directory:

       System32\config

   This enables you to access the following path:

       \\<netbiosnameofdatamover>\c$\winnt\system32\config

4. As the domain administrator, perform the following steps using the Windows Registry Editor:

   WARNING: Incorrectly modifying the Registry may cause serious system-wide problems that require you to reinstall your system. Use this tool at your own risk.

   a. Run the Registry Editor (regedt32.exe).
   b. From the Registry menu, select the Select Computer option, and select the Data Mover NetBIOS name.
   c. From the Window menu, select the Hkey Local Machine on Local Machine subtree, and go to the following key:

          System\CurrentControlSet\Services\Eventlog\Security

   d. Select the following string:

          [File: REG_EXPAND_SZ:c:\security.evt]

   e. From the Edit menu, select String.

   f. Edit the string with the following information:

          c:\winnt\system32\config\security.evt

   g. Click OK and quit the Registry Editor.

All Windows security events on the Data Mover are now logged to the new security event log location.

Managing Windows domains

Celerra CIFS servers act as member servers in Windows domains and provide data storage for domain users. Data stored on the Celerra CIFS file systems contains security metadata (DACLs, SACLs and ownership) associated with the domain SIDs (security IDs) from which the CIFS accounts are derived.

Domain migration support

Due to Microsoft's end-of-life policy, you may need to perform domain migration from one version of the domain to another. During and after a Windows domain migration process, any data generated by user accounts in the source domain must be accessible by user accounts in the target domain.

Note: Domain migration is a complex task that is not covered in this document. Microsoft documentation provides detailed information on domain migration.

To meet the requirements of data availability during and after domain migration, the Celerra Network Server provides two server_cifs command options, -Migrate and -Replace. These options update the security IDs generated for resources created by CIFS users in one Windows domain (source) to another Windows domain (target):

- server_cifs -Migrate: Updates all SIDs from a source domain to the SIDs of a target domain by matching the user and group account names in the source domain to the user and group account names in the target domain. The interface that you specify in this option queries the local server and then its corresponding source and target domain controllers to look up each object's SID.
- server_cifs -Replace: Updates all the SIDs of a file system with the corresponding target domain SIDs. The interface that you specify in this option queries the local server and then its corresponding target domain controller to look up each object's SID and history SID.

The Celerra Network Server Command Reference Manual provides a detailed description of the server_cifs command.

Table 18 shows the options you can use with the different domains during and after the Windows domain migration process.

Table 18 Security support options for Windows domain migration

Source domain Target domain Windows NT: Windows 2000 Windows Server 2003: Windows NT: Windows 2000/Windows Server 2003: Migrate option Migrate option Migrate and Replace options Migrate and Replace options

Operational considerations

Review the following before using the server_cifs -Migrate and -Replace command options:

- A trust relationship must be established between the source and target domains. This is a Microsoft requirement for domain migration.
- User and group accounts must match on the source and target domains.
- The migrate option does not require running any type of domain migration tool beforehand.
- The replace option requires that you first perform account migration using a domain migration tool.
- For the migrate option only: Both the source and target domain controllers must exist.
- As long as a trust relationship was established between the source and target domain, you can specify the same interface or NetBIOS name in the server_cifs command. To use different interfaces or NetBIOS names, you must configure two separate CIFS servers on the Data Mover for the source and target domains.
- The replace option provides one quota per user or group.
- After running a local group update, stop and start the CIFS service on the Data Mover to ensure all changes are made to the target domain. "Stopping the CIFS service" on page 43 and "Starting the CIFS service" on page 43 provide more information.

Troubleshooting

You can query the EMC WebSupport database for problem information, obtain release notes, or report a Celerra technical problem to EMC on Powerlink, the EMC secure extranet site. The Celerra Problem Resolution Roadmap technical module contains additional information about using Powerlink and resolving problems.

server_log error message construct

The format of the event code can help you narrow the scope of where to look for a message. There are several components in the beginning of each line that are fairly consistent across the entire scope of event logging. For example, the typical event message looks like:

    :27:21: NFS: 3: commit failed, status = NoPermission
    :27:23: CFS: 3: Failed to open file, status NoPermission
    :27:23: LIB: 6: last message repeated 1 times

The Celerra Network Server Command Reference Manual provides detailed information on server_log.

This logging mechanism uses the logging facilities typical with many systems. The first part is the date and time of the logged event. The second part is the subsystem of the Celerra code that reported the event (for example, NFS, CFS, and LIB). The third part is a classification code, which is typical of event logging facilities. You can find information on classification codes on most UNIX systems under the header file syslog.h in the directory /usr/include/sys. The classification codes that the Celerra Network Server supports are defined as follows:

    #define LOG_EMERG   0 /* system is unusable */
    #define LOG_ALERT   1 /* action must be taken immediately */
    #define LOG_CRIT    2 /* critical conditions */
    #define LOG_ERR     3 /* error conditions */
    #define LOG_WARNING 4 /* warning conditions */
    #define LOG_NOTICE  5 /* normal but significant condition */
    #define LOG_INFO    6 /* informational */
    #define LOG_DEBUG   7 /* debug-level messages */

The fourth part describes the error condition. The error conditions on the first two lines of the example are self-explanatory.
The operations being performed are commit and open with the error condition, NoPermission. Other events are not as descriptive.

Kerberos error codes

Kerberos error codes are statuses generally displayed by the SMB subsystem. You can recognize these in the logged events by the appearance of a large negative number.

Example:

    :29:35: SMB: 3: SSXAK=c origin=401 stat=e0000,

Since Kerberos is standardized, there are public resources for looking up the meanings of a majority of these status codes. One resource on the Web is / which provides a good listing of the Kerberos error codes and their definitions.

NT status codes

The NT status codes are reported for CIFS or Microsoft Windows emulation functions on the Celerra product. The NT status codes are 32-bit unsigned integers that are broken up into subgroups of binary data that identify the particulars of an event status. The 32-bit values are laid out as follows:

    Sev  C  R  Facility  Code

Where:

- Sev is the severity code:
  - 00 - Success
  - 01 - Informational
  - 10 - Warning
  - 11 - Error
- C is the customer code flag
- R is a reserved bit
- Facility is the facility code
- Code is the facility's status code

Typically, the NT status codes appear in the server_log with a subsystem specification of SMB. The NT status code is presented in several ways in logged system events. Some popular ones are:

- A hexadecimal number prefixed by Em=0x:

      SMB: 4: authlogon=samlogoninvalidreply Es=0x0 Em=0xc

- A simple hexadecimal number with no prefix nor any indication of its format:

      SMB: 4: SSXAuth_SERVER_EXT13 at=3 mt=1 c

- A simple hexadecimal number with a prefix of reply= with no indication of the format:

      SMB: 4: lookupnames:bad reply=c

- A simple hexadecimal number with a prefix of failed= with no indication of the format:

      SMB: 4: SessSetupX failed=c

- A hexadecimal number clearly marked as NTStatus= but no indication of the format:

      SMB: 4: MsError sendlookupnames=21 NTStatus=c
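The following added example (not EMC code) parses server_log lines into the four parts described above and decodes any NT status code it finds in an SMB event. The timestamp format and the complete status values in the sample lines are constructed, since the values in the excerpts above are truncated. The 12-bit Facility and 16-bit Code widths and the three status names come from Microsoft's public NTSTATUS definition, not from this document.

```python
import re

LEVELS = ["LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
          "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"]
SEVERITY = {0: "Success", 1: "Informational", 2: "Warning", 3: "Error"}

# A few names from Microsoft's public NTSTATUS list (not a complete table).
KNOWN_STATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000005B: "STATUS_INVALID_PRIMARY_GROUP",
    0xC0000064: "STATUS_NO_SUCH_USER",
}

# <date and time>: <subsystem>: <classification code>: <message>
LINE_RE = re.compile(
    r"^(?P<ts>.*?):\s(?P<sub>[A-Z]+):\s(?P<lvl>[0-7]):\s(?P<msg>.*)$")

# Eight hex digits after Em=0x, reply=, failed= or NTStatus=, or standing alone.
STATUS_RE = re.compile(
    r"(?:(?P<key>Em|reply|failed|NTStatus)=(?:0x)?|(?<![\w=]))"
    r"(?P<hex>[0-9a-fA-F]{8})\b")


def decode_ntstatus(value):
    """Split a 32-bit NT status code into Sev, C, R, Facility and Code."""
    return {
        "value": f"0x{value:08X}",
        "severity": SEVERITY[(value >> 30) & 0x3],  # top two bits
        "customer": (value >> 29) & 0x1,            # C flag
        "reserved": (value >> 28) & 0x1,            # R bit
        "facility": (value >> 16) & 0xFFF,          # 12-bit facility code
        "code": value & 0xFFFF,                     # 16-bit status code
        "name": KNOWN_STATUS.get(value, "unknown"),
    }


def find_ntstatus(message):
    """Return the first NT status code found in a message, decoded."""
    for match in STATUS_RE.finditer(message):
        value = int(match.group("hex"), 16)
        # Heuristic (assumption): an unprefixed number counts only when
        # its severity bits say Error, to avoid matching unrelated hex.
        if match.group("key") is None and value >> 30 != 3:
            continue
        return decode_ntstatus(value)
    return None


def parse_line(line):
    """Split one server_log line into its four parts."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    message = match.group("msg")
    return {
        "time": match.group("ts"),
        "subsystem": match.group("sub"),
        "level": LEVELS[int(match.group("lvl"))],
        "message": message,
        "ntstatus": find_ntstatus(message),
    }


def status_counts(text):
    """Count NT status names seen in SMB events, for triage."""
    counts = {}
    for line in text.splitlines():
        event = parse_line(line)
        if event and event["subsystem"] == "SMB" and event["ntstatus"]:
            name = event["ntstatus"]["name"]
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample: message shapes from this section, with made-up
# timestamps and complete status values.
SAMPLE = """\
2006-03-01 10:27:21: NFS: 3: commit failed, status = NoPermission
2006-03-01 10:27:23: LIB: 6: last message repeated 1 times
2006-03-01 10:29:40: SMB: 4: SessSetupX failed=c0000064
2006-03-01 10:29:41: SMB: 4: MsError sendlookupnames=21 NTStatus=c000005b
2006-03-01 10:29:42: SMB: 4: SSXAuth_SERVER_EXT13 at=3 mt=1 c0000022
2006-03-01 10:29:43: SMB: 4: authlogon=samlogoninvalidreply Es=0x0 Em=0xc0000064
"""

if __name__ == "__main__":
    for name, count in sorted(status_counts(SAMPLE).items()):
        print(f"{count:3} {name}")
```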

Error messages

While using the system, various messages appear indicating successful command execution, or in some cases, a failure. Error messages appear when there is a fault in the command syntax or the system, while system messages are continually reported to the log file. Both types of messages reflect the performance of your system and can be used to monitor system efficiency and to troubleshoot problems.

Table 19 lists the CIFS error messages written to the server log when problems occur in the Celerra CIFS facility and the corrective actions to take. The Celerra Network Server Error Messages Guide provides additional information on all Celerra errors.

Table 19 CIFS server log error messages

Message text Full description Corrective action

\\domain\share Security Descriptor error: Unable to set SD: Error 1337: The security ID structure is invalid. An ERROR occurred on \\domain\share. Abort /umount received unable open file Access denied Bad parameter value, the min value allowed is 0 could not get SIDS for user %d status %d to report file, id, lookup_stat The local groups have not migrated properly. A file cannot be opened in CIFS; the client gets permission denied. CIFS activity and umount file system or freeze FS for checkpoint update. Attempt to access files or directories with ACLs denying access. The error message when attempting to incorrectly set the cifs.maxlockxpending parameter. Occurs when attempting to change the param value of cifs.maxlockxpending parameter. The translation user ID to SID failed for the specified UID. Quota report Contact EMC Customer Service. This message contains information on why a client is getting an unexpected Permission Denied. Set the Back up files and directories or Restore files and directories privileges on the system where the pathname is located. Set a value > 0. The range of allowed values is between 0 and #(CIFS threads/2). The Celerra Network Server Parameters Guide provides format and values.

Table 19 CIFS server log error messages (continued)

Message text Full description Corrective action

Error 4020 : server_x : failed to complete command server_log error message: DomainJoin::doDomjoin: Computer account compname already exists. Incorrect password or unknown username logon of user dvt_b\cdmsadmin failed: c LOG_LOCK,LOG_ERR, Bad parameter for cifs maxlockxpending migrate sd of \Perl\lib\perllocal.pod has unresolved ACLs, status: c000005b No domain controller found for the domain. OLE Object: PBrush The computer object already exists in the Active Directory and may be in use by either a Data Mover or another server. Also, the serviceprincipalname attribute is set not to accept existing accounts. The join procedure automatically creates a computer object in the Active Directory. The Windows NT user account may be missing from the PDC domain, or there is no corresponding UNIX account for the Windows NT user. C means STATUS_NO_SUCH_USER. The parameter value specified for cifs.maxlockxpending is not a numerical value. C000005B means STATUS_INVALID_PRIMARY_GROUP. In NT security mode, clients are unable to connect to the server, and the window to prompt for username and password does not appear on the client side. MMC requires Internet Explorer 6.0 in order to use its DOM (Document Object Model) XML parser. Verify the existing computer object is not used by another system. To join the CIFS server to an existing account, use the reuse option of the server_cifs -Join command. Add the Windows NT user to the PDC of the domain and map the user to a UNIX username and UID. Check for a CDMS admin user in the specified domain. Set a numerical value. The Celerra Network Server Parameters Guide provides more information. This error occurs when the primary group's SID is replaced by the primary group SID of the user that is used for migration: Generally, this occurs when the SID belongs to a group not supported on the Celerra Network Server.
The user should ignore the error. If the SID belongs to a nonexistent local group on the Celerra Network Server, the user may not have run the lgdup.exe utility before migration began. Check if PDC or BDC is up. Check if Data Mover can access a WINS server that knows about the PDC domain, or have the PDC/BDC in the same local subnet as the Data Mover. Upgrade the version of your Internet Explorer to

Table 19 CIFS server log error messages (continued)

Message text Full description Corrective action

Prealloc value must be integer and not greater than 6 RO Error from readdir key=256: : UFS: 3: create: this->i_nlink == 0 for ino 11 The Account is not authorized to login from this station The SAM database on the Windows NT server does not have a complete account for this workstation trust relationship. User tried to set an incorrect value for the parameter cifs.prealloc. An FS event occurred when trying to perform a lookup on the file system to retrieve the node for these names. The lookupcomponent fails with error 7 - "not found." In a Windows NT environment, Windows clients cannot connect to a server using clear text passwords. (For example, this might occur when the Celerra Network Server is in UNIX mode.) The SMB redirector handles unencrypted passwords differently than previous versions of Windows NT. The SMB redirector does not send an unencrypted password unless you add a Registry entry to enable unencrypted passwords. The server's NetBIOS name is not registered as a computer account on the PDC domain or a trust relationship is not established between the client and server domains. Correct the parameter value (between 0 and 6). The Celerra Network Server Parameters Guide provides values and format. Modify the Registry to enable unencrypted passwords. CAUTION: Incorrectly modifying the Registry may cause serious systemwide problems that may cause you to reinstall your system. Run Registry Editor (Regedt32.exe). From the HKEY_LOCAL_MACHINE subtree, go to the following key: System\CurrentControlSet\Services\rdr\parameters Under this key, create a new DWORD registry key named EnablePlainTextPassword, set its value to 1, and then restart your computer. Select Add Value on the Edit menu. Add the following: Value Name: EnablePlainTextPassword Data Type: REG_DWORD Data: 1 Click OK and quit Registry Editor. Shut down and restart Windows NT.
This Procedure was adapted from Article ID: Q of the Microsoft Knowledge Base. If the computer account does exist, remove it and add it again before retrying the command. To set up a trust relationship between domains, refer to Microsoft NT server 4.0 documentation.

Message text: Unable to create files or directories in a share that is mapped to a client.
Full description: UNIX permission bits are not set to grant permission for the user to write to the shared directory. This situation could only occur if the access policy is set incorrectly.
Corrective action: Change the access policy or mount the directory over NFS on the Control Station or any other UNIX client, and use chmod to set the appropriate UNIX permission to allow the user to write to it.

Message text: Vnodepercent must be integer and between 10 and 100
Full description: User tried to set an incorrect value in the parameter cifs.vnodepercent.
Corrective action: Correct the parameter value (between 10 and 100). The Celerra Network Server Parameters Guide provides information for values and format.

Message text: write to SID file failed
Full description: The creation of the SID mapping file failed. Quota report.
Corrective action: Ensure the root file system is not full and can be correctly read/written.

Message text: xml_lookupid : groupquery creation error
Full description: Memory saturation: The object groupquery cannot be created. Quota report or quota creation.
Corrective action: Reboot the Data Mover and report the problem to EMC Customer Service.

Message text: xml_lookupid : groupqueryelt creation error
Full description: Memory saturation: The object groupqueryelt can't be created. Quota report or quota creation.
Corrective action: Reboot the Data Mover and report the problem to EMC Customer Service.

Message text: xml_lookupid : namequery creation error
Full description: Memory saturation: The object namequery cannot be created. Quota report or quota creation.
Corrective action: Reboot the Data Mover and report the problem to EMC Customer Service.

Message text: xml_lookupid : namequeryelt creation error
Full description: Memory saturation: The object namequeryelt cannot be created. Quota report or quota creation.
Corrective action: Reboot the Data Mover and report the problem to EMC Customer Service.

Message text: xml_lookupid : userquery creation error
Full description: Memory saturation: The object userquery cannot be created. Quota report or quota creation.
Corrective action: Reboot the Data Mover and report the problem to EMC Customer Service.

Message text: xml_lookupid : userqueryelt creation error
Full description: Memory saturation: The object userqueryelt cannot be created. Quota report or quota creation.
Corrective action: Reboot the Data Mover and report the problem to EMC Customer Service.

Message text: xml_lookupname: Cannot create SIDQuery %s, ident
Full description: Memory saturation: The object sidquery cannot be created. Quota report or quota creation.
Corrective action: Reboot the Data Mover and report the problem to EMC Customer Service.

Message text: xml_lookupname: gidquery creation error
Full description: Memory saturation: The object gidquery cannot be created. Quota report or quota creation.
Corrective action: Reboot the Data Mover and report the problem to EMC Customer Service.

Message text: xml_lookupname: gidqueryelt creation error
Full description: Memory saturation: The object gidqueryelt cannot be created. Quota report or quota creation.
Corrective action: Reboot the Data Mover and report the problem to EMC Customer Service.

Message text: xml_lookupname: UID or gid must be numeric, ident
Full description: Syntax error in a XML request NAME_LOOKUP.

Message text: xml_lookupname: UIDQuery creation error, insufficient memory available
Full description: Memory saturation: The object UIDQuery cannot be created. Quota report or quota creation.
Corrective action: Reboot the Data Mover and report the problem to EMC Customer Service.

Message text: xml_lookupname: UIDQueryElt creation error, insufficient memory available
Full description: Memory saturation: The object UIDQueryElt cannot be created. Quota report or quota creation.
Corrective action: Reboot the Data Mover and report the problem to EMC Customer Service.

Problem Situations

Table 20 lists problem situations you may encounter as well as their definitions and the corrective actions to take.

Table 20 Problem situations

Problem: With NT user authentication, certain Windows 95 clients may not be able to map drives from the Data Mover.
Description: The domain name sent to the Data Mover by the client was incorrectly specified, or the username.domain is not mapped in the passwd file on the Data Mover.
Corrective action: Verify that the client is sending the correct domain name to the passwd file on the Data Mover. To verify that the client is sending the correct domain, perform the following:
1. In the Network option in the Control Panel, double-click the network client (Client for Microsoft Networks).
2. Under General properties, verify that the correct domain name is shown.

Problem: With NT user authentication, Incorrect password or unknown username error message appears after attempts to connect to the server, and the username and password window appears.
Description: The Windows NT user account may be missing from the PDC domain, or the Data Mover was unable to determine a UID to use for this user.
Corrective action: Add the Windows NT user to the PDC of the domain and map the user to a UNIX username and UID.

Problem: Unable to create files or directories in a share that is mapped to a client.
Description: UNIX permission bits are not set to grant permission for the user to write to the shared directory.
Note: This situation only occurs if the access policy is set incorrectly. The Managing Celerra for a Multiprotocol Environment technical module provides more information.
Corrective action: Change the access policy or mount the directory over NFS on the Control Station or any other UNIX client, and use chmod to set the appropriate UNIX permission to allow the user to be able to write to it.

Problem: Windows NT environment: Windows clients cannot connect to a server using clear text passwords. (For example, this might occur when the Celerra Network Server is in UNIX mode.) The following error message might appear:
    The Account is not authorized to login from this station
Description: The SMB redirector handles unencrypted passwords differently than previous versions of Windows NT. The SMB redirector does not send an unencrypted password unless you add a Registry entry to enable unencrypted passwords.
Corrective action: You must modify the Registry to enable unencrypted passwords.
WARNING: Incorrectly modifying the Registry may cause serious system-wide problems that may require you to reinstall your system. Use this tool at your own risk.
1. Run Registry Editor (Regedt32.exe).
2. From the HKEY_LOCAL_MACHINE subtree, go to the following key:
    System\CurrentControlSet\Services\rdr\parameters
   Under this key, create a new DWORD Registry key named EnablePlainTextPassword, set its value to 1, and then restart your computer.
3. Select Add Value on the Edit menu.
4. Add the following:
    Value Name: EnablePlainTextPassword
    Data Type: REG_DWORD
    Data: 1
5. Click OK and quit Registry Editor.
6. Shut down and restart Windows NT.
Note: Use GPOs for Windows 2000 and Windows Server 2003 clients.
The procedure was adapted from Article ID: Q of the Microsoft Knowledge Base.

Problem: With NT user authentication, clients are unable to connect to the server, and the window to prompt for username and password does not appear on the client side.
Description: No domain controller found for the domain.
Corrective action: Check if PDC or BDC is up. Check if Data Mover can access a WINS server that knows about the PDC domain, or have the PDC/BDC in the same local subnet as the Data Mover.
or
Description: The server's NetBIOS name is not registered as a computer account on the PDC domain or a trust relationship has not been established between the client and server domains. The following message may appear in the server_log:
    The SAM database on the Windows NT server does not have a complete account for this workstation trust relationship.
Corrective action: Add a computer account to the PDC. If the computer account does exist, remove it and add it again before retrying the command. To set up a trust relationship between domains, refer to Microsoft NT server 4.0 documentation.

Problem: After joining a CIFS server to a domain, the following error appears in the server_cifs output, indicating the system cannot update the DNS record:
    FQDN=dm4-a140-ana0.c1t1.pt1.c3lab.nsgprod.emc.com (Update of "A" record failed during update: Operation refused for policy or security reasons)
Description: The DNS server's zone may include the same FQDN (fully-qualified domain name) for another computer account.
Corrective action: Verify the DNS server's zone does not have the same FQDN with a different IP address for another computer account.

Problem: When attempting to join a CIFS server to a domain, the following error message appears:
    Error 4020: server_2 : failed to complete command
Possible server_log error messages:
    :42:29: SMB: 3: DomainJoin::getAdminCreds: gss_acquire_cred_ext failed: Miscellaneous failure. Clients credentials have been revoked
    :42:29: ADMIN: 3: Command failed: domjoin compname=dm3-a121-ana0 domain=c1t1.pt1.c3lab.nsgprod.emc.com admin=c1t1admin password= d179d D init
Description: Domain administrator account was locked out. Typically, this happens when another user is logged in using the same administrator account on another system.
Corrective action: Clear the Account is locked out checkbox on the Account tab of the User Account Properties window.

Problem:
    0xC :49:40: SMB: 3: Srv=<Celerra_netbios_name> buildsecurechanel=authenticate2invalidreply E=0xc
Description: Access is denied because the computer was created on the domain controller without enabling the Allow pre-Windows 2000 computers to use this account option on the Windows New Object - Computer dialog box.
Corrective action: Delete the computer and then recreate it with the Allow pre-Windows 2000 computers to use this account option enabled.

Problem: After upgrading from a Windows NT domain to Windows 2000, unable to change the original domain suffix during Windows 2000 setup.
Description: Unable to change domain suffix because it was hardcoded in DDNS.
Corrective action: Before upgrading, change the domain suffix.

Problem: Access is denied to Internet Information Services (IIS) 6.0 when attempting to connect to the web directory on a Celerra share. In the IIS web log, the error bad user name or password displays even though the user name and password are in the local user database.
Description: For a stand-alone CIFS server with local user support enabled, the user name and password must be the same on IIS 6.0, the Data Mover, and the client.
Corrective action: Specify the same user name and password on IIS 6.0, the Data Mover, and the client.

Related information

For specific information related to the features and functionality described in this technical module, refer to:

Configuring CIFS on Celerra
Managing Celerra for a Multiprotocol Environment
Celerra Network Server Parameters Guide
Celerra Network Server Command Reference Manual
Celerra Network Server Error Messages Guide
Using EMC Utilities for the CIFS Environment
Celerra Network Server User Information Glossary
Using Windows Administrative Tools with Celerra
Managing Celerra Volumes and File Systems Manually
Replicating Celerra CIFS Environments
Installing Celerra Management Applications
Configuring Celerra Time Services
Configuring Virtual Data Movers for Celerra
Using International Character Sets with Celerra
Configuring Celerra Naming Services
Configuring External Usermapper for Celerra
Configuring Celerra User Mapping

The Celerra Network Server Documentation CD, supplied with your Celerra Network Server and also available on Powerlink, provides general information on other EMC Celerra publications.

Customer training programs

EMC customer training programs are designed to help you learn how EMC storage products work together and integrate within your environment to maximize your entire infrastructure investment. EMC customer training programs feature online and hands-on training in state-of-the-art labs conveniently located throughout the world. EMC customer training programs are developed and delivered by EMC experts. For program information and registration, refer to Powerlink, our customer and partner website.


Appendix A: Additional home directory information

This section provides additional information regarding the optional home directory feature described in "Enabling home directories" on page 46. The information in this section is intended for users who are creating or maintaining home directory configurations.

Home directory database format

This section outlines the format of the entries in the home directory database. EMC recommends that you use the Home Directory MMC snap-in to create and maintain home directories. The snap-in validates entries and helps to ensure that your entries are correct and complete.

The following table contains the basic home directory database format.

Format

The database contains an entry for each user and uses the following format:

    <domain>:<username>:</path> [:regex][:create][:ro][:<umask>]

Where:
    <domain> = Windows domain name
    <username> = user's Windows username
    </path> = UNIX path of the parent home directory
    create = target directory will be created if it does not already exist
    regex = domain and/or username are regular expressions
    ro = read-only file access (the default is read/write)
    <umask> = user file-creation <mask> for the umask allowing NFS permissions to be determined for the share.

The database may contain comments. Comments start with a # on a new line.

Example: The following is an example of a database:

    # Comment - These entries specify users in the galaxy domain.
    galaxy:glenn:/mnt1/usr1
    galaxy:grissom:/mnt2/usr2
    galaxy:armstrong:/mnt2/usr3

Where:
    # = character that precedes comment text.
    galaxy = Windows domain
    glenn, grissom, and armstrong = usernames
    /mnt1/usr1, /mnt2/usr2, and /mnt2/usr3 = individual home directories for glenn, grissom, and armstrong, respectively.

Wildcards: Map files can contain wildcard entries. "Wildcards" on page 92 provides more information.

Example: The following example is a database with wildcard entries:

    *:*:/mnt3/guest
    galaxy:*:/mnt3/cifs
    galaxy:glenn:/mnt1/usr1
    galaxy:grissom:/mnt2/usr2
    galaxy:armstrong:/mnt2/usr3

Create: Map files can indicate that directories should be created automatically. The parent directory must exist. In the following example, the directory sales must exist before the directory usr1 can be created.

Example: The following is an example of a database with a directory entry that will be created automatically:

    galaxy:glenn:/mnt1/sales/usr1:create

Regular Expressions: Map file entries can contain regular expressions. The Celerra Management MMC plug-in online help provides a complete discussion on regular expressions.

Example: The following is an example of a database with regular expression entries:

    nasdocs:*:/ufs/user4/<d>/<u>:regex:create
    nasdocs:^[a-g]:/ufs/user1/<d>/<u>:regex:create
    nasdocs:^[h-p]:/ufs/user2/<d>/<u>:regex:create
    nasdocs:^[q-z]:/ufs/user3/<u>/<u>:regex:create

Umask: Map files can contain an NFS permissions mask that sets the permissions on newly created directories and files. This mask does not affect the CIFS ACL.

Note: Each field in the database must be separated by the : delimiter.

Wildcards

Map files can contain wildcards (*) for the domain and username fields. Wildcards let you assign home directories to multiple users without making individual entries for each user in the database. For example, if the username field contains a wildcard, all users from the specified domain match the wildcard entry. In this situation, a directory with the user's Windows username in its path becomes the user's home directory. Therefore, if the database contains the following entry:

    galaxy:*:/mnt3/cifs/

all users in the galaxy domain can access home directories under /mnt3/cifs/ that match their usernames. For example, user1 in the galaxy domain can access the home directory /mnt3/cifs/user1, and user2 can access the home directory /mnt3/cifs/user2.

Wildcard entries should be put at the beginning of the database, with specific entries following. "Parsing order" on page 93 provides an additional explanation.

Regular expressions

You can use regular expressions when you specify the user names and directories.

Note: EMC recommends using the Celerra Management MMC plug-in to create and edit usernames and directories when you are using regular expressions. The MMC plug-in validates your regular expressions as you enter them. If you create or edit the .homedir file and enter incorrect regular expressions, your home directory environment may become unusable.

The Celerra Management MMC plug-in online help provides additional information about the implementation of regular expressions on Celerra.

Parsing order

The Data Mover parses the database from top to bottom. If you use wildcards, there may be multiple matches for a domain:user pair; therefore, when the Data Mover finds a match for a domain:user pair, it then searches the path for the user's directory. If there is a user directory under the path, that directory is mapped as the user's HOME directory. If there is no matching directory, the Data Mover continues parsing the database looking for the user's home directory.

For example, you have a database that contains the following wildcard entries:

    galaxy:*:/homes1/
    galaxy:*:/homes2/
    galaxy:*:/homes3/

You are trying to map a HOME directory for user1 and you have the following directory structures:

    /homes1/user1 does not exist
    /homes2/user1 does exist
    /homes3/user1 does not exist

If the Data Mover looked only for a galaxy:user1 match, it would stop parsing at the first map entry. However, the Data Mover, after finding a galaxy:user1 match, searches the path for a user1 directory; if it does not find a user1 directory, the Data Mover continues parsing the database. In the example above, the Data Mover would find the match under the second entry, and then map that directory as the home directory for user1.

Guest accounts

For occasional or guest users, you can specify a guest directory in the database. Users who log in from domains not listed in the database are directed to the guest directory. A guest directory entry contains wildcards for the domain and the username as shown in the following example:

    *:*:/mnt3/guest
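The database format and parsing order described above can be modelled offline to see which entry a given domain:user pair lands on, including the guest fallback. This is an added example, not EMC's code: the matching is assumed to be case-insensitive, the umask is assumed to be octal digits, a wildcard username (the *:* guest entry included) is assumed to resolve to <path>/<username> while a literal username uses the path itself, and regex entries are parsed but not evaluated because the page leaves their semantics to the MMC online help. SAMPLE_DB and EXISTING_DIRS are constructed sample data.

```python
import posixpath
import re
from typing import Callable, List, NamedTuple, Optional


class Entry(NamedTuple):
    line_no: int
    domain: str
    username: str
    path: str
    regex: bool
    create: bool
    read_only: bool
    umask: Optional[str]


class Mapping(NamedTuple):
    home: str
    entry: Entry
    created: bool  # True when the :create flag would have to make the directory


def parse_database(text: str) -> List[Entry]:
    """Parse <domain>:<username>:</path>[:regex][:create][:ro][:<umask>] lines."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # comments start with # on a new line
            continue
        fields = line.split(":")
        if len(fields) < 3 or not all(fields[:3]) or not fields[2].startswith("/"):
            raise ValueError(f"line {line_no}: expected <domain>:<username>:</path>")
        domain, username, path = fields[:3]
        flags = {"regex": False, "create": False, "ro": False}
        umask = None
        for opt in fields[3:]:
            if opt in flags:
                flags[opt] = True
            elif re.fullmatch(r"[0-7]{3,4}", opt):  # assumption: octal umask syntax
                umask = opt
            else:
                raise ValueError(f"line {line_no}: unknown option {opt!r}")
        entries.append(Entry(line_no, domain, username, path.rstrip("/") or "/",
                             flags["regex"], flags["create"], flags["ro"], umask))
    return entries


def _matches(pattern: str, value: str) -> bool:
    # Assumption: domain and user names compare case-insensitively.
    return pattern == "*" or pattern.lower() == value.lower()


def resolve(entries: List[Entry], domain: str, user: str,
            dir_exists: Callable[[str], bool]) -> Optional[Mapping]:
    """Walk the entries top to bottom; a match counts only if the directory exists
    (or the entry has :create and the parent directory exists)."""
    if not user or "/" in user or "\\" in user or user in (".", ".."):
        raise ValueError(f"unsafe username {user!r}")  # never build a path from it
    for e in entries:
        if e.regex:
            continue  # parsed, but not evaluated in this model
        if not (_matches(e.domain, domain) and _matches(e.username, user)):
            continue
        home = posixpath.join(e.path, user) if e.username == "*" else e.path
        if dir_exists(home):
            return Mapping(home, e, False)
        if e.create and dir_exists(posixpath.dirname(home)):
            return Mapping(home, e, True)
        # Matching entry without a usable directory: keep parsing.
    return None


# Constructed sample built from the entries shown on this page.
SAMPLE_DB = """\
# Wildcard entries first, specific entries after them.
*:*:/mnt3/guest
galaxy:*:/homes1/
galaxy:*:/homes2/
galaxy:*:/homes3/
galaxy:glenn:/mnt1/sales/usr1:create
galaxy:grissom:/mnt2/usr2:ro:022
nasdocs:^[a-g]:/ufs/user1/<d>/<u>:regex:create
"""
# Constructed stand-in for the directories present on the file systems.
EXISTING_DIRS = {"/homes2/user1", "/mnt1/sales", "/mnt2/usr2", "/mnt3/guest/visitor"}

if __name__ == "__main__":
    db = parse_database(SAMPLE_DB)
    for dom, usr in [("galaxy", "user1"), ("galaxy", "glenn"), ("mars", "visitor")]:
        print(dom, usr, "->", resolve(db, dom, usr, EXISTING_DIRS.__contains__))
```

Running it over a copy of a real map file shows at a glance which accounts fall through to the *:* entry and which entries depend on :create.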

Disabling home directories on the Data Mover

Use the following command syntax to disable home directories on the Data Mover.

    $ server_cifs <movername> -option homedir=no

Where:
    <movername> = name of the Data Mover


About this technical module

As part of its effort to continuously improve and enhance the performance and capabilities of the Celerra Network Server product line, EMC from time to time releases new revisions of Celerra hardware and software. Therefore, some functions described in this document may not be supported by all revisions of Celerra software or hardware presently in use. For the most up-to-date information on product features, see your product release notes. If your Celerra system does not offer a function described in this document, contact your EMC Customer Support Representative for a hardware upgrade or software update.

Comments and suggestions about documentation

Your suggestions will help us improve the accuracy, organization, and overall quality of the user documentation. Send a message to [email protected] with your opinions of this document.

Copyright EMC Corporation. All rights reserved.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com. All other trademarks used herein are the property of their respective owners.


More information

RoomWizard Synchronization Software Manual Installation Instructions

RoomWizard Synchronization Software Manual Installation Instructions 2 RoomWizard Synchronization Software Manual Installation Instructions Table of Contents Exchange Server Configuration... 4 RoomWizard Synchronization Software Installation and Configuration... 5 System

More information

Parallels Plesk Panel

Parallels Plesk Panel Parallels Plesk Panel Copyright Notice Parallels Holdings, Ltd. c/o Parallels International GMbH Vordergasse 49 CH8200 Schaffhausen Switzerland Phone: +41 526320 411 Fax: +41 52672 2010 Copyright 1999-2011

More information

Introduction. Versions Used Windows Server 2003

Introduction. Versions Used Windows Server 2003 Training Installing Active Directory Introduction As SonicWALL s products and firmware keeps getting more features that are based on integration with Active Directory, e.g., Active Directory Connector

More information

How To Manage A Network On A Linux Computer (Vnx) On A Windows 7 Computer (Windows) On An Ipod Or Ipod (Windows 7) On Your Ipod Computer (For Windows) On The Network (For Linux)

How To Manage A Network On A Linux Computer (Vnx) On A Windows 7 Computer (Windows) On An Ipod Or Ipod (Windows 7) On Your Ipod Computer (For Windows) On The Network (For Linux) EMC VNX Series Configuring VNX Naming Services P/N 300-011-855 REV A01 EMC Corporation Corporate Headquarters: Hopkinton, MA 01748-9103 1-508-435-1000 www.emc.com 2 of 80 Contents Introduction..................................................5

More information

Quick Start - NetApp File Archiver

Quick Start - NetApp File Archiver Quick Start - NetApp File Archiver TABLE OF CONTENTS OVERVIEW SYSTEM REQUIREMENTS GETTING STARTED Upgrade Configuration Archive Recover Page 1 of 14 Overview - NetApp File Archiver Agent TABLE OF CONTENTS

More information

Chapter. Managing Group Policy MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:

Chapter. Managing Group Policy MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Chapter 10 Managing Group Policy MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Implement and troubleshoot Group Policy. Create a Group Policy object (GPO). Link an existing GPO. Delegate administrative

More information

Networking Best Practices Guide. Version 6.5

Networking Best Practices Guide. Version 6.5 Networking Best Practices Guide Version 6.5 Summer 2010 Copyright: 2010, CCH, a Wolters Kluwer business. All rights reserved. Material in this publication may not be reproduced or transmitted in any form

More information

Getting Started Guide

Getting Started Guide Getting Started Guide Microsoft Corporation Published: December 2005 Table of Contents Getting Started Guide...1 Table of Contents...2 Get Started with Windows Server 2003 R2...4 Windows Storage Server

More information

Active Directory Domain Migration Checklist ADUM Active Directory Migrator

Active Directory Domain Migration Checklist ADUM Active Directory Migrator Active Directory Domain Migration Checklist ADUM Active Directory Migrator Before beginning an Active Directory migration, a number of mandatory requirements are needed to be in place in order to complete

More information

MCSE 2003. Core exams (Networking) One Client OS Exam. Core Exams (6 Exams Required)

MCSE 2003. Core exams (Networking) One Client OS Exam. Core Exams (6 Exams Required) MCSE 2003 Microsoft Certified Systems Engineer (MCSE) candidates on the Microsoft Windows Server 2003 track are required to satisfy the following requirements: Core Exams (6 Exams Required) Four networking

More information

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Windows 2000, Windows Server 2003 5.0 11293743 Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Copyright

More information

Installation and Configuration Guide

Installation and Configuration Guide Installation and Configuration Guide BlackBerry Resource Kit for BlackBerry Enterprise Service 10 Version 10.2 Published: 2015-11-12 SWD-20151112124827386 Contents Overview: BlackBerry Enterprise Service

More information

Using DC Agent for Transparent User Identification

Using DC Agent for Transparent User Identification Using DC Agent for Transparent User Identification Using DC Agent Web Security Solutions v7.7, 7.8 If your organization uses Microsoft Windows Active Directory, you can use Websense DC Agent to identify

More information

5 Configuring a DNS Infrastructure

5 Configuring a DNS Infrastructure 5 Configuring a DNS Infrastructure Exam Objectives in this Chapter: Configure a DNS server. Configure DNS zone options. Configure DNS forwarding. Manage DNS zone settings. Manage DNS server options. Why

More information

Step-by-Step Setup Guide Wireless File Transmitter FTP Mode

Step-by-Step Setup Guide Wireless File Transmitter FTP Mode EOS Step-by-Step Setup Guide Wireless File Transmitter FTP Mode Ad Hoc Setup Windows XP 2012 Canon U.S.A., Inc. All Rights Reserved. Reproduction in whole or in part without permission is prohibited. 1

More information

Customer Tips. Basic E-mail Configuration and Troubleshooting. for the user. Overview. Basic Configuration. Xerox Multifunction Devices.

Customer Tips. Basic E-mail Configuration and Troubleshooting. for the user. Overview. Basic Configuration. Xerox Multifunction Devices. Xerox Multifunction Devices Customer Tips November 24, 2003 This document applies to these Xerox products: x WC Pro 32/40 Color x WC Pro 65/75/90 x WC Pro 35/45/55 WC M35/M45/M55 x DC 555/545/535 x DC

More information

Network System Management. Creating an Active Directory Domain

Network System Management. Creating an Active Directory Domain Network System Management Creating an Active Directory Domain Objectives Identify the procedures involved in the promotion of a stand-alone Windows Server to an active directory services (ADS) domain controller

More information

Integrating LANGuardian with Active Directory

Integrating LANGuardian with Active Directory Integrating LANGuardian with Active Directory 01 February 2012 This document describes how to integrate LANGuardian with Microsoft Windows Server and Active Directory. Overview With the optional Identity

More information

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks

More information

KASPERSKY LAB. Kaspersky Administration Kit version 6.0. Administrator s manual

KASPERSKY LAB. Kaspersky Administration Kit version 6.0. Administrator s manual KASPERSKY LAB Kaspersky Administration Kit version 6.0 Administrator s manual KASPERSKY ADMINISTRATION KIT VERSION 6.0 Administrator s manual Kaspersky Lab Visit our website: http://www.kaspersky.com/

More information

Managing an Active Directory Infrastructure

Managing an Active Directory Infrastructure 3 CHAPTER 3 Managing an Active Directory Infrastructure Objectives This chapter covers the following Microsoft-specified objectives for the Planning and Implementing an Active Directory Infrastructure

More information

Getting Started Guide

Getting Started Guide Getting Started Guide CensorNet Professional Copyright CensorNet Limited, 2007-2011 This document is designed to provide information about the first time configuration and testing of the CensorNet Professional

More information

Active Directory integration with CloudByte ElastiStor

Active Directory integration with CloudByte ElastiStor Active Directory integration with CloudByte ElastiStor Prerequisite Change the time and the time zone of the Active Directory Server to the VSM time and time zone. Enabling Active Directory at VSM level

More information

Ultimus and Microsoft Active Directory

Ultimus and Microsoft Active Directory Ultimus and Microsoft Active Directory May 2004 Ultimus, Incorporated 15200 Weston Parkway, Suite 106 Cary, North Carolina 27513 Phone: (919) 678-0900 Fax: (919) 678-0901 E-mail: [email protected]

More information

Restructuring Active Directory Domains Within a Forest

Restructuring Active Directory Domains Within a Forest C H A P T E R 1 2 Restructuring Active Directory Domains Within a Forest Restructuring Active Directory directory service domains within a forest with the goal of reducing the number of domains allows

More information

Virtual Data Movers on EMC VNX

Virtual Data Movers on EMC VNX White Paper Virtual Data Movers on EMC VNX Abstract This white paper describes the high availability and portable capability of the Virtual Data Mover (VDM) technology delivered in the EMC VNX series of

More information

LT Auditor+ 2013. Windows Assessment SP1 Installation & Configuration Guide

LT Auditor+ 2013. Windows Assessment SP1 Installation & Configuration Guide LT Auditor+ 2013 Windows Assessment SP1 Installation & Configuration Guide Table of Contents CHAPTER 1- OVERVIEW... 3 CHAPTER 2 - INSTALL LT AUDITOR+ WINDOWS ASSESSMENT SP1 COMPONENTS... 4 System Requirements...

More information

ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example

ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example Document ID: 113571 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information

More information

Centralized Mac Home Directories On Windows Servers: Using Windows To Serve The Mac

Centralized Mac Home Directories On Windows Servers: Using Windows To Serve The Mac Making it easy to deploy, integrate and manage Macs, iphones and ipads in a Windows environment. Centralized Mac Home Directories On Windows Servers: Using Windows To Serve The Mac 2011 ENTERPRISE DEVICE

More information

Deploying Windows Streaming Media Servers NLB Cluster and metasan

Deploying Windows Streaming Media Servers NLB Cluster and metasan Deploying Windows Streaming Media Servers NLB Cluster and metasan Introduction...................................................... 2 Objectives.......................................................

More information

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner

More information

Chapter 6. About This Chapter. Before You Begin. Windows 2000 Naming Schemes. [Previous] [Next]

Chapter 6. About This Chapter. Before You Begin. Windows 2000 Naming Schemes. [Previous] [Next] [Previous] [Next] Chapter 6 R e s o l v i n g N e t w o r k H o s t N a m e s About This Chapter Both clients and servers on a network must resolve the user-friendly host names to the Internet Protocol

More information

embeo Getting Started and Samples

embeo Getting Started and Samples embeo smb filesharing development kit Getting Started and Samples Getting Started Guide rev. 1.4 1 Introduction to SMB The SMB protocol, CIFS, or Windows File Sharing as it is more commonly known, is the

More information

The Win32 Network Management APIs

The Win32 Network Management APIs The Win32 Network Management APIs What do we have in this session? Intro Run-Time Requirements What's New in Network Management? Windows 7 Windows Server 2003 Windows XP Network Management Function Groups

More information

NSi Mobile Installation Guide. Version 6.2

NSi Mobile Installation Guide. Version 6.2 NSi Mobile Installation Guide Version 6.2 Revision History Version Date 1.0 October 2, 2012 2.0 September 18, 2013 2 CONTENTS TABLE OF CONTENTS PREFACE... 5 Purpose of this Document... 5 Version Compatibility...

More information

Intel Entry Storage System SS4200-E Active Directory Implementation and Troubleshooting

Intel Entry Storage System SS4200-E Active Directory Implementation and Troubleshooting Intel Entry Storage System SS4200-E Active Directory Implementation and Troubleshooting 1 Active Directory Overview SS4200-E Active Directory is based on the Samba 3 implementation The SS4200-E will function

More information

Managing users. Account sources. Chapter 1

Managing users. Account sources. Chapter 1 Chapter 1 Managing users The Users page in Cloud Manager lists all of the user accounts in the Centrify identity platform. This includes all of the users you create in the Centrify for Mobile user service

More information

Configuring Controller 8.2 to use Active Directory authentication

Configuring Controller 8.2 to use Active Directory authentication Proven Practice Configuring Controller 8.2 to use Active Directory authentication Product(s): Controller 8.2 Area of Interest: Infrastructure Configuring Controller 8.2 to use Active Directory authentication

More information

How to Join QNAP NAS to Microsoft Active Directory (AD)

How to Join QNAP NAS to Microsoft Active Directory (AD) How to Join QNAP NAS to Microsoft Active Directory (AD) What is Active Directory? Active Directory is a Microsoft directory used in Windows environments to centrally store, share, and manage the information

More information

800-782-3762 www.stbernard.com. Active Directory 2008 Implementation. Version 6.410

800-782-3762 www.stbernard.com. Active Directory 2008 Implementation. Version 6.410 800-782-3762 www.stbernard.com Active Directory 2008 Implementation Version 6.410 Contents 1 INTRODUCTION...2 1.1 Scope... 2 1.2 Definition of Terms... 2 2 SERVER CONFIGURATION...3 2.1 Supported Deployment

More information

Guideline for setting up a functional VPN

Guideline for setting up a functional VPN Guideline for setting up a functional VPN Why do I want a VPN? VPN by definition creates a private, trusted network across an untrusted medium. It allows you to connect offices and people from around the

More information

Installing and Configuring Active Directory Agent

Installing and Configuring Active Directory Agent CHAPTER 2 Active Directory Agent is a software application that comes packaged as a Windows installer. You must install it on a Windows machine and configure it with client devices and AD domain controllers.

More information

DC Agent Troubleshooting

DC Agent Troubleshooting DC Agent Troubleshooting Topic 50320 DC Agent Troubleshooting Web Security Solutions v7.7.x, 7.8.x 27-Mar-2013 This collection includes the following articles to help you troubleshoot DC Agent installation

More information

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Installation Guide

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Installation Guide Digipass Plug-In for IAS IAS Plug-In IAS Microsoft's Internet Authentication Service Installation Guide Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations

More information

NETWRIX FILE SERVER CHANGE REPORTER

NETWRIX FILE SERVER CHANGE REPORTER NETWRIX FILE SERVER CHANGE REPORTER ADMINISTRATOR S GUIDE Product Version: 3.3 April/2012. Legal Notice The information in this publication is furnished for information use only, and does not constitute

More information

FireSIGHT User Agent Configuration Guide

FireSIGHT User Agent Configuration Guide Version 2.2 August 20, 2015 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL

More information

NETWRIX PASSWORD MANAGER

NETWRIX PASSWORD MANAGER NETWRIX PASSWORD MANAGER ADMINISTRATOR S GUIDE Product Version: 6.1 February/2012 Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment

More information

Activity 1: Scanning with Windows Defender

Activity 1: Scanning with Windows Defender Activity 1: Scanning with Windows Defender 1. Click on Start > All Programs > Windows Defender 2. Click on the arrow next to Scan 3. Choose Custom Scan Page 1 4. Choose Scan selected drives and folders

More information

Isilon OneFS. Version 7.2.1. OneFS Migration Tools Guide

Isilon OneFS. Version 7.2.1. OneFS Migration Tools Guide Isilon OneFS Version 7.2.1 OneFS Migration Tools Guide Copyright 2015 EMC Corporation. All rights reserved. Published in USA. Published July, 2015 EMC believes the information in this publication is accurate

More information

Storage Sync for Hyper-V. Installation Guide for Microsoft Hyper-V

Storage Sync for Hyper-V. Installation Guide for Microsoft Hyper-V Installation Guide for Microsoft Hyper-V Egnyte Inc. 1890 N. Shoreline Blvd. Mountain View, CA 94043, USA Phone: 877-7EGNYTE (877-734-6983) www.egnyte.com 2013 by Egnyte Inc. All rights reserved. Revised

More information

Troubleshooting File and Printer Sharing in Microsoft Windows XP

Troubleshooting File and Printer Sharing in Microsoft Windows XP Operating System Troubleshooting File and Printer Sharing in Microsoft Windows XP Microsoft Corporation Published: November 2003 Updated: August 2004 Abstract File and printer sharing for Microsoft Windows

More information

qliqdirect Active Directory Guide

qliqdirect Active Directory Guide qliqdirect Active Directory Guide qliqdirect is a Windows Service with Active Directory Interface. qliqdirect resides in your network/server and communicates with qliqsoft cloud servers securely. qliqdirect

More information

Kaseya Server Instal ation User Guide June 6, 2008

Kaseya Server Instal ation User Guide June 6, 2008 Kaseya Server Installation User Guide June 6, 2008 About Kaseya Kaseya is a global provider of IT automation software for IT Solution Providers and Public and Private Sector IT organizations. Kaseya's

More information

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer.

More information

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client. WatchGuard SSL v3.2 Release Notes Supported Devices SSL 100 and 560 WatchGuard SSL OS Build 355419 Revision Date January 28, 2013 Introduction WatchGuard is pleased to announce the release of WatchGuard

More information

How to install Small Business Server 2003 in an existing Active

How to install Small Business Server 2003 in an existing Active Page 1 of 6 How to install Small Business Server 2003 in an existing Active Directory domain INTRODUCTION This article describes how to install a Microsoft Windows Small Business Server (SBS) 2003-based

More information

SWsoft, Inc. Plesk File Server. Administrator's Guide. Plesk 7.5 Reloaded

SWsoft, Inc. Plesk File Server. Administrator's Guide. Plesk 7.5 Reloaded SWsoft, Inc. Plesk File Server Administrator's Guide Plesk 7.5 Reloaded (c) 1999-2005 ISBN: N/A SWsoft Inc 13755 Sunrise Valley Drive Suite 325 Herndon VA 20171 USA Tel: +1 (703) 815 5670 Fax: +1 (703)

More information

Outpost Network Security

Outpost Network Security Administrator Guide Reference Outpost Network Security Office Firewall Software from Agnitum Abstract This document provides information on deploying Outpost Network Security in a corporate network. It

More information

Click Studios. Passwordstate. Installation Instructions

Click Studios. Passwordstate. Installation Instructions Passwordstate Installation Instructions This document and the information controlled therein is the property of Click Studios. It must not be reproduced in whole/part, or otherwise disclosed, without prior

More information

EMC NetWorker. Licensing Guide. Release 8.0 P/N 300-013-596 REV A01

EMC NetWorker. Licensing Guide. Release 8.0 P/N 300-013-596 REV A01 EMC NetWorker Release 8.0 Licensing Guide P/N 300-013-596 REV A01 Copyright (2011-2012) EMC Corporation. All rights reserved. Published in the USA. Published June, 2012 EMC believes the information in

More information

AWS Directory Service. Simple AD Administration Guide Version 1.0

AWS Directory Service. Simple AD Administration Guide Version 1.0 AWS Directory Service Simple AD Administration Guide AWS Directory Service: Simple AD Administration Guide Copyright 2015 Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's

More information

BlackBerry Enterprise Service 10. Version: 10.2. Configuration Guide

BlackBerry Enterprise Service 10. Version: 10.2. Configuration Guide BlackBerry Enterprise Service 10 Version: 10.2 Configuration Guide Published: 2015-02-27 SWD-20150227164548686 Contents 1 Introduction...7 About this guide...8 What is BlackBerry Enterprise Service 10?...9

More information

Instructions for Adding a MacOS 10.4.x Server to ASURITE for File Sharing. Installation Section

Instructions for Adding a MacOS 10.4.x Server to ASURITE for File Sharing. Installation Section Instructions for Adding a MacOS 10.4.x Server to ASURITE for File Sharing Installation Section Purpose: We are setting up a server in ASU s specific environment. Power on the Server Insert the CD Hold

More information

Lesson Plans Managing a Windows 2003 Network Infrastructure

Lesson Plans Managing a Windows 2003 Network Infrastructure Lesson Plans Managing a Windows 2003 Network Infrastructure (Exam 70-291) Table of Contents Course Overview... 2 Section 0.1: Introduction... 3 Section 1.1: Client Configuration... 4 Section 1.2: IP Addressing...

More information