Monthly Archives: April 2012

Access denied when changing NTFS permissions on a NetApp CIFS share from Windows 2008

by

12

I suspect this problem isn’t limited to just managing CIFS shares on NetApp’s. I bet if you’ve got a Windows File Server and you’re trying to edit NTFS permissions on shares via a Windows 2008 Computer Management MMC you’ll get this error message.

In our case we’ve got a NetApp FAS2040 joined to our new AD forest with a few CIFS shares on it. In this new forest we’re using Windows 2008 R2 domain controllers and our forrest is set to a 2008 functional level.

When we want to manage the NTFS permissions of CIFS shares exported from our old NetApp FAS2020 in our old forrest (which is at a 2003 functional level with 2003 domain controllers) we’d typically login to a Windows 2003 server, load up the Computer Management MMC and connect to our NetApp.

Today I created a new CIFS share on our FAS2040, logged into a Windows 2008 R2 server, fired up the Computer Management MMC, connected to the NetApp and tried to change the NTFS permissions on the share. This is what I got:

This shouldn’t be happening. The account I’m using is a Domain Administrator and the Domain Admins group has been added to the NetApps local Administrator group.

If you click ‘Cancel’ all the way out and then go back and view the NTFS permissions it will turn out that the changes did take effect despite the “Access Denied” error message.

For some odd reason I thought to try using a Windows 2003 Server from our old forest to manage the NTFS permissions. It worked perfectly with no access denied error. What gives?

Turns out this does: http://support.microsoft.com/kb/972299

Microsoft doesn’t explicitly state this but to “solve” the problem just create an empty folder, a blank text file or anything in the share first and then edit the permissions… or you can fire up a Windows 2003 Server and just use it’s MMC.

How to securely erase your data on a NetApp

by

19

When drives in a NetApp are being obsoleted and replaced we need to make sure we securely erase all data that used to be on them. Unless you’re just going to crush your disks.

In this example we’ve got an aggregate of 14 disks (aggr0) that need to be wiped and removed from our NetApp so they can be replaced with new, much larger disks.

There are two methods that you can use to wipe disks using your NetApp. The first is to simply delete the aggregate they are a member of, turning them into spares and then running “disk zero spares” from the command line on your NetApp. This only does a single pass and only zero’s the disks. There are arguments I’ve seen where some people say this is enough. I honestly don’t know and we have a requirement to do a 7 pass wipe in our enterprise. You could run the zero command 7 times but I don’t imagine that would be as effective as option number two. The second option is to run the ‘disk sanitize’ command which allows you to specify which disks you want to erase and how many passes to perform. This is what we’re going to use.

The first thing you’ll need to do is get a license for your NetApp to enable the ‘disk sanitize’. It’s a free license (so I’ve been told) and you can contact your sales rep to get one. We got ours for free and I’ve seen forum posts from other NetApp owners saying the same thing.

There is a downside to installing the disk sanitization license. Once it’s installed on a NetApp it cannot be removed. It also restricts the use of three commands once installed:

  • dd (to copy blocks of data)
  • dumpblock (to print dumps of disk blocks)
  • setflag wafl_metadata_visible (to allow access to internal WAFL files)

There are also a few limitations regarding disk sanitization you should know about:

  • It is not supported in takeover mode for systems in an HA configuration. (If a storage system is disabled, it remains disabled during the disk sanitization process.)
  • It cannot be carried out on disks that were failed due to readability or writability problems.
  • It does not perform its formatting phase on ATA drives.
  • If you are using the random pattern, it cannot be performed on more than 100 disks at one time.
  • It is not supported on array LUNs.
  • It is not supported on SSDs.
  • If you sanitize both SES disks in the same ESH shelf at the same time, you see errors on the console about access to that shelf, and shelf warnings are not reported for the duration of the sanitization. However, data access to that shelf is not interrupted.
I’ve also read that you shouldn’t sanitize more then 6 disks at once. I’m going to sanitize our disks in batches of 5, 5 and 4 (14 total). I’ve also read you do not want to sanitize disks across shelves at the same time.

 

Licensing disk sanitization

Once you’ve got your license you’ll need to install it. Login to your NetApp via SSH and run the following:

netapp> license add <DISK SANTIZATION LICENSE>

You will not be able to remove this license, are you sure you
wish to continue? [no] yes
A disk_sanitization site license has been installed.
        Disk Sanitization enabled.

