
Netwell

Netwell NetApp.

NETAPP TECHNICAL REPORT

NetApp
Microsoft Windows
Reena Gupta, NetApp
Bingxue Cai, NetApp
April 2011 | TR-3367

NetApp
Microsoft Windows Common Internet File
System (CIFS). ,
Microsoft Windows, , Microsoft Windows
NetApp. Starting with Data ONTAP 7.3.1,
NetApp supports SMB 2.0.


1
2
3
4 NetApp MS Windows
5 SMB 2.0
6 Active Directory
6.1
6.2
6.3 Active Directory
6.4 SMB Signing
6.5 LDAP Signing and Sealing
6.6 Sparse File
7
7.1 Kerberos
7.2 Windows NT LAN Manager
7.3 Minimum Session Security NTLM
8 Active Directory
9
10 MS Windows
10.1 MMC
10.2 Active Directory MMC
    (Roaming Profiles)
10.3
    (GPO)
    GPO
    GPO File System Security
    (Restricted Group Security)
    (Event Log) (Audit Policy Mapping)
    (User Rights Assignment)
10.4 Windows DFS Manager
10.5 Widelink
11 Microsoft Windows
11.1 CIFS Share
    Access-Based Enumeration (ABE)
11.2 Shadow Copies (Volume Shadow Copy Service Client)
11.3 IntelliMirror
    Offline Folders
    My Documents
11.4
    Live View: Event Log
    Event Log
12
13 CIFS
14
15
16
16.1 NetApp
16.2 Microsoft

1
NetApp
Microsoft Windows, Common Internet File System (CIFS).
, Microsoft Windows,
, Microsoft, Active
Directory, IntelliMirror, Volume Shadow Copy, Access-Based Enumeration,
, , Distributed File System (DFS), (File
Screening), .
, NetApp
Microsoft Windows. :

mixed-mode and native-mode Active Directory



Windows, Microsoft Management Console
Active Directory Users and Computers,
Windows NetApp
Data ONTAP ,
NTLMv2, Server Message Block (SMB) signing, LDAP signing, file
screening
Data ONTAP Windows,
Windows
Data ONTAP

For more on configuring NetApp storage for
Windows, see the Data ONTAP File Access and Protocol Management Guide on the
NetApp Support site (NOW), http://now.netapp.com.
Windows, Data ONTAP 8.0 7-Mode; Data ONTAP GX and Data ONTAP 8.0 C-Mode. For the supported Windows OS versions, see the
Windows File Service Compatibility Matrix on NetApp Support.
For Microsoft documentation,
see www.microsoft.com.

2
,
:

Microsoft Windows 2000 Server, Windows Server 2003 (R2), Windows Server 2008 (R2),
Windows Vista, Windows XP.

For more on NetApp storage, see the
Data ONTAP administration guides at http://now.netapp.com.

3
NetApp , OS
NetApp Data ONTAP. OS Data ONTAP
,
WAFL (Write Anywhere File Layout).
NetApp Microsoft Windows,
(NAS), (SAN),
, . Windows,
NetApp - Microsoft Windows

Windows, , .
NetApp storage implements Microsoft CIFS/SMB, the Lightweight Directory Access Protocol (LDAP) and
Kerberos.

4 NetApp
MS Windows
CIFS Data ONTAP. ,
Windows 2000, Windows XP, Windows 2003, Windows Vista, Windows 2008
Windows 7 -
, NetApp.
Figure 1 shows NetApp storage in a Windows environment.

Figure 1) Windows and NetApp storage.
Writes are protected by WAFL and
nonvolatile random access memory (NVRAM).

NetApp Snapshot copies are based on WAFL consistency points and are taken without
interrupting service. Users can recover previous versions of their own files through
the Microsoft Shadow Copy client in Windows Explorer.
NetApp SnapRestore restores a whole volume or a single file from a Snapshot copy
quickly, regardless of its size.

5 SMB 2.0
Starting with Data ONTAP 7.3.1, NetApp supports SMB 2.0, the successor to
CIFS, which removes many limitations of
CIFS/SMB. Its main features include:

Compounded Operations
Durable Handles
Credits (flow control)
Large reads and writes (64K)
SMB Signing

, CIFS/SMB, SMB 2.0 :



(QoS)

Session ID TreeID
UID FID
Asynchronous Messages
Durable Handles

SMB Signing SHA256


(64KB)

WAN



128K
tree connections TCP-
CIFS


Table 1) SMB 2.0 compared with CIFS/SMB.
SMB 2.0 in Data ONTAP 7.3.1 is controlled by the option
cifs.smb2.enable.
For more on SMB 2.0 in Data ONTAP, see TR-3740: SMB
2.0 - Next-Generation CIFS Protocol in Data ONTAP.

6 Active Directory
Microsoft Active Directory
. Active Directory , ,
Windows, .
Active Directory
(AD DS). , Windows Server,
.
,
, .
( ,
, ). Active
Directory : .

,
.

Windows Server,
.
.


NetApp storage supports the following Active Directory domain and forest functional levels
and domain controllers:

Functional level          Supported domain controllers
Windows 2000 mixed        Windows NT 4.0, Windows 2000
Windows 2000 native       Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008R2
Windows Server 2003       Windows Server 2003, Windows Server 2008, Windows Server 2008R2
Windows Server 2008       Windows Server 2008, Windows Server 2008R2
Windows Server 2008R2     Windows Server 2008R2

:
Microsoft.
NetApp ,
,
.

6.1
To join a Windows Active Directory domain, NetApp storage relies on the Domain Name Service (DNS)
to locate the domain's services. Active Directory depends on DNS not only for name-to-IP-address
resolution: DNS also holds the Active Directory service location resource records (SRV, RFC
2782). Through DNS queries, Data ONTAP uses these
SRV records to find the DC, KDC, LDAP and KPASSWD services
of the AD domain.
Note: the DNS server need not be Microsoft's, but it must support
dynamic updates (RFC 2136) and SRV records.
Starting with Data ONTAP 7.1.x, the dns.update.enable option controls
Dynamic DNS registration of the storage system.
The DNS server can be a Windows DNS server or another product, such as
Berkeley Internet Name Domain (BIND), provided it supports
SRV records and dynamic DNS.

6.2
In a Microsoft Windows Active Directory domain, NetApp storage, like a
Windows server, must locate the domain
controllers (DC) and the LDAP, KDC and KPASSWD services. The Data ONTAP OS discovers them
and keeps a list of LDAP servers and domain controllers:

The list can be rebuilt on demand with cifs resetdc
and is rediscovered periodically (every 4 hours).

In Active Directory, site membership is taken into account so that
domain controllers in the storage system's own site are preferred
(a site groups well-connected subnets).

Data ONTAP chooses an LDAP server or domain controller in the following order (Figure 2):
1. The server used most recently (last connection).
2. By preference class:
   Preferred: domain controllers configured with cifs prefdc.
   Favored: Active Directory domain controllers in the same site as the storage system.
   Other: Active Directory domain controllers in other sites.
3. Domain controllers found through SRV records in DNS.
Note: site membership exists only in Active Directory; in a Windows NT 4 domain or a
mixed-mode domain, NetApp storage treats Windows NT 4 domain controllers as
Favored and all remaining controllers as Other.

When NetApp storage is not in Active Directory but in Windows NT 4 mode with Windows NT 4.0 domain
controllers, it locates them through the Windows Internet Naming Service (WINS) and NetBIOS
b-node broadcasts. Windows NT 4 mode therefore requires:

Windows Internet Naming Service.

(Windows Internet Naming Service resolves NetBIOS names
to IP addresses.)
Authentication with the Windows NT LAN Manager authentication protocol.

When NetApp storage is joined to Active Directory, it requires:

A domain controller running the Kerberos key
distribution center (DC/KDC).
CIFS/SMB over TCP port 445.
Windows Internet Naming Service (for NetBIOS name resolution).

Figure 2) Domain controller selection order.
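The service-location lookup of 6.1 and the selection order of 6.2, as an added example. This is illustrative code written for this page, not Data ONTAP's implementation: the SRV records, the site name "HQ", the host names and the preferred-DC set are constructed, and nothing is queried from DNS. It goes slightly beyond the text by implementing the full RFC 2782 priority/weight selection rather than a single lookup.

```python
# Added example, not Data ONTAP's code: how a client locates Active Directory services
# through SRV records (6.1, RFC 2782) and orders domain controllers the way 6.2
# describes. The SRV records, site name and preferred-DC list below are constructed;
# nothing is queried from DNS.
import random
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


def ad_srv_names(domain: str, site: Optional[str] = None) -> Dict[str, str]:
    """Owner names Active Directory registers (and Data ONTAP looks up) for a domain."""
    names = {
        "dc": f"_ldap._tcp.dc._msdcs.{domain}",
        "kdc": f"_kerberos._tcp.dc._msdcs.{domain}",
        "ldap": f"_ldap._tcp.{domain}",
        "kpasswd": f"_kpasswd._tcp.{domain}",
    }
    if site:  # site-scoped record: the DCs that count as "favored" for this site
        names["dc_site"] = f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
    return names


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


def rfc2782_order(records: Iterable[Srv], rng: Optional[random.Random] = None) -> List[Srv]:
    """RFC 2782 selection: lowest priority first; within a priority, weighted random
    choice, with weight-0 records placed first so they are picked only when nothing else is."""
    rng = rng or random.Random(0)
    records = list(records)
    ordered: List[Srv] = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight != 0)
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            acc = 0
            for r in pool:
                acc += r.weight
                if acc >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


PREFERRED, FAVORED, OTHER = 0, 1, 2


def classify(target: str, prefdc: Set[str], same_site: Set[str]) -> int:
    """Preferred (cifs prefdc), favored (same site) or other, as in 6.2."""
    if target in prefdc:
        return PREFERRED
    if target in same_site:
        return FAVORED
    return OTHER


def dc_order(records, prefdc, same_site, last_connection=None, rng=None) -> List[str]:
    """Order of attempts: last successful connection, then preferred, favored, other;
    ties inside a class keep the RFC 2782 order that DNS produced."""
    ranked = sorted(rfc2782_order(records, rng),
                    key=lambda r: classify(r.target, prefdc, same_site))
    names = [r.target for r in ranked]
    if last_connection in names:
        names.remove(last_connection)
        names.insert(0, last_connection)
    return names


# Constructed sample: two DCs at priority 0 in the HQ site, one lower-priority branch DC.
SAMPLE_SRV = [
    Srv(0, 100, 389, "dc1.corp.example"),
    Srv(0, 100, 389, "dc2.corp.example"),
    Srv(10, 0, 389, "dc3.branch.example"),
]

if __name__ == "__main__":
    print(ad_srv_names("corp.example", "HQ"))
    print(dc_order(SAMPLE_SRV, {"dc2.corp.example"}, {"dc1.corp.example"}))
```

A branch DC with a higher priority value is tried last however it is weighted, and a DC named with cifs prefdc jumps ahead of the same-site ones; the last-connection rule then overrides both, which is why a stale entry in that cache keeps pointing the storage system at a DC that was fine yesterday.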

6.3 Active Directory


Active Directory sites group computers that are well connected, typically on one LAN.
Domain controllers reached across a WAN respond more slowly
than those on the local LAN.
NetApp storage is site-aware in Active Directory:
it determines the site it belongs to and prefers domain controllers
in that site. When NetApp storage is joined to Active Directory, it records its site.
To display the domain controllers and site known to the NetApp storage system,
use cifs domaininfo.

6.4 SMB Signing

Data ONTAP supports Server Message Block (SMB) signing, which protects
SMB packets against modification in transit. SMB signing prevents
an attacker from altering or injecting packets in an established session,
the 'man in the middle' attack. When the Microsoft policy
Digitally sign communications (if client
agrees) is set, signing is used whenever the client supports it; with Digitally sign
communications (always), unsigned sessions are refused. On NetApp storage, SMB signing
is enabled with the option
cifs.signing.enable on.
Windows clients configured to require SMB signing cannot connect to a CIFS server
that does not sign. With SMB signing on, the CIFS server and the Windows clients
sign and verify every packet (a cryptographic hash computed over
each packet, on the client and in the Data
ONTAP OS), which costs CPU on both sides
and reduces throughput. Weigh the security benefit of SMB signing
against this cost.
The SMB signing implemented by Windows also carries sequence numbers,
so a signed session detects replayed packets; enable SMB signing
where replay attacks are a concern.
Note: SMB signing for SMB 2.0 is required with
cifs.smb2.signing.required on.
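What the SMB 2.0 signature actually covers, as an added example (not Data ONTAP's or Microsoft's code): an SMB2 header is built, signed with HMAC-SHA256 keyed by the session key and truncated to 16 bytes, then verified after a byte of the body and the MessageId are tampered with. The 16-byte session key, the command number and the body are constructed for the example; the header layout follows the SMB2 header (Signature at offset 48, Flags at 16, MessageId at 24).

```python
# Added example of SMB 2.0 message signing (HMAC-SHA256, first 16 bytes of the MAC),
# to show what cifs.smb2.signing.required enforces. Illustrative code, not Data
# ONTAP's implementation; the session key and messages are constructed here.
import hashlib
import hmac
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_FLAGS_SIGNED = 0x00000008
FLAGS_OFFSET, MESSAGE_ID_OFFSET = 16, 24
SIG_OFFSET, SIG_LEN = 48, 16          # Signature field occupies header bytes 48..63
HEADER_LEN = 64


def smb2_header(command: int, message_id: int, session_id: int, tree_id: int = 1, flags: int = 0) -> bytes:
    """Build a 64-byte SMB2 header with a zeroed Signature field."""
    return struct.pack("<4sHHIHHIIQIIQ16s",
                       SMB2_MAGIC, HEADER_LEN, 0, 0, command, 0, flags, 0,
                       message_id, 0, tree_id, session_id, b"\0" * SIG_LEN)


def _mac(session_key: bytes, message: bytes) -> bytes:
    msg = bytearray(message)
    msg[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = b"\0" * SIG_LEN   # MAC is computed with Signature zeroed
    return hmac.new(session_key, bytes(msg), hashlib.sha256).digest()[:SIG_LEN]


def sign(session_key: bytes, message: bytes) -> bytes:
    """Set SMB2_FLAGS_SIGNED and store the truncated HMAC in the Signature field."""
    msg = bytearray(message)
    flags = struct.unpack_from("<I", msg, FLAGS_OFFSET)[0] | SMB2_FLAGS_SIGNED
    struct.pack_into("<I", msg, FLAGS_OFFSET, flags)
    msg[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = _mac(session_key, bytes(msg))
    return bytes(msg)


def verify(session_key: bytes, message: bytes, require_signing: bool = True) -> bool:
    """Receiver side. With require_signing (cifs.smb2.signing.required on) an unsigned
    message is rejected outright; otherwise unsigned messages are accepted as-is."""
    flags = struct.unpack_from("<I", message, FLAGS_OFFSET)[0]
    if not flags & SMB2_FLAGS_SIGNED:
        return not require_signing
    received = message[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    return hmac.compare_digest(received, _mac(session_key, message))


def tamper(message: bytes, offset: int) -> bytes:
    """Flip one byte, as a 'man in the middle' altering the message in transit would."""
    msg = bytearray(message)
    msg[offset] ^= 0xFF
    return bytes(msg)


def demo() -> dict:
    key = hashlib.sha256(b"constructed-session-key").digest()[:16]   # assumed 16-byte session key
    body = b"\x21\x00" + b"\x00" * 30                                # constructed request body
    signed = sign(key, smb2_header(command=3, message_id=7, session_id=0x1122) + body)
    unsigned = smb2_header(3, 8, 0x1122) + body
    return {
        "genuine": verify(key, signed),
        "payload_modified": verify(key, tamper(signed, HEADER_LEN + 5)),
        "message_id_modified": verify(key, tamper(signed, MESSAGE_ID_OFFSET)),
        "unsigned_rejected": verify(key, unsigned, require_signing=True),
        "unsigned_allowed": verify(key, unsigned, require_signing=False),
    }


if __name__ == "__main__":
    print(demo())
```

Because the MessageId is under the MAC, a captured request cannot be replayed under a different sequence number, and because the flag bit is also covered, an attacker cannot simply clear SMB2_FLAGS_SIGNED on a signed message; what signing cannot do is stop a downgrade on a server that does not require it, which is the case cifs.smb2.signing.required closes.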

6.5 LDAP Signing and Sealing


Signing of Lightweight Directory Access Protocol (LDAP) traffic protects it against
tampering in transit; sealing encrypts
the LDAP traffic.

Starting with Data ONTAP 7.0.1, LDAP signing and sealing are supported
on NetApp storage.

6.6 Sparse File


A sparse file is a file in which regions that were never written
occupy no storage.
Sparse files let applications create large files quickly without
allocating space for every block.
When a sparse file is read, the unallocated regions return zeros,
so no stale data from previously used blocks is exposed, as required by the C2
security requirement specification. Starting with Data ONTAP 7.3, NTFS sparse files are supported
on NetApp storage.

7
NetApp storage can operate in Windows workgroup mode or in
Windows domain mode. Workgroup mode authenticates users against the storage system's local
Windows accounts. Domain mode authenticates users against the domain,
and supports two security models:

Basic security: Windows NT LAN Manager (NTLM) and NTLMv2

Extended security: Windows 2000 Kerberos

The model used depends on the Windows client and domain.
Windows 2000 and later clients in an Active Directory domain authenticate with Kerberos; a Windows 2000
client outside Active Directory uses NTLM. Windows NT 4.0, Windows NT 3.x and
Windows 95/98 always use NTLM-based authentication.
Data ONTAP supports both NTLM and Kerberos,
so it can serve Active Directory domains as well as
older domains and clients.

7.1 Kerberos
Kerberos requires a Kerberos Key Distribution Center (KDC) service,
which Active Directory provides. Unlike NTLM, where the server must contact a domain controller
for every authentication, Kerberos lets the client obtain tickets from the
KDC and present them to the server, which validates them itself (session
credentials).
With Kerberos, a Windows 2000 or later client first obtains a TGT (Ticket Granting Ticket) from the KDC
at logon. The Kerberos SSP exchanges KRB_AS_REQ and KRB_AS_REP with the KDC
to get the TGT, then uses the TGT to request service tickets for
the storage system. The exchange is shown in Figure
3.
For more on Kerberos see TR-3457: Unified Windows and UNIX
Authentication Using Microsoft Active Directory Kerberos.

Figure 3) Kerberos authentication.

7.2 Windows NT LAN Manager


NTLM is supported by NetApp storage with
Windows NT 4.0, Windows 2000, Windows 2003, Windows 2008 and Windows 2008R2
domain controllers. NTLM is a challenge/response protocol: the server sends the client a
challenge, the client returns a response derived from the challenge and its password hash, and the
domain controller verifies the response against the hash stored in its Security Account Manager
database. The password itself never crosses the network. Because NTLM
is pass-through authentication, the storage system forwards each
challenge and response to a domain controller, which
returns the verdict to the storage system. The exchange is shown in Figure 4.

Figure 4) NT LAN Manager (NTLM) authentication.

7.3 Minimum Session Security NTLM


NTLM can be restricted to its stronger variants, limiting which
authentication protocols the storage system accepts.
The minimum challenge/response security is set with
options cifs.LMCompatibilityLevel <level>:

Level 1: LM, NTLM, NTLMv2 session security, NTLMv2, Kerberos (default)
Level 2: NTLM, NTLMv2 session security, NTLMv2, Kerberos
Level 3: NTLMv2 session security, NTLMv2, Kerberos
Level 4: NTLMv2, Kerberos
Level 5: Kerberos
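The NTLMv2 computation behind 7.2 and the cifs.LMCompatibilityLevel policy of 7.3, as an added example written for this page (not Data ONTAP's or Microsoft's code), following MS-NLMP. MD4 is implemented inline because many OpenSSL builds no longer ship it. The user "User", domain "Domain" and password "Password" are the MS-NLMP test-vector values; the server and client challenges, the computer name "Server" and the zero timestamp are constructed. The verifier side shows why the NT hash must be guarded like the password: it is all the domain controller needs.

```python
# Added example, not Data ONTAP's code: the NTLMv2 challenge/response of 7.2 and the
# cifs.LMCompatibilityLevel policy of 7.3, following MS-NLMP. MD4 is implemented
# inline because many OpenSSL builds no longer ship it. User/domain/password are the
# MS-NLMP test-vector values; the challenges and computer name are constructed.
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320); NTOWFv1 is MD4 over the UTF-16LE password."""
    M = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        start = (a, b, c, d)
        for i in range(16):   # round 1
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & M, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):   # round 2
            a, b, c, d = d, rotl((a + G(b, c, d) + X[(i % 4) * 4 + i // 4] + 0x5A827999) & M,
                                 (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):   # round 3
            a, b, c, d = d, rotl((a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & M, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = [(x + y) & M for x, y in zip((a, b, c, d), start)]
    return struct.pack("<4I", a, b, c, d)


def ntowf_v1(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """HMAC-MD5 keyed with the NT hash over UPPER(user) + domain (domain keeps its case)."""
    return hmac.new(ntowf_v1(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def av_pairs(domain: str, server: str) -> bytes:
    """Target info from the CHALLENGE message: NbDomainName (2), NbComputerName (1), EOL (0)."""
    out = b""
    for av_id, value in ((2, domain), (1, server)):
        v = value.encode("utf-16-le")
        out += struct.pack("<HH", av_id, len(v)) + v
    return out + struct.pack("<HH", 0, 0)


def ntlmv2_response(key_v2: bytes, server_challenge: bytes, client_challenge: bytes,
                    timestamp: int, target_info: bytes) -> bytes:
    """Client side: NTProofStr || temp, NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp)."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(key_v2, server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def server_verify(stored_nt_hash: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """Verifier side (the DC in pass-through authentication): only the stored NT hash is
    needed, never the password itself."""
    proof, temp = response[:16], response[16:]
    key_v2 = hmac.new(stored_nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    expected = hmac.new(key_v2, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


# What each cifs.LMCompatibilityLevel accepts, from the list in 7.3.
LEVEL_ACCEPTS = {
    1: {"LM", "NTLM", "NTLMv2 session security", "NTLMv2", "Kerberos"},
    2: {"NTLM", "NTLMv2 session security", "NTLMv2", "Kerberos"},
    3: {"NTLMv2 session security", "NTLMv2", "Kerberos"},
    4: {"NTLMv2", "Kerberos"},
    5: {"Kerberos"},
}


def accepted(level: int, method: str) -> bool:
    return method in LEVEL_ACCEPTS[level]


SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")   # constructed
CLIENT_CHALLENGE = bytes.fromhex("aaaaaaaaaaaaaaaa")   # constructed


def demo() -> bool:
    key_v2 = ntowf_v2("Password", "User", "Domain")
    resp = ntlmv2_response(key_v2, SERVER_CHALLENGE, CLIENT_CHALLENGE, 0, av_pairs("Domain", "Server"))
    return server_verify(ntowf_v1("Password"), "User", "Domain", SERVER_CHALLENGE, resp)


if __name__ == "__main__":
    print(ntowf_v1("Password").hex(), demo(), accepted(3, "NTLM"))
```

Note what the NTLMv2 response binds: the server challenge, a client challenge and the target info, which is why it resists the precomputed-table attacks that break LM and NTLMv1 responses, and why a storage system left at level 1 or 2 still accepts those weaker responses from any client that offers them.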

8 Active Directory
Before joining NetApp storage to a Microsoft Active Directory domain,
check the following:

DNS: the storage system must use the same DNS servers
as Microsoft Active Directory. Its IP address

and host name must have an A record on a DNS server that is authoritative for the Windows domain,

so that the domain can resolve
the NetApp storage system by name.

Time: the storage system's clock must be synchronized with the domain.
Use NTP, through the timed service on NetApp storage, giving
the fully qualified hostname
or IP address of the NTP server.

Time matters because Kerberos tickets carry timestamps; if
the clocks differ by more than the allowed skew, Kerberos authentication
fails. Use the domain controllers or their time source as NTP servers.
The Active Directory organizational unit (OU) in which the computer account is created
can be chosen when the storage system joins the domain.

9
NetApp
(home directories) .
CIFS NetApp ,
,
. CIFS,
, ,
,
.

, ,
. CIFS
, .
, (share)
, NetApp
.
home directory ( 1000)
. Data ONTAP
,
.

For more, see Managing Home Directories on the
NetApp Support site (NOW).

10
MS Windows
A NetApp storage system joined to the domain appears in the Active Directory organizational unit
(OU) Computers. Figure 5 shows it in Active Directory Users and
Computers, a
Microsoft Management Console (MMC) snap-in.

Figure 5) The storage system in Active Directory.

10.1 MMC

MMC
The Computer Management MMC of Windows can be used to manage
NetApp storage, including:

CIFS shares
CIFS sessions
CIFS open files

Figures 6, 7 and 8 show shares, sessions and open files of a storage
system in the Computer Management MMC.

Figure 6) CIFS shares in Computer Management.

Figure 7) CIFS sessions in Computer Management.

Figure 8) Open files in Computer Management.

10.2 Active Directory MMC

In Active Directory, NetApp storage can host users' roaming profiles
and Windows home directories.
(Roaming Profiles)
Windows Server 2008R2, Windows Server 2008, Windows Server
2003 (R2) and Windows Server 2000 support
roaming user profiles. Two considerations:

Compatibility: Windows 7 and
Windows Vista use a different profile format from
Windows 2000 and Windows XP,
so users who log on to both kinds of client get separate profiles.
Performance: the whole profile is copied at logon
and logoff, so large profiles slow both down;
keep profiles small, or use folder redirection.

See Configuring Roaming User Profiles for Windows
2003 and the Managing Roaming User Data Deployment Guide for Windows Vista.
The profile path is set on the user account in Active Directory
Users and Computers, as shown in Figure 9.

Figure 9) Profile settings in Active Directory Users and Computers MMC.

10.3
In Active Directory, settings for users and computers are
applied through Group Policy Objects (GPO). GPOs are linked to
sites, domains and organizational units in Active Directory.

A GPO can set security settings, scripts, software installation, folder redirection,
user rights, audit policy and more.
Starting with Data ONTAP 6.4, NetApp storage supports GPOs,
i.e. applies the settings of GPOs that are linked to its
Active Directory container. Only part of the GPO settings are meaningful to
NetApp storage; the rest are ignored.

GPO settings supported by Data ONTAP:

Startup and shutdown scripts
File system security settings
Restricted group security
Event log and audit policy
User rights assignment

GPO support on NetApp storage is enabled or disabled from the Data ONTAP
GUI or CLI:
options cifs.gpo.enable on | off

Once enabled, the storage system (as a CIFS server) applies the GPOs linked to the
Organizational Unit (OU) that holds its computer account.
To display the GPOs that have been applied to the storage system,
use cifs gpresult [-r | -v | -d], the equivalent of
gpresult.exe /force on Windows 2000/XP.
Notes:

GPOs are refreshed every 90 minutes. At each refresh, Data ONTAP queries Active
Directory for the GPOs that apply to it. If a GPO in Active Directory has changed
since the last refresh, Data ONTAP reapplies it;
unchanged GPOs are not reapplied.
Up to 16 GPOs can be applied to a storage system; Data ONTAP
applies the first 16 and ignores any beyond that.
Note: the limit of 16 is specific to Data ONTAP;
Windows behaves differently.
Windows .

GPO changes take effect on Data ONTAP at the next refresh.

To force a refresh of GPOs from Active Directory, use
cifs gpupdate, the equivalent of
gpupdate.exe /force on Windows 2000/XP.

When GPOs are applied from Active Directory,
the following happens:
1. Data ONTAP determines which GPOs apply to it, based on
the container its computer account is in, and their order of precedence.

2. The GPO files are read from the sysvol share of a domain controller and
stored locally under /etc/ad.

The settings are then applied to the storage system.
GPO File System Security
A GPO File System security policy sets NTFS security (ACLs) on files and directories on
Data ONTAP (paths are given in Windows form).
The policy is applied at every refresh; a File System security
policy that references a path that does not exist on the storage system is ignored.
Such a GPO sets ACLs on the storage system in the same way as on
a Windows server.
Note: File System security applies only to qtrees whose
security type is mixed or NTFS, not to qtrees of security
type UNIX. ACL File System security 280.
(Restricted Group Security)
A Restricted Group policy controls the membership of
security groups.

Windows 2000 (and later) includes, among others, the groups Administrators, Power Users, Print
Operators, Server Operators and Domain Admins.
Restricted Groups can also be defined by the administrator.
The policy lists the members a group must have, and the groups
the group itself belongs to. At each refresh, members not listed in the policy
are removed, and listed members that are missing
are added.

This keeps local group membership on the storage system under central control.
.
(Event Log) (Audit Policy Mapping)
Event Log and Audit Policy settings in a GPO are mapped
to the corresponding NetApp options, so that Windows audit policy controls
auditing on Data ONTAP.
Not every Windows audit category has an equivalent on the storage system; unmapped
settings are ignored. The mapping is documented in Event Log and Audit Policy Mapping on the NetApp
Support site (NOW).


The Group Policy refresh interval is itself a GPO setting,
under Computer Configuration.
By default GPOs are refreshed every 90 minutes with a random offset of
0 to 30 minutes, so that not all systems query the domain controllers at once.
An interval of 0 means a refresh every 7
seconds, which is suited only to testing.
The interval can be changed in the policy;
shorter intervals increase the load on the domain controllers.
The random offset can be set anywhere
from 0 to 1440 minutes (24 hours).
(User Rights Assignment)

User Rights Assignment policies grant privileges to users and groups.
Starting with Data ONTAP 7.2.1, the Take Ownership of Files or Other Objects right in User Rights
Assignment is honoured when set through a GPO;
users and groups granted this right can take ownership of files
and directories on the storage system even when the ACL does not grant it to them.

For more, see Applying Group Policy Objects.

10.4 Windows DFS Manager



The DFS Namespace feature of Microsoft Distributed File System (DFS)
presents shares from many servers as a single
(virtual) namespace.
Users see one folder tree and need not know which server holds which
share. Shares on NetApp storage are added to
a DFS namespace with DFS Management on Windows, as shown in Figure 10.
NetApp storage can be a DFS leaf node
or a standalone DFS root. For more on DFS, see
Distributed File System on the Microsoft site.
Note: VFM (Virtual File Manager)
is NetApp's product for managing DFS namespaces on
Windows. Beyond DFS, Virtual File
Manager
provides policy-based data management across
Windows and NetApp storage. For VFM, see the VFM Documentation on NOW.

Figure 10) Adding a NetApp share to a DFS namespace.

10.5 Widelink
Widelinks are a feature of NetApp Data ONTAP similar to Microsoft
Distributed File System; they are defined in /etc/symlink.translations.
A widelink is a symbolic link that points outside the
share it lives in, to another share or
another server. When a client opens a widelink,
Data ONTAP looks it up in symlink.translations and returns a DFS referral
to the target. The client must therefore support DFS.

11 Microsoft Windows
Data ONTAP Microsoft Windows,
Microsoft Windows.
,
Microsoft Windows.

11.1 CIFS Share


Shares on NetApp storage are managed from Windows
with the Computer Management MMC snap-in, or from the
Data ONTAP command line:
cifs shares -add shareName path [-comment description] [-userlimit] [-browse | -nobrowse] [-forcegroup groupname] [-widelink] [-nosymlink_strict_security] [-novscan]
[-novscanread] [-umask mask] [-no_caching | -auto_document_caching | -auto_program_caching]

For more on CIFS shares, see Sharing Directories.

Figure 6 shows the shares of a storage system in the Computer
Management MMC.
Access-Based Enumeration (ABE)
Starting with Data ONTAP 7.2, NetApp storage supports access-based
enumeration, a feature introduced in
Microsoft Windows Server 2003 Service Pack 1.


ABE changes what users see when they browse a share.
Without ABE, a directory listing returns every file and folder,
including those the user has no permission to open. Users see
folders they cannot access, which both confuses them and reveals
names that may themselves be sensitive, such as project or customer names,
and generates help-desk calls about "access denied" on folders
the user was never meant to see.
Access-based enumeration filters the listing,
returning only the files and folders the user has at least read access to. With ABE enabled on a CIFS share,
a user sees only what he is allowed to open; everything
else is hidden (although it is the ACL, not ABE, that protects it).
ABE is enabled per share
and therefore suits shares such as home directory roots or
department shares, where many users with different rights browse
one tree. ABE does not change the permissions on NetApp
storage, only what is enumerated.
ABE is enabled on a NetApp CIFS share with the cifs
shares option:
[-accessbasedenum | -noaccessbasedenum].

From Windows, ABE on a NetApp CIFS share can be set with
the Microsoft tool
abecmd.exe:
abecmd [/enable | /disable] [/server <servername>] {/all | <sharename>}

Figures 11 and 12 show ABE in action.
In Figure 11, with ABE off, a user sees all folders
on the share. In Figure 12, with access-based enumeration on, the same user sees only the
folders he has access to.


Figure 11) The customer data share without ABE.

Figure 12) The customer data share with ABE.
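The effect of ABE on a listing, as an added example (illustrative code for this page, not Data ONTAP's ACL engine). The share contents, the users "alice" and "bob", the group names and the permission bits are all constructed; deny ACEs win over allow ACEs, and a user's group memberships count, as in Windows.

```python
# Added example, not Data ONTAP's ACL engine: what access-based enumeration (11.1)
# changes in a directory listing. Entries, users and groups are constructed sample
# data; the permission bits and principal names are assumptions.
from dataclasses import dataclass
from typing import Iterable, List, Sequence

READ = 0x1    # assumed bit: read data / list folder
WRITE = 0x2   # assumed bit: write data / add file


@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    principal: str   # user or group name
    mask: int


@dataclass(frozen=True)
class Entry:
    name: str
    acl: Sequence[Ace]


def has_access(acl: Sequence[Ace], user: str, groups: Iterable[str], wanted: int) -> bool:
    """Deny wins over allow (Windows canonical ACL order assumed); every wanted bit must be
    allowed to the user or to one of the user's groups."""
    principals = {user, *groups}
    denied = allowed = 0
    for ace in acl:
        if ace.principal not in principals:
            continue
        if ace.kind == "deny":
            denied |= ace.mask
        else:
            allowed |= ace.mask
    return (wanted & denied) == 0 and (wanted & allowed) == wanted


def list_directory(entries: Sequence[Entry], user: str, groups: Iterable[str],
                   abe: bool = True) -> List[str]:
    """Without ABE every name comes back, including folders the user cannot open;
    with ABE only the entries the user can read are enumerated."""
    groups = list(groups)
    if not abe:
        return [e.name for e in entries]
    return [e.name for e in entries if has_access(e.acl, user, groups, READ)]


ADMINS, SALES, FINANCE, EVERYONE = "Domain Admins", "Sales", "Finance", "Everyone"
# Constructed "customer data" share, the scenario of Figures 11 and 12.
SAMPLE = [
    Entry("Contracts", (Ace("allow", ADMINS, READ | WRITE), Ace("allow", SALES, READ))),
    Entry("Payroll", (Ace("allow", ADMINS, READ | WRITE), Ace("allow", FINANCE, READ | WRITE))),
    Entry("Public", (Ace("allow", EVERYONE, READ),)),
    Entry("Audit", (Ace("deny", "alice", READ), Ace("allow", EVERYONE, READ))),
]

if __name__ == "__main__":
    print(list_directory(SAMPLE, "alice", [SALES, EVERYONE], abe=False))
    print(list_directory(SAMPLE, "alice", [SALES, EVERYONE]))
```

ABE is a visibility control, not an access control: a user who already knows the name "Payroll" can still type the path, and only the ACL decides what happens then. Treat ABE as a way to reduce leakage of names and help-desk noise, and keep the ACLs as the boundary.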


11.2 Shadow Copies

(Volume Shadow Copy Service Client)
NetApp has provided Snapshot copies since 1992.
Windows users can reach them through the Microsoft Volume Shadow Copy
Service (VSS) client built into the OS. Figure 13 shows shadow copies
of a NetApp share as seen from Windows.

Figure 13) Shadow copies of a NetApp share.

11.3 IntelliMirror
Offline Folders
NetApp storage supports Microsoft Offline Folders,
which let users work on files from a share while
disconnected, on Windows Vista,
Windows XP, Windows 2000, Windows 2003 and Windows 2008.
Files are cached on the client and synchronized with the share
when the connection returns.
Caching is configured per share.
The cifs shares options are:
[-no_caching | -auto_document_caching | -auto_program_caching]

Figure 14 shows the setting on a Windows 2008 server for a NetApp share.

Figure 14) Offline settings for a NetApp share on Windows 2008.


Which files are made available offline
is decided on the Windows client.
Users choose which folders to cache,
or the administrator does it through policy.
In Windows Vista, Offline Folders are managed in Windows Explorer
under Offline Files, as shown in
Figure 15.

Figure 15) Offline folders in Windows Vista.

A user makes a folder available offline by right-clicking
it and choosing Always Available Offline.
See Offline Files for Windows Vista.
Note: some applications (for example
CATIA V5 CAD) do not work well with offline files,
so test before deploying.
My Documents
NetApp storage can host redirected Windows folders through
Microsoft IntelliMirror. Folder redirection moves a user's
data from the local disk to a share on the storage system,
where it is backed up and protected by Snapshot copies.
The folders that can be redirected include My Documents, Desktop and Start Menu.

Redirection is transparent to the user.
Figure 16 shows a redirected My Documents folder in
Windows Vista.

Figure 16) Redirected My Documents on Windows Vista.

Folder redirection is configured through Group Policy Objects (GPO)
on Windows. See the Managing Roaming
User Data Deployment Guide.

11.4
NetApp storage can audit file access and logon events,
writing records to an event log
readable in the Microsoft Event Viewer security log. Events are recorded in the same format
Windows uses.
Figure 17 shows audit events from a storage system.
For more on CIFS auditing on NetApp storage, see TR-3595:
Auditing Quick Start Guide.

Figure 17) Audit events in Event Viewer.
The following events can be audited:

Network logon
Unsuccessful network logon
Network logoff
Windows file access
UNIX file access
Unsuccessful file access
Lost record event
Clear audit log event

Live View: Event Log

Starting with Data ONTAP 7.2, CIFS auditing offers
Live View. It lets an administrator read the audit log in Microsoft Event Viewer (MMC
snap-in) as it is written,
instead of waiting for the EVT file to be saved and copied. Live View shows the most recent events; Event
Viewer displays up to 5000 of them. Live View
does not replace the saved EVT files,
which remain the long-term record. For Live
View configuration, see Configuring Live View.

Note: Live View is not supported with
Windows 2000 clients.
Figure 18 shows Live View in Event Viewer,
with real-time audit logs.

Figure 18) Live View.

Event Log
Without Live View, the EVT file must be saved on the storage system
and then opened in Event Viewer. Event Viewer
opens the saved log from the share where Data ONTAP wrote it.

12

File screening controls which file types may be stored on
NetApp storage. Typical targets are media files such as .mpg and .mp3,
which consume space, raise legal exposure and have no business value.
Two kinds of file
screening are available on Data ONTAP:

Native: file screening built into
NetApp storage, based on file name extensions.
External: a file screening server
that applies richer policies. NetApp
storage passes file operations to it through NetApp FPolicy.

Partners offering FPolicy-based screening
include Kazeon, NuView, NTP Software, Symantec Enterprise Vault FSA and
Arkivio. Through FPolicy, the external server is notified of
operations such as open, create, rename, delete, read/write and
attribute changes, and can allow or deny them.

Note: for the current list of NetApp
FPolicy partners, check the NetApp site.

For more on FPolicy, see File Screening
Using FPolicy.

13 CIFS
Antivirus scanning of CIFS data on Data ONTAP is done by external
scanning servers running
a supported antivirus product. Scanning is on-access: a file is
scanned when a CIFS client opens it.
NetApp storage works with Symantec, Trend Micro, McAfee, Sophos and
Computer Associates products,
among others.
The CIFS server on the storage system asks the scanner
before the client is given the file; Data ONTAP
waits for the scanner's verdict.
Files are scanned when opened and when closed after being written.
Several scanning servers can serve one storage system, and
Data ONTAP distributes requests among them
for throughput and availability.
Data ONTAP also remembers scanned files
until they change, so a clean file is not rescanned on every
open. Scanning can be disabled per share
(the -novscan and -novscanread share options).
Note: see TR-3107: Antivirus Scanning Best Practices Guide.

14
NetApp storage integrates with Microsoft Windows environments
from the file protocol level up to Active Directory, authentication and management tools,
so administrators can manage it with the same Windows and
Microsoft tools they already use. Combined with NetApp features such as
Snapshot copies and SnapRestore, this gives Windows users
reliable, consistently protected storage.

15

Date            Author
April 2011      Bingxue Cai
January 2009    Reena Gupta
May 2008        Reena Gupta
November 2006   Reena Gupta
December 2004   Jeff Feierfeil

Data ONTAP versions referenced: Data ONTAP 8.0 7-Mode, Data ONTAP 7.3.1, ONTAP 7.3.

16
16.1 NetApp
Applying Group Policy Objects
The NetApp Support site (NOW)
Configuring Live View
File Screening Using FPolicy
Sharing Directories
TR-3107: Antivirus Scanning Best Practices Guide
TR-3457: Unified Windows and UNIX Authentication Using Microsoft Active Directory Kerberos
TR-3740: SMB 2.0 - Next-Generation CIFS Protocol in Data ONTAP
VFM Documentation
Windows File Service Compatibility Matrix

16.2 Microsoft
Configuring Roaming User Profiles
Distributed File System
Offline Files for Windows Vista
Managing Roaming User Data Deployment Guide
www.microsoft.com