Title: Message
The lease is up on our Celerra, and we are shipping it back. We are replacing it with two win2k3 DL380s connected to an EMC SAN.
Why?
Because when we stepped back and looked at the bigger picture, we realized that what little benefit the Celerra provided just wasn't worth the added complexity.
EMC seems to have several issues. Some of them are:
Handling of disjoint namespaces. If you don't have a disjoint namespace you don't have to worry about that one. Issues with it were the join process, the SPN writing (they don't write the correct SPNs) and the dnshostname attribute (they write the wrong value).
They don't handle SMB Signing or signed secure channels. You need to disable those policies.
Requires domain admin for a join, i.e. you can't delegate off the join process to your storage admins. Initially they didn't support delegated join at all. Now they do; however, the only group that has admin rights after the join is the domain admins group, so they have to modify the group anyway.
I haven't looked at the schema mods they want to make for at least a year, but when I last saw them they were ridiculous. They were creating a separate object for every single user, which is not right (so every user had 2 objects in AD for them). Luckily you can run without those mods.
I actually put together a paper last year March with something like 15 issues, but my biggest concern is the 100 day promise from EMC. They seem to have issues hitting it. That promise is the promise that when something needs to be changed, they modify the code within 100 days. The question I always ask is... If MS makes a security change that adversely impacts EMC but must be deployed to the DCs due to a security hole that is in the process of being slammed by worms/viruses, do you compromise the security of your domain or do you kill your storage? I have seen first hand in production some Celerras stop authenticating when SP2 was applied. This was a while ago but shows the possible impact. The solution until the frames could be upgraded was to hold the data on W2K servers with internal disk.
joe
Care to expand on the comment about the EMC Celerra below?? We just recently 'upgraded' from NetApp frames to several EMCs. We had our domain upgrade to W2K3 scheduled for last fall, but it was put on hold until the EMC boxes would even support a W2K3 domain. Our Storage team has recently upgraded the frames to the EMC OS version DART 5.2 and has proclaimed them ready to handle the updated domain (with blessings from EMC of course). Now I am even more leery about this being a seamless update!!!
Should I be worried??
mark
"joe" <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED]
05/17/2004 05:43 PM
Please respond to [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server
A disjoint namespace is when your machines don't have a domain suffix the same as the AD domain.
For instance, let's say I decide to incorporate joeware and set up offices around the country and run everything from the AD domain joeware.net. I have two options for the setup...
1. Take the MS default and every single machine everywhere in the country has a domain suffix of joeware.net because they are part of the AD Domain, joeware.net.
2. Choose to use geographic logical domain suffixes for the machines like sanfran.joeware.net, newyork.joeware.net, atlanta.joeware.net, miami.joeware.net, orlando.joeware.net, deanshouse.joeware.net, dallas.joeware.net, kalaheo.joeware.net. Now all of those machines would be in the joeware.net domain but would have a disjoint on the dns domain suffix. This is fully supported by Active Directory / Windows. Various programs have various levels of support for it due to <ahem> lack of testing on the part of the developers/vendors.
If you use 2, you may have to modify permissions in Active Directory so that the machines can properly register their dNSHostName and servicePrincipalName. If they don't have that permission, the machines will not have correct SPNs and kerberos can choke. Actually EMC has a nice issue with that right now with the Celerras.
Domain controllers don't have the problem because the localsystem account of a DC can write whatever the heck it wants to write in AD.
joe
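As an added illustration (not code from the list or from joe), here is a consistency check for the failure mode described above and in the Celerra complaint: given a computer object's sAMAccountName, dNSHostName and servicePrincipalName values, it verifies that the registered name and HOST SPNs match the machine's DNS suffix, in either the default layout (suffix equals the AD domain) or the disjoint one. The computer objects are constructed samples, not real directory data.

```python
from typing import Dict, List, Optional


def expected_names(sam_account_name: str, dns_suffix: str):
    """Return (short host name, FQDN) a computer account should carry under dns_suffix."""
    short = sam_account_name.rstrip("$").lower()
    return short, f"{short}.{dns_suffix.lower()}"


def check_computer(obj: Dict[str, object], ad_domain: str,
                   dns_suffix: Optional[str] = None) -> Dict[str, object]:
    """Compare a computer object's dNSHostName and HOST SPNs with the names it
    should have.  dns_suffix is the machine's primary DNS suffix; when it differs
    from ad_domain the namespace is disjoint (option 2 above).  Returns the
    disjoint flag plus a list of problems (empty when the object is consistent)."""
    suffix = (dns_suffix or ad_domain).lower()
    short, fqdn = expected_names(str(obj["sAMAccountName"]), suffix)
    required = {f"host/{short}", f"host/{fqdn}"}
    spns = {str(s).lower() for s in obj.get("servicePrincipalName", [])}
    problems: List[str] = []

    actual_dns = str(obj.get("dNSHostName", "")).lower()
    if actual_dns != fqdn:
        problems.append(f"dNSHostName is '{actual_dns or '<missing>'}', expected '{fqdn}'")
    for spn in sorted(required - spns):
        problems.append(f"missing SPN {spn}")
    for spn in sorted(spns):
        if spn.startswith("host/") and spn not in required:
            # A HOST SPN under another name is the symptom joe describes:
            # the account registered itself with the wrong suffix.
            problems.append(f"unexpected SPN {spn} (wrong suffix?)")
    return {"disjoint": suffix != ad_domain.lower(), "problems": problems}


# Constructed sample objects: a file server joined under the geographic
# suffix sanfran.joeware.net from joe's example.  Not real directory data.
AD_DOMAIN = "joeware.net"
GOOD_FS = {"sAMAccountName": "FS01$", "dNSHostName": "fs01.sanfran.joeware.net",
           "servicePrincipalName": ["HOST/FS01", "HOST/fs01.sanfran.joeware.net"]}
BAD_FS = {"sAMAccountName": "FS01$", "dNSHostName": "fs01.joeware.net",
          "servicePrincipalName": ["HOST/FS01", "HOST/fs01.joeware.net"]}

if __name__ == "__main__":
    for label, obj in (("good", GOOD_FS), ("bad", BAD_FS)):
        print(label, check_computer(obj, AD_DOMAIN, "sanfran.joeware.net"))
```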
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Monday, May 17, 2004 5:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server
Hmmmm...I don't see any disjoint namespace...but I don't know what you mean by "proper permissions are not set on the computer object".
But I've actually taken responsibility and done dcpromo now...so far everything looks normal...
Maybe it was a netdiag bug? [I hope it was!] Thanks for the input.
Lana
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 17 May 2004 21:50
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server
Do you have a disjoint name space?
I have seen this when there is a disjoint namespace and the proper permissions are not set on the computer object so that it can update its own information properly.
The UDP/TCP thing Al mentioned is a good thought too, but usually when that is occurring you will see some hellacious slow downs. Like logons taking 30-40 minutes when they go fast. I have seen this occur when a Cisco CSM was throwing away fragmented kerberos packets because of too many group memberships, and I have seen it when a NIC had bad configurations for (I think) max frame size.
joe
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova
Sent: Monday, May 17, 2004 11:46 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FATAL kerberos error on W2K3 server
Hello,
I wonder if anyone has seen this before:
W2K active directory, a few W2K3 member servers. All of them display a kerberos error message when running the netdiag kerberos test:
"[FATAL] Kerberos does not have a ticket for host/domain.com"
I am not receiving any errors or warnings in event logs; replication in AD is fine and no W2K domain controllers show this problem. Ran Kerbtray - all tickets seem to be there. DC list test and all the rest of the netdiag tests - "passed".
Also some of the W2K3 servers are happily running applications with no problems.
The intention is to make a W2K3 domain controller, but with this kind of error it seems a little risky, unless this is a "feature by design" in W2K3...
Thanks in advance for any ideas shared
Lana
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/