Managing Celerra for the Windows Environment

Transcription

1 Managing Celerra for the Windows Environment P/N Rev A01 March 2006 Contents Introduction Windows and multiprotocol documentation Terminology System requirements EMC NAS Interoperability Matrix MMC snap-ins and programs for Windows Celerra UNIX Attributes Migration tool Celerra UNIX User Management snap-in Celerra UNIX property page extensions in ADUC Celerra Data Mover Management snap-in Celerra AntiVirus Management Celerra Home Directory Management snap-in Data Mover Security Settings snap-in Celerra Audit Policy Celerra User Rights Assignment User interface choices Managing Windows roadmap Checking the current CIFS configuration Managing network interfaces Managing DNS on a Data Mover Modifying a CIFS configuration Adding a WINS server Renaming a NetBIOS name Assigning aliases to NetBIOS and computer names Associating comments with CIFS servers Changing the CIFS server password Advanced procedures for joining CIFS servers to Windows domains..23 Configuration prerequisites Delegated join Parameters for the join procedure Same namespace without a delegated join Same namespace and a delegated join Disjoint namespace without a delegated join Disjoint namespace and a delegated join Managing file systems of 98

2 Ensuring synchronous writes Opportunistic file locking File change notification Reexporting all Celerra file systems Disabling access to all file systems on a Data Mover Stopping and starting the CIFS service Stopping the CIFS service Starting the CIFS service Deleting a CIFS server Deleting a CIFS server (Windows 2000/Windows Server 2003) Deleting a CIFS server (Windows NT) Enabling home directories Restrictions Creating the database Enabling home directories on the Data Mover Creating the home directory file Supporting Group Policy Objects Introduction to Microsoft Group Policy Objects GPO support on the Celerra Network Server Supported settings Multiple CIFS servers on a Data Mover Displaying GPO settings Updating GPO settings Disabling GPO support Disabling GPO caching Alternate data stream support ADS support on the Celerra Network Server Disabling ADS support Using SMB signing SMB signing resolution Configuring SMB signing Automatic computer password change Changing the time interval for password changes Creating a file system as a security log Managing Windows domains Domain migration support Operational considerations Troubleshooting server_log error message construct Kerberos error codes NT status codes Error messages Problem Situations Related information Customer training programs Appendix A: Additional home directory information Home directory database format Index of 98

3 Introduction The Celerra Network Server supports the CIFS (Common Internet File Service) protocol, which allows Microsoft Windows clients to access files stored on the Celerra Network Server. After you have configured the Celerra Network Server to support Windows clients on the network, you may need to perform some of the additional configuration and management procedures in this technical module to maintain your Celerra CIFS servers. This technical module is part of the Celerra Network Server information set and is intended for system administrators responsible for managing the Celerra Network Server in their Windows network. Windows and multiprotocol documentation The following technical modules in the Celerra Network Server information set explain how to configure and manage Celerra in a Windows environment and a multiprotocol environment: Configuring CIFS on Celerra: explains how to configure a basic CIFS configuration on the Celerra Network Server using the command line interface (CLI). You can also configure this initial environment using the Celerra Manager. : contains advanced procedures you may need to perform after the initial configuration of CIFS on the Celerra Network Server and instructions for modifying and managing Celerra in a Windows environment. Managing Celerra for a Multiprotocol Environment: contains procedures for configuring and managing Celerra in a mixed environment of UNIX and Windows clients. Terminology These terms are important to understanding the Celerra Network Server in the Windows environment. The Celerra Network Server User Information Glossary provides a complete list of Celerra terminology. ACL (Access Control List): In Windows, a list of access control entries (ACEs) that provide information about the users and groups that are allowed access to an object. Active Directory: An advanced directory service included with Windows 2000 Servers. It stores information about objects on a network and makes this information available to users and network administrators through a protocol such as LDAP. authentication: The process for verifying the identity of a user who is trying to access a resource or object, such as a file or a directory. CIFS (Common Internet File Service): A file-sharing protocol based on the Microsoft Server Message Block (SMB). It allows users to share file systems over the Internet and intranets. The CIFS protocol is primarily used for file sharing by Windows platforms. 3 of 98

4 CIFS Server: A logical server that uses the CIFS protocol to transfer files. A Data Mover can host many instances of a CIFS Server. Each instance is referred to as a CIFS server. CIFS Service: A CIFS server process that runs on the Data Mover and presents shares on a network as well as on Windows-based computers. Data Mover: Celerra Network Server cabinet component running its own operating system that retrieves files from storage devices and makes them available to a network client. Default CIFS Server: The CIFS server that is created when you add a CIFS server and do not specify any interfaces (with the interfaces= option of the server_cifs -add command). The default CIFS server uses all interfaces not assigned to other CIFS servers on the Data Mover. DNS (Domain Name System): A name resolution software that allows users to locate computers and services on a UNIX network or TCP/IP network by name. The DNS server maintains a database of domain names, hostnames and their corresponding IP addresses, and services provided by these hosts. domain: A logical grouping of Microsoft Windows servers and other computers that share common security and user account information. All resources such as computers and users are members of the domain and have an account in the domain that uniquely identifies them. The domain administrator creates one user account for each user in the domain, and the users log in to the domain once. Users do not log in to each individual server. file system: A method of cataloging and managing the files and directories on a storage system. GPO: In Windows 2000 or Windows Server 2003, administrators can use Group Policy Objects to define configuration options for groups of users and computers. Windows Group Policy Objects can control elements such as local, domain, and network security settings. NetBIOS: Network basic input/output system. A network programming interface and protocol developed for IBM personal computers. NetBIOS name: A name that is recognized by WINS, which maps the name to an IP address. share name: The name given to the resource on a file system or the file system itself that was made available from a particular CIFS server to CIFS users. There may be multiple shares with the same name, shared from different CIFS servers. SMB Server Message Block: The underlying protocol used by the Common Internet File System (CIFS) protocol that was enhanced for use on the Internet to request file, print, and communication services from a server over the network. The CIFS protocol uses SMB to provide file access and transfer to many types of network hosts. The SMB protocol is an open, cross-platform protocol for distributed file sharing, and it is supported by all Windows platforms. Virtual Data Mover (VDM): A Celerra software feature that enables users to administratively separate CIFS servers, replicate their CIFS environments, and move CIFS server from Data Mover to Data Mover with ease. 4 of 98

