Redbooks Paper
Alex Osuna
IBM N Series Storage Systems in a Microsoft Windows Environment
Delivering highly reliable file services to Microsoft Windows clients via the CIFS protocol
Introduction/overview
This paper provides a high-level view of how N series Storage Systems integrate in Microsoft™ Windows™ environments. Specifically, this paper discusses the following topics:
- How N series Storage Systems can be integrated into mixed-mode or native-mode Active Directory environments
- How Windows-based administrative tools, such as the Active Directory Users and Computers Microsoft Management Console (MMC), can help to perform Windows administration tasks on an N series Storage System
- How Data ONTAP supports Windows client-side features that are typically used in most Windows environments
Purpose and scope
IBM™ N series systems can deliver highly reliable file services to Microsoft Windows clients via the Common Internet File System (CIFS) protocol. This paper describes how N series Storage Systems work seamlessly in the Microsoft Windows environment. It explains how N series Storage Systems enable you to effortlessly manage data by using standard Microsoft services and features such as Active Directory, IntelliMirror, Volume Shadow Copy, Offline File Cache, Auditing, and Distributed File System (DFS™).
© Copyright IBM Corp. 2005. All rights reserved.
ibm.com/redbooks
Assumptions
Prior to reading this paper, you must have knowledge about Microsoft Windows 2000 Server and Windows 2003 Server products and their features. You must also have knowledge about IBM N series Storage System administration. For more information about N series Storage System administration, see the IBM N series System Administration Guide, GA32-0529.
Introduction
IBM N series Storage Systems are powered by Data ONTAP software. Data ONTAP software supports file services by combining the patented Write Anywhere File Layout (WAFL) file system and a microkernel design dedicated to network data access. N series Storage Systems are compatible with Windows environments. Whether operating as network-attached storage (NAS), a storage area network (SAN), or both, an N series Storage System can be used in a Windows environment. In Windows file-serving environments, N series Storage Systems look and act like Windows member servers. They can be monitored and administered using native Windows management components while providing a highly available file service. N series Storage Systems use Microsoft's industry-standard CIFS/SMB protocol. They support native implementations of the Lightweight Directory Access Protocol (LDAP) and the Kerberos authentication protocol without requiring additional software. This paper discusses how N series Storage Systems can be seamlessly integrated into enterprise-class Windows data centers to use services and features such as Active Directory, IntelliMirror, Volume Shadow Copy, Offline File Cache, Auditing, and Distributed File System.
Interaction between N series Storage Systems and Windows
The CIFS protocol is natively integrated into Data ONTAP. As a result, Windows 9.x, Windows NT™, Windows 2000, Windows XP, and Windows 2003 computers do not require additional client software to access data on N series Storage Systems. N series Storage Systems appear on the network as native file servers.
IBM N Series Storage Systems in a Microsoft Windows Environment
Figure 1 illustrates the file input/output (I/O) path between Windows computers and the N series Storage Systems.
Figure 1 Windows computers and N series Storage System I/O path (N series WAFL file system)
Just as a database uses a transaction log, the WAFL on-disk file system uses nonvolatile random access memory (NVRAM). This log-structured approach can help optimize reliability and help ensure that the file system retains its consistency. Snapshot technology leverages WAFL consistency points to create near-instantaneous online volume backups. This allows users to recover their own deleted or modified files using either Microsoft shadow copies of shared folders or simple “drag and drop” methods in Windows Explorer. SnapRestore technology makes it possible to recover very large databases from online backups in minutes rather than hours. Snapshots are simple to manage, require minimal disk space, and are easy to access.
Active Directory support
Microsoft's Active Directory service allows organizations to efficiently organize, manage, and control resources. Active Directory is implemented as a distributed, scalable database managed by Windows 2000 or Windows 2003 domain controllers. N series Storage Systems can join and participate in mixed-mode or native-mode Active Directory domains. Mixed-mode domains support a mix of Windows NT 4.0, Windows 2000 Server, and Windows 2003 Server domain controllers for directory lookups and authentication. Native-mode domains consist of Active Directory domain controllers only, and do not emulate Windows NT 4.0 domains for legacy computers. N series Storage Systems adhere to the environment in which they are installed and support both Active Directory and legacy computers.
Note: Both domain styles support legacy computers. The difference lies in how the legacy computers interact with Active Directory.
Name resolution
Similar to Windows 2000 and Windows 2003 computers in an Active Directory environment, N series Storage Systems query Domain Name System (DNS) servers to locate domain controllers. Because the Active Directory service relies on DNS to resolve names and services to IP addresses, the DNS servers that are used with N series Storage Systems in an Active Directory environment must support service location (SRV) resource records (per RFC 2782).
Note: Microsoft recommends using DNS servers that support dynamic updates (per RFC 2136), so that important changes to SRV records about domain controllers are automatically updated and available immediately to clients. When using non-Windows 2000 DNS servers, such as Berkeley Internet Name Domain (BIND) servers, verify that the version you use supports SRV records or update it to a version that supports SRV records.
Locating domain controllers
An N series Storage System attempts to sense automatically the type of domain that exists on the network when one of the following two events occurs: you run CIFS setup (the process that prepares the N series Storage System for CIFS), or CIFS restarts on an N series Storage System. It accomplishes this by identifying the type of domain controllers that are available. The N series Storage System searches first for an Active Directory domain controller by querying DNS for the SRV record of an Active Directory domain controller. (This is the same method used by Microsoft Windows-based computers.) If the N series Storage System cannot locate an Active Directory domain controller, it switches to “NT4 mode” and then searches for a Windows NT 4.0 domain controller using the Windows Internet Naming Service (WINS) and NetBIOS protocol or by using b-node broadcasts.
If the N series Storage System can locate an Active Directory domain controller, the following conditions apply:
- Clients obtain their session credentials by contacting a domain controller/Kerberos Key Distribution Center (DC/KDC).
- NetBIOS is not required to access an N series Storage System in a native-mode domain where NetBIOS-over-TCP/IP has been disabled. CIFS/SMB is supported on TCP port 445.
- Registering with WINS servers is optional and can be turned on or off for each network interface.
If the N series Storage System is configured in or switches to “NT4 mode”, the following conditions apply:
- N series Storage Systems can register each interface with WINS. (WINS registration can be turned on or off for each interface.)
- N series Storage Systems authenticate incoming sessions against a Windows domain controller using the Windows NT LAN Manager (NTLM) authentication protocol.
Active Directory site support
Active Directory sites are used to logically represent an underlying physical network. A site is a collection of networks connected at local area network (LAN) speed. Slower and less reliable wide area networks (WANs) are used between sites (locations) that are too far apart to be connected by a LAN. N series Storage Systems are Active Directory site-aware. Therefore, N series Storage Systems attempt to communicate with a domain controller in the same site instead of selecting a domain controller at a different location. It is important to place the N series Storage System in the proper Active Directory site, so that it can use the resources that are physically close to it.
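The lookup order described in the last three sections (site-specific SRV record first, then the domain-wide record, then NT4-style discovery when DNS returns nothing) can be modelled offline. The following Python is an added illustration, not Data ONTAP code: the `_ldap._tcp.dc._msdcs.<domain>` and `_ldap._tcp.<site>._sites.dc._msdcs.<domain>` names are the standard Active Directory domain controller locator records, the `example.corp` zone and its hosts are constructed sample data, and the RFC 2782 priority/weight selection is implemented generically so it also handles zones with several priorities.

```python
"""Site-aware domain controller selection from DNS SRV records (RFC 2782).

Added example, not part of the paper or of Data ONTAP. The SRV answers below
are a constructed zone; a real system would obtain them from its DNS server.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone for the hypothetical domain "example.corp" with two sites.
# dc3-branch carries a higher priority value, so it is used domain-wide only
# when no priority-0 controller answers.
SAMPLE_ZONE = {
    "_ldap._tcp.dc._msdcs.example.corp": [
        SrvRecord(0, 100, 389, "dc1.example.corp"),
        SrvRecord(0, 100, 389, "dc2.example.corp"),
        SrvRecord(10, 100, 389, "dc3-branch.example.corp"),
    ],
    "_ldap._tcp.HQ._sites.dc._msdcs.example.corp": [
        SrvRecord(0, 100, 389, "dc1.example.corp"),
        SrvRecord(0, 100, 389, "dc2.example.corp"),
    ],
    "_ldap._tcp.Branch._sites.dc._msdcs.example.corp": [
        SrvRecord(0, 100, 389, "dc3-branch.example.corp"),
    ],
}


def lookup_srv(zone, name):
    """Stand-in for a DNS SRV query against the constructed zone."""
    return list(zone.get(name, []))


def choose_by_priority_and_weight(records, rng=random):
    """RFC 2782 selection: lowest priority wins; ties are broken by a
    weighted random pick so load spreads across equal-priority controllers."""
    if not records:
        return None
    lowest = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    pick = rng.uniform(0, total)
    running = 0
    for rec in candidates:
        running += rec.weight
        if pick <= running:
            return rec
    return candidates[-1]


def locate_domain_controller(zone, domain, site=None, rng=random):
    """Return ("AD", record) when an Active Directory controller is found via
    SRV records, or ("NT4", None) when the system would fall back to
    WINS/NetBIOS discovery. The caller's own site is tried first."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    for name in names:
        rec = choose_by_priority_and_weight(lookup_srv(zone, name), rng)
        if rec is not None:
            return ("AD", rec)
    return ("NT4", None)


if __name__ == "__main__":
    for site in ("HQ", "Branch", None):
        print(site, locate_domain_controller(SAMPLE_ZONE, "example.corp", site))
    print("no DNS:", locate_domain_controller({}, "example.corp"))
```

A system placed in the wrong site picks a controller across the WAN even though the domain-wide record is correct, which is why the paper stresses site placement; the `site=None` case shows the domain-wide behaviour and the empty zone shows the NT4 fallback.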
Authentication
N series Storage Systems can operate in a Windows workgroup mode or use Kerberos authentication. Workgroup authentication allows local Windows client access and does not rely on a domain controller. With Kerberos authentication, the client negotiates the highest possible security level when a connection to the N series Storage System is established. During the session-setup sequence, Windows computers negotiate which authentication method to use. Standalone Windows NT 4.0, Windows 2000, and Windows 2003 computers that are not part of an Active Directory domain use only NTLM for authentication. By default, Windows 2003, Windows XP, and Windows 2000 computers that are part of an Active Directory domain try Kerberos authentication first and then fall back to NTLM. Windows NT 4.0, Windows NT 3.x, and Windows 95/98 clients always authenticate using NTLM. Data ONTAP includes native implementations of the NTLM and Kerberos protocols, and therefore provides full support for Active Directory and for the existing authentication methods.
Kerberos authentication
The Kerberos server, or KDC service, stores and retrieves information about security principals in the Active Directory. Unlike the NTLM model, Active Directory clients that want to establish a session with another computer, such as an N series Storage System, contact a KDC directly to obtain their session credentials.
Using Kerberos, clients contact the KDC service that runs on Windows 2000 or Windows 2003 domain controllers. Clients then pass the authenticator and encrypted Kerberos ticket to the N series Storage System, as shown in Figure 2.
Figure 2 Windows 2003 Kerberos authentication (the client contacts the domain controller, then presents Kerberos credentials to the N series)
Windows NT LAN Manager authentication
Using NTLM, the N series Storage System contacts the Windows NT 4.0 or Windows 2000 mixed-mode domain controllers to verify a user's supplied credentials, as illustrated in Figure 3.
Figure 3 Windows NTLM authentication (the client requests access; the filer contacts the domain controller and verifies the credentials)
Installing an N series Storage System in an Active Directory environment
When installing an N series Storage System in a Microsoft Active Directory environment, you must meet the following requirements:
- Verify that the N series Storage System is configured with the IP address of a DNS server that meets the requirements for Microsoft Active Directory. This address is usually the Internet Protocol (IP) address of a DNS server that is authoritative for the Windows domain.
- Manually create a host (or “A” address) record for the N series Storage System in the DNS.
- Match the N series Storage System's time and time zone setting to the ones on the domain controller.
Important: If the time settings on the N series Storage System and the domain controller are more than five minutes apart, then the installation will fail. The Kerberos protocol requires that the time settings on the N series Storage System and domain controller be nearly the same.
- Have access to an account in the domain that has rights to add a computer to the domain.
- Select the Active Directory container or organizational unit (OU) in which the N series Storage System's machine account will reside. By default, this is the Computers OU.
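Three of the requirements above (a usable DNS server with SRV records, an A record for the system, and clocks within five minutes of the domain controller) can be verified before the join is attempted. The Python below is an added example, not Data ONTAP code or an IBM tool; the DNS data, host names and timestamps are constructed, and the account and OU requirements are left out because they cannot be checked offline. The skew check converts both readings to UTC first, so a wrong time-zone setting with a correct wall-clock reading is reported as skew, which is exactly how Kerberos would see it.

```python
"""Pre-join checks for the requirements listed in the paper.

Added example, not part of the paper or of Data ONTAP. All DNS data, host
names and clock readings below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Kerberos tolerance stated in the paper: more than five minutes fails.
MAX_KERBEROS_SKEW = timedelta(minutes=5)
# Standard Active Directory domain controller locator SRV record name.
DC_LOCATOR_SRV = "_ldap._tcp.dc._msdcs.{domain}"


def clock_skew(filer_time, dc_time):
    """Absolute difference between two timezone-aware timestamps, compared in
    UTC so that a mis-set time zone shows up as skew."""
    if filer_time.tzinfo is None or dc_time.tzinfo is None:
        raise ValueError("timestamps must carry their time zone")
    return abs(filer_time.astimezone(timezone.utc) - dc_time.astimezone(timezone.utc))


def precheck_join(hostname, domain, dns_a_records, dns_srv_names, filer_time, dc_time):
    """Return a list of problems; an empty list means the checked
    requirements are met."""
    problems = []
    if hostname not in dns_a_records:
        problems.append(f"no A record for {hostname} in DNS")
    if DC_LOCATOR_SRV.format(domain=domain) not in dns_srv_names:
        problems.append(f"DNS server returns no SRV record for domain controllers of {domain}")
    skew = clock_skew(filer_time, dc_time)
    if skew > MAX_KERBEROS_SKEW:
        problems.append(f"clock skew of {skew} exceeds {MAX_KERBEROS_SKEW}")
    return problems


# Constructed environment (hypothetical names and addresses).
DNS_A = {"filer1.example.corp": "192.0.2.10", "dc1.example.corp": "192.0.2.1"}
DNS_SRV = {"_ldap._tcp.dc._msdcs.example.corp"}
PACIFIC = timezone(timedelta(hours=-8))
DC_TIME = datetime(2005, 10, 28, 17, 0, 0, tzinfo=timezone.utc)


def check_correct_zone():
    """Filer shows 09:00 in UTC-8, which is 17:00 UTC: no skew."""
    return precheck_join("filer1.example.corp", "example.corp", DNS_A, DNS_SRV,
                         datetime(2005, 10, 28, 9, 0, 0, tzinfo=PACIFIC), DC_TIME)


def check_wrong_zone():
    """Same wall-clock reading, but the filer's zone is set one hour off."""
    wrong_zone = timezone(timedelta(hours=-7))
    return precheck_join("filer1.example.corp", "example.corp", DNS_A, DNS_SRV,
                         datetime(2005, 10, 28, 9, 0, 0, tzinfo=wrong_zone), DC_TIME)


if __name__ == "__main__":
    print("correct zone:", check_correct_zone() or "ok")
    print("wrong zone:", check_wrong_zone())
```

The second scenario is the one that catches administrators: the clock on the console reads the same as the domain controller's, yet the join fails, because the time zone offset, not the displayed time, is what shifts the UTC value Kerberos compares.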
Administering an N series Storage System using a Windows computer
You can perform many Windows-based administrative tasks on an N series Storage System using Windows-based administrative tools. One such tool is the Active Directory Microsoft Management Console (MMC). By default, N series Storage Systems are installed in the Computers folder under Active Directory. Figure 4 on page 8 shows how to use the Active Directory MMC to do the following tasks:
- Provide a description of the N series Storage System in the Active Directory.
- Set a NetBIOS alias name or names of the N series Storage System.
- Disable NetBIOS over TCP.
- Specify a pre-Windows 2000 name for the N series Storage System.
- Change the N series Storage System's computer account password.
Figure 4 Using Active Directory Computer Management (N series system clpubs.-filer1.sjitso.almaden.ibm.com in domain sjitso.almaden.ibm.com)
Using the Computer Management MMC to administer an N series Storage System
Administrators can use the Computer Management MMC from any Windows computer in the domain to perform the following common administration tasks on an N series Storage System:
- Create a share on the N series Storage System
- Create a local group on the N series Storage System
- Add users to a local group
Figure 5 on page 9 and Figure 6 on page 10 illustrate how to create shares and manage local groups using the Computer Management MMC.
Figure 5 Creating a Share on an N series Storage System
Figure 6 Managing local groups on an N series Storage System
Using the Active Directory MMC to manage users
IBM N series Storage Systems support the user and group databases that are stored in Active Directory. Administrators can use Active Directory to create users and specify their user profiles and the home folders that reside on N series Storage Systems. Figure 7 on page 11 shows how to create a roaming profile on an N series Storage System for a user, using the Active Directory Users and Computers MMC.
Figure 7 Using Active Directory MMC to manage users (domain Itsosj.almaden.com)
Applying Group Policy Objects
To enable additional management in Active Directory, Group Policy Objects (GPOs) can be applied to users, computers, and servers in the domain. A GPO is a set of rules applicable to users and computers in an Active Directory environment. GPOs are defined centrally for ease of administration and increased security. Settings that you control with GPOs include environmental settings, user rights assignment, account policies, folder redirection, script assignment, security settings, and software distribution. IBM N series Storage Systems fully support GPOs that apply to users and users' computers. While there are few GPOs that are applicable to an N series Storage System, the N series Storage System can recognize and process a certain set of GPOs. The following GPOs are currently supported:
- Startup and shutdown scripts
- The GPO refresh time interval for computer GPO scripts
GPOs can be easily enabled on an N series Storage System by setting an option in Data ONTAP using the graphical user interface (GUI) available for N series Storage System administration.
How startup and shutdown scripts are applied on the N series
After GPOs are enabled on an N series Storage System and specified in the Active Directory domain, the startup and shutdown scripts are applied to the N series Storage System in the following manner:
1. When the N series Storage System starts, it retrieves GPOs from the domain controller, including the startup and shutdown scripts information.
2. The N series Storage System runs the retrieved startup scripts.
3. The N series Storage System accesses the scripts from the domain controller's sysvol directory and saves these files locally in the /etc/ad directory.
4. Periodically, the N series Storage System retrieves updates to the startup and shutdown scripts.
5. During a shutdown or a reboot, the N series Storage System runs the last retrieved shutdown script.
Using Windows DFS Manager to manage links to shares on N series Storage Systems
Windows DFS Manager can help to create and manage links to shares on N series Storage Systems, as shown in Figure 8.
Figure 8 Managing links to shares on N series Storage Systems (DFS root \\tmad.mlab.ibm.com\ntapdfs1)
Windows client features support
Data ONTAP supports many Windows client-side features typically used in Windows environments. These features are implemented and administered exactly as they are for existing Windows environments. The following list describes supported Windows client features:
- Accessing and mapping to a share
- Accessing shadow copies of a shared folder
- IntelliMirror support
  – Enabling offline folders
  – My Documents folder redirection
- Auditing event log
The following examples show how to use these features on N series Storage Systems in existing Windows environments.
Example one: Accessing shadow copies of a shared folder
Users can view snapshots taken on the N series Storage System via the Microsoft Volume Shadow Copy Service (VSS) client application. Figure 9 shows how to access shadow copies of a shared folder.
Figure 9 Accessing Shadow copies of a shared folder
Example two: Redirecting a Microsoft folder
IBM N series Storage Systems support Microsoft folder redirection, one of the key components of Microsoft IntelliMirror technology. Figure 10 on page 14 shows how to specify a target for folder redirection to a share on an N series Storage System. In this example, the My Documents folder is redirected.
Figure 10 Specifying a Target for redirecting My Documents
Example three: Auditing the event log
IBM N series Storage Systems have the ability to audit file and folder access to identify the user who took actions on the various files and directories. The actions are logged in the Microsoft Event Viewer security log format. The mechanism used to provide and manage this feature is the same one that is used by Windows file servers. Figure 11 on page 15 shows how to set an audit on a directory.
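Once auditing is set on a directory, the value lies in reading the resulting events. The Python below is an added example, not Data ONTAP or IBM code: it parses a constructed tab-separated export of object-access audit events (the column names `Time`, `User`, `Object`, `Access`, `Result` are assumptions, chosen to mirror the fields a security-log entry carries) and answers the paper's question of who acted on a file, then adds two checks a file-server administrator typically runs over the same data: users accumulating access failures, and successful deletions.

```python
"""Reading file-access audit events exported from a security log.

Added example, not part of the paper or of Data ONTAP. The export below is
constructed sample data with assumed column names.
"""
import csv
from collections import Counter
from io import StringIO

# Constructed sample export. Backslashes are doubled for Python; the parsed
# values read CORP\alice and \\filer1\finance\q3.xls.
SAMPLE_EXPORT = """\
Time\tUser\tObject\tAccess\tResult
2005-10-28 09:01:12\tCORP\\alice\t\\\\filer1\\finance\\q3.xls\tREAD\tSuccess
2005-10-28 09:02:40\tCORP\\alice\t\\\\filer1\\finance\\q3.xls\tWRITE\tSuccess
2005-10-28 09:05:03\tCORP\\bob\t\\\\filer1\\finance\\q3.xls\tREAD\tFailure
2005-10-28 09:05:05\tCORP\\bob\t\\\\filer1\\finance\\salaries.xls\tREAD\tFailure
2005-10-28 09:05:08\tCORP\\bob\t\\\\filer1\\finance\\budget.xls\tREAD\tFailure
2005-10-28 09:10:22\tCORP\\alice\t\\\\filer1\\finance\\old.xls\tDELETE\tSuccess
"""


def parse_events(text):
    """Parse a tab-separated export into a list of dicts keyed by column."""
    return list(csv.DictReader(StringIO(text), delimiter="\t"))


def who_touched(events, path):
    """Every recorded action on one object: (time, user, access, result)."""
    return [(e["Time"], e["User"], e["Access"], e["Result"])
            for e in events if e["Object"] == path]


def failed_access_by_user(events, threshold=3):
    """Users with at least `threshold` failed accesses: a burst of failures
    against files a user is not entitled to is worth a look."""
    counts = Counter(e["User"] for e in events if e["Result"] == "Failure")
    return {user: n for user, n in counts.items() if n >= threshold}


def deletions(events):
    """Successful deletions as (user, object), for reconciling against
    snapshots before a restore."""
    return [(e["User"], e["Object"])
            for e in events if e["Access"] == "DELETE" and e["Result"] == "Success"]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EXPORT)
    for row in who_touched(evs, r"\\filer1\finance\q3.xls"):
        print(row)
    print("repeated failures:", failed_access_by_user(evs))
    print("deleted:", deletions(evs))
```

The deletion report pairs naturally with the snapshot and shadow-copy features described earlier: the audit log says who removed the file and when, and the snapshot from before that time is where to recover it.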
Figure 11 Setting an audit on a directory (domain Itsosj.almaden.ibm.com)
Conclusion
IBM N series Storage Systems are built on principles of simplicity, scalability, high data availability, and easy integration with the existing environment. The N series Storage Systems support a broad range of Windows client types and client features, fully leverage the management and authentication framework provided by Active Directory, and allow administrators to continue to use the native Microsoft administration tools with which they are familiar. As a result, the N series Storage Systems better protect information assets, dramatically simplify the file-serving environment, and increase overall corporate productivity.
Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A. The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. 
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrates programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. 
You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.
This document was created or updated on October 28, 2005. Send us your comments in one of the following ways:
- Use the online Contact us review redbook form found at: ibm.com/redbooks
- Send your comments in an email to: redbook@us.ibm.com
- Mail your comments to: IBM Corporation, International Technical Support Organization, Dept. QXXE, Building 80-E2, 650 Harry Road, San Jose, California 95120-6099, U.S.A.
Trademarks
The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:
Eserver®, ibm.com®, DFS®, IBM®, Redbooks™, Redbooks™ (logo), TotalStorage™
The following terms are trademarks of other companies: Java™ and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Intel®, Intel logo, Intel Inside®, Intel Inside logo, Intel Centrino™, Intel Centrino logo, Celeron®, Intel Xeon™, Intel SpeedStep®, Itanium®, and Pentium™ are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. UNIX™ is a registered trademark of The Open Group in the United States and other countries. Linux™ is a trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.
NetApp, the Network Appliance logo, the bolt design, DataFabric, FAServer, storage systemView, MultiStore, NearStore, NetCache, SecureShare, SnapManager, SnapMirror, SnapMover, SnapRestore, SnapVault, SyncMirror, and WAFL are registered trademarks and Network Appliance, ApplianceWatch, BareMetal, Camera-to-Viewer, Center-to-Edge, ContentDirector, ContentFabric, Data ONTAP, EdgeFiler, HyperSAN, InfoFabric, NetApp Availability Assurance, NetApp ProTech Expert, NOW, NOW NetApp on the Web, RoboCache, RoboFiler, SecureAdmin, Serving Data by Design, SharedStorage, Smart SAN, SnapCache, SnapCopy, SnapDirector, SnapDrive, SnapFilter, SnapMigrator, Snapshot, SnapSuite, SohoCache, SohoFiler, The evolution of storage, Vfiler, VFM, Virtual File Manager, and Web Filer are trademarks of Network Appliance, Inc. in the U.S. and other countries. All other brands or products are trademarks or registered trademarks of their respective holders and should be treated as such.