Difference between revisions of "Celerra"

From WolfTech
Line 69: Line 69:
 
#On your server, you'll have a folder and share created automatically (everyone is different -- but looking at your server, you'll know what I'm talking about). In the case of ECE, this is the C:/ECE folder on our server "celerra-ece.ece.ncsu.edu". It's shared as "ECE" by the OIT service group. It's permissions are set to allow your admin group and a standard admin group for the celerra admins (OIT) access. None others. Leave it be. Don't edit it. This is your emergency backdoor just in case you muck something up.  
 
#On your server, you'll have a folder and share created automatically (everyone is different -- but looking at your server, you'll know what I'm talking about). In the case of ECE, this is the C:/ECE folder on our server "celerra-ece.ece.ncsu.edu". It's shared as "ECE" by the OIT service group. It's permissions are set to allow your admin group and a standard admin group for the celerra admins (OIT) access. None others. Leave it be. Don't edit it. This is your emergency backdoor just in case you muck something up.  
 
#C:\ECE is the location of the mounted storage space. This is the "volume" which you've purchased -- likely a 1TB one. For all intents and purposes, you need to think of C:\ECE as the D:\ drive of a standard Windows file server. It's not a folder -- its the root of the drive. When you purchase your next slice of space, it will be created along side. For example, if one of your research groups pays for a 1TB of space -- you'll request that it be mounted as C:\ECE2 or perhaps C:\SPEC if one of your research groups named SPEC pays for it. Whatever helps you differentiate.  
 
#C:\ECE is the location of the mounted storage space. This is the "volume" which you've purchased -- likely a 1TB one. For all intents and purposes, you need to think of C:\ECE as the D:\ drive of a standard Windows file server. It's not a folder -- its the root of the drive. When you purchase your next slice of space, it will be created along side. For example, if one of your research groups pays for a 1TB of space -- you'll request that it be mounted as C:\ECE2 or perhaps C:\SPEC if one of your research groups named SPEC pays for it. Whatever helps you differentiate.  
#Your first step is to create the folder you'll share to the world. Creating your root share: c:\ECE\data
+
#Your first step is to create the root share. You'll be placing all of your files in C:\ECE\data Within the C:\ECE folder will be nothing else. Well, you may have a "tools" directory created by OIT -- this contains some scripts for managing your celerra instance -- specifically regarding features like ABE. Which we'll discuss later. When creating any SMB share, its important that you set the share perms to allow EVERYONE *FULL* access to the share. We'll protect the files within in another way.  
 +
##Something you do need to consider is caching -- do you want
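Review bot: The sub-item added at the end of this hunk ("##Something you do need to consider is caching -- do you want") stops mid-sentence, so the revision publishes an unfinished step; finish the caching guidance or hold the line back until it is written. In the rewritten step above it, "C:\ECE\data Within the C:\ECE folder" is missing a period after the path. The same step tells readers to grant EVERYONE *FULL* on the share and then only says "We'll protect the files within in another way"; name the mechanism in that sentence so nobody creates the share and stops there.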

Revision as of 18:49, 24 October 2009

The Celerra is a multiprotocol NAS head that can be attached to an EMC Clariion to provide SAN access via CIFS, NFS, or FTPS. The OIT-ISO-PROV group is building a storage service (and price point) around using this instead of accessing the SAN via Fibre Channel.

One of the primary features of the Celerra is the ability to create CIFS servers and join them to AD domains.

Quirks:

  • Access Based Enumeration (ABE) has to be enabled on the back end.
  • Shadow Copy has to be enabled on the back end.
  • File Filtering (by extension) has to be enabled on the back end.
  • Quotas must be managed using a command-line tool from EMC.
  • While the shares on the Celerra "server" can be used for DFS Roots or leaf nodes, NTFRS/DFS-R are not supported.
  • The first share on the "server" must be created on the back end (and it comes with some *nix-y folders that automatically get created within it). You can create additional shares inside the first one, but you do not have access directly under C$ to create any. You also will need to type in the share paths since it won't let you browse inside the original share.
  • When using the MMC Share snap-in to set NTFS permissions (not share permissions), you will be disabling inheritance of NTFS permissions. It is recommended to change the permissions by mapping a higher-level share and setting them there.

GPO Support: The Celerra "server" will update its Group Policy every 90 minutes (need to double check) to update certain settings:

  • Security Settings
  • Audit Policy
  • Restricted Groups??

The information that OIT needs if you wish to use the service:

 Amount of storage (current pricing is <$1300/year)
 FQDN of the "server"
 Shadow Copy Enabled?
 ABE Enabled?
 AD Group that will be assigned permissions
 Name of the 1st share you want on it

Support models:

  • Support it yourself (OIT creates it, gives permissions, you move it to your OU, and you deal with it)
  • Helpdesk Supported (more info once the HD is trained)

Getting Started

Your Server

It's recommended that, when requesting a new Celerra file server, you follow the naming convention of starting the name with "celerra-". Doing so will avoid confusion when attempting to manage these "servers". You're welcome to use any description after this -- for example, my two servers are "celerra-ece.ece.ncsu.edu" and "celerra-freedm.ece.ncsu.edu".

This brings up the question of when you need multiple servers versus multiple shares. Why didn't I just put the files for our FREEDM research group under the main ECE celerra server? Delegation of responsibility. The FREEDM center will have its own IT staff who will be responsible for running their file storage. Before we had celerra services, they would have purchased a separate physical server that they would have managed themselves. This acknowledges and continues that practice.

Your Primary Shares

When your server is created, you'll find that it will come with at least one primary share. In the case of "celerra-ece", this was the share "ECE" on C:\ECE. This is the only *primary* share on the server currently. OK, so what's a "primary share"? First off, this is a term I'm making up on the spot -- but something is needed to describe this. When you purchased space from OIT, they created this storage location for you. Within the virtual server, this primary share is where your purchased space has been placed. As I mentioned, for us, it was C:\ECE.

I *HIGHLY* recommend that you don't place any files here. Keep it empty. And the first thing you need to do is change the permissions on this space to only allow your server admins access.

Treat this share as a special one. And recognize that it's tied to a specific purchase/fee. When you later decide you need more space, or more likely, when one of your research groups decides to pony up for more space, you should create another primary share. If my "ARM" research group decides they want to purchase space, I'll ask OIT to create a new primary share called "C:\ARM" on my celerra-ece.ece.ncsu.edu server. (why not create a new server for them? We directly support them -- they have no IT staff). Once again, no files will be placed in the root of that share.

Your File Shares

When you're ready to start using your space, you'll need to create file shares. My first was for storage of our security camera footage (we have a system that captures still images from our teaching labs).

I used the Computer Management MMC for celerra-ece.ece.ncsu.edu to create a "New Share". The location was C:\ECE\cameras. The share name was "cameras$". The share permissions were Everyone with Full rights. The NTFS permissions limited access to our camera server admins group and a service account we have to move these files around.

Note the location of the share -- this file share is within the "ECE" primary share. As such, it will eat up some of my quota there and inherits the permissions of that primary share (this is why it's important to edit the permissions on that primary share straight away -- you can edit your shares to not inherit permissions, but this can get you into trouble later on so I'd advise against it).

The share name is also important. Note the fact that it ends with a dollar sign. Why? Doing so will hide the share. Someone navigating to \\celerra-ece.ece.ncsu.edu\ will not see this share listed. If you've set the permissions correctly, this shouldn't matter, but it never hurts to add a layer of protection.

Even if you SHOULD be able to get into this share, I don't want anyone finding this location accidentally and mapping it -- everyone coming to my shares should do so via the DFS path I've published for my users.

The share permissions should be set to Everyone Full simply to avoid confusion and permission hell. Setting them this way takes share permissions out of play. The permissions on your files should be completely determined by their NTFS permissions.
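
With share permissions set to Everyone Full, the NTFS ACL is the only thing gating access, so it is worth checking directly. The following is an added example, not part of the original page: it reads the ACL at the root of each share over its UNC path and flags allow entries for broad principals, and also reports whether inheritance has been blocked. The function name `Test-ShareAcl` and the list of "broad" principals are assumptions; the share paths are the ones named above.

```powershell
# Added example (not from the original page). Run from a domain-joined
# workstation as a member of the server admins group.
$shares = @(
    '\\celerra-ece.ece.ncsu.edu\ECE',
    '\\celerra-ece.ece.ncsu.edu\cameras$'
)

# Assumed list of principals that should not hold rights when NTFS is the
# only gate; adjust to local policy.
$broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

function Test-ShareAcl {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $id      = $ace.IdentityReference.Value
        $isBroad = ($broad -contains $id) -or ($id -like '*\Domain Users')

        [pscustomobject]@{
            Path               = $Path
            Identity           = $id
            Rights             = $ace.FileSystemRights
            Type               = $ace.AccessControlType
            Inherited          = $ace.IsInherited
            # True means this folder no longer inherits from the primary share
            InheritanceBlocked = $acl.AreAccessRulesProtected
            Flag               = if ($isBroad -and $ace.AccessControlType -eq 'Allow') {
                                     'BROAD-ALLOW'
                                 } else { '' }
        }
    }
}

$shares | ForEach-Object { Test-ShareAcl -Path $_ } | Format-Table -AutoSize
```

Any row marked BROAD-ALLOW means the share is effectively open to that principal, since the share-level permission does not restrict anything.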

Advanced Features

Using Shadow Copies

Using Access Based Enumeration

Quick Steps

  1. In your Unit OU, make sure you have a subOU called "Servers". In here, create "Celerra" -- here's where you'll place all of the Celerra server objects OIT will create for you.
  2. Create a group in this OU -- "<OU>-Celerra Server Admins"
  3. Place in this group any admins you expect to control these file servers. When asked by OIT, this is the group you'll tell them to give control over your Celerra server.
  4. Most Units will only need one server as multiple "volumes" can be purchased and hung onto this single server. Why would you need a 2nd server? Control. He who controls the server, controls the shares on it. Remember that it's not possible to delegate the ability to make a share -- you must be an administrator on a computer to do this. So if you think that someone outside of your group will need access that high, you need to create a 2nd Celerra server object and give a different group control over it.
  5. On your server, you'll have a folder and share created automatically (everyone is different -- but looking at your server, you'll know what I'm talking about). In the case of ECE, this is the C:/ECE folder on our server "celerra-ece.ece.ncsu.edu". It's shared as "ECE" by the OIT service group. Its permissions are set to allow your admin group and a standard admin group for the celerra admins (OIT) access. None others. Leave it be. Don't edit it. This is your emergency backdoor just in case you muck something up.
  6. C:\ECE is the location of the mounted storage space. This is the "volume" which you've purchased -- likely a 1TB one. For all intents and purposes, you need to think of C:\ECE as the D:\ drive of a standard Windows file server. It's not a folder -- it's the root of the drive. When you purchase your next slice of space, it will be created alongside. For example, if one of your research groups pays for 1TB of space -- you'll request that it be mounted as C:\ECE2 or perhaps C:\SPEC if one of your research groups named SPEC pays for it. Whatever helps you differentiate.
  7. Your first step is to create the root share. You'll be placing all of your files in C:\ECE\data. Within the C:\ECE folder will be nothing else. Well, you may have a "tools" directory created by OIT -- this contains some scripts for managing your celerra instance -- specifically regarding features like ABE, which we'll discuss later. When creating any SMB share, it's important that you set the share perms to allow EVERYONE *FULL* access to the share. We'll protect the files within in another way.
    1. Something you do need to consider is caching -- do you want