5 Windows 2000/Windows Server 2003 domain: A Microsoft Windows domain controlled and managed by a Microsoft Windows 2000/Windows 2003 server using the Active Directory to manage all system resources and using the DNS for name resolution. Windows NT domain: A Microsoft Windows domain controlled and managed by a Microsoft Windows NT server using a SAM (Storage Area Management) database to manage user and group accounts and a NetBIOS namespace. In a Windows NT domain, there is one primary domain controller (PDC) that has a read/write copy of the SAM, and possibly several backup domain controllers (BDCs) with read-only copies of the SAM. 5 of 98

6 System requirements This section describes the Celerra Network Server software, hardware, network, and storage configurations required for using CIFS as described in this technical module. Table 1 System requirements for CIFS Software Hardware Network Storage Celerra Network Server or later Celerra Network Server Windows 2000, Windows Server 2003, or Windows NT domain. You must configure the domains with the following: Windows 2000 or Windows Server 2003 domains: AD (Active Directory) DNS (Domain Name System) NTP (Network Time Protocol) server Windows NT Domains: WINS (Windows Internet Naming Service) server No specific storage requirements EMC NAS Interoperability Matrix The EMC NAS Interoperability Matrix is available on Powerlink. It contains definitive information on supported software and hardware, such as backup software, Fibre Channel switches, and application support for Celerra networkattached storage (NAS) products. 6 of 98

7 MMC snap-ins and programs for Windows The Celerra Network Server supports a set of Microsoft Management Console (MMC) snap-ins and programs for managing Celerra users and Data Mover security settings from a Windows 2000, Windows Server 2003, or Windows XP computer. Refer to the online Help for a snap-in or program for more information. Celerra UNIX Attributes Migration tool Celerra UNIX Attributes Migration is a tool you can use to migrate existing UNIX users from the Celerra Network Server to the Windows Active Directory. You can select the UNIX attributes (UIDs and GIDs) to add to the Active Directory. To add new users or groups, or to modify existing UNIX attributes, refer to the Celerra UNIX User Management Snap-in and Celerra UNIX Property Page Extensions in Active Directory Users and Computers (ADUC). Celerra UNIX User Management snap-in Celerra UNIX User Management is an MMC snap-in to the Celerra Management Console that you can use to assign, remove, or modify UNIX attributes for a single Windows user or group on the local domain and on remote domains. You also use this snap-in to select the location of the attribute database. This location can either be in a local or a remote domain. You would choose to store the attribute database in the Active Directory of a local domain if: You have only one domain. Trusts are not allowed. You have no need to centralize your UNIX user management information. You would choose a remote domain if: You have multiple domains. Bidirectional trusts between domains that need to access the attribute database already exist. You want to centralize your UNIX user management. Celerra UNIX property page extensions in ADUC Celerra UNIX Users and Groups property pages are extensions to ADUC. You can use these property pages to assign, remove, or modify UNIX attributes for a single Windows user or group on the local domain. You cannot use this feature to manage users or groups on a remote domain. Celerra Data Mover Management snap-in Celerra Data Mover management comprises several MMC snap-ins. You can use these snap-ins to manage virus-checking, home directories, and security settings on Data Movers from a Windows 2000, Windows Server 2003, or Window XP computer. 7 of 98

8 Celerra AntiVirus Management You can use the Celerra AntiVirus Management snap-in to manage the viruschecking parameters (viruschecker.conf file) used with Celerra AntiVirus Agent (CAVA) and third-party antivirus programs. The Celerra AntiVirus Agent and a third-party antivirus program must be installed on the Windows NT, Windows 2000, or Windows Server 2003 server. The Using Celerra AntiVirus Agent technical module provides more details about CAVA. Celerra Home Directory Management snap-in You can use the Celerra Home Directory Management snap-in to associate a username with a directory that then acts as the user s home directory. The home directory feature simplifies the administration of personal shares and the process of connecting to them. Data Mover Security Settings snap-in Celerra Data Mover Security Settings comprises the Audit Policy node and the User Rights Assignment node. Celerra Audit Policy You can use the Celerra Audit Policy node to determine which Data Mover security events are logged in the Security log. You can then view the Security log using the Windows Event Viewer. You can select to log successful attempts, failed attempts, both, or neither. The audit policies that appear in the Audit Policy node are a subset of the policies available as Group Policy Objects (GPOs) in ADUC. Audit policies are local policies and apply only to the selected Data Mover. You cannot use the Audit Policy node to manage GPO audit policies. Celerra User Rights Assignment You can use the Celerra User Rights Assignment node to manage which users and groups have login and task privileges to a Data Mover. The user rights assignments that appear in the User Rights Assignment node are a subset of the user rights assignments available as GPOs in ADUC. User rights assignments are local policies and apply only to the selected Data Mover. You cannot use the User Rights Assignment node to manage GPO policies. Refer to the online Help for a snap-in or program for more information. 8 of 98

