
Microsoft Windows

Integration on the Sun Storage 7000


Implementation Guide
Application Integration Engineering (AIE)
Sun Microsystems, Inc.
Ryan H. Pratt
April 28th, 2009 Revision 1.0
2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 USA
All rights reserved.
This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and
decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of Sun
and its licensors, if any. Third-party software, including font technology, is copyrighted and licensed from Sun suppliers.
Parts of the product may be derived from Berkeley BSD appliances, licensed from the University of California.
Sun, Sun Microsystems, Sun StorageTek, the Sun logo, are trademarks, registered trademarks, or service marks of Sun Microsystems, Inc.
in the U.S. and other countries.
UNIX is a registered trademark in the United States and other countries, exclusively licensed through X/Open Company, Ltd.
Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and other countries.
All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and
other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc.
The OPEN LOOK and Sun's Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun
acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the
computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun's
licensees who implement OPEN LOOK GUIs and otherwise comply with Sun's written license agreements.
RESTRICTED RIGHTS: Use, duplication, or disclosure by the U.S. Government is subject to restrictions of FAR 52.227-14(g)(2)(6/87) and
FAR 52.227-19(6/87), or DFAR 252.227-7015(b)(6/95) and DFAR 227.7202-3(a). DOCUMENTATION IS PROVIDED AS IS AND ALL
EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE
EXTENT THAT SUCH DISCLAIMERS HELD TO BE LEGALLY
Table of Contents
1 Overview ..... 5
2 Scope ..... 6
3 Prerequisites ..... 7
3.1 Operating System Prerequisites ..... 7
3.2 Storage System Prerequisites ..... 7
4 Appliance Configuration Best Practices ..... 9
4.1 System Configuration ..... 9
4.1.1 Network ..... 9
4.1.2 Appliance Cluster ..... 9
4.1.3 Microsoft Cluster Service (MSCS) ..... 9
4.1.4 Users ..... 9
5 Implementation Procedures ..... 10
5.1 System Configuration ..... 10
5.1.1 Network Time Protocol (NTP) ..... 10
5.1.2 Users ..... 10
5.1.3 Active Directory ..... 12
5.2 Services Configuration ..... 15
5.2.1 CIFS Service ..... 15
5.2.2 Share Creation - Projects and Filesystems ..... 15
5.3 Share Configuration ..... 18
5.3.1 Share ACLs - Workgroup Mode ..... 22
5.3.2 Share ACLs - Domain Mode ..... 23
5.4 Share Management From Windows Server 2003 R2 ..... 26
5.5 Publishing Shares to Active Directory ..... 29
5.6 Data Migration ..... 29
5.7 DFS Target ..... 30
5.8 Snapshot ..... 32
5.9 Analytics ..... 34
6 Reference Material ..... 39
7 Quick Troubleshooting ..... 40
Illustration Index
Illustration 1: Local User Setup ..... 11
Illustration 2: List of Local Users ..... 11
Illustration 3: Active Directory Service Screen ..... 13
Illustration 4: Join Domain Dialog Box ..... 13
Illustration 5: Updated Active Directory Service Screen ..... 14
Illustration 6: Active Directory Users and Computers ..... 14
Illustration 7: Filesystem Defaults ..... 16
Illustration 8: Setting Full Control on Filesystem ACL ..... 17
Illustration 9: Everyone ACL ..... 17
Illustration 10: Share Level ACL ..... 17
Illustration 11: Create Filesystem Dialog Box ..... 18
Illustration 12: Project Level Protocol Tab ..... 19
Illustration 13: Filesystem Level Protocol Tab ..... 19
Revision 1.0 page 3
Illustration 14: Client Explorer ..... 19
Illustration 15: Project Level Protocol Tab ..... 19
Illustration 16: Filesystem Level Protocol Tab ..... 20
Illustration 17: Client Explorer ..... 20
Illustration 18: Filesystem Level Protocol Tab ..... 20
Illustration 19: Client Explorer ..... 20
Illustration 20: Filesystem Level Protocol Tab for share 'code' ..... 21
Illustration 21: Client Explorer ..... 21
Illustration 22: Without Named Resource ..... 21
Illustration 23: With Named Resource ..... 21
Illustration 24: Default ACL Permissions ..... 22
Illustration 25: ACL With Updated Permissions ..... 23
Illustration 26: Active Directory Permissions ..... 24
Illustration 27: Security tab for folder ..... 24
Illustration 28: Explicit user management ..... 25
Illustration 29: Security tab ..... 26
Illustration 30: File Server Management Console ..... 27
Illustration 31: Connecting to the appliance ..... 27
Illustration 32: Appliance Shares Managed by the File Server Management Console ..... 28
Illustration 33: Appliance Sessions Displayed by the File Server Management Console ..... 28
Illustration 34: Publish a Share in Active Directory ..... 29
Illustration 35: DFS Target Creation ..... 30
Illustration 36: DFS Shares Created ..... 31
Illustration 37: Windows Client view of DFS Shares ..... 31
Illustration 38: Snapshot Schedule ..... 32
Illustration 39: Created Snapshots ..... 32
Illustration 40: Windows Explorer Created Snapshot View ..... 33
Illustration 41: .zfs snapshot folder expanded ..... 33
Illustration 42: Analytics for CIFS Operations ..... 34
Illustration 43: Analytics CIFS operations by client ..... 35
Illustration 44: Analytics drilldown on client ..... 35
Illustration 45: Analytics CIFS Traffic ..... 36
Illustration 46: Analytics CIFS ops/s by latency ..... 37
Illustration 47: Analytics CIFS ops/s by size ..... 37
Illustration 48: Analytics CIFS ops/s by offset ..... 38
1 Overview
This document discusses using the Sun Storage 7000 in a Microsoft Windows environment. The Sun
Storage 7000 series allows for CIFS authentication to an Active Directory database or using local users
on the appliance in workgroup mode. There is no facility to store Windows users in LDAP. The
Active Directory service provides access to a Microsoft Active Directory database, which stores
information about users, groups, shares, and other shared objects.
When a resource is added as a member to Active Directory it is discoverable within the domain. Active
Directory works on a container basis or Organizational Unit (OU) basis. Resources can be separated into
different OUs for administrative purposes. Administrative tasks can be accomplished within an OU.
Once the 7000 appliance is joined to a domain, a computer account object with the appliance's name is
created within AD.
This document assumes a knowledge of Windows Server environments and an initially configured Sun
Storage 7000 appliance. The 7000 appliance should have the network set up including an IP, netmask
and gateway, a storage pool configured, and the clocks in sync between the appliance and client
machines (NTP).
2 Scope
This document focuses on the process of creating and sharing filesystems in both domain and
workgroup mode, joining a domain, mounting CIFS shares within the domain and managing object
rights.
Knowledge gained by reading this document will include:
• Prerequisites for a successful Active Directory membership
• How to use local users for CIFS shares
• How to join the 7000 appliance to an Active Directory domain
• How to set permissions for a share with both local and Active Directory users
• DFS target setup
• Publishing shares in Active Directory
• Basic Analytics knowledge
3 Prerequisites
3.1 Operating System Prerequisites
Microsoft Windows Server 2000 SP4, Windows Server 2003 (or 2003 R2), and Windows Server 2008
domain controllers are supported. Windows NT 4.0 domain controllers are not currently supported.
This document assumes the use of Microsoft Windows Server 2003 or later in implementing Active
Directory domains.
It is important that the client, server, domain controller and appliance clocks are synchronized (see the
Network Time Protocol (NTP) section).
3.2 Storage System Prerequisites
The latest version of the 7000 software can be downloaded at Sun.COM's Download Center under
Hardware Drivers, Storage or directly here.
CIFS, NTP client and Active Directory are default features provided by the 7000 software. No
additional licenses are needed to enable CIFS, NTP client, Active Directory or any other features,
present or future.
• Clocks must be synchronized manually or via NTP. When a filesystem is shared using CIFS,
the client clocks must be synchronized to within five minutes of the appliance clock to avoid
user authentication errors. One way to ensure clock synchronization is to configure the
appliance and the CIFS clients to use the same NTP server, preferably the Domain Controller
itself.
• If link aggregation or VLAN datalinks will be used, the connected switch ports must be
configured accordingly.
• Although a storage pool is not required to configure many of the features, in order for a
filesystem, LUN or share to be created, there must be an underlying storage pool with available
space.
• Before attempting to join an Active Directory domain the appliance must be configured for
DNS service. DNS must be set up and a host (A) record should be manually created for the
appliance in DNS so that name resolution may occur. The DNS management plug-in for
Windows can accomplish this. The appliance will automatically find the Domain Controller
(DC) for the specified domain by retrieving the DNS SRV record for a DC. (Note: If the
appliance is configured to use a DNS server that is not the AD DC then the DNS server(s) must
be configured with an appropriate DNS SRV record. You can use a separate non-Windows DNS
server but that requires that all the DNS SRV records required to inter-operate with AD domain
controllers be manually added to that DNS. If you use AD as your DNS server then everything
is configured by default.)
4 Appliance Configuration Best Practices
4.1 System Configuration
4.1.1 Network
There are no specific networking tasks that need to be set up in regard to Active Directory or
CIFS shares. Devices, Datalinks, Interfaces, LACP link aggregations and IP Multipathing
(IPMP) groups are all supported. It is recommended to create a private network connection for
data traffic that is not part of a public or management LAN. If greater bandwidth is needed,
10Gb interfaces and/or link aggregations may be implemented.
4.1.2 Appliance Cluster
Appliance clustering is not discussed in this document, but is fully supported in an Active
Directory environment with CIFS or NFS shares. In the event of a failover, any shares will be
automatically moved to the alternate head.
4.1.3 Microsoft Cluster Service (MSCS)
Creating shareable cluster resources on an MSCS cluster is outside the scope of this
document but is supported when mounting a LUN via iSCSI and then sharing it through the
cluster as a CIFS share.
4.1.4 Users
The Users screen is used for both appliance administration delegation and control, as well as
setting local user permissions when using the appliance in workgroup mode. If the appliance is
set to workgroup mode, local users must be created for access rights. If the appliance is joined
to an Active Directory domain, this section is not required for share permissions.
Administration delegation is not covered in this document.
For environments where there is a mix of UNIX and Windows users and there is a desire to
have a mapping between a Windows user and a corresponding Solaris, UNIX, or Linux user, an
identity mapping service is provided. This feature will not be discussed in this document.
5 Implementation Procedures
5.1 System Configuration
5.1.1 Network Time Protocol (NTP)
Enter the fully qualified domain name (FQDN) of the common NTP server. Although it is not required
to perform this step before or after joining an Active Directory domain, the process of joining the
domain, as well as user authentication, may fail if there is greater than a 5 minute difference between
the domain controller and the appliance. It is not required that the NTP server be the Active Directory
domain controller. See this article (http://support.microsoft.com/kb/816042) for instructions on how to
configure a Windows server for NTP.
Once Apply is clicked, a dialog box will pop up asking to enable the service if it is not already enabled.
Click Enable. Once enabled, the NTP service button should be green and the appliance time
should be in sync with the clients and domain controller.
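The five-minute clock tolerance named in the prerequisites and in this NTP section is something an administrator can verify before joining the domain. The Python below is an added example, not code from this document or from the appliance software: it parses an SNTP server reply (RFC 4330 layout) and reports whether the local clock is within 300 seconds of the server's transmit time. The sample reply is constructed inline so it runs offline; the MAX_SKEW_SECONDS name and the rejection rules for untrustworthy replies are assumptions of this example.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)
MAX_SKEW_SECONDS = 300          # the five-minute window the document gives for CIFS/AD authentication


def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to Unix time."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2 ** 32


def unix_to_ntp(unix_time):
    """Inverse of ntp_to_unix; only needed to build the constructed sample reply below."""
    whole = int(unix_time)
    return whole + NTP_EPOCH_OFFSET, int((unix_time - whole) * 2 ** 32)


def build_sample_reply(transmit_unix):
    """Constructed 48-byte SNTP server reply so the check can run offline.

    Assumption: a stratum-2 server whose reference and transmit timestamps are both
    transmit_unix; originate and receive timestamps are left zero.
    """
    li_vn_mode = (0 << 6) | (4 << 3) | 4          # LI=0 (no warning), version 4, mode 4 (server)
    tx_sec, tx_frac = unix_to_ntp(transmit_unix)
    return struct.pack(
        "!BBBb11I",
        li_vn_mode, 2, 6, -20,                    # stratum, poll, precision
        0, 0,                                     # root delay, root dispersion
        0x4C4F434C,                               # reference id "LOCL"
        tx_sec, tx_frac,                          # reference timestamp
        0, 0,                                     # originate timestamp
        0, 0,                                     # receive timestamp
        tx_sec, tx_frac,                          # transmit timestamp
    )


def parse_transmit_timestamp(reply):
    """Return the server's transmit timestamp from an SNTP reply as Unix time.

    Rejects replies that must not be used as a time reference: short packets,
    non-server mode, leap indicator 3 (clock unsynchronised), stratum 0
    (kiss-o'-death) and a zero transmit timestamp.
    """
    if len(reply) < 48:
        raise ValueError("SNTP reply shorter than 48 bytes")
    leap, mode, stratum = reply[0] >> 6, reply[0] & 0x07, reply[1]
    if mode != 4:
        raise ValueError("not a server-mode reply (mode %d)" % mode)
    if leap == 3:
        raise ValueError("server reports its clock as unsynchronised")
    if stratum == 0:
        raise ValueError("stratum 0 (kiss-o'-death) reply")
    tx_sec, tx_frac = struct.unpack("!II", reply[40:48])
    if tx_sec == 0:
        raise ValueError("transmit timestamp is zero")
    return ntp_to_unix(tx_sec, tx_frac)


def clock_skew_seconds(reply, local_now):
    """Signed skew in seconds: local clock minus the NTP server's clock.

    Network delay is ignored; it is negligible against a 300 second window.
    """
    return local_now - parse_transmit_timestamp(reply)


def within_auth_tolerance(reply, local_now):
    """True when the skew is inside the five-minute window, so authentication should not fail on time."""
    return abs(clock_skew_seconds(reply, local_now)) <= MAX_SKEW_SECONDS


if __name__ == "__main__":
    # Constructed reply with a transmit time of 2009-04-28 00:00:00 UTC.
    sample = build_sample_reply(1240876800.0)
    for local in (1240876800.0 + 120, 1240876800.0 + 420):
        verdict = "ok" if within_auth_tolerance(sample, local) else "too large"
        print("skew %+.0f s -> %s" % (clock_skew_seconds(sample, local), verdict))
```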
5.1.2 Users
For workgroup access only, a local user must be created on the appliance in order for a share to be
mounted on a client system as shown in Illustration 1. Under Configuration, Users, click the add user
button. Select the Local Only radio button, and fill in the information for the Username, Full Name,
Password, and Password Confirmation. If this user does not need the right to administer the box, leave
Require Session Annotation and Kiosk user unchecked. To prevent this user from logging into the
appliance, you also must uncheck any role which is specified at the bottom.
If possible, mirror the appliance local user with the Windows local user defined on the workgroup
member machines. Matching the usernames/passwords across the appliance and the workgroup-mode
client eliminates the need to explicitly authenticate each time a share is mapped in workgroup mode.
This user may now be assigned share permissions and can connect to the appliance and map shares
by navigating their Network Neighborhood or the Map Network Drive interface.
There will now be local users listed as shown in Illustration 2.
Illustration 1: Local User Setup
Illustration 2: List of Local Users
5.1.3 Active Directory
In domain mode the 7000 appliance offers SMB/CIFS file services as a member server in a Microsoft
Active Directory domain. The 7000 may only be a member of a single domain, but transitive,
inter-domain and cross-forest trusts are fully supported to extend functionality across the Windows
namespace.
Instead of enabling and disabling the Active Directory service directly, the service is modified by
joining a domain or a workgroup. Joining a domain involves automatically creating a computer account
for the appliance in the given Active Directory domain. Once the computer account has been
established, the appliance can securely query the database for information about users, groups, and
shares.
In Active Directory, every resource is required to have an account. This includes users, workstations,
servers and other devices that participate in an Active Directory domain. Once the 7000 series is joined
into the domain, a computer account is automatically created.
Windows users who have an identity established in Active Directory can map allowed shares on the
appliance as soon as the appliance has successfully joined the domain. When a Windows domain user
attempts to map a share, the Sun Storage 7000 appliance will validate the Windows user name by
authenticating the user's identity with the DC and obtaining the user's credentials and access
permissions. According to the trust rules of Active Directory, a user in any trusted domain in the Active
Directory forest can access the appliance if they have been granted sufficient privileges. Similarly, users
in trusted forests may also access appliance resources.
Modifying the Active Directory service from authentication with Active Directory to a workgroup
implicitly leaves the Active Directory domain. As a result, all CIFS clients whose identities are stored in the
Active Directory database will be unable to connect to shares.
Prior to joining a domain, the Active Directory service screen will look as shown in Illustration 3.
To join an Active Directory domain, enter the fully qualified domain name (FQDN) of the Active
Directory domain, a user with domain administrator credentials and their password as shown in
Illustration 4.
This step commonly takes less than 30 seconds. Once the appliance has been joined to the domain, the
Active Directory service will start and show online. The current details of the domain will be displayed
as shown in Illustration 5.
Illustration 3: Active Directory Service Screen
Illustration 4: Join Domain Dialog Box
The computer account for the appliance can be displayed by logging onto the domain controller and
opening the Active Directory Users and Computers console; a computer account for the appliance has
been created in the generic Computers container as shown in Illustration 6.
A new Organizational Unit may be created to organize your 7000 appliances and other file servers.
Illustration 5: Updated Active Directory Service Screen
Illustration 6: Active Directory Users and Computers
5.2 Services Configuration
5.2.1 CIFS Service
The CIFS service provides access to the filesystems using the CIFS (SMB) protocol. Filesystems must
be configured to share using CIFS from the Shares configuration. The first step is to enable the service
either from the Configuration, Services tab, or by drilling down to the CIFS configuration screen and
clicking the power button.
5.2.2 Share Creation - Projects and Filesystems
All filesystems and LUNs are grouped into projects. A project defines a common administrative
control point for managing shares. All shares within a project can share common settings, and quotas
can be enforced at the project level in addition to the share level. Projects can also be used solely for
grouping logically related shares together, so their common attributes (such as accumulated space) can
be accessed from a single point. A prefix may be added to the project to help identify the project name
with the resource (i.e. dev_code where dev is the prefix assigned to the Development project name and
code is the share name).
By default, the appliance creates a single default project when a storage pool is first configured. It is
possible to create all shares within this default project, although for reasonably sized environments
creating additional projects is strongly recommended, if only for organizational purposes.
In a Windows environment, there are two layers of permissions in shared folders: permissions on the
share and permissions on the underlying filesystem. These two permissions are subtractive, meaning
that only the most restrictive permission is enforced. It can be confusing and tedious to align and
manage both sides.
Often the terms filesystem permissions, file permissions, folder permissions and NTFS
permissions are used interchangeably. Their counterpart on the 7000 appliance is the root directory access
permission of the filesystem, which can be accessed under the Access tab of the filesystem.
Shares can be filesystems or LUNs (iSCSI). Filesystems are created and then exported as CIFS shares.
Shares can be grouped into projects for common administrative purposes, including space management,
common settings and replication control. A share does not require a static size for the filesystem, as
they are thin provisioned by default. If a certain amount of reserved space is required, this behavior can
be achieved by using quotas and reservations.
The default permissions on filesystem creation are set to read, write and execute for the owner with no
permissions for everyone else. This is done in order to err on the conservative side by not
accidentally opening permissions up too wide. This can be changed at the project level under the
General tab as shown in Illustration 7.
In creating a new filesystem, leave the default permissions as they are, as Windows only refers to the
ACL and not the 3x3 permission boxes.
The default share-level ACL is set to be wide open to Everyone. The default filesystem ACL is set to
be owned by nobody, group other, and only the owner is able to read, write and execute. A Windows
best practice is to control ACLs from the filesystem level and not the share level. As mentioned earlier,
maintaining both may be difficult. Therefore ACLs should be managed at either the filesystem level or
the share level, but not both. In order to simplify management of the appliance in a pure Windows
environment, it is recommended to set both the share level and filesystem level permissions to full
control for Everyone and then manage the individual permissions from a Windows client. Illustration 8
shows how to set Everyone with full control.
Illustration 7: Filesystem Defaults
Once this is applied, there will now be a corresponding ACL as shown in Illustration 9.
Under the specific share, Protocols tab, the share-level ACL is shown under the CIFS section of the
page. Illustration 10 shows the wide open share ACL.
Illustration 8: Setting Full Control on Filesystem ACL
Illustration 9: Everyone ACL
Illustration 10: Share Level ACL
Appropriate rights may be assigned with ACLs. ACLs are further discussed in 5.3.1. Illustration 11
shows the creation of a new filesystem named code in the Development project.
5.3 Share Configuration
Under the Protocols tab in the project, make sure that the CIFS service light is green and that the
Resource Name is not set to off. Even if the CIFS service is turned on, you must change the CIFS
Resource Name to a string so that the share will be published. Setting the Resource Name to on will
present each filesystem under its filesystem name, as follows: \\servername\filesystem. Alternatively, you
may assign a prefix at the project level that will place that prefix before the filesystem name in order
to differentiate each project's shares from one another (e.g. \\servername\prefix_filesystem). This will
apply to all filesystems created in that project that have the inherit from project
checkbox checked in the CIFS section of the Protocols tab. As shown in Illustration 12 and Illustration 13, the
default naming scheme for the CIFS shares is set to their filesystem names by setting the Resource
Name to on and allowing the filesystem setting to inherit from project. A filesystem named code was
created under the Development project.
Illustration 11: Create Filesystem Dialog Box
As shown in Illustration 15 and Illustration 16, by setting a unique identifier in the Resource Name at
the project level (deptCIFS), the filesystem will inherit that prefix separated by an underscore if the
inherit from project box is checked.
Illustration 12: Project Level Protocol Tab
Illustration 13: Filesystem Level Protocol Tab
Illustration 15: Project Level Protocol Tab
Illustration 14: Client Explorer
Alternatively, if inherit from project is not checked, on may be used to specify the filesystem name as
the share name, or a filesystem-level unique identifier may be used.
Illustration 16: Filesystem Level Protocol Tab
Illustration 18: Filesystem Level Protocol Tab
Illustration 17: Client Explorer
Illustration 19: Client Explorer
As shown in Illustration 20, changing the share name (dept1) from the filesystem name (code) is
not recommended due to the potential for confusion.
Another example of two projects, Development and Production, is as follows. Development has a
share named code and Production has a share named data. A client machine would see both shares
once connected to the appliance. If the dev prefix is added to the Development project and the
prod prefix is added to the Production project, there would be an easy way to show the differences.
Illustration 20: Filesystem Level Protocol Tab for share 'code'
Illustration 21: Client Explorer
Illustration 22: Without Named Resource
Illustration 23: With Named Resource
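The Resource Name rules of this section (off, on, a project-level prefix joined with an underscore, or a filesystem-level name) decide what a Windows client sees. The Python below is an added example, not code from this document or from the appliance: it models those rules and adds a check for two filesystems that would publish under the same share name, the situation the dev and prod prefixes above are meant to avoid. The server name sun7000, the class names and the collision check itself are assumptions of this example, not appliance behavior.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Filesystem:
    name: str
    inherit_from_project: bool = True     # the "inherit from project" checkbox in the CIFS section
    resource_name: Optional[str] = None   # filesystem-level Resource Name, used only when not inheriting


@dataclass
class Project:
    name: str
    resource_name: str = "on"             # project-level CIFS Resource Name: "off", "on", or a prefix
    filesystems: List[Filesystem] = field(default_factory=list)


def share_name(project: Project, fs: Filesystem) -> Optional[str]:
    """Share name published for one filesystem, or None when it is not published.

    Rules as the section describes them:
      "off"          -> the filesystem is not published as a CIFS share
      "on"           -> the share is named after the filesystem
      other string   -> at project level it is a prefix joined to the filesystem name with
                        an underscore; at filesystem level it is used as the share name itself
    Assumption: a non-inheriting filesystem with no Resource Name of its own is treated as "off".
    """
    setting = project.resource_name if fs.inherit_from_project else (fs.resource_name or "off")
    if setting == "off":
        return None
    if setting == "on":
        return fs.name
    return f"{setting}_{fs.name}" if fs.inherit_from_project else setting


def unc_path(server: str, project: Project, fs: Filesystem) -> Optional[str]:
    """Windows UNC path for the share, or None when the filesystem is unpublished."""
    name = share_name(project, fs)
    return None if name is None else f"\\\\{server}\\{name}"


def published_shares(server: str, projects: List[Project]) -> Dict[str, str]:
    """Map every published UNC path to 'project/filesystem'.

    Administrator's check added here, not appliance behaviour: raise if two filesystems
    would be published under the same share name. Share names are compared
    case-insensitively because Windows clients treat them that way.
    """
    seen: Dict[str, str] = {}       # lower-cased path -> origin
    result: Dict[str, str] = {}
    for project in projects:
        for fs in project.filesystems:
            path = unc_path(server, project, fs)
            if path is None:
                continue
            origin = f"{project.name}/{fs.name}"
            key = path.lower()
            if key in seen:
                raise ValueError(f"share name collision: {path} from {seen[key]} and {origin}")
            seen[key] = origin
            result[path] = origin
    return result


if __name__ == "__main__":
    # The section's example: dev/prod prefixes on the Development and Production projects.
    projects = [Project("Development", "dev", [Filesystem("code")]),
                Project("Production", "prod", [Filesystem("data")])]
    for path, origin in published_shares("sun7000", projects).items():
        print(f"{path:24} <- {origin}")
```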
5.3.1 Share ACLs - Workgroup Mode
The following walks through how to set ACLs specifically on the appliance. As shown in Illustration
24, the share is now viewable from a client system, but permission is denied when an attempt to open
the code folder is made. Specific permissions may now be granted to each local user. This section of
the document covers workgroup mode with local users and does not apply to Active Directory users,
which are discussed later.
As shown in Illustration 25, read, write and execute permissions (rwx) will now be given to Bob, read
and execute (rx) permissions will be given to Tim, and the owner will be changed to Jack. Each of
these users has a password set on the appliance in the Users tab. If the appliance's user name and
password match the user name and password of the login session on the client machine, and that user
has permission to at least read the share, access is granted via passthru without a prompt. If the user's
password on the client differs from the one on the appliance, a password dialog box will be presented.
Passthru therefore depends on the local user's appliance password being kept in step with the client
password by hand; nothing in workgroup mode synchronizes the two.
Illustration 24: Default ACL Permissions
Jack and Bob can now create their own folders and files under code. They cannot write or read each
other's files or folders. Tim can now view the contents of code, but can do nothing else.
Note: If the appliance is later joined to a domain after local shares and users are set up, these users and
permissions remain valid.
5.3.2 Share ACLs - Domain Mode
Assigning permissions for domain users is slightly different. Once joined to the domain, the
username@FQDN form must be used. As shown in Illustration 26, a new filesystem named Reports is being
created by Joe (Joe@sspg.central.sun.com), who will own the filesystem but gives read and execute
(rx) permissions to the accountingusers (accountingusers@sspg.central.sun.com) domain group.
Frank, who is in the accountingusers domain group, can now view and traverse this directory.
Illustration 25: ACL With Updated Permissions
Illustration 26: Active Directory Permissions
Illustration 28: Security tab for folder
As shown in Illustration 28, individual access for users may also be granted by selecting Named User
under type. A FQDN must be used here when assigning domain user permissions (user@FQDN).
As shown in Illustration 29, the ZFS ACLs are held in the Special Permissions section, which can be
accessed by selecting the Advanced button.
Illustration 27: Explicit user management
Permissions for the root folder can be changed from the Windows server or from the appliance. Care
should be taken not to override permissions when changing permissions on the Windows side: a
replace-style change (for example, ticking "Replace permission entries on all child objects" in the
Windows Security tab) overwrites ACEs that were set on the appliance.
5.4 Share Management from Windows Server 2003 R2
As shown in Illustration 30, Windows Server 2003 R2 has a File Server Management console snap-in
that can manage the root directory of the share. File Server Management has a limitation that only
one server may be managed at a time.
Illustration 29: Security tab
To manage the 7000 appliance, select Action, Connect to Another Computer and enter the registered
appliance name as shown in Illustration 31.
The shares are now visible and can be managed from the File Server Management console as shown in
Illustration 32.
Illustration 30: File Server Management Console
Illustration 31: Connecting to the appliance
The current sessions can also be viewed using the File Server Management console as shown in
Illustration 33.
NFS: if concurrent NFS access is required as well as CIFS, make sure that the NFS service is enabled
and green.
Illustration 32: Appliance Shares Managed by the File Server Management Console
Illustration 33: Appliance Sessions Displayed by the File Server Management Console
5.5 Publishing Shares to Active Directory
Publishing shares makes it easier for a resource to be found in large AD environments. By publishing
shares to Active Directory, users can use the Find feature on the Start menu of their Windows desktops
to find remote shares by identifier or description. In order to publish shares to Active
Directory, open the File Server Management console, click on Shares, right click on the share name to
be published, click on Properties, then choose the Publish tab and check the Publish this share in Active
Directory box as shown in Illustration 34. A searchable Description and Keywords may also be
specified to further assist in finding this resource.
5.6 Data Migration
When migrating data from an alternate CIFS share hosted on any other device, the ACLs used by ZFS
fully support NT ACLs, therefore no ACLs will be lost or truncated when migrating data, provided the
copy tool carries them across: an Explorer drag and drop or a plain xcopy writes the data only and the
destination inherits the share's default ACL, whereas robocopy with /COPYALL (or /SEC) copies the
security descriptor along with the data.
Illustration 34: Publish a Share in Active Directory
5.7 DFS Target
The Distributed File System (DFS) in Windows Server 2003 R2 allows administrators to group
shared folders across the network into a virtual tree of folders called a namespace. The current
7000 software release allows an appliance CIFS share to act as a DFS target. A namespace root
must already be active on another object in Active Directory; CIFS shares from the 7000 may be
added as targets to any DFS root.
To add a CIFS share from the 7000 as a target (a DFS referral), click Add Folder from an existing DFS
root share, in this case the domain-based root \\sspg\HR, as shown in Illustration 35. Enter the path to
the CIFS share that should appear underneath the root share and give the folder a unique name. In
this example, a Forms share from one 7110 is added along with a Reports share from a second 7110.
Illustration 35: DFS Target Creation
As shown in Illustration 36, both shares are now placed under the \\sspg\HR DFS root.
As shown in Illustration 37, from a client machine, browsing to \\sspg\HR shows both Forms and
Reports in the same directory tree although they are on separate 7110 appliances.
Illustration 36: DFS Shares Created
Illustration 37: Windows Client view of DFS Shares
5.8 Snapshot
Projects and/or shares may have snapshots enabled. The shares may inherit the snapshot policies from
the project or have their own schedule. This is a way to provide file consistency as well as file
versioning. Snapshot browsing in the .zfs folder is a quick and easy way to recover files. By default,
the project's .zfs/snapshot visibility property is set to Hidden. In order to browse the .zfs folder from
a client system, Visible must be selected.
In order for a snapshot to be created, the project or share must either have a manual snapshot taken or a
schedule created for snapshots to be run. Illustration 38 shows the default snapshot schedule page.
Click on the properties of the folder and choose the Previous Versions tab to see any snapshots that have
been created, as shown in Illustration 39.
Illustration 38: Snapshot Schedule
Illustration 39: Created Snapshots
If the .zfs/snapshot visibility is set to Visible, there is a .zfs folder which can be browsed, and individual
files may be copied from it for a quick restore as shown in Illustration 40. Snapshots are read-only, so
nothing copied out of .zfs can alter the snapshot itself.
Illustration 40: Windows Explorer Created Snapshot View
Illustration 41: .zfs snapshot folder expanded
5.9 Analytics
There are nine categories available to view CIFS shares within Analytics. They are as follows:
- CIFS Operations broken down by type of operation
- CIFS Operations broken down by client
- CIFS Operations broken down by file name
- CIFS Operations broken down by share
- CIFS Operations broken down by project
- CIFS Operations broken down by latency
- CIFS Operations broken down by size
- CIFS Operations broken down by offset
- CIFS Operations as a raw statistic (operations per second)
Analytics is a useful tool when trying to gauge how much data is being sent in and out of an appliance,
as well as for views into which files, which clients, what latency, and so on.
Analytics allows for the breakdown of performance statistics for the CIFS protocol by several different
types of operation as shown in Illustration 42 below.
A high level picture of activity can be seen with CIFS operations per second broken down by client as
shown in Illustration 43.
Illustration 42: Analytics for CIFS Operations
If a particular client has more activity than another, more granular data can be seen by drilling down
on that client as shown in Illustration 44. In this example, isv-xp21 is generating more I/O than
isv-xp22. To view exactly what isv-xp21 is doing, drill down on that specific host for more details.
It may be helpful to view which files are being accessed most often. To view files, select isv-xp21,
click the drill icon and choose CIFS Operations broken down by filename.
Illustration 43: Analytics CIFS operations by client
Illustration 44: Analytics drilldown on client
The views in Illustration 45 show CIFS traffic by file name, share and project.
The ability to view which files are being accessed, which share is being used the most and which project
is being utilized the most is a valuable tool in troubleshooting storage problems, load balancing or
planning expansion.
Illustration 45: Analytics CIFS Traffic
The latency view shown in Illustration 46 shows that 253 operations completed in less than 131
microseconds and 197 operations completed in 131 microseconds. The Y-axis represents the latency and
the X-axis represents time. The darker bands near the bottom show that more data is being
serviced at the shorter response times than at the longer ones.
Illustration 47 shows the size of the I/O being serviced. 60K transfers are nearly all of the I/O; this
is represented by the dark line near the top of the Y-axis. There are small amounts of smaller I/O, as
shown by the scattering of blocks.
Illustration 46: Analytics CIFS ops/s by latency
Illustration 47: Analytics CIFS ops/s by size
Illustration 48 shows less dense chatter at the bottom of the Y-axis, which represents the metadata
updates on the filesystem. The darker band is the actual data being copied to disk.
Illustration 48: Analytics CIFS ops/s by offset
6 Reference Material
Product Page http://www.sun.com/storage/disksystems/unifiedstorage/
Bill Pijewski's blog
7 Quick Troubleshooting
Q: I cannot join my appliance to the domain
A1: Make sure the appliance can resolve the domain name via DNS (use nslookup from the CLI).
A2: Make sure the user you are using to join the domain has permission to add computer
accounts (domain admin rights, or a delegated right to create computer objects in the container).
A3: Make sure the appliance clock and the client clocks are within 5 minutes of the domain
controller's clock (Kerberos rejects tickets outside that default skew).
Q: I cannot assign permissions to a domain user
A: Make sure you add the fully qualified domain user name as follows: joe@sspg.central.sun.com
Q: My CIFS service is green, but I cannot see my shares from a client.
A: Make sure the Named Resource in either the project or share is not set to off.