Access denied when changing NTFS permissions on a NetApp CIFS share from Windows 2008

I suspect this problem isn’t limited to just managing CIFS shares on NetApps. I bet if you’ve got a Windows file server and you’re trying to edit NTFS permissions on shares via the Windows 2008 Computer Management MMC you’ll get this error message.

In our case we’ve got a NetApp FAS2040 joined to our new AD forest with a few CIFS shares on it. In this new forest we’re using Windows 2008 R2 domain controllers and our forest is set to a 2008 functional level.

When we want to manage the NTFS permissions of CIFS shares exported from our old NetApp FAS2020 in our old forest (which is at a 2003 functional level with 2003 domain controllers) we’d typically log in to a Windows 2003 server, load up the Computer Management MMC and connect to our NetApp.

Today I created a new CIFS share on our FAS2040, logged into a Windows 2008 R2 server, fired up the Computer Management MMC, connected to the NetApp and tried to change the NTFS permissions on the share. This is what I got:

This shouldn’t be happening. The account I’m using is a Domain Administrator and the Domain Admins group has been added to the NetApp’s local Administrator group.

If you click ‘Cancel’ all the way out and then go back and view the NTFS permissions it will turn out that the changes did take effect despite the “Access Denied” error message.

For some odd reason I thought to try using a Windows 2003 Server from our old forest to manage the NTFS permissions. It worked perfectly with no access denied error. What gives?

Turns out this does: http://support.microsoft.com/kb/972299

Microsoft doesn’t explicitly state this but to “solve” the problem just create an empty folder, a blank text file or anything in the share first and then edit the permissions… or you can fire up a Windows 2003 Server and just use its MMC.

How to securely erase your data on a NetApp

When drives in a NetApp are being obsoleted and replaced we need to make sure we securely erase all data that used to be on them. Unless you’re just going to crush your disks.

In this example we’ve got an aggregate of 14 disks (aggr0) that need to be wiped and removed from our NetApp so they can be replaced with new, much larger disks.

There are two methods that you can use to wipe disks using your NetApp. The first is to simply delete the aggregate they are a member of, turning them into spares, and then run “disk zero spares” from the command line on your NetApp. This only does a single pass and only zeroes the disks. There are arguments I’ve seen where some people say this is enough. I honestly don’t know and we have a requirement to do a 7 pass wipe in our enterprise. You could run the zero command 7 times but I don’t imagine that would be as effective as option number two.

The second option is to run the ‘disk sanitize’ command which allows you to specify which disks you want to erase and how many passes to perform. This is what we’re going to use.

The first thing you’ll need to do is get a license for your NetApp to enable the ‘disk sanitize’ command. It’s a free license (so I’ve been told) and you can contact your sales rep to get one. We got ours for free and I’ve seen forum posts from other NetApp owners saying the same thing.

There is a downside to installing the disk sanitization license. Once it’s installed on a NetApp it cannot be removed. It also restricts the use of three commands once installed:

  • dd (to copy blocks of data)
  • dumpblock (to print dumps of disk blocks)
  • setflag wafl_metadata_visible (to allow access to internal WAFL files)

There are also a few limitations regarding disk sanitization you should know about:

  • It is not supported in takeover mode for systems in an HA configuration. (If a storage system is disabled, it remains disabled during the disk sanitization process.)
  • It cannot be carried out on disks that were failed due to readability or writability problems.
  • It does not perform its formatting phase on ATA drives.
  • If you are using the random pattern, it cannot be performed on more than 100 disks at one time.
  • It is not supported on array LUNs.
  • It is not supported on SSDs.
  • If you sanitize both SES disks in the same ESH shelf at the same time, you see errors on the console about access to that shelf, and shelf warnings are not reported for the duration of the sanitization. However, data access to that shelf is not interrupted.

I’ve also read that you shouldn’t sanitize more than 6 disks at once. I’m going to sanitize our disks in batches of 5, 5 and 4 (14 total). I’ve also read you do not want to sanitize disks across shelves at the same time.

 

Licensing disk sanitization

Once you’ve got your license you’ll need to install it. Log in to your NetApp via SSH and run the following:

 

Sanitizing your disks

1. Identify what disks you want to sanitize

Here I’ve got 13 disks in aggr0 and the 14th acting as a spare. I need to delete aggr0 to free up the disks to be sanitized.

 

2. Delete the aggregate the disks are part of

 

3. Verify all the disks you want to sanitize are now spares

 

4. Sanitize the first batch of disks (7 passes)

 

You can periodically check the status of the sanitization by running:

 

When the disks have been sanitized, if you want to re-use them instead of replacing them, run this command:

This will add the sanitized disks to the spare pool.
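The batching rules described above (no more than 6 disks at once, never across shelves, 7 passes) can be turned into a small planner. This is an added example, not code from the original post: the disk names `0a.16` to `0a.29` and the shelf label are constructed, and the upper bound of seven for `-c` is an assumption taken from Data ONTAP 7-Mode documentation.

```python
import re

MAX_CYCLES = 7   # assumption: -c accepts at most seven cycles on Data ONTAP 7-Mode
MAX_BATCH = 6    # the post: don't sanitize more than 6 disks at once
DISK_NAME = re.compile(r"[0-9a-z]+\.[0-9.]+")  # e.g. 0a.16 (constructed format check)


def plan_batches(spares_by_shelf, batch_size=5):
    """Split spare disks into batches that never span two shelves."""
    if not 1 <= batch_size <= MAX_BATCH:
        raise ValueError(f"batch_size must be 1..{MAX_BATCH}")
    seen, batches = set(), []
    for shelf in sorted(spares_by_shelf):
        disks = spares_by_shelf[shelf]
        for disk in disks:
            # Reject odd names (spaces, metacharacters) and duplicates up front.
            if not DISK_NAME.fullmatch(disk) or disk in seen:
                raise ValueError(f"bad or duplicate disk name: {disk!r}")
            seen.add(disk)
        # Chunk per shelf so one batch never mixes shelves.
        batches += [disks[i:i + batch_size]
                    for i in range(0, len(disks), batch_size)]
    return batches


def sanitize_commands(spares_by_shelf, cycles=7, batch_size=5):
    """Return one 'disk sanitize start' line per batch, to be run one at a time."""
    if not 1 <= cycles <= MAX_CYCLES:
        raise ValueError(f"cycles must be 1..{MAX_CYCLES}")
    return [f"disk sanitize start -c {cycles} " + " ".join(batch)
            for batch in plan_batches(spares_by_shelf, batch_size)]


# Constructed sample: 14 spares on one shelf (hypothetical names 0a.16 .. 0a.29).
SAMPLE_SPARES = {"shelf1": [f"0a.{n}" for n in range(16, 30)]}

if __name__ == "__main__":
    for line in sanitize_commands(SAMPLE_SPARES):
        # Let 'disk sanitize status' report completion before starting the next batch.
        print(line)
```
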

 

There are a few options you can customize when running the ‘disk sanitize’ command.

 

References (NetApp login required)

How to rename SnapMirror Target volumes on a NetApp

Someone not following your naming convention? We’ve got two filers (netapp1 and netapp2) and I want to rename a SnapMirror target to follow our new naming convention. We’re going to prefix the volume ‘sampleTarget’ with ‘st_’ to designate it as a SnapMirror Target.

1. Log in via SSH to the NetApp that has the SnapMirror Target

2. Open the ‘etc$’ share on the NetApp that has the SnapMirror Target (\\<FILER>\etc$)

3. Open ‘snapmirror.conf’ on the ‘etc$’ share in Notepad

4. Run ‘snapmirror status’ and make sure no mirror operations are currently running

5. Run ‘snapmirror off’ to disable SnapMirror

6. Rename the volume

7. In the ‘snapmirror.conf’ file update the configuration to reflect the rename you just performed

8. Save and close ‘snapmirror.conf’

9. Restart SnapMirror

10. Manually update the SnapMirror to verify it’s working

11. If you back up your SnapMirror volumes using NDMP you’ll need to update your backup jobs to reflect the new volume name
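Step 7 is where a stray search-and-replace can break a different relationship, because the same volume name may also appear as a source. The sketch below is an added example, not part of the original post: it rewrites only the destination field of matching `snapmirror.conf` entries. It assumes netapp2 is the filer holding the target; the source volume name, the second entry and the schedules are constructed.

```python
SAMPLE_CONF = """\
# constructed sample snapmirror.conf on the destination filer
netapp1:sampleSource netapp2:sampleTarget - 0 * * *
netapp1:sampleTarget netapp2:st_other - 15 * * *
"""


def _fields(line):
    """Return the whitespace-split fields of an entry, or [] for comments/blanks."""
    stripped = line.strip()
    return [] if not stripped or stripped.startswith("#") else stripped.split()


def rename_destination(conf_text, dest_filer, old_vol, new_vol):
    """Rewrite only the destination field (field 2); return (new_text, changed)."""
    old_dest = f"{dest_filer}:{old_vol}"
    new_dest = f"{dest_filer}:{new_vol}"
    lines = conf_text.splitlines()
    # Refuse to create two entries that write into the same destination volume.
    if any(f[1:2] == [new_dest] for f in map(_fields, lines)):
        raise ValueError(f"{new_dest} is already a SnapMirror destination")
    out, changed = [], 0
    for line in lines:
        fields = _fields(line)
        if fields[1:2] == [old_dest]:
            fields[1] = new_dest
            line = " ".join(fields)  # the entry is re-joined with single spaces
            changed += 1
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    text, n = rename_destination(SAMPLE_CONF, "netapp2",
                                 "sampleTarget", "st_sampleTarget")
    print(f"{n} entry updated")
    print(text, end="")
```
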

How to migrate volumes between aggregates on a NetApp

There are two sets of instructions in this post. Follow the first for migrating regular volumes. Follow the second set for migrating SnapMirror Targets.

To keep things simple I use the original volume name and append ‘NEW’ at the end for the new volume, then rename the original volume and append ‘OLD’ to the end of it. In the examples below I’m going to move a 100 GB volume called ‘shares’ from aggr0 to aggr1.

 

Migrate a volume from one aggregate to another (NOT A SNAPMIRROR TARGET)

1.    Determine the size and name of the volume you are going to migrate

2.    Create a new volume the same size as the old volume

3.    NDMP copy the data from the old volume to the new volume

4.    Once the copy is complete rename the original volume to a temporary name

5.    Rename the new volume to match the original volume’s name

6.    Offline the old volume

7.    After doing a sanity check to verify all the data was properly copied delete the old volume

8.    If your volume was exported or configured as a CIFS share verify functionality of that export or share. They should still work.

 

Migrate a volume from one aggregate to another (SNAPMIRROR TARGET)

1.    Determine the size of the volume you are going to migrate

2.    Create a new volume the same size as the old volume

3.    Once the copy is complete rename the original volume to a temporary name

4.    Rename the new volume to match the original volume’s name

5.    Offline the old volume

6.    Delete the old volume

7.    Restrict the new volume

8.    Re-initialize the Snapmirror relationship

How to migrate the root volume on a NetApp

Need to switch your root volume (vol0) to a different aggregate on a NetApp?

I performed the following on a NetApp FAS2020 running Data ONTAP 7.3.5.1.

WARNING: IF DONE INCORRECTLY THIS COULD RESULT IN YOUR NETAPP BEING UNABLE TO BOOT. PROCEED AT YOUR OWN RISK. You may want to consider speaking with NetApp directly instead of following these instructions. They can be reached at 1-888-463-8277 if you are in Canada or the United States.

1.    Determine the current size of vol0

2.    Create a new vol0 of the same size on the new aggregate

3.    Verify NDMP is running on the NetApp

4.    NDMP copy the contents of the original vol0 to the new vol0new

5.    Set the new vol0 as the root for the filer

6.    Reboot the filer

7.    Verify that vol0new is the root volume and the NetApp booted off it

Verify that vol0new’s options start with “root, diskroot,” and that vol0’s do not.

8.    Offline the old root volume (vol0)

9.    Destroy the old root volume (vol0)

10.    Rename the new vol0new to vol0

11.    Verify the rename took