9 User interface choices The Celerra Network Server offers flexibility in managing networked storage based on your support environment and interface preferences. This technical module describes how to configure CIFS on a Data Mover using the command line interface (CLI). You can also perform many of these tasks using one of the Celerra management applications: Celerra Manager - Basic Edition Celerra Manager - Advanced Edition Microsoft Management Console (MMC) snap-ins (Windows 2000 and Windows Server 2003 only) Active Directory Users and Computers extensions (Windows 2000 and Windows Server 2003 only) For additional information about managing your Celerra, refer to: Learning about Celerra Celerra Manager Online Help Monitoring Celerra Application s online help system on the Celerra Network Server Documentation CD The Installing Celerra Management Applications technical module includes instructions on launching Celerra Manager, and on installing the MMC snap-ins and the ADUC extensions. 9 of 98

10 Managing Windows roadmap Table 2 lists the tasks to manage Windows as described in this technical module. Table 2 CIFS management Task Display the current CIFS configuration for a Data Mover. Add, delete, enable, and disable a network interface for a CIFS server. Procedure "Checking the current CIFS configuration" on page 11 "Managing network interfaces" on page 12 Manage the DNS server configuration. "Managing DNS on a Data Mover" on page 13 Create and modify the following elements to an existing CIFS configuration: WINS server NetBIOS name to a Windows 2000 or Windows Server 2003 configuration Computer name or NetBIOS name aliases Comments CIFS server password Create CIFS servers and join to a Windows domain with the following configurations: Start and stop the CIFS service on a Data Mover. Delete a CIFS server by deleting the NetBIOS or compname for the server. "Modifying a CIFS configuration" on page 14 "Same namespace without a delegated join" on page 28 "Same namespace and a delegated join" on page 31 "Disjoint namespace without a delegated join" on page 33 "Disjoint namespace and a delegated join" on page 35 "Reexporting all Celerra file systems" on page 41 "Deleting a CIFS server" on page 44 Manage Group Policy Objects. "Supporting Group Policy Objects" on page 52 Manage Multiple Data Stream support. "Alternate data stream support" on page 63 Configure or disable SMB (Server Message Block) signing. Set the time interval at which the Data Mover changes passwords with the domain controller. Generate a file system for use as a security log. Using SMB signing on page 66 "Automatic computer password change" on page 72 "Creating a file system as a security log" on page of 98

11 Checking the current CIFS configuration Use this command to check the current CIFS configuration on a Data Mover. Action To display the CIFS configuration for a Data Mover, use this command syntax: $ server_cifs <movername> Where: <movername> = name of the specified Data Mover Example: To display the CIFS configuration for server_2, type: $ server_cifs server_2 Output If CIFS service is started server_2 : 256 Cifs threads started Security mode = NT Max protocol = NT1 I18N mode = ASCII Home Directory Shares DISABLED Usermapper auto broadcast enabled Usermapper[0] = [ ] state:active (auto discovered) Enabled interfaces: (All interfaces are enabled) Disabled interfaces: (No interface disabled) If CIFS Service is not started $ server_cifs server_2 server_2 : Cifs NOT started Security mode = NT Max protocol = NT1 I18N mode = ASCII Home Directory Shares DISABLED Usermapper auto broadcast enabled Usermapper[0] = [ ] state:active (auto discovered) Enabled interfaces: (All interfaces are enabled) Disabled interfaces: (No interface disabled) 11 of 98

12 Output (if CIFS service is not started) server_2 : Cifs NOT started Security mode = NT Max protocol = NT1 I18N mode = UNICODE Home Directory Shares DISABLED Usermapper[0] = [ ] last access 0 Enabled interfaces: (All interfaces are enabled) Disabled interfaces: (No interface disabled) CIFS Server DPDOVDM1[CIFS] RC=4 Full computer name=dpdovdm1.cifs.eng.fr realm=cifs.eng.fr Active directory usermapper's domain: "not yet located" Comment='EMC-SNAS:T ' if=dpdo:1 l= b= mac=0:0:92:a7:b0:24 FQDN=dpdovdm1.cifs.eng.fr (Updated to DNS) Managing network interfaces The Configuring and Managing Celerra Networking technical module provides information about managing network interfaces. 12 of 98

13 Managing DNS on a Data Mover Within a Windows 2000 and a Windows Server 2003 environment, a DNS configuration on a Data Mover is required to add a computer name and join it to a Windows domain. You can configure an unlimited number of DNS domains per Data Mover, and each domain can have up to three DNS servers. The Configuring Celerra Naming Services technical module provides procedures to configure, start, stop, and manage your DNS servers. 13 of 98