Thu Apr 19 10:00:28 PDT [rc:notice]: disk_sanitization licensed

 

Sanitizing your disks

1. Identify what disks you want to sanitize

netapp> sysconfig -r

Aggregate aggr0 (online, raid_dp) (block checksums)
  Plex /aggr0/plex0 (online, normal, active)
    RAID group /aggr0/plex0/rg0 (normal)

      RAID Disk Device  HA  SHELF BAY CHAN Pool Type  RPM  Used (MB/blks)    Phys (MB/blks)
      --------- ------  ------------- ---- ---- ---- ----- --------------    --------------
      dparity   0a.16   0a    1   0   FC:A   -  ATA   7200 211377/432901760  211921/434014304
      parity    0a.17   0a    1   1   FC:A   -  ATA   7200 211377/432901760  211921/434014304
      data      0a.18   0a    1   2   FC:A   -  ATA   7200 211377/432901760  211921/434014304
      data      0a.19   0a    1   3   FC:A   -  ATA   7200 211377/432901760  211921/434014304
      data      0a.20   0a    1   4   FC:A   -  ATA   7200 211377/432901760  211921/434014304
      data      0a.21   0a    1   5   FC:A   -  ATA   7200 211377/432901760  211921/434014304
      data      0a.22   0a    1   6   FC:A   -  ATA   7200 211377/432901760  211921/434014304
      data      0a.23   0a    1   7   FC:A   -  ATA   7200 211377/432901760  211921/434014304
      data      0a.24   0a    1   8   FC:A   -  ATA   7200 211377/432901760  211921/434014304
      data      0a.25   0a    1   9   FC:A   -  ATA   7200 211377/432901760  211921/434014304
      data      0a.26   0a    1   10  FC:A   -  ATA   7200 211377/432901760  211921/434014304
      data      0a.29   0a    1   13  FC:A   -  ATA   7200 211377/432901760  211921/434014304
      data      0a.28   0a    1   12  FC:A   -  ATA   7200 211377/432901760  211921/434014304

Spare disks

RAID Disk       Device  HA  SHELF BAY CHAN Pool Type  RPM  Used (MB/blks)    Phys (MB/blks)
---------       ------  ------------- ---- ---- ---- ----- --------------    --------------
Spare disks for block or zoned checksum traditional volumes or aggregates
spare           0a.27   0a    1   11  FC:A   -  ATA   7200 211377/432901760  211921/434014304 (not zeroed)

Here I’ve got 13 disks in aggr0 and the 14th acting as a spare. I need to delete aggr0 to free up the disks to be sanitized.

 

2. Delete the aggregate the disks are part of

netapp> aggr offline aggr0
Aggregate 'aggr0' is now offline.

netapp> aggr destroy aggr0
Are you sure you want to destroy this aggregate? yes
Aggregate 'aggr0' destroyed.

 

3. Verify all the disks you want to sanitize are now spares

netapp> sysconfig -r

Spare disks

RAID Disk       Device  HA  SHELF BAY CHAN Pool Type  RPM  Used (MB/blks)    Phys (MB/blks)
---------       ------  ------------- ---- ---- ---- ----- --------------    --------------
Spare disks for block or zoned checksum traditional volumes or aggregates
spare           0a.16   0a    1   0   FC:A   -  ATA   7200 211377/432901760  211921/434014304 (not zeroed)
spare           0a.17   0a    1   1   FC:A   -  ATA   7200 211377/432901760  211921/434014304 (not zeroed)
spare           0a.18   0a    1   2   FC:A   -  ATA   7200 211377/432901760  211921/434014304 (not zeroed)
spare           0a.19   0a    1   3   FC:A   -  ATA   7200 211377/432901760  211921/434014304 (not zeroed)
spare           0a.20   0a    1   4   FC:A   -  ATA   7200 211377/432901760  211921/434014304 (not zeroed)
spare           0a.21   0a    1   5   FC:A   -  ATA   7200 211377/432901760  211921/434014304 (not zeroed)
spare           0a.22   0a    1   6   FC:A   -  ATA   7200 211377/432901760  211921/434014304 (not zeroed)
spare           0a.23   0a    1   7   FC:A   -  ATA   7200 211377/432901760  211921/434014304 (not zeroed)
spare           0a.24   0a    1   8   FC:A   -  ATA   7200 211377/432901760  211921/434014304 (not zeroed)
spare           0a.25   0a    1   9   FC:A   -  ATA   7200 211377/432901760  211921/434014304 (not zeroed)
spare           0a.26   0a    1   10  FC:A   -  ATA   7200 211377/432901760  211921/434014304 (not zeroed)
spare           0a.27   0a    1   11  FC:A   -  ATA   7200 211377/432901760  211921/434014304 (not zeroed)
spare           0a.28   0a    1   12  FC:A   -  ATA   7200 211377/432901760  211921/434014304 (not zeroed)
spare           0a.29   0a    1   13  FC:A   -  ATA   7200 211377/432901760  211921/434014304 (not zeroed)

