Celerra

From WolfTech
Revision as of 12:17, 20 April 2009 by Djgreen (talk | contribs)
Jump to navigation Jump to search

The Celerra is multiprotocol NAS head that can be attached to an EMC Clariion to provide SAN access via CIFS, NFS, or FTPS. The OIT-ISO-PROV group is building a storage service (and price point) around using this instead of accessing the SAN via Fibre Channel.

One of the primary features of the Celerra is the ability to create CIFS servers and join them to AD domains.

Quirks:

  • Access Based Enumeration (ABE) has to be enabled on the back end.
  • Shadow Copy has to be enabled on the back end.
  • File Filtering (by extension) has to be enabled on the back end.
  • Quotas must be managed using a command-line tool from EMC.
  • While the shares on the Celerra "server" can be used for DFS Roots or leaf nodes, NTFRS/DFR-R are not supported.
  • The first share on the "server" must be created on the back end (and it comes with some *nix-y folders that automatically get created within it). You can create additional shares inside the first one, but you do not have access directly under C$ to create any. You also will need to type in the share paths since it won't let you browse inside the original share.
  • When using the MMC Share snap-in to set NTFS permissions (not share permissions), you will be disabling inheritence of NTFS permissions. It is recommended to change the permissions by mapping higher-level share and setting them there.

GPO Support: The Celerra "server" will update its Group Policy every 90 minutes (need to double check) to update certain settings:

  • Security Settings
  • Audit Policy
  • Restricted Groups??

The information that OIT needs if you wish to use the service:

 Amount of storage (current pricing is <$1300/year)
 FQDN of the "server"
 Shadow Copy Enabled?
 ABE Enabled?
 AD Group that will be assigned permissions
 Name of the 1st share you want on it

Support models:

  • Support it yourself (OIT Creates is, gives permissions, you move it to your OU, and you deal with it)
  • Helpdesk Supported (more info once the HD is trained)

Getting Started

Your Server

It's recommended that when requesting a new Celerra file server, that you following the naming convention of starting the name with "celerra-". Doing so will avoid confusion when attempting to manage these "servers". You're welcome to use any description after this -- for example, my two servers are "celerra-ece.ece.ncsu.edu" and "celerra-freedm.ece.ncsu.edu".

This brings up the question of when do you need multiple servers versus multiple shares? Why didn't I just put the files for our FREEDM research group under the main ECE celerra server? Delegation of responsibility. The FREEDM center will have its own IT staff who will be responsible for running their file storage. Before we had celerra services, they would have purchases a separate physical server that they would have managed themselves. This acknowledges and continues that practice.

Your Primary Shares

When you server is created, you'll find that it will come with at least one primary share. In the case of "celerra-ece", this was the share "ECE" on C:\ECE. This is the only *primary* share on the server currently. OK, so what's a "primary share"? First off, this is a term I'm making up on the spot -- but something is needed to describe this. When you purchased space from OIT, they created this storage location for you. Within the virtual server, this primary share is where your purchased space has been placed. As I mentioned, for us, it was C:\ECE.

I *HIGHLY* recommend that you don't place any files here. Keep it empty. And the first thing you need to do is change the permissions on this space to only allow your server admins access.

Treat this share as a special one. And recognize that it's tied to a specific purchase/fee. When you later decide you need more space, or more likely, when one of your research groups decides to pony up for more space, you should create another primary share. If my "ARM" research group decides they want to purchase space, I'll ask OIT to create a new primary share called "C:\ARM" on my celerra-ece.ece.ncsu.edu server. (why not create a new server for them? We directly support them -- they have no IT staff). Once again, no files will be placed in the root of that share.

Your File Shares

When you're ready to start using your space, you'll need to create file shares. My first was for storage of our security camera footage (we have a system that captures still images from our teaching labs).

I used the Computer Management MMC for celerra-ece.ece.ncsu.edu to create a "New Share". The location was C:\ECE\cameras. The share name was "cameras$". Share permissions was Everyone with Full Rights. The NTFS permissions limited access to our camera server admins group and a service account we have to move these files around.

Note the location of the share -- this file share is within the "ECE" primary share. As such, it will eat up some of my quota there and inherits the permissions of that primary share (this is why it's important to edit the permissions on that primary share straight away -- you can edit your shares to not inherit permissions, but this can get you into trouble later on so I'd advise against it).

The share name is also important. Note the fact that it ends with a dollar sign. Why? Doing so will hide the share. Someone navigating to \\celerra-ece.ece.ncsu.edu\ will not see this share listed. If you've set the permissions correctly, this shouldn't matter, but it never hurts to add a layer of protection.

Even if you SHOULD be able to get into this share, I don't want anyone finding this location accidentally and mapping it -- everyone coming to my shares should do so via the DFS path I've published for my users.

The share permissions should be set to Everyone Full simply to avoid confusion and permission hell. Setting it in this manner eliminates its use. The permssions on your files should be completely determined by their NTFS permissions.