14 Modifying a CIFS configuration After creating the initial CIFS configuration and starting the CIFS service, you may need to add or modify various elements in the CIFS configuration on a Data Mover. Table 3 explains the tasks to modify a CIFS configuration. Table 3 Modifying a CIFS configuration Task Action Procedure 1. Add a WINS server to an existing CIFS server. "Adding a WINS server" on page Rename an existing NetBIOS name. "Renaming a NetBIOS name" on page Create NetBIOS or computer name aliases. 4. Add informational comments to a CIFS server. "Assigning aliases to NetBIOS and computer names" on page 16 "Associating comments with CIFS servers" on page Change the CIFS server password. "Changing the CIFS server password" on page 22 Note: The Configuring CIFS on Celerra technical module explains how to configure additional CIFS servers on a Data Mover. Adding a WINS server The Celerra Network Server registers its NetBIOS name with the WINS (Windows Internet Name Service) server automatically. The WINS server distributes the NetBIOS name to users, and provides the NetBIOS name resolution of users and computers to IP addresses to the Data Mover. The WINS server is not mandatory if name resolution is done through DNS. There is no limit to the number of WINS servers that you can configure for a Data Mover. If you have multiple CIFS configurations (NetBIOS/compname) on a Data Mover, consider using a WINS server per interface rather than per Data Mover. This eliminates the possibility of CIFS clients attempting to resolve unwanted Data Mover NetBIOS names over the WINS server. Note: If you have only one subnet reached by each IP interface, and performance is not an issue, the WINS server is not mandatory. If you have more than one subnet, you must specify a WINS server. You can however, specify more than one WINS server to provide more robust networking capabilities. 14 of 98

15 Use this command to add a WINS server for use by all CIFS servers on a Data Mover. Action To add a WINS server to your CIFS configuration, use this command syntax: $ server_cifs <movername> -add wins=<ip_addr>[,wins=<ip_addr>,...] Where: <movername> = name of the specified Data Mover <ip_addr> = IP address of the WINS server Note: The system processes a list of WINS servers in the order in which you add them in the wins= option, with the first one being the preferred WINS server. For example, if the WINS server times out after 1500 milliseconds, the system uses the next WINS server in the list. Use the wins.timeoutms parameter to configure WINS timeout. Example: To add two WINS servers to server_2, type: $ server_cifs server_2 -add wins= ,wins= Output server_2: done Renaming a NetBIOS name When you change a NetBIOS name, the system does the following: Temporarily suspends NetBIOS availability and disconnects all clients connected to it. Updates the local groups related to the new NetBIOS name. Updates all the shares corresponding to the new NetBIOS name. Maintains the account password between the server and the domain controller. Unregisters the original NetBIOS name, and then registers the new name in all the WINS servers. Retains all aliases associated with the original NetBIOS name. Resumes renamed NetBIOS availability. Note: For Windows 2000 and Windows Server 2003, you cannot rename a NetBIOS name if the CIFS server is joined to a Windows domain. If the CIFS server is joined to a domain, unjoin the server. After performing the rename, join the CIFS server to the domain.!!caution The server_cifs -Join and -Unjoin procedures generate a new computer account for the compname, which results in the computer name losing its original account. 15 of 98

16 Before performing the rename function, you must add the new NetBIOS name to the domain using the Windows NT Server Manager or the Windows 2000 and Windows Server 2003 Users and Computers MMC snap-in. Note: The rename command changes the NetBIOS name of the server but not the compname name of that server. Contact EMC Customer Service for instructions on renaming a compname. Use this command to rename a NetBIOS name in an existing CIFS server. Action To rename a NetBIOS name, use this command syntax: $ server_cifs <movername> -rename -netbios <old_name> <new_name> Where: <movername> = name of the specified Data Mover. <old_name> = current NetBIOS name. <new_name> = new NetBIOS name. NetBIOS names must be unique and limited to 15 characters and cannot begin with (at sign) or - (dash) character. The name also cannot include white space, tab characters, or the following symbols: / \ : ;, = * + [ ]? < > " Example: To rename the NetBIOS name of dm102-cge0 to dm112-cge0 on server_2, type: $ server_cifs server_2 -rename -netbios dm102-cge0 dm112-cge0 Output server_2 : done Assigning aliases to NetBIOS and computer names You can assign aliases to NetBIOS names and computer names. Aliases provide multiple, alternative identities for a given resource. Because aliases act as the secondary names, the aliases share the same set of local groups and shares as the primary NetBIOS name or computer name. A NetBIOS alias registers the alternative name in WINS, not in DNS. If you want the NetBIOS alias to appear in DNS, you must add it to DNS. The client can connect to an alias through the Network Neighborhood, Windows Explorer, or by using the Map Network Drive window. You can add aliases to an existing server or when creating a new server. Naming conventions Based on the Microsoft requirements, aliases must be unique across a domain for WINS registration and broadcast announcements. Aliases must also be unique on the same Data Mover to avoid WINS name conflicts. The alias name is limited to 15 characters. It cannot begin with the at sign (@) or the dash (-), and it cannot include spaces, tabs, and the following characters: / \ : ;, = * + [ ]? < > " 16 of 98