 

4. Sanitize the first batch of disks (7 passes)

netapp> disk sanitize start -c 7 0a.16 0a.17 0a.18 0a.19 0a.20

WARNING:  The sanitization process may include a disk format.
If the system is power cycled or rebooted during a disk format
the disk may become unreadable. The process will attempt to
restart the format after 10 minutes.

The time required for the sanitization process may be quite long
depending on the size of the disk and the number of patterns and
cycles specified.
Do you want to continue (y/n)? y

The disk sanitization process has been initiated.  You will be notified via the system log when it is complete.
Thu Apr 19 11:10:41 PDT [disk.failmsg:error]: Disk 0a.20 (XXXXXXXX): message received.
Thu Apr 19 11:10:41 PDT [disk.failmsg:error]: Disk 0a.19 (XXXXXXXX): message received.
Thu Apr 19 11:10:41 PDT [disk.failmsg:error]: Disk 0a.18 (XXXXXXXX): message received.
Thu Apr 19 11:10:41 PDT [disk.failmsg:error]: Disk 0a.17 (XXXXXXXX): message received.
Thu Apr 19 11:10:41 PDT [disk.failmsg:error]: Disk 0a.16 (XXXXXXXX): message received.
Thu Apr 19 11:10:41 PDT [raid.disk.unload.done:info]: Unload of Disk 0a.20 Shelf 1 Bay 4 [NETAPP   X262_SGLXY250SSX AQNZ] S/N [XXXXXXXX] has completed successfully
Thu Apr 19 11:10:41 PDT [raid.disk.unload.done:info]: Unload of Disk 0a.19 Shelf 1 Bay 3 [NETAPP   X262_SGLXY250SSX AQNZ] S/N [XXXXXXXX] has completed successfully
Thu Apr 19 11:10:41 PDT [raid.disk.unload.done:info]: Unload of Disk 0a.18 Shelf 1 Bay 2 [NETAPP   X262_SGLXY250SSX AQNZ] S/N [XXXXXXXX] has completed successfully
Thu Apr 19 11:10:41 PDT [raid.disk.unload.done:info]: Unload of Disk 0a.17 Shelf 1 Bay 1 [NETAPP   X262_SGLXY250SSX AQNZ] S/N [XXXXXXXX] has completed successfully
Thu Apr 19 11:10:41 PDT [raid.disk.unload.done:info]: Unload of Disk 0a.16 Shelf 1 Bay 0 [NETAPP   X262_SGLXY250SSX AQNZ] S/N [XXXXXXXX] has completed successfully

 

You can periodically check the status of the sanitization by running:

netapp> disk sanitize status
sanitization for 0a.16 is 2 % complete
sanitization for 0a.18 is 2 % complete
sanitization for 0a.19 is 2 % complete
sanitization for 0a.17 is 2 % complete
sanitization for 0a.20 is 2 % complete

 

When the disks have been sanitized if you want to re-use them instead of replace them run this command:

netapp> disk sanitize release disk_list

Example
netapp> disk sanitize release 0a.16 0a.17 0a.18 0a.19 0a.20

This will add the sanitized disks to the spare pool.

 

There are a few options you can customize when ‘disk santize’ command.

disk sanitize start [-p pattern1|-r [-p pattern2|-r [-p pattern3|-r]]] [-c cycle_count] disk_list

-p pattern1 -p pattern2 -p pattern3 specifies a cycle of one to three user-defined hex byte overwrite patterns that can be applied in succession to the disks being sanitized. The default pattern is three passes, using 0x55 for the first pass, 0xaa for the second pass, and 0x3c for the third pass.

