EMC Celerras are often a bad idea ;)
They have many many many issues, not the least of which is
that in many instances they gateway a bunch of expensive disk to present it to
inexpensive machines. That's strange and expensive, but for
some...
They have a y2k issue (the Unix version). They don't
support much for many many many moons after it's possible to use. Got
compliance issues (SOX for example)? Not a good product to have because it
doesn't do real-time monitoring of access (the DART is not really meant for
that) and EMC has no current workaround. It requires many levels of other
infrastructure to make it work well (av?). All that pain for something that could
be done with a SINGLE Windows machine HBA connected to the same expensive
disk?
Some of the issues Joe mentions were *supposed* to go away
in the later versions. Haven't seen that implemented yet after upgrading
to W2K3 Active Directory and functional level. It still
*works*.
About the only advantage I've seen with it is its ability
to present the same disk to different operating systems. Of course, I
can do the same thing with Windows direct-connected, and at a fraction of the
implementation cost with better monitoring and av protection. I can also
use much cheaper disk for the piddly things it can do.
In short, it sux and is way expensive and causes you to buy
more expensive disk to do the job of something I can do for WAY less with a lot
less complexity. I hate it I hate it I hate it.
;)
</rant>
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 18, 2004 12:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server
EMC seems to have several issues. Some of them are:
Handling of disjoint namespaces. If you don't have a
disjoint name space you don't have to worry about that one. Issues with it were
the join process, the SPN writing (they don't write the correct SPNs) and the
dnshostname attribute (they write the wrong value).
They don't handle SMB Signing or signed secure channels.
You need to disable those policies.
Requires domain admin for a join, i.e. you can't delegate
off the join process to your storage admins. Initially they didn't support
delegated join at all. Now they do, however the only group that has admin rights
after the join is the domain admins group so they have to modify the group
anyway.
I haven't looked at their schema mods they want to make for
at least a year but when I last saw them they were ridiculous. They were
creating a separate object for every single user which is not right (so every
user had 2 objects in AD for them). Luckily you can run without those mods.
I actually put together a paper last year March with
something like 15 issues but my biggest concern is the 100 day promise from EMC.
They seem to have issues hitting it. That promise is the promise that when something
needs to be changed, they modify the code within 100 days. The question I always
ask is... If MS makes a security change that adversely impacts EMC but must be
deployed to the DCs due to a security hole that is in the process of being
slammed by worms/viruses, do you compromise the security of your domain or do you
kill your storage? I have seen first-hand in production some Celerras stop
authenticating when SP2 was applied. This was a while ago but shows the possible
impact. The solution until the frames could be upgraded was to hold the data on
W2K servers with internal disk.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, May 17, 2004 7:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server
Care to expand on the comment about the EMC Celerra below?? We just recently 'upgraded' from NetApp frames to several EMCs. We had our domain upgrade to W2K3 scheduled for last fall, but it was put on hold until the EMC boxes would even support a W2K3 domain. Our Storage team has recently upgraded the frames to the EMC OS version DART 5.2 and has proclaimed them ready to handle the updated domain (with blessings from EMC of course). Now I am even more leery about this being a seamless update!!!
Should I be worried??
mark
From: "joe" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 05/17/2004 05:43 PM
A disjoint namespace is when your machines don't have a domain suffix the
same as the AD domain.
For instance, let's say I decide to incorporate joeware and set up offices
around the country and run everything from the AD domain joeware.net. I have
two options for the setup...
1. Take the MS default and every single machine everywhere in the country
has a domain suffix of joeware.net because they are part of the AD Domain,
joeware.net.
2. Choose to use geographic logical domain suffixes for the machines like
sanfran.joeware.net, newyork.joeware.net, atlanta.joeware.net,
miami.joeware.net, orlando.joeware.net, deanshouse.joeware.net,
dallas.joeware.net, kalaheo.joeware.net. Now all of those machines would be
in the joeware.net domain but would have a disjoint on the dns domain
suffix. This is fully supported by Active Directory / Windows. Various
programs have various levels of support for it due to <ahem> lack of testing
on the part of the developers/vendors.
If you use 2, you may have to modify permissions in Active Directory so that
the machines can properly register their dNSHostName and
servicePrincipalName. If they don't have that permission, the machines will
not have correct SPNs and kerberos can choke. Actually EMC has a nice issue
with that right now with the Celerras.
Domain controllers don't have the problem because the localsystem account of
a DC can write whatever the heck it wants to write in AD.
joe
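One way to audit what joe describes, a disjoint suffix plus whether a computer object's dNSHostName and HOST/ SPNs agree with each other, written here as an added Python example over constructed attribute values (it is not tooling from the thread or from EMC); the function names, the optional actual_fqdn input and the sample hosts are assumptions.

```python
# Added example, not code from the thread: an offline consistency audit for
# the attributes joe says get written wrongly (dNSHostName, HOST/ SPNs), plus
# a disjoint-suffix flag. Attribute names are the real AD schema names.

def audit_computer(computer, ad_domain_dns, actual_fqdn=None):
    """Findings for one computer object given as a dict of
    sAMAccountName, dNSHostName and a servicePrincipalName list.
    actual_fqdn (hypothetical extra input, e.g. the name the box really
    uses) is only checked when given."""
    short = computer["sAMAccountName"].rstrip("$").lower()
    host = computer["dNSHostName"].lower()
    suffix = host.partition(".")[2]            # "" when there is no suffix
    # A member computer registers two HOST/ SPNs: short name and FQDN.
    expected = {f"host/{short}", f"host/{host}"}
    have = {s.lower() for s in computer.get("servicePrincipalName", [])}
    host_spns = {s for s in have if s.startswith("host/")}
    return {
        # disjoint = machine's DNS suffix is not the AD domain's DNS name
        "disjoint_namespace": suffix != ad_domain_dns.lower(),
        # dNSHostName must be built from the computer's own short name
        "dnshostname_wrong": (not host.startswith(short + ".")
                              or (actual_fqdn is not None
                                  and host != actual_fqdn.lower())),
        "missing_spns": sorted(expected - have),
        "unexpected_host_spns": sorted(host_spns - expected),
    }

def audit_all(computers, ad_domain_dns):
    """sAMAccountName -> findings, for objects with a real fault only.
    A disjoint suffix by itself is supported, so it is reported, not flagged."""
    out = {}
    for c in computers:
        f = audit_computer(c, ad_domain_dns)
        if f["dnshostname_wrong"] or f["missing_spns"] or f["unexpected_host_spns"]:
            out[c["sAMAccountName"]] = f
    return out

# Constructed sample objects (not real hosts): a normal member, a member with
# a geographic (disjoint) suffix done right, and a NAS whose FQDN SPN was
# written for a different suffix than its dNSHostName carries.
SAMPLE = [
    {"sAMAccountName": "FS01$", "dNSHostName": "fs01.joeware.net",
     "servicePrincipalName": ["HOST/FS01", "HOST/fs01.joeware.net"]},
    {"sAMAccountName": "FS02$", "dNSHostName": "fs02.sanfran.joeware.net",
     "servicePrincipalName": ["HOST/FS02", "HOST/fs02.sanfran.joeware.net"]},
    {"sAMAccountName": "NAS01$", "dNSHostName": "nas01.joeware.net",
     "servicePrincipalName": ["HOST/NAS01", "HOST/nas01.sanfran.joeware.net"]},
]
```

Running audit_all(SAMPLE, "joeware.net") reports only NAS01$, with the joeware.net HOST SPN missing and the sanfran one unexpected; FS02$ is disjoint but consistent, so it is not flagged.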
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Svetlana
Kouznetsova
Sent: Monday, May 17, 2004 5:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server
Hmmmm...I don't see any disjoint namespace...but I don't know what you mean
by "proper permissions are not set on the computer object".
But I've actually taken responsibility and done dcpromo now...so far
everything looks normal...
Maybe it was a netdiag bug? [I hope it was!] Thanks for the input.
Lana
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 17 May 2004 21:50
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server
Do you have a disjoint name space?
I have seen this when there is a disjoint namespace and the proper
permissions are not set on the computer object so that it can update its own
information properly.
The UDP/TCP thing Al mentioned is a good thought too but usually when that
is occurring you will see some hellacious slow downs. Like logons taking
30-40 minutes when they go fast. I have seen this occur when a Cisco CSM was
throwing away fragmented kerberos packets because of too many group
memberships and I have seen it when a NIC had bad configurations for (I
think) max frame size.
joe
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Svetlana
Kouznetsova
Sent: Monday, May 17, 2004 11:46 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FATAL kerberos error on W2K3 server
Hello,
I wonder if anyone has seen this before:
W2K active directory, a few W2K3 member servers. All of them display a kerberos
error message when running the netdiag kerberos test:
"[FATAL] Kerberos does not have a ticket for host/domain.com"
I am not receiving any errors or warnings in event logs; replication in AD
is fine and no W2K domain controllers show this problem. Ran Kerbtray
- all tickets seem to be there. DC list test and all the rest of the netdiag
tests - "passed".
Also some of W2K3 servers are happily running applications with no
problems.
The intention is to make a W2K3 domain controller, but with this kind of error
it seems a little risky, unless this is a "feature by design" in W2K3...
Thanks in advance for any ideas shared
Lana
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