17 For performance reasons, it is recommended that you limit the number of aliases to 10 per CIFS server. Adding an alias to a CIFS server Use this command to assign one or more aliases to a computer name. Action To add an alias to a CIFS server, use this command syntax: $ server_cifs <movername> -add compname=<comp_name>, domain=<full_domain_name>,alias=<alias_name>[,alias=<alias_name2>...] Where: <movername> = name of the specified Data Mover <comp_name> = name of the CIFS server in the named domain <full_domain_name> = the full domain name for the Windows environment; must contain a dot (example: domain.com) <alias_name> = alias for the computer name Example: To declare three aliases for computer name big_comp, type: $ server_cifs server_2 -a compname=winserver1,domain=nasdocs,alias=winserver1-a1, alias=winserver1-a2,alias=winserver-a3 Output server_2 : done Adding a NetBIOS alias to the NetBIOS name Use this command to assign one or more aliases to a NetBIOS name. Action To add a NetBIOS alias to the NetBIOS name, use this command syntax: $ server_cifs <movername> -add netbios=<netbios_name>, domain=<domain_name>,alias=<alias_name>[,alias=<alias_name2>...] Where: <movername> = name of the specified Data Mover <netbios_name> = NetBIOS name for the CIFS server <domain_name> = domain name for the Windows environment <alias_name> = alias for the NetBIOS name Example: To declare three aliases for NetBIOS dm102-cge0, type: $ server_cifs server_2 -a netbios=dm102- cge0,domain=nasdocs,alias=dm102-cge0-a1,dm102-cge0-a2,dm102-cge0-a3 Output server_2: done 17 of 98

18 Deleting a CIFS server alias Use this command to delete one or more aliases assigned to the computer name. Action To delete a compname alias, use this command syntax: $ server_cifs <movername> -delete compname=<comp_name>, alias=<alias_name>[,alias=<alias_name2>,...] Where: <movername> = name of the specified Data Mover <comp_name> = name of the CIFS server <alias_name> = alias for the computer name! CAUTION If you do not specify the alias name in this command, the entire CIFS configuration, as identified by its computer name, is deleted. Example: To delete the dm102-cge0-a1 alias assigned to winserver1, type: $ server_cifs server_2 -delete compname=winserver1,alias=winserver-a1 Output server_2: done Deleting a NetBIOS alias Use this command to delete one or more aliases assigned to a NetBIOS name. Action To delete one or more NetBIOS aliases from a CIFS server, use this command syntax: $ server_cifs <movername> -delete netbios=<netbios_name>, alias=<alias_name>[,alias=<alias_name2>,...] Where: <movername> = name of the specified Data Mover <netbios_name> = NetBIOS name for the CIFS server <alias_name> = alias for the NetBIOS name! CAUTION If you do not specify the alias name in this command, the entire CIFS configuration, as identified by its NetBIOS name, is deleted. Example: To delete the dm102-cge0-a2 alias assigned to dm102-cge0, type: $ server_cifs server_2 -delete netbios=dm102-cge0,alias= dm102-cge0-a2 Output server_2: done 18 of 98

19 Viewing aliases Use this command to view the aliases for a Data Mover. Action To list a server s aliases, use this command syntax: $ server_cifs <movername> Where: <movername> = name of the specified Data Mover Example: To view the aliases for server_2, type: $ server_cifs server_2 Output CIFS Server (Default) dm102-cge0 [C1T1] Alias(es): dm102-cge0-a1,dm102-cge0-a2,dm102-cge0-a3 Full computer name=dm2-cge0.c1t1.pt1.c3lab.nasdocs.emc.com realm=c1t1.pt1.c3lab.nasdocs.emc.com Comment='EMC-SNAS:T ' if=cge0 l= b= mac=0:6:2b:4:0:7f FQDN=dm102-cge0.c1t1.pt1.c3lab.nasdocs.emc.com (Updated to DNS) Associating comments with CIFS servers You can associate a comment, enclosed in quotation marks, with a CIFS server by using the server_cifs -add command. Comments let you add descriptive information to a CIFS server. This section contains information on the following: Adding comments Changing comments Viewing comments Comment restrictions for Windows XP clients 19 of 98

20 Adding comments You can add comments when you initially create the CIFS server or after the CIFS server was created. Add comments with either of the following commands from the Celerra CLI. Action To add comments in a Windows NT environments, use this command syntax: $ server_cifs <movername> -add netbios=<netbios_name>, domain=<domain_name> -comment <comment> To add comments in a Windows 2000 or Windows Server 2003 environment, use this command syntax: $ server_cifs <movername> -add compname=<comp_name>, domain=<full_domain_name> -comment <comment> Where: <movername> = name of the specified Data Mover. <netbios_name> = NetBIOS name for the CIFS server. The NetBIOS name must be unique and limited to 15 characters. It cannot begin (at sign) or - (dash) and it cannot include spaces, tabs, and the following symbols: / \ : ;, = * + [ ]? < > " <comp_name> = a Windows 2000 or Windows Server 2003-compatible CIFS server; can be up to 63 UTF-8 characters. <domain_name> = domain name for the Windows environment. <full_domain_name> = the full domain name for the Windows environment; must contain a dot (example: domain.com). <comment> = your comment. Limited a comment to 48 ASCII characters and enclose in double quotation marks. Currently, international characters are not supported for comments. Restricted Characters: You cannot use double quotation ("), semi-colon (;), accent (`), and comma (,) characters within the body of a comment. Attempting to use these special characters results in an error message. In addition, you can only use an exclamation point (!) if it is preceded by a single quotation mark ( ). Default Comments: If you do not explicitly add a comment, the system adds a default comment of the form EMC-SNAS:T<x.x.x.x> where <x.x.x.x> is the version of the NAS software. Example: To add the comment EMC_Celerra_Network_Server to server_2 in a Windows NT environment, type: $ server_cifs server_2 -add netbios=dm32-ana0,domain=capitals -comment "EMC_Celerra_Network_Server" Changing comments To change a comment, repeat the server_cifs -add command with the new comment. You may notice a delay in the comment change when browsing the domain computers. This delay is caused by the Data Mover broadcasting its name and comment approximately every 12 minutes (except on startup, when it broadcasts five times in the first minute). You cannot currently add or change comments through Server Manager or the Computer Management MMC. You can change comments only through the server_cifs -add command. 20 of 98