-r replaces a patterned overwrite with a random overwrite for any or all of the passes.

-c cycle_count specifies the number of times the specified overwrite patterns will be applied. The default value is one cycle. The maximum value is seven cycles.

disk_list specifies a space-separated list of the IDs of the spare disks to be sanitized.

 

References (NetApp login require)

How to rename SnapMirror Target volumes on a NetApp

by

0

Someone not following your naming convention? We’ve got two filers (netapp1 and netapp2) and I want to rename a SnapMirror target to follow our new naming convention. We’re going to prefix the volume ‘sampleTarget’ with ‘st_’ to designate it as a SnapMirror Target.

1. Login to the NetApp via SSH that has the SnapMirror Target

2. Open the ‘etc$’ share on the NetApp that has the SnapMirror Target (\\<FILER>\etc$)

3. Open ‘snapmirror.conf’ on the ‘etc$’ share in Notepad

4. Run ‘snapmirror status’ and make sure no mirror operations are currently running

netapp2> snapmirror status

Snapmirror is on.
Source                           Destination                      State          Lag        Status
netapp1:sampleTarget             netapp2:sampleTarget             Snapmirrored   00:06:42   Idle

5. Run ‘snapmirror off’ to disable SnapMirror

netapp2> snapmirror off

6. Rename the volume

netapp2> vol rename <ORIGINAL NAME> <NEW NAME>

Example
netapp2> vol rename sampleTarget st_sampleTaget

7. In the ‘snapmirror.conf’ file update the configuration to reflect the rename you just performed

8. Save and close ‘snapmirror.conf’

9. Restart SnapMirror

netapp2> snapmirror on

10. Manually update the SnapMirror to verify it’s working

netapp2> snapmirror update <TARGET>

Example
netapp2> snapmirror update netapp2:st_sampleTarget
netapp2> snapmirror status

Snapmirror is on.
Source                           Destination                      State          Lag        Status
netapp1:sampleTarget             netapp2:st_sampleTarget          Snapmirrored   00:00:02   Idle

11. If you backup your SnapMirror volumes using NDMP you’ll need to update your backup jobs to reflect the new volume name

How to migrate volumes between aggregates on a NetApp

by

4

There are two sets of instructions in this post. Follow the first for migrating regular volumes. Follow the second set for migrating SnapMirror Targets.

To keep things simple I use the original volume name and append ‘NEW’ at the end for the new volume and rename the original volume and append ‘OLD’ to the end of it. In the below examples I’m going to move a 100gb volume called ‘shares’ from aggr0 to aggr1.

 

Migrate a volume from one aggregate to another (NOT A SNAPMIRROR TARGET)

1.    Determine the size and name of the volume you are going to migrate

netapp> df -h

Filesystem                 total       used       avail capacity  Mounted on
/vol/shares/               100GB       10GB       90GB       10%  /vol/shares/

2.    Create a new volume the same size as the old volume

netapp> vol create <VOLUME NAME>NEW aggr1 <VOLUME SIZE>g

EXAMPLE
netapp> vol create sharesNEW aggr1 100g

3.    NDMP copy the data from the old volume to the new volume

netapp> ndmpcopy <ORIGINAL VOLUME> <NEW VOLUME>

EXAMPLE
netapp> ndmpcopy shares sharesNEW

4.    Once the copy is complete rename the original volume to a temporary name

netapp> vol rename <ORIGINAL VOLUME> <ORIGINAL VOLUME>OLD

EXAMPLE
netapp> vol rename shares sharesOLD

5.    Rename the new volume to match the original volumes name

netapp> vol rename <NEW VOLUME> <ORIGINAL VOLUME NAME>

EXAMPLE
netapp> vol rename sharesNEW shares

6.    Offline the olds volume

netapp> vol offline <OLD VOLUME NAME>

EXAMPLE
netapp> vol offline sharesOLD

7.    After doing a sanity check to verify all the data was properly copied delete the old volume

netapp> vol destroy <OLD VOLUME NAME>

EXAMPLE
netapp> vol destroy sharesOLD

8.    If your volume was exported or configured as a CIFS share verify functionality of that export or share. They should still work.

