Hot Topics

Overview

Hot topics are quick bite-sized learning events on items relating to service and support.

Current hot topics:

If you have an idea or need for a Hot Topic presentation let us know by clicking the Notes tab and leaving a note.


Active Directory: An Introduction

During the Active Directory: An Introduction hot topic presentation, a Quantum-qualified DXi instructor provided an overview of Active Directory, showed how Active Directory interacts with DXi systems and how to set it up, and provided troubleshooting tips.

Download the presentation. If you want to print the presentation, consider choosing the "Print handouts" option, which allows you to print a few slides per page with lines for notes.

The following reference provides instructions for using the "net ads" and "net rpc" commands for troubleshooting Samba issues:

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html

Terminology

Samba: is a free software re-implementation of the SMB/CIFS networking protocol. Samba provides file and print services for various Microsoft Windows clients and can integrate with a Windows Server domain, either as a Primary Domain Controller (PDC) or as a domain member. It can also be part of an Active Directory domain.

Active Directory: is a directory service created by Microsoft. Active Directory (AD) uses a number of standardized protocols to provide a variety of network services.

Features include: AD stores all information and settings for a deployment in a central database. Active Directory allows administrators to assign policies and to deploy and update software. Active Directory networks can vary from a small installation with a few computers, users and printers to tens of thousands of users, many different network domains and large server farms spanning many geographical locations.


LDAP: The Lightweight Directory Access Protocol is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate electronic mail directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.


Workgroup: A workgroup is a collection of computers on a local area network (LAN) that share common resources and responsibilities. Workgroups provide easy sharing of files, printers and other network resources. Being a peer-to-peer (P2P) network design, each workgroup computer may both share and access resources if configured to do so.


Kerberos: a computer network authentication protocol which works on the basis of "tickets" to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed primarily at a client–server model, and it provides mutual authentication: both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks. Kerberos builds on symmetric-key cryptography and requires a trusted third party (the Key Distribution Center); it may optionally use public-key (asymmetric) cryptography during certain phases of authentication. Kerberos uses port 88 by default.

klist: displays the entries in the local credentials cache and key table (keytab). After the user has modified the credentials cache with kinit or modified the keytab with ktab, the only way to verify the changes is to view the contents of the credentials cache and/or keytab using klist. klist does not change the Kerberos database.

kinit: kinit is used to obtain and cache Kerberos ticket-granting tickets. This tool is similar in functionality to the kinit tools commonly found in other Kerberos implementations, such as SEAM and MIT Reference implementations. The user must be registered as a principal with the Key Distribution Center (KDC) prior to running kinit.


CIFS: The Common Internet File System (CIFS), also known as Server Message Block (SMB), is a network protocol whose most common use is sharing files on a Local Area Network (LAN). The protocol allows a client to manipulate files just as if they were on the local computer. Operations such as read, write, create, delete, and rename are all supported – the only difference being that the files are not on the local computer and are actually on a remote server. The CIFS protocol is most commonly used with Microsoft operating systems.

Domains and Sites: Many people think that a domain is a geographical concept and that machines in a domain are always local. This is not true. There is another AD concept for this instead: the site. It is fairly common to see domains spanning different sites.

Domain Controllers and Authentication
A domain controller is involved in authentication operations (logging in, joining a domain). Authentication is always carried out through a domain controller. Either a domain controller is directly specified, or the machine trying to authenticate will look for a suitable domain controller. This is done by querying specific DNS records called SRV records.

When setting up which DNS server the DXi is using, it is important to point to a DNS server that knows about these SRV records. The easiest option is to use a domain controller as the DNS server if possible, because typically at least some domain controllers are also set up as DNS servers.
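As an added example (not part of the presentation or of the DXi tooling), the Python below parses the output of a `host -t SRV` query against the record a domain member uses to locate domain controllers, orders the DCs the way a member would pick them, and reports when the queried DNS server does not know the SRV records at all. The domain, host names and output lines are constructed; the `_ldap._tcp.dc._msdcs.` name is the standard AD locator record.

```python
import re

# Constructed sample of `host -t SRV` output for the DC locator record of the
# placeholder domain used on this page (abc.def.xyz); not a real deployment.
SAMPLE_OK = """\
_ldap._tcp.dc._msdcs.abc.def.xyz has SRV record 0 100 389 dc1.abc.def.xyz.
_ldap._tcp.dc._msdcs.abc.def.xyz has SRV record 10 100 389 dc2.abc.def.xyz.
_ldap._tcp.dc._msdcs.abc.def.xyz has SRV record 0 50 389 dc3.abc.def.xyz.
"""

# Constructed output from a DNS server that does not carry the AD SRV records,
# e.g. a public resolver the DXi was pointed at by mistake.
SAMPLE_MISSING = "Host _ldap._tcp.dc._msdcs.abc.def.xyz not found: 3(NXDOMAIN)\n"

SRV_RE = re.compile(
    r"^(?P<name>\S+) has SRV record (?P<prio>\d+) (?P<weight>\d+) "
    r"(?P<port>\d+) (?P<target>\S+?)\.?$"
)


def srv_name(domain):
    """DNS name a member queries to find DCs for an AD domain (RFC 2782 style)."""
    return "_ldap._tcp.dc._msdcs." + domain.lower().rstrip(".")


def parse_srv(host_output):
    """Parse `host -t SRV` output into (priority, weight, port, target) tuples."""
    records = []
    for line in host_output.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            records.append((int(m["prio"]), int(m["weight"]), int(m["port"]), m["target"]))
    return records


def order_dcs(records):
    """Selection order: lowest priority first, heavier weight preferred within a
    priority (deterministic tie-break instead of the RFC's weighted random pick)."""
    return [t for _, _, _, t in sorted(records, key=lambda r: (r[0], -r[1], r[3]))]


def diagnose(domain, host_output):
    """Explain whether DC discovery via this DNS server would succeed."""
    recs = parse_srv(host_output)
    if not recs:
        return ("no SRV records for %s: the DNS server the DXi points at does not know "
                "the AD records; use a DC as DNS server or give the DC IP explicitly"
                % srv_name(domain))
    return "DCs in preference order: " + ", ".join(order_dcs(recs))
```

Run the real query with `host -t SRV _ldap._tcp.dc._msdcs.<domain> <dns_server_ip>` on the DXi and feed its output to `diagnose` to see which DC the box would talk to first.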

Troubleshooting which DCs we are talking to


Active Directory: Behind the Scenes

During the Active Directory: Behind the Scenes presentation, a Quantum-qualified DXi instructor shows you how to use the individual commands and the steps for working with Active Directory, all from the DXi CLI. It gives you a good idea what is happening behind the scenes.

Download the presentation. If you want to print the presentation, consider choosing the "Print handouts" option, which allows you to print a few slides per page with lines for notes.  

SANtricity: An Introduction

During the SANtricity: An Introduction hot topic presentation, a Quantum-qualified DXi instructor provided an overview of SANtricity. You will learn how SANtricity can help you with your day-to-day job and how to connect to SANtricity using either VNC or Xming. You will also learn how to use several SMcli commands, manage storage arrays, and use the SANtricity tools such as MEL and Recovery Guru.

Download the presentation. If you want to print the presentation, consider choosing the "Print handouts" option, which allows you to print a few slides per page with lines for notes.  

Download a copy of the Accessing SANtricity job aid for future reference.

Download a copy of the LSI SMcli: Basic Commands job aid for future reference.

Notes

The formatting got screwed up pretty bad there, so here's a link to the original content.

http://10.105.12.112/mediawiki/index.php?title=DXi:HowTo

Note by Keith Hatton on 03/01/2011 04:35 AM

Here's a few of my notes I added to our wiki; they have been used successfully by customers on numerous occasions, and they might be a help for you with this topic.

This doesn't mean I'm any sort of expert on AD though!!!

Join AD, (Active Directory) all flavours of DXi

(Not tested on 2.0 but should still work.)

For the benefit of everyone, I will summarize the procedure to delegate the right to join a domain to a regular domain user before he can join the DXi to the domain successfully.

Here is a summary of what to do when we want to join the ADS domain, say abc.def.xyz.com using a credential of a regular domain user, say, user1.


Typical error would be:

Failed to set servicePrincipalNames. Please ensure that the DNS domain of this server matches the AD domain. Or rejoin with using Domain Admin credentials. Using short domain name -- CLD1 Disabled account for 'DX1' in realm 'CLD1.TLD.INT' status = 65280, cmdstatus = 65280


A. Work to do on the Windows 2003 MMC: You need to be a domain admin to set up the following:

1. Delegate the right to join the domain:
   - Right-click on the domain name abc.def.xyz
   - Choose "Delegate Control" and follow the instructions therein for user1.

2. Delegate the right to read/write dNSHostName and servicePrincipalName:
   - Right-click on the Organizational Unit "Computers" (or the appropriate name, which contains the individual computers that belong to the domain)
   - Choose menu: Delegate Control
   - Next | Add | Type in username: user1 | OK
   - Next | Create a custom task to delegate
   - Next | Only the following objects in the folder:
   - Check the box: Computer objects
   - Check the box: Create selected objects in this folder
   - Next | Check box: Property-specific
   - Scroll down the list and check the boxes for:

     Read dNSHostName
     Write dNSHostName
     Read servicePrincipalName
     Write servicePrincipalName

   - Next | Finish

B. Work to do on the DXi GUI

1. Network page:

   Note on the last two edit boxes:
   - Domain name:
     This is the DNS domain name. Normally, this DNS domain name is identical to the ADS domain name, so you can enter abc.def.xyz. But note that the DNS domain name can be different from the ADS domain name.

   - Domain name server IP address:
     Enter the IP address of the domain name server that can resolve the domain name abc.def.xyz that you are trying to join.

2. Windows Domain page:

       Domain type:   Active Directory
       Domain name:   abc.def.xyz
            Note: Must use the FQDN for the domain; character case is irrelevant.
       Primary Domain Controller:
           - Preferred option if DNS is working:  Use DNS discovery
           - If DNS is not working well or if you can't ping abc.def.xyz, then use the IP address explicitly.
             Usually, if you cannot ping the domain name abc.def.xyz, you may not join successfully.
             However, you may be able to join if you can resolve abc.def.xyz using the command (on the DXi):
                  # host abc.def.xyz ip_address_of_DNS_as_specified_at_bottom_of_network_page
       Organizational Unit:
           - This is optional. There's usually a default organizational unit such as "Computers". If you want to join an organizational unit that is different from the default, then enter the name of that organizational unit as seen in MMC.

       Administrator Name: user1
       Password: <enter password>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DXi 6500 (Prior to 2.0)

Unjoin the AD domain

How to force an unjoin from an Active Directory domain when it fails. Be sure to have NTP correctly configured and in use.

# rm -rf /snfs/common/galaxy-config/nas/node1/.cifs_configured
# nastool --unconfigure cifs
# service smb restart
Then go to the WebGUI and reconfigure it. The previous config should be gone.