21 Clearing comments To clear a comment, issue the server_cifs -add command with a one-space comment as in the following example: $ server_cifs server_2 -add netbios=dm32-ana0,domain=capitals -comment " " Viewing comments You can view a server s comment from the Celerra Network Server CLI. In addition, comments appear in certain parts of various Windows interfaces. Viewing comments from the CLI Example When you view a CIFS server configuration with the server_cifs command from the Celerra Network Server CLI, the comment appears with other information about the CIFS server. The following example shows how to view comments using the server_cifs command. Action To view the configuration information for server_2, type: $ server_cifs server_2 Output server_2 : 32 Cifs threads started Security mode = NT. (material deleted). DOMAIN CAPITALS SID=S c6ab149b-92d87510-a3e900fb-ffffffff >DC=BOSTON( ) ref=2 time=0 ms DC=NEWYORK( ) ref=1 time=0 ms CIFS Server (Default) DM32-ANA0[CAPITALS] (Hidden) Alias(es): CFS32 Comment= EMCCelerraNetworkServer if=ana0 l= b= mac=0:0:d1:1d:b7:25 if=ana1 l= b= mac=0:0:d1:1d:b7:26 Viewing comments from Windows Windows 2000, Windows Server 2003, Windows NT, and Windows XP sometimes use comments in parts of the Windows interface. Comments may appear in the following instances: As the name of mapped network drives in the My Computer or Explorer window (Windows XP only) As the computer name in a domain window Comment restrictions for Windows XP clients When you change a comment, the change is only reflected in certain parts of the Windows XP interface. As the computer name in a domain window, the change is 21 of 98

22 Recommendation immediately reflected to the Windows XP client. However, in the Windows XP Explorer, the names of mapped network drives do not reflect the change. When you first map a network drive on a Windows XP client, the client stores the comment in the local Registry and displays the comment as the name of the mapped drive. The client continues to use the stored comment as the mapped drive name until you manually change the Registry. If you manually change the name of the mapped network drive from Explorer or My Computer, the changed name is stored in another Registry entry and the client uses this name until you change it again from Explorer or in the Registry. Due to the previous Windows XP client restrictions, EMC recommends that you set the comment as part of the initial CIFS server setup. Changing the CIFS server password Use this command to reset the CIFS password and encryption keys. "Automatic computer password change" on page 72 explains how to set the time interval at which the Data Mover changes passwords with the domain controller. Action To reset the CIFS password and encryption keys, use this command syntax: $ server_cifs <movername> -Join compname=<comp_name>, domain=<full_domain_name>,admin=<admin_name> -o resetserverpasswd Where: <movername> = name of the specified Data Mover. <comp_name> = name of the CIFS server. <full_domain_name> = the full domain name for the Windows environment; must contain a dot (example: domain.com). <admin_name> = the login name of the user with administrative rights in the domain. The user is prompted to type a password for the admin account. Example: To reset the CIFS password and encryption keys for server_2, type: $ server_cifs server_2 -Join compname=winserver1, domain=nasdocs.emc.com,admin=compadmin -o resetserverpasswd Output server_2: Enter Password: ****** done 22 of 98

23 Advanced procedures for joining CIFS servers to Windows domains This section outlines the procedures for joining CIFS servers to Windows domains in different configurations. Note: When attempting to resolve computer NetBIOS names in environments with Windows 2000 or Windows Server 2003, the Celerra Network Server may try to resolve the name through a broadcast or by querying the Windows Internet Name Service (WINS) server. Since Windows operating systems limit NetBIOS names to 15 characters, name resolution through broadcast and WINS queries is possible only for computer names that are 15 characters or less. If you specify a NetBIOS name longer than 15 characters, it is truncated. Windows NT servers are automatically joined to a domain when created. Configuration prerequisites The configuration prerequisites pertain to the following procedures: "Disjoint namespace without a delegated join" (steps 1 through 11) "Disjoint namespace and a delegated join" (steps 1 through 14) "Same namespace and a delegated join" (steps 12 through 14) The configuration prerequisites contain the following steps: Steps 1-11 explain how to set domain-level permissions, which are based on the Microsoft Knowledge Base article DNS Registration Errors 5788 and 5789 When DNS Domain and Active Directory Domain Name Differ. Steps show how to create a computer account in the AD domain. To set up domain-level permissions: 1. Start the Active Directory Users and Computers snap-in. 2. In the console tree, right-click Active Directory Users and Computers, and then select Connect To Domain. 3. In the Domain box, type the domain name, or click Browse to find the domain in which you want to enable the computer to use different DNS names, and then click OK. 4. Right-click Active Directory Users and Computers and select View> Advanced Features. 5. Right-click the name of the domain, and then select Properties. 6. Click the Security tab and click Advanced. 7. Click Add and select Self group. 8. On the Object tab in the Apply onto box, select Computer Objects. Under Permissions, select the Validated write to DNS host name and Validated write to service principal name checkboxes. 23 of 98