 

Migrate a volume from one aggregate to another (SNAPMIRROR TARGET)

1.    Determine the size of the volume you are going to migrate

netapp> df -h

Filesystem                 total       used       avail capacity  Mounted on
/vol/shares/               100GB       10GB       90GB       10%  /vol/shares/

2.    Create a new volume the same size as the old volume

netapp> vol create <VOLUME NAME>NEW aggr1 <VOLUME SIZE>g

EXAMPLE
netapp> vol create sharesNEW aggr1 100g

3.    Once the copy is complete rename the original volume to a temporary name

netapp> vol rename <ORIGINAL VOLUME> <ORIGINAL VOLUME>OLD

EXAMPLE
netapp> vol rename shares sharesOLD

4.    Rename the new volume to match the original volumes name

netapp> vol rename <NEW VOLUME> <ORIGINAL VOLUME NAME>

EXAMPLE
netapp> vol rename sharesNEW shares

5.    Offline the old volume

netapp> vol offline <OLD VOLUME NAME>

EXAMPLE
netapp> vol offline sharesOLD

6.    Delete the old volume

netapp> vol destroy <OLD VOLUME NAME>

EXAMPLE
netapp> vol destroy sharesOLD

7.    Restrict the new volume

netapp> vol restrict <NEW VOLUME NAME>

EXAMPLE
vol restrict shares

8.    Re-initialize the Snapmirror relationship

netapp> snapmirror initialize <SNAPMIRROR TARGET>

EXAMPLE
netapp> snapmirror initialize netapp:shares

How to migrate the root volume on a NetApp

by

2

Need to switch your root volume (vol0) to a different aggregate on a NetApp?

I performed the following on a NetApp FAS2020 running Data OnTap 7.3.5.1

WARNING: IF DONE INCORRECTLY THIS COULD RESULT IN YOUR NETAPP BEING UNABLE TO BOOT. PROCEED ARE YOUR OWN RISK. You may want to consider speaking with NetApp directly instead of following these instructions. They can be reached at 1-888-463-8277 if you are in Canada or the United States.

1.    Determine the current size of vol0

netapp> vol size vol0
vol size: Flexible volume 'vol0' has size 30g.

2.    Create a new vol0 of the same size on the new aggregate

netapp> vol create vol0new aggr1 30g

3.    Verify NDMP is running on the NetApp

netapp> ndmpd status
ndmpd ON.
No ndmpd sessions active.

4.    NDMP copy the contents of the original vol0 to the new vol0new

netapp> ndmpcopy /vol/vol0 /vol/vol0new

5.    Set the new vol0 as the root for the filer

netapp> vol options vol0new root

6.    Reboot the filer

netapp> reboot

7.    Verify that vol0new is the root volume and the NetApp booted off it

netapp> vol options vol0
nosnap=off, nosnapdir=off, minra=off,
no_atime_update=off, nvfail=off, ignore_inconsistent=off,
snapmirrored=off, create_ucode=on, convert_ucode=on, maxdirsize=9175,
schedsnapname=ordinal, fs_size_fixed=off, compression=off,
guarantee=volume, svo_enable=off, svo_checksum=off, svo_allow_rman=off,
svo_reject_errors=off, no_i2p=off, fractional_reserve=100, extent=off,
try_first=volume_grow, read_realloc=off, snapshot_clone_dependency=off,

netapp> vol options vol0new
root, diskroot, nosnap=off, nosnapdir=off, minra=off, no_atime_update=off, nvfail=off,
ignore_inconsistent=off, snapmirrored=off, create_ucode=on,
convert_ucode=on, maxdirsize=9175, schedsnapname=ordinal,
fs_size_fixed=off, compression=off, guarantee=volume, svo_enable=off,
svo_checksum=off, svo_allow_rman=off, svo_reject_errors=off,
no_i2p=off, fractional_reserve=100, extent=off, try_first=volume_grow,
read_realloc=off, snapshot_clone_dependency=off

Verify that vol0new’s options start with “root, diskroot,” and that vol0 does not

8.    Offline the old root volume (vol0)

netapp> vol offline vol0

9.    Destroy the old root volume (vol0)

netapp> vol destroy vol0

10.    Rename the new vol0new to vol0

netapp> vol rename vol0new vol0

11.    Verify the rename took

netapp> df -sh