While we are not running Celerra (thank goodness), when we implemented
our SAN, our Dell rep told us we could connect our Dell NAS box to the
SAN for added storage.  When I asked why we would want to do that, I
never got a good answer.  Personally I prefer to run Windows as the file
server.  It is one less OS I need to keep up with and the performance
meets our needs.
 
Denny


________________________________

        From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
        Sent: Tuesday, May 18, 2004 11:20 AM
        To: [EMAIL PROTECTED]
        Subject: RE: EMC Celerra (was: [ActiveDir] FATAL kerberos error
on W2K3 server)
        
        
        :)  I wish I could get a clue-by-four for some of the folks
where I am.  They talk about cost cutting while we put this thing in.
Cost savings is apparently not an issue. If you could just bottle and
sell some of the wisdom that caused that step back and rethink, let me
know.  I have a willing market somewhere close by...

________________________________

        From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
        Sent: Tuesday, May 18, 2004 9:20 AM
        To: [EMAIL PROTECTED]
        Subject: EMC Celerra (was: [ActiveDir] FATAL kerberos error on
W2K3 server)
        
        
        The lease is up on our Celerra, and we are shipping it back. We
are replacing it with two win2k3 DL380s connected to an EMC SAN.
         
        Why? Because when we stepped back and looked at the bigger
picture, we realized that what little benefit the Celerra provided just
wasn't worth the added complexity. 
         
         

                -----Original Message-----
                From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
                Sent: Monday, May 17, 2004 11:34 PM
                To: [EMAIL PROTECTED]
                Subject: RE: [ActiveDir] FATAL kerberos error on W2K3
server
                
                
                EMC seems to have several issues. Some of them are:
                 
                Handling of disjoint namespaces. If you don't have a
disjoint name space you don't have to worry about that one. Issues with
it were the join process, the SPN writing (they don't write the correct
SPNs) and the dnshostname attribute (they write the wrong value). 
                 
                They don't handle SMB Signing or signed secure channels.
You need to disable those policies.
                 
                Requires domain admin for a join - I.E. you can't
delegate off the join process to your storage admins. Initially they
didn't support delegated join at all. Now they do, however the only
group that has admin rights after the join is the domain admins group so
they have to modify the group anyway.
                 
                I haven't looked at their schema mods they want to make
for at least a year but when I last saw them they were ridiculous. They
were creating a separate object for every single user which is not right
(so every user had 2 objects in AD for them). Luckily you can run
without those mods. 
                 
                I actually put together a paper last year March with
something like 15 issues but my biggest concern is the 100 day promise
from EMC. They seem to have issues hitting it. That promise is the
promise that when something needs to be changed, they modify the code
within 100 days. The question I always ask is... If MS makes a security
change that adversely impacts EMC but must be deployed to the DCs due to
a security hole that is in the process of being slammed by worms/viruses do you
compromise the security of your domain or do you kill your storage? I
have seen first hand in production some Celerras stop authenticating
when SP2 was applied. This was a while ago but shows the possible
impact. The solution until the frames could be upgraded was to hold the
data on W2K servers with internal disk.
                 
                  joe
                 
                 
                 
                 

________________________________

                From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
                Sent: Monday, May 17, 2004 7:37 PM
                To: [EMAIL PROTECTED]
                Subject: RE: [ActiveDir] FATAL kerberos error on W2K3
server
                
                

                Care to expand on the comment about the EMC Celerra
below??  We just recently 'upgraded' from NetApp frames to several EMCs.
We had our domain upgrade to W2K3 scheduled for last fall but was put on
hold until the EMC boxes would even support a W2K3 domain.  Our Storage
team has recently upgraded the frames to the EMC OS version DART 5.2 and
have proclaimed them ready to handle the updated domain (with blessings
from EMC of course).  Now I am even more leery about this being a
seamless update!!!   
                
                Should I be worried?? 
                
                mark 
                
                
                
                
                
"joe" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
05/17/2004 05:43 PM
Please respond to [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server

                A disjoint namespace is when your machines don't have a
                domain suffix the same as the AD domain.

                For instance, let's say I decide to incorporate joeware
                and set up offices around the country and run everything
                from the AD domain joeware.net. I have two options for
                the setup...

                1. Take the MS default and every single machine
                everywhere in the country has a domain suffix of
                joeware.net because they are part of the AD Domain,
                joeware.net.

                2. Choose to use geographic logical domain suffixes for
                the machines like sanfran.joeware.net,
                newyork.joeware.net, atlanta.joeware.net,
                miami.joeware.net, orlando.joeware.net,
                deanshouse.joeware.net, dallas.joeware.net,
                kalaheo.joeware.net. Now all of those machines would be
                in the joeware.net domain but would have a disjoint on
                the dns domain suffix. This is fully supported by Active
                Directory / Windows. Various programs have various
                levels of support for it due to <ahem> lack of testing
                on the part of the developers/vendors.

                If you use 2, you may have to modify permissions in
                Active Directory so that the machines can properly
                register their dNSHostName and servicePrincipalName. If
                they don't have that permission, the machines will not
                have correct SPN's and kerberos can choke. Actually EMC
                has a nice issue with that right now with the Celerras.

                Domain controllers don't have the problem because the
                localsystem account of a DC can write whatever the heck
                it wants to write in AD.
                
                
                 joe
                
                
                
                -----Original Message-----
                From: [EMAIL PROTECTED]
                [mailto:[EMAIL PROTECTED] On Behalf Of
Svetlana
                Kouznetsova
                Sent: Monday, May 17, 2004 5:12 PM
                To: [EMAIL PROTECTED]
                Subject: RE: [ActiveDir] FATAL kerberos error on W2K3
server
                
                Hmmmm...I don't see any disjoint namespace...but I don't
                know what you mean by "proper permissions are not set on
                the computer object".
                But I actually took responsibility and did the dcpromo
                now...so far everything looks normal...
                Maybe it was a netdiag bug? [I hope it was!] Thanks for
                the input.
                
                Lana
                
                -----Original Message-----
                From: [EMAIL PROTECTED]
                [mailto:[EMAIL PROTECTED] On Behalf Of
joe
                Sent: 17 May 2004 21:50
                To: [EMAIL PROTECTED]
                Subject: RE: [ActiveDir] FATAL kerberos error on W2K3
server
                
                Do you have a disjoint name space?
                
                I have seen this when there is a disjoint namespace and
                the proper permissions are not set on the computer
                object so that it can update its own information
                properly.

                The UDP/TCP thing Al mentioned is a good thought too but
                usually when that is occurring you will see some
                hellacious slow downs. Like logons taking 30-40 minutes
                when they go fast. I have seen this occur when a Cisco
                CSM was throwing away fragmented kerberos packets
                because of too many group memberships and I have seen it
                when a NIC had bad configurations for (I think) max
                frame size.
                
                
                 joe
                
                
                -----Original Message-----
                From: [EMAIL PROTECTED]
                [mailto:[EMAIL PROTECTED] On Behalf Of
Svetlana
                Kouznetsova
                Sent: Monday, May 17, 2004 11:46 AM
                To: [EMAIL PROTECTED]
                Subject: [ActiveDir] FATAL kerberos error on W2K3 server
                
                Hello,

                I wonder if anyone has seen this before:

                W2K active directory, a few W2K3 member servers. All of
                them display a kerberos error message when running the
                netdiag kerberos test:

                "[FATAL] Kerberos does not have a ticket for host/domain.com"

                I am not receiving any errors or warnings in event logs;
                replication in AD is fine and no W2K domain controllers
                show this problem. Ran Kerbtray - all tickets seem to be
                there. DC list test and all the rest of netdiag tests -
                "passed".
                Also some of the W2K3 servers are happily running
                applications with no problems.

                The intention is to make a W2K3 domain controller, but
                with this kind of error it seems a little risky, unless
                this is a "feature by design" in W2K3...

                Thanks in advance for any ideas shared
                Lana
                
                List info   : http://www.activedir.org/mail_list.htm
                List FAQ    : http://www.activedir.org/list_faq.htm
                List archive:
        
http://www.mail-archive.com/activedir%40mail.activedir.org/
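
The dNSHostName / servicePrincipalName problem joe describes for disjoint namespaces can be checked from exported computer-object attributes. The following is an added example, not part of the original thread: the host names, the ACTUAL_FQDN inventory and the finding codes are hypothetical, and the records are constructed sample data using the joeware.net suffixes from the thread.

```python
AD_DOMAIN = "joeware.net"  # AD domain DNS name from the thread's example

# Constructed computer-object attributes (as read from a directory export).
COMPUTERS = [
    # Host inside the AD DNS suffix, registered correctly.
    {"sAMAccountName": "FS01$", "dNSHostName": "fs01.joeware.net",
     "servicePrincipalName": ["HOST/FS01", "HOST/fs01.joeware.net"]},
    # Disjoint host that was allowed to register its own attributes.
    {"sAMAccountName": "NYFS01$", "dNSHostName": "nyfs01.newyork.joeware.net",
     "servicePrincipalName": ["HOST/NYFS01", "HOST/nyfs01.newyork.joeware.net"]},
    # Disjoint host whose attributes carry the AD domain suffix instead.
    {"sAMAccountName": "NAS01$", "dNSHostName": "nas01.joeware.net",
     "servicePrincipalName": ["HOST/NAS01", "HOST/nas01.joeware.net"]},
    # Disjoint host that lacked permission to write its attributes at all.
    {"sAMAccountName": "ATLFS02$", "dNSHostName": None,
     "servicePrincipalName": []},
]

# Assumption: the FQDN each host really uses, taken from DNS or inventory.
ACTUAL_FQDN = {
    "FS01$": "fs01.joeware.net",
    "NYFS01$": "nyfs01.newyork.joeware.net",
    "NAS01$": "nas01.sanfran.joeware.net",
    "ATLFS02$": "atlfs02.atlanta.joeware.net",
}

def audit(computer, actual_fqdn, ad_domain=AD_DOMAIN):
    """Return finding codes for one computer object (empty list = clean)."""
    findings = []
    short = computer["sAMAccountName"].rstrip("$").lower()
    actual = actual_fqdn.lower()
    if actual.partition(".")[2] != ad_domain.lower():
        findings.append("DISJOINT")  # supported, but the checks below matter
    if (computer.get("dNSHostName") or "").lower() != actual:
        findings.append("DNSHOSTNAME_MISMATCH")
    # SPN matching is case-insensitive; a member needs both HOST forms.
    spns = {s.lower() for s in computer.get("servicePrincipalName") or []}
    for wanted in (f"host/{short}", f"host/{actual}"):
        if wanted not in spns:
            findings.append("MISSING_SPN:" + wanted)
    return findings

def audit_all(computers=COMPUTERS, inventory=ACTUAL_FQDN):
    return {c["sAMAccountName"]: audit(c, inventory[c["sAMAccountName"]])
            for c in computers}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, findings or "OK")
```

A host that reports only DISJOINT is in the supported configuration; the mismatch and missing-SPN findings are the cases where Kerberos cannot find a matching principal for the name clients actually use.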
                