24 9. On the Properties tab in the Apply onto box, select Computer Objects. 10. Under Permissions, select the Write SPN and Write dnshostname checkboxes. Note: By selecting/clearing the Write dnshostname checkbox, the system automatically selects/clears the Write dnshostname Attributes checkbox and vice versa. 11. Click OK. Note: Steps 1 through 11 are based on the Windows 2000 AD server interface. To create a computer account in the Active Directory: 12. Right-click the container where the computer account is to reside, and then select New > Computer. 13. In the Computer Name box, type the name of the new computer account. Note: You can configure the delegated join operation here. Figure 2 on page 27 provides more details. 14. Click OK. Joining existing computer accounts When you use the server_cifs -Join command to join a CIFS server to a domain, the Celerra Network Server: Searches for an existing account or creates an account for the CIFS server in Active Directory and completes its configuration. Sets several attributes in the computer account, including the dnshostname and serviceprincipalname attributes. If the Windows computer account already exists, the Celerra Network Server checks the serviceprincipalname attribute to see if the computer is already joined to the computer account. If the attribute is not set, the Data Mover joins the new CIFS server to the existing account. If the serviceprincipalname attribute is already set, the Data Mover issues an error and logs a message saying that the account already exists. If the serviceprincipalname attribute is already set, the following error message appears during the domain join: The account already exists This error indicates that the computer account was already joined to a domain by either a Data Mover or another server. If you still want to join the CIFS server to this computer account, you can reuse the account by entering the 24 of 98

25 server_cifs -Join command with the reuse option. Figure 1 illustrates the checks performed when you issue server_cifs -Join. Does the Windows computer account exist? Yes Is "serviceprincipalname" attribute set? Yes Return an error No No Create the computer account Is reuse option specified? Join the CIFS server to the domain No Yes CNS Figure 1 Checks performed when joining a CIFS server to a domain Example The following command reuses an existing, in use, computer account in the Active Directory: $ server_cifs server_2 -Join compname=dm32-ana0, domain=nsgprod.xyzcompany.com,admin=administrator -option reuse Procedure overview If you are using existing computer accounts when configuring Celerra-based CIFS servers, use this procedure to create and join the CIFS server. Step Action 1. From Windows, go to Active Directory Users and Computers and create a new computer with the same comp_name you will use to create the CIFS server in step 2. (Optional) If you are delegating join authority, under the User or Group field, enter or browse for the user or group to whom you want to delegate join authority. The procedure "Delegated join" on page 26 provides more information. Note: The user account must belong to a domain in the same AD forest as the domain the CIFS server is joining. 2. Add the CIFS server to the Data Mover with the server_cifs -add command. Table 18 on page 77 details the syntax to use for the appropriate domain relationship. 3. Join the CIFS server to the domain with the server_cifs -Join command. Table 18 on page 77 details the syntax to use for the appropriate domain relationship. 25 of 98

26 Delegated join As an alternative to performing a CIFS server join by a default user (member of Domain Admins group), where the server_cifs -Join command automatically creates a computer account in the Active Directory, you can do the following: Create computer accounts for CIFS servers in the Windows Active Directory. Delegate authority to perform the join operation to an individual user or group from another domain within the same AD forest. With these options, AD account creation can be separated from the join action. Therefore, a person other than the one who created the account in the AD can join the CIFS server to the domain. Adding the user performing the join to the local administrator s group Each CIFS server contains a set of built-in user groups: Administrators, Users, Guests, Power Names, Account Operators, Backup Operations, and Replicator. The Administrators group contains the users and groups authorized to manage the CIFS server. By default, the Administrator s group contains one entry for the Domain Admins group, which gives each member of the Domain Admins group the authority to manage the CIFS server. If the domain join operation is delegated to a user not in the Local Administrator group, you must add this user to this group for the user to be able to manage the CIFS server. You can do this manually through the MMC, or automatically during the domain join process by first setting the following parameter to 1: cifs djaddadmintolg=1 Delegating join authority When you delegate join authority, the CIFS server can be joined to its domain by any user to whom you give authority. The user does not need specific Windows permissions, but must be in the same AD forest as the CIFS server. 26 of 98

27 You delegate join authority when you create the computer account in the Active Directory as shown in Figure 2. Figure 2 Delegating join authority Parameters for the join procedure The following parameters, if set, are effective during the join operation. The Celerra Network Server Parameters Guide provides detailed information on these parameters. djusekpassword: If set to 0, forces the domain join procedure to set the CIFS server password using the Microsoft RPC protocol. Only do this if you are a delegated user assigned to the domain local group. djaddadmintolg: If set to 1, automatically adds the user performing the domain join procedure to the Local Administrator s group. djenforcedhn: If set to 0, enables the domain join procedure to continue without the dnshostname being set. Note: Use djenforcedhn only as a temporary measure for access rights since the Data Mover authenticates Windows clients using NTLMSSP mode instead of Kerberos. 27 of 98

28 Table 4 shows the domain join parameter values that you must use to perform a delegated join in the same and/or disjoint namespace AD domain. Table 4 Domain join parameter combinations djusekpassword djaddadmintolg djenforcedhn Join delegated to: Domain Admins Group Member (Microsoft default) Domain User Account 1 (default) 0 (default) 1 (default) Domain Global Group Domain Local Group 0 Domains within the forest that do not have the same hierarchical domain name are in a different domain tree. When different domain trees are in a forest, the tree root domains are not contiguous. Disjoint namespace is the phrase used to describe the relationship between different domain trees within the forest. Same namespace without a delegated join Perform the following add and join procedures when: The DNS domain name and the Active Directory domain name are the same. You are using the default user account (member of domain admin group). 28 of 98

29 Creating a CIFS server Use this procedure to create a CIFS server. Action To create the CIFS server for a Windows 2000 or Windows Server 2003 environment on the Data Mover, use this command syntax: $ server_cifs <movername> -add compname=<comp_name>, domain=<full_domain_name>[,hidden={y n}][,netbios=<netbios_name>] [,interface=<if_name>][,dns=<if_suffix>] Where: <movername> = name of the specified Data Mover or VDM. <comp_name> = Windows 2000 or Windows Server 2003-compatible CIFS server. The <comp_name> can be up to 63 UTF-8 characters and represents the name of the server to be registered in DNS. Note: Each <comp_name> within a Celerra Network Server must be unique. A default CIFS server and CIFS servers within a VDM cannot co-exist on the same Data Mover. A default CIFS server is a global CIFS server assigned to all interfaces, and CIFS servers within a VDM require specified interfaces. If a VDM exists on a Data Mover, a default CIFS server cannot be created. <full_domain_name> = Windows domain for the domain name. The <full_domain_name> must contain a dot (example: domain.com or mydomain.). hidden={y n} = By default, the computer name is displayed in Windows Explorer. If hidden=y is specified, the computer name does not appear. <netbios_name> = (Optional) a NetBIOS name used in place of the default NetBIOS name. The default name is assigned automatically and is derived from the first 15 characters of the <comp_name>. You should enter an optional NetBIOS name if the first 15 characters of the <comp_name> do not conform to the NetBIOS naming conventions or if you want something other than the default. <if_name> = interface to be used by the CIFS server being configured. If you add a CIFS server and do not specify any interfaces (with the interfaces= option), this server becomes the default CIFS server and uses all interfaces not assigned to other CIFS servers on the Data Mover. You can have only one default CIFS server per Data Mover. <if_suffix> = different DNS suffix for the interface for DNS updates. By default, the DNS suffix is derived from the domain. This DNS option does not have any impact on the DNS settings of the Data Mover. Example: To create CIFS server dm32-ana0 on server_2, type: $ server_cifs server_2 -add compname=dm32- cge0,domain=universe.com,netbios=eng23b,interface=cge0 29 of 98

30 Output Notes server_2 : done User authentication method for CIFS servers in Windows 2000 or Windows Server 2003 environments must be NT mode. NT mode is the default user authentication method. You can assign only one compname and one NetBIOS name to a CIFS server. If you need to assign multiple compnames or NetBIOS names to a CIFS server, you must create aliases. "Assigning aliases to NetBIOS and computer names" on page 16 provides more information. NetBIOS names are limited to 15 characters and cannot begin with (at sign) or - (dash) character. The name also cannot include white space, tab characters, or the following symbols: / \ : ;, = * + [ ]? < > " Join CIFS server to a Windows domain Use this procedure to join the CIFS server to a domain. Action To join the CIFS server to the Windows domain, use this command syntax: $ server_cifs <movername> -Join compname=<comp_name>, domain=<full_domain_name>,admin=<admin_name@domain_name> Where: <movername> = name of the specified Data Mover or VDM. <comp_name> = name for the CIFS server s account in the Active Directory. The <comp_name> can be up to 63 UTF-8 characters and represents the name of the server to be registered in DNS. If the primary DNS suffix of the CIFS server is different from the Windows domain, the <comp_name> must be a fully-qualified name. For example, if the Windows domain is win.com, the DNS primary suffix is abc.net, and the CIFS server is server1, the command would be server_cifs <movername> -Join compname=server1.abc.net, domain=win.com. <full_domain_name> = the DNS name for the Windows domain. The <full_domain_name> must contain a dot (example: domain.com). <admin_name@<domain_name> = login name and full domain name of a user with sufficient rights to join a server to the domain. If you omit the Data Mover assumes the user belongs to the domain that the CIFS server is joining. The user must be from a domain in the same AD forest. Example: To join the CIFS server dm32-ana0 to the universe.com domain, type: $ server_cifs server_2 -Join compname=dm32-cge0, domain=universe.com,admin=administrator Output server_2 : Enter Password: ******* done Note The user account and user password are used to create the account in the Active Directory, and are not stored after adding the machine account. 